Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 8 additions & 4 deletions .github/workflows/pylint.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,16 +7,20 @@ jobs:
runs-on: ubuntu-latest
strategy:
matrix:
python-version: ["3.8", "3.9", "3.10"]
python-version: ["3.10", "3.11", "3.12"]
steps:
- uses: actions/checkout@v4
with:
submodules: recursive
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v3
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install requests tabulate pylint
pip install -r requirements-sdk.txt
pip install tabulate pylint
- name: Run pylint
run: pylint $(git ls-files '*.py') --fail-under=8
run: |
pylint $(git ls-files '*.py' | grep -v '^vendor/') --fail-under=8
4 changes: 4 additions & 0 deletions .gitmodules
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
[submodule "vendor/workbench-agent-ce"]
path = vendor/workbench-agent-ce
url = https://github.com/fossid-ab/workbench-agent-ce.git
branch = main
101 changes: 85 additions & 16 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,27 +1,96 @@
# FossID Workbench API Examples!
These scripts were built by the FossID Customer Experience teams in collaboration with Engineering to solve specific use cases raised by customers via the [FossID Support Portal](https://support.fossid.com/).
# FossID Workbench API Examples

These scripts were built by the FossID Customer Experience teams in collaboration with Engineering to solve specific use cases raised by customers via the [FossID Support Portal](https://support.fossid.com/).

### Supportability
These examples demonstrate how to interact with the Workbench API. We do our best to keep the examples updated, but there is no long-term maintainer for this code. We do not use GitHub Issues - for questions or issues with the scripts please use the [FossID Support Portal](https://support.fossid.com/). Thank you!

## Example Scripts
The repo has scripts that help you:
These examples demonstrate how to interact with the Workbench API. We do our best to keep the examples updated, but there is no long-term maintainer for this code. We do not use GitHub Issues — for questions or issues with the scripts please use the [FossID Support Portal](https://support.fossid.com/). Thank you!

## Workbench Agent CE (recommended)

For day-to-day and CI/CD use, prefer **[Workbench Agent CE](https://github.com/fossid-ab/workbench-agent-ce)** — a maintained CLI and Docker image that wraps the same SDK:

| Sample folder | CE command |
|---------------|------------|
| `quick-scan/` | `workbench-agent quick-scan` |
| `post-scan-gates/` | `workbench-agent evaluate-gates` |
| `post-scan-reports/` | `workbench-agent download-reports` |
| `import-da/` | `workbench-agent import-da` |
| `delete-scan/` | `workbench-agent delete-scan` |

See the [Getting Started Guide](https://github.com/fossid-ab/workbench-agent-ce/wiki/Getting-Started) and per-folder READMEs for examples.

## Workbench SDK in this repo

Sample scripts that remain in this repo call the SDK vendored as a git submodule:

| Item | Location |
|------|----------|
| Submodule | [`vendor/workbench-agent-ce/`](vendor/workbench-agent-ce/) (pinned to `v0.9.0`) |
| SDK source | `vendor/workbench-agent-ce/src/workbench_agent/api/` |
| API architecture & methods | [vendor/workbench-agent-ce/src/workbench_agent/api/README.md](vendor/workbench-agent-ce/src/workbench_agent/api/README.md) |
| Per-domain clients | [vendor/workbench-agent-ce/src/workbench_agent/api/clients/README.md](vendor/workbench-agent-ce/src/workbench_agent/api/clients/README.md) |
| Shared script helpers | [`lib/workbench_client.py`](lib/workbench_client.py) |

The SDK is not yet published to PyPI as `workbench-sdk`; import from `workbench_agent.api` until extraction happens (see [SDK_DISTRIBUTION_STRATEGY.md](vendor/workbench-agent-ce/src/workbench_agent/api/SDK_DISTRIBUTION_STRATEGY.md)).

### Setup

```bash
git submodule update --init --recursive

### Archive Old Scans
This script helps clients archive stale scans based on when they were last modified.
python -m venv .venv
source .venv/bin/activate
pip install -r requirements-sdk.txt
```

### Post Scan Gates
This script checks scans for Pending Identifications and Policy Violations - useful for gating CI/CD pipelines.
### Credentials

### Post Scan Reports
This script downloads reports for a scan - useful if you want to include FossID reports as build artifacts.
All scripts accept credentials via a root **`.env` file** (loaded automatically when `python-dotenv` is installed), **environment variables**, or CLI flags. Flags override env vars when both are set.

### Quickly Scan a File
This script scans a single file using the Quick Scan API - helpful for quickly knowing if AI-generated code should be investigated further.
```sh
export WORKBENCH_URL="https://workbench.example.com/api.php"
export WORKBENCH_USER="your-username"
export WORKBENCH_TOKEN="your-api-token"
```

### Import Dependency Analysis
This script imports dependency analysis results to an existing scan - useful for adding dependency analysis results from running ORT or FossID-DA in a pipeline to your scans.
`WORKBENCH_URL` must be the API endpoint (`…/api.php`), not the Workbench UI URL.

| CLI flags (most scripts) | Environment variable |
|--------------------------|----------------------|
| `--workbench-url` | `WORKBENCH_URL` |
| `--workbench-user` | `WORKBENCH_USER` |
| `--workbench-token` | `WORKBENCH_TOKEN` |

Some older scripts use `--api-url` / `--api-user` / `--api-token` with the same env vars.

### Example (env vars only)

```bash
export WORKBENCH_URL="https://workbench.example.com/api.php"
export WORKBENCH_USER="ci-user"
export WORKBENCH_TOKEN="your-token"

cd archive-stale-scans
python3 archive_stale_scans.py plan --days 365
```

## Example scripts

| Folder | Purpose |
|--------|---------|
| `archive-stale-scans/` | Archive stale scans (plan → review → archive) |
| `delete-old-scans/` | Permanently delete scans by age |
| `get-project-policy/` | Download project license policy JSON |
| `anon-deactivated-users/` | Anonymize deactivated user PII |
| `quick-scan/` | Quick-scan one file — **use CE** |
| `post-scan-gates/` | CI gates on pending IDs / policy — **use CE** |
| `post-scan-reports/` | Download scan reports — **use CE** |
| `import-da/` | Import DA results — **use CE** |
| `delete-scan/` | Delete one scan — **use CE** |

`old_generation_script/` is historical reference only.

## Contributing
Contributions are welcome! We'll review any Pull Requests made.

Contributions are welcome! We'll review any Pull Requests made.
81 changes: 60 additions & 21 deletions anon-deactivated-users/README.md
Original file line number Diff line number Diff line change
@@ -1,43 +1,82 @@
# anon_deactivated_users

This script will anonimize users that have been deactivated in Workbench.
Anonymize PII for users already deactivated in Workbench (Workbench does not support deleting users).

Since Workbench does not support deleting users, only deactivating them, this will help anonimize the PII from deactivated users so that it's not exposed in the user list.
## What this script changes

# Setting Up
For each **deactivated** user that is not already anonymized, the script calls `users` → `update` with these `data` fields (matching the Workbench API schema):

You need to provide a Workbench URL, User, and Token to use this script.
These can be provided as Arguments or Environment Variables (recommended).
| Request field | Role | Value |
| --- | --- | --- |
| `user_username` | Identifies which user to update (current login name) | unchanged |
| `user_name` | Updated name | `Deactivated` |
| `user_surname` | Updated surname | `User` |
| `user_email` | Updated email | `deactivated@company.com` |
| `user_password` | Updated password | `deactivatedpassword` |
| `user_phone` | Updated phone | `""` (cleared) |
| `user_mobile` | Updated mobile | `""` (cleared) |

### Environment Variables (Recommended)
`username` and `key` (API credentials) are injected by the SDK transport.

**Field naming:** `user_username` is the existing login name used to find the record; `user_name` is the name field being written.

### Lookup key cannot be updated

The `users` → `update` endpoint treats `user_username` as a **lookup key only**. There is no request field to change the login username — the schema only defines it as *"Username for the user being updated"*, and profile fields (`user_name`, `user_surname`, `user_email`, etc.) are updated separately. Deactivated users therefore keep their original login name in the Users list; verify anonymization by checking name, surname, and email in the user details.

The script does **not** pass `reactivate_account` (that would reactivate the user).

Users that already have the target name, surname, and email are skipped.

## Setup

```sh
export WORKBENCH_URL
export WORKBENCH_USER
export WORKBENCH_TOKEN
pip install -r ../requirements-sdk.txt
```

### Arguments
Uses the Workbench SDK for HTTP transport only (`send_api_request`); response parsing and business logic live in this script. A `UsersClient.update()` wrapper will be added to Workbench Agent CE later.

### Workbench SDK

- **Submodule:** `vendor/workbench-agent-ce/` (pinned to `v0.9.0`)
- **API docs:** [vendor/workbench-agent-ce/src/workbench_agent/api/README.md](../vendor/workbench-agent-ce/src/workbench_agent/api/README.md)

```python
python3 anon_deactivated_users.py --workbench-url <url> --workbench-user <user> --workbench-token <token>
### Credentials

The script loads a `.env` file from the repo root automatically (via `python-dotenv`).
You can also export variables in your shell or pass `--workbench-*` flags (flags override env).

```sh
# .env or shell
WORKBENCH_URL="https://workbench.example.com/api.php"
WORKBENCH_USER="your-username"
WORKBENCH_TOKEN="your-api-token"
```

# General Usage
When executed, the script will check for deactivated users and prompt if they should be anonimized.
## Usage

## First - Create a Dry Run
### Dry run

The script includes a `--dry-run` option to display the users that would be anonimized by the operation.
Shows deactivated users that still need anonymization and their current PII. No changes are made.

```python
```bash
python3 anon_deactivated_users.py --dry-run
```

## When ready, archive old scans

When ready to anonimize old users, run it without the `--dry-run` option.
### Apply changes

```python
```bash
python3 anon_deactivated_users.py
```

The script lists affected users and prompts for confirmation (`y` or `yes`) before updating.

### Override credentials on the CLI

```bash
python3 anon_deactivated_users.py \
--workbench-url "https://workbench.example.com/api.php" \
--workbench-user "admin" \
--workbench-token "your-token" \
--dry-run
```
Loading
Loading