Merge branch '12-integrate-dependency-check-container-with-sonarqube-2' into 'develop'

Resolve "Integrate dependency-check container with Sonarqube"

Closes #12

See merge request !33

.gitlab-ci.yml

@@ -2,69 +2,15 @@ stages:
   - verify
   - build
   - test
+  - test_dependency_check_npm_install
+  - test_dependency_check_dependency_check
+  - test_dependency_check_sonar_scanner
   - publish
   - security
 
-Check Makefile:
-  stage: verify
-  tags:
-    - linux, dockerd
-  script:
-    - docker run --rm -v "${PWD}:/work" -w /work mandrean/checkmake ./Makefile
-
-Lint and Validate dockerfiles:
-  stage: verify
-  tags:
-    - linux, dockerd
-  script:
-    - make test
-
-Make All Images:
-  stage: build
-  image: projectatomic/dockerfile-lint
-  tags:
-    - linux, dockerd
-  script:
-    - make 
-
-Test Sonar Scanner:
-  stage: test
-  tags:
-    - dockerd
-  script: 
-    - docker run --rm its-registry.unl.edu/unl-its/docker-ci/static-code-analysis sonar-scanner -v
-    - docker run --rm -v "${PWD}:/work" -w /work its-registry.unl.edu/unl-its/docker-ci/detect-secrets -s
-    - docker run --rm -v "${PWD}:/work" -w /work its-registry.unl.edu/unl-its/docker-ci/dependency-check -v
-
-Test PHP Lint:
-  stage: test
-  tags:
-    - linux, dockerd
-  script: 
-    - t/php-lint/tests.sh
-
-
-Test PHP Lint:
-  stage: test
-  tags:
-    - linux, dockerd
-  script: 
-    - t/php-lint/tests.sh
-
-
-Push to Container Registry:
-  after_script:
-    - rm -f /var/lib/gitlab-runner/.docker/config.json
-  stage: publish
-  tags:
-    - linux, dockerd
-  script:
-    - make publish
-
-.Scan with Tenable:
-  stage: security
-  tags:
-    - linux, dockerd
-  script:
-    - make security
-
+include:
+  - local: .gitlab/ci/verify.yml
+  - local: .gitlab/ci/build.yml
+  - local: .gitlab/ci/test.yml
+  - local: .gitlab/ci/test.dependency_check.yml
+  - local: .gitlab/ci/publish.yml

.gitlab/ci/build.yml

+
+Make All Images:
+  stage: build
+  image: projectatomic/dockerfile-lint
+  tags:
+    - linux, dockerd
+  script:
+    - make 

.gitlab/ci/publish.yml

+Push to Container Registry:
+  after_script:
+    - rm -f /var/lib/gitlab-runner/.docker/config.json
+  stage: publish
+  tags:
+    - linux, dockerd
+  script:
+    - make publish

.gitlab/ci/test.dependency_check.yml

+variables:
+  DEPENDENCY_CHECK_OUT_DIR: t/dependency-check/simple-app/dependency_check_results/
+  SRC_DIR: t/dependency-check/simple-app/
+
+test_dependency_check_npm_install:
+  stage: test_dependency_check_npm_install
+  tags:
+    - docker
+  image: node:alpine
+  cache:
+    paths:
+      - t/dependency-check/simple-app/node_modules/
+  script:
+    - cd t/dependency-check/simple-app/
+    - npm install
+
+test_dependency_check_dependency_check:
+  stage: test_dependency_check_dependency_check
+  image: 
+    name: its-registry.unl.edu/unl-its/docker-ci/dependency-check
+  cache:
+    policy: pull
+    paths:
+      - t/dependency-check/simple-app/dependency_check_results/
+  tags:
+    - docker
+  script:
+    - dependency-check --format ALL -s ${SRC_DIR} --out ${DEPENDENCY_CHECK_OUT_DIR} --project ${CI_PROJECT_NAMESPACE} -n
+  artifacts:
+    paths:
+      - t/dependency-check/simple-app/dependency_check_results/dependency-check-report.html
+      - t/dependency-check/simple-app/dependency_check_results/dependency-check-report.xml
+    expire_in: 1 day
+
+test_dependency_check_sonar_scanner:
+  stage: test_dependency_check_sonar_scanner
+  image: 
+    name: its-registry.unl.edu/unl-its/docker-ci/static-code-analysis
+  cache:
+    policy: pull
+    paths:
+      - t/dependency-check/simple-app/dependency_check_results/
+  tags:
+    - docker
+  script:
+    - sonar-scanner -Dsonar.host.url=$SONAR_URL -Dsonar.projectKey=$CI_PROJECT_PATH_SLUG -Dsonar.sources=$SRC_DIR -Dsonar.login=$SONAR_TOKEN -Dsonar.dependencyCheck.reportPath=${DEPENDENCY_CHECK_OUT_DIR}/dependency-check-report.xml -Dsonar.dependencyCheck.htmlReportPath=${DEPENDENCY_CHECK_OUT_DIR}/dependency-check-report.html -Dsonar.scm.disabled=True

.gitlab/ci/test.yml

+Test Container Versions:
+  stage: test
+  tags:
+    - dockerd
+  script: 
+    - docker run --rm its-registry.unl.edu/unl-its/docker-ci/static-code-analysis sonar-scanner -v
+    - docker run --rm -v "${PWD}:/work" -w /work its-registry.unl.edu/unl-its/docker-ci/detect-secrets -s
+    - docker run --rm its-registry.unl.edu/unl-its/docker-ci/dependency-check dependency-check -v
+
+Test PHP Lint:
+  stage: test
+  tags:
+    - linux, dockerd
+  script: 
+    - t/php-lint/tests.sh
+

.gitlab/ci/verify.yml

+Check Makefile:
+  stage: verify
+  tags:
+    - linux, dockerd
+  script:
+    - docker run --rm -v "${PWD}:/work" -w /work mandrean/checkmake ./Makefile
+
+Lint and Validate dockerfiles:
+  stage: verify
+  tags:
+    - linux, dockerd
+  script:
+    - make test
\ No newline at end of file

README.md

@@ -9,9 +9,7 @@
 To build these images, clone this repository onto a machine with docker and make installed. Run `make` and all of the images will be built and installed as local docker images.  
 This file is automatically updated after execute `git commit` based on the content of file `_README.md` To enable this feature, execute `.dev/bootstrap.sh` after cloning the repo.
 
-### Available tools    
-
-- its-registry.unl.edu/unl-its/docker-ci/android-build-server:latest
+### Available tools    \n\n- its-registry.unl.edu/unl-its/docker-ci/android-build-server:latest
 - its-registry.unl.edu/unl-its/docker-ci/dependency-check
 - its-registry.unl.edu/unl-its/docker-ci/detect-secrets
 - its-registry.unl.edu/unl-its/docker-ci/magento2-unit-test:latest
@@ -27,7 +25,4 @@ This file is automatically updated after execute `git commit` based on the conte
 - its-registry.unl.edu/unl-its/docker-ci/static-code-analysis:android
 - its-registry.unl.edu/unl-its/docker-ci/static-code-analysis:latest
 - its-registry.unl.edu/unl-its/docker-ci/static-code-analysis:php
-- its-registry.unl.edu/unl-its/docker-ci/static-code-analysis:python 
-    
-
-_Last update: Fri May 31 17:38:34 CDT 2019_
+- its-registry.unl.edu/unl-its/docker-ci/static-code-analysis:python \n    \n\n\r_Last update: Fri Sep 20 09:15:46 CDT 2019_\n

dependency-check/Dockerfile

@@ -12,25 +12,25 @@ LABEL org.label-schema.build-date=$BUILD_DATE \
       org.label-schema.schema-version="1.0" \
       maintainer="J.R. Barreras <rbarrerasmilanes@nebraska.edu>"
 
-#ENV DEPENDENCY_CHECK_VERSION 4.0.2-release
-ENV DEPENDENCY_CHECK_VERSION 5.0.0-M3-release
+ENV DEPENDENCY_CHECK_VERSION 5.2.1-release
 
 
 WORKDIR /opt
 
-RUN apk add --no-cache curl jq su-exec && \
+RUN apk add --no-cache curl jq su-exec bash && \
     curl --insecure -o ./dependency-check.zip -L https://dl.bintray.com/jeremy-long/owasp/dependency-check-${DEPENDENCY_CHECK_VERSION}.zip  && \
     unzip dependency-check.zip  && \
     rm dependency-check.zip && \
-    /opt/dependency-check/bin/dependency-check.sh --updateonly
+    /opt/dependency-check/bin/dependency-check.sh --updateonly && \
+    ln -s /opt/dependency-check/bin/dependency-check.sh /opt/dependency-check/bin/dependency-check
 
 
 ENV PATH $PATH:/opt/dependency-check/bin
 
 WORKDIR /work
 
-COPY entrypoint.sh /usr/local/bin/
-RUN chmod +x /usr/local/bin/entrypoint.sh
-ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
+COPY docker-entrypoint.sh /usr/local/bin/
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh
+ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
 
-CMD ["/usr/local/bin/entrypoint.sh"]
+CMD ["/bin/bash"]

dependency-check/docker-entrypoint.sh

+#!/bin/bash
+set -e
+
+USER_ID=${LOCAL_USER_ID:-9001}
+
+su-exec user "$@"
+
+

dependency-check/entrypoint.sh

-#!/bin/sh
-set -e
-
-if [ $1 == '-v' ]; then
-	dependency-check.sh -v
-	exit 0
-fi
-
-dependency-check.sh -n --project ${CI_PROJECT_NAMESPACE} -s ./ -f JSON
-cat dependency-check-report.json | jq '.dependencies | .[] | select (.vulnerabilities) | [.fileName, .filePath, .vulnerabilities]' | sed -e "s/\"\/work\///g"
-RESULT=`cat dependency-check-report.json | jq '.dependencies | .[] | select (.vulnerabilities) | [.fileName, .filePath, .vulnerabilities] | length == 0' | sed -e "s/\"\/work\///g"`
-
-if [ "${RESULT}" = "" ]; then
-	exit 0
-else
-    exit 1
-fi

examples/dependency-check.md

@@ -12,24 +12,33 @@
 
 - One 'analysis' stage with one job  
 - Allows the job to fail without impacting the rest of the CI (allow_failure: true)
+- Export the results as an artifact
 
 
 ``` yml
 stages:
   - analysis 
-variables:
+dependency_check:
   stage: analysis
+  image: 
+    name: its-registry.unl.edu/unl-its/docker-ci/dependency-check
+  variables:
+    DEPENDENCY_CHECK_OUT_DIR: ./dependency_check_results/
   tags:
     - docker
   script:
-    - docker run --rm -v "${PWD}:/work" -w /work its-registry.unl.edu/unl-its/docker-ci/detect-secrets -s -e 4.5
-    - docker run --rm -v "${PWD}:/work" -w /work its-registry.unl.edu/unl-its/docker-ci/dependency-check
+    - dependency-check --format ALL -s ./ --out ${DEPENDENCY_CHECK_OUT_DIR} --project ${CI_PROJECT_NAMESPACE}
+  artifacts:
+    paths:
+      - ./dependency_check_results/dependency-check-report.html
+      - ./dependency_check_results/dependency_check_results/dependency-check-report.xml
+    expire_in: 1 day
   allow_failure: true
 ``` 
 
 ## Scan the current directory (must be a git repo)
 
 ``` bash
-docker run -it --rm -v "${PWD}:/work" -w /work -e CI_PROJECT_NAMESPACE=`basename $(git rev-parse --show-toplevel)` its-registry.unl.edu/unl-its/docker-ci/dependency-check
-
+CI_PROJECT_NAMESPACE=`basename $(git rev-parse --show-toplevel)`
+docker run -it --rm -v "${PWD}:/work" -w /work -e CI_PROJECT_NAMESPACE=${CI_PROJECT_NAMESPACE} its-registry.unl.edu/unl-its/docker-ci/dependency-check dependency-check --format ALL -s ./ --out ./dependency_check_results --project ${CI_PROJECT_NAMESPACE}
 ```

t/dependency-check/simple-app/package.json

+{
+  "name": "dependency-check-demo-app",
+  "version": "1.0.0",
+  "description": "Simple app with old dependencies",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "dependencies": {
+    "braces": "2.3.0",
+    "lodash": "4.17.10",
+    "open": "0.0.5",
+    "jquery": "2.1.0",
+    "tar": "4.3.0"
+  },
+  "author": "Raul Barreras",
+  "license": "ISC"
+}