From ae15372d8d475579d316502578886a57421c8e52 Mon Sep 17 00:00:00 2001
From: Matt Bishop
Date: Thu, 20 Jun 2024 16:44:39 -0400
Subject: [PATCH] Additional scanning (#3328)
---
 .github/workflows/scan.yml | 34 ++++++++++++++++++++++++++++++++++
 app/build.gradle.kts | 17 +++++++++++++++++
 build.gradle.kts | 1 +
 gradle/libs.versions.toml | 2 ++
 4 files changed, 54 insertions(+)
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 15ec603ff..d031a56ce 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -40,3 +40,37 @@ jobs:
 base_uri: https://ast.checkmarx.net/
 cx_client_id: ${{ secrets.CHECKMARX_CLIENT_ID }}
 cx_client_secret: ${{ secrets.CHECKMARX_SECRET }}
+ additional_params: |
+ --report-format sarif \
+ --filter "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT" \
+ --output-path . ${{ env.INCREMENTAL }}
+
+ - name: Upload Checkmarx results to GitHub
+ uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
+ with:
+ sarif_file: cx_result.sarif
+
+ quality:
+ name: Quality scan
+ runs-on: ubuntu-22.04
+ needs: check-run
+ permissions:
+ contents: read
+ pull-requests: write
+
+ steps:
+ - name: Check out repo
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ with:
+ fetch-depth: 0
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ - name: Scan with SonarCloud
+ uses: sonarsource/sonarcloud-github-action@4006f663ecaf1f8093e8e4abb9227f6041f52216 # v2.2.0
+ env:
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ args: >
+ -Dsonar.organization=${{ github.repository_owner }}
+ -Dsonar.projectKey=${{ github.repository_owner }}_${{ github.event.repository.name }}
diff --git a/app/build.gradle.kts b/app/build.gradle.kts
index 003276ef7..5775fe169 100644
--- a/app/build.gradle.kts
+++ b/app/build.gradle.kts
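Review bot: The `Upload Checkmarx results to GitHub` step calls `upload-sarif`, which only succeeds when its job has `security-events: write`; that job's `permissions` block is above this hunk, so confirm it grants that scope (the new `quality` job's own block, `contents: read` plus `pull-requests: write`, would not be enough if a SARIF upload were ever added there). The `quality` job checks out `${{ github.event.pull_request.head.sha }}` while `SONAR_TOKEN` and a write-scoped `GITHUB_TOKEN` sit in the scan step's `env`; whether that is acceptable depends on the workflow's `on:` trigger, which is outside the hunk — if it is `pull_request_target`, pull requests from forks should not be scanned with those secrets present, or the job should be limited to same-repository PRs. The `args:` here derive the key as `${{ github.repository_owner }}_${{ github.event.repository.name }}`, while the app/build.gradle.kts hunk in this patch hard-codes `sonar.projectKey`/`sonar.organization` for the Gradle `sonar` task; this step appears to run the standalone scanner action rather than that task, so keep one source of truth and say so, e.g. `# Standalone scanner settings; the Gradle sonar block in app/build.gradle.kts is not used by this step`. `${{ env.INCREMENTAL }}` appended to `additional_params` is defined outside the hunk; a one-line comment naming the step that sets it would help readers of this block.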
@@ -17,6 +17,7 @@ plugins {
 alias(libs.plugins.kotlinx.kover)
 alias(libs.plugins.ksp)
 alias(libs.plugins.google.services)
+ alias(libs.plugins.sonarqube)
 }
 android {
@@ -276,3 +277,19 @@ afterEvaluate {
 .filter { it.name.contains("Fdroid") }
 .forEach { it.enabled = false }
 }
+
+sonar {
+ properties {
+ property("sonar.projectKey", "bitwarden_android")
+ property("sonar.organization", "bitwarden")
+ property("sonar.host.url", "https://sonarcloud.io")
+ property("sonar.sources", "app/src/main/,app/src/standard/,app/src/fdroid/")
+ property("sonar.tests", "app/src/test/")
+ }
+}
+
+tasks {
+ getByName("sonar") {
+ dependsOn("check")
+ }
+}
diff --git a/build.gradle.kts b/build.gradle.kts
index 85d304ea3..a8bc6377e 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -7,4 +7,5 @@ plugins {
 alias(libs.plugins.kotlinx.kover) apply false
 alias(libs.plugins.ksp) apply false
 alias(libs.plugins.google.services) apply false
+ alias(libs.plugins.sonarqube) apply false
 }
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 29cca6cae..447c68ffe 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -44,6 +44,7 @@ mockk = "1.13.11"
 okhttp = "4.12.0"
 retrofitBom = "2.11.0"
 roboelectric = "4.12.2"
+sonarqube = "5.0.0.4638"
 turbine = "1.1.0"
 zxcvbn4j = "1.9.0"
 zxing = "3.5.3"
@@ -122,3 +123,4 @@ kotlin-parcelize = { id = "org.jetbrains.kotlin.plugin.parcelize", version.ref =
 kotlin-serialization = { id = "org.jetbrains.kotlin.plugin.serialization", version.ref = "kotlin" }
 kotlinx-kover = { id = "org.jetbrains.kotlinx.kover", version.ref = "kotlinxKover" }
 ksp = { id = "com.google.devtools.ksp", version.ref = "ksp" }
+sonarqube = { id = "org.sonarqube", version.ref = "sonarqube" }
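Review bot: `sonar.sources` and `sonar.tests` are written as repo-root-relative paths (`app/src/main/,...` and `app/src/test/`), but this `sonar` block lives in app/build.gradle.kts, where the SonarQube Gradle plugin, as far as I recall, resolves relative paths against the module directory; confirm the scan actually picks up sources, otherwise `src/main/,src/standard/,src/fdroid/` and `src/test/` may be what is meant. The `tasks { getByName("sonar") { dependsOn("check") } }` block realizes the task eagerly; the lazy form `tasks.named("sonar") { dependsOn("check") }` expresses the same dependency without defeating configuration avoidance. A one-line comment on the `sonar` block saying which CI step consumes it would help, since the scan.yml hunk in this patch invokes the standalone scanner action with its own `projectKey`/`organization` values rather than this task, e.g. `// Sonar settings for ./gradlew sonar; CI currently passes its own -Dsonar.* args to the scanner action`.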