Vulnerability and license scanning - Java

[martin-traverse]

These scans will cover the core platform services:

• Automated vulnerability scanning
• License scanning, to check for license conflicts in dependencies

Both scans to run out of CI and publish results as build artifacts. Probably it is sufficient to run on PR, merge and tag events.

(The same scanning should cover the Java/Scala model runtime in future).

[maoo]

We used https://jeremylong.github.io/DependencyCheck/dependency-check-maven/ for security checks.

As per license reporting, another FINOS project found a gradle plugin to manage it, see https://github.com/finos/symphony-bdk-java/issues/416#issuecomment-762332733

[martin-traverse]

Hi @maoo - I've raised PR #81 for this. Example run/output here (time limited):

https://github.com/Accenture/trac/actions/runs/1375626678

Some points to note:

• False positives for vulnerabilities are listed in dev/vulnerabilities/, the project name 'trac' is one! Probably a separate discussion, so I have marked it as a false positive for now.
• There are no vulnerabilities that need risk accepting
• On license, I have allowed EPL for test licenses and two BOM packages that have missing (null) license
• Create trac-lib-javax to get around the dependency from gRPC on javax.annotation, which is CDDL. Implementation is copied from the Tomcat version, which is Apache 2.
• Build is set to fail on any license scan failure, or a CVSS score >= 4 (i.e medium and above)
• Reports are always generated as build artefacts

Questions

• I think it is ok to run this on PR, merge and tag only, do you agree?
• Where would you like the compliance reports saved? Should we add them as a release artefact for release tag builds?

I'll see if I can make GitHub cache the NVD files in the build before merging.

[maoo]

Hi @maoo - I've raised PR #81 for this. Example run/output here (time limited):

https://github.com/Accenture/trac/actions/runs/1375626678

Awesome work here @martin-traverse ! My comments below:

Some points to note:

• False positives for vulnerabilities are listed in dev/vulnerabilities/, the project name 'trac' is one! Probably a separate discussion, so I have marked it as a false positive for now.
• There are no vulnerabilities that need risk accepting

That's awesome! I'll review it, and confirm that we can actually check the security requirement for FINOS contribution.

• On license, I have allowed EPL for test licenses and two BOM packages that have missing (null) license
• Create trac-lib-javax to get around the dependency from gRPC on javax.annotation, which is CDDL. Implementation is copied from the Tomcat version, which is Apache 2.

That's great, but please keep in mind that both EPL and CDDL (as any other Category B license) are licenses that you can safely redistribute, assuming you add a mention in the NOTICE file, see https://github.com/finos/community/blob/master/governance/Software-Projects/License-categories.md

• Build is set to fail on any license scan failure, or a CVSS score >= 4 (i.e medium and above)
• Reports are always generated as build artefacts

Amazing.

I don't see the Python and Node validations yet; is this something we'll tackle as separate issues/PRs ?

Questions

• I think it is ok to run this on PR, merge and tag only, do you agree?

Yes, assuming we protect the main branch from direct commits, these events would suffice.

• Where would you like the compliance reports saved? Should we add them as a release artefact for release tag builds?

For now, I'd just print them out in the GitHub Actions logs; we can safely leave this task for later, ie when we discuss the first release of Trac into FINOS. WDYT?

[maoo]

Answering to myself re. JS and Python validations... see #75 and #76

@martin-traverse - I reviewed reports on https://github.com/martin-traverse/trac/tree/feature/java_compliance/dev . LGTM, thank you!

[martin-traverse]

That's great, thanks @maoo, I will prepare PRs for the other two languages.