From cf34781062650672e781d9329f3cb19f2f98e6b4 Mon Sep 17 00:00:00 2001
From: mikolajbrzezinski <86791239+mikolajbrzezinski@users.noreply.github.com>
Date: Wed, 15 May 2024 13:04:22 +0200
Subject: [PATCH] ACS-6305 Fix Pipeline scan detecting 3rd party libraries (#956)

ACS-6305 Fix Pipeline scan detecting 3rd party libraries
---
.github/workflows/ci.yml | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 27fe648c2..98fb32f2f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -83,7 +83,17 @@ jobs:
- name: "Build"
run: mvn -B -U install -DskipTests
- name: "Create zip"
- run: zip -r to-scan.zip engines/aio/target/alfresco-transform-core-aio-*.jar engines/base/target/alfresco-base-t-engine-*.jar model/target/alfresco-transform-model-*.jar
+ run: |
+ mkdir -p to-scan
+ for file in engines/aio/target/alfresco-transform-core-aio-*.jar engines/base/target/alfresco-base-t-engine-*.jar model/target/alfresco-transform-model-*.jar
+ do
+ if [[ $file != *javadoc.jar ]] && [[ $file != *sources.jar ]] && [[ $file != *tests.jar ]]; then
+ mv "$file" to-scan/
+ fi
+ done
+ # Removing the aspectjweaver and bouncycastle jars from the scan, since Veracode detects them as 1st party code and fails the scan. TO BE REVERTED ONCE VERACODE FIXES THE ISSUE
+ zip -d to-scan/alfresco-transform*.jar "BOOT-INF/lib/bcmail-jdk18on-*.jar" "BOOT-INF/lib/bcprov-jdk18on-*.jar" "BOOT-INF/lib/aspectjweaver*.jar"
+ zip -r to-scan.zip to-scan
- name: "Run SAST Scan"
uses: veracode/Veracode-pipeline-scan-action@v1.0.10
with:
@@ -98,6 +108,7 @@ jobs:
summary_output_file: results.json
summary_display: true
baseline_file: baseline.json
+ include: "to-scan/alfresco*"
- name: Upload scan result
if: success() || failure()
run: zip readable_output.zip results.json
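Review bot: `zip -d` takes exactly one archive, but the unquoted glob `to-scan/alfresco-transform*.jar` on the `zip -d` line matches both the `alfresco-transform-core-aio-*` and the `alfresco-transform-model-*` jars (and never matches `alfresco-base-t-engine-*`), so whichever path expands second is passed as an entry name to delete and only the first jar is actually stripped. A plain library jar with no `BOOT-INF/lib` entries also makes `zip -d` exit non-zero, which under the `-e` shell GitHub Actions uses for `run:` would fail the step, so looping over `to-scan/*.jar` and only stripping jars that actually contain one of the named entries avoids both problems. The `mv` additionally removes the jars from `target/`; if a later step of this workflow (outside the hunk) still reads them there, `cp` is the safer choice. Since the stripped jars are excluded only from the SAST input, the `TO BE REVERTED` comment should cite a tracking id, e.g. `# ... TO BE REVERTED ONCE VERACODE FIXES THE ISSUE (tracked in <TRACKING-ISSUE-ID>)`, and dependency/SCA scanning should keep covering bcprov, bcmail and aspectjweaver so their vulnerabilities are still reported.
```yaml
          # … unchanged: mkdir -p to-scan and the for-loop that moves the jars into to-scan/ …
          # Removing the aspectjweaver and bouncycastle jars from the scan, since Veracode detects them as 1st party code and fails the scan. TO BE REVERTED ONCE VERACODE FIXES THE ISSUE
          for jar in to-scan/*.jar
          do
            # zip -d accepts a single archive, and exits non-zero when nothing matches, so strip each boot jar on its own and skip plain library jars.
            if unzip -l "$jar" | grep -qE 'BOOT-INF/lib/(bcmail-jdk18on|bcprov-jdk18on|aspectjweaver)'; then
              zip -d "$jar" "BOOT-INF/lib/bcmail-jdk18on-*.jar" "BOOT-INF/lib/bcprov-jdk18on-*.jar" "BOOT-INF/lib/aspectjweaver*.jar"
            fi
          done
          zip -r to-scan.zip to-scan
```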