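#!/bin/bash
###### Information ############################################################################
# Copyright OpenSearch Contributors
# SPDX-License-Identifier: Apache-2.0
#
# The OpenSearch Contributors require contributions made to
# this file be licensed under the Apache-2.0 license or a
# compatible open source license.
#
# Name: wss-scan.sh
# Language: Shell
#
# About: This script is to scan the OpenSearch distros for vulnerabilities and licenses
#        It will scan the repositories and send the WhiteSource link to the mail
#        of the user.
#
# Prerequisites: Need to install Java 11
#                Export JAVA_HOME env variable to the JDK path
#                Add JAVA_HOME to PATH variable
#                Need to set the recipient mail in wss-scan.config for local run
#                WhiteSource API key is needed for local run. The API Key can be retrieved from the
#                WhiteSource Admin Console of your account. Use the below command to export the API key
#                export wss_apikey=<your-api-key>
#
# Usage: ./wss-scan.sh
#
# Security notes:
#   - wss-scan.config is sourced as shell code, so everything in it runs with this
#     script's privileges. Only run the script with a config file you control.
#   - The Unified Agent JAR is fetched over HTTPS and then executed with `java -jar`.
#     Export WSS_AGENT_SHA256 (the expected SHA-256 of the JAR) to have the file
#     verified before it is run; without it the download is trusted as-is.
#   - The API key is passed to the agent on its command line, so it is visible in
#     process listings (`ps`) and in `set -x` traces on the scanning host.
###############################################################################################
set -eo pipefail

# Pinned Unified Agent release. Bump deliberately: the JAR is arbitrary code that
# runs with this script's privileges.
wss_agent_version='21.11.2.1'
wss_agent_url="https://unified-agent.s3.amazonaws.com/wss-unified-agent-${wss_agent_version}.jar"

#######################################
# Generate a temporary `settings.gradle` in the current directory so the agent's
# Gradle resolver has a root project name. The name is derived from the
# repository name passed in, not parsed out of `build.gradle`.
# Arguments: $1 - repository name (e.g. "OpenSearch")
# Outputs:   writes ./settings.gradle and prints its content
#######################################
generate_settings_gradle() {
  local repo_name="$1"
  # printf instead of echo: the value is written verbatim, with no option or
  # backslash interpretation.
  printf "rootProject.name = 'opensearch-%s'\n" "${repo_name}" > settings.gradle
  cat settings.gradle
}

#######################################
# Run the Unified Agent once against a checked-out tree.
# Arguments: $1 - product name reported to WhiteSource
#            $2 - project name (the repository name)
#            $3 - directory to scan
# Globals:   baseDirPath, wss_apikey (read)
# NOTE: the API key ends up on the agent's command line (see Security notes).
#######################################
run_wss_scan() {
  local product="$1"
  local project="$2"
  local scan_dir="$3"
  java -jar "${baseDirPath}/wss-unified-agent.jar" \
    -c "${baseDirPath}/wss-unified-agent.config" \
    -d "${scan_dir}" \
    -apiKey "${wss_apikey}" \
    -product "${product}" \
    -project "${project}"
}

# Fail early on a missing toolchain: set -e aborts if any of these is absent.
java -version; gradle -v; mvn -v; node -v; npm -v; yarn -v

if [[ ! -f "wss-unified-agent.jar" ]]; then
  # Download the WhiteSource Agent. --fail keeps an HTTP error page from being
  # saved (and later executed) as the JAR.
  curl --fail --silent --show-error "${wss_agent_url}" --output wss-unified-agent.jar
fi

# Optional integrity check on the JAR that is about to be executed, whether it
# was just downloaded or already present in the working directory.
if [[ -n "${WSS_AGENT_SHA256:-}" ]]; then
  printf '%s  wss-unified-agent.jar\n' "${WSS_AGENT_SHA256}" | sha256sum -c - \
    || { echo "wss-unified-agent.jar does not match WSS_AGENT_SHA256; refusing to run it" >&2; exit 1; }
fi

# scan the config file for the user configurations
# wss-scan.config has to be present in the same working directory as the script
# (it is sourced, i.e. executed as shell code).
echo "Run before source"
. ./wss-scan.config
echo "$gitRepos"

# Refuse to continue without the values the rest of the script relies on. An
# empty baseDirPath would otherwise turn the cleanup below into `rm -rf /repos`.
: "${baseDirPath:?baseDirPath must be set in wss-scan.config}"
: "${gitBasePath:?gitBasePath must be set in wss-scan.config}"
: "${gitRepos:?gitRepos must be set in wss-scan.config}"
: "${wss_apikey:?wss_apikey must be exported (WhiteSource API key)}"

# gitRepos is a comma-separated list; turn it into one repository name per line
gitRepos=${gitRepos//,/$'\n'}
basepath="${baseDirPath}/repos"

echo "Cleaning up scan directories if already present"
rm -rf -- "${basepath:?}"
echo "Cleaning up temp file that will affect scan"
# The agent keeps state under /tmp/ws*; stale state skews the scan.
# NOTE(review): this glob is not scoped to this user or run and removes any
# matching path in the shared /tmp.
rm -rf /tmp/ws*
mkdir -p -- "${basepath}"

# clone the desired Repos for scanning
# ($gitRepos is deliberately unquoted: one name per line, split on whitespace)
for repo in $gitRepos; do
  # Repository names are joined into paths that are later removed with rm -rf;
  # reject anything that could escape ${basepath}.
  if [[ -z "${repo}" || "${repo}" == */* || "${repo}" == .* ]]; then
    echo "Refusing to use repository name '${repo}' from wss-scan.config" >&2
    exit 1
  fi
  echo "Cloning repo ${gitBasePath}${repo}"
  if [[ "${repo}" == "OpenSearch" ]]; then
    echo "Cloning ${repo} at branch 2.x"
    git clone -b 2.x "${gitBasePath}${repo}.git" "${basepath}/${repo}"
    # /qa/ in OpenSearch repo contains all files related to the previous version of ODFE.
    # WhiteSource will attempt to download them and take hours to build or timeout error.
    # Remove /qa/ because it's irrelevant to OpenSearch.
    rm -rf -- "${basepath}/${repo}/qa"
  else
    echo "Cloning ${repo} at main branch"
    git clone "${gitBasePath}${repo}.git" "${basepath}/${repo}"
  fi
done

echo -n > info.txt
target_main='OpenSearch'
target_1_3='OpenSearch_1_3'

# scan the Repos using the WhiteSource Unified Agent
for repo in $gitRepos; do
  repo_path="${basepath}/${repo}"
  if [[ -d "${repo_path}" ]]; then
    cd "${repo_path}"
    echo "Scanning repo: ${gitBasePath}${repo}  Project:  ${repo}"
    if [[ -e "build.gradle" ]]; then
      echo "build.gradle for $repo exist in root"
      if [[ ! -e "settings.gradle" ]]; then
        echo "settings.gradle not exist in $repo, create one based on build.gradle name"
        generate_settings_gradle "${repo}"
      else
        echo "settings.gradle exist $repo"
      fi
    else
      # Exceptions for some repos that have `build.gradle` in sub-folder
      if [[ "${repo}" == "observability" ]]; then
        cd "${repo_path}/opensearch-observability"
        generate_settings_gradle "${repo}"
      else
        echo "build.gradle for $repo not exist, either dashboards repo or missing necessary files"
      fi
    fi
    run_wss_scan "${target_main}" "${repo}" "${repo_path}"
    # Second pass on the 1.3 line. A failed checkout must not fall through to
    # re-scanning the current branch under the 1.3 product name (set -e does not
    # catch a failure inside an && list), so the 1.3 scan is skipped instead.
    if git -C "${repo_path}" checkout 1.3; then
      run_wss_scan "${target_1_3}" "${repo}" "${repo_path}"
    else
      echo "No 1.3 branch in ${repo}; skipping ${target_1_3} scan" >&2
    fi
    cd "${baseDirPath}" && pwd
  else
    echo "Scanning failed for repo: ${gitBasePath}${repo}  Project:  ${repo}"
  fi
done

# remove the WhiteSource unified Jar
rm -- "${baseDirPath}/wss-unified-agent.jar"
echo "WhiteSource vulnerability scan completed"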