Merge branch 'da/updoad-package-hunter-artefact' into 'master'

Upload package hunter report to S3 See merge request gitlab-org/gitlab!79843

Merge branch 'da/updoad-package-hunter-artefact' into 'master'
Upload package hunter report to S3 See merge request gitlab-org/gitlab!79843
0abe94b4 · Rémy Coutable · 66eb6b96 · 5a7fb3a5 · 0abe94b4 · 0abe94b4
Commit 0abe94b4 authored Mar 01, 2022 by Rémy Coutable
Hide whitespace changes
Inline Side-by-side

Showing with 43 additions and 0 deletions

.gitlab/ci/reports.gitlab-ci.yml .gitlab/ci/reports.gitlab-ci.yml +5 -0

scripts/ingest-reports-to-siem scripts/ingest-reports-to-siem +38 -0

No files found.
--- a/.gitlab/ci/reports.gitlab-ci.yml
+++ b/.gitlab/ci/reports.gitlab-ci.yml
@@ -121,6 +121,11 @@ yarn-audit-dependency_scanning:
    - cd .. && tar -I "gzip --best" -cf gitlab.tgz gitlab/
  script:
    - DEBUG=* node /usr/src/app/cli.js analyze --format gitlab --manager ${PACKAGE_MANAGER} gitlab.tgz | tee ${CI_PROJECT_DIR}/gl-dependency-scanning-report.json
+  after_script:
+    - mkdir ~/.aws
+    - '[[ -z "${AWS_SIEM_REPORT_INGESTION_CREDENTIALS_FILE}" ]] || mv "${AWS_SIEM_REPORT_INGESTION_CREDENTIALS_FILE}" ~/.aws/credentials'
+    - npm install --no-save --ignore-scripts @aws-sdk/client-s3@3.49.0
+    - scripts/ingest-reports-to-siem
  artifacts:
    paths:
      - gl-dependency-scanning-report.json

--- a/scripts/ingest-reports-to-siem
+++ b/scripts/ingest-reports-to-siem
+#!/usr/bin/env node
+
+const { S3Client, PutObjectCommand } = require('@aws-sdk/client-s3')
+const { fromIni } = require('@aws-sdk/credential-provider-ini')
+const path = require('path')
+const fs = require('fs')
+const crypto = require('crypto')
+
+function getMD5HashFromFile(data) {
+  const hash = crypto.createHash('md5').update(data).digest('base64')
+  return hash
+}
+
+(async function () {
+  const s3Client = new S3Client({
+    region: 'us-east-2',
+    credentials: fromIni({ profile: 'gl-logs-for-panther' }),
+  })
+  try {
+    const file = 'gl-dependency-scanning-report.json'
+    const data = fs.readFileSync(file)
+    const responseData = await s3Client.send(
+      new PutObjectCommand({
+        Bucket: 'gl-logs-for-panther-test',
+        Key: path.join('package_hunter_test', path.basename(file)),
+        Body: data,
+        ContentMD5: getMD5HashFromFile(data),
+      }),
+    )
+    console.log('Successfully uploaded %s', file)
+  } catch (err) {
+    if (err.name === 'CredentialsProviderError' || err.name === 'AuthorizationHeaderMalformed')
+      console.log('Could not upload the report. Are AWS credentials configured in ~/.aws/credentials?')
+    else 
+      console.log('Unexpected error during upload.')
+      process.exit(1)
+  }
+})()