From 72036f2eed13d030c026492d8d8e82242a3b21f7 Mon Sep 17 00:00:00 2001
From: Deepanshu Khanna <78655908+deep1792@users.noreply.github.com>
Date: Sun, 2 Jun 2024 16:28:55 +0400
Subject: [PATCH 01/21] Update users.js
---
web/routes/users.js | 1 +
1 file changed, 1 insertion(+)
diff --git a/web/routes/users.js b/web/routes/users.js
index 283705f..0b640d7 100644
--- a/web/routes/users.js
+++ b/web/routes/users.js
@@ -1,3 +1,4 @@
+# nothing to change just testing
const express = require('express')
const router = express.Router()
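Review bot: The added first line `# nothing to change just testing` is not a comment in JavaScript — `#` only introduces a `#!` shebang — so Node rejects `users.js` with a SyntaxError before `express` is even required, and every route in this file disappears. Use the JavaScript comment form, `// nothing to change just testing`, or drop the line entirely since the subject says it has no purpose. The hunk header promises three context lines but only two are visible here, so the tail of the hunk may have been cut.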
From b16265ccf3aac0c96e9aeec3010fc40a7b0519ad Mon Sep 17 00:00:00 2001
From: Deepanshu Khanna <78655908+deep1792@users.noreply.github.com>
Date: Sun, 2 Jun 2024 16:33:30 +0400
Subject: [PATCH 02/21] Update ci.yml
---
.github/workflows/ci.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9404428..aeda5c8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,4 +1,4 @@
-name: Continuous Integration Workflow
+name: Continuous Integration Workflow1
# This workflow is triggered whenever a new PR is created on the main branch
on:
From b135a8c37fa12763a8862ff968805f9b900828b9 Mon Sep 17 00:00:00 2001
From: Deepanshu Khanna <78655908+deep1792@users.noreply.github.com>
Date: Sun, 2 Jun 2024 16:51:30 +0400
Subject: [PATCH 03/21] Create frogbot-scan-and-fix.yml
---
.github/workflows/frogbot-scan-and-fix.yml | 69 ++++++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 .github/workflows/frogbot-scan-and-fix.yml
diff --git a/.github/workflows/frogbot-scan-and-fix.yml b/.github/workflows/frogbot-scan-and-fix.yml
new file mode 100644
index 0000000..4bbdfc2
--- /dev/null
+++ b/.github/workflows/frogbot-scan-and-fix.yml
@@ -0,0 +1,69 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# Frogbot Scan and Fix does the following:
+# Automatically creates pull requests with fixes for vulnerable project dependencies.
+# Uses JFrog Xray to scan the project.
+# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
+
+# Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
+
+name: "Frogbot Scan and Fix"
+on:
+ push:
+ branches: [ "main" ]
+permissions:
+ contents: write
+ pull-requests: write
+ security-events: write
+jobs:
+ create-fix-pull-requests:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ # IMPORTANT:
+ # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix
+ # 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
+
+ - uses: jfrog/frogbot@8fbeca612957ae5f5f0c03a19cb6e59e237026f3 # v2.10.0
+ env:
+ # [Mandatory if the two conditions below are met]
+ # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies
+ # 2. The `installCommand` variable isn't set in your frogbot-config.yml file.
+ #
+ # The command that installs the project dependencies (e.g "npm i", "nuget restore" or "dotnet restore")
+ # JF_INSTALL_DEPS_CMD: ""
+
+ # [Mandatory]
+ # JFrog platform URL
+ JF_URL: ${{ secrets.JF_URL }}
+
+ # [Mandatory if JF_USER and JF_PASSWORD are not provided]
+ # JFrog access token with 'read' permissions on Xray service
+ JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
+
+ # [Mandatory if JF_ACCESS_TOKEN is not provided]
+ # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD
+ # JF_USER: ${{ secrets.JF_USER }}
+
+ # [Mandatory if JF_ACCESS_TOKEN is not provided]
+ # JFrog password. Must be provided with JF_USER
+ # JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
+
+ # [Mandatory]
+ # The GitHub token automatically generated for the job
+ JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ # [Optional]
+ # If the machine that runs Frogbot has no access to the internat, set the name of a remote repository
+ # in Artifactory, which proxies https://releases.jfrog.io/artifactory
+ # The 'frogbot' executable and other tools it needs will be downloaded through this repository.
+ # JF_RELEASES_REPO: ""
+
+ # [Optional]
+ # Frogbot will download the project dependencies, if they're not cached locally. To download the
+ # dependencies from a virtual repository in Artifactory, set the name of of the repository. There's no
+ # need to set this value, if it is set in the frogbot-config.yml file.
+ # JF_DEPS_REPO: ""
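Review bot: `- uses: actions/checkout@v4` in `steps` is referenced by a mutable tag while the `jfrog/frogbot@8fbeca61…` step directly below it is pinned to a commit SHA, so the job's supply-chain posture is only as strong as its weakest pin; pin checkout the same way, `- uses: actions/checkout@<commit-sha> # v4` (placeholder for the v4 release commit). This matters more than usual here because the job runs on every push to `main` with `contents: write`, `pull-requests: write` and `security-events: write`, which Frogbot's fix PRs require. The comment on the `JF_RELEASES_REPO` option also reads `internat` where `internet` is meant.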
From dfd1fae955a70191e9aec45cab39caec07622cd3 Mon Sep 17 00:00:00 2001
From: Deepanshu Khanna <78655908+deep1792@users.noreply.github.com>
Date: Sun, 2 Jun 2024 16:52:19 +0400
Subject: [PATCH 04/21] Create frogbot-scan-pr.yml
---
.github/workflows/frogbot-scan-pr.yml | 74 +++++++++++++++++++++++++++
1 file changed, 74 insertions(+)
create mode 100644 .github/workflows/frogbot-scan-pr.yml
diff --git a/.github/workflows/frogbot-scan-pr.yml b/.github/workflows/frogbot-scan-pr.yml
new file mode 100644
index 0000000..2c63e20
--- /dev/null
+++ b/.github/workflows/frogbot-scan-pr.yml
@@ -0,0 +1,74 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# Frogbot Scan Pull Request does the following:
+# Automatically scans new pull requests for security vulnerabilities.
+# Uses JFrog Xray to scan the project.
+# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
+
+# Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
+
+name: "Frogbot Scan Pull Request"
+on:
+ pull_request_target:
+ types: [ opened, synchronize ]
+permissions:
+ pull-requests: write
+ contents: read
+jobs:
+ scan-pull-request:
+ runs-on: ubuntu-latest
+ # A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the
+ # "frogbot" GitHub environment can approve the pull request to be scanned.
+ # Read more here (Install Frogbot Using GitHub Actions): https://github.com/jfrog/frogbot/blob/master/docs/install-github.md
+ environment: frogbot
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ # IMPORTANT:
+ # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix
+ # 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
+
+ - uses: jfrog/frogbot@8fbeca612957ae5f5f0c03a19cb6e59e237026f3 # v2.10.0
+ env:
+ # [Mandatory if the two conditions below are met]
+ # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies
+ # 2. The `installCommand` variable isn't set in your frogbot-config.yml file.
+ #
+ # The command that installs the project dependencies (e.g "npm i", "nuget restore" or "dotnet restore")
+ # JF_INSTALL_DEPS_CMD: ""
+
+ # [Mandatory]
+ # JFrog platform URL
+ JF_URL: ${{ secrets.JF_URL }}
+
+ # [Mandatory if JF_USER and JF_PASSWORD are not provided]
+ # JFrog access token with 'read' permissions on Xray service
+ JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
+
+ # [Mandatory if JF_ACCESS_TOKEN is not provided]
+ # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD
+ # JF_USER: ${{ secrets.JF_USER }}
+
+ # [Mandatory if JF_ACCESS_TOKEN is not provided]
+ # JFrog password. Must be provided with JF_USER
+ # JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
+
+ # [Mandatory]
+ # The GitHub token automatically generated for the job
+ JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ # [Optional]
+ # If the machine that runs Frogbot has no access to the internat, set the name of a remote repository
+ # in Artifactory, which proxies https://releases.jfrog.io/artifactory
+ # The 'frogbot' executable and other tools it needs will be downloaded through this repository.
+ # JF_RELEASES_REPO: ""
+
+ # [Optional]
+ # Frogbot will download the project dependencies, if they're not cached locally. To download the
+ # dependencies from a virtual repository in Artifactory, set the name of of the repository. There's no
+ # need to set this value, if it is set in the frogbot-config.yml file.
+ # JF_DEPS_REPO: ""
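Review bot: The `pull_request_target` trigger combined with `ref: ${{ github.event.pull_request.head.sha }}` checks out and scans code from the pull request head while the job holds `JF_URL`, `JF_ACCESS_TOKEN` and a `pull-requests: write` token; the only thing between a fork's code and those secrets is the `environment: frogbot` gate, which is a no-op unless that environment actually exists with required reviewers configured. Add a comment above `environment: frogbot` making this explicit, e.g. `# The 'frogbot' environment MUST exist with required reviewers; without it this job runs untrusted PR code with repository secrets`, and confirm the environment settings before merging. Separately, `actions/checkout@v2` is a deprecated major and differs from the `@v4` used in frogbot-scan-and-fix.yml; align both, ideally pinned by commit SHA as the frogbot step already is.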
From c4d5f58a65bc963016944d40de25ad932c9f5536 Mon Sep 17 00:00:00 2001
From: Deepanshu Khanna <78655908+deep1792@users.noreply.github.com>
Date: Sun, 2 Jun 2024 17:03:30 +0400
Subject: [PATCH 05/21] Create sonarqube.yml
---
.github/workflows/sonarqube.yml | 66 +++++++++++++++++++++++++++++++++
1 file changed, 66 insertions(+)
create mode 100644 .github/workflows/sonarqube.yml
diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml
new file mode 100644
index 0000000..92f5cc1
--- /dev/null
+++ b/.github/workflows/sonarqube.yml
@@ -0,0 +1,66 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow helps you trigger a SonarQube analysis of your code and populates
+# GitHub Code Scanning alerts with the vulnerabilities found.
+# (this feature is available starting from SonarQube 9.7, Developer Edition and above)
+
+# 1. Make sure you add a valid GitHub configuration to your SonarQube (Administration > DevOps platforms > GitHub)
+
+# 2. Import your project on SonarQube
+# * Add your repository as a new project by clicking "Create project" from your homepage.
+#
+# 3. Select GitHub Actions as your CI and follow the tutorial
+# * a. Generate a new token and add it to your GitHub repository's secrets using the name SONAR_TOKEN
+# (On SonarQube, click on your avatar on top-right > My account > Security or ask your administrator)
+#
+# * b. Copy/paste your SonarQube host URL to your GitHub repository's secrets using the name SONAR_HOST_URL
+#
+# * c. Copy/paste the project Key into the args parameter below
+# (You'll find this information in SonarQube by following the tutorial or by clicking on Project Information at the top-right of your project's homepage)
+
+# Feel free to take a look at our documentation (https://docs.sonarqube.org/latest/analysis/github-integration/)
+# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/sq/10)
+
+name: SonarQube analysis
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ workflow_dispatch:
+
+permissions:
+ pull-requests: read # allows SonarQube to decorate PRs with analysis results
+
+jobs:
+ Analysis:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Analyze with SonarQube
+
+ # You can pin the exact commit or the version.
+ # uses: SonarSource/sonarqube-scan-action@v1.1.0
+ uses: SonarSource/sonarqube-scan-action@7295e71c9583053f5bf40e9d4068a0c974603ec8
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on SonarQube, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
+ # SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} # add the URL of your instance to the secrets of this repo with the name SONAR_HOST_URL (Settings > Secrets > Actions > add new repository secret)
+ with:
+ # Additional arguments for the sonarcloud scanner
+ args:
+ # Unique key of your project. You can find it in SonarQube > [my project] > Project Information (top-right menu)
+ # mandatory
+ -Dsonar.projectKey= deep1792
+ # Comma-separated paths to directories containing main source files.
+ #-Dsonar.sources= # optional, default is project base directory
+ # When you need the analysis to take place in a directory other than the one from which it was launched
+ #-Dsonar.projectBaseDir= # optional, default is .
+ # Comma-separated paths to directories containing test source files.
+ #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
+ # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
+ #-Dsonar.verbose= # optional, default is false
From 9a6d4c889b793c06b468ed9644768853a76a068b Mon Sep 17 00:00:00 2001
From: Deepanshu Khanna <78655908+deep1792@users.noreply.github.com>
Date: Sun, 2 Jun 2024 17:06:10 +0400
Subject: [PATCH 06/21] Update sonarqube.yml
---
.github/workflows/sonarqube.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml
index 92f5cc1..abd1699 100644
--- a/.github/workflows/sonarqube.yml
+++ b/.github/workflows/sonarqube.yml
@@ -49,13 +49,13 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on SonarQube, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
- # SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} # add the URL of your instance to the secrets of this repo with the name SONAR_HOST_URL (Settings > Secrets > Actions > add new repository secret)
+ SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} # add the URL of your instance to the secrets of this repo with the name SONAR_HOST_URL (Settings > Secrets > Actions > add new repository secret)
with:
# Additional arguments for the sonarcloud scanner
args:
# Unique key of your project. You can find it in SonarQube > [my project] > Project Information (top-right menu)
# mandatory
- -Dsonar.projectKey= deep1792
+ -Dsonar.projectKey= deep1792/ci-cd-intro
# Comma-separated paths to directories containing main source files.
#-Dsonar.sources= # optional, default is project base directory
# When you need the analysis to take place in a directory other than the one from which it was launched
From 5159c7a2f048b0be16e073f44059621ae6c21d42 Mon Sep 17 00:00:00 2001
From: Deepanshu Khanna <78655908+deep1792@users.noreply.github.com>
Date: Sun, 2 Jun 2024 17:07:45 +0400
Subject: [PATCH 07/21] Update sonarqube.yml
---
.github/workflows/sonarqube.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml
index abd1699..4f592cb 100644
--- a/.github/workflows/sonarqube.yml
+++ b/.github/workflows/sonarqube.yml
@@ -55,7 +55,7 @@ jobs:
args:
# Unique key of your project. You can find it in SonarQube > [my project] > Project Information (top-right menu)
# mandatory
- -Dsonar.projectKey= deep1792/ci-cd-intro
+ -Dsonar.projectKey=deep1792/ci-cd-intro
# Comma-separated paths to directories containing main source files.
#-Dsonar.sources= # optional, default is project base directory
# When you need the analysis to take place in a directory other than the one from which it was launched
From 0a278baa6d1101c2c8fdc9e32c26b7395eaee2d8 Mon Sep 17 00:00:00 2001
From: Deepanshu Khanna <78655908+deep1792@users.noreply.github.com>
Date: Sun, 2 Jun 2024 17:09:31 +0400
Subject: [PATCH 08/21] Update sonarqube.yml
---
.github/workflows/sonarqube.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml
index 4f592cb..6b9971e 100644
--- a/.github/workflows/sonarqube.yml
+++ b/.github/workflows/sonarqube.yml
@@ -52,10 +52,10 @@ jobs:
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} # add the URL of your instance to the secrets of this repo with the name SONAR_HOST_URL (Settings > Secrets > Actions > add new repository secret)
with:
# Additional arguments for the sonarcloud scanner
- args:
+ args:
# Unique key of your project. You can find it in SonarQube > [my project] > Project Information (top-right menu)
# mandatory
- -Dsonar.projectKey=deep1792/ci-cd-intro
+ -Dsonar.projectKey=deep1792
# Comma-separated paths to directories containing main source files.
#-Dsonar.sources= # optional, default is project base directory
# When you need the analysis to take place in a directory other than the one from which it was launched
From 1e2e4fb6e47c8f7c5fbd2cc78da71f00b14f0053 Mon Sep 17 00:00:00 2001
From: Deepanshu Khanna <78655908+deep1792@users.noreply.github.com>
Date: Sun, 2 Jun 2024 17:12:32 +0400
Subject: [PATCH 09/21] Update and rename sonarqube.yml to build.yml
---
.github/workflows/build.yml | 20 ++++++++++
.github/workflows/sonarqube.yml | 66 ---------------------------------
2 files changed, 20 insertions(+), 66 deletions(-)
create mode 100644 .github/workflows/build.yml
delete mode 100644 .github/workflows/sonarqube.yml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..5f896a6
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,20 @@
+name: Build
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+ types: [opened, synchronize, reopened]
+jobs:
+ sonarcloud:
+ name: SonarCloud
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
+ - name: SonarCloud Scan
+ uses: SonarSource/sonarcloud-github-action@master
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
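Review bot: `uses: SonarSource/sonarcloud-github-action@master` references a moving branch, so the code that runs with `SONAR_TOKEN` and `GITHUB_TOKEN` changes whenever upstream pushes and any compromise of that branch is inherited immediately; the sonarqube.yml this commit deletes pinned its scanner action to a commit SHA, so this is a regression. Pin to a release tag or, better, a commit, `uses: SonarSource/sonarcloud-github-action@<commit-sha> # <version>` (placeholders). The same `@master` reference reappears in the main.yaml created in PATCH 11 and in the build.yml and main.yaml rewrites of PATCH 16 and PATCH 19. The push trigger uses `branches: - master`, while ci.yml's own comment and both Frogbot workflows target `main`; if the default branch is `main`, pushes never trigger this scan.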
diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml
deleted file mode 100644
index 6b9971e..0000000
--- a/.github/workflows/sonarqube.yml
+++ /dev/null
@@ -1,66 +0,0 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-# This workflow helps you trigger a SonarQube analysis of your code and populates
-# GitHub Code Scanning alerts with the vulnerabilities found.
-# (this feature is available starting from SonarQube 9.7, Developer Edition and above)
-
-# 1. Make sure you add a valid GitHub configuration to your SonarQube (Administration > DevOps platforms > GitHub)
-
-# 2. Import your project on SonarQube
-# * Add your repository as a new project by clicking "Create project" from your homepage.
-#
-# 3. Select GitHub Actions as your CI and follow the tutorial
-# * a. Generate a new token and add it to your GitHub repository's secrets using the name SONAR_TOKEN
-# (On SonarQube, click on your avatar on top-right > My account > Security or ask your administrator)
-#
-# * b. Copy/paste your SonarQube host URL to your GitHub repository's secrets using the name SONAR_HOST_URL
-#
-# * c. Copy/paste the project Key into the args parameter below
-# (You'll find this information in SonarQube by following the tutorial or by clicking on Project Information at the top-right of your project's homepage)
-
-# Feel free to take a look at our documentation (https://docs.sonarqube.org/latest/analysis/github-integration/)
-# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/sq/10)
-
-name: SonarQube analysis
-
-on:
- push:
- branches: [ "main" ]
- pull_request:
- branches: [ "main" ]
- workflow_dispatch:
-
-permissions:
- pull-requests: read # allows SonarQube to decorate PRs with analysis results
-
-jobs:
- Analysis:
- runs-on: ubuntu-latest
-
- steps:
- - name: Analyze with SonarQube
-
- # You can pin the exact commit or the version.
- # uses: SonarSource/sonarqube-scan-action@v1.1.0
- uses: SonarSource/sonarqube-scan-action@7295e71c9583053f5bf40e9d4068a0c974603ec8
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on SonarQube, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
- SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} # add the URL of your instance to the secrets of this repo with the name SONAR_HOST_URL (Settings > Secrets > Actions > add new repository secret)
- with:
- # Additional arguments for the sonarcloud scanner
- args:
- # Unique key of your project. You can find it in SonarQube > [my project] > Project Information (top-right menu)
- # mandatory
- -Dsonar.projectKey=deep1792
- # Comma-separated paths to directories containing main source files.
- #-Dsonar.sources= # optional, default is project base directory
- # When you need the analysis to take place in a directory other than the one from which it was launched
- #-Dsonar.projectBaseDir= # optional, default is .
- # Comma-separated paths to directories containing test source files.
- #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
- # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
- #-Dsonar.verbose= # optional, default is false
From 456d024f0d3a683687d542fd833e498e954a67d2 Mon Sep 17 00:00:00 2001
From: Deepanshu Khanna <78655908+deep1792@users.noreply.github.com>
Date: Sun, 2 Jun 2024 17:13:42 +0400
Subject: [PATCH 10/21] Create sonar-project.properties
---
sonar-project.properties | 13 +++++++++++++
1 file changed, 13 insertions(+)
create mode 100644 sonar-project.properties
diff --git a/sonar-project.properties b/sonar-project.properties
new file mode 100644
index 0000000..8daf71b
--- /dev/null
+++ b/sonar-project.properties
@@ -0,0 +1,13 @@
+sonar.projectKey=deep1792_ci-cd-intro
+sonar.organization=deep1792
+
+# This is the name and version displayed in the SonarCloud UI.
+#sonar.projectName=ci-cd-intro
+#sonar.projectVersion=1.0
+
+
+# Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows.
+#sonar.sources=.
+
+# Encoding of the source code. Default is default system encoding
+#sonar.sourceEncoding=UTF-8
From 40e3559de8f67d45e28c2af1b3ae8361f89c88de Mon Sep 17 00:00:00 2001
From: Deepanshu Khanna <78655908+deep1792@users.noreply.github.com>
Date: Sun, 2 Jun 2024 17:17:33 +0400
Subject: [PATCH 11/21] Create main.yaml
---
.github/workflows/main.yaml | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 .github/workflows/main.yaml
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
new file mode 100644
index 0000000..d967770
--- /dev/null
+++ b/.github/workflows/main.yaml
@@ -0,0 +1,24 @@
+name: Sonar Qube Build
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+ types: [opened, synchronize, reopened]
+jobs:
+ sonarcloud:
+ name: SonarCloud
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ - name: SonarCloud Scan
+ uses: SonarSource/sonarcloud-github-action@master
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ with:
+ args: >
+ -Dsonar.organization=deep1792
+ -Dsonar.projectKey=deep1792
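Review bot: This workflow fires on the same `push`/`pull_request` events and runs the same `SonarSource/sonarcloud-github-action` step as the build.yml created in PATCH 09, so every event now launches two SonarCloud analyses with the same token, and the two pass different configuration. Here `-Dsonar.projectKey=deep1792` while sonar-project.properties (PATCH 10) declares `sonar.projectKey=deep1792_ci-cd-intro` and build.yml passes no key at all; pick one key and one workflow. If this file is meant to replace build.yml, delete build.yml in the same commit rather than leaving both active.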
From a196443947662f0aec73b66a7263f4c338c1f22d Mon Sep 17 00:00:00 2001
From: Deepanshu Khanna <78655908+deep1792@users.noreply.github.com>
Date: Sun, 2 Jun 2024 17:18:24 +0400
Subject: [PATCH 12/21] Update main.yaml
---
.github/workflows/main.yaml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index d967770..a6522a6 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -11,14 +11,14 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- with:
+ with:
fetch-depth: 0
- - name: SonarCloud Scan
+ - name: SonarCloud Scan
uses: SonarSource/sonarcloud-github-action@master
- env:
+ env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- with:
+ with:
args: >
-Dsonar.organization=deep1792
-Dsonar.projectKey=deep1792
From 9b2d16d4c3b65ae4c4429d6a980bf42bd794d206 Mon Sep 17 00:00:00 2001
From: Deepanshu Khanna <78655908+deep1792@users.noreply.github.com>
Date: Sun, 2 Jun 2024 17:31:37 +0400
Subject: [PATCH 13/21] Create pm.xml
---
.github/workflows/pm.xml | 4 ++++
1 file changed, 4 insertions(+)
create mode 100644 .github/workflows/pm.xml
diff --git a/.github/workflows/pm.xml b/.github/workflows/pm.xml
new file mode 100644
index 0000000..754d853
--- /dev/null
+++ b/.github/workflows/pm.xml
@@ -0,0 +1,4 @@
+
+ deep1792-1
+ https://sonarcloud.io
+
From bf8ae7be69304a41486aec635fbc3088577f764d Mon Sep 17 00:00:00 2001
From: Deepanshu Khanna <78655908+deep1792@users.noreply.github.com>
Date: Sun, 2 Jun 2024 17:32:23 +0400
Subject: [PATCH 14/21] Update build.yml
---
.github/workflows/build.yml | 29 +++++++++++++++++++++++------
1 file changed, 23 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5f896a6..9d6b927 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,20 +1,37 @@
-name: Build
+name: SonarCloud
on:
push:
branches:
- - master
+ - main
pull_request:
types: [opened, synchronize, reopened]
jobs:
- sonarcloud:
- name: SonarCloud
+ build:
+ name: Build and analyze
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- - name: SonarCloud Scan
- uses: SonarSource/sonarcloud-github-action@master
+ - name: Set up JDK 17
+ uses: actions/setup-java@v3
+ with:
+ java-version: 17
+ distribution: 'zulu' # Alternative distribution options are available.
+ - name: Cache SonarCloud packages
+ uses: actions/cache@v3
+ with:
+ path: ~/.sonar/cache
+ key: ${{ runner.os }}-sonar
+ restore-keys: ${{ runner.os }}-sonar
+ - name: Cache Maven packages
+ uses: actions/cache@v3
+ with:
+ path: ~/.m2
+ key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+ restore-keys: ${{ runner.os }}-m2
+ - name: Build and analyze
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=deep1792_ci-cd-intro
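Review bot: The new `run: mvn -B verify … sonar-maven-plugin:sonar` step needs a Maven `pom.xml` at the repository root, and nothing in this series adds one there — the only pom-like file (`pm.xml`, PATCH 13) lives under `.github/workflows/`, and the visible application code (`web/routes/users.js`, express) is Node — so the step will most likely fail at `mvn` before any analysis runs. `hashFiles('**/pom.xml')` in the Maven cache key would also match a file under `.github/workflows/`, which is not a build input. If the project is JavaScript, the `SonarSource/sonarcloud-github-action` step this hunk removes (or the sonar-scanner CLI) is the right integration rather than the Maven plugin.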
From 537a835735bd91c1142ed04cbe19e70564f75dc3 Mon Sep 17 00:00:00 2001
From: Deepanshu Khanna <78655908+deep1792@users.noreply.github.com>
Date: Sun, 2 Jun 2024 17:33:16 +0400
Subject: [PATCH 15/21] Rename pm.xml to pom.xml
---
.github/workflows/{pm.xml => pom.xml} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename .github/workflows/{pm.xml => pom.xml} (100%)
diff --git a/.github/workflows/pm.xml b/.github/workflows/pom.xml
similarity index 100%
rename from .github/workflows/pm.xml
rename to .github/workflows/pom.xml
From 4ee544f5de527a5b8e106c81cc64003ae704102c Mon Sep 17 00:00:00 2001
From: Deepanshu Khanna <78655908+deep1792@users.noreply.github.com>
Date: Sun, 2 Jun 2024 17:34:39 +0400
Subject: [PATCH 16/21] Update build.yml
---
.github/workflows/build.yml | 27 +++++----------------------
1 file changed, 5 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 9d6b927..2796c76 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,4 +1,4 @@
-name: SonarCloud
+name: Build
on:
push:
branches:
@@ -6,32 +6,15 @@ on:
pull_request:
types: [opened, synchronize, reopened]
jobs:
- build:
- name: Build and analyze
+ sonarcloud:
+ name: SonarCloud
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- - name: Set up JDK 17
- uses: actions/setup-java@v3
- with:
- java-version: 17
- distribution: 'zulu' # Alternative distribution options are available.
- - name: Cache SonarCloud packages
- uses: actions/cache@v3
- with:
- path: ~/.sonar/cache
- key: ${{ runner.os }}-sonar
- restore-keys: ${{ runner.os }}-sonar
- - name: Cache Maven packages
- uses: actions/cache@v3
- with:
- path: ~/.m2
- key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
- restore-keys: ${{ runner.os }}-m2
- - name: Build and analyze
+ - name: SonarCloud Scan
+ uses: SonarSource/sonarcloud-github-action@master
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=deep1792_ci-cd-intro
From 25fd30bcdd77341db2ae81a0148dac517a6d5119 Mon Sep 17 00:00:00 2001
From: Deepanshu Khanna <78655908+deep1792@users.noreply.github.com>
Date: Sun, 2 Jun 2024 17:37:08 +0400
Subject: [PATCH 17/21] Delete .github/workflows/pom.xml
---
.github/workflows/pom.xml | 4 ----
1 file changed, 4 deletions(-)
delete mode 100644 .github/workflows/pom.xml
diff --git a/.github/workflows/pom.xml b/.github/workflows/pom.xml
deleted file mode 100644
index 754d853..0000000
--- a/.github/workflows/pom.xml
+++ /dev/null
@@ -1,4 +0,0 @@
-
- deep1792-1
- https://sonarcloud.io
-
From 553a50a973dc1bdf7480636c8c64f8a72a5d442c Mon Sep 17 00:00:00 2001
From: Deepanshu Khanna <78655908+deep1792@users.noreply.github.com>
Date: Sun, 2 Jun 2024 17:37:22 +0400
Subject: [PATCH 18/21] Delete .github/workflows/main.yaml
---
.github/workflows/main.yaml | 24 ------------------------
1 file changed, 24 deletions(-)
delete mode 100644 .github/workflows/main.yaml
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
deleted file mode 100644
index a6522a6..0000000
--- a/.github/workflows/main.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: Sonar Qube Build
-on:
- push:
- branches:
- - master
- pull_request:
- types: [opened, synchronize, reopened]
-jobs:
- sonarcloud:
- name: SonarCloud
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- with:
- fetch-depth: 0
- - name: SonarCloud Scan
- uses: SonarSource/sonarcloud-github-action@master
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- with:
- args: >
- -Dsonar.organization=deep1792
- -Dsonar.projectKey=deep1792
From 40aaf0a78546980db6f37097ca3053d86897bb67 Mon Sep 17 00:00:00 2001
From: Deepanshu Khanna <78655908+deep1792@users.noreply.github.com>
Date: Sun, 2 Jun 2024 17:41:57 +0400
Subject: [PATCH 19/21] Update and rename build.yml to main.yaml
---
.github/workflows/build.yml | 20 ---------------
.github/workflows/main.yaml | 50 +++++++++++++++++++++++++++++++++++++
2 files changed, 50 insertions(+), 20 deletions(-)
delete mode 100644 .github/workflows/build.yml
create mode 100644 .github/workflows/main.yaml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
deleted file mode 100644
index 2796c76..0000000
--- a/.github/workflows/build.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-name: Build
-on:
- push:
- branches:
- - main
- pull_request:
- types: [opened, synchronize, reopened]
-jobs:
- sonarcloud:
- name: SonarCloud
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- with:
- fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- - name: SonarCloud Scan
- uses: SonarSource/sonarcloud-github-action@master
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
new file mode 100644
index 0000000..c3efe51
--- /dev/null
+++ b/.github/workflows/main.yaml
@@ -0,0 +1,50 @@
+name: Build
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+ types: [opened, synchronize, reopened]
+jobs:
+ sonarcloud:
+ name: SonarCloud
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
+ - name: SonarCloud Scan
+ uses: SonarSource/sonarcloud-github-action@master
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ with:
+ args: >
+ -Dsonar.organization="Deepanshu Khanna"
+ -Dsonar.projectKey=deep1792-1
+#name: Sonar Qube Build
+#on:
+ # push:
+ # branches:
+ # - master
+ # pull_request:
+ # types: [opened, synchronize, reopened]
+#jobs:
+# sonarcloud:
+ # name: SonarCloud
+ # runs-on: ubuntu-latest
+ # steps:
+ # - uses: actions/checkout@v3
+ # with:
+ # fetch-depth: 0
+ # - name: SonarCloud Scan
+ # uses: SonarSource/sonarcloud-github-action@master
+ # env:
+ # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ # with:
+ # args: >
+ # -Dsonar.organization=deep1792
+ # -Dsonar.projectKey=deep1792
+
+
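Review bot: `uses: SonarSource/sonarcloud-github-action@master` on the new side runs a third-party action from a mutable branch while handing it `SONAR_TOKEN` and `GITHUB_TOKEN`, so any push to (or compromise of) that branch executes with those secrets on the next scan; pin it to a release tag, or better a full commit SHA, e.g. `uses: SonarSource/sonarcloud-github-action@<full-commit-sha> # vX.Y.Z`. The job also declares no `permissions:` block, so its GITHUB_TOKEN receives the repository default, which may include write scopes a read-only scan does not need; add `permissions:` with `contents: read` and `pull-requests: read` at job level to keep that token least-privilege. Two smaller points: `-Dsonar.organization="Deepanshu Khanna"` passes the literal quotes and the space through the folded scalar, whereas the commented-out copy below uses `deep1792`, so confirm which value is the real organization key; and the 24 lines of commented-out duplicate workflow at the end of the file should be deleted rather than kept, since dead config invites the wrong copy being un-commented later.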
From 59016ce275a49ad511669a4879db509eda1dd097 Mon Sep 17 00:00:00 2001
From: Deepanshu Khanna <78655908+deep1792@users.noreply.github.com>
Date: Sun, 2 Jun 2024 17:44:53 +0400
Subject: [PATCH 20/21] Update main.yaml
---
.github/workflows/main.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index c3efe51..bee6dbe 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -22,6 +22,7 @@ jobs:
args: >
-Dsonar.organization="Deepanshu Khanna"
-Dsonar.projectKey=deep1792-1
+
#name: Sonar Qube Build
#on:
# push:
From 1d27514fc1a9b71274cd284966fe9a0f79c8237f Mon Sep 17 00:00:00 2001
From: Deepanshu Khanna <78655908+deep1792@users.noreply.github.com>
Date: Mon, 3 Jun 2024 11:33:15 +0400
Subject: [PATCH 21/21] Create codeql.yml
---
.github/workflows/codeql.yml | 93 ++++++++++++++++++++++++++++++++++++
1 file changed, 93 insertions(+)
create mode 100644 .github/workflows/codeql.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..3839396
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,93 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ schedule:
+ - cron: '15 8 * * 0'
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ # Runner size impacts CodeQL analysis time. To learn more, please see:
+ # - https://gh.io/recommended-hardware-resources-for-running-codeql
+ # - https://gh.io/supported-runners-and-hardware-resources
+ # - https://gh.io/using-larger-runners (GitHub.com only)
+ # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+ runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+ timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
+ permissions:
+ # required for all workflows
+ security-events: write
+
+ # required to fetch internal or private CodeQL packs
+ packages: read
+
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: javascript-typescript
+ build-mode: none
+ # CodeQL supports the following values keywords for 'language': 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
+ # Use `c-cpp` to analyze code written in C, C++ or both
+ # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+ # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+ # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+ # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+ # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+ # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+
+ # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
+ # If the analyze step fails for one of the languages you are analyzing with
+ # "We were unable to automatically build your code", modify the matrix above
+ # to set the build mode to "manual" for that language. Then modify this step
+ # to build your code.
+ # âšī¸ Command-line programs to run using the OS shell.
+ # đ See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+ - if: matrix.build-mode == 'manual'
+ shell: bash
+ run: |
+ echo 'If you are using a "manual" build mode for one or more of the' \
+ 'languages you are analyzing, replace this with the commands to build' \
+ 'your code, for example:'
+ echo ' make bootstrap'
+ echo ' make release'
+ exit 1
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{matrix.language}}"
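Review bot: The `on:` block at the top of the new file filters both `push` and `pull_request` to `branches: [ "main" ]`, while the Sonar workflow added two commits earlier in this series triggers on `master`; if master is the repository's default branch, CodeQL will run only on the weekly cron and never gate a pull request. Align the filter with the actual default branch, e.g. `branches: [ "master" ]`, or list both until the branch naming settles. Consider also enabling the stricter query suite the template leaves commented out, `queries: security-extended,security-and-quality` under the init step's `with:`, since the default suite omits a number of lower-precision security checks. The `@v3`/`@v4` tags on the GitHub-owned actions are acceptable, but if the repository adopts SHA pinning for third-party actions it should do so here too for consistency.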