integrate dependency-check with Sonarqube

.gitlab-ci.yml

@@ -34,7 +34,21 @@ Test Sonar Scanner:
   script: 
     - docker run --rm its-registry.unl.edu/unl-its/docker-ci/static-code-analysis sonar-scanner -v
     - docker run --rm -v "${PWD}:/work" -w /work its-registry.unl.edu/unl-its/docker-ci/detect-secrets -s
-    - docker run --rm -v "${PWD}:/work" -w /work its-registry.unl.edu/unl-its/docker-ci/dependency-check -v
+
+.Test Dependency Checker:
+  stage: test
+  tags:
+    - dockerd
+  script:
+    - docker run --rm -v "${PWD}/t/dependency-check/simple-app:/work" -w /work node:alpine npm install 
+    - docker run --rm -v "${PWD}/t/dependency-check/simple-app:/work" -w /work its-registry.unl.edu/unl-its/docker-ci/dependency-check
+    - docker run --rm its-registry.unl.edu/unl-its/docker-ci/static-code-analysis sonar-scanner -Dsonar.host.url=$SONAR_URL -Dsonar.projectKey=$CI_PROJECT_PATH_SLUG -Dsonar.sources=. -Dsonar.login=$SONAR_TOKEN
+  artifacts:
+    paths:
+      - dependency-check-report.xml
+      - dependency-check-report.html
+    expire_in: 1 day
+
 
 Test PHP Lint:
   stage: test

README.md

@@ -9,9 +9,7 @@
 To build these images, clone this repository onto a machine with docker and make installed. Run `make` and all of the images will be built and installed as local docker images.  
 This file is automatically updated after execute `git commit` based on the content of file `_README.md` To enable this feature, execute `.dev/bootstrap.sh` after cloning the repo.
 
-### Available tools    
-
-- its-registry.unl.edu/unl-its/docker-ci/android-build-server:latest
+### Available tools    \n\n- its-registry.unl.edu/unl-its/docker-ci/android-build-server:latest
 - its-registry.unl.edu/unl-its/docker-ci/dependency-check
 - its-registry.unl.edu/unl-its/docker-ci/detect-secrets
 - its-registry.unl.edu/unl-its/docker-ci/magento2-unit-test:latest
@@ -27,7 +25,4 @@ This file is automatically updated after execute `git commit` based on the conte
 - its-registry.unl.edu/unl-its/docker-ci/static-code-analysis:android
 - its-registry.unl.edu/unl-its/docker-ci/static-code-analysis:latest
 - its-registry.unl.edu/unl-its/docker-ci/static-code-analysis:php
-- its-registry.unl.edu/unl-its/docker-ci/static-code-analysis:python 
-    
-
-_Last update: Fri May 31 17:38:34 CDT 2019_
+- its-registry.unl.edu/unl-its/docker-ci/static-code-analysis:python \n    \n\n\r_Last update: Wed Sep 18 15:39:40 CDT 2019_\n

dependency-check/entrypoint.sh

@@ -6,9 +6,13 @@ if [ $1 == '-v' ]; then
 	exit 0
 fi
 
-dependency-check.sh -n --project ${CI_PROJECT_NAMESPACE} -s ./ -f JSON
-cat dependency-check-report.json | jq '.dependencies | .[] | select (.vulnerabilities) | [.fileName, .filePath, .vulnerabilities]' | sed -e "s/\"\/work\///g"
-RESULT=`cat dependency-check-report.json | jq '.dependencies | .[] | select (.vulnerabilities) | [.fileName, .filePath, .vulnerabilities] | length == 0' | sed -e "s/\"\/work\///g"`
+DEPENDENCY_CHECK_OUT_DIR=${DEPENDENCY_CHECK_OUT_DIR-"`pwd`/dependency-check-report/"}
+
+mkdir -p ${DEPENDENCY_CHECK_OUT_DIR}
+dependency-check.sh --format ALL -s ./ --out ${DEPENDENCY_CHECK_OUT_DIR} --project ${CI_PROJECT_NAMESPACE} -n
+
+cat ${DEPENDENCY_CHECK_OUT_DIR}/dependency-check-report.json | jq '.dependencies | .[] | select (.vulnerabilities) | [.fileName, .filePath, .vulnerabilities]' | sed -e "s/\"\/work\///g"
+RESULT=`cat ${DEPENDENCY_CHECK_OUT_DIR}/dependency-check-report.json | jq '.dependencies | .[] | select (.vulnerabilities) | [.fileName, .filePath, .vulnerabilities] | length == 0' | sed -e "s/\"\/work\///g"`
 
 if [ "${RESULT}" = "" ]; then
 	exit 0

t/dependency-check/simple-app/package.json

+{
+  "name": "dependency-check-demo-app",
+  "version": "1.0.0",
+  "description": "Simple app with old dependencies",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "dependencies": {
+    "braces": "2.3.0",
+    "lodash": "4.17.10",
+    "open": "0.0.5",
+    "jquery": "2.3.0",
+    "tar": "4.5.0"
+  },
+  "author": "Raul Barreras",
+  "license": "ISC"
+}