From 8d4a87d4b26a895149c3c488449414b668df6f87 Mon Sep 17 00:00:00 2001
From: Stephen Fuqua
Date: Thu, 9 May 2024 16:11:34 -0500
Subject: [PATCH] Npgsql and scorecard (#247)
---
 .github/CODEOWNERS | 1 +
 .github/dependabot.yml | 19 +++++
 .github/workflows/build.yml | 7 ++
 .github/workflows/codeql.yml | 8 +++
 .github/workflows/create-pre-release.yml | 2 +
 .github/workflows/dependencies.yml | 11 ++-
 .github/workflows/scorecard.yml | 72 +++++++++++++++++++
 README.md | 2 +
 SECURITY.md | 13 ++++
 build.ps1 | 10 +-
 .../EdFi.AnalyticsMiddleTier.Common.csproj | 2 +-
 .../NpgsqlConnectionStringValidator.cs | 8 ---
 12 files changed, 140 insertions(+), 15 deletions(-)
 create mode 100644 .github/CODEOWNERS
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/scorecard.yml
 create mode 100644 SECURITY.md
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 00000000..9a91e4cf
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1 @@
+.github/**/* @Ed-Fi-Alliance-OSS/ed-fi-tech
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..9c6ed6b4
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,19 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ * Licensed to the Ed-Fi Alliance under one or more agreements.
+ * The Ed-Fi Alliance licenses this file to you under the Apache License, Version 2.0.
+ * See the LICENSE and NOTICES files in the project root for more information.
+ */
+
+# SPDX-License-Identifier: Apache-2.0
+# Licensed to the Ed-Fi Alliance under one or more agreements.
+# The Ed-Fi Alliance licenses this file to you under the Apache License, Version 2.0.
+# See the LICENSE and NOTICES files in the project root for more information.
+
+version: 2
+updates:
+ - package-ecosystem: nuget
+ directory: src/
+ target-branch: dependabot-updates
+ schedule:
+ interval: weekly
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index ff8c7a3c..09b69888 100644
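Review bot: The first six lines added to .github/dependabot.yml (`/*` through `*/`) are a C-style comment block that YAML has no syntax for, so the parser sees them as stray scalars and Dependabot should reject the file as invalid; delete them and keep only the `#`-prefixed header that follows. The config also lists only the `nuget` ecosystem, so the action SHAs pinned in .github/workflows will not get automated bumps; a second entry `- package-ecosystem: github-actions` with `directory: /` and the same weekly schedule would cover them.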
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -12,6 +12,13 @@ on:
 pull_request:
 workflow_dispatch:
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+
+permissions: read-all
+
 env:
 CONFIGURATION: "Release"
 GA_USE_GITHUB_ENV: "true"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 6d39bfb9..c4e56d43 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -14,6 +14,14 @@ on:
 push:
 branches:
 - main
+ workflow_dispatch:
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+
+permissions: read-all
 jobs:
 analyze:
diff --git a/.github/workflows/create-pre-release.yml b/.github/workflows/create-pre-release.yml
index 5a8cfcee..5c46ee4b 100644
--- a/.github/workflows/create-pre-release.yml
+++ b/.github/workflows/create-pre-release.yml
@@ -21,6 +21,8 @@ on:
 required: true
 default: 'false'
+permissions: read-all
+
 env:
 CONFIGURATION: "Release"
 PUBLISH_FOLDER: "./publish/"
diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml
index bb064ec2..6cef5d34 100644
--- a/.github/workflows/dependencies.yml
+++ b/.github/workflows/dependencies.yml
@@ -11,6 +11,14 @@ on:
 - main
 paths:
 - 'src/**'
+ workflow_dispatch:
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+permissions: read-all
+
 jobs:
 scan-actions:
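Review bot: The block added to build.yml leaves two consecutive blank lines between `cancel-in-progress: true` and `permissions: read-all`, where the rest of the patch (create-pre-release.yml, dependencies.yml) uses one; drop one here and in the identical codeql.yml hunk. The workflow-level `permissions: read-all` and the per-PR concurrency group are otherwise sound additions.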
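Review bot: The new workflow-level `permissions: read-all` in codeql.yml also caps the token of the `analyze` job, and CodeQL's analyze/upload step requires `security-events: write`; the job body is outside this hunk, so confirm it declares its own `permissions:` block (at least `security-events: write` and `contents: read`), otherwise the SARIF upload will start failing once this merges. If it already does, a one-line comment above the new line such as `# jobs that upload results raise security-events to write at job level` would make the interplay explicit.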
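Review bot: `permissions: read-all` in create-pre-release.yml removes the `contents: write` that creating a GitHub release with `GITHUB_TOKEN` needs, unless the release job (outside this hunk) overrides it at job level; verify which token the release step uses before merging. If it authenticates with a PAT secret instead, the workflow-level read-all is correct and a comment next to it, `# release creation uses a PAT, so the default token stays read-only`, would spare the next reader the same check.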
@@ -35,4 +43,5 @@ jobs:
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Dependency Review ("Dependabot on PR")
- uses: actions/dependency-review-action@7bbfa034e752445ea40215fff1c3bf9597993d3f # v3.1.3
\ No newline at end of file
+ if: ${{ github.event_name == 'pull_request' && !github.event.repository.fork }}
+ uses: actions/dependency-review-action@9129d7d40b8c12c1ed0f60400d00c92d437adcce # v4.1.3
\ No newline at end of file
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
new file mode 100644
index 00000000..09439b31
--- /dev/null
+++ b/.github/workflows/scorecard.yml
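Review bot: The added `if:` in dependencies.yml tests `github.event.repository.fork`, which says whether the repository the workflow runs in is itself a fork, not whether the pull request comes from a fork; if the aim is to skip fork PRs, where the token is read-only, the head repository is the thing to check: `if: ${{ github.event_name == 'pull_request' && !github.event.pull_request.head.repo.fork }}`. If the aim really is to keep the job from running in downstream forks of this repository, the current expression is right and deserves a comment saying so. Both sides of the hunk still end with `\ No newline at end of file`, which is worth fixing while the file is touched.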
@@ -0,0 +1,72 @@
+# Originally sourced from GitHub with implicit lack of license
+
+name: Scorecard supply-chain security
+on:
+ # To guarantee Maintained check is occasionally updated. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+ schedule:
+ - cron: '15 23 * * 0'
+ push:
+ branches: [ "main" ]
+ workflow_dispatch:
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+ # Uncomment the permissions below if installing in a private repository.
+ # contents: read
+ # actions: read
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ persist-credentials: false
+
+ - name: Run analysis
+ uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+ with:
+ results_file: scorecard.sarif
+ results_format: sarif
+ # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+ # - you want to enable the Branch-Protection check on a *public* repository, or
+ # - you are installing Scorecard on a *private* repository
+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+ #repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+ # Public repositories:
+ # - Publish results to OpenSSF REST API for easy access by consumers
+ # - Allows the repository to include the Scorecard badge.
+ # - See https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories:
+ # - `publish_results` will always be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: Upload artifact
+ uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
+ with:
+ name: Scorecard SARIF file
+ path: scorecard.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: Upload to code-scanning
+ uses: github/codeql-action/upload-sarif@cf7e9f23492505046de9a37830c3711dd0f25bb3 # codeql-bundle-v2.16.2
+ with:
+ sarif_file: scorecard.sarif
diff --git a/README.md b/README.md
index 40e82516..27440b92 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,7 @@
 # Ed-Fi-Analytics-Middle-Tier
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/Ed-Fi-Alliance-OSS/Ed-Fi-Analytics-Middle-Tier/badge)](https://securityscorecards.dev/viewer/?uri=github.com/Ed-Fi-Alliance-OSS/Ed-Fi-Analytics-Middle-Tier)
+
 The Analytics Middle Tier is a set of denormalized analytics views over the Ed-Fi ODS database tables, satisfying the user story:
 > As a district data analyst, I want to build intelligent reporting on the Ed-Fi ODS with minimal learning curve and low risk of breaking changes, so that I can deliver timely data to educators and administrators.
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..fbef46f9
--- /dev/null
+++ b/SECURITY.md
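Review bot: The concurrency group in scorecard.yml keys on `github.event.pull_request.number`, but this workflow runs only on schedule, push to main and workflow_dispatch, so that term is always empty and the group reduces to `group: ${{ github.workflow }}-${{ github.ref }}`; writing it that way states the intent. Since scheduled runs and pushes to main share the same ref, `cancel-in-progress: true` means a push landing during the weekly run cancels it, which should be harmless here because the push run produces the same report. The header comment `# Originally sourced from GitHub with implicit lack of license` is vague; naming the upstream template it was copied from (presumably the scorecard-action example workflow) would help the next maintainer diff against it.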
@@ -0,0 +1,13 @@
+# Security
+
+If you find a significant vulnerability, or evidence of one, please report it
+privately.
+
+We prefer that you use the [GitHub mechanism for privately reporting a
+vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability).
+Under the [main repository's security
+tab](https://github.com/Ed-Fi-Alliance-OSS/Ed-Fi-Analytics-Middle-Tier/security), click "Report a
+vulnerability" to open the advisory form.
+
+If you have any further concerns that are not addressed by this process, please
+submit a case through the [Ed-Fi Community Hub](https://success.ed-fi.org)
diff --git a/build.ps1 b/build.ps1
index af731604..e72d11b7 100644
--- a/build.ps1
+++ b/build.ps1
@@ -44,7 +44,7 @@ param(
 # Command to execute, defaults to "Build".
 [string]
- [ValidateSet("Clean", "Build", "Publish", "CreateZip", "UnitTest", "IntegrationTest")]
+ [ValidateSet("DotnetClean", "Build", "Publish", "CreateZip", "UnitTest", "IntegrationTest")]
 $Command = "Build",
 [switch]
 $SelfContained,
@@ -78,7 +78,7 @@ $publishFddZipFile = "$publishFddDirectoryName-$Version.zip"
 $publishScdZipFile = "$publishScdDirectoryName-$Version.zip"
 $testProjectName = "EdFi.AnalyticsMiddleTier.Tests"
-function Clean {
+function DotnetClean {
 Invoke-Execute { dotnet clean $solutionRoot -c $Configuration --nologo -v minimal }
 }
@@ -198,7 +198,7 @@ function IntegrationTests {
 function Invoke-Build {
 Write-Host "Building Version $Version" -ForegroundColor Cyan
- Invoke-Step { Clean }
+ Invoke-Step { DotnetClean }
 Invoke-Step { AssemblyInfo }
 Invoke-Step { Compile }
 }
@@ -209,7 +209,7 @@ function Invoke-Publish {
 }
 function Invoke-Clean {
- Invoke-Step { Clean }
+ Invoke-Step { DotnetClean }
 }
 function Invoke-PublishClean {
@@ -231,7 +231,7 @@ function Invoke-CreateZip {
 Invoke-Main {
 switch ($Command) {
- Clean {
+ DotnetClean {
 Invoke-Clean
 Invoke-PublishClean
 }
diff --git a/src/EdFi.AnalyticsMiddleTier.Common/EdFi.AnalyticsMiddleTier.Common.csproj b/src/EdFi.AnalyticsMiddleTier.Common/EdFi.AnalyticsMiddleTier.Common.csproj
index 305b1197..a0548bf2 100644
--- a/src/EdFi.AnalyticsMiddleTier.Common/EdFi.AnalyticsMiddleTier.Common.csproj
+++ b/src/EdFi.AnalyticsMiddleTier.Common/EdFi.AnalyticsMiddleTier.Common.csproj
@@ -9,7 +9,7 @@ - + 
diff --git a/src/EdFi.AnalyticsMiddleTier.Common/NpgsqlConnectionStringValidator.cs b/src/EdFi.AnalyticsMiddleTier.Common/NpgsqlConnectionStringValidator.cs
index 686ef0b4..7e9bc356 100644
--- a/src/EdFi.AnalyticsMiddleTier.Common/NpgsqlConnectionStringValidator.cs
+++ b/src/EdFi.AnalyticsMiddleTier.Common/NpgsqlConnectionStringValidator.cs
@@ -29,14 +29,6 @@ public bool IsConnectionStringValid(out string errorMessage)
 errorMessage = $"{Environment.NewLine}Please specify a data source using the Data Source or Server keyword.";
 }
- if (!connectionStringBuilder.IntegratedSecurity &&
- (string.IsNullOrWhiteSpace(connectionStringBuilder.Username) ||
- string.IsNullOrWhiteSpace(connectionStringBuilder.Password)))
- {
- errorMessage =
- $"{errorMessage}{Environment.NewLine}Please specify an authentication method using an integrated security or providing a user id and password.";
- }
-
 if (string.IsNullOrWhiteSpace(connectionStringBuilder.Database))
 {
 errorMessage = $"{errorMessage}{Environment.NewLine}Please specify a database using the Database or Initial Catalog keyword.";
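Review bot: The NpgsqlConnectionStringValidator.cs hunk deletes the credential check with no replacement and no explanation, so a connection string with no user id now passes `IsConnectionStringValid` and only fails later inside Npgsql with a less specific error. If the driver upgrade in the csproj hunk removed `NpgsqlConnectionStringBuilder.IntegratedSecurity` (likely, but that hunk is too garbled here to confirm the version), that belongs in the commit message or in a comment where the block was, e.g. `// Username/Password are no longer validated here: the upgraded Npgsql dropped IntegratedSecurity and resolves a missing user name from the OS/Kerberos identity — TODO confirm`. If callers still expect an early message for the common password case, a reduced `if (string.IsNullOrWhiteSpace(connectionStringBuilder.Username))` branch appending to `errorMessage` keeps that behaviour without asserting a password, which passfile and certificate logins legitimately omit. `IsConnectionStringValid` begins before this hunk and continues after it.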