Fortify: bump Scala, sbt, plugin versions #99
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: test | |
on: | |
push: | |
branches: | |
- fortify | |
pull_request: | |
branches: | |
- fortify | |
jobs: | |
test: | |
strategy: | |
fail-fast: false | |
matrix: | |
java: [8, 11, 17, 21] | |
scala: [2.13.x, 3.x] | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-java@v4 | |
with: | |
distribution: temurin | |
java-version: ${{matrix.java}} | |
cache: sbt | |
- uses: actions/cache@v4 | |
env: | |
cache-name: fortify | |
with: | |
path: ./Fortify | |
key: fortify-23.1.1 | |
# https://github.com/gruntwork-io/fetch | |
- uses: Homebrew/actions/setup-homebrew@master | |
- name: Install Fetch | |
run: brew install fetch | |
- name: Install secrets | |
env: | |
LIGHTBEND_LICENSE: ${{secrets.LIGHTBEND_LICENSE}} | |
FORTIFY_LICENSE: ${{secrets.FORTIFY_LICENSE}} | |
run: | | |
mkdir -p ~/.lightbend | |
echo "$LIGHTBEND_LICENSE" > ~/.lightbend/license | |
echo "$FORTIFY_LICENSE" > fortify.license | |
# The easiest way I could think of to make the Fortify installer available to CI | |
# was to attach it as a release asset to a tag in a private repo. | |
- name: Install Fortify | |
run: | | |
if [[ ! -d Fortify ]] ; then | |
GITHUB_OAUTH_TOKEN=${{secrets.FORTIFY_INSTALLER_TOKEN}} fetch --repo="https://github.com/lightbend/scala-fortify" --tag="23.1.1_linux_x64" --release-asset="Fortify_SCA_23.1.1_linux_x64.run" . | |
chmod +x Fortify_SCA_23.1.1_linux_x64.run | |
mkdir Fortify | |
echo installdir=`pwd`/Fortify/Fortify_SCA_23.1.1 > Fortify_SCA_23.1.1_linux_x64.run.options | |
echo fortify_license_path=`pwd`/fortify.license >> Fortify_SCA_23.1.1_linux_x64.run.options | |
./Fortify_SCA_23.1.1_linux_x64.run --mode unattended | |
# download the Scala security rules; VersionTests makes sure they're the ones we expect | |
./Fortify/Fortify_SCA_23.1.1/bin/fortifyupdate | |
fi | |
- name: Test | |
run: | | |
sbt ++${{matrix.scala}} compile | |
rm -f target/vulnerabilities-actual.txt | |
./Fortify/Fortify_SCA_23.1.1/bin/sourceanalyzer \ | |
-b akka-http-webgoat \ | |
-logfile target/scan.log \ | |
-scan \ | |
| tail -n +4 > target/vulnerabilities-actual.txt | |
cat target/scan.log | |
sum vulnerabilities-${{matrix.scala}}.txt target/vulnerabilities-actual.txt | |
diff -u vulnerabilities-${{matrix.scala}}.txt target/vulnerabilities-actual.txt |