From c2048a8bc0a3ea0c2082c7b7b75ec70f2e5d4d6d Mon Sep 17 00:00:00 2001
From: pvannierop
Date: Fri, 14 Feb 2025 14:44:55 +0100
Subject: [PATCH 1/2] Fix gradle build
---
 build.gradle | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/build.gradle b/build.gradle
index 513e1bd9..42e1fb55 100644
--- a/build.gradle
+++ b/build.gradle
@@ -1,9 +1,19 @@
+buildscript {
+ repositories {
+ maven {
+ url = uri("https://plugins.gradle.org/m2/")
+ }
+ maven {
+ url = uri("https://nexus.web.cern.ch/nexus/content/repositories/public/")
+ }
+ }
+}
+
 plugins {
 // Apply the java plugin to add support for Java
 id 'java'
 id 'application'
- id 'com.jfrog.bintray' version '1.8.1' apply false
-
+ id 'com.jfrog.bintray' version '1.8.5' apply false
 }
 
 //---------------------------------------------------------------------------//
From ff12d2396a53128abe247804f83860a07e4f36b6 Mon Sep 17 00:00:00 2001
From: pvannierop
Date: Fri, 14 Feb 2025 14:45:15 +0100
Subject: [PATCH 2/2] Add weekly Snyk Docker image scan to Github actions
---
 .github/workflows/scheduled-snyk-docker.yaml | 37 +++++++++++++++++++
 .github/workflows/scheduled-snyk.yaml | 38 ++++++++++++++++++++
 .github/workflows/snyk.yaml | 27 ++++++++++++++
 .snyk | 5 +++
 4 files changed, 107 insertions(+)
 create mode 100644 .github/workflows/scheduled-snyk-docker.yaml
 create mode 100644 .github/workflows/scheduled-snyk.yaml
 create mode 100644 .github/workflows/snyk.yaml
 create mode 100644 .snyk
diff --git a/.github/workflows/scheduled-snyk-docker.yaml b/.github/workflows/scheduled-snyk-docker.yaml
new file mode 100644
index 00000000..b86dcd46
--- /dev/null
+++ b/.github/workflows/scheduled-snyk-docker.yaml
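Review bot: The new `buildscript { repositories { ... } }` block only affects resolution of `buildscript.dependencies` classpath entries; the `plugins { id ... }` block below it resolves from the Gradle Plugin Portal unless `pluginManagement { repositories { ... } }` is set in settings.gradle, so if the intent is to have `com.jfrog.bintray` found via the CERN Nexus proxy this block may not take effect — worth confirming against the rest of build.gradle, which lies outside the hunk. Independently, the Nexus public proxy is listed without a content filter, so any buildscript classpath artifact may be served from it rather than from the plugin portal; adding `content { includeGroupByRegex '<group-pattern-hosted-there>' }` to that `maven {}` entry pins which groups are allowed to come from the proxy. A one-line comment above the block saying why the proxy is needed would also help the next reader.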
@@ -0,0 +1,37 @@
+name: Snyk scheduled Docker base image scan
+
+on:
+ schedule:
+ - cron: '0 3 * * 1'
+ workflow_dispatch:
+
+env:
+ DOCKER_IMAGE: radarbase/radar-backend
+
+jobs:
+ security:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Run Snyk to check for vulnerabilities
+ uses: snyk/actions/docker@master
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ image: ${{ env.DOCKER_IMAGE }}
+ args: >-
+ --file=Dockerfile
+ --fail-on=upgradable
+ --severity-threshold=high
+ --policy-path=.snyk
+ --exclude-app-vulns
+ --org=radar-base
+ --sarif-file-output=snyk.sarif
+
+ # Detected vulnerabilities will appear on Github in Security->Code_scanning_alerts tab
+ - name: Upload Fitbit result to GitHub Code Scanning
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: snyk.sarif
\ No newline at end of file
diff --git a/.github/workflows/scheduled-snyk.yaml b/.github/workflows/scheduled-snyk.yaml
new file mode 100644
index 00000000..bbe34f2b
--- /dev/null
+++ b/.github/workflows/scheduled-snyk.yaml
@@ -0,0 +1,38 @@
+name: Snyk scheduled code base scan
+
+on:
+ schedule:
+ - cron: '0 2 * * 1'
+ workflow_dispatch:
+
+jobs:
+ security:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+ - uses: actions/setup-node
+ with:
+ node-version: 16
+ cache: npm
+
+ - name: Run Snyk to check for vulnerabilities
+ uses: snyk/actions/gradle-jdk17@master
+ continue-on-error: true # To make sure that SARIF upload gets called
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ args: >-
+ --all-projects
+ --configuration-matching='^runtimeClasspath$'
+ --fail-on=upgradable
+ --severity-threshold=high
+ --policy-path=.snyk
+ --org=radar-base
+ --sarif-file-output=snyk.sarif
+
+ # Detected vulnerabilities will appear on Github in Security->Code_scanning_alerts tab
+ - name: Upload result to GitHub Code Scanning
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: snyk.sarif
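Review bot: The Snyk step in scheduled-snyk-docker.yaml has no `continue-on-error: true`, so whenever `--fail-on=upgradable` makes the scan exit non-zero the following `upload-sarif` step is skipped and the findings never reach Code Scanning — the sibling scheduled-snyk.yaml hunk already carries `continue-on-error: true # To make sure that SARIF upload gets called` and this step should match it. The step name `Upload Fitbit result to GitHub Code Scanning` reads as a copy-paste leftover for an image called radarbase/radar-backend; `Upload result to GitHub Code Scanning`, as in the sibling file, is what it does. All three new workflows reference `snyk/actions/...@master`, a mutable branch of a third-party action that is handed `SNYK_TOKEN`; pinning to a release tag or full commit SHA (`uses: snyk/actions/docker@<commit-sha>`) keeps what runs reviewable, and the same applies to the two `gradle-jdk17@master` uses in scheduled-snyk.yaml and snyk.yaml. None of the workflows declares `permissions:`, yet `upload-sarif` needs `security-events: write`, so on repositories whose default token is read-only both upload steps fail; an explicit job-level `permissions: { contents: read, security-events: write }` in the two scheduled workflows removes that dependence on repository settings. `DOCKER_IMAGE: radarbase/radar-backend` carries no tag, so which image version is scanned is whatever the registry default resolves to (presumably `latest`); an explicit tag, or a comment stating that the default tag is intended, makes the weekly result reproducible.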
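Review bot: `- uses: actions/setup-node` in scheduled-snyk.yaml has no `@ref`, which GitHub Actions rejects when it parses the workflow, so the scheduled scan fails before any step runs. The step also appears unnecessary for a Gradle scan through `snyk/actions/gradle-jdk17`, and `cache: npm` would additionally error if the repository has no npm lockfile (not visible here); dropping the step, or pinning it as `- uses: actions/setup-node@v4` only if something downstream genuinely needs Node, resolves both. The configuration filter is quoted differently here (`--configuration-matching='^runtimeClasspath$'`) than in snyk.yaml (`"^runtimeClasspath$"`); both forms work in the shell the action invokes, but using one form across the files avoids a spurious difference when they are next compared.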
diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml
new file mode 100644
index 00000000..4aa6939e
--- /dev/null
+++ b/.github/workflows/snyk.yaml
@@ -0,0 +1,27 @@
+name: Snyk test on PR commits
+
+on:
+ pull_request:
+ branches:
+ - main
+ - dev
+ - release-*
+
+jobs:
+ security:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Run Snyk to check for vulnerabilities
+ uses: snyk/actions/gradle-jdk17@master
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ args: >-
+ --all-projects
+ --configuration-matching="^runtimeClasspath$"
+ --severity-threshold=high
+ --fail-on=upgradable
+ --org=radar-base
+ --policy-path=.snyk
diff --git a/.snyk b/.snyk
new file mode 100644
index 00000000..2b62034f
--- /dev/null
+++ b/.snyk
@@ -0,0 +1,5 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+patch: {}
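Review bot: snyk.yaml triggers on `pull_request` and reads `secrets.SNYK_TOKEN`, but GitHub does not expose repository secrets to workflows run for pull requests opened from forks, so on any external contribution the Snyk step would run with an empty token and fail at authentication rather than report findings. If fork PRs are expected, guard the step with `if: github.event.pull_request.head.repo.full_name == github.repository` (and note in a comment that fork PRs are scanned only after merge by the scheduled workflows); if they are not, a comment saying so saves the next reader the same question. The job declares no `permissions:`; it only needs to read the checkout, so `permissions: contents: read` at job level is the least-privilege default. The `@master` pin on `snyk/actions/gradle-jdk17` is covered on the scheduled-snyk-docker.yaml hunk.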
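Review bot: `ignore:` in .snyk is a bare key, which YAML reads as `null` rather than an empty mapping, while the next line writes `patch: {}`; `ignore: {}` keeps the two entries consistent and does not depend on the policy loader tolerating a null where a mapping is expected. The comment above it describes expiry-dated ignores but the section is empty, so `# no ignores yet` on that line would make the current state explicit.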