Merge branch 'main' into a1b5dependabot/go_modules/k8s.io/client-go-0…

….28.4

.github/workflows/mend.config

@@ -2,7 +2,8 @@
 # WhiteSource Unified-Agent configuration file for GO
 # GENERAL SCAN MODE: Package Managers only
 ####################################################################
-
+#Configuration Reference: https://docs.mend.io/bundle/unified_agent/page/unified_agent_configuration_parameters.html#General
+
 # !!! Important for WhiteSource "DIST - *" Products:
 # Please set 
 #   checkPolicies=false
@@ -21,33 +22,38 @@ failErrorLevel=ALL
 # failBuildOnPolicyViolation:
 # If the flag is true, the Unified Agent exit code will be the result of the policy check.
 # If the flag is false, the Unified Agent exit code will be the result of the scan.
-forceUpdate.failBuildOnPolicyViolation=false
+forceUpdate.failBuildOnPolicyViolation=true
 # offline parameter is important and need to be false
 offline=false
 
 # ignoreSourceFiles parameter is important and need to be true
 # IMPORTANT: This parameter is going to be deprecated in future
 #            and will be replaced by a new parameter, fileSystemScan. 
-ignoreSourceFiles=true
+# ignoreSourceFiles=true
 # fileSystemScan parameter is important and need to be false as a 
 # replacement for ignoreSourceFiles=true and overrides the 
-# soon-to-be-deprecated ignoreSourceFiles.
-fileSystemScan=false
+# soon-to-be-deprecated ignoreSourceFiles. To scan source files, we need to enable it.
+fileSystemScan=true
 # resolveAllDependencies is important and need to be false
 resolveAllDependencies=false
 
 #wss.connectionTimeoutMinutes=60
 # URL to your WhiteSource server.
 # wss.url=https://sap.whitesourcesoftware.com/agent
-
+
+####################################################################
+# GO Configuration 
+####################################################################
+
 # resolveDependencies parameter is important and need to be true
 #if you are using 'modules' as a dependency manager, then the go.resolveDependencies is set to false.
 #For any other dependency manager, this value is set to true.
 
 go.resolveDependencies=true
 #defaut value for ignoreSourceFiles  is set to false
 # ignoreSourceFiles parameter is important and need to be true
-go.ignoreSourceFiles=true
+# To scan source files, we need to disable it.
+go.ignoreSourceFiles=false
 go.collectDependenciesAtRuntime=false
 # dependencyManager: Determines the Go dependency manager to use when scanning a Go project.
 # Valid values are 'dep', 'godep', 'vndr', 'gogradle', 'glide', 'govendor', 'gopm' and 'vgo' 
@@ -61,12 +67,13 @@ go.collectDependenciesAtRuntime=false
 #Please comment these below 4 lines that has 'go.modules' prefix if you are not using the 'modules' dependency manager.
 # Default value is true. If set to true, it resolves Go Modules dependencies.
 go.modules.resolveDependencies=true
-#default value is true. If set to true, this will ignore Go source files during the scan.
-#go.modules.ignoreSourceFiles=true
+#default value is true. If set to true, this will ignore Go source files during the scan. 
+#To scan source files, we need to disable it.
+go.modules.ignoreSourceFiles=false
 #default value is true. If set to true, removes duplicate dependencies during Go Modules dependency resolution.
 #go.modules.removeDuplicateDependencies=false
 #default value is false. if set to true, scans Go Modules project test dependencies.
-#go.modules.includeTestDependencies=true
+go.modules.includeTestDependencies=true
 ######################
 
 

.github/workflows/mend_scan.yaml

@@ -3,11 +3,28 @@ name: Mend Security Scan
 on:
   schedule:
     - cron:  '0 0 * * 0'
-
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:    
+      - main
+  workflow_dispatch:
+    inputs:
+      logLevel:
+        description: 'Log level'
+        required: true
+        default: 'debug'
+        type: choice
+        options:
+        - info
+        - warning
+        - debug
 jobs:
   mend-scan:
     runs-on: ubuntu-latest
-
+    permissions:
+      pull-requests: write
     steps:
     - name: Checkout Code  
       uses: actions/checkout@v4
@@ -23,6 +40,11 @@ jobs:
       with:
         go-version-file: '${{ github.workspace }}/go.mod'
 
+    - name: 'Setup jq'
+      uses: dcarbone/install-jq-action@v2.1.0
+      with:
+        version: '1.7'
+
     - name: Download Mend Universal Agent
       run: curl https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar -o ./wss-unified-agent.jar
 
@@ -34,4 +56,142 @@ jobs:
         WSS_URL: ${{ secrets.MEND_URL }}
         API_KEY: ${{ secrets.MEND_API_TOKEN }}
         CONFIG_FILE: './.github/workflows/mend.config'
+
+    - name: Generate Report
+      env:
+        USER_KEY: ${{ secrets.MEND_API_USER_KEY }}
+        PROJECT_TOKEN: ${{ secrets.MEND_PROJECT_TOKEN_OCM }}
+        API_KEY: ${{ secrets.MEND_API_ORG_TOKEN }}
+        EMAIL: ${{ secrets.MEND_API_EMAIL }}
+      id: report
+      run: |
+        data=$(cat <<EOF
+        {
+            "email": "${EMAIL}",
+            "orgToken": "${API_KEY}",
+            "userKey": "${USER_KEY}"
+        }
+        EOF
+        )
+        
+        login_token=$(curl -X POST 'https://api-sap.whitesourcesoftware.com/api/v2.0/login' \
+        --header 'Content-Type: application/json' --silent \
+        --data "${data}" | jq -r .retVal.jwtToken )
+        
+        security_vulnerability=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/alerts/security?search=status%3Aequals%3AACTIVE%3Bscore%3Abetween%3A6%2C10%3B" \
+        --header 'Content-Type: application/json' --silent \
+        --header "Authorization: Bearer ${login_token}")
+        
+        major_updates_pending=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/alerts/legal?search=status%3Aequals%3AACTIVE%3BavailableVersionType%3Aequals%3AMAJOR" \
+        --header 'Content-Type: application/json' --silent \
+        --header "Authorization: Bearer ${login_token}" )
+        
+        requires_review=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/libraries/licenses?search=license%3Aequals%3ARequires%20Review" \
+        --header 'Content-Type: application/json' --silent \
+        --header "Authorization: Bearer ${login_token}")
+        
+        high_license_risk=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/libraries/licenses?pageSize=1000" \
+        --header 'Content-Type: application/json' --silent \
+        --header "Authorization: Bearer ${login_token}")
+        
+        security_vulnerability_no=$(echo "${security_vulnerability}" | jq .additionalData.totalItems )
+        major_updates_pending_no=$(echo "${major_updates_pending}" | jq -r .additionalData.totalItems )
+        requires_review_no=$(echo "${requires_review}" |jq -r .additionalData.totalItems )
+        high_license_risk_no=$(echo "${high_license_risk}" | jq -r '.retVal[].riskScore.riskScore | select( . != null ) > 52 | select(.==true)'| wc -l )
+        
+        function print {
+          printf "############################################\n$1\n############################################\nMend Scan Tool: https://sap.whitesourcesoftware.com/Wss/WSS.html#!login \n"
+        }
+        
+        function restricted_license {
+          declare -a sap_restricted_licenses=("LGPL" "GPL" "Affero%20GPL" "MPL" "CDDL" "EPL")
+          ret_val=""
+          issue_count=0
+          for key in "${!sap_restricted_licenses[@]}"; do
+            api_resp=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/libraries/licenses?search=license%3Aequals%3A${sap_restricted_licenses[$key]}" \
+              --header 'Content-Type: application/json' --silent \
+              --header "Authorization: Bearer ${login_token}")
         
+            api_resp_no=$(echo "${api_resp}" | jq .additionalData.totalItems )
+            issue_count=$((issue_count+api_resp_no))
+        
+            if [[ $api_resp_no -gt 0 ]]
+            then
+              val=$(echo "${api_resp}" | jq -r .retVal[] )
+              ret_val="$ret_val$val"
+            fi
+          done
+          export VIOLATIONS_VERBOSE="${ret_val}"
+          export VIOLATIONS="${issue_count}"
+        }
+        
+        print "HIGH/CRITICAL SECURITY VULNERABILITIES: ${security_vulnerability_no}"
+        if [[ $security_vulnerability_no -gt 0 ]]
+        then
+          echo "${security_vulnerability}" | jq -r .retVal[]
+        fi
+        
+        print "MAJOR UPDATES AVAILABLE: ${major_updates_pending_no}"
+        if [[ $major_updates_pending_no -gt 0 ]]
+        then
+          echo "${major_updates_pending}" | jq -r .retVal[]
+        fi
+        
+        print "LICENSE REQUIRES REVIEW: ${requires_review_no}" "Visit the Mend UI and add correct license"
+        if [[ $requires_review_no -gt 0 ]]
+        then
+          echo "${requires_review}" | jq -r .retVal[]
+        fi
+        
+        print "LICENSE RISK HIGH: ${high_license_risk_no}"
+        if [[ high_license_risk_no -gt 0 ]]
+        then
+          echo "Visit the Mend UI and check High Risk Licenses. Understand Risk Score: https://docs.mend.io/bundle/sca_user_guide/page/understanding_risk_score_attribution_and_license_analysis.html"
+        fi
+        
+        restricted_license
+        
+        print "RESTRICTIED LICENSE FOR ON-PREMISE DELIVERY: ${VIOLATIONS}"
+        if [[ $VIOLATIONS -gt 0 ]]
+        then
+          echo "${VIOLATIONS_VERBOSE}" | jq .
+        fi
+        
+        echo "security_vulnerability_no=$security_vulnerability_no" >> $GITHUB_OUTPUT 
+        echo "major_updates_pending_no=$major_updates_pending_no" >> $GITHUB_OUTPUT
+        echo "requires_review_no=$requires_review_no" >> $GITHUB_OUTPUT
+        echo "high_license_risk_no=$high_license_risk_no" >> $GITHUB_OUTPUT
+        echo "violations=$VIOLATIONS" >> $GITHUB_OUTPUT
+        
+        if [[ $security_vulnerability_no -gt 0 ]] || [[ $major_updates_pending_no -gt 0 ]] || [[ $requires_review_no -gt 0 ]] || [[ high_license_risk_no -gt 0 ]] || [[ violations -gt 0 ]]
+        then
+          echo "status=x" >> $GITHUB_OUTPUT
+        else 
+          echo "status=white_check_mark" >> $GITHUB_OUTPUT
+        fi
+        
+    - name: Check if PR exists
+      uses: 8BitJonny/gh-get-current-pr@2.2.0
+      id: pr_exists
+      with:
+        filterOutClosed: true
+        sha: ${{ github.event.pull_request.head.sha }}
+
+    - name: Comment Mend Status on PR
+      if: ${{ github.event_name != 'schedule' && steps.pr_exists.outputs.pr_found == 'true' }}
+      uses: thollander/actions-comment-pull-request@v2.4.3
+      with:
+        message: |
+          ## Mend Scan Summary: :${{ steps.report.outputs.status }}:
+          ### Repository: ${{ github.repository }}
+          | VIOLATION DESCRIPTION                        | NUMBER OF VIOLATIONS        |
+          | -------------------------------------------- | --------------------------- |
+          | HIGH/CRITICAL SECURITY VULNERABILITIES       | ${{ steps.report.outputs.security_vulnerability_no }} |
+          | MAJOR UPDATES AVAILABLE                      | ${{ steps.report.outputs.major_updates_pending_no }}  |
+          | LICENSE REQUIRES REVIEW                      | ${{ steps.report.outputs.requires_review_no }}        |
+          | LICENSE RISK HIGH                            | ${{ steps.report.outputs.high_license_risk_no }}      |
+          | RESTRICTIED LICENSE FOR ON-PREMISE DELIVERY  | ${{ steps.report.outputs.VIOLATIONS }}                |
+          
+          [Detailed Logs: mend-scan-> Generate Report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
+          [Mend UI](https://sap.whitesourcesoftware.com/Wss/WSS.html#!login)
+        comment_tag: tag_mend_scan

cmds/ocm/commands/ocmcmds/components/sign/cmd_test.go

@@ -238,15 +238,15 @@ Error: signing: github.com/mandelsoft/ref:v1: failed resolving component referen
 			buf := bytes.NewBuffer(nil)
 			Expect(env.CatchErrorOutput(buf).Execute("sign", "components", "-s", SIGNATURE, "-K", PRIVKEY, "--repo", ARCH, COMPONENTB+":"+VERSION)).To(HaveOccurred())
 			Expect(buf.String()).To(StringEqualTrimmedWithContext(`
-Error: signing: github.com/mandelsoft/ref:v1: failed resolving component reference ref[github.com/mandelsoft/test:v1]: ocm reference "github.com/mandelsoft/test:v1" not found
+Error: signing: github.com/mandelsoft/ref:v1: failed resolving component reference ref[github.com/mandelsoft/test:v1]: component "github.com/mandelsoft/test" not found in ComponentArchive
 `))
 		})
 
 		It("sign archive", func() {
 			buf := bytes.NewBuffer(nil)
 			Expect(env.CatchErrorOutput(buf).Execute("sign", "components", "-s", SIGNATURE, "-K", PRIVKEY, ARCH)).To(HaveOccurred())
 			Expect(buf.String()).To(StringEqualTrimmedWithContext(`
-Error: signing: github.com/mandelsoft/ref:v1: failed resolving component reference ref[github.com/mandelsoft/test:v1]: ocm reference "github.com/mandelsoft/test:v1" not found
+Error: signing: github.com/mandelsoft/ref:v1: failed resolving component reference ref[github.com/mandelsoft/test:v1]: component "github.com/mandelsoft/test" not found in ComponentArchive
 `))
 		})
 	})

examples/lib/helper/helper.go

@@ -15,14 +15,14 @@ import (
 )
 
 type Config struct {
-	Username   string `json:"username"`
-	Password   string `json:"password"`
-	Component  string `json:"component"`
-	Repository string `json:"repository"`
-	Version    string `json:"version"`
-
-	Target    json.RawMessage `json:"targetRepository"`
-	OCMConfig string          `json:"ocmConfig"`
+	Username   string `json:"username,omitempty"`
+	Password   string `json:"password,omitempty"`
+	Component  string `json:"component,omitempty"`
+	Repository string `json:"repository,omitempty"`
+	Version    string `json:"version,omitempty"`
+
+	Target    json.RawMessage `json:"targetRepository,omitempty"`
+	OCMConfig string          `json:"ocmConfig,omitempty"`
 }
 
 func ReadConfig(path string) (*Config, error) {

examples/lib/tour/01-getting-started/README.md

@@ -0,0 +1,13 @@
+# Basic Usage of OCM Repositories
+
+This [tour](example.go) illustrates the basic usage of the API to
+access component versions in an OCM repository.
+
+You can just call the main program with some config file argument
+with the following content:
+
+```yaml
+component: github.com/mandelsoft/examples/cred1
+repository: ghcr.io/mandelsoft/ocm
+version: 0.1.0
+```

examples/lib/tour/02-composing-a-component-version/example-a.go → examples/lib/tour/02-composing-a-component-version/01-basic-componentversion-creation.go

@@ -279,6 +279,7 @@ func listVersions(repo ocm.Repository, list ...string) error {
 	}
 	return nil
 }
+
 func ComposingAComponentVersionA() error {
 	// yes, we need an OCM context, again
 	ctx := ocm.DefaultContext()

examples/lib/tour/02-composing-a-component-version/README.md

@@ -0,0 +1,10 @@
+# Composing a Component Version
+
+This tor illustrates the basic usage of the API to
+create/compose component versions.
+
+It covers two basic scenarios:
+- [`basic`](01-basic-componentversion-creation.go) Create a component version stored in the filesystem
+- [`compose`](02-composition-version.go) Create a component version stored in memory using a non-persistent composition version.
+
+You can just call the main program with the scenario as argument.

examples/lib/tour/03-working-with-credentials/example-b.go → examples/lib/tour/03-working-with-credentials/02-basic-credential-management.go

@@ -10,7 +10,6 @@ import (
 	"os"
 
 	"github.com/open-component-model/ocm/examples/lib/helper"
-	"github.com/open-component-model/ocm/pkg/common"
 	"github.com/open-component-model/ocm/pkg/contexts/credentials"
 	ociidentity "github.com/open-component-model/ocm/pkg/contexts/credentials/builtin/oci/identity"
 	"github.com/open-component-model/ocm/pkg/contexts/oci"
@@ -19,19 +18,6 @@ import (
 	"github.com/open-component-model/ocm/pkg/errors"
 )
 
-func obfuscate(props common.Properties) string {
-	if pw, ok := props[credentials.ATTR_PASSWORD]; ok {
-		if len(pw) > 5 {
-			pw = pw[:5] + "***"
-		} else {
-			pw = "***"
-		}
-		props = props.Copy()
-		props[credentials.ATTR_PASSWORD] = pw
-	}
-	return props.String()
-}
-
 func UsingCredentialsB(cfg *helper.Config, create bool) error {
 	ctx := ocm.DefaultContext()
 
@@ -137,6 +123,11 @@ func UsingCredentialsB(cfg *helper.Config, create bool) error {
 	if err != nil {
 		return errors.Wrapf(err, "no credentials")
 	}
+	// an error is only provided if something went wrong while determining
+	// the credentials. Delivering NO credentials is a valid result.
+	if creds == nil {
+		return fmt.Errorf("no credentials found")
+	}
 	fmt.Printf("credentials: %s\n", obfuscate(creds.Properties()))
 
 	// Now we can continue with our basic component version composition