author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-05-19 18:44:42 +0300 |
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-05-19 18:44:42 +0300 |
commit | 4555e1b21c365ed8303ffb7a3325d773c9b8bf31 (patch) | |
tree | 5423a1c7516cffe36384133ade12572cf709398d /lib/security | |
parent | e570267f2f6b326480d284e0164a6464ba4081bc (diff) |
Add latest changes from gitlab-org/gitlab@13-12-stable-eev13.12.0-rc42
Diffstat (limited to 'lib/security')
-rw-r--r-- | lib/security/ci_configuration/base_build_action.rb | 50 | ||||
-rw-r--r-- | lib/security/ci_configuration/sast_build_action.rb (renamed from lib/security/ci_configuration/sast_build_actions.rb) | 49 | ||||
-rw-r--r-- | lib/security/ci_configuration/secret_detection_build_action.rb | 19 |
3 files changed, 73 insertions, 45 deletions
diff --git a/lib/security/ci_configuration/base_build_action.rb b/lib/security/ci_configuration/base_build_action.rb
new file mode 100644
index 00000000000..b169d780cad
--- /dev/null
+++ b/lib/security/ci_configuration/base_build_action.rb
@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Security
+ module CiConfiguration
+ class BaseBuildAction
+ def initialize(auto_devops_enabled, existing_gitlab_ci_content)
+ @auto_devops_enabled = auto_devops_enabled
+ @existing_gitlab_ci_content = existing_gitlab_ci_content || {}
+ end
+
+ def generate
+ action = @existing_gitlab_ci_content.present? ? 'update' : 'create'
+
+ update_existing_content!
+
+ { action: action, file_path: '.gitlab-ci.yml', content: prepare_existing_content, default_values_overwritten: @default_values_overwritten }
+ end
+
+ private
+
+ def generate_includes
+ includes = @existing_gitlab_ci_content['include'] || []
+ includes = Array.wrap(includes)
+ includes << { 'template' => template }
+ includes.uniq
+ end
+
+ def prepare_existing_content
+ content = @existing_gitlab_ci_content.to_yaml
+ content = remove_document_delimiter(content)
+
+ content.prepend(comment)
+ end
+
+ def remove_document_delimiter(content)
+ content.gsub(/^---\n/, '')
+ end
+
+ def comment
+ <<~YAML
+ # You can override the included template(s) by including variable overrides
+ # SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
+ # Note that environment variables can be set in several places
+ # See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
+ YAML
+ end
+ end
+ end
+end
diff --git a/lib/security/ci_configuration/sast_build_actions.rb b/lib/security/ci_configuration/sast_build_action.rb
index b2d684bc1e1..23dd4bd6d14 100644
--- a/lib/security/ci_configuration/sast_build_actions.rb
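Review bot: `generate` reads `@default_values_overwritten`, but `BaseBuildAction#initialize` never assigns it, so a subclass that does not set it (the new `SecretDetectionBuildAction` in this commit sets no instance variables) returns `default_values_overwritten: nil` instead of `false`; adding `@default_values_overwritten = false` to `initialize` after the `@existing_gitlab_ci_content` assignment gives the key a defined default. Separately, `remove_document_delimiter` uses `gsub(/^---\n/, '')`, and `^` in Ruby matches at every line start, while the intent is to strip only the leading document marker that `to_yaml` emits; `content.sub(/\A---\n/, '')` states that exactly. The YAML here is serialised from the project's own `.gitlab-ci.yml` hash, so this is a precision point rather than a confirmed defect.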
+++ b/lib/security/ci_configuration/sast_build_action.rb
@@ -2,33 +2,19 @@
 
 module Security
 module CiConfiguration
- class SastBuildActions
- SAST_DEFAULT_ANALYZERS = 'bandit, brakeman, eslint, flawfinder, gosec, kubesec, nodejs-scan, phpcs-security-audit, pmd-apex, security-code-scan, sobelow, spotbugs'
+ class SastBuildAction < BaseBuildAction
+ SAST_DEFAULT_ANALYZERS = 'bandit, brakeman, eslint, flawfinder, gosec, kubesec, nodejs-scan, phpcs-security-audit, pmd-apex, security-code-scan, semgrep, sobelow, spotbugs'
 
 def initialize(auto_devops_enabled, params, existing_gitlab_ci_content)
- @auto_devops_enabled = auto_devops_enabled
+ super(auto_devops_enabled, existing_gitlab_ci_content)
 @variables = variables(params)
- @existing_gitlab_ci_content = existing_gitlab_ci_content || {}
 @default_sast_values = default_sast_values(params)
 @default_values_overwritten = false
 end
 
- def generate
- action = @existing_gitlab_ci_content.present? ? 'update' : 'create'
-
- update_existing_content!
-
- [{ action: action, file_path: '.gitlab-ci.yml', content: prepare_existing_content, default_values_overwritten: @default_values_overwritten }]
- end
-
 private
 
 def variables(params)
- # This early return is necessary for supporting REST API.
- # Will be removed during the implementation of
- # https://gitlab.com/gitlab-org/gitlab/-/issues/246737
- return params unless params['global'].present?
-
 collect_values(params, 'value')
 end
 
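Review bot: `variables(params)` is reduced to `collect_values(params, 'value')` with the REST-API early return removed, so `params` must now arrive in the nested shape carrying a `'global'` key, and nothing in the class documents that contract once the old comment is gone. A one-line comment on `initialize`, such as `# params: nested configuration hash keyed by 'global'; the flat REST-style shape is no longer accepted here`, would preserve what the deleted comment conveyed. `collect_values` and `default_sast_values` are defined outside this hunk, so whether they tolerate a missing `'global'` key cannot be confirmed from the diff; the callers that previously relied on the early return are likewise not visible.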
@@ -71,19 +57,12 @@ module Security
 @existing_gitlab_ci_content['stages'] = set_stages
 @existing_gitlab_ci_content['variables'] = set_variables(global_variables, @existing_gitlab_ci_content)
 @existing_gitlab_ci_content['sast'] = set_sast_block
- @existing_gitlab_ci_content['include'] = set_includes
+ @existing_gitlab_ci_content['include'] = generate_includes
 
 @existing_gitlab_ci_content.select! { |k, v| v.present? }
 @existing_gitlab_ci_content['sast'].select! { |k, v| v.present? }
 end
 
- def set_includes
- includes = @existing_gitlab_ci_content['include'] || []
- includes = includes.is_a?(Array) ? includes : [includes]
- includes << { 'template' => template }
- includes.uniq
- end
-
 def set_stages
 existing_stages = @existing_gitlab_ci_content['stages'] || []
 base_stages = @auto_devops_enabled ? auto_devops_stages : ['test']
@@ -121,26 +100,6 @@ module Security
 sast_content.select { |k, v| v.present? }
 end
 
- def prepare_existing_content
- content = @existing_gitlab_ci_content.to_yaml
- content = remove_document_delimeter(content)
-
- content.prepend(sast_comment)
- end
-
- def remove_document_delimeter(content)
- content.gsub(/^---\n/, '')
- end
-
- def sast_comment
- <<~YAML
- # You can override the included template(s) by including variable overrides
- # See https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
- # Note that environment variables can be set in several places
- # See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
- YAML
- end
-
 def template
 return 'Auto-DevOps.gitlab-ci.yml' if @auto_devops_enabled
 
diff --git a/lib/security/ci_configuration/secret_detection_build_action.rb b/lib/security/ci_configuration/secret_detection_build_action.rb
new file mode 100644
index 00000000000..5d513bf5547
--- /dev/null
+++ b/lib/security/ci_configuration/secret_detection_build_action.rb
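Review bot: In `update_existing_content!` the new `@existing_gitlab_ci_content['include'] = generate_includes` now sits beside `set_stages`, `set_variables` and `set_sast_block`, so one method mixes two naming schemes for the same kind of builder; since `generate_includes` lives on `BaseBuildAction` (outside this hunk), keeping the `set_includes` name there, or renaming the SAST-local helpers, would restore consistency. `update_existing_content!` begins before this hunk. The second hunk (`@@ -121,26 +100,6 @@`) only deletes `prepare_existing_content`, `remove_document_delimeter` and `sast_comment`, whose replacements are in the base-class hunk, and raises nothing further.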
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Security
+ module CiConfiguration
+ class SecretDetectionBuildAction < BaseBuildAction
+ private
+
+ def update_existing_content!
+ @existing_gitlab_ci_content['include'] = generate_includes
+ end
+
+ def template
+ return 'Auto-DevOps.gitlab-ci.yml' if @auto_devops_enabled
+
+ 'Security/Secret-Detection.gitlab-ci.yml'
+ end
+ end
+ end
+end
|
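Review bot: `template`'s first branch, `return 'Auto-DevOps.gitlab-ci.yml' if @auto_devops_enabled`, duplicates the identical line visible in `SastBuildAction#template` in the previous file, so the Auto DevOps selection could live once in `BaseBuildAction` with each subclass supplying only its own template path. `update_existing_content!` here rewrites only `include`, unlike the SAST variant, which also sets stages and variables and compacts empty values; that is presumably intentional for this template, but a comment such as `# The included template supplies its own stages and variables; only 'include' is touched here` would record the reasoning (hedged, since the template is not part of this diff). Because this class sets no instance variables and the base `generate` reads `@default_values_overwritten`, the hash it returns carries `default_values_overwritten: nil` unless the base class initialises that value.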