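---
# Weekly OWASP Dependency-Check scan of the jdbc-core module.
#
# Flow: mint a short-lived JFrog token through GitHub OIDC (no long-lived
# registry secret in the repo), point Maven at the JFrog mirror, run
# dependency-check, e-mail a summary when high/critical findings exist,
# upload the reports, and only THEN fail the job — a non-zero exit inside the
# check step would mark the job failed before the e-mail and artifact steps
# ran, and those steps (no always()/failure() condition) would be skipped.
name: Weekly Security Scan

on:
  schedule:
    - cron: '0 0 * * 0'  # Run every Sunday at midnight UTC
  workflow_dispatch:  # Allow manual triggering

# Least privilege: the job only needs to mint an OIDC token and read the repo.
permissions:
  id-token: write
  contents: read

jobs:
  security-scan:
    runs-on:
      group: databricks-protected-runner-group
      labels: linux-ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          ref: main  # Explicitly check out main branch
          # Nothing later pushes, so do not leave GITHUB_TOKEN in .git/config
          # where later steps (including third-party actions) could read it.
          persist-credentials: false

      - name: Set up JDK 11
        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
        with:
          java-version: '11'
          distribution: 'temurin'
          cache: maven

      # Token retrieval and settings.xml generation live in ONE step so the
      # JFrog token is never exported via GITHUB_ENV to every subsequent step
      # (the third-party mail action would otherwise inherit it).
      - name: Get JFrog OIDC token and configure Maven
        run: |
          set -euo pipefail
          # Mint the GitHub OIDC ID token for the JFrog audience.
          # --fail turns an HTTP error into a non-zero exit instead of feeding
          # an error body to jq. No -L: curl re-sends custom headers (here the
          # bearer token) to redirect targets, and this endpoint needs no redirect.
          ID_TOKEN=$(curl --fail -sS \
            -H "User-Agent: actions/oidc-client" \
            -H "Authorization: Bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
            "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq -r '.value')
          if [ -z "${ID_TOKEN}" ] || [ "${ID_TOKEN}" = "null" ]; then
            echo "FAIL: Could not obtain GitHub OIDC ID token"
            exit 1
          fi
          echo "::add-mask::${ID_TOKEN}"

          # Exchange the ID token for a JFrog access token (OAuth token exchange).
          # The body is built with jq so the token is JSON-encoded rather than
          # string-interpolated into a JSON literal.
          REQUEST_BODY=$(jq -cn --arg tok "${ID_TOKEN}" '{
            grant_type: "urn:ietf:params:oauth:grant-type:token-exchange",
            subject_token_type: "urn:ietf:params:oauth:token-type:id_token",
            subject_token: $tok,
            provider_name: "github-actions"
          }')
          ACCESS_TOKEN=$(curl --fail -sS -X POST -H "Content-Type: application/json" \
            "https://databricks.jfrog.io/access/api/v1/oidc/token" \
            -d "${REQUEST_BODY}" | jq -r '.access_token')
          echo "::add-mask::${ACCESS_TOKEN}"
          if [ -z "${ACCESS_TOKEN}" ] || [ "${ACCESS_TOKEN}" = "null" ]; then
            echo "FAIL: Could not extract JFrog access token"
            exit 1
          fi
          echo "JFrog OIDC token obtained successfully"

          # Write Maven settings readable only by the runner user (umask 077 ->
          # mode 600). The heredoc is deliberately unquoted so ${ACCESS_TOKEN}
          # expands; nothing else in it contains shell metacharacters.
          umask 077
          mkdir -p ~/.m2
          cat > ~/.m2/settings.xml << EOF
          <settings>
            <mirrors>
              <mirror>
                <id>jfrog-central</id>
                <mirrorOf>*</mirrorOf>
                <url>https://databricks.jfrog.io/artifactory/db-maven/</url>
              </mirror>
            </mirrors>
            <servers>
              <server>
                <id>jfrog-central</id>
                <username>gha-service-account</username>
                <password>${ACCESS_TOKEN}</password>
              </server>
            </servers>
          </settings>
          EOF
          echo "Maven configured to use JFrog registry"

      - name: Run OWASP Dependency Check
        env:
          # Passed through the environment rather than inlined into the command
          # line so the key does not show up in process listings.
          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
        run: |
          set -euo pipefail
          mvn --batch-mode -pl jdbc-core org.owasp:dependency-check-maven:check \
            -Dnvd.api.key="${NVD_API_KEY}"

      # The runner group is self-hosted; do not assume it is ephemeral.
      # Remove the token-bearing settings file even when the scan fails.
      - name: Remove Maven credentials
        if: always()
        run: rm -f ~/.m2/settings.xml

      - name: Check for vulnerabilities
        id: check_vulnerabilities
        env:
          RUN_URL: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
        run: |
          set -euo pipefail
          REPORT=jdbc-core/target/dependency-check-report.html
          # A missing report must not be read as "no findings".
          if [ ! -f "${REPORT}" ]; then
            echo "FAIL: ${REPORT} not found; dependency-check did not produce a report"
            exit 1
          fi
          # NOTE(review): this is a plain-text heuristic against the rendered
          # HTML; confirm the string actually appears for high/critical
          # findings with the pinned dependency-check version. Parsing the JSON
          # report, or running the plugin with -DfailBuildOnCVSS=7, would be a
          # more robust signal.
          if grep -q "CVSS score >= 7" "${REPORT}"; then
            echo "has_vulnerabilities=true" >> "${GITHUB_OUTPUT}"
            echo "Critical or high vulnerabilities found (CVSS score >= 7)"
            # Minimal HTML summary for the e-mail body; the full report goes to
            # the run's artifacts.
            {
              echo "<!DOCTYPE html><html><head><title>JDBC Driver Security Scan Results</title></head><body>"
              echo "<h1>Security Vulnerabilities Found</h1>"
              echo "<p>Critical or high vulnerabilities (CVSS score >= 7) were found in the weekly scan of the JDBC driver.</p>"
              echo "<p>Please check the full report in the GitHub Actions artifacts: <a href='${RUN_URL}'>View Artifacts</a></p>"
              echo "</body></html>"
            } > security-scan-report.html
          else
            echo "has_vulnerabilities=false" >> "${GITHUB_OUTPUT}"
            echo "No critical or high vulnerabilities found"
          fi

      - name: Send Email
        if: steps.check_vulnerabilities.outputs.has_vulnerabilities == 'true'
        uses: dawidd6/action-send-mail@4226df7daafa6fc901a43789c49bf7ab309066e7 # v3
        with:
          server_address: smtp.gmail.com
          server_port: 465
          username: ${{ secrets.SMTP_USERNAME }}
          password: ${{ secrets.SMTP_PASSWORD }}
          subject: OSS JDBC Driver Security Scan - 🚨 Vulnerabilities Found
          html_body: file://security-scan-report.html
          to: ${{ secrets.EMAIL_RECIPIENTS }}
          from: JDBC Security Scanner
          content_type: text/html

      - name: Upload Report as Artifact
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: security-scan-reports
          path: |
            jdbc-core/target/dependency-check-report.html
            jdbc-core/target/dependency-check-report.json
            security-scan-report.html

      # Fail last, after alerting and artifact upload have had their chance to run.
      - name: Fail the job when vulnerabilities were found
        if: steps.check_vulnerabilities.outputs.has_vulnerabilities == 'true'
        run: |
          echo "Critical or high vulnerabilities found (CVSS score >= 7)"
          exit 1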