diff options
| author | Malena Ebert <malena.ebert@sonarsource.com> | 2020-10-02 14:22:58 +0200 |
|---|---|---|
| committer | sonartech <sonartech@sonarsource.com> | 2020-10-02 20:07:42 +0000 |
| commit | a5ba90ff48c5581b34a726b3865761ab3dd9f25a (patch) | |
| tree | 07ad8d4838f9dec67ead4f3a3e7a1f9f08df5316 | |
| parent | e59875122c7b9090f41dc5a0fb7deb87573e4b79 (diff) | |
| download | sonarqube-a5ba90ff48c5581b34a726b3865761ab3dd9f25a.tar.gz sonarqube-a5ba90ff48c5581b34a726b3865761ab3dd9f25a.zip | |
SONAR-13912 Add owasp_check_task to Cirrus CI.
| -rw-r--r-- | .cirrus.yml | 28 | ||||
| -rw-r--r-- | build.gradle | 5 |
2 files changed, 33 insertions, 0 deletions
diff --git a/.cirrus.yml b/.cirrus.yml index efea6e4cded..aa76d281daa 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -401,3 +401,31 @@ upgd_oracle12_task: - ./private/cirrus/cirrus-qa.sh oracle12 on_failure: <<: *REPORTS_JUNIT_ON_FAILURE_TEMPLATE + +# Software Composition Analysis (SCA): check potential vulnerabilities in dependencies. +# Note that license compliance of dependencies is not checked for now. +owasp_check_task: + only_if: $CIRRUS_CRON == "nightly" + timeout_in: 30m + gke_container: + <<: *GKE_CONTAINER_TEMPLATE + cpu: 1.7 + memory: 2Gb + environment: + # No need to clone the full history. + # Depth of 1 is not enough because it would fail the build in case of consecutive pushes + # (example of error: "Hard resetting to c968ecaf7a1942dacecd78480b3751ac74d53c33...Failed to force reset to c968ecaf7a1942dacecd78480b3751ac74d53c33: object not found!") + CIRRUS_CLONE_DEPTH: 50 + SLACK_WEBHOOK_SQ: ENCRYPTED[dec8e4350cbea3b94d63098558bcb3ae9e79b71c2b6286fcfb9eb80c0953b6448b10f7271b07b5e75e52f362c25d7a8f] + nvd_cache: + # The NVD repository of vulnerabilities is big and should be cached so + # that consecutive runs download only changes, but not the whole repository. + folder: ~/.gradle/dependency-check-data + reupload_on_changes: true + script: + - gradle dependencyCheckAggregate + always: + slack_notification_script: + - ./private/cirrus/cirrus-owasp-notification.sh + reports_artifacts: + path: "build/reports/*"
\ No newline at end of file diff --git a/build.gradle b/build.gradle index 1a25f8b9a29..9ce84e4edb8 100644 --- a/build.gradle +++ b/build.gradle @@ -486,6 +486,11 @@ subprojects { yarnVersion = '1.22.0' download = true } + + // the OWASP tool does not support yarn, and its yarn.lock files, so node modules + // should be explicitly installed (yarn task) before running the audit + // See https://github.com/jeremylong/DependencyCheck/issues/2393 + dependencyCheckAggregate.dependsOn(yarn) } if (official) { |