From 77f5881ef128aa3684517a7ea23218a0758fc8cf Mon Sep 17 00:00:00 2001 From: Dan Stefaniuk Date: Tue, 17 Oct 2023 11:57:23 +0100 Subject: [PATCH] Address peer review feedback --- .../action.yaml | 12 ++++++------ .github/actions/scan-dependencies/action.yaml | 2 +- .github/workflows/stage-1-commit.yaml | 4 ++-- docs/user-guides/Scan_dependencies.md | 4 ++-- docs/user-guides/Test_GitHub_Actions_locally.md | 4 ++-- scripts/init.mk | 4 +--- ...epository.sh => create-lines-of-code-report.sh} | 14 +++++++------- .../{generate-sbom.sh => create-sbom-report.sh} | 2 +- scripts/reports/scan-vulnerabilities.sh | 2 +- 9 files changed, 23 insertions(+), 25 deletions(-) rename .github/actions/{cloc-repository => create-lines-of-code-report}/action.yaml (85%) rename scripts/reports/{cloc-repository.sh => create-lines-of-code-report.sh} (90%) rename scripts/reports/{generate-sbom.sh => create-sbom-report.sh} (98%) diff --git a/.github/actions/cloc-repository/action.yaml b/.github/actions/create-lines-of-code-report/action.yaml similarity index 85% rename from .github/actions/cloc-repository/action.yaml rename to .github/actions/create-lines-of-code-report/action.yaml index 03c55831..452b432b 100644 --- a/.github/actions/cloc-repository/action.yaml +++ b/.github/actions/create-lines-of-code-report/action.yaml @@ -26,16 +26,16 @@ runs: shell: bash run: | export BUILD_DATETIME=${{ inputs.build_datetime }} - ./scripts/reports/cloc-repository.sh + ./scripts/reports/create-lines-of-code-report.sh - name: "Compress CLOC report" shell: bash - run: zip cloc-report.json.zip cloc-report.json + run: zip lines-of-code-report.json.zip lines-of-code-report.json - name: "Upload CLOC report as an artefact" if: ${{ !env.ACT }} uses: actions/upload-artifact@v3 with: - name: cloc-report.json.zip - path: ./cloc-report.json.zip + name: lines-of-code-report.json.zip + path: ./lines-of-code-report.json.zip retention-days: 21 - name: "Check prerequisites for sending the report" shell: bash 
@@ -53,5 +53,5 @@ runs: if: steps.check.outputs.secrets_exist == 'true' run: | aws s3 cp \ - ./cloc-report.json.zip \ - ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-cloc-report.json.zip + ./lines-of-code-report.json.zip \ + ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-lines-of-code-report.json.zip diff --git a/.github/actions/scan-dependencies/action.yaml b/.github/actions/scan-dependencies/action.yaml index bac9cdbc..925ba096 100644 --- a/.github/actions/scan-dependencies/action.yaml +++ b/.github/actions/scan-dependencies/action.yaml @@ -26,7 +26,7 @@ runs: shell: bash run: | export BUILD_DATETIME=${{ inputs.build_datetime }} - ./scripts/reports/generate-sbom.sh + ./scripts/reports/create-sbom-report.sh - name: "Compress SBOM report" shell: bash run: zip sbom-repository-report.json.zip sbom-repository-report.json diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml index 81fdb2cb..131cc1c0 100644 --- a/.github/workflows/stage-1-commit.yaml +++ b/.github/workflows/stage-1-commit.yaml @@ -75,7 +75,7 @@ jobs: uses: actions/checkout@v4 - name: "Lint Terraform" uses: ./.github/actions/lint-terraform - cloc-repository: + count-lines-of-code: name: "Count lines of code" runs-on: ubuntu-latest permissions: @@ -86,7 +86,7 @@ jobs: - name: "Checkout code" uses: actions/checkout@v4 - name: "Count lines of code" - uses: ./.github/actions/cloc-repository + uses: ./.github/actions/create-lines-of-code-report with: build_datetime: "${{ inputs.build_datetime }}" build_timestamp: "${{ inputs.build_timestamp }}" diff --git a/docs/user-guides/Scan_dependencies.md b/docs/user-guides/Scan_dependencies.md index 8872aeca..25aff559 100644 --- a/docs/user-guides/Scan_dependencies.md +++ b/docs/user-guides/Scan_dependencies.md 
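Review bot: The renamed upload line still splices `${{ inputs.idp_aws_report_upload_bucket_endpoint }}` and `${{ inputs.build_timestamp }}` straight into the `run:` script, so whatever reaches those inputs is expanded as shell text before bash sees it; the step's `name:` and `shell:` lines are above the hunk. These values arrive from the calling workflow's inputs (stage-1-commit passes its own `inputs.build_datetime`/`inputs.build_timestamp` through), so how far they are attacker-controllable depends on who can invoke that workflow, but mapping them through `env:` and quoting the expansion is the documented pattern and costs nothing. The same pattern, `export BUILD_DATETIME=${{ inputs.build_datetime }}`, appears in the preceding hunk of this file and in the scan-dependencies/action.yaml hunk below.
```yaml
      if: steps.check.outputs.secrets_exist == 'true'
      env:
        IDP_AWS_REPORT_UPLOAD_BUCKET_ENDPOINT: ${{ inputs.idp_aws_report_upload_bucket_endpoint }}
        BUILD_TIMESTAMP: ${{ inputs.build_timestamp }}
      run: |
        aws s3 cp \
          ./lines-of-code-report.json.zip \
          "${IDP_AWS_REPORT_UPLOAD_BUCKET_ENDPOINT}/${BUILD_TIMESTAMP}-lines-of-code-report.json.zip"
```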
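Review bot: The job id in stage-1-commit.yaml becomes `count-lines-of-code`, but the docs/user-guides/Test_GitHub_Actions_locally.md hunk in this same patch changes the example to `job="create-lines-of-code-report"`, which is the action directory name rather than the job id. As far as I can tell `act -j` selects by job id, so the documented command would not match any job after this change; I cannot see how the `runner-act` make target maps `job=`, so please confirm. Either rename the job to `create-lines-of-code-report` so it matches the action, or change the example to `job="count-lines-of-code"`.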
@@ -15,7 +15,7 @@ In modern software development, leveraging third-party dependencies is a common ## Key files -- [generate-sbom.sh](../../scripts/reports/generate-sbom.sh): A shell script that generates SBOM (Software Bill of Materials) +- [create-sbom-report.sh](../../scripts/reports/create-sbom-report.sh): A shell script that generates SBOM (Software Bill of Materials) - [syft.yaml](../../scripts/config/syft.yaml): A configuration file for the SBOM generator - [scan-vulnerabilities.sh](../../scripts/reports/scan-vulnerabilities.sh): A shell script that performs CVE analysis - [grype.yaml](../../scripts/config/grype.yaml): A configuration file for the CVE scanner @@ -41,7 +41,7 @@ You can run and test the process locally on a developer's workstation using the SBOM generator ```shell -./scripts/reports/generate-sbom.sh +./scripts/reports/create-sbom-report.sh cat sbom-repository-report.json | jq ``` diff --git a/docs/user-guides/Test_GitHub_Actions_locally.md b/docs/user-guides/Test_GitHub_Actions_locally.md index 0f35f1d9..2da643b2 100644 --- a/docs/user-guides/Test_GitHub_Actions_locally.md +++ b/docs/user-guides/Test_GitHub_Actions_locally.md @@ -28,7 +28,7 @@ The following command-line tools are expected to be installed: Here is an example on how to run a GitHub workflow job: ```shell -$ make runner-act workflow="stage-1-commit" job="cloc-repository" +$ make runner-act workflow="stage-1-commit" job="create-lines-of-code-report" [Commit stage/Count lines of code] 🚀 Start image=ghcr.io/nhs-england-tools/github-runner-image:20230101-abcdef0-rt [Commit stage/Count lines of code] 🐳 docker pull image=ghcr.io/nhs-england-tools/github-runner-image:20230101-abcdef0-rt platform=linux/amd64 username= forcePull=false 
@@ -42,7 +42,7 @@ $ make runner-act workflow="stage-1-commit" job="cloc-repository" [Commit stage/Count lines of code] ✅ Success - Main Create CLOC report [Commit stage/Count lines of code] ⭐ Run Main Compress CLOC report [Commit stage/Count lines of code] 🐳 docker exec cmd=[bash --noprofile --norc -e -o pipefail /var/run/act/workflow/1-composite-1.sh] user= workdir= -| updating: cloc-report.json (deflated 68%) +| updating: lines-of-code-report.json (deflated 68%) [Commit stage/Count lines of code] ✅ Success - Main Compress CLOC report [Commit stage/Count lines of code] ☁ git clone 'https://github.com/actions/upload-artifact' # ref=v3 [Commit stage/Count lines of code] ⭐ Run Main Check prerequisites for sending the report diff --git a/scripts/init.mk b/scripts/init.mk index eca74413..5800e1e8 100644 --- a/scripts/init.mk +++ b/scripts/init.mk @@ -47,9 +47,7 @@ _install-dependency: # Install asdf dependency - mandatory: name=[listed in the clean:: # Remove all generated and temporary files (common) @Operations rm -rf \ .scannerwork \ - *cloc-report*.json \ - *sbom*report*.json \ - *vulnerabilities*report*.json \ + *report*.json \ *report*json.zip \ docs/diagrams/.*.bkp \ docs/diagrams/.*.dtmp \ diff --git a/scripts/reports/cloc-repository.sh b/scripts/reports/create-lines-of-code-report.sh similarity index 90% rename from scripts/reports/cloc-repository.sh rename to scripts/reports/create-lines-of-code-report.sh index 1c80b4a7..01645c7d 100755 --- a/scripts/reports/cloc-repository.sh +++ b/scripts/reports/create-lines-of-code-report.sh @@ -9,7 +9,7 @@ set -euo pipefail # Docker container. # # Usage: -# $ [options] ./cloc-repository.sh +# $ [options] ./create-lines-of-code-report.sh # # Options: # BUILD_DATETIME=%Y-%m-%dT%H:%M:%S%z # Build datetime, default is `date -u +'%Y-%m-%dT%H:%M:%S%z'` 
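Review bot: In the scripts/init.mk hunk the single pattern `*report*.json` is considerably wider than the three it replaces: `rm -rf` in the `clean::` recipe will now remove any root-level file whose name contains `report` and ends in `.json`, not only the generated outputs, so a committed or hand-written file matching that shape would be deleted by `make clean`. Since the generated names are known after this rename, I would keep the patterns explicit and just update the first one: `*lines-of-code-report*.json \`, `*sbom*report*.json \`, `*vulnerabilities*report*.json \`. The `rm -rf` argument list continues past the end of the hunk.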
@@ -34,7 +34,7 @@ function create-report() { run-gocloc-in-docker fi # shellcheck disable=SC2002 - cat cloc-report.tmp.json \ + cat lines-of-code-report.tmp.json \ | jq -r '["Language","files","blank","comment","code"],["--------"],(.languages[]|[.name,.files,.blank,.comment,.code]),["-----"],(.total|["TOTAL",.files,.blank,.comment,.code])|@tsv' \ | sed 's/Plain Text/Plaintext/g' \ | column -t @@ -42,7 +42,7 @@ function create-report() { function run-gocloc-natively() { - gocloc --output-type=json . > cloc-report.tmp.json + gocloc --output-type=json . > lines-of-code-report.tmp.json } function run-gocloc-in-docker() { @@ -57,7 +57,7 @@ function run-gocloc-in-docker() { "$image" \ --output-type=json \ . \ - > cloc-report.tmp.json + > lines-of-code-report.tmp.json } function enrich-report() { @@ -74,9 +74,9 @@ function enrich-report() { # shellcheck disable=SC2086 jq \ '.creationInfo |= . + {"created":"'${build_datetime}'","repository":{"url":"'${git_url}'","branch":"'${git_branch}'","tags":['${git_tags}'],"commitHash":"'${git_commit_hash}'"},"pipeline":{"id":'${pipeline_run_id}',"number":'${pipeline_run_number}',"attempt":'${pipeline_run_attempt}'}}' \ - cloc-report.tmp.json \ - > cloc-report.json - rm -f cloc-report.tmp.json + lines-of-code-report.tmp.json \ + > lines-of-code-report.json + rm -f lines-of-code-report.tmp.json } # ============================================================================== diff --git a/scripts/reports/generate-sbom.sh b/scripts/reports/create-sbom-report.sh similarity index 98% rename from scripts/reports/generate-sbom.sh rename to scripts/reports/create-sbom-report.sh index 117c1cf0..1ed735a7 100755 --- a/scripts/reports/generate-sbom.sh +++ b/scripts/reports/create-sbom-report.sh 
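Review bot: In the `@@ -74,9 +74,9 @@ function enrich-report()` hunk the renamed output lines sit right under a `jq` filter that builds JSON by shell-interpolating `${git_url}`, `${git_branch}`, `${git_tags}` and `${git_commit_hash}` inside single quotes, with `# shellcheck disable=SC2086` hiding the warning; a branch name, tag or remote URL containing a double quote or backslash yields malformed or altered JSON in the enriched report rather than an error. `jq --arg`/`--argjson` carry the values as data so no escaping is needed and the shellcheck suppression can go; the sketch below assumes `${git_tags}` already expands to the comma-separated JSON string literals the current `[...]` splice implies, and that the three pipeline values are bare integers as their unquoted insertion suggests — both worth confirming against the variable assignments, which are above the hunk. enrich-report's body starts outside the hunk.
```shell
  jq \
    --arg created "${build_datetime}" \
    --arg url "${git_url}" \
    --arg branch "${git_branch}" \
    --argjson tags "[${git_tags}]" \
    --arg commit "${git_commit_hash}" \
    --argjson run_id "${pipeline_run_id}" \
    --argjson run_number "${pipeline_run_number}" \
    --argjson run_attempt "${pipeline_run_attempt}" \
    '.creationInfo |= . + {"created":$created,"repository":{"url":$url,"branch":$branch,"tags":$tags,"commitHash":$commit},"pipeline":{"id":$run_id,"number":$run_number,"attempt":$run_attempt}}' \
    lines-of-code-report.tmp.json \
    > lines-of-code-report.json
  # … unchanged: rm -f lines-of-code-report.tmp.json …
```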
@@ -10,7 +10,7 @@ set -euo pipefail # it in a Docker container. # # Usage: -# $ [options] ./generate-sbom.sh +# $ [options] ./create-sbom-report.sh # # Options: # BUILD_DATETIME=%Y-%m-%dT%H:%M:%S%z # Build datetime, default is `date -u +'%Y-%m-%dT%H:%M:%S%z'` diff --git a/scripts/reports/scan-vulnerabilities.sh b/scripts/reports/scan-vulnerabilities.sh index ef4e5020..eb68d4b5 100755 --- a/scripts/reports/scan-vulnerabilities.sh +++ b/scripts/reports/scan-vulnerabilities.sh @@ -17,7 +17,7 @@ set -euo pipefail # VERBOSE=true # Show all the executed commands, default is `false` # # Depends on: -# $ ./generate-sbom.sh +# $ ./create-sbom-report.sh # ==============================================================================