a92eb346
Commit
a92eb346
authored
Apr 30, 2020
by
Lucas Charles
Migrate Dependency-Scanning CI template to rules syntax
Relates to
https://gitlab.com/gitlab-org/gitlab/-/issues/36547
parent
03b84967
Changes
3
Showing
3 changed files
with
107 additions
and
56 deletions
+107
-56
changelogs/unreleased/e2300-ds-template.yml
changelogs/unreleased/e2300-ds-template.yml
+5
-0
ee/spec/lib/gitlab/ci/templates/dependency_scanning_gitlab_ci_yaml_spec.rb
...b/ci/templates/dependency_scanning_gitlab_ci_yaml_spec.rb
+33
-18
lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
...b/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
+69
-38
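--- /dev/null
+++ b/changelogs/unreleased/e2300-ds-template.yml
@@ -0,0 +1,5 @@
+---
+title: Migrate Dependency-Scanning CI template to rules syntax
+merge_request: 30907
+author:
+type: changed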
ee/spec/lib/gitlab/ci/templates/dependency_scanning_gitlab_ci_yaml_spec.rb
...
...
@@ -8,7 +8,8 @@ describe 'Dependency-Scanning.gitlab-ci.yml' do
describe
'the created pipeline'
do
let
(
:user
)
{
create
(
:admin
)
}
let
(
:default_branch
)
{
'master'
}
let
(
:project
)
{
create
(
:project
,
:custom_repo
,
files:
{
'README.txt'
=>
''
})
}
let
(
:files
)
{
{
'README.txt'
=>
''
}
}
let
(
:project
)
{
create
(
:project
,
:custom_repo
,
files:
files
)
}
let
(
:service
)
{
Ci
::
CreatePipelineService
.
new
(
project
,
user
,
ref:
'master'
)
}
let
(
:pipeline
)
{
service
.
execute!
(
:push
)
}
let
(
:build_names
)
{
pipeline
.
builds
.
pluck
(
:name
)
}
...
...
@@ -48,35 +49,49 @@ describe 'Dependency-Scanning.gitlab-ci.yml' do
end
end
context
'when DS_DISABLE_DIND=
1
'
do
context
'when DS_DISABLE_DIND=
true
'
do
before
do
create
(
:ci_variable
,
project:
project
,
key:
'DS_DISABLE_DIND'
,
value:
'
1
'
)
create
(
:ci_variable
,
project:
project
,
key:
'DS_DISABLE_DIND'
,
value:
'
true
'
)
end
describe
'language detection'
do
using
RSpec
::
Parameterized
::
TableSyntax
where
(
:case_name
,
:variables
,
:include_build_names
)
do
'Go'
|
{
"CI_PROJECT_REPOSITORY_LANGUAGES"
=>
"go"
}
|
%w(gemnasium-dependency_scanning)
'Java'
|
{
"CI_PROJECT_REPOSITORY_LANGUAGES"
=>
"java"
}
|
%w(gemnasium-maven-dependency_scanning)
'Javascript'
|
{
"CI_PROJECT_REPOSITORY_LANGUAGES"
=>
"javascript"
}
|
%w(gemnasium-dependency_scanning retire-js-dependency_scanning)
'Multiple languages'
|
{
"CI_PROJECT_REPOSITORY_LANGUAGES"
=>
"java,javascript"
}
|
%w(gemnasium-dependency_scanning gemnasium-maven-dependency_scanning retire-js-dependency_scanning)
'PHP'
|
{
"CI_PROJECT_REPOSITORY_LANGUAGES"
=>
"php"
}
|
%w(gemnasium-dependency_scanning)
'Python'
|
{
"CI_PROJECT_REPOSITORY_LANGUAGES"
=>
"python"
}
|
%w(gemnasium-python-dependency_scanning)
'Ruby'
|
{
"CI_PROJECT_REPOSITORY_LANGUAGES"
=>
"ruby"
}
|
%w(bundler-audit-dependency_scanning gemnasium-dependency_scanning)
'Scala'
|
{
"CI_PROJECT_REPOSITORY_LANGUAGES"
=>
"scala"
}
|
%w(gemnasium-maven-dependency_scanning)
where
(
:case_name
,
:files
,
:include_build_names
)
do
'Go'
|
{
'go.sum'
=>
''
}
|
%w(gemnasium-dependency_scanning)
'Java'
|
{
'pom.xml'
=>
''
}
|
%w(gemnasium-maven-dependency_scanning)
'Java Gradle'
|
{
'build.gradle'
=>
''
}
|
%w(gemnasium-maven-dependency_scanning)
'Javascript'
|
{
'package.json'
=>
''
}
|
%w(retire-js-dependency_scanning)
'Javascript package-lock.json'
|
{
'package-lock.json'
=>
''
}
|
%w(gemnasium-dependency_scanning)
'Javascript yarn.lock'
|
{
'yarn.lock'
=>
''
}
|
%w(gemnasium-dependency_scanning)
'Javascript npm-shrinkwrap.json'
|
{
'npm-shrinkwrap.json'
=>
''
}
|
%w(gemnasium-dependency_scanning)
'Multiple languages'
|
{
'pom.xml'
=>
''
,
'package.json'
=>
''
}
|
%w(gemnasium-maven-dependency_scanning retire-js-dependency_scanning)
'PHP'
|
{
'composer.lock'
=>
''
}
|
%w(gemnasium-dependency_scanning)
'Python requirements.txt'
|
{
'requirements.txt'
=>
''
}
|
%w(gemnasium-python-dependency_scanning)
'Python requirements.pip'
|
{
'requirements.pip'
=>
''
}
|
%w(gemnasium-python-dependency_scanning)
'Python Pipfile'
|
{
'Pipfile'
=>
''
}
|
%w(gemnasium-python-dependency_scanning)
'Python Pipfile.lock'
|
{
'Pipfile.lock'
=>
''
}
|
%w(gemnasium-dependency_scanning)
'Python requires.txt'
|
{
'requires.txt'
=>
''
}
|
%w(gemnasium-python-dependency_scanning)
'Python with setup.py'
|
{
'setup.py'
=>
''
}
|
%w(gemnasium-python-dependency_scanning)
'Ruby Gemfile.lock'
|
{
'Gemfile.lock'
=>
''
}
|
%w(bundler-audit-dependency_scanning gemnasium-dependency_scanning)
'Ruby gems.locked'
|
{
'gems.locked'
=>
''
}
|
%w(gemnasium-dependency_scanning)
'Scala'
|
{
'build.sbt'
=>
''
}
|
%w(gemnasium-maven-dependency_scanning)
end
with_them
do
before
do
variables
.
each
do
|
(
key
,
value
)
|
create
(
:ci_variable
,
project:
project
,
key:
key
,
value:
value
)
it
'creates a pipeline with the expected jobs'
do
expect
(
build_names
).
to
include
(
*
include_build_names
)
end
end
end
it
'creates a pipeline with the expected jobs'
do
expect
(
build_names
).
to
include
(
*
include_build_names
)
context
'when PIP_REQUIREMENTS_FILE is defined'
do
before
do
create
(
:ci_variable
,
project:
project
,
key:
'PIP_REQUIREMENTS_FILE'
,
value:
'/some/path/requirements.txt'
)
end
it
'creates a pipeline with the expected jobs'
do
expect
(
build_names
).
to
include
(
'gemnasium-python-dependency_scanning'
)
end
end
end
...
...
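Review bot: The row assertion `expect(build_names).to include(*include_build_names)` in the new `with_them` block only proves that the expected analyzers were scheduled, not that the others stayed idle, so a rule that over-triggers — say `retire-js-dependency_scanning` also appearing for the 'Go' row — would pass unnoticed, and preventing exactly that is the point of moving to `rules:exists`. If no other jobs are created in the `DS_DISABLE_DIND=true` context (the `dependency_scanning` job's `when: never` rule should keep it out), `expect(build_names).to match_array(include_build_names)` pins the full job list; otherwise a second assertion such as `expect(build_names).not_to include(*(analyzer_names - include_build_names))`, with `analyzer_names` a frozen list of the analyzer job names, gives the same guarantee. The table also has no row in which a manifest exists but `DS_DEFAULT_ANALYZERS` excludes its analyzer; if that is not covered elsewhere in the file it is worth one row. The enclosing `describe 'Dependency-Scanning.gitlab-ci.yml'` block starts before this hunk.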
lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
...
...
@@ -72,23 +72,20 @@ dependency_scanning:
reports
:
dependency_scanning
:
gl-dependency-scanning-report.json
dependencies
:
[]
only
:
refs
:
-
branches
variables
:
-
$GITLAB_FEATURES =~ /\bdependency_scanning\b/
except
:
variables
:
-
$DEPENDENCY_SCANNING_DISABLED
-
$DS_DISABLE_DIND == 'true'
rules
:
-
if
:
$DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'true'
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/
.ds-analyzer
:
extends
:
dependency_scanning
services
:
[]
except
:
variables
:
-
$DEPENDENCY_SCANNING_DISABLED
-
$DS_DISABLE_DIND == 'false'
rules
:
-
if
:
$DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/
script
:
-
/analyzer run
...
...
@@ -96,48 +93,82 @@ gemnasium-dependency_scanning:
extends
:
.ds-analyzer
image
:
name
:
"
$DS_ANALYZER_IMAGE_PREFIX/gemnasium:$DS_MAJOR_VERSION"
only
:
variables
:
-
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium([^-]|$)/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /ruby|javascript|php|\bgo\b/
rules
:
-
if
:
$DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium([^-]|$)/
exists
:
-
'
Gemfile.lock'
-
'
Pipfile.lock'
-
'
composer.lock'
-
'
gems.locked'
-
'
go.sum'
-
'
npm-shrinkwrap.json'
-
'
package-lock.json'
-
'
yarn.lock'
gemnasium-maven-dependency_scanning
:
extends
:
.ds-analyzer
image
:
name
:
"
$DS_ANALYZER_IMAGE_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION"
only
:
variables
:
-
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium-maven/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\b(java|scala)\b/
rules
:
-
if
:
$DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium-maven/
exists
:
-
'
build.gradle'
-
'
build.sbt'
-
'
pom.xml'
gemnasium-python-dependency_scanning
:
extends
:
.ds-analyzer
image
:
name
:
"
$DS_ANALYZER_IMAGE_PREFIX/gemnasium-python:$DS_MAJOR_VERSION"
only
:
variables
:
-
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
rules
:
-
if
:
$DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium-python/
exists
:
-
'
requirements.txt'
-
'
requirements.pip'
-
'
Pipfile'
-
'
requires.txt'
-
'
setup.py'
# Support passing of $PIP_REQUIREMENTS_FILE
# See https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#configuring-specific-analyzers-used-by-dependency-scanning
-
if
:
$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium-python/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /python/
$PIP_REQUIREMENTS_FILE
bundler-audit-dependency_scanning
:
extends
:
.ds-analyzer
image
:
name
:
"
$DS_ANALYZER_IMAGE_PREFIX/bundler-audit:$DS_MAJOR_VERSION"
only
:
variables
:
-
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /bundler-audit/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /ruby/
rules
:
-
if
:
$DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /bundler-audit/
exists
:
-
'
Gemfile.lock'
retire-js-dependency_scanning
:
extends
:
.ds-analyzer
image
:
name
:
"
$DS_ANALYZER_IMAGE_PREFIX/retire.js:$DS_MAJOR_VERSION"
only
:
variables
:
-
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /retire.js/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /javascript/
rules
:
-
if
:
$DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /retire.js/
exists
:
-
'
package.json'
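Review bot: The `exists:` lists added to the analyzer jobs (`'Gemfile.lock'` and friends under gemnasium-dependency_scanning, and the equivalents in the maven, python, bundler-audit and retire.js jobs) match paths relative to the repository root, so a project whose manifests live in a subdirectory — which the replaced `$CI_PROJECT_REPOSITORY_LANGUAGES` check would still have caught — now silently gets no dependency scan. If the analyzers do scan nested directories (not visible here), a glob such as `'**/Gemfile.lock'` preserves the previous coverage; if they do not, a comment on the first `exists:` stating that only root-level manifests schedule the job makes the narrowing explicit for whoever next debugs a missing scan. Separately, because `extends:` replaces rather than merges the `rules:` array, the `when: never` guard written on `.ds-analyzer` is restated verbatim in every analyzer job; a comment on `.ds-analyzer`'s `rules:` such as `# child jobs must restate these rules in full: extends merges hashes, not arrays` would stop a future edit to the disable condition landing in the parent only. The template's top-level `variables:` section, where `DS_DISABLE_DIND` presumably gets its default, is outside this hunk.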