/zowe-dependency-scan-pipeline

Zowe Organizational Dependency Scans - Attributions, Vulnerability Reports

Primary LanguageTypeScriptEclipse Public License 2.0EPL-2.0

Zowe Dependency Scan Pipeline(s)

This repository contains multiple scripts and tools which assist us in running various pipelines, mostly scans, against the Zowe Codebase.

Currently, the following scans or pipelines are available:

Name Purpose Repo Path Status
Dependency License Scans Generates NOTICES and TPSR.md, which is a complete collection of dependency licenses, using the zowe manifest from zowe-install-packaging. Scan Location Running in GHA
Dependency SBOM Scans w/ORT Generates SPDX 2.2 SBOMs in a YAML format using the zowe manifest from zowe-install-packaging. The generated SBOMs include all transitive dependencies for supported languages and build tools, which includes Node/NPM/Yarn, Rust/Cargo, and Java/Gradle/Maven. Scan Location Running in GHA
Binary SBOM Scan w/FOSS Generates 1.x RDF SBOMs using the binaries delivered as part of the Zowe release process (PAX, CLI Standalone ZIP). Scan Location Not Running, but present in GHA. This scan could be useful again in the future as SBOM standards evolve to cover more points in the S3C lifecycle, such as source, build, and artifact. This scan would be useful as "artifact" SBOM.
Cleanup Scripts Runs periodic cleanup scripts which help us manage infrastructure resources, such as disk space on persistent build machines and net artifact consumption Artifactory. Scan Location, Scripts, Tooling Running in GHA
Snyk Scans Scans projects for vulnerabilities using the Snyk database and uploads the results to the Zowe Security Squad's Repository Scan Location Possibly deprecated, still Running in GHA. We have access to continuous Snyk scanning through the Linux Foundation, so this pipeline is redundant but may still have some use by uploading scan artifacts for review.
OWASP Scans Scans dependencies for known vulnerabilities and weaknesses using the OWASP CLI. Scan Location Deprecated by other scans run within the community.
Performance Test Suite Contains client, server, and metric capture components that can be setup to run a set of performance tests against Zowe. Code Location Not running. This test suite has been shelved for some time and would require a code review pass to bring it back up to a functioning state.
Docker Build Pipeline Creates Docker containers used to run some of the above actions. Docker files are located here Pipeline Location Running in GHA on-demand