Integrate Dependency-Check into CircleCI (#1281)
This commit is contained in:
parent
929b62874a
commit
f0c5c09e99
|
@ -2,6 +2,7 @@ version: 2.1
|
|||
orbs:
|
||||
win: circleci/windows@1.0.0
|
||||
aws-s3: circleci/aws-s3@1.0.11
|
||||
owasp: entur/owasp@0.0.10
|
||||
|
||||
executors:
|
||||
wine-chrome:
|
||||
|
@ -115,6 +116,62 @@ jobs:
|
|||
- "node_modules"
|
||||
- "src/node_modules"
|
||||
|
||||
check-deps:
|
||||
parameters:
|
||||
cve_data_directory:
|
||||
type: string
|
||||
default: "~/.owasp/dependency-check-data"
|
||||
working_directory: ~/mattermost/desktop
|
||||
executor: owasp/default
|
||||
environment:
|
||||
version_url: "https://jeremylong.github.io/DependencyCheck/current.txt"
|
||||
executable_url: "https://dl.bintray.com/jeremy-long/owasp/dependency-check-VERSION-release.zip"
|
||||
steps:
|
||||
- checkout
|
||||
- run:
|
||||
name: Link dependency cache
|
||||
command: sudo ln -s ~/mattermost/desktop /root/mattermost-desktop; sudo chmod 777 /root
|
||||
- restore_cache:
|
||||
key: npm-{{ arch }}-{{ .Branch }}-{{ checksum "package-lock.json" }}
|
||||
- restore_cache:
|
||||
key: npm-{{ arch }}-{{ .Branch }}-{{ checksum "src/package-lock.json" }}
|
||||
- run:
|
||||
name: Adjust permissions
|
||||
command: |
|
||||
sudo chown -R `id -nu`:`id -ng` node_modules
|
||||
sudo chown -R `id -nu`:`id -ng` src/node_modules
|
||||
- run:
|
||||
name: Checkout config
|
||||
command: cd .. && git clone https://github.com/mattermost/security-automation-config
|
||||
- run:
|
||||
name: Install Go
|
||||
command: sudo apt-get update && sudo apt-get install golang
|
||||
- owasp/with_commandline:
|
||||
steps:
|
||||
# Taken from https://github.com/entur/owasp-orb/blob/master/src/%40orb.yml#L349-L361
|
||||
- owasp/generate_cache_keys:
|
||||
cache_key: commmandline-default-cache-key-v6
|
||||
- owasp/restore_owasp_cache
|
||||
- run:
|
||||
name: Update OWASP Dependency-Check Database
|
||||
command: ~/.owasp/dependency-check/bin/dependency-check.sh --data << parameters.cve_data_directory >> --updateonly
|
||||
- owasp/store_owasp_cache:
|
||||
cve_data_directory: <<parameters.cve_data_directory>>
|
||||
- run:
|
||||
name: Run OWASP Dependency-Check Analyzer
|
||||
command: |
|
||||
~/.owasp/dependency-check/bin/dependency-check.sh \
|
||||
--data << parameters.cve_data_directory >> --format ALL --noupdate --enableExperimental \
|
||||
--propertyfile ../security-automation-config/dependency-check/dependencycheck.properties \
|
||||
--suppression ../security-automation-config/dependency-check/suppression.xml \
|
||||
--suppression ../security-automation-config/dependency-check/suppression.$CIRCLE_PROJECT_REPONAME.xml \
|
||||
--scan './**/*' || true
|
||||
- owasp/collect_reports:
|
||||
persist_to_workspace: false
|
||||
- run:
|
||||
name: Post results to Mattermost
|
||||
command: go run ../security-automation-config/dependency-check/post_results.go
|
||||
|
||||
build-linux:
|
||||
executor: wine-mono
|
||||
steps:
|
||||
|
@ -339,6 +396,10 @@ workflows:
|
|||
- build-linux:
|
||||
requires:
|
||||
- check
|
||||
- check-deps:
|
||||
context: sast-webhook
|
||||
requires:
|
||||
- build-linux
|
||||
|
||||
- build-win-no-installer:
|
||||
requires:
|
||||
|
|
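Review bot: The `Checkout config` step in the new `check-deps` job clones `security-automation-config` at whatever its default branch currently points to, and the last step executes code from that checkout with `go run` while the workflow gives this job the `sast-webhook` context; pinning the clone to a reviewed ref, e.g. `git clone --depth 1 --branch <PINNED_TAG_OR_COMMIT> https://github.com/mattermost/security-automation-config`, makes the code that can read that context reproducible and auditable. `sudo apt-get install golang` in `Install Go` has no `-y`, so apt will prompt when it pulls in dependencies and is likely to abort on CircleCI's non-interactive stdin; `sudo apt-get install -y golang` is the usual form. `--scan './**/*' || true` hides a crashed analyzer run (missing properties file, bad suppression path) as well as findings, so `Post results to Mattermost` would run against an empty or stale report; if the intent is only not to fail on findings, a comment such as `# || true: report findings without failing the build` should state that, and I believe dependency-check already exits zero on findings unless `--failOnCVSS` is set, which would make the `|| true` unnecessary. `sudo chmod 777 /root` in `Link dependency cache` is broader than the symlink needs; `755` or `chown`-ing the link target would do.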