Fixes for ruby code

Signed-off-by: sandhi <sagarwal@progress.com>

Author: sandhi18

.github/workflows/ci-main-pull-request.yml

@@ -105,7 +105,7 @@ on:
         description: 'Fail pipeline if Trivy finds HIGH or CRITICAL vulnerabilities'
         required: false
         type: boolean
-        default: true
+        default: false
 
       build:
         description: 'CI Build (language-specific)'
@@ -169,15 +169,15 @@ on:
         type: string
       polaris-coverity-clean-command:
         # NEW IN 1.0.7
-        description: 'Coverity clean command, typically done before build stage by language or here as param 1-liner like "mvn clean"'
+        description: 'Coverity clean command, typically done before build stage by language or here as param 1-liner like "mvn clean". Leave empty for buildless analysis (Ruby, Python, etc.)'
         required: false
-        default: 'go clean'
+        default: ''
         type: string
       polaris-coverity-build-command:
         # NEW IN 1.0.7
-        description: 'Coverity build command, typically done in build stage by language or here as param 1-liner like "mvn clean install"'
+        description: 'Coverity build command, typically done in build stage by language or here as param 1-liner like "mvn clean install". Leave empty for buildless analysis (Ruby, Python, etc.)'
         required: false
-        default: 'go build'
+        default: ''
         type: string
       polaris-coverity-args:
         # NEW IN 1.0.7
@@ -374,6 +374,11 @@ on:
         required: false
         type: boolean
         default: false
+      ruby-app-directory:
+        description: 'Subdirectory containing Ruby Gemfile (e.g., "src/supermarket" for repos with non-root Gemfile location). Leave empty if Gemfile is in root.'
+        required: false
+        type: string
+        default: ''
 
       udf1:
         description: 'User defined flag 1'
@@ -716,7 +721,7 @@ jobs:
   run-trivy:
     name: 'Trivy scan'
     if: ${{ inputs.perform-trivy-scan }}
-    uses: chef/common-github-actions/.github/workflows/trivy.yml@sandhi/fix-blackduc-sca
+    uses: chef/common-github-actions/.github/workflows/trivy.yml@main
     needs: checkout
     with:
       version: ${{ inputs.version }}
@@ -1024,11 +1029,6 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Configure git for private Go modules
-        env:
-          GOPRIVATE: ${{ inputs.go-private-modules }}
-        run: git config --global url."https://${{ secrets.GH_TOKEN }}@github.com/".insteadOf "https://github.com/"
-
       - name: Install build tools for Erlang
         if: inputs.language == 'erlang'
         run: |
@@ -1046,7 +1046,7 @@ jobs:
         if: inputs.language == 'ruby'
         uses: ruby/setup-ruby@v1
         with:
-          ruby-version: '3.0'
+          ruby-version: '3.4'
           bundler-cache: false
 
       - name: Create bundle stub for Erlang SAST scan
@@ -1381,7 +1381,7 @@ jobs:
     name: 'Generating SBOM'
     #    Create software bill-of-materials (SBOM) using SPDX format
     if: ${{ inputs.generate-sbom == true }}
-    uses: chef/common-github-actions/.github/workflows/sbom.yml@sandhi/fix-blackduc-sca
+    uses: chef/common-github-actions/.github/workflows/sbom.yml@main
     needs: checkout # TODO: fix set-application-version
     secrets: inherit
     with:
@@ -1397,6 +1397,7 @@ jobs:
       blackduck-force-low-accuracy-mode: ${{ inputs.blackduck-force-low-accuracy-mode }}
       run-bundle-install: ${{ inputs.run-bundle-install }} # Passed to sbom.yml to generate Gemfile.lock at runtime
       language: ${{ inputs.language }}
+      ruby-app-directory: ${{ inputs.ruby-app-directory }}
 
   quality-dashboard:
     name: 'Reporting to quality dashboard'

.github/workflows/sbom.yml

@@ -77,6 +77,11 @@ on:
         required: false
         type: string
         default: 'ruby'
+      ruby-app-directory:
+        description: 'Subdirectory containing Ruby Gemfile (e.g., "src/supermarket" for repos with non-root Gemfile location). Leave empty if Gemfile is in root.'
+        required: false
+        type: string
+        default: ''
 
 env:
   # Set the default SBOM filename prefix
@@ -207,7 +212,8 @@ jobs:
         uses: ruby/setup-ruby@v1
         with:
           ruby-version: '3.4.2'
-          bundler-cache: true
+          bundler-cache: false
+          working-directory: ${{ inputs.ruby-app-directory != '' && inputs.ruby-app-directory || '.' }}
 
       - name: Set up Erlang/OTP and rebar3
         if: inputs.language == 'erlang'
@@ -225,6 +231,7 @@ jobs:
       - name: generate Gemfile.lock if needed for Ruby projects
         if: ${{ inputs.run-bundle-install == true && inputs.language == 'ruby' }} 
         continue-on-error: true
+        working-directory: ${{ inputs.ruby-app-directory != '' && inputs.ruby-app-directory || '.' }}
         run: |
           if [ ! -f Gemfile.lock ]; then
             bundle install 
@@ -235,7 +242,7 @@ jobs:
         uses: actions/upload-artifact@v4
         continue-on-error: true
         with:
-          path: Gemfile.lock
+          path: ${{ inputs.ruby-app-directory != '' && format('{0}/Gemfile.lock', inputs.ruby-app-directory) || 'Gemfile.lock' }}
           name: ${{ github.event.repository.name }}-Gemfile-lock.txt 
 
       - name: BlackDuck SCA scan
@@ -249,7 +256,8 @@ jobs:
         with:
           blackducksca_url: ${{ secrets.BLACKDUCK_SBOM_URL }}  # BLACKDUCK_URL, should be https://progresssoftware.app.blackduck.com/ 
           blackducksca_token: ${{ secrets.BLACKDUCK_SCA_TOKEN }}  # was BLACKDUCK_API_KEY
-          detect_args: ${{ inputs.blackduck-force-low-accuracy-mode == true && '--detect.excluded.detector.types=PIP --detect.accuracy.required=NONE' || '--detect.excluded.detector.types=PIP' }}
+          blackducksca_scan_full: true  # Force INTELLIGENT scan mode for all branches (uploads results to server)
+          detect_args: ${{ inputs.ruby-app-directory != '' && format('{0} --detect.source.path={1}', inputs.blackduck-force-low-accuracy-mode == true && '--detect.excluded.detector.types=PIP --detect.accuracy.required=NONE' || '--detect.excluded.detector.types=PIP', inputs.ruby-app-directory) || (inputs.blackduck-force-low-accuracy-mode == true && '--detect.excluded.detector.types=PIP --detect.accuracy.required=NONE' || '--detect.excluded.detector.types=PIP') }}
           # blackducksca_scan_failure_severities: 'BLOCKER,CRITICAL'
           # ignore python per https://documentation.blackduck.com/bundle/detect/page/packagemgrs/python.html
 

.github/workflows/trivy.yml

@@ -19,7 +19,7 @@ on:
         description: 'Fail the build if HIGH or CRITICAL vulnerabilities are found'
         required: false
         type: boolean
-        default: true
+        default: false
 
 jobs:
   trivy: