From cfeb55aaa4829debeaa0449e7973dc28eeda4ce4 Mon Sep 17 00:00:00 2001
From: "janis.streib" <janis.streib@kit.edu>
Date: Fri, 13 May 2022 18:02:47 +0200
Subject: [PATCH] Configure Dependency Scanning in `.gitlab-ci.yml`, creating this file if it does not already exist

---
.gitlab-ci.yml | 182 ++++++++++++++++++++++++++-----------------
1 file changed, 97 insertions(+), 85 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 6ac402689..4ee29e037 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,119 +1,131 @@ +# You can override the included template(s) by including variable overrides +# SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings +# Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings +# Dependency Scanning customization: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#customizing-the-dependency-scanning-settings +# Container Scanning customization: https://docs.gitlab.com/ee/user/application_security/container_scanning/#customizing-the-container-scanning-settings +# Note that environment variables can be set in several places +# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence default: - image: debian-bullseye:latest - tags: - - netvs + image: debian-bullseye:latest + tags: + - netvs cache: key: files: - - frontend/package-lock.json + - frontend/package-lock.json paths: - - frontend/.npm/ + - frontend/.npm/ before_script: - ## dependencies - - - apt-get update -y - - command -v curl || apt-get -y install curl - - command -v git || apt-get -y install git - - apt-get -y install apt-transport-https gnupg2 - - test -e /etc/apt/sources.list.d/nodesource.list || curl -s https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add - - - test -e /etc/apt/sources.list.d/nodesource.list || echo 'deb https://deb.nodesource.com/node_15.x bullseye main' > /etc/apt/sources.list.d/nodesource.list - - 'command -v npm || (apt-get update -y && apt-get install -y nodejs)' - - 'command -v pip3 || (apt-get update -y && apt-get install -y python3-pip)' - - pip3 install git+https://git.scc.kit.edu/scc-net/net-suite/api-generator.git@master#egg=net-api-generator - - cd frontend/ - - echo "${CI_COMMIT_SHORT_SHA},Job ID ${CI_JOB_ID}@${CI_RUNNER_DESCRIPTION}" - - sed "s&__LOCAL_BUILD__&${CI_COMMIT_SHORT_SHA},Job ID ${CI_JOB_ID}@${CI_RUNNER_DESCRIPTION}&g" netvs.config.js.example > 
netvs.config.js - - sed -i "s&__JOB_ID__&${CI_JOB_ID}&g" netvs.config.js - - sed -i "s&__COMMIT_SHORT_SHA__&${CI_COMMIT_SHORT_SHA}&g" netvs.config.js - - sed -i "s&__JOB_ID__&${CI_JOB_ID}&g" public/version.json - - sed -i "s&__COMMIT_SHORT_SHA__&${CI_COMMIT_SHORT_SHA}&g" public/version.json - - if [ $CI_JOB_STAGE != "deploy" ]; then npm ci --cache .npm --prefer-offline; fi - - cd .. - - export API_VERSION=3.2 - +- apt-get update -y +- command -v curl || apt-get -y install curl +- command -v git || apt-get -y install git +- apt-get -y install apt-transport-https gnupg2 +- test -e /etc/apt/sources.list.d/nodesource.list || curl -s https://deb.nodesource.com/gpgkey/nodesource.gpg.key + | apt-key add - +- test -e /etc/apt/sources.list.d/nodesource.list || echo 'deb https://deb.nodesource.com/node_15.x + bullseye main' > /etc/apt/sources.list.d/nodesource.list +- command -v npm || (apt-get update -y && apt-get install -y nodejs) +- command -v pip3 || (apt-get update -y && apt-get install -y python3-pip) +- pip3 install git+https://git.scc.kit.edu/scc-net/net-suite/api-generator.git@master#egg=net-api-generator +- cd frontend/ +- echo "${CI_COMMIT_SHORT_SHA},Job ID ${CI_JOB_ID}@${CI_RUNNER_DESCRIPTION}" +- sed "s&__LOCAL_BUILD__&${CI_COMMIT_SHORT_SHA},Job ID ${CI_JOB_ID}@${CI_RUNNER_DESCRIPTION}&g" + netvs.config.js.example > netvs.config.js +- sed -i "s&__JOB_ID__&${CI_JOB_ID}&g" netvs.config.js +- sed -i "s&__COMMIT_SHORT_SHA__&${CI_COMMIT_SHORT_SHA}&g" netvs.config.js +- sed -i "s&__JOB_ID__&${CI_JOB_ID}&g" public/version.json +- sed -i "s&__COMMIT_SHORT_SHA__&${CI_COMMIT_SHORT_SHA}&g" public/version.json +- if [ $CI_JOB_STAGE != "deploy" ]; then npm ci --cache .npm --prefer-offline; fi +- cd .. 
+- export API_VERSION=3.2 stages: - - build - - lint - - deploy - +- build +- lint +- deploy frontend-build: - stage: build - script: - - cd frontend/ - - if [ $CI_COMMIT_BRANCH == "devel" ]; then export NETDB_ENDPOINT="${NETDB_DEVEL_ENDPOINT}"; fi - - if [ $CI_COMMIT_BRANCH == "devel" ]; then net-api-generator --version=${API_VERSION} openapi --default_endpoint=devel > public/api.yml; else net-api-generator --version=${API_VERSION} openapi --default_endpoint=test > public/api.yml; fi - - net-api-generator --version=${API_VERSION} es-webpack - - npm run build - artifacts: - expire_in: 7 days - paths: - - frontend/dist/ - - frontend/src/api-services.gen/ - needs: [] + stage: build + script: + - cd frontend/ + - if [ $CI_COMMIT_BRANCH == "devel" ]; then export NETDB_ENDPOINT="${NETDB_DEVEL_ENDPOINT}"; + fi + - if [ $CI_COMMIT_BRANCH == "devel" ]; then net-api-generator --version=${API_VERSION} + openapi --default_endpoint=devel > public/api.yml; else net-api-generator --version=${API_VERSION} + openapi --default_endpoint=test > public/api.yml; fi + - net-api-generator --version=${API_VERSION} es-webpack + - npm run build + artifacts: + expire_in: 7 days + paths: + - frontend/dist/ + - frontend/src/api-services.gen/ + needs: [] frontend-lint: - stage: lint - script: - - cd frontend/ - - npm run lint - allow_failure: true - needs: [] - + stage: lint + script: + - cd frontend/ + - npm run lint + allow_failure: true + needs: [] frontend-audit: - stage: lint - script: - - cd frontend/ - - npm audit --audit-level high - allow_failure: true - needs: [] - + stage: lint + script: + - cd frontend/ + - npm audit --audit-level high + allow_failure: true + needs: [] deploy_devel: stage: deploy script: - - 'command -v ssh-agent || ( apt-get install openssh-client -y )' - - eval $(ssh-agent -s) - - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - - - mkdir -p ~/.ssh - - chmod 700 ~/.ssh - - echo "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts - - chmod 644 ~/.ssh/known_hosts - - ssh 
net-suite-devel@netvs-devel.scc.kit.edu "${CI_PIPELINE_ID}" + - command -v ssh-agent || ( apt-get install openssh-client -y ) + - eval $(ssh-agent -s) + - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - + - mkdir -p ~/.ssh + - chmod 700 ~/.ssh + - echo "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts + - chmod 644 ~/.ssh/known_hosts + - ssh net-suite-devel@netvs-devel.scc.kit.edu "${CI_PIPELINE_ID}" environment: name: devel url: https://netvs-devel.scc.kit.edu only: - devel - needs: ["frontend-build"] + needs: + - frontend-build deploy_test: stage: deploy script: - - 'command -v ssh-agent || ( apt-get install openssh-client -y )' - - eval $(ssh-agent -s) - - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - - - mkdir -p ~/.ssh - - chmod 700 ~/.ssh - - echo "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts - - chmod 644 ~/.ssh/known_hosts - - ssh www-net-suite@netvs-test.scc.kit.edu "${CI_PIPELINE_ID}" + - command -v ssh-agent || ( apt-get install openssh-client -y ) + - eval $(ssh-agent -s) + - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - + - mkdir -p ~/.ssh + - chmod 700 ~/.ssh + - echo "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts + - chmod 644 ~/.ssh/known_hosts + - ssh www-net-suite@netvs-test.scc.kit.edu "${CI_PIPELINE_ID}" environment: name: test url: https://netvs-test.scc.kit.edu only: - main - needs: ["frontend-build"] + needs: + - frontend-build deploy_prod: stage: deploy script: - - 'command -v ssh-agent || ( apt-get install openssh-client -y )' - - eval $(ssh-agent -s) - - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - - - mkdir -p ~/.ssh - - chmod 700 ~/.ssh - - echo "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts - - chmod 644 ~/.ssh/known_hosts - - ssh www-net-suite@netvs.scc.kit.edu "${CI_PIPELINE_ID}" + - command -v ssh-agent || ( apt-get install openssh-client -y ) + - eval $(ssh-agent -s) + - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - + - mkdir -p ~/.ssh + - chmod 700 ~/.ssh + - echo "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts + - chmod 644 ~/.ssh/known_hosts + - ssh 
www-net-suite@netvs.scc.kit.edu "${CI_PIPELINE_ID}" environment: name: prod url: https://netvs.scc.kit.edu only: - main - needs: ["frontend-build"] + needs: + - frontend-build +include: +- template: Security/Dependency-Scanning.gitlab-ci.yml -- GitLab
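Review bot: The included `Security/Dependency-Scanning.gitlab-ci.yml` template places its scanning jobs in the `test` stage by default, but the `stages:` list on the new side declares only `build`, `lint` and `deploy`, so the added jobs would point at a stage this pipeline does not define unless `- test` is added to `stages:` (between `build` and `lint`) or their `stage` is overridden in this file. The `default: before_script:` block (`apt-get`, `pip3 install`, `cd frontend/`, `npm ci`) presumably also runs inside the analyzer jobs pulled in by the template, since nothing here scopes it to the frontend jobs; if that is confirmed, it should move under the jobs that need it, or the scanner jobs should get `before_script: []`. Two supply-chain weaknesses are carried over unchanged from the old side: `pip3 install git+https://git.scc.kit.edu/scc-net/net-suite/api-generator.git@master#egg=net-api-generator` tracks a moving branch rather than a tag or commit, and `apt-key add -` puts the NodeSource key into the globally trusted keyring (it is also deprecated on bullseye), so a pinned ref and a keyring file referenced with `signed-by=` in the sources entry would narrow both. The reflowed multi-line plain scalars (the `curl ... | apt-key add -` and `echo 'deb ...` entries, and the two `if` lines under `frontend-build`) fold to a single command correctly but are easy to break on a later edit; writing them with `>-` or keeping each command on one line would be clearer.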