Merge pull request #8686 from wmontwe/add-fluidattacks-scan

[CASA] Add fluidattacks scanner
thunderbird · Dec 16, 2024 · d579dc0 · d579dc0
2 parents 7a3be48 + 8610a55
commit d579dc0
Show file tree

Hide file tree

Showing 3 changed files with 96 additions and 0 deletions.
diff --git a/.github/workflows/fluidscan.yml b/.github/workflows/fluidscan.yml
@@ -0,0 +1,37 @@
+name: Fluidattacks - Code scanning
+on:
+  schedule:
+    - cron: '0 10 * * 1'
+  workflow_dispatch:
+
+jobs:
+  fluidattacks-scan:
+
+    runs-on: ubuntu-latest
+
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
+        with:
+          persist-credentials: false
+
+      - name: "Run Fluidattacks scanner"
+        run: |
+          bash scripts/run-fluidattacks-scanner.sh
+
+      - name: "Upload scan results"
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        with:
+          name: SARIF scan results
+          path: fluidscan-results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@babb554ede22fd5605947329c4d04d8e7a0b8155 # v3.27.7
+        with:
+          sarif_file: fluidscan-results.sarif
diff --git a/config/fluidattacks/config.yaml b/config/fluidattacks/config.yaml
@@ -0,0 +1,28 @@
+# Taken from: https://appdefensealliance.dev/casa/tier-2/ast-guide/static-scan
+# as that is out of date, updated to the latest version of the scanner, see below
+# https://help.fluidattacks.com/portal/en/kb/articles/validate-casa-tier-2-requirements
+namespace: thunderbird-android
+working_dir: /repo
+language: EN
+output:
+  file_path: /repo/fluidscan-results.sarif
+  format: SARIF
+#apk:
+#  include:
+#    - ./app-k9mail/build/outputs/apk/foss/release/app-k9mail-foss-release.apk
+#    - ./app-k9mail/build/outputs/apk/full/release/app-k9mail-full-release.apk
+#    - ./app-thunderbird/build/outputs/apk/foss/release/app-thunderbird-full-release.apk
+#    - ./app-thunderbird/build/outputs/apk/foss/release/app-thunderbird-full-release.apk
+sast:
+  include:
+    - .
+  exclude:
+    - glob(**/build/**)
+    - glob(**/test/**)
+sca:
+  include:
+    - .
+  exclude:
+    - glob(**/test/**)
+file_size_limit: false
+tracing_opt_out: true
diff --git a/scripts/run-fluidattacks-scanner.sh b/scripts/run-fluidattacks-scanner.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+function fail() {
+  echo "Error: $*"
+  exit 1
+}
+
+# Check if tools are installed
+command -v docker &> /dev/null || fail "Docker is not installed"
+
+# Default values
+debug=false
+
+# Parse command-line arguments
+for arg in "$@"; do
+  case $arg in
+    --debug)
+      debug=true
+      shift
+      ;;
+    *)
+      fail "Unknown argument: $arg"
+      ;;
+  esac
+done
+
+if [ "$debug" = true ]; then
+  docker run --rm -v "$(pwd)":/repo -it fluidattacks/cli:latest /bin/bash
+  exit
+fi
+docker run --rm -v "$(pwd)":/repo fluidattacks/cli:latest skims scan /repo/config/fluidattacks/config.yaml