Integrate rl-scanner (#335)

Author: kailash-b

.github/actions/rl-scanner/action.yml

@@ -0,0 +1,71 @@
+name: 'Reversing Labs Scanner'
+description: 'Runs the Reversing Labs scanner on a specified artifact.'
+inputs:
+  artifact-path:
+    description: 'Path to the artifact to be scanned.'
+    required: true
+  version:
+    description: 'Version of the artifact.'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: '3.10'
+
+    - name: Install Python dependencies
+      shell: bash
+      run: |
+        pip install boto3 requests
+
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        role-to-assume: ${{ env.PRODSEC_TOOLS_ARN }}
+        aws-region: us-east-1
+        mask-aws-account-id: true
+
+    - name: Install RL Wrapper
+      shell: bash
+      run: |
+        pip install rl-wrapper>=1.0.0 --index-url "https://${{ env.PRODSEC_TOOLS_USER }}:${{ env.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple"
+
+    - name: Run RL Scanner
+      shell: bash
+      env:
+        RLSECURE_LICENSE: ${{ env.RLSECURE_LICENSE }}
+        RLSECURE_SITE_KEY: ${{ env.RLSECURE_SITE_KEY }}
+        SIGNAL_HANDLER_TOKEN: ${{ env.SIGNAL_HANDLER_TOKEN }}
+        PYTHONUNBUFFERED: 1
+      run: |
+        if [ ! -f "${{ inputs.artifact-path }}" ]; then
+          echo "Artifact not found: ${{ inputs.artifact-path }}"
+          exit 1
+        fi
+
+        rl-wrapper \
+          --artifact "${{ inputs.artifact-path }}" \
+          --name "${{ github.event.repository.name }}" \
+          --version "${{ inputs.version }}" \
+          --repository "${{ github.repository }}" \
+          --commit "${{ github.sha }}" \
+          --build-env "github_actions" \
+          --suppress_output
+
+        # Check the outcome of the scanner
+        if [ $? -ne 0 ]; then
+          echo "RL Scanner failed."
+          echo "scan-status=failed" >> $GITHUB_ENV
+          exit 1
+        else
+          echo "RL Scanner passed."
+          echo "scan-status=success" >> $GITHUB_ENV
+        fi
+
+outputs:
+  scan-status:
+    description: 'The outcome of the scan process.'
+    value: ${{ env.scan-status }}

.github/workflows/release.yml

@@ -6,20 +6,20 @@ on:
       - closed
   workflow_dispatch:
 
-
 permissions:
   contents: write
+  id-token: write
 
 ### TODO: Replace instances of './.github/workflows/' w/ `auth0/dx-sdk-actions/workflows` and append `@latest` after the common `dx-sdk-actions` repo is made public.
 ### TODO: Also remove `get-prerelease`, `get-release-notes`, `get-version`, `release-create`, and `tag-exists` actions from this repo's .github/actions folder once the repo is public.
 
 jobs:
+
   build:
     name: Build
     runs-on: windows-latest
     environment: 'release'
     if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
-
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -57,10 +57,130 @@ jobs:
           retention-days: 1
           compression-level: 9
 
+  rl-scanner-android:
+    needs: build    
+    uses: ./.github/workflows/rl-secure.yml
+    with:
+      nuspec-file: "nuget/Auth0.OidcClient.Android.nuspec"
+      artifact-name: "Auth0.OidcClient.Android.tgz"
+      project-path: "src/Auth0.OidcClient.Android"
+    secrets:
+      RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
+      RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
+      SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
+      PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
+      PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
+      PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
+
+  rl-scanner-androidx:
+    needs: build    
+    uses: ./.github/workflows/rl-secure.yml    
+    with:
+      nuspec-file: "nuget/Auth0.OidcClient.AndroidX.nuspec"
+      artifact-name: "Auth0.OidcClient.AndroidX.tgz"
+      project-path: "src/Auth0.OidcClient.AndroidX"
+    secrets:
+      RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
+      RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
+      SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
+      PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
+      PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
+      PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
+
+  rl-scanner-iOS:
+    needs: build    
+    uses: ./.github/workflows/rl-secure.yml
+    with:
+      nuspec-file: "nuget/Auth0.OidcClient.iOS.nuspec"
+      artifact-name: "Auth0.OidcClient.iOS.tgz"
+      project-path: "src/Auth0.OidcClient.iOS"
+    secrets:
+      RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
+      RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
+      SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
+      PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
+      PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
+      PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
+
+  rl-scanner-core:
+    needs: build    
+    uses: ./.github/workflows/rl-secure.yml
+    with:
+      nuspec-file: "nuget/Auth0.OidcClient.Core.nuspec"
+      artifact-name: "Auth0.OidcClient.Core.tgz"
+      project-path: "src/Auth0.OidcClient.Core"
+    secrets:
+      RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
+      RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
+      SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
+      PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
+      PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
+      PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
+
+  rl-scanner-wpf:
+    needs: build    
+    uses: ./.github/workflows/rl-secure.yml
+    with:
+      nuspec-file: "nuget/Auth0.OidcClient.WPF.nuspec"
+      artifact-name: "Auth0.OidcClient.WPF.tgz"
+      project-path: "src/Auth0.OidcClient.WPF"
+    secrets:
+      RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
+      RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
+      SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
+      PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
+      PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
+      PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
+
+  rl-scanner-winforms:
+    needs: build    
+    uses: ./.github/workflows/rl-secure.yml
+    with:
+      nuspec-file: "nuget/Auth0.OidcClient.WinForms.nuspec"
+      artifact-name: "Auth0.OidcClient.WinForms.tgz"
+      project-path: "src/Auth0.OidcClient.WinForms"
+    secrets:
+      RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
+      RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
+      SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
+      PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
+      PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
+      PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
+
+  rl-scanner-uwp:
+      needs: build    
+      uses: ./.github/workflows/rl-secure.yml
+      with:
+        nuspec-file: "nuget/Auth0.OidcClient.UWP.nuspec"
+        artifact-name: "Auth0.OidcClient.UWP.tgz"
+        project-path: "src/Auth0.OidcClient.UWP"
+      secrets:
+        RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
+        RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
+        SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
+        PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
+        PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
+        PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
+
+  rl-scanner-maui:
+    needs: build    
+    uses: ./.github/workflows/rl-secure.yml
+    with:
+      nuspec-file: "nuget/Auth0.OidcClient.MAUI.nuspec"
+      artifact-name: "Auth0.OidcClient.MAUI.tgz"
+      project-path: "src/Auth0.OidcClient.MAUI"
+    secrets:
+      RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
+      RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
+      SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
+      PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
+      PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
+      PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
+
   android:
     name: Android
     uses: ./.github/workflows/nuget-release.yml
-    needs: build
+    needs: [rl-scanner-android,rl-scanner-androidx,rl-scanner-iOS,rl-scanner-core,rl-scanner-wpf,rl-scanner-winforms,rl-scanner-uwp,rl-scanner-maui]
     with:
       tag-prefix: 'android-'
       project-path: "src/Auth0.OidcClient.Android"
@@ -72,7 +192,7 @@ jobs:
   androidx:
     name: AndroidX
     uses: ./.github/workflows/nuget-release.yml
-    needs: build
+    needs: [rl-scanner-android,rl-scanner-androidx,rl-scanner-iOS,rl-scanner-core,rl-scanner-wpf,rl-scanner-winforms,rl-scanner-uwp,rl-scanner-maui]
     with:
       tag-prefix: 'androidx-'
       project-path: "src/Auth0.OidcClient.AndroidX"
@@ -84,7 +204,7 @@ jobs:
   ios:
     name: iOS
     uses: ./.github/workflows/nuget-release.yml
-    needs: build
+    needs: [rl-scanner-android,rl-scanner-androidx,rl-scanner-iOS,rl-scanner-core,rl-scanner-wpf,rl-scanner-winforms,rl-scanner-uwp,rl-scanner-maui]
     with:
       tag-prefix: 'ios-'
       project-path: "src/Auth0.OidcClient.iOS"
@@ -96,7 +216,7 @@ jobs:
   core:
     name: Core
     uses: ./.github/workflows/nuget-release.yml
-    needs: build
+    needs: [rl-scanner-android,rl-scanner-androidx,rl-scanner-iOS,rl-scanner-core,rl-scanner-wpf,rl-scanner-winforms,rl-scanner-uwp,rl-scanner-maui]
     with:
       tag-prefix: 'core-'
       project-path: "src/Auth0.OidcClient.Core"
@@ -108,7 +228,7 @@ jobs:
   wpf:
     name: WPF
     uses: ./.github/workflows/nuget-release.yml
-    needs: build
+    needs: [rl-scanner-android,rl-scanner-androidx,rl-scanner-iOS,rl-scanner-core,rl-scanner-wpf,rl-scanner-winforms,rl-scanner-uwp,rl-scanner-maui]
     with:
       tag-prefix: 'wpf-'
       project-path: "src/Auth0.OidcClient.WPF"
@@ -120,7 +240,7 @@ jobs:
   winforms:
     name: WinForms
     uses: ./.github/workflows/nuget-release.yml
-    needs: build
+    needs: [rl-scanner-android,rl-scanner-androidx,rl-scanner-iOS,rl-scanner-core,rl-scanner-wpf,rl-scanner-winforms,rl-scanner-uwp,rl-scanner-maui]
     with:
       tag-prefix: 'winforms-'
       project-path: "src/Auth0.OidcClient.WinForms"
@@ -132,7 +252,7 @@ jobs:
   uwp:
     name: UWP
     uses: ./.github/workflows/nuget-release.yml
-    needs: build
+    needs: [rl-scanner-android,rl-scanner-androidx,rl-scanner-iOS,rl-scanner-core,rl-scanner-wpf,rl-scanner-winforms,rl-scanner-uwp,rl-scanner-maui]
     with:
       tag-prefix: 'uwp-'
       project-path: "src/Auth0.OidcClient.UWP"
@@ -144,7 +264,7 @@ jobs:
   maui:
     name: MAUI
     uses: ./.github/workflows/nuget-release.yml
-    needs: build
+    needs: [rl-scanner-android,rl-scanner-androidx,rl-scanner-iOS,rl-scanner-core,rl-scanner-wpf,rl-scanner-winforms,rl-scanner-uwp,rl-scanner-maui]
     with:
       tag-prefix: 'maui-'
       project-path: "src/Auth0.OidcClient.MAUI"
@@ -158,7 +278,7 @@ jobs:
     if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
     runs-on: windows-latest
     environment: release
-    needs: build
+    needs: [rl-scanner-android,rl-scanner-androidx,rl-scanner-iOS,rl-scanner-core,rl-scanner-wpf,rl-scanner-winforms,rl-scanner-uwp,rl-scanner-maui]
 
     steps:
       - name: Checkout code

.github/workflows/rl-secure.yml

@@ -0,0 +1,83 @@
+name: RL-Secure Workflow
+run-name: rl-scanner
+
+on:
+  workflow_call:
+    inputs:
+      nuspec-file:
+        type: string        
+        required: true
+      artifact-name:
+        type: string
+        required: true
+      project-path:
+        type: string
+        required: true
+    secrets:
+      RLSECURE_LICENSE:
+        required: true
+      RLSECURE_SITE_KEY:
+        required: true
+      SIGNAL_HANDLER_TOKEN:
+        required: true
+      PRODSEC_TOOLS_USER:
+        required: true
+      PRODSEC_TOOLS_TOKEN:
+        required: true
+      PRODSEC_TOOLS_ARN:
+        required: true
+
+jobs:
+  rl-scanner:
+    name: Run Reversing Labs scanner
+    if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
+    runs-on: ubuntu-latest
+    outputs:
+      scan-status: ${{ steps.rl-scan-conclusion.outcome }}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v3
+        with:
+          dotnet-version: 6.0.x
+    
+      - uses: actions/download-artifact@v4
+        with:
+          path: './src'
+          name: build
+
+      - name: Create NuGet packages
+        shell: pwsh
+        run: |          
+            nuget pack ${{ inputs.nuspec-file }} -OutputDirectory ${{ github.workspace }}/nuget
+    
+      - name: Create tgz build artifact
+        run: |
+          tar -czvf ${{ github.workspace }}/${{ inputs.artifact-name }} ${{ github.workspace }}/nuget
+      
+      - id: get_version
+        uses: ./.github/actions/get-version
+        with:
+          working-directory: ${{ inputs.project-path }}
+
+      - name: Run RL Scanner
+        id: rl-scan-conclusion
+        uses: ./.github/actions/rl-scanner
+        with:
+          artifact-path: ${{ github.workspace }}/${{ inputs.artifact-name }}
+          version: "${{ steps.get_version.outputs.version }}"
+        env:
+          RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
+          RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
+          SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
+          PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
+          PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
+          PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
+        
+      - name: Output scan result
+        run: echo "scan-status=${{ steps.rl-scan-conclusion.outcome }}" >> $GITHUB_ENV