From 445c9b83e49c1e8d419811a987da0bc6bbce9376 Mon Sep 17 00:00:00 2001 From: JuanfeSanahuja Date: Tue, 16 Sep 2025 16:37:24 +0200 Subject: [PATCH 01/35] pom: Update avro to 1.11.4 #TASK-7908 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index eb71ba27..75fc8969 100644 --- a/pom.xml +++ b/pom.xml @@ -22,7 +22,7 @@ 2.14.3 3.14.0 1.7.36 - 1.7.7 + 1.11.4 4.11.5 8.8.2 1.69 From c6e01f8156c99aeb31b75ac775e5ba3922e0e74e Mon Sep 17 00:00:00 2001 From: JuanfeSanahuja Date: Wed, 17 Sep 2025 15:47:40 +0200 Subject: [PATCH 02/35] Compare vulnerabilities workflow #TASK-7908 --- .github/workflows/compare-vulnerabilities.yml | 263 +----------------- 1 file changed, 8 insertions(+), 255 deletions(-) diff --git a/.github/workflows/compare-vulnerabilities.yml b/.github/workflows/compare-vulnerabilities.yml index 0c7a98cd..e0fcd774 100644 --- a/.github/workflows/compare-vulnerabilities.yml +++ b/.github/workflows/compare-vulnerabilities.yml 
@@ -14,260 +14,13 @@ on: jobs: compare-sbom-grype: - runs-on: ubuntu-latest - env: - REPORT_DIR: reports + runs-on: ${{ vars.UBUNTU_VERSION }} steps: - - name: Prepare workspace - run: | - set -euo pipefail - mkdir -p "${REPORT_DIR}" - - - name: Checkout branch A - uses: actions/checkout@v4 - with: - ref: ${{ github.event.inputs.branch_a }} - path: branchA - fetch-depth: 0 - - - name: Checkout branch B - uses: actions/checkout@v4 - with: - ref: ${{ github.event.inputs.branch_b }} - path: branchB - fetch-depth: 0 - - - name: Install dependencies (jq, unzip) - run: | - sudo apt-get update - sudo apt-get install -y jq unzip - - - name: Install Syft - run: | - set -euo pipefail - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sudo sh -s -- -b /usr/local/bin - syft version - - - name: Install Grype - run: | - set -euo pipefail - curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b /usr/local/bin - grype version - - - name: Generate SBOM for branch A (CycloneDX JSON) - run: | - set -euo pipefail - syft dir:./branchA -o cyclonedx-json="${REPORT_DIR}/branchA-sbom.cdx.json" - - - name: Generate SBOM for branch B (CycloneDX JSON) - run: | - set -euo pipefail - syft dir:./branchB -o cyclonedx-json="${REPORT_DIR}/branchB-sbom.cdx.json" - - - name: Scan SBOM with Grype (branch A) - run: | - set -euo pipefail - grype sbom:"${REPORT_DIR}/branchA-sbom.cdx.json" -o json > "${REPORT_DIR}/branchA-grype.json" - - - name: Scan SBOM with Grype (branch B) - run: | - set -euo pipefail - grype sbom:"${REPORT_DIR}/branchB-sbom.cdx.json" -o json > "${REPORT_DIR}/branchB-grype.json" - - - name: "debug - show match counts and sample (for troubleshooting)" - id: debug - run: | - set -euo pipefail - echo "---- branchA summary ----" - if [ -f "${REPORT_DIR}/branchA-grype.json" ]; then - jq '.matches | length' "${REPORT_DIR}/branchA-grype.json" || true - jq '.matches[0:5]' "${REPORT_DIR}/branchA-grype.json" || true - else - echo 
"branchA-grype.json missing" - fi - echo "---- branchB summary ----" - if [ -f "${REPORT_DIR}/branchB-grype.json" ]; then - jq '.matches | length' "${REPORT_DIR}/branchB-grype.json" || true - jq '.matches[0:5]' "${REPORT_DIR}/branchB-grype.json" || true - else - echo "branchB-grype.json missing" - fi - - - name: Generate comparison report (table + full MD) - id: gen_report - run: | - set -euo pipefail - A_BRANCH="${{ github.event.inputs.branch_a }}" - B_BRANCH="${{ github.event.inputs.branch_b }}" - A_GRYPE="${REPORT_DIR}/branchA-grype.json" - B_GRYPE="${REPORT_DIR}/branchB-grype.json" - OUT="${REPORT_DIR}/comparison-report.md" - mkdir -p "$(dirname "$OUT")" - - # comprueba que los JSON existen - if [ ! -s "$A_GRYPE" ]; then - echo "ERROR: ${A_GRYPE} not found or empty" >&2 - exit 1 - fi - if [ ! -s "$B_GRYPE" ]; then - echo "ERROR: ${B_GRYPE} not found or empty" >&2 - exit 1 - fi - - # --- extraer entradas formateadas: ID|pkg:version|SEVERITY --- - jq -r '[ .matches[]? as $m | - ($m.vulnerability.id // "-") as $id | - ( if ($m.artifact | type) == "object" - then (($m.artifact.name // $m.artifact.id // "-") + ":" + ($m.artifact.version // "-")) - else (($m.artifact // "-") + ":" + "-") - end) as $pv | - (($id + "|" + $pv + "|" + (($m.vulnerability.severity // "") | ascii_upcase))) - ] | .[]' "$A_GRYPE" | sort -u > /tmp/a_entries.txt || true - - jq -r '[ .matches[]? 
as $m | - ($m.vulnerability.id // "-") as $id | - ( if ($m.artifact | type) == "object" - then (($m.artifact.name // $m.artifact.id // "-") + ":" + ($m.artifact.version // "-")) - else (($m.artifact // "-") + ":" + "-") - end) as $pv | - (($id + "|" + $pv + "|" + (($m.vulnerability.severity // "") | ascii_upcase))) - ] | .[]' "$B_GRYPE" | sort -u > /tmp/b_entries.txt || true - - # union de entradas (unique) - cat /tmp/a_entries.txt /tmp/b_entries.txt | sort -u > /tmp/all_entries.txt || true - - # --- crear archivo ordenado por severidad desc (rank) y luego por ID --- - awk -F'|' ' - BEGIN { - map["CRITICAL"]=5; map["HIGH"]=4; map["MEDIUM"]=3; map["LOW"]=2; map["UNKNOWN"]=1; - } - { - id=$1; pv=$2; sev=toupper($3); - rank = (sev in map ? map[sev] : 0); - # output: rank|sev|id|pv - printf("%d|%s|%s|%s\n", rank, sev, id, pv); - } - ' /tmp/all_entries.txt | sort -t'|' -k1,1nr -k3,3 | cut -d'|' -f2- > /tmp/all_sorted.txt || true - - # --- START MD FILE --- - echo "# Vulnerability comparison: ${A_BRANCH} **vs** ${B_BRANCH}" > "${OUT}" - echo "" >> "${OUT}" - - # --- TABLE requested: Severity | VulnerabilityID | package:version | branches --- - echo "| Severity | VulnerabilityID | package:version | branches |" >> "${OUT}" - echo "|---|---|---|---|" >> "${OUT}" - - if [ -s /tmp/all_sorted.txt ]; then - while IFS= read -r line; do - # line format: SEV|ID|PKG:VER - sev=$(echo "$line" | awk -F'|' '{print $1}') - id=$(echo "$line" | awk -F'|' '{print $2}') - pv=$(echo "$line" | awk -F'|' '{print $3}') - - inA=0; inB=0 - # membership checks use original a_entries/b_entries (ID|pkg|sev) - entry="${id}|${pv}|${sev}" - if grep -Fxq "$entry" /tmp/a_entries.txt 2>/dev/null; then inA=1; fi - if grep -Fxq "$entry" /tmp/b_entries.txt 2>/dev/null; then inB=1; fi - - if [ "$inA" -eq 1 ] && [ "$inB" -eq 1 ]; then - branches="**BOTH**" - elif [ "$inA" -eq 1 ]; then - branches="${A_BRANCH}" - else - branches="${B_BRANCH}" - fi - - echo "| ${sev} | ${id} | ${pv} | ${branches} |" >> "${OUT}" 
- done < /tmp/all_sorted.txt - else - echo "| - | - | - | - |" >> "${OUT}" - echo "" >> "${OUT}" - fi - - echo "" >> "${OUT}" - # --- Totals y resto del MD (se mantienen para contexto) --- - totalA=$(jq -r '[ .matches[]?.vulnerability?.id ] | unique | length' "${A_GRYPE}" 2>/dev/null || echo 0) - totalB=$(jq -r '[ .matches[]?.vulnerability?.id ] | unique | length' "${B_GRYPE}" 2>/dev/null || echo 0) - echo "- **Total unique vulnerability IDs**: ${totalA} (${A_BRANCH}) | ${totalB} (${B_BRANCH})" >> "${OUT}" - echo "" >> "${OUT}" - - # tabla de severidad (como antes) - echo "| Severity | ${A_BRANCH} | ${B_BRANCH} |" >> "${OUT}" - echo "|---:|---:|---:|" >> "${OUT}" - for sev in CRITICAL HIGH MEDIUM LOW UNKNOWN; do - ca=$(jq --arg s "$sev" '[ .matches[]?.vulnerability? | select((.severity // "") | ascii_upcase == $s) | .id ] | unique | length' "${A_GRYPE}" 2>/dev/null || echo 0) - cb=$(jq --arg s "$sev" '[ .matches[]?.vulnerability? | select((.severity // "") | ascii_upcase == $s) | .id ] | unique | length' "${B_GRYPE}" 2>/dev/null || echo 0) - echo "| $sev | $ca | $cb |" >> "${OUT}" - done - - echo "" >> "${OUT}" - echo "----" >> "${OUT}" - echo "Artifacts included:" >> "${OUT}" - echo "- ${REPORT_DIR}/branchA-sbom.cdx.json" >> "${OUT}" - echo "- ${REPORT_DIR}/branchB-sbom.cdx.json" >> "${OUT}" - echo "- ${REPORT_DIR}/branchA-grype.json" >> "${OUT}" - echo "- ${REPORT_DIR}/branchB-grype.json" >> "${OUT}" - echo "- ${REPORT_DIR}/comparison-report.md (this file)" >> "${OUT}" - - - - name: Create ZIP of reports - run: | - set -euo pipefail - cd "${REPORT_DIR}" - zip -r comparison-artifacts.zip . || true - - - name: "Publish table to GitHub Actions summary (only the table, sorted)" - if: always() - run: | - set -euo pipefail - SUMMARY="$GITHUB_STEP_SUMMARY" - A_BRANCH="${{ github.event.inputs.branch_a }}" - B_BRANCH="${{ github.event.inputs.branch_b }}" - - # Si no hay sorted file, intenta generarlo a partir de /tmp/all_entries.txt - if [ ! 
-s /tmp/all_sorted.txt ] && [ -s /tmp/all_entries.txt ]; then - awk -F'|' ' - BEGIN { map["CRITICAL"]=5; map["HIGH"]=4; map["MEDIUM"]=3; map["LOW"]=2; map["UNKNOWN"]=1; } - { - id=$1; pv=$2; sev=toupper($3); - rank = (sev in map ? map[sev] : 0); - printf("%d|%s|%s|%s\n", rank, sev, id, pv); - } - ' /tmp/all_entries.txt | sort -t'|' -k1,1nr -k3,3 | cut -d'|' -f2- > /tmp/all_sorted.txt || true - fi - - # Header table for summary - echo "| Severity | VulnerabilityID | package:version | branches |" >> "$SUMMARY" - echo "|---|---|---|---|" >> "$SUMMARY" - - if [ -s /tmp/all_sorted.txt ]; then - while IFS= read -r line; do - sev=$(echo "$line" | awk -F'|' '{print $1}') - id=$(echo "$line" | awk -F'|' '{print $2}') - pv=$(echo "$line" | awk -F'|' '{print $3}') - - inA=0; inB=0 - entry="${id}|${pv}|${sev}" - if grep -Fxq "$entry" /tmp/a_entries.txt 2>/dev/null; then inA=1; fi - if grep -Fxq "$entry" /tmp/b_entries.txt 2>/dev/null; then inB=1; fi - - if [ "$inA" -eq 1 ] && [ "$inB" -eq 1 ]; then - branches="**BOTH**" - elif [ "$inA" -eq 1 ]; then - branches="${A_BRANCH}" - else - branches="${B_BRANCH}" - fi - - echo "| ${sev} | ${id} | ${pv} | ${branches} |" >> "$SUMMARY" - done < /tmp/all_sorted.txt - else - echo "| - | - | - | - |" >> "$SUMMARY" - fi - - - name: Upload artifacts (reports) - uses: actions/upload-artifact@v4 + - name: Vulnerability Diff (Syft+Grype) + uses: sec-open/vuln-diff-action@v1 with: - name: vuln-comparison-${{ github.run_id }}-${{ github.event.inputs.branch_a }}-vs-${{ github.event.inputs.branch_b }}-$(date +%s) - path: ${{ env.REPORT_DIR }} + base_ref: main # o la que quieras comparar como base + head_ref: feature/xyz # tu rama a comparar + build_command: "mvn -q -DskipTests package" + min_severity: "LOW" # o HIGH si quieres ver solo HIGH/CRITICAL + write_summary: "true" \ No newline at end of file From 7a36b758670cdbf81546b24430ec1c20f192aa3a Mon Sep 17 00:00:00 2001 
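Review bot: `uses: sec-open/vuln-diff-action@v1` hands the whole scan pipeline to a third-party action pinned only to a floating major tag, and the same action later receives `secrets.GITHUB_TOKEN` (patch 13) and a Slack webhook URL (patch 17) while patch 21 moves it to `@release-2.x.x`, a branch name that changes on every push; pin it to a full commit SHA with the version in a trailing comment, e.g. `uses: sec-open/vuln-diff-action@<commit-sha>  # v1`, and let dependency tooling bump it. The steps this hunk removes installed Syft and Grype from `main` via `curl | sudo sh`, so the change is a net supply-chain improvement only once the action itself is pinned. `base_ref: main` and `head_ref: feature/xyz` are hard-coded placeholders that ignore the `branch_a`/`branch_b` dispatch inputs the workflow still declares, and the file now ends without a trailing newline.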
From: JuanfeSanahuja Date: Wed, 17 Sep 2025 15:50:24 +0200 Subject: [PATCH 03/35] Compare vulnerabilities workflow #TASK-7908 --- .github/workflows/compare-vulnerabilities.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/compare-vulnerabilities.yml b/.github/workflows/compare-vulnerabilities.yml index e0fcd774..30a7d3e8 100644 --- a/.github/workflows/compare-vulnerabilities.yml +++ b/.github/workflows/compare-vulnerabilities.yml @@ -19,8 +19,8 @@ jobs: - name: Vulnerability Diff (Syft+Grype) uses: sec-open/vuln-diff-action@v1 with: - base_ref: main # o la que quieras comparar como base - head_ref: feature/xyz # tu rama a comparar + base_ref: ${{ github.event.inputs.branch_a }} # o la que quieras comparar como base + head_ref: ${{ github.event.inputs.branch_b }} # tu rama a comparar build_command: "mvn -q -DskipTests package" min_severity: "LOW" # o HIGH si quieres ver solo HIGH/CRITICAL write_summary: "true" \ No newline at end of file From 44eaf4d1494676e1a1d26fd893d30afb4815de39 Mon Sep 17 00:00:00 2001 From: JuanfeSanahuja Date: Wed, 17 Sep 2025 16:02:19 +0200 Subject: [PATCH 04/35] Compare vulnerabilities workflow #TASK-7908 --- .github/workflows/compare-vulnerabilities.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/compare-vulnerabilities.yml b/.github/workflows/compare-vulnerabilities.yml index 30a7d3e8..0899cef0 100644 --- a/.github/workflows/compare-vulnerabilities.yml +++ b/.github/workflows/compare-vulnerabilities.yml @@ -16,6 +16,10 @@ jobs: compare-sbom-grype: runs-on: ${{ vars.UBUNTU_VERSION }} steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 - name: Vulnerability Diff (Syft+Grype) uses: sec-open/vuln-diff-action@v1 with: From 63b02c81138430226896a8ebda28617f80b73f16 Mon Sep 17 00:00:00 2001 
From: JuanfeSanahuja Date: Wed, 17 Sep 2025 16:58:27 +0200 Subject: [PATCH 05/35] Compare vulnerabilities workflow #TASK-7908 --- .github/workflows/compare-vulnerabilities.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/compare-vulnerabilities.yml b/.github/workflows/compare-vulnerabilities.yml index 0899cef0..3b338b8a 100644 --- a/.github/workflows/compare-vulnerabilities.yml +++ b/.github/workflows/compare-vulnerabilities.yml @@ -20,11 +20,13 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + ref: TASK-7908 + fetch-tags: true - name: Vulnerability Diff (Syft+Grype) uses: sec-open/vuln-diff-action@v1 with: - base_ref: ${{ github.event.inputs.branch_a }} # o la que quieras comparar como base - head_ref: ${{ github.event.inputs.branch_b }} # tu rama a comparar + base_ref: ${{ github.event.inputs.branch_a }} + head_ref: ${{ github.event.inputs.branch_b }} build_command: "mvn -q -DskipTests package" - min_severity: "LOW" # o HIGH si quieres ver solo HIGH/CRITICAL + min_severity: "LOW" write_summary: "true" \ No newline at end of file From 784c54278e555b4f078acf377c1176e4104d9ad7 Mon Sep 17 00:00:00 2001 From: JuanfeSanahuja Date: Wed, 17 Sep 2025 17:00:21 +0200 Subject: [PATCH 06/35] Compare vulnerabilities workflow #TASK-7908 --- .github/workflows/compare-vulnerabilities.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/compare-vulnerabilities.yml b/.github/workflows/compare-vulnerabilities.yml index 3b338b8a..d67342b9 100644 --- a/.github/workflows/compare-vulnerabilities.yml +++ b/.github/workflows/compare-vulnerabilities.yml 
@@ -20,7 +20,13 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 - ref: TASK-7908 + ref: ${{ github.event.inputs.branch_a }} + fetch-tags: true + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + ref: ${{ github.event.inputs.branch_b }} fetch-tags: true - name: Vulnerability Diff (Syft+Grype) uses: sec-open/vuln-diff-action@v1 From bb460d96088c6eac942d4fe98c24ce1300e5f8ff Mon Sep 17 00:00:00 2001 From: JuanfeSanahuja Date: Wed, 17 Sep 2025 17:05:40 +0200 Subject: [PATCH 07/35] Compare vulnerabilities workflow #TASK-7908 --- .github/workflows/compare-vulnerabilities.yml | 32 +++++++++++-------- 1 file changed, 18 insertions(+), 14 deletions(-) diff --git a/.github/workflows/compare-vulnerabilities.yml b/.github/workflows/compare-vulnerabilities.yml index d67342b9..86000227 100644 --- a/.github/workflows/compare-vulnerabilities.yml +++ b/.github/workflows/compare-vulnerabilities.yml 
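Review bot: The second `actions/checkout@v4` step has no `path:`, so it checks out `branch_b` into the same workspace directory as the first step and replaces the `branch_a` checkout that precedes it; whatever the diff action does next, only one branch's files are present in the tree. If both trees are required, give each step a distinct `path:`; if the action only needs the refs, the first checkout with `fetch-depth: 0` already fetches every branch and the second step can go. Both steps are also named `Checkout`, which makes the run log ambiguous when one of them fails.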
@@ -4,35 +4,39 @@ on: workflow_dispatch: inputs: branch_a: - description: 'First branch to compare (e.g. main)' + description: 'Base branch (e.g. develop)' required: true default: 'develop' branch_b: - description: 'Second branch to compare (e.g. feature/fix-branch)' + description: 'Head branch (e.g. TASK-1234)' required: true - default: '' jobs: compare-sbom-grype: runs-on: ${{ vars.UBUNTU_VERSION }} + steps: - - name: Checkout - uses: actions/checkout@v4 - with: - fetch-depth: 0 - ref: ${{ github.event.inputs.branch_a }} - fetch-tags: true - - name: Checkout + # 1) Checkout only the HEAD branch + - name: Checkout head branch uses: actions/checkout@v4 with: - fetch-depth: 0 ref: ${{ github.event.inputs.branch_b }} + fetch-depth: 0 fetch-tags: true + + # 2) Explicitly fetch the BASE branch so it exists locally + - name: Fetch base branch + run: | + git fetch origin ${{ github.event.inputs.branch_a }}:refs/remotes/origin/${{ github.event.inputs.branch_a }} + + # 3) Run the vulnerability diff action - name: Vulnerability Diff (Syft+Grype) uses: sec-open/vuln-diff-action@v1 with: - base_ref: ${{ github.event.inputs.branch_a }} - head_ref: ${{ github.event.inputs.branch_b }} + # Use refs that are guaranteed to exist locally + base_ref: refs/remotes/origin/${{ github.event.inputs.branch_a }} + head_ref: ${{ github.sha }} # safer than branch name to avoid worktree conflicts build_command: "mvn -q -DskipTests package" min_severity: "LOW" - write_summary: "true" \ No newline at end of file + write_summary: "true" + path: "." From 4fb86ca3a075f02d2f8908b53ff46a1a51c7d4da Mon Sep 17 00:00:00 2001 From: JuanfeSanahuja Date: Wed, 17 Sep 2025 17:43:34 +0200 Subject: [PATCH 08/35] Added clean to build command #TASK-7908 --- .github/workflows/compare-vulnerabilities.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/compare-vulnerabilities.yml b/.github/workflows/compare-vulnerabilities.yml index 86000227..95bf6b9c 100644 
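Review bot: `head_ref: ${{ github.sha }}` is the commit the workflow was dispatched from, not the tip of `branch_b`, so unless the run is started from `branch_b` itself the compared head silently differs from the branch named in the input; `head_ref: refs/remotes/origin/${{ github.event.inputs.branch_b }}`, which `fetch-depth: 0` makes available, would match the convention used for `base_ref` on the line above. The `Fetch base branch` step interpolates `github.event.inputs.branch_a` straight into a `run:` shell line; dispatch inputs can normally only be supplied by collaborators with write access, but the safer shape is to pass the value through `env:` and quote it: `env:` / `  BASE: ${{ github.event.inputs.branch_a }}` / `run: git fetch origin "refs/heads/${BASE}:refs/remotes/origin/${BASE}"`. The same direct interpolation reappears in patch 09 (hunk `@@ -24,19 +24,19 @@`) and in the new PR workflow in patch 13 (`git fetch origin ${{ github.event.pull_request.base.ref }}…`).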
--- a/.github/workflows/compare-vulnerabilities.yml +++ b/.github/workflows/compare-vulnerabilities.yml @@ -36,7 +36,7 @@ jobs: # Use refs that are guaranteed to exist locally base_ref: refs/remotes/origin/${{ github.event.inputs.branch_a }} head_ref: ${{ github.sha }} # safer than branch name to avoid worktree conflicts - build_command: "mvn -q -DskipTests package" + build_command: "mvn -q -DskipTests clean package" min_severity: "LOW" write_summary: "true" path: "." From 17e2e68a583a2a047797a8a90f82d034ecbb1826 Mon Sep 17 00:00:00 2001 From: JuanfeSanahuja Date: Wed, 17 Sep 2025 17:56:02 +0200 Subject: [PATCH 09/35] Added clean to build command #TASK-7908 --- .github/workflows/compare-vulnerabilities.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/compare-vulnerabilities.yml b/.github/workflows/compare-vulnerabilities.yml index 95bf6b9c..e1ee211b 100644 --- a/.github/workflows/compare-vulnerabilities.yml +++ b/.github/workflows/compare-vulnerabilities.yml @@ -1,5 +1,5 @@ name: Compare vulnerabilities (Syft SBOM -> Grype) between two branches (robust) - +run-name: 'Compare vulnerabilities between (Base) ${{ inputs.branch_a }} and (Base) ${{ inputs.branch_b }} by @${{ github.actor }}' on: workflow_dispatch: inputs: @@ -16,7 +16,7 @@ jobs: runs-on: ${{ vars.UBUNTU_VERSION }} steps: - # 1) Checkout only the HEAD branch + # 1) Checkout head branch only - name: Checkout head branch uses: actions/checkout@v4 with: 
@@ -24,19 +24,19 @@ jobs: fetch-depth: 0 fetch-tags: true - # 2) Explicitly fetch the BASE branch so it exists locally + # 2) Ensure base branch exists locally (fetch) - name: Fetch base branch run: | git fetch origin ${{ github.event.inputs.branch_a }}:refs/remotes/origin/${{ github.event.inputs.branch_a }} - # 3) Run the vulnerability diff action + # 3) Run the action - name: Vulnerability Diff (Syft+Grype) uses: sec-open/vuln-diff-action@v1 with: - # Use refs that are guaranteed to exist locally - base_ref: refs/remotes/origin/${{ github.event.inputs.branch_a }} - head_ref: ${{ github.sha }} # safer than branch name to avoid worktree conflicts + base_ref: ${{ github.event.inputs.branch_a }} # pass 'develop' + head_ref: ${{ github.event.inputs.branch_b }} # pass 'TASK-7908' build_command: "mvn -q -DskipTests clean package" min_severity: "LOW" write_summary: "true" path: "." + From d143998f1e3b1cdd610ce662f8570b4670dc66ec Mon Sep 17 00:00:00 2001 From: JuanfeSanahuja Date: Wed, 17 Sep 2025 18:10:01 +0200 Subject: [PATCH 10/35] Added zookeper version 3.9.3 #TASK-7908 --- pom.xml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/pom.xml b/pom.xml index 75fc8969..bd54c195 100644 --- a/pom.xml +++ b/pom.xml @@ -22,6 +22,7 @@ 2.14.3 3.14.0 1.7.36 + 3.9.3 1.11.4 4.11.5 8.8.2 @@ -141,6 +142,11 @@ test true + + org.apache.zookeeper + zookeeper + ${zookeeper.version} + org.apache.avro avro From e6d0193350c15e850d138e97cb4d3fe55f03b1e8 Mon Sep 17 00:00:00 2001 From: JuanfeSanahuja Date: Thu, 18 Sep 2025 13:41:49 +0200 Subject: [PATCH 11/35] Added report pdf --- .github/workflows/compare-vulnerabilities.yml | 7 ++++--- pom.xml | 8 +------- 2 files changed, 5 insertions(+), 10 deletions(-) diff --git a/.github/workflows/compare-vulnerabilities.yml b/.github/workflows/compare-vulnerabilities.yml index e1ee211b..2be1e895 100644 --- a/.github/workflows/compare-vulnerabilities.yml +++ b/.github/workflows/compare-vulnerabilities.yml 
@@ -35,8 +35,9 @@ jobs: with: base_ref: ${{ github.event.inputs.branch_a }} # pass 'develop' head_ref: ${{ github.event.inputs.branch_b }} # pass 'TASK-7908' - build_command: "mvn -q -DskipTests clean package" - min_severity: "LOW" + build_command: "" write_summary: "true" - path: "." + upload_artifact: "true" + report_pdf: "true" + min_severity: "LOW" diff --git a/pom.xml b/pom.xml index bd54c195..f51f43e0 100644 --- a/pom.xml +++ b/pom.xml @@ -22,10 +22,9 @@ 2.14.3 3.14.0 1.7.36 - 3.9.3 1.11.4 4.11.5 - 8.8.2 + 8.11.4 1.69 1.10.12 2.4.0 @@ -142,11 +141,6 @@ test true - - org.apache.zookeeper - zookeeper - ${zookeeper.version} - org.apache.avro avro From 958908dd0120c1e96361cb4f0164e62021fce836 Mon Sep 17 00:00:00 2001 From: JuanfeSanahuja Date: Thu, 18 Sep 2025 14:06:12 +0200 Subject: [PATCH 12/35] Restore solr version to 8.8.2 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index f51f43e0..75fc8969 100644 --- a/pom.xml +++ b/pom.xml @@ -24,7 +24,7 @@ 1.7.36 1.11.4 4.11.5 - 8.11.4 + 8.8.2 1.69 1.10.12 2.4.0 From 809a737666e2b066f82b2307ce75c516ef47213c Mon Sep 17 00:00:00 2001 From: JuanfeSanahuja Date: Fri, 19 Sep 2025 01:35:35 +0200 Subject: [PATCH 13/35] Added compare-vulnerabilities in PR #TASK-7908 --- .../workflows/compare-vulnerabilities-PR.yml | 41 +++++++++++++++++++ .github/workflows/compare-vulnerabilities.yml | 2 +- 2 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/compare-vulnerabilities-PR.yml diff --git a/.github/workflows/compare-vulnerabilities-PR.yml b/.github/workflows/compare-vulnerabilities-PR.yml new file mode 100644 index 00000000..08c5bc25 --- /dev/null +++ b/.github/workflows/compare-vulnerabilities-PR.yml 
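Review bot: `build_command: ""` drops the Maven build that the replaced line ran before the scan; if the action treats an empty command as "skip the build", Syft sees only the source tree and any resolution of transitive Maven dependencies that previously came from the built output no longer happens — the line should say what an empty value means, e.g. `build_command: ""  # empty = no build; deps come from pom only — TODO confirm against action README`. This commit, titled "Added report pdf", also bumps `solr` to 8.11.4 and removes the zookeeper dependency added in patch 10; unrelated pom.xml changes belong in their own commit, and the solr value then flips between 8.8.2 and 8.11.4 in patches 12, 14–20, 25 and 27, which makes the dependency history hard to audit.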
@@ -0,0 +1,41 @@ +name: PR – Vulnerability guard +run-name: 'Compare vulnerabilities between (Base) ${{ github.event.pull_request.base.ref }} and (Head) ${{ github.event.pull_request.head.ref }} (${{ github.event.pull_request.head.sha }}) by @${{ github.actor }}' +on: + pull_request: + types: [ opened, synchronize, reopened ] + +permissions: + contents: read + pull-requests: write # needed to create/update PR comments + +jobs: + compare-branches: + runs-on: ${{ vars.UBUNTU_VERSION }} + + steps: + # 1) Checkout head branch only + - name: Checkout PR head + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + fetch-depth: 0 + fetch-tags: true + + - name: Ensure base is available + run: | + git fetch origin ${{ github.event.pull_request.base.ref }}:refs/remotes/origin/${{ github.event.pull_request.base.ref }} --tags --prune + + # 3) Run the action + - name: Vulnerability Diff (Syft+Grype) + uses: sec-open/vuln-diff-action@v1 + with: + base_ref: ${{ github.event.pull_request.base.ref }} + head_ref: ${{ github.event.pull_request.head.sha }} + build_command: "" + write_summary: "true" + upload_artifact: "true" + report_pdf: "true" + min_severity: "LOW" + pr_comment: "true" # << habilita comentario en PR + pr_comment_marker: "" + github_token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/compare-vulnerabilities.yml b/.github/workflows/compare-vulnerabilities.yml index 2be1e895..b9373c12 100644 --- a/.github/workflows/compare-vulnerabilities.yml +++ b/.github/workflows/compare-vulnerabilities.yml @@ -12,7 +12,7 @@ on: required: true jobs: - compare-sbom-grype: + compare-branches: runs-on: ${{ vars.UBUNTU_VERSION }} steps: From 23cfb51bdf01988a7544a626fd2ebe4f85ede12d Mon Sep 17 00:00:00 2001 From: JuanfeSanahuja Date: Fri, 19 Sep 2025 01:41:19 +0200 Subject: [PATCH 14/35] Change solr.version to 8.11.4 #TASK-7908 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
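Review bot: The new workflow runs on `pull_request` with `pull-requests: write` and passes `secrets.GITHUB_TOKEN` to the third-party action, but for pull requests opened from forks GitHub provides a read-only token and no secrets on this event, so `pr_comment: "true"` cannot post on that path; the behaviour for fork PRs should be confirmed and recorded, e.g. `# fork PRs: read-only token and no secrets — PR comment is skipped there` above the `permissions:` block. `pr_comment_marker: ""` passes an empty marker; if the action uses the marker to find and update its previous comment, an empty value presumably creates a fresh comment on every `synchronize` event — confirm against the action's documentation. The step comments jump from `# 1)` to `# 3)` with no `# 2)`, and the inline comment `# << habilita comentario en PR` is Spanish while the rest of the file is English.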
diff --git a/pom.xml b/pom.xml index 75fc8969..f51f43e0 100644 --- a/pom.xml +++ b/pom.xml @@ -24,7 +24,7 @@ 1.7.36 1.11.4 4.11.5 - 8.8.2 + 8.11.4 1.69 1.10.12 2.4.0 From 091ea3f97690ab5d0a6ca3e3d473e75c8575337a Mon Sep 17 00:00:00 2001 From: JuanfeSanahuja Date: Fri, 19 Sep 2025 10:04:13 +0200 Subject: [PATCH 15/35] Restore solr version to 8.8.2 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index f51f43e0..75fc8969 100644 --- a/pom.xml +++ b/pom.xml @@ -24,7 +24,7 @@ 1.7.36 1.11.4 4.11.5 - 8.11.4 + 8.8.2 1.69 1.10.12 2.4.0 From c5565cf65c004d089ced98d1fc006577a8d2d86f Mon Sep 17 00:00:00 2001 From: JuanfeSanahuja Date: Fri, 19 Sep 2025 10:17:56 +0200 Subject: [PATCH 16/35] Change solr.version to 8.11.4 #TASK-7908 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 75fc8969..f51f43e0 100644 --- a/pom.xml +++ b/pom.xml @@ -24,7 +24,7 @@ 1.7.36 1.11.4 4.11.5 - 8.8.2 + 8.11.4 1.69 1.10.12 2.4.0 From a745de9a1a6475895968cfe845836d155e1f465a Mon Sep 17 00:00:00 2001 From: JuanfeSanahuja Date: Fri, 19 Sep 2025 11:59:54 +0200 Subject: [PATCH 17/35] Restore solr version to 8.8.2 and add webhook to slack --- .github/workflows/compare-vulnerabilities-PR.yml | 1 + pom.xml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/compare-vulnerabilities-PR.yml b/.github/workflows/compare-vulnerabilities-PR.yml index 08c5bc25..a1c79c13 100644 --- a/.github/workflows/compare-vulnerabilities-PR.yml +++ b/.github/workflows/compare-vulnerabilities-PR.yml @@ -39,3 +39,4 @@ jobs: pr_comment: "true" # << habilita comentario en PR pr_comment_marker: "" github_token: ${{ secrets.GITHUB_TOKEN }} + slack_webhook_url: ${{ secrets.SLACK_SECURITY_WEBHOOK_URL }} \ No newline at end of file diff --git a/pom.xml b/pom.xml index f51f43e0..75fc8969 100644 --- a/pom.xml +++ b/pom.xml @@ -24,7 +24,7 @@ 1.7.36 1.11.4 4.11.5 - 8.11.4 + 8.8.2 1.69 1.10.12 2.4.0 
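Review bot: `slack_webhook_url: ${{ secrets.SLACK_SECURITY_WEBHOOK_URL }}` is passed to the action in a workflow whose trigger is `pull_request`, where the secret is absent for fork-originated PRs and the input therefore arrives as an empty string; whether the action treats an empty URL as "no notification" or fails the step should be confirmed and noted on the line, e.g. `# empty on fork PRs (no secrets) — action skips Slack — TODO confirm`. A Slack webhook URL is a bearer credential, so the value should only ever be supplied via `secrets` as done here, never echoed in step output. The file again ends without a trailing newline.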
From 82e1b90d2cc8b55f5a5cbac96b2758b416f49def Mon Sep 17 00:00:00 2001 From: JuanfeSanahuja Date: Fri, 19 Sep 2025 12:00:48 +0200 Subject: [PATCH 18/35] Change solr.version to 8.11.4 #TASK-7908 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 75fc8969..f51f43e0 100644 --- a/pom.xml +++ b/pom.xml @@ -24,7 +24,7 @@ 1.7.36 1.11.4 4.11.5 - 8.8.2 + 8.11.4 1.69 1.10.12 2.4.0 From 3fee46027037315c12dda0726e54f44f3ed2b1d1 Mon Sep 17 00:00:00 2001 From: JuanfeSanahuja Date: Fri, 19 Sep 2025 12:24:24 +0200 Subject: [PATCH 19/35] Restore solr version to 8.8.2 and add webhook to slack --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index f51f43e0..75fc8969 100644 --- a/pom.xml +++ b/pom.xml @@ -24,7 +24,7 @@ 1.7.36 1.11.4 4.11.5 - 8.11.4 + 8.8.2 1.69 1.10.12 2.4.0 From 723e3fd2ae46fa1cd326ed3dc26f2de756d459ff Mon Sep 17 00:00:00 2001 From: JuanfeSanahuja Date: Fri, 19 Sep 2025 12:25:43 +0200 Subject: [PATCH 20/35] Change solr.version to 8.11.4 #TASK-7908 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 75fc8969..f51f43e0 100644 --- a/pom.xml +++ b/pom.xml @@ -24,7 +24,7 @@ 1.7.36 1.11.4 4.11.5 - 8.8.2 + 8.11.4 1.69 1.10.12 2.4.0 From 47ef88890e336ca25d6dd0798de6b0a181d9921c Mon Sep 17 00:00:00 2001 From: JuanfeSanahuja Date: Tue, 23 Sep 2025 12:56:36 +0200 Subject: [PATCH 21/35] Test release v2 alpha vuln-diff --- .github/workflows/compare-vulnerabilities-PR.yml | 11 +++++++---- .github/workflows/compare-vulnerabilities.yml | 5 ++++- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/.github/workflows/compare-vulnerabilities-PR.yml b/.github/workflows/compare-vulnerabilities-PR.yml index a1c79c13..341428bf 100644 --- a/.github/workflows/compare-vulnerabilities-PR.yml +++ b/.github/workflows/compare-vulnerabilities-PR.yml 
@@ -27,16 +27,19 @@ jobs: # 3) Run the action - name: Vulnerability Diff (Syft+Grype) - uses: sec-open/vuln-diff-action@v1 + uses: sec-open/vuln-diff-action@release-2.x.x with: base_ref: ${{ github.event.pull_request.base.ref }} head_ref: ${{ github.event.pull_request.head.sha }} build_command: "" write_summary: "true" upload_artifact: "true" - report_pdf: "true" min_severity: "LOW" - pr_comment: "true" # << habilita comentario en PR + report_html: "true" + report_pdf: "true" + pr_comment: "true" + artifact_name: "vulnerability-diff-${{ github.event.inputs.branch_a }}-vs-${{ github.event.inputs.branch_b }}" pr_comment_marker: "" github_token: ${{ secrets.GITHUB_TOKEN }} - slack_webhook_url: ${{ secrets.SLACK_SECURITY_WEBHOOK_URL }} \ No newline at end of file + slack_webhook_url: ${{ secrets.SLACK_SECURITY_WEBHOOK_URL }} + title_logo_url: "https://zettagenomics.com/wp-content/uploads/2022/10/Zetta-reversed-out-full-logo-dark-background.png" \ No newline at end of file diff --git a/.github/workflows/compare-vulnerabilities.yml b/.github/workflows/compare-vulnerabilities.yml index b9373c12..686680f9 100644 --- a/.github/workflows/compare-vulnerabilities.yml +++ b/.github/workflows/compare-vulnerabilities.yml @@ -31,13 +31,16 @@ jobs: # 3) Run the action - name: Vulnerability Diff (Syft+Grype) - uses: sec-open/vuln-diff-action@v1 + uses: sec-open/vuln-diff-action@release-2.x.x with: base_ref: ${{ github.event.inputs.branch_a }} # pass 'develop' head_ref: ${{ github.event.inputs.branch_b }} # pass 'TASK-7908' build_command: "" write_summary: "true" upload_artifact: "true" + artifact_name: "vulnerability-diff-${{ github.event.inputs.branch_a }}-vs-${{ github.event.inputs.branch_b }}" + report_html: "true" report_pdf: "true" min_severity: "LOW" + title_logo_url: "https://zettagenomics.com/wp-content/uploads/2022/10/Zetta-reversed-out-full-logo-dark-background.png" From 59e18129b30e76c4ee9120eea710c5e0169fe39b Mon Sep 17 00:00:00 2001 
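Review bot: `artifact_name: "vulnerability-diff-${{ github.event.inputs.branch_a }}-vs-${{ github.event.inputs.branch_b }}"` is added to the PR workflow, whose only trigger is `pull_request`; `github.event.inputs` does not exist on that event, so both expressions expand to empty strings and every run uploads an artifact named `vulnerability-diff--vs-`. Use the PR payload instead: `artifact_name: "vulnerability-diff-${{ github.event.pull_request.base.ref }}-vs-${{ github.event.pull_request.head.ref }}"` (the second hunk, in the dispatch workflow, is fine because the inputs exist there). Branch names containing `/`, such as the `feature/xyz` example used earlier in this series, may be rejected as artifact names — worth confirming with the upload action's naming rules.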
From: JuanfeSanahuja Date: Tue, 23 Sep 2025 12:59:00 +0200 Subject: [PATCH 22/35] Test release v2 alpha vuln-diff --- .github/workflows/compare-vulnerabilities-PR.yml | 2 +- .github/workflows/compare-vulnerabilities.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/compare-vulnerabilities-PR.yml b/.github/workflows/compare-vulnerabilities-PR.yml index 341428bf..6cafc175 100644 --- a/.github/workflows/compare-vulnerabilities-PR.yml +++ b/.github/workflows/compare-vulnerabilities-PR.yml @@ -27,7 +27,7 @@ jobs: # 3) Run the action - name: Vulnerability Diff (Syft+Grype) - uses: sec-open/vuln-diff-action@release-2.x.x + uses: sec-open/vuln-diff-action@v2.0.0-alpha.1 with: base_ref: ${{ github.event.pull_request.base.ref }} head_ref: ${{ github.event.pull_request.head.sha }} diff --git a/.github/workflows/compare-vulnerabilities.yml b/.github/workflows/compare-vulnerabilities.yml index 686680f9..e152d14e 100644 --- a/.github/workflows/compare-vulnerabilities.yml +++ b/.github/workflows/compare-vulnerabilities.yml @@ -31,7 +31,7 @@ jobs: # 3) Run the action - name: Vulnerability Diff (Syft+Grype) - uses: sec-open/vuln-diff-action@release-2.x.x + uses: sec-open/vuln-diff-action@v2.0.0-alpha.1 with: base_ref: ${{ github.event.inputs.branch_a }} # pass 'develop' head_ref: ${{ github.event.inputs.branch_b }} # pass 'TASK-7908' From e444e433cf3a2b75a231b2b608d7a1c799f4ce67 Mon Sep 17 00:00:00 2001 From: JuanfeSanahuja Date: Thu, 25 Sep 2025 16:07:17 +0200 Subject: [PATCH 23/35] Test release v2 alpha vuln-diff --- .github/workflows/compare-vulnerabilities.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/compare-vulnerabilities.yml b/.github/workflows/compare-vulnerabilities.yml index e152d14e..27cc41a5 100644 --- a/.github/workflows/compare-vulnerabilities.yml +++ b/.github/workflows/compare-vulnerabilities.yml 
@@ -1,5 +1,5 @@ name: Compare vulnerabilities (Syft SBOM -> Grype) between two branches (robust) -run-name: 'Compare vulnerabilities between (Base) ${{ inputs.branch_a }} and (Base) ${{ inputs.branch_b }} by @${{ github.actor }}' +run-name: 'Compare vulnerabilities between (Base) ${{ inputs.branch_a }} and (head) ${{ inputs.branch_b }} by @${{ github.actor }}' on: workflow_dispatch: inputs: From 793b1923be9db3aaa0b415fb72c413d83429faf0 Mon Sep 17 00:00:00 2001 From: JuanfeSanahuja Date: Thu, 25 Sep 2025 17:30:56 +0200 Subject: [PATCH 24/35] Test release v2 alpha vuln-diff --- .github/workflows/compare-vulnerabilities.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/compare-vulnerabilities.yml b/.github/workflows/compare-vulnerabilities.yml index 27cc41a5..61b1863e 100644 --- a/.github/workflows/compare-vulnerabilities.yml +++ b/.github/workflows/compare-vulnerabilities.yml @@ -1,5 +1,5 @@ name: Compare vulnerabilities (Syft SBOM -> Grype) between two branches (robust) -run-name: 'Compare vulnerabilities between (Base) ${{ inputs.branch_a }} and (head) ${{ inputs.branch_b }} by @${{ github.actor }}' +run-name: 'Compare vulnerabilities between ${{ inputs.branch_a }} (base) and ${{ inputs.branch_b }} (head) by @${{ github.actor }}' on: workflow_dispatch: inputs: From 3faf0d5639a39ad1fffd87b0e3dddd679ba99485 Mon Sep 17 00:00:00 2001 From: JuanfeSanahuja Date: Wed, 1 Oct 2025 12:54:38 +0200 Subject: [PATCH 25/35] change solr to 8.8.2 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index f51f43e0..75fc8969 100644 --- a/pom.xml +++ b/pom.xml @@ -24,7 +24,7 @@ 1.7.36 1.11.4 4.11.5 - 8.11.4 + 8.8.2 1.69 1.10.12 2.4.0 From 40386f903d3be86de443fbd8414307b1ccc5f522 Mon Sep 17 00:00:00 2001 
From: JuanfeSanahuja Date: Fri, 3 Oct 2025 11:48:22 +0200 Subject: [PATCH 26/35] Add jdk in vuln diff --- .github/workflows/compare-vulnerabilities-PR.yml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/.github/workflows/compare-vulnerabilities-PR.yml b/.github/workflows/compare-vulnerabilities-PR.yml index 6cafc175..821cf195 100644 --- a/.github/workflows/compare-vulnerabilities-PR.yml +++ b/.github/workflows/compare-vulnerabilities-PR.yml @@ -21,9 +21,17 @@ jobs: fetch-depth: 0 fetch-tags: true - - name: Ensure base is available - run: | - git fetch origin ${{ github.event.pull_request.base.ref }}:refs/remotes/origin/${{ github.event.pull_request.base.ref }} --tags --prune + - name: Set up JDK 8 + uses: actions/setup-java@v4 + with: + distribution: 'temurin' + java-version: '8' + cache: 'maven' + + # + # - name: Ensure base is available + # run: | + # git fetch origin ${{ github.event.pull_request.base.ref }}:refs/remotes/origin/${{ github.event.pull_request.base.ref }} --tags --prune # 3) Run the action - name: Vulnerability Diff (Syft+Grype) @@ -31,7 +39,6 @@ jobs: with: base_ref: ${{ github.event.pull_request.base.ref }} head_ref: ${{ github.event.pull_request.head.sha }} - build_command: "" write_summary: "true" upload_artifact: "true" min_severity: "LOW" From a84aeb5532741b3bf268f5a6e64171b8b1a54afd Mon Sep 17 00:00:00 2001 From: JuanfeSanahuja Date: Fri, 3 Oct 2025 11:56:26 +0200 Subject: [PATCH 27/35] Change solr version to 8.11.4 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 75fc8969..f51f43e0 100644 --- a/pom.xml +++ b/pom.xml @@ -24,7 +24,7 @@ 1.7.36 1.11.4 4.11.5 - 8.8.2 + 8.11.4 1.69 1.10.12 2.4.0 From 769493dace02ab8597b468fab6f2a9910bf09211 Mon Sep 17 00:00:00 2001 From: JuanfeSanahuja Date: Fri, 3 Oct 2025 12:41:29 +0200 Subject: [PATCH 28/35] Change comment --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
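Review bot: The `Ensure base is available` step is kept as a commented-out block instead of being deleted, and the surviving `# 3) Run the action` label now has no `# 2)` before it; drop the dead block (git history keeps it) and replace it with one line explaining why it is unnecessary, e.g. `# fetch-depth: 0 on checkout already fetches every remote branch, so no separate base fetch is needed`. Adding `setup-java` with `cache: 'maven'`, together with the removal of `build_command: ""` in the following hunk, presumably means the action will now run a Maven build of the PR head; executing an untrusted `pom.xml` (Maven plugins run arbitrary code) is acceptable under `pull_request`, where fork PRs receive no secrets, but would expose `GITHUB_TOKEN` and the Slack webhook if the trigger is `pull_request_target` — the `on:` block is outside the hunk, so please confirm. A comment on the JDK step such as `# trigger must stay pull_request (not pull_request_target): the build runs code from the PR branch` would make that invariant explicit for future edits.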
diff --git a/pom.xml b/pom.xml index f51f43e0..7e637b61 100644 --- a/pom.xml +++ b/pom.xml @@ -18,7 +18,7 @@ commons-datastore - + 2.14.3 3.14.0 1.7.36 From bae627c114ea14c52e5cd19c0604acec0314a14a Mon Sep 17 00:00:00 2001 From: JuanfeSanahuja Date: Mon, 6 Oct 2025 17:28:18 +0200 Subject: [PATCH 29/35] Vulnerability Diff fase 1 --- .github/workflows/compare-vulnerabilities.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/compare-vulnerabilities.yml b/.github/workflows/compare-vulnerabilities.yml index 61b1863e..744bc2cb 100644 --- a/.github/workflows/compare-vulnerabilities.yml +++ b/.github/workflows/compare-vulnerabilities.yml @@ -35,12 +35,12 @@ jobs: with: base_ref: ${{ github.event.inputs.branch_a }} # pass 'develop' head_ref: ${{ github.event.inputs.branch_b }} # pass 'TASK-7908' - build_command: "" - write_summary: "true" - upload_artifact: "true" - artifact_name: "vulnerability-diff-${{ github.event.inputs.branch_a }}-vs-${{ github.event.inputs.branch_b }}" - report_html: "true" - report_pdf: "true" - min_severity: "LOW" - title_logo_url: "https://zettagenomics.com/wp-content/uploads/2022/10/Zetta-reversed-out-full-logo-dark-background.png" +# build_command: "" +# write_summary: "true" +# upload_artifact: "true" +# artifact_name: "vulnerability-diff-${{ github.event.inputs.branch_a }}-vs-${{ github.event.inputs.branch_b }}" +# report_html: "true" +# report_pdf: "true" +# min_severity: "LOW" +# title_logo_url: "https://zettagenomics.com/wp-content/uploads/2022/10/Zetta-reversed-out-full-logo-dark-background.png" From a32aeffbbd576028e9fbf445cec2a7d4a330ea9c Mon Sep 17 00:00:00 2001 From: JuanfeSanahuja Date: Tue, 7 Oct 2025 14:18:35 +0200 Subject: [PATCH 30/35] Refactor PR and vuln-diff --- .../workflows/compare-vulnerabilities-PR.yml | 20 ++++++++++--------- .github/workflows/compare-vulnerabilities.yml | 11 +++++----- 2 files changed, 17 insertions(+), 14 deletions(-) 
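Review bot: In the `compare-vulnerabilities.yml` hunk, commenting out `min_severity: "LOW"`, `upload_artifact`, `report_html`/`report_pdf` and `write_summary` silently hands control to the action's defaults, and nothing in the file now records which severity threshold the comparison gates on or whether a report is still uploaded. Delete the dead lines from the `with:` block and replace them with a short comment stating the defaults being relied on, e.g. `# relies on the action defaults for summary, report and min_severity — verify against the v2 README` once they are confirmed. The commented `artifact_name` line still carries a `${{ }}` expression; it is inert inside a YAML comment, but it will be copied back verbatim when someone uncomments it, so fix or drop it now.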
diff --git a/.github/workflows/compare-vulnerabilities-PR.yml b/.github/workflows/compare-vulnerabilities-PR.yml index 821cf195..cf0fd5a4 100644 --- a/.github/workflows/compare-vulnerabilities-PR.yml +++ b/.github/workflows/compare-vulnerabilities-PR.yml @@ -39,14 +39,16 @@ jobs: with: base_ref: ${{ github.event.pull_request.base.ref }} head_ref: ${{ github.event.pull_request.head.sha }} - write_summary: "true" - upload_artifact: "true" - min_severity: "LOW" - report_html: "true" - report_pdf: "true" - pr_comment: "true" - artifact_name: "vulnerability-diff-${{ github.event.inputs.branch_a }}-vs-${{ github.event.inputs.branch_b }}" - pr_comment_marker: "" github_token: ${{ secrets.GITHUB_TOKEN }} slack_webhook_url: ${{ secrets.SLACK_SECURITY_WEBHOOK_URL }} - title_logo_url: "https://zettagenomics.com/wp-content/uploads/2022/10/Zetta-reversed-out-full-logo-dark-background.png" \ No newline at end of file + +# write_summary: "true" +# upload_artifact: "true" +# min_severity: "LOW" +# report_html: "true" +# report_pdf: "true" +# pr_comment: "true" +# artifact_name: "vulnerability-diff-${{ github.event.inputs.branch_a }}-vs-${{ github.event.inputs.branch_b }}" +# pr_comment_marker: "" + +# title_logo_url: "https://zettagenomics.com/wp-content/uploads/2022/10/Zetta-reversed-out-full-logo-dark-background.png" \ No newline at end of file diff --git a/.github/workflows/compare-vulnerabilities.yml b/.github/workflows/compare-vulnerabilities.yml index 744bc2cb..e02b992e 100644 --- a/.github/workflows/compare-vulnerabilities.yml +++ b/.github/workflows/compare-vulnerabilities.yml 
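Review bot: The step still receives `secrets.GITHUB_TOKEN` and `secrets.SLACK_SECURITY_WEBHOOK_URL` (the only inputs kept) while the action is consumed at the pre-release tag `v2.0.0-alpha.1` per the context line; the job's token scope is not visible here, so add a least-privilege `permissions:` block at job level — `contents: read` plus `pull-requests: write` for the PR comment — and pin the action by commit SHA so a retagged pre-release cannot change what runs with those secrets. The commented-out `with:` entries below include `artifact_name` built from `github.event.inputs.*`, which is never populated on a pull-request event; delete the block rather than keep an incorrect template for re-enabling. The trailing `# title_logo_url` comment also leaves the file without a final newline.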
@@ -24,11 +24,12 @@ jobs: fetch-depth: 0 fetch-tags: true - # 2) Ensure base branch exists locally (fetch) - - name: Fetch base branch - run: | - git fetch origin ${{ github.event.inputs.branch_a }}:refs/remotes/origin/${{ github.event.inputs.branch_a }} - + - name: Set up JDK 8 + uses: actions/setup-java@v4 + with: + distribution: 'temurin' + java-version: '8' + cache: 'maven' # 3) Run the action - name: Vulnerability Diff (Syft+Grype) uses: sec-open/vuln-diff-action@v2.0.0-alpha.1 From 2b9cefbde820e157a18d310475df65d7fd5b208c Mon Sep 17 00:00:00 2001 From: JuanfeSanahuja Date: Tue, 7 Oct 2025 18:42:52 +0200 Subject: [PATCH 31/35] Update html logo vuln-diff #TASK-7908 --- .github/workflows/compare-vulnerabilities-PR.yml | 1 + .github/workflows/compare-vulnerabilities.yml | 3 +++ 2 files changed, 4 insertions(+) diff --git a/.github/workflows/compare-vulnerabilities-PR.yml b/.github/workflows/compare-vulnerabilities-PR.yml index cf0fd5a4..c9e27deb 100644 --- a/.github/workflows/compare-vulnerabilities-PR.yml +++ b/.github/workflows/compare-vulnerabilities-PR.yml @@ -41,6 +41,7 @@ jobs: head_ref: ${{ github.event.pull_request.head.sha }} github_token: ${{ secrets.GITHUB_TOKEN }} slack_webhook_url: ${{ secrets.SLACK_SECURITY_WEBHOOK_URL }} + html_logo_url: "https://zettagenomics.com/wp-content/uploads/2022/10/Zetta-reversed-out-full-logo-dark-background.png" # write_summary: "true" # upload_artifact: "true" diff --git a/.github/workflows/compare-vulnerabilities.yml b/.github/workflows/compare-vulnerabilities.yml index e02b992e..433e84a1 100644 --- a/.github/workflows/compare-vulnerabilities.yml +++ b/.github/workflows/compare-vulnerabilities.yml 
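Review bot: Removing `Fetch base branch` is only safe because the checkout step above (context lines) uses `fetch-depth: 0`, which fetches all branches, and that dependency is now implicit; add a comment on the checkout step, e.g. `# fetch-depth: 0 also brings in branch_a, so no separate base fetch is needed`, and renumber the step labels (`# 3) Run the action` now directly follows `# 1)`). The new `setup-java` step also runs straight into `# 3) Run the action` with no blank line, breaking the one-blank-line-per-step layout the rest of the file uses.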
@@ -36,6 +36,9 @@ jobs: with: base_ref: ${{ github.event.inputs.branch_a }} # pass 'develop' head_ref: ${{ github.event.inputs.branch_b }} # pass 'TASK-7908' + html_logo_url: "https://zettagenomics.com/wp-content/uploads/2022/10/Zetta-reversed-out-full-logo-dark-background.png" + + # build_command: "" # write_summary: "true" # upload_artifact: "true" From 4a0ce9dc467ce7c2cb8aefe8beb4d1a6bcef3496 Mon Sep 17 00:00:00 2001 From: JuanfeSanahuja Date: Mon, 13 Oct 2025 16:09:07 +0200 Subject: [PATCH 32/35] Prepare reusable Compare vulnerabilities #TASK-7908 --- .github/workflows/compare-vulnerabilities.yml | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/.github/workflows/compare-vulnerabilities.yml b/.github/workflows/compare-vulnerabilities.yml index 433e84a1..c2e5b1ed 100644 --- a/.github/workflows/compare-vulnerabilities.yml +++ b/.github/workflows/compare-vulnerabilities.yml @@ -1,6 +1,21 @@ -name: Compare vulnerabilities (Syft SBOM -> Grype) between two branches (robust) +name: Compare vulnerabilities (Syft SBOM -> Grype) between two branches run-name: 'Compare vulnerabilities between ${{ inputs.branch_a }} (base) and ${{ inputs.branch_b }} (head) by @${{ github.actor }}' on: + workflow_call: + inputs: + branch_a: + type: string + description: 'Base branch (e.g. develop)' + required: true + branch_b: + type: string + description: 'Head branch (e.g. TASK-1234)' + required: true + secrets: + GITHUB_TOKEN: + required: true + SLACK_SECURITY_WEBHOOK_URL: + required: false workflow_dispatch: inputs: branch_a: From 1727a95ca00a40217d6aadeae3e489c0ac90b964 Mon Sep 17 00:00:00 2001 From: JuanfeSanahuja Date: Tue, 14 Oct 2025 13:00:07 +0200 Subject: [PATCH 33/35] Added purpeteer cache --- .github/workflows/compare-vulnerabilities.yml | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/.github/workflows/compare-vulnerabilities.yml b/.github/workflows/compare-vulnerabilities.yml index c2e5b1ed..237fb204 100644 
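Review bot: The new `workflow_call` trigger declares `branch_a`/`branch_b` inputs, but the job still reads them via `github.event.inputs.*` (see the `ref:`, `base_ref:` and `head_ref:` context lines in the next patch); under `workflow_call`, `github.event` is the caller's event and `github.event.inputs` is empty, so a reusable invocation would check out and scan the wrong refs. Switch those three expressions to the `inputs` context, which is populated for both `workflow_dispatch` and `workflow_call` — `ref: ${{ inputs.branch_b }}`, `base_ref: ${{ inputs.branch_a }}`, `head_ref: ${{ inputs.branch_b }}` — exactly as `run-name` already does. Declaring `GITHUB_TOKEN` under `secrets:` is also reported as invalid by GitHub because the name is reserved (the following patch removes it); callers should pass `secrets: inherit` or only `SLACK_SECURITY_WEBHOOK_URL`.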
--- a/.github/workflows/compare-vulnerabilities.yml +++ b/.github/workflows/compare-vulnerabilities.yml @@ -12,10 +12,9 @@ on: description: 'Head branch (e.g. TASK-1234)' required: true secrets: - GITHUB_TOKEN: - required: true SLACK_SECURITY_WEBHOOK_URL: required: false + workflow_dispatch: inputs: branch_a: @@ -31,13 +30,17 @@ jobs: runs-on: ${{ vars.UBUNTU_VERSION }} steps: - # 1) Checkout head branch only - name: Checkout head branch uses: actions/checkout@v4 with: ref: ${{ github.event.inputs.branch_b }} fetch-depth: 0 fetch-tags: true + - name: Restore Puppeteer cache + uses: actions/cache@v4 + with: + path: ~/.cache/puppeteer + key: puppeteer-${{ runner.os }} - name: Set up JDK 8 uses: actions/setup-java@v4 @@ -53,6 +56,13 @@ jobs: head_ref: ${{ github.event.inputs.branch_b }} # pass 'TASK-7908' html_logo_url: "https://zettagenomics.com/wp-content/uploads/2022/10/Zetta-reversed-out-full-logo-dark-background.png" + - name: Save Puppeteer cache + if: always() + uses: actions/cache@v4 + with: + path: ~/.cache/puppeteer + key: puppeteer-${{ runner.os }} + # build_command: "" # write_summary: "true" From 45eb6697a5785334653f55de3490fc0c7bf235c4 Mon Sep 17 00:00:00 2001 From: JuanfeSanahuja Date: Fri, 21 Nov 2025 09:58:28 +0100 Subject: [PATCH 34/35] cicd: Update alpha 3 vuln-diff-action #TASK-7908 --- .github/workflows/compare-vulnerabilities.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/compare-vulnerabilities.yml b/.github/workflows/compare-vulnerabilities.yml index 237fb204..70650b0b 100644 --- a/.github/workflows/compare-vulnerabilities.yml +++ b/.github/workflows/compare-vulnerabilities.yml @@ -50,7 +50,7 @@ jobs: cache: 'maven' # 3) Run the action - name: Vulnerability Diff (Syft+Grype) - uses: sec-open/vuln-diff-action@v2.0.0-alpha.1 + uses: sec-open/vuln-diff-action@v2.0.0-alpha.3 with: base_ref: ${{ github.event.inputs.branch_a }} # pass 'develop' head_ref: ${{ github.event.inputs.branch_b }} # pass 'TASK-7908' 
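Review bot: The `Save Puppeteer cache` step uses `actions/cache@v4` a second time with the same key as the restore step, so it restores again (a no-op after a hit) and schedules a second post-job save; on an exact key hit `actions/cache` skips saving anyway, so once `puppeteer-<os>` exists nothing new is ever written and the cached Chromium stays frozen even when the action moves to a newer Puppeteer. Use the split restore/save actions, a key with a component you bump alongside the action ref, a prefix fallback, and skip the save on a hit or after a failed download:

```yaml
      - name: Restore Puppeteer cache
        id: puppeteer-cache
        uses: actions/cache/restore@v4
        with:
          path: ~/.cache/puppeteer
          key: puppeteer-${{ runner.os }}-v2.0.0-alpha.3  # bump with the vuln-diff-action ref
          restore-keys: |
            puppeteer-${{ runner.os }}-

      # … unchanged: Set up JDK 8, Vulnerability Diff (Syft+Grype) …

      - name: Save Puppeteer cache
        if: success() && steps.puppeteer-cache.outputs.cache-hit != 'true'
        uses: actions/cache/save@v4
        with:
          path: ~/.cache/puppeteer
          key: ${{ steps.puppeteer-cache.outputs.cache-primary-key }}
```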
From 6ea5bda43331f60dd07514b84dc9a1eded4e4515 Mon Sep 17 00:00:00 2001 From: JuanfeSanahuja Date: Fri, 21 Nov 2025 10:08:14 +0100 Subject: [PATCH 35/35] cicd: downgrade solr pom 8.11.4 to 8.8.2 #TASK-7908 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 7e637b61..79eb1f45 100644 --- a/pom.xml +++ b/pom.xml @@ -24,7 +24,7 @@ 1.7.36 1.11.4 4.11.5 - 8.11.4 + 8.8.2 1.69 1.10.12 2.4.0