Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/debricked/example-source-codeless-scan-maven
An example showcasing the Source-codeless Scan feature for a Maven project
Last synced: about 2 months ago
- Host: GitHub
- URL: https://github.com/debricked/example-source-codeless-scan-maven
- Owner: debricked
- License: apache-2.0
- Created: 2020-07-07T12:45:35.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2021-09-30T11:30:20.000Z (over 3 years ago)
- Last Synced: 2023-03-02T02:22:23.733Z (almost 2 years ago)
- Language: Java
- Homepage:
- Size: 70.3 KB
- Stars: 0
- Watchers: 3
- Forks: 2
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Source-codeless Scan for Maven, with Debricked Github Action
This example shows how you can use the Debricked Github Action to scan the dependencies of your Maven repository, without uploading the source code to Debricked.
This is called a _Source-codeless Scan_, and is available for Gradle and Maven.
Note that most other languages, such as JavaScript and Python, are already source-codeless by default, and you don't need to take any further action.

To do this for Maven, two steps need to be performed.
1. You need to generate a list of dependencies as a part of your own pipeline.
2. Add caching for the list generation to make the action snappy.
3. These lists must be uploaded to Debricked.

This repository shows how this can be done for a simple Maven project.
## Steps
Here is a description of the two steps above in more detail.
If you want to look at the final version of a working file, look in the [.github/workflows/vulnerabilities.yml](.github/workflows/vulnerabilities.yml) workflow file in this repository.
The different parts of it are described below.

### Generate a list of dependencies
This can be done by running the Maven `dependency:tree` plugin and storing the output in a file.
The output filename is important: the Debricked integration looks for these files in the next step.
The output file _must_ be placed in the same directory as the `pom.xml` file it belongs to; otherwise Debricked cannot connect them.

In [.github/workflows/vulnerabilities.yml](.github/workflows/vulnerabilities.yml), this is the first part of the workflow, i.e., the following step:
```
- run: |
    mvn dependency:tree \
      -DoutputFile=.debricked-maven-dependencies.tgf \
      -DoutputType=tgf
```

If you haven't already, you also need to choose which Java version to use beforehand, like below:
```
- uses: actions/setup-java@v1
  with:
    java-version: '13'
- run: |
    mvn dependency:tree \
      -DoutputFile=.debricked-maven-dependencies.tgf \
      -DoutputType=tgf
```

### Add caching
To enable caching we use GitHub's own [cache action](https://github.com/actions/cache).

Example of caching:
```
- uses: actions/cache@v2
  with:
    path: ~/.m2/repository
    key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
    restore-keys: |
      ${{ runner.os }}-maven-
```

### Upload dependency files to Debricked
This is done with the usual Debricked GitHub Action, described in https://github.com/debricked/actions.
As long as your files are named correctly (`.debricked-maven-dependencies.json` for Maven), the action will automatically detect that you have generated the dependency file yourself.
This means you should *not* enable the `UPLOAD_ALL_FILES` option.

Example of this step:
```
- uses: debricked/actions/scan@v1
  env:
    DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }}
```

## License
The Maven example is based on the code from this tutorial: https://github.com/spring-guides/gs-maven, which is licensed under the Apache License, Version 2.0.
Modifications performed by Debricked, as well as other files, are also covered under the Apache License, Version 2.0.
See the file LICENSE in this repository.
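An added check for the placement rule in the "Generate a list of dependencies" step above (example code, not part of this repository): after `mvn dependency:tree` has run, it walks every `pom.xml` and fails if the sibling `.debricked-maven-dependencies.tgf` is missing or lacks the TGF `#` separator, so a module silently left out of the scan is caught before upload. The filename is taken from the README's own `mvn` step; the `target/` exclusion and the whitespace-free module paths are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not from the debricked repository. Verifies that every
# pom.xml has a sibling dependency file so no module is silently left out
# of the scan. The file name matches the README's mvn dependency:tree step.
DEP_FILE=".debricked-maven-dependencies.tgf"

# check_dep_files ROOT: prints one line per problem; returns 0 only when
# every pom.xml under ROOT (build output in target/ excluded) has a
# well-formed dependency file next to it.
check_dep_files() {
  root="$1"
  problems=0
  # Assumption: module paths contain no whitespace (word-splitting on find output).
  for pom in $(find "$root" -name pom.xml ! -path '*/target/*'); do
    dep="$(dirname "$pom")/$DEP_FILE"
    if [ ! -f "$dep" ]; then
      echo "MISSING: $dep (pom: $pom)"
      problems=$((problems + 1))
    elif ! grep -qx '#' "$dep"; then
      # TGF output separates node lines from edge lines with a lone '#';
      # without it the file is empty or truncated and should not be uploaded.
      echo "MALFORMED: $dep"
      problems=$((problems + 1))
    fi
  done
  [ "$problems" -eq 0 ]
}

# Constructed fixture: a parent with one module that has its file and one that does not.
demo=$(mktemp -d)
mkdir -p "$demo/ok" "$demo/missing"
for d in "$demo" "$demo/ok" "$demo/missing"; do printf '<project/>\n' > "$d/pom.xml"; done
printf '1 com.example:parent:pom:1.0\n#\n' > "$demo/$DEP_FILE"
printf '1 com.example:ok:jar:1.0\n2 org.lib:util:jar:2.0\n#\n1 2 compile\n' > "$demo/ok/$DEP_FILE"
check_dep_files "$demo" || echo "scan coverage incomplete, fix before uploading"
rm -rf "$demo"
```

Run it as a workflow step between the `mvn dependency:tree` step and the Debricked upload step; a non-zero exit stops the job before an incomplete dependency set is scanned.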