From e4b1f8023034807ebba7de54a50f5080e1a806a6 Mon Sep 17 00:00:00 2001
From: yuvalavr24
Date: Tue, 5 Nov 2024 12:03:28 +0200
Subject: [PATCH] Scan model-compression-kit in Black Duck
---
.github/workflows/black_duck_scan.yml | 116 ++++++++++++++++++++++++++
1 file changed, 116 insertions(+)
create mode 100644 .github/workflows/black_duck_scan.yml
diff --git a/.github/workflows/black_duck_scan.yml b/.github/workflows/black_duck_scan.yml
new file mode 100644
index 000000000..55c9d23a5
--- /dev/null
+++ b/.github/workflows/black_duck_scan.yml
@@ -0,0 +1,116 @@
+name: Black Duck Scan
+on:
+ push:
+ branches:
+ [ add_blackduck_scan ]
+
+
+env:
+ BLACKDUCK_PROJECT_NAME: ${{ github.event.repository.name }}
+ BLACKDUCK_VERSION_NAME: "latest"
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+jobs:
+ blackduck:
+ name: Black-Duck action
+ runs-on: ubuntu-latest
+ continue-on-error: true
+ steps:
+ - name: Checkout Source
+ uses: actions/checkout@v4
+ - name: Install Python 🔧
+ uses: actions/setup-python@v4
+ with:
+ python-version: '3.8'
+ - name: Build Wheel
+ id: get_version
+ run: |
+ python -m pip install --upgrade pip
+ pip install -r requirements.txt
+ pip install twine
+ python setup.py bdist_wheel
+ unzip -o ./dist/model_compression_toolkit-2.2.0-py3-none-any.whl -d ./dist
+ version=$(python -c 'import model_compression_toolkit; print(model_compression_toolkit.__version__)')
+ echo "model_compression_version=$version" >> $GITHUB_OUTPUT
+ - name: Black Duck Full Scan
+ uses: synopsys-sig/synopsys-action@v1.12.0
+ env:
+ DETECT_PROJECT_NAME: ${{ env.BLACKDUCK_PROJECT_NAME }}
+ DETECT_PROJECT_VERSION_NAME: ${{ env.BLACKDUCK_VERSION_NAME }}
+ DETECT_PIP_REQUIREMENTS_PATH: requirements.txt
+ DETECT_BLACKDUCK_SIGNATURE_SCANNER_PATHS: dist/model_compression_toolkit
+ DETECT_BLACKDUCK_SIGNATURE_SCANNER_SNIPPET_MATCHING: SNIPPET_MATCHING
+ DETECT_RISK_REPORT_PDF: true
+ DETECT_TIMEOUT: 360000
+ with:
+ blackduck_url: ${{ secrets.BLACKDUCK_URL }}
+ blackduck_token: ${{ secrets.BLACKDUCK_API_TOKEN }}
+ - name: Handle Black Duck scan failure
+ if: ${{ failure() }}
+ shell: bash
+ run: |
+ echo "No report was created due to a failure in black duck scan" > model_compression_scan_${{ steps.get_version.outputs.model_compression_version }}.json
+ cat model_compression_scan_${{ steps.get_version.outputs.model_compression_version }}.json
+ mkdir model_compression_scan_${{ steps.get_version.outputs.model_compression_version }}
+ cp -r ./model_compression_scan_${{ steps.get_version.outputs.model_compression_version }}.json model_compression_scan_${{ steps.get_version.outputs.model_compression_version }}
+ ls model_compression_scan_${{ steps.get_version.outputs.model_compression_version }}
+ text="The Black-Duck scan failed; therefore, the JSON report created is a dump report.There are no PDF/ver_src reports"
+ echo "::warning::$text"
+ - name: Verify Black Duck Sources Scan
+ if: ${{ success() }}
+ uses: ssi-dnn/sdsp-converter-actions/black-duck-verify-sources@main
+ with:
+ BLACKDUCK_API_TOKEN: ${{ secrets.BLACKDUCK_API_TOKEN }}
+ BLACKDUCK_PROJECT_NAME: ${{ env.BLACKDUCK_PROJECT_NAME }}
+ BLACKDUCK_VERSION_NAME: ${{ env.BLACKDUCK_VERSION_NAME }}
+ BLACKDUCK_SUB_PROJECTS_NAME: ${{ env.BLACKDUCK_SUB_PROJECTS_NAME }}
+ BLACKDUCK_VERIFY_SOURCES_JSON: model_compression_ver_src_${{ steps.get_version.outputs.model_compression_version }}.json
+ - name: Get Black Duck Scan Result
+ if: ${{ success() }}
+ uses: ssi-dnn/sdsp-converter-actions/black-duck-tool@main
+ with:
+ BLACKDUCK_API_TOKEN: ${{ secrets.BLACKDUCK_API_TOKEN }}
+ BLACKDUCK_PROJECT_NAME: ${{ env.BLACKDUCK_PROJECT_NAME }}
+ BLACKDUCK_VERSION_NAME: ${{ env.BLACKDUCK_VERSION_NAME }}
+ BLACKDUCK_REPORT_FILE_NAME: model_compression_scan_${{ steps.get_version.outputs.model_compression_version }}.json
+ - name: Create black duck dir
+ if: ${{ success() }}
+ run: |
+ ls
+ mkdir model_compression_scan_${{ steps.get_version.outputs.model_compression_version }}
+ pdf_project_name=$(echo "${{ env.BLACKDUCK_PROJECT_NAME }}" | tr '-' '_')
+ echo $pdf_project_name
+ cp -r ./model_compression_scan_${{ steps.get_version.outputs.model_compression_version }}.json model_compression_scan_${{ steps.get_version.outputs.model_compression_version }}
+ cp -r ./model_compression_ver_src_${{ steps.get_version.outputs.model_compression_version }}.json model_compression_scan_${{ steps.get_version.outputs.model_compression_version }}
+ cp -r ./${pdf_project_name}_${{ env.BLACKDUCK_VERSION_NAME }}_BlackDuck_RiskReport.pdf model_compression_scan_${{ steps.get_version.outputs.model_compression_version }}
+ ls model_compression_scan_${{ steps.get_version.outputs.model_compression_version }}
+ - name: Upload scan result
+ if: ${{ always() }}
+ uses: actions/upload-artifact@v4
+ env:
+ file_path: ./model_compression_scan_${{ steps.get_version.outputs.model_compression_version }}
+ with:
+ name: bd-scan-result
+ path: ${{ env.file_path }}
+ retention-days: 1
+ outputs:
+ model_compression_version: ${{ steps.get_version.outputs.model_compression_version }}
+
+
+ save_blackduck_scan_result:
+ name: Save scan result - Black-Duck
+ needs: [ blackduck ]
+ env:
+ PATH_TO_SAVE: /home/sdsprobot/blackduck_scans/model_compression_scans/model_compression_scan_${{ needs.blackduck.outputs.model_compression_version }}/
+ runs-on:
+ group: DNN01
+ labels: self-hosted
+ steps:
+ - name: Download artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: bd-scan-result
+ path: ${{ env.PATH_TO_SAVE }}
\ No newline at end of file
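Review bot: The two `ssi-dnn/sdsp-converter-actions/...@main` steps and `synopsys-sig/synopsys-action@v1.12.0` are each handed `secrets.BLACKDUCK_API_TOKEN` but are referenced by a branch or a tag, so whatever those refs resolve to at run time executes with the token. Pinning each to a reviewed full commit SHA, e.g. `uses: ssi-dnn/sdsp-converter-actions/black-duck-tool@<full-commit-sha>  # main as of review`, fixes the code that sees the secret. The workflow also declares no `permissions:` block, so the job token keeps the repository default; a top-level `permissions:` with `contents: read` looks sufficient for the steps visible here. Separately, `steps.get_version.outputs.model_compression_version` is expanded with `${{ }}` directly into the `run:` scripts and into `PATH_TO_SAVE` on the self-hosted `DNN01` runner. Passing it through `env:` (e.g. `VERSION: ${{ steps.get_version.outputs.model_compression_version }}`) and using a quoted `"$VERSION"` keeps a malformed version string from being parsed as shell or path syntax.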