Merge branch 'feat/component' into 'main' (fc298589) · Commits · to be continuous... / DefectDojo

.gitlab-ci.yml

+1 −1

Original line number	Diff line number	Diff line
		@@ -10,7 +10,7 @@ include:
		file: '/templates/validation.yml'
		- project: 'to-be-continuous/bash'
		ref: '3.3'
		file: 'templates/gitlab-ci-bash.yml'
		file: '/templates/gitlab-ci-bash.yml'
		- project: 'to-be-continuous/semantic-release'
		ref: '3.7'
		file: '/templates/gitlab-ci-semrel.yml'

README.md

+63 −42

Original line number	Diff line number	Diff line
		@@ -40,12 +40,36 @@ You may connect to DefectDojo server to visualize the summary of your project's

		## Usage

		In order to include this template in your project, add the following to your `.gitlab-ci.yml`:
		This template can be used both as a [CI/CD component](https://docs.gitlab.com/ee/ci/components/#use-a-component-in-a-cicd-configuration)
		or using the legacy [`include:project`](https://docs.gitlab.com/ee/ci/yaml/index.html#includeproject) syntax.

		### Use as a CI/CD component

		Add the following to your `gitlab-ci.yml`:

		```yaml
		include:
		# 1: include the component
		- component: gitlab.com/to-be-continuous/defectdojo/gitlab-ci-defectdojo@2.5.1
		# 2: set/override component inputs
		inputs:
		server-url: "https://defectdojo.acme.host" # ⚠ this is only an example
		```

		### Use as a CI/CD template (legacy)

		Add the following to your `gitlab-ci.yml`:

		```yaml
		include:
		# 1: include the template
		- project: 'to-be-continuous/defectdojo'
		ref: '2.5.1'
		file: '/templates/gitlab-ci-defectdojo.yml'

		variables:
		# 2: set/override template variables
		DEFECTDOJO_SERVER_URL: "https://defectdojo.acme.host" # ⚠ this is only an example
		```

		## defectdojo job
		@@ -54,40 +78,41 @@ This job uploads security reports found in the artifacts to a DefectDojo server.

		It is bound to the `.post` stage, and uses the following variables:

		\| Name \| Description \| Default value \|
		\| Input / Variable \| Description \| Default value \|
		\| ----------------------------- \| -------------------------------------- \| ----------------- \|
		\| `DEFECTDOJO_SERVER_URL` \| URL of DefectDojo server \| _none_ \|
		\| `dir` / `DEFECTDOJO_DIR` \| DefectDojo working directory \| `.` \|
		\| `server-url` / `DEFECTDOJO_SERVER_URL` \| URL of DefectDojo server \| _none_ \|
		\| :lock: `DEFECTDOJO_API_KEY` \| Your DefectDojo API v2 Key (see [below](#first-connection-to-defectdojo) how to retrieve it) \| _none_ \|

		## Global variables

		Depending on the security tools you launch, and their configuration, you may have to redefine some of the following variables in your `gitlab-ci.yml`:

		\| Name \| Description \| Default value \|
		\| Input / Variable \| Description \| Default value \|
		\|------------------------------------------\|----------------------------------------------------------------------------------------------------------------------------------------\| ----------------------------------------- \|
		\| `DEFECTDOJO_BANDIT_REPORTS` \| path to Bandit JSON reports \| `bandit*.json reports/py-bandit.bandit.json` \|
		\| `DEFECTDOJO_DC_GRADLE_REPORTS` \| path to Dependency Check XML reports (Gradle template) \| `dependency-check*.xml` \|
		\| `DEFECTDOJO_DC_REPORTS` \| path to Dependency Check XML reports (Maven template) \| `dependency-check*.xml` \|
		\| `DEFECTDOJO_GITLEAKS_REPORTS` \| path to Gitleaks JSON reports \| `gitleaks/gitleaks-report.json reports/gitleaks.native.json` \|\| `DEFECTDOJO_HADOLINT_REPORTS` \| path to Hadolint JSON reports \| `hadolint-json-.json reports/docker-hadolint-.native.json` \|
		\| `DEFECTDOJO_MOBSF_REPORTS` \| path to MobSF JSON reports \| `mobsf*.json` \|
		\| `DEFECTDOJO_NODEJSSCAN_REPORTS` \| path to NodeJSScan SARIF reports \| `nodejsscan-report-sarif.json` \|
		\| `DEFECTDOJO_NPMAUDIT_REPORTS` \| path to NPM Audit JSON reports \| `npm-audit*.json` \|
		\| `DEFECTDOJO_SEMGREP_REPORTS`\| Path to Semgrep reports \| `reports/semgrep.native.json`\|
		\| `SEMGREP_TEMPLATE`\| Path to Semgrep template \| _none_ \|
		\| `DEFECTDOJO_TESTSSL_REPORTS` \| path to TestSSL CSV reports \| `reports/testssl.native.csv` \|
		\| `DEFECTDOJO_ZAP_REPORTS` \| path to Zap xml reports \| `reports/zap.native.xml` \|
		\| `ZAP_TPL_PROJECT` \| path to Zap template (if any) \| _none_ \|
		\| `DEFECTDOJO_TRIVY_REPORTS` \| path to Trivy JSON reports \| `trivy/.json trivy-.json reports/docker-trivy-*.native.json reports/py-trivy.trivy.json` \|
		\| `bandit-reports` / `DEFECTDOJO_BANDIT_REPORTS`\| path to Bandit JSON reports \| `bandit*.json reports/py-bandit.bandit.json` \|
		\| `dc-gradle-reports` / `DEFECTDOJO_DC_GRADLE_REPORTS` \| path to Dependency Check XML reports (Gradle template) \| `dependency-check*.xml` \|
		\| `dc-reports` / `DEFECTDOJO_DC_REPORTS` \| path to Dependency Check XML reports (Maven template) \| `dependency-check*.xml` \|
		\| `gitleaks-reports` / `DEFECTDOJO_GITLEAKS_REPORTS` \| path to Gitleaks JSON reports \| `gitleaks/gitleaks-report.json reports/gitleaks.native.json` \|\| `hadolint-reports` / `DEFECTDOJO_HADOLINT_REPORTS` \| path to Hadolint JSON reports \| `hadolint-json-.json reports/docker-hadolint-.native.json` \|
		\| `mobsf-reports` / `DEFECTDOJO_MOBSF_REPORTS` \| path to MobSF JSON reports \| `mobsf*.json` \|
		\| `nodejsscan-reports` / `DEFECTDOJO_NODEJSSCAN_REPORTS` \| path to NodeJSScan SARIF reports \| `nodejsscan-report-sarif.json` \|
		\| `npmaudit-reports` / `DEFECTDOJO_NPMAUDIT_REPORTS` \| path to NPM Audit JSON reports \| `npm-audit*.json` \|
		\| `semgrep-reports` / `DEFECTDOJO_SEMGREP_REPORTS` \| Path to Semgrep reports \| `reports/semgrep.native.json`\|
		\| `semgrep-template` / `SEMGREP_TEMPLATE` \| Path to Semgrep template \| _none_ \|
		\| `testssl-reports` / `DEFECTDOJO_TESTSSL_REPORTS` \| path to TestSSL CSV reports \| `reports/testssl.native.csv` \|
		\| `zap-reports` / `DEFECTDOJO_ZAP_REPORTS` \| path to Zap xml reports \| `reports/zap.native.xml` \|
		\| `zap-tpl-project` / `ZAP_TPL_PROJECT` \| path to Zap template (if any) \| _none_ \|
		\| `trivy-reports` / `DEFECTDOJO_TRIVY_REPORTS` \| path to Trivy JSON reports \| `trivy/.json trivy-.json reports/docker-trivy-*.native.json reports/py-trivy.trivy.json` \|
		\| `DEFECTDOJO_SONARQUBE_APPLICATION` \| your application name in Sonar \| ex: project-name \|
		\| `DEFECTDOJO_SONARQUBE_PROJECT_KEY` \| your project key in Sonar (be careful, the project key might be distinct from project-dir-project-name, sometimes Sonar adds a suffix) \| ex: project-dir-project-name or project-dir-project-name__AXjLJ76cpGZrj3BUYg10 \|
		\| `DEFECTDOJO_SONARQUBE_SINCELEAKPERIOD` \| determines if delta analysis is activated \| false \|
		\| `DEFECTDOJO_SONARQUBE_NOSECURITYHOTSPOT` \| if true, disable hotspots processing \| true \|
		\| `sonarqube-sinceleakperiod` / `DEFECTDOJO_SONARQUBE_SINCELEAKPERIOD` \| determines if delta analysis is activated \| false \|
		\| `sonarqube-nosecurityhotspot` / `DEFECTDOJO_SONARQUBE_NOSECURITYHOTSPOT` \| if true, disable hotspots processing \| true \|
		\| `DEFECTDOJO_SONARQUBE_ALLBUGS ` \| true if all bugs are returned, false if only vulnerabilities are returned \| false \|
		\| `DEFECTDOJO_BASE_IMAGE` \| Alpine base image \| `registry.hub.docker.com/library/node:alpine3.11` \|
		\| `DEFECTDOJO_SMTP_SERVER` \| name:port of SMTP server used for notifications \| dist \|
		\| `DEFECTDOJO_NOTIFICATION_SEVERITIES` \| list of (comma separated) severities to be notified on \| Critical,High \|
		\| `DEFECTDOJO_TIMEZONE` \| timezone used for naming engagements and setting engagements start and end \| `Europe/Paris` \|
		\| `DEFECTDOJO_NOPROD_ENABLED` \| determines if defectdojo job is launched on non production branches \| false \|
		\| `base-image` / `DEFECTDOJO_BASE_IMAGE` \| Alpine base image \| `registry.hub.docker.com/library/node:alpine3.11` \|
		\| `smtp-server` / `DEFECTDOJO_SMTP_SERVER` \| name:port of SMTP server used for notifications \| dist \|
		\| `notification-severities` / `DEFECTDOJO_NOTIFICATION_SEVERITIES` \| list of (comma separated) severities to be notified on \| Critical,High \|
		\| `timezone` / `DEFECTDOJO_TIMEZONE` \| timezone used for naming engagements and setting engagements start and end \| `Europe/Paris` \|
		\| `noprod-enabled` / `DEFECTDOJO_NOPROD_ENABLED` \| determines if defectdojo job is launched on non production branches \| false \|


		## First connection to DefectDojo
		@@ -179,11 +204,11 @@ This variant allows delegating your secrets management to a [Vault](https://www.

		In order to be able to communicate with the Vault server, the variant requires the additional configuration parameters:

		\| Name \| Description \| Default value \|
		\| Input / Variable \| Description \| Default value \|
		\| ----------------- \| -------------------------------------- \| ----------------- \|
		\| `TBC_VAULT_IMAGE` \| The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) \| `registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master` \|
		\| `VAULT_BASE_URL` \| The Vault server base API url \| _none_ \|
		\| `VAULT_OIDC_AUD` \| The `aud` claim for the JWT \| `$CI_SERVER_URL` \|
		\| `vault-base-url` / `VAULT_BASE_URL` \| The Vault server base API url \| _none_ \|
		\| `vault-oidc-aud` / `VAULT_OIDC_AUD` \| The `aud` claim for the JWT \| `$CI_SERVER_URL` \|
		\| :lock: `VAULT_ROLE_ID` \| The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID \| must be defined \|
		\| :lock: `VAULT_SECRET_ID` \| The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID \| must be defined \|

		@@ -197,7 +222,7 @@ Then you may retrieve any of your secret(s) from Vault using the following synta

		With:

		\| Name \| Description \|
		\| Parameter \| Description \|
		\| -------------------------------- \| -------------------------------------- \|
		\| `secret_path` (_path parameter_) \| this is your secret location in the Vault server \|
		\| `field` (_query parameter_) \| parameter to access a single basic field from the secret JSON payload \|
		@@ -207,19 +232,15 @@ With:
		```yaml
		include:
		# main template
		- project: 'to-be-continuous/defectdojo'
		ref: '2.5.1'
		file: '/templates/gitlab-ci-defectdojo.yml'
		- component: gitlab.com/to-be-continuous/defectdojo/gitlab-ci-defectdojo@2.5.1
		inputs:
		server-url: "https://defectdojo.acme.host" # ⚠ this is only an example
		# Secrets managed by Vault
		api-key: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/defectdojo/credentials?field=token"
		# Vault variant
		- project: 'to-be-continuous/defectdojo'
		ref: '2.5.1'
		file: '/templates/gitlab-ci-defectdojo-vault.yml'

		variables:
		- component: gitlab.com/to-be-continuous/defectdojo/gitlab-ci-defectdojo-vault@2.5.1
		inputs:
		# audience claim for JWT
		VAULT_OIDC_AUD: "https://vault.acme.host"
		# Secrets managed by Vault
		DEFECTDOJO_API_KEY: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/defectdojo/credentials?field=token"
		VAULT_BASE_URL: "https://vault.acme.host/v1"
		# $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable
		vault-oidc-aud: "https://vault.acme.host"
		vault-base-url: "https://vault.acme.host/v1"
		```

bumpversion.sh

+2 −2

Original line number	Diff line number	Diff line
		@@ -27,13 +27,13 @@ if [[ "$curVer" ]]; then
		log_info "Bump version from \\e[33;1m${curVer}\\e[0m to \\e[33;1m${nextVer}\\e[0m (release type: $relType)..."

		# replace in README
		sed -e "s/ref: '$curVer'/ref: '$nextVer'/" README.md > README.md.next
		sed -e "s/ref: '$curVer'/ref: '$nextVer'/" -e "s/ref: \"$curVer\”/ref: \”$nextVer\”/" -e "s/component: $.$@$curVer/component: \1@$nextVer/" README.md > README.md.next
		mv -f README.md.next README.md

		# replace in template and variants
		for tmpl in templates/*.yml
		do
		sed -e "s/\"$curVer\"/\"$nextVer\"/" "$tmpl" > "$tmpl.next"
		sed -e "s/command: \[\"--service\", \"$.$\", \"$curVer\"\]/command: [\"--service\", \"\1\", \"$nextVer\"]/" "$tmpl" > "$tmpl.next"
		mv -f "$tmpl.next" "$tmpl"
		done
		else

kicker.json

+14 −0

Original line number	Diff line number	Diff line
		@@ -3,6 +3,8 @@
		"description": "Import security reports into [DefectDojo](https://www.defectdojo.org/)",
		"template_path": "templates/gitlab-ci-defectdojo.yml",
		"kind": "analyse",
		"prefix": "defectdojo",
		"is_component": true,
		"variables": [
		{
		"name": "DEFECTDOJO_BASE_IMAGE",
		@@ -20,6 +22,12 @@
		"secret": true,
		"mandatory": true
		},
		{
		"name": "DEFECTDOJO_DIR",
		"description": "DefectDojo working directory",
		"default": ".",
		"advanced": true
		},
		{
		"name": "DEFECTDOJO_NOPROD_ENABLED",
		"description": "Determines whether security reports produced in non-production branches are uploaded to DefectDojo",
		@@ -43,6 +51,12 @@
		"default": "Critical,High",
		"advanced": true
		},
		{
		"name": "DEFECTDOJO_BANDIT_REPORTS",
		"description": "path to Bandit JSON reports",
		"default": "bandit*.json reports/py-bandit.bandit.json",
		"advanced": true
		},
		{
		"name": "DEFECTDOJO_DC_REPORTS",
		"description": "Path to Dependency Check reports",

logo.png

+4.68 KiB (6.69 KiB)

Loading image diff...