This repository contains multiple scripts and tools which assist us in running various pipelines, mostly scans, against the Zowe Codebase.
Currently, the following scans or pipelines are available:
| Name | Purpose | Repo Path | Status |
|---|---|---|---|
| Dependency License Scans | Generates NOTICES and TPSR.md, which is a complete collection of dependency licenses, using the zowe manifest from zowe-install-packaging. | Scan Location | Running in GHA |
| Dependency SBOM Scans w/ORT | Generates SPDX 2.2 SBOMs in a YAML format using the zowe manifest from zowe-install-packaging. The generated SBOMs include all transitive dependencies for supported languages and build tools, which includes Node/NPM/Yarn, Rust/Cargo, and Java/Gradle/Maven. | Scan Location | Running in GHA |
| Binary SBOM Scan w/FOSS | Generates 1.x RDF SBOMs using the binaries delivered as part of the Zowe release process (PAX, CLI Standalone ZIP). | Scan Location | Not Running, but present in GHA. This scan could be useful again in the future as SBOM standards evolve to cover more points in the S3C lifecycle, such as source, build, and artifact. This scan would be useful as "artifact" SBOM. |
| Cleanup Scripts | Runs periodic cleanup scripts which help us manage infrastructure resources, such as disk space on persistent build machines and net artifact consumption Artifactory. | Scan Location, Scripts, Tooling | Running in GHA |
| Snyk Scans | Scans projects for vulnerabilities using the Snyk database and uploads the results to the Zowe Security Squad's Repository | Scan Location | Possibly deprecated, still Running in GHA. We have access to continuous Snyk scanning through the Linux Foundation, so this pipeline is redundant but may still have some use by uploading scan artifacts for review. |
| OWASP Scans | Scans dependencies for known vulnerabilities and weaknesses using the OWASP CLI. | Scan Location | Deprecated by other scans run within the community. |
| Performance Test Suite | Contains client, server, and metric capture components that can be setup to run a set of performance tests against Zowe. | Code Location | Not running. This test suite has been shelved for some time and would require a code review pass to bring it back up to a functioning state. |
| Docker Build Pipeline | Creates Docker containers used to run some of the above actions. Docker files are located here | Pipeline Location | Running in GHA on-demand |