2019-09-17 10:16:34 -04:00
|
|
|
# include:
|
2020-02-13 10:08:52 -05:00
|
|
|
# - template: Jobs/Code-Quality.gitlab-ci.yml
|
2019-09-17 10:16:34 -04:00
|
|
|
# - template: Security/SAST.gitlab-ci.yml
|
|
|
|
# - template: Security/Dependency-Scanning.gitlab-ci.yml
|
|
|
|
# - template: Security/DAST.gitlab-ci.yml
|
2019-04-12 04:56:38 -04:00
|
|
|
|
2019-09-17 10:16:34 -04:00
|
|
|
# We need to duplicate this job's definition because it seems it's impossible to
|
|
|
|
# override an included `only.refs`.
|
|
|
|
# See https://gitlab.com/gitlab-org/gitlab/issues/31371.
|
|
|
|
code_quality:
|
2019-08-26 16:41:55 -04:00
|
|
|
extends:
|
|
|
|
- .default-retry
|
2020-02-13 10:08:52 -05:00
|
|
|
- .reports:rules:code_quality
|
2020-04-08 11:09:29 -04:00
|
|
|
- .use-docker-in-docker
|
2019-09-17 10:16:34 -04:00
|
|
|
stage: test
|
2020-02-20 13:08:51 -05:00
|
|
|
needs: []
|
2019-09-17 10:16:34 -04:00
|
|
|
variables:
|
2020-10-27 14:08:59 -04:00
|
|
|
CODE_QUALITY_IMAGE: "registry.gitlab.com/gitlab-org/ci-cd/codequality:0.85.18"
|
2019-09-17 10:16:34 -04:00
|
|
|
script:
|
|
|
|
- |
|
|
|
|
if ! docker info &>/dev/null; then
|
|
|
|
if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
|
|
|
|
export DOCKER_HOST='tcp://localhost:2375'
|
|
|
|
fi
|
|
|
|
fi
|
2019-11-26 07:06:18 -05:00
|
|
|
- docker pull --quiet "$CODE_QUALITY_IMAGE"
|
2019-09-17 10:16:34 -04:00
|
|
|
- docker run
|
|
|
|
--env SOURCE_CODE="$PWD"
|
|
|
|
--volume "$PWD":/code
|
|
|
|
--volume /var/run/docker.sock:/var/run/docker.sock
|
2019-11-26 07:06:18 -05:00
|
|
|
"$CODE_QUALITY_IMAGE" /code
|
2019-09-17 10:16:34 -04:00
|
|
|
artifacts:
|
|
|
|
reports:
|
|
|
|
codequality: gl-code-quality-report.json
|
2019-12-16 10:07:39 -05:00
|
|
|
paths:
|
2020-02-13 10:08:52 -05:00
|
|
|
- gl-code-quality-report.json # GitLab-specific
|
|
|
|
expire_in: 1 week # GitLab-specific
|
2019-04-12 04:56:38 -04:00
|
|
|
|
2019-09-17 10:16:34 -04:00
|
|
|
# We need to duplicate this job's definition because it seems it's impossible to
|
|
|
|
# override an included `only.refs`.
|
|
|
|
# See https://gitlab.com/gitlab-org/gitlab/issues/31371.
|
2020-04-10 05:09:39 -04:00
|
|
|
.sast:
|
2019-09-17 10:16:34 -04:00
|
|
|
extends:
|
|
|
|
- .default-retry
|
2020-02-13 10:08:52 -05:00
|
|
|
- .reports:rules:sast
|
2019-09-17 10:16:34 -04:00
|
|
|
stage: test
|
2020-04-10 05:09:39 -04:00
|
|
|
# `needs: []` starts the job immediately in the pipeline
|
|
|
|
# https://docs.gitlab.com/ee/ci/yaml/README.html#needs
|
2020-02-20 13:08:51 -05:00
|
|
|
needs: []
|
2020-02-13 10:08:52 -05:00
|
|
|
artifacts:
|
|
|
|
paths:
|
|
|
|
- gl-sast-report.json # GitLab-specific
|
|
|
|
reports:
|
|
|
|
sast: gl-sast-report.json
|
|
|
|
expire_in: 1 week # GitLab-specific
|
2019-04-12 04:56:38 -04:00
|
|
|
variables:
|
2020-04-10 05:09:39 -04:00
|
|
|
DOCKER_TLS_CERTDIR: ""
|
|
|
|
SAST_ANALYZER_IMAGE_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
|
|
|
|
SAST_ANALYZER_IMAGE_TAG: 2
|
2020-02-13 10:08:52 -05:00
|
|
|
SAST_BRAKEMAN_LEVEL: 2 # GitLab-specific
|
2020-07-22 11:09:28 -04:00
|
|
|
SAST_EXCLUDED_PATHS: qa,spec,doc,ee/spec,config/gitlab.yml.example # GitLab-specific
|
2020-07-14 14:09:55 -04:00
|
|
|
SAST_DISABLE_BABEL: "true"
|
2019-09-17 10:16:34 -04:00
|
|
|
script:
|
2020-04-10 05:09:39 -04:00
|
|
|
- /analyzer run
|
|
|
|
|
|
|
|
brakeman-sast:
|
|
|
|
extends: .sast
|
|
|
|
image:
|
|
|
|
name: "$SAST_ANALYZER_IMAGE_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG"
|
|
|
|
|
|
|
|
eslint-sast:
|
|
|
|
extends: .sast
|
|
|
|
image:
|
|
|
|
name: "$SAST_ANALYZER_IMAGE_PREFIX/eslint:$SAST_ANALYZER_IMAGE_TAG"
|
|
|
|
|
2020-07-14 14:09:55 -04:00
|
|
|
nodejs-scan-sast:
|
|
|
|
extends: .sast
|
|
|
|
image:
|
|
|
|
name: "$SAST_ANALYZER_IMAGE_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
|
2020-04-10 05:09:39 -04:00
|
|
|
|
|
|
|
secrets-sast:
|
|
|
|
extends: .sast
|
|
|
|
image:
|
2020-08-27 14:10:29 -04:00
|
|
|
name: "$SAST_ANALYZER_IMAGE_PREFIX/secrets:3"
|
|
|
|
artifacts:
|
|
|
|
paths:
|
|
|
|
- gl-secret-detection-report.json # GitLab-specific
|
|
|
|
reports:
|
|
|
|
sast: gl-secret-detection-report.json
|
|
|
|
expire_in: 1 week # GitLab-specific
|
2019-04-12 04:56:38 -04:00
|
|
|
|
2019-09-17 10:16:34 -04:00
|
|
|
# We need to duplicate this job's definition because it seems it's impossible to
|
|
|
|
# override an included `only.refs`.
|
|
|
|
# See https://gitlab.com/gitlab-org/gitlab/issues/31371.
|
2019-04-12 04:56:38 -04:00
|
|
|
dependency_scanning:
|
2019-09-17 10:16:34 -04:00
|
|
|
extends:
|
|
|
|
- .default-retry
|
2020-02-13 10:08:52 -05:00
|
|
|
- .reports:rules:dependency_scanning
|
2020-04-08 11:09:29 -04:00
|
|
|
- .use-docker-in-docker
|
2019-09-17 10:16:34 -04:00
|
|
|
stage: test
|
2020-02-20 13:08:51 -05:00
|
|
|
needs: []
|
2019-09-17 10:16:34 -04:00
|
|
|
variables:
|
2020-06-10 08:08:58 -04:00
|
|
|
DS_MAJOR_VERSION: 2
|
2020-02-13 10:08:52 -05:00
|
|
|
DS_EXCLUDED_PATHS: "qa/qa/ee/fixtures/secure_premade_reports,spec,ee/spec" # GitLab-specific
|
2019-09-17 10:16:34 -04:00
|
|
|
script:
|
|
|
|
- |
|
|
|
|
if ! docker info &>/dev/null; then
|
|
|
|
if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
|
|
|
|
export DOCKER_HOST='tcp://localhost:2375'
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
- | # this is required to avoid undesirable reset of Docker image ENV variables being set on build stage
|
|
|
|
function propagate_env_vars() {
|
|
|
|
CURRENT_ENV=$(printenv)
|
2019-08-20 13:04:23 -04:00
|
|
|
|
2019-09-17 10:16:34 -04:00
|
|
|
for VAR_NAME; do
|
|
|
|
echo $CURRENT_ENV | grep "${VAR_NAME}=" > /dev/null && echo "--env $VAR_NAME "
|
|
|
|
done
|
|
|
|
}
|
|
|
|
- |
|
|
|
|
docker run \
|
|
|
|
$(propagate_env_vars \
|
|
|
|
DS_ANALYZER_IMAGES \
|
|
|
|
DS_ANALYZER_IMAGE_PREFIX \
|
|
|
|
DS_ANALYZER_IMAGE_TAG \
|
|
|
|
DS_DEFAULT_ANALYZERS \
|
|
|
|
DS_EXCLUDED_PATHS \
|
|
|
|
DS_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \
|
|
|
|
DS_PULL_ANALYZER_IMAGE_TIMEOUT \
|
|
|
|
DS_RUN_ANALYZER_TIMEOUT \
|
|
|
|
DS_PYTHON_VERSION \
|
2020-02-13 10:08:52 -05:00
|
|
|
DS_PIP_VERSION \
|
2019-09-17 10:16:34 -04:00
|
|
|
DS_PIP_DEPENDENCY_PATH \
|
2020-02-13 10:08:52 -05:00
|
|
|
GEMNASIUM_DB_LOCAL_PATH \
|
|
|
|
GEMNASIUM_DB_REMOTE_URL \
|
|
|
|
GEMNASIUM_DB_REF_NAME \
|
2019-09-17 10:16:34 -04:00
|
|
|
PIP_INDEX_URL \
|
|
|
|
PIP_EXTRA_INDEX_URL \
|
2020-02-13 10:08:52 -05:00
|
|
|
PIP_REQUIREMENTS_FILE \
|
|
|
|
MAVEN_CLI_OPTS \
|
|
|
|
BUNDLER_AUDIT_UPDATE_DISABLED \
|
|
|
|
BUNDLER_AUDIT_ADVISORY_DB_URL \
|
|
|
|
BUNDLER_AUDIT_ADVISORY_DB_REF_NAME \
|
2019-09-17 10:16:34 -04:00
|
|
|
) \
|
|
|
|
--volume "$PWD:/code" \
|
|
|
|
--volume /var/run/docker.sock:/var/run/docker.sock \
|
2020-06-10 08:08:58 -04:00
|
|
|
"registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$DS_MAJOR_VERSION" /code
|
2020-11-30 10:09:21 -05:00
|
|
|
# Post-processing: This will be an after_script once this job will use the Dependency Scanning CI template
|
|
|
|
- apk add jq
|
|
|
|
# Lower execa severity based on https://gitlab.com/gitlab-org/gitlab/-/issues/223859#note_452922390
|
|
|
|
- jq '(.vulnerabilities[] | select (.cve == "yarn.lock:execa:gemnasium:05cfa2e8-2d0c-42c1-8894-638e2f12ff3d")).severity = "Medium"' gl-dependency-scanning-report.json > temp.json && mv temp.json gl-dependency-scanning-report.json
|
2019-09-17 10:16:34 -04:00
|
|
|
artifacts:
|
2020-02-13 10:08:52 -05:00
|
|
|
paths:
|
|
|
|
- gl-dependency-scanning-report.json # GitLab-specific
|
2019-09-17 10:16:34 -04:00
|
|
|
reports:
|
|
|
|
dependency_scanning: gl-dependency-scanning-report.json
|
2020-02-13 10:08:52 -05:00
|
|
|
expire_in: 1 week # GitLab-specific
|
2020-10-08 20:08:41 -04:00
|
|
|
|
2020-11-09 13:09:11 -05:00
|
|
|
# The job below analysis dependencies for malicous behavior
|
|
|
|
package_hunter:
|
|
|
|
extends:
|
|
|
|
- .reports:schedule-dast
|
|
|
|
stage: test
|
|
|
|
image:
|
|
|
|
name: registry.gitlab.com/gitlab-com/gl-security/security-research/package-hunter-cli:latest
|
|
|
|
entrypoint: [""]
|
|
|
|
needs: []
|
|
|
|
script:
|
|
|
|
- rm -r spec locale .git app/assets/images doc/
|
|
|
|
- cd .. && tar -I "gzip --best" -cf gitlab.tgz gitlab/
|
|
|
|
- DEBUG=* HTR_user=$PACKAGE_HUNTER_USER HTR_pass=$PACKAGE_HUNTER_PASS node /usr/src/app/cli.js analyze --format gitlab gitlab.tgz | tee $CI_PROJECT_DIR/gl-dependency-scanning-report.json
|
|
|
|
artifacts:
|
|
|
|
paths:
|
|
|
|
- gl-dependency-scanning-report.json # GitLab-specific
|
|
|
|
reports:
|
|
|
|
dependency_scanning: gl-dependency-scanning-report.json
|
|
|
|
expire_in: 1 week # GitLab-specific
|
|
|
|
|
2020-10-08 20:08:41 -04:00
|
|
|
license_scanning:
|
|
|
|
extends:
|
|
|
|
- .default-retry
|
|
|
|
- .reports:rules:license_scanning
|
|
|
|
stage: test
|
|
|
|
image:
|
|
|
|
name: "registry.gitlab.com/gitlab-org/security-products/analyzers/license-finder:3"
|
|
|
|
entrypoint: [""]
|
|
|
|
needs: []
|
|
|
|
script:
|
|
|
|
- /run.sh analyze .
|
|
|
|
artifacts:
|
|
|
|
reports:
|
|
|
|
license_scanning: gl-license-scanning-report.json
|
|
|
|
expire_in: 1 week # GitLab-specific
|
|
|
|
dependencies: []
|