Merge pull request #3368 from mercedes-benz/develop

Merge `develop` into `master` for release of secretvalidator-wrapper

.github/workflows/release-wrapper-validation.yml

@@ -0,0 +1,213 @@
+# SPDX-License-Identifier: MIT
+name: Release Wrapper for Secret-Validation
+
+on:
+  workflow_dispatch:
+    inputs:
+      actor-email:
+        description: Insert your email address here. It will be used in the generated pull requests
+        required: true
+      secretvalidation-wrapper-version:
+        description: Secret-Validation-wrapper Version (e.g. 1.0.0)
+        required: true
+      secretvalidation-wrapper-milestone-number:
+        description: Secret-Validation-wrapper Milestone number (e.g. 153)
+        required: true
+jobs:
+  release-version:
+    name: Create Secret-Validation-wrapper release
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Show Inputs"
+        run: |
+          echo "actor-email: '${{ inputs.actor-email }}'"
+          echo "Secret-Validation-wrapper '${{ inputs.secretvalidation-wrapper-version }}' - Milestone '${{ inputs.secretvalidation-wrapper-milestone-number }}'"
+
+      - name: Checkout branch master
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+        with:
+          ref: master
+
+      # Create temporary local tags, so we build documentation for this tag...
+      # The final tag on git server side will be done automatically by the release when the draft is saved as "real" release
+      - name: Tag Secret-Validation Wrapper version v${{ inputs.secretvalidation-wrapper-version }}-secretvalidation-wrapper (temporarily)
+        run: git tag v${{ inputs.secretvalidation-wrapper-version }}-secretvalidation-wrapper
+
+      # ----------------------
+      # Setup + Caching
+      # ----------------------
+      - name: Set up JDK 17
+        uses: actions/setup-java@6a0805fcefea3d4657a47ac4c165951e33482018
+        with:
+          java-version: 17
+          distribution: temurin
+
+      - name: Set up Gradle
+        uses: gradle/actions/setup-gradle@af1da67850ed9a4cedd57bfd976089dd991e2582
+        with:
+          cache-read-only: false
+
+      # ----------------------
+      # Create a pull request if license headers are missing
+      # ----------------------
+      - name: run apply-headers.sh
+        id: apply-headers
+        run: |
+          git config user.name "$GITHUB_TRIGGERING_ACTOR (via github-actions)"
+          git config user.email "${{ inputs.actor-email }}"
+          ./apply-headers.sh
+          git commit -am "SPDX headers added by SecHub release job @github-actions" || true
+          COMMITS=`git log --oneline --branches --not --remotes`
+          echo "commits=$COMMITS" >> $GITHUB_OUTPUT
+
+      - name: Create a pull request for SPDX license headers
+        id: pr_spdx_headers
+        if: steps.apply-headers.outputs.commits != ''
+        uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c
+        with:
+          branch: release-spdx-headers
+          branch-suffix: short-commit-hash
+          delete-branch: true
+          title: '0 - Before secretvalidation-wrapper release: Add missing SPDX license headers [auto-generated]'
+          body: |
+            Auto-generated by Github Actions secretvalidation-wrapper release job.
+
+            -> Please review and merge **before** publishing the secretvalidation-wrapper release.
+
+      - name: Print PR infos
+        if: steps.apply-headers.outputs.commits != ''
+        run: |
+          echo "Pull Request Number - ${{ steps.pr_spdx_headers.outputs.pull-request-number }}"
+          echo "Pull Request URL - ${{ steps.pr_spdx_headers.outputs.pull-request-url }}"
+
+      - name: Switch back to master branch
+        run: git checkout master
+
+      # -----------------------------------------
+      # Build SecHub Secret-Validation Wrapper
+      # -----------------------------------------
+      - name: Build Secret-Validation Wrapper
+        run: ./gradlew :sechub-wrapper-secretvalidation:bootJar
+
+      # -----------------------------------------
+      # Upload build artifacts
+      # -----------------------------------------
+      - name: Inspect GIT status
+        if: always()
+        run: |
+          mkdir build/reports -p
+          git status > build/reports/git-status.txt
+
+      - name: Archive GIT status
+        if: always()
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
+        with:
+          name: git-status.txt
+          path: build/reports/git-status.txt
+          retention-days: 14
+
+      - name: Archive Secret-Validation Wrapper libs directory
+        if: always()
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
+        with:
+          name: sechub-wrapper-secretvalidation
+          path: sechub-wrapper-secretvalidation/build/libs
+          retention-days: 14
+
+      - name: Switch back to master branch
+        run: git checkout master
+
+      # -----------------------------------------
+      # Assert releaseable, so no dirty flags on releases
+      # even when all artifact creation parts are done!
+      # -----------------------------------------
+      - name: Assert releasable
+        run: ./gradlew assertReleaseable
+
+      - name: Create Secret-Validation Wrapper release
+        id: create_secretvalidation-wrapper_release
+        uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
+        with:
+          tag_name: v${{ inputs.secretvalidation-wrapper-version }}-secretvalidation-wrapper
+          commitish: master
+          release_name: Secret-Validation Wrapper Version ${{ inputs.secretvalidation-wrapper-version }}
+          body: |
+            Changes in this Release
+            - Some minor changes on Secret-Validation Wrapper implementation
+
+            For more details please look at [Milestone ${{inputs.secretvalidation-wrapper-milestone-number}}]( https://github.com/mercedes-benz/sechub/milestone/${{inputs.secretvalidation-wrapper-milestone-number}}?closed=1)
+          draft: true
+          prerelease: false
+
+      # -----------------------------------------
+      # Upload release artifacts
+      # -----------------------------------------
+      - name: Create files and sha256 checksum for Secret-Validation Wrapper jar
+        run: |
+          cd sechub-wrapper-secretvalidation/build/libs/
+          sha256sum sechub-wrapper-secretvalidation-${{ inputs.secretvalidation-wrapper-version }}.jar > sechub-wrapper-secretvalidation-${{ inputs.secretvalidation-wrapper-version }}.jar.sha256sum
+
+      - name: Upload asset sechub-wrapper-secretvalidation-${{ inputs.secretvalidation-wrapper-version }}.jar
+        uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_secretvalidation-wrapper_release.outputs.upload_url }}
+          asset_path: sechub-wrapper-secretvalidation/build/libs/sechub-wrapper-secretvalidation-${{ inputs.secretvalidation-wrapper-version }}.jar
+          asset_name: sechub-wrapper-secretvalidation-${{ inputs.secretvalidation-wrapper-version }}.jar
+          asset_content_type: application/zip
+
+      - name: Upload asset sechub-wrapper-secretvalidation-${{ inputs.secretvalidation-wrapper-version }}.jar.sha256sum
+        uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_secretvalidation-wrapper_release.outputs.upload_url }}
+          asset_path: sechub-wrapper-secretvalidation/build/libs/sechub-wrapper-secretvalidation-${{ inputs.secretvalidation-wrapper-version }}.jar.sha256sum
+          asset_name: sechub-wrapper-secretvalidation-${{ inputs.secretvalidation-wrapper-version }}.jar.sha256sum
+          asset_content_type: text/plain
+
+      # -----------------------------------------
+      # Create release issue
+      # -----------------------------------------
+      - name: Create Secret-Validation Wrapper ${{ inputs.secretvalidation-wrapper-version }} release issue
+        uses: dacbd/create-issue-action@main
+        with:
+          token: ${{ github.token }}
+          title: Release Secret-Validation Wrapper ${{ inputs.secretvalidation-wrapper-version }}
+          body: |
+            See [Milestone ${{inputs.secretvalidation-wrapper-milestone-number}}]( https://github.com/mercedes-benz/sechub/milestone/${{inputs.secretvalidation-wrapper-milestone-number}}?closed=1) for details.
+
+            Please close this issue after the release.
+          milestone: ${{ inputs.secretvalidation-wrapper-milestone-number }}
+
+      # -----------------------------------------
+      # Create a pull request for merging back `master` into `develop`
+      # -----------------------------------------
+      - name: pull-request master to develop
+        id: pr_master_to_develop
+        continue-on-error: true
+        uses: repo-sync/pull-request@7e79a9f5dc3ad0ce53138f01df2fad14a04831c5
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          source_branch: "master"
+          destination_branch: "develop"
+          pr_allow_empty: true  # should allow an empty PR, but seems not to work
+          pr_title: '2 - After Secret-Validation Wrapper release: Merge master back into develop [auto-generated]'
+          pr_body: |
+            Merge master branch back into develop
+
+            -> Please merge **after** the release has been published.
+
+      - name: Print PR infos if PR was created
+        if: steps.pr_master_to_develop.outcome == 'success'
+        run: |
+          echo "Pull Request Number - ${{ steps.pr_master_to_develop.outputs.pr_number }}"
+          echo "Pull Request URL - ${{ steps.pr_master_to_develop.outputs.pr_url }}"
+
+      - name: Print info if no PR was created
+        if: steps.pr_master_to_develop.outcome != 'success'
+        run: |
+          echo "Nothing to merge - no pull request necessary."

buildSrc/src/main/groovy/VersionData.groovy

@@ -9,8 +9,9 @@ class VersionData{
     private static final String ID_WEBUI = "webui"
     private static final String ID_WRAPPER_CHECKMARX = "checkmarx wrapper"
     private static final String ID_WRAPPER_OWASPZAP = "owasp-zap wrapper"
-    private static final String ID_WRAPPER_XRAY= "xray wrapper"
     private static final String ID_WRAPPER_PREPARE= "prepare wrapper"
+    private static final String ID_WRAPPER_SECRETVALIDATION= "secretvalidation wrapper"
+    private static final String ID_WRAPPER_XRAY= "xray wrapper"
 
     private StringBuilder debugInfo = new StringBuilder();
 
@@ -28,10 +29,11 @@ class VersionData{
         initialize(ID_PDS_TOOLS,"PDS-Tools")
         initialize(ID_SERVER,   "Server")
         initialize(ID_WEBUI,    "WebUI")
-        initialize(ID_WRAPPER_CHECKMARX, "Checkmarx Wrapper")
-        initialize(ID_WRAPPER_OWASPZAP,  "OWASP-ZAP Wrapper")
-        initialize(ID_WRAPPER_XRAY,      "Xray Wrapper")
-        initialize(ID_WRAPPER_PREPARE,   "Prepare Wrapper")
+        initialize(ID_WRAPPER_CHECKMARX,        "Checkmarx Wrapper")
+        initialize(ID_WRAPPER_OWASPZAP,         "OWASP-ZAP Wrapper")
+        initialize(ID_WRAPPER_PREPARE,          "Prepare Wrapper")
+        initialize(ID_WRAPPER_SECRETVALIDATION, "SecretValidation Wrapper")
+        initialize(ID_WRAPPER_XRAY,             "Xray Wrapper")
     }
 
     public class VersionInfo{
@@ -43,7 +45,7 @@ class VersionData{
         String shortVersionForDocs
 
         public String describe(){
-            return text.padLeft(17)+": "+shortVersion+" ("+fullVersion+") docs: "+shortVersionForDocs
+            return text.padLeft(24)+": "+shortVersion+" ("+fullVersion+") docs: "+shortVersionForDocs
         }
 
     }
@@ -127,6 +129,10 @@ class VersionData{
         return map.get(ID_WRAPPER_PREPARE).getShortVersion()
     }
 
+    public String getSecretvalidationWrapperVersion(){
+        return map.get(ID_WRAPPER_SECRETVALIDATION).getShortVersion()
+    }
+
     public String getDebugInfo(){
 
         return "Debug info:\ncontainingAtLeastOneDirtyReleaseVersion=$containingAtLeastOneDirtyReleaseVersion\ncontainingAtLeastOneRealReleaseVersion=$containingAtLeastOneRealReleaseVersion\n\n$debugInfo";

gradle/build-versioning.gradle

@@ -46,14 +46,15 @@ def buildVersionFiles(){
     // We use "v${major}.${minor}.${hotfix}-${type}" pattern for tag names
     def clientVersionCommitTag = versionCommitTags.find{ it.name.endsWith("-client") }
     def librariesVersionCommitTag = versionCommitTags.find{ it.name.endsWith("-libraries") }
-    def checkmarxWrapperVersionCommitTag = versionCommitTags.find{ it.name.endsWith("-checkmarx-wrapper") }
-    def owaspzapWrapperVersionCommitTag = versionCommitTags.find{ it.name.endsWith("-owaspzap-wrapper") }
-    def xrayWrapperVersionCommitTag = versionCommitTags.find{ it.name.endsWith("-xray-wrapper") }
-    def prepareWrapperVersionCommitTag = versionCommitTags.find{ it.name.endsWith("-prepare-wrapper") }
     def pdsVersionCommitTag = versionCommitTags.find{ it.name.endsWith("-pds") }
     def pdsToolsVersionCommitTag = versionCommitTags.find{ it.name.endsWith("-pds-tools") }
     def serverVersionCommitTag = versionCommitTags.find{ it.name.endsWith("-server") }
     def webuiVersionCommitTag = versionCommitTags.find{ it.name.endsWith("-webui") }
+    def checkmarxWrapperVersionCommitTag = versionCommitTags.find{ it.name.endsWith("-checkmarx-wrapper") }
+    def owaspzapWrapperVersionCommitTag = versionCommitTags.find{ it.name.endsWith("-owaspzap-wrapper") }
+    def prepareWrapperVersionCommitTag = versionCommitTags.find{ it.name.endsWith("-prepare-wrapper") }
+    def secretvalidationWrapperVersionCommitTag = versionCommitTags.find{ it.name.endsWith("-secretvalidation-wrapper") }
+    def xrayWrapperVersionCommitTag = versionCommitTags.find{ it.name.endsWith("-xray-wrapper") }
 
     def unstagedChanges = git.status().unstaged
     def stagedChanges = git.status().staged
@@ -240,7 +241,23 @@ def buildVersionFiles(){
     def latestPrepareWrapperVersion = latestPrepareWrapperTag - 'v'
     latestPrepareWrapperVersion = latestPrepareWrapperVersion - "-prepare-wrapper"
 
-    def latestWrapperVersionInfo = versionData.defineVersion("Prepare Wrapper",buildVersionString(prepareWrapperVersionCommitTag, hasChanged, buildNumber),latestPrepareWrapperVersion)
+    def prepareWrapperVersionInfo = versionData.defineVersion("Prepare Wrapper",buildVersionString(prepareWrapperVersionCommitTag, hasChanged, buildNumber),latestPrepareWrapperVersion)
+
+    // ----------------------------
+    // - Secret Validation wrapper
+    // ----------------------------
+
+    // Get latest tagged secretvalidation-wrapper version
+    def latestSecretValidationWrapperTagCmd = [
+      'sh',
+      '-c',
+      'git tag -l --sort=-creatordate | grep -e \'^v.*-secretvalidation-wrapper$\' | head -1'
+    ]
+    def latestSecretValidationWrapperTag = latestSecretValidationWrapperTagCmd.execute().text.trim()
+    def latestSecretValidationWrapperVersion = latestSecretValidationWrapperTag - 'v'
+    latestSecretValidationWrapperVersion = latestSecretValidationWrapperVersion - "-secretvalidation-wrapper"
+
+    def secretvalidationWrapperVersionInfo = versionData.defineVersion("SecretValidation Wrapper",buildVersionString(secretvalidationWrapperVersionCommitTag, hasChanged, buildNumber),latestSecretValidationWrapperVersion)
 
 
     // ------------------------
@@ -269,8 +286,9 @@ def buildVersionFiles(){
     println(librariesVersionInfo.describe())
     println(checkmarxWrapperVersionInfo.describe())
     println(owaspzapWrapperVersionInfo.describe())
+    println(prepareWrapperVersionInfo.describe())
+    println(secretvalidationWrapperVersionInfo.describe())
     println(xrayWrapperVersionInfo.describe())
-    println(latestWrapperVersionInfo.describe())
 
     TimeDuration td = TimeCategory.minus( stop, start )
     println("\nTime elapsed to build versions: "+td)
@@ -322,6 +340,8 @@ def buildVersionString(commitTag, boolean hasChanged, buildNumber){
         calcversion = calcversion - "-webui"
         calcversion = calcversion - "-checkmarx-wrapper"
         calcversion = calcversion - "-owaspzap-wrapper"
+        calcversion = calcversion - "-prepare-wrapper"
+        calcversion = calcversion - "-secretvalidation-wrapper"
         calcversion = calcversion - "-xray-wrapper"
         // remove leading 'v'
         calcversion = calcversion - 'v'

gradle/projects.gradle

@@ -54,7 +54,7 @@ projectType = [
                     project(':sechub-wrapper-checkmarx'),
                     project(':sechub-wrapper-prepare'),
 
-                    project(':sechub-wrapper-secret-validator'),
+                    project(':sechub-wrapper-secretvalidation'),
 
                     /* archUnit */
                     project(':sechub-archunit-test')
@@ -103,7 +103,7 @@ projectType = [
                    project(':sechub-wrapper-checkmarx'),
                    project(':sechub-wrapper-prepare'),
                    project(':sechub-webui'),
-                   project(':sechub-wrapper-secret-validator'),
+                   project(':sechub-wrapper-secretvalidation'),
             ],
 
             springBootWebUIProjects:[

sechub-developertools/scripts/sechub-api.sh

@@ -71,6 +71,7 @@ project_unassign_user <project-id> <user-id> - Unassign user from project (revok
 scheduler_disable - Stop SecHub job scheduler
 scheduler_enable - Continue SecHub job scheduler
 scheduler_status - Get scheduler status
+server_encryption_status - Get current status of encryption (json format)
 server_info - Print infos about SecHub server (json format)
 server_status - Get status entries of SecHub server like scheduler, jobs etc. (json format)
 server_version - Print version of SecHub server
@@ -719,6 +720,11 @@ function sechub_scheduler_status {
 }
 
 
+function sechub_server_encryption_status {
+  curl_with_sechub_auth -i -X GET -H 'Content-Type: application/json' "$SECHUB_SERVER/api/admin/encryption/status" | $RESULT_FILTER | jq '.domains'
+}
+
+
 function sechub_server_info {
   curl_with_sechub_auth -i -X GET -H 'Content-Type: application/json' "$SECHUB_SERVER/api/admin/info/server" | $RESULT_FILTER | $JSON_FORMATTER
 }
@@ -1122,6 +1128,9 @@ case "$action" in
   scheduler_status)
     $failed || sechub_scheduler_status
     ;;
+  server_encryption_status)
+    $failed || sechub_server_encryption_status
+    ;;
   server_info)
     $failed || sechub_server_info
     ;;

sechub-pds-solutions/checkmarx/helm/pds-checkmarx/Chart.yaml

@@ -9,4 +9,4 @@ type: application
 # This is the chart version.
 # This version number should be incremented each time you make changes to the chart and its templates.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.2.0
+version: 1.3.0

sechub-pds-solutions/checkmarx/helm/pds-checkmarx/templates/deployment.yaml

@@ -57,6 +57,10 @@ spec:
               value: "{{ .Values.pds.archive.extraction.maxFileFizeUncompressed }}"
             - name: PDS_ARCHIVE_EXTRACTION_TIMEOUT
               value: "{{ .Values.pds.archive.extraction.timeout }}"
+            - name: PDS_ENCRYPTION_ALGORITHM
+              value: "{{ .Values.pds.encryption.algorithm }}"
+            - name: PDS_ENCRYPTION_SECRET_KEY
+              value: "{{ .Values.pds.encryption.secretKey }}"
             - name: PDS_HEARTBEAT_LOGGING
               value: "{{ .Values.pds.heartbeatLogging }}"
 {{- if .Values.deploymentComment }}