From 27315438275ebbc2874ee3c8551443bd78d55cb7 Mon Sep 17 00:00:00 2001
From: Malena Ebert
Date: Fri, 2 Oct 2020 14:22:58 +0200
Subject: [PATCH] SONAR-13912 Add owasp_check_task to Cirrus CI.

Cirrus Cron Invocation
* nightly cron: only owasp scan on master
* weekly-lts cron: only owasp scan on current lts branch
---
 .cirrus.yml  | 77 ++++++++++++++++++++++++++++++++++------------------
 build.gradle |  5 ++++
 2 files changed, 56 insertions(+), 26 deletions(-)

diff --git a/.cirrus.yml b/.cirrus.yml
index b11a3dd2fe7..52af74b7f1b 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -36,6 +36,14 @@ task_only_nightly_depending_on_build_template: &TASK_ONLY_NIGHTLY_DEPENDING_ON_B
   # this task on your branch
   only_if: $CIRRUS_BRANCH == "branch-nightly-build"
 
+task_only_default_depending_on_build_template: &TASK_ONLY_DEFAUT_DEPENDING_ON_BUILD_TEMPLATE
+  depends_on: build
+  only_if: >-
+    $CIRRUS_BRANCH !=~ "dogfood/.*" &&
+    $CIRRUS_BRANCH != "public_master" &&
+    $CIRRUS_BRANCH != "branch-nightly-build" &&
+    $CIRRUS_CRON == ""
+
 docker_build_container_template: &GKE_CONTAINER_TEMPLATE
   dockerfile: private/docker/Dockerfile-build
   builder_image_project: sonarqube-team
@@ -78,7 +86,10 @@ screenshots_on_failure_template: &REPORTS_JUNIT_SCREENSHOTS_ON_FAILURE_TEMPLATE
     path: "**/build/screenshots/**/*"
 
 build_task:
-  only_if: $CIRRUS_BRANCH !=~ "dogfood/.*" && $CIRRUS_BRANCH != "public_master"
+  only_if: >-
+    $CIRRUS_BRANCH !=~ "dogfood/.*" &&
+    $CIRRUS_BRANCH != "public_master" &&
+    $CIRRUS_CRON == ""
   timeout_in: 90m
   gke_container:
     <<: *GKE_CONTAINER_TEMPLATE
@@ -113,8 +124,7 @@ deploy_docs_task:
     - ./private/cirrus/cirrus-trigger-deploy-docs.sh
 
 validate_task:
-  depends_on: build
-  only_if: $CIRRUS_BRANCH !=~ "dogfood/.*" && $CIRRUS_BRANCH != "public_master" && $CIRRUS_TAG != "nightly-build"
+  <<: *TASK_ONLY_DEFAUT_DEPENDING_ON_BUILD_TEMPLATE
   timeout_in: 90m
   gke_container:
     <<: *GKE_CONTAINER_TEMPLATE
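Review bot: The anchor introduced on the first added line, `&TASK_ONLY_DEFAUT_DEPENDING_ON_BUILD_TEMPLATE`, is missing the L of DEFAULT, and the misspelling is then copied into every `<<:` alias this patch adds (validate_task, qa_task, promote_task). Renaming it to `&TASK_ONLY_DEFAULT_DEPENDING_ON_BUILD_TEMPLATE` together with its aliases is cheap now and avoids the typo being propagated by the next task that copies one of these stanzas. Separately, the template's exclusion clause tests `$CIRRUS_BRANCH != "branch-nightly-build"` where the replaced task lines tested `$CIRRUS_TAG != "nightly-build"`; that matches the existing nightly template, but it is a trigger change the commit message does not mention, so it is worth a line there.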
@@ -132,8 +142,7 @@ validate_task:
     <<: *REPORTS_JUNIT_ON_FAILURE_TEMPLATE
 
 qa_task:
-  depends_on: build
-  only_if: $CIRRUS_BRANCH !=~ "dogfood/.*" && $CIRRUS_BRANCH != "public_master" && $CIRRUS_TAG != "nightly-build"
+  <<: *TASK_ONLY_DEFAUT_DEPENDING_ON_BUILD_TEMPLATE
   gke_container:
     <<: *GKE_CONTAINER_TEMPLATE
     cpu: 3
@@ -169,11 +178,11 @@ qa_task:
     <<: *REPORTS_JUNIT_SCREENSHOTS_ON_FAILURE_TEMPLATE
 
 promote_task:
+  <<: *TASK_ONLY_DEFAUT_DEPENDING_ON_BUILD_TEMPLATE
   depends_on:
     - build
     - validate
     - qa
-  only_if: $CIRRUS_BRANCH !=~ "dogfood/.*" && $CIRRUS_BRANCH != "public_master" && $CIRRUS_TAG != "nightly-build"
   gke_container:
     <<: *GKE_CONTAINER_TEMPLATE
     stateful: true
@@ -186,10 +195,7 @@ promote_task:
     - ./private/cirrus/cirrus-promote.sh
 
 sql_mssql2017_task:
-  depends_on: build
-  # Comment the following line and commit with message "DO NOT MERGE" in order to run
-  # this task on your branch
-  only_if: $CIRRUS_TAG == "nightly-build"
+  <<: *TASK_ONLY_NIGHTLY_DEPENDING_ON_BUILD_TEMPLATE
   gke_container:
     <<: *GKE_CONTAINER_TEMPLATE
     memory: 5Gb
@@ -215,10 +221,7 @@ sql_mssql2017_task:
 
 # this is the oldest compatible version of PostgreSQL
 sql_postgres93_task:
-  depends_on: build
-  # Comment the following line and commit with message "DO NOT MERGE" in order to run
-  # this task on your branch
-  only_if: $CIRRUS_TAG == "nightly-build"
+  <<: *TASK_ONLY_NIGHTLY_DEPENDING_ON_BUILD_TEMPLATE
   gke_container:
     <<: *GKE_CONTAINER_TEMPLATE
     memory: 5Gb
@@ -235,10 +238,7 @@ sql_postgres93_task:
     <<: *REPORTS_JUNIT_ON_FAILURE_TEMPLATE
 
 sql_oracle12_task:
-  depends_on: build
-  # Comment the following line and commit with message "DO NOT MERGE" in order to run
-  # this task on your branch
-  only_if: $CIRRUS_TAG == "nightly-build"
+  <<: *TASK_ONLY_NIGHTLY_DEPENDING_ON_BUILD_TEMPLATE
   gke_container:
     <<: *GKE_CONTAINER_TEMPLATE
     memory: 5Gb
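Review bot: Replacing `only_if: $CIRRUS_TAG == "nightly-build"` with `<<: *TASK_ONLY_NIGHTLY_DEPENDING_ON_BUILD_TEMPLATE` in sql_mssql2017_task moves the task from a tag trigger to the template's branch trigger (`$CIRRUS_BRANCH == "branch-nightly-build"`, visible in the context of the first hunk), while the commit message only describes the cron invocations. If the nightly pipeline still pushes the tag rather than building that branch, this task simply stops running with nothing failing to show it; the same substitution is made in the sql_postgres93_task, sql_oracle12_task, upgd_mssql2017_task and upgd_oracle12_task hunks. Either confirm the branch is what the nightly pipeline builds or state the trigger change in the message.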
@@ -252,10 +252,7 @@ sql_oracle12_task:
     <<: *REPORTS_JUNIT_ON_FAILURE_TEMPLATE
 
 upgd_mssql2017_task:
-  depends_on: build
-  # Comment the following line and commit with message "DO NOT MERGE" in order to run
-  # this task on your branch
-  only_if: $CIRRUS_TAG == "nightly-build"
+  <<: *TASK_ONLY_NIGHTLY_DEPENDING_ON_BUILD_TEMPLATE
   gke_container:
     <<: *GKE_CONTAINER_TEMPLATE
     cpu: 1.5
@@ -288,10 +285,7 @@ upgd_mssql2017_task:
 
 
 upgd_oracle12_task:
-  depends_on: build
-  # Comment the following line and commit with message "DO NOT MERGE" in order to run
-  # this task on your branch
-  only_if: $CIRRUS_TAG == "nightly-build"
+  <<: *TASK_ONLY_NIGHTLY_DEPENDING_ON_BUILD_TEMPLATE
   gke_container:
     <<: *GKE_CONTAINER_TEMPLATE
     cpu: 1.5
@@ -313,3 +307,34 @@ upgd_oracle12_task:
     - ./private/cirrus/cleanup-gradle-cache.sh
   on_failure:
     <<: *REPORTS_JUNIT_ON_FAILURE_TEMPLATE
+
+# Software Composition Analysis (SCA): check potential vulnerabilities in dependencies.
+# Note that license compliance of dependencies is not checked for now.
+owasp_check_task:
+  only_if: >-
+    $CIRRUS_CRON == "nightly" ||
+    $CIRRUS_CRON == "weekly-lts"
+  timeout_in: 30m
+  gke_container:
+    <<: *GKE_CONTAINER_TEMPLATE
+    cpu: 1.7
+    memory: 4Gb
+  environment:
+    # No need to clone the full history.
+    # Depth of 1 is not enough because it would fail the build in case of consecutive pushes
+    # (example of error: "Hard resetting to c968ecaf7a1942dacecd78480b3751ac74d53c33...Failed to force reset to c968ecaf7a1942dacecd78480b3751ac74d53c33: object not found!")
+    CIRRUS_CLONE_DEPTH: 50
+    SLACK_WEBHOOK_SQ: ENCRYPTED[dec8e4350cbea3b94d63098558bcb3ae9e79b71c2b6286fcfb9eb80c0953b6448b10f7271b07b5e75e52f362c25d7a8f]
+  nvd_cache:
+    # The NVD repository of vulnerabilities is big and should be cached so
+    # that consecutive runs download only changes, but not the whole repository.
+    folder: ~/.gradle/dependency-check-data
+    reupload_on_changes: true
+  script:
+    - gradle dependencyCheckAggregate
+  on_failure:
+    slack_notification_script:
+      - ./private/cirrus/cirrus-owasp-notification.sh
+  always:
+    reports_artifacts:
+      path: "build/reports/*"
diff --git a/build.gradle b/build.gradle
index f732e5180f9..eea57a99051 100644
--- a/build.gradle
+++ b/build.gradle
@@ -387,6 +387,11 @@ subprojects {
       yarnVersion = '1.15.2'
       download = true
     }
+
+    // the OWASP tool does not support yarn, and its yarn.lock files, so node modules
+    // should be explicitly installed (yarn task) before running the audit
+    // See https://github.com/jeremylong/DependencyCheck/issues/2393
+    dependencyCheckAggregate.dependsOn(yarn)
   }
 
 if (official) {
-- 
2.39.5
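Review bot: `reports_artifacts` in the new owasp_check_task uploads `build/reports/*`, which for dependency-check is the inventory of unpatched CVEs found in the scanned branch's dependencies, and unlike the Slack notification it is not scoped to a channel; if Cirrus artifacts on this repository are downloadable by anyone, that publishes the vulnerable-dependency list after every cron run, so consider restricting the artifact or carrying only a summary through the notification script. `only_if` tests only `$CIRRUS_CRON`, so the branch each cron scans (master and the current LTS per the commit message) is decided in the Cirrus cron settings rather than here; a comment above `only_if` such as `# The branch each cron builds ("nightly" on master, "weekly-lts" on the current LTS branch) is set in the Cirrus cron settings; the names must match exactly.` would keep that dependency visible. `timeout_in: 30m` may also be tight for the first run on an empty `nvd_cache`, which has to fetch the whole dataset the comment itself calls big; worth confirming on a cold cache.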