├── .github └── ISSUE_TEMPLATE │ ├── bug-report.md │ ├── contribution-request.md │ ├── feature-request.md │ └── question.md ├── .gitignore ├── .whitesource ├── CI-CD ├── AzureDevOps │ ├── AzureDevOpsBuilds.md │ ├── Mend CLI │ │ ├── AzureDevOps advanced linux with templates │ │ │ ├── AzureDevOps-advanced-linux-with-templates.yml │ │ │ ├── README.md │ │ │ ├── mend-reports-template.yml │ │ │ └── mend-scan-template.yml │ │ ├── AzureDevOps-Image-Scanning-windows.yaml │ │ └── AzureDevOps-windows.yaml │ └── Unified Agent │ │ ├── azure-pipelines_linux.yml │ │ └── azure-pipelines_windows.yml ├── Bamboo │ ├── Mend CLI │ │ └── Atlassian_Bamboo.sh │ └── Unified Agent │ │ └── Bamboo.sh ├── Bitbucket │ ├── Mend CLI │ │ └── Bitbucket.yaml │ └── Unified Agent │ │ └── Bitbucket.yml ├── CircleCI │ ├── Mend CLI │ │ └── CircleCI.yaml │ └── Unified Agent │ │ └── CircleCI.yaml ├── CloudBuild │ └── Unified Agent │ │ └── GoogleCloudBuild.yaml ├── CodeBuild │ └── Unified Agent │ │ └── buildspec.yml ├── CodeFresh │ └── Unified Agent │ │ └── CodeFresh.yml ├── GitHub │ ├── GitHubBuilds.md │ ├── Mend CLI │ │ ├── GitHub-SAST-PR.yaml │ │ ├── GitHub.yaml │ │ ├── Github_Advanced_Linux │ │ │ ├── README.md │ │ │ ├── mend-scan-template.yaml │ │ │ └── mend-scan.yaml │ │ └── Github_image_scan.yaml │ └── Unified Agent │ │ └── GitHub.yml ├── GitLab │ └── Mend CLI │ │ ├── Gitlab_template │ │ ├── README.md │ │ └── mend.yaml │ │ └── gitlab_image_scan.yml ├── Jenkins │ ├── Mend CLI │ │ ├── Jenkins.groovy │ │ ├── README.md │ │ ├── resources │ │ │ └── trustpipelines.jpg │ │ └── vars │ │ │ ├── DownloadMendCLI.groovy │ │ │ ├── GenerateSCAReports.groovy │ │ │ ├── MendSASTScan.groovy │ │ │ └── MendSCAScan.groovy │ └── Unified Agent │ │ ├── Jenkins.groovy │ │ ├── Jenkins_pipeline_maven_multi-org.groovy │ │ └── README.md ├── README.md ├── TeamCity │ ├── Mend CLI │ │ ├── Teamcity.sh │ │ └── settings.kts │ └── Unified Agent │ │ └── TeamCity.sh └── [Generic] │ ├── Mend CLI │ ├── CLIPolicyCheck.md │ └── 
UnifiedCLI-scan.sh │ └── Unified Agent │ ├── Policy-Check │ ├── README.md │ ├── mendpolicycheck-default.yml │ └── mendpolicycheck-feature.yml │ ├── Prioritize │ ├── Java │ │ ├── Multi-Module │ │ │ ├── Gradle │ │ │ │ └── github-action.yml │ │ │ └── Maven │ │ │ │ ├── azure-pipelines.yml │ │ │ │ ├── github-action.yml │ │ │ │ └── gitlab-ci.yml │ │ └── Single-Module │ │ │ ├── Gradle │ │ │ ├── github-action.yml │ │ │ └── prioritize.sh │ │ │ └── Maven │ │ │ ├── azure-pipelines.yml │ │ │ ├── github-action-workshop.yml │ │ │ ├── github-action.yml │ │ │ ├── gitlab-ci.yml │ │ │ └── prioritize.sh │ ├── JavaScript │ │ ├── azure-pipelines.yml │ │ ├── github-action.yml │ │ └── prioritize.sh │ ├── Python │ │ └── github-action.yml │ ├── README.md │ └── Scala │ │ └── SBT-Maven │ │ └── github-action.yml │ └── UA-SCA.sh ├── LICENSE ├── README.md ├── Repo-Integration ├── Binaries │ └── update-java-ca-certificates │ │ ├── LICENSE │ │ └── update-java-ca-certificates ├── Encryption │ ├── README.md │ └── encrypt_credentials.py ├── Private-Registries-No-HostRules │ ├── Conda │ │ ├── .condarc │ │ └── docker-compose.yaml │ ├── Docker │ │ ├── config.js │ │ └── docker-compose.yaml │ ├── Go │ │ └── docker-compose.yaml │ ├── Gradle │ │ ├── Groovy │ │ │ ├── config.js │ │ │ ├── docker-compose.yaml │ │ │ ├── gradle.properties │ │ │ └── init.gradle │ │ └── Kotlin │ │ │ ├── config.js │ │ │ ├── docker-compose.yaml │ │ │ ├── gradle.properties │ │ │ └── init.gradle.kts │ ├── Maven │ │ ├── config.js │ │ ├── docker-compose.yaml │ │ └── settings.xml │ ├── NPM │ │ ├── .npmrc │ │ ├── config.js │ │ └── docker-compose.yaml │ ├── NuGet │ │ ├── NuGet.Config │ │ ├── config.js │ │ └── docker-compose.yaml │ ├── PIP │ │ ├── config.js │ │ └── docker-compose.yaml │ ├── Poetry │ │ ├── config.js │ │ └── docker-compose.yaml │ ├── README.md │ └── Ruby │ │ ├── config.js │ │ └── docker-compose.yaml ├── Renovate │ ├── README.md │ └── smart-merge.json ├── SAST │ ├── 2nd-gen-engines │ │ └── mendsastcli-config.json │ ├── 
IncreaseTimeout │ │ └── mendsastcli-config.json │ └── README.md ├── Schemas │ ├── README.md │ └── ghc-integration-schema.json ├── Self-Managed │ ├── Graylog.md │ ├── README.md │ ├── certs.md │ ├── docker-compose-no-graylog.yaml │ ├── docker-compose-sast.yaml │ ├── docker-compose.yaml │ ├── images │ │ ├── graylog_widget_creation.png │ │ └── memory_usage_extractor_example.png │ ├── mend-graylog-content-pack.json │ └── setup.sh └── Silent-Onboarding │ ├── README.md │ ├── azure-repo-config.json │ ├── bitbucket-repo-config.json │ └── github-repo-config.json ├── SAST CLI ├── 3rd Party Results Consumption │ ├── README.md │ ├── mend_convert_brakeman.sh │ └── output.json └── README.md ├── Scripts ├── Committers │ ├── README.md │ ├── dedup-repo.sh │ ├── get-committers.sh │ └── get-repo-tags.sh ├── Mend CN │ ├── README.md │ ├── create-traceability-tags.sh │ └── get-image-vulnerabilities.sh ├── Mend SAST │ ├── README.md │ └── cleanup_tool_sast.py └── Mend SCA │ ├── README.md │ ├── cache-ua.sh │ ├── check-project-state.sh │ ├── delete-ua-proj.sh │ ├── generate-async-report.sh │ ├── get-all-policies.sh │ ├── get-all-users-under-global-org.py │ ├── get-library-ages.py │ ├── get-malicious-packages.sh │ ├── get-project-scan-info.sh │ ├── group-permissions.sh │ ├── list-policy-violations.sh │ ├── list-project-alerts.sh │ ├── pending-task-cleanup.sh │ ├── product-last-scan-date-export.py │ ├── reassign-projects.sh │ └── scanerrors.sh └── Workshop ├── easybuggy ├── .whitesource_init_pull_request ├── .whitesource_renovate └── pom-after-adding-jboss.xml └── nodegoat ├── .whitesource_init_pull_request ├── .whitesource_renovate └── package.json after adding node-forge /.github/ISSUE_TEMPLATE/bug-report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug Report 3 | about: Create a report to help us improve 4 | title: "[BUG] [mend-examples] Issue Short Description" 5 | labels: bug 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Bug 
Description** 11 | A clear and concise description of what the bug is. 12 | 13 | **Steps to Reproduce** 14 | Steps to reproduce the behavior: 15 | 1. Go to '...' 16 | 2. Click on '....' 17 | 3. Scroll down to '....' 18 | 4. See error 19 | 20 | **Expected Behavior** 21 | A clear and concise description of what you expected to happen. 22 | 23 | **Screenshots** 24 | If applicable, add screenshots to help explain your problem. 25 | 26 | **Environment Details** 27 | - OS: [e.g. Ubuntu 18.04] 28 | - Browser [e.g. chrome, safari] 29 | - Version [e.g. 22] 30 | 31 | **Additional Context** 32 | Add any other context about the problem here. 33 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/contribution-request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Contribution Request 3 | about: Discuss potential changes you wish to contribute 4 | title: "[CR] [mend-examples] Contribution Request Topic" 5 | labels: enhancement 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Planned Changes:** 11 | Describe the changes you wish to contribute, to initiate a discussion with the Mend Toolkit team. 12 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature-request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature Request 3 | about: Suggest an idea for this project 4 | title: "[FR] [mend-examples] Feature Short Description" 5 | labels: feature request 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Is your feature request related to a problem? Please describe.** 11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] 12 | 13 | **Describe the solution you'd like** 14 | A clear and concise description of what you want to happen. 
15 | 16 | **Describe alternatives you've considered** 17 | A clear and concise description of any alternative solutions or features you've considered. 18 | 19 | **Additional context** 20 | Add any other context or screenshots about the feature request here. 21 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/question.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Question 3 | about: General question/how-to 4 | title: "[Question] [mend-examples] Question Topic" 5 | labels: question 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Question** 11 | Ask your question here. Please be as specific as possible. 12 | 13 | **Environment Details** 14 | - OS: [e.g. Ubuntu 18.04] 15 | - Browser [e.g. chrome, safari] 16 | - Version [e.g. 22] 17 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Excluded IDE Directories 2 | .idea/ 3 | .vs/ 4 | .vscode/ 5 | .ws/ 6 | .mend/ 7 | 8 | # Excluded Local/User Directories 9 | _archive/ 10 | _misc/ 11 | _resources/ 12 | local/ 13 | log/ 14 | target/ 15 | whitesource/ 16 | 17 | # Excluded Files - Extensions 18 | *.iml 19 | *.png 20 | *.tar.gz 21 | *.url 22 | 23 | # Excluded Files - Naming Convention 24 | local-env.* 25 | .DS_Store 26 | -------------------------------------------------------------------------------- /.whitesource: -------------------------------------------------------------------------------- 1 | { 2 | "settingsInheritedFrom": "mend-toolkit/whitesource-config@main", 3 | "scanSettingsSAST": { 4 | "enableScan": false 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /CI-CD/AzureDevOps/AzureDevOpsBuilds.md: -------------------------------------------------------------------------------- 1 | # Table of Contents 2 | - [.NET](#.net) 3 | - 
[Gradle](#gradle) 4 | - [Maven](#maven) 5 | - [Npm](#npm) 6 | - [Publishing Mend Unified Agent Logs From a Pipeline](#publishing-mend-unified-agent-logs-from-a-pipeline) 7 | - [Publishing Mend CLI Logs From a Pipeline](#publishing-mend-cli-logs-from-a-pipeline) 8 | 9 | Yaml files should be customized with proper steps for specific builds. Below are a few examples for common Azure DevOps build types. 10 | 11 | # .NET 12 | ```yml 13 | - script: dotnet build --configuration Release 14 | displayName: 'dotnet build Release' 15 | ``` 16 | # Gradle 17 | ```yml 18 | - task: Gradle@2 19 | inputs: 20 | workingDirectory: '' 21 | gradleWrapperFile: 'gradlew' 22 | gradleOptions: '-Xmx3072m' 23 | publishJUnitResults: false 24 | testResultsFiles: '**/TEST-*.xml' 25 | tasks: 'build' 26 | ``` 27 | # Maven 28 | ```yml 29 | - task: Maven@3 30 | inputs: 31 | mavenPomFile: 'pom.xml' 32 | goals: 'clean install' 33 | mavenOptions: -DskipTests=true 34 | publishJUnitResults: false 35 | javaHomeOption: 'JDKVersion' 36 | jdkVersionOption: '1.11' 37 | mavenVersionOption: 'Default' 38 | mavenAuthenticateFeed: false 39 | effectivePomSkip: false 40 | sonarQubeRunAnalysis: false 41 | ``` 42 | 43 | # Npm 44 | ```yml 45 | - task: NodeTool@0 46 | inputs: 47 | versionSpec: '12.x' 48 | displayName: 'Install Node.js' 49 | - task: Npm@1 50 | displayName: 'NPM Install' 51 | inputs: 52 | customCommand: install --package-lock 53 | ``` 54 | 55 | 56 | # Publishing Mend Unified Agent Logs From a Pipeline 57 | 58 | Publish the `whitesource` folder with logs & reports by adding one of the following commands, depending on your platform 59 | 60 | 61 | ```yaml 62 | - publish: $(System.DefaultWorkingDirectory)/whitesource 63 | artifact: Whitesource 64 | ``` 65 | 66 | # Publishing Mend CLI Logs From a Pipeline 67 | 68 | * Publish the `.mend/logs` folder with logs & reports by adding the following commands depending on each pipeline 69 | * SAST logs are currently located in ```.mend/storage/sast/logs``` 70 | 71 | * 
Windows: 72 | ```yaml 73 | - publish: c:\users\VssAdministrator\.mend\logs 74 | artifact: "Mend CLI Logs" 75 | ``` 76 | * Linux: 77 | ```yaml 78 | - publish: ../../../.mend/logs 79 | artifact: "Mend CLI logs" 80 | ``` 81 | 82 | 83 | -------------------------------------------------------------------------------- /CI-CD/AzureDevOps/Mend CLI/AzureDevOps advanced linux with templates/README.md: -------------------------------------------------------------------------------- 1 | # Azure DevOps pipeline sample using templates 2 | 3 | This pipeline is designed for demonstration purposes. You may modify it to fit your specific scanning and pipeline requirements. 4 | 5 | This example takes advantage of Azure DevOps pipeline templates, making it easier to use, read, and reuse across different pipelines. 6 | The templates (`mend-*-template.yml`) need to be placed in a location accessible to all pipelines requiring their use. In this sample, a repository in a global Azure DevOps project is used (`mend-resources/mend-pipeline-templates`), [see example](#how-to-consume-the-template). You may change it to a [different preferred method](https://learn.microsoft.com/en-us/azure/devops/pipelines/process/templates?view=azure-devops&pivots=templates-includes#reference-template-paths). 
7 | 8 | The template (`mend-scan-template.yml`) uses the [Mend CLI](https://docs.mend.io/bundle/integrations/page/scan_with_the_mend_cli.html) to run: 9 | * **Software Composition Analysis (SCA)** scan using package managers (and file system scanning [optional]) to detect open-source components 10 | * **Static Application Security Testing (SAST)** scan to detect languages and frameworks used in your projects and report code weaknesses 11 | * **Mend container image** scan to detect secrets and vulnerabilities in image layers (Operating System and application open-source packages) 12 | 13 | Optionally, it uses (`mend-reports-template.yml`) to generate post-scan SCA reports: 14 | * SBOM report 15 | * Risk report 16 | * Inventory report 17 | * Due diligence report 18 | 19 | 20 | #### How to consume the template? 21 | ##### Place the template files 22 | If you already have a template repo in your ADO Organization, add the `mend-reports-template.yml` and `mend-scan-template.yml` to it; if not, create a new Repo within your ADO organization, e.g. `scan-templates`, and place the files there. 23 | 24 | ##### Call the template functions 25 | In the ADO pipeline from which you wish to call Mend, add the template repository to the `resources` section, then call the template. 
26 | For example, if we'll use `mend-resources/mend-pipeline-templates` as the Project\Repo, the usage will look like this: 27 | ```yaml 28 | resources: 29 | repositories: 30 | - repository: templates 31 | type: git 32 | name: mend-resources/mend-pipeline-templates 33 | # ref: refs/heads/main 34 | ``` 35 | 36 | Note: if you placed the templates on another branch, you may specify the correct branch using `ref` 37 | 38 | Now, running the Mend scans and generating post-scan SCA reports is done in a **single step** via the `mend-scan-template.yml` template (make sure it is run AFTER the package manager(s) build step(s)): 39 | ```yaml 40 | - template: mend-scan-template.yml@templates 41 | parameters: 42 | appName: #Name of the Mend application where results will be uploaded to 43 | projectName: #Name of the Mend project where results will be uploaded to 44 | scanTypeList: #OPTIONAL - Comma-separated list containing any of: SCA,SAST,IMAGE,ALL (Default: "SCA,SAST") 45 | postScanSCAReports: #OPTIONAL - Comma-separated list containing any of: SBOM,RISK,INVENTORY,DUE_DILIGENCE,ALL (Default: "") 46 | imagesToScan: #OPTIONAL - File name containing a list of images to scan (Default: "") 47 | ``` 48 | -------------------------------------------------------------------------------- /CI-CD/AzureDevOps/Mend CLI/AzureDevOps advanced linux with templates/mend-reports-template.yml: -------------------------------------------------------------------------------- 1 | # File: mend-reports-template.yml 2 | 3 | parameters: 4 | reportTypeList: 5 | type: string 6 | default: '' 7 | ### Allowed values: 8 | ### Comma-separated list containing any of: SBOM,RISK,INVENTORY,DUE_DILIGENCE,ALL 9 | 10 | steps: 11 | - script: | 12 | 13 | ### Generate Mend reports ### 14 | ### Obtain project token ### 15 | export WS_PROJECTTOKEN=$(grep -oP "(?<=token=)[^&]+" $(System.DefaultWorkingDirectory)/logs/dep-results.txt) 16 | echo "FOUND TOKEN: $WS_PROJECTTOKEN" 17 | if [ -z "$WS_PROJECTTOKEN" ]; 18 | then 
19 | echo "##vso[task.logissue type=warning;] No project token found, reports will not be generated" 20 | else 21 | export REPORT_TYPES="${{ parameters.reportTypeList }}" 22 | 23 | ### Run SBOM generator ### 24 | ### Requires admin priviledges ### 25 | if [[ "$REPORT_TYPES" == *"SBOM"* || "$REPORT_TYPES" == *"ALL"* ]]; 26 | then 27 | echo "Generating SBOM report" 28 | pip install mend-sbom-export-cli 29 | sbom_export_cli --user-key $MEND_USER_KEY --service $MEND_EMAIL --url $MEND_URL --project $WS_PROJECTTOKEN --out $(System.DefaultWorkingDirectory)/logs 30 | fi 31 | 32 | ### Dependency Reports (SCA) ### 33 | ### Risk Report 34 | if [[ "$REPORT_TYPES" == *"RISK"* || "$REPORT_TYPES" == *"ALL"* ]]; 35 | then 36 | echo "Generating Risk report" 37 | curl -o $(System.DefaultWorkingDirectory)/logs/riskreport.pdf -X POST "${MEND_URL}/api/v1.4" -H "Content-Type: application/json" \ 38 | -d '{"requestType":"getProjectRiskReport","userKey":"'${MEND_USER_KEY}'","projectToken":"'${WS_PROJECTTOKEN}'"}' 39 | fi 40 | 41 | ### Inventory Report 42 | if [[ "$REPORT_TYPES" == *"INVENTORY"* || "$REPORT_TYPES" == *"ALL"* ]]; 43 | then 44 | echo "Generating Inventory report" 45 | curl -o $(System.DefaultWorkingDirectory)/logs/inventoryreport.xlsx -X POST "${MEND_URL}/api/v1.4" -H "Content-Type: application/json" \ 46 | -d '{"requestType":"getProjectInventoryReport","userKey":"'${MEND_USER_KEY}'","projectToken":"'${WS_PROJECTTOKEN}'"}' 47 | fi 48 | 49 | ### Due Diligence Report 50 | if [[ "$REPORT_TYPES" == *"DUE_DILIGENCE"* || "$REPORT_TYPES" == *"ALL"* ]]; 51 | then 52 | echo "Generating Due Diligence report" 53 | curl -o $(System.DefaultWorkingDirectory)/logs/duediligencereport.xlsx -X POST "${MEND_URL}/api/v1.4" -H "Content-Type: application/json" \ 54 | -d '{"requestType":"getProjectDueDiligenceReport","userKey":"'${MEND_USER_KEY}'","projectToken":"'${WS_PROJECTTOKEN}'"}' 55 | fi 56 | fi 57 | env: 58 | ### Authentication Environment Variables ### 59 | MEND_EMAIL: $(MENDEMAIL) 60 | 
MEND_USER_KEY: $(MENDUSERKEY) 61 | displayName: 'Generating post-scan Mend SCA reports' 62 | -------------------------------------------------------------------------------- /CI-CD/AzureDevOps/Mend CLI/AzureDevOps-Image-Scanning-windows.yaml: -------------------------------------------------------------------------------- 1 | # ******** Mend Unified CLI Template for Azure DevOps ******** 2 | # 3 | # You may wish to alter this file to override the build tool and Mend scanning technologies. 4 | # 5 | # For more configuration options, please check the technical documentation portal: 6 | # 📚 https://docs.mend.io/bundle/integrations/page/scan_with_the_mend_cli.html 7 | # 8 | # ******** Description ******** 9 | # mend image will automatically scan an image for vulnerabilities with Operating System packages, Open Source vulnerabilities, and for secrets. 10 | # 11 | # Environment variables from Azure Key Vault must use letters, numbers, and hyphens only. Please reference this link for more information: 12 | # https://learn.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates 13 | # If you are NOT using a service user and have multiple organizations, don't forget to set the organization using the scope parameter 14 | # The following values should be added as environment variables with email and userkey being secrets 15 | # MEND_URL: the mend url that you login to - (https://saas.mend.io) for example 16 | # MENDEMAIL: the user email for the mend platform account that you wish to scan with. This should be stored as a secret and then translated to MEND_EMAIL at runtime. 17 | # MENDUSERKEY: the user key found under my profile for the user you wish to scan with. This should be stored as a secret and then translated to MEND_USER_KEY at runtime. 
18 | # IMAGE_NAME: The name/repository where the image should be stored/pulled from 19 | # IMAGE_TAG: The tag for the image that you have built 20 | 21 | name: 'mend-image-scan' 22 | 23 | # Define your own pipeline trigger here: 24 | # Below is defined a trigger for scanning on a push to the main branch and scanning on a push to release branches. This is considered an ideal time to scan an image so as to manage an image inventory with each version released. 25 | trigger: 26 | - master 27 | - release* 28 | 29 | pool: 30 | vmImage: windows-latest 31 | 32 | variables: 33 | - name: MEND_URL 34 | value: https://saas.mend.io 35 | - name: IMAGE_NAME 36 | value: my-image 37 | - name: IMAGE_TAG 38 | value: $(Build.BuildId) 39 | 40 | stages: 41 | - stage: Build 42 | displayName: Build image 43 | jobs: 44 | - job: Build 45 | displayName: Build 46 | steps: 47 | - task: Docker@2 48 | displayName: Build an image 49 | inputs: 50 | repository: $(IMAGE_NAME) 51 | command: build 52 | dockerfile: '$(Build.SourcesDirectory)/Dockerfile' 53 | tags: $(IMAGE_TAG) 54 | - task: Powershell@2 55 | inputs: 56 | targetType: 'inline' 57 | script: | 58 | echo Downloading Mend CLI 59 | Invoke-WebRequest -Uri "https://downloads.mend.io/cli/windows_amd64/mend.exe" -OutFile "mend.exe" 60 | 61 | echo Run Mend Image Analysis 62 | ./mend.exe image $(IMAGE_NAME):$(IMAGE_TAG) --local-pull 63 | env: 64 | ### Authentication Environment Variable Secrets ### 65 | MEND_EMAIL: $(MENDEMAIL) 66 | MEND_USER_KEY: $(MENDUSERKEY) 67 | 68 | -------------------------------------------------------------------------------- /CI-CD/AzureDevOps/Mend CLI/AzureDevOps-windows.yaml: -------------------------------------------------------------------------------- 1 | # ******** Mend Unified CLI Template for Azure DevOps ******** 2 | # 3 | # You may wish to alter this file to override the build tool and Mend scanning technologies. 
4 | # 5 | # For more configuration options, please check the technical documentation portal: 6 | # 📚 https://docs.mend.io/bundle/integrations/page/scan_with_the_mend_cli.html 7 | # 8 | # ******** Description ******** 9 | # mend dep will automatically use package managers and file system scanning to detect open source components. 10 | # mend code will automatically detect languages and frameworks used in your projects to scan for code weaknesses. 11 | 12 | # Environment variables from Azure Key Vault must use letters, numbers, and hyphens only. Please reference this link for more information: 13 | # https://learn.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates 14 | # If you are NOT using a service user, and have multiple organizations, don't forget to set the organization in the scope parameter 15 | # The following values should be added as environment variables with email and userKey being secrets 16 | # MEND_URL: the mend url that you login to - (https://saas.mend.io) for example 17 | # MENDEMAIL: the user email for the mend platform account that you wish to scan with. This should be stored as a secret and then translated to MEND_EMAIL at runtime. 18 | # MENDUSERKEY: the user key found under my profile for the user you wish to scan with. This should be stored as a secret and then translated to MEND_USER_KEY at runtime. 19 | 20 | name: 'mend-cli-scan' 21 | 22 | # Define your own pipeline trigger here: 23 | # Below is defined a trigger for scanning on a push to the main branch and scanning on a push to release branches. This is considered an ideal time to scan so that an SBOM can be created for software releases and inventory is managed for released software. 
24 | trigger: 25 | - main 26 | - release* 27 | 28 | pool: 29 | vmImage: windows-latest 30 | 31 | variables: 32 | - name: MEND_URL 33 | value: https://saas.mend.io 34 | # value: https://saas-eu.mend.io 35 | 36 | steps: 37 | ### Build the application with your required package manager, e.g: ### 38 | # - task: NodeTool@0 39 | # - task: Maven@0 40 | # - task: NuGetCommand@0 41 | # - task: Gradle@0 42 | # - task: PythonScript@0 43 | # The mend dep scan should be called AFTER a package manager build step such as "mvn clean install -DskipTests=true" or "npm install --only=prod" 44 | - task: PowerShell@2 45 | inputs: 46 | targetType: 'inline' 47 | script: | 48 | ### Download the Mend Unified CLI ### 49 | echo "Downloading Mend CLI" 50 | Invoke-WebRequest -Uri "https://downloads.mend.io/cli/windows_amd64/mend.exe" -OutFile "mend.exe" 51 | ### Run a Mend Software Composition Analysis Scan 52 | echo "Run Mend dependencies scan" 53 | ./mend.exe dep -u -s "*//$(System.TeamProject)//$(Build.Repository.Name)_$(Build.SourceBranchName)" 54 | ### Run a Mend Static Application Security Analysis Scan 55 | echo "Run Mend code scan" 56 | ./mend.exe code -s "*//$(System.TeamProject)//$(Build.Repository.Name)_$(Build.SourceBranchName)" 57 | 58 | env: 59 | ### Authentication Environment Variable Secrets ### 60 | MEND_EMAIL: $(MENDEMAIL) 61 | MEND_USER_KEY: $(MENDUSERKEY) 62 | 63 | displayName: 'Mend Unified CLI Scan' 64 | -------------------------------------------------------------------------------- /CI-CD/AzureDevOps/Unified Agent/azure-pipelines_linux.yml: -------------------------------------------------------------------------------- 1 | name: 'mend-ua-azdo-maven' 2 | 3 | trigger: 4 | - main 5 | 6 | pool: 7 | vmImage: 'ubuntu-latest' 8 | 9 | steps: 10 | ## Maven example - Replace with your build steps 11 | - task: Maven@3 12 | inputs: 13 | mavenPomFile: 'pom.xml' 14 | goals: 'clean install' 15 | mavenOptions: -DskipTests=true 16 | publishJUnitResults: false 17 | javaHomeOption: 
'JDKVersion' 18 | jdkVersionOption: '1.11' 19 | mavenVersionOption: 'Default' 20 | mavenAuthenticateFeed: false 21 | effectivePomSkip: false 22 | sonarQubeRunAnalysis: false 23 | ## end maven example 24 | 25 | # The Unified Agent scan should be called AFTER a package manager build step such as "mvn clean install -DskipTests=true" or "npm install --only=prod" 26 | - script: | 27 | echo Downloading Mend Unified Agent 28 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 29 | 30 | if [[ "$(curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]] ; then 31 | echo "Integrity Check Failed" 32 | else 33 | echo "Integrity Check Passed" 34 | echo Starting Mend Scan 35 | java -jar wss-unified-agent.jar 36 | fi 37 | env: 38 | WS_APIKEY: $(APIKEY) 39 | WS_USERKEY: $(USERKEY) 40 | WS_WSS_URL: https://saas.mend.io/agent 41 | WS_PRODUCTNAME: $(System.TeamProject) 42 | WS_PROJECTNAME: $(Build.Repository.Name)_$(Build.SourceBranchName) 43 | WS_EXCLUDES: "**/.*,**/node_modules,**/src/test,**/testdata,**/*sources.jar,**/*javadoc.jar,**/*.jar,**/*.war,**/*.ear,**/*.aar,**/*.dll,**/*.exe,**/*.msi,**/*.nupkg,**/*.egg,**/*.whl,**/*.tar.gz,**/*.gem,**/*.deb,**/*.udeb,**/*.dmg,**/*.drpm,**/*.rpm,**/*.pkg.tar.xz,**/*.apk,**/*.swf,**/*.swc,**/*.air,**/*.apk,**/*.zip,**/*.gzip,**/*.tar.bz2,**/*.tgz" 44 | displayName: 'Mend Scan' 45 | -------------------------------------------------------------------------------- /CI-CD/AzureDevOps/Unified Agent/azure-pipelines_windows.yml: -------------------------------------------------------------------------------- 1 | --- 2 | trigger: 3 | - main 4 | pool: 5 | vmImage: windows-latest 6 | 7 | steps: 8 | ## Maven example - Replace with your build steps 9 | - task: Maven@3 10 | inputs: 11 | mavenPomFile: pom.xml 12 | goals: clean install 13 | mavenOptions: -DskipTests=true 14 | publishJUnitResults: false 15 | javaHomeOption: JDKVersion 16 | jdkVersionOption: "1.11" 17 | 
mavenVersionOption: Default 18 | mavenAuthenticateFeed: false 19 | effectivePomSkip: false 20 | ## end maven example 21 | 22 | # The Unified Agent scan should be called AFTER a package manager build step such as "mvn clean install -DskipTests=true" or "npm install --only=prod" 23 | - task: PowerShell@2 24 | inputs: 25 | targetType: inline 26 | script: | 27 | echo Downloading Mend Unified Agent 28 | Invoke-WebRequest -Uri "https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar" -OutFile ".\wss-unified-agent.jar" 29 | echo Unified Agent downloaded successfully 30 | java -jar wss-unified-agent.jar 31 | env: 32 | WS_APIKEY: $(APIKEY) 33 | WS_USERKEY: $(USERKEY) 34 | WS_WSS_URL: https://saas.mend.io/agent 35 | WS_PRODUCTNAME: $(System.TeamProject) 36 | WS_PROJECTNAME: $(Build.Repository.Name)_$(Build.SourceBranchName) 37 | WS_EXCLUDES: "**/.*,**/node_modules,**/src/test,**/testdata,**/*sources.jar,**/*javadoc.jar,**/*.jar,**/*.war,**/*.ear,**/*.aar,**/*.dll,**/*.exe,**/*.msi,**/*.nupkg,**/*.egg,**/*.whl,**/*.tar.gz,**/*.gem,**/*.deb,**/*.udeb,**/*.dmg,**/*.drpm,**/*.rpm,**/*.pkg.tar.xz,**/*.apk,**/*.swf,**/*.swc,**/*.air,**/*.apk,**/*.zip,**/*.gzip,**/*.tar.bz2,**/*.tgz" 38 | displayName: Mend Unified Agent Scan 39 | -------------------------------------------------------------------------------- /CI-CD/Bamboo/Mend CLI/Atlassian_Bamboo.sh: -------------------------------------------------------------------------------- 1 | # ******** Mend Unified CLI Template for Atlassian Bamboo ******** 2 | # 3 | # You may wish to alter this file to override the build tool and Mend scanning technologies. 4 | # 5 | # For more configuration options, please check the technical documentation portal: 6 | # 📚 https://docs.mend.io/bundle/integrations/page/scan_with_the_mend_cli.html 7 | # 8 | # ******** Description ******** 9 | # mend dep will automatically use package managers and file system scanning to detect open source components. 
10 | # mend code will automatically detect languages and frameworks used in your projects to scan for code weaknesses. 11 | 12 | # If you are NOT using a service user, and have multiple organizations, don't forget to call the scope -s parameter to set the organization 13 | 14 | # Variables are taken from the job Variables List 15 | # For Example: 16 | # MEND_EMAIL: ${MEND_EMAIL} 17 | # MEND_USER_KEY: ${MEND_USER_KEY} 18 | # MEND_URL: https://saas.mend.io 19 | 20 | # The mend dep scan should be called AFTER a package manager build step such as "mvn clean install -DskipTests=true" or "npm install --only=prod" 21 | 22 | # Create a Script build step and paste the following: 23 | 24 | ### Authentication Variables ### 25 | export MEND_EMAIL=${bamboo_MEND_EMAIL} 26 | export MEND_USER_KEY=${bamboo_MEND_USER_KEY} 27 | export MEND_URL=${bamboo_MEND_URL} 28 | 29 | ### Download the Mend Unified CLI ### 30 | echo "Download Mend CLI" 31 | curl https://downloads.mend.io/cli/linux_amd64/mend -o /usr/local/bin/mend && chmod +x /usr/local/bin/mend 32 | ### Run a Mend Software Composition Analysis Scan 33 | echo "Run Mend dependencies scan" 34 | mend dep -u 35 | ### Run a Mend Static Application Security Analysis Scan 36 | echo "Run Mend code scan" 37 | mend code 38 | -------------------------------------------------------------------------------- /CI-CD/Bamboo/Unified Agent/Bamboo.sh: -------------------------------------------------------------------------------- 1 | # Variables are taken from the job Variables List 2 | # For Example: 3 | # WS_PRODUCTNAME = ${bamboo.planKey} 4 | # WS_PROJECTNAME = ${bamboo.buildPlanName} 5 | # WS_WSS_URL = https://saas.mend.io/agent 6 | # WS_APIKEY = {MASKED_APIKEY} 7 | # WS_USERKEY = {MASKED_USERKEY} 8 | 9 | # The Unified Agent scan should be called AFTER a package manager build step such as "mvn clean install -DskipTests=true" or "npm install --only=prod" 10 | # Create a Script build step and paste the following: 11 | 12 | 13 | # Download Unified 
Agent 14 | export WS_APIKEY=${bamboo_WS_APIKEY} 15 | export WS_WSS_URL=${bamboo_WS_WSS_URL} 16 | export WS_PRODUCTNAME=${bamboo_WS_PRODUCTNAME} 17 | export WS_PROJECTNAME=${bamboo_WS_PROJECTNAME} 18 | echo Downloading Mend Unified Agent 19 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 20 | if [[ "$(curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]] ; then 21 | echo "Integrity Check Failed" 22 | else 23 | echo "Integrity Check Passed" 24 | echo "Starting Mend Scan" 25 | java -jar wss-unified-agent.jar 26 | fi 27 | 28 | # Scan with Mend Unified Agent 29 | java -jar wss-unified-agent.jar -------------------------------------------------------------------------------- /CI-CD/Bitbucket/Mend CLI/Bitbucket.yaml: -------------------------------------------------------------------------------- 1 | # ******** Mend Unified CLI Template for Bitbucket CI ******** 2 | # 3 | # You may wish to alter this file to override the build tool and Mend scanning technologies. 4 | # 5 | # For more configuration options, please check the technical documentation portal: 6 | # 📚 https://docs.mend.io/bundle/integrations/page/scan_with_the_mend_cli.html 7 | # 8 | # ******** Description ******** 9 | # mend dep will automatically use package managers and file system scanning to detect open source components. 10 | # mend code will automatically detect languages and frameworks used in your projects to scan for code weaknesses. 
11 | 12 | # If you are NOT using a service user, and have multiple organizations, don't forget to call the scope -s parameter to set the organization 13 | 14 | # The user needs to set up environment variables in Bitbucket CI, see here for more information: https://support.atlassian.com/bitbucket-cloud/docs/variables-and-secrets/ 15 | # The environment variables are: 16 | ### Authentication Variables ### 17 | # MEND_EMAIL: MEND_EMAIL 18 | # MEND_USER_KEY: MEND_USER_KEY 19 | # MEND_URL: https://saas.mend.io 20 | 21 | image: atlassian/default-image:latest 22 | 23 | pipelines: 24 | default: 25 | # Build steps 26 | # - step: 27 | # name: NPM Build 28 | # name: Maven Install 29 | # name: Dotnet Restore 30 | # The mend dep scan should be called AFTER a package manager build step such as "mvn clean install -DskipTests=true" or "npm install --only=prod" 31 | # Mend CLI 32 | - step: 33 | name: Mend CLI Scan 34 | script: 35 | - | 36 | echo Downloading Mend CLI 37 | curl https://downloads.mend.io/cli/linux_amd64/mend -o /usr/local/bin/mend && chmod +x /usr/local/bin/mend 38 | ### Run a Mend Software Composition Analysis Scan 39 | echo Run Mend dependencies scan 40 | mend dep -u 41 | ### Run a Mend Static Application Security Analysis Scan 42 | echo Run Mend code scan 43 | mend code -------------------------------------------------------------------------------- /CI-CD/Bitbucket/Unified Agent/Bitbucket.yml: -------------------------------------------------------------------------------- 1 | image: atlassian/default-image:latest 2 | 3 | pipelines: 4 | default: 5 | - step: 6 | name: NPM Build 7 | caches: 8 | - node 9 | script: 10 | - npm install --only=prod 11 | 12 | # The Unified Agent scan should be called AFTER a package manager build step such as "mvn clean install -DskipTests=true" or "npm install --only=prod". Note: the integrity check in the step below only echoes its result; the `java -jar` at the end of the step still runs after "Integrity Check Failed", so exit non-zero there or gate the scan on the check. 13 | - step: 14 | name: Run Mend Unified Agent Scan 15 | script: 16 | - | 17 | echo "Downloading Mend Unified Agent" 18 | curl -LJO 
https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 19 | if [[ "$(curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]] ; then 20 | echo "Integrity Check Failed" 21 | else 22 | echo "Integrity Check Passed" 23 | fi 24 | export WS_APIKEY=$APIKEY #add as a variable to the pipeline 25 | export WS_USERKEY=$USERKEY #add as a variable to the pipeline 26 | export WS_WSS_URL=https://saas.mend.io/agent 27 | export WS_PRODUCTNAME=$BITBUCKET_REPO_SLUG 28 | export WS_PROJECTNAME=$BITBUCKET_BRANCH 29 | export WS_FILESYSTEMSCAN=false 30 | echo "Starting Mend Unified Agent Scan" 31 | java -jar wss-unified-agent.jar 32 | -------------------------------------------------------------------------------- /CI-CD/CircleCI/Mend CLI/CircleCI.yaml: -------------------------------------------------------------------------------- 1 | # ******** Mend Unified CLI Template for CircleCI ******** 2 | # 3 | # You may wish to alter this file to override the build tool and Mend scanning technologies. 4 | # 5 | # For more configuration options, please check the technical documentation portal: 6 | # 📚 https://docs.mend.io/bundle/integrations/page/scan_with_the_mend_cli.html 7 | # 8 | # ******** Description ******** 9 | # mend dep will automatically use package managers and file system scanning to detect open source components. 10 | # Mend code will automatically detect languages and frameworks used in your projects to scan for code weaknesses. 11 | 12 | # Use the latest 2.1 version of CircleCI pipeline process engine. See: https://circleci.com/docs/2.0/configuration-reference 13 | version: 2.1 14 | # Use a package of configuration called an orb. 
15 | orbs: 16 | node: circleci/node@4.7.0 17 | # maven: circleci/maven@1.4.1 18 | # Context is used below to set environment variables for MEND_EMAIL, MEND_USER_KEY, and MEND_URL 19 | # https://circleci.com/docs/contexts/#create-and-use-a-context 20 | workflows: 21 | mend-workflow: 22 | jobs: 23 | - example-mend-job: 24 | context: 25 | - Mend 26 | jobs: 27 | example-mend-job: 28 | docker: 29 | # prebuilt image with java 30 | - image: circleci/openjdk:11-jdk-buster 31 | user: root 32 | # user root is required when using circleci images due to permissions within the image; this is not required for any other image such as ubuntu:latest 33 | steps: 34 | ## checkout git 35 | - checkout 36 | ## install node/npm 37 | # - node/install 38 | ## npm install packages 39 | # - node/install-packages 40 | ## 41 | ## - maven install 42 | # - maven/install: 43 | # command: '-DskipTests' 44 | # The mend dep scan should be called AFTER a package manager build step such as "mvn clean install -DskipTests=true" or "npm install --only=prod" 45 | # If you are NOT using a service user, and have multiple organizations, don't forget to call the scope -s parameter to set the organization 46 | - run: 47 | name: Download Mend CLI 48 | command: curl https://downloads.mend.io/cli/linux_amd64/mend -o /usr/local/bin/mend && chmod +x /usr/local/bin/mend 49 | - run: 50 | name: Run Mend dependencies scan 51 | command: mend dep -u 52 | - run: 53 | name: Run Mend code scan 54 | command: mend code 55 | -------------------------------------------------------------------------------- /CI-CD/CircleCI/Unified Agent/CircleCI.yaml: -------------------------------------------------------------------------------- 1 | # Use the latest 2.1 version of CircleCI pipeline process engine. 
See: https://circleci.com/docs/2.0/configuration-reference 2 | version: 2.1 3 | jobs: 4 | example-mend-job: 5 | docker: 6 | - image: circleci/openjdk:8u171-jdk 7 | working_directory: ~/repo 8 | environment: 9 | MAVEN_OPTS: -Xmx3200m 10 | steps: 11 | - checkout 12 | - run: 13 | name: maven install 14 | command: mvn clean install 15 | # The Unified Agent scan should be called AFTER a package manager build step such as "mvn clean install -DskipTests=true" or "npm install --only=prod" 16 | # Execute Mend scan, curling the latest unified agent. Remember to set the environment variables (API key, user key, URL, project name and product name; the variable names must be upper case). Unlike the Bamboo, Bitbucket and GitHub Unified Agent examples, this download step does not compare the downloaded jar against the published .sha256 file. 17 | # WS_APIKEY 18 | # WS_USERKEY 19 | # WS_WSS_URL 20 | # WS_PRODUCTNAME 21 | # WS_PROJECTNAME 22 | - run: 23 | name: Download Mend 24 | command: bash <(curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar) 25 | - run: 26 | name: Run Mend 27 | command: java -jar wss-unified-agent.jar 28 | workflows: 29 | example-workflow: 30 | jobs: 31 | - example-mend-job -------------------------------------------------------------------------------- /CI-CD/CloudBuild/Unified Agent/GoogleCloudBuild.yaml: -------------------------------------------------------------------------------- 1 | steps: 2 | # NPM example - replace with your build steps 3 | - name: 'gcr.io/cloud-builders/npm' 4 | args: ['install'] 5 | 6 | # The Unified Agent scan should be called AFTER a package manager build step such as "mvn clean install -DskipTests=true" or "npm install --only=prod" 7 | - name: 'gcr.io/cloud-builders/curl' 8 | args: ['-J', '-L', '-O', 'https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar'] 9 | 10 | - name: 'docker.io/openjdk' 11 | env: 12 | - 'WS_APIKEY=$APIKEY' #add your apiKey here using: https://cloud.google.com/build/docs/securing-builds/use-secrets 13 | - 'WS_USERKEY=$USERKEY' #add your userKey here using: https://cloud.google.com/build/docs/securing-builds/use-secrets 14 | - 
'WS_WSS_URL=https://saas.mend.io/agent' 15 | - 'WS_PRODUCTNAME=$PROJECT_ID' 16 | - 'WS_PROJECTNAME=$BUILD_ID' 17 | args: ['java','-jar','wss-unified-agent.jar'] 18 | -------------------------------------------------------------------------------- /CI-CD/CodeBuild/Unified Agent/buildspec.yml: -------------------------------------------------------------------------------- 1 | version: 0.2 2 | 3 | env: 4 | shell: bash 5 | variables: 6 | WS_WSS_URL: "https://saas.mend.io/agent" 7 | secrets-manager: # for more information: https://aws.amazon.com/about-aws/whats-new/2019/11/aws-codebuild-adds-support-for-aws-secrets-manager/ 8 | WS_APIKEY: "SecretName:Value" 9 | WS_USERKEY: "SecretName:Value" 10 | 11 | # The Unified Agent scan should be called AFTER a package manager build step such as "mvn clean install -DskipTests=true" or "npm install --only=prod" 12 | 13 | phases: 14 | build: 15 | commands: 16 | - export WS_PRODUCTNAME=AWS_$AWS_REGION-$CODEBUILD_INITIATOR 17 | - export WS_PROJECTNAME=$CODEBUILD_BUILD_ID 18 | - curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 19 | - java -jar wss-unified-agent.jar 20 | -------------------------------------------------------------------------------- /CI-CD/CodeFresh/Unified Agent/CodeFresh.yml: -------------------------------------------------------------------------------- 1 | # More examples of Codefresh YAML can be found at 2 | # https://codefresh.io/docs/docs/yaml-examples/examples/ 3 | # Before Running pipeline, make sure your add WS_APIKEY and WS_WSS_URL as pipeline variables 4 | 5 | version: "1.0" 6 | stages: 7 | - "Mend" 8 | 9 | steps: 10 | Freestyle: 11 | title: Mend-E2E 12 | type: freestyle 13 | stage: "Mend" 14 | working_directory: "${{CF_BRANCH}}" 15 | arguments: 16 | image: 'quay.io/codefreshplugins/alpine:3.8' 17 | commands: 18 | - apk update 19 | - apk add openjdk8 curl npm git 20 | - git clone https://github.com/some/repo 21 | - cd repo 22 | - npm install --only=prod 23 | - curl -LJO 
https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 24 | # The Unified Agent scan should be called AFTER a package manager build step such as "mvn clean install -DskipTests=true" or "npm install --only=prod" 25 | - export WS_PRODUCTNAME=CodeFresh 26 | - export WS_PROJECTNAME=$CF_BRANCH 27 | - export WS_FILESYSTEMSCAN=false 28 | - java -jar wss-unified-agent.jar -------------------------------------------------------------------------------- /CI-CD/GitHub/Mend CLI/GitHub-SAST-PR.yaml: -------------------------------------------------------------------------------- 1 | # ******** Mend Unified CLI Template for Github Actions ******** 2 | # 3 | # You may wish to alter this file to override the build tool and Mend scanning technologies. 4 | # 5 | # For more configuration options, please check the technical documentation portal: 6 | # 📚 https://docs.mend.io/bundle/integrations/page/scan_with_the_mend_cli.html 7 | # 8 | # ******** Description ******** 9 | # mend dep will automatically use package managers and file system scanning to detect open source components. 10 | # mend code will automatically detect languages and frameworks used in your projects to scan for code weaknesses. 
11 | 12 | # If you are NOT using a service user, and have multiple organizations, don't forget to call the scope -s parameter to set the organization. Note: the -s value in the run step below interpolates ${{github.event.repository.name}}, ${{github.ref_name}} and github.head_ref directly into the shell script; on pull_request triggers the head ref is chosen by the PR author, so pass these through env: and reference them as quoted shell variables instead. Also {{github.head_ref}} is missing its leading $ and is passed as literal text. 13 | 14 | name: Mend CLI SAST PR Scan 15 | 16 | on: 17 | pull_request: 18 | branches: 19 | - main 20 | 21 | jobs: 22 | build: 23 | runs-on: ubuntu-latest 24 | 25 | steps: 26 | - uses: actions/checkout@v3 27 | - name: Mend CLI Scan 28 | env: 29 | MEND_EMAIL: ${{secrets.MEND_EMAIL}} 30 | MEND_USER_KEY: ${{secrets.MEND_USER_KEY}} 31 | MEND_URL: https://saas.mend.io 32 | MEND_SAST_THRESHOLD_ONLY_NEW: true 33 | # Set diff thresholds from the base scan 34 | # MEND_SAST_THRESHOLD_HIGH: 1 35 | # MEND_SAST_THRESHOLD_MEDIUM: 1 36 | # MEND_SAST_THRESHOLD_LOW: 1 37 | run: | 38 | echo Downloading Mend CLI 39 | curl https://downloads.mend.io/cli/linux_amd64/mend -o /usr/local/bin/mend && chmod +x /usr/local/bin/mend 40 | echo Run Mend code scan 41 | mend code -s "*//*//${{github.event.repository.name}}_${{github.ref_name}}_{{github.head_ref}}" 42 | -------------------------------------------------------------------------------- /CI-CD/GitHub/Mend CLI/GitHub.yaml: -------------------------------------------------------------------------------- 1 | # ******** Mend Unified CLI Template for Github Actions ******** 2 | # 3 | # You may wish to alter this file to override the build tool and Mend scanning technologies. 4 | # 5 | # For more configuration options, please check the technical documentation portal: 6 | # 📚 https://docs.mend.io/bundle/integrations/page/scan_with_the_mend_cli.html 7 | # 8 | # ******** Description ******** 9 | # mend dep will automatically use package managers and file system scanning to detect open source components. 10 | # mend code will automatically detect languages and frameworks used in your projects to scan for code weaknesses. 
11 | 12 | # If you are NOT using a service user, and have multiple organizations, don't forget to call the scope -s parameter to set the organization 13 | 14 | name: Mend CLI Scan 15 | 16 | on: 17 | push: 18 | branches: [ main ] 19 | 20 | jobs: 21 | build: 22 | runs-on: ubuntu-latest 23 | 24 | steps: 25 | - uses: actions/checkout@v3 26 | ## Maven example - replace with your build steps 27 | # - name: Set up JDK 28 | # uses: actions/setup-java@v2 29 | # with: 30 | # java-version: '11' 31 | # distribution: 'adopt' 32 | # - name: Build with Maven 33 | # run: mvn clean install -DskipTests=true 34 | ## 35 | # The mend dep scan should be called AFTER a package manager build step such as "mvn clean install -DskipTests=true" or "npm install --only=prod" 36 | - name: Mend CLI Scan 37 | env: 38 | MEND_EMAIL: ${{secrets.MEND_EMAIL}} 39 | MEND_USER_KEY: ${{secrets.MEND_USER_KEY}} 40 | MEND_URL: https://saas.mend.io 41 | run: | 42 | echo Downloading Mend CLI 43 | curl https://downloads.mend.io/cli/linux_amd64/mend -o /usr/local/bin/mend && chmod +x /usr/local/bin/mend 44 | echo run Mend dependencies scan 45 | mend dep -u 46 | echo Run Mend code scan 47 | mend code 48 | -------------------------------------------------------------------------------- /CI-CD/GitHub/Mend CLI/Github_Advanced_Linux/README.md: -------------------------------------------------------------------------------- 1 | # GH Actions CLI Templates 2 | 3 | This pipeline is designed for demonstration purposes. You may modify it to fit your specific scanning and pipeline requirements. 4 | 5 | This example takes advantage of [GH Templates](https://docs.github.com/en/actions/using-workflows/creating-starter-workflows-for-your-organization), making it easier to use, read, and reuse across different pipelines. 
6 | 7 | The template (`mend-scan.yaml`) uses the [Mend CLI](https://docs.mend.io/bundle/integrations/page/scan_with_the_mend_cli.html) to run: 8 | * **Software Composition Analysis (SCA)** scan using package managers (and file system scanning [optional]) to detect open-source components, with creation of the following reports: 9 | * SBOM Export 10 | * Risk report 11 | * Inventory report 12 | * Due diligence report 13 | 14 | * **Static Application Security Testing (SAST)** scan to detect languages and frameworks used in your projects and report code weaknesses, producing a `sarif` report 15 | 16 | ### Create a Template Repo 17 | 18 | If you don't already have a template repo, create one and give it access from the Repo where you are running the pipeline, for example: 19 | `mend-examples/mend-toolkit/.github/workflows/mend-scan-template.yaml@scan-templates` 20 | 21 | Copy the `mend-scan-template.yaml` to the `.github/workflows` folder 22 | 23 | ### Use the template 24 | 25 | In your GH Actions, place the `mend-scan.yaml` and define the parameters: 26 | ```yaml 27 | call-template: 28 | uses: mend-examples/mend-toolkit/.github/workflows/mend-scan-template.yaml@scan-templates 29 | with: 30 | MEND_URL: "https://saas-eu.mend.io" 31 | # MEND_URL: "https://saas.mend.io" 32 | SCA: true 33 | SCA_Reachability: true # Whether to run SCA Reachability, supported for Java and JS: https://docs.mend.io/bundle/sca_user_guide/page/sca_reachability_in_the_mend_cli.html 34 | SAST: true 35 | CN: false # TODO add steps to template 36 | SCA_Reports: 'ALL' 37 | ### Allowed values: 38 | ### Comma-separated list containing any of: SBOM,RISK,INVENTORY,DUE_DILIGENCE,ALL 39 | secrets: 40 | MEND_EMAIL: ${{ secrets.MEND_EMAIL }} 41 | MEND_USER_KEY: ${{ secrets.MEND_USER_KEY }} 42 | ``` 43 | 44 | -------------------------------------------------------------------------------- /CI-CD/GitHub/Mend CLI/Github_Advanced_Linux/mend-scan.yaml: 
-------------------------------------------------------------------------------- 1 | # ******** Mend Unified CLI Template for Github Actions ******** 2 | # 3 | # You may wish to alter this file to override the build tool and Mend scanning technologies. 4 | # 5 | # For more configuration options, please check the technical documentation portal: 6 | # 📚 https://docs.mend.io/bundle/integrations/page/scan_with_the_mend_cli.html 7 | # 8 | # ******** Description ******** 9 | # mend dep will automatically use package managers and file system scanning to detect open source components. 10 | # mend code will automatically detect languages and frameworks used in your projects to scan for code weaknesses. 11 | 12 | # If you are NOT using a service user, and have multiple organizations, don't forget to call the scope -s parameter to set the organization 13 | 14 | name: Mend 15 | 16 | on: 17 | push: 18 | branches: [ main ] 19 | 20 | 21 | jobs: 22 | 23 | call-template: 24 | # Replace the below with your own location 25 | uses: mend-examples/mend-toolkit/.github/workflows/mend-scan-template.yaml@scan-templates 26 | with: 27 | MEND_URL: "https://saas-eu.mend.io" 28 | # MEND_URL: "https://saas.mend.io" 29 | SCA: true 30 | SCA_Reachability: true # Whether to run SCA Reachability, supported for Java and JS: https://docs.mend.io/bundle/sca_user_guide/page/sca_reachability_in_the_mend_cli.html 31 | SAST: false 32 | CN: false # TODO define template 33 | SCA_Reports: 'ALL' # Comma-separated list containing any of: SBOM,RISK,INVENTORY,DUE_DILIGENCE,ALL 34 | secrets: 35 | MEND_EMAIL: ${{ secrets.MEND_EMAIL }} 36 | MEND_USER_KEY: ${{ secrets.MEND_USER_KEY }} 37 | -------------------------------------------------------------------------------- /CI-CD/GitHub/Mend CLI/Github_image_scan.yaml: -------------------------------------------------------------------------------- 1 | # ******** Mend Unified CLI Template for Github ******** 2 | # 3 | # You may wish to alter this file to override the build 
tool and Mend scanning technologies. 4 | # 5 | # For more configuration options, please check the technical documentation portal: 6 | # 📚 https://docs.mend.io/bundle/integrations/page/scan_with_the_mend_cli.html 7 | # 8 | # ******** Description ******** 9 | # mend image will automatically scan an image for vulnerabilities with Operating System packages, Open Source vulnerabilities, and for secrets. 10 | # 11 | # If you are NOT using a service user and have multiple organizations, don't forget to set the organization using the scope parameter 12 | # The following values should be added as environment variables with email and userkey being secrets 13 | # MEND_URL: the mend url that you login to - (https://saas.mend.io) for example 14 | # MEND_EMAIL: the user email for the mend platform account that you wish to scan with. This should be stored as a secret and then translated to MEND_EMAIL at runtime. 15 | # MEND_USER_KEY: the user key found under my profile for the user you wish to scan with. This should be stored as a secret and then translated to MEND_USER_KEY at runtime. 
16 | # 17 | # REPO_NAME: The repository where the image should be stored/pulled from 18 | # IMAGE_NAME: The name where the image should be stored/pulled from 19 | # IMAGE_TAG: The tag for the image that you have built 20 | 21 | name: Mend Image Scan 22 | 23 | on: 24 | push: 25 | branches: [ main ] 26 | 27 | env: 28 | DOCKER_IMAGE_NAME: IMAGE_NAME 29 | DOCKER_REPO_NAME: REPO_NAME 30 | DOCKER_TAG: dev-${{ github.run_number }} 31 | MEND_USER_KEY: ${{ secrets.MEND_USER_KEY }} 32 | MEND_EMAIL: ${{ secrets.MEND_EMAIL }} 33 | MEND_URL: https://saas.mend.io 34 | # MEND_URL: https://saas-eu.mend.io 35 | 36 | 37 | jobs: 38 | 39 | build: 40 | runs-on: ubuntu-latest 41 | steps: 42 | - uses: actions/checkout@v3 43 | - name: install buildx 44 | id: buildx 45 | uses: crazy-max/ghaction-docker-buildx@v1 46 | with: 47 | version: latest 48 | - name: Build the Docker image 49 | run: | 50 | docker buildx build --platform=linux/arm64 . --file Dockerfile --tag $DOCKER_REPO_NAME:$DOCKER_TAG --load 51 | docker images 52 | 53 | - name: Download Mend CLI & Run a Scan 54 | run: | 55 | curl https://downloads.mend.io/cli/linux_amd64/mend -o /usr/local/bin/mend && chmod +x /usr/local/bin/mend 56 | mend image $DOCKER_REPO_NAME:$DOCKER_TAG --format sarif --filename results.sarif --local-pull 57 | 58 | - name: Upload sarif 59 | uses: github/codeql-action/upload-sarif@v3 60 | with: 61 | sarif_file: results.sarif 62 | -------------------------------------------------------------------------------- /CI-CD/GitHub/Unified Agent/GitHub.yml: -------------------------------------------------------------------------------- 1 | name: Mend Unified Agent Release Scan 2 | 3 | on: 4 | push: 5 | branches: 6 | - '**release**' 7 | 8 | jobs: 9 | mendscan: 10 | env: 11 | WS_APIKEY: ${{secrets.PROD_APIKEY}} 12 | WS_USERKEY: ${{secrets.PROD_USERKEY}} 13 | WS_WSS_URL: https://saas.mend.io/agent 14 | runs-on: ubuntu-latest 15 | 16 | steps: 17 | - uses: actions/checkout@v3 18 | - name: Set up JDK 19 | uses: 
actions/setup-java@v2 20 | with: 21 | java-version: '11' 22 | distribution: 'adopt' 23 | ## Maven example - replace with your build steps 24 | # 25 | # - name: Build with Maven 26 | # run: mvn clean install -DskipTests=true 27 | ## 28 | # The Unified Agent scan should be called AFTER a package manager build step such as "mvn clean install -DskipTests=true" or "npm install --only=prod" 29 | - name: Mend Unified Agent Scan 30 | env: 31 | WS_PRODUCTNAME: ${{github.event.repository.name}} 32 | WS_PROJECTNAME: ${{github.event.repository.name}}_${{github.ref_name}} 33 | WS_GENERATEPROJECTDETAILSJSON: true 34 | run: | 35 | echo Downloading Mend Unified Agent 36 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 37 | if [[ "$(curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]] ; then 38 | echo "Integrity Check Failed" 39 | else 40 | echo "Integrity Check Passed" 41 | echo Starting Unified Agent Scan 42 | java -jar wss-unified-agent.jar 43 | fi 44 | ## (Optional) Download reports and save as pipeline artifact 45 | # - name: Check Project State 46 | # run: | 47 | # curl -LJO https://raw.githubusercontent.com/mend-toolkit/mend-examples/main/Scripts/Mend%20SCA/check-project-state.sh 48 | # chmod +x check-project-state.sh && ./check-project-state.sh 49 | # - name: Mend Report Generation 50 | # run: | 51 | # export WS_PROJECTTOKEN=$(jq -r '.projects | .[] | .projectToken' ./whitesource/scanProjectDetails.json) 52 | # export WS_URL=$(echo $WS_WSS_URL | awk -F "agent" '{print $1}') 53 | # curl -o ./whitesource/riskreport.pdf -X POST "${WS_URL}/api/v1.3" -H "Content-Type: application/json" -d '{"requestType":"getProjectRiskReport","userKey":"'${WS_USERKEY}'","projectToken":"'${WS_PROJECTTOKEN}'"}' 54 | # curl -o ./whitesource/inventoryreport.xlsx -X POST "${WS_URL}/api/v1.3" -H "Content-Type: application/json" -d 
'{"requestType":"getProjectInventoryReport","userKey":"'${WS_USERKEY}'","projectToken":"'${WS_PROJECTTOKEN}'"}' 55 | # curl -o ./whitesource/duediligencereport.xlsx -X POST "${WS_URL}/api/v1.3" -H "Content-Type: application/json" -d '{"requestType":"getProjectDueDiligenceReport","userKey":"'${WS_USERKEY}'","projectToken":"'${WS_PROJECTTOKEN}'"}' 56 | 57 | - name: 'Upload WhiteSource folder' 58 | uses: actions/upload-artifact@v2 59 | with: 60 | name: Mend 61 | path: whitesource 62 | retention-days: 14 63 | - name: 'Upload Mend folder if failure' 64 | uses: actions/upload-artifact@v2 65 | if: failure() 66 | with: 67 | name: Mend 68 | path: whitesource 69 | retention-days: 14 70 | -------------------------------------------------------------------------------- /CI-CD/GitLab/Mend CLI/gitlab_image_scan.yml: -------------------------------------------------------------------------------- 1 | # ******** Mend Unified CLI Template for Gitlab CI ******** 2 | # 3 | # You may wish to alter this file to override the build tool and Mend scanning technologies. 4 | # Note: This example used a self-hosted Gitlab-runner running with Shell executor as described here: https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#use-the-shell-executor 5 | # 6 | # For more configuration options, please check the technical documentation portal: 7 | # 📚 https://docs.mend.io/bundle/integrations/page/scan_with_the_mend_cli.html 8 | # 9 | # ******** Description ******** 10 | # mend image will automatically scan an image for vulnerabilities with Operating System packages, Open Source vulnerabilities, and for secrets. 
11 | 12 | # If you are NOT using a service user, and have multiple organizations, don't forget to set the organization in the scope parameter 13 | # The following values should be added as environment variables with email and userKey being secrets 14 | # MEND_URL: the mend url that you login to - (https://saas.mend.io) for example 15 | # MEND_EMAIL: the user email for the mend platform account you wish to scan with 16 | # MEND_USER_KEY: the user key found under my profile for the user you wish to scan with 17 | 18 | 19 | stages: 20 | - scan 21 | 22 | mend-image-scan: 23 | stage: scan 24 | variables: 25 | IMAGE_TAG: $CI_JOB_ID 26 | IMAGE_NAME: REPO_NAME/IMAGE_NAME 27 | MEND_EMAIL: $MEND_EMAIL 28 | MEND_USER_KEY: $MEND_USER_KEY 29 | MEND_URL: "https://saas.mend.io" 30 | # MEND_URL: "https://saas-eu.mend.io" 31 | 32 | 33 | before_script: 34 | - docker info 35 | 36 | script: | 37 | docker build -t $IMAGE_NAME:$IMAGE_TAG . -f Dockerfile 38 | echo Downloading Mend CLI 39 | curl https://downloads.mend.io/cli/linux_amd64/mend -o ./mend && chmod +x ./mend 40 | echo Run Mend Image scan 41 | ./mend image $IMAGE_NAME:$IMAGE_TAG --local-pull 42 | cp -r ~/.mend/logs $CI_PROJECT_DIR/mend-logs 43 | artifacts: 44 | paths: 45 | - mend-logs/ 46 | when: always -------------------------------------------------------------------------------- /CI-CD/Jenkins/Mend CLI/Jenkins.groovy: -------------------------------------------------------------------------------- 1 | // ******** Mend Unified CLI Template for Jenkins ******** 2 | // You may wish to alter this file to override the build tool and the Mend scanning technologies 3 | 4 | //This pipeline utilizes shared libraries to make it easier to implement Mend into several pipelines. 
5 | //For more information on shared libraries, please check the official Jenkins documentation: 6 | // 📚 https://www.jenkins.io/doc/book/pipeline/shared-libraries/ 7 | 8 | // For more configuration options, please check the technical documentation portal: 9 | // 📚 https://docs.mend.io/bundle/cli/page/scan_with_mend_s_unified_cli.html 10 | 11 | // ******** Description ******** 12 | // mend dep will automatically use package managers and file system scanning to detect open source components. 13 | // mend code will automatically detect languages and frameworks used in your projects to scan for code weaknesses. 14 | // mend image will automatically scan an image for vulnerabilities with Operating System packages, Open Source vulnerabilities, and for secrets. 15 | 16 | // If you are NOT using a service user, and have multiple organizations, don't forget to set the organization in the scope parameter 17 | // The following values should be added as environment variables (store them as Jenkins credentials; note that GenerateSCAReports.groovy passes MEND_USER_KEY on the curl command line, where it is visible in the agent's process list) 18 | // MEND_EMAIL: the user email for the mend platform account you wish to scan with 19 | // MEND_USER_KEY: the user key found under my profile for the user you wish to scan with 20 | 21 | //update with the name of your shared library 22 | @Library("my-shared-library") _ 23 | pipeline { 24 | agent any 25 | 26 | environment { 27 | MEND_SAST_THRESHOLD_ONLY_NEW = "true" 28 | // Set diff thresholds from the base scan 29 | // MEND_SAST_THRESHOLD_HIGH = 1 30 | // MEND_SAST_THRESHOLD_MEDIUM = 1 31 | // MEND_SAST_THRESHOLD_LOW = 1 32 | 33 | // update with the Server URL found on the integrate tab 34 | MEND_URL = 'https://saas.mend.io' 35 | } 36 | 37 | tools { 38 | maven 'Maven-3.9.6' 39 | jdk 'JDK11' 40 | } 41 | 42 | stages { 43 | stage('Clean Workspace') { 44 | steps { 45 | cleanWs() 46 | } 47 | } 48 | 49 | stage('Git Clone') { 50 | steps { 51 | // replace branch and url with your repository information 52 | checkout changelog: false, poll: false, scm: scmGit(branches: [[name: 'refs/tags/v8.1.0']], 
extensions: [], userRemoteConfigs: [[url: 'https://github.com/WebGoat/WebGoat.git']]) 53 | } 54 | } 55 | // Build the application with your required package manager. The below example is for maven: ### 56 | stage('Install dependencies') { 57 | steps { 58 | sh 'mvn clean install -DskipTests' 59 | } 60 | } 61 | 62 | 63 | stage('Download Mend CLI') { 64 | steps { 65 | DownloadMendCLI() 66 | } 67 | } 68 | 69 | stage('Run Mend SCA') { 70 | steps { 71 | echo "Reachability is enabled" 72 | MendSCAScan(reachability: true) 73 | echo "Reachability is disabled" 74 | MendSCAScan(reachability: false) 75 | } 76 | } 77 | stage('Run SCA Reports') { 78 | steps { 79 | GenerateSCAReports() 80 | } 81 | } 82 | stage('Run SAST Scan') { 83 | steps { 84 | MendSASTScan() 85 | } 86 | } 87 | } 88 | } 89 | -------------------------------------------------------------------------------- /CI-CD/Jenkins/Mend CLI/README.md: -------------------------------------------------------------------------------- 1 | # Jenkins Pipeline Using Trusted Libraries 2 | 3 | This pipeline is designed for demonstration purposes. You may modify it to fit your specific scanning and pipeline requirements. 4 | 5 | This example takes advantage of Jenkins Global Trusted Pipeline Libraries, making it easier to use, read, and reuse across different pipelines. 
6 | 7 | The template (`jenkins.groovy`) uses the [Mend CLI](https://docs.mend.io/bundle/integrations/page/scan_with_the_mend_cli.html) to run: 8 | * **Software Composition Analysis (SCA)** scan using package managers (and file system scanning [optional]) to detect open-source components with report creating of: 9 | * Risk report 10 | * Inventory report 11 | * Due diligence report 12 | 13 | * **Static Application Security Testing (SAST)** scan to detect languages and frameworks used in your projects and report code weaknesses and creates `sarif` report 14 | 15 | The `vars` folder and its content need to be placed on the root of a Git repo and accessible by the Jenkins pipline, in this example, we'll be using github.com access. 16 | 17 | ### Create the trusted library 18 | 19 | If you don't already have a trusted library repo, create one and configure Jenkins to access it from `Manage Jenkins->System->Global Trusted Pipeline Libraries`, see below example: 20 | 21 | 22 | 23 | ### Use the functions 24 | 25 | In your Jenkins pipeline, make sure you are declaring the library as indicated on the [Jenkins.groovy](./Jenkins.groovy) 26 | -------------------------------------------------------------------------------- /CI-CD/Jenkins/Mend CLI/resources/trustpipelines.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mend-toolkit/mend-examples/e6161d48a4cac380a8b4f139a0096bf55e628f93/CI-CD/Jenkins/Mend CLI/resources/trustpipelines.jpg -------------------------------------------------------------------------------- /CI-CD/Jenkins/Mend CLI/vars/DownloadMendCLI.groovy: -------------------------------------------------------------------------------- 1 | def call() { 2 | echo 'Downloading Mend CLI' 3 | sh 'curl -LJO https://downloads.mend.io/production/unified/latest/linux_amd64/mend && chmod +x mend' 4 | } 5 | -------------------------------------------------------------------------------- /CI-CD/Jenkins/Mend 
CLI/vars/GenerateSCAReports.groovy: -------------------------------------------------------------------------------- 1 | def call() { 2 | catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE'){ 3 | sh ''' 4 | WS_PROJECTTOKEN=$(grep -oP "(?<=token=)[^&]+" "${PWD}"/dep-results.txt) 5 | if [ -z "$WS_PROJECTTOKEN" ]; 6 | then 7 | echo " No project token found, reports will not be generated" >&2 8 | else 9 | echo "Creating Project Risk Report" 10 | curl -o "${PWD}"/riskreport.pdf -X POST "${MEND_URL}/api/v1.4" -H "Content-Type: application/json" -d '{"requestType":"getProjectRiskReport","userKey":"'${MEND_USER_KEY}'","projectToken":"'${WS_PROJECTTOKEN}'"}' 11 | echo "Creating Project Inventory Report" 12 | curl -o "${PWD}"/inventoryreport.xlsx -X POST "${MEND_URL}/api/v1.4" -H "Content-Type: application/json" -d '{"requestType":"getProjectInventoryReport","userKey":"'${MEND_USER_KEY}'","projectToken":"'${WS_PROJECTTOKEN}'"}' 13 | echo "Creating Project Due Diligence Report" 14 | curl -o "${PWD}"/duediligencereport.xlsx -X POST "${MEND_URL}/api/v1.4" -H "Content-Type: application/json" -d '{"requestType":"getProjectDueDiligenceReport","userKey":"'${MEND_USER_KEY}'","projectToken":"'${WS_PROJECTTOKEN}'"}' 15 | fi 16 | ''' 17 | archiveArtifacts artifacts: "riskreport.pdf, inventoryreport.xlsx, duediligencereport.xlsx, spdxreport.json", fingerprint: true 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /CI-CD/Jenkins/Mend CLI/vars/MendSASTScan.groovy: -------------------------------------------------------------------------------- 1 | def call() { 2 | echo 'Start Mend Code Scan' 3 | catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE'){ 4 | sh ''' 5 | export repo=$(basename -s .git $(git config --get remote.origin.url)) 6 | export branch=$(git rev-parse --abbrev-ref HEAD) 7 | ./mend code --non-interactive -s "*//${JOB_NAME}//${repo}_${branch}" -r --formats sarif --filename code-results 8 | ''' 9 | archiveArtifacts 
artifacts: "code-results.sarif", fingerprint: true 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /CI-CD/Jenkins/Mend CLI/vars/MendSCAScan.groovy: -------------------------------------------------------------------------------- 1 | def call(Map args = [:]) { 2 | boolean reachability = args.get('reachability', false) 3 | echo 'Run Mend dependencies scan' 4 | 5 | catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE') { 6 | def reachabilityFlag = reachability ? "-r" : "" 7 | 8 | sh """ 9 | export repo=\$(basename -s .git \$(git config --get remote.origin.url)) 10 | export branch=\$(git rev-parse --abbrev-ref HEAD) 11 | ./mend dep -u ${reachabilityFlag} -s "*//\${JOB_NAME}//\${repo}_\${branch}" --fail-policy --non-interactive --export-results dep-results.txt 12 | """ 13 | } 14 | archiveArtifacts artifacts: "dep-results.txt", fingerprint: true 15 | } 16 | -------------------------------------------------------------------------------- /CI-CD/Jenkins/Unified Agent/Jenkins_pipeline_maven_multi-org.groovy: -------------------------------------------------------------------------------- 1 | pipeline { 2 | agent any 3 | 4 | environment { 5 | WS_WSS_URL = "${WSURL}" //Taken from Jenkins Global Environment Variables 6 | WS_PRODUCTNAME = "Jenkins_Pipeline" 7 | WS_PROJECTNAME = "${JOB_NAME}" 8 | WS_PRODUCTION_BRANCH = "main" 9 | WS_FILESYSTEMSCAN = false 10 | } 11 | 12 | tools { 13 | // Install the Maven version configured as "M3" and add it to the path. 14 | maven "M3" 15 | } 16 | 17 | stages { 18 | stage('Build') { 19 | steps { 20 | // Get some code from a GitHub repository 21 | git 'https://github.com/someorg/java_repo.git' 22 | 23 | // Run Maven on a Unix agent. 
24 | sh "mvn -Dmaven.test.failure.ignore=true clean package" 25 | } 26 | } 27 | 28 | stage('Set Result Environment') { 29 | steps { 30 | script { 31 | //get the branch information from Git 32 | GIT_COMMIT_BRANCH = sh (script:"git branch | grep \\* | cut -d ' ' -f2",,returnStdout:true).trim() 33 | 34 | if ( "${WS_PRODUCTION_BRANCH}" == "${GIT_COMMIT_BRANCH}" ) { 35 | echo "Working in the production branch" 36 | WORKING_USERKEY = "${USERKEY}" 37 | WORKING_APIKEY = "${APIKEY}" 38 | } else { 39 | echo "Working in the dev branch" 40 | WORKING_USERKEY = "${DEV_USERKEY}" 41 | WORKING_APIKEY = "${DEV_APIKEY}" 42 | } 43 | } 44 | } 45 | } 46 | 47 | stage('Download Mend Script') { 48 | steps { 49 | script { 50 | echo "Downloading Mend Unified Agent and Checking Integrity" 51 | sh 'curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar' 52 | ua_jar_checksum=sh(returnStdout: true, script: "sha256sum 'wss-unified-agent.jar'") 53 | ua_integrity_file=sh(returnStdout: true, script: "curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256") 54 | if ("${ua_integrity_file}" == "${ua_jar_checksum}") { 55 | echo "Integrity Check Passed" 56 | } else { 57 | echo "Integrity Check Failed" 58 | } 59 | } 60 | } 61 | } 62 | 63 | stage('Run Mend Script') { 64 | steps { 65 | script { 66 | withEnv(["WS_USERKEY=${WORKING_USERKEY}", "WS_APIKEY=${WORKING_APIKEY}", "WS_PROJECTNAME=${JOB_NAME}-${GIT_COMMIT_BRANCH}"]) { 67 | sh 'java -jar wss-unified-agent.jar' 68 | } 69 | } 70 | } 71 | } 72 | } 73 | } 74 | 75 | -------------------------------------------------------------------------------- /CI-CD/Jenkins/Unified Agent/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # Multi-Organizational Pipeline or (multi-org) 4 | The [jenkins example](./Jenkins_pipeline_maven_multi-org.groovy) in this folder shows an example implementation of the concepts discussed in the [Organization/Product/Project Mapping Best 
Practices documentation](https://docs.mend.io/bundle/wsk/page/organization_product_project_mapping_best_practices.html#Pipeline-Integration-Example). 5 | 6 | ## Pipeline Integration Notes 7 | Two options to store the “key” information 8 | 9 | * Global Properties 10 | * Local Pipeline script in the “environment” section 11 | 12 | ** The examples shown use the global properties. Make sure you create the following keys and populate their values: 13 | * APIKEY (Integration -> Organization APIKEY from your production organization) 14 | * DEV_APIKEY (Integration -> Organization APIKEY from your development organization) 15 | * USERKEY (User Profile -> User Keys section from your production organization) 16 | * DEV_USERKEY (User Profile -> User Keys section from your development organization) 17 | * WSURL (https://<Mend URL>/agent) 18 | -------------------------------------------------------------------------------- /CI-CD/README.md: -------------------------------------------------------------------------------- 1 | ![Logo](https://mend-toolkit-resources-public.s3.amazonaws.com/img/mend-io-logo-horizontal.svg) 2 | 3 | # CI/CD Examples 4 | This repository contains tool specific examples of how to deploy the [Mend Unified Agent](https://docs.mend.io/bundle/unified_agent/page/overview_of_the_unified_agent.html), the [Mend CLI](https://docs.mend.io/bundle/cli/page/scan_with_mend_s_unified_cli.html) and other tools, within a CI/CD pipeline. 
5 | 6 | 7 | - [Generic Examples](#generic-examples) 8 | - [Examples by CI/CD Tool](#examples-by-cicd-tool) 9 | - [Additional Tips](#additional-tips) 10 | - [Caching the Unified Agent](#caching-the-unified-agent) 11 | - [Publishing Mend's Logs From a Pipeline](#publishing-mends-logs-from-a-pipeline) 12 | - [Azure DevOps Pipelines](#azure-devops-pipelines) 13 | - [GitHub Actions](#github-actions) 14 | 15 | >**Note:** When scanning using the [Mend Unified Agent](https://docs.mend.io/bundle/unified_agent/page/overview_of_the_unified_agent.html), ensure first that JDK 8/11 is installed on the pipeline image. 16 | 17 |
18 | 19 | ## Generic Examples 20 | - [Mend CLI](./%5BGeneric%5D/Mend%20CLI/) 21 | - [SCA and SAST Scan](./%5BGeneric%5D/Mend%20CLI/sca%2Bsast-scan.sh) 22 | - [Container/Image Scan](./%5BGeneric%5D/Mend%20CLI/ContainerScanning.md) 23 | - [Unified Agent](./%5BGeneric%5D/Unified%20Agent/) 24 | - [Policy Check](./%5BGeneric%5D/Unified%20Agent/Policy-Check/) 25 | - [Prioritize](./%5BGeneric%5D/Unified%20Agent/Prioritize/) 26 | 27 | ## Examples by CI/CD Tool 28 | - [AzureDevOps](./AzureDevOps) 29 | - [Bamboo](./Bamboo) 30 | - [Bitbucket](./Bitbucket) 31 | - [CircleCI](./CircleCI) 32 | - [CloudBuild](./CloudBuild) 33 | - [CodeBuild](./CodeBuild) 34 | - [CodeFresh](./CodeFresh) 35 | - [GitHub](./GitHub) 36 | - [GitLab](./GitLab) 37 | - [Jenkins](./Jenkins) 38 | - [TeamCity](./TeamCity) 39 | 40 | ## Additional Tips 41 | 42 | ### Caching the Unified Agent 43 | The best practice with all of the above pipeline integrations is to have the [Unified Agent](https://docs.mend.io/bundle/unified_agent/page/getting_started_with_the_unified_agent.html#GettingStartedwiththeUnifiedAgent-DownloadingtheUnifiedAgent) downloaded onto the build's workspace during the build job, so that you always use the latest version. 44 | 45 | It is possible to utilize your CI tool's built-in caching functionality, so that you only download the latest version of the agent once every release. 46 | 47 | In the following examples, the `wss-unified-agent.jar` artifact is stored in the pipeline's cache, and the Mend pipeline task first checks whether a newer version of the agent was published since the last time the agent was cached, and if so, it downloads the latest version to be cached instead, before proceeding to the scan itself. 
48 | 49 | **Examples:** 50 | 51 | * [Generic Example](../../Scripts/Mend%20SCA/README.md#cache-the-latest-version-of-the-unified-agent) 52 | * [GitLab Pipelines](./GitLab/Unified%20Agent/GitLab-cached-ua.yml) -------------------------------------------------------------------------------- /CI-CD/TeamCity/Mend CLI/Teamcity.sh: -------------------------------------------------------------------------------- 1 | # ******** Mend Unified CLI Template for JetBrains TeamCity ******** 2 | # 3 | # You may wish to alter this file to override the build tool and Mend scanning technologies. 4 | # 5 | # For more configuration options, please check the technical documentation portal: 6 | # 📚 https://docs.mend.io/bundle/integrations/page/scan_with_the_mend_cli.html 7 | # 8 | # ******** Description ******** 9 | # mend dep will automatically use package managers and file system scanning to detect open source components. 10 | # mend code will automatically detect languages and frameworks used in your projects to scan for code weaknesses. 11 | # mend image will scan the local image:tag for open source components and secrets. 12 | 13 | # If you are NOT using a service user, and have multiple organizations, don't forget to set the organization in the scope parameter 14 | # The following values should be added as environment variables with email and userKey being secrets 15 | # MEND_URL: the mend url that you login to - (https://saas.mend.io) for example 16 | # MEND_EMAIL: the user email for the mend platform account you wish to scan with 17 | # MEND_USER_KEY: the user key found under my profile for the user you wish to scan with 18 | 19 | ### Define the following parameters either at the project or build level: 20 | # Go to the build settings and click on "Parameters". 
21 | # Define the following environment variables: 22 | ### Authentication Variables ### 23 | # env.MEND_EMAIL="YOUR EMAIL" 24 | # env.MEND_USER_KEY="YOUR MEND USERKEY" 25 | # env.MEND_URL="https://saas.mend.io" 26 | 27 | ### Define these General Settings 28 | # Publish Artifacts - even if build fails 29 | # Artifact paths - %env.HOME%/.mend/logs => mend 30 | 31 | ### Add a custom report tab - https://www.jetbrains.com/help/teamcity/including-third-party-reports-in-the-build-results.html 32 | ### Edit the project and add a new build report tab on the project named Mend SCA Results 33 | ### Set Start Page as mend/riskreport.pdf 34 | ### In Administration -> Global Settings update the Artifacts URL to serve build artifacts from - https://www.jetbrains.com/help/teamcity/2023.11/?TeamCity+Configuration+and+Maintenance#artifacts-url 35 | ### An insecure solution would be to disable isolation protection to see if your artifact is displayed in the reports tab 36 | 37 | # The mend dep scan should be called AFTER a package manager build step such as "mvn clean install -DskipTests=true" or "npm install --only=prod" 38 | 39 | # Create the following build step: 40 | # Runner type: Commandline 41 | # Step Name: Mend Scan 42 | # Run: Custom Script 43 | 44 | ## Many TeamCity runners do not have access to /usr/local/bin, which is the recommended download location for the CLI according to the documentation; use %env.HOME% instead 45 | ## Package managers are not always available on the PATH due to default TeamCity installation methods - https://youtrack.jetbrains.com/issue/TW-67369/Default-Maven-is-not-available-in-Command-Line-build-i.e.-mvn-command-not-found 46 | 47 | echo "Downloading Mend CLI" 48 | curl https://downloads.mend.io/cli/linux_amd64/mend -o %env.HOME%/mend && chmod +x %env.HOME%/mend 49 | echo "Set installed package manager on the PATH" 50 | ### Maven example 51 | # export PATH="%teamcity.tool.maven.DEFAULT%/bin":${PATH} 52 | # mvn -version 53 | 54 | echo "Execute Mend CLI" 
55 | echo "Run Mend dependencies scan" 56 | echo "Clean Up Logs if using a persisent runner" 57 | rm -rf %env.HOME%/.mend/logs 58 | $HOME/mend dep -u --export-results dep-results.txt 59 | ### Collect projectToken and download riskreport 60 | export WS_PROJECTTOKEN=$(grep -oP "(?<=token=)[^&]+" ./dep-results.txt) 61 | curl -o %env.HOME%/.mend/logs/riskreport.pdf -X POST "${MEND_URL}/api/v1.4" -H "Content-Type: application/json" \ 62 | -d '{"requestType":"getProjectRiskReport","userKey":"'${MEND_USER_KEY}'","projectToken":"'${WS_PROJECTTOKEN}'"}' 63 | echo "Run Mend code scan" 64 | $HOME/mend code -------------------------------------------------------------------------------- /CI-CD/TeamCity/Unified Agent/TeamCity.sh: -------------------------------------------------------------------------------- 1 | # # Define the parameters: 2 | # Go to the build settings and click on "Parameters". 3 | # Define the following variables: 4 | # env.WS_APIKEY={Your apiKey here} 5 | # env.WS_PRODUCTNAME=TC_%system.teamcity.projectName% 6 | # env.WS_PROJECTNAME=%system.teamcity.buildType.id% 7 | # env.WS_WSS_URL=https://saas.mend.io 8 | 9 | # Create the following build step: 10 | # Runner type: Commandline 11 | # Step Name: Mend SCA Scan 12 | # Run: Custom Script 13 | # The Unified Agent scan should be called AFTER a package manager build step such as "mvn clean install -DskipTests=true" or "npm install --only=prod" 14 | 15 | echo "Downloading Mend" 16 | if ! 
[ -f ./wss-unified-agent.jar ]; then 17 | curl -fSL -R -JO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 18 | if [[ "${'$'}(curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "${'$'}(sha256sum wss-unified-agent.jar)" ]]; then 19 | echo "Integrity Check Failed" 20 | fi 21 | fi 22 | echo "Execute Mend" 23 | java -jar wss-unified-agent.jar -------------------------------------------------------------------------------- /CI-CD/[Generic]/Mend CLI/CLIPolicyCheck.md: -------------------------------------------------------------------------------- 1 | # SCA and SAST Policy Check 2 | Policy Check can be added as part of the dependencies(dep) and code scans. 3 | > **_NOTE:_** 4 | We recommend to avoid breaking builds unless you have carefully defined your policies and change management processes, as this can cause significant disruptions to existing workflows and create opposition to these changes. 5 | 6 | When the scan fails on a Policy Check, for both dep and code, the exit code for the CLI execution changes from `0` to `9` 7 | 8 | ## [Dependencies Policy Check](https://docs.mend.io/bundle/integrations/page/use_the_mend_cli_sca_policy_check_for_build_control.html) 9 | After defining the policies in Mend SCA UI, use the following command to trigger a policy check: 10 | ```shell 11 | mend dep --fail-policy # without upload scan to Mend User Interface 12 | or 13 | mend dep -u --fail-policy # with upload scan to Mend User Interface 14 | ``` 15 | The output for the run will be: 16 | ```shell 17 | Detected 1 Policy violation 18 | +----------------------------------+---------------------+-------------------------------------------------------+ 19 | | LIBRARY | POLICY TYPE | POLICY NAME | 20 | +----------------------------------+---------------------+-------------------------------------------------------+ 21 | | javax.mail-1.5.1.jar | License | [License] [ORG] Block GPL | 22 | 
+----------------------------------+---------------------+-------------------------------------------------------+ 23 | ``` 24 | ## Code Policy Check 25 | The code Policy Check is defined based on the results of the scan using thresholds. 26 | The threshold definitions can be found [here](https://docs.mend.io/bundle/integrations/page/configure_the_mend_cli_for_sast.html#Mend-CLI-SAST---Threshold-parameters) 27 | 28 | Example of setting a threshold so that the ```mend code``` command returns a failure exit code if one or more high findings are found 29 | ```shell 30 | export MEND_SAST_THRESHOLD_HIGH=1 31 | ``` 32 | Once a threshold is matched, the following will be added to the scan stdout: 33 | ```shell 34 | Warning: Scan contains 10 high severity findings, but threshold is set to 1. Scan exited with return code 9 35 | ``` 36 | 37 | ## Handle the Exit Code 38 | It is the user's responsibility to capture and handle the exit code that is returned from the Mend Unified CLI. Below is a quick generic example followed by a more advanced example for Azure DevOps. 39 | 40 | ### Generic Example 41 | ```shell 42 | echo "Downloading Mend CLI" 43 | curl https://downloads.mend.io/cli/linux_amd64/mend -o /usr/local/bin/mend && chmod +x /usr/local/bin/mend 44 | echo "Run Mend dependencies scan" 45 | mend dep -u 46 | export dep_exit=$? 47 | if [[ "$dep_exit" == "9" ]]; then 48 | echo "Dependency scan policy violation" 49 | ### Add error handling logic here 50 | else 51 | echo "No policy violations found in dependencies scan" 52 | fi 53 | echo "Start Mend code scan" 54 | mend code 55 | export code_exit=$? 
56 | if [[ "$code_exit" == "9" ]]; then 57 | echo "Code scan threshold violation" 58 | ### Add error handling logic here 59 | else 60 | echo "No policy violations found in code scan" 61 | fi 62 | ``` 63 | 64 | ### [Azure DevOps Example](../../AzureDevOps/Mend%20CLI/AzureDevOps-advanced-linux.yml) 65 | Notice in the AzDO example that the pipeline has a command to surface warnings instead of errors. This is recommended to alert developers of security vulnerabilities vs breaking the pipeline with ```exit=1``` or a similar fashion -------------------------------------------------------------------------------- /CI-CD/[Generic]/Mend CLI/UnifiedCLI-scan.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # ******** Mend Unified CLI Template for Bash ******** 4 | # 5 | # You may wish to alter this file to override the build tool and Mend scanning technologies. 6 | # 7 | # For more configuration options, please check the technical documentation portal: 8 | # 📚 https://docs.mend.io/bundle/integrations/page/scan_with_the_mend_cli.html 9 | # 10 | # ******** Description ******** 11 | # mend dep will automatically use package managers and file system scanning to detect open source components. 12 | # mend code will automatically detect languages and frameworks used in your projects to scan for code weaknesses. 13 | # mend image will scan the local image:tag for open source components and secrets. 
14 | 15 | # If you are NOT using a service user, and have multiple organizations, don't forget to use the scope (-s) parameter to set the organization 16 | 17 | # Download the Mend CLI and give execute permissions 18 | echo "Downloading Mend CLI" 19 | curl https://downloads.mend.io/cli/linux_amd64/mend -o /usr/local/bin/mend && chmod +x /usr/local/bin/mend 20 | 21 | # Add environment variables for authentication 22 | export MEND_EMAIL=your-email 23 | export MEND_USER_KEY=your-mend-user-key 24 | export MEND_URL="https://saas.mend.io" 25 | 26 | # Add your package manager build (see Maven and NPM examples below) 27 | ## mvn clean install 28 | ## npm install --only=prod 29 | 30 | # The mend dep scan should be called AFTER a package manager build step such as "mvn clean install -DskipTests=true" or "npm install --only=prod" 31 | # Run a Mend Software Composition Analysis Scan 32 | echo "Run Mend dependencies scan" 33 | mend dep -u 34 | 35 | # Run a Mend Static Application Security Analysis Scan 36 | echo "Run Mend code scan" 37 | mend code 38 | 39 | # Build your image (basic docker example below) 40 | export IMAGENAME=mydockerimage 41 | export IMAGETAG=1.0 42 | docker build . 
-t $IMAGENAME:$IMAGETAG 43 | 44 | # Run a Mend Container Image Scan 45 | echo "Run Mend image scan" 46 | mend image $IMAGENAME:$IMAGETAG -------------------------------------------------------------------------------- /CI-CD/[Generic]/Unified Agent/Policy-Check/README.md: -------------------------------------------------------------------------------- 1 | # Mend Unified Agent (UA) Policy Check Examples 2 | 3 | ## [Video Explanation](https://youtu.be/LlK2ZADW0gk) 4 | 5 | ## Prerequisites 6 | - Use environment variables or a blank config file with only the necessary changes in order to utilize Mend Unified Agent defaults as shown on the [Getting Started with Unified Agent documentation](https://docs.mend.io/bundle/unified_agent/page/getting_started_with_the_unified_agent.html#Setting-Up-the-Unified-Agent) 7 | 8 | - The most important policy should always be first in the priority list since policies are triggered per library 9 | 10 | ## Recommendations 11 | - The Unified Agent will exit with a -2 code that will break the majority of pipeline tools. It is highly recommended to use the [Unified CLI](../../Mend%20CLI/CLIPolicyCheck.md) instead if your [package manager is supported](https://docs.mend.io/bundle/integrations/page/configure_the_mend_cli_for_sca.html#Mend-CLI-SCA-supported-languages). 12 | - When using the default [UA parameters](https://docs.mend.io/bundle/unified_agent/page/unified_agent_configuration_parameters.html#Policies), the parameters below should be added to a blank config file or as environment variables to achieve the desired effects 13 | 14 | ### Main or Default Branch 15 | Even though updateInventory=true by default, the UA exits with a failure, so the blocked results will **NOT** be in the user interface. 
Violations will need to be viewed in the policyRejectionSummary.json & checkPolicies-json.txt within the whitesource folder 16 | 17 | - To block/reject only on newly added dependencies add the following parameter: ```WS_CHECKPOLICIES=TRUE``` 18 | 19 | - To block/reject all dependencies add the following parameters: 20 | ``` 21 | WS_CHECKPOLICIES=TRUE 22 | WS_FORCECHECKALLDEPENDENCIES=true 23 | ``` 24 | 25 | ### Feature, Hotfix, or Development branch 26 | - Use the same product and project name as the default branch, the below script is useful when an environment variable is not available in your CI/CD system such as github action's ```${{github.event.repository.default_branch}}``` 27 | ``` 28 | export WS_PROJECTNAME=$(git remote show $(git remote) | grep 'HEAD branch' | cut -d' ' -f5) 29 | ``` 30 | 31 | - Block only newly added dependencies and do not update default branch project 32 | ``` 33 | WS_CHECKPOLICIES=TRUE 34 | WS_UPDATEINVENTORY=FALSE 35 | ``` 36 | 37 | 38 | ### Additional Configurations 39 | Useful for Proof of Concepts, but not recommended in production 40 | 41 | - View new & existing library scan results in the UI for a broken build 42 | ``` 43 | WS_CHECKPOLICIES=true 44 | WS_FORCECHECKALLDEPENDENCIES=true 45 | WS_FORCEUPDATE=true 46 | WS_FORCEUPDATE_FAILBUILDONPOLICYVIOLATION=true 47 | ``` -------------------------------------------------------------------------------- /CI-CD/[Generic]/Unified Agent/Policy-Check/mendpolicycheck-default.yml: -------------------------------------------------------------------------------- 1 | name: Mend Unified Agent Scan + Policy Check for Default Branch 2 | 3 | on: 4 | push: 5 | branches: 6 | - master 7 | - main 8 | 9 | jobs: 10 | build: 11 | runs-on: ubuntu-latest 12 | steps: 13 | - name: Checkout 14 | uses: actions/checkout@v2 15 | # Replace lines 14-6 with your relevant build steps 16 | - uses: actions/setup-node@v3 17 | with: 18 | node-version: 14 19 | 20 | - name: Mend Unified Agent Scan 21 | env: 22 | 
WS_APIKEY: ${{secrets.APIKEY}} 23 | WS_USERKEY: ${{secrets.USERKEY}} 24 | WS_WSS_URL: https://saas.mend.io/agent 25 | WS_PRODUCTNAME: ${{github.event.repository.name}} 26 | WS_PROJECTNAME: ${{github.event.repository.name}}_${{github.ref_name}} 27 | WS_CHECKPOLICIES: TRUE 28 | run: | 29 | echo Downloading Mend Unified Agent 30 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 31 | if [[ "$(curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]] ; then 32 | echo "Integrity Check Failed" 33 | else 34 | echo "Integrity Check Passed" 35 | echo Starting Mend Scan 36 | java -jar wss-unified-agent.jar 37 | fi 38 | - name: 'Upload WhiteSource folder' 39 | uses: actions/upload-artifact@v2 40 | if: failure() 41 | with: 42 | name: WhiteSource 43 | path: whitesource 44 | retention-days: 1 45 | -------------------------------------------------------------------------------- /CI-CD/[Generic]/Unified Agent/Policy-Check/mendpolicycheck-feature.yml: -------------------------------------------------------------------------------- 1 | name: Mend Unified Agent Scan + Policy Check for Feature Branch 2 | 3 | on: 4 | push: 5 | branches: [ feature/* ] 6 | 7 | jobs: 8 | build: 9 | runs-on: ubuntu-latest 10 | steps: 11 | - name: Checkout 12 | uses: actions/checkout@v2 13 | # Replace lines 14-6 with your relevant build steps 14 | - uses: actions/setup-node@v3 15 | with: 16 | node-version: 14 17 | 18 | - name: Mend Unified Agent Scan 19 | env: 20 | WS_APIKEY: ${{secrets.APIKEY}} 21 | WS_USERKEY: ${{secrets.USERKEY}} 22 | WS_WSS_URL: https://saas.mend.io/agent 23 | WS_PRODUCTNAME: ${{github.event.repository.name}} 24 | WS_PROJECTNAME: ${{github.event.repository.name}}_${{github.event.repository.default_branch}} 25 | WS_CHECKPOLICIES: TRUE 26 | WS_UPDATEINVENTORY: FALSE 27 | run: | 28 | echo Downloading Mend Unified Agent 29 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 30 | if [[ 
"$(curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]] ; then 31 | echo "Integrity Check Failed" 32 | else 33 | echo "Integrity Check Passed" 34 | echo Starting Mend Scan 35 | java -jar wss-unified-agent.jar 36 | fi 37 | - name: 'Upload WhiteSource folder' 38 | uses: actions/upload-artifact@v2 39 | if: failure() 40 | with: 41 | name: WhiteSource 42 | path: whitesource 43 | retention-days: 1 44 | -------------------------------------------------------------------------------- /CI-CD/[Generic]/Unified Agent/Prioritize/Java/Multi-Module/Gradle/github-action.yml: -------------------------------------------------------------------------------- 1 | name: Mend Prioritize Java with Gradle 2 | 3 | on: 4 | push: 5 | branches: [ release* ] 6 | pull_request: 7 | branches: [ release* ] 8 | 9 | jobs: 10 | Mend-Prioritize: 11 | 12 | runs-on: ubuntu-latest 13 | 14 | steps: 15 | - uses: actions/checkout@v2 16 | - name: Set up JDK 17 | uses: actions/setup-java@v2 18 | with: 19 | java-version: '8' 20 | distribution: 'adopt' 21 | - uses: actions/cache@v2 22 | with: 23 | path: | 24 | ~/.gradle/caches 25 | ~/.gradle/wrapper 26 | key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }} 27 | restore-keys: | 28 | ${{ runner.os }}-gradle- 29 | 30 | - name: Grant execute permission for gradlew 31 | run: chmod +x gradlew 32 | - name: Build with Gradle 33 | run: ./gradlew build -x test 34 | - name: Mend Prioritize Scan 35 | env: 36 | GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} 37 | WS_APIKEY: ${{secrets.APIKEY}} 38 | WS_USERKEY: ${{secrets.USERKEY}} 39 | run: | 40 | cat < eua.config 41 | apiKey=$WS_APIKEY 42 | userKey=$WS_USERKEY 43 | wss.url=https://saas.mend.io/agent 44 | productName=GH_${{ github.event.repository.name }} 45 | projectName=${{ github.ref }}_Prioritize 46 | enableImpactAnalysis=true 47 | resolveAllDependencies=false 48 | gradle.resolveDependencies=true 49 | 
gradle.aggregateModules=true 50 | fileSystemScan=false 51 | generateProjectDetailsJson=true 52 | EOF 53 | cat eua.config 54 | echo config created successfully 55 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 56 | curl -LJO https://unified-agent.s3.amazonaws.com/xModuleAnalyzer/xModuleAnalyzer.jar 57 | echo Mend Unified Agent downloaded successfully 58 | java -jar wss-unified-agent.jar -d $PWD -analyzeMultiModule multimodule.txt 59 | echo 'multimodule.txt contents' 60 | cat multimodule.txt 61 | java -jar xModuleAnalyzer.jar -xModulePath multimodule.txt -fsaJarPath ./wss-unified-agent.jar -c ./eua.config -aggregateModules true 62 | -------------------------------------------------------------------------------- /CI-CD/[Generic]/Unified Agent/Prioritize/Java/Multi-Module/Maven/azure-pipelines.yml: -------------------------------------------------------------------------------- 1 | trigger: 2 | - release* 3 | 4 | pool: 5 | vmImage: 'ubuntu-latest' 6 | 7 | steps: 8 | - task: Maven@3 9 | inputs: 10 | mavenPomFile: 'pom.xml' 11 | goals: 'clean install' 12 | mavenOptions: -DskipTests=true 13 | publishJUnitResults: false 14 | javaHomeOption: 'JDKVersion' 15 | jdkVersionOption: '1.11' 16 | mavenVersionOption: 'Default' 17 | mavenAuthenticateFeed: false 18 | effectivePomSkip: false 19 | sonarQubeRunAnalysis: false 20 | - task: CmdLine@2 21 | inputs: 22 | script: | 23 | cat < eua.config 24 | apiKey=$(APIKEY) 25 | userKey=$(USERKEY) 26 | wss.url=https://saas.mend.io/agent 27 | productName=$(System.TeamProject) 28 | projectName=$(Build.Repository.Name)_$(Build.SourceBranchName)_Prioritize 29 | enableImpactAnalysis=true 30 | resolveAllDependencies=false 31 | maven.resolveDependencies=true 32 | maven.aggregateModules=true 33 | fileSystemScan=false 34 | generateProjectDetailsJson=true 35 | EOF 36 | cat eua.config 37 | - task: CmdLine@2 38 | inputs: 39 | script: | 40 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 41 | curl -LJO 
https://unified-agent.s3.amazonaws.com/xModuleAnalyzer/xModuleAnalyzer.jar 42 | java -jar wss-unified-agent.jar -d $PWD -analyzeMultiModuleExclusions '**/*internal* **/*original* **/*sources.jar' -analyzeMultiModule multimodule.txt 43 | echo 'multimodule.txt contents' 44 | cat multimodule.txt 45 | java -jar xModuleAnalyzer.jar -xModulePath multimodule.txt -fsaJarPath ./wss-unified-agent.jar -c ./eua.config -aggregateModules true 46 | -------------------------------------------------------------------------------- /CI-CD/[Generic]/Unified Agent/Prioritize/Java/Multi-Module/Maven/github-action.yml: -------------------------------------------------------------------------------- 1 | name: Mend Prioritize Java with Maven 2 | 3 | on: 4 | push: 5 | branches: [ release* ] 6 | pull_request: 7 | branches: [ release* ] 8 | 9 | jobs: 10 | build: 11 | 12 | runs-on: ubuntu-latest 13 | 14 | steps: 15 | - uses: actions/checkout@v2 16 | - name: Set up JDK 17 | uses: actions/setup-java@v2 18 | with: 19 | java-version: '8' 20 | distribution: 'adopt' 21 | 22 | - name: Cache local Maven repository 23 | uses: actions/cache@v2 24 | with: 25 | path: ~/.m2/repository 26 | key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} 27 | restore-keys: | 28 | ${{ runner.os }}-maven- 29 | 30 | - name: Build with Maven 31 | run: mvn clean install -DskipTests=true 32 | 33 | - name: Mend Unified Agent Scan 34 | env: 35 | GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} 36 | WS_APIKEY: ${{secrets.APIKEY}} 37 | WS_USERKEY: ${{secrets.USERKEY}} 38 | run: | 39 | cat < eua.config 40 | apiKey=$WS_APIKEY 41 | userKey=$WS_USERKEY 42 | wss.url=https://saas.mend.io/agent 43 | productName=GH_${{ github.event.repository.name }} 44 | projectName=${{ github.ref }}_Prioritize 45 | enableImpactAnalysis=true 46 | resolveAllDependencies=false 47 | maven.resolveDependencies=true 48 | maven.aggregateModules=true 49 | fileSystemScan=false 50 | generateProjectDetailsJson=true 51 | EOF 52 | cat eua.config 53 | echo config 
created successfully 54 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 55 | curl -LJO https://unified-agent.s3.amazonaws.com/xModuleAnalyzer/xModuleAnalyzer.jar 56 | echo Mend Unified Agent downloaded successfully 57 | java -jar wss-unified-agent.jar -d $PWD -analyzeMultiModuleExclusions '**/*internal* **/*original* **/*sources.jar' -analyzeMultiModule multimodule.txt 58 | echo 'multimodule.txt contents' 59 | cat multimodule.txt 60 | java -jar xModuleAnalyzer.jar -xModulePath multimodule.txt -fsaJarPath ./wss-unified-agent.jar -c ./eua.config -aggregateModules true 61 | -------------------------------------------------------------------------------- /CI-CD/[Generic]/Unified Agent/Prioritize/Java/Multi-Module/Maven/gitlab-ci.yml: -------------------------------------------------------------------------------- 1 | # add APIKEY as an environment variable - https://gitlab.com/help/ci/variables/README 2 | image: maven:3.8-openjdk-8 3 | build: 4 | stage: build 5 | only: 6 | - merge_requests 7 | script: | 8 | mvn clean install -DskipTests=true 9 | echo build completed successfully 10 | cat < eua.config 11 | apiKey=$APIKEY 12 | userKey=$USERKEY 13 | wss.url=https://saas.mend.io/agent 14 | productName=GL_$CI_PROJECT_DIR 15 | projectName=$CI_COMMIT_BRANCH-_Prioritize 16 | enableImpactAnalysis=true 17 | resolveAllDependencies=false 18 | maven.resolveDependencies=true 19 | maven.aggregateModules=true 20 | fileSystemScan=false 21 | generateProjectDetailsJson=true 22 | EOF 23 | cat eua.config 24 | echo config created successfully 25 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 26 | curl -LJO https://unified-agent.s3.amazonaws.com/xModuleAnalyzer/xModuleAnalyzer.jar 27 | echo Mend Unified Agent downloaded successfully 28 | java -jar wss-unified-agent.jar -d $PWD -analyzeMultiModuleExclusions '**/*internal* **/*original* **/*sources.jar' -analyzeMultiModule multimodule.txt 29 | echo 'multimodule.txt contents' 30 | cat 
multimodule.txt 31 | java -jar xModuleAnalyzer.jar -xModulePath multimodule.txt -fsaJarPath ./wss-unified-agent.jar -c ./eua.config -aggregateModules true 32 | -------------------------------------------------------------------------------- /CI-CD/[Generic]/Unified Agent/Prioritize/Java/Single-Module/Gradle/github-action.yml: -------------------------------------------------------------------------------- 1 | # replace .war with .ear or the following for WARFILE if needed 2 | # JARFILE=$(find ./build/libs -type f -wholename "*.jar" ! -wholename "*javadoc*" ! -wholename "*groovydoc*" ! -wholename "*sources*") 3 | name: Whitesource Prioritize Java with Gradle 4 | 5 | on: 6 | push: 7 | branches: [ release* ] 8 | pull_request: 9 | branches: [ release* ] 10 | 11 | jobs: 12 | build: 13 | 14 | runs-on: ubuntu-latest 15 | 16 | steps: 17 | - uses: actions/checkout@v2 18 | - name: Set up JDK 19 | uses: actions/setup-java@v2 20 | with: 21 | java-version: '8' 22 | distribution: 'adopt' 23 | - uses: actions/cache@v2 24 | with: 25 | path: | 26 | ~/.gradle/caches 27 | ~/.gradle/wrapper 28 | key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }} 29 | restore-keys: | 30 | ${{ runner.os }}-gradle- 31 | 32 | - name: Grant execute permission for gradlew 33 | run: chmod +x gradlew 34 | - name: Build with Gradle 35 | run: ./gradlew build -x test 36 | - name: WhiteSource Unified Agent Scan 37 | env: 38 | GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} 39 | WS_APIKEY: ${{secrets.APIKEY}} 40 | WS_USERKEY: ${{secrets.USERKEY}} 41 | WS_WSS_URL: https://saas.mend.io/agent 42 | WS_PRODUCTNAME: GH_${{github.event.repository.name}} 43 | WS_PROJECTNAME: ${{github.ref}}_Prioritize 44 | WS_ENABLEIMPACTANALYSIS: true 45 | WS_RESOLVEALLDEPENDENCIES: false 46 | WS_GRADLE_RESOLVEDEPENDENCIES: true 47 | WS_GRADLE_AGGREGATEMODULES: true 48 | WS_FILESYSTEMSCAN: false 49 | WS_GENERATEPROJECTDETAILSJSON: true 50 | run: | 51 | curl -LJO 
https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 52 | echo Unified Agent downloaded successfully 53 | if [[ "$(curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]] ; then 54 | echo "Integrity Check Failed" 55 | else 56 | echo "Integrity Check Passed" 57 | WARFILE=$(find ./build/libs -type f -wholename "*.war") 58 | echo $WARFILE will be added to appPath 59 | echo Starting WhiteSource Scan 60 | java -jar wss-unified-agent.jar -appPath $WARFILE -d ./ 61 | fi 62 | -------------------------------------------------------------------------------- /CI-CD/[Generic]/Unified Agent/Prioritize/Java/Single-Module/Gradle/prioritize.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #### Prerequisite commands & installs 4 | # apt-get update 5 | # apt-get install -y curl git openjdk-8-jdk nano 6 | 7 | #### Clone your repo & run script 8 | # git clone && cd ./ 9 | # chmod +x ./prioritize.sh 10 | # ./prioritize.sh 11 | 12 | #### Build application & check JAVA_HOME 13 | echo JAVA_HOME:$JAVA_HOME 14 | ./gradlew build -x test 15 | 16 | #### Run WS Prioritize 17 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 18 | echo Unified Agent downloaded successfully 19 | if [[ "$(curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]] ; then 20 | echo "Integrity Check Failed" 21 | else 22 | echo "Integrity Check Passed" 23 | fi 24 | # replace .war with .ear or the following for WARFILE if needed 25 | # JARFILE=$(find ./build/libs -type f -wholename "*.jar" ! -wholename "*javadoc*" ! -wholename "*groovydoc*" ! 
-wholename "*sources*") 26 | export WARFILE=$(find ./build/libs -type f -wholename "*.war") 27 | echo $WARFILE will be added to appPath 28 | echo Starting WhiteSource Prioritize Scan 29 | export WS_APIKEY= 30 | export WS_USERKEY= 31 | export WS_WSS_URL=https://saas.mend.io/agent 32 | export WS_ENABLEIMPACTANALYSIS=true 33 | export WS_RESOLVEALLDEPENDENCIES=false 34 | export WS_GRADLE_RESOLVEDEPENDENCIES=true 35 | export WS_GRADLE_AGGREGATEMODULES=true 36 | export WS_FILESYSTEMSCAN=false 37 | export WS_PRODUCTNAME=$(git config --get remote.origin.url | awk -F "/" '{print $4}') 38 | export WS_PROJECTNAME=$(git config --get remote.origin.url | awk -F "/" '{print $5}' | awk -F "." '{print $1}')-Prioritize 39 | java -jar wss-unified-agent.jar -appPath $WARFILE -d ./ 40 | -------------------------------------------------------------------------------- /CI-CD/[Generic]/Unified Agent/Prioritize/Java/Single-Module/Maven/azure-pipelines.yml: -------------------------------------------------------------------------------- 1 | # replace .war with .jar or .ear if needed 2 | trigger: 3 | - release* 4 | 5 | pool: 6 | vmImage: 'ubuntu-latest' 7 | 8 | steps: 9 | - task: Maven@3 10 | inputs: 11 | mavenPomFile: 'pom.xml' 12 | goals: 'clean install' 13 | mavenOptions: -DskipTests=true 14 | publishJUnitResults: false 15 | javaHomeOption: 'JDKVersion' 16 | jdkVersionOption: '1.11' 17 | mavenVersionOption: 'Default' 18 | mavenAuthenticateFeed: false 19 | effectivePomSkip: false 20 | sonarQubeRunAnalysis: false 21 | 22 | - script: | 23 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 24 | echo Unified Agent downloaded successfully 25 | WARFILE=$(find ./ -type f -wholename "*/target/*.war") 26 | echo $WARFILE will be added to appPath 27 | java -jar wss-unified-agent.jar -appPath $WARFILE -d ./ 28 | env: 29 | WS_APIKEY: $(APIKEY) 30 | WS_USERKEY: $(USERKEY) 31 | WS_WSS_URL: https://saas.mend.io/agent 32 | WS_PRODUCTNAME: AZDO_$(System.TeamProject) 33 | 
WS_PROJECTNAME: $(Build.Repository.Name)_$(Build.SourceBranchName)_Prioritize 34 | WS_ENABLEIMPACTANALYSIS: true 35 | WS_RESOLVEALLDEPENDENCIES: false 36 | WS_MAVEN_RESOLVEDEPENDENCIES: true 37 | WS_MAVEN_AGGREGATEMODULES: true 38 | WS_FILESYSTEMSCAN: false 39 | WS_EXCLUDES: '**/build/** **/tests/**' 40 | displayName: 'Unified Agent Prioritize Scan' 41 | -------------------------------------------------------------------------------- /CI-CD/[Generic]/Unified Agent/Prioritize/Java/Single-Module/Maven/github-action-workshop.yml: -------------------------------------------------------------------------------- 1 | name: Whitesource Prioritize Java with Maven & Github Issue comments 2 | 3 | on: 4 | push: 5 | branches: [ master ] 6 | 7 | jobs: 8 | build: 9 | env: 10 | GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} 11 | WS_APIKEY: ${{secrets.APIKEY}} 12 | WS_USERKEY: ${{secrets.USERKEY}} 13 | WS_WSS_URL: https://saas.mend.io/agent 14 | WS_PRODUCTNAME: GH_${{github.event.repository.name}} 15 | WS_PROJECTNAME: ${{github.event.repository.name}}_${{github.ref_name}}_Prioritize 16 | 17 | runs-on: ubuntu-latest 18 | 19 | steps: 20 | - uses: actions/checkout@v2 21 | - name: Set up JDK 22 | uses: actions/setup-java@v2 23 | with: 24 | java-version: '8' 25 | distribution: 'adopt' 26 | - name: Cache local Maven repository 27 | uses: actions/cache@v2 28 | with: 29 | path: ~/.m2/repository 30 | key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} 31 | restore-keys: | 32 | ${{ runner.os }}-maven- 33 | 34 | - name: Build with Maven 35 | run: mvn clean install -DskipTests=true 36 | - name: WhiteSource Unified Agent Scan 37 | env: 38 | WS_ENABLEIMPACTANALYSIS: true 39 | WS_RESOLVEALLDEPENDENCIES: false 40 | WS_MAVEN_RESOLVEDEPENDENCIES: true 41 | WS_MAVEN_AGGREGATEMODULES: true 42 | WS_FILESYSTEMSCAN: false 43 | WS_GENERATEPROJECTDETAILSJSON: true 44 | run: | 45 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 46 | echo Unified Agent downloaded successfully 47 | 
WARFILE=$(find ./ -type f -wholename "*/target/*.war") 48 | echo $WARFILE will be added to appPath 49 | java -jar wss-unified-agent.jar -appPath $WARFILE -d ./ 50 | - name: Check Project State 51 | run: | 52 | curl -LJO https://raw.githubusercontent.com/mend-toolkit/mend-examples/main/Scripts/check-project-state.sh 53 | chmod +x ./check-project-state.sh && ./check-project-state.sh 54 | - name: Prioritize GH Issue Comments 55 | run: | 56 | curl -LJO https://raw.githubusercontent.com/mend-toolkit/mend-examples/main/Scripts/ghissue-eua.sh 57 | chmod +x ./ghissue-eua.sh && ./ghissue-eua.sh 58 | 59 | -------------------------------------------------------------------------------- /CI-CD/[Generic]/Unified Agent/Prioritize/Java/Single-Module/Maven/github-action.yml: -------------------------------------------------------------------------------- 1 | # replace .war with .jar or .ear if needed 2 | name: Whitesource Prioritize Java with Maven 3 | 4 | on: 5 | push: 6 | branches: [ main ] 7 | 8 | jobs: 9 | build: 10 | env: 11 | GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} 12 | WS_APIKEY: ${{secrets.APIKEY}} 13 | WS_USERKEY: ${{secrets.USERKEY}} 14 | WS_WSS_URL: https://saas.mend.io/agent 15 | WS_PRODUCTNAME: GH_${{github.event.repository.name}} 16 | WS_PROJECTNAME: ${{github.event.repository.name}}_${{github.ref_name}}_Prioritize 17 | 18 | runs-on: ubuntu-latest 19 | 20 | steps: 21 | - uses: actions/checkout@v2 22 | - name: Set up JDK 23 | uses: actions/setup-java@v2 24 | with: 25 | java-version: '8' 26 | distribution: 'adopt' 27 | - name: Cache local Maven repository 28 | uses: actions/cache@v2 29 | with: 30 | path: ~/.m2/repository 31 | key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} 32 | restore-keys: | 33 | ${{ runner.os }}-maven- 34 | 35 | - name: Build with Maven 36 | run: mvn clean install -DskipTests=true 37 | - name: WhiteSource Unified Agent Scan 38 | env: 39 | WS_ENABLEIMPACTANALYSIS: true 40 | WS_RESOLVEALLDEPENDENCIES: false 41 | 
WS_MAVEN_RESOLVEDEPENDENCIES: true 42 | WS_MAVEN_AGGREGATEMODULES: true 43 | WS_FILESYSTEMSCAN: false 44 | WS_GENERATEPROJECTDETAILSJSON: true 45 | run: | 46 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 47 | echo Unified Agent downloaded successfully 48 | WARFILE=$(find ./ -type f -wholename "*/target/*.war") 49 | echo $WARFILE will be added to appPath 50 | java -jar wss-unified-agent.jar -appPath $WARFILE -d ./ 51 | -------------------------------------------------------------------------------- /CI-CD/[Generic]/Unified Agent/Prioritize/Java/Single-Module/Maven/gitlab-ci.yml: -------------------------------------------------------------------------------- 1 | # add APIKEY as an environment variable - https://gitlab.com/help/ci/variables/README 2 | image: maven:3.8-openjdk-8 3 | build: 4 | stage: build 5 | only: 6 | - merge_requests 7 | script: | 8 | mvn clean install -DskipTests=true 9 | echo build completed successfully 10 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 11 | echo Unified Agent downloaded successfully 12 | WARFILE=$(find ./ -type f -wholename "*/target/*.war") 13 | echo $WARFILE will be added to appPath 14 | export WS_APIKEY=$APIKEY 15 | export WS_USERKEY=$USERKEY 16 | export WS_WSS_URL=https://saas.mend.io/agent 17 | export WS_ENABLEIMPACTANALYSIS=true 18 | export WS_RESOLVEALLDEPENDENCIES=false 19 | export WS_MAVEN_RESOLVEDEPENDENCIES=true 20 | export WS_MAVEN_AGGREGATEMODULES=true 21 | export WS_FILESYSTEMSCAN=false 22 | export WS_PRODUCTNAME=GL_$CI_PROJECT_DIR 23 | export WS_PROJECTNAME=$CI_COMMIT_BRANCH-Prioritize 24 | java -jar wss-unified-agent.jar -appPath $WARFILE -d ./ -------------------------------------------------------------------------------- /CI-CD/[Generic]/Unified Agent/Prioritize/Java/Single-Module/Maven/prioritize.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #### Prerequisite commands & installs 4 | # apt-get 
update 5 | # apt-get install -y curl git openjdk-8-jdk nano 6 | 7 | #### Install Maven 8 | # curl -LJO https://mirrors.ocf.berkeley.edu/apache/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.tar.gz 9 | # tar -xvf ./apache-maven-3.6.3-bin.tar.gz -C /opt 10 | # ln -s /opt/apache-maven-3.6.3 /opt/maven 11 | # rm ./apache-maven-3.6.3-bin.tar.gz 12 | # nano /etc/profile.d/maven.sh 13 | 14 | ## Add the following into the maven.sh file and change jdk 15 | # export JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64 16 | # export M2_HOME=/opt/maven 17 | # export MAVEN_HOME=/opt/maven 18 | # export PATH=${M2_HOME}/bin:${PATH} 19 | # export MAVEN_CONFIG=/root/.m2 20 | 21 | ## Make the script runable 22 | # chmod +x /etc/profile.d/maven.sh 23 | # source /etc/profile.d/maven.sh 24 | # mvn -version 25 | 26 | #### Clone your repo & run script 27 | # git clone && cd ./ 28 | # chmod +x ./prioritize.sh 29 | # ./prioritize.sh 30 | 31 | #### Build application & check JAVA_HOME 32 | echo JAVA_HOME: $JAVA_HOME 33 | mvn clean install -DskipTests=true 34 | 35 | #### Run WS Prioritize 36 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 37 | echo Unified Agent downloaded successfully 38 | # replace .war with .jar or .ear if needed 39 | export WARFILE=$(find ./ -type f -wholename "*/target/*.war") 40 | echo $WARFILE will be added to appPath 41 | export WS_APIKEY= 42 | export WS_USERKEY= 43 | export WS_WSS_URL=https://saas.mend.io/agent 44 | export WS_ENABLEIMPACTANALYSIS=true 45 | export WS_RESOLVEALLDEPENDENCIES=false 46 | export WS_MAVEN_RESOLVEDEPENDENCIES=true 47 | export WS_MAVEN_AGGREGATEMODULES=true 48 | export WS_FILESYSTEMSCAN=false 49 | export WS_PRODUCTNAME=$(git config --get remote.origin.url | awk -F "/" '{print $4}') 50 | export WS_PROJECTNAME=$(git config --get remote.origin.url | awk -F "/" '{print $5}' | awk -F "." 
'{print $1}')-Prioritize 51 | java -jar wss-unified-agent.jar -appPath $WARFILE -d ./ 52 | -------------------------------------------------------------------------------- /CI-CD/[Generic]/Unified Agent/Prioritize/JavaScript/azure-pipelines.yml: -------------------------------------------------------------------------------- 1 | # Node.js 2 | # Build a general Node.js project with npm. 3 | # Add steps that analyze code, save build artifacts, deploy, and more: 4 | # https://docs.microsoft.com/azure/devops/pipelines/languages/javascript 5 | 6 | trigger: 7 | - master 8 | 9 | pool: 10 | vmImage: ubuntu-latest 11 | 12 | steps: 13 | - task: NodeTool@0 14 | inputs: 15 | versionSpec: '12.x' 16 | displayName: 'Install Node.js' 17 | 18 | - script: | 19 | npm install --only=prod 20 | displayName: 'npm install' 21 | 22 | - script: | 23 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar # NOTE(review): -J lets the server's Content-Disposition header choose the saved filename and there is no --fail, so an HTTP error page or a renamed download can be written instead of the jar the lines below expect; -o wss-unified-agent.jar --fail keeps the name fixed and stops on HTTP errors 24 | echo Unified Agent downloaded successfully 25 | if [[ "$(curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]] ; then 26 | echo "Integrity Check Failed" 27 | else 28 | echo "Integrity Check Passed" 29 | echo "Starting Mend Scan" 30 | fi # NOTE(review): the mismatch branch only prints, and the java line below runs after fi either way, so a failed integrity check does not stop the scan; move the java line into the else branch (or exit 1 in the failure branch) so the jar runs only when the checksum matched. The same shape appears in the JavaScript, Python and Scala GitHub workflows and in the JavaScript and Gradle prioritize.sh scripts 31 | java -jar wss-unified-agent.jar -appPath ./package.json -d ./ 32 | 33 | env: 34 | WS_APIKEY: $(APIKEY) 35 | WS_USERKEY: $(USERKEY) 36 | WS_WSS_URL: $(WSS_URL) 37 | WS_PRODUCTNAME: AZDO_$(System.TeamProject) 38 | WS_PROJECTNAME: $(Build.Repository.Name)_$(Build.SourceBranchName)_Prioritize 39 | WS_ENABLEIMPACTANALYSIS: true 40 | WS_RESOLVEALLDEPENDENCIES: false 41 | WS_FILESYSTEMSCAN: false 42 | WS_NPM_RESOLVEDEPENDENCIES: true 43 | WS_NPM_RESOLVELOCKFILE: false 44 | 45 | displayName: 'Mend Unified Agent Prioritize Scan' 46 | -------------------------------------------------------------------------------- /CI-CD/[Generic]/Unified Agent/Prioritize/JavaScript/github-action.yml: -------------------------------------------------------------------------------- 1 | name: 
Mend NPM Prioritize Scan 2 | 3 | on: 4 | push: 5 | branches: [ release* ] 6 | pull_request: 7 | branches: [ release* ] 8 | 9 | jobs: 10 | Mend-Prioritize: 11 | runs-on: ubuntu-latest 12 | 13 | strategy: 14 | fail-fast: false 15 | matrix: 16 | node-version: ["12.x"] 17 | 18 | steps: 19 | - name: Checkout https://github.com/${{ github.repository }}@${{ github.ref }} 20 | uses: actions/checkout@v2 21 | with: 22 | persist-credentials: false 23 | 24 | - name: Set up Node.js ${{ matrix.node-version }} 25 | uses: actions/setup-node@v1 26 | with: 27 | node-version: ${{ matrix.node-version }} 28 | 29 | - uses: actions/cache@v2 30 | with: 31 | path: ~/.npm 32 | key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} 33 | restore-keys: | 34 | ${{ runner.os }}-node- 35 | 36 | - name: Install dependencies 37 | run: npm install --only=prod 38 | 39 | - name: Mend Unified Agent Scan 40 | env: 41 | GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} 42 | WS_APIKEY: ${{secrets.APIKEY}} 43 | WS_USERKEY: ${{secrets.USERKEY}} 44 | WS_WSS_URL: https://saas.mend.io/agent 45 | WS_PRODUCTNAME: GH_${{github.event.repository.name}} 46 | WS_PROJECTNAME: ${{github.ref}}_Prioritize 47 | WS_ENABLEIMPACTANALYSIS: true 48 | WS_RESOLVEALLDEPENDENCIES: false 49 | WS_NPM_RESOLVEDEPENDENCIES: true 50 | WS_NPM_RESOLVELOCKFILE: false 51 | WS_FILESYSTEMSCAN: false 52 | WS_GENERATEPROJECTDETAILSJSON: true 53 | run: | 54 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 55 | echo Unified Agent downloaded successfully 56 | if [[ "$(curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]] ; then 57 | echo "Integrity Check Failed" 58 | else 59 | echo "Integrity Check Passed" 60 | echo "Starting Mend Scan" 61 | fi 62 | java -jar wss-unified-agent.jar -appPath ./package.json -d ./ 63 | -------------------------------------------------------------------------------- /CI-CD/[Generic]/Unified 
Agent/Prioritize/JavaScript/prioritize.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #### Prerequisite commands & installs 4 | # apt-get update 5 | # apt-get install -y curl git openjdk-8-jdk nano 6 | 7 | #### Install Nodejs 8 | # curl -fsSL https://deb.nodesource.com/setup_12.x | bash - 9 | # apt-get install -y nodejs 10 | 11 | #### Clone your repo & run script 12 | # git clone && cd ./ 13 | # chmod +x ./prioritize.sh 14 | # ./prioritize.sh 15 | 16 | #### Build application & check JAVA_HOME 17 | echo JAVA_HOME: $JAVA_HOME 18 | npm install --only=prod 19 | 20 | #### Run WS Prioritize 21 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 22 | echo Unified Agent downloaded successfully 23 | if [[ "$(curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]] ; then 24 | echo "Integrity Check Failed" 25 | else 26 | echo "Integrity Check Passed" 27 | echo "Starting Mend Scan" 28 | fi 29 | export WS_APIKEY= 30 | export WS_USERKEY= 31 | export WS_WSS_URL=https://saas.mend.io/agent 32 | export WS_ENABLEIMPACTANALYSIS=true 33 | export WS_RESOLVEALLDEPENDENCIES=false 34 | export WS_NPM_RESOLVEDEPENDENCIES=true 35 | export WS_NPM_RESOLVELOCKFILE=false 36 | export WS_FILESYSTEMSCAN=false 37 | export WS_PRODUCTNAME=$(git config --get remote.origin.url | awk -F "/" '{print $4}') 38 | export WS_PROJECTNAME=$(git config --get remote.origin.url | awk -F "/" '{print $5}' | awk -F "." 
'{print $1}')-Prioritize 39 | java -jar wss-unified-agent.jar -appPath ./package.json -d ./ 40 | -------------------------------------------------------------------------------- /CI-CD/[Generic]/Unified Agent/Prioritize/Python/github-action.yml: -------------------------------------------------------------------------------- 1 | name: Mend Prioritize Python 2 | 3 | on: 4 | push: 5 | branches: [ release* ] 6 | pull_request: 7 | branches: [ release* ] 8 | 9 | jobs: 10 | prioritize: 11 | 12 | runs-on: ubuntu-latest 13 | strategy: 14 | matrix: 15 | python-version: [3.7] 16 | 17 | steps: 18 | - uses: actions/checkout@v2 19 | - name: Set up Python ${{ matrix.python-version }} 20 | uses: actions/setup-python@v2 21 | with: 22 | python-version: ${{ matrix.python-version }} 23 | 24 | - uses: actions/cache@v2 25 | with: 26 | path: ~/.cache/pip 27 | key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }} 28 | restore-keys: | 29 | ${{ runner.os }}-pip- 30 | 31 | 32 | - name: Install dependencies 33 | run: | 34 | python -m pip install --upgrade pip 35 | pip install virtualenv --user 36 | pip install -r requirements.txt 37 | 38 | - name: Mend Prioritize Scan 39 | env: 40 | GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} 41 | WS_APIKEY: ${{secrets.APIKEY}} 42 | WS_USERKEY: ${{secrets.USERKEY}} 43 | WS_WSS_URL: https://saas.mend.io/agent 44 | WS_PRODUCTNAME: GH_${{github.event.repository.name}} 45 | WS_PROJECTNAME: ${{github.ref}}_Prioritize 46 | WS_ENABLEIMPACTANALYSIS: true 47 | WS_RESOLVEALLDEPENDENCIES: false 48 | WS_PYTHON_RESOLVEDEPENDENCIES: true 49 | WS_FILESYSTEMSCAN: false 50 | WS_GENERATEPROJECTDETAILSJSON: true 51 | run: | 52 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 53 | echo Unified Agent downloaded successfully 54 | if [[ "$(curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]] ; then 55 | echo "Integrity Check Failed" 56 | else 57 | echo "Integrity Check Passed" 58 | 
echo "Starting Mend Scan" 59 | fi 60 | java -jar wss-unified-agent.jar -appPath ./requirements.txt -d ./ -------------------------------------------------------------------------------- /CI-CD/[Generic]/Unified Agent/Prioritize/Scala/SBT-Maven/github-action.yml: -------------------------------------------------------------------------------- 1 | name: Mend Prioritize Scala with SBT & Maven 2 | 3 | on: 4 | push: 5 | branches: [ release* ] 6 | pull_request: 7 | branches: [ release* ] 8 | 9 | jobs: 10 | build: 11 | 12 | runs-on: ubuntu-latest 13 | 14 | steps: 15 | - uses: actions/checkout@v2 16 | - name: Set up JDK 17 | uses: actions/setup-java@v2 18 | with: 19 | java-version: '8' 20 | distribution: 'adopt' 21 | - name: SBT Package 22 | run: | 23 | sbt package 24 | sbt makePom 25 | mv $(find ./ -type f -wholename "*/target/*.pom") ./pom.xml 26 | mvn clean install -DskipTests=true 27 | 28 | - name: Mend Unified Agent Scan 29 | continue-on-error: true 30 | env: 31 | GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} 32 | WS_APIKEY: ${{secrets.APIKEY}} 33 | WS_USERKEY: ${{secrets.USERKEY}} 34 | WS_WSS_URL: https://saas.mend.io/agent 35 | WS_PRODUCTNAME: GH_${{github.event.repository.name}} 36 | WS_PROJECTNAME: ${{github.ref}}_Prioritize 37 | WS_ENABLEIMPACTANALYSIS: true 38 | WS_RESOLVEALLDEPENDENCIES: false 39 | WS_MAVEN_RESOLVEDEPENDENCIES: true 40 | WS_MAVEN_AGGREGATEMODULES: true 41 | WS_FILESYSTEMSCAN: false 42 | WS_GENERATEPROJECTDETAILSJSON: true 43 | run: | 44 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 45 | echo Unified Agent downloaded successfully 46 | if [[ "$(curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]] ; then 47 | echo "Integrity Check Failed" 48 | else 49 | echo "Integrity Check Passed" 50 | echo "Starting Mend WhiteSource Scan" 51 | fi 52 | JARFILE=$(find ./ -type f -wholename "*/target/*.jar") 53 | echo $JARFILE will be added to appPath 54 | java -jar 
wss-unified-agent.jar -appPath $JARFILE -d ./ -------------------------------------------------------------------------------- /CI-CD/[Generic]/Unified Agent/UA-SCA.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Generic example for scanning for dependencies with the Mend Unified Agent 3 | # The Unified Agent scan should be called AFTER a package manager build step such as "mvn clean install -DskipTests=true" or "npm install --only=prod" 4 | 5 | export WS_APIKEY= # NOTE(review): credential; inject it from the CI secret store or the environment instead of filling it in here, so the value never lands in the repository 6 | export WS_USERKEY= # NOTE(review): credential; same handling as WS_APIKEY 7 | export WS_PRODUCTNAME= 8 | export WS_PROJECTNAME= 9 | export WS_WSS_URL=https://saas.mend.io/agent 10 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar # NOTE(review): -J takes the local filename from the server's Content-Disposition header and there is no --fail, so an HTTP error page or a renamed download can be saved instead of the jar the lines below expect; -o wss-unified-agent.jar --fail pins the name and stops on HTTP errors 11 | echo Mend Unified Agent downloaded successfully 12 | if [[ "$(curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]] ; then # NOTE(review): sha256sum prints "<hash>  <filename>", so this whole-string comparison only holds when the published .sha256 uses exactly that layout; a failed fetch of the .sha256 (hidden by -s) also lands in the failure branch, which is the safe direction 13 | echo "Integrity Check Failed" # NOTE(review): the failure branch only prints and the script then exits 0 (the status of this echo), so a CI job wrapping it reports success; an exit 1 here makes the pipeline fail closed 14 | else 15 | echo "Integrity Check Passed" 16 | echo Starting Mend Scan 17 | java -jar wss-unified-agent.jar # the scan itself runs only on the checksum-matched branch 18 | fi -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ![Logo](https://mend-toolkit-resources-public.s3.amazonaws.com/img/mend-io-logo-horizontal.svg) 2 | 3 | [![License](https://img.shields.io/badge/License-Apache%202.0-yellowgreen.svg)](https://opensource.org/licenses/Apache-2.0) 4 | 5 | # Mend Examples 6 | This repository contains examples of different ways to scan and retrieve results within the [Mend platform](https://docs.mend.io/). 7 | 8 | If you can't find something, use [GitHub's search]((https://docs.github.com/en/search-github/getting-started-with-searching-on-github/about-searching-on-github)) to search in this repository. 
9 | 10 | 11 | ## SCM Integration 12 | #### [Self Hosted Repo Integration Setup](Repo-Integration) 13 | 14 | ## CI-CD 15 | #### [CI-CD by Platform](./CI-CD/) 16 | #### [Policy Check Examples (Unified Agent)](CI-CD/%5BGeneric%5D/Unified%20Agent/Policy-Check) 17 | #### [Mend Prioritize Scans by Language](CI-CD/%5BGeneric%5D/Unified%20Agent/Prioritize) 18 | 19 | ## Scripts 20 | #### [Mend SAST](./Scripts/Mend%20SAST/) 21 | #### [Mend SCA](./Scripts/Mend%20SCA/) 22 | 23 | -------------------------------------------------------------------------------- /Repo-Integration/Binaries/update-java-ca-certificates/LICENSE: -------------------------------------------------------------------------------- 1 | update-java-ca-certificates 2 | Copyright © 2022 Swisscom (Schweiz) AG 3 | 4 | Permission is hereby granted, free of charge, to any person obtaining 5 | a copy of this software and associated documentation files (the "Software"), 6 | to deal in the Software without restriction, including without limitation 7 | the rights to use, copy, modify, merge, publish, distribute, sublicense, 8 | and/or sell copies of the Software, and to permit persons to whom the 9 | Software is furnished to do so, subject to the following conditions: 10 | 11 | The above copyright notice and this permission notice shall be included 12 | in all copies or substantial portions of the Software. 13 | 14 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 15 | EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES 16 | OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 17 | IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 18 | DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, 19 | TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE 20 | OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
21 | -------------------------------------------------------------------------------- /Repo-Integration/Binaries/update-java-ca-certificates/update-java-ca-certificates: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mend-toolkit/mend-examples/e6161d48a4cac380a8b4f139a0096bf55e628f93/Repo-Integration/Binaries/update-java-ca-certificates/update-java-ca-certificates -------------------------------------------------------------------------------- /Repo-Integration/Encryption/README.md: -------------------------------------------------------------------------------- 1 | ## Encrypting Private Registry Credentials for hostRule Configurations 2 | 3 | Mend Repository Integration customers often require encrypted credentials to access private registries for package resolution. 4 | 5 | Typically, users can encrypt credentials through the following methods: 6 | 7 | - **Cloud-Hosted Integrations:** [Mend Repo Integration Encryption page](https://mend-resources.mend.io/index-gh.html) 8 | - Relevant Integrations: [Github.com](https://docs.mend.io/bundle/integrations/page/configure_mend_for_github_com_to_resolve_your_private_dependencies.html), [Azure Repos](https://docs.mend.io/bundle/integrations/page/configure_mend_for_azure_repos_to_resolve_your_private_dependencies.html), [BitBucket Cloud](https://docs.mend.io/bundle/integrations/page/installation_of_mend_for_bitbucket_cloud.html#Handling-Private-Registries-and-Authenticated-Repositories) 9 | - **Self-Hosted Repository Integrations:** Using a page with a public key created by the user 10 | - Relevant Integrations: [GitHub Enterprise](https://docs.mend.io/bundle/integrations/page/configure_mend_for_github_enterprise_to_resolve_your_private_dependencies.html), [BitBucket Datacenter](https://docs.mend.io/bundle/integrations/page/mend_for_bitbucket_server_and_data_center.html#Handling-Private-Registries-and-Authenticated-Repositories), [Gitlab 
Server](https://docs.mend.io/bundle/integrations/page/installing_mend_for_gitlab.html#Handling-Private-Registries-and-Authenticated-Repositories) 11 | - **Renovate:** [Renovate Encryption page](https://app.renovatebot.com/encrypt) 12 | - Documentation: [Renovate Encryption](https://docs.renovatebot.com/getting-started/private-packages/#encryption-and-the-mend-renovate-app) 13 | 14 | This script provides an alternative to these methods for encryption. 15 | 16 | Requirements: 17 | ``` 18 | Python 3.9+ 19 | ``` 20 | 21 | Installation steps: 22 | ``` 23 | pip install -r pgpy==0.6.0 24 | ``` 25 | 26 | 27 | Usage: 28 | ``` 29 | usage: encrypt_credentials.py [-h] -o ORGANIZATION [-r REPOSITORY] -v SECRET_VALUE [-k PUBLIC_KEY_FILE | -rk | --renovate-key | --no-renovate-key] 30 | 31 | A script replacement for the Mend.io Host Rule encryption web pages 32 | 33 | optional arguments: 34 | -h, --help show this help message and exit 35 | -o ORGANIZATION, --organization ORGANIZATION 36 | Organization Name (Environment Variable: ORGANIZATION) 37 | -r REPOSITORY, --repository REPOSITORY 38 | Repository Name (Optional) (Environment Variable: REPOSITORY) 39 | -v SECRET_VALUE, --secret-value SECRET_VALUE 40 | Secret Value (Environment Variable: SECRET_VALUE) 41 | -k PUBLIC_KEY_FILE, --public-key-file PUBLIC_KEY_FILE 42 | Public Key File (Optional, Default: Cloud Repository Integration Public Key) (Environment Variable: PUBLIC_KEY_FILE) 43 | -rk, --renovate-key, --no-renovate-key 44 | Whether to use the Renovate Public key for renovate.json files (default: False) 45 | ``` 46 | 47 | Examples: 48 | 49 | Create encrypted credentials for the self-hosted repository integration 50 | ``` 51 | python3 encrypt_credentials.py -o "" -r "" -v "" 52 | ``` 53 | 54 | Create encrypted credentials for a self-hosted integration 55 | ``` 56 | python3 encrypt_credentials.py -o "" -r "" -v "" -k "./secret_key.pem" 57 | ``` 58 | 59 | Create encrypted credentials for Renovate-specific configurations in a 
``renovate.json`` 60 | ``` 61 | python3 encrypt_credentials.py -o "" -r "" -v "" -rk 62 | ``` 63 | 64 |
65 | Output: 66 | 67 | The script outputs the encrypted credentials in the following format: 68 | ``` 69 | Encrypted Secret Value: 70 | wcBMA8xOaBJvzJNbAQxxxxxxxxxxxxxxxxxxxxxxxx... 71 | ``` 72 | -------------------------------------------------------------------------------- /Repo-Integration/Private-Registries-No-HostRules/Conda/.condarc: -------------------------------------------------------------------------------- 1 | channel_alias: https://${CONDA_USER_ENCODED}:${CONDA_PASS}@${CONDA_CHANNEL} 2 | 3 | channels: 4 | - https://${CONDA_USER_ENCODED}:${CONDA_PASS}@${CONDA_CHANNEL} 5 | 6 | default_channels: 7 | - https://${CONDA_USER_ENCODED}:${CONDA_PASS}@${CONDA_CHANNEL} 8 | 9 | ssl_verify: true 10 | -------------------------------------------------------------------------------- /Repo-Integration/Private-Registries-No-HostRules/Conda/docker-compose.yaml: -------------------------------------------------------------------------------- 1 | version: "2" 2 | services: 3 | 4 | 5 | remediate: 6 | image: wss-remediate:latest 7 | container_name: remediate-server 8 | environment: 9 | LOG_LEVEL: DEBUG 10 | CONDA_USER: 11 | CONDA_PASS: 12 | CONDA_REGISTRY: https://.jfrog.io/artifactory/api/pypi/default-pypi/simple 13 | ports: 14 | - "8080:8080" 15 | volumes: 16 | - "/path/to/prop.json:/etc/usr/local/whitesource/conf/prop.json" 17 | - "/path/to/config.js:/usr/src/app/config.js" 18 | restart: always 19 | extra_hosts: 20 | - "repo.anaconda.com:127.0.0.1" 21 | - "conda.anaconda.com:127.0.0.1" 22 | logging: 23 | driver: local 24 | options: 25 | max-size: 1m 26 | max-file: "5" 27 | 28 | 29 | app: 30 | image: wss-ghe-app:latest 31 | container_name: wss-ghe-app 32 | environment: 33 | LOG_LEVEL: DEBUG 34 | ports: 35 | - "9494:9494" 36 | - "5678:5678" 37 | volumes: 38 | - "/path/to/prop.json:/etc/usr/local/whitesource/conf/prop.json" 39 | depends_on: 40 | - remediate 41 | logging: 42 | driver: local 43 | options: 44 | max-size: 1m 45 | max-file: "5" 46 | 47 | 48 | scanner: 49 | 
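image: wss-scanner:latest
container_name: wss-scanner-ghe
environment:
  EXTERNAL_LOG_IN_CONSOLE: true
  LOG_LEVEL: DEBUG
  # NOTE(review): Artifactory serves Conda repositories under /artifactory/api/conda/<repo-key>;
  # confirm that the /api/pypi/ path below is really what this Conda channel should point at.
  # (The path segment was previously misspelled "artifacotry", which would never resolve.)
  CONDA_CHANNEL: .jfrog.io/artifactory/api/pypi/default-conda
  CONDA_USER_ENCODED:
  CONDA_PASS:
ports:
  - "9393:9393"
volumes:
  - "/path/to/prop.json:/etc/usr/local/whitesource/conf/prop.json"
  - "/path/to/.condarc:/home/wss-scanner/.condarc"
extra_hosts:
  - "repo.anaconda.com:127.0.0.1"
  - "conda.anaconda.com:127.0.0.1"
restart: always
depends_on:
  - app
logging:
  driver: local
  options:
    max-size: 1m
    max-file: "5"


networks:
  default:
    name: my_bridge
    external: false
-------------------------------------------------------------------------------- /Repo-Integration/Private-Registries-No-HostRules/Docker/config.js: --------------------------------------------------------------------------------
module.exports = {
  "packageRules": [
    {
      // This is an example of specifying custom versioning for a package. Each package in docker typically has its own versioning scheme.
      // So if a specific package needs to be checked for updates, then this can be added to config.js or to renovate configuration inside of the repository.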
6 | "matchDatasources": [ "docker" ], 7 | "matchPackageNames": [ "repository/package" ], 8 | "versioning": "semver" 9 | }], 10 | "hostRules": [ 11 | { 12 | "hostType": "docker", 13 | "matchHost": process.env.DOCKER_REGISTRY, 14 | "username": process.env.DOCKER_USER, 15 | "password": process.env.DOCKER_PASS 16 | } 17 | ] 18 | } 19 | -------------------------------------------------------------------------------- /Repo-Integration/Private-Registries-No-HostRules/Docker/docker-compose.yaml: -------------------------------------------------------------------------------- 1 | version: "3" 2 | services: 3 | 4 | remediate: 5 | image: wss-remediate:latest 6 | container_name: remediate-server 7 | environment: 8 | LOG_LEVEL: "DEBUG" 9 | DOCKER_REGISTRY: "https://.jfrog.io" 10 | DOCKER_USER: "" 11 | DOCKER_PASS: "" 12 | ports: 13 | - "8083:8080" 14 | volumes: 15 | - "/path/to/prop.json:/etc/usr/local/whitesource/conf/prop.json" 16 | - "/path/to/config.js:/usr/src/app/config.js" 17 | restart: always 18 | extra_hosts: 19 | - "index.docker.io:127.0.0.1" 20 | - "auth.docker.io:127.0.0.1" 21 | logging: 22 | driver: local 23 | options: 24 | max-size: 1m 25 | max-file: "5" 26 | 27 | 28 | app: 29 | build: 30 | context: wss-ghe-app/docker 31 | dockerfile: Dockerfile 32 | image: wss-ghe-app:{app-version} 33 | container_name: wss-ghe-app 34 | environment: 35 | LOG_LEVEL: "DEBUG" 36 | ports: 37 | - "9494:9494" 38 | - "5678:5678" 39 | volumes: 40 | - "/path/to/prop.json:/etc/usr/local/whitesource/conf/prop.json" 41 | restart: always 42 | depends_on: 43 | - remediate 44 | logging: 45 | driver: local 46 | options: 47 | max-size: 1m 48 | max-file: "5" 49 | 50 | 51 | scanner: 52 | build: 53 | context: wss-scanner/docker 54 | dockerfile: Dockerfilefull 55 | image: wss-scanner:{scanner-version} 56 | container_name: wss-scanner-ghe 57 | env_file: 58 | - "~/ghe-config/package-settings.env" 59 | environment: 60 | EXTERNAL_LOG_IN_CONSOLE: "true" 61 | LOG_LEVEL: "DEBUG" 62 | ports: 63 | - 
"9393:9393" 64 | - "4000:4000" 65 | volumes: 66 | - "/path/to/prop.json:/etc/usr/local/whitesource/conf/prop.json" 67 | restart: always 68 | depends_on: 69 | - app 70 | logging: 71 | driver: local 72 | options: 73 | max-size: 1m 74 | max-file: "5" 75 | 76 | 77 | networks: 78 | default: 79 | name: my_bridge 80 | external: false 81 | -------------------------------------------------------------------------------- /Repo-Integration/Private-Registries-No-HostRules/Go/docker-compose.yaml: -------------------------------------------------------------------------------- 1 | version: "2" 2 | services: 3 | 4 | 5 | remediate: 6 | image: wss-remediate:latest 7 | container_name: remediate-server 8 | environment: 9 | LOG_LEVEL: DEBUG 10 | GOPROXY: https://:@.jfrog.io/artifactory/api/go/default-go/ 11 | ports: 12 | - "8080:8080" 13 | volumes: 14 | - "/path/to/prop.json:/etc/usr/local/whitesource/conf/prop.json" 15 | - "/path/to/config.js:/usr/src/app/config.js" 16 | restart: always 17 | logging: 18 | driver: local 19 | options: 20 | max-size: 1m 21 | max-file: "5" 22 | 23 | 24 | app: 25 | image: wss-ghe-app:latest 26 | container_name: wss-ghe-app 27 | environment: 28 | LOG_LEVEL: DEBUG 29 | ports: 30 | - "9494:9494" 31 | - "5678:5678" 32 | volumes: 33 | - "/path/to/prop.json:/etc/usr/local/whitesource/conf/prop.json" 34 | depends_on: 35 | - remediate 36 | logging: 37 | driver: local 38 | options: 39 | max-size: 1m 40 | max-file: "5" 41 | 42 | 43 | scanner: 44 | image: wss-scanner:latest 45 | container_name: wss-scanner-ghe 46 | environment: 47 | WS_UA_LOG_IN_CONSOLE: true 48 | LOG_LEVEL: DEBUG 49 | GOPROXY: https://:@.jfrog.io/artifactory/api/go/default-go/ 50 | ports: 51 | - "9393:9393" 52 | volumes: 53 | - "/path/to/prop.json:/etc/usr/local/whitesource/conf/prop.json" 54 | restart: always 55 | depends_on: 56 | - app 57 | logging: 58 | driver: local 59 | options: 60 | max-size: 1m 61 | max-file: "5" 62 | 63 | 64 | networks: 65 | default: 66 | name: my_bridge 67 | external: 
false 68 | -------------------------------------------------------------------------------- /Repo-Integration/Private-Registries-No-HostRules/Gradle/Groovy/config.js: -------------------------------------------------------------------------------- 1 | module.exports = { 2 | "packageRules": [{ 3 | "matchManagers": [ "gradle", "gradle-wrapper" ], 4 | "registryUrls": [ process.env.MVN_RELEASE, process.env.GRADLE_PLUGIN_REGISTRY ] 5 | }], 6 | "hostRules" : [ 7 | { 8 | "hostType": "maven", 9 | "matchHost": process.env.MVN_RELEASE, 10 | "username": process.env.MVN_USER, 11 | "password": process.env.MVN_PASS 12 | }, 13 | { 14 | "hostType": "maven", 15 | "matchHost": process.env.GRADLE_PLUGIN_REGISTRY, 16 | "username": process.env.GRADLE_PLUGIN_USER, 17 | "password": process.env.GRADLE_PLUGIN_PASS 18 | } 19 | ] 20 | } 21 | -------------------------------------------------------------------------------- /Repo-Integration/Private-Registries-No-HostRules/Gradle/Groovy/docker-compose.yaml: -------------------------------------------------------------------------------- 1 | version: "2" 2 | services: 3 | 4 | 5 | remediate: 6 | image: wss-remediate:latest 7 | container_name: remediate-server 8 | environment: 9 | LOG_LEVEL: DEBUG 10 | MVN_USER: 11 | MVN_PASS: 12 | MVN_BASE_URL: https://.jfrog.io/artifactory 13 | MVN_RELEASE: https://.jfrog.io/artifactory/libs-release 14 | GRADLE_PLUGIN_REGISTRY: https://.jfrog.io/artifactory/libs-snapshot # Should point to a Gradle Plugin Repository (https://plugins.gradle.org/m2/) 15 | GRADLE_PLUGIN_USER: 16 | GRADLE_PLUGIN_PASS: 17 | ports: 18 | - "8080:8080" 19 | volumes: 20 | - "/path/to/prop.json:/etc/usr/local/whitesource/conf/prop.json" 21 | - "/path/to/config.js:/usr/src/app/config.js" 22 | restart: always 23 | extra_hosts: 24 | - "repo.maven.apache.org:127.0.0.1" 25 | - "repo1.maven.apache.org:127.0.0.1" 26 | - "repo2.maven.apache.org:127.0.0.1" 27 | - "plugins.gradle.org:127.0.0.1" 28 | logging: 29 | driver: local 30 | options: 31 | 
max-size: 1m 32 | max-file: "5" 33 | 34 | 35 | app: 36 | image: wss-ghe-app:latest 37 | container_name: wss-ghe-app 38 | environment: 39 | LOG_LEVEL: DEBUG 40 | ports: 41 | - "9494:9494" 42 | - "5678:5678" 43 | volumes: 44 | - "/path/to/prop.json:/etc/usr/local/whitesource/conf/prop.json" 45 | depends_on: 46 | - remediate 47 | logging: 48 | driver: local 49 | options: 50 | max-size: 1m 51 | max-file: "5" 52 | 53 | 54 | scanner: 55 | image: wss-scanner:latest 56 | container_name: wss-scanner-ghe 57 | extra_hosts: 58 | - "repo.maven.apache.org:127.0.0.1" 59 | - "repo1.maven.apache.org:127.0.0.1" 60 | - "repo2.maven.apache.org:127.0.0.1" 61 | - "plugins.gradle.org:127.0.0.1" 62 | environment: 63 | WS_UA_LOG_IN_CONSOLE: true 64 | LOG_LEVEL: DEBUG 65 | MVN_USER: 66 | MVN_PASS: 67 | MVN_RELEASE: https://.jfrog.io/artifactory/libs-release 68 | GRADLE_PLUGIN_REGISTRY: https://.jfrog.io/artifactory/libs-snapshot # Same as above 69 | GRADLE_PLUGIN_USER: 70 | GRADLE_PLUGIN_PASS: 71 | ports: 72 | - "9393:9393" 73 | volumes: 74 | - "/path/to/prop.json:/etc/usr/local/whitesource/conf/prop.json" 75 | - "/path/to/gradle.properties:/home/wss-scanner/.gradle/gradle.properties" # Optional 76 | - "/path/to/init.gradle:/home/wss-scanner/.gradle/init.gradle" # Required 77 | restart: always 78 | depends_on: 79 | - app 80 | logging: 81 | driver: local 82 | options: 83 | max-size: 1m 84 | max-file: "5" 85 | 86 | 87 | networks: 88 | default: 89 | name: my_bridge 90 | external: false 91 | -------------------------------------------------------------------------------- /Repo-Integration/Private-Registries-No-HostRules/Gradle/Groovy/gradle.properties: -------------------------------------------------------------------------------- 1 | repositoryUrl=https://.jfrog.io/artifactory/ 2 | repositoryUsername= 3 | repositoryPassword= 4 | 5 | pluginRepositoryUrl=https://.jfrog.io/artifactory/ 6 | pluginRepositoryUsername= 7 | pluginRepositoryPassword= 8 | 
-------------------------------------------------------------------------------- /Repo-Integration/Private-Registries-No-HostRules/Gradle/Groovy/init.gradle: -------------------------------------------------------------------------------- 1 | import java.util.Properties 2 | 3 | Properties readPropertiesFromFile(File file) { 4 | if (file.exists()) { 5 | Properties properties = new Properties() 6 | properties.load(new FileInputStream(file)) 7 | return properties 8 | } else { 9 | return null 10 | } 11 | } 12 | 13 | println("Loading JFROG Repository") 14 | def projectPropertiesFile = new File(".", "gradle.properties") 15 | def projectProperties = readPropertiesFromFile(projectPropertiesFile) 16 | 17 | def globalPropertiesFile = new File(gradle.gradleUserHomeDir, 'gradle.properties') 18 | def globalProperties = readPropertiesFromFile(globalPropertiesFile) 19 | 20 | def repositoryUrl = projectProperties?.getProperty("repositoryUrl") ?: globalProperties?.getProperty("repositoryUrl") ?: System?.getenv("MAVEN_REGISTRY") 21 | def repositoryUsername = projectProperties?.getProperty("repositoryUsername") ?: globalProperties?.getProperty("repositoryUsername") ?: System?.getenv("MAVEN_USER") 22 | def repositoryPassword = projectProperties?.getProperty("repositoryPassword") ?: globalProperties?.getProperty("repositoryPassword") ?: System?.getenv("MAVEN_PASS") 23 | 24 | //Should point to a registry with an upstream remote of: https://plugins.gradle.org/m2/ 25 | def pluginRepositoryUrl = projectProperties?.getProperty("pluginRepositoryUrl") ?: globalProperties?.getProperty("pluginRepositoryUrl") ?: System?.getenv("GRADLE_PLUGIN_REGISTRY") 26 | def pluginRepositoryUsername = projectProperties?.getProperty("pluginRepositoryUsername") ?: globalProperties?.getProperty("pluginRepositoryUsername") ?: System?.getenv("GRADLE_PLUGIN_USER") 27 | def pluginRepositoryPassword = projectProperties?.getProperty("pluginRepositoryPassword") ?: 
globalProperties?.getProperty("pluginRepositoryPassword") ?: System?.getenv("GRADLE_PLUGIN_PASS") 28 | 29 | // Plugin repositories section using the same variables 30 | 31 | settingsEvaluated { settings -> 32 | settings.dependencyResolutionManagement { 33 | repositoriesMode.set(RepositoriesMode.PREFER_SETTINGS) 34 | repositories { 35 | maven { 36 | url repositoryUrl?.toString() 37 | credentials { 38 | username = repositoryUsername?.toString() 39 | password = repositoryPassword?.toString() 40 | } 41 | } 42 | } 43 | } 44 | settings.pluginManagement { 45 | repositories { 46 | maven { 47 | url repositoryUrl?.toString() 48 | credentials { 49 | username = repositoryUsername?.toString() 50 | password = repositoryPassword?.toString() 51 | } 52 | } 53 | maven { 54 | url pluginRepositoryUrl?.toString() 55 | credentials { 56 | username = pluginRepositoryUsername?.toString() 57 | password = pluginRepositoryPassword?.toString() 58 | } 59 | } 60 | } 61 | } 62 | } 63 | -------------------------------------------------------------------------------- /Repo-Integration/Private-Registries-No-HostRules/Gradle/Kotlin/config.js: -------------------------------------------------------------------------------- 1 | module.exports = { 2 | "packageRules": [{ 3 | "matchManagers": [ "gradle", "gradle-wrapper" ], 4 | "registryUrls": [ process.env.MAVEN_REGISTRY, process.env.GRADLE_PLUGIN_REGISTRY ] 5 | }], 6 | "hostRules" : [ 7 | { 8 | "hostType": "maven", 9 | "matchHost": process.env.MVN_BASE_URL, 10 | "username": process.env.MVN_USER, 11 | "password": process.env.MVN_PASS 12 | }, 13 | { 14 | "hostType": "maven", 15 | "matchHost": process.env.GRADLE_PLUGIN_REGISTRY, 16 | "username": process.env.GRADLE_PLUGIN_USER, 17 | "password": process.env.GRADLE_PLUGIN_PASS 18 | } 19 | ] 20 | } 21 | -------------------------------------------------------------------------------- /Repo-Integration/Private-Registries-No-HostRules/Gradle/Kotlin/docker-compose.yaml: 
-------------------------------------------------------------------------------- 1 | version: "2" 2 | services: 3 | 4 | 5 | remediate: 6 | image: wss-remediate:latest 7 | container_name: remediate-server 8 | environment: 9 | LOG_LEVEL: DEBUG 10 | MVN_USER: 11 | MVN_PASS: 12 | MVN_BASE_URL: https://.jfrog.io/artifactory 13 | MVN_RELEASE: https://.jfrog.io/artifactory/libs-release 14 | GRADLE_PLUGIN_REGISTRY: https://.jfrog.io/artifactory/libs-snapshot # Should point to a Gradle Plugin Repository (https://plugins.gradle.org/m2/) 15 | GRADLE_PLUGIN_USER: 16 | GRADLE_PLUGIN_PASS: 17 | ports: 18 | - "8080:8080" 19 | volumes: 20 | - "/path/to/prop.json:/etc/usr/local/whitesource/conf/prop.json" 21 | - "/path/to/config.js:/usr/src/app/config.js" 22 | restart: always 23 | extra_hosts: 24 | - "repo.maven.apache.org:127.0.0.1" 25 | - "repo1.maven.apache.org:127.0.0.1" 26 | - "repo2.maven.apache.org:127.0.0.1" 27 | - "plugins.gradle.org:127.0.0.1" 28 | logging: 29 | driver: local 30 | options: 31 | max-size: 1m 32 | max-file: "5" 33 | 34 | 35 | app: 36 | image: wss-ghe-app:latest 37 | container_name: wss-ghe-app 38 | environment: 39 | LOG_LEVEL: DEBUG 40 | ports: 41 | - "9494:9494" 42 | - "5678:5678" 43 | volumes: 44 | - "/path/to/prop.json:/etc/usr/local/whitesource/conf/prop.json" 45 | depends_on: 46 | - remediate 47 | logging: 48 | driver: local 49 | options: 50 | max-size: 1m 51 | max-file: "5" 52 | 53 | 54 | scanner: 55 | image: wss-scanner:latest 56 | container_name: wss-scanner-ghe 57 | extra_hosts: 58 | - "repo.maven.apache.org:127.0.0.1" 59 | - "repo1.maven.apache.org:127.0.0.1" 60 | - "repo2.maven.apache.org:127.0.0.1" 61 | - "plugins.gradle.org:127.0.0.1" 62 | environment: 63 | WS_UA_LOG_IN_CONSOLE: true 64 | LOG_LEVEL: DEBUG 65 | MVN_USER: 66 | MVN_PASS: 67 | MVN_RELEASE: https://.jfrog.io/artifactory/libs-release 68 | GRADLE_PLUGIN_REGISTRY: https://.jfrog.io/artifactory/libs-snapshot # Same as above 69 | GRADLE_PLUGIN_USER: 70 | GRADLE_PLUGIN_PASS: 71 | ports: 
- "9393:9393"
volumes:
  - "/path/to/prop.json:/etc/usr/local/whitesource/conf/prop.json"
  - "/path/to/gradle.properties:/home/wss-scanner/.gradle/gradle.properties" # Optional
  - "/path/to/init.gradle.kts:/home/wss-scanner/.gradle/init.gradle.kts" # Required
restart: always
depends_on:
  - app
logging:
  driver: local
  options:
    max-size: 1m
    max-file: "5"


networks:
  default:
    name: my_bridge
    external: false
-------------------------------------------------------------------------------- /Repo-Integration/Private-Registries-No-HostRules/Gradle/Kotlin/gradle.properties: --------------------------------------------------------------------------------
repositoryUrl=https://.jfrog.io/artifactory/
repositoryUsername=
repositoryPassword=

pluginRepositoryUrl=https://.jfrog.io/artifactory/
pluginRepositoryUsername=
pluginRepositoryPassword=
-------------------------------------------------------------------------------- /Repo-Integration/Private-Registries-No-HostRules/Gradle/Kotlin/init.gradle.kts: --------------------------------------------------------------------------------
import java.io.File
import java.io.FileInputStream
import java.util.*

/**
 * Loads [file] as a Java properties file.
 *
 * @return the parsed [Properties], or null when [file] does not exist.
 */
fun readPropertiesFromFile(file: File): Properties? {
    return if (file.exists()) {
        Properties().apply {
            file.inputStream().use { input -> load(input) }
        }
    } else {
        null
    }
}

println("Loading JFROG Repository")
// Resolution order for every setting below: the project's gradle.properties, then the
// gradle.properties in the Gradle user home, then an environment variable.
val projectPropertiesFile = File("gradle.properties")
val projectProperties = readPropertiesFromFile(projectPropertiesFile)

val globalPropertiesFile = gradle.gradleUserHomeDir.resolve("gradle.properties")
val globalProperties = readPropertiesFromFile(globalPropertiesFile)

// NOTE(review): the docker-compose.yaml next to this file exports MVN_USER, MVN_PASS,
// MVN_BASE_URL and MVN_RELEASE for the scanner, not MAVEN_REGISTRY / MAVEN_USER / MAVEN_PASS,
// and it marks the gradle.properties mount as optional. Without that mount these fallbacks
// resolve to null, which the .toString() calls further down turn into the literal string
// "null" — confirm which variable names are intended.
val repositoryUrl = projectProperties?.getProperty("repositoryUrl") ?: globalProperties?.getProperty("repositoryUrl") ?: System.getenv("MAVEN_REGISTRY")
val repositoryUsername = projectProperties?.getProperty("repositoryUsername") ?: globalProperties?.getProperty("repositoryUsername") ?: System.getenv("MAVEN_USER")
val repositoryPassword = projectProperties?.getProperty("repositoryPassword") ?: globalProperties?.getProperty("repositoryPassword") ?: System.getenv("MAVEN_PASS")

// Should point to a registry with an upstream remote of: https://plugins.gradle.org/m2/
val pluginRepositoryUrl = projectProperties?.getProperty("pluginRepositoryUrl") ?: globalProperties?.getProperty("pluginRepositoryUrl") ?: System.getenv("GRADLE_PLUGIN_REGISTRY")
val pluginRepositoryUsername = projectProperties?.getProperty("pluginRepositoryUsername") ?: globalProperties?.getProperty("pluginRepositoryUsername") ?: System.getenv("GRADLE_PLUGIN_USER")
val pluginRepositoryPassword = projectProperties?.getProperty("pluginRepositoryPassword") ?: globalProperties?.getProperty("pluginRepositoryPassword") ?: System.getenv("GRADLE_PLUGIN_PASS")

// Plugin repositories section using the same variables
settingsEvaluated {
    dependencyResolutionManagement {
        repositoriesMode.set(RepositoriesMode.PREFER_SETTINGS)
        repositories {
            maven {
                url = uri(repositoryUrl.toString())
                credentials {
                    username = repositoryUsername.toString()
40 | password = repositoryPassword.toString() 41 | } 42 | } 43 | } 44 | } 45 | pluginManagement { 46 | repositories { 47 | maven { 48 | url = uri(repositoryUrl.toString()) 49 | credentials { 50 | username = repositoryUsername.toString() 51 | password = repositoryPassword.toString() 52 | } 53 | } 54 | maven { 55 | url = uri(pluginRepositoryUrl.toString()) 56 | credentials { 57 | username = pluginRepositoryUsername.toString() 58 | password = pluginRepositoryPassword.toString() 59 | } 60 | } 61 | } 62 | } 63 | } 64 | -------------------------------------------------------------------------------- /Repo-Integration/Private-Registries-No-HostRules/Maven/config.js: -------------------------------------------------------------------------------- 1 | module.exports = { 2 | "packageRules": [{ 3 | "matchManagers": ["maven", "maven-wrapper"], 4 | "registryUrls": [ process.env.MVN_RELEASE, process.env.MVN_SNAPSHOT ] 5 | }], 6 | "hostRules": [ 7 | { 8 | "hostType": "maven", 9 | "matchHost": process.env.MVN_BASE_URL, 10 | "username": process.env.MVN_USER, 11 | "password": process.env.MVN_PASS 12 | } 13 | ] 14 | } 15 | -------------------------------------------------------------------------------- /Repo-Integration/Private-Registries-No-HostRules/Maven/docker-compose.yaml: -------------------------------------------------------------------------------- 1 | version: "2" 2 | services: 3 | 4 | 5 | remediate: 6 | image: wss-remediate:latest 7 | container_name: remediate-server 8 | environment: 9 | LOG_LEVEL: DEBUG 10 | MVN_USER: 11 | MVN_PASS: 12 | MVN_BASE_URL: https://.jfrog.io/artifactory 13 | MVN_RELEASE: https://.jfrog.io/artifactory/libs-release 14 | MVN_SNAPSHOT: https://.jfrog.io/artifactory/libs-snapshot 15 | ports: 16 | - "8080:8080" 17 | volumes: 18 | - "/path/to/prop.json:/etc/usr/local/whitesource/conf/prop.json" 19 | - "/path/to/config.js:/usr/src/app/config.js" 20 | restart: always 21 | extra_hosts: 22 | - "repo.maven.apache.org:127.0.0.1" 23 | - 
"repo1.maven.apache.org:127.0.0.1" 24 | - "repo2.maven.apache.org:127.0.0.1" 25 | logging: 26 | driver: local 27 | options: 28 | max-size: 1m 29 | max-file: "5" 30 | 31 | 32 | app: 33 | image: wss-ghe-app:latest 34 | container_name: wss-ghe-app 35 | environment: 36 | LOG_LEVEL: DEBUG 37 | ports: 38 | - "9494:9494" 39 | - "5678:5678" 40 | volumes: 41 | - "/path/to/prop.json:/etc/usr/local/whitesource/conf/prop.json" 42 | depends_on: 43 | - remediate 44 | logging: 45 | driver: local 46 | options: 47 | max-size: 1m 48 | max-file: "5" 49 | 50 | 51 | scanner: 52 | image: wss-scanner:latest 53 | container_name: wss-scanner-ghe 54 | extra_hosts: 55 | - "repo.maven.apache.org:127.0.0.1" 56 | - "repo1.maven.apache.org:127.0.0.1" 57 | - "repo2.maven.apache.org:127.0.0.1" 58 | environment: 59 | WS_UA_LOG_IN_CONSOLE: true 60 | LOG_LEVEL: DEBUG 61 | MVN_USER: 62 | MVN_PASS: 63 | MVN_RELEASE: https://.jfrog.io/artifactory/libs-release 64 | MVN_SNAPSHOT: https://.jfrog.io/artifactory/libs-snapshot 65 | ports: 66 | - "9393:9393" 67 | volumes: 68 | - "/path/to/prop.json:/etc/usr/local/whitesource/conf/prop.json" 69 | - "/path/to/settings.xml:/home/wss-scanner/.m2/settings.xml" 70 | restart: always 71 | depends_on: 72 | - app 73 | logging: 74 | driver: local 75 | options: 76 | max-size: 1m 77 | max-file: "5" 78 | 79 | 80 | networks: 81 | default: 82 | name: my_bridge 83 | external: false 84 | -------------------------------------------------------------------------------- /Repo-Integration/Private-Registries-No-HostRules/Maven/settings.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | 5 | 6 | ${env.MVN_USER} 7 | ${env.MVN_PASS} 8 | central 9 | 10 | 11 | ${env.MVN_USER} 12 | ${env.MVN_PASS} 13 | snapshots 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | false 22 | 23 | central 24 | libs-release 25 | ${env.MVN_RELEASE} 26 | 27 | 28 | 29 | snapshots 30 | libs-snapshot 31 | ${env.MVN_SNAPSHOT} 32 | 33 | 34 | 35 | 36 | 37 | false 38 | 39 | central 
40 | libs-release 41 | ${env.MVN_RELEASE} 42 | 43 | 44 | 45 | snapshots 46 | libs-snapshot 47 | ${env.MVN_SNAPSHOT} 48 | 49 | 50 | artifactory 51 | 52 | 53 | 54 | artifactory 55 | 56 | -------------------------------------------------------------------------------- /Repo-Integration/Private-Registries-No-HostRules/NPM/.npmrc: -------------------------------------------------------------------------------- 1 | email = ${NPM_EMAIL} 2 | always-auth = true 3 | registry = ${NPM_REGISTRY} 4 | -------------------------------------------------------------------------------- /Repo-Integration/Private-Registries-No-HostRules/NPM/config.js: -------------------------------------------------------------------------------- 1 | module.exports = { 2 | "packageRules": [{ 3 | "matchManagers": ["npm"], 4 | "registryUrls": [ process.env.NPM_REGISTRY ] 5 | }], 6 | "hostRules": [ 7 | { 8 | "hostType": "npm", 9 | "matchHost": process.env.NPM_REGISTRY, 10 | "username": process.env.NPM_EMAIL, 11 | "password": process.env.NPM_PASS 12 | } 13 | ] 14 | } 15 | -------------------------------------------------------------------------------- /Repo-Integration/Private-Registries-No-HostRules/NPM/docker-compose.yaml: -------------------------------------------------------------------------------- 1 | version: "2" 2 | services: 3 | 4 | 5 | remediate: 6 | image: wss-remediate:latest 7 | container_name: remediate-server 8 | environment: 9 | LOG_LEVEL: DEBUG 10 | NPM_EMAIL: 11 | NPM_PASS: 12 | NPM_REGISTRY: https://.jfrog.io/artifactory/api/npm/default-npm/ 13 | ports: 14 | - "8080:8080" 15 | volumes: 16 | - "/path/to/prop.json:/etc/usr/local/whitesource/conf/prop.json" 17 | - "/path/to/config.js:/usr/src/app/config.js" 18 | restart: always 19 | extra_hosts: 20 | - "registry.npmjs.org:127.0.0.1" 21 | logging: 22 | driver: local 23 | options: 24 | max-size: 1m 25 | max-file: "5" 26 | 27 | 28 | app: 29 | image: wss-ghe-app:latest 30 | container_name: wss-ghe-app 31 | environment: 32 | LOG_LEVEL: DEBUG 33 
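ports:
  - "9494:9494"
  - "5678:5678"
volumes:
  - "/path/to/prop.json:/etc/usr/local/whitesource/conf/prop.json"
depends_on:
  - remediate
logging:
  driver: local
  options:
    max-size: 1m
    max-file: "5"


scanner:
  image: wss-scanner:latest
  container_name: wss-scanner-ghe
  extra_hosts:
    - "registry.npmjs.org:127.0.0.1"
  environment:
    WS_UA_LOG_IN_CONSOLE: true
    LOG_LEVEL: DEBUG
    NPM_EMAIL:
    NPM_REGISTRY: https://.jfrog.io/artifactory/api/npm/default-npm/
    # This must be specified in the docker-compose.yaml file as .env files do not allow processing special characters in the environment variable name.
    # Base64 is a reversible encoding, not encryption: treat this value exactly like the plaintext password when storing or sharing this file.
    NPM_CONFIG_//.jfrog.io/artifactory/api/npm/default-npm/:_auth: # The NPM auth token is a b64 representation of username:password
  ports:
    - "9393:9393"
  volumes:
    - "/path/to/prop.json:/etc/usr/local/whitesource/conf/prop.json"
    - "/path/to/.npmrc:/home/wss-scanner/.npmrc"
  restart: always
  depends_on:
    - app
  logging:
    driver: local
    options:
      max-size: 1m
      max-file: "5"


networks:
  default:
    name: my_bridge
    external: false
-------------------------------------------------------------------------------- /Repo-Integration/Private-Registries-No-HostRules/NuGet/NuGet.Config: --------------------------------------------------------------------------------

-------------------------------------------------------------------------------- /Repo-Integration/Private-Registries-No-HostRules/NuGet/config.js: --------------------------------------------------------------------------------
module.exports = {
  "packageRules": [{
    "matchManagers": [ "nuget" ],
    "registryUrls": [ process.env.NUGET_REGISTRY ]
  }],
  "hostRules": [
    {
      "hostType": "nuget",
      "matchHost": process.env.NUGET_REGISTRY,
      // The hostRules credential option is spelled "username", as in the other config.js files in this tree;
      // the previous "userName" key is not a hostRules option, so the credentials would not have been applied.
      "username": process.env.NUGET_USER,
      "password": process.env.NUGET_PASS
    }
  ]
}
-------------------------------------------------------------------------------- /Repo-Integration/Private-Registries-No-HostRules/NuGet/docker-compose.yaml: --------------------------------------------------------------------------------
version: "3"
services:

  remediate:
    image: wss-remediate:latest
    container_name: remediate-server
    environment:
      LOG_LEVEL: "DEBUG"
      NUGET_REGISTRY: "https://.jfrog.io/artifactory/api/nuget/default-nuget"
      NUGET_USER: ""
      NUGET_PASS: ""
    ports:
      - "8083:8080"
    volumes:
      - "/path/to/prop.json:/etc/usr/local/whitesource/conf/prop.json"
      - "/path/to/config.js:/usr/src/app/config.js"
    restart: always
    extra_hosts:
      - "api.nuget.org:127.0.0.1"
    logging:
      driver: local
      options:
        max-size: 1m
        max-file: "5"


  app:
    build:
      context: wss-ghe-app/docker
      dockerfile: Dockerfile
    image: wss-ghe-app:24.2.2
    container_name: wss-ghe-app
    environment:
      LOG_LEVEL: "DEBUG"
    ports:
      - "9494:9494"
      - "5678:5678"
    volumes:
      - "/path/to/prop.json:/etc/usr/local/whitesource/conf/prop.json"
    restart: always
    depends_on:
      - remediate
    logging:
      driver: local
      options:
        max-size: 1m
        max-file: "5"


  scanner:
    image: wss-scanner:latest
    container_name: wss-scanner-ghe
    environment:
      EXTERNAL_LOG_IN_CONSOLE: "true"
      LOG_LEVEL: "DEBUG"
      NUGET_REGISTRY: "https://.jfrog.io/artifactory/api/nuget/default-nuget"
      NUGET_USER: ""
      NUGET_PASS: ""
    ports:
      - "9393:9393"
      - "4000:4000"
    volumes:
      - "/path/to/prop.json:/etc/usr/local/whitesource/conf/prop.json"
      # NOTE: This must be named exactly like below to override the nuget.config file created by the container.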
65 | - "/path/to/NuGet.Config:/home/wss-scanner/.nuget/NuGet/NuGet.Config" 66 | restart: always 67 | extra_hosts: 68 | - "api.nuget.org:127.0.0.1" 69 | depends_on: 70 | - app 71 | logging: 72 | driver: local 73 | options: 74 | max-size: 1m 75 | max-file: "5" 76 | 77 | 78 | networks: 79 | default: 80 | name: my_bridge 81 | external: false 82 | -------------------------------------------------------------------------------- /Repo-Integration/Private-Registries-No-HostRules/PIP/config.js: -------------------------------------------------------------------------------- 1 | module.exports = { 2 | "packageRules": [{ 3 | "matchManagers": [ "pip-compile", "pip_requirements", "pip_setup", "pipenv", "setup-cfg" ], 4 | "registryUrls": [ process.env.PIP_REGISTRY ] 5 | }], 6 | "hostRules": [ 7 | { 8 | "hostType": "pypi", 9 | "matchHost": process.env.PIP_REGISTRY, 10 | "username": process.env.PIP_USER, 11 | "password": process.env.PIP_PASS 12 | } 13 | ] 14 | } 15 | -------------------------------------------------------------------------------- /Repo-Integration/Private-Registries-No-HostRules/PIP/docker-compose.yaml: -------------------------------------------------------------------------------- 1 | version: "2" 2 | services: 3 | 4 | 5 | remediate: 6 | image: wss-remediate:latest 7 | container_name: remediate-server 8 | environment: 9 | LOG_LEVEL: DEBUG 10 | PIP_USER: 11 | PIP_PASS: 12 | PIP_REGISTRY: https://.jfrog.io/artifactory/api/pypi/default-pypi/simple 13 | ports: 14 | - "8080:8080" 15 | volumes: 16 | - "/path/to/prop.json:/etc/usr/local/whitesource/conf/prop.json" 17 | - "/path/to/config.js:/usr/src/app/config.js" 18 | restart: always 19 | extra_hosts: 20 | - "files.pythonhosted.org:127.0.0.1" 21 | - "pypi.org:127.0.0.1" 22 | logging: 23 | driver: local 24 | options: 25 | max-size: 1m 26 | max-file: "5" 27 | 28 | 29 | app: 30 | image: wss-ghe-app:latest 31 | container_name: wss-ghe-app 32 | environment: 33 | LOG_LEVEL: DEBUG 34 | ports: 35 | - "9494:9494" 36 | - 
"5678:5678" 37 | volumes: 38 | - "/path/to/prop.json:/etc/usr/local/whitesource/conf/prop.json" 39 | depends_on: 40 | - remediate 41 | logging: 42 | driver: local 43 | options: 44 | max-size: 1m 45 | max-file: "5" 46 | 47 | 48 | scanner: 49 | image: wss-scanner:latest 50 | container_name: wss-scanner-ghe 51 | extra_hosts: 52 | - "files.pythonhosted.org:127.0.0.1" 53 | - "pypi.org:127.0.0.1" 54 | environment: 55 | EXTERNAL_LOG_IN_CONSOLE: true 56 | LOG_LEVEL: DEBUG 57 | PIP_INDEX_URL: https://:@.jfrog.io/artifactory/api/pypi/default-pypi/simple 58 | ports: 59 | - "9393:9393" 60 | volumes: 61 | - "/path/to/prop.json:/etc/usr/local/whitesource/conf/prop.json" 62 | extra_hosts: 63 | - "files.pythonhosted.org:127.0.0.1" 64 | - "pypi.org:127.0.0.1" 65 | restart: always 66 | depends_on: 67 | - app 68 | logging: 69 | driver: local 70 | options: 71 | max-size: 1m 72 | max-file: "5" 73 | 74 | 75 | networks: 76 | default: 77 | name: my_bridge 78 | external: false 79 | -------------------------------------------------------------------------------- /Repo-Integration/Private-Registries-No-HostRules/Poetry/config.js: -------------------------------------------------------------------------------- 1 | module.exports = { 2 | "packageRules": [{ 3 | "matchManagers": [ "poetry", "pep621" ] // PEP621 is used for poetry core version and more 4 | "registryUrls": [ process.env.POETRY_REPOSITORIES_MAIN_URL ] 5 | }], 6 | "hostRules": [{ 7 | "hostType": "pypi", 8 | "matchHost": process.env.POETRY_REPOSITORIES_MAIN_URL, 9 | "username": process.env.POETRY_HTTP_BASIC_MAIN_USERNAME, 10 | "password": process.env.POETRY_HTTP_BASIC_MAIN_PASSWORD 11 | }] 12 | } 13 | -------------------------------------------------------------------------------- /Repo-Integration/Private-Registries-No-HostRules/Poetry/docker-compose.yaml: -------------------------------------------------------------------------------- 1 | version: "2" 2 | services: 3 | 4 | remediate-server: 5 | image: wss-remediate:latest 6 | 
container_name: remediate-server 7 | environment: 8 | LOG_LEVEL: DEBUG 9 | POETRY_REPOSITORIES_MAIN_URL: "https://.jfrog.io/artifactory/api/pypi/simple" 10 | POETRY_HTTP_BASIC_MAIN_USERNAME: "" # Can be an email address that is not urlencoded 11 | POETRY_HTTP_BASIC_MAIN_PASSWORD: "" 12 | ports: 13 | - "8080:8080" 14 | volumes: 15 | - "/path/to/prop.json:/etc/usr/local/whitesource/conf/prop.json" 16 | - "/path/to/config.js:/usr/src/app/config.js" 17 | restart: always 18 | extra_hosts: 19 | - "files.pythonhosted.org:127.0.0.1" 20 | - "pypi.org:127.0.0.1" 21 | logging: 22 | driver: local 23 | options: 24 | max-size: 1m 25 | max-file: "5" 26 | 27 | app: 28 | image: wss-ghe-app:latest 29 | container_name: wss-ghe-app 30 | environment: 31 | LOG_LEVEL: DEBUG 32 | ports: 33 | - "9494:9494" 34 | - "5678:5678" 35 | volumes: 36 | - "/path/to/prop.json:/etc/usr/local/whitesource/conf/prop.json" 37 | logging: 38 | driver: local 39 | options: 40 | max-size: 1m 41 | max-file: "5" 42 | 43 | 44 | scanner: 45 | image: wss-scanner:latest 46 | container_name: wss-scanner-ghe 47 | environment: 48 | EXTERNAL_LOG_IN_CONSOLE: "true" 49 | LOG_LEVEL: DEBUG 50 | POETRY_REPOSITORIES_MAIN_URL: "https://.jfrog.io/artifactory/api/pypi/simple" 51 | POETRY_HTTP_BASIC_MAIN_USERNAME: "" 52 | POETRY_HTTP_BASIC_MAIN_PASSWORD: "" 53 | extra_hosts: 54 | - "files.pythonhosted.org:127.0.0.1" 55 | - "pypi.org:127.0.0.1" 56 | ports: 57 | - "9393:9393" 58 | volumes: 59 | - "/path/to/prop.json:/etc/usr/local/whitesource/conf/prop.json" 60 | restart: always 61 | depends_on: 62 | - app 63 | logging: 64 | driver: local 65 | options: 66 | max-size: 1m 67 | max-file: "5" 68 | 69 | 70 | networks: 71 | default: 72 | name: my_bridge 73 | external: false 74 | -------------------------------------------------------------------------------- /Repo-Integration/Private-Registries-No-HostRules/Ruby/config.js: -------------------------------------------------------------------------------- 1 | module.exports = { 2 | 
"packageRules": [{ 3 | "matchManagers": ["bundler", "puppet"], 4 | "registryUrls": ["process.env.RUBY_REGISTRY"] 5 | }], 6 | "hostRules": [{ 7 | "hostType": "rubygems", 8 | "matchHost": process.env.RUBY_REGISTRY, 9 | "username": process.env.RUBY_USER, 10 | "password": process.env.RUBY_PASS 11 | }] 12 | } 13 | -------------------------------------------------------------------------------- /Repo-Integration/Private-Registries-No-HostRules/Ruby/docker-compose.yaml: -------------------------------------------------------------------------------- 1 | version: "2" 2 | services: 3 | 4 | 5 | remediate: 6 | image: wss-remediate:latest 7 | container_name: remediate-server 8 | environment: 9 | LOG_LEVEL: DEBUG 10 | RUBY_REGISTRY: "https://.jfrog.io/artifactory/default-ruby" 11 | RUBY_USER: "" 12 | RUBY_PASS: "" 13 | ports: 14 | - "8080:8080" 15 | volumes: 16 | - "/path/to/prop.json:/etc/usr/local/whitesource/conf/prop.json" 17 | - "/path/to/config.js:/usr/src/app/config.js" 18 | restart: always 19 | extra_hosts: 20 | - "rubygems.org:127.0.0.1" 21 | logging: 22 | driver: local 23 | options: 24 | max-size: 1m 25 | max-file: "5" 26 | 27 | 28 | app: 29 | image: wss-ghe-app:latest 30 | container_name: wss-ghe-app 31 | environment: 32 | LOG_LEVEL: DEBUG 33 | ports: 34 | - "9494:9494" 35 | - "5678:5678" 36 | volumes: 37 | - "/path/to/prop.json:/etc/usr/local/whitesource/conf/prop.json" 38 | depends_on: 39 | - remediate 40 | logging: 41 | driver: local 42 | options: 43 | max-size: 1m 44 | max-file: "5" 45 | 46 | scanner: 47 | image: wss-scanner:latest 48 | container_name: wss-scanner-ghe 49 | extra_hosts: 50 | - "rubygems.org:127.0.0.1" 51 | environment: 52 | EXTERNAL_LOG_IN_CONSOLE: true 53 | LOG_LEVEL: DEBUG 54 | GEM_HOST: "https://.jfrog.io/artifactory/api/gems/default-ruby" 55 | GEM_API_KEY: "" 56 | ports: 57 | - "9393:9393" 58 | volumes: 59 | - "/path/to/prop.json:/etc/usr/local/whitesource/conf/prop.json" 60 | extra_hosts: 61 | - "rubygems.org:127.0.0.1" 62 | restart: always 
63 | depends_on: 64 | - app 65 | logging: 66 | driver: local 67 | options: 68 | max-size: 1m 69 | max-file: "5" 70 | 71 | 72 | networks: 73 | default: 74 | name: my_bridge 75 | external: false 76 | -------------------------------------------------------------------------------- /Repo-Integration/Renovate/README.md: -------------------------------------------------------------------------------- 1 | > [!Warning] 2 | The files in this folder may change in the future. It is only recommended to point directly to them for a limited time while testing the solution. For production usage, it is recommended to maintain these files in your own repository. 3 | 4 | 5 | To maintain these files locally, please refer to the [Renovate preset documentation](https://docs.renovatebot.com/config-presets/) for more details. The below example explains how to create a [local](https://docs.renovatebot.com/config-presets/#local-presets) smart-merge preset locally for Azure DevOps or Bitbucket. 6 | - Copy [smart-merge.json](./smart-merge.json) into the root folder of your whitesource-config repository 7 | - Update the repo-config.json ```remediateSettings``` section with the following 8 | ```json 9 | { 10 | "remediateSettings": { 11 | "workflowRules": { 12 | "enabled": false 13 | }, 14 | "enableRenovate": true, 15 | "extends": [ 16 | "config:recommended", 17 | "mergeConfidence:all-badges", 18 | "local>whitesource-config/whitesource-config:smart-merge" 19 | ] 20 | } 21 | } 22 | ``` 23 | 24 | In all .whitesource file update examples, you should replace the inherited organization from "myorganization" to the organization/project where the whitesource-config repository is located. 
25 | 26 | # SCA 27 | ## [Remediate & Renovate](https://docs.mend.io/bundle/integrations/page/mend_remediate_and_renovate.html) 28 | 29 | ### Renovate + [Smart Merge Control](https://docs.mend.io/bundle/integrations/page/boost_your_pull_request_confidence_using_mend_renovate_s_smart_merge_control.html) 30 | - Do NOT enable Remediate "workflowRules" with this setting as Security fixes may sit in the dependency dashboard due to low and neutral confidence 31 | ```json 32 | { 33 | "settingsInheritedFrom": "myorganization/whitesource-config@main", 34 | "remediateSettings": { 35 | "workflowRules": { 36 | "enabled": false 37 | }, 38 | "enableRenovate": true, 39 | "extends": [ 40 | "config:recommended", 41 | "mergeConfidence:all-badges", 42 | "github>mend-toolkit/mend-examples//Repo-Integration/Renovate/smart-merge" 43 | ] 44 | } 45 | } 46 | ``` 47 | ## Reachability Analysis 48 | - This feature is currently in closed beta and should not be enabled without Mend Field Engineering assistance. 49 | ```json 50 | { 51 | "settingsInheritedFrom": "myorganization/whitesource-config@main", 52 | "scanSettings": { 53 | "enableReachability": true 54 | }, 55 | "checkRunSettings": { 56 | "strictMode": "warning" 57 | } 58 | } 59 | ``` -------------------------------------------------------------------------------- /Repo-Integration/Renovate/smart-merge.json: -------------------------------------------------------------------------------- 1 | { 2 | "packageRules": [ 3 | { 4 | "groupName": "Mend: high confidence minor and patch dependency updates", 5 | "matchUpdateTypes": ["minor", "patch"], 6 | "matchConfidence": ["very high", "high"] 7 | }, 8 | { 9 | "matchConfidence": ["low"], 10 | "dependencyDashboardApproval": true, 11 | "commitMessagePrefix": "[LOW] " 12 | }, 13 | { 14 | "matchConfidence": ["neutral"], 15 | "dependencyDashboardApproval": true, 16 | "commitMessagePrefix": "[NEUTRAL] " 17 | } 18 | ] 19 | } 20 | 
-------------------------------------------------------------------------------- /Repo-Integration/SAST/2nd-gen-engines/mendsastcli-config.json: -------------------------------------------------------------------------------- 1 | { 2 | "scans": { 3 | "javaEngineGeneration" : 2, 4 | "jsEngineGeneration": 2, 5 | "csharpEngineGeneration": 2 6 | } 7 | } -------------------------------------------------------------------------------- /Repo-Integration/SAST/IncreaseTimeout/mendsastcli-config.json: -------------------------------------------------------------------------------- 1 | { 2 | "scans": { 3 | "timeouts": { 4 | "perLanguage": 480, 5 | "perFile": 300 6 | } 7 | } 8 | } -------------------------------------------------------------------------------- /Repo-Integration/SAST/README.md: -------------------------------------------------------------------------------- 1 | **Warning** the files in this folder may change in the future. It is only recommended to point directly to them for a limited time while testing the solution. For production usage, it is recommended to maintain these files in your own repository. 2 | 3 | In all .whitesource file update examples, you should replace the inherited organization from "myorganization" to the organization/project where the whitesource-config repository is located. 
4 | 5 | # SAST 6 | ## [2nd Generation Engines](https://docs.mend.io/bundle/integrations/page/configure_the_mend_cli_for_sast.html#Mend-CLI-SAST---General-scan-parameters) 7 | The below configuration is the same as running ```mend sast -j 2 --js 2 --cs 2``` with the CLI 8 | ```json 9 | { 10 | "settingsInheritedFrom": "myorganization/whitesource-config@main", 11 | "scanSettingsSAST": { 12 | "configExternalURL": "https://raw.githubusercontent.com/mend-toolkit/mend-examples/main/Repo-Integration/configs/SAST/2nd-gen-engines/mendsastcli-config.json" 13 | } 14 | } 15 | ``` 16 | ## Increase Timeout 17 | The below configuration increases the perFile timeout to 300 seconds, but leaves the default of 480 minutes per language. See [timeout parameters](https://docs.mend.io/bundle/mend_sast/page/cli_parameters.html#Timeouts) for more information. 18 | ```json 19 | { 20 | "settingsInheritedFrom": "myorganization/whitesource-config@main", 21 | "scanSettingsSAST": { 22 | "configExternalURL": "https://raw.githubusercontent.com/mend-toolkit/mend-examples/main/Repo-Integration/configs/SAST/IncreaseTimeout/mendsastcli-config.json" 23 | } 24 | } 25 | ``` 26 | -------------------------------------------------------------------------------- /Repo-Integration/Schemas/README.md: -------------------------------------------------------------------------------- 1 | # mend-integration-schemas 2 | This document describes how to reference the [Mend Repository Integrations JSON schema](https://githubusercontent.com/mend-toolkit/mend-examples/main/Repo-Integration/Schemas/ghc-integration-schema.json) in your ``.whitesource`` or ``repo-config.json`` files. Referencing the schema enables IDE validation using the VSCode JSON Language Service. 3 | 4 | ### Prerequisites 5 | - A ``.whitesource`` or ``repo-config.json`` file for your Mend integration configuration. 6 | - An IDE that supports the VSCode JSON Language Service, such as VS Code or Neovim. 
### Referencing the Schema 9 | 10 | To reference the schema, the configuration file should include a ``$schema`` property at the root of the file.
26 | -------------------------------------------------------------------------------- /Repo-Integration/Self-Managed/docker-compose-no-graylog.yaml: -------------------------------------------------------------------------------- 1 | services: 2 | 3 | remediate: 4 | build: 5 | context: ${BASE_DIR}/${VERSION}/wss-remediate/docker 6 | image: wss-remediate:${REMEDIATE} 7 | container_name: remediate-server 8 | env_file: 9 | - .env 10 | ports: 11 | - "8582:8080" 12 | volumes: 13 | - ${BASE_DIR}/prop.json:/etc/usr/local/whitesource/conf/prop.json 14 | restart: always 15 | logging: 16 | driver: local 17 | options: 18 | max-size: 1m 19 | max-file: "5" 20 | 21 | app: 22 | build: 23 | context: ${BASE_DIR}/${VERSION}/wss-${SCM}-app/docker 24 | image: wss-${SCM}-app:${CONTROLLER} 25 | container_name: wss-${SCM}-app 26 | env_file: 27 | - .env 28 | ports: 29 | - "9494:9494" 30 | - "5678:5678" 31 | volumes: 32 | - ${BASE_DIR}/:/etc/usr/local/whitesource/conf/ 33 | restart: always 34 | logging: 35 | driver: local 36 | options: 37 | max-size: 1m 38 | max-file: "5" 39 | 40 | scanner: 41 | build: 42 | context: ${BASE_DIR}/${VERSION}/wss-scanner/docker 43 | dockerfile: Dockerfilefull 44 | image: wss-scanner:${SCANNER} 45 | container_name: wss-scanner 46 | env_file: 47 | - .env 48 | ports: 49 | - "9393:9393" 50 | volumes: 51 | - ${BASE_DIR}/:/etc/usr/local/whitesource/conf/ 52 | restart: always 53 | logging: 54 | driver: local 55 | options: 56 | max-size: 1m 57 | max-file: "5" 58 | 59 | networks: 60 | default: 61 | name: ${SCM}_bridge 62 | external: false 63 | -------------------------------------------------------------------------------- /Repo-Integration/Self-Managed/docker-compose-sast.yaml: -------------------------------------------------------------------------------- 1 | services: 2 | 3 | remediate: 4 | build: 5 | context: ${BASE_DIR}/${VERSION}/wss-remediate/docker 6 | image: wss-remediate:${REMEDIATE} 7 | container_name: remediate-server 8 | env_file: 9 | - .env 10 | ports: 
11 | - "8582:8080" 12 | volumes: 13 | - ${BASE_DIR}/prop.json:/etc/usr/local/whitesource/conf/prop.json 14 | restart: always 15 | logging: 16 | driver: local 17 | options: 18 | max-size: 1m 19 | max-file: "5" 20 | 21 | app: 22 | build: 23 | context: ${BASE_DIR}/${VERSION}/wss-${SCM}-app/docker 24 | image: wss-${SCM}-app:${CONTROLLER} 25 | container_name: wss-${SCM}-app 26 | env_file: 27 | - .env 28 | - .env-sast 29 | ports: 30 | - "9494:9494" 31 | - "5678:5678" 32 | volumes: 33 | - ${BASE_DIR}/:/etc/usr/local/whitesource/conf/ 34 | depends_on: 35 | - remediate 36 | restart: always 37 | logging: 38 | driver: local 39 | options: 40 | max-size: 1m 41 | max-file: "5" 42 | 43 | scanner: 44 | build: 45 | context: ${BASE_DIR}/${VERSION}/wss-scanner/docker 46 | dockerfile: Dockerfilefull 47 | image: wss-scanner:${SCANNER} 48 | container_name: wss-scanner 49 | env_file: 50 | - .env 51 | ports: 52 | - "9393:9393" 53 | volumes: 54 | - ${BASE_DIR}/:/etc/usr/local/whitesource/conf/ 55 | restart: always 56 | logging: 57 | driver: local 58 | options: 59 | max-size: 1m 60 | max-file: "5" 61 | 62 | scanner-sast: 63 | image: wss-scanner:${SCANNER} 64 | container_name: wss-scanner-sast 65 | env_file: 66 | - .env 67 | - .env-sast 68 | ports: 69 | - "9292:9292" 70 | volumes: 71 | - ${BASE_DIR}/:/etc/usr/local/whitesource/conf/ 72 | restart: always 73 | logging: 74 | driver: local 75 | options: 76 | max-size: 1m 77 | max-file: "5" 78 | 79 | networks: 80 | default: 81 | name: ${SCM}_bridge 82 | external: false 83 | -------------------------------------------------------------------------------- /Repo-Integration/Self-Managed/docker-compose.yaml: -------------------------------------------------------------------------------- 1 | services: 2 | 3 | remediate: 4 | build: 5 | context: ${BASE_DIR}/${VERSION}/wss-remediate/docker 6 | image: wss-remediate:${REMEDIATE} 7 | container_name: remediate-server 8 | env_file: 9 | - .env 10 | ports: 11 | - "8582:8080" 12 | volumes: 13 | - 
${BASE_DIR}/prop.json:/etc/usr/local/whitesource/conf/prop.json 14 | depends_on: 15 | graylog: 16 | condition: "service_healthy" 17 | restart: always 18 | logging: 19 | driver: syslog 20 | options: 21 | syslog-address: "tcp://0.0.0.0:5140" 22 | tag: "remediate-server" 23 | 24 | app: 25 | build: 26 | context: ${BASE_DIR}/${VERSION}/wss-${SCM}-app/docker 27 | image: wss-${SCM}-app:${CONTROLLER} 28 | container_name: wss-${SCM}-app 29 | env_file: 30 | - .env 31 | ports: 32 | - "9494:9494" 33 | - "5678:5678" 34 | volumes: 35 | - ${BASE_DIR}/:/etc/usr/local/whitesource/conf/ 36 | depends_on: 37 | graylog: 38 | condition: "service_healthy" 39 | remediate: 40 | condition: "service_started" 41 | restart: always 42 | logging: 43 | driver: syslog 44 | options: 45 | syslog-address: "tcp://0.0.0.0:5140" 46 | tag: wss-${SCM}-app 47 | 48 | scanner: 49 | build: 50 | context: ${BASE_DIR}/${VERSION}/wss-scanner/docker 51 | dockerfile: Dockerfilefull 52 | image: wss-scanner:${SCANNER} 53 | container_name: wss-scanner 54 | env_file: 55 | - .env 56 | ports: 57 | - "9393:9393" 58 | volumes: 59 | - ${BASE_DIR}/:/etc/usr/local/whitesource/conf/ 60 | depends_on: 61 | graylog: 62 | condition: "service_healthy" 63 | remediate: 64 | condition: "service_started" 65 | restart: always 66 | logging: 67 | driver: syslog 68 | options: 69 | syslog-address: "tcp://0.0.0.0:5140" 70 | tag: "wss-scanner" 71 | 72 | mongodb: 73 | image: "mongo:8.0" 74 | hostname: "mongodb" 75 | volumes: 76 | - "mongodb_data:/data/db" 77 | restart: "on-failure" 78 | 79 | datanode: 80 | image: "graylog/graylog-datanode:6.1" 81 | hostname: "datanode-1" 82 | env_file: 83 | - .env 84 | ulimits: 85 | memlock: 86 | hard: -1 87 | soft: -1 88 | nofile: 89 | soft: 65536 90 | hard: 65536 91 | ports: 92 | - "8999:8999/tcp" #DataNode API 93 | - "9200:9200/tcp" 94 | - "9300:9300/tcp" 95 | volumes: 96 | - "graylog-datanode:/var/lib/graylog-datanode" 97 | restart: "on-failure" 98 | depends_on: 99 | - "mongodb" 100 | 101 | graylog: 102 | 
image: "graylog/graylog:6.1" 103 | hostname: "graylog-server" 104 | depends_on: 105 | mongodb: 106 | condition: "service_started" 107 | extra_hosts: 108 | - "host.docker.internal:host-gateway" 109 | entrypoint: "/usr/bin/tini -- wait-for-it datanode:9200 -- /docker-entrypoint.sh" 110 | env_file: 111 | - .env 112 | ports: 113 | - "5140:5140/udp" #Syslog 114 | - "5140:5140/tcp" #Syslog 115 | - "9000:9000/tcp" #Server API 116 | volumes: 117 | - "graylog_data:/usr/share/graylog/data/data" 118 | - "graylog_config:/usr/share/graylog/data/config" 119 | - "graylog_journal:/usr/share/graylog/data/journal" 120 | - "${MEND_DIR}/graylog/:/usr/share/graylog/data/contentpacks" 121 | healthcheck: 122 | test: "bash -c 'printf \"GET / HTTP/1.1\n\n\" > /dev/tcp/0.0.0.0/5140; exit $?;'" 123 | interval: 30s 124 | timeout: 5s 125 | retries: 10 126 | restart: "on-failure" 127 | 128 | volumes: 129 | mongodb_data: 130 | graylog-datanode: 131 | graylog_data: 132 | graylog_journal: 133 | graylog_config: 134 | 135 | networks: 136 | default: 137 | name: ${SCM}_bridge 138 | external: false 139 | -------------------------------------------------------------------------------- /Repo-Integration/Self-Managed/images/graylog_widget_creation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mend-toolkit/mend-examples/e6161d48a4cac380a8b4f139a0096bf55e628f93/Repo-Integration/Self-Managed/images/graylog_widget_creation.png -------------------------------------------------------------------------------- /Repo-Integration/Self-Managed/images/memory_usage_extractor_example.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mend-toolkit/mend-examples/e6161d48a4cac380a8b4f139a0096bf55e628f93/Repo-Integration/Self-Managed/images/memory_usage_extractor_example.png -------------------------------------------------------------------------------- 
/Repo-Integration/Silent-Onboarding/README.md: -------------------------------------------------------------------------------- 1 | ![Logo](https://mend-toolkit-resources-public.s3.amazonaws.com/img/mend-io-logo-horizontal.svg) 2 | 3 | # Silent-Onboarding 4 | This repository contains example repo-config.json for implementing [Silent Onboarding](https://docs.mend.io/bundle/wsk/page/silent_onboarding_for_repository_integrations.html) with the Mend Repository integrations. Please follow the linked documentation for a guided experience for implementing silent onboarding. 5 | 6 | # Global-config.json 7 | No global-config.json file is provided in this repository as the file only needs one configuration: 8 | 9 | ``` 10 | { 11 | "repoConfigMode": "nowhitesourceFile" 12 | } 13 | ``` 14 | -------------------------------------------------------------------------------- /Repo-Integration/Silent-Onboarding/azure-repo-config.json: -------------------------------------------------------------------------------- 1 | { 2 | "scanSettings": { 3 | "configMode": "AUTO", 4 | "configExternalURL": "", 5 | "baseBranches": [] 6 | }, 7 | "pullRequestStatusSettings": { 8 | "vulnerablePullRequestStatus": "none", 9 | "displayMode": "diff", 10 | "useMendStatusNames": true 11 | }, 12 | "issueSettings": { 13 | "minSeverityLevel": "NONE", 14 | "issueType": "DEPENDENCY" 15 | }, 16 | "remediateSettings": { 17 | "workflowRules": { 18 | "enabled": false 19 | } 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /Repo-Integration/Silent-Onboarding/bitbucket-repo-config.json: -------------------------------------------------------------------------------- 1 | { 2 | "scanSettings": { 3 | "configMode": "AUTO", 4 | "configExternalURL": "", 5 | "baseBranches": [] 6 | }, 7 | "buildSettings": { 8 | "createBuildStatus": false, 9 | "displayMode": "diff", 10 | "failBuilds": "false" 11 | }, 12 | "issueSettings": { 13 | "minSeverityLevel": "NONE", 14 | "issueType": 
"DEPENDENCY" 15 | }, 16 | "remediateSettings": { 17 | "workflowRules": { 18 | "enabled": false 19 | } 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /Repo-Integration/Silent-Onboarding/github-repo-config.json: -------------------------------------------------------------------------------- 1 | { 2 | "scanSettings": { 3 | "configMode": "AUTO", 4 | "configExternalURL": "", 5 | "baseBranches": [] 6 | }, 7 | "checkRunSettings": { 8 | "vulnerableCheckRunConclusionLevel": "NONE", 9 | "displayMode": "diff", 10 | "useMendCheckNames": true 11 | }, 12 | "issueSettings": { 13 | "minSeverityLevel": "NONE", 14 | "issueType": "DEPENDENCY" 15 | }, 16 | "remediateSettings": { 17 | "workflowRules": { 18 | "enabled": false 19 | } 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /SAST CLI/3rd Party Results Consumption/README.md: -------------------------------------------------------------------------------- 1 | [![Logo](https://mend-toolkit-resources-public.s3.amazonaws.com/img/mend-io-logo-horizontal.svg)](https://www.mend.io) 2 | 3 | # Mend 3rd Party Result Consumption Example 4 | This script demonstrates how to convert third-party SAST findings into a format compatible with [Mend CLI](https://docs.mend.io/platform/latest/download-the-mend-cli). It shows how to transform JSON output from [Brakeman](https://github.com/presidentbeef/brakeman) into Mend's standardized format that can be consumed by the Mend CLI. 5 | 6 | # Requirements 7 | 8 | - Mend requires access to the code base in order to import 3rd party results. Access to the code base will allow Mend to keep track of suppressed vulnerabilities as well as generate snippets like a regular Mend scan. 
9 | 10 | - In order to import results, the file to be imported must a pre-defined schema found in the [Mend documentation](https://docs.mend.io/platform/latest/integrate-third-party-code-scan-results-into-mend-#Integratethird-partyCodeScanResultsintoMendSAST-JSONSchema). 11 | Below is the minumum viable input file. Each field in the JSON below is required. 12 | > [!NOTE] 13 | > Each CWE must have a unique name. If a duplicate name is provided, the all types of the same name will be reported under the last read CWE with that name. 14 | 15 | ```json 16 | { 17 | "tool": { 18 | "name": "Brakeman", 19 | "version": "x.x.x" 20 | }, 21 | "run": { 22 | "language": "Ruby", 23 | "findings": [ 24 | { 25 | "type": { 26 | "name": "SQL Injection Check - SQL Injection", 27 | "severity": "unknown", 28 | "cwe": 89 29 | }, 30 | "description": "Potential SQL injection vulnerability", 31 | "sink": { 32 | "name": "User.find_by_name", 33 | "file": "app/models/user.rb", 34 | "line": 42 35 | } 36 | } 37 | ] 38 | } 39 | } 40 | ``` 41 | # Running the Example 42 | 43 | This script was tested by running brakeman to generate results against [Railsgoat](https://github.com/OWASP/railsgoat). 44 | 45 | ## Prerequisites 46 | 47 | - `jq` JSON processor 48 | - `xargs` command line tool 49 | - Installed by default on most Unix-like systems 50 | - A Brakeman output file in JSON format 51 | - One is provided in the repo. 
52 | - A Mend user account to [authenticate to the Mend CLI](https://docs.mend.io/platform/latest/authenticate-your-login-for-the-mend-cli) 53 | 54 | ### Installation 55 | 56 | ```bash 57 | # Install jq 58 | apt install -y jq 59 | mend auth login 60 | ``` 61 | 62 | ## Usage 63 | 64 | ```bash 65 | ./mend_convert_brakeman.sh 66 | ``` 67 | 68 | Example: 69 | ```bash 70 | ./mend_convert_brakeman.sh results.json converted_results.json 71 | mend code import --input-file converted_results --scope "//" 72 | ``` 73 | 74 | 75 | ## Note 76 | 77 | The script uses `xargs` for parallel processing of 3rd party findings, with the number of parallel processes calculated as 75% of available CPU cores. 78 | -------------------------------------------------------------------------------- /SAST CLI/README.md: -------------------------------------------------------------------------------- 1 | ![Logo](https://mend-toolkit-resources-public.s3.amazonaws.com/img/mend-io-logo-horizontal.svg) 2 | 3 | # SAST CLI Examples by CI/CD Tool 4 | It is recommended to use the [Mend CLI](https://docs.mend.io/bundle/cli/page/scan_with_mend_s_unified_cli.html) as it will download the latest SAST CLI, the preferred method for running Mend SAST scans. 5 | 6 | All previous examples can be found in the commit history before April 19, 2023. 
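7 | 8 | -------------------------------------------------------------------------------- /Scripts/Committers/dedup-repo.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# ******** Mend Script to normalise and de-duplicate a list of repositories ********
#
# ******** Description ********
# Reads repository names (one per line, typically the repoFullName values exported from
# Mend, optionally suffixed with "@branchname") from the file given as $1, rewrites each
# entry to a clone URL and appends the unique URLs to deduprepos.txt.
#
# Globals:   SCM (read) - source control prefix such as https://github.com
# Arguments: $1 - text file with one repository per line, e.g. repos.txt
# Outputs:   appends unique clone URLs to ./deduprepos.txt
# Returns:   0 on success, 1 on a usage error or an unreadable input file
set -euo pipefail

if [[ -z "${SCM:-}" ]]; then
  echo "Please export the SCM variable with your source control prefix such as https://github.com" >&2
  exit 1
fi

# Checked before the file is read: the previous order tried to cat "$1" before knowing it was set.
if [[ -z "${1:-}" ]]; then
  echo "Please pass a text file to read repositories from such as repos.txt" >&2
  exit 1
fi
file=$1

# A private scratch file replaces the fixed ./urlfix.txt, which an aborted run could leave
# behind and a later run would append to, leaking stale entries into the output.
urlfix=$(mktemp) || exit 1
trap 'rm -f -- "$urlfix"' EXIT

# One repository per line; blank lines are skipped, as the old word-splitting loop did.
while IFS= read -r line || [[ -n "$line" ]]; do
  [[ -n "$line" ]] || continue

  # Removes @branchname from repoFullName results and replaces it with .git
  if [[ "$line" == *@* ]]; then
    url="${line%%@*}.git"
  else
    url=$line
  fi

  # Adds the $SCM variable as a prefix to repoFullName results that are not already URLs
  if [[ ! "$url" =~ ^https:// ]]; then
    url="$SCM/$url"
  fi
  printf '%s\n' "$url" >> "$urlfix"
done < "$file"

# First occurrence wins. Output is appended, as before, so repeated runs accumulate entries.
awk '!seen[$0]++' "$urlfix" >> deduprepos.txt
-------------------------------------------------------------------------------- /Scripts/Committers/get-committers.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# ******** Mend Script to clone git repositories and obtain committer data ********

# ******** Description ********
# This script clones git repositories from a text file and then runs a git command to determine
# what email addresses committed to the codebase since $BEGIN_DATE
#
# Prerequisites:
# apt install -y git sed

# Login with git credentials

# Globals:   BEGIN_DATE, SCM (read); workdir, clone_dir (written)
# Arguments: $1 - text file with one clone URL per line, e.g. deduprepos.txt
# Outputs:   appends committer emails to ./committers.txt and the URLs that failed to clone
#            to ./uncloned.txt; progress goes to stdout, errors to stderr
# Returns:   0 after every entry has been attempted, 1 on a usage error or if the working
#            directory cannot be entered

# -u and pipefail only: -e is deliberately left off so that one repository that fails to
# clone or to report committers does not abort the whole batch.
set -uo pipefail

# Update with your desired date to start from
BEGIN_DATE="01 Jan 2023"
# Update with your desired source control manager prefix (kept for parity with dedup-repo.sh; not used below)
SCM=https://github.com
workdir=$PWD
clone_dir="$workdir/currentrepo"

if [[ -z "${1:-}" ]]; then
  echo "Please pass a text file to read repositories from such as deduprepos.txt" >&2
  exit 1
fi
file=$1

# The list is read on fd 3 so that git keeps a clean stdin (credential prompts, and git
# shortlog reading a log from stdin when given no revision).
while IFS= read -r -u 3 line || [[ -n "$line" ]]; do
  [[ -n "$line" ]] || continue
  cd "$workdir" || exit 1
  echo "Cloning $line"

  # "--" stops an entry that begins with "-" from being parsed as a git clone option.
  # Handle error if the repo no longer exists
  if ! git clone --filter=blob:none --no-checkout -- "$line" "$clone_dir"; then
    echo "[ERROR] Git repository at $line was not cloned" >&2
    printf '%s\n' "$line" >> "$workdir/uncloned.txt"
    continue
  fi

  cd "$clone_dir" || exit 1

  # Pull the committers emails based on the $BEGIN_DATE variable.
  # HEAD is named explicitly: without a revision and with a non-terminal stdin (the usual
  # CI case) git shortlog summarises a log read from stdin instead of this repository.
  COMMITTERS=$(git shortlog -sce --since="$BEGIN_DATE" HEAD </dev/null | sed 's/^ *\([0-9]*\) \(.*\) <\([^>]*\)>$/\3/')
  echo "Found the following committers"
  echo "-----------------"
  printf '%s\n' "$COMMITTERS"

  # Saves the committers emails to a file for later use
  printf '%s\n' "$COMMITTERS" >> "$workdir/committers.txt"

  # Cleans up cloned directory; ${workdir:?} refuses to expand to "/currentrepo" should
  # workdir ever be empty.
  cd "$workdir" && rm -rf -- "${workdir:?}/currentrepo"
done 3< "$file"
-------------------------------------------------------------------------------- /Scripts/Mend CN/README.md: -------------------------------------------------------------------------------- 1 | ![Logo](https://mend-toolkit-resources-public.s3.amazonaws.com/img/mend-io-logo-horizontal.svg) 2 | 3 | # Mend CN Scripts 4 | This folder contains scripts for use alongside Mend Container Scanning within a CI/CD pipeline using the Mend CLI. 5 | 6 | - [Get Image Vulnerabilities](#get-image-vulnerabilities) 7 | - [Create Traceability Tags](#create-traceability-tags) 8 | 9 | ## Get Image Vulnerabilities 10 | 11 | [get-image-vulnerabilities.sh](get-image-vulnerabilities.sh) 12 | 13 | This script pulls all of the image scans inside of a Mend Organization and then retrieves all vulnerabilities for each.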
The result is a ``.csv`` file with the following columns:
40 | 41 | **Prerequisites:** 42 | 43 | * `jq` and `curl` must be installed 44 | * Environment Variables: 45 | - MEND_USER_KEY 46 | - MEND_EMAIL 47 | - WS_APIKEY 48 | - MEND_URL 49 | 50 |
51 | 52 | **Execution:** 53 | 54 | ``` 55 | export MEND_URL=https://saas.mend.io 56 | export WS_APIKEY=x 57 | export MEND_USER_KEY=x 58 | curl -LJO https://raw.githubusercontent.com/mend-toolkit/mend-examples/main/Scripts/Mend CN/get-image-vulnerabilities.sh 59 | chmod +x ./get-image-vulnerabilities.sh && ./get-image-vulnerabilities.sh 60 | ``` 61 | 62 | 63 | ## Create Traceability Tags 64 | 65 | [create-traceability-tags.sh](create-traceability-tags.sh) 66 | 67 | This script adds ``LABEL`` directives to each Dockerfile in a repository that is found. Requirements: 68 | 1. The project must be a repository. 69 | 2. Only files named "Dockerfile" will get edited. 70 | 71 | This script gets the ``origin`` remote from the Git Repository, as well as the relative path to each Dockerfile, and adds that as labels in each in the following format: 72 | ```Dockerfile 73 | LABEL org.opencontainers.image.source= 74 | LABEL io.mend.image.dockerfile.path= 75 | ``` 76 | 77 | > [!NOTE] 78 | > The results of this should be committed as this script is run on the fly, and does not make any lasting changes on the repository. 79 | 80 |
81 | 82 | **Prerequisites:** 83 | 84 | - apt-get install sed git 85 | 86 |
87 | 88 | **Execution:** 89 | 90 | ```sh 91 | cd $PROJECT_DIR 92 | curl -LJO https://raw.githubusercontent.com/mend-toolkit/mend-examples/main/Scripts/Mend%20CN/create-traceability-tags.sh 93 | chmod +x ./create-traceability-tags.sh && ./create-traceability-tags.sh 94 | ``` 95 | 96 |
97 |
98 | -------------------------------------------------------------------------------- /Scripts/Mend CN/create-traceability-tags.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # ******** Mend Script to add Traceability labels to Dockerfiles that are to be scanned ******** 4 | # 5 | # Users should edit this file to change any behavior with the labels that is needed. 6 | # 7 | # ******** Description ******** 8 | # This script should be run at the root of a repository to add labels to Dockerfiles required for 9 | # traceability in Mend Container Image scanning. This script can be added into any pipeline 10 | # to automatically add this information before building a container and running a scan. 11 | # 12 | # Requirements: 13 | # apt-get install sed git 14 | 15 | # Check one Dockerfile for the two traceability labels and append each missing one after every FROM line. Arguments: $1 - Dockerfile path as printed by find (./relative/path). Outputs: progress messages on stdout. Edits the file in place. 16 | check_and_add_labels() { 17 | local dockerfile_path="$1" 18 | echo $dockerfile_path # NOTE(review): unquoted; quote it so a path containing spaces prints intact 19 | 20 | grep -Eq 'LABEL io\.mend\.image\.dockerfile\.path=.*' "$dockerfile_path" 21 | mend_label=$? # 0 = label already present; any non-zero status (no match, or an unreadable file) takes the add branch. Not declared local, so it leaks into the caller's scope 22 | 23 | if [[ $mend_label -eq 0 ]]; then 24 | echo "Mend Label already exists in $dockerfile_path" 25 | else 26 | source_dir=${dockerfile_path:2} # strip the leading "./" so the label holds a repository-relative path 27 | sed -i "/^FROM/a LABEL io.mend.image.dockerfile.path=$source_dir" "$dockerfile_path" # NOTE(review): appends after every FROM line, so a multi-stage Dockerfile gets one label per stage; $source_dir is spliced into the sed script unescaped 28 | fi 29 | 30 | grep -Eq 'LABEL org\.opencontainers\.image\.source=.*' "$dockerfile_path" 31 | oci_label=$? 32 | 33 | if [[ $oci_label -eq 0 ]]; then 34 | echo "OCI Label already exist in $dockerfile_path" 35 | else 36 | source_url=$(git config --get remote.origin.url 2>/dev/null) # NOTE(review): a remote URL carrying embedded credentials (https://user:token@host/...) would be written verbatim into the image label; strip the userinfo part before labelling 37 | source_url=${source_url%\.git} # drop a trailing .git suffix 38 | 39 | sed -i "/^FROM/a LABEL org.opencontainers.image.source=$source_url" "$dockerfile_path" 40 | fi 41 | 42 | echo "Labels added to $dockerfile_path" # printed even when both labels were already present 43 | } 44 | 45 | # Find all Dockerfiles 46 | find . 
-name Dockerfile -type f -print | while read -r dockerfile_path; do # newline-delimited: a path containing a newline would be split (use -print0 with read -d '' to be exact) 47 | check_and_add_labels "$dockerfile_path" 48 | done 49 | 50 | echo "Finished processing Dockerfiles" 51 | echo "It is recommended to commit these changes to your repository for future scans" 52 | -------------------------------------------------------------------------------- /Scripts/Mend SAST/README.md: -------------------------------------------------------------------------------- 1 | ![Logo](https://mend-toolkit-resources-public.s3.amazonaws.com/img/mend-io-logo-horizontal.svg) 2 | 3 | # Mend SAST Scripts 4 | This folder contains scripts for use with the Mend SAST platform. 5 | 6 | ## SAST Scan CleanUp Utility 7 | 8 | Python script delete any scans older than the specified date and generate reports before deletion. 9 | * The reports are saved in the designated location as follows: _[WORKING_DIRECTORY]/Mend/Reports/[REPORT NAME] 10 | * This can be overridden by specifying _-o /--outputDir_ 11 | * To review the outcome before actual deletion use _-y true_ / _--dryRun=True_ flag. It will _NOT_ delete any project nor create reports 12 | * By default, the tool generates csv reports. By specifying _-t_ / _--reportFormat=_ it is possible to specify different formats. See flags below for all support formats 13 | * The full parameters list is available below 14 | 15 | 
16 | 17 | **Prerequisites** 18 | 19 | Python 3.8+ 20 | 21 | **Execution** 22 | 23 | ```shell 24 | python3 cleanup_tool_sast.py -k -a -r 25 | ``` 26 | **note:** The script makes all calls over HTTPS; the scheme does not need to be included in your URL. 27 | 28 | **Example** 29 | 30 | ```shell 31 | python3 cleanup_tool_sast.py -k XXX -a saas.mend.io -r 30 32 | ``` 33 | 34 | **Full usage flags:** 35 | ```shell 36 | usage: python3 cleanup_tool_sast.py -k API_TOKEN -a MEND_URL [-t REPORT_FORMAT] [-o OUTPUT_DIR] [-r DAYS_TO_KEEP] [-y DRY_RUN] [-s SKIP_REPORT_GENERATION] [-j SKIP_PROJECT_DELETION] 37 | 38 | cleanup_tool_sast.py -k apiToken 39 | 40 | required arguments: 41 | -k MEND_API_TOKEN, --apiToken 42 | Mend SAST Api Token 43 | -a MEND_URL, --mendUrl 44 | Mend URL 45 | 46 | optional arguments: 47 | -t REPORT_FORMAT, --reportFormat 48 | Report format to generate. Supported formats (csv, pdf, html, xml, json, sarif) 49 | default csv 50 | -o OUTPUT_DIR, --outputDir 51 | Output directory 52 | default [Working_Directory]/Mend/Reports 53 | -r DAYS_TO_KEEP, --daysToKeep 54 | Number of days to keep (overridden by --dateToKeep) 55 | -d DATE_TO_KEEP, --dateToKeep 56 | Date of latest scan to keep in YYYY-MM-DD format 57 | -y DRY_RUN, --dryRun 58 | Logging the projects that are supposed to be deleted without deleting and creating reports 59 | default False 60 | -s SKIP_REPORT_GENERATION, --skipReportGeneration 61 | Skip report generation step 62 | default False 63 | -j SKIP_PROJECT_DELETION, --skipProjectDeletion 64 | Skip project deletion step 65 | default False 66 | ``` 67 | 68 | **note:** The optimal cleanup scope depends on the size of the environment, the Mend scope size (memory and CPU) allocated to the server, and runtime constraints. 
-------------------------------------------------------------------------------- /Scripts/Mend SCA/cache-ua.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # ******** Mend Script to cache the latest version of the Unified Agent for pipeline efficiency ******** 4 | # 5 | # Users should edit this file to change behavior however needed 6 | # For more information on the Unified Agent users can access the following URL: 7 | # 📚 https://docs.mend.io/bundle/unified_agent/page/getting_started_with_the_unified_agent.html#Downloading-the-Unified-Agent 8 | # 9 | # ******** Description ******** 10 | # This script pulls the latest version of the Unified Agent and stores it in the directory given by UNIFIED_AGENT_DIR. 11 | # Any subsequent runs will determine if the current version is the latest version, and if not then it is replaced. 12 | 13 | # Prerequisites: 14 | # apt install jq curl 15 | # export UNIFIED_AGENT_DIR - (/path/to/directory/containing/wss-unified-agent/) 16 | 17 | latestUAPath="$(find $UNIFIED_AGENT_DIR -name "wss-unified-agent.jar")" # NOTE(review): unquoted $UNIFIED_AGENT_DIR; if find matches more than one jar the -f test below fails and the cached copy is ignored 18 | 19 | if [ -f "$latestUAPath" ]; then 20 | curVerDate="$(stat -c %Y $latestUAPath)" # unused 21 | if [[ "$(curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256 | cut -d " " -f 1)" != "$(sha256sum $UNIFIED_AGENT_DIR/wss-unified-agent.jar | cut -d " " -f 1)" ]] ; then # NOTE(review): this test looks inverted: a published hash that DIFFERS from the cached jar means a newer build exists, yet this branch reports "No newer versions" and exits, while an identical hash falls through to a re-download. The intended comparison is == (it also hashes $UNIFIED_AGENT_DIR/wss-unified-agent.jar rather than $latestUAPath) 22 | echo "No newer versions" 23 | exit 0 24 | fi 25 | fi 26 | 27 | latestVersion="$(curl -s -H "Accept: application/vnd.github.v3+json" "https://api.github.com/repos/whitesource/unified-agent-distribution/releases" | jq -rs '.[] | sort_by(.published_at) | last | .tag_name')" # informational only: the jar below is always fetched from the fixed S3 URL, so the printed tag is not tied to what is downloaded 28 | echo "Downloading the latest version of Mend Unified Agent - ($latestVersion)" 29 | curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar -o $UNIFIED_AGENT_DIR/wss-unified-agent.jar # overwrites the cached jar; -s hides curl errors and the exit status is not checked 30 | if [[ "$(curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256 | cut -d " " -f 1)" != 
"$(sha256sum $UNIFIED_AGENT_DIR/wss-unified-agent.jar | cut -d " " -f 1)" ]] ; then # the published .sha256 is fetched from the same origin as the jar, so this catches a corrupt or truncated download but cannot detect a substituted artifact on that origin 31 | echo "Integrity Check Failed" 32 | exit 1 # NOTE(review): the jar that failed verification is left in place, so a later run may treat it as a valid cache 33 | else 34 | echo "Integrity Check Passed" 35 | echo "Starting Mend Scan" 36 | fi 37 | -------------------------------------------------------------------------------- /Scripts/Mend SCA/check-project-state.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # NOTE: It is currently recommended to use the MEND CLI over the Mend Unified Agent. 4 | # The Mend CLI will automatically wait for the project to finish processing on the mend server 5 | # before printing results, and so with that utility this script is not required. 6 | # 7 | # ******** Mend Script to wait for a Unified Agent scan to finish processing on the Mend server ******** 8 | # 9 | # Users should edit this file to change the behavior of the script as needed. 10 | # 11 | # ******** Description ******** 12 | # This script will continually check with Mend Servers to determine whether the scan has finished 13 | # Processing on Mend Servers. Once the process has finished, then it will exit without error. 
14 | 15 | # Prerequisites: 16 | # apt install jq 17 | # WS_GENERATEPROJECTDETAILSJSON: true 18 | # WS_USERKEY 19 | # WS_WSS_URL 20 | # WS_APIKEY 21 | # WS_GRADLE_AGGREGATEMODULES or WS_MAVEN_AGGREGATEMODULES - if using Maven or Gradle 22 | 23 | checkFreq=5 # seconds to sleep between polls 24 | [[ -z $checkFreq ]] && checkFreq=5 # redundant: checkFreq was just set unconditionally on the previous line 25 | WS_PROJECTTOKEN=$(jq -r '.projects | .[] | .projectToken' ./whitesource/scanProjectDetails.json) # NOTE(review): with several projects in the file this yields several newline-separated tokens, which breaks the JSON body below 26 | WS_API_URL="$(echo "$WS_WSS_URL" | sed 's|agent|api/v1.3|')" # e.g. .../agent -> .../api/v1.3 27 | REQUEST_TOKEN=$(curl -s -X POST -H "Content-Type: application/json" -d '{"requestType":"getProjectLastModification", "userKey": "'$WS_USERKEY'", "projectToken":"'$WS_PROJECTTOKEN'"}' $WS_API_URL | jq -r '.projectLastModifications[0].extraData.requestToken') # NOTE(review): the body is built by string interpolation and passed on the command line, so WS_USERKEY is visible in the process list and in any set -x trace; build it with jq -n --arg and pass it via -d @- on stdin. A failed request leaves REQUEST_TOKEN set to the string "null" 28 | 29 | ready=false 30 | while [[ $ready = "false" ]] ; do 31 | resProcess="$(curl -s -X POST -H "Content-Type: application/json" -d '{"requestType":"getRequestState", "userKey": "'$WS_USERKEY'", "orgToken":"'$WS_APIKEY'", "requestToken":"'$REQUEST_TOKEN'"}' $WS_API_URL)" 32 | repStatus="$(echo "$resProcess" | jq -r '.requestState')" # "null" when the response carries no requestState (e.g. an error response) 33 | 34 | if [[ $repStatus = "FINISHED" ]] ; then 35 | ready=true 36 | echo "Project information has been uploaded successfullly\!" # message text has a typo and a literal backslash; left as-is because it is runtime output 37 | elif [[ $repStatus = "IN_PROGRESS" ]] ; then 38 | echo "Scan is still processing..." 39 | sleep $checkFreq 40 | fi # NOTE(review): any other value of requestState (including "null" from a failed request) matches neither branch, so the loop spins without sleeping and never exits 41 | done 42 | -------------------------------------------------------------------------------- /Scripts/Mend SCA/delete-ua-proj.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # ******** Mend Script to Delete a Project after a Unified Agent Scan ******** 4 | # 5 | # Users should edit this file to change the behavior of the script as needed. 
6 | 7 | # Prerequisites: 8 | # apt install jq curl awk 9 | # MEND_EMAIL - Should be the email for the userKey used below 10 | # WS_GENERATEPROJECTDETAILSJSON=true 11 | # WS_USERKEY 12 | # WS_WSS_URL 13 | # WS_GENERATESCANREPORT=true 14 | # alternatively, a risk report could be generated as shown in [Reports Within a Pipeline for UA](#reports-within-a-pipeline-for-ua) 15 | 16 | 17 | WS_PROJECTTOKEN=$(jq -r '.projects | .[] | .projectToken' ./whitesource/scanProjectDetails.json) # NOTE(review): several projects in the file yield several newline-separated tokens, which would corrupt the DELETE URL below 18 | MEND_URL=$(echo $WS_WSS_URL | awk -F "/agent" '{print $1}') # base URL: everything before "/agent" 19 | 20 | # Log in to API 2.0 with MEND_EMAIL and the user key; sets MEND_API_URL, JWT_TOKEN, MEND_ORG_UUID and MEND_ORG_NAME as globals. 21 | function login() { 22 | MEND_API_URL="$(echo "${MEND_URL}" | sed -E 's/(saas|app)(.*)/api-\1\2\/api\/v2.0/g')" # e.g. https://saas.mend.io -> https://api-saas.mend.io/api/v2.0 23 | 24 | if [[ -n "${WS_USERKEY}" ]]; then 25 | MEND_USER_KEY="${WS_USERKEY}" 26 | else 27 | echo "Error: WS_USERKEY or MEND_USER_KEY is not set. Please set it before proceeding." # NOTE(review): reports the problem but does not exit, so the login request below is still sent with an empty userKey 28 | fi 29 | 30 | if [ -z "$MEND_ORG_UUID" ]; then 31 | echo "MEND_ORG_UUID environment variable was not provided." 32 | echo -e "The Login API will default to the last organization this user accessed in the MEND UI.\n" 33 | LOGIN_BODY="{\"email\": \"$MEND_EMAIL\", \"userKey\": \"$MEND_USER_KEY\" }" # NOTE(review): JSON assembled by interpolation; a value containing a double quote breaks the body. jq -n --arg would escape it properly 34 | else 35 | echo -e "Logging in with provided API key.\n" 36 | LOGIN_BODY="{\"email\": \"$MEND_EMAIL\", \"userKey\": \"$MEND_USER_KEY\", \"orgToken\": \"$MEND_ORG_UUID\"}" 37 | fi 38 | 39 | # Log into API 2.0 and get the JWT Token, Organization UUID, and Organization Name 40 | LOGIN_RESPONSE=$(curl -s -X POST --location "$MEND_API_URL/login" --header 'Content-Type: application/json' --data-raw "${LOGIN_BODY}") # NOTE(review): the credentials travel on the curl command line and are visible in ps and set -x output; feed the body on stdin with -d @- instead 41 | 42 | JWT_TOKEN=$(echo "$LOGIN_RESPONSE" | jq -r '.retVal.jwtToken') # NOTE(review): jq -r prints the string "null" when the field is absent, so a failed login is not detected here 43 | MEND_ORG_UUID=$(echo "$LOGIN_RESPONSE" | jq -r '.retVal.orgUuid') 44 | MEND_ORG_NAME=$(echo "$LOGIN_RESPONSE" | jq -r '.retVal.orgName') 45 | } 46 | # Delete the scanned project (WS_PROJECTTOKEN) through API 2.0 using the JWT obtained by login. 47 | function delete_project() { 48 | curl -s --request DELETE --location "$MEND_API_URL/projects/$WS_PROJECTTOKEN" --header 'Content-Type: application/json' --header "Authorization: Bearer 
$JWT_TOKEN" # NOTE(review): the response is printed raw and never inspected (no -f, no status check), and the bearer token is exposed on the command line; consider --header @file for the token and checking the result 49 | echo "Successfully deleted project with projectToken ${WS_PROJECTTOKEN}" # printed unconditionally, even when the DELETE above was rejected 50 | } 51 | 52 | 53 | login 54 | 55 | delete_project -------------------------------------------------------------------------------- /Scripts/Mend SCA/group-permissions.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # ******** Mend script to add organization user role to a group ******** 4 | # 5 | # Users should edit this file to change the behavior of the script as needed. 6 | 7 | # Prerequisites: 8 | # apt install jq curl 9 | # MEND_EMAIL - Should be the email for the userKey used below 10 | # MEND_USER_KEY 11 | # MEND_URL 12 | # MEND_ORG_UUID - optional for selecting a different organization 13 | 14 | group_name=$1 # exact name of the group to modify (first argument) 15 | group_role=$2 #Valid Roles are "DEFAULT_APPROVER" "ADMIN" "ALERT_EMAIL_RECEIVER" "ALERTS_IGNORER" "LICENSE_AND_COPYRIGHT_ASSIGNER" "AUDITOR" "USER" "PRODUCT_INTEGRATOR" (defaults to USER when omitted, see set_permissions) 16 | 17 | 18 | # Log in to API 2.0 with MEND_EMAIL and MEND_USER_KEY; sets MEND_API_URL, JWT_TOKEN, MEND_ORG_UUID and MEND_ORG_NAME as globals, exits 1 when a required variable is missing. 19 | function login() { 20 | MEND_API_URL="$(echo "${MEND_URL}" | sed -E 's/(saas|app)(.*)/api-\1\2\/api\/v2.0/g')" # e.g. https://saas.mend.io -> https://api-saas.mend.io/api/v2.0 21 | 22 | if [ -z "${MEND_EMAIL}" ]; then 23 | echo "MEND_EMAIL is not set. Please set it before proceeding." 24 | exit 1 25 | fi 26 | 27 | if [ -z "${MEND_USER_KEY}" ]; then 28 | echo "MEND_USER_KEY is not set. Please set it before proceeding." 29 | exit 1 30 | fi 31 | 32 | if [ -z "${MEND_URL}" ]; then 33 | echo "MEND_URL is not set. Please set it before proceeding." 34 | exit 1 35 | fi 36 | 37 | if [ -z "$MEND_ORG_UUID" ]; then 38 | echo "MEND_ORG_UUID environment variable was not provided." 
39 | echo -e "The Login API will default to the last organization this user accessed in the MEND UI.\n" 40 | LOGIN_BODY="{\"email\": \"$MEND_EMAIL\", \"userKey\": \"$MEND_USER_KEY\" }" # NOTE(review): JSON assembled by interpolation; a value containing a double quote breaks the body. jq -n --arg would escape it properly 41 | else 42 | echo -e "Logging in with provided API key.\n" 43 | LOGIN_BODY="{\"email\": \"$MEND_EMAIL\", \"userKey\": \"$MEND_USER_KEY\", \"orgToken\": \"$MEND_ORG_UUID\"}" 44 | fi 45 | 46 | # Log into API 2.0 and get the JWT Token, Organization UUID, and Organization Name 47 | LOGIN_RESPONSE=$(curl -s -X POST --location "$MEND_API_URL/login" --header 'Content-Type: application/json' --data-raw "${LOGIN_BODY}") # NOTE(review): the credentials travel on the curl command line and are visible in ps and set -x output; feed the body on stdin with -d @- instead 48 | 49 | JWT_TOKEN=$(echo "$LOGIN_RESPONSE" | jq -r '.retVal.jwtToken') # NOTE(review): jq -r prints the string "null" when the field is absent, so a failed login is not detected here; the later requests would then carry "Bearer null" 50 | MEND_ORG_UUID=$(echo "$LOGIN_RESPONSE" | jq -r '.retVal.orgUuid') 51 | MEND_ORG_NAME=$(echo "$LOGIN_RESPONSE" | jq -r '.retVal.orgName') 52 | } 53 | # Fetch the organization's groups into GROUPS_RESPONSE and hand over to list_groups, or exit 1 on an API error. 54 | function find_group() { 55 | GROUPS_RESPONSE=$(curl -s --location "$MEND_API_URL/orgs/$MEND_ORG_UUID/groups" --header "Content-Type: application/json" --header "Authorization: Bearer $JWT_TOKEN") 56 | GROUPS_ERROR=$(echo "$GROUPS_RESPONSE" | jq '.retVal.errorMessage') # NOTE(review): this relies on jq failing: on a successful response .retVal is an array (see list_groups), so the filter errors out and stdout stays empty; on an error object the message is printed. Without -r an absent field would print the literal null, which is non-empty. jq -r '.retVal.errorMessage? // empty' states the intent explicitly 57 | if [ -z "$GROUPS_ERROR" ]; then 58 | list_groups 59 | else 60 | echo "Error getting list of organization groups - $GROUPS_ERROR" 61 | exit 1 62 | fi 63 | 64 | } 65 | # With no group name given, print the available groups and exit 1; otherwise proceed to set_permissions. 66 | function list_groups(){ 67 | if [ -z "$group_name" ]; then 68 | echo "Please add a group name from the list when calling the script." 
69 | echo "Example: ./group-permissions.sh mygroupname" 70 | echo "$GROUPS_RESPONSE" | jq -r '.retVal[] | {name: .name, uuid: .uuid}' 71 | exit 1 72 | else 73 | set_permissions 74 | fi 75 | } 76 | # Resolve the group UUID by name and add the organization-level role (default USER) to it via API 2.0. 77 | function set_permissions() { 78 | GROUP_UUID=$(echo "$GROUPS_RESPONSE" | jq --arg name_to_find $group_name -r '.retVal[] | select(.name == $name_to_find) .uuid') # NOTE(review): $group_name is unquoted, so a name containing spaces is split into several words and the lookup fails; quote it. An unmatched name leaves GROUP_UUID empty and the request below goes to .../groups//roles 79 | if [ -z "$group_role" ]; then 80 | echo "group_role not set, USER role will be used by default, set a desired role other than USER as the 2nd variable" 81 | echo "https://docs.mend.io/bundle/mend-api-2-0/page/index.html#tag/User-Management-Groups/operation/addGroupRoles" 82 | group_role="USER" # the supplied role is not validated locally against the list next to group_role at the top of the file 83 | 84 | fi 85 | 86 | echo "Adding organization level $group_role permissions to group $group_name with uuid of $GROUP_UUID" 87 | ADDROLE_BODY="{\"contextType\": \"orgs\", \"contextToken\": \"$MEND_ORG_UUID\", \"role\": \"$group_role\"}" # the role is granted at organization scope (contextType orgs) 88 | ADDROLE_RESPONSE=$(curl -s --location "$MEND_API_URL/orgs/$MEND_ORG_UUID/groups/$GROUP_UUID/roles" --header "Content-Type: application/json" --header "Authorization: Bearer $JWT_TOKEN" -d "${ADDROLE_BODY}") 89 | echo $ADDROLE_RESPONSE | jq . # NOTE(review): unquoted echo; the result is only pretty-printed, not checked, so the script exits 0 even when the role was not added 90 | 91 | } 92 | 93 | 94 | login 95 | 96 | find_group 97 | -------------------------------------------------------------------------------- /Scripts/Mend SCA/list-policy-violations.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # NOTE: It is currently recommended to use the MEND CLI over the Mend Unified Agent. 4 | # The Mend CLI will automatically list policy violations, and so with that utility 5 | # this script is not required. 6 | # 7 | # ******** Mend Script to List Policy Violations after a Unified Agent Scan ******** 8 | # 9 | # Users should edit this file to change the behavior of the script as needed. 
10 | # 11 | # ******** Description ******** 12 | # This script parses the policyRejectionSummary.json file, following a Mend Unified Agent scan, and prints to the stdout the policies 13 | # that were violated, as well as the libraries that violated them. 14 | # The policyRejectionSummary.json file is created automatically under the agent log directory (./whitesource) during a scan that's configured 15 | # to check policies. Every policy check overwrites this file, so this list is always specific to the last scan (that had policy check enabled). 16 | 17 | # Prerequisites: 18 | # apt install jq 19 | # WS_CHECKPOLICIES: true 20 | # MEND_PRODUCTNAME: (note: the checks below read WS_PRODUCTNAME) 21 | # MEND_PROJECTNAME: (note: the checks below read WS_PROJECTNAME) 22 | 23 | jsonFile="./whitesource/policyRejectionSummary.json" 24 | 25 | ShowLibSystemPath=false # set to true by the optional --includePath / -p flag 26 | if [[ "$1" =~ ^(--includePath|-p)$ ]] ; then # optional flag: also print each rejected library's system path 27 | ShowLibSystemPath=true 28 | fi 29 | 30 | echo "" 31 | echo "Mend Policy Violations" 32 | echo "=============================" 33 | if [[ ! -f $jsonFile ]] ; then 34 | echo "[ERROR] File not found: $jsonFile" 35 | echo "Make sure to specify the correct working directory and that the last agent scan had WS_CHECKPOLICIES=true" 36 | exit # NOTE(review): exits with status 0 right after reporting an error, so a pipeline step would not fail here; use exit 1 if that is unintended 37 | fi 38 | 39 | if [[ -v WS_PRODUCTNAME ]]; then echo "Product: $WS_PRODUCTNAME" ; fi 40 | if [[ -v WS_PROJECTNAME ]]; then echo "Product: $WS_PROJECTNAME" ; fi # NOTE(review): the label says "Product:" but this prints the project name 41 | 42 | libCount="$(cat $jsonFile | jq -r '.summary.totalRejectedLibraries')" # NOTE(review): jq -r yields the string "null" if the field is missing; inside (( )) that reads as an unset variable equal to 0, so a malformed file is reported as fully conformant 43 | if (($libCount == 0)) ; then 44 | echo "All dependencies conform with open source policies." 
45 | echo "" 46 | exit # exits with the status of the preceding echo, i.e. 0 47 | fi 48 | echo "Total Rejected Libraries: $libCount" 49 | echo "" 50 | 51 | cat $jsonFile | jq -c '.rejectingPolicies[]' | while read oPolicy; do # NOTE(review): read without -r strips backslash escapes from the JSON line (e.g. \" inside a string becomes a bare quote) and the ${policy//\\/\\\\} substitutions below only re-double the backslashes that survived; use read -r and drop the substitution so each line reaches jq unchanged 52 | for policy in "${oPolicy[@]}" ; do # oPolicy is a plain string, so this inner loop runs exactly once 53 | echo "Policy Name: $(echo "${policy//\\/\\\\}" | jq -r '(.policyName)')" 54 | echo "Policy Type: $(echo "${policy//\\/\\\\}" | jq -r '(.filterType)')" 55 | echo "Rejected Libraries:" 56 | if $ShowLibSystemPath ; then 57 | echo "$(echo "${policy//\\/\\\\}" | jq -r '.rejectedLibraries[] | (" " + .name + " (" + .systemPath + ")")')" 58 | else 59 | echo "$(echo "${policy//\\/\\\\}" | jq -r '.rejectedLibraries[] | (" " + .name)')" 60 | fi 61 | echo "" 62 | done 63 | done 64 | -------------------------------------------------------------------------------- /Scripts/Mend SCA/pending-task-cleanup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # ******** Mend Script to cleanup all Pending Tasks in an organization ******** 4 | # 5 | # Users should edit this file to change any behavior as needed. 6 | # 7 | # For more information on the APIs used, please check our REST API documentation page: 8 | # 📚 https://docs.mend.io/bundle/api_sca/page/http_api_v1_3_and_v1_4.html 9 | # 10 | # ******** Description ******** 11 | # This script pulls all of open pending tasks for an organization and calls the "closePendingTask" 12 | # API request for each task to ensure they are all closed. 13 | 14 | # This script utilizes the Mend Org UUID to call the API Requests. 
15 | # If the new Mend Unified Platform is not in use, then the user can get the Organization UUID for a specific organization by running the following API request: 16 | # 📚 https://docs.mend.io/bundle/mend-api-2-0/page/index.html#tag/Access-Management-Organizations/operation/getUserDomains 17 | 18 | # Prerequisites: 19 | # apt install jq curl 20 | # MEND_USER_KEY - An administrator's userkey 21 | # MEND_ORG_UUID - API Key for organization (optional) 22 | # MEND_URL - e.g. https://saas.mend.io/ 23 | 24 | # Check if MEND_URL is set in the environment 25 | if [ -z "$MEND_URL" ]; then 26 | echo "Warning: MEND_URL is not set in the environment." 27 | echo "Please set it to something similar to 'https://saas.mend.io'" 28 | exit 1 29 | fi 30 | 31 | # Set your base API endpoint URLs 32 | API_VERSION="v1.4" 33 | 34 | # Check if WS_APIKEY is set in the environment 35 | if [ -z "$MEND_ORG_UUID" ]; then 36 | echo "Warning: WS_APIKEY is not set in the environment." 37 | exit 1 38 | fi 39 | 40 | # Check if MEND_USER_KEY is set in the environment 41 | if [ -z "$MEND_USER_KEY" ]; then 42 | echo "Warning: MEND_USER_KEY is not set in the environment." 43 | exit 1 44 | fi 45 | 46 | # Make the API request using curl for getDomainPendingTasks 47 | GET_TASKS_API="$MEND_URL/api/$API_VERSION" 48 | GET_TASKS_PAYLOAD=$(cat <