OWASP Dependency-Check Plugin python repo - jenkins-plugins

I was just wondering what the process of scanning a Python repo in the OWASP Dependency-Check Plugin is. I have a Python repo with lots of Python files in it. I have configured scanpath like /**/*.py, but I see reports like dependency-check-report.xml with 0 unique warnings and 0 duplicates. Then I scanned another test repo from GitHub and got the same result. Am I missing something here? There should be some reports.

I ended up downloading and running the CLI, something like below.
wget http://dl.bintray.com/jeremy-long/owasp/dependency-check-3.0.2-release.zip
unzip dependency-check-3.0.2-release.zip
/home/ec2-user/dependency-check/bin/dependency-check.sh --project "Dev" --scan "/src/python" --format "XML" --disableNSP "true" --enableExperimental --disablePyDist "false" --disablePyPkg "false"
dependencyCheckPublisher canComputeNew: false, defaultEncoding: '', healthy: '0', pattern: '', unHealthy: '1000'
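Dependency-Check's Python analyzers (still experimental in the 3.x line used above, hence --enableExperimental) do not parse arbitrary .py source: the Python Distribution Analyzer reads PKG-INFO/METADATA files (and .whl/.egg archives), and the Python Package Analyzer reads __init__.py files for a __version__ string. A repo of plain modules gives them nothing to key on, which is one way to end up with an empty report. The helper below is an added example, not code from the original answer or from the Dependency-Check project; it walks a directory and prints the name/version evidence those analyzers would find, so you can see what a scan has to work with before debugging the plugin configuration.

```shell
#!/bin/sh
# Added example (not from the original post or from Dependency-Check).
# Prints the package evidence Dependency-Check's Python analyzers look for:
#   dist  <file>  <Name>  <Version>   from METADATA / PKG-INFO
#   pkg   <file>  <__version__>       from __init__.py
# A tree that yields no lines here has nothing for the scanner to report.

dc_python_evidence() {
    root="$1"
    [ -d "$root" ] || { echo "dc_python_evidence: no such directory: $root" >&2; return 1; }

    # Distribution metadata (wheels/eggs unpacked into *.dist-info / *.egg-info).
    find "$root" -type f \( -name METADATA -o -name PKG-INFO \) 2>/dev/null |
    while IFS= read -r f; do
        name=$(sed -n 's/^Name: *//p' "$f" | head -n 1)
        version=$(sed -n 's/^Version: *//p' "$f" | head -n 1)
        printf 'dist\t%s\t%s\t%s\n' "$f" "${name:-?}" "${version:-?}"
    done

    # Package metadata: __version__ = "x.y.z" (single or double quotes) in __init__.py.
    find "$root" -type f -name '__init__.py' 2>/dev/null |
    while IFS= read -r f; do
        version=$(sed -n "s/^__version__ *= *[\"']\([^\"']*\)[\"'].*/\1/p" "$f" | head -n 1)
        [ -n "$version" ] && printf 'pkg\t%s\t%s\n' "$f" "$version"
    done
    return 0
}

# Usage: dc_python_evidence /src/python
```

If the output is empty, add a setup.py/PKG-INFO or a __version__ to the package's __init__.py (or install the project's dependencies into a directory inside the scan path so their .dist-info METADATA is visible) before expecting findings.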

Related

Only execute script if branch is master in TravisCI

I'm new to TravisCI and this may be a very silly question, but I'm trying to write the travis config in a way that it only deploys to Firebase when the current branch is master.
That is, only when code is pushed to master or when a PR is merged into master should the firebase deploy command execute. The deploy command should not be executed when other branches are pushed to, or when PRs are made.
Here's what I have so far:
language: node_js
node_js: 12.16.1
install:
  - npm install -g firebase-tools
  - npm i react-scripts
script:
  - echo "Running travis-ci"
  - yarn add react
  - yarn test
  - if [ "$TRAVIS_BRANCH" = "master" ]; then yarn build; fi
  - if [ "$TRAVIS_BRANCH" = "master" ]; then firebase deploy --project testproj8876 --token $FIREBASE_TOKEN; fi
branches:
  only:
    - master
Since I'm not too familiar with the conventions yet, any improvements/suggestions would also be greatly appreciated.
Google Firebase is supported directly by Travis. See here.
Therefore, I recommend using the solution described in the link above.
deploy:
  provider: firebase
  token:
    secure: "YOUR ENCRYPTED token"
As for your condition, you can check one of my .travis.yml files here and the documentation there (Conditional Deployments).
The following part is what you need:
deploy:
  cleanup: false
  on:
    branch:
      - master
If you still have questions, feel free to ask.
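One thing worth seeing explicitly is why the deploy provider's on: branch condition is safer than the hand-written if in the question: for pull-request builds Travis sets TRAVIS_BRANCH to the branch the PR targets, so [ "$TRAVIS_BRANCH" = "master" ] is also true for every PR opened against master, and that job would run firebase deploy with the token. The guard below is an added example, not code from the question or the answer; it reads only the documented Travis variables TRAVIS_BRANCH and TRAVIS_PULL_REQUEST (the latter is the literal string false for non-PR builds, otherwise the PR number) and can be tested locally by setting those variables.

```shell
#!/bin/sh
# Added example (not from the original question or answer).
# Returns 0 only for a push build of master: TRAVIS_BRANCH alone is not enough,
# because on pull-request builds it names the *target* branch.
should_deploy() {
    branch="${TRAVIS_BRANCH:-}"
    pr="${TRAVIS_PULL_REQUEST:-false}"     # "false" on push builds, PR number otherwise
    [ "$branch" = "master" ] || return 1
    [ "$pr" = "false" ] || return 1
    return 0
}

# Usage in .travis.yml (the deploy command itself is the project's own):
#   - if should_deploy; then firebase deploy --project testproj8876 --token "$FIREBASE_TOKEN"; fi
```

The deploy: provider block in the answer applies the same rule (it skips pull-request builds by default), which is why it is the better option; the function is only useful if you must keep the deploy inside script:.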

How to have dynamic version name at run time when deploying google app engine in Travis CI?

I am studying how to automate the build and deployment of my Google App Engine application in Travis; so far it allows me to have a static or predefined version name during deployment in .travis.yml.
Is there any way to make it dynamically generated at runtime? For example, below in my .travis.yml file I have deployments for the production and staging versions of the application, named production and qa-staging, and I would like to suffix the version names with a timestamp or anything else, as long as it would be unique for every successful build and deployment.
language: node_js
node_js:
  - "10"
before_install:
  - openssl aes-256-cbc -K $encrypted_c423808ed406_key -iv $encrypted_c423808ed406_iv -in gae-creds.json.enc -out gae-creds.json -d
  - chmod +x test.sh
  - cat gae-creds.json
install:
  - npm install
script:
  - "./test.sh"
deploy:
  - provider: gae
    skip_cleanup: true
    keyfile: gae-creds.json
    project: traviscicd
    no_promote: true
    version: qa-staging
    on:
      branch: staging
  - provider: gae
    skip_cleanup: true
    keyfile: gae-creds.json
    project: traviscicd
    version: production
    on:
      branch: master
Have you tried https://yaml.org/type/timestamp.html ?
I'm not sure if the context is correct, but it seems a good and elegant option for your yaml file.
Perhaps you can use go generate to generate a version string that can be included? You need to run go generate as part of the build process for it to work, though.
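Whatever generates the string, an App Engine version id has to satisfy the service's rules: lowercase letters, digits and hyphens only, beginning and ending with a letter or digit, at most 63 characters. The helper below is an added example, not code from the question or either answer; it derives a unique id from the label, the build number, a UTC timestamp and a short commit hash, then normalises it to those rules. Which Travis variables you feed it (TRAVIS_BUILD_NUMBER, TRAVIS_COMMIT) and whether the gae provider expands $GAE_VERSION in version: are assumptions about the job environment; the function itself runs anywhere.

```shell
#!/bin/sh
# Added example (not from the original question or answers).
# gae_version LABEL BUILD SHA [STAMP]  ->  label-build-stamp-shortsha, made valid
# for App Engine: [a-z0-9-], no leading/trailing hyphen, <= 63 chars.
gae_version() {
    label="$1"                                   # e.g. qa-staging or production
    build="$2"                                   # e.g. "$TRAVIS_BUILD_NUMBER"
    sha="$3"                                     # e.g. "$TRAVIS_COMMIT"
    stamp="${4:-$(date -u +%Y%m%dt%H%M%S)}"      # explicit stamp allows reproducible tests
    short=$(printf '%s' "$sha" | cut -c1-7)
    printf '%s-%s-%s-%s' "$label" "$build" "$stamp" "$short" |
        tr 'A-Z' 'a-z' |                         # version ids are lowercase
        sed 's/[^a-z0-9-]/-/g; s/--*/-/g; s/^-//' |
        cut -c1-63 |                             # hard length limit
        sed 's/-*$//'                            # no trailing hyphen after truncation
    echo
}

# Usage (assumed Travis wiring, in before_deploy):
#   export GAE_VERSION=$(gae_version qa-staging "$TRAVIS_BUILD_NUMBER" "$TRAVIS_COMMIT")
# and then  version: $GAE_VERSION  in the deploy block.
```

The timestamp gives uniqueness even when a build is restarted with the same number; the short hash lets you map a running version back to the commit that produced it.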

goapp test not working, getting error "GOPATH must be absolute" while it is absolute

I'm trying to write tests for my Google Cloud app. I read the documents and it seems the only way to run the tests locally is running the command goapp test in the test package directory. But when I run the command I get the error go: GOPATH entry is relative; must be absolute path: "".
I'm pretty sure my GOPATH is set absolutely. Here are the results when I run the command go env | grep GOPATH:
GOPATH=":/home/mohammad/go:/home/mohammad/go/src/gitlab.com/gc-auth"
Also getting the same output when I run echo $GOPATH.
Any help is appreciated.
PS: I have ubuntu 18.04 and my go version is 1.10.4
results of gcloud version:
Google Cloud SDK 228.0.0
app-engine-go
app-engine-python 1.9.80
bq 2.0.39
cloud-datastore-emulator 2.0.2
core 2018.12.07
gsutil 4.34
GOPATH=":/home/mohammad/go:/home/mohammad/go/src/gitlab.com/gc-auth"
The GOPATH starts with an empty path (which is technically relative), followed by two absolute paths. The error message is correct.
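The leading colon usually comes from a shell profile doing export GOPATH=$GOPATH:/some/path before GOPATH had a value. The two functions below are an added example, not part of the original answer; they split the value on ':' the way the go tool does (so a trailing colon also counts as an empty entry), report every entry that is not absolute, and print a cleaned value with the empty entries dropped.

```shell
#!/bin/sh
# Added example (not from the original question or answer).
# check_gopath VALUE : exit 1 and name every entry that is empty or relative.
check_gopath() {
    rest="$1"; last=""; bad=0
    while :; do
        case $rest in
            *:*) entry=${rest%%:*}; rest=${rest#*:} ;;   # take one field, keep the rest
            *)   entry=$rest; last=1 ;;                  # final field (may be empty)
        esac
        case $entry in
            "") echo 'GOPATH entry is relative; must be absolute path: ""' >&2; bad=1 ;;
            /*) ;;
            *)  echo "GOPATH entry is relative; must be absolute path: \"$entry\"" >&2; bad=1 ;;
        esac
        [ -n "$last" ] && break
    done
    return $bad
}

# fix_gopath VALUE : print VALUE with empty entries removed.
fix_gopath() {
    rest="$1"; last=""; out=""
    while :; do
        case $rest in
            *:*) entry=${rest%%:*}; rest=${rest#*:} ;;
            *)   entry=$rest; last=1 ;;
        esac
        [ -n "$entry" ] && out="${out:+$out:}$entry"
        [ -n "$last" ] && break
    done
    printf '%s\n' "$out"
}

# Usage:  check_gopath "$GOPATH" || export GOPATH=$(fix_gopath "$GOPATH")
```

Fix the profile line rather than exporting the cleaned value every session: export GOPATH=${GOPATH:+$GOPATH:}/home/mohammad/go only adds the colon when GOPATH is already set.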

Passwordless continuous deployment from CircleCI to AppEngine

The CircleCI appengine documentation suggests using a password to do deployment. How can I use the oauth2 flow instead of using passwords? I don't want to share my Google password.
Do I generate a ~/.appcfg_oauth2_tokens_java file, from token data stored as environment variables in CircleCI? Is there a simpler way?
I solved the issue this way:
deployment:
  appengine:
    branch: master
    commands:
      - erb .appcfg_oauth2_tokens_java.json > ~/.appcfg_oauth2_tokens_java # requires ENV in circle ci
      - mvn -DskipTests=true appengine:update # tests have already been run
.appcfg_oauth2_tokens_java.json:
{
  "credentials": {
    "ubuntu": {
      "access_token": "<%= ENV["GOOGLE_ACCESS_TOKEN"] %>",
      "expiration_time_millis": 1431552739090,
      "refresh_token": "<%= ENV["GOOGLE_REFRESH_TOKEN"] %>"
    }
  }
}
Then in CircleCI, configure the ENV variables for the two tokens. I got the tokens by locally running mvn appengine:update and going through the oAuth2 dance. Note: You may have to remove your existing ~/.appcfg_oauth2_tokens_java file first.
Reading the AppEngine SDK docs, it sounds like that would be a good approach. There is not a built-in way to do that on CircleCI.
If you don't want to use any user-related credential, you can leverage service accounts, like mentioned in this blog post:
Continuous Deployment with Google App Engine and CircleCI
I solved it this way on the latest GAE SDK 1.9.34 for Java.
Assuming you have a Base64 encoded ENV Variable with your JSON key for a service account you've created on the GCloud project:
dependencies:
  pre:
    - echo $GOOGLE_CLIENT_SECRET | base64 --decode > ${HOME}/client-secret.json
And then in the deployment section:
- $HOME/appengine-java-sdk-$APP_ENGINE_VERSION/bin/appcfg.sh -A $GCLOUD_PROJECT -M $GCLOUD_MODULE -V $BUILD_VERSION --service_account_json_key_file=$HOME/client-secret.json update $WAR_FOLDER
The --service_account_json_key_file doesn't seem to appear as an option when you use appcfg.sh help but it is there, and does work.
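The service-account route is the right one, and the decode step deserves a little more care than a bare echo | base64 in a CI config: the key file is written with the default umask, nothing confirms it is actually a service-account key before appcfg.sh tries to use it, and it is easy to leak its contents into the build log. The function below is an added example, not code from the answer or from the App Engine SDK. It reads the base64 from stdin (so the secret never sits on a command line), creates the file 0600 from the start, and validates the JSON shape with grep instead of printing it; the env-variable and path names are the ones used in the answer and are otherwise assumptions.

```shell
#!/bin/sh
# Added example (not from the original answer or the App Engine SDK).
# install_sa_key DEST : decode a base64 service-account key from stdin into DEST (mode 0600)
# and fail, removing DEST, if the result is not a service-account key.
install_sa_key() {
    dest="$1"
    # umask in a subshell so the file is private from creation, without changing the caller's umask.
    if ! ( umask 077 && base64 --decode > "$dest" ); then
        rm -f "$dest"; echo "install_sa_key: base64 decode failed" >&2; return 1
    fi
    # Sanity-check the three fields a Google service-account key carries; never cat the file in CI.
    for pat in '"type": *"service_account"' '"private_key": *"-----BEGIN ' '"client_email": *"'; do
        if ! grep -q "$pat" "$dest"; then
            rm -f "$dest"; echo "install_sa_key: $dest is not a service-account key" >&2; return 1
        fi
    done
    return 0
}

# sa_key_email FILE : the only thing worth logging about the key is which account it is.
sa_key_email() {
    sed -n 's/.*"client_email": *"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Usage in circle.yml (names assumed, as in the answer above):
#   - printf '%s' "$GOOGLE_CLIENT_SECRET" | install_sa_key "$HOME/client-secret.json"
#   - echo "deploying as $(sa_key_email "$HOME/client-secret.json")"
#   ... appcfg.sh ... --service_account_json_key_file="$HOME/client-secret.json" update ...
#   - rm -f "$HOME/client-secret.json"
```

Deleting the file after the deploy step matters on CircleCI because later steps, SSH debug sessions and cached directories otherwise keep the key around longer than the job needs it.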

cakephp websocket ratchet install error

I am trying to install the CakePHP Ratchet Plugin in an existing project.
My CakePHP version is 2.4.3.
It says to follow this link which has following steps:
$ cd myproject/app/
$ curl -s https://getcomposer.org/installer | php
$ php composer.phar require --no-update opauth/opauth:dev-wip/1.0 opauth/twitter:dev-wip/1.0
$ php composer.phar config vendor-dir Vendor
$ php composer.phar install
I am not very familiar with composer, and when I do the last step, it shows the following error:
Your requirements could not be resolved to an installable set of packages.
Problem 1
- The requested package opauth/opauth could not be found in any version, there may be a typo in the package name.
Problem 2
- The requested package opauth/twitter could not be found in any version, there may be a typo in the package name.
Potential causes:
- A typo in the package name
- The package is not available in a stable-enough version according to your minimum-stability setting
EDIT:
composer.json is like this:
{
  "require": {
    "opauth/opauth": "dev-wip/1.0",
    "opauth/twitter": "dev-wip/1.0"
  },
  "config": {
    "vendor-dir": "Vendor"
  }
}
As already mentioned in my comment, the Ratchet Plugin has nothing to do with Opauth; the linked article over at ceeram.github.io should only serve as an example of how to configure Composer and the CakePHP bootstrap.
However, for Composer autoloading in CakePHP I'd recommend referring to the CakePHP cookbook, even if you're not including CakePHP itself via Composer:
http://book.cakephp.org/2.0/en/installation/advanced-installation.html
Long story short, what the "Getting Started / 2. Composer" section of the plugin docs wants you to do is to require the ratchet plugin, make sure the vendor dir points to /app/Vendor/, and include the Composer autoloader in your bootstrap.php.
composer.json (assuming it's placed in /app)
{
  "require": {
    "wyrihaximus/ratchet": "dev-master"
  },
  "config": {
    "vendor-dir": "Vendor"
  }
}
bootstrap.php (as per Cookbook)
// Load Composer autoload.
require APP . '/Vendor/autoload.php';
// Remove and re-prepend CakePHP's autoloader as Composer thinks it is the
// most important.
// See: http://goo.gl/kKVJO7
spl_autoload_unregister(array('App', 'load'));
spl_autoload_register(array('App', 'load'), true, true);
Run composer install or composer update and you should be good.
