diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 215dd5475de1c610bc334dad6d6e4d1c71531820..ad95c7d951bd9cb162cd8ce78b4d9854c19cedd9 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -34,6 +34,7 @@ Test Sonar Scanner:
 script:
 - docker run --rm its-registry.unl.edu/unl-its/docker-ci/static-code-analysis sonar-scanner -v
 - docker run --rm -v "${PWD}:/work" -w /work its-registry.unl.edu/unl-its/docker-ci/detect-secrets -s
+ - docker run --rm -v "${PWD}:/work" -w /work its-registry.unl.edu/unl-its/docker-ci/dependency-check -v
 Test PHP Lint:
 stage: test
diff --git a/Makefile b/Makefile
index e73972a6bf079106a10f07c08a4ecef24d6c2c0f..155e4b068ab1cfd80a24e349a0964d34c603682c 100644
--- a/Makefile
+++ b/Makefile
@@ -20,7 +20,7 @@ BUILD_ARGS := --build-arg VCS_REF=$(GIT_COMMIT)
 .PHONY: all clean test $(DOCKERFILES) static-code-analysis mobile delete_dangling_images security publish
-all: php-lint php-unit-test magento2 mobile static-code-analysis detect-secrets
+all: php-lint php-unit-test magento2 mobile static-code-analysis detect-secrets dependency-check
 # Image Groups
 ####################
@@ -104,6 +104,11 @@ detect-secrets: detect-secrets/Dockerfile
 docker build $(BUILD_ARGS) -t ${REPO_ORG}/detect-secrets detect-secrets/
+# dependency-check
+# ################
+dependency-check: dependency-check/Dockerfile
+ docker build $(BUILD_ARGS) -t ${REPO_ORG}/dependency-check dependency-check/
+
 #IMAGES_TO_SCAN = $(shell docker images --format '{{.Repository}}:{{.Tag}}' | grep unl-its )
 #security:
 # @docker login -u ${TENABLE_IO_ACCESS_KEY} -p ${TENABLE_IO_SECRET_KEY} registry.cloud.tenable.com
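Review bot: The new `dependency-check` target shares its name with the `dependency-check/` directory that holds its Dockerfile and is not in the visible `.PHONY` list, so unless `$(DOCKERFILES)` already expands to it Make will compare the directory's mtime with `dependency-check/Dockerfile` and silently skip the `docker build` whenever the directory is newer (creating `entrypoint.sh` after the Dockerfile is enough to do that). Declaring it phony on the `.PHONY` line of the earlier hunk keeps the build unconditional: `.PHONY: all clean test $(DOCKERFILES) static-code-analysis mobile delete_dangling_images security publish detect-secrets dependency-check`. The existing `detect-secrets` target this one was copied from has the same exposure. A smaller point of style: the recipe mixes `$(BUILD_ARGS)` with `${REPO_ORG}` on one line, while the rest of the visible file uses `$(...)`.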
@@ -120,12 +125,12 @@ publish:
 done
 #Update README.md based on the template ._README.md
-TOOLSET := `echo "$(sort $(IMAGES_TO_PUBLISH))" | sed -e "s/ /\n - /g"))`
+TOOLSET = `make all --dry-run | grep 'docker build' | cut -d ' ' -f 6 | sort -u | awk '{print "- " $$0}'`
 README_HEAD = `cat ./_README.md | sed -e '/%CONTAINERS_LIST%/Q'`
 README_TAIL = `cat ./_README.md | sed -e '1,/%CONTAINERS_LIST%/d'`
 README_FOOTER = `echo "\n\r_Last update: \`date\`_\n"`
 update_readme:
- @echo "$(README_HEAD) \n\n - $(TOOLSET) \n $(README_TAIL) \n$(README_FOOTER)" > README.md
+ @echo "$(README_HEAD) \n\n$(TOOLSET) \n $(README_TAIL) \n$(README_FOOTER)" > README.md
 @git add README.md
 delete_dangling_images:
diff --git a/README.md b/README.md
index 0b470a5ecb583411a23ee004c3deddafb6c75181..1ad9cb945b282f6f50c56932c9705898f5c61434 100644
--- a/README.md
+++ b/README.md
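Review bot: The new `TOOLSET` value runs a bare `make all --dry-run` from inside the `update_readme` recipe; a recursive invocation should be `$(MAKE)` so that flags and command-line variable overrides propagate the way Make expects. The `cut -d ' ' -f 6` extraction also only works while `BUILD_ARGS` expands to exactly one `--build-arg K=V` pair, as the hunk header shows it does today; a second build-arg shifts the field and the README is rewritten with the wrong token, so picking the `-t` argument is more robust, e.g. replace `cut -d ' ' -f 6` with `sed -n 's/.* -t \([^ ]*\).*/\1/p'`. Note too that `--dry-run` prints recipes only for targets Make considers out of date, so any non-phony image target that happens to look current would drop out of the generated list; whether that can happen depends on how the image targets are declared elsewhere in the file.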
@@ -11,20 +11,23 @@ This file is automatically updated after execute `git commit` based on the conte ### Available tools - - its-registry.unl.edu/unl-its/docker-ci/detect-secrets:latest - - its-registry.unl.edu/unl-its/docker-ci/magento2-unit-test:latest - - its-registry.unl.edu/unl-its/docker-ci/magento2-xml-lint:latest - - its-registry.unl.edu/unl-its/docker-ci/php-lint:5.6 - - its-registry.unl.edu/unl-its/docker-ci/php-lint:7.0 - - its-registry.unl.edu/unl-its/docker-ci/php-lint:7.1 - - its-registry.unl.edu/unl-its/docker-ci/php-lint:7.2 - - its-registry.unl.edu/unl-its/docker-ci/php-lint:latest - - its-registry.unl.edu/unl-its/docker-ci/php-unit-test:5.6 - - its-registry.unl.edu/unl-its/docker-ci/php-unit-test:7.1 - - its-registry.unl.edu/unl-its/docker-ci/secrets-detection:latest - - its-registry.unl.edu/unl-its/docker-ci/static-code-analysis:latest - - its-registry.unl.edu/unl-its/docker-ci/static-code-analysis:php - - its-registry.unl.edu/unl-its/docker-ci/static-code-analysis:python +- its-registry.unl.edu/unl-its/docker-ci/android-build-server:latest +- its-registry.unl.edu/unl-its/docker-ci/dependency-check +- its-registry.unl.edu/unl-its/docker-ci/detect-secrets +- its-registry.unl.edu/unl-its/docker-ci/magento2-unit-test:latest +- its-registry.unl.edu/unl-its/docker-ci/magento2-xml-lint:latest +- its-registry.unl.edu/unl-its/docker-ci/php-lint:5.6 +- its-registry.unl.edu/unl-its/docker-ci/php-lint:7.0 +- its-registry.unl.edu/unl-its/docker-ci/php-lint:7.1 +- its-registry.unl.edu/unl-its/docker-ci/php-lint:7.2 +- its-registry.unl.edu/unl-its/docker-ci/php-unit-test:5.6 +- its-registry.unl.edu/unl-its/docker-ci/php-unit-test:7.0 +- its-registry.unl.edu/unl-its/docker-ci/php-unit-test:7.1 +- its-registry.unl.edu/unl-its/docker-ci/php-unit-test:7.2 +- its-registry.unl.edu/unl-its/docker-ci/static-code-analysis:android +- its-registry.unl.edu/unl-its/docker-ci/static-code-analysis:latest +- its-registry.unl.edu/unl-its/docker-ci/static-code-analysis:php +- 
its-registry.unl.edu/unl-its/docker-ci/static-code-analysis:python - _Last update: Fri May 31 12:11:19 CDT 2019_ + _Last update: Fri May 31 17:38:34 CDT 2019_
diff --git a/dependency-check/Dockerfile b/dependency-check/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..93f3a7f87b25d72b198b600d91dce1842c9a9246
--- /dev/null
+++ b/dependency-check/Dockerfile
@@ -0,0 +1,36 @@
+FROM adoptopenjdk/openjdk8:alpine
+
+ARG BUILD_DATE
+ARG VCS_REF
+ARG VERSION
+LABEL org.label-schema.build-date=$BUILD_DATE \
+ org.label-schema.name="OWASP Dependency Check" \
+ org.label-schema.description="Docker image for dependency checking" \
+ org.label-schema.vcs-ref=$VCS_REF \
+ org.label-schema.vendor="University of Nebraska - Lincoln" \
+ org.label-schema.version="0.1.0" \
+ org.label-schema.schema-version="1.0" \
+ maintainer="J.R. Barreras <rbarrerasmilanes@nebraska.edu>"
+
+#ENV DEPENDENCY_CHECK_VERSION 4.0.2-release
+ENV DEPENDENCY_CHECK_VERSION 5.0.0-M3-release
+
+
+WORKDIR /opt
+
+RUN apk add --no-cache curl jq su-exec && \
+ curl --insecure -o ./dependency-check.zip -L https://dl.bintray.com/jeremy-long/owasp/dependency-check-${DEPENDENCY_CHECK_VERSION}.zip && \
+ unzip dependency-check.zip && \
+ rm dependency-check.zip && \
+ /opt/dependency-check/bin/dependency-check.sh --updateonly
+
+
+ENV PATH $PATH:/opt/dependency-check/bin
+
+WORKDIR /work
+
+COPY entrypoint.sh /usr/local/bin/
+RUN chmod +x /usr/local/bin/entrypoint.sh
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
+
+CMD ["/usr/local/bin/entrypoint.sh"]
diff --git a/dependency-check/entrypoint.sh b/dependency-check/entrypoint.sh
new file mode 100644
index 0000000000000000000000000000000000000000..becbcac905f50d5814f51b3b42a10ef072879734
--- /dev/null
+++ b/dependency-check/entrypoint.sh
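Review bot: `curl --insecure` on the `RUN` line disables TLS certificate verification for the download of the scanner that every CI project will then execute, so anyone who can interpose on the build host's network path can substitute an arbitrary zip and the image will unpack and run it as root; drop `--insecure`, add `-f` so an HTTP error page is not unzipped, and verify the archive against a checksum pinned in the Dockerfile before unpacking, as in the rewrite below (the build then fails closed if the checksum build-arg is not supplied). `--updateonly` bakes the vulnerability database into the image at build time while the entrypoint scans with `-n`, so findings are only as fresh as the last image build; a comment on that line such as `# NVD data is frozen at image build time: rebuild on a schedule, or drop -n in entrypoint.sh` would make the trade-off visible. `su-exec` is installed but never used, so the scan runs as root and leaves a root-owned `dependency-check-report.json` in the bind-mounted workspace. The `CMD` repeats the `ENTRYPOINT` path, which means an argument-less `docker run` hands the entrypoint its own path as `$1`; an empty `CMD []` is presumably what was intended, but see the entrypoint review before changing it.
```dockerfile
# SHA-256 of the release zip for DEPENDENCY_CHECK_VERSION; update both together.
ARG DEPENDENCY_CHECK_SHA256
# … unchanged: WORKDIR /opt …
RUN apk add --no-cache curl jq su-exec && \
    curl -fsSL -o ./dependency-check.zip "https://dl.bintray.com/jeremy-long/owasp/dependency-check-${DEPENDENCY_CHECK_VERSION}.zip" && \
    echo "${DEPENDENCY_CHECK_SHA256}  dependency-check.zip" | sha256sum -c - && \
    unzip dependency-check.zip && \
    rm dependency-check.zip && \
    /opt/dependency-check/bin/dependency-check.sh --updateonly
```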
@@ -0,0 +1,17 @@
+#!/bin/sh
+set -e
+
+if [ $1 == '-v' ]; then
+ dependency-check.sh -v
+ exit 0
+fi
+
+dependency-check.sh -n --project ${CI_PROJECT_NAMESPACE} -s ./ -f JSON
+cat dependency-check-report.json | jq '.dependencies | .[] | select (.vulnerabilities) | [.fileName, .filePath, .vulnerabilities]' | sed -e "s/\"\/work\///g"
+RESULT=`cat dependency-check-report.json | jq '.dependencies | .[] | select (.vulnerabilities) | [.fileName, .filePath, .vulnerabilities] | length == 0' | sed -e "s/\"\/work\///g"`
+
+if [ "${RESULT}" = "" ]; then
+ exit 0
+else
+ exit 1
+fi
diff --git a/examples/dependency-check.md b/examples/dependency-check.md
new file mode 100644
index 0000000000000000000000000000000000000000..f2160c19218f8f9b759b5c4262c52c017ea96cd3
--- /dev/null
+++ b/examples/dependency-check.md
@@ -0,0 +1,35 @@
+# Dependecy check example
+
+## Parameters
+
+| Argument | Description |
+| :------- | :--------------------------- |
+| -v | Prints Dependency Check version and exit |
+| without parameters | Scans the current directory (must be a git repo) |
+
+
+## Detect outdated dependencies in the current project using [OWASP DependencyCheck](https://www.owasp.org/index.php/OWASP_Dependency_Check)
+
+- One 'analysis' stage with one job
+- Allows the job to fail without impacting the rest of the CI (allow_failure: true)
+
+
+``` yml
+stages:
+ - analysis
+variables:
+ stage: analysis
+ tags:
+ - docker
+ script:
+ - docker run --rm -v "${PWD}:/work" -w /work its-registry.unl.edu/unl-its/docker-ci/detect-secrets -s -e 4.5
+ - docker run --rm -v "${PWD}:/work" -w /work its-registry.unl.edu/unl-its/docker-ci/dependency-check
+ allow_failure: true
+```
+
+## Scan the current directory (must be a git repo)
+
+``` bash
+docker run -it --rm -v "${PWD}:/work" -w /work -e CI_PROJECT_NAMESPACE=`basename $(git rev-parse --show-toplevel)` its-registry.unl.edu/unl-its/docker-ci/dependency-check
+
+```
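Review bot: `$1` is unquoted in `if [ $1 == '-v' ]`, so a run with no arguments makes the test `[ == '-v' ]`, a syntax error that `set -e` turns into an abort; it only works today because the Dockerfile's `CMD` passes the entrypoint's own path as `$1`, and `==` is not a POSIX `test` operator either. `${CI_PROJECT_NAMESPACE}` is likewise unquoted with no default, so outside GitLab or with an empty value `--project` swallows `-s` as its argument, and in GitLab that variable is the group rather than the project, so `CI_PROJECT_NAME` is presumably what was meant — worth confirming. The pass/fail check pipes `cat` into `jq` without `pipefail`, so a missing or unparseable report produces an empty `RESULT` and exit 0, i.e. a scanner failure reads as "no vulnerabilities". The rewrite below quotes both values, defaults the project name to the mounted directory, and lets `jq -e` decide the exit status so a missing report fails closed.
```sh
#!/bin/sh
set -e

if [ "$1" = '-v' ]; then
    dependency-check.sh -v
    exit 0
fi

# NOTE(review): CI_PROJECT_NAMESPACE is the GitLab group, not the project name;
# confirm CI_PROJECT_NAME was not intended. Fall back to the mounted directory.
PROJECT="${CI_PROJECT_NAMESPACE:-$(basename "$PWD")}"
dependency-check.sh -n --project "${PROJECT}" -s ./ -f JSON

REPORT=dependency-check-report.json
[ -s "${REPORT}" ] || { echo "dependency-check produced no report" >&2; exit 1; }

# … unchanged: jq listing of vulnerable dependencies …

# jq -e exits 0 only when the last value is true, i.e. no dependency carries a
# vulnerabilities array; a malformed report makes jq exit non-zero, which set -e
# turns into a failed job instead of a silent pass.
jq -e '[.dependencies[] | select(.vulnerabilities)] | length == 0' "${REPORT}" >/dev/null
```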