Merge pull request #126 from ProteGO-Safe/release/4.5.2

Release/4.5.1 + Release/4.5.2

.github/workflows/ci.yml

@@ -1,6 +1,6 @@
 ---
 
-name: build and deploy
+name: Build and Deploy
 on:
   release:
     types:
@@ -54,7 +54,7 @@ jobs:
           echo "PUSH_MODE=true" >> $GITHUB_ENV
 
   deploy-efgs-downloader:
-    name: Deploy Efgs Downloader
+    name: Build&Deploy Efgs Downloader
     needs: Setup
     runs-on: ubuntu-latest
     defaults:
@@ -127,13 +127,14 @@ jobs:
              --allow-unauthenticated \
              --region $REGION \
              --timeout=540s \
-             --set-env-vars EFGS_MESSAGE_PROJECT_ID=$PROJECT_ID,STACKDRIVER_LOG_NAME=EfgsDiagnosisKeysDownloader,EFGS_MESSAGE_TOPIC_ID=firebase-subscription-uploadDiagnosisKeysSubscriber-$REGION,EFGS_API=$EFGS_URL
+             --set-env-vars EFGS_PROJECT_ID=$PROJECT_ID,EFGS_MESSAGE_PROJECT_ID=$PROJECT_ID,STACKDRIVER_LOG_NAME=EfgsDiagnosisKeysDownloader,EFGS_MESSAGE_TOPIC_ID=firebase-subscription-uploadDiagnosisKeysSubscriber-$REGION,EFGS_API=$EFGS_URL
         if: ${{ needs.Setup.outputs.ENVIRONMENT }}
 
   test-efgs-uploader:
     name: Test Efgs Uploader
     runs-on: ubuntu-latest
     needs: Setup
+    if: ${{ needs.Setup.outputs.ENVIRONMENT }}
     defaults:
       run:
         working-directory: ./efgs/uploader
@@ -195,9 +196,9 @@ jobs:
           path: efgs/uploader/efgs-uploader-tests-result.txt
 
   deploy-efgs-uploader:
-    name: Deploy Efgs Uploader
+    name: Build&Deploy Efgs Uploader
     runs-on: ubuntu-latest
-    needs: [Setup, test-efgs-uploader]
+    needs: [Setup]
     defaults:
       run:
         working-directory: ./efgs/uploader
@@ -302,7 +303,7 @@ jobs:
       - run: npm update
       - run: npm install
       - run: npm run lint
-      - run: npm audit --audit-level moderate
+      - run: npm audit --production --audit-level moderate
       - run: npm test > nodejs-tests-result.txt
         env:
           CLOUD_RUNTIME_CONFIG: '{"config":{"region":"europe-west1"}}'
@@ -313,7 +314,7 @@ jobs:
           path: functions/nodejs-tests-result.txt
 
   Deplot_TS:
-    name: Deploy TS Functions
+    name: Build&Deploy TS Functions
     needs: [Setup,Lint_TS,deploy-efgs-uploader,deploy-efgs-downloader]
     runs-on: ubuntu-latest
     if: ${{ needs.Setup.outputs.ENVIRONMENT }}
@@ -355,7 +356,7 @@ jobs:
           node-version: ${{ env.NODE_VERSION }}
 
       - run: npm --prefix functions install
-      - run: npm --prefix functions audit --audit-level moderate
+      - run: npm --prefix functions audit --production --audit-level moderate
 
 
       - run: echo "FUNCTIONS=$(cat functions/src/index.ts | sed -n '/exports/,/cloudFunctions/p' | sed -e 's/exports\(.*\)cloudFunctions/\1/' | sed 's/ = ..*;//' | sed 's/\./functions:/g' |tr '\n' ',')" >> $GITHUB_ENV
@@ -380,6 +381,7 @@ jobs:
     if: always()
     name: Notify
     needs:
+      - Deplot_TS
       - Lint_TS
       - deploy-efgs-uploader
       - test-efgs-uploader
@@ -461,7 +463,7 @@ jobs:
                 if (j.status != "completed") {
                     continue
                 }
-                if (j.conclusion != "success") {
+                if (!(j.conclusion == "skipped" || j.conclusion == "success")) {
                   is_wf_success = false
                 }
                 if (j.conclusion == "failure") {

.github/workflows/schedul.yml → .github/workflows/schedule.yml

@@ -1,27 +1,45 @@
----
-
-name: build and deploy
+--- 
+name: Schedule test
 on:
   schedule:
     - cron: '0 9 * * *'
 
 jobs:
   Setup:
     runs-on: ubuntu-latest
+    if: github.repository_owner != 'ProteGO-Safe' && github.event_name == 'schedule' 
     outputs:
       ENVIRONMENT: ${{ env.ENVIRONMENT }}
       NODE_VERSION: 12
       JAVA_VERSION: 11
+      BRANCH_MATRIX: ${{ env.BRANCH_MATRIX }}
     steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
       - name: Set env to SCHEDULE
-        if: github.repository_owner != 'ProteGO-Safe'
-            && github.event_name == 'schedule'
         run: |
           echo "ENVIRONMENT=SCHEDULE" >> $GITHUB_ENV
 
+      - name: Set matrix branch
+        id: set-matrix
+        run: |
+          last_releases=$(git branch -a --format='%(refname:short)' --sort=-committerdate |sed -e 's|origin/||g;' | grep release | head -n 1)
+          last_active=$(git branch -a --format='%(refname:short)' --sort=-committerdate |sed -e 's|origin/||g; /HEAD/d; /release/d; /snyk/d; /master/d; /dependabot/d;' | head -n 3)
+          matrix="$last_releases $last_active master"
+          matrix=$(printf '%s\n' $matrix | sort | uniq | jq --slurp --raw-input 'split("\n")[:-1]')
+          echo "BRANCH_MATRIX=$(echo $matrix)" >> $GITHUB_ENV
+
   efgs-downloader-build:
     name: Efgs Downloader Build
     if: ${{ needs.Setup.outputs.ENVIRONMENT }}
+    continue-on-error: true
+    strategy:
+      fail-fast: false
+      matrix: 
+        branches: ${{ fromJson(needs.Setup.outputs.BRANCH_MATRIX) }}
     needs: Setup
     runs-on: ubuntu-latest
     defaults:
@@ -34,6 +52,8 @@ jobs:
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v2
+        with:
+          ref: ${{ matrix.branches }}
 
       - uses: actions/cache@v2
         env:
@@ -63,8 +83,13 @@ jobs:
 
   efgs-uploader-build:
     name: Efgs Uploader Build
+    continue-on-error: true
     if: ${{ needs.Setup.outputs.ENVIRONMENT }}
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix: 
+         branches: ${{ fromJson(needs.Setup.outputs.BRANCH_MATRIX) }}
     needs: Setup
     defaults:
       run:
@@ -76,6 +101,8 @@ jobs:
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v2
+        with:
+          ref: ${{ matrix.branches }}
 
       - uses: actions/cache@v2
         env:
@@ -85,6 +112,17 @@ jobs:
           key: ${{ env.cache-name }}-${{ hashFiles('**/efgs/uploader/pom.xml') }}
           restore-keys: ${{ env.cache-name }}-
 
+      - name: Set Env's to run tests for schedule mode
+        run: |
+          echo "EFGS_URL=${{ secrets[env.EFGS_ENV] }}" >> $GITHUB_ENV
+          echo "NBBS=${{ secrets[env.NBBS_ENV] }}" >> $GITHUB_ENV
+          echo "NBTLS=${{ secrets[env.NBTLS_ENV] }}" >> $GITHUB_ENV
+        if: env.ENVIRONMENT == 'SCHEDULE'
+        env:
+          EFGS_ENV: "DEV_EFGS"
+          NBBS_ENV: "DEV_NBBS"
+          NBTLS_ENV: "DEV_NBTLS"
+
       - name: Install java
         uses: actions/setup-java@v1
         with:
@@ -106,6 +144,11 @@ jobs:
   Lint_TS:
     name: Lint&Audit TS Functions
     if: ${{ needs.Setup.outputs.ENVIRONMENT }}
+    continue-on-error: true
+    strategy:
+      fail-fast: false
+      matrix: 
+         branches: ${{ fromJson(needs.Setup.outputs.BRANCH_MATRIX) }}
     runs-on: ubuntu-latest
     needs: [Setup]
     env:
@@ -115,6 +158,9 @@ jobs:
         working-directory: functions
     steps:
       - uses: actions/checkout@v2
+        with:
+          ref: ${{ matrix.branches }}
+
       - uses: actions/cache@v2
         env:
           cache-name: node
@@ -135,7 +181,7 @@ jobs:
           CLOUD_RUNTIME_CONFIG: '{"config":{"region":"europe-west1"}}'
 
   notify:
-    if: always()
+    if: ${{ needs.Setup.outputs.ENVIRONMENT }} && always()
     name: Notify
     needs:
       - Lint_TS
@@ -219,24 +265,42 @@ jobs:
                 if (j.status != "completed") {
                     continue
                 }
-                if (j.conclusion != "success") {
+                if (!(j.conclusion == "skipped" || j.conclusion == "success")) {
                   is_wf_success = false
                 }
                 if (j.conclusion == "failure") {
                   is_wf_failure = true
-                }
-                fields.push({
+                  fields.push({
                     type: "mrkdwn",
                     text: status_icon_func(j.conclusion) + " <" + j.html_url + "|" + j.name + ">\n  \u21b3 completed in " + date_diff_func(new Date(j.started_at), new Date(j.completed_at))
-                })
+                  })
+                }
             }
             var workflow_status = "w_cancelled"
             if (is_wf_success) {
               workflow_status = "w_success"
+              var slack_msg = {
+                blocks: [
+                    {
+                        type: "section",
+                        text: {
+                            type: "mrkdwn",
+                            text: "<https://github.com/${{ github.repository }}|*${{ github.repository }}*>\nfrom *${{ github.ref }}@" + commit + "*"
+                        }
+                    },
+                    {
+                        type: "section",
+                        text: {
+                            type: "mrkdwn",
+                            text: status_icon_func(workflow_status) + " *${{ github.workflow }}* " + pr + "\nWorkflow run <" + wf_run.data.html_url + "|#${{ github.run_number }}> completed in " + date_diff_func(new Date(wf_run.data.created_at), new Date(wf_run.data.updated_at))
+                        }
+                    }
+                ]
+            }
+            
             } else if (is_wf_failure) {
               workflow_status = "w_failure"
-            }
-            var slack_msg = {
+              var slack_msg = {
                 blocks: [
                     {
                         type: "section",
@@ -261,6 +325,8 @@ jobs:
                     }
                 ]
             }
+            }
+
             return slack_msg
 
       - name: Send to Slack

CHANGELOG.md

@@ -4,6 +4,22 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## 4.5.1
+
+### Added
+- Multi-branch audit with notification on slack (#282)
+- Check date of file on storage before publish
+
+### Changed
+- Update CI VAR(s) and steps
+- Changed time window for executing statistic's CF (#284)
+- Update pom and remove spring-cloud-gcp-starter-secretmanager
+- Update jsdom
+
+### Fixed
+- Fix vulnerabilities
+- Fix for merge to master
+
 ## 4.5.0
 
 ### Added

efgs/downloader/owasp/suppressions.xml

@@ -4,10 +4,6 @@
         <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-crypto.*$</packageUrl>
         <cve>CVE-2018-1258</cve>
     </suppress>
-    <suppress>
-        <packageUrl regex="true">^pkg:maven/com\.google\.cloud/google\-cloud\-logging\-logback.*$</packageUrl>
-        <cve>CVE-2017-5929</cve>
-    </suppress>
     <suppress>
         <packageUrl regex="true">^pkg:maven/io\.opencensus/opencensus\-contrib\-grpc\-util@.*$</packageUrl>
         <cve>CVE-2017-8359</cve>
@@ -38,6 +34,7 @@
         <cve>CVE-2021-25122</cve>
         <cve>CVE-2021-25329</cve>
         <cve>CVE-2020-9484</cve>
+        <cve>CVE-2021-33037</cve>
     </suppress>
     <suppress>
         <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat\.embed/tomcat\-embed\-websocket.*$</packageUrl>
@@ -47,6 +44,7 @@
         <cve>CVE-2021-25122</cve>
         <cve>CVE-2021-25329</cve>
         <cve>CVE-2020-9484</cve>
+        <cve>CVE-2021-33037</cve>
     </suppress>
     <suppress>
         <packageUrl regex="true">^pkg:maven/io\.netty/netty\-transport.*$</packageUrl>
@@ -78,4 +76,19 @@
         <cve>CVE-2021-21295</cve>
         <cve>CVE-2021-21409</cve>
     </suppress>
+    <suppress>
+        <packageUrl regex="true">^pkg:maven/ch\.qos\.logback\.contrib/logback\-json\-core.*$</packageUrl>
+        <cve>CVE-2017-5929</cve>
+    </suppress>
+    <suppress>
+        <packageUrl regex="true">^pkg:maven/ch\.qos\.logback\.contrib/logback\-json\-classic.*$</packageUrl>
+        <cve>CVE-2017-5929</cve>
+    </suppress>
+    <suppress>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.commons/commons\-compress.*$</packageUrl>
+        <cve>CVE-2021-35517</cve>
+        <cve>CVE-2021-35516</cve>
+        <cve>CVE-2021-35515</cve>
+        <cve>CVE-2021-36090</cve>
+    </suppress>
 </suppressions>