From c22b9e9f013d4393bf0cc7a079b19731b9376bfb Mon Sep 17 00:00:00 2001
From: tdruez
Date: Thu, 26 Jun 2025 17:29:53 +0400
Subject: [PATCH 1/3] Refine the find-vulnerabilities to use latest scancode-action features
Signed-off-by: tdruez
---
 .github/workflows/find-vulnerabilities.yml | 24 ++++------------------
 pyproject.toml | 4 +++-
 2 files changed, 7 insertions(+), 21 deletions(-)
diff --git a/.github/workflows/find-vulnerabilities.yml b/.github/workflows/find-vulnerabilities.yml
index 0f22c117..49eb1e0c 100644
--- a/.github/workflows/find-vulnerabilities.yml
+++ b/.github/workflows/find-vulnerabilities.yml
@@ -13,27 +13,11 @@ jobs:
 sparse-checkout: pyproject.toml
 sparse-checkout-cone-mode: false
 
- - uses: aboutcode-org/scancode-action@main
+ - name: Fail on known vulnerabilities
+ uses: aboutcode-org/scancode-action@main
 with:
 pipelines: "inspect_packages:StaticResolver,find_vulnerabilities"
+ check-compliance: true
+ compliance-fail-on-vulnerabilities: true
 env:
 VULNERABLECODE_URL: https://public.vulnerablecode.io/
-
- - name: Fail in case of vulnerabilities
- shell: bash
- run: |
- scanpipe shell --command '
- from scanpipe.models import Project
- project = Project.objects.get()
- packages_qs = project.discoveredpackages.vulnerable()
- dependencies_qs = project.discovereddependencies.vulnerable()
- vulnerability_count = packages_qs.count() + dependencies_qs.count()
- if vulnerability_count:
- print(vulnerability_count, "vulnerabilities found:")
- for entry in [*packages_qs, *dependencies_qs]:
- print(entry)
- exit(1)
- else:
- print("No vulnerabilities found")
- exit(0)
- '
diff --git a/pyproject.toml b/pyproject.toml
index 221670e7..87ade619 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -164,7 +164,9 @@ dependencies = [
 "maturin==1.8.6",
 "setuptools-rust==1.11.1",
 "annotated-types==0.7.0",
- "semantic-version==2.10.0"
+ "semantic-version==2.10.0",
+ # Introduce vulnerability on purpose
+ "abupy==0.0.1"
 ]
 
 [project.optional-dependencies]
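Review bot: The new step keeps `uses: aboutcode-org/scancode-action@main`, a mutable branch ref, on the action that now carries the entire pass/fail decision, so the job's verdict depends on whatever that repository's main branch contains on the day it runs. The inline `scanpipe shell` script being removed failed explicitly with `exit(1)`; the replacement has no local assertion, and as far as I know GitHub only emits an "Unexpected input" warning for a `with:` key the action no longer declares, so a future rename of `check-compliance` or `compliance-fail-on-vulnerabilities` would leave the step passing while checking nothing. Once the compliance inputs are in a tagged release, pin to a full commit SHA, e.g. `uses: aboutcode-org/scancode-action@<commit-sha>  # <release tag>`, and while `@main` is still required add a comment stating why, e.g. `# pinned to main until the compliance-check inputs ship in a release`. The enclosing job definition starts above the hunk.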
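Review bot: The `"abupy==0.0.1"` pin in the pyproject.toml hunk is added to the project's real `dependencies` array rather than a test fixture, and although PATCH 3/3 removes it again, the two intermediate commits remain installable from history with a package the author labels as deliberately vulnerable. If the series is merged as-is, squashing 1/3 with 3/3 (or doing the check on a scratch branch) avoids ever publishing that state; at minimum the added comment should say the pin is temporary, e.g. `# TEMPORARY: deliberately vulnerable pin to exercise the workflow; remove before merge`. The `dependencies = [` array opens above the hunk.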
From 4cc2ffd50995a62ef44e87a8c88a4ede7409844f Mon Sep 17 00:00:00 2001
From: tdruez
Date: Thu, 26 Jun 2025 17:33:32 +0400
Subject: [PATCH 2/3] Use scancodeio repo "main" branch to ensure feature availability
Signed-off-by: tdruez
---
 .github/workflows/find-vulnerabilities.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/find-vulnerabilities.yml b/.github/workflows/find-vulnerabilities.yml
index 49eb1e0c..c908110d 100644
--- a/.github/workflows/find-vulnerabilities.yml
+++ b/.github/workflows/find-vulnerabilities.yml
@@ -19,5 +19,6 @@ jobs:
 pipelines: "inspect_packages:StaticResolver,find_vulnerabilities"
 check-compliance: true
 compliance-fail-on-vulnerabilities: true
+ scancodeio-repo-branch: "main"
 env:
 VULNERABLECODE_URL: https://public.vulnerablecode.io/
From 761a97ec88a71247dc5e26d1022aca015a81db4c Mon Sep 17 00:00:00 2001
From: tdruez
Date: Thu, 26 Jun 2025 17:36:52 +0400
Subject: [PATCH 3/3] Remove the temp vulnerability used for testing
Signed-off-by: tdruez
---
 pyproject.toml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/pyproject.toml b/pyproject.toml
index 87ade619..221670e7 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -164,9 +164,7 @@ dependencies = [
 "maturin==1.8.6",
 "setuptools-rust==1.11.1",
 "annotated-types==0.7.0",
- "semantic-version==2.10.0",
- # Introduce vulnerability on purpose
- "abupy==0.0.1"
+ "semantic-version==2.10.0"
 ]
 
 [project.optional-dependencies]
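Review bot: `scancodeio-repo-branch: "main"` adds a second floating ref next to the action's own `@main`, so the scanner code and the action driving it are both resolved at run time, and nothing in the workflow records why an unreleased branch is needed or when it can be dropped. The commit subject explains the reason, but that does not survive into the file; a comment on the added line such as `# TODO(review): needed until a scancode.io release includes the compliance-check inputs; pin to that tag afterwards` keeps the intent next to the setting. Once such a release exists, replace the branch name with the tag here and pin the action to a commit SHA in the step above, which sits outside this hunk.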