#    Copyright (c) 2023 Contributors to the Eclipse Foundation
#
#    See the NOTICE file(s) distributed with this work for additional
#    information regarding copyright ownership.
#
#    This program and the accompanying materials are made available under the
#    terms of the Apache License, Version 2.0 which is available at
#    https://www.apache.org/licenses/LICENSE-2.0.
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.
#
#  SPDX-License-Identifier: Apache-2.0

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

name: "[BE][FE][SECURITY] Trivy"

on:
  pull_request:
    branches: main
    paths-ignore:
      - '**/*.md'
      - '**/*.txt'
  push:
    branches: [ "main" ]
    paths-ignore:
      - '**/*.md'
      - '**/*.txt'
  schedule:
    - cron: "0 0 * * *"
  workflow_dispatch:
  workflow_run:
    workflows: ["Pull request Backend"]
    types: ["completed"]

permissions:
  contents: read

env:
  JAVA_VERSION: 17
  COMMIT_SHA: ${{ github.sha }}

jobs:
  build-frontend:
    permissions:
      actions: read
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
    services:
      registry:
        image: registry:2
        ports:
          - 5000:5000

    name: Build frontend
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: .
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Build an image from Dockerfile
        run: docker build -t localhost:5000/traceability-foss:fe_${{ github.sha }} -f ./frontend/Dockerfile .

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.23.0
        with:
          trivyignores: "./.github/workflows/.trivyignore"
          image-ref: 'localhost:5000/traceability-foss:fe_${{ github.sha }}'
          format: "sarif"
          limit-severities-for-sarif: true
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'

  prepare-env-backend:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: tx-backend
    outputs:
      check_sha: ${{ steps.step1.outputs.check_sha }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: ${{needs.prepare-env.outputs.check_sha}}
      - name: Set commit SHA to check
        id: step1
        run: |
          if [ -z "${{ github.event.workflow_run.head_sha }}" ]; then
            # use the value that is set when triggering the workflow manually
            echo "check_sha=$GITHUB_SHA" >> $GITHUB_OUTPUT
          else
            echo "check_sha=${{ github.event.workflow_run.head_sha }}" >> $GITHUB_OUTPUT
          fi

  analyze-config-backend:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: tx-backend
    if: always()
    needs: [prepare-env-backend]
    permissions:
      actions: read
      contents: read
      security-events: write
    services:
      registry:
        image: registry:2
        ports:
          - 5000:5000

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: ${{needs.prepare-env.outputs.check_sha}}

      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@0.23.0
        with:
          trivyignores: "./.github/workflows/.trivyignore"
          scan-type: "config"
          hide-progress: false
          format: "sarif"
          output: "trivy-results1.sarif"
          severity: "CRITICAL,HIGH"
          timeout: "10m0s"

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: "trivy-results1.sarif"

  analyze-traceability-foss-backend:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: tx-backend
    if: always()
    needs: ["prepare-env-backend"]
    permissions:
      actions: read
      contents: read
      security-events: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          java-version: '${{ env.JAVA_VERSION }}'
          distribution: 'temurin'
          cache: 'maven'

      - name: Locally build docker image
        uses: docker/build-push-action@v6
        with:
          context: .
          push: false
          tags: localhost:5000/traceability-foss:trivy

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.23.0
        with:
          image-ref: localhost:5000/traceability-foss:trivy
          trivyignores: "./.github/workflows/.trivyignore"
          format: "sarif"
          limit-severities-for-sarif: true
          output: "trivy-results2.sarif"
          severity: "CRITICAL,HIGH"
          timeout: "10m0s"

      - name: Upload Trivy scan results to GitHub Security tab
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: "trivy-results2.sarif"