add blackduck scan to run on master #6130
I don't think our CI has access to DACH-NY.
that particular repo in DACH-NY is public so should be okay
Force-pushed from 9b7d8a6 to d0b2375
Also note that despite the description of the PR, as it stands it would run on every PR and master commit, and on both Linux and macOS.
yeah just testing the run first, will then move it to the daily job. i'll mark it as DRAFT so it is clear it is not yet to be merged
Force-pushed from de79943 to 7bb3050
Force-pushed from fea2dc3 to 7cbf818
```yaml
env:
  BLACKDUCK_HUBDETECT_TOKEN: $(BLACKDUCK_HUBDETECT_TOKEN)
```
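Review bot: as this revision stands, the step receiving BLACKDUCK_HUBDETECT_TOKEN runs on PR builds as well as master (see the discussion above), so confirm the variable is defined as a secret pipeline variable so its value is masked in logs, and decide whether the scan should run on PR builds at all before this is merged; passing the variable through `env:` is the right way to expose a secret variable to the step.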
Do these depend on the build having run? If not, could we move this to a separate job?
@garyverhaegen-da yeah it does depend on the build having run since we need the bazel build resolution and node modules and other build output to be interrogated to get the full list of libraries used
Requesting changes until I understand how I can see results and why we want this to break our master builds but not our PR builds.
I really don't like the idea that we have a check that can fail on master but is not checked on PRs.
I'm a bit confused by the change to use
experimenting with runs that fail on policy violation on PRs to see how long it takes
Force-pushed from 4fc7d3b to c71d956
run on PRs and master
…for bazel jvm and node and other langs
ensure haskell processing complete before full scan
Signed-off-by: Brian Healey <brian.healey@digitalasset.com>
…to wrapper script
Force-pushed from 4c2cc6e to f60717d
```yaml
- template: ../bash-lib.yml
  parameters:
    var_name: bash_lib
```
You're not using that library.
* add blackduck scan to run on master (#6130)
* add blackduck scan
* disable go scanning exclude entire language-support/ts directory for node scanning break to multiple lines to make command line params easier to parse
* Increase timeout for blackduck binary scan
* update blackduck scan config
* remove some exclusions, force python3
* exclude GO until path to go executable can be resolved
* added readme explanation of why we want this file
* fail in case of policy violation
* ensure haskell bazel scan completes before running second round scan for bazel jvm and node and other langs
* trigger notices file gen to ensure BOM complete
* remove trailing end of lines
* run with latest detect version and unique code location name changes to wrapper script
* Add blackduck to daily compat job
* DO NOT MERGE: condition false to disable other jobs for testing
* remove parameters not available to cronjob
* Revert changes to regular CI pipeline

CHANGELOG_BEGIN
CHANGELOG_END

Signed-off-by: Brian Healey <brian.healey@digitalasset.com>

* Do not get branch name from variable
* Upgrade com.fasterxml.jackson.core:jackson-databind to 2.12.0 to address security vulnerability
* Remove disabling of other jobs, set to branch to be used on prod runs
* Apply suggestions from code review

Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com>

* Address code review comments
* Updated NOTICES file
* Run bazel build, update NOTICES file
* Correct dade-assist
* do not have perms to pipe to dev/null
* Add md file explaining how to update NOTICES file
* Add instructions for running blackduck locally
* Add a link to full security-blackduck readme

Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com>
THIS PR
TODO (follow-on PRs)