[DSD-4199] #329
base: release-1.2.0.x
#325)
* [DSD-4267] removed mock-sdk-jpeg-extractor functionality from mosip-mock-services repo
  Signed-off-by: techno-467 <prafulrakhade02@gmail.com>
* [DSD-4267] removed mock-sdk-jpeg-extractor functionality from mosip-mock-services repo
  Signed-off-by: techno-467 <prafulrakhade02@gmail.com>
* [DSD-4267] removed mock-sdk-jpeg-extractor functionality from mosip-mock-services repo
  Signed-off-by: techno-467 <prafulrakhade02@gmail.com>
---------
Signed-off-by: techno-467 <prafulrakhade02@gmail.com>
…e floating point numbers
Signed-off-by: JanardhanBS-SyncByte <janardhan@syncbyte.in>
[MOSIP-31258] The attributes requestedScore and qualityScore should be floating point numbers
…e floating point numbers with return type String
Signed-off-by: JanardhanBS-SyncByte <janardhan@syncbyte.in>
Signed-off-by: Sowmya Ujjappa Banakar <sowmya.61022006@ltimindtree.com>
MOSIP-31498 code fix
Signed-off-by: JanardhanBS-SyncByte <72377118+JanardhanBS-SyncByte@users.noreply.github.com>
Signed-off-by: JanardhanBS-SyncByte <janardhan@syncbyte.in>
…iometricsdk.version
Signed-off-by: JanardhanBS-SyncByte <janardhan@syncbyte.in>
Signed-off-by: JanardhanBS-SyncByte <janjonny@gmail.com>
* [MOSIP-37853] added skip for deployment in pom
  Signed-off-by: JanardhanBS-SyncByte <janjonny@gmail.com>
* [MOSIP-37853] added skip for deployment in pom
  Signed-off-by: JanardhanBS-SyncByte <janjonny@gmail.com>
---------
Signed-off-by: JanardhanBS-SyncByte <janjonny@gmail.com>
Co-authored-by: JanardhanBS-SyncByte <janjonny@gmail.com>
Signed-off-by: JanardhanBS-SyncByte <janjonny@gmail.com>
Signed-off-by: Rakshith B <79500257+Rakshithb1@users.noreply.github.com>
[MOSIP-35637] added squash layers
* MOSIP-39995 Added ZCG
  Signed-off-by: kameshsr <kameshsr1338@gmail.com>
* MOSIP-39995 Added ZCG
  Signed-off-by: kameshsr <kameshsr1338@gmail.com>
---------
Signed-off-by: kameshsr <kameshsr1338@gmail.com>
[MOSIP-38107]
* Added Test cases for sonar coverage.
  Signed-off-by: Chetan <chetankumar.h.239@gmail.com>
* Added test class for sonar coverage.
  Signed-off-by: Chetan <chetankumar.h.239@gmail.com>
* written test cases for Mock-MDS
  Signed-off-by: Chetan <chetankumar.h.239@gmail.com>
* code coverage-MockMDS
  Signed-off-by: Chetan <chetankumar.h.239@gmail.com>
* resolved some security issues and add test cases for some classes.
  GitHub Description while committing:
  Signed-off-by: Chetan <chetankumar.h.239@gmail.com>
  Signed-off-by: Chetan <chetankumar.h.239@gmail.com>
* Changes in import statements and necessary access modifiers added.
  Signed-off-by: Chetan <chetankumar.h.239@gmail.com>
* Restored deleted application.properties file.
  Signed-off-by: Chetan <chetankumar.h.239@gmail.com>
* Restored application.properties after accidental deletion
  Signed-off-by: Chetan <chetankumar.h.239@gmail.com>
* Added test cases.
  Signed-off-by: Chetan <chetankumar.h.239@gmail.com>
* Revert "Restored application.properties after accidental deletion"
  Signed-off-by: Chetan <chetankumar.h.239@gmail.com>
* reverting back application file
  Signed-off-by: Chetan <chetankumar.h.239@gmail.com>
* Fix DCO signature format
  Signed-off-by: Chetan <chetankumar.h.239@gmail.com>
* Re-add application.properties after accidental deletion
  Signed-off-by: Chetan <chetankumar.h.239@gmail.com>
* modified file
  Signed-off-by: Chetan <chetankumar.h.239@gmail.com>
* remodified
  Signed-off-by: Chetan <chetankumar.h.239@gmail.com>
* unnecessary files deleted.
  Signed-off-by: Chetan <chetankumar.h.239@gmail.com>
* "Added test cases"
  Signed-off-by: Chetan <chetankumar.h.239@gmail.com>
* "Added test cases"
  Signed-off-by: Chetan <chetankumar.h.239@gmail.com>
* changes done
  Signed-off-by: Chetan <chetankumar.h.239@gmail.com>
* text files put as they are.
  Signed-off-by: Chetan <chetankumar.h.239@gmail.com>
* Remove .idea folders
  Signed-off-by: Chetan <chetankumar.h.239@gmail.com>
* mock-mv test cases added
  Signed-off-by: Chetan <chetankumar.h.239@gmail.com>
* Update .gitignore
  Signed-off-by: Chetan Kumar Hirematha <chetankumar.h.239@gmail.com>
  Signed-off-by: Chetan <chetankumar.h.239@gmail.com>
* naming convention followed. (#1)
  Signed-off-by: Chetan <chetankumar.h.239@gmail.com>
* Recover lost changes
* naming convention followed.
  Signed-off-by: Chetan <chetankumar.h.239@gmail.com>
* Fix Surefire plugin to resolve fork error in mock-abis
  Signed-off-by: Chetan <chetankumar.h.239@gmail.com>
---------
Signed-off-by: Chetan <chetankumar.h.239@gmail.com>
* Recover lost changes (#3)
* naming convention followed.
  Signed-off-by: Chetan Kumar Hirematha <chetankumar.h.239@gmail.com>
* Fix Surefire plugin to resolve fork error in mock-abis
  Signed-off-by: Chetan Kumar Hirematha <chetankumar.h.239@gmail.com>
---------
Signed-off-by: Chetan Kumar Hirematha <chetankumar.h.239@gmail.com>
Signed-off-by: Chetan <chetankumar.h.239@gmail.com>
---------
Signed-off-by: Chetan <chetankumar.h.239@gmail.com>
Signed-off-by: Chetan Kumar Hirematha <chetankumar.h.239@gmail.com>
Signed-off-by: rajapandi1234 <138785181+rajapandi1234@users.noreply.github.com>
* Update pom.xml
  Signed-off-by: rajapandi1234 <138785181+rajapandi1234@users.noreply.github.com>
* Update pom.xml
  Signed-off-by: rajapandi1234 <138785181+rajapandi1234@users.noreply.github.com>
---------
Signed-off-by: rajapandi1234 <138785181+rajapandi1234@users.noreply.github.com>
* reverting all jacoco changes
  Signed-off-by: rajapandi1234 <138785181+rajapandi1234@users.noreply.github.com>
* Update pom.xml
  Signed-off-by: rajapandi1234 <138785181+rajapandi1234@users.noreply.github.com>
---------
Signed-off-by: rajapandi1234 <138785181+rajapandi1234@users.noreply.github.com>
Signed-off-by: Dhanendra Sahu <dhanendra@Dhanendras-MacBook-Pro.local>
Co-authored-by: Dhanendra Sahu <dhanendra@Dhanendras-MacBook-Pro.local>
* [MOSIP-41674] central sonatype migration changes
  Signed-off-by: techno-467 <prafulrakhade02@gmail.com>
* [MOSIP-41674] central sonatype migration changes
  Signed-off-by: techno-467 <prafulrakhade02@gmail.com>
* [MOSIP-41674] central sonatype migration changes
  Signed-off-by: techno-467 <prafulrakhade02@gmail.com>
* [MOSIP-41674] central sonatype migration changes
  Signed-off-by: techno-467 <prafulrakhade02@gmail.com>
* [MOSIP-41674] central sonatype migration changes
  Signed-off-by: techno-467 <prafulrakhade02@gmail.com>
---------
Signed-off-by: techno-467 <prafulrakhade02@gmail.com>
Signed-off-by: Praful Rakhade <prafulrakhade02@gmail.com>
Testing sonar single-module and multi-module changes.
Signed-off-by: Mahesh-Binayak <76687012+Mahesh-Binayak@users.noreply.github.com>
* [MOSIP-42148] Update push-trigger.yml removing duplicate word mosip from project name,
  Signed-off-by: Mahesh-Binayak <76687012+Mahesh-Binayak@users.noreply.github.com>
* Update push-trigger.yml
---------
Signed-off-by: Mahesh-Binayak <76687012+Mahesh-Binayak@users.noreply.github.com>
* Updated for develop branch
  Signed-off-by: Chetan Kumar Hirematha <chetankumar.h.239@gmail.com>
* mock abis test case updated
  Signed-off-by: Chetan Kumar Hirematha <chetankumar.h.239@gmail.com>
---------
Signed-off-by: Chetan Kumar Hirematha <chetankumar.h.239@gmail.com>
* [MOSIP-43434] [MOSIP-43615] [MOSIP-43648] added changes
  Signed-off-by: Chandra Keshav Mishra <chandrakeshavmishra@gmail.com>
* [MOSIP-43615] corrected os-shell change
  Signed-off-by: Chandra Keshav Mishra <chandrakeshavmishra@gmail.com>
---------
Signed-off-by: Chandra Keshav Mishra <chandrakeshavmishra@gmail.com>
* MOSIP-37256: update the readme file - develop
  Signed-off-by: nagendra0721 <nagendra0718@gmail.com>
* MOSIP-37256: update readme file for develop
  Signed-off-by: nagendra0721 <nagendra0718@gmail.com>
* MOSIP-37256: update readme file for develop
  Signed-off-by: nagendra0721 <nagendra0718@gmail.com>
* MOSIP-37256: update readme file for develop
  Signed-off-by: nagendra0721 <nagendra0718@gmail.com>
---------
Signed-off-by: nagendra0721 <nagendra0718@gmail.com>
Create NOTICE
| uses: mosip/kattu/.github/workflows/chart-lint-publish.yml@master | ||
| with: | ||
| CHARTS_DIR: ./helm | ||
| CHARTS_URL: https://mosip.github.io/mosip-helm | ||
| REPOSITORY: mosip-helm | ||
| BRANCH: gh-pages | ||
| INCLUDE_ALL_CHARTS: "${{ inputs.INCLUDE_ALL_CHARTS || 'NO' }}" | ||
| IGNORE_CHARTS: "${{ inputs.IGNORE_CHARTS || '\"\"' }}" | ||
| CHART_PUBLISH: "${{ inputs.CHART_PUBLISH || 'YES' }}" | ||
| LINTING_CHART_SCHEMA_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/chart-schema.yaml" | ||
| LINTING_LINTCONF_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/lintconf.yaml" | ||
| LINTING_CHART_TESTING_CONFIG_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/chart-testing-config.yaml" | ||
| LINTING_HEALTH_CHECK_SCHEMA_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/health-check-schema.yaml" | ||
| DEPENDENCIES: "mosip,https://mosip.github.io/mosip-helm;" | ||
| secrets: | ||
| TOKEN: ${{ secrets.ACTION_PAT }} | ||
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} |
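Review bot: the reusable workflow is consumed at a mutable ref (`uses: mosip/kattu/.github/workflows/chart-lint-publish.yml@master`) while this job hands it `TOKEN: ${{ secrets.ACTION_PAT }}` and `SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}`, so whatever lands on kattu's master next runs with those secrets. Pin the `uses:` reference to a full commit SHA (or at least a release tag) and bump it deliberately, and confirm `ACTION_PAT` is scoped to the one target repository named in `REPOSITORY: mosip-helm` rather than being an account-wide token.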
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix (AI, 15 days ago):
Generally, the fix is to explicitly define a permissions block that scopes the GITHUB_TOKEN to the minimum needed. This can be done at the workflow root (applies to all jobs without their own permissions) or per job. Since this workflow has a single job that calls a reusable workflow which likely needs to read repository contents and possibly write to gh-pages and read workflow metadata, we should set only those permissions that are clearly required.
Without modifying the functionality, we should:
- Add a root-level `permissions` block after the `on:` section (lines 3–42).
- Grant `contents: write` to allow publishing Helm charts (push to `gh-pages`), and `id-token: write` only if needed for OIDC (we will omit it since there is no indication it’s used).
- Optionally grant `actions: read` if the reusable workflow needs to query workflow runs; since we do not see such usage here, we’ll keep it minimal.
Concretely, in .github/workflows/chart-lint-publish.yml, insert:
```yaml
permissions:
  contents: write
```
between the `on:` block (ending at line 42) and the `jobs:` block (line 44). This limits GITHUB_TOKEN to repository contents write access only, which is the minimum obviously required for linting/publishing charts.
| @@ -41,6 +41,9 @@ | ||
| paths: | ||
| - 'helm/**' | ||
|
|
||
| permissions: | ||
| contents: write | ||
|
|
||
| jobs: | ||
| chart-lint-publish: | ||
| uses: mosip/kattu/.github/workflows/chart-lint-publish.yml@master |
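Review bot: `contents: write` on the root `permissions:` block is wider than this job can use. The publish target is a different repository (`REPOSITORY: mosip-helm`, `BRANCH: gh-pages` in the job's `with:`), which `GITHUB_TOKEN` cannot push to regardless of this setting; the push is done with `TOKEN: ${{ secrets.ACTION_PAT }}`. Unless the called workflow commits back into this repository, `contents: read` is the least-privilege value here: keep the root-level block as suggested but narrow it.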
| GPG_SECRET: ${{ secrets.GPG_SECRET }} | ||
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} | ||
|
|
||
| sonar_analysis_mock_mds: | ||
| needs: build-maven-MockMDS | ||
| if: "${{ github.event_name != 'pull_request' }}" | ||
| uses: mahesh-binayak/kattu/.github/workflows/maven-sonar-analysis-new.yml@MOSIP-42148 | ||
| with: | ||
| SERVICE_LOCATION: MockMDS | ||
| PROJECT_KEY: 'mockmds' | ||
| secrets: | ||
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | ||
| ORG_KEY: ${{ secrets.ORG_KEY }} | ||
| OSSRH_USER: ${{ secrets.OSSRH_USER }} | ||
| OSSRH_SECRET: ${{ secrets.OSSRH_SECRET }} | ||
| OSSRH_TOKEN: ${{ secrets.OSSRH_TOKEN }} |
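Review bot: `uses: mahesh-binayak/kattu/.github/workflows/maven-sonar-analysis-new.yml@MOSIP-42148` pulls the job body from a personal fork at a feature branch, and the job passes it `SONAR_TOKEN`, `ORG_KEY` and the three `OSSRH_*` secrets. Code that runs with organization secrets should come from the org-owned `mosip/kattu` at a pinned SHA or tag, and a Sonar analysis job has no obvious need for the OSSRH publishing credentials; drop them from this job's `secrets:` unless the called workflow demonstrably uses them. The `if: "${{ github.event_name != 'pull_request' }}"` guard is the right call, since it keeps those secrets away from PR-triggered runs.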
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix (AI, 15 days ago):
In general, to fix this issue you should explicitly declare a permissions: block either at the workflow root (to cover all jobs) or on individual jobs, granting only the scopes they actually need. For typical Maven build, publish, and Sonar analysis workflows that don’t push code or manage releases, this can usually be limited to read access on contents and, if needed, checks or statuses write access for reporting.
The single best, least‑intrusive fix here is to add a workflow‑level permissions block right after the name: (and before on:) so that all jobs, including sonar_analysis_mock_abis, run with a restricted GITHUB_TOKEN. Because these jobs mainly build, publish to external Nexus/Sonar using explicit secrets, and don’t appear to push code or releases back into GitHub, we can safely set contents: read as a minimal default. If you know that any called reusable workflow needs to update commit statuses or checks, you could additionally allow checks: write or statuses: write, but since that’s not visible in this snippet, we’ll keep the change minimal and read‑only.
Concretely, in .github/workflows/push-trigger.yml, insert:
```yaml
permissions:
  contents: read
```
right after line 1 (`name: Maven Package upon a push`) and before the `on:` section. No imports or other code changes are needed; this is pure workflow configuration.
| @@ -1,5 +1,8 @@ | ||
| name: Maven Package upon a push | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| release: | ||
| types: [published] |
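Review bot: the root-level `contents: read` is the right default for this file, but the workflow fires on `release: types: [published]` and the Sonar jobs `needs:` the `build-maven-*` jobs, so check whether any of those build/publish jobs rely on `GITHUB_TOKEN` to attach artifacts to the release. If one does, grant `contents: write` on that single job rather than widening the root block; if none does, this hunk is complete as is.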
| GPG_SECRET: ${{ secrets.GPG_SECRET }} | ||
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} | ||
|
|
||
| sonar_analysis_mock_sdk: | ||
| needs: build-maven-mock-sdk | ||
| if: "${{ github.event_name != 'pull_request' }}" | ||
| uses: mahesh-binayak/kattu/.github/workflows/maven-sonar-analysis-new.yml@MOSIP-42148 | ||
| with: | ||
| SERVICE_LOCATION: mock-sdk | ||
| PROJECT_KEY: 'mock-sdk' | ||
| secrets: | ||
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | ||
| ORG_KEY: ${{ secrets.ORG_KEY }} | ||
| OSSRH_USER: ${{ secrets.OSSRH_USER }} | ||
| OSSRH_SECRET: ${{ secrets.OSSRH_SECRET }} | ||
| OSSRH_TOKEN: ${{ secrets.OSSRH_TOKEN }} |
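Review bot: same concern as `sonar_analysis_mock_mds`: `uses:` points at the `mahesh-binayak/kattu` fork on branch `MOSIP-42148`, and the `OSSRH_*` secrets are handed to a Sonar-only job. Minor style point: `PROJECT_KEY: 'mock-sdk'` here versus `PROJECT_KEY: 'mockmds'` in the MockMDS job; pick one naming scheme so Sonar project keys stay predictable.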
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix (AI, 15 days ago):
Generally, to fix this issue you should add a permissions: block that explicitly scopes the GITHUB_TOKEN to the minimum rights needed, either at the workflow root (applies to all jobs) or individually per job. The safest and simplest approach here—without altering existing behavior—is to add a root-level permissions: with read-only access to repository contents, which is sufficient for typical build/test/analysis jobs that use external secrets for writes to third-party services.
Concretely, in .github/workflows/push-trigger.yml, just below the `name: Maven Package upon a push` line and before the `on:` block, add:
```yaml
permissions:
  contents: read
```
This sets the default for all jobs, including sonar_analysis_mock_mv and the other reusable-workflow jobs. Since none of the shown jobs obviously require write access to the repository itself (publishing and notifications are handled via OSSRH_*, SONAR_TOKEN, SLACK_WEBHOOK_URL, etc.), this should not break existing functionality while satisfying the CodeQL rule and enforcing least privilege.
| @@ -1,5 +1,8 @@ | ||
| name: Maven Package upon a push | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| release: | ||
| types: [published] |
.github/workflows/push-trigger.yml
Outdated
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix (AI, 15 days ago):
To fix this, we should explicitly scope down the GITHUB_TOKEN permissions for the workflow. The simplest and safest approach is to add a root-level permissions: block (just under the name: or on: section) so all jobs, including sonar_analysis_mock_mds, inherit minimal permissions unless overridden. Since the shown jobs call Maven build/publish and Sonar analysis via reusable workflows and do not need repository write access, we can set permissions: contents: read as a conservative default that allows checking out code but not pushing or modifying repository resources. If later some job needs more, it can override permissions locally.
Concretely, in .github/workflows/push-trigger.yml, add:
```yaml
permissions:
  contents: read
```
near the top of the file, at the workflow level. No additional imports or definitions are required. This single change will satisfy CodeQL’s requirement that the workflow limit GITHUB_TOKEN permissions and will apply to all jobs that don’t define their own permissions, including the one CodeQL flagged.
| @@ -1,5 +1,8 @@ | ||
| name: Maven Package upon a push | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| release: | ||
| types: [published] |
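The CodeQL rule behind all four alerts above (no `permissions:` block, so `GITHUB_TOKEN` gets the repository default) is easy to check for locally before CodeQL does. This is an added example, not code from this PR or from the mosip/kattu workflows; it also flags the second thing the hunks show, reusable workflows referenced at a branch instead of a commit SHA. The sample workflow is constructed from the job shapes in the hunks (not the real file) and the 40-hex SHA is a placeholder.

```python
"""Added audit (not part of this PR or the mosip/kattu workflows): flag a workflow
with no permissions: block and reusable workflows referenced by a mutable ref."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # a fully pinned uses: ref


def audit_workflow(text: str) -> dict:
    """Line-based parse on purpose (no PyYAML); workflow files are shallow."""
    root_perm, in_jobs, current, jobs = False, False, None, {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:  # top-level key
            in_jobs, current = line.startswith("jobs:"), None
            root_perm = root_perm or line.startswith("permissions:")
        elif in_jobs and indent == 2 and line.endswith(":"):
            current = line[:-1]  # a job id under jobs:
            jobs[current] = {"permissions": False, "uses": None}
        elif current and indent == 4:  # keys directly under a job
            if line.startswith("permissions:"):
                jobs[current]["permissions"] = True
            elif line.startswith("uses:"):
                jobs[current]["uses"] = line.split(":", 1)[1].strip()
    # CodeQL's rule: a job is covered by its own block or by a root block
    missing = [] if root_perm else [j for j, v in jobs.items() if not v["permissions"]]
    unpinned = [(j, v["uses"].rsplit("@", 1)[1]) for j, v in jobs.items()
                if v["uses"] and "@" in v["uses"]
                and not SHA_RE.match(v["uses"].rsplit("@", 1)[1])]
    return {"root_permissions": root_perm,
            "jobs_missing_permissions": missing, "unpinned_uses": unpinned}


# Constructed sample shaped like the jobs in this PR's hunks (not the real file).
SAMPLE_WORKFLOW = """\
name: Maven Package upon a push
on:
  release:
    types: [published]
jobs:
  chart-lint-publish:
    uses: mosip/kattu/.github/workflows/chart-lint-publish.yml@master
    with:
      CHARTS_DIR: ./helm
  sonar_analysis_mock_mds:
    if: "${{ github.event_name != 'pull_request' }}"
    uses: mahesh-binayak/kattu/.github/workflows/maven-sonar-analysis-new.yml@MOSIP-42148
    permissions:
      contents: read
"""

# Copilot's fix (root contents: read) plus pinning one uses: to a placeholder SHA.
FIXED_WORKFLOW = "permissions:\n  contents: read\n\n" + SAMPLE_WORKFLOW.replace(
    "@master", "@0123456789abcdef0123456789abcdef01234567")
```

Run `audit_workflow` over each file under `.github/workflows/` in CI; a non-empty `jobs_missing_permissions` is exactly what CodeQL reports here, and `unpinned_uses` catches the fork-and-branch references that CodeQL does not.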
Add files via upload
No description provided.