Skip to content

v2 Software Composition Analysis #485

v2 Software Composition Analysis

v2 Software Composition Analysis #485

Workflow file for this run

# SCA Scan
name: v2 Software Composition Analysis
on:
# Run this workflow everyday at 6:05pm Singapore Time (10:05am UTC)
schedule:
- cron: '5 10 * * *'
# Run this workflow manually from Actions tab
workflow_dispatch:
# Allow one concurrent deployment
concurrency:
group: ${{ github.repository }}-${{ github.workflow }}
cancel-in-progress: true
jobs:
aiverify-apigw:
runs-on: ubuntu-latest
timeout-minutes: 60
permissions:
contents: write
security-events: write
concurrency:
group: BlackDuckPolaris-SCA-SAST-Scan
steps:
- name: Checkout Code
uses: actions/checkout@v4
with:
ref: main
repository: aiverify-foundation/aiverify
submodules: recursive
- name: Set up Python 3.11
uses: actions/setup-python@v5
with:
python-version: "3.11"
- name: Install APIGW
run: |
cd aiverify-apigw
python3 -m venv .venv
source .venv/bin/activate
pip install .
pip freeze > requirements.txt
- name: Polaris SCA SAST Scan
id: polaris-sca-scan-apigw
if: ${{ ! cancelled() }}
uses: blackduck-inc/black-duck-security-scan@v2
with:
### SCANNING: Required fields
polaris_server_url: ${{ vars.POLARIS_SERVER_URL }}
polaris_access_token: ${{ secrets.POLARIS_ACCESS_TOKEN }}
polaris_assessment_types: "SCA,SAST"
project_source_excludes: "tests/**"
### SCANNING: Optional fields
polaris_application_name: "AIVT"
polaris_project_name: "aiverify-apigw"
polaris_branch_name: "main"
### SARIF report parameters
polaris_reports_sarif_create: true
### Signature scan
polaris_test_sca_type: "SCA-PACKAGE,SCA-SIGNATURE"
### Mark build status if policy violating issues are found
mark_build_status: "success"
- name: Cleanup APIGW
run: |
rm -rf .venv
cd ${GITHUB_WORKSPACE}
Software-Composition-Analysis:
runs-on: ubuntu-latest
timeout-minutes: 60
steps:
- name: Checkout Code
uses: actions/checkout@v4
with:
ref: main
repository: aiverify-foundation/aiverify
submodules: recursive
- name: Set up Python 3.11
uses: actions/setup-python@v5
with:
python-version: "3.11"
- name: Install & Scan APIGW
run: |
cd aiverify-apigw
python3 -m venv .venv
source .venv/bin/activate
pip install .
pip freeze > requirements.txt
rm -rf .venv
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
bash <(curl -s -L https://detect.blackduck.com/detect9.sh) --blackduck.url=https://blackduck.aipo-imda.net/ --blackduck.api.token=${{ secrets.BLACKDUCK_TOKEN }} --detect.detector.search.depth=0 --detect.project.name=aiverify-apigw --detect.project.version.name=v2.x --detect.source.path=. --detect.code.location.name="aiverify-apigw_v2.x" --detect.excluded.directories=.venv,tests --blackduck.trust.cert=true --detect.notices.report=true --detect.notices.report.path=.
mv aiverify_apigw_v2_x_Black_Duck_Notices_Report.txt NOTICE.md
deactivate
rm -rf .venv
cd ${GITHUB_WORKSPACE}
- name: Install & Scan SHARED LIBRARY
run: |
cd aiverify-shared-library
rm package-lock.json
npm install --omit=dev --omit=optional
bash <(curl -s -L https://detect.blackduck.com/detect9.sh) --blackduck.url=https://blackduck.aipo-imda.net/ --blackduck.api.token=${{ secrets.BLACKDUCK_TOKEN }} --detect.detector.search.depth=0 --detect.project.name=aiverify-shared-library --detect.project.version.name=v2.x --detect.source.path=. --detect.code.location.name="aiverify-shared-library_v2.x" --detect.excluded.directories=tests --blackduck.trust.cert=true --detect.notices.report=true --detect.notices.report.path=.
mv aiverify_shared_library_v2_x_Black_Duck_Notices_Report.txt NOTICE.md
npm cache clean --force
cd ${GITHUB_WORKSPACE}
- name: Install & Scan PORTAL
run: |
cd aiverify-portal
rm package-lock.json
npm install --omit=dev --omit=optional
bash <(curl -s -L https://detect.blackduck.com/detect9.sh) --blackduck.url=https://blackduck.aipo-imda.net/ --blackduck.api.token=${{ secrets.BLACKDUCK_TOKEN }} --detect.detector.search.depth=0 --detect.project.name=aiverify-portal --detect.project.version.name=v2.x --detect.source.path=. --detect.code.location.name="aiverify-portal_v2.x" --detect.excluded.directories=tests --blackduck.trust.cert=true --detect.notices.report=true --detect.notices.report.path=.
mv aiverify_portal_v2_x_Black_Duck_Notices_Report.txt NOTICE.md
npm cache clean --force
cd ${GITHUB_WORKSPACE}
- name: Install & Scan TEST ENGINE
run: |
cd aiverify-test-engine
python3 -m venv .venv
source .venv/bin/activate
pip install ".[all]"
pip freeze > requirements.txt
deactivate
rm -rf .venv
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
cat requirements.txt
bash <(curl -s -L https://detect.blackduck.com/detect9.sh) --blackduck.url=https://blackduck.aipo-imda.net/ --blackduck.api.token=${{ secrets.BLACKDUCK_TOKEN }} --detect.detector.search.depth=0 --detect.project.name=aiverify-test-engine --detect.project.version.name=v2.x --detect.source.path=. --detect.code.location.name="aiverify-test-engine_v2.x" --detect.excluded.directories=tests --blackduck.trust.cert=true --detect.notices.report=true --detect.notices.report.path=. --detect.tools.excluded=SIGNATURE_SCAN
mv aiverify_test_engine_v2_x_Black_Duck_Notices_Report.txt NOTICE.md
deactivate
rm -rf .venv
cd ${GITHUB_WORKSPACE}
- name: Install & Scan TEST ENGINE WORKER
run: |
cd aiverify-test-engine-worker
python3 -m venv .venv
source .venv/bin/activate
pip install .
pip freeze > requirements.txt
deactivate
rm -rf .venv
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
cat requirements.txt
bash <(curl -s -L https://detect.blackduck.com/detect9.sh) --blackduck.url=https://blackduck.aipo-imda.net/ --blackduck.api.token=${{ secrets.BLACKDUCK_TOKEN }} --detect.detector.search.depth=0 --detect.project.name=aiverify-test-engine-worker --detect.project.version.name=v2.x --detect.source.path=. --detect.code.location.name="aiverify-test-engine-worker_v2.x" --detect.excluded.directories=.venv,tests --blackduck.trust.cert=true --detect.notices.report=true --detect.notices.report.path=.
mv aiverify_test_engine_worker_v2_x_Black_Duck_Notices_Report.txt NOTICE.md
deactivate
rm -rf .venv
cd ${GITHUB_WORKSPACE}
- name: Install & Scan Accumulated Local Effects
run: |
cd stock-plugins/aiverify.stock.accumulated-local-effect/algorithms/accumulated_local_effect
python3 -m venv .venv
source .venv/bin/activate
pip install .
pip freeze > requirements.txt
deactivate
rm -rf .venv
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
bash <(curl -s -L https://detect.blackduck.com/detect9.sh) --blackduck.url=https://blackduck.aipo-imda.net/ --blackduck.api.token=${{ secrets.BLACKDUCK_TOKEN }} --detect.detector.search.depth=0 --detect.project.name=accumulated-local-effect --detect.project.version.name=v2.x --detect.source.path=. --detect.code.location.name="accumulated-local-effect_v2.x" --detect.excluded.directories=.venv,tests --blackduck.trust.cert=true --detect.notices.report=true --detect.notices.report.path=.
mv accumulated_local_effect_v2_x_Black_Duck_Notices_Report.txt NOTICE.md
deactivate
rm -rf .venv
cd ${GITHUB_WORKSPACE}
- name: Install & Scan Decorators
run: |
cd stock-plugins/aiverify.stock.decorators
npm install
bash <(curl -s -L https://detect.blackduck.com/detect9.sh) --blackduck.url=https://blackduck.aipo-imda.net/ --blackduck.api.token=${{ secrets.BLACKDUCK_TOKEN }} --detect.detector.search.depth=0 --detect.project.name=decorators --detect.project.version.name=v2.x --detect.source.path=. --detect.code.location.name="decorators_v2.x" --detect.excluded.directories=.venv,tests --blackduck.trust.cert=true --detect.notices.report=true --detect.notices.report.path=.
mv decorators_v2_x_Black_Duck_Notices_Report.txt NOTICE.md
npm cache clean --force
cd ${GITHUB_WORKSPACE}
- name: Install & Scan Fairness Metric ToolBox For Classification
run: |
cd stock-plugins/aiverify.stock.fairness-metrics-toolbox-for-classification/algorithms/fairness_metrics_toolbox_for_classification
python3 -m venv .venv
source .venv/bin/activate
pip install .
pip freeze > requirements.txt
deactivate
rm -rf .venv
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
bash <(curl -s -L https://detect.blackduck.com/detect9.sh) --blackduck.url=https://blackduck.aipo-imda.net/ --blackduck.api.token=${{ secrets.BLACKDUCK_TOKEN }} --detect.detector.search.depth=0 --detect.project.name=fairness-metrics-toolbox-for-classification --detect.project.version.name=v2.x --detect.source.path=. --detect.code.location.name="fairness-metrics-toolbox-for-classification_v2.x" --detect.excluded.directories=.venv,tests --blackduck.trust.cert=true --detect.notices.report=true --detect.notices.report.path=.
mv fairness_metrics_toolbox_for_classification_v2_x_Black_Duck_Notices_Report.txt NOTICE.md
deactivate
rm -rf .venv
cd ${GITHUB_WORKSPACE}
- name: Install & Scan Fairness Metric ToolBox For Regression
run: |
cd stock-plugins/aiverify.stock.fairness-metrics-toolbox-for-regression/algorithms/fairness_metrics_toolbox_for_regression
python3 -m venv .venv
source .venv/bin/activate
pip install .
pip freeze > requirements.txt
deactivate
rm -rf .venv
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
bash <(curl -s -L https://detect.blackduck.com/detect9.sh) --blackduck.url=https://blackduck.aipo-imda.net/ --blackduck.api.token=${{ secrets.BLACKDUCK_TOKEN }} --detect.detector.search.depth=0 --detect.project.name=fairness-metrics-toolbox-for-regression --detect.project.version.name=v2.x --detect.source.path=. --detect.code.location.name="fairness-metrics-toolbox-for-regression_v2.x" --detect.excluded.directories=.venv,tests --blackduck.trust.cert=true --detect.notices.report=true --detect.notices.report.path=.
mv fairness_metrics_toolbox_for_regression_v2_x_Black_Duck_Notices_Report.txt NOTICE.md
deactivate
rm -rf .venv
cd ${GITHUB_WORKSPACE}
- name: Install & Scan Blur Corruptions
run: |
cd aiverify-test-engine
python3 -m venv .venv
source .venv/bin/activate
pip install ".[all]"
cd ${GITHUB_WORKSPACE}
cd stock-plugins/aiverify.stock.image-corruption-toolbox/algorithms/blur_corruptions
pip install .
pip freeze > requirements.txt
deactivate
rm -rf .venv
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
bash <(curl -s -L https://detect.blackduck.com/detect9.sh) --blackduck.url=https://blackduck.aipo-imda.net/ --blackduck.api.token=${{ secrets.BLACKDUCK_TOKEN }} --detect.detector.search.depth=0 --detect.project.name=blur-corruptions --detect.project.version.name=v2.x --detect.source.path=. --detect.code.location.name="blur-corruptions_v2.x" --detect.excluded.directories=.venv,tests --blackduck.trust.cert=true --detect.notices.report=true --detect.notices.report.path=.
mv blur_corruptions_v2_x_Black_Duck_Notices_Report.txt NOTICE.md
deactivate
rm -rf .venv
cd ${GITHUB_WORKSPACE}
- name: Install & Scan Digital Corruptions
run: |
cd aiverify-test-engine
python3 -m venv .venv
source .venv/bin/activate
pip install ".[all]"
cd ${GITHUB_WORKSPACE}
cd stock-plugins/aiverify.stock.image-corruption-toolbox/algorithms/digital_corruptions
pip install .
pip freeze > requirements.txt
deactivate
rm -rf .venv
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
bash <(curl -s -L https://detect.blackduck.com/detect9.sh) --blackduck.url=https://blackduck.aipo-imda.net/ --blackduck.api.token=${{ secrets.BLACKDUCK_TOKEN }} --detect.detector.search.depth=0 --detect.project.name=digital-corruptions --detect.project.version.name=v2.x --detect.source.path=. --detect.code.location.name="digital-corruptions_v2.x" --detect.excluded.directories=.venv,tests --blackduck.trust.cert=true --detect.notices.report=true --detect.notices.report.path=.
mv digital_corruptions_v2_x_Black_Duck_Notices_Report.txt NOTICE.md
deactivate
rm -rf .venv
cd ${GITHUB_WORKSPACE}
- name: Install & Scan Environment Corruptions
run: |
cd aiverify-test-engine
python3 -m venv .venv
source .venv/bin/activate
pip install ".[all]"
cd ${GITHUB_WORKSPACE}
cd stock-plugins/aiverify.stock.image-corruption-toolbox/algorithms/environment_corruptions
pip install .
pip freeze > requirements.txt
deactivate
rm -rf .venv
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
bash <(curl -s -L https://detect.blackduck.com/detect9.sh) --blackduck.url=https://blackduck.aipo-imda.net/ --blackduck.api.token=${{ secrets.BLACKDUCK_TOKEN }} --detect.detector.search.depth=0 --detect.project.name=environment-corruptions --detect.project.version.name=v2.x --detect.source.path=. --detect.code.location.name="environment-corruptions_v2.x" --detect.excluded.directories=.venv,tests --blackduck.trust.cert=true --detect.notices.report=true --detect.notices.report.path=.
mv environment_corruptions_v2_x_Black_Duck_Notices_Report.txt NOTICE.md
deactivate
rm -rf .venv
cd ${GITHUB_WORKSPACE}
- name: Install & Scan General Corruptions
run: |
cd aiverify-test-engine
python3 -m venv .venv
source .venv/bin/activate
pip install ".[all]"
cd ${GITHUB_WORKSPACE}
cd stock-plugins/aiverify.stock.image-corruption-toolbox/algorithms/general_corruptions
pip install .
pip freeze > requirements.txt
deactivate
rm -rf .venv
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
bash <(curl -s -L https://detect.blackduck.com/detect9.sh) --blackduck.url=https://blackduck.aipo-imda.net/ --blackduck.api.token=${{ secrets.BLACKDUCK_TOKEN }} --detect.detector.search.depth=0 --detect.project.name=general-corruptions --detect.project.version.name=v2.x --detect.source.path=. --detect.code.location.name="general-corruptions_v2.x" --detect.excluded.directories=.venv,tests --blackduck.trust.cert=true --detect.notices.report=true --detect.notices.report.path=.
mv general_corruptions_v2_x_Black_Duck_Notices_Report.txt NOTICE.md
deactivate
rm -rf .venv
cd ${GITHUB_WORKSPACE}
- name: Install & Scan Partial Dependence Plot
run: |
cd stock-plugins/aiverify.stock.partial-dependence-plot/algorithms/partial_dependence_plot
python3 -m venv .venv
source .venv/bin/activate
pip install .
pip freeze > requirements.txt
deactivate
rm -rf .venv
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
bash <(curl -s -L https://detect.blackduck.com/detect9.sh) --blackduck.url=https://blackduck.aipo-imda.net/ --blackduck.api.token=${{ secrets.BLACKDUCK_TOKEN }} --detect.detector.search.depth=0 --detect.project.name=partial-dependence-plot --detect.project.version.name=v2.x --detect.source.path=. --detect.code.location.name="partial-dependence-plot_v2.x" --detect.excluded.directories=.venv,tests --blackduck.trust.cert=true --detect.notices.report=true --detect.notices.report.path=.
mv partial_dependence_plot_v2_x_Black_Duck_Notices_Report.txt NOTICE.md
deactivate
rm -rf .venv
cd ${GITHUB_WORKSPACE}
- name: Install & Scan Robustness ToolBox
run: |
cd stock-plugins/aiverify.stock.robustness-toolbox/algorithms/robustness_toolbox
python3 -m venv .venv
source .venv/bin/activate
pip install .
pip freeze > requirements.txt
deactivate
rm -rf .venv
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
bash <(curl -s -L https://detect.blackduck.com/detect9.sh) --blackduck.url=https://blackduck.aipo-imda.net/ --blackduck.api.token=${{ secrets.BLACKDUCK_TOKEN }} --detect.detector.search.depth=0 --detect.project.name=robustness-toolbox --detect.project.version.name=v2.x --detect.source.path=. --detect.code.location.name="robustness-toolbox_v2.x" --detect.excluded.directories=.venv,tests --blackduck.trust.cert=true --detect.notices.report=true --detect.notices.report.path=.
mv robustness_toolbox_v2_x_Black_Duck_Notices_Report.txt NOTICE.md
deactivate
rm -rf .venv
cd ${GITHUB_WORKSPACE}
- name: Install & Scan SHAP ToolBox
run: |
cd stock-plugins/aiverify.stock.shap-toolbox/algorithms/shap_toolbox
python3 -m venv .venv
source .venv/bin/activate
pip install .
pip freeze > requirements.txt
deactivate
rm -rf .venv
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
bash <(curl -s -L https://detect.blackduck.com/detect9.sh) --blackduck.url=https://blackduck.aipo-imda.net/ --blackduck.api.token=${{ secrets.BLACKDUCK_TOKEN }} --detect.detector.search.depth=0 --detect.project.name=shap-toolbox --detect.project.version.name=v2.x --detect.source.path=. --detect.code.location.name="shap-toolbox_v2.x" --detect.excluded.directories=.venv,tests --blackduck.trust.cert=true --detect.notices.report=true --detect.notices.report.path=.
mv shap_toolbox_v2_x_Black_Duck_Notices_Report.txt NOTICE.md
deactivate
rm -rf .venv
cd ${GITHUB_WORKSPACE}
- name: Install & Scan Veritas
run: |
cd stock-plugins/aiverify.stock.veritas/algorithms/veritastool
python3 -m venv .venv
source .venv/bin/activate
pip install .
pip freeze > requirements.txt
deactivate
rm -rf .venv
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
bash <(curl -s -L https://detect.blackduck.com/detect9.sh) --blackduck.url=https://blackduck.aipo-imda.net/ --blackduck.api.token=${{ secrets.BLACKDUCK_TOKEN }} --detect.detector.search.depth=0 --detect.project.name=veritas --detect.project.version.name=v2.x --detect.source.path=. --detect.code.location.name="veritas_v2.x" --detect.excluded.directories=.venv,tests --blackduck.trust.cert=true --detect.notices.report=true --detect.notices.report.path=.
mv veritas_v2_x_Black_Duck_Notices_Report.txt NOTICE.md
deactivate
rm -rf .venv
cd ${GITHUB_WORKSPACE}
# - name: Commit All Notices File
# env:
# GH_TOKEN: ${{ github.token }}
# run: |
# git config --global user.name github-actions
# git config --global user.email github-actions@github.com
# git pull
# git branch update-notices
# git switch update-notices
# git add .
# git commit -m "Update All Notices File"
# git push --set-upstream origin update-notices
# - name: Create & Merge Pull Request
# env:
# GH_TOKEN: ${{ github.token }}
# run: |
# gh pr create --base update-scan --title "Update All Notices File" --body "Update All Notices File" --head $(git branch --show-current)
# gh pr merge --merge --admin