Merge pull request #5 from jfrog/CCS-2-Additional_evidence_examples

Additional evidence examples

Author: carmithersh

.github/workflows/jira-evidence-example.yml

@@ -0,0 +1,100 @@
+name: jira-evidence-example
+
+on:
+  workflow_dispatch:  # This allows manual triggering of the workflow
+  push:
+    branches:
+      - CCS-2-Additional_evidence_examples
+  pull_request:
+      branches:
+        - CCS-2-Additional_evidence_examples
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  docker-build-with-jira-evidence:
+    runs-on: ubuntu-latest
+    env:
+      DOCKER_REPO: 'test-docker-local'
+      IMAGE_NAME: 'my-very-cool-image:${{ github.run_number }}'
+    steps:
+      - name: Install jfrog cli
+        id:   setup-cli
+        uses: jfrog/setup-jfrog-cli@v4
+        env:
+          JF_URL: ${{ vars.ARTIFACTORY_URL }}
+        with:
+         oidc-provider-name: jfrog-github-oidc
+
+      - uses: actions/checkout@v4
+      - name: Log in to Artifactory Docker Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ vars.ARTIFACTORY_URL }}
+          username: ${{ steps.setup-cli.outputs.oidc-user }}
+          password: ${{ steps.setup-cli.outputs.oidc-token }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and Push Docker image
+        uses: docker/build-push-action@v6
+        id: docker-build
+        with:
+          push: true
+          provenance: false
+          platforms: linux/amd64 #, linux/arm64
+          build-args: REPO_URL=${{ vars.JF_URL }}/example-project-docker-dev-remote
+          tags: ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}
+
+      - name: add docker package to build
+        run: |
+          echo "${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}@${{ steps.docker-build.outputs.digest }}" > metadata.json
+          jf rt build-docker-create ${{ env.DOCKER_REPO }} --image-file metadata.json --build-name $GITHUB_WORKFLOW --build-number ${{ github.run_number }}
+
+      - name: Publish build info
+        if: ${{ true }}
+        run: |
+          jf rt build-collect-env
+          jf rt build-add-git
+          jf rt build-publish
+
+      - name: Create JIRA evidence
+        env:
+            jira_token: ${{ secrets.JIRA_TOKEN }}
+            jira_username: ${{ secrets.JIRA_USERNAME }}
+            jira_url: ${{ secrets.JIRA_URL }}
+        run: |
+            BRANCH_NAME=$(git branch --show-current)
+            jira_id=$(echo "$BRANCH_NAME" | sed -E 's/^([^-]+-[0-9]+).*/\1/')
+            echo "The branch name is: $BRANCH_NAME"
+            echo "The jira_id is: $jira_id"
+            # uncomment the line below to use the commit message instead of the branch name
+            #START_COMMIT=$(git log -1 --format="%H %s")
+            #jira_id=$(echo "$BRANCH_NAME" | cut -d' ' -f2)
+          
+            # Check if the jira_id matches the JIRA ID format
+            if [[ $jira_id =~ ^[A-Z]+-[0-9]+$ ]]; then
+                echo "A valid JIRA ID was found in branch name: $jira_id"
+                set +e
+                ./examples/jira-transition-example/bin/jira-transition-checker-linux-amd64 "Done" $jira_id > predicate.json
+                # add --failOnMissingTransition to fail the build if the JIRA does not pass the transition check
+                EXIT_CODE=$?
+                set -e
+                # create evidence only if the jira transition checker was successful
+                if [ $EXIT_CODE -eq 0 ]; then
+                  # Attach evidence onto build using JFrog CLI                
+                  jf evd create \
+                  --build-name $GITHUB_WORKFLOW \
+                  --build-number "${{ github.run_number }}" \
+                  --predicate ./predicate.json \
+                  --predicate-type https://jfrog.com/evidence/build-jira-transition/v1 \
+                  --key "${{ secrets.JIRA_TEST_PKEY }}" \
+                  --key-alias ${{ vars.JIRA_TEST_KEY }}    
+                else
+                  echo "JIRA transition checked completed with an error, or not all JIRAs pass the transition checked"
+                fi
+            else
+                echo "No valid JIRA ID located in branch name: $BRANCH_NAME"
+            fi

.github/workflows/sonar-evidence-example.yml

@@ -0,0 +1,121 @@
+name: sonar-evidence-example
+
+on:
+  workflow_dispatch:  # This allows manual triggering of the workflow
+  push:
+    branches:
+      - CCS-2-Additional_evidence_examples
+  pull_request:
+      branches:
+        - CCS-2-Additional_evidence_examples
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  docker-build-with-sonar-evidence:
+    runs-on: ubuntu-latest
+    env:
+      DOCKER_REPO: 'test-docker-local'
+      IMAGE_NAME: 'my-very-cool-image:${{ github.run_number }}'
+    steps:
+      - name: Display workflow and job names
+        run: |
+          echo "Workflow name: $GITHUB_WORKFLOW"
+          echo "Job name: $GITHUB_JOB"
+
+      - name: Install jfrog cli
+        id:   setup-cli
+        uses: jfrog/setup-jfrog-cli@v4
+        env:
+          JF_URL: ${{ vars.ARTIFACTORY_URL }}
+        with:
+         oidc-provider-name: jfrog-github-oidc
+
+      - uses: actions/checkout@v4
+
+      - name: Install SonarQube Scanner
+        run: |          
+          curl -sL  -sSLo sonar-scanner.zip  https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-6.2.1.4610.zip
+          unzip sonar-scanner.zip
+          export PATH=$PATH:$PWD/sonar-scanner-6.2.1.4610/bin
+          pwd
+          ls -l $PWD/sonar-scanner-6.2.1.4610/bin/
+          echo "$PWD/sonar-scanner-6.2.1.4610/bin"
+      - name: Set up JDK 17
+        uses: actions/setup-java@v4
+        with:
+          java-version: '21' # Specify the desired Java version here
+          distribution: 'temurin' # You can also use 'temurin', 'zulu', etc.
+
+      - name: Run SonarScanner
+        id: run-sonar-scanner
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        run: |
+          $PWD/sonar-scanner-6.2.1.4610/bin/sonar-scanner \
+            -Dsonar.projectKey=test-evidence \
+            -Dsonar.organization=my-evidence-test-org \
+            -Dsonar.host.url=https://sonarcloud.io \
+            -Dsonar.java.jdkHome=$JAVA_HOME \
+            -Dsonar.verbose=true \
+            -Dsonar.token=$SONAR_TOKEN
+          # create evidence from sonar-scan analysis
+          set +e
+          # --FailOnAnalysisFailure causes a failure on gateway-failed sonar analysis 
+          ./examples/sonar-scan-example/bin/sonar-scan-extractor-linux-amd64  --reportTaskFile=$PWD/.scannerwork/report-task.txt > predicate.json
+          EXIT_CODE=$?
+          set -e          
+          # write the exit code to the github output so that it can be used in the evidence creation step
+          echo "------predicate.json------"
+          cat predicate.json
+          echo "------sonar-scan.log------"
+          cat sonar-scan.log
+          echo "------EXIT------"
+          echo "create-sonar-evidence=$EXIT_CODE" 
+          echo "create-sonar-evidence=$EXIT_CODE" >> $GITHUB_OUTPUT 
+     
+
+      - name: Log in to Artifactory Docker Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ vars.ARTIFACTORY_URL }}
+          username: ${{ steps.setup-cli.outputs.oidc-user }}
+          password: ${{ steps.setup-cli.outputs.oidc-token }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and Push Docker image
+        uses: docker/build-push-action@v6
+        id: docker-build
+        with:
+          push: true
+          provenance: false
+          platforms: linux/amd64 #, linux/arm64
+          build-args: REPO_URL=${{ vars.JF_URL }}/example-project-docker-dev-remote
+          tags: ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}
+
+      - name: add docker package to build
+        run: |
+          echo "${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}@${{ steps.docker-build.outputs.digest }}" > metadata.json
+          jf rt build-docker-create ${{ env.DOCKER_REPO }} --image-file metadata.json --build-name $GITHUB_WORKFLOW --build-number ${{ github.run_number }}
+
+      - name: Publish build info
+        if: ${{ true }}
+        run: |
+          jf rt build-collect-env
+          jf rt build-add-git
+          jf rt build-publish         
+
+      - name: Create evidence
+        if: ${{ steps.run-sonar-scanner.outputs.create-sonar-evidence == 0 }}
+        run: |            
+          # Attach evidence onto build using JFrog CLI                
+          jf evd create \
+            --build-name $GITHUB_WORKFLOW \
+            --build-number "${{ github.run_number }}" \
+            --predicate ./predicate.json \
+            --predicate-type https://jfrog.com/evidence/sonar-scan/v1 \
+            --key "${{ secrets.JIRA_TEST_PKEY }}" \
+            --key-alias ${{ vars.JIRA_TEST_KEY }}

.github/workflows/zap-evidence-example.yml

@@ -0,0 +1,59 @@
+name: zap-evidence-example
+
+on:
+  workflow_dispatch:  # This allows manual triggering of the workflow
+  push:
+    branches:
+      - CCS-2-Additional_evidence_examples
+  pull_request:
+      branches:
+        - CCS-2-Additional_evidence_examples
+permissions:
+  id-token: write
+  contents: read
+
+
+jobs:
+  zap-evidence-example:
+    runs-on: ubuntu-latest
+    env:
+      DOCKER_REPO: 'test-docker-local'
+      IMAGE_NAME: 'my-very-cool-image'
+      IMAGE_TAG: '40'
+      BUILD_NAME: 'zap-evidence-example'
+    steps:
+
+      - name: Install jfrog cli
+        id:   setup-cli
+        uses: jfrog/setup-jfrog-cli@v4
+        env:
+          JF_URL: ${{ vars.ARTIFACTORY_URL }}
+        with:
+         oidc-provider-name: jfrog-github-oidc
+
+      - uses: actions/checkout@v4
+
+      - name: ZAP Scan
+        run: |
+          docker pull ghcr.io/zaproxy/zaproxy:stable
+          # zap test the mock site https://www.example.com
+          docker run -v /tmp:/zap/wrk/:rw  -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py -t https://www.example.com  -J report_json.json || true
+          echo "Zap completed!"
+          ls -ltr /tmp
+          # create summary json
+          cat /tmp/report_json.json | jq -r '.site[].alerts[].riskcode'   | sort | uniq -c | awk '{print "{\"riskcode\":\"" $2 "\", \"count\":" $1 "},"}' | sed '$ s/,$//' | awk 'BEGIN {print "["} {print} END {print "]"}' > report_summary.json
+          # create full report predicate  
+          jq -s '{summary: .[0], details: .[1]}' report_summary.json /tmp/report_json.json  > summary.json
+          echo "-----------Summary of ZAP scan-----------"
+          cat summary.json
+
+      - name: Evidence on docker
+        run: |  
+         jf evd create \
+          --package-name ${{ env.IMAGE_NAME }} \
+          --package-version "${{ env.IMAGE_TAG }}" \
+          --package-repo-name ${{ env.DOCKER_REPO }} \
+          --key "${{ secrets.JIRA_TEST_PKEY }}" \
+          --key-alias ${{ vars.JIRA_TEST_KEY }} \
+          --predicate ./summary.json \
+          --predicate-type https://jfrog.com/evidence/zap-scan/v1

.gitignore

@@ -0,0 +1,3 @@
+/examples/sonar-scan-example/sonar-scanner-4.6.2.2472-linux/*
+/examples/sonar-scan-example/bin/*
+/examples/jira-transition-example/bin/*

README.md

@@ -190,3 +190,4 @@ When the Evidence service is used in conjunction with JFrog Xray, each Release B
 
 To see a sample rego policy, go [here](https://github.com/jfrog/Evidence-Examples/blob/main/policy/policy.rego).
 For more information about integrating Release Lifecycle Management and Evidence with Xray, see [Scan Release Bundles (v2) with Xray](https://jfrog.com/help/r/jfrog-artifactory-documentation/scan-release-bundles-v2-with-xray).
+

examples/jira-transition-example/README.md

@@ -0,0 +1,28 @@
+# Create JIRA Transition Evidence from the build CI and attach it to the build info
+JIRA is an important tool for tracking issues and managing projects and holds all requirements for software changes as Tasks.
+For compliant software development, it is important to track requirements review and approval process as these confirm proper approval for code changes done and released.
+To allow automation of proper requirements review and approval, we create an evidence of any JIRA linked to the code commits during the build with confirmation it went through approval status before code was committed. 
+Every company defines a different approval status, so in our example we allow the calling code send the name of the transition that shold be checked. 
+
+pre-requisites:
+1. Hold a cloud JIRA server (for selfhosted jira server, few code adjustments are required)
+2. Allow network access from your CI server to Jira server
+3. Define few environment variables: jira_url, jira_token, jira_username
+4. Commit comments must include the JIRA issue ID (e.g. <jira-project-key>-1234)
+
+The example is based on the following steps:
+1. get the relevant commit IDs
+2. extract the JIRA IDs from all the build commits
+3. call the jira-transition-checker utility (use the binary for your build platform) with these arguments: "transition name" JIRA-ID [,JIRA-ID]
+for example:
+ ``./examples/jira-transition-example/bin/jira-transition-checker-linux-amd64 "Finance Approval" JIRA-486 PROJ-111 > predicate.json``
+optional arg: `--failOnMissingTransition` whihc will fail the script if any of the JIRA IDs sent did not pass the transition check 
+4. call the evidence create cli with the predicate.json file
+for example:
+``jf evd create \
+                  --build-name "${{ env.BUILD_NAME }}" \
+                  --build-number "${{ github.run_number }}" \
+                  --predicate ./predicate.json \
+                  --predicate-type https://jfrog.com/evidence/requirements-approval/v1 \
+                  --key "${{ secrets.JIRA_TEST_PKEY }}" \
+                  --key-alias ${{ vars.JIRA_TEST_KEY }}``

examples/jira-transition-example/build-binary.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+# Script inspired by https://www.digitalocean.com/community/tutorials/how-to-build-go-executables-for-multiple-platforms-on-ubuntu-16-04
+
+errorExit () {
+    echo; echo "ERROR: $1"; echo
+    exit 1
+}
+
+BIN=jira-transition-checker
+rm -rf bin
+mkdir -p bin
+
+echo "Building $BIN"
+#platforms=("darwin/amd64" "linux/arm64" "linux/amd64" "windows/amd64" "windows/386")
+platforms=("linux/arm64" "linux/amd64" "darwin/arm64" )
+
+for p in "${platforms[@]}"; do
+    platform_array=(${p//\// })
+    GOOS=${platform_array[0]}
+    GOARCH=${platform_array[1]}
+
+    echo -e "\nBuilding"
+    echo "OS:   $GOOS"
+    echo "ARCH: $GOARCH"
+    final_name=$BIN'-'$GOOS'-'$GOARCH
+    if [ "$GOOS" = "windows" ]; then
+        final_name+='.exe'
+    fi
+
+    env GOOS="$GOOS" GOARCH="$GOARCH" go build -o bin/$final_name . || errorExit "Building $final_name failed"
+done
+
+echo -e "\nDone!\nThe following binaries were created in the bin/ directory:"
+ls -1 bin/
+echo