# include:
#   - template: Jobs/Code-Quality.gitlab-ci.yml
#   - template: Security/SAST.gitlab-ci.yml
#   - template: Security/Dependency-Scanning.gitlab-ci.yml
#   - template: Security/DAST.gitlab-ci.yml

# We need to duplicate this job's definition because the rules
# defined in the extended jobs rely on local YAML anchors
# (`*if-default-refs`)
code_quality:
  extends:
    - .default-retry
    - .reports:rules:code_quality
    - .use-docker-in-docker
  stage: test
  needs: []
  variables:
    CODE_QUALITY_IMAGE: "registry.gitlab.com/gitlab-org/ci-cd/codequality:0.85.18"
  script:
    - |
      if ! docker info &>/dev/null; then
        if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
          export DOCKER_HOST='tcp://localhost:2375'
        fi
      fi
    - docker pull --quiet "$CODE_QUALITY_IMAGE"
    - docker run
        --env SOURCE_CODE="$PWD"
        --volume "$PWD":/code
        --volume /var/run/docker.sock:/var/run/docker.sock
        "$CODE_QUALITY_IMAGE" /code
  artifacts:
    reports:
      codequality: gl-code-quality-report.json
    paths:
      - gl-code-quality-report.json  # GitLab-specific
    expire_in: 1 week  # GitLab-specific

# We need to duplicate this job's definition because the rules
# defined in the extended jobs rely on local YAML anchors
# (`*if-default-refs`)
.sast:
  extends:
    - .default-retry
    - .reports:rules:sast
  stage: test
  # `needs: []` starts the job immediately in the pipeline
  # https://docs.gitlab.com/ee/ci/yaml/README.html#needs
  needs: []
  artifacts:
    paths:
      - gl-sast-report.json  # GitLab-specific
    reports:
      sast: gl-sast-report.json
    expire_in: 1 week  # GitLab-specific
  variables:
    DOCKER_TLS_CERTDIR: ""
    SAST_ANALYZER_IMAGE_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_BRAKEMAN_LEVEL: 2  # GitLab-specific
    SAST_EXCLUDED_PATHS: qa,spec,doc,ee/spec,config/gitlab.yml.example  # GitLab-specific
    SAST_DISABLE_BABEL: "true"
  script:
    - /analyzer run

brakeman-sast:
  extends: .sast
  image:
    name: "$SAST_ANALYZER_IMAGE_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG"

eslint-sast:
  extends: .sast
  image:
    name: "$SAST_ANALYZER_IMAGE_PREFIX/eslint:$SAST_ANALYZER_IMAGE_TAG"

nodejs-scan-sast:
  extends: .sast
  image:
    name: "$SAST_ANALYZER_IMAGE_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"

secrets-sast:
  extends: .sast
  image:
    name: "$SAST_ANALYZER_IMAGE_PREFIX/secrets:3"
  artifacts:
    paths:
      - gl-secret-detection-report.json  # GitLab-specific
    reports:
      sast: gl-secret-detection-report.json
    expire_in: 1 week  # GitLab-specific

# We need to duplicate this job's definition because the rules
# defined in the extended jobs rely on local YAML anchors
# (`*if-default-refs`)
.dependency_scanning:
  extends:
    - .default-retry
    - .reports:rules:dependency_scanning
  stage: test
  needs: []
  variables:
    DS_MAJOR_VERSION: 2
    DS_EXCLUDED_PATHS: "qa/qa/ee/fixtures/secure_premade_reports, spec, ee/spec"  # GitLab-specific
    SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
  artifacts:
    paths:
      - gl-dependency-scanning-report.json  # GitLab-specific
    reports:
      dependency_scanning: gl-dependency-scanning-report.json
    expire_in: 1 week  # GitLab-specific
  script:
    - /analyzer run

dependency_scanning gemnasium:
  extends: .dependency_scanning
  image:
    name: "$SECURE_ANALYZERS_PREFIX/gemnasium:$DS_MAJOR_VERSION"
  before_script:
    # git-lfs is needed for auto-remediation
    - apk add git-lfs
  after_script:
    # Post-processing
    - apk add jq
    # Lower execa severity based on https://gitlab.com/gitlab-org/gitlab/-/issues/223859#note_452922390
    - jq '(.vulnerabilities[] | select (.cve == "yarn.lock:execa:gemnasium:05cfa2e8-2d0c-42c1-8894-638e2f12ff3d")).severity = "Medium"' gl-dependency-scanning-report.json > temp.json && mv temp.json gl-dependency-scanning-report.json

dependency_scanning bundler-audit:
  extends: .dependency_scanning
  image:
    name: "$SECURE_ANALYZERS_PREFIX/bundler-audit:$DS_MAJOR_VERSION"

dependency_scanning retire-js:
  extends: .dependency_scanning
  image:
    name: "$SECURE_ANALYZERS_PREFIX/retire.js:$DS_MAJOR_VERSION"

dependency_scanning gemnasium-python:
  extends: .dependency_scanning
  image:
    name: "$SECURE_ANALYZERS_PREFIX/gemnasium-python:$DS_MAJOR_VERSION"

# Analyze dependencies for malicious behavior
# See https://gitlab.com/gitlab-com/gl-security/security-research/package-hunter
package_hunter:
  extends:
    - .reports:schedule-dast
  stage: test
  image:
    name: registry.gitlab.com/gitlab-com/gl-security/security-research/package-hunter-cli:latest
    entrypoint: [""]
  needs: []
  script:
    - rm -r spec locale .git app/assets/images doc/
    - cd .. && tar -I "gzip --best" -cf gitlab.tgz gitlab/
    - DEBUG=* HTR_user=$PACKAGE_HUNTER_USER HTR_pass=$PACKAGE_HUNTER_PASS node /usr/src/app/cli.js analyze --format gitlab gitlab.tgz | tee $CI_PROJECT_DIR/gl-dependency-scanning-report.json
  artifacts:
    paths:
      - gl-dependency-scanning-report.json  # GitLab-specific
    reports:
      dependency_scanning: gl-dependency-scanning-report.json
    expire_in: 1 week  # GitLab-specific

license_scanning:
  extends:
    - .default-retry
    - .reports:rules:license_scanning
  stage: test
  image:
    name: "registry.gitlab.com/gitlab-org/security-products/analyzers/license-finder:3"
    entrypoint: [""]
  needs: []
  script:
    - /run.sh analyze .
  artifacts:
    reports:
      license_scanning: gl-license-scanning-report.json
    expire_in: 1 week  # GitLab-specific
  dependencies: []