Merge branch 'master' into tag-guard

inspectIT · Nov 9, 2023 · 04f7dba · 04f7dba
2 parents 26f3ee1 + caddf26
commit 04f7dba
Show file tree

Hide file tree

Showing 22 changed files with 833 additions and 486 deletions.
diff --git a/.github/workflows/agent_test.yml b/.github/workflows/agent_test.yml
@@ -69,6 +69,26 @@ jobs:
           flags: unittests
           verbose: true
 
+  dependency-scan:
+    name: Dependency Scan
+    runs-on: ubuntu-latest
+    container: eclipse-temurin:8-jdk
+    needs: [ pr-check ]
+    steps:
+      - uses: actions/checkout@v3
+      - name: Grant execute permission for gradlew
+        run: chmod +x gradlew
+      - name: Scan dependencies inspectit-ocelot-sdk
+        run: ./gradlew :inspectit-ocelot-sdk:dependencyCheckAnalyze
+      - name: Scan dependencies inspectit-ocelot-config
+        run: ./gradlew :inspectit-ocelot-config:dependencyCheckAnalyze
+      - name: Scan dependencies inspectit-ocelot-core
+        run: ./gradlew :inspectit-ocelot-core:dependencyCheckAnalyze
+      - name: Scan dependencies inspectit-ocelot-bootstrap
+        run: ./gradlew :inspectit-ocelot-bootstrap:dependencyCheckAnalyze
+      - name: Scan dependencies inspectit-ocelot-agent
+        run: ./gradlew :inspectit-ocelot-agent:dependencyCheckAnalyze
+
   jmh-compile:
     name: 'Compile JMH Tests'
     runs-on: ubuntu-latest

diff --git a/.github/workflows/configdocsgenerator_test.yml b/.github/workflows/configdocsgenerator_test.yml
@@ -24,3 +24,17 @@ jobs:
       - name: test
         run: ../../gradlew test
         working-directory: ${{env.working-directory}}
+
+  dependency-scan:
+    name: Dependency Scan
+    runs-on: ubuntu-latest
+    env:
+      working-directory: ./components/inspectit-ocelot-configdocsgenerator
+    container: openjdk:8-jdk
+    steps:
+      - uses: actions/checkout@v2
+      - name: Grant execute permission for gradlew
+        run: chmod +x gradlew
+      - name: Scan dependencies
+        working-directory: ${{env.working-directory}}
+        run: ../../gradlew :inspectit-ocelot-configdocsgenerator:dependencyCheckAnalyze
diff --git a/.github/workflows/configuration_ui_test.yml b/.github/workflows/configuration_ui_test.yml
@@ -15,9 +15,23 @@ jobs:
     runs-on: ubuntu-latest
     container: openjdk:8-jdk
     env:
-      working-directory: ./components/inspectit-ocelot-configurationserver
+      working-directory: ./components/inspectit-ocelot-configurationserver-ui
     steps:
       - uses: actions/checkout@v3
       - name: Build frontend
         working-directory: ${{env.working-directory}}
         run: ../../gradlew buildFrontend
+
+  dependency-scan:
+    name: Dependency Scan
+    runs-on: ubuntu-latest
+    env:
+      working-directory: ./components/inspectit-ocelot-configurationserver-ui
+    container: openjdk:8-jdk
+    steps:
+      - uses: actions/checkout@v3
+      - name: Grant execute permission for gradlew
+        run: chmod +x gradlew
+      - name: Scan dependencies
+        working-directory: ${{env.working-directory}}
+        run: ../../gradlew :inspectit-ocelot-configurationserver-ui:dependencyCheckAnalyze
diff --git a/.github/workflows/configurationserver_test.yml b/.github/workflows/configurationserver_test.yml
@@ -32,3 +32,17 @@ jobs:
       - name: test
         run: ../../gradlew test
         working-directory: ${{env.working-directory}}
+
+  dependency-scan:
+    name: Dependency Scan
+    runs-on: ubuntu-latest
+    env:
+      working-directory: ./components/inspectit-ocelot-configurationserver
+    container: openjdk:8-jdk
+    steps:
+      - uses: actions/checkout@v2
+      - name: Grant execute permission for gradlew
+        run: chmod +x gradlew
+      - name: Scan dependencies
+        working-directory: ${{env.working-directory}}
+        run: ../../gradlew :inspectit-ocelot-configurationserver:dependencyCheckAnalyze
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -15,6 +15,8 @@ jobs:
         uses: actions/checkout@v3
       - name: Grant execute permission for gradlew
         run: chmod +x gradlew
+      - name: Scan dependencies
+        run: ./gradlew dependencyCheckAggregate
       - name: Build artifacts
         run: |
           ./gradlew assemble bootJarWithFrontend :inspectit-ocelot-core:cyclonedxBom :inspectit-ocelot-configurationserver:cyclonedxBom -PbuildVersion=${{ github.ref_name }}
@@ -26,7 +28,7 @@ jobs:
           cp ./inspectit-ocelot-core/build/reports/bom.xml ./boms/inspectit-ocelot-agent-bom.xml
           cp ./components/inspectit-ocelot-configurationserver/build/reports/bom.json ./boms/inspectit-ocelot-configurationserver-bom.json
           cp ./components/inspectit-ocelot-configurationserver/build/reports/bom.xml ./boms/inspectit-ocelot-configurationserver-bom.xml
-          zip -r ./artifacts/software-bill-of-materials.zip ./boms 
+          zip -r ./artifacts/software-bill-of-materials.zip ./boms
       - name: Calculate checksums of release artifacts
         working-directory: ./artifacts
         run: for f in *; do sha256sum "$f" >> inspectit-ocelot-sha256-checksums.txt; done
@@ -39,8 +41,8 @@ jobs:
         uses: danipaniii/[email protected]
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
-          sinceTag: ${{ steps.previoustag.outputs.tag }} 
-          dateFormat: 
+          sinceTag: ${{ steps.previoustag.outputs.tag }}
+          dateFormat:
           maxIssues: 500
           unreleased: false
           author: false
@@ -57,7 +59,7 @@ jobs:
           body: |
             "You can also find the corresponding documentation online under the following link: [inspectIT Ocelot Documentation](http://docs.inspectit.rocks)"
             ${{ steps.build_changelog.outputs.changelog }}
-            
+
   build_and_publish_docker_images:
     name: "Build and Push Docker Images"
     runs-on: ubuntu-latest

diff --git a/.gitignore b/.gitignore
@@ -1,5 +1,6 @@
 .gradle
 *build/
+*bin/
 !gradle/wrapper/gradle-wrapper.jar
 *.log
 *.zip
@@ -31,3 +32,4 @@
 /.nb-gradle/
 
 /working_directory/
+/gradle/*.versions.updates.toml
diff --git a/README.md b/README.md
@@ -119,6 +119,11 @@ If you need additional or in-depth information on the actual implementation of i
   <img src="https://contributors-img.web.app/image?repo=inspectit/inspectit-ocelot" />
 </a>
 
+## How to Release
+
+Important tasks to check first are `dependencyUpdates` or `dependencyUpdates[Major|Minor]` for newer (patch, minor, major)
+versions, the `outdated` task for node modules and `dependencyCheckAnalyze` or `dependencyCheckAggregate` for security issues in the used dependencies (including node modules).
+
 ## FAQ
 
 #### Is it pronounced inspect-"IT" or "it"?

diff --git a/build.gradle b/build.gradle
@@ -1,7 +1,11 @@
 import com.github.jk1.license.render.TextReportRenderer
+import com.github.benmanes.gradle.versions.updates.DependencyUpdatesTask
 
 plugins {
-    id "com.github.jk1.dependency-license-report" version "${licenseReportVersion}"
+    alias(libs.plugins.nlLittlerobotsVersionCatalogUpdate)
+    alias(libs.plugins.comGithubJk1DependencyLicenseReport)
+    alias(libs.plugins.orgOwaspDependencycheck) apply false
+    alias(libs.plugins.comGithubBenManesVersions)
 }
 
 licenseReport {
@@ -18,12 +22,98 @@ allprojects {
 
     apply plugin: 'java'
     apply plugin: 'jacoco'
+    apply plugin: 'org.owasp.dependencycheck'
 
     if (!project.hasProperty('buildVersion') || project.getProperty('buildVersion').empty) {
         ext.buildVersion = 'SNAPSHOT'
     }
 
     version = "$buildVersion"
+
+    dependencyCheck {
+        //failBuildOnCVSS = 6
+        scanProjects = [
+                ':inspectit-ocelot-agent',
+                ':inspectit-ocelot-core',
+                ':inspectit-ocelot-sdk',
+                ':inspectit-ocelot-bootstrap',
+                ':inspectit-ocelot-configurationserver',
+                ':inspectit-ocelot-configurationserver-ui'
+        ]
+        skipConfigurations = ["jmh", "jmhCompileClasspath", "systemTest", "systemTestCompileClasspath", "systemTestRuntimeClasspath"]
+        analyzers {
+            assemblyEnabled = false
+            ossIndex {
+                enabled = true
+            }
+            nodeAudit {
+                yarnEnabled = false
+            }
+        }
+    }
+
+
+}
+
+versionCatalogUpdate {
+    // sort the catalog by key (default is true)
+    sortByKey = true
+    keep {
+        // keep versions without any library or plugin reference
+        keepUnusedVersions = true
+        // keep all libraries that aren't used in the project
+        keepUnusedLibraries = true
+        // keep all plugins that aren't used in the project
+        keepUnusedPlugins = true
+    }
+}
+
+tasks.withType(DependencyUpdatesTask).configureEach {
+    // default settings
+    revision = 'milestone'
+    gradleReleaseChannel = "current"
+    checkConstraints = true
+    checkBuildEnvironmentConstraints = true
+    outputFormatter = 'json,plain'
+}
+
+def isNonStable = { String candidate ->
+    def stableKeyword = ['RELEASE', 'FINAL', 'GA', 'JRE'].any { it -> candidate.toUpperCase().contains(it) }
+    def versionRegex = /^[0-9,.v-]+(-r)?$/
+    return !stableKeyword && !(candidate ==~ versionRegex)
+}
+
+def isNotSameMajorMinor = { String current, String candidate, boolean matchMinor ->
+    if(current.equals(candidate)) return false
+
+    def firstDot = current.indexOf('.')
+    def secondDot = current.indexOf('.', firstDot + 1)
+    def major = current.substring(0, firstDot)
+    def minor = current.substring(firstDot + 1, secondDot)
+    def majorRegex = /^$major\..*/
+    def minorRegex = /^$major\.${minor}\..*/
+    return !((candidate ==~ majorRegex) && (!matchMinor || (candidate ==~ minorRegex)))
+}
+
+tasks.named("dependencyUpdates").configure {
+    rejectVersionIf {
+        // only patch updates
+        isNonStable(it.candidate.version) || isNotSameMajorMinor(it.currentVersion, it.candidate.version, true)
+    }
+}
+
+tasks.register('dependencyUpdatesMinor', DependencyUpdatesTask) {
+    rejectVersionIf {
+        // only minor updates
+        isNonStable(it.candidate.version) || isNotSameMajorMinor(it.currentVersion, it.candidate.version, false)
+    }
+}
+
+tasks.register('dependencyUpdatesMajor', DependencyUpdatesTask) {
+    rejectVersionIf {
+        // all updates including major updates
+        isNonStable(it.candidate.version)
+    }
 }
 
 tasks.register('codeCoverageReport', JacocoReport) {

diff --git a/components/inspectit-ocelot-configdocsgenerator/build.gradle b/components/inspectit-ocelot-configdocsgenerator/build.gradle
@@ -2,38 +2,45 @@ plugins {
     // Apply the application plugin to add support for building a CLI application in Java.
     id 'application'
     // spring dependency manager
-    id 'org.springframework.boot' version "${springBootVersion}"
+    alias(libs.plugins.orgSpringframeworkBoot)
 }
 apply plugin: 'io.spring.dependency-management'
 
 dependencies {
     // Use JUnit Jupiter for testing.
     testImplementation(
-            'org.junit.jupiter:junit-jupiter',
-            "io.opencensus:opencensus-api:${openCensusVersion}",
-            "io.opentelemetry:opentelemetry-api:${openTelemetryVersion}",
+            libs.orgJunitJupiterJunitJupiter,
+            libs.ioOpencensusOpencensusApi,
+            libs.ioOpentelemetryOpentelemetryApi,
 
-            'org.mockito:mockito-junit-jupiter',
-            "org.assertj:assertj-core",
-            "com.google.guava:guava:${guavaVersionConfigServer}"
+            libs.orgMockitoMockitoJunitJupiter,
+            libs.orgAssertjAssertjCore,
+            libs.comGoogleGuava
     )
 
     // This dependency is used by the application.
     implementation(
             project(':inspectit-ocelot-config'),
-            "ch.qos.logback:logback-classic",
-            "org.apache.commons:commons-lang3",
-            "commons-beanutils:commons-beanutils:${commonsBeanUtilsVersion}",
+            libs.chQosLogbackLogbackClassic,
+            libs.orgApacheCommonsCommonsLang3,
+            libs.commonsBeanutils,
             // Update dependency, due to Out-of-Support
-            "org.apache.commons:commons-collections4:${commonsCollectionsVersion}",
+            libs.orgApacheCommonsCommonsCollections4,
 
-            "org.springframework.boot:spring-boot-starter-web",
-            // override snakeyaml due to vulnerabilities in v1.29 used by the SpringBoot version used in this module
-            "org.yaml:snakeyaml:${snakeYamlVersion}"
+            libs.orgSpringframeworkBootSpringBootStarterWeb,
+            libs.orgYamlSnakeyaml
     )
 
-    compileOnly "org.projectlombok:lombok"
-    annotationProcessor "org.projectlombok:lombok"
+    constraints {
+        implementation(libs.orgYamlSnakeyaml) {
+            because 'vulnerabilities in v1.29 used by the SpringBoot version used in this module'
+        }
+        testImplementation(libs.comGoogleGuava) {
+            because 'security issues'
+        }
+    }
+    compileOnly libs.orgProjectlombokLombok
+    annotationProcessor libs.orgProjectlombokLombok
 }
 
 application {