ansys · RobPasMue · Mar 21, 2024 · Mar 19, 2024 · Mar 20, 2024 · Mar 20, 2024
@@ -0,0 +1,191 @@
+# Copyright (C) 2022 - 2024 ANSYS, Inc. and/or its affiliates.
+# SPDX-License-Identifier: MIT
+#
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+name: >
+  Upload vulnerability reports to PyAnsys Dashboard database.
+
+description: >
+  This action is only intended to be used by repositories that are part of the
+  PyAnsys Dashboard project. It uploads the vulnerability reports generated by
+  the `safety <https://pyup.io/safety/>`_  and `bandit <https://bandit.readthedocs.io/en/latest/>`_
+  tools to the PyAnsys Dashboard database.
+
+inputs:
+
+  # Required inputs
+  pyansys-dashboard-token:
+    description: >
+      Token used to clone the PyAnsys Dashboard repository and upload the
+      vulnerability reports.
+    required: true
+    type: string
+
+  pyansys-dashboard-credentials:
+    description: >
+      Credentials to access the PyAnsys Dashboard database. They
+      are available as a secret inside the ``ansys`` and ``ansys-internal``
+      organizations.
+    required: true
+    type: string
+
+  dry-run:
+    description: >
+      Whether to run or not this action in dry run mode or not.
+      Dry run does not upload the vulnerability reports to the database.
+    required: true
+    type: boolean
+
+  repository:
+    description: >
+      Full name of the repository for which the vulnerability reports are generated.
+    required: true
+    type: string
+
+  safety-report:
+    description: >
+      Path to the safety report file.
+    required: true
+    type: string
+
+  bandit-report:
+    description: >
+      Path to the bandit report file.
+    required: true
+    type: string
+
+  hide-log:
+    description: >
+      Whether to hide the output log of the GitHub action or not.
+      If set to true, the output log will be redirected to /dev/null.
+      If set to false, the output log will be displayed. This would
+      disclose any potential vulnerabilities to anyone.
+    required: true
+    type: boolean
+
+runs:
+  using: "composite"
+  steps:
+    - name: "Check whether the repository owner is 'ansys' or 'ansys-internal'"
+      shell: bash
+      run: |
+        if [[ ${{ github.repository_owner }} != "ansys" && ${{ github.repository_owner }} != "ansys-internal" ]]; then
+          echo "This action is only intended to be used by repositories that are part of the PyAnsys Dashboard project."
+          echo "Detected repository owner: '${{ github.repository_owner }}'"
+          echo "Expected repository owner: 'ansys' or 'ansys-internal'"
+          exit 1
+        fi
+
+    - name: "Verify that the report files exist"
+      shell: bash
+      run: |
+        if [[ ! -f ${{ inputs.safety-report }} ]]; then
+          echo "The safety report file does not exist."
+          exit 1
+        else
+          echo "Safety report file exists at location: ${{ inputs.safety-report }}."
+        fi
+        if [[ ! -f ${{ inputs.bandit-report }} ]]; then
+          echo "The bandit report file does not exist."
+          exit 1
+        else
+          echo "Bandit report file exists at location: ${{ inputs.bandit-report }}."
+        fi
+
+    - name: "Verify that the PyAnsys Dashboard token and database credentials are available"
+      shell: bash
+      run: |
+        if [[ -z ${{ inputs.pyansys-dashboard-token }} ]]; then
+          echo "The PyAnsys Dashboard token is not available."
+          exit 1
+        fi
+        if [[ -z ${{ inputs.pyansys-dashboard-credentials }} ]]; then
+          echo "The PyAnsys Dashboard credentials are not available."
+          exit 1
+        fi
+
+    - name: "Install drivers"
+      shell: bash
+      run: |
+        # Install the Microsoft ODBC Driver for SQL Server on Linux
+        #
+        # Script from https://learn.microsoft.com/en-us/sql/connect/odbc/linux-mac/installing-the-microsoft-odbc-driver-for-sql-server?view=sql-server-ver15&tabs=ubuntu18-install%2Calpine17-install%2Cdebian8-install%2Credhat7-13-install%2Crhel7-offline#18
+        #
+        if ! [[ "18.04 20.04 22.04 23.04" == *"$(lsb_release -rs)"* ]];
+        then
+            echo "Ubuntu $(lsb_release -rs) is not currently supported.";
+            exit;
+        fi
+
+        curl https://packages.microsoft.com/keys/microsoft.asc | sudo tee /etc/apt/trusted.gpg.d/microsoft.asc
+
+        curl https://packages.microsoft.com/config/ubuntu/$(lsb_release -rs)/prod.list | sudo tee /etc/apt/sources.list.d/mssql-release.list
+
+        sudo apt-get update
+        sudo ACCEPT_EULA=Y apt-get install -y msodbcsql18
+        # optional: for bcp and sqlcmd
+        sudo ACCEPT_EULA=Y apt-get install -y mssql-tools18
+        echo 'export PATH="$PATH:/opt/mssql-tools18/bin"' >> ~/.bashrc
+        source ~/.bashrc
+        # optional: for unixODBC development headers
+        sudo apt-get install -y unixodbc-dev
+
+    - name: "Clone the PyAnsys Dashboard repository"
+      uses: actions/checkout@v4
+      with:
+        repository: "ansys-internal/pyansys-dashboard"
+        token: ${{ inputs.pyansys-dashboard-token }}
+        path: dashboard
+        sparse-checkout: queries
+
+    - name: "Install the required Python packages"
+      shell: bash
+      run: |
+        python -m pip install --upgrade pip
+        python -m venv .venv-dashboard
+        source .venv-dashboard/bin/activate
+        python -m pip install -r dashboard/queries/requirements.txt
+
+    - name: "Check if dry run flag should be enabled"
+      shell: bash
+      run: |
+        if [[ ${{ inputs.dry-run }} == "true" ]]; then
+          echo "DRY_RUN= --dry-run" >> $GITHUB_ENV
+        fi
+
+    - name: "Check if logs should be hidden (i.e. > /dev/null 2>&1)"
+      shell: bash
+      run: |
+        if [[ ${{ inputs.hide-log }} == "true" ]]; then
+          echo "HIDE_LOG= > /dev/null 2>&1" >> $GITHUB_ENV
+        fi
+
+    - name: "Upload the vulnerability reports"
+      shell: bash
+      env:
+        AZ_GH_SQL_PASS: ${{ inputs.pyansys-dashboard-credentials }}
+      run: |
+        source .venv-dashboard/bin/activate
+        python dashboard/queries/update_advisories.py \
+          --repository ${{ inputs.repository }} \
+          --safety-report ${{ inputs.safety-report }} \
+          --bandit-report ${{ inputs.bandit-report }} \
+          ${{ env.DRY_RUN }} ${{ env.HIDE_LOG }}
@@ -42,6 +42,18 @@ description: |
     being introduced by them on their feature branch (while no new advisories
     are created).
 
+  .. note::
+
+      This action also allows you to upload the vulnerabilities detected to the
+      PyAnsys dashboard. This is done by setting the ``pyansys-dashboard-upload``
+      input to ``true``. However, this option is only available for the ``ansys``
+      and ``ansys-internal`` GitHub organizations. If your repository
+      is not part of these organizations, the action will not upload the
+      vulnerabilities to the PyAnsys dashboard.
+
+      In case we are running in ``dev-mode``, the upload to the PyAnsys dashboard
+      is disabled.
+
 
   The following list of `safety`_ vulnerabilities are accepted:
 
@@ -88,6 +100,7 @@ inputs:
     description: >
       Whether to run or not this action in development mode. It will activate
       by default the ``dry-run`` and ``exit-with-error-on-new-advisory`` flags.
+      Upload of information to the PyAnsys dashboard is disabled in dev-mode.
     required: false
     default: false
     type: boolean
@@ -150,6 +163,28 @@ inputs:
     required: false
     type: string
 
+  pyansys-dashboard-upload:
+    description: >
+      Whether to upload the vulnerabilities to the PyAnsys dashboard.
+      By default, the vulnerabilities are not uploaded to the PyAnsys dashboard.
+    default: false
+    required: false
+    type: boolean
+
+  pyansys-dashboard-token:
+    description: >
+      Token with read permissions on the PyAnsys dashboard repository.
+    required: false
+    type: string
+
+  pyansys-dashboard-credentials:
+    description: >
+      Credentials to access the PyAnsys dashboard database. They
+      are available as a secret inside the ``ansys`` and ``ansys-internal``
+      organizations.
+    required: false
+    type: string
+
 runs:
   using: "composite"
   steps:
@@ -193,8 +228,7 @@ runs:
       shell: bash
       run: |
         python -m pip install --upgrade pip
-        pip install "pygithub>=1.59,<2" "bandit>=1.7,<2" "safety>=2.3,<3"
-
+        pip install "pygithub>=1.59,<2" "bandit>=1.7,<2" "safety>=2.3,<4"
 
     - name: "Install library"
       shell: bash
@@ -233,6 +267,7 @@ runs:
         Script for detecting vulnerabilities on a given repo and creating
         associated security vulnerability advisories.
         """
+
         import hashlib
         import json
         import os
@@ -410,7 +445,12 @@ runs:
 
                 # Advisory info
                 summary = f"Bandit [{v_test_id}:{v_test_name}] on {v_filename} - Hash: {v_hash}"
-                vuln_adv = {"package": {"name": f"{v_package}", "ecosystem": "pip"}}
+                vuln_adv = {
+                    "package": {"name": f"{v_package}", "ecosystem": "pip"},
+                    "vulnerable_functions": [],
+                    "vulnerable_version_range": None,
+                    "patched_versions": None,
+                }
                 desc = f"""
         {v_desc}
 
@@ -501,6 +541,7 @@ runs:
 
 
 
+
         EOF
         cat dependency-check.py
 
@@ -520,3 +561,16 @@ runs:
         name: vulnerability-results
         path: ./info_*.json
         retention-days: 7
+
+    - name: "Upload to PyAnsys dashboard"
+      uses: ansys/actions/_pyansys-dashboard-vulnerabilities-upload@main
+      # Only upload if the flag is set to true and we are not in dev-mode
+      if: ${{ inputs.pyansys-dashboard-upload == 'true' }} && ${{ inputs.dev-mode == 'false' }}
+      with:
+        pyansys-dashboard-token: ${{ inputs.pyansys-dashboard-token }}
+        pyansys-dashboard-credentials: ${{ inputs.pyansys-dashboard-credentials }}
+        dry-run: ${{ inputs.dry-run }}
+        repository: ${{ env.DEPENDENCY_CHECK_REPOSITORY }}
+        safety-report: ${{ github.workspace }}/info_safety.json
+        bandit-report: ${{ github.workspace }}/info_bandit.json
+        hide-log: ${{ inputs.hide-log }}
@@ -99,6 +99,10 @@
 # Generate section labels for up to four levels
 autosectionlabel_maxdepth = 2
 
+# Ignore the following patterns when accessing links
+linkcheck_ignore = [
+    r"https://github.com/ansys-internal/.*",
+]
 
 # Auxiliary routines for automatic documentation generation
 

@@ -1,4 +1,4 @@
-.. _doc_changelog_action_setup:
+.. _docs_changelog_action_setup:
 
 Doc-changelog action setup
 ==========================

@@ -16,14 +16,17 @@ Development version
   This is useful when you want to hide the vulnerabilities from the logs, but still want to fail the action if vulnerabilities are found.
 - Avoid creating issues by default if vulnerabilities are found in the ``ansys/actions/check-vulnerabilities`` action.
 - Create a changelog fragment file for each pull request using ``towncrier`` in the ``ansys/actions/doc-changelog`` action.
+- Vulnerability advisories can now be uploaded to the PyAnsys Dashboard using the ``ansys/actions/check-vulnerabilities`` action
+  by setting the ``pyansys-dashboard-upload`` input to ``true``, together with the necessary credentials.
 
 **Breaking changes:**
 
 - N/A
 
 **Migration steps:**
 
-- To set up your repository to use the ``ansys/actions/doc-changelog`` action, see the :ref:`doc_changelog_action_setup`.
+- To set up your repository to use the ``ansys/actions/doc-changelog`` action, see the :ref:`docs_changelog_action_setup`.
+- To upload vulnerability advisories to the PyAnsys Dashboard, see the :ref:`pyansys_dashboard_upload`.
 
 Version ``v5``
 --------------
@@ -78,4 +81,5 @@ Version ``v4``
    :hidden:
    :maxdepth: 3
 
-   doc_changelog_setup
+   docs-changelog-setup
+   pyansys-dashboard-upload