authorGitLab Bot <gitlab-bot@gitlab.com>2021-05-19 18:44:42 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2021-05-19 18:44:42 +0300
commit4555e1b21c365ed8303ffb7a3325d773c9b8bf31 (patch)
tree5423a1c7516cffe36384133ade12572cf709398d /lib/security
parente570267f2f6b326480d284e0164a6464ba4081bc (diff)
Add latest changes from gitlab-org/gitlab@13-12-stable-eev13.12.0-rc42
Diffstat (limited to 'lib/security')
-rw-r--r--lib/security/ci_configuration/base_build_action.rb50
-rw-r--r--lib/security/ci_configuration/sast_build_action.rb (renamed from lib/security/ci_configuration/sast_build_actions.rb)49
-rw-r--r--lib/security/ci_configuration/secret_detection_build_action.rb19
3 files changed, 73 insertions, 45 deletions
diff --git a/lib/security/ci_configuration/base_build_action.rb b/lib/security/ci_configuration/base_build_action.rb
new file mode 100644
index 00000000000..b169d780cad
--- /dev/null
+++ b/lib/security/ci_configuration/base_build_action.rb
@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Security
+ module CiConfiguration
+ class BaseBuildAction
+ def initialize(auto_devops_enabled, existing_gitlab_ci_content)
+ @auto_devops_enabled = auto_devops_enabled
+ @existing_gitlab_ci_content = existing_gitlab_ci_content || {}
+ end
+
+ def generate
+ action = @existing_gitlab_ci_content.present? ? 'update' : 'create'
+
+ update_existing_content!
+
+ { action: action, file_path: '.gitlab-ci.yml', content: prepare_existing_content, default_values_overwritten: @default_values_overwritten }
+ end
+
+ private
+
+ def generate_includes
+ includes = @existing_gitlab_ci_content['include'] || []
+ includes = Array.wrap(includes)
+ includes << { 'template' => template }
+ includes.uniq
+ end
+
+ def prepare_existing_content
+ content = @existing_gitlab_ci_content.to_yaml
+ content = remove_document_delimiter(content)
+
+ content.prepend(comment)
+ end
+
+ def remove_document_delimiter(content)
+ content.gsub(/^---\n/, '')
+ end
+
+ def comment
+ <<~YAML
+ # You can override the included template(s) by including variable overrides
+ # SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
+ # Note that environment variables can be set in several places
+ # See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
+ YAML
+ end
+ end
+ end
+end
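Review bot: `remove_document_delimiter` anchors with `^`, which in Ruby matches at every line start, so it strips any line that is exactly `---` anywhere in the serialized YAML — not only the leading document marker — and a `---` line inside a block scalar of the user's existing `.gitlab-ci.yml` would be silently removed from the generated content; `content.sub(/\A---\n/, '')` limits it to the document start (the old SastBuildActions had the same pattern, but the commit carries it into the shared base). `generate` also reads `@default_values_overwritten`, which BaseBuildAction#initialize never sets; SastBuildAction assigns it, but SecretDetectionBuildAction (the third file in this commit) does not, so its result hash carries `default_values_overwritten: nil` — initializing `@default_values_overwritten = false` in the base constructor makes the contract uniform. Finally, `update_existing_content!` and `template` are required subclass hooks but are undefined here; declaring each as `raise NotImplementedError` with a one-line comment on what it must return would document the base class contract.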
diff --git a/lib/security/ci_configuration/sast_build_actions.rb b/lib/security/ci_configuration/sast_build_action.rb
index b2d684bc1e1..23dd4bd6d14 100644
--- a/lib/security/ci_configuration/sast_build_actions.rb
+++ b/lib/security/ci_configuration/sast_build_action.rb
@@ -2,33 +2,19 @@
module Security
module CiConfiguration
- class SastBuildActions
- SAST_DEFAULT_ANALYZERS = 'bandit, brakeman, eslint, flawfinder, gosec, kubesec, nodejs-scan, phpcs-security-audit, pmd-apex, security-code-scan, sobelow, spotbugs'
+ class SastBuildAction < BaseBuildAction
+ SAST_DEFAULT_ANALYZERS = 'bandit, brakeman, eslint, flawfinder, gosec, kubesec, nodejs-scan, phpcs-security-audit, pmd-apex, security-code-scan, semgrep, sobelow, spotbugs'
def initialize(auto_devops_enabled, params, existing_gitlab_ci_content)
- @auto_devops_enabled = auto_devops_enabled
+ super(auto_devops_enabled, existing_gitlab_ci_content)
@variables = variables(params)
- @existing_gitlab_ci_content = existing_gitlab_ci_content || {}
@default_sast_values = default_sast_values(params)
@default_values_overwritten = false
end
- def generate
- action = @existing_gitlab_ci_content.present? ? 'update' : 'create'
-
- update_existing_content!
-
- [{ action: action, file_path: '.gitlab-ci.yml', content: prepare_existing_content, default_values_overwritten: @default_values_overwritten }]
- end
-
private
def variables(params)
- # This early return is necessary for supporting REST API.
- # Will be removed during the implementation of
- # https://gitlab.com/gitlab-org/gitlab/-/issues/246737
- return params unless params['global'].present?
-
collect_values(params, 'value')
end
@@ -71,19 +57,12 @@ module Security
@existing_gitlab_ci_content['stages'] = set_stages
@existing_gitlab_ci_content['variables'] = set_variables(global_variables, @existing_gitlab_ci_content)
@existing_gitlab_ci_content['sast'] = set_sast_block
- @existing_gitlab_ci_content['include'] = set_includes
+ @existing_gitlab_ci_content['include'] = generate_includes
@existing_gitlab_ci_content.select! { |k, v| v.present? }
@existing_gitlab_ci_content['sast'].select! { |k, v| v.present? }
end
- def set_includes
- includes = @existing_gitlab_ci_content['include'] || []
- includes = includes.is_a?(Array) ? includes : [includes]
- includes << { 'template' => template }
- includes.uniq
- end
-
def set_stages
existing_stages = @existing_gitlab_ci_content['stages'] || []
base_stages = @auto_devops_enabled ? auto_devops_stages : ['test']
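Review bot: The two `select!` blocks in `update_existing_content!` never use their key parameter; naming it `_k` (`select! { |_k, v| v.present? }`) signals that the omission is deliberate. `update_existing_content!` starts before this hunk and `set_stages` continues past its end.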
@@ -121,26 +100,6 @@ module Security
sast_content.select { |k, v| v.present? }
end
- def prepare_existing_content
- content = @existing_gitlab_ci_content.to_yaml
- content = remove_document_delimeter(content)
-
- content.prepend(sast_comment)
- end
-
- def remove_document_delimeter(content)
- content.gsub(/^---\n/, '')
- end
-
- def sast_comment
- <<~YAML
- # You can override the included template(s) by including variable overrides
- # See https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
- # Note that environment variables can be set in several places
- # See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
- YAML
- end
-
def template
return 'Auto-DevOps.gitlab-ci.yml' if @auto_devops_enabled
diff --git a/lib/security/ci_configuration/secret_detection_build_action.rb b/lib/security/ci_configuration/secret_detection_build_action.rb
new file mode 100644
index 00000000000..5d513bf5547
--- /dev/null
+++ b/lib/security/ci_configuration/secret_detection_build_action.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Security
+ module CiConfiguration
+ class SecretDetectionBuildAction < BaseBuildAction
+ private
+
+ def update_existing_content!
+ @existing_gitlab_ci_content['include'] = generate_includes
+ end
+
+ def template
+ return 'Auto-DevOps.gitlab-ci.yml' if @auto_devops_enabled
+
+ 'Security/Secret-Detection.gitlab-ci.yml'
+ end
+ end
+ end
+end
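Review bot: `template` repeats the Auto DevOps branch of SastBuildAction#template (the identical `return 'Auto-DevOps.gitlab-ci.yml' if @auto_devops_enabled` line); with a third scanner likely to follow, that check could live once in BaseBuildAction with subclasses supplying only their own template path. `update_existing_content!` here only rewrites `include`, so unlike the SAST variant nothing prunes blank values — that looks intentional since no other keys are touched, but a one-line comment saying so would save the next reader the comparison.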