Merge pull request #480 from solarwinds/NH-89337

RL Scanning
solarwinds · Oct 30, 2024 · 16a2ab1 · 16a2ab1
2 parents 3119fae + 190ff05
commit 16a2ab1
Show file tree

Hide file tree

Showing 20 changed files with 184 additions and 13 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -38,6 +38,11 @@ jobs:
       version: ${{ needs.publish.outputs.version }}
     secrets: inherit
 
+  scan:
+    needs: publish
+    uses: ./.github/workflows/scan.yml
+    secrets: inherit
+
   draft:
     needs:
       - publish

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
@@ -0,0 +1,27 @@
+name: Scan packages
+on:
+  workflow_dispatch:
+  workflow_call:
+    secrets:
+      RLPORTAL_ACCESS_TOKEN:
+        required: true
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    env:
+      RLPORTAL_ACCESS_TOKEN: ${{ secrets.RLPORTAL_ACCESS_TOKEN }}
+      YARN_ENABLE_IMMUTABLE_INSTALLS: false
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          lfs: true
+          submodules: true
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+      - run: corepack enable
+
+      - run: yarn install
+      - run: yarn scan
diff --git a/.gitignore b/.gitignore
@@ -8,7 +8,8 @@ node_modules/
 .turbo/
 
 # Package archives
-package.tgz
+*.tgz
+scan/
 
 # Common build outputs
 *.tsbuildinfo

diff --git a/.yarn/versions/b3544001.yml b/.yarn/versions/b3544001.yml
@@ -0,0 +1,9 @@
+declined:
+  - "@solarwinds-apm/bindings"
+  - "@solarwinds-apm/dependencies"
+  - "@solarwinds-apm/histogram"
+  - "@solarwinds-apm/instrumentations"
+  - "@solarwinds-apm/module"
+  - "@solarwinds-apm/proto"
+  - "@solarwinds-apm/sampling"
+  - solarwinds-apm
diff --git a/package.json b/package.json
@@ -19,6 +19,7 @@
     "lint": "prettier --check *.json *.md .github && turbo run lint --continue",
     "lint:fix": "prettier --write *.json *.md .github && turbo run lint:fix --continue",
     "publish": "turbo run build && turbo run release",
+    "scan": "turbo run scan && node scripts/lambda.js solarwinds-apm && node scripts/scan.js",
     "test": "turbo run test --continue",
     "test:watch": "turbo watch test",
     "version:latest": "node scripts/version.js",

diff --git a/packages/bindings/npm/linux-arm64-gnu/package.json b/packages/bindings/npm/linux-arm64-gnu/package.json
@@ -8,7 +8,8 @@
     "directory": "packages/bindings/npm/linux-arm64-gnu"
   },
   "scripts": {
-    "release": "node ../../../../scripts/publish.js"
+    "release": "node ../../../../scripts/publish.js",
+    "scan": "node ../../../../scripts/scan.js"
   },
   "os": [
     "linux"

diff --git a/packages/bindings/npm/linux-arm64-musl/package.json b/packages/bindings/npm/linux-arm64-musl/package.json
@@ -8,7 +8,8 @@
     "directory": "packages/bindings/npm/linux-arm64-musl"
   },
   "scripts": {
-    "release": "node ../../../../scripts/publish.js"
+    "release": "node ../../../../scripts/publish.js",
+    "scan": "node ../../../../scripts/scan.js"
   },
   "os": [
     "linux"

diff --git a/packages/bindings/npm/linux-x64-gnu/package.json b/packages/bindings/npm/linux-x64-gnu/package.json
@@ -8,7 +8,8 @@
     "directory": "packages/bindings/npm/linux-x64-gnu"
   },
   "scripts": {
-    "release": "node ../../../../scripts/publish.js"
+    "release": "node ../../../../scripts/publish.js",
+    "scan": "node ../../../../scripts/scan.js"
   },
   "os": [
     "linux"

diff --git a/packages/bindings/npm/linux-x64-musl/package.json b/packages/bindings/npm/linux-x64-musl/package.json
@@ -8,7 +8,8 @@
     "directory": "packages/bindings/npm/linux-x64-musl"
   },
   "scripts": {
-    "release": "node ../../../../scripts/publish.js"
+    "release": "node ../../../../scripts/publish.js",
+    "scan": "node ../../../../scripts/scan.js"
   },
   "os": [
     "linux"

diff --git a/packages/bindings/package.json b/packages/bindings/package.json
@@ -35,6 +35,7 @@
     "lint": "prettier --check . && eslint . --max-warnings=0 && clang-format src/*.hh src/*/* -n --Werror",
     "lint:fix": "eslint --fix . && prettier --write . && clang-format src/*.hh src/*/* -i --Werror",
     "release": "node ../../scripts/publish.js",
+    "scan": "node ../../scripts/scan.js",
     "test": "swtest",
     "oboe": "node oboe.js"
   },

diff --git a/packages/dependencies/package.json b/packages/dependencies/package.json
@@ -32,6 +32,7 @@
     "lint": "prettier --check . && eslint . --max-warnings=0",
     "lint:fix": "eslint --fix . && prettier --write .",
     "release": "node ../../scripts/publish.js",
+    "scan": "node ../../scripts/scan.js",
     "test": "swtest -p test/tsconfig.json -c src"
   },
   "dependencies": {

diff --git a/packages/histogram/package.json b/packages/histogram/package.json
@@ -31,7 +31,8 @@
     "build": "tsc",
     "lint": "prettier --check . && eslint . --max-warnings=0",
     "lint:fix": "eslint --fix . && prettier --write .",
-    "release": "node ../../scripts/publish.js"
+    "release": "node ../../scripts/publish.js",
+    "scan": "node ../../scripts/scan.js"
   },
   "devDependencies": {
     "@opentelemetry/api": "^1.3.0",

diff --git a/packages/instrumentations/package.json b/packages/instrumentations/package.json
@@ -31,7 +31,8 @@
     "build": "tsc && node ./dist/compatibility.js",
     "lint": "prettier --check . && eslint . --max-warnings=0",
     "lint:fix": "eslint --fix . && prettier --write .",
-    "release": "node ../../scripts/publish.js"
+    "release": "node ../../scripts/publish.js",
+    "scan": "node ../../scripts/scan.js"
   },
   "dependencies": {
     "@opentelemetry/instrumentation": "~0.54.0",

diff --git a/packages/module/package.json b/packages/module/package.json
@@ -32,7 +32,8 @@
     "build": "tsc",
     "lint": "prettier --check . && eslint . --max-warnings=0",
     "lint:fix": "eslint --fix . && prettier --write .",
-    "release": "node ../../scripts/publish.js"
+    "release": "node ../../scripts/publish.js",
+    "scan": "node ../../scripts/scan.js"
   },
   "devDependencies": {
     "@solarwinds-apm/eslint-config": "workspace:^",

diff --git a/packages/proto/package.json b/packages/proto/package.json
@@ -31,7 +31,8 @@
     "build": "node build.js",
     "lint": "prettier --check . && eslint . --max-warnings=0",
     "lint:fix": "eslint --fix . && prettier --write .",
-    "release": "node ../../scripts/publish.js"
+    "release": "node ../../scripts/publish.js",
+    "scan": "node ../../scripts/scan.js"
   },
   "dependencies": {
     "protobufjs": "^7.4.0"

diff --git a/packages/sampling/package.json b/packages/sampling/package.json
@@ -32,6 +32,7 @@
     "lint": "prettier --check . && eslint . --max-warnings=0",
     "lint:fix": "eslint --fix . && prettier --write .",
     "release": "node ../../scripts/publish.js",
+    "scan": "node ../../scripts/scan.js",
     "test": "swtest -p test/tsconfig.json -c src"
   },
   "dependencies": {

diff --git a/packages/solarwinds-apm/package.json b/packages/solarwinds-apm/package.json
@@ -52,6 +52,7 @@
     "lint": "node build.js && prettier --check . && eslint . --max-warnings=0",
     "lint:fix": "node build.js && eslint --fix . && prettier --write .",
     "release": "node ../../scripts/publish.js",
+    "scan": "node ../../scripts/scan.js",
     "test": "swtest -p test/tsconfig.json -c src"
   },
   "dependencies": {

diff --git a/scripts/lambda.js b/scripts/lambda.js
@@ -27,10 +27,10 @@ const { argv } = require("node:process")
 const archiver = require("archiver")
 const ora = require("ora")
 
-const [name, version] = argv.slice(2)
-const apiVersion = JSON.parse(
-  readFileSync("packages/solarwinds-apm/package.json"),
-).peerDependencies["@opentelemetry/api"]
+const json = JSON.parse(readFileSync("packages/solarwinds-apm/package.json"))
+
+const [name, version = json.version] = argv.slice(2)
+const apiVersion = json.peerDependencies["@opentelemetry/api"]
 
 const rm = (...args) => {
   try {

diff --git a/scripts/scan.js b/scripts/scan.js
@@ -0,0 +1,111 @@
+/*
+Copyright 2023-2024 SolarWinds Worldwide, LLC.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+const { execSync } = require("node:child_process")
+const {
+  mkdirSync,
+  readFileSync,
+  readdirSync,
+  createWriteStream,
+} = require("node:fs")
+const { userInfo } = require("node:os")
+const path = require("node:path")
+
+const archiver = require("archiver")
+const ora = require("ora")
+
+const root = path.dirname(__dirname)
+const dir = path.join(root, "scan")
+mkdirSync(dir, { recursive: true })
+
+if (process.cwd() === root) {
+  // We're running in the project root which means we can pack and submit
+  const user = userInfo()
+  const { version } = JSON.parse(
+    readFileSync("packages/solarwinds-apm/package.json", {
+      encoding: "utf-8",
+    }),
+  )
+
+  const spinner = ora("zipping packages")
+
+  const archive = archiver("zip", { zlib: { level: 9 } })
+  archive
+    .on("error", (err) => {
+      spinner.fail(err.message)
+      throw err
+    })
+    .on("warning", (warn) => {
+      spinner.fail(warn.message)
+      throw warn
+    })
+    .on("entry", (e) => {
+      spinner.text = e.name
+      spinner.render()
+    })
+
+  const out = createWriteStream(path.join(dir, "solarwinds-apm.zip"))
+  out.on("error", (err) => {
+    spinner.fail(err.message)
+    throw err
+  })
+
+  archive.pipe(out)
+  for (const file of readdirSync(dir)) {
+    if (file === "solarwinds-apm.zip") {
+      continue
+    }
+
+    // Add every package tarball
+    archive.file(path.join(dir, file), {
+      name: `solarwinds-apm/${version}/${file}`,
+    })
+  }
+  // Add the lambda layer
+  archive.file(path.join(root, "lambda", "layer.zip"), {
+    name: `solarwinds-apm/${version}/lambda.zip`,
+  })
+
+  const command = [
+    "docker run --rm",
+    `-u ${user.uid}:${user.gid}`,
+    `-v ${dir}:/packages`,
+    `-e RLPORTAL_ACCESS_TOKEN=${process.env.RLPORTAL_ACCESS_TOKEN}`,
+    "reversinglabs/rl-scanner-cloud rl-scan",
+    "--rl-portal-server solarwinds",
+    "--rl-portal-org SolarWinds",
+    "--rl-portal-group SaaS-Agents-SWO",
+    `--purl apm-js/solarwinds-apm@${version}`,
+    `--file-path /packages/solarwinds-apm.zip`,
+    "--submit-only",
+    "--replace",
+  ]
+  archive.finalize().then(() => {
+    spinner.succeed("zipped")
+    // Submit everything once it's zipped
+    execSync(command.join(" "), { stdio: "inherit" })
+  })
+} else {
+  // We're running in a package directory, download our tarball from npm
+  const { name, version } = JSON.parse(
+    readFileSync("package.json", {
+      encoding: "utf-8",
+    }),
+  )
+  execSync(`npm pack ${name}@${version} --pack-destination ${dir}`, {
+    stdio: "inherit",
+  })
+}
diff --git a/turbo.json b/turbo.json
@@ -26,6 +26,11 @@
     "release": {
       "dependsOn": ["^release"]
     },
+    "scan": {
+      "dependsOn": [],
+      "inputs": ["package.json"],
+      "outputs": ["*.tgz"]
+    },
     "start": {
       "dependsOn": ["build"]
     },