chore: add vulnerability scan VSCODE-424 (#532)

mongodb-js · Jun 13, 2023 · 5bdff9e · 5bdff9e
1 parent 415bc5a
commit 5bdff9e
Show file tree

Hide file tree

Showing 8 changed files with 1,916 additions and 673 deletions.
diff --git a/.depcheckrc b/.depcheckrc
@@ -15,3 +15,10 @@ ignores:
  - "vscode"
  - "webpack-cli"
  - "@mongodb-js/oidc-plugin"
+ - css-loader
+ - less
+ - less-loader
+ - node-loader
+ - postcss-loader
+ - style-loader
+ - ts-loader
diff --git a/.github/workflows/test-and-build.yaml b/.github/workflows/test-and-build.yaml
@@ -35,26 +35,27 @@ jobs:
 
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
 
       - name: Setup Node.js Environment
-        uses: actions/setup-node@v2.1.2
+        uses: actions/setup-node@v3
         with:
           # Version Spec of the version to use. Examples: 12.x, 10.15.1, >=10.15.0
-          node-version: ^16.16.0
+          node-version: 16.x
 
       - name: Run node-gyp bug workaround script
         run: |
           curl -sSfLO https://raw.githubusercontent.com/mongodb-js/compass/42e6142ae08be6fec944b80ff6289e6bcd11badf/.evergreen/node-gyp-bug-workaround.sh && bash node-gyp-bug-workaround.sh
 
-      - name: Install npm@8.3.1
-        run: npm install -g npm@8.3.1
+      - name: Install npm
+        run: npm install -g npm@8.19.4
 
       - name: Install Dependencies
         shell: bash
-        run: npm ci --omit=optional
+        run: |
+          npm ci --omit=optional
 
       - name: Run Checks
         run: npm run check
@@ -63,7 +64,8 @@ jobs:
         shell: bash
 
       - name: Run Tests
-        run: npm run test
+        run: |
+          npm run test
         shell: bash
 
       - name: Prepare build for release
@@ -96,6 +98,42 @@ jobs:
           name: VSIX built on ${{ runner.os }}
           path: "*.vsix"
 
+      - name: Run Snyk Test
+        if: runner.os == 'Linux'
+        shell: bash
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        run: |
+          npm run snyk-test > /dev/null 2>&1
+
+      - name: Create Jira Tickets
+        if: >
+          runner.os == 'Linux' &&
+          (
+            github.event_name == 'push' && github.ref == 'refs/heads/main' ||
+            github.event_name == 'workflow_dispatch' ||
+            github.event_name == 'schedule'
+          )
+        shell: bash
+        env:
+          JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
+          JIRA_BASE_URL: "https://jira.mongodb.org"
+          JIRA_PROJECT: "VSCODE"
+          JIRA_VULNERABILITY_BUILD_INFO: "- [GitHub Run|https://github.com/mongodb-js/vscode/actions/runs/${{github.run_id}}/jobs/${{github.job}}]"
+        run: |
+          npm run create-jira-tickets > /dev/null
+
+      - name: Generate Vulnerability Report (Fail on >= High)
+        if: runner.os == 'Linux'
+        continue-on-error: ${{ github.event_name == 'pull_request' }}
+        shell: bash
+        run: |
+          # The standard output is suppressed since Github Actions logs are
+          # available for everyone with read access to the repo, which is everyone that is
+          # logged in for public repos.
+          # This command is only here to fail on failures for `main` and tags.
+          npm run generate-vulnerability-report > /dev/null
+
       - name: Create Draft Release
         run: |
           echo Creating draft release for: "${RELEASE_TAG}"

diff --git a/.gitignore b/.gitignore
@@ -9,3 +9,4 @@ test-webview-results.xml
 constants.json
 .env
 .eslintcache
+.sbom
diff --git a/.vscodeignore b/.vscodeignore
@@ -17,3 +17,4 @@ webpack.test.config.js
 .eslintignore
 playgrounds/**
 resources
+.sbom/**
-Original file line number
+Diff line change
@@ Expand Up / @@ -9,3 +9,4 @@ test-webview-results.xml @@
     constants.json
     .env
     .eslintcache
+    .sbom