
More code analysis checks and integrations #20

Merged
merged 62 commits into from
May 18, 2024

Conversation

kkovaletp
Owner

@kkovaletp kkovaletp commented May 16, 2024

Do better code and artifact analysis:

  • Dockle scans images in master branch and reports to the GitHub Security tab
  • Hadolint scans the Dockerfile in PRs and master, reports to a PR comment, the GitHub Security tab and SonarCloud
  • SonarCloud scans the UI, API and Docker sub-projects, collecting a lot of different info, and shows results in the Dashboard and with badges in the Readme
  • Anchore Grype scans dependencies for known vulnerabilities, reports to the GitHub Security tab and a PR comment (with only those having fixed versions)
  • Go test execution now reports JSON, analysed by SonarCloud
  • NPM audit check added to the UI testing flow
  • ESLint step added to generate a report for SonarCloud
  • Coverity Scan scans the repo code by building both API and UI, as well as FS-scanning source code for bugs and vulnerabilities, showing results by a badge in the Readme and on the Dashboard, where there is a View Defects button (I need to invite you to the project to let you view and triage defects, so it would be accessible to a limited number of engineers)

@kkovaletp kkovaletp added enhancement New feature or request dependencies Pull requests that update a dependency file labels May 16, 2024
@kkovaletp kkovaletp self-assigned this May 16, 2024

codecov bot commented May 16, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 55.65%. Comparing base (68c4349) to head (0859eb0).

@@           Coverage Diff            @@
##           master      #20    +/-   ##
========================================
  Coverage   55.65%   55.65%            
========================================
  Files         196      196            
  Lines       16215    16215            
  Branches      558      387   -171     
========================================
  Hits         9025     9025            
  Misses       6929     6929            
  Partials      261      261            
Flag   Coverage   Δ
api    26.50%     <ø> (ø)
ui     68.49%     <ø> (ø)



# npm audit report

postcss  <=8.4.30
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
No fix available
node_modules/postcss-functions/node_modules/postcss
node_modules/postcss-js/node_modules/postcss
node_modules/postcss-nested/node_modules/postcss
node_modules/tailwindcss/node_modules/postcss
  @tailwindcss/postcss7-compat  *
  Depends on vulnerable versions of autoprefixer
  Depends on vulnerable versions of postcss
  Depends on vulnerable versions of postcss-functions
  Depends on vulnerable versions of postcss-js
  Depends on vulnerable versions of postcss-nested
  node_modules/tailwindcss
  autoprefixer  1.0.20131222 - 9.8.8
  Depends on vulnerable versions of postcss
  node_modules/tailwindcss/node_modules/autoprefixer
  postcss-functions  <=3.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-functions
  postcss-js  <=2.0.3
  Depends on vulnerable versions of postcss
  node_modules/postcss-js
  postcss-nested  <=4.2.3
  Depends on vulnerable versions of postcss
  node_modules/postcss-nested

6 moderate severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.
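The PR description says the Grype PR comment lists only findings that have fixed versions, and the npm audit report above shows why that filter matters: every postcss advisory there is marked "No fix available", so a comment that repeats it gives the reviewer nothing to act on. The script below is an added example, not code from this PR, from the photoview project or from npm; it applies the same "only fixable findings" policy to `npm audit --json` output. It assumes the npm v7+ JSON layout (a top-level `vulnerabilities` map whose entries carry `severity`, `range`, `isDirect`, `via` and `fixAvailable`, where `fixAvailable` is `false`, `true`, or an object naming the target version). The embedded sample document is constructed to mirror the postcss entry in the report plus one fixable finding (`example-lib`, a made-up package) for contrast.

```python
"""Triage `npm audit --json` output, keeping only advisories that have a fix.

Added example (not the PR's or npm's own code). Assumes the npm v7+ JSON
layout described in the lead-in; the sample below is constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample: a cut-down `npm audit --json` document, not real output.
# "postcss" mirrors the report in the PR thread; "example-lib" is made up.
SAMPLE_AUDIT_JSON = json.dumps({
    "vulnerabilities": {
        "postcss": {
            "name": "postcss",
            "severity": "moderate",
            "isDirect": False,
            "range": "<=8.4.30",
            "via": [
                {"title": "Regular Expression Denial of Service in postcss",
                 "url": "https://github.com/advisories/GHSA-566m-qj78-rww5",
                 "severity": "moderate"},
                {"title": "PostCSS line return parsing error",
                 "url": "https://github.com/advisories/GHSA-7fh5-64p2-3v2j",
                 "severity": "moderate"},
            ],
            "fixAvailable": False,
        },
        "example-lib": {
            "name": "example-lib",
            "severity": "high",
            "isDirect": True,
            "range": "<2.0.0",
            "via": [{"title": "Constructed finding for illustration",
                     "url": "https://example.invalid/advisory",
                     "severity": "high"}],
            "fixAvailable": {"name": "example-lib", "version": "2.0.1",
                             "isSemVerMajor": True},
        },
    },
    "metadata": {"vulnerabilities": {"moderate": 1, "high": 1, "total": 2}},
})

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    package: str
    severity: str
    vulnerable_range: str
    direct: bool
    fix_available: bool
    fix_version: str | None      # set when npm names the version to move to
    semver_major: bool           # the fix needs a major-version (breaking) bump
    advisories: tuple[str, ...]  # advisory URLs taken from the "via" entries


def parse_audit(report_json: str) -> list[Finding]:
    """Flatten the top-level "vulnerabilities" map into Finding records."""
    report = json.loads(report_json)
    findings: list[Finding] = []
    for name, entry in report.get("vulnerabilities", {}).items():
        fix = entry.get("fixAvailable", False)
        if isinstance(fix, dict):   # npm names a target package/version
            available, version = True, fix.get("version")
            major = bool(fix.get("isSemVerMajor", False))
        else:                       # plain true/false
            available, version, major = bool(fix), None, False
        # "via" mixes advisory objects with bare package names (transitive
        # causes); only the objects carry an advisory URL.
        urls = tuple(v["url"] for v in entry.get("via", [])
                     if isinstance(v, dict) and "url" in v)
        findings.append(Finding(
            package=name,
            severity=entry.get("severity", "info"),
            vulnerable_range=entry.get("range", ""),
            direct=bool(entry.get("isDirect", False)),
            fix_available=available,
            fix_version=version,
            semver_major=major,
            advisories=urls,
        ))
    return findings


def fixable(findings: list[Finding], min_severity: str = "low") -> list[Finding]:
    """Keep only findings that have a fix and meet the severity floor."""
    floor = SEVERITY_RANK[min_severity]
    return [f for f in findings
            if f.fix_available and SEVERITY_RANK.get(f.severity, 0) >= floor]


def should_fail(findings: list[Finding], fail_on: str = "high") -> bool:
    """Gate policy: fail the check only on fixable findings at or above fail_on."""
    return bool(fixable(findings, fail_on))


def render_pr_comment(findings: list[Finding]) -> str:
    """Markdown for a PR comment that lists only actionable (fixable) findings."""
    rows = fixable(findings)
    if not rows:
        return "npm audit: no vulnerabilities with an available fix."
    lines = ["npm audit: vulnerabilities with an available fix", ""]
    for f in sorted(rows, key=lambda f: -SEVERITY_RANK.get(f.severity, 0)):
        target = f"upgrade to {f.fix_version}" if f.fix_version else "run `npm audit fix`"
        if f.semver_major:
            target += " (major version bump)"
        kind = "direct" if f.direct else "transitive"
        lines.append(f"- **{f.package}** {f.vulnerable_range} [{f.severity}, {kind}]: {target}")
        lines.extend(f"  - {url}" for url in f.advisories)
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_audit(SAMPLE_AUDIT_JSON)
    print(render_pr_comment(parsed))
    print("fail check:", should_fail(parsed, "high"))
```

In a workflow you would feed it the real document (`npm audit --json > audit.json`) instead of the constructed sample; the unfixable postcss entry still lands in the full report for the Security tab, while the PR comment and the gate decision are driven only by findings a developer can actually resolve.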

Repository owner deleted a comment from github-actions bot May 16, 2024
Repository owner deleted a comment from sonarcloud bot May 17, 2024

sonarcloud bot commented May 18, 2024

Quality Gate passed for 'kostiantyn-github_photoview-docker'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud


sonarcloud bot commented May 18, 2024

Quality Gate failed for 'kostiantyn-github_photoview-ui'

Failed conditions
7 Security Hotspots
67.5% Coverage on New Code (required ≥ 80%)
C Reliability Rating on New Code (required ≥ A)

See analysis details on SonarCloud


sonarcloud bot commented May 18, 2024

Quality Gate failed for 'kostiantyn-github_photoview-api'

Failed conditions
8.6% Coverage on New Code (required ≥ 80%)
24.3% Duplication on New Code (required ≤ 3%)

See analysis details on SonarCloud

@kkovaletp kkovaletp merged commit b34aa0e into master May 18, 2024
17 of 19 checks passed