Commit 062e98bf authored by Pierre Smeyers's avatar Pierre Smeyers Committed by Cédric OLIVIER
Browse files

feat: migrate to CI/CD component

parent 11aab5d5

.gitlab-ci.yml

+1 −1
Original line number Diff line number Diff line
@@ -10,7 +10,7 @@ include: 
    file: '/templates/validation.yml'

  - project: 'to-be-continuous/bash'

    ref: '3.3'

    file: 'templates/gitlab-ci-bash.yml'

    file: '/templates/gitlab-ci-bash.yml'

  - project: 'to-be-continuous/semantic-release'

    ref: '3.7'

    file: '/templates/gitlab-ci-semrel.yml'

README.md

+63 −42
Original line number Diff line number Diff line
@@ -40,12 +40,36 @@ You may connect to DefectDojo server to visualize the summary of your project's 


## Usage



In order to include this template in your project, add the following to your `.gitlab-ci.yml`:

This template can be used both as a [CI/CD component](https://docs.gitlab.com/ee/ci/components/#use-a-component-in-a-cicd-configuration) 

or using the legacy [`include:project`](https://docs.gitlab.com/ee/ci/yaml/index.html#includeproject) syntax.



### Use as a CI/CD component



Add the following to your `gitlab-ci.yml`:



```yaml

include:

  # 1: include the component

  - component: gitlab.com/to-be-continuous/defectdojo/gitlab-ci-defectdojo@2.5.1

    # 2: set/override component inputs

    inputs:

      server-url: "https://defectdojo.acme.host" # ⚠ this is only an example

```



### Use as a CI/CD template (legacy)



Add the following to your `gitlab-ci.yml`:



```yaml

include:

  # 1: include the template

  - project: 'to-be-continuous/defectdojo'

    ref: '2.5.1'

    file: '/templates/gitlab-ci-defectdojo.yml'



variables:

  # 2: set/override template variables

  DEFECTDOJO_SERVER_URL: "https://defectdojo.acme.host" # ⚠ this is only an example

```



## defectdojo job
@@ -54,40 +78,41 @@ This job uploads security reports found in the artifacts to a DefectDojo server. 


It is bound to the `.post` stage, and uses the following variables:



| Name                          | Description                            | Default value     |

| Input / Variable | Description                            | Default value     |

| ----------------------------- | -------------------------------------- | ----------------- |

| `DEFECTDOJO_SERVER_URL`       | URL of DefectDojo server               | _none_            |

| `dir` / `DEFECTDOJO_DIR`      | DefectDojo working directory           | `.`               |

| `server-url` / `DEFECTDOJO_SERVER_URL` | URL of DefectDojo server      | _none_            |

| :lock: `DEFECTDOJO_API_KEY`   | Your DefectDojo API v2 Key (see [below](#first-connection-to-defectdojo) how to retrieve it)            | _none_            |



## Global variables



Depending on the security tools you launch, and their configuration, you may have to redefine some of the following variables in your `gitlab-ci.yml`:



| Name                                     | Description                                                                                                                            | Default value                             |

| Input / Variable | Description                                                                                                                            | Default value                             |

|------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------| ----------------------------------------- |

| `DEFECTDOJO_BANDIT_REPORTS`              | path to Bandit JSON reports                                                                                                            | `bandit*.json reports/py-bandit.bandit.json`                        |

| `DEFECTDOJO_DC_GRADLE_REPORTS`           | path to Dependency Check XML reports (Gradle template)                                                                                 | `dependency-check*.xml` |

| `DEFECTDOJO_DC_REPORTS`                  | path to Dependency Check XML reports (Maven template)                                                                                  | `dependency-check*.xml`        |

| `DEFECTDOJO_GITLEAKS_REPORTS`            | path to Gitleaks JSON reports                                                                                                          | `gitleaks/gitleaks-report.json reports/gitleaks.native.json` || `DEFECTDOJO_HADOLINT_REPORTS`            | path to Hadolint JSON reports                                                                                                          | `hadolint-json-*.json reports/docker-hadolint-*.native.json`             |

| `DEFECTDOJO_MOBSF_REPORTS`               | path to MobSF JSON reports                                                                                                             | `mobsf*.json`                        |

| `DEFECTDOJO_NODEJSSCAN_REPORTS`          | path to NodeJSScan SARIF reports                                                                                                       | `nodejsscan-report-sarif.json`                        |

| `DEFECTDOJO_NPMAUDIT_REPORTS`            | path to NPM Audit JSON reports                                                                                                         | `npm-audit*.json`                        |

| `DEFECTDOJO_SEMGREP_REPORTS`| Path to Semgrep reports | `reports/semgrep.native.json`|

| `SEMGREP_TEMPLATE`| Path to Semgrep template | _none_ |

| `DEFECTDOJO_TESTSSL_REPORTS`             | path to TestSSL CSV reports                                                                                                            | `reports/testssl.native.csv`                        |

| `DEFECTDOJO_ZAP_REPORTS`               | path to Zap xml reports                                                                                                             | `reports/zap.native.xml`            |

| `ZAP_TPL_PROJECT`        | path to Zap template (if any) | _none_ | 

| `DEFECTDOJO_TRIVY_REPORTS`               | path to Trivy JSON reports                                                                                                             | `trivy/*.json trivy-*.json reports/docker-trivy-*.native.json reports/py-trivy.trivy.json`             |

| `bandit-reports` / `DEFECTDOJO_BANDIT_REPORTS`| path to Bandit JSON reports                                                                                                            | `bandit*.json reports/py-bandit.bandit.json`                        |

| `dc-gradle-reports` / `DEFECTDOJO_DC_GRADLE_REPORTS` | path to Dependency Check XML reports (Gradle template)                                                                                 | `dependency-check*.xml` |

| `dc-reports` / `DEFECTDOJO_DC_REPORTS` | path to Dependency Check XML reports (Maven template)                                                                                  | `dependency-check*.xml`        |

| `gitleaks-reports` / `DEFECTDOJO_GITLEAKS_REPORTS` | path to Gitleaks JSON reports                                                                                                          | `gitleaks/gitleaks-report.json reports/gitleaks.native.json` || `hadolint-reports` / `DEFECTDOJO_HADOLINT_REPORTS` | path to Hadolint JSON reports                                                                                                          | `hadolint-json-*.json reports/docker-hadolint-*.native.json`             |

| `mobsf-reports` / `DEFECTDOJO_MOBSF_REPORTS` | path to MobSF JSON reports                                                                                                             | `mobsf*.json`                        |

| `nodejsscan-reports` / `DEFECTDOJO_NODEJSSCAN_REPORTS` | path to NodeJSScan SARIF reports                                                                                                       | `nodejsscan-report-sarif.json`                        |

| `npmaudit-reports` / `DEFECTDOJO_NPMAUDIT_REPORTS` | path to NPM Audit JSON reports                                                                                                         | `npm-audit*.json`                        |

| `semgrep-reports` / `DEFECTDOJO_SEMGREP_REPORTS` | Path to Semgrep reports | `reports/semgrep.native.json`|

| `semgrep-template` / `SEMGREP_TEMPLATE` | Path to Semgrep template | _none_ |

| `testssl-reports` / `DEFECTDOJO_TESTSSL_REPORTS` | path to TestSSL CSV reports                                                                                                            | `reports/testssl.native.csv`                        |

| `zap-reports` / `DEFECTDOJO_ZAP_REPORTS` | path to Zap xml reports                                                                                                             | `reports/zap.native.xml`            |

| `zap-tpl-project` / `ZAP_TPL_PROJECT` | path to Zap template (if any) | _none_ | 

| `trivy-reports` / `DEFECTDOJO_TRIVY_REPORTS` | path to Trivy JSON reports                                                                                                             | `trivy/*.json trivy-*.json reports/docker-trivy-*.native.json reports/py-trivy.trivy.json`             |

| `DEFECTDOJO_SONARQUBE_APPLICATION`       | your application name in Sonar                                                                                                         | ex: project-name                         |

| `DEFECTDOJO_SONARQUBE_PROJECT_KEY`       | your project key in Sonar (be careful, the project key might be distinct from project-dir-project-name, sometimes Sonar adds a suffix) | ex: project-dir-project-name or        project-dir-project-name__AXjLJ76cpGZrj3BUYg10                 |

| `DEFECTDOJO_SONARQUBE_SINCELEAKPERIOD`   | determines if delta analysis is activated                                                                                              | false                         |

| `DEFECTDOJO_SONARQUBE_NOSECURITYHOTSPOT` | if true, disable hotspots processing                                                                                                   | true                         |

| `sonarqube-sinceleakperiod` / `DEFECTDOJO_SONARQUBE_SINCELEAKPERIOD` | determines if delta analysis is activated                                                                                              | false                         |

| `sonarqube-nosecurityhotspot` / `DEFECTDOJO_SONARQUBE_NOSECURITYHOTSPOT` | if true, disable hotspots processing                                                                                                   | true                         |

| `DEFECTDOJO_SONARQUBE_ALLBUGS `          | true if all bugs are returned, false if only vulnerabilities are returned                                                              | false                         |

| `DEFECTDOJO_BASE_IMAGE`                  | Alpine base image                                                                                                                      | `registry.hub.docker.com/library/node:alpine3.11`                         |

| `DEFECTDOJO_SMTP_SERVER`                 | name:port of SMTP server used for notifications                                                                                        | dist                         |

| `DEFECTDOJO_NOTIFICATION_SEVERITIES`     | list of (comma separated) severities to be notified on                                                                                 | Critical,High                         |

| `DEFECTDOJO_TIMEZONE`                    | timezone used for naming engagements and setting engagements start and end                                                             | `Europe/Paris`                  |

| `DEFECTDOJO_NOPROD_ENABLED`              | determines if defectdojo job is launched on non production branches                                                                    | false                         |

| `base-image` / `DEFECTDOJO_BASE_IMAGE` | Alpine base image                                                                                                                      | `registry.hub.docker.com/library/node:alpine3.11`                         |

| `smtp-server` / `DEFECTDOJO_SMTP_SERVER` | name:port of SMTP server used for notifications                                                                                        | dist                         |

| `notification-severities` / `DEFECTDOJO_NOTIFICATION_SEVERITIES` | list of (comma separated) severities to be notified on                                                                                 | Critical,High                         |

| `timezone` / `DEFECTDOJO_TIMEZONE` | timezone used for naming engagements and setting engagements start and end                                                             | `Europe/Paris`                  |

| `noprod-enabled` / `DEFECTDOJO_NOPROD_ENABLED` | determines if defectdojo job is launched on non production branches                                                                    | false                         |





## First connection to DefectDojo
@@ -179,11 +204,11 @@ This variant allows delegating your secrets management to a [Vault](https://www. 


In order to be able to communicate with the Vault server, the variant requires the additional configuration parameters:



| Name              | Description                            | Default value     |

| Input / Variable | Description                            | Default value     |

| ----------------- | -------------------------------------- | ----------------- |

| `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master` |

| `VAULT_BASE_URL`  | The Vault server base API url          | _none_ |

| `VAULT_OIDC_AUD`  | The `aud` claim for the JWT | `$CI_SERVER_URL` |

| `vault-base-url` / `VAULT_BASE_URL` | The Vault server base API url          | _none_ |

| `vault-oidc-aud` / `VAULT_OIDC_AUD` | The `aud` claim for the JWT | `$CI_SERVER_URL` |

| :lock: `VAULT_ROLE_ID`   | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** |

| :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** |
@@ -197,7 +222,7 @@ Then you may retrieve any of your secret(s) from Vault using the following synta 


With:



| Name                             | Description                            |

| Parameter                        | Description                            |

| -------------------------------- | -------------------------------------- |

| `secret_path` (_path parameter_) | this is your secret location in the Vault server |

| `field` (_query parameter_)      | parameter to access a single basic field from the secret JSON payload |
@@ -207,19 +232,15 @@ With: 
```yaml

include:

  # main template

  - project: 'to-be-continuous/defectdojo'

    ref: '2.5.1'

    file: '/templates/gitlab-ci-defectdojo.yml'

  - component: gitlab.com/to-be-continuous/defectdojo/gitlab-ci-defectdojo@2.5.1

    inputs:

      server-url: "https://defectdojo.acme.host" # ⚠ this is only an example

      # Secrets managed by Vault

      api-key: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/defectdojo/credentials?field=token"

  # Vault variant

  - project: 'to-be-continuous/defectdojo'

    ref: '2.5.1'

    file: '/templates/gitlab-ci-defectdojo-vault.yml'



variables:

  - component: gitlab.com/to-be-continuous/defectdojo/gitlab-ci-defectdojo-vault@2.5.1

    inputs:

      # audience claim for JWT

    VAULT_OIDC_AUD: "https://vault.acme.host"

    # Secrets managed by Vault

    DEFECTDOJO_API_KEY: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/defectdojo/credentials?field=token"

    VAULT_BASE_URL: "https://vault.acme.host/v1"

    # $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable

      vault-oidc-aud: "https://vault.acme.host"

      vault-base-url: "https://vault.acme.host/v1"

```

bumpversion.sh

+2 −2
Original line number Diff line number Diff line
@@ -27,13 +27,13 @@ if [[ "$curVer" ]]; then 
  log_info "Bump version from \\e[33;1m${curVer}\\e[0m to \\e[33;1m${nextVer}\\e[0m (release type: $relType)..."



  # replace in README

  sed -e "s/ref: '$curVer'/ref: '$nextVer'/" README.md > README.md.next

  sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\”/ref: \”$nextVer\”/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next

  mv -f README.md.next README.md



  # replace in template and variants

  for tmpl in templates/*.yml

  do

    sed -e "s/\"$curVer\"/\"$nextVer\"/" "$tmpl" > "$tmpl.next"

    sed -e "s/command: *\[\"--service\", \"\(.*\)\", \"$curVer\"\]/command: [\"--service\", \"\1\", \"$nextVer\"]/" "$tmpl" > "$tmpl.next"

    mv -f "$tmpl.next" "$tmpl"

  done

else

kicker.json

+14 −0
Original line number Diff line number Diff line
@@ -3,6 +3,8 @@ 
  "description": "Import security reports into [DefectDojo](https://www.defectdojo.org/)",

  "template_path": "templates/gitlab-ci-defectdojo.yml",

  "kind": "analyse",

  "prefix": "defectdojo",

  "is_component": true,

  "variables": [

    {

      "name": "DEFECTDOJO_BASE_IMAGE",
@@ -20,6 +22,12 @@ 
      "secret": true,

      "mandatory": true

    },

    {

      "name": "DEFECTDOJO_DIR",

      "description": "DefectDojo working directory",

      "default": ".",

      "advanced": true

    },

    {

      "name": "DEFECTDOJO_NOPROD_ENABLED",

      "description": "Determines whether security reports produced in non-production branches are uploaded to DefectDojo",
@@ -43,6 +51,12 @@ 
      "default": "Critical,High",

      "advanced": true

    },

    {

      "name": "DEFECTDOJO_BANDIT_REPORTS",

      "description": "path to Bandit JSON reports",

      "default": "bandit*.json reports/py-bandit.bandit.json",

      "advanced": true

    },

    {

      "name": "DEFECTDOJO_DC_REPORTS",

      "description": "Path to Dependency Check reports",

logo.png

+4.68 KiB (6.69 KiB)
Loading image diff...