From 209028b57b51c643339f89684700db6bbbfdfb56 Mon Sep 17 00:00:00 2001
From: Jose Raul Barreras <barreras@unl.edu>
Date: Wed, 18 Sep 2019 15:39:40 -0500
Subject: [PATCH] integrate dependency-check with Sonarqube

---
 .gitlab-ci.yml                             | 16 +++++++++++++++-
 README.md                                  |  9 ++-------
 dependency-check/entrypoint.sh             | 10 +++++++---
 t/dependency-check/simple-app/package.json | 18 ++++++++++++++++++
 4 files changed, 42 insertions(+), 11 deletions(-)
 create mode 100644 t/dependency-check/simple-app/package.json

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index ad95c7d..ec16130 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -34,7 +34,21 @@ Test Sonar Scanner:
   script: 
     - docker run --rm its-registry.unl.edu/unl-its/docker-ci/static-code-analysis sonar-scanner -v
     - docker run --rm -v "${PWD}:/work" -w /work its-registry.unl.edu/unl-its/docker-ci/detect-secrets -s
-    - docker run --rm -v "${PWD}:/work" -w /work its-registry.unl.edu/unl-its/docker-ci/dependency-check -v
+
+.Test Dependency Checker:
+  stage: test
+  tags:
+    - dockerd
+  script:
+    - docker run --rm -v "${PWD}/t/dependency-check/simple-app:/work" -w /work node:alpine npm install 
+    - docker run --rm -v "${PWD}/t/dependency-check/simple-app:/work" -w /work its-registry.unl.edu/unl-its/docker-ci/dependency-check
+    - docker run --rm its-registry.unl.edu/unl-its/docker-ci/static-code-analysis sonar-scanner -Dsonar.host.url=$SONAR_URL -Dsonar.projectKey=$CI_PROJECT_PATH_SLUG -Dsonar.sources=. -Dsonar.login=$SONAR_TOKEN
+  artifacts:
+    paths:
+      - dependency-check-report.xml
+      - dependency-check-report.html
+    expire_in: 1 day
+
 
 Test PHP Lint:
   stage: test
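Review bot: The `artifacts.paths` on L34–35 will not match what the checker writes: the new entrypoint puts everything under `${DEPENDENCY_CHECK_OUT_DIR}` (default `$(pwd)/dependency-check-report/`), which for the mount on L30 lands in `t/dependency-check/simple-app/dependency-check-report/`, so `dependency-check-report.xml`/`.html` at the repo root never exist and the job uploads nothing. The sonar-scanner run on L31 also has no `-v "${PWD}:/work" -w /work` mount, so `-Dsonar.sources=.` scans the image's own working directory, and nothing hands the report to SonarQube — the commit subject says "integrate", but no `sonar.dependencyCheck.*ReportPath` property is passed (those property names are from the dependency-check SonarQube plugin; confirm it is installed on `$SONAR_URL`). Two smaller points: the entrypoint builds `--project ${CI_PROJECT_NAMESPACE}` but L30 does not pass that variable into the container, so the project name is empty; and `npm install` on L29 runs lifecycle scripts of packages chosen precisely for being vulnerable, so `--ignore-scripts` keeps the fixture inert. The leading dot in `.Test Dependency Checker` makes this a hidden job GitLab never schedules — presumably intentional while this is WIP, but a comment saying so would save the next reader a puzzled minute.
```yaml
    - docker run --rm -v "${PWD}/t/dependency-check/simple-app:/work" -w /work node:alpine npm install --ignore-scripts
    - docker run --rm -v "${PWD}/t/dependency-check/simple-app:/work" -w /work -e CI_PROJECT_NAMESPACE its-registry.unl.edu/unl-its/docker-ci/dependency-check
    - docker run --rm -v "${PWD}/t/dependency-check/simple-app:/work" -w /work its-registry.unl.edu/unl-its/docker-ci/static-code-analysis sonar-scanner -Dsonar.host.url="$SONAR_URL" -Dsonar.projectKey="$CI_PROJECT_PATH_SLUG" -Dsonar.sources=. -Dsonar.login="$SONAR_TOKEN" -Dsonar.dependencyCheck.jsonReportPath=dependency-check-report/dependency-check-report.json -Dsonar.dependencyCheck.htmlReportPath=dependency-check-report/dependency-check-report.html
  artifacts:
    paths:
      - t/dependency-check/simple-app/dependency-check-report/
    # … unchanged: expire_in …
```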
diff --git a/README.md b/README.md
index 1ad9cb9..8d2d8de 100644
--- a/README.md
+++ b/README.md
@@ -9,9 +9,7 @@
 To build these images, clone this repository onto a machine with docker and make installed. Run `make` and all of the images will be built and installed as local docker images.  
 This file is automatically updated after execute `git commit` based on the content of file `_README.md` To enable this feature, execute `.dev/bootstrap.sh` after cloning the repo.
 
-### Available tools    
-
-- its-registry.unl.edu/unl-its/docker-ci/android-build-server:latest
+### Available tools    \n\n- its-registry.unl.edu/unl-its/docker-ci/android-build-server:latest
 - its-registry.unl.edu/unl-its/docker-ci/dependency-check
 - its-registry.unl.edu/unl-its/docker-ci/detect-secrets
 - its-registry.unl.edu/unl-its/docker-ci/magento2-unit-test:latest
@@ -27,7 +25,4 @@ This file is automatically updated after execute `git commit` based on the conte
 - its-registry.unl.edu/unl-its/docker-ci/static-code-analysis:android
 - its-registry.unl.edu/unl-its/docker-ci/static-code-analysis:latest
 - its-registry.unl.edu/unl-its/docker-ci/static-code-analysis:php
-- its-registry.unl.edu/unl-its/docker-ci/static-code-analysis:python 
-    
-
-
_Last update: Fri May 31 17:38:34 CDT 2019_
+- its-registry.unl.edu/unl-its/docker-ci/static-code-analysis:python \n    \n\n\r_Last update: Wed Sep 18 15:39:40 CDT 2019_\n
diff --git a/dependency-check/entrypoint.sh b/dependency-check/entrypoint.sh
index becbcac..28b3652 100644
--- a/dependency-check/entrypoint.sh
+++ b/dependency-check/entrypoint.sh
@@ -6,9 +6,13 @@ if [ $1 == '-v' ]; then
 	exit 0
 fi
 
-dependency-check.sh -n --project ${CI_PROJECT_NAMESPACE} -s ./ -f JSON
-cat dependency-check-report.json | jq '.dependencies | .[] | select (.vulnerabilities) | [.fileName, .filePath, .vulnerabilities]' | sed -e "s/\"\/work\///g"
-RESULT=`cat dependency-check-report.json | jq '.dependencies | .[] | select (.vulnerabilities) | [.fileName, .filePath, .vulnerabilities] | length == 0' | sed -e "s/\"\/work\///g"`
+DEPENDENCY_CHECK_OUT_DIR=${DEPENDENCY_CHECK_OUT_DIR-"`pwd`/dependency-check-report/"}
+
+mkdir -p ${DEPENDENCY_CHECK_OUT_DIR}
+dependency-check.sh --format ALL -s ./ --out ${DEPENDENCY_CHECK_OUT_DIR} --project ${CI_PROJECT_NAMESPACE} -n
+
+cat ${DEPENDENCY_CHECK_OUT_DIR}/dependency-check-report.json | jq '.dependencies | .[] | select (.vulnerabilities) | [.fileName, .filePath, .vulnerabilities]' | sed -e "s/\"\/work\///g"
+RESULT=`cat ${DEPENDENCY_CHECK_OUT_DIR}/dependency-check-report.json | jq '.dependencies | .[] | select (.vulnerabilities) | [.fileName, .filePath, .vulnerabilities] | length == 0' | sed -e "s/\"\/work\///g"`
 
 if [ "${RESULT}" = "" ]; then
 	exit 0
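Review bot: The gate is fail-open: nothing checks the exit status of `dependency-check.sh` on L80, so if the scan aborts or never writes the JSON, both `cat` calls on L82–83 fail, `RESULT` is empty, and L85 exits 0 — a broken scanner is indistinguishable from "no vulnerabilities". Add after L80 `[ -s "${DEPENDENCY_CHECK_OUT_DIR}/dependency-check-report.json" ] || { echo "dependency-check produced no report" >&2; exit 1; }` (or `set -e` near the shebang, which is outside this hunk). The `${DEPENDENCY_CHECK_OUT_DIR}` expansions on L79, L80, L82 and L83 are unquoted even though the value comes from the caller's environment; quote each one. Since `-n` skips the NVD update, a comment on L80 such as `# -n: no NVD refresh — findings are only as current as the database baked into the image` would tell readers that a clean pass can miss recently published CVEs.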
diff --git a/t/dependency-check/simple-app/package.json b/t/dependency-check/simple-app/package.json
new file mode 100644
index 0000000..e6f17d9
--- /dev/null
+++ b/t/dependency-check/simple-app/package.json
@@ -0,0 +1,18 @@
+{
+  "name": "dependency-check-demo-app",
+  "version": "1.0.0",
+  "description": "Simple app with old dependencies",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "dependencies": {
+    "braces": "2.3.0",
+    "lodash": "4.17.10",
+    "open": "0.0.5",
+    "jquery": "2.3.0",
+    "tar": "4.5.0"
+  },
+  "author": "Raul Barreras",
+  "license": "ISC"
+}
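Review bot: `"jquery": "2.3.0"` on L105 is, as far as I know, not a published release — the 2.x line on npm ends at 2.2.4 — so `npm install` in the CI job would fail with a no-matching-version error before dependency-check ever runs; `"jquery": "2.2.4"`, which has known CVEs, would preserve the fixture's purpose. Because this file exists to pull in vulnerable packages and JSON has no comments, the `"description"` field is the only place to say so; something like `"Fixture for the dependency-check CI test: deliberately pins vulnerable versions. Install only inside the throwaway CI container."` would prevent someone reusing it as a template.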
-- 
GitLab