From 881e94ef92a2c00a7135dd4cf49cd23926fe1ee3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Flores?= <raphael.flores@inrae.fr>
Date: Fri, 16 Apr 2021 10:45:26 +0000
Subject: [PATCH 1/2] Set .gitlab-ci.yml to enable or configure SAST

---
 .gitlab-ci.yml | 213 +++++++++++++++++++------------------------------
 1 file changed, 84 insertions(+), 129 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index af7db7e4..89e6fb6d 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,222 +1,177 @@
----
+# You can override the included template(s) by including variable overrides
+# See https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+# Note that environment variables can be set in several places
+# See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
 stages:
-  - test
-  - build
-  - deploy-beta
-  - deploy-staging
-  - deploy-production
-
-
+- test
+- build
+- deploy-beta
+- deploy-staging
+- deploy-production
 image: registry.forgemia.inra.fr/urgi-is/docker-rare/docker-browsers:latest
-
-
-# Disable the Gradle daemon for Continuous Integration servers as correctness
-# is usually a priority over speed in CI environments. Using a fresh
-# runtime for each build is more reliable since the runtime is completely
-# isolated from any previous builds.
 variables:
   GRADLE_OPTS: "-Dorg.gradle.daemon=false"
-  GRADLE_USER_HOME: $CI_PROJECT_DIR/.gradle
+  GRADLE_USER_HOME: "$CI_PROJECT_DIR/.gradle"
   APP_NAME: faidare
-  JAR_PATH: "backend/build/libs/${APP_NAME}.jar"
+  JAR_PATH: backend/build/libs/${APP_NAME}.jar
   GIT_DEPTH: 0
-
-
-# Gradle cache for all jobs
 cache:
   key: "$CI_COMMIT_REF_NAME"
   paths:
-    - ".gradle"
-    - "frontend/.gradle/"
-    - "frontend/node_modules/"
-
-
-# TESTS
-
-
+  - ".gradle"
+  - frontend/.gradle/
+  - frontend/node_modules/
 lint:
   stage: test
   tags:
-   - openstack
+  - openstack
   script: "./gradlew lint"
-
-
 test-and-sonarqube:
   stage: test
   tags:
-    - openstack
-  # the backend tests need an elasticsearch instance
+  - openstack
   services:
-    # even if that would be ideal
-    # we can't just launch the service with just elasticsearch:6.3.1
-    # because we need to pass some variables, but they are passed to _all_ containers
-    # so they fail the start of other docker images like urgi/docker-browsers
-    # the only solution is to override the entrypoint of the service and pass the arguments manually
-    - name: docker.elastic.co/elasticsearch/elasticsearch:6.5.4
-      alias: elasticsearch
-      # discovery.type=single-node
-      # single-node is necessary to start in development mode
-      # so there will be no bootstrap checks that would fail on CI
-      # especially the error regarding
-      # `max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]`
-      command: ["bin/elasticsearch", "-Ediscovery.type=single-node"]
+  - name: docker.elastic.co/elasticsearch/elasticsearch:6.5.4
+    alias: elasticsearch
+    command:
+    - bin/elasticsearch
+    - "-Ediscovery.type=single-node"
   variables:
     GRADLE_OPTS: "-Dorg.gradle.daemon=true"
     SONAR_BRANCH_OPTS: "-Dsonar.pullrequest.key=$CI_MERGE_REQUEST_ID -Dsonar.pullrequest.branch=$CI_COMMIT_REF_NAME"
   script:
-    - ./gradlew :frontend:test --parallel
-    - ./gradlew :backend:test --parallel
-    - find /tmp/node/*/bin -name node -exec ln -s {} /tmp/node/node \;
-    - export PATH="/tmp/node/:$PATH"
-    - ./gradlew -s sonarqube -x test $SONAR_BRANCH_OPTS
+  - "./gradlew :frontend:test --parallel"
+  - "./gradlew :backend:test --parallel"
+  - find /tmp/node/*/bin -name node -exec ln -s {} /tmp/node/node \;
+  - export PATH="/tmp/node/:$PATH"
+  - "./gradlew -s sonarqube -x test $SONAR_BRANCH_OPTS"
   artifacts:
     reports:
       junit:
-        - ./backend/build/test-results/test/TEST-*.xml
-        - ./frontend/karma-junit-tests-report/TEST*.xml
+      - "./backend/build/test-results/test/TEST-*.xml"
+      - "./frontend/karma-junit-tests-report/TEST*.xml"
   only:
     refs:
-      - merge_requests
-
-
+    - merge_requests
 test-and-sonarqube-master:
   extends: test-and-sonarqube
   variables:
-    SONAR_BRANCH_OPTS: ""
+    SONAR_BRANCH_OPTS: ''
   only:
     refs:
-      - master
-
-
-# BUILD
-
-
+    - master
 build:
   tags:
-   - openstack
+  - openstack
   stage: build
   script:
-    - ./gradlew assemble
+  - "./gradlew assemble"
   artifacts:
     paths:
-      - "$JAR_PATH"
+    - "$JAR_PATH"
     expire_in: 1 week
-
-
-# DEPLOY
-
-
-.deploy-to-vm-proxmox: &deploy_to_vm_proxmox
-  # Hidden job which serves as template for executed jobs below.
-  # See https://docs.gitlab.com/ee/ci/yaml/#anchors
+".deploy-to-vm-proxmox":
   retry: 2
   script:
-    ## SSH initialization
-    - eval $(ssh-agent -s)
-    - ssh-add <(echo "${SSH_PRIVATE_KEY}")
-    - ssh -o StrictHostKeyChecking=no ${SERVER_USER}@${SERVER_IP} 'echo "Successfully connected on $(hostname)"'
-    # Copy jar
-    - scp ./backend/build/libs/${APP_NAME}.jar ${SERVER_USER}@${SERVER_IP}:/tmp/${APP_NAME}-${ENV}.jar
-    - ssh ${SERVER_USER}@${SERVER_IP} "sudo mv /tmp/${APP_NAME}-${ENV}.jar /opt/bootapp/${APP_NAME}-${ENV}.jar ; sudo chown -R bootapp:bootapp /opt/bootapp/"
-    # Restarting service with the updated jar and the according Spring profiles enabled
-    - ssh ${SERVER_USER}@${SERVER_IP} "sudo systemctl restart bootapp@${APP_NAME}-${ENV}"
-    - eval $(ssh-agent -k)
-    - echo "Deploy done. Application should be available at http://${SERVER_IP}:${APP_PORT}/${CONTEXT_PATH}"
+  - eval $(ssh-agent -s)
+  - ssh-add <(echo "${SSH_PRIVATE_KEY}")
+  - ssh -o StrictHostKeyChecking=no ${SERVER_USER}@${SERVER_IP} 'echo "Successfully
+    connected on $(hostname)"'
+  - scp ./backend/build/libs/${APP_NAME}.jar ${SERVER_USER}@${SERVER_IP}:/tmp/${APP_NAME}-${ENV}.jar
+  - ssh ${SERVER_USER}@${SERVER_IP} "sudo mv /tmp/${APP_NAME}-${ENV}.jar /opt/bootapp/${APP_NAME}-${ENV}.jar
+    ; sudo chown -R bootapp:bootapp /opt/bootapp/"
+  - ssh ${SERVER_USER}@${SERVER_IP} "sudo systemctl restart bootapp@${APP_NAME}-${ENV}"
+  - eval $(ssh-agent -k)
+  - echo "Deploy done. Application should be available at http://${SERVER_IP}:${APP_PORT}/${CONTEXT_PATH}"
   only:
     changes:
-      - .gitlab-ci.yml
-      - backend/src/**/*
-      - frontend/**/*
-
-
-.deploy-to-vm-openstack: &deploy_to_vm_openstack
-  # Hidden job which serves as template for executed jobs below.
-  # See https://docs.gitlab.com/ee/ci/yaml/#anchors
+    - ".gitlab-ci.yml"
+    - backend/src/**/*
+    - frontend/**/*
+".deploy-to-vm-openstack":
   retry: 2
   tags:
-   - openstack
+  - openstack
   script:
-    ## SSH initialization
-    - eval $(ssh-agent -s)
-    - ssh-add <(echo "${SSH_PRIVATE_KEY}")
-    - ssh -o StrictHostKeyChecking=no ${SERVER_USER_OPENSTACK}@${SERVER_IP_OPENSTACK} 'echo "Successfully connected on $(hostname)"'
-    # Copy jar
-    - scp ./backend/build/libs/${APP_NAME}.jar ${SERVER_USER_OPENSTACK}@${SERVER_IP_OPENSTACK}:/tmp/${APP_NAME}-${ENV}.jar
-    - ssh ${SERVER_USER_OPENSTACK}@${SERVER_IP_OPENSTACK} "sudo mv /tmp/${APP_NAME}-${ENV}.jar /opt/bootapp/${APP_NAME}-${ENV}.jar ; sudo chown -R bootapp:bootapp /opt/bootapp/"
-    # Restarting service with the updated jar and the according Spring profiles enabled
-    - ssh ${SERVER_USER_OPENSTACK}@${SERVER_IP_OPENSTACK} "sudo systemctl restart bootapp@${APP_NAME}-${ENV}"
-    - eval $(ssh-agent -k)
-    - echo "Deploy done. Application should be available at http://${SERVER_IP_OPENSTACK}:${APP_PORT}/${CONTEXT_PATH}"
+  - eval $(ssh-agent -s)
+  - ssh-add <(echo "${SSH_PRIVATE_KEY}")
+  - ssh -o StrictHostKeyChecking=no ${SERVER_USER_OPENSTACK}@${SERVER_IP_OPENSTACK}
+    'echo "Successfully connected on $(hostname)"'
+  - scp ./backend/build/libs/${APP_NAME}.jar ${SERVER_USER_OPENSTACK}@${SERVER_IP_OPENSTACK}:/tmp/${APP_NAME}-${ENV}.jar
+  - ssh ${SERVER_USER_OPENSTACK}@${SERVER_IP_OPENSTACK} "sudo mv /tmp/${APP_NAME}-${ENV}.jar
+    /opt/bootapp/${APP_NAME}-${ENV}.jar ; sudo chown -R bootapp:bootapp /opt/bootapp/"
+  - ssh ${SERVER_USER_OPENSTACK}@${SERVER_IP_OPENSTACK} "sudo systemctl restart bootapp@${APP_NAME}-${ENV}"
+  - eval $(ssh-agent -k)
+  - echo "Deploy done. Application should be available at http://${SERVER_IP_OPENSTACK}:${APP_PORT}/${CONTEXT_PATH}"
   only:
     changes:
-      - .gitlab-ci.yml
-      - backend/src/**/*
-      - frontend/**/*
+    - ".gitlab-ci.yml"
+    - backend/src/**/*
+    - frontend/**/*
   when: manual
   allow_failure: false
-
 deploy-to-beta:
   stage: deploy-beta
-  extends: .deploy-to-vm-openstack
+  extends: ".deploy-to-vm-openstack"
   variables:
-    APP_PORT: ${BETA_FAIDARE_PORT}
+    APP_PORT: "${BETA_FAIDARE_PORT}"
     ENV: beta
     CONTEXT_PATH: faidare-beta
   except:
     refs:
-      - master
+    - master
   only:
     refs:
-      - branches
+    - branches
   when: always
-
 deploy-to-staging:
   stage: deploy-staging
-  extends: .deploy-to-vm-openstack
+  extends: ".deploy-to-vm-openstack"
   variables:
-    APP_PORT: ${STAGING_FAIDARE_PORT}
+    APP_PORT: "${STAGING_FAIDARE_PORT}"
     ENV: staging
     CONTEXT_PATH: faidare-staging
   only:
     refs:
-      - branches
+    - branches
   except:
     refs:
-      - master
+    - master
   when: manual
-
 deploy-to-int:
   stage: deploy-production
-  extends: .deploy-to-vm-proxmox
+  extends: ".deploy-to-vm-proxmox"
   variables:
-    APP_PORT: ${INT_FAIDARE_PORT}
+    APP_PORT: "${INT_FAIDARE_PORT}"
     ENV: int
     CONTEXT_PATH: faidare-int
   only:
     refs:
-      - master
+    - master
   when: manual
-
 deploy-to-prod-public:
   stage: deploy-production
-  extends: .deploy-to-vm-proxmox
+  extends: ".deploy-to-vm-proxmox"
   variables:
-    APP_PORT: ${PROD_PUBLIC_FAIDARE_PORT}
+    APP_PORT: "${PROD_PUBLIC_FAIDARE_PORT}"
     ENV: prod-public
     CONTEXT_PATH: faidare
   only:
     refs:
-      - master
+    - master
   when: manual
-
 deploy-to-prod-private:
   stage: deploy-production
-  extends: .deploy-to-vm-proxmox
+  extends: ".deploy-to-vm-proxmox"
   variables:
-    APP_PORT: ${PROD_PRIVATE_FAIDARE_PORT}
+    APP_PORT: "${PROD_PRIVATE_FAIDARE_PORT}"
     ENV: prod-private
     CONTEXT_PATH: faidare-private
   only:
     refs:
-      - master
+    - master
   when: manual
+sast:
+  stage: test
+include:
+- template: Security/SAST.gitlab-ci.yml
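Review bot: Both hidden deploy jobs still run `ssh -o StrictHostKeyChecking=no` for the first connection (the folded scalars at the `.deploy-to-vm-proxmox` and `.deploy-to-vm-openstack` script blocks), which accepts whatever host key answers at `${SERVER_IP}`/`${SERVER_IP_OPENSTACK}` and silently writes it to known_hosts; every following `scp` and `sudo ... systemctl restart` in the same job then trusts that blindly-accepted key, so the private key, the jar and the restart commands are exposed to a host-key substitution on the path to the VM. This is carried over unchanged from the old side, and the second patch keeps it. A defender-side fix is to provision the target's host key from a protected CI variable (name to be chosen, e.g. `SSH_KNOWN_HOSTS` as a placeholder) and drop the option: `- mkdir -p ~/.ssh && echo "${SSH_KNOWN_HOSTS}" > ~/.ssh/known_hosts` followed by `- ssh ${SERVER_USER}@${SERVER_IP} 'echo "Successfully connected on $(hostname)"'` (same for the openstack variant). At minimum the `sast:` job added at the end could be paired with a short comment noting that `stage: test` simply matches the template default, so a reader does not look for an override that is not there.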
-- 
GitLab


From dea05fc6a465b1a32c17bace84e3c08e15caf0a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Flores?= <raphael.flores@inrae.fr>
Date: Fri, 16 Apr 2021 12:58:11 +0200
Subject: [PATCH 2/2] Revert automatic removal of comment and spaces.

---
 .gitlab-ci.yml    | 63 +++++++++++++++++++++++++++++++++++++++--------
 .secrets.baseline |  8 +++---
 2 files changed, 57 insertions(+), 14 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 89e6fb6d..3b00bb08 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,38 +1,61 @@
+---
 # You can override the included template(s) by including variable overrides
 # See https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
 # Note that environment variables can be set in several places
 # See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
+
 stages:
 - test
 - build
 - deploy-beta
 - deploy-staging
 - deploy-production
+
 image: registry.forgemia.inra.fr/urgi-is/docker-rare/docker-browsers:latest
+
+# Disable the Gradle daemon for Continuous Integration servers as correctness
+# is usually a priority over speed in CI environments. Using a fresh
+# runtime for each build is more reliable since the runtime is completely
+# isolated from any previous builds.
 variables:
   GRADLE_OPTS: "-Dorg.gradle.daemon=false"
   GRADLE_USER_HOME: "$CI_PROJECT_DIR/.gradle"
   APP_NAME: faidare
   JAR_PATH: backend/build/libs/${APP_NAME}.jar
   GIT_DEPTH: 0
+
+# Gradle cache for all jobs
 cache:
   key: "$CI_COMMIT_REF_NAME"
   paths:
   - ".gradle"
   - frontend/.gradle/
   - frontend/node_modules/
+
 lint:
   stage: test
   tags:
   - openstack
   script: "./gradlew lint"
+
 test-and-sonarqube:
   stage: test
   tags:
   - openstack
+  # the backend tests need an elasticsearch instance
   services:
+    # even if that would be ideal
+    # we can't just launch the service with just elasticsearch:6.3.1
+    # because we need to pass some variables, but they are passed to _all_ containers
+    # so they fail the start of other docker images like urgi/docker-browsers
+    # the only solution is to override the entrypoint of the service and pass the arguments manually
   - name: docker.elastic.co/elasticsearch/elasticsearch:6.5.4
     alias: elasticsearch
+    # discovery.type=single-node
+    # single-node is necessary to start in development mode
+    # so there will be no bootstrap checks that would fail on CI
+    # especially the error regarding
+    # `max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]`
     command:
     - bin/elasticsearch
     - "-Ediscovery.type=single-node"
@@ -53,6 +76,7 @@ test-and-sonarqube:
   only:
     refs:
     - merge_requests
+
 test-and-sonarqube-master:
   extends: test-and-sonarqube
   variables:
@@ -60,6 +84,9 @@ test-and-sonarqube-master:
   only:
     refs:
     - master
+
+# BUILD
+
 build:
   tags:
   - openstack
@@ -70,16 +97,22 @@ build:
     paths:
     - "$JAR_PATH"
     expire_in: 1 week
-".deploy-to-vm-proxmox":
+
+# DEPLOY
+
+.deploy-to-vm-proxmox: &deploy_to_vm_proxmox
+  # Hidden job which serves as template for executed jobs below.
+  # See https://docs.gitlab.com/ee/ci/yaml/#anchors
   retry: 2
   script:
+    ## SSH initialization
   - eval $(ssh-agent -s)
   - ssh-add <(echo "${SSH_PRIVATE_KEY}")
-  - ssh -o StrictHostKeyChecking=no ${SERVER_USER}@${SERVER_IP} 'echo "Successfully
-    connected on $(hostname)"'
+  - ssh -o StrictHostKeyChecking=no ${SERVER_USER}@${SERVER_IP} 'echo "Successfully connected on $(hostname)"'
+    # Copy jar
   - scp ./backend/build/libs/${APP_NAME}.jar ${SERVER_USER}@${SERVER_IP}:/tmp/${APP_NAME}-${ENV}.jar
-  - ssh ${SERVER_USER}@${SERVER_IP} "sudo mv /tmp/${APP_NAME}-${ENV}.jar /opt/bootapp/${APP_NAME}-${ENV}.jar
-    ; sudo chown -R bootapp:bootapp /opt/bootapp/"
+  - ssh ${SERVER_USER}@${SERVER_IP} "sudo mv /tmp/${APP_NAME}-${ENV}.jar /opt/bootapp/${APP_NAME}-${ENV}.jar ; sudo chown -R bootapp:bootapp /opt/bootapp/"
+  # Restarting service with the updated jar and the according Spring profiles enabled
   - ssh ${SERVER_USER}@${SERVER_IP} "sudo systemctl restart bootapp@${APP_NAME}-${ENV}"
   - eval $(ssh-agent -k)
   - echo "Deploy done. Application should be available at http://${SERVER_IP}:${APP_PORT}/${CONTEXT_PATH}"
@@ -88,18 +121,22 @@ build:
     - ".gitlab-ci.yml"
     - backend/src/**/*
     - frontend/**/*
-".deploy-to-vm-openstack":
+
+.deploy-to-vm-openstack: &deploy_to_vm_openstack
+  # Hidden job which serves as template for executed jobs below.
+  # See https://docs.gitlab.com/ee/ci/yaml/#anchors
   retry: 2
   tags:
   - openstack
   script:
+    ## SSH initialization
   - eval $(ssh-agent -s)
   - ssh-add <(echo "${SSH_PRIVATE_KEY}")
-  - ssh -o StrictHostKeyChecking=no ${SERVER_USER_OPENSTACK}@${SERVER_IP_OPENSTACK}
-    'echo "Successfully connected on $(hostname)"'
+  - ssh -o StrictHostKeyChecking=no ${SERVER_USER_OPENSTACK}@${SERVER_IP_OPENSTACK} 'echo "Successfully connected on $(hostname)"'
+  # Copy jar
   - scp ./backend/build/libs/${APP_NAME}.jar ${SERVER_USER_OPENSTACK}@${SERVER_IP_OPENSTACK}:/tmp/${APP_NAME}-${ENV}.jar
-  - ssh ${SERVER_USER_OPENSTACK}@${SERVER_IP_OPENSTACK} "sudo mv /tmp/${APP_NAME}-${ENV}.jar
-    /opt/bootapp/${APP_NAME}-${ENV}.jar ; sudo chown -R bootapp:bootapp /opt/bootapp/"
+  - ssh ${SERVER_USER_OPENSTACK}@${SERVER_IP_OPENSTACK} "sudo mv /tmp/${APP_NAME}-${ENV}.jar /opt/bootapp/${APP_NAME}-${ENV}.jar ; sudo chown -R bootapp:bootapp /opt/bootapp/"
+  # Restarting service with the updated jar and the according Spring profiles enabled
   - ssh ${SERVER_USER_OPENSTACK}@${SERVER_IP_OPENSTACK} "sudo systemctl restart bootapp@${APP_NAME}-${ENV}"
   - eval $(ssh-agent -k)
   - echo "Deploy done. Application should be available at http://${SERVER_IP_OPENSTACK}:${APP_PORT}/${CONTEXT_PATH}"
@@ -110,6 +147,7 @@ build:
     - frontend/**/*
   when: manual
   allow_failure: false
+
 deploy-to-beta:
   stage: deploy-beta
   extends: ".deploy-to-vm-openstack"
@@ -124,6 +162,7 @@ deploy-to-beta:
     refs:
     - branches
   when: always
+
 deploy-to-staging:
   stage: deploy-staging
   extends: ".deploy-to-vm-openstack"
@@ -138,6 +177,7 @@ deploy-to-staging:
     refs:
     - master
   when: manual
+
 deploy-to-int:
   stage: deploy-production
   extends: ".deploy-to-vm-proxmox"
@@ -149,6 +189,7 @@ deploy-to-int:
     refs:
     - master
   when: manual
+
 deploy-to-prod-public:
   stage: deploy-production
   extends: ".deploy-to-vm-proxmox"
@@ -160,6 +201,7 @@ deploy-to-prod-public:
     refs:
     - master
   when: manual
+
 deploy-to-prod-private:
   stage: deploy-production
   extends: ".deploy-to-vm-proxmox"
@@ -171,6 +213,7 @@ deploy-to-prod-private:
     refs:
     - master
   when: manual
+
 sast:
   stage: test
 include:
diff --git a/.secrets.baseline b/.secrets.baseline
index d3ef7776..432815a5 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@
     "files": "frontend/package-lock.json|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2020-11-30T10:19:27Z",
+  "generated_at": "2021-04-16T10:58:04Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -51,21 +51,21 @@
         "hashed_secret": "2907dcd1b70a82032e52be9b6b804abbb4a7525e",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 83,
+        "line_number": 81,
         "type": "Base64 High Entropy String"
       },
       {
         "hashed_secret": "dd447c7c799dd4ebaacca8f0ad3da45a097d7211",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 174,
+        "line_number": 167,
         "type": "Base64 High Entropy String"
       },
       {
         "hashed_secret": "8074db38f8a8acec1a147bc5daf2799ff6693fff",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 189,
+        "line_number": 182,
         "type": "Base64 High Entropy String"
       }
     ],
-- 
GitLab