Configure environment variables for CVE scanning

[TheJuanAndOnly99]

Added environment variables for OSS_INDEX_USERNAME and OSS_INDEX_TOKEN in CVE scanning workflow. The secrets have also been added to the repo.

[netlify]

✅ Deploy Preview for fdc3 canceled.

Name	Link
🔨 Latest commit	08a11fb
🔍 Latest deploy log	https://app.netlify.com/projects/fdc3/deploys/69399556a411130008d35429

[github-actions]

[github-actions]

Coverage Report

Commit: 08a11fb
Base: main@3bbce2c

Type	Base	This PR
Total Statements Coverage	97.16%	97.16% (+0%)
Total Branches Coverage	86%	86% (+0%)
Total Functions Coverage	96.13%	96.13% (+0%)
Total Lines Coverage	97.32%	97.32% (+0%)

Details (changed files)

File	Statements	Branches	Functions	Lines

Details (all files)

File	Statements	Branches	Functions	Lines
packages/fdc3-agent-proxy/src/DesktopAgentProxy.ts	100%	100%	100%	100%
packages/fdc3-agent-proxy/src/index.ts	100%	100%	62.5%	100%
packages/fdc3-agent-proxy/src/apps/DefaultAppSupport.ts	88%	50%	100%	88%
packages/fdc3-agent-proxy/src/channels/DefaultChannel.ts	78.94%	77.77%	71.42%	78.94%
packages/fdc3-agent-proxy/src/channels/DefaultChannelSupport.ts	98.71%	100%	94.44%	100%
packages/fdc3-agent-proxy/src/channels/DefaultPrivateChannel.ts	97.5%	66.66%	100%	97.5%
packages/fdc3-agent-proxy/src/heartbeat/DefaultHeartbeatSupport.ts	100%	100%	100%	100%
packages/fdc3-agent-proxy/src/intents/DefaultIntentResolution.ts	100%	100%	100%	100%
packages/fdc3-agent-proxy/src/intents/DefaultIntentSupport.ts	100%	100%	100%	100%
packages/fdc3-agent-proxy/src/listeners/AbstractListener.ts	100%	60%	100%	100%
packages/fdc3-agent-proxy/src/listeners/DefaultContextListener.ts	100%	90%	100%	100%
packages/fdc3-agent-proxy/src/listeners/DefaultIntentListener.ts	100%	77.77%	100%	100%
packages/fdc3-agent-proxy/src/listeners/EventListener.ts	100%	100%	100%	100%
packages/fdc3-agent-proxy/src/listeners/HeartbeatListener.ts	100%	100%	100%	100%
packages/fdc3-agent-proxy/src/listeners/PrivateChannelEventListener.ts	93.33%	72.72%	100%	93.33%
packages/fdc3-agent-proxy/src/messaging/AbstractMessaging.ts	94.59%	100%	80%	94.59%
packages/fdc3-agent-proxy/src/util/AbstractFDC3Logger.ts	100%	94.11%	100%	100%
packages/fdc3-agent-proxy/src/util/Logger.ts	100%	100%	100%	100%
packages/fdc3-agent-proxy/src/util/throwIfUndefined.ts	100%	100%	100%	100%
packages/fdc3-get-agent/src/index.ts	100%	100%	28.57%	100%
packages/fdc3-get-agent/src/messaging/MessagePortMessaging.ts	100%	100%	100%	100%
packages/fdc3-get-agent/src/messaging/message-port.ts	97.43%	86.66%	100%	97.43%
packages/fdc3-get-agent/src/sessionStorage/DesktopAgentDetails.ts	97.36%	89.47%	100%	97.36%
packages/fdc3-get-agent/src/strategies/DesktopAgentPreloadLoader.ts	100%	77.77%	100%	100%
packages/fdc3-get-agent/src/strategies/FailoverHandler.ts	100%	76.47%	100%	100%
packages/fdc3-get-agent/src/strategies/HelloHandler.ts	94%	81.25%	100%	94%
packages/fdc3-get-agent/src/strategies/IdentityValidationHandler.ts	95.65%	73.33%	100%	95.65%
packages/fdc3-get-agent/src/strategies/PostMessageLoader.ts	98.48%	86.95%	100%	98.46%
packages/fdc3-get-agent/src/strategies/Timeouts.ts	100%	100%	100%	100%
packages/fdc3-get-agent/src/strategies/getAgent.ts	100%	100%	100%	100%
packages/fdc3-get-agent/src/ui/AbstractUIComponent.ts	97.14%	71.42%	100%	97.01%
packages/fdc3-get-agent/src/ui/DefaultDesktopAgentChannelSelector.ts	100%	75%	100%	100%
packages/fdc3-get-agent/src/ui/DefaultDesktopAgentIntentResolver.ts	100%	90%	100%	100%
packages/fdc3-get-agent/src/ui/NullChannelSelector.ts	100%	100%	100%	100%
packages/fdc3-get-agent/src/ui/NullIntentResolver.ts	100%	100%	66.66%	100%
packages/fdc3-get-agent/src/util/Logger.ts	100%	100%	100%	100%
packages/fdc3-get-agent/src/util/Uuid.ts	100%	100%	100%	100%
packages/fdc3-standard/src/index.ts	91.3%	70.83%	60%	95%
packages/fdc3-standard/src/api/AppIdentifier.ts	100%	100%	100%	100%
packages/fdc3-standard/src/api/AppIntent.ts	100%	100%	100%	100%
packages/fdc3-standard/src/api/AppMetadata.ts	100%	100%	100%	100%
packages/fdc3-standard/src/api/Channel.ts	100%	100%	100%	100%
packages/fdc3-standard/src/api/ContextMetadata.ts	100%	100%	100%	100%
packages/fdc3-standard/src/api/DesktopAgent.ts	100%	100%	100%	100%
packages/fdc3-standard/src/api/DisplayMetadata.ts	100%	100%	100%	100%
packages/fdc3-standard/src/api/Errors.ts	100%	100%	100%	100%
packages/fdc3-standard/src/api/Events.ts	100%	100%	100%	100%
packages/fdc3-standard/src/api/GetAgent.ts	100%	100%	100%	100%
packages/fdc3-standard/src/api/Icon.ts	100%	100%	100%	100%
packages/fdc3-standard/src/api/Image.ts	100%	100%	100%	100%
packages/fdc3-standard/src/api/ImplementationMetadata.ts	100%	100%	100%	100%
packages/fdc3-standard/src/api/IntentMetadata.ts	100%	100%	100%	100%
packages/fdc3-standard/src/api/IntentResolution.ts	100%	100%	100%	100%
packages/fdc3-standard/src/api/Listener.ts	100%	100%	100%	100%
packages/fdc3-standard/src/api/Methods.ts	94.18%	84.28%	96.29%	95.23%
packages/fdc3-standard/src/api/PrivateChannel.ts	100%	100%	100%	100%
packages/fdc3-standard/src/api/RecommendedChannels.ts	100%	100%	100%	100%
packages/fdc3-standard/src/api/Types.ts	100%	100%	100%	100%
packages/fdc3-standard/src/context/ContextType.ts	100%	100%	100%	100%
packages/fdc3-standard/src/intents/Intents.ts	100%	100%	100%	100%
packages/fdc3-standard/src/internal/contextConfiguration.ts	100%	100%	100%	100%
packages/fdc3-standard/src/internal/intentConfiguration.ts	100%	100%	100%	100%
packages/fdc3-standard/src/internal/typeHelpers.ts	100%	100%	100%	100%
packages/fdc3-standard/src/ui/ChannelSelector.ts	100%	100%	100%	100%
packages/fdc3-standard/src/ui/Connectable.ts	100%	100%	100%	100%
packages/fdc3-standard/src/ui/IntentResolver.ts	100%	100%	100%	100%
toolbox/fdc3-for-web/fdc3-web-impl/src/BasicFDC3Server.ts	100%	100%	100%	100%
toolbox/fdc3-for-web/fdc3-web-impl/src/ServerContext.ts	100%	100%	100%	100%
toolbox/fdc3-for-web/fdc3-web-impl/src/directory/BasicDirectory.ts	96.87%	84.21%	100%	96.55%
toolbox/fdc3-for-web/fdc3-web-impl/src/handlers/BroadcastHandler.ts	96.38%	86.41%	100%	96.12%
toolbox/fdc3-for-web/fdc3-web-impl/src/handlers/HeartbeatHandler.ts	88.23%	71.87%	86.66%	90%
toolbox/fdc3-for-web/fdc3-web-impl/src/handlers/IntentHandler.ts	98.08%	91.66%	100%	97.82%
toolbox/fdc3-for-web/fdc3-web-impl/src/handlers/OpenHandler.ts	97.14%	86.84%	100%	97.14%
toolbox/fdc3-for-web/fdc3-web-impl/src/handlers/support.ts	100%	100%	100%	100%

[kriswest]

LGTM - the check is still failing but may only pass once this is merged??

[TheJuanAndOnly99]

Hi @kriswest yes. The problem is that forks cannot access secrets.

[kriswest]

Hi @kriswest yes. The problem is that forks cannot access secrets.

So it had to be merged before it would work in the scheduled scans - next one happens overnight. Will it be able to scan PRs (so we can use it as a check)?

[kriswest]

No dice, this scheduled scan on main still failed after this merged: https://github.com/finos/FDC3/actions/runs/20106913440/job/57693352931

[TheJuanAndOnly99]

@kriswest I sent you another PR that fixes it #1721 (it fails on CVEs found). Unfortunately it will still not work to scan PRs coming from forks as they can't access the secrets. Not sure how we can work around that securely yet.

[kriswest]

If memory serves it requires a bot of some sort (we need to switch to codecov for the same reason, the forks can't post coverage comments...

It looks like this has been a limitation since 2021 and has never been prioritised: https://community.sonarsource.com/t/code-analysis-on-pull-request-from-forked-repository-with-github-actions/43986

Perhaps that makes this the wrong tool for the job in an OS foundation. We expect to take contributions from new contributors/non-maintainers regularly...

Free alternatives for Sonatype auditjs analyzing PRs from forks include GitHub Dependabot, OWASP Dependency-Check (with CI integration), and Snyk Open Source (free tier), all of which can run on PRs, including those from forks.

Free/OSS alternatives for PR dependency analysis

• GitHub Dependabot: Native to GitHub, fully automated PR updates for vulnerabilities, free for public repos.
• OWASP Dependency-Check: Open-source, uses NVD data, requires CI/CD integration (e.g., GitHub Actions) to run on PRs/forks.
• Snyk Open Source: Free for public/open-source projects, offers CLI and CI integrations (GitHub/GitLab) to scan dependencies in PRs, including from forks.
• npm audit / yarn audit: Built-in CLI tools for Node.js projects, can be integrated into CI/CD for PR checks, though less robust than dedicated SCA tools.

Does FINOS have a view or future plans on this front?

[TheJuanAndOnly99]

@kriswest agree that this is not ideal as the typical workflow is to raise PRs via forks. The TOC is aware and areworking on updating the (outdated) dependency management section of the FINOS community website with new recommended tools. They are looking at it right now so we should have some updated very soon.

[kriswest]

@TheJuanAndOnly99 great to hear the TOC is looking at it - let us know if they update the advice (including if we should switch to whitesource - I believe we're using finos code scanning currently)

[thomassalmon422-a11y]

CCE_Licensing_Agreement_Hardened.pdf