SONAR-13912 Add owasp_check_task to Cirrus CI.
authorMalena Ebert <malena.ebert@sonarsource.com>
Fri, 2 Oct 2020 12:22:58 +0000 (14:22 +0200)
committersonartech <sonartech@sonarsource.com>
Fri, 23 Oct 2020 20:08:06 +0000 (20:08 +0000)
Cirrus Cron Invocation
* nightly cron: only owasp scan on master
* weekly-lts cron: only owasp scan on current lts branch

.cirrus.yml
build.gradle

index b11a3dd2fe767b8875856b888caf82474a071975..52af74b7f1b0016caac5f8c8e8a1db9dde4cdbb9 100644 (file)
@@ -36,6 +36,14 @@ task_only_nightly_depending_on_build_template: &TASK_ONLY_NIGHTLY_DEPENDING_ON_B
   # this task on your branch
   only_if: $CIRRUS_BRANCH == "branch-nightly-build"
 
+task_only_default_depending_on_build_template: &TASK_ONLY_DEFAUT_DEPENDING_ON_BUILD_TEMPLATE
+  depends_on: build
+  only_if: >-
+           $CIRRUS_BRANCH !=~ "dogfood/.*" &&
+           $CIRRUS_BRANCH != "public_master" &&
+           $CIRRUS_BRANCH != "branch-nightly-build" &&
+           $CIRRUS_CRON == ""
+
 docker_build_container_template: &GKE_CONTAINER_TEMPLATE
   dockerfile: private/docker/Dockerfile-build
   builder_image_project: sonarqube-team
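Review bot: The new anchor is spelled `&TASK_ONLY_DEFAUT_DEPENDING_ON_BUILD_TEMPLATE` while the key it sits on reads `task_only_default_...`; the dropped "L" will be copied into every alias site and makes the anchor hard to grep for. I would rename it to `&TASK_ONLY_DEFAULT_DEPENDING_ON_BUILD_TEMPLATE` and update the `<<: *...` aliases in the same commit. The `$CIRRUS_CRON == ""` clause is also the one line that silently takes validate/qa/promote out of every scheduled run, so it deserves a comment such as `# cron-triggered runs (nightly, weekly-lts) only execute the owasp scan; skip the regular pipeline` above the `only_if`.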
@@ -78,7 +86,10 @@ screenshots_on_failure_template: &REPORTS_JUNIT_SCREENSHOTS_ON_FAILURE_TEMPLATE
     path: "**/build/screenshots/**/*"
 
 build_task:
-  only_if: $CIRRUS_BRANCH !=~ "dogfood/.*" && $CIRRUS_BRANCH != "public_master"
+  only_if: >-
+           $CIRRUS_BRANCH !=~ "dogfood/.*" &&
+           $CIRRUS_BRANCH != "public_master" &&
+           $CIRRUS_CRON == ""
   timeout_in: 90m
   gke_container:
     <<: *GKE_CONTAINER_TEMPLATE
@@ -113,8 +124,7 @@ deploy_docs_task:
     - ./private/cirrus/cirrus-trigger-deploy-docs.sh
 
 validate_task:
-  depends_on: build
-  only_if: $CIRRUS_BRANCH !=~ "dogfood/.*" && $CIRRUS_BRANCH != "public_master" && $CIRRUS_TAG != "nightly-build"
+  <<: *TASK_ONLY_DEFAUT_DEPENDING_ON_BUILD_TEMPLATE
   timeout_in: 90m
   gke_container:
     <<: *GKE_CONTAINER_TEMPLATE
@@ -132,8 +142,7 @@ validate_task:
     <<: *REPORTS_JUNIT_ON_FAILURE_TEMPLATE
 
 qa_task:
-  depends_on: build
-  only_if: $CIRRUS_BRANCH !=~ "dogfood/.*" && $CIRRUS_BRANCH != "public_master" && $CIRRUS_TAG != "nightly-build"
+  <<: *TASK_ONLY_DEFAUT_DEPENDING_ON_BUILD_TEMPLATE
   gke_container:
     <<: *GKE_CONTAINER_TEMPLATE
     cpu: 3
@@ -169,11 +178,11 @@ qa_task:
     <<: *REPORTS_JUNIT_SCREENSHOTS_ON_FAILURE_TEMPLATE
 
 promote_task:
+  <<: *TASK_ONLY_DEFAUT_DEPENDING_ON_BUILD_TEMPLATE
   depends_on:
     - build
     - validate
     - qa
-  only_if: $CIRRUS_BRANCH !=~ "dogfood/.*" && $CIRRUS_BRANCH != "public_master" && $CIRRUS_TAG != "nightly-build"
   gke_container:
     <<: *GKE_CONTAINER_TEMPLATE
   stateful: true
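Review bot: promote_task now merges a template that carries `depends_on: build` and then declares its own `depends_on` list; this only works because an explicit key wins over a `<<:` merged key, which is a YAML 1.1 merge-key detail a reader will not necessarily know. A one-line comment on the explicit list, `# overrides the template's depends_on: build (explicit keys win over merged ones)`, would make the intent clear and stop someone "cleaning up" the apparent duplication. promote_task continues past the end of this hunk.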
@@ -186,10 +195,7 @@ promote_task:
     - ./private/cirrus/cirrus-promote.sh
 
 sql_mssql2017_task:
-  depends_on: build
-  # Comment the following line and commit with message "DO NOT MERGE" in order to run
-  # this task on your branch
-  only_if: $CIRRUS_TAG == "nightly-build"
+  <<: *TASK_ONLY_NIGHTLY_DEPENDING_ON_BUILD_TEMPLATE
   gke_container:
     <<: *GKE_CONTAINER_TEMPLATE
     memory: 5Gb
@@ -215,10 +221,7 @@ sql_mssql2017_task:
 
 # this is the oldest compatible version of PostgreSQL
 sql_postgres93_task:
-  depends_on: build
-  # Comment the following line and commit with message "DO NOT MERGE" in order to run
-  # this task on your branch
-  only_if: $CIRRUS_TAG == "nightly-build"
+  <<: *TASK_ONLY_NIGHTLY_DEPENDING_ON_BUILD_TEMPLATE
   gke_container:
     <<: *GKE_CONTAINER_TEMPLATE
     memory: 5Gb
@@ -235,10 +238,7 @@ sql_postgres93_task:
     <<: *REPORTS_JUNIT_ON_FAILURE_TEMPLATE
 
 sql_oracle12_task:
-  depends_on: build
-  # Comment the following line and commit with message "DO NOT MERGE" in order to run
-  # this task on your branch
-  only_if: $CIRRUS_TAG == "nightly-build"
+  <<: *TASK_ONLY_NIGHTLY_DEPENDING_ON_BUILD_TEMPLATE
   gke_container:
     <<: *GKE_CONTAINER_TEMPLATE
     memory: 5Gb
@@ -252,10 +252,7 @@ sql_oracle12_task:
     <<: *REPORTS_JUNIT_ON_FAILURE_TEMPLATE
 
 upgd_mssql2017_task:
-  depends_on: build
-  # Comment the following line and commit with message "DO NOT MERGE" in order to run
-  # this task on your branch
-  only_if: $CIRRUS_TAG == "nightly-build"
+  <<: *TASK_ONLY_NIGHTLY_DEPENDING_ON_BUILD_TEMPLATE
   gke_container:
     <<: *GKE_CONTAINER_TEMPLATE
     cpu: 1.5
@@ -288,10 +285,7 @@ upgd_mssql2017_task:
 
 
 upgd_oracle12_task:
-  depends_on: build
-  # Comment the following line and commit with message "DO NOT MERGE" in order to run
-  # this task on your branch
-  only_if: $CIRRUS_TAG == "nightly-build"
+  <<: *TASK_ONLY_NIGHTLY_DEPENDING_ON_BUILD_TEMPLATE
   gke_container:
     <<: *GKE_CONTAINER_TEMPLATE
     cpu: 1.5
@@ -313,3 +307,34 @@ upgd_oracle12_task:
     - ./private/cirrus/cleanup-gradle-cache.sh
   on_failure:
     <<: *REPORTS_JUNIT_ON_FAILURE_TEMPLATE
+
+# Software Composition Analysis (SCA): check potential vulnerabilities in dependencies.
+# Note that license compliance of dependencies is not checked for now.
+owasp_check_task:
+  only_if: >-
+           $CIRRUS_CRON == "nightly" ||
+           $CIRRUS_CRON == "weekly-lts"
+  timeout_in: 30m
+  gke_container:
+    <<: *GKE_CONTAINER_TEMPLATE
+    cpu: 1.7
+    memory: 4Gb
+  environment:
+    # No need to clone the full history.
+    # Depth of 1 is not enough because it would fail the build in case of consecutive pushes
+    # (example of error: "Hard resetting to c968ecaf7a1942dacecd78480b3751ac74d53c33...Failed to force reset to c968ecaf7a1942dacecd78480b3751ac74d53c33: object not found!")
+    CIRRUS_CLONE_DEPTH: 50
+    SLACK_WEBHOOK_SQ: ENCRYPTED[dec8e4350cbea3b94d63098558bcb3ae9e79b71c2b6286fcfb9eb80c0953b6448b10f7271b07b5e75e52f362c25d7a8f]
+  nvd_cache:
+    # The NVD repository of vulnerabilities is big and should be cached so
+    # that consecutive runs download only changes, but not the whole repository.
+    folder: ~/.gradle/dependency-check-data
+    reupload_on_changes: true
+  script:
+    - gradle dependencyCheckAggregate
+  on_failure:
+    slack_notification_script:
+      - ./private/cirrus/cirrus-owasp-notification.sh
+  always:
+    reports_artifacts:
+      path: "build/reports/*"
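Review bot: The Slack alert in `on_failure` only fires if `gradle dependencyCheckAggregate` exits non-zero, and the OWASP dependency-check Gradle plugin does not fail the build on findings unless a threshold such as `failBuildOnCVSS` is configured; that configuration is not visible in this commit, so as written a run that finds critical CVEs may succeed quietly and never notify anyone. I would confirm the threshold is set in the build script (or document it here with `# build.gradle sets failBuildOnCVSS so findings fail the task and trigger the Slack notification`). Two smaller points: `timeout_in: 30m` may be tight on a cold `nvd_cache`, since the first NVD download is large, and the commit message says weekly-lts scans only the LTS branch, but the `only_if` checks `$CIRRUS_CRON` alone, so the branch restriction lives entirely in the Cirrus cron configuration and should be noted in a comment.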
index f732e5180f919f39d92503ec408e55468286b1ad..eea57a99051b6cf9ec37d685686eb2c24fb798b4 100644 (file)
@@ -387,6 +387,11 @@ subprojects {
       yarnVersion = '1.15.2'
       download = true
     }
+
+    // the OWASP tool does not support yarn, and its yarn.lock files, so node modules
+    // should be explicitly installed (yarn task) before running the audit
+    // See https://github.com/jeremylong/DependencyCheck/issues/2393
+    dependencyCheckAggregate.dependsOn(yarn)
   }
 
   if (official) {
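Review bot: `dependencyCheckAggregate.dependsOn(yarn)` makes the scan result depend on whatever the `yarn` task installs, and the scanned tree matches the audited `yarn.lock` only if that install is lock-file strict; the yarn task's arguments are not visible in this hunk, so if it does not already pass `--frozen-lockfile`, consider adding it so the SCA run cannot drift from the committed lock. A short note on the new line would also help, e.g. `// scans the installed node_modules, so the install must be lock-file strict`. The enclosing `subprojects { ... }` block starts and ends outside this hunk.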