Merge pull request #5 from entando-ps/ESB-452

ESB-452 Fix vulnerability CVE-2023-50164

Author: eliamezzano

.github/build.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+mvn -B clean
+
+(mvn org.codehaus.mojo:license-maven-plugin:2.5.0:aggregate-download-licenses &> ./license-maven-plugin.log) &
+BKMVNPID="$!"
+
+mvn versions:set -DnewVersion="$ARTIFACT_VERSION"
+
+mvn -B package;
+
+echo ""
+echo "~> Waiting for license download completion"
+wait "$BKMVNPID" || true
+
+if grep -q "BUILD SUCCESS" ./license-maven-plugin.log; then
+  echo "~> License download completed with success"
+else
+  echo "::error::License download terminated with error"
+  exit 99
+fi

.github/configure

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+git config --global advice.detachedHead false
+
+(
+  cd .github
+  git clone --depth 1 --branch "${ENTANDO_GITHUB_TOOLS_VERSION}" "https://github.com/entando-ps/github-tools" &>/dev/null
+)
+
+. .github/github-tools/lib.sh
+
+configure.start "$1"
+
+if [[ "$GITHUB_REF" == refs/tags/* ]]; then
+  . .github/github-tools/base.configure --tag "$GITHUB_REF"
+else
+  . .github/github-tools/base.configure "$GH_PR_TITLE" "$GH_PR_NUMBER"
+fi
+
+configure.complete

.github/pr-title-checker-config.json

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+OPT1="" OPT2=""
+if ! $SKIP_TESTS; then
+  # ~ TEST setup
+  OPT1+="-Ppre-deployment-verification"
+  #OPT1+=" -Dsurefire.skipAfterFailure=false"
+  #OPT1+=" -Dmaven.test.failure.ignore=false"
+
+  # ~ COVERAGE setup
+  OPT2+="org.jacoco:jacoco-maven-plugin:prepare-agent"
+  OPT2+=" org.jacoco:jacoco-maven-plugin:report"
+fi
+
+OPT3=""
+if ! $SKIP_SCANS; then
+  # ~ SCAN setup
+  OPT3+=" org.sonarsource.scanner.maven:sonar-maven-plugin:5.0.0.4389:sonar"
+  OPT3+=" -Dsonar.verbose=true"
+else
+  SONAR_PROJECT_KEY=""
+  SONAR_ORG=""
+fi
+
+# ~ version set
+mvn versions:set -DnewVersion="$ARTIFACT_VERSION"
+
+_mvn_verify() {
+  if $VERBOSE; then
+    echo "~> Running mvn verify with options: $*"
+  fi
+
+  mvn -B verify "$@"
+}
+
+_mvn_verify $OPT1 $OPT2 $OPT3 \
+  ${SONAR_PROJECT_KEY:+-Dsonar.projectKey="$SONAR_PROJECT_KEY"} \
+  ${SONAR_ORG:+-Dsonar.organization="$SONAR_ORG"} \
+;
+
+RV="$?"
+.github/github-tools/mvn.test.report.generate
+exit "$RV"

.github/test-and-scan.sh

@@ -0,0 +1,169 @@
+name: Maven MultiModule PR
+
+env:
+  ENTANDO_GITHUB_TOOLS_VERSION: "v0.1.0"
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GH_PR_TITLE: ${{ github.event.pull_request.title }}
+  GH_PR_NUMBER: ${{ github.event.pull_request.number }}
+  GH_PR_RUN_NUMBER: ${{ github.run_number }}
+  IMAGES_TO_BUILD: "Dockerfile.eap:entando-de-app-eap,Dockerfile.wildfly:entando-de-app-wildfly,Dockerfile.tomcat:entando-de-app-tomcat"
+  ENTANDO_CRANE_VERSION: ${{ vars.ENTANDO_CRANE_VERSION || 'v0.10.0' }}
+  GITHUB_REF: ${{ github.ref }}
+
+on:
+  push:
+    branches: [ "develop", "release/*" ]
+    tags: [ 'v*' ]
+  pull_request:
+    branches: [ "develop", "release/*" ]
+
+jobs:
+  #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+  build:
+    permissions:
+      contents: write
+      pull-requests: read
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up JDK 11
+      uses: actions/setup-java@v4
+      with:
+        java-version: '11'
+        distribution: 'temurin'
+        cache: maven
+
+    - name: Configure
+      id: configure
+      run: |
+        if [ -f ".github/configure" ]; then . .github/configure "build"; fi
+        gh.job.outputVar SKIP_SCANS
+        gh.job.outputVar SKIP_TESTS
+
+    - name: Cache Maven packages
+      uses: actions/cache@v4
+      with:
+        path: ~/.m2
+        key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+        restore-keys: ${{ runner.os }}-m2-
+
+    - name: Build Java
+      run: .github/build.sh
+
+    - name: Submit Dependency Snapshot
+      uses: advanced-security/maven-dependency-submission-action@v4
+
+    - name: Save the build output
+      uses: actions/upload-artifact@v4
+      with:
+        name: target
+        overwrite: true
+        path: |
+          target/generated-resources/licenses
+          webapp/target/*.war
+
+  #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+  test-and-scan:
+    needs: build
+    if: ${{ needs.build.outputs.SKIP_SCANS != 'true' || needs.build.outputs.SKIP_TESTS != 'true' }}
+
+    permissions:
+      contents: read
+      pull-requests: write
+
+    runs-on: ubuntu-latest
+
+    env:
+      SONAR_PROJECT_KEY: ${{ vars.SONAR_PROJECT_KEY }}
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      SONAR_ORG: ${{ vars.SONAR_ORG }}
+      SONAR_URL: ${{ vars.SONAR_URL }}
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up JDK 11
+        uses: actions/setup-java@v4
+        with:
+          java-version: '11'
+          distribution: 'temurin'
+          cache: maven
+
+      - name: Cache SonarQube packages
+        uses: actions/cache@v4
+        with:
+          path: ~/.sonar/cache
+          key: ${{ runner.os }}-sonar
+          restore-keys: ${{ runner.os }}-sonar
+
+      - name: Restore the build output
+        uses: actions/download-artifact@v4
+        with:
+          name: target
+          path: .
+
+      - name: Configure
+        id: configure
+        run: if [ -f ".github/configure" ]; then . .github/configure "test-and-scan"; fi
+
+      - name: Test and Scan
+        run: .github/test-and-scan.sh
+
+      - name: Save the test report
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: tests-report
+          compression-level: 0
+          overwrite: true
+          path: |
+            target/site/surefire-report.html
+            target/reports/surefire.html
+
+  #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+  publish:
+    permissions:
+      contents: read
+      pull-requests: write
+
+    runs-on: ubuntu-latest
+    needs: build
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Restore the build output
+      uses: actions/download-artifact@v4
+      with:
+        name: target
+        path: .
+
+    - name: Configure
+      run: if [ -f ".github/configure" ]; then . .github/configure "publish"; fi
+
+    - name: Build Docker image
+      run: |
+        mkdir -p ./target/generated-resources/licenses
+        touch ./target/generated-resources/licenses.xml
+
+        .github/github-tools/docker.multiBuild \
+          "${IMAGES_TO_BUILD}" \
+          "${ARTIFACT_VERSION}" \
+          "${{ vars.DOCKER_ORG }}" \
+        ;
+
+    - name: Publish Docker image
+      run: |
+        GH_DO_COMMENT=true \
+          .github/github-tools/docker.multiPublish \
+            "${IMAGES_TO_BUILD}" \
+            "${ARTIFACT_VERSION}" \
+            "${{ vars.DOCKER_ORG }}" \
+            "${{ vars.DOCKER_REGISTRY }}" \
+            "${{ secrets.DOCKER_USERNAME }}" \
+            "${{ secrets.DOCKER_PASSWORD }}" \
+            "${ARTIFACT_PUB_TYPE}" \
+          ;