
Merge remote-tracking branch 'origin/2.9.x' into fortify #179

Merge remote-tracking branch 'origin/2.9.x' into fortify

Merge remote-tracking branch 'origin/2.9.x' into fortify #179


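name: test

# yamllint disable-line rule:truthy
on:
  push:
    branches:
      - fortify
  pull_request:
    branches:
      - fortify

# Least privilege for the job token: nothing below writes to the repository;
# checkout and the cache actions only need read access.
permissions:
  contents: read

env:
  # Single source of truth for the Fortify SCA release. It is used in the cache
  # key, the release tag, the installer asset name and the install directory,
  # so a version bump is a one-line change. Quoted so it stays a string.
  FORTIFY_VERSION: "24.2.0"

jobs:
  test:
    strategy:
      fail-fast: false
      matrix:
        # Quoted so YAML does not retype them (e.g. 2.13 -> float).
        java: ["11", "17", "21"]
        scala: ["2.13.x", "3.x"]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: sbt/setup-sbt@v1
      - uses: coursier/cache-action@v6
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: ${{ matrix.java }}
      # Restores the unpacked Fortify install so the installer only runs on a
      # cache miss (see the `if [[ ! -d Fortify ]]` guard below).
      - uses: actions/cache@v4
        with:
          path: ./Fortify
          key: fortify-${{ env.FORTIFY_VERSION }}
      # https://github.com/gruntwork-io/fetch
      # NOTE(review): `@master` is a moving branch ref, unlike the tagged
      # majors used for the other actions; pin it to a release tag or a
      # commit SHA so the action's contents cannot change under this workflow.
      - uses: Homebrew/actions/setup-homebrew@master
      - name: Install Fetch
        run: brew install fetch
      - name: Install secrets
        env:
          LIGHTBEND_LICENSE: ${{ secrets.LIGHTBEND_LICENSE }}
          FORTIFY_LICENSE: ${{ secrets.FORTIFY_LICENSE }}
        run: |
          mkdir -p ~/.lightbend
          echo "$LIGHTBEND_LICENSE" > ~/.lightbend/license
          echo "$FORTIFY_LICENSE" > fortify.license
      # The easiest way I could think of to make the Fortify installer available to CI
      # was to attach it as a release asset to a tag in a private repo.
      - name: Install Fortify
        # `fetch` reads GITHUB_OAUTH_TOKEN from the environment. Passing the
        # secret through `env:` instead of expanding `${{ secrets.* }}` into
        # the script body keeps the token out of the generated shell text,
        # which is GitHub's recommended way to hand secrets to `run` steps.
        env:
          GITHUB_OAUTH_TOKEN: ${{ secrets.FORTIFY_INSTALLER_TOKEN }}
        run: |
          if [[ ! -d Fortify ]] ; then
            installer="Fortify_SCA_${FORTIFY_VERSION}_linux_x64.run"
            fetch --repo="https://github.com/lightbend/scala-fortify" --tag="${FORTIFY_VERSION}_linux_x64" --release-asset="$installer" .
            chmod +x "$installer"
            mkdir Fortify
            # Unattended installer reads its answers from <installer>.options.
            echo "installdir=$(pwd)/Fortify/Fortify_SCA_${FORTIFY_VERSION}" > "${installer}.options"
            echo "fortify_license_path=$(pwd)/fortify.license" >> "${installer}.options"
            "./$installer" --mode unattended
            # download the Scala security rules; VersionTests makes sure they're the ones we expect
            "./Fortify/Fortify_SCA_${FORTIFY_VERSION}/bin/fortifyupdate"
            # otherwise we get some false positives from sample files
            rm -rf "./Fortify/Fortify_SCA_${FORTIFY_VERSION}/Samples"
          fi
      - name: Test
        # Matrix value handed over as an env var rather than interpolated into
        # the script, matching how the secrets are passed above.
        env:
          SCALA_VERSION: ${{ matrix.scala }}
        run: |
          sbt "++${SCALA_VERSION}" compile
          rm -f "target/vulnerabilities-actual-${SCALA_VERSION}.txt"
          # NOTE(review): the default `run` shell does not set pipefail, so a
          # failing sourceanalyzer is only caught indirectly by the diff below;
          # `shell: bash` would make the pipeline fail fast — confirm the
          # scanner's exit codes before enabling it.
          "./Fortify/Fortify_SCA_${FORTIFY_VERSION}/bin/sourceanalyzer" \
            -b play-webgoat \
            -logfile target/scan.log \
            -scan \
            | tail -n +4 > "target/vulnerabilities-actual-${SCALA_VERSION}.txt"
          cat target/scan.log
          sum "vulnerabilities-${SCALA_VERSION}.txt" "target/vulnerabilities-actual-${SCALA_VERSION}.txt"
          # The expected-findings file is checked in; any drift fails the job.
          diff -u "vulnerabilities-${SCALA_VERSION}.txt" "target/vulnerabilities-actual-${SCALA_VERSION}.txt"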