From e1d7a1aa96cfcebbf862f7b117d50cbbbc5eb188 Mon Sep 17 00:00:00 2001
From: kailash-b
Date: Wed, 16 Oct 2024 16:32:17 +0530
Subject: [PATCH] Integrate rl-scanner

---
 .github/actions/rl-scanner/action.yml | 71 +++++++++++++
 .github/workflows/release.yml | 142 ++++++++++++++++++++++++--
 .github/workflows/rl-secure.yml | 83 +++++++++++++++
 3 files changed, 285 insertions(+), 11 deletions(-)
 create mode 100644 .github/actions/rl-scanner/action.yml
 create mode 100644 .github/workflows/rl-secure.yml

diff --git a/.github/actions/rl-scanner/action.yml b/.github/actions/rl-scanner/action.yml
new file mode 100644
index 00000000..eb017134
--- /dev/null
+++ b/.github/actions/rl-scanner/action.yml
@@ -0,0 +1,71 @@ +name: 'Reversing Labs Scanner' +description: 'Runs the Reversing Labs scanner on a specified artifact.' +inputs: + artifact-path: + description: 'Path to the artifact to be scanned.' + required: true + version: + description: 'Version of the artifact.' + required: true + +runs: + using: 'composite' + steps: + - name: Set up Python + uses: actions/setup-python@v4 + with: + python-version: '3.10' + + - name: Install Python dependencies + shell: bash + run: | + pip install boto3 requests + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + role-to-assume: ${{ env.PRODSEC_TOOLS_ARN }} + aws-region: us-east-1 + mask-aws-account-id: true + + - name: Install RL Wrapper + shell: bash + run: | + pip install rl-wrapper>=1.0.0 --index-url "https://${{ env.PRODSEC_TOOLS_USER }}:${{ env.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple" + + - name: Run RL Scanner + shell: bash + env: + RLSECURE_LICENSE: ${{ env.RLSECURE_LICENSE }} + RLSECURE_SITE_KEY: ${{ env.RLSECURE_SITE_KEY }} + SIGNAL_HANDLER_TOKEN: ${{ env.SIGNAL_HANDLER_TOKEN }} + PYTHONUNBUFFERED: 1 + run: | + if [ ! -f "${{ inputs.artifact-path }}" ]; then + echo "Artifact not found: ${{ inputs.artifact-path }}" + exit 1 + fi + + rl-wrapper \ + --artifact "${{ inputs.artifact-path }}" \ + --name "${{ github.event.repository.name }}" \ + --version "${{ inputs.version }}" \ + --repository "${{ github.repository }}" \ + --commit "${{ github.sha }}" \ + --build-env "github_actions" \ + --suppress_output + + # Check the outcome of the scanner + if [ $? -ne 0 ]; then + echo "RL Scanner failed." + echo "scan-status=failed" >> $GITHUB_ENV + exit 1 + else + echo "RL Scanner passed." + echo "scan-status=success" >> $GITHUB_ENV + fi + +outputs: + scan-status: + description: 'The outcome of the scan process.' + value: ${{ env.scan-status }} 
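Review bot: In the Install RL Wrapper step `rl-wrapper>=1.0.0` is unquoted, so bash treats `>=1.0.0` as a redirection of pip's stdout to a file named `=1.0.0` and installs `rl-wrapper` with no version constraint at all; quote it, `pip install 'rl-wrapper>=1.0.0' --index-url "..."`, and preferably pin an exact version (and likewise pin `boto3`/`requests` and the `@v1`/`@v4` action tags to specific versions or commit SHAs) so the scanner toolchain that gates the release is itself reproducible. In the Run RL Scanner step the `if [ $? -ne 0 ]` branch is unreachable: `shell: bash` runs with `-eo pipefail`, so a non-zero exit from `rl-wrapper` aborts the script before the check and `scan-status=failed` is never written; test the command directly instead, `if ! rl-wrapper --artifact "${{ inputs.artifact-path }}" ... --suppress_output; then`. I am also not certain the `env` context is resolved in a composite action's `outputs.<id>.value`; the documented route is to give the step an `id:`, write `scan-status=...` to `$GITHUB_OUTPUT`, and set `value: ${{ steps.<step-id>.outputs.scan-status }}`.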
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a514f000..bbc4c3b0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,20 +6,20 @@ on: - closed workflow_dispatch: - permissions: contents: write + id-token: write ### TODO: Replace instances of './.github/workflows/' w/ `auth0/dx-sdk-actions/workflows` and append `@latest` after the common `dx-sdk-actions` repo is made public. ### TODO: Also remove `get-prerelease`, `get-release-notes`, `get-version`, `release-create`, and `tag-exists` actions from this repo's .github/actions folder once the repo is public. jobs: + build: name: Build runs-on: windows-latest environment: 'release' if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) - steps: - name: Checkout code uses: actions/checkout@v4 
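Review bot: `id-token: write` is granted at the workflow level, so every job in release.yml — `build` and the `nuget-release.yml` publishing jobs included — can mint OIDC tokens, while only the `rl-secure.yml` jobs appear to need it for `configure-aws-credentials`. Scope it to those jobs with a job-level block on each `rl-scanner-*` job, `permissions:` / `contents: read` / `id-token: write`, and leave the top-level block at `contents: write`; a called workflow can only receive permissions the calling job holds, so the job-level grant is sufficient, unless nuget-release.yml also relies on OIDC, which is not visible here. The `permissions:` and `jobs:` mappings continue outside this hunk.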
@@ -57,10 +57,130 @@ jobs: retention-days: 1 compression-level: 9 + rl-scanner-android: + needs: build + uses: ./.github/workflows/rl-secure.yml + with: + nuspec-file: "nuget/Auth0.OidcClient.Android.nuspec" + artifact-name: "Auth0.OidcClient.Android.tgz" + project-path: "src/Auth0.OidcClient.Android" + secrets: + RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} + RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} + SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} + PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} + PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} + PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} + + rl-scanner-androidx: + needs: build + uses: ./.github/workflows/rl-secure.yml + with: + nuspec-file: "nuget/Auth0.OidcClient.AndroidX.nuspec" + artifact-name: "Auth0.OidcClient.AndroidX.tgz" + project-path: "src/Auth0.OidcClient.AndroidX" + secrets: + RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} + RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} + SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} + PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} + PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} + PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} + + rl-scanner-iOS: + needs: build + uses: ./.github/workflows/rl-secure.yml + with: + nuspec-file: "nuget/Auth0.OidcClient.iOS.nuspec" + artifact-name: "Auth0.OidcClient.iOS.tgz" + project-path: "src/Auth0.OidcClient.iOS" + secrets: + RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} + RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} + SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} + PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} + PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} + PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} + + rl-scanner-core: + needs: build + uses: ./.github/workflows/rl-secure.yml + with: + nuspec-file: "nuget/Auth0.OidcClient.Core.nuspec" + artifact-name: "Auth0.OidcClient.Core.tgz" + 
project-path: "src/Auth0.OidcClient.Core" + secrets: + RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} + RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} + SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} + PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} + PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} + PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} + + rl-scanner-wpf: + needs: build + uses: ./.github/workflows/rl-secure.yml + with: + nuspec-file: "nuget/Auth0.OidcClient.WPF.nuspec" + artifact-name: "Auth0.OidcClient.WPF.tgz" + project-path: "src/Auth0.OidcClient.WPF" + secrets: + RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} + RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} + SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} + PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} + PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} + PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} + + rl-scanner-winforms: + needs: build + uses: ./.github/workflows/rl-secure.yml + with: + nuspec-file: "nuget/Auth0.OidcClient.WinForms.nuspec" + artifact-name: "Auth0.OidcClient.WinForms.tgz" + project-path: "src/Auth0.OidcClient.WinForms" + secrets: + RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} + RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} + SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} + PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} + PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} + PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} + + rl-scanner-uwp: + needs: build + uses: ./.github/workflows/rl-secure.yml + with: + nuspec-file: "nuget/Auth0.OidcClient.UWP.nuspec" + artifact-name: "Auth0.OidcClient.UWP.tgz" + project-path: "src/Auth0.OidcClient.UWP" + secrets: + RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} + RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} + SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} + PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} 
+ PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} + PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} + + rl-scanner-maui: + needs: build + uses: ./.github/workflows/rl-secure.yml + with: + nuspec-file: "nuget/Auth0.OidcClient.MAUI.nuspec" + artifact-name: "Auth0.OidcClient.MAUI.tgz" + project-path: "src/Auth0.OidcClient.MAUI" + secrets: + RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} + RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} + SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} + PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} + PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} + PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} + android: name: Android uses: ./.github/workflows/nuget-release.yml - needs: build + needs: [rl-scanner-android,rl-scanner-androidx,rl-scanner-iOS,rl-scanner-core,rl-scanner-wpf,rl-scanner-winforms,rl-scanner-uwp,rl-scanner-maui] with: tag-prefix: 'android-' project-path: "src/Auth0.OidcClient.Android" @@ -72,7 +192,7 @@ jobs: androidx: name: AndroidX uses: ./.github/workflows/nuget-release.yml - needs: build + needs: [rl-scanner-android,rl-scanner-androidx,rl-scanner-iOS,rl-scanner-core,rl-scanner-wpf,rl-scanner-winforms,rl-scanner-uwp,rl-scanner-maui] with: tag-prefix: 'androidx-' project-path: "src/Auth0.OidcClient.AndroidX" @@ -84,7 +204,7 @@ jobs: ios: name: iOS uses: ./.github/workflows/nuget-release.yml - needs: build + needs: [rl-scanner-android,rl-scanner-androidx,rl-scanner-iOS,rl-scanner-core,rl-scanner-wpf,rl-scanner-winforms,rl-scanner-uwp,rl-scanner-maui] with: tag-prefix: 'ios-' project-path: "src/Auth0.OidcClient.iOS" @@ -96,7 +216,7 @@ jobs: core: name: Core uses: ./.github/workflows/nuget-release.yml - needs: build + needs: [rl-scanner-android,rl-scanner-androidx,rl-scanner-iOS,rl-scanner-core,rl-scanner-wpf,rl-scanner-winforms,rl-scanner-uwp,rl-scanner-maui] with: tag-prefix: 'core-' project-path: "src/Auth0.OidcClient.Core" 
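Review bot: The eight `rl-scanner-*` jobs differ only in the target name, and the eight-entry `needs:` list on the `android` job (repeated identically in the `@@ -72` through `@@ -158` hunks that follow) means each new target has to be edited into nine places and every per-platform release is coupled to every other platform's scan. A reusable workflow can be called from a matrix job, which collapses this to one `rl-scanner` job and lets each release job declare `needs: rl-scanner` with the same all-must-pass semantics; if per-target isolation is wanted instead, each release job should depend only on its own scanner, e.g. `needs: rl-scanner-android`. Two style nits in the same hunk: `rl-scanner-iOS` is the only mixed-case job id, and the flow lists have no space after the commas. The matrix form would look like this:
```yaml
  rl-scanner:
    needs: build
    strategy:
      fail-fast: false
      matrix:
        target: [Android, AndroidX, iOS, Core, WPF, WinForms, UWP, MAUI]
    uses: ./.github/workflows/rl-secure.yml
    with:
      nuspec-file: "nuget/Auth0.OidcClient.${{ matrix.target }}.nuspec"
      artifact-name: "Auth0.OidcClient.${{ matrix.target }}.tgz"
      project-path: "src/Auth0.OidcClient.${{ matrix.target }}"
    secrets:
      RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
      # … unchanged: the remaining five RLSECURE/SIGNAL_HANDLER/PRODSEC secrets …

  android:
    # … unchanged: name, uses …
    needs: rl-scanner
    # … unchanged: with: block; same one-line needs: in the other release jobs …
```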
@@ -108,7 +228,7 @@ jobs: wpf: name: WPF uses: ./.github/workflows/nuget-release.yml - needs: build + needs: [rl-scanner-android,rl-scanner-androidx,rl-scanner-iOS,rl-scanner-core,rl-scanner-wpf,rl-scanner-winforms,rl-scanner-uwp,rl-scanner-maui] with: tag-prefix: 'wpf-' project-path: "src/Auth0.OidcClient.WPF" @@ -120,7 +240,7 @@ jobs: winforms: name: WinForms uses: ./.github/workflows/nuget-release.yml - needs: build + needs: [rl-scanner-android,rl-scanner-androidx,rl-scanner-iOS,rl-scanner-core,rl-scanner-wpf,rl-scanner-winforms,rl-scanner-uwp,rl-scanner-maui] with: tag-prefix: 'winforms-' project-path: "src/Auth0.OidcClient.WinForms" @@ -132,7 +252,7 @@ jobs: uwp: name: UWP uses: ./.github/workflows/nuget-release.yml - needs: build + needs: [rl-scanner-android,rl-scanner-androidx,rl-scanner-iOS,rl-scanner-core,rl-scanner-wpf,rl-scanner-winforms,rl-scanner-uwp,rl-scanner-maui] with: tag-prefix: 'uwp-' project-path: "src/Auth0.OidcClient.UWP" @@ -144,7 +264,7 @@ jobs: maui: name: MAUI uses: ./.github/workflows/nuget-release.yml - needs: build + needs: [rl-scanner-android,rl-scanner-androidx,rl-scanner-iOS,rl-scanner-core,rl-scanner-wpf,rl-scanner-winforms,rl-scanner-uwp,rl-scanner-maui] with: tag-prefix: 'maui-' project-path: "src/Auth0.OidcClient.MAUI" @@ -158,7 +278,7 @@ jobs: if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) runs-on: windows-latest environment: release - needs: build + needs: [rl-scanner-android,rl-scanner-androidx,rl-scanner-iOS,rl-scanner-core,rl-scanner-wpf,rl-scanner-winforms,rl-scanner-uwp,rl-scanner-maui] steps: - name: Checkout code diff --git a/.github/workflows/rl-secure.yml b/.github/workflows/rl-secure.yml new file mode 100644 index 00000000..2eba1f70 --- /dev/null +++ b/.github/workflows/rl-secure.yml 
@@ -0,0 +1,83 @@ +name: RL-Secure Workflow +run-name: rl-scanner + +on: + workflow_call: + inputs: + nuspec-file: + type: string + required: true + artifact-name: + type: string + required: true + project-path: + type: string + required: true + secrets: + RLSECURE_LICENSE: + required: true + RLSECURE_SITE_KEY: + required: true + SIGNAL_HANDLER_TOKEN: + required: true + PRODSEC_TOOLS_USER: + required: true + PRODSEC_TOOLS_TOKEN: + required: true + PRODSEC_TOOLS_ARN: + required: true + +jobs: + rl-scanner: + name: Run Reversing Labs scanner + if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) + runs-on: ubuntu-latest + outputs: + scan-status: ${{ steps.rl-scan-conclusion.outcome }} + + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Setup .NET + uses: actions/setup-dotnet@v3 + with: + dotnet-version: 6.0.x + + - uses: actions/download-artifact@v4 + with: + path: './src' + name: build + + - name: Create NuGet packages + shell: pwsh + run: | + nuget pack ${{ inputs.nuspec-file }} -OutputDirectory ${{ github.workspace }}/nuget + + - name: Create tgz build artifact + run: | + tar -czvf ${{ github.workspace }}/${{ inputs.artifact-name }} ${{ github.workspace }}/nuget + + - id: get_version + uses: ./.github/actions/get-version + with: + working-directory: ${{ inputs.project-path }} + + - name: Run RL Scanner + id: rl-scan-conclusion + uses: ./.github/actions/rl-scanner + with: + artifact-path: ${{ github.workspace }}/${{ inputs.artifact-name }} + version: "${{ steps.get_version.outputs.version }}" + env: + RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} + RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} + SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} + PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} + PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} + 
PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} + + - name: Output scan result + run: echo "scan-status=${{ steps.rl-scan-conclusion.outcome }}" >> $GITHUB_ENV \ No newline at end of file
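Review bot: The `scan-status` job output never leaves this workflow: `on.workflow_call` declares no `outputs:`, so release.yml cannot read `jobs.rl-scanner.outputs.scan-status`, and the final `Output scan result` step writes to `$GITHUB_ENV` as the last step of the job, where nothing reads it. Either expose it under `workflow_call`, `outputs:` / `scan-status:` / `value: ${{ jobs.rl-scanner.outputs.scan-status }}`, and drop the last step, or drop the output entirely, since the release jobs already gate on job success through `needs`. Separately, `${{ inputs.nuspec-file }}` and `${{ inputs.artifact-name }}` are expanded directly inside the `run:` scripts of the Create NuGet packages and Create tgz steps; today's callers pass literals, but a reusable workflow should not depend on that — pass them through `env:` and reference `"$NUSPEC_FILE"` / `"$ARTIFACT_NAME"` so the values are never re-parsed by the shell. The file is also missing its trailing newline.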