Commit 7c001e9e authored by Saikat Sarkar's avatar Saikat Sarkar Committed by Markus Koller

Add MobSF in SAST vendor template

parent db4b71ae
---
title: Add MobSF in SAST vendor template
merge_request: 45291
author:
type: added
...@@ -36,27 +36,31 @@ RSpec.describe 'SAST.gitlab-ci.yml' do ...@@ -36,27 +36,31 @@ RSpec.describe 'SAST.gitlab-ci.yml' do
using RSpec::Parameterized::TableSyntax using RSpec::Parameterized::TableSyntax
where(:case_name, :files, :variables, :include_build_names) do where(:case_name, :files, :variables, :include_build_names) do
'Apex' | { 'app.cls' => '' } | {} | %w(pmd-apex-sast) 'Android' | { 'AndroidManifest.xml' => '', 'a.java' => '' } | { 'SAST_EXPERIMENTAL_FEATURES' => 'true' } | %w(mobsf-android-sast)
'C' | { 'app.c' => '' } | {} | %w(flawfinder-sast) 'Apex' | { 'app.cls' => '' } | {} | %w(pmd-apex-sast)
'C++' | { 'app.cpp' => '' } | {} | %w(flawfinder-sast) 'C' | { 'app.c' => '' } | {} | %w(flawfinder-sast)
'C#' | { 'app.csproj' => '' } | {} | %w(security-code-scan-sast) 'C++' | { 'app.cpp' => '' } | {} | %w(flawfinder-sast)
'Elixir' | { 'mix.exs' => '' } | {} | %w(sobelow-sast) 'C#' | { 'app.csproj' => '' } | {} | %w(security-code-scan-sast)
'Golang' | { 'main.go' => '' } | {} | %w(gosec-sast) 'Elixir' | { 'mix.exs' => '' } | {} | %w(sobelow-sast)
'Groovy' | { 'app.groovy' => '' } | {} | %w(spotbugs-sast) 'Golang' | { 'main.go' => '' } | {} | %w(gosec-sast)
'Java' | { 'app.java' => '' } | {} | %w(spotbugs-sast) 'Groovy' | { 'app.groovy' => '' } | {} | %w(spotbugs-sast)
'Javascript' | { 'app.js' => '' } | {} | %w(eslint-sast) 'iOS' | { 'a.xcodeproj/x.pbxproj' => '' } | { 'SAST_EXPERIMENTAL_FEATURES' => 'true' } | %w(mobsf-ios-sast)
'JSX' | { 'app.jsx' => '' } | {} | %w(eslint-sast) 'Java' | { 'app.java' => '' } | {} | %w(spotbugs-sast)
'Javascript Node' | { 'package.json' => '' } | {} | %w(nodejs-scan-sast) 'Java with MobSF' | { 'app.java' => '' } | { 'SAST_EXPERIMENTAL_FEATURES' => 'true' } | %w(spotbugs-sast)
'HTML' | { 'index.html' => '' } | {} | %w(eslint-sast) 'Java without MobSF' | { 'AndroidManifest.xml' => '', 'a.java' => '' } | {} | %w(spotbugs-sast)
'Kubernetes Manifests' | { 'Chart.yaml' => '' } | { 'SCAN_KUBERNETES_MANIFESTS' => 'true' } | %w(kubesec-sast) 'Javascript' | { 'app.js' => '' } | {} | %w(eslint-sast)
'Multiple languages' | { 'app.java' => '', 'app.js' => '' } | {} | %w(eslint-sast spotbugs-sast) 'JSX' | { 'app.jsx' => '' } | {} | %w(eslint-sast)
'PHP' | { 'app.php' => '' } | {} | %w(phpcs-security-audit-sast) 'Javascript Node' | { 'package.json' => '' } | {} | %w(nodejs-scan-sast)
'Python' | { 'app.py' => '' } | {} | %w(bandit-sast) 'HTML' | { 'index.html' => '' } | {} | %w(eslint-sast)
'Ruby' | { 'config/routes.rb' => '' } | {} | %w(brakeman-sast) 'Kubernetes Manifests' | { 'Chart.yaml' => '' } | { 'SCAN_KUBERNETES_MANIFESTS' => 'true' } | %w(kubesec-sast)
'Scala' | { 'app.scala' => '' } | {} | %w(spotbugs-sast) 'Multiple languages' | { 'app.java' => '', 'app.js' => '' } | {} | %w(eslint-sast spotbugs-sast)
'Typescript' | { 'app.ts' => '' } | {} | %w(eslint-sast) 'PHP' | { 'app.php' => '' } | {} | %w(phpcs-security-audit-sast)
'Typescript JSX' | { 'app.tsx' => '' } | {} | %w(eslint-sast) 'Python' | { 'app.py' => '' } | {} | %w(bandit-sast)
'Visual Basic' | { 'app.vbproj' => '' } | {} | %w(security-code-scan-sast) 'Ruby' | { 'config/routes.rb' => '' } | {} | %w(brakeman-sast)
'Scala' | { 'app.scala' => '' } | {} | %w(spotbugs-sast)
'Typescript' | { 'app.ts' => '' } | {} | %w(eslint-sast)
'Typescript JSX' | { 'app.tsx' => '' } | {} | %w(eslint-sast)
'Visual Basic' | { 'app.vbproj' => '' } | {} | %w(security-code-scan-sast)
end end
with_them do with_them do
......
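Review bot: None of the four new rows exercises the opt-out path that the spotbugs rule in this commit introduces — SAST_EXPERIMENTAL_FEATURES set and AndroidManifest.xml present but mobsf removed from SAST_DEFAULT_ANALYZERS — so a regression that suppresses spotbugs-sast unconditionally would still pass this table. If the `variables` column overrides template variables the way the 'Kubernetes Manifests' row does with SCAN_KUBERNETES_MANIFESTS, a row such as `'Android with mobsf opted out' | { 'AndroidManifest.xml' => '', 'a.java' => '' } | { 'SAST_EXPERIMENTAL_FEATURES' => 'true', 'SAST_DEFAULT_ANALYZERS' => 'spotbugs' } | %w(spotbugs-sast)` would pin it. The 'Java with MobSF' row name is also misleading: with only app.java and no manifest it can never select mobsf, so a name like 'Java with experimental features' would say what it actually checks. The `where` table is complete within the hunk, but the enclosing RSpec.describe block starts outside it.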
...@@ -9,7 +9,7 @@ variables: ...@@ -9,7 +9,7 @@ variables:
# (SAST, Dependency Scanning, ...) # (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers" SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SAST_DEFAULT_ANALYZERS: "bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, sobelow, pmd-apex, kubesec" SAST_DEFAULT_ANALYZERS: "bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, sobelow, pmd-apex, kubesec, mobsf"
SAST_EXCLUDED_PATHS: "spec, test, tests, tmp" SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
SAST_ANALYZER_IMAGE_TAG: 2 SAST_ANALYZER_IMAGE_TAG: 2
SCAN_KUBERNETES_MANIFESTS: "false" SCAN_KUBERNETES_MANIFESTS: "false"
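Review bot: mobsf is appended to SAST_DEFAULT_ANALYZERS, yet the new mobsf jobs only run when SAST_EXPERIMENTAL_FEATURES is 'true', so a reader of this variable list will expect mobsf to be active by default. A one-line comment next to the value, e.g. `# mobsf additionally requires SAST_EXPERIMENTAL_FEATURES: "true"`, would make the gating visible where users override the list. The comment block that introduces these variables starts above the hunk.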
...@@ -125,6 +125,42 @@ gosec-sast: ...@@ -125,6 +125,42 @@ gosec-sast:
exists: exists:
- '**/*.go' - '**/*.go'
mobsf-android-sast:
extends: .sast-analyzer
services:
- name: opensecurity/mobile-security-framework-mobsf:latest
alias: mobsf
image:
name: "$SAST_ANALYZER_IMAGE"
variables:
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/mobsf:$SAST_ANALYZER_IMAGE_TAG"
rules:
- if: $SAST_DISABLED
when: never
- if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /mobsf/ &&
$SAST_EXPERIMENTAL_FEATURES == 'true'
exists:
- '**/AndroidManifest.xml'
mobsf-ios-sast:
extends: .sast-analyzer
services:
- name: opensecurity/mobile-security-framework-mobsf:latest
alias: mobsf
image:
name: "$SAST_ANALYZER_IMAGE"
variables:
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/mobsf:$SAST_ANALYZER_IMAGE_TAG"
rules:
- if: $SAST_DISABLED
when: never
- if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /mobsf/ &&
$SAST_EXPERIMENTAL_FEATURES == 'true'
exists:
- '**/*.xcodeproj/*'
nodejs-scan-sast: nodejs-scan-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
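Review bot: Both new jobs pull the MobSF service as `opensecurity/mobile-security-framework-mobsf:latest`, an unpinned third-party tag from a registry outside `$SECURE_ANALYZERS_PREFIX`, while the analyzer image itself is versioned through `$SAST_ANALYZER_IMAGE_TAG`. A floating tag makes scan results non-reproducible between pipelines, means an upstream push changes what runs in the job without any change on this side, and cannot be redirected by users who mirror `SECURE_ANALYZERS_PREFIX` for restricted networks. Pin the service to a specific version or `@sha256:` digest and expose it through a variable so it can be overridden like the analyzer image, e.g. `- name: "$MOBSF_SERVICE_IMAGE"` with the pinned default declared under `variables:` (variable name illustrative). The two jobs are otherwise identical apart from `exists:`; a hidden `.mobsf-sast` job extended by both would keep the service and rules definitions in one place.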
...@@ -203,6 +239,11 @@ spotbugs-sast: ...@@ -203,6 +239,11 @@ spotbugs-sast:
variables: variables:
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/spotbugs:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/spotbugs:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DEFAULT_ANALYZERS =~ /mobsf/ &&
$SAST_EXPERIMENTAL_FEATURES == 'true'
exists:
- '**/AndroidManifest.xml'
when: never
- if: $SAST_DISABLED - if: $SAST_DISABLED
when: never when: never
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
......
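Review bot: The new leading rule disables spotbugs-sast for the whole project as soon as any `**/AndroidManifest.xml` exists and mobsf is enabled, so a repository holding an Android module next to server-side Java, Scala or Groovy code loses SpotBugs coverage for the non-Android code, which mobsf-android-sast — judging by its `exists:` trigger — is aimed at the Android module only. If that trade-off is intended it deserves a comment above the rule, e.g. `# Hand Android projects to mobsf-android-sast; note this skips SpotBugs for every JVM module in the repository, not only the Android one`; otherwise the suppression needs a narrower condition. The `spotbugs-sast:` job and its `rules:` list begin above the hunk, so the rule's position relative to the remaining rules is only partly visible.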