From 9efe8f0a3285ba6f7fcaabe920adbbc9830fa4fe Mon Sep 17 00:00:00 2001 From: tdruez Date: Tue, 14 Oct 2025 14:52:14 +0400 Subject: [PATCH 01/11] Debug the OSV-scanner workflow failure Signed-off-by: tdruez --- .github/workflows/sca-integration-osv-scanner.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sca-integration-osv-scanner.yml b/.github/workflows/sca-integration-osv-scanner.yml index 07ed803907..94a58087d8 100644 --- a/.github/workflows/sca-integration-osv-scanner.yml +++ b/.github/workflows/sca-integration-osv-scanner.yml @@ -10,6 +10,7 @@ name: Generate SBOM with OSV-Scanner and load into ScanCode.io on: workflow_dispatch: + pull_request: schedule: # Run once a week (every 7 days) at 00:00 UTC on Sunday - cron: "0 0 * * 0" @@ -19,6 +20,9 @@ permissions: env: IMAGE_REFERENCE: "python:3.13.0-slim" + EXPECTED_PACKAGE_COUNT: 100 + EXPECTED_VULNERABLE_PACKAGE_COUNT: 0 + EXPECTED_DEPENDENCY_COUNT: 100 jobs: generate-and-load-sbom: @@ -56,4 +60,4 @@ jobs: - name: Verify SBOM Analysis Results in ScanCode.io shell: bash run: | - scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() >= 100; assert package_manager.vulnerable().count() == 0; assert DiscoveredDependency.objects.count() >= 100" + scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() >= int('${{ env.EXPECTED_PACKAGE_COUNT }}'), str(package_manager.count()); assert package_manager.vulnerable().count() >= int('${{ env.EXPECTED_VULNERABLE_PACKAGE_COUNT }}'), str(package_manager.vulnerable().count()); assert DiscoveredDependency.objects.count() >= int('${{ env.EXPECTED_DEPENDENCY_COUNT }}'), str(DiscoveredDependency.objects.count())" From ed9a8efb8b89ac711badc6d23d860084db40164c Mon Sep 17 00:00:00 2001 
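Review bot: The rewritten `run:` line turns the vulnerable-package gate into a no-op: `package_manager.vulnerable().count() >= int('0')` holds for any count, whereas the assertion it replaces was `vulnerable().count() == 0`, which is the property this SBOM check exists to enforce. Keep the equality, `assert package_manager.vulnerable().count() == int('${{ env.EXPECTED_VULNERABLE_PACKAGE_COUNT }}'), str(package_manager.vulnerable().count())`, otherwise the workflow reports success on an image that OSV-Scanner flagged. Workflow-level `env` values are also exported into the step's shell, so `'$EXPECTED_VULNERABLE_PACKAGE_COUNT'` inside the double-quoted command would work without `${{ }}` interpolation, which is the safer habit should these values ever come from `inputs` or `vars`.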
From: tdruez Date: Tue, 14 Oct 2025 14:59:06 +0400 Subject: [PATCH 02/11] Debug the OSV-scanner workflow failure Signed-off-by: tdruez --- .github/workflows/sca-integration-osv-scanner.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sca-integration-osv-scanner.yml b/.github/workflows/sca-integration-osv-scanner.yml index 94a58087d8..52f0aa028a 100644 --- a/.github/workflows/sca-integration-osv-scanner.yml +++ b/.github/workflows/sca-integration-osv-scanner.yml @@ -60,4 +60,5 @@ jobs: - name: Verify SBOM Analysis Results in ScanCode.io shell: bash run: | - scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() >= int('${{ env.EXPECTED_PACKAGE_COUNT }}'), str(package_manager.count()); assert package_manager.vulnerable().count() >= int('${{ env.EXPECTED_VULNERABLE_PACKAGE_COUNT }}'), str(package_manager.vulnerable().count()); assert DiscoveredDependency.objects.count() >= int('${{ env.EXPECTED_DEPENDENCY_COUNT }}'), str(DiscoveredDependency.objects.count())" + scanpipe shell --command "from scanpipe.models import DiscoveredPackage; package_manager = DiscoveredPackage.objects; assert package_manager.count() >= int('${{ env.EXPECTED_PACKAGE_COUNT }}'), f'Expected at least ${{ env.EXPECTED_PACKAGE_COUNT }} packages, found {package_manager.count()}'; assert package_manager.vulnerable().count() >= int('${{ env.EXPECTED_VULNERABLE_PACKAGE_COUNT }}'), f'Expected ${{ env.EXPECTED_VULNERABLE_PACKAGE_COUNT }} vulnerable packages, found {package_manager.vulnerable().count()}'" + scanpipe shell --command "from scanpipe.models import DiscoveredDependency; assert DiscoveredDependency.objects.count() >= int('${{ env.EXPECTED_DEPENDENCY_COUNT }}'), f'Expected at least ${{ env.EXPECTED_DEPENDENCY_COUNT }} dependencies, found {DiscoveredDependency.objects.count()}'" 
From e73ae7634e9a0b275ef4eb18e760cbcf98d76d4b Mon Sep 17 00:00:00 2001 From: tdruez Date: Tue, 14 Oct 2025 15:11:24 +0400 Subject: [PATCH 03/11] Debug the OSV-scanner workflow failure Signed-off-by: tdruez --- .github/workflows/sca-integration-osv-scanner.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/sca-integration-osv-scanner.yml b/.github/workflows/sca-integration-osv-scanner.yml index 52f0aa028a..99baf64b3c 100644 --- a/.github/workflows/sca-integration-osv-scanner.yml +++ b/.github/workflows/sca-integration-osv-scanner.yml @@ -20,9 +20,6 @@ permissions: env: IMAGE_REFERENCE: "python:3.13.0-slim" - EXPECTED_PACKAGE_COUNT: 100 - EXPECTED_VULNERABLE_PACKAGE_COUNT: 0 - EXPECTED_DEPENDENCY_COUNT: 100 jobs: generate-and-load-sbom: @@ -59,6 +56,10 @@ jobs: - name: Verify SBOM Analysis Results in ScanCode.io shell: bash + env: + EXPECTED_PACKAGE_COUNT: 100 + EXPECTED_VULNERABLE_PACKAGE_COUNT: 0 + EXPECTED_DEPENDENCY_COUNT: 90 run: | scanpipe shell --command "from scanpipe.models import DiscoveredPackage; package_manager = DiscoveredPackage.objects; assert package_manager.count() >= int('${{ env.EXPECTED_PACKAGE_COUNT }}'), f'Expected at least ${{ env.EXPECTED_PACKAGE_COUNT }} packages, found {package_manager.count()}'; assert package_manager.vulnerable().count() >= int('${{ env.EXPECTED_VULNERABLE_PACKAGE_COUNT }}'), f'Expected ${{ env.EXPECTED_VULNERABLE_PACKAGE_COUNT }} vulnerable packages, found {package_manager.vulnerable().count()}'" scanpipe shell --command "from scanpipe.models import DiscoveredDependency; assert DiscoveredDependency.objects.count() >= int('${{ env.EXPECTED_DEPENDENCY_COUNT }}'), f'Expected at least ${{ env.EXPECTED_DEPENDENCY_COUNT }} dependencies, found {DiscoveredDependency.objects.count()}'" From ebb125a7599049909a17edcce7eda5debf93486b Mon Sep 17 00:00:00 2001 
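Review bot: `EXPECTED_DEPENDENCY_COUNT: 90` lowers the bound from 100 with nothing in the hunk or the commit message recording what count the last run actually produced, so the next person tuning these values will be guessing again. `IMAGE_REFERENCE: "python:3.13.0-slim"` (context in the first hunk) is a mutable tag, so package and dependency counts can legitimately shift when the image is rebuilt; a comment above the three thresholds such as `# Lower bounds, not exact counts; note the observed values and date when adjusting` makes a later failure diagnosable, and pinning the image by digest would make the counts reproducible. The `run:` block that consumes these values is unchanged context in the second hunk.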
From: tdruez Date: Tue, 14 Oct 2025 15:32:30 +0400 Subject: [PATCH 04/11] Move the project verification to a dedicated management command Signed-off-by: tdruez --- .../workflows/sca-integration-osv-scanner.yml | 12 ++- .../management/commands/verify-project.py | 99 +++++++++++++++++++ 2 files changed, 106 insertions(+), 5 deletions(-) create mode 100644 scanpipe/management/commands/verify-project.py diff --git a/.github/workflows/sca-integration-osv-scanner.yml b/.github/workflows/sca-integration-osv-scanner.yml index 99baf64b3c..02eb21b457 100644 --- a/.github/workflows/sca-integration-osv-scanner.yml +++ b/.github/workflows/sca-integration-osv-scanner.yml @@ -57,9 +57,11 @@ jobs: - name: Verify SBOM Analysis Results in ScanCode.io shell: bash env: - EXPECTED_PACKAGE_COUNT: 100 - EXPECTED_VULNERABLE_PACKAGE_COUNT: 0 - EXPECTED_DEPENDENCY_COUNT: 90 + EXPECTED_PACKAGE: 100 + EXPECTED_VULNERABLE_PACKAGE: 0 + EXPECTED_DEPENDENCY: 90 run: | - scanpipe shell --command "from scanpipe.models import DiscoveredPackage; package_manager = DiscoveredPackage.objects; assert package_manager.count() >= int('${{ env.EXPECTED_PACKAGE_COUNT }}'), f'Expected at least ${{ env.EXPECTED_PACKAGE_COUNT }} packages, found {package_manager.count()}'; assert package_manager.vulnerable().count() >= int('${{ env.EXPECTED_VULNERABLE_PACKAGE_COUNT }}'), f'Expected ${{ env.EXPECTED_VULNERABLE_PACKAGE_COUNT }} vulnerable packages, found {package_manager.vulnerable().count()}'" - scanpipe shell --command "from scanpipe.models import DiscoveredDependency; assert DiscoveredDependency.objects.count() >= int('${{ env.EXPECTED_DEPENDENCY_COUNT }}'), f'Expected at least ${{ env.EXPECTED_DEPENDENCY_COUNT }} dependencies, found {DiscoveredDependency.objects.count()}'" + scanpipe verify-project --project scancode-action \ + --packages ${{ env.EXPECTED_PACKAGE }} \ + --vulnerable-packages ${{ env.EXPECTED_VULNERABLE_PACKAGE }} \ + --dependencies ${{ env.EXPECTED_DEPENDENCY }} 
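Review bot: The new `scanpipe verify-project` invocation splices `${{ env.EXPECTED_PACKAGE }}` and friends into the shell line even though step-level `env` values are already exported as environment variables; `--packages "$EXPECTED_PACKAGE"` keeps the same behaviour without the expression-interpolation pattern, which matters the day one of these is sourced from a workflow input. The step also passes no `--vulnerable-dependencies`, so that check stays at the command's default of 0 and never fails; if the OSV SBOM is expected to carry no vulnerable dependencies, a comment saying the option is deliberately omitted would avoid a reader assuming coverage that is not there.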
diff --git a/scanpipe/management/commands/verify-project.py b/scanpipe/management/commands/verify-project.py new file mode 100644 index 0000000000..64b3078d3e --- /dev/null +++ b/scanpipe/management/commands/verify-project.py 
@@ -0,0 +1,99 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# http://nexb.com and https://github.com/aboutcode-org/scancode.io +# The ScanCode.io software is licensed under the Apache License version 2.0. +# Data generated with ScanCode.io is provided as-is without warranties. +# ScanCode is a trademark of nexB Inc. +# +# You may not use this software except in compliance with the License. +# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. +# +# Data Generated with ScanCode.io is provided on an "AS IS" BASIS, WITHOUT WARRANTIES +# OR CONDITIONS OF ANY KIND, either express or implied. No content created from +# ScanCode.io should be considered or used as legal advice. Consult an Attorney +# for any legal advice. +# +# ScanCode.io is a free software code scanning tool from nexB Inc. and others. +# Visit https://github.com/aboutcode-org/scancode.io for support and download. 
+ +from django.core.management import CommandError + +from scanpipe.management.commands import ProjectCommand + + +class Command(ProjectCommand): + help = "Verify project analysis results against expected counts" + + def add_arguments(self, parser): + super().add_arguments(parser) + parser.add_argument( + "--packages", + type=int, + default=0, + help="Minimum number of packages expected (default: 0)", + ) + parser.add_argument( + "--vulnerable-packages", + type=int, + default=0, + help="Exact number of vulnerable packages expected (default: 0)", + ) + parser.add_argument( + "--dependencies", + type=int, + default=0, + help="Minimum number of dependencies expected (default: 0)", + ) + parser.add_argument( + "--vulnerable-dependencies", + type=int, + default=0, + help="Minimum number of vulnerable dependencies expected (default: 0)", + ) + + def handle(self, *args, **options): + super().handle(*args, **options) + + expected_packages = options["packages"] + expected_vulnerable_packages = options["vulnerable_packages"] + expected_dependencies = options["dependencies"] + expected_vulnerable_dependencies = options["vulnerable_dependencies"] + + project = self.project + packages = project.discoveredpackages + package_count = packages.count() + vulnerable_package_count = packages.vulnerable().count() + dependencies = project.discovereddependencies.all() + dependency_count = dependencies.count() + vulnerable_dependency_count = dependencies.vulnerable().count() + + errors = [] + + if package_count < expected_packages: + errors.append( + f"Expected at least {expected_packages} packages, found {package_count}" + ) + if vulnerable_package_count != expected_vulnerable_packages: + errors.append( + f"Expected exactly {expected_vulnerable_packages} vulnerable packages, " + f"found {vulnerable_package_count}" + ) + if dependency_count < expected_dependencies: + errors.append( + f"Expected at least {expected_dependencies} dependencies, " + f"found {dependency_count}" + ) + if 
vulnerable_dependency_count < expected_vulnerable_dependencies: + errors.append( + f"Expected at least {expected_vulnerable_dependencies} " + f"vulnerable dependencies, found {vulnerable_dependency_count}" + ) + + if errors: + raise CommandError("Project verification failed:\n" + "\n".join(errors)) + + self.stdout.write(self.style.SUCCESS("Project verification passed.")) From aaca40d6540767b0935a5f7684c877624807dc93 Mon Sep 17 00:00:00 2001 From: tdruez Date: Tue, 14 Oct 2025 15:36:26 +0400 Subject: [PATCH 05/11] Use current branch to install ScanCode.io Signed-off-by: tdruez --- .github/workflows/sca-integration-osv-scanner.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sca-integration-osv-scanner.yml b/.github/workflows/sca-integration-osv-scanner.yml index 02eb21b457..0c8ab20c58 100644 --- a/.github/workflows/sca-integration-osv-scanner.yml +++ b/.github/workflows/sca-integration-osv-scanner.yml @@ -52,7 +52,7 @@ jobs: with: pipelines: "load_sbom" inputs-path: "osv-sbom.spdx.json" - scancodeio-repo-branch: "main" + scancodeio-repo-branch: "sca-integration-workflow-fix" - name: Verify SBOM Analysis Results in ScanCode.io shell: bash From 4d1b0f8471ae18385917507fc322a591fd404d34 Mon Sep 17 00:00:00 2001 From: tdruez Date: Tue, 14 Oct 2025 16:29:25 +0400 Subject: [PATCH 06/11] Move the env to the global workflow env Signed-off-by: tdruez --- .github/workflows/sca-integration-osv-scanner.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/sca-integration-osv-scanner.yml b/.github/workflows/sca-integration-osv-scanner.yml index 0c8ab20c58..9ce3e6602f 100644 --- a/.github/workflows/sca-integration-osv-scanner.yml +++ b/.github/workflows/sca-integration-osv-scanner.yml @@ -20,6 +20,9 @@ permissions: env: IMAGE_REFERENCE: "python:3.13.0-slim" + EXPECTED_PACKAGE: 100 + EXPECTED_VULNERABLE_PACKAGE: 0 + EXPECTED_DEPENDENCY: 90 jobs: generate-and-load-sbom: 
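Review bot: `type=int` on the four threshold options accepts negative numbers, and a negative or zero lower bound makes that check vacuous: `--packages -1` prints "Project verification passed." regardless of content, and with every default at 0 a bare `verify-project --project X` always succeeds. An argparse type function that raises `ArgumentTypeError` for values below zero would catch a mistyped CI value instead of silently passing. On success the command should also leave the evidence in the log, e.g. `self.stdout.write(f"packages={package_count} vulnerable_packages={vulnerable_package_count} dependencies={dependency_count} vulnerable_dependencies={vulnerable_dependency_count}")`, so thresholds can be retuned from a past run rather than re-scanned. `dependencies.vulnerable()` presumes the DiscoveredDependency queryset exposes the same method the replaced assertions used on packages — worth confirming on the manager.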
@@ -56,12 +59,9 @@ jobs: - name: Verify SBOM Analysis Results in ScanCode.io shell: bash - env: - EXPECTED_PACKAGE: 100 - EXPECTED_VULNERABLE_PACKAGE: 0 - EXPECTED_DEPENDENCY: 90 run: | - scanpipe verify-project --project scancode-action \ + scanpipe verify-project \ + --project scancode-action \ --packages ${{ env.EXPECTED_PACKAGE }} \ --vulnerable-packages ${{ env.EXPECTED_VULNERABLE_PACKAGE }} \ --dependencies ${{ env.EXPECTED_DEPENDENCY }} From 8d97ff4fd636c1c0189f0ed8c93e84e83f0c6edb Mon Sep 17 00:00:00 2001 From: tdruez Date: Tue, 14 Oct 2025 16:39:17 +0400 Subject: [PATCH 07/11] Add unit test for the verify-project management command Signed-off-by: tdruez --- .../management/commands/verify-project.py | 2 +- scanpipe/tests/test_commands.py | 43 +++++++++++++++++++ 2 files changed, 44 insertions(+), 1 deletion(-) diff --git a/scanpipe/management/commands/verify-project.py b/scanpipe/management/commands/verify-project.py index 64b3078d3e..41d60b4565 100644 --- a/scanpipe/management/commands/verify-project.py +++ b/scanpipe/management/commands/verify-project.py @@ -96,4 +96,4 @@ def handle(self, *args, **options): if errors: raise CommandError("Project verification failed:\n" + "\n".join(errors)) - self.stdout.write(self.style.SUCCESS("Project verification passed.")) + self.stdout.write("Project verification passed.", self.style.SUCCESS) diff --git a/scanpipe/tests/test_commands.py b/scanpipe/tests/test_commands.py index 1b2d6f688e..32322d425c 100644 --- a/scanpipe/tests/test_commands.py +++ b/scanpipe/tests/test_commands.py 
@@ -1371,6 +1371,49 @@ def test_scanpipe_management_command_report(self): expected = ("project1", "file.ext", "file", "file.ext", "requires-review") self.assertEqual(expected, row1[0:5]) + def test_scanpipe_management_command_verify_project(self): + project = make_project(name="my_project") + make_package(project, package_url="pkg:generic/name@1.0") + make_dependency(project) + + out = StringIO() + call_command( + "verify-project", + "--project", + project.name, + "--packages", + "1", + "--vulnerable-packages", + "0", + "--dependencies", + "1", + "--vulnerable-dependencies", + "0", + stdout=out, + ) + self.assertIn("Project verification passed.", out.getvalue()) + + out = StringIO() + expected = ( + "Project verification failed:\n" + "Expected at least 5 packages, found 1\n" + "Expected exactly 10 vulnerable packages, found 0\n" + "Expected at least 5 dependencies, found 1" + ) + with self.assertRaisesMessage(CommandError, expected): + call_command( + "verify-project", + "--project", + project.name, + "--packages", + "5", + "--vulnerable-packages", + "10", + "--dependencies", + "5", + stdout=out, + ) + class ScanPipeManagementCommandMixinTest(TestCase): class CreateProjectCommand( From d6533e4f7629be1faf8673cd9282083b2698eca6 Mon Sep 17 00:00:00 2001 From: tdruez Date: Wed, 15 Oct 2025 09:10:41 +0400 Subject: [PATCH 08/11] Remove the command for simpler merge from main Signed-off-by: tdruez --- .../management/commands/verify-project.py | 99 ------------------- scanpipe/tests/test_commands.py | 43 -------- 2 files changed, 142 deletions(-) delete mode 100644 scanpipe/management/commands/verify-project.py diff --git a/scanpipe/management/commands/verify-project.py b/scanpipe/management/commands/verify-project.py deleted file mode 100644 index 41d60b4565..0000000000 --- a/scanpipe/management/commands/verify-project.py +++ /dev/null 
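Review bot: The failing-case assertion never exercises the `--vulnerable-dependencies` branch: the second `call_command` omits the option, so its default of 0 cannot fail and the fourth error message in the command goes untested, as does the direction where a vulnerable package is actually present. Adding `"--vulnerable-dependencies", "3",` to that call and appending `"Expected at least 3 vulnerable dependencies, found 0"` as the last line of `expected` (the command lists errors in package, vulnerable-package, dependency, vulnerable-dependency order) covers the message. `make_package` and `make_dependency` are defined outside this hunk; if `make_package` can attach a vulnerability, one such package would also cover the `!=` comparison with a non-zero count.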
@@ -1,99 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# -# http://nexb.com and https://github.com/aboutcode-org/scancode.io -# The ScanCode.io software is licensed under the Apache License version 2.0. -# Data generated with ScanCode.io is provided as-is without warranties. -# ScanCode is a trademark of nexB Inc. -# -# You may not use this software except in compliance with the License. -# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0 -# Unless required by applicable law or agreed to in writing, software distributed -# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR -# CONDITIONS OF ANY KIND, either express or implied. See the License for the -# specific language governing permissions and limitations under the License. -# -# Data Generated with ScanCode.io is provided on an "AS IS" BASIS, WITHOUT WARRANTIES -# OR CONDITIONS OF ANY KIND, either express or implied. No content created from -# ScanCode.io should be considered or used as legal advice. Consult an Attorney -# for any legal advice. -# -# ScanCode.io is a free software code scanning tool from nexB Inc. and others. -# Visit https://github.com/aboutcode-org/scancode.io for support and download. 
- -from django.core.management import CommandError - -from scanpipe.management.commands import ProjectCommand - - -class Command(ProjectCommand): - help = "Verify project analysis results against expected counts" - - def add_arguments(self, parser): - super().add_arguments(parser) - parser.add_argument( - "--packages", - type=int, - default=0, - help="Minimum number of packages expected (default: 0)", - ) - parser.add_argument( - "--vulnerable-packages", - type=int, - default=0, - help="Exact number of vulnerable packages expected (default: 0)", - ) - parser.add_argument( - "--dependencies", - type=int, - default=0, - help="Minimum number of dependencies expected (default: 0)", - ) - parser.add_argument( - "--vulnerable-dependencies", - type=int, - default=0, - help="Minimum number of vulnerable dependencies expected (default: 0)", - ) - - def handle(self, *args, **options): - super().handle(*args, **options) - - expected_packages = options["packages"] - expected_vulnerable_packages = options["vulnerable_packages"] - expected_dependencies = options["dependencies"] - expected_vulnerable_dependencies = options["vulnerable_dependencies"] - - project = self.project - packages = project.discoveredpackages - package_count = packages.count() - vulnerable_package_count = packages.vulnerable().count() - dependencies = project.discovereddependencies.all() - dependency_count = dependencies.count() - vulnerable_dependency_count = dependencies.vulnerable().count() - - errors = [] - - if package_count < expected_packages: - errors.append( - f"Expected at least {expected_packages} packages, found {package_count}" - ) - if vulnerable_package_count != expected_vulnerable_packages: - errors.append( - f"Expected exactly {expected_vulnerable_packages} vulnerable packages, " - f"found {vulnerable_package_count}" - ) - if dependency_count < expected_dependencies: - errors.append( - f"Expected at least {expected_dependencies} dependencies, " - f"found {dependency_count}" - ) - if 
vulnerable_dependency_count < expected_vulnerable_dependencies: - errors.append( - f"Expected at least {expected_vulnerable_dependencies} " - f"vulnerable dependencies, found {vulnerable_dependency_count}" - ) - - if errors: - raise CommandError("Project verification failed:\n" + "\n".join(errors)) - - self.stdout.write("Project verification passed.", self.style.SUCCESS) diff --git a/scanpipe/tests/test_commands.py b/scanpipe/tests/test_commands.py index 32322d425c..1b2d6f688e 100644 --- a/scanpipe/tests/test_commands.py +++ b/scanpipe/tests/test_commands.py @@ -1371,49 +1371,6 @@ def test_scanpipe_management_command_report(self): expected = ("project1", "file.ext", "file", "file.ext", "requires-review") self.assertEqual(expected, row1[0:5]) - def test_scanpipe_management_command_verify_project(self): - project = make_project(name="my_project") - make_package(project, package_url="pkg:generic/name@1.0") - make_dependency(project) - - out = StringIO() - call_command( - "verify-project", - "--project", - project.name, - "--packages", - "1", - "--vulnerable-packages", - "0", - "--dependencies", - "1", - "--vulnerable-dependencies", - "0", - stdout=out, - ) - self.assertIn("Project verification passed.", out.getvalue()) - - out = StringIO() - expected = ( - "Project verification failed:\n" - "Expected at least 5 packages, found 1\n" - "Expected exactly 10 vulnerable packages, found 0\n" - "Expected at least 5 dependencies, found 1" - ) - with self.assertRaisesMessage(CommandError, expected): - call_command( - "verify-project", - "--project", - project.name, - "--packages", - "5", - "--vulnerable-packages", - "10", - "--dependencies", - "5", - stdout=out, - ) - class ScanPipeManagementCommandMixinTest(TestCase): class CreateProjectCommand( From 1800189d77b4b293710228831902139a3cad23d5 Mon Sep 17 00:00:00 2001 From: tdruez Date: Wed, 15 Oct 2025 09:16:52 +0400 Subject: [PATCH 09/11] Migrate all SCA workflow verification to new verify-project cli cmd 
Signed-off-by: tdruez --- .github/workflows/sca-integration-anchore.yml | 10 +++++++++- .github/workflows/sca-integration-cdxgen.yml | 10 +++++++++- .github/workflows/sca-integration-depscan.yml | 10 +++++++++- .github/workflows/sca-integration-ort.yml | 11 ++++++++++- .../workflows/sca-integration-osv-scanner.yml | 2 +- .../workflows/sca-integration-sbom-tool.yml | 9 ++++++++- .github/workflows/sca-integration-trivy.yml | 19 ++++++++++++++++++- 7 files changed, 64 insertions(+), 7 deletions(-) diff --git a/.github/workflows/sca-integration-anchore.yml b/.github/workflows/sca-integration-anchore.yml index 07de98219f..d8ac014829 100644 --- a/.github/workflows/sca-integration-anchore.yml +++ b/.github/workflows/sca-integration-anchore.yml @@ -19,6 +19,9 @@ permissions: env: IMAGE_REFERENCE: "python:3.13.0-slim" + EXPECTED_PACKAGE: 3200 + EXPECTED_VULNERABLE_PACKAGE: 40 + EXPECTED_DEPENDENCY: 220 jobs: generate-and-load-sbom: @@ -44,8 +47,13 @@ jobs: with: pipelines: "load_sbom" inputs-path: "anchore-grype-sbom.cdx.json" + scancodeio-repo-branch: "main" - name: Verify SBOM Analysis Results in ScanCode.io shell: bash run: | - scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 3200; assert package_manager.vulnerable().count() > 40; assert DiscoveredDependency.objects.count() > 220" + scanpipe verify-project \ + --project scancode-action \ + --packages ${{ env.EXPECTED_PACKAGE }} \ + --vulnerable-packages ${{ env.EXPECTED_VULNERABLE_PACKAGE }} \ + --dependencies ${{ env.EXPECTED_DEPENDENCY }} diff --git a/.github/workflows/sca-integration-cdxgen.yml b/.github/workflows/sca-integration-cdxgen.yml index 0af013ab99..ad7f050fac 100644 --- a/.github/workflows/sca-integration-cdxgen.yml +++ b/.github/workflows/sca-integration-cdxgen.yml 
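Review bot: `EXPECTED_VULNERABLE_PACKAGE: 40` is passed to `--vulnerable-packages`, which the verify-project command treats as an exact count, whereas the assertion it replaces was `vulnerable().count() > 40`, a lower bound. For a tag-pinned image the number of vulnerable packages moves as advisories are published or withdrawn, so the weekly run will start failing on the first new CVE rather than on a regression in the SBOM loader. The same lower-bound-to-exact change happens in the depscan (10), trivy (40) and ORT (1) hunks of this patch; either give the command a minimum form for vulnerable packages (keeping exact semantics only where `0` is meant) or put a comment next to each env value explaining why an exact count is wanted and how it is expected to be maintained.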
@@ -19,6 +19,9 @@ permissions: env: IMAGE_REFERENCE: "python:3.13.0-slim" + EXPECTED_PACKAGE: 340 + EXPECTED_VULNERABLE_PACKAGE: 0 + EXPECTED_DEPENDENCY: 0 jobs: generate-and-load-sbom: @@ -47,8 +50,13 @@ jobs: with: pipelines: "load_sbom" inputs-path: "cdxgen-sbom.cdx.json" + scancodeio-repo-branch: "main" - name: Verify SBOM Analysis Results in ScanCode.io shell: bash run: | - scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 340; assert package_manager.vulnerable().count() == 0; assert DiscoveredDependency.objects.count() == 0" + scanpipe verify-project \ + --project scancode-action \ + --packages ${{ env.EXPECTED_PACKAGE }} \ + --vulnerable-packages ${{ env.EXPECTED_VULNERABLE_PACKAGE }} \ + --dependencies ${{ env.EXPECTED_DEPENDENCY }} diff --git a/.github/workflows/sca-integration-depscan.yml b/.github/workflows/sca-integration-depscan.yml index adfb76804f..6b824a6a60 100644 --- a/.github/workflows/sca-integration-depscan.yml +++ b/.github/workflows/sca-integration-depscan.yml @@ -19,6 +19,9 @@ permissions: env: IMAGE_REFERENCE: "python:3.13.0-slim" + EXPECTED_PACKAGE: 220 + EXPECTED_VULNERABLE_PACKAGE: 10 + EXPECTED_DEPENDENCY: 150 jobs: generate-and-load-sbom: 
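Review bot: In the cdxgen hunk `--dependencies ${{ env.EXPECTED_DEPENDENCY }}` with `EXPECTED_DEPENDENCY: 0` is a vacuous lower bound, while the assertion it replaces was `DiscoveredDependency.objects.count() == 0`, i.e. it pinned that loading a cdxgen SBOM yields no dependency records. If that property still matters the command needs an exact-count option for dependencies; if it was deliberately dropped, a comment such as `# cdxgen SBOMs carry no dependency graph; count is not asserted` next to the env value would stop the 0 from reading as a real expectation.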
@@ -52,8 +55,13 @@ jobs: with: pipelines: "load_sbom" inputs-path: "reports/sbom-docker.vdr.json" + scancodeio-repo-branch: "main" - name: Verify SBOM Analysis Results in ScanCode.io shell: bash run: | - scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 220; assert package_manager.vulnerable().count() > 10; assert DiscoveredDependency.objects.count() > 150" + scanpipe verify-project \ + --project scancode-action \ + --packages ${{ env.EXPECTED_PACKAGE }} \ + --vulnerable-packages ${{ env.EXPECTED_VULNERABLE_PACKAGE }} \ + --dependencies ${{ env.EXPECTED_DEPENDENCY }} diff --git a/.github/workflows/sca-integration-ort.yml b/.github/workflows/sca-integration-ort.yml index 98df3236cf..2ccdee1895 100644 --- a/.github/workflows/sca-integration-ort.yml +++ b/.github/workflows/sca-integration-ort.yml @@ -21,6 +21,11 @@ on: permissions: contents: read +env: + EXPECTED_PACKAGE: 5 + EXPECTED_VULNERABLE_PACKAGE: 1 + EXPECTED_DEPENDENCY: 1 + jobs: generate-and-load-sbom: runs-on: ubuntu-24.04 @@ -47,4 +52,8 @@ jobs: - name: Verify SBOM Analysis Results in ScanCode.io shell: bash run: | - scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() >= 5; assert package_manager.vulnerable().count() >= 1; assert DiscoveredDependency.objects.count() >= 1" + scanpipe verify-project \ + --project scancode-action \ + --packages ${{ env.EXPECTED_PACKAGE }} \ + --vulnerable-packages ${{ env.EXPECTED_VULNERABLE_PACKAGE }} \ + --dependencies ${{ env.EXPECTED_DEPENDENCY }} diff --git a/.github/workflows/sca-integration-osv-scanner.yml b/.github/workflows/sca-integration-osv-scanner.yml index 9ce3e6602f..2ee54a3620 100644 --- a/.github/workflows/sca-integration-osv-scanner.yml +++ b/.github/workflows/sca-integration-osv-scanner.yml 
@@ -55,7 +55,7 @@ jobs: with: pipelines: "load_sbom" inputs-path: "osv-sbom.spdx.json" - scancodeio-repo-branch: "sca-integration-workflow-fix" + scancodeio-repo-branch: "main" - name: Verify SBOM Analysis Results in ScanCode.io shell: bash diff --git a/.github/workflows/sca-integration-sbom-tool.yml b/.github/workflows/sca-integration-sbom-tool.yml index 125926e7a1..01bc2fe96d 100644 --- a/.github/workflows/sca-integration-sbom-tool.yml +++ b/.github/workflows/sca-integration-sbom-tool.yml @@ -19,6 +19,9 @@ permissions: env: IMAGE_REFERENCE: "python:3.13.0-slim" + EXPECTED_PACKAGE: 90 + EXPECTED_VULNERABLE_PACKAGE: 0 + EXPECTED_DEPENDENCY: 90 jobs: generate-and-load-sbom: @@ -57,4 +60,8 @@ jobs: - name: Verify SBOM Analysis Results in ScanCode.io shell: bash run: | - scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 90; assert package_manager.vulnerable().count() == 0; assert DiscoveredDependency.objects.count() > 90" + scanpipe verify-project \ + --project scancode-action \ + --packages ${{ env.EXPECTED_PACKAGE }} \ + --vulnerable-packages ${{ env.EXPECTED_VULNERABLE_PACKAGE }} \ + --dependencies ${{ env.EXPECTED_DEPENDENCY }} diff --git a/.github/workflows/sca-integration-trivy.yml b/.github/workflows/sca-integration-trivy.yml index 5e7306fd64..d4f2c2e46f 100644 --- a/.github/workflows/sca-integration-trivy.yml +++ b/.github/workflows/sca-integration-trivy.yml @@ -19,6 +19,9 @@ permissions: env: IMAGE_REFERENCE: "python:3.13.0-slim" + EXPECTED_PACKAGE: 90 + EXPECTED_VULNERABLE_PACKAGE: 40 + EXPECTED_DEPENDENCY: 190 jobs: generate-and-load-sbom: 
@@ -46,8 +49,22 @@ jobs: with: pipelines: "load_sbom" inputs-path: "trivy-report.sbom.json" + scancodeio-repo-branch: "main" - name: Verify SBOM Analysis Results in ScanCode.io shell: bash run: | - scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 90; assert package_manager.vulnerable().count() > 40; assert DiscoveredDependency.objects.count() > 190" + scanpipe verify-project \ + --project scancode-action \ + --packages ${{ env.EXPECTED_PACKAGE }} \ + --vulnerable-packages ${{ env.EXPECTED_VULNERABLE_PACKAGE }} \ + --dependencies ${{ env.EXPECTED_DEPENDENCY }} + + - name: Verify SBOM Analysis Results in ScanCode.io + shell: bash + run: | + scanpipe verify-project \ + --project scancode-action \ + --packages ${{ env.EXPECTED_PACKAGE }} \ + --vulnerable-packages ${{ env.EXPECTED_VULNERABLE_PACKAGE }} \ + --dependencies ${{ env.EXPECTED_DEPENDENCY }} From 97fc3b4abbcd99d232e67d8d876a45e63d6d410c Mon Sep 17 00:00:00 2001 From: tdruez Date: Wed, 15 Oct 2025 09:19:04 +0400 Subject: [PATCH 10/11] Trigger all workflow on PR Signed-off-by: tdruez --- .github/workflows/sca-integration-anchore.yml | 1 + .github/workflows/sca-integration-cdxgen.yml | 1 + .github/workflows/sca-integration-depscan.yml | 1 + .github/workflows/sca-integration-ort.yml | 5 +---- .github/workflows/sca-integration-osv-scanner.yml | 2 +- .github/workflows/sca-integration-sbom-tool.yml | 1 + .github/workflows/sca-integration-trivy.yml | 10 +--------- 7 files changed, 7 insertions(+), 14 deletions(-) diff --git a/.github/workflows/sca-integration-anchore.yml b/.github/workflows/sca-integration-anchore.yml index d8ac014829..ad29e8c2af 100644 --- a/.github/workflows/sca-integration-anchore.yml +++ b/.github/workflows/sca-integration-anchore.yml 
@@ -9,6 +9,7 @@ name: Generate SBOM with Anchore Grype and load into ScanCode.io
 # It runs on demand, and once a week (scheduled).
 
 on:
+ pull_request:
 workflow_dispatch:
 schedule:
 # Run once a week (every 7 days) at 00:00 UTC on Sunday
diff --git a/.github/workflows/sca-integration-cdxgen.yml b/.github/workflows/sca-integration-cdxgen.yml
index ad7f050fac..eba415da84 100644
--- a/.github/workflows/sca-integration-cdxgen.yml
+++ b/.github/workflows/sca-integration-cdxgen.yml
@@ -9,6 +9,7 @@ name: Generate SBOM with CycloneDX cdxgen and load into ScanCode.io
 # It runs on demand, and once a week (scheduled).
 
 on:
+ pull_request:
 workflow_dispatch:
 schedule:
 # Run once a week (every 7 days) at 00:00 UTC on Sunday
diff --git a/.github/workflows/sca-integration-depscan.yml b/.github/workflows/sca-integration-depscan.yml
index 6b824a6a60..a691704e7f 100644
--- a/.github/workflows/sca-integration-depscan.yml
+++ b/.github/workflows/sca-integration-depscan.yml
@@ -9,6 +9,7 @@ name: Generate SBOM with OWASP dep-scan and load into ScanCode.io
 # It runs on demand, and once a week (scheduled).
 
 on:
+ pull_request:
 workflow_dispatch:
 schedule:
 # Run once a week (every 7 days) at 00:00 UTC on Sunday
diff --git a/.github/workflows/sca-integration-ort.yml b/.github/workflows/sca-integration-ort.yml
index 2ccdee1895..483f730b88 100644
--- a/.github/workflows/sca-integration-ort.yml
+++ b/.github/workflows/sca-integration-ort.yml
@@ -9,14 +9,11 @@ name: Generate SBOM with ORT and load into ScanCode.io
 # It runs on demand, and once a week (scheduled).
 
 on:
+ pull_request:
 workflow_dispatch:
 schedule:
 # Run once a week (every 7 days) at 00:00 UTC on Sunday
 - cron: "0 0 * * 0"
- pull_request:
- push:
- branches:
- - main
 
 permissions:
 contents: read
diff --git a/.github/workflows/sca-integration-osv-scanner.yml b/.github/workflows/sca-integration-osv-scanner.yml
index 2ee54a3620..997598222e 100644
--- a/.github/workflows/sca-integration-osv-scanner.yml
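Review bot: The ORT hunk also removes the `push:` / `branches:` / `- main` trigger, which the commit title ("Trigger all workflow on PR") does not mention; once the last patch in this series removes `pull_request:` again, ORT runs only on dispatch and the weekly schedule, so a regression merged to main surfaces up to a week later. If aligning ORT with the other six workflows is the intent, state that in the commit message; otherwise keep the `push:` block with `branches:` / `- main` under the new `on:` mapping. Note that the header comment `# It runs on demand, and once a week (scheduled).` is only accurate for ORT once the push trigger is gone, so the comment and the trigger should change together either way.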
+++ b/.github/workflows/sca-integration-osv-scanner.yml
@@ -9,8 +9,8 @@ name: Generate SBOM with OSV-Scanner and load into ScanCode.io
 # It runs on demand, and once a week (scheduled).
 
 on:
- workflow_dispatch:
 pull_request:
+ workflow_dispatch:
 schedule:
 # Run once a week (every 7 days) at 00:00 UTC on Sunday
 - cron: "0 0 * * 0"
diff --git a/.github/workflows/sca-integration-sbom-tool.yml b/.github/workflows/sca-integration-sbom-tool.yml
index 01bc2fe96d..c8a13abbcf 100644
--- a/.github/workflows/sca-integration-sbom-tool.yml
+++ b/.github/workflows/sca-integration-sbom-tool.yml
@@ -9,6 +9,7 @@ name: Generate SBOM with SBOM tool and load into ScanCode.io
 # It runs on demand, and once a week (scheduled).
 
 on:
+ pull_request:
 workflow_dispatch:
 schedule:
 # Run once a week (every 7 days) at 00:00 UTC on Sunday
diff --git a/.github/workflows/sca-integration-trivy.yml b/.github/workflows/sca-integration-trivy.yml
index d4f2c2e46f..eb7c513ae7 100644
--- a/.github/workflows/sca-integration-trivy.yml
+++ b/.github/workflows/sca-integration-trivy.yml
@@ -9,6 +9,7 @@ name: Generate SBOM with Trivy and load into ScanCode.io
 # It runs on demand, and once a week (scheduled).
 
 on:
+ pull_request:
 workflow_dispatch:
 schedule:
 # Run once a week (every 7 days) at 00:00 UTC on Sunday
@@ -59,12 +60,3 @@ jobs:
 --packages ${{ env.EXPECTED_PACKAGE }} \
 --vulnerable-packages ${{ env.EXPECTED_VULNERABLE_PACKAGE }} \
 --dependencies ${{ env.EXPECTED_DEPENDENCY }}
- - name: Verify SBOM Analysis Results in ScanCode.io
- shell: bash
- run: |
- scanpipe verify-project \
- --project scancode-action \
- --packages ${{ env.EXPECTED_PACKAGE }} \
- --vulnerable-packages ${{ env.EXPECTED_VULNERABLE_PACKAGE }} \
- --dependencies ${{ env.EXPECTED_DEPENDENCY }}
From 64eb26fe5ac9dd2f5540846da2f701905c08dcdf Mon Sep 17 00:00:00 2001
From: tdruez
Date: Wed, 15 Oct 2025 09:27:55 +0400
Subject: [PATCH 11/11] Remove the PR trigger before merging
Signed-off-by: tdruez
---
 .github/workflows/sca-integration-anchore.yml | 1 -
 .github/workflows/sca-integration-cdxgen.yml | 1 -
 .github/workflows/sca-integration-depscan.yml | 1 -
 .github/workflows/sca-integration-ort.yml | 1 -
 .github/workflows/sca-integration-osv-scanner.yml | 1 -
 .github/workflows/sca-integration-sbom-tool.yml | 1 -
 .github/workflows/sca-integration-trivy.yml | 1 -
 7 files changed, 7 deletions(-)
diff --git a/.github/workflows/sca-integration-anchore.yml b/.github/workflows/sca-integration-anchore.yml
index ad29e8c2af..d8ac014829 100644
--- a/.github/workflows/sca-integration-anchore.yml
+++ b/.github/workflows/sca-integration-anchore.yml
@@ -9,7 +9,6 @@ name: Generate SBOM with Anchore Grype and load into ScanCode.io
 # It runs on demand, and once a week (scheduled).
 
 on:
- pull_request:
 workflow_dispatch:
 schedule:
 # Run once a week (every 7 days) at 00:00 UTC on Sunday
diff --git a/.github/workflows/sca-integration-cdxgen.yml b/.github/workflows/sca-integration-cdxgen.yml
index eba415da84..ad7f050fac 100644
--- a/.github/workflows/sca-integration-cdxgen.yml
+++ b/.github/workflows/sca-integration-cdxgen.yml
@@ -9,7 +9,6 @@ name: Generate SBOM with CycloneDX cdxgen and load into ScanCode.io
 # It runs on demand, and once a week (scheduled).
 
 on:
- pull_request:
 workflow_dispatch:
 schedule:
 # Run once a week (every 7 days) at 00:00 UTC on Sunday
diff --git a/.github/workflows/sca-integration-depscan.yml b/.github/workflows/sca-integration-depscan.yml
index a691704e7f..6b824a6a60 100644
--- a/.github/workflows/sca-integration-depscan.yml
+++ b/.github/workflows/sca-integration-depscan.yml
@@ -9,7 +9,6 @@ name: Generate SBOM with OWASP dep-scan and load into ScanCode.io
 # It runs on demand, and once a week (scheduled).
 
 on:
- pull_request:
 workflow_dispatch:
 schedule:
 # Run once a week (every 7 days) at 00:00 UTC on Sunday
diff --git a/.github/workflows/sca-integration-ort.yml b/.github/workflows/sca-integration-ort.yml
index 483f730b88..f5407b1547 100644
--- a/.github/workflows/sca-integration-ort.yml
+++ b/.github/workflows/sca-integration-ort.yml
@@ -9,7 +9,6 @@ name: Generate SBOM with ORT and load into ScanCode.io
 # It runs on demand, and once a week (scheduled).
 
 on:
- pull_request:
 workflow_dispatch:
 schedule:
 # Run once a week (every 7 days) at 00:00 UTC on Sunday
diff --git a/.github/workflows/sca-integration-osv-scanner.yml b/.github/workflows/sca-integration-osv-scanner.yml
index 997598222e..0edaa49d9c 100644
--- a/.github/workflows/sca-integration-osv-scanner.yml
+++ b/.github/workflows/sca-integration-osv-scanner.yml
@@ -9,7 +9,6 @@ name: Generate SBOM with OSV-Scanner and load into ScanCode.io
 # It runs on demand, and once a week (scheduled).
 
 on:
- pull_request:
 workflow_dispatch:
 schedule:
 # Run once a week (every 7 days) at 00:00 UTC on Sunday
diff --git a/.github/workflows/sca-integration-sbom-tool.yml b/.github/workflows/sca-integration-sbom-tool.yml
index c8a13abbcf..01bc2fe96d 100644
--- a/.github/workflows/sca-integration-sbom-tool.yml
+++ b/.github/workflows/sca-integration-sbom-tool.yml
@@ -9,7 +9,6 @@ name: Generate SBOM with SBOM tool and load into ScanCode.io
 # It runs on demand, and once a week (scheduled).
 
 on:
- pull_request:
 workflow_dispatch:
 schedule:
 # Run once a week (every 7 days) at 00:00 UTC on Sunday
diff --git a/.github/workflows/sca-integration-trivy.yml b/.github/workflows/sca-integration-trivy.yml
index eb7c513ae7..d135e00322 100644
--- a/.github/workflows/sca-integration-trivy.yml
+++ b/.github/workflows/sca-integration-trivy.yml
@@ -9,7 +9,6 @@ name: Generate SBOM with Trivy and load into ScanCode.io
 # It runs on demand, and once a week (scheduled).
 
 on:
- pull_request:
 workflow_dispatch:
 schedule:
 # Run once a week (every 7 days) at 00:00 UTC on Sunday