
SONAR-13912 Add owasp_check_task to Cirrus CI.

Cirrus Cron Invocation
* nightly cron: only owasp scan on master
* weekly-lts cron: only owasp scan on current lts branch
tags/7.9.5
Malena Ebert 3 years ago
parent
commit
2731543827
2 changed files with 56 additions and 26 deletions
  1. 51
    26
      .cirrus.yml
  2. 5
    0
      build.gradle

+ 51
- 26
.cirrus.yml View File

@@ -36,6 +36,14 @@ task_only_nightly_depending_on_build_template: &TASK_ONLY_NIGHTLY_DEPENDING_ON_B
# this task on your branch
only_if: $CIRRUS_BRANCH == "branch-nightly-build"

task_only_default_depending_on_build_template: &TASK_ONLY_DEFAUT_DEPENDING_ON_BUILD_TEMPLATE
depends_on: build
only_if: >-
$CIRRUS_BRANCH !=~ "dogfood/.*" &&
$CIRRUS_BRANCH != "public_master" &&
$CIRRUS_BRANCH != "branch-nightly-build" &&
$CIRRUS_CRON == ""

docker_build_container_template: &GKE_CONTAINER_TEMPLATE
dockerfile: private/docker/Dockerfile-build
builder_image_project: sonarqube-team
@@ -78,7 +86,10 @@ screenshots_on_failure_template: &REPORTS_JUNIT_SCREENSHOTS_ON_FAILURE_TEMPLATE
path: "**/build/screenshots/**/*"

build_task:
only_if: $CIRRUS_BRANCH !=~ "dogfood/.*" && $CIRRUS_BRANCH != "public_master"
only_if: >-
$CIRRUS_BRANCH !=~ "dogfood/.*" &&
$CIRRUS_BRANCH != "public_master" &&
$CIRRUS_CRON == ""
timeout_in: 90m
gke_container:
<<: *GKE_CONTAINER_TEMPLATE
@@ -113,8 +124,7 @@ deploy_docs_task:
- ./private/cirrus/cirrus-trigger-deploy-docs.sh

validate_task:
depends_on: build
only_if: $CIRRUS_BRANCH !=~ "dogfood/.*" && $CIRRUS_BRANCH != "public_master" && $CIRRUS_TAG != "nightly-build"
<<: *TASK_ONLY_DEFAUT_DEPENDING_ON_BUILD_TEMPLATE
timeout_in: 90m
gke_container:
<<: *GKE_CONTAINER_TEMPLATE
@@ -132,8 +142,7 @@ validate_task:
<<: *REPORTS_JUNIT_ON_FAILURE_TEMPLATE

qa_task:
depends_on: build
only_if: $CIRRUS_BRANCH !=~ "dogfood/.*" && $CIRRUS_BRANCH != "public_master" && $CIRRUS_TAG != "nightly-build"
<<: *TASK_ONLY_DEFAUT_DEPENDING_ON_BUILD_TEMPLATE
gke_container:
<<: *GKE_CONTAINER_TEMPLATE
cpu: 3
@@ -169,11 +178,11 @@ qa_task:
<<: *REPORTS_JUNIT_SCREENSHOTS_ON_FAILURE_TEMPLATE

promote_task:
<<: *TASK_ONLY_DEFAUT_DEPENDING_ON_BUILD_TEMPLATE
depends_on:
- build
- validate
- qa
only_if: $CIRRUS_BRANCH !=~ "dogfood/.*" && $CIRRUS_BRANCH != "public_master" && $CIRRUS_TAG != "nightly-build"
gke_container:
<<: *GKE_CONTAINER_TEMPLATE
stateful: true
@@ -186,10 +195,7 @@ promote_task:
- ./private/cirrus/cirrus-promote.sh

sql_mssql2017_task:
depends_on: build
# Comment the following line and commit with message "DO NOT MERGE" in order to run
# this task on your branch
only_if: $CIRRUS_TAG == "nightly-build"
<<: *TASK_ONLY_NIGHTLY_DEPENDING_ON_BUILD_TEMPLATE
gke_container:
<<: *GKE_CONTAINER_TEMPLATE
memory: 5Gb
@@ -215,10 +221,7 @@ sql_mssql2017_task:

# this is the oldest compatible version of PostgreSQL
sql_postgres93_task:
depends_on: build
# Comment the following line and commit with message "DO NOT MERGE" in order to run
# this task on your branch
only_if: $CIRRUS_TAG == "nightly-build"
<<: *TASK_ONLY_NIGHTLY_DEPENDING_ON_BUILD_TEMPLATE
gke_container:
<<: *GKE_CONTAINER_TEMPLATE
memory: 5Gb
@@ -235,10 +238,7 @@ sql_postgres93_task:
<<: *REPORTS_JUNIT_ON_FAILURE_TEMPLATE

sql_oracle12_task:
depends_on: build
# Comment the following line and commit with message "DO NOT MERGE" in order to run
# this task on your branch
only_if: $CIRRUS_TAG == "nightly-build"
<<: *TASK_ONLY_NIGHTLY_DEPENDING_ON_BUILD_TEMPLATE
gke_container:
<<: *GKE_CONTAINER_TEMPLATE
memory: 5Gb
@@ -252,10 +252,7 @@ sql_oracle12_task:
<<: *REPORTS_JUNIT_ON_FAILURE_TEMPLATE

upgd_mssql2017_task:
depends_on: build
# Comment the following line and commit with message "DO NOT MERGE" in order to run
# this task on your branch
only_if: $CIRRUS_TAG == "nightly-build"
<<: *TASK_ONLY_NIGHTLY_DEPENDING_ON_BUILD_TEMPLATE
gke_container:
<<: *GKE_CONTAINER_TEMPLATE
cpu: 1.5
@@ -288,10 +285,7 @@ upgd_mssql2017_task:


upgd_oracle12_task:
depends_on: build
# Comment the following line and commit with message "DO NOT MERGE" in order to run
# this task on your branch
only_if: $CIRRUS_TAG == "nightly-build"
<<: *TASK_ONLY_NIGHTLY_DEPENDING_ON_BUILD_TEMPLATE
gke_container:
<<: *GKE_CONTAINER_TEMPLATE
cpu: 1.5
@@ -313,3 +307,34 @@ upgd_oracle12_task:
- ./private/cirrus/cleanup-gradle-cache.sh
on_failure:
<<: *REPORTS_JUNIT_ON_FAILURE_TEMPLATE

# Software Composition Analysis (SCA): check potential vulnerabilities in dependencies.
# Note that license compliance of dependencies is not checked for now.
owasp_check_task:
only_if: >-
$CIRRUS_CRON == "nightly" ||
$CIRRUS_CRON == "weekly-lts"
timeout_in: 30m
gke_container:
<<: *GKE_CONTAINER_TEMPLATE
cpu: 1.7
memory: 4Gb
environment:
# No need to clone the full history.
# Depth of 1 is not enough because it would fail the build in case of consecutive pushes
# (example of error: "Hard resetting to c968ecaf7a1942dacecd78480b3751ac74d53c33...Failed to force reset to c968ecaf7a1942dacecd78480b3751ac74d53c33: object not found!")
CIRRUS_CLONE_DEPTH: 50
SLACK_WEBHOOK_SQ: ENCRYPTED[dec8e4350cbea3b94d63098558bcb3ae9e79b71c2b6286fcfb9eb80c0953b6448b10f7271b07b5e75e52f362c25d7a8f]
nvd_cache:
# The NVD repository of vulnerabilities is big and should be cached so
# that consecutive runs download only changes, but not the whole repository.
folder: ~/.gradle/dependency-check-data
reupload_on_changes: true
script:
- gradle dependencyCheckAggregate
on_failure:
slack_notification_script:
- ./private/cirrus/cirrus-owasp-notification.sh
always:
reports_artifacts:
path: "build/reports/*"
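Review bot: The `only_if` on `owasp_check_task` keys only on the cron name (`$CIRRUS_CRON == "nightly" || $CIRRUS_CRON == "weekly-lts"`), so the "master only" / "current LTS branch only" restriction stated in the commit message lives in the Cirrus cron definitions, not in this file, and a cron with the same name on any other branch would also run the scan. Since cron names are free-form strings, a renamed cron would silently disable the scan rather than fail. I would document that coupling above the condition: `# Branch selection is done by the cron definition in the Cirrus settings (nightly -> master, weekly-lts -> current LTS branch); the names here must match.` Separately, the `always: reports_artifacts` step publishes the dependency-check report (a list of known-vulnerable dependencies of the unreleased branch) as a build artifact; on a public repository that is presumably readable by anyone, which is worth an explicit decision rather than a default.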

+ 5
- 0
build.gradle View File

@@ -387,6 +387,11 @@ subprojects {
yarnVersion = '1.15.2'
download = true
}

// the OWASP tool does not support yarn, and its yarn.lock files, so node modules
// should be explicitly installed (yarn task) before running the audit
// See https://github.com/jeremylong/DependencyCheck/issues/2393
dependencyCheckAggregate.dependsOn(yarn)
}
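Review bot: Whether `dependencyCheckAggregate` ever fails, and therefore whether the `on_failure` Slack notification in `.cirrus.yml` ever fires on an actual finding, depends on the plugin's `failBuildOnCVSS` setting, which is not in this hunk; dependency-check's default threshold is 11, which means findings alone never fail the task and only tool errors (NVD download, analyzer crash) would alert. If the `dependencyCheck { }` configuration elsewhere in the file does not set it, I would add it next to the new line, e.g. `dependencyCheck { failBuildOnCVSS = 7 }`, together with a version-controlled `suppressionFile` so accepted findings are reviewed rather than ignored. A short comment on the `dependsOn(yarn)` line stating that `yarn` runs with `download = true` on the cron runner (network access during the scan) would also help the next maintainer. The enclosing block starts outside the hunk.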

if (official) {
