@eeacms/volto-bise-policy 1.3.2 → 1.3.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,133 @@
1
+ name: Betterleaks
2
+
3
+ on:
4
+ push:
5
+ pull_request:
6
+
7
+ permissions:
8
+ contents: read
9
+
10
+ jobs:
11
+ scan:
12
+ name: Scan for secrets
13
+ runs-on: ubuntu-latest
14
+ env:
15
+ SMTP_URL: ${{ secrets.SMTP_URL }}
16
+ SMTP_PORT: ${{ secrets.SMTP_PORT || '25' }}
17
+ SMTP_EMAIL: ${{ secrets.SMTP_EMAIL }}
18
+ SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }}
19
+ steps:
20
+ - name: Checkout repository
21
+ uses: actions/checkout@v4
22
+ with:
23
+ fetch-depth: 1
24
+ ref: ${{ github.event.pull_request.head.sha || github.sha }}
25
+
26
+ - name: Run Betterleaks
27
+ id: betterleaks
28
+ continue-on-error: true
29
+ uses: dortort/betterleaks-action@v0.1.0
30
+ with:
31
+ github-token: ${{ secrets.GITHUB_TOKEN }}
32
+ scan-mode: dir
33
+ scan-path: .
34
+ config: .gitleaks.toml
35
+ report-format: json
36
+ report-path: betterleaks-report.json
37
+ redact: "true"
38
+ no-color: "true"
39
+ no-banner: "true"
40
+ fail-on-leak: "true"
41
+
42
+ - name: Upload Betterleaks report
43
+ if: always()
44
+ uses: actions/upload-artifact@v4
45
+ with:
46
+ name: betterleaks-report
47
+ path: betterleaks-report.json
48
+ if-no-files-found: ignore
49
+
50
+ - name: Build Betterleaks email summary
51
+ id: leak_summary
52
+ if: steps.betterleaks.outcome == 'failure'
53
+ shell: bash
54
+ run: |
55
+ if [[ -s betterleaks-report.json ]]; then
56
+ jq -r '
57
+ def one_line:
58
+ tostring
59
+ | gsub("[\r\n]+"; " ")
60
+ | if length > 240 then .[0:240] + "..." else . end;
61
+
62
+ .[:20][]
63
+ | "- " + (.RuleID // "unknown-rule")
64
+ + " at " + (.File // "unknown-file")
65
+ + ":" + ((.StartLine // 0) | tostring)
66
+ + "\n match: " + ((.Match // .Secret // "REDACTED") | one_line)
67
+ ' betterleaks-report.json > betterleaks-email-summary.txt
68
+
69
+ count="$(jq 'length' betterleaks-report.json)"
70
+ if (( count > 20 )); then
71
+ {
72
+ echo ""
73
+ echo "... and $((count - 20)) more finding(s). Download the artifact for full details."
74
+ } >> betterleaks-email-summary.txt
75
+ fi
76
+ else
77
+ echo "No JSON report was generated. Download the workflow logs for details." > betterleaks-email-summary.txt
78
+ fi
79
+
80
+ {
81
+ echo "text<<BETTERLEAKS_SUMMARY"
82
+ cat betterleaks-email-summary.txt
83
+ echo "BETTERLEAKS_SUMMARY"
84
+ } >> "$GITHUB_OUTPUT"
85
+
86
+ - name: Resolve committer email
87
+ id: committer
88
+ if: steps.betterleaks.outcome == 'failure'
89
+ shell: bash
90
+ run: |
91
+ committer_email="$(git log -1 --format='%ce')"
92
+ author_email="$(git log -1 --format='%ae')"
93
+ email="$committer_email"
94
+ if [[ -z "$email" || "$email" == *"noreply.github.com"* ]]; then
95
+ email="$author_email"
96
+ fi
97
+ if [[ "$email" =~ ^[^[:space:]@]+@[^[:space:]@]+\.[^[:space:]@]+$ && "$email" != *"noreply.github.com"* ]]; then
98
+ echo "email=$email" >> "$GITHUB_OUTPUT"
99
+ else
100
+ echo "No deliverable committer email found; skipping Betterleaks email notification."
101
+ echo "email=" >> "$GITHUB_OUTPUT"
102
+ fi
103
+
104
+ - name: Email committer on Betterleaks failure
105
+ if: steps.betterleaks.outcome == 'failure' && steps.committer.outputs.email != '' && env.SMTP_URL != '' && env.SMTP_EMAIL != ''
106
+ uses: dawidd6/action-send-mail@v18
107
+ with:
108
+ server_address: ${{ env.SMTP_URL }}
109
+ server_port: ${{ env.SMTP_PORT }}
110
+ secure: ${{ env.SMTP_PORT == '465' }}
111
+ username: ${{ env.SMTP_EMAIL }}
112
+ password: ${{ env.SMTP_PASSWORD }}
113
+ from: ${{ env.SMTP_EMAIL }}
114
+ to: ${{ steps.committer.outputs.email }}
115
+ subject: "[Betterleaks] Secret scan failed in ${{ github.repository }}"
116
+ body: |
117
+ Betterleaks detected one or more potential secrets.
118
+
119
+ Repository: ${{ github.repository }}
120
+ Branch: ${{ github.ref_name }}
121
+ Commit: ${{ github.sha }}
122
+ Workflow run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
123
+
124
+ Findings:
125
+ ${{ steps.leak_summary.outputs.text }}
126
+
127
+ Download the betterleaks-report artifact from the workflow run for details.
128
+
129
+ - name: Fail if Betterleaks found leaks
130
+ if: steps.betterleaks.outcome == 'failure'
131
+ run: |
132
+ echo "Betterleaks detected one or more secrets. Download the betterleaks-report artifact from this workflow run for details."
133
+ exit 1
package/.gitleaks.toml ADDED
@@ -0,0 +1,89 @@
1
+ title = "Betterleaks config"
2
+
3
+ [extend]
4
+ useDefault = true
5
+
6
+ [[rules]]
7
+ id = "secret-literal-assignment"
8
+ description = "Secret-like literal assignment in source, YAML, env and config files"
9
+ regex = '''(?i)([A-Za-z0-9_.-]*(?:password|passwd|pwd|api[_-]?key|apikey|access[_-]?key|secret[_-]?access[_-]?key|private[_-]?key|client[_-]?secret|consumer[_-]?key|consumer[_-]?secret|(?:auth|access|refresh|session|api|bearer|id|jwt|csrf|xsrf|oauth)[_-]?token|translate[_-]?auth|translation[_-]?auth|auth[_-]?password|auth[_-]?key|auth[_-]?credentials|database[_-]?url|connection[_-]?string)[A-Za-z0-9_.-]*)[ \t]*[:=][ \t]*["'']?([^"''[:space:]#{}$.][^"''\n#{}]{2,})["'']?'''
10
+ secretGroup = 2
11
+ keywords = [
12
+ "password",
13
+ "passwd",
14
+ "pwd",
15
+ "api_key",
16
+ "apikey",
17
+ "access_key",
18
+ "private_key",
19
+ "client_secret",
20
+ "consumer_key",
21
+ "consumer_secret",
22
+ "auth_token",
23
+ "access_token",
24
+ "refresh_token",
25
+ "session_token",
26
+ "api_token",
27
+ "bearer_token",
28
+ "id_token",
29
+ "jwt_token",
30
+ "csrf_token",
31
+ "xsrf_token",
32
+ "oauth_token",
33
+ "translate_auth",
34
+ "translation_auth",
35
+ "auth_password",
36
+ "auth_key",
37
+ "auth_credentials",
38
+ "database_url",
39
+ "connection_string"
40
+ ]
41
+ tags = ["literal-secret"]
42
+
43
+ [[rules]]
44
+ id = "env-short-secret-assignment"
45
+ description = "Uppercase env-style PASS/TOKEN/SECRET assignment"
46
+ regex = '''\b((?:PASS|TOKEN|SECRET|[A-Z0-9_]*(?:_PASS|_TOKEN|_SECRET|PASS_|TOKEN_|SECRET_)[A-Z0-9_]*))[ \t]*[:=][ \t]*["'']?([^"''[:space:]#{}$.][^"''\n#{}]{2,})["'']?'''
47
+ secretGroup = 2
48
+ keywords = [
49
+ "PASS",
50
+ "TOKEN",
51
+ "SECRET"
52
+ ]
53
+ tags = ["env", "literal-secret"]
54
+
55
+ [[rules]]
56
+ id = "standalone-sk-token"
57
+ description = "Standalone sk-* token not attached to a secret-like variable name"
58
+ regex = '''(?i)\b(sk-[A-Za-z0-9][A-Za-z0-9_-]{20,})\b'''
59
+ secretGroup = 1
60
+ entropy = 2.5
61
+ keywords = ["sk-"]
62
+ tags = ["standalone-token", "generic"]
63
+
64
+ [[rules]]
65
+ id = "dotenv-only-jest-setup"
66
+ description = ".env may only contain the committed Jest setup lines"
67
+ path = '''(?i)(^|/)\.env$'''
68
+ regex = '''(?m)^(.+)$'''
69
+ secretGroup = 1
70
+ tags = ["file", "dotenv"]
71
+ [[rules.allowlists]]
72
+ regexTarget = "match"
73
+ regexes = [
74
+ '''^JEST_USE_SETUP=OFF # Jest configuration variables: ON, OFF\r?$''',
75
+ ]
76
+
77
+ [[rules]]
78
+ id = "forbidden-secret-file"
79
+ description = "Forbidden secret-bearing file committed to repository"
80
+ path = '''(?i)(^|/)(\.env\..*|\.npmrc|\.pypirc|id_rsa|id_ed25519|.*\.(pem|key|p12|pfx|jks|kubeconfig))$'''
81
+ regex = '''(?s).{1,}'''
82
+ tags = ["file", "secret-file"]
83
+
84
+ [[allowlists]]
85
+ description = "Allow Jenkins SonarQube token environment variable reference"
86
+ regexTarget = "match"
87
+ regexes = [
88
+ '''SONAR_AUTH_TOKEN''',
89
+ ]
package/CHANGELOG.md CHANGED
@@ -4,11 +4,25 @@ All notable changes to this project will be documented in this file. Dates are d
4
4
 
5
5
  Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog).
6
6
 
7
- ### [1.3.2](https://github.com/eea/volto-bise-policy/compare/1.3.1...1.3.2) - 24 June 2026
7
+ ### [1.3.4](https://github.com/eea/volto-bise-policy/compare/1.3.3...1.3.4) - 9 July 2026
8
8
 
9
9
  #### :hammer_and_wrench: Others
10
10
 
11
- - remove CountryFlag customization from volto-bise-policy [Claudia Ifrim - [`b30ebf9`](https://github.com/eea/volto-bise-policy/commit/b30ebf985814b68aba43ee4f08586106e133d939)]
11
+ - enable attributions for osm [Claudia Ifrim - [`de583af`](https://github.com/eea/volto-bise-policy/commit/de583af4eff7c7a3a91a9845eb372e2bfa86fec1)]
12
+ ### [1.3.3](https://github.com/eea/volto-bise-policy/compare/1.3.2...1.3.3) - 9 July 2026
13
+
14
+ #### :house: Internal changes
15
+
16
+ - chore: [JENKINSFILE] sanitize sonarqube command [valentinab25 - [`8e2dc1a`](https://github.com/eea/volto-bise-policy/commit/8e2dc1a14f3230f197f009a76bf87587724b6e3a)]
17
+
18
+ #### :hammer_and_wrench: Others
19
+
20
+ - test: pin Chromium version 149 to work with Cypress [valentinab25 - [`5841387`](https://github.com/eea/volto-bise-policy/commit/5841387ae59380ee15af8c82a4df81c4767e1b7c)]
21
+ - Update Betterleaks email notification [Dobricean Ioan Dorian - [`45fae4c`](https://github.com/eea/volto-bise-policy/commit/45fae4cea316af3d3b846d4d7754e63bd7baeaac)]
22
+ - Update Betterleaks config documentation [Dobricean Ioan Dorian - [`e6742c2`](https://github.com/eea/volto-bise-policy/commit/e6742c23bffe88fef239354723dc8ae9aba94469)]
23
+ - Fix betterleaks findings [Dobricean Ioan Dorian - [`b9ef9ba`](https://github.com/eea/volto-bise-policy/commit/b9ef9baf5f6b1036e8d83f90a582298c3688a7ba)]
24
+ ### [1.3.2](https://github.com/eea/volto-bise-policy/compare/1.3.1...1.3.2) - 24 June 2026
25
+
12
26
  ### [1.3.1](https://github.com/eea/volto-bise-policy/compare/1.3.0...1.3.1) - 23 June 2026
13
27
 
14
28
  ### [1.3.0](https://github.com/eea/volto-bise-policy/compare/1.3.0-beta.2...1.3.0) - 22 June 2026
package/README.md CHANGED
@@ -80,6 +80,65 @@ See [RELEASE.md](https://github.com/eea/volto-bise-policy/blob/master/RELEASE.md
80
80
 
81
81
  See [DEVELOP.md](https://github.com/eea/volto-bise-policy/blob/master/DEVELOP.md).
82
82
 
83
+ ## Secret Scanning
84
+
85
+ This repository uses the Betterleaks GitHub Action to scan the current
86
+ repository content on every push and pull request. The scan uses the rules in
87
+ `.gitleaks.toml` and uploads a `betterleaks-report` artifact when a finding is
88
+ detected.
89
+
90
+ If the optional SMTP secrets are configured, failed scans also send an email to
91
+ the last commit committer. The workflow expects these repository or
92
+ organization secrets:
93
+
94
+ - `SMTP_URL`
95
+ - `SMTP_PORT` (optional, defaults to `25`)
96
+ - `SMTP_EMAIL`
97
+ - `SMTP_PASSWORD` (optional if the SMTP server does not require authentication)
98
+
99
+ Port `465` is sent with direct TLS; other ports use the default SMTP handshake.
100
+ The email includes a short finding summary from the redacted Betterleaks report,
101
+ including the redacted matched line from each finding.
102
+
103
+ There are three common outcomes:
104
+
105
+ 1. **Everything is OK.** The `Betterleaks / Scan for secrets` check is green and
106
+ no action is needed. Regular references to runtime values are OK, for example:
107
+
108
+ ```js
109
+ const tokenFromCookie = req.universalCookies.get('auth_token');
110
+ ```
111
+
112
+ 2. **A real secret was found.** The check is red and the workflow log asks you to
113
+ download the `betterleaks-report` artifact. Open the artifact from the GitHub
114
+ Actions run and check the reported file, line and rule. Remove the committed
115
+ value, move it to the proper secret store, and rotate it if it was exposed.
116
+ A report entry looks like this:
117
+
118
+ ```json
119
+ {
120
+ "RuleID": "secret-literal-assignment",
121
+ "File": "src/config.js",
122
+ "StartLine": 12,
123
+ "Secret": "[REDACTED]"
124
+ }
125
+ ```
126
+
127
+ 3. **The finding is a false positive.** Keep the value only if it is clearly not
128
+ sensitive, such as a test fixture, placeholder, or public example. Add
129
+ `betterleaks:allow` on the same line and include a short explanation in the
130
+ pull request.
131
+
132
+ ```js
133
+ const testPassword = 'admin'; //betterleaks:allow
134
+ ```
135
+
136
+ ```yaml
137
+ password: "admin" #betterleaks:allow
138
+ ```
139
+
140
+ Do not add `betterleaks:allow` to real credentials.
141
+
83
142
  ## Copyright and license
84
143
 
85
144
  The Initial Owner of the Original Code is European Environment Agency (EEA).
package/RELEASE.md CHANGED
@@ -33,7 +33,7 @@ Release-it is a tool that automates 4 important steps in the release process:
33
33
  To configure the authentification, you need to export GITHUB_TOKEN for [GitHub](https://github.com/settings/tokens)
34
34
 
35
35
  ```
36
- export GITHUB_TOKEN=XXX-XXXXXXXXXXXXXXXXXXXXXX
36
+ export GITHUB_TOKEN="${GITHUB_TOKEN}"
37
37
  ```
38
38
 
39
39
  To configure npm, you can use the `npm login` command or use a configuration file with a TOKEN :
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@eeacms/volto-bise-policy",
3
- "version": "1.3.2",
3
+ "version": "1.3.4",
4
4
  "description": "@eeacms/volto-bise-policy: Volto add-on",
5
5
  "main": "src/index.js",
6
6
  "author": "European Environment Agency: IDM2 A-Team",
@@ -9,6 +9,7 @@ import {
9
9
  } from '@eeacms/volto-openlayers-map/api';
10
10
  import React, { useState } from 'react';
11
11
  import { useMapContext } from '@eeacms/volto-openlayers-map/hocs';
12
+ import { GISCO_OSM_ATTRIBUTION } from '@eeacms/volto-bise-policy/constants';
12
13
 
13
14
  function PinInteraction({ longitude, latitude, onChange, ol }) {
14
15
  const mapContext = useMapContext();
@@ -77,6 +78,7 @@ const TileSetLoader = (props) => {
77
78
  setTileWMSSources([
78
79
  new ol.source.TileWMS({
79
80
  url: 'https://gisco-services.ec.europa.eu/maps/service',
81
+ attributions: GISCO_OSM_ATTRIBUTION,
80
82
  params: {
81
83
  LAYERS: 'OSMBlossomComposite',
82
84
  TILED: true,
@@ -102,10 +104,13 @@ const MapContainer = (props) => {
102
104
  zoom: 15,
103
105
  }}
104
106
  pixelRatio={1}
105
- controls={ol.control.defaults({ attribution: false })}
106
107
  >
107
108
  <Layers>
108
- <Controls attribution={false} zoom={false} />
109
+ <Controls
110
+ attribution={true}
111
+ attributionOptions={{ collapsible: false }}
112
+ zoom={false}
113
+ />
109
114
  <PinInteraction
110
115
  ol={ol}
111
116
  latitude={latitude}
@@ -10,6 +10,7 @@ import {
10
10
  useMapContext,
11
11
  } from '@eeacms/volto-openlayers-map/api';
12
12
  import { withOpenLayers } from '@eeacms/volto-openlayers-map';
13
+ import { GISCO_OSM_ATTRIBUTION } from '@eeacms/volto-bise-policy/constants';
13
14
 
14
15
  import InfoOverlay from './InfoOverlay';
15
16
  import FeatureInteraction from './FeatureInteraction';
@@ -45,6 +46,7 @@ function CaseStudyMap(props) {
45
46
  const [tileWMSSources] = React.useState([
46
47
  new ol.source.TileWMS({
47
48
  url: 'https://gisco-services.ec.europa.eu/maps/service',
49
+ attributions: GISCO_OSM_ATTRIBUTION,
48
50
  params: {
49
51
  // LAYERS: 'OSMBlossomComposite', OSMCartoComposite, OSMPositronComposite
50
52
  LAYERS: 'OSMPositronComposite',
@@ -130,9 +132,11 @@ function CaseStudyMap(props) {
130
132
  zoom: 4,
131
133
  }}
132
134
  pixelRatio={1}
133
- // controls={ol.control.defaults({ attribution: false })}
134
135
  >
135
- <Controls attribution={false} />
136
+ <Controls
137
+ attribution={true}
138
+ attributionOptions={{ collapsible: false }}
139
+ />
136
140
  <Layers>
137
141
  {hideFilters ? null : (
138
142
  <button
@@ -0,0 +1,7 @@
1
+ // Basemap attribution strings. OpenStreetMap-derived basemaps (GISCO OSM*
2
+ // composites) must credit "© OpenStreetMap contributors" per the ODbL —
3
+ // https://www.openstreetmap.org/copyright
4
+ export const OSM_ATTRIBUTION =
5
+ '© <a href="https://www.openstreetmap.org/copyright" target="_blank" rel="noopener noreferrer">OpenStreetMap</a> contributors';
6
+
7
+ export const GISCO_OSM_ATTRIBUTION = `${OSM_ATTRIBUTION}, © <a href="https://ec.europa.eu/eurostat/web/gisco" target="_blank" rel="noopener noreferrer">Eurostat/GISCO</a>`;