debian-mirror-gitlab/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml

# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/
#
# Configure the scanning tool through the environment variables.
# List of the variables: https://gitlab.com/gitlab-org/security-products/dependency-scanning#settings
# How to set: https://docs.gitlab.com/ee/ci/yaml/#variables

variables:
  # Setting this variable will affect all Security templates
  # (SAST, Dependency Scanning, ...)
  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"

  # Deprecated, use SECURE_ANALYZERS_PREFIX instead
  DS_ANALYZER_IMAGE_PREFIX: "$SECURE_ANALYZERS_PREFIX"

  DS_DEFAULT_ANALYZERS: "bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python"
  DS_EXCLUDED_PATHS: "spec, test, tests, tmp"
  DS_MAJOR_VERSION: 2
  DS_DISABLE_DIND: "true"

dependency_scanning:
  stage: test
  image: docker:stable
  variables:
    DOCKER_DRIVER: overlay2
    DOCKER_TLS_CERTDIR: ""
  allow_failure: true
  services:
    - docker:stable-dind
  script:
    - |
      if ! docker info &>/dev/null; then
        if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
          export DOCKER_HOST='tcp://localhost:2375'
        fi
      fi
    - | # this is required to avoid undesirable reset of Docker image ENV variables being set on build stage
      function propagate_env_vars() {
        CURRENT_ENV=$(printenv)

        for VAR_NAME; do
          echo $CURRENT_ENV | grep "${VAR_NAME}=" > /dev/null && echo "--env $VAR_NAME "
        done
      }
    - |
      docker run \
        $(propagate_env_vars \
          DS_ANALYZER_IMAGES \
          DS_ANALYZER_IMAGE_PREFIX \
          DS_ANALYZER_IMAGE_TAG \
          DS_DEFAULT_ANALYZERS \
          DS_EXCLUDED_PATHS \
          DS_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \
          DS_PULL_ANALYZER_IMAGE_TIMEOUT \
          DS_RUN_ANALYZER_TIMEOUT \
          DS_PYTHON_VERSION \
          DS_PIP_VERSION \
          DS_PIP_DEPENDENCY_PATH \
          GEMNASIUM_DB_LOCAL_PATH \
          GEMNASIUM_DB_REMOTE_URL \
          GEMNASIUM_DB_REF_NAME \
          PIP_INDEX_URL \
          PIP_EXTRA_INDEX_URL \
          PIP_REQUIREMENTS_FILE \
          MAVEN_CLI_OPTS \
          GRADLE_CLI_OPTS \
          SBT_CLI_OPTS \
          BUNDLER_AUDIT_UPDATE_DISABLED \
          BUNDLER_AUDIT_ADVISORY_DB_URL \
          BUNDLER_AUDIT_ADVISORY_DB_REF_NAME \
          RETIREJS_JS_ADVISORY_DB \
          RETIREJS_NODE_ADVISORY_DB \
          DS_REMEDIATE \
        ) \
        --volume "$PWD:/code" \
        --volume /var/run/docker.sock:/var/run/docker.sock \
        "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$DS_MAJOR_VERSION" /code
  artifacts:
    reports:
      dependency_scanning: gl-dependency-scanning-report.json
  dependencies: []
  rules:
    - if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'true'
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bdependency_scanning\b/

.ds-analyzer:
  extends: dependency_scanning
  services: []
  rules:
    - if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bdependency_scanning\b/
  script:
    - /analyzer run

gemnasium-dependency_scanning:
  extends: .ds-analyzer
  image:
    name: "$DS_ANALYZER_IMAGE_PREFIX/gemnasium:$DS_MAJOR_VERSION"
  rules:
    - if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
          $DS_DEFAULT_ANALYZERS =~ /gemnasium([^-]|$)/
      exists:
        - '{Gemfile.lock,*/Gemfile.lock,*/*/Gemfile.lock}'
        - '{composer.lock,*/composer.lock,*/*/composer.lock}'
        - '{gems.locked,*/gems.locked,*/*/gems.locked}'
        - '{go.sum,*/go.sum,*/*/go.sum}'
        - '{npm-shrinkwrap.json,*/npm-shrinkwrap.json,*/*/npm-shrinkwrap.json}'
        - '{package-lock.json,*/package-lock.json,*/*/package-lock.json}'
        - '{yarn.lock,*/yarn.lock,*/*/yarn.lock}'

gemnasium-maven-dependency_scanning:
  extends: .ds-analyzer
  image:
    name: "$DS_ANALYZER_IMAGE_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION"
  rules:
    - if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
          $DS_DEFAULT_ANALYZERS =~ /gemnasium-maven/
      exists:
        - '{build.gradle,*/build.gradle,*/*/build.gradle}'
        - '{build.gradle.kts,*/build.gradle.kts,*/*/build.gradle.kts}'
        - '{build.sbt,*/build.sbt,*/*/build.sbt}'
        - '{pom.xml,*/pom.xml,*/*/pom.xml}'

gemnasium-python-dependency_scanning:
  extends: .ds-analyzer
  image:
    name: "$DS_ANALYZER_IMAGE_PREFIX/gemnasium-python:$DS_MAJOR_VERSION"
  rules:
    - if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
          $DS_DEFAULT_ANALYZERS =~ /gemnasium-python/
      exists:
        - '{requirements.txt,*/requirements.txt,*/*/requirements.txt}'
        - '{requirements.pip,*/requirements.pip,*/*/requirements.pip}'
        - '{Pipfile,*/Pipfile,*/*/Pipfile}'
        - '{requires.txt,*/requires.txt,*/*/requires.txt}'
        - '{setup.py,*/setup.py,*/*/setup.py}'
      # Support passing of $PIP_REQUIREMENTS_FILE
      # See https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#configuring-specific-analyzers-used-by-dependency-scanning
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
          $DS_DEFAULT_ANALYZERS =~ /gemnasium-python/ &&
          $PIP_REQUIREMENTS_FILE

bundler-audit-dependency_scanning:
  extends: .ds-analyzer
  image:
    name: "$DS_ANALYZER_IMAGE_PREFIX/bundler-audit:$DS_MAJOR_VERSION"
  rules:
    - if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
          $DS_DEFAULT_ANALYZERS =~ /bundler-audit/
      exists:
        - '{Gemfile.lock,*/Gemfile.lock,*/*/Gemfile.lock}'

retire-js-dependency_scanning:
  extends: .ds-analyzer
  image:
    name: "$DS_ANALYZER_IMAGE_PREFIX/retire.js:$DS_MAJOR_VERSION"
  rules:
    - if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
          $DS_DEFAULT_ANALYZERS =~ /retire.js/
      exists:
        - '{package.json,*/package.json,*/*/package.json}'
New upstream version 12.3.8 2019-12-04 20:38:33 +05:30			`# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/`
New upstream version 11.10.8+dfsg 2019-07-07 11:18:12 +05:30			`#`
			`# Configure the scanning tool through the environment variables.`
			`# List of the variables: https://gitlab.com/gitlab-org/security-products/dependency-scanning#settings`
			`# How to set: https://docs.gitlab.com/ee/ci/yaml/#variables`

New upstream version 12.5.4 2019-12-26 22:10:19 +05:30			`variables:`
New upstream version 13.0.0 2020-05-24 23:13:21 +05:30			`# Setting this variable will affect all Security templates`
			`# (SAST, Dependency Scanning, ...)`
			`SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"`

			`# Deprecated, use SECURE_ANALYZERS_PREFIX instead`
			`DS_ANALYZER_IMAGE_PREFIX: "$SECURE_ANALYZERS_PREFIX"`

New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`DS_DEFAULT_ANALYZERS: "bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python"`
New upstream version 13.1.0 2020-06-23 00:09:42 +05:30			`DS_EXCLUDED_PATHS: "spec, test, tests, tmp"`
New upstream version 12.5.4 2019-12-26 22:10:19 +05:30			`DS_MAJOR_VERSION: 2`
New upstream version 13.0.0 2020-05-24 23:13:21 +05:30			`DS_DISABLE_DIND: "true"`
New upstream version 12.5.4 2019-12-26 22:10:19 +05:30
New upstream version 11.10.8+dfsg 2019-07-07 11:18:12 +05:30			`dependency_scanning:`
			`stage: test`
			`image: docker:stable`
			`variables:`
			`DOCKER_DRIVER: overlay2`
New upstream version 12.1.11 2019-09-30 21:07:59 +05:30			`DOCKER_TLS_CERTDIR: ""`
New upstream version 11.10.8+dfsg 2019-07-07 11:18:12 +05:30			`allow_failure: true`
			`services:`
			`- docker:stable-dind`
			`script:`
			`- \|`
			`if ! docker info &>/dev/null; then`
			`if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then`
			`export DOCKER_HOST='tcp://localhost:2375'`
			`fi`
			`fi`
New upstream version 11.11.7+dfsg 2019-07-31 22:56:46 +05:30			`- \| # this is required to avoid undesirable reset of Docker image ENV variables being set on build stage`
			`function propagate_env_vars() {`
			`CURRENT_ENV=$(printenv)`

			`for VAR_NAME; do`
			`echo $CURRENT_ENV \| grep "${VAR_NAME}=" > /dev/null && echo "--env $VAR_NAME "`
			`done`
			`}`
New upstream version 11.10.8+dfsg 2019-07-07 11:18:12 +05:30			`- \|`
			`docker run \`
New upstream version 11.11.7+dfsg 2019-07-31 22:56:46 +05:30			`$(propagate_env_vars \`
			`DS_ANALYZER_IMAGES \`
			`DS_ANALYZER_IMAGE_PREFIX \`
			`DS_ANALYZER_IMAGE_TAG \`
			`DS_DEFAULT_ANALYZERS \`
			`DS_EXCLUDED_PATHS \`
			`DS_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \`
			`DS_PULL_ANALYZER_IMAGE_TIMEOUT \`
			`DS_RUN_ANALYZER_TIMEOUT \`
New upstream version 12.1.11 2019-09-30 21:07:59 +05:30			`DS_PYTHON_VERSION \`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`DS_PIP_VERSION \`
New upstream version 12.2.8 2019-10-12 21:52:04 +05:30			`DS_PIP_DEPENDENCY_PATH \`
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`GEMNASIUM_DB_LOCAL_PATH \`
			`GEMNASIUM_DB_REMOTE_URL \`
			`GEMNASIUM_DB_REF_NAME \`
New upstream version 12.1.11 2019-09-30 21:07:59 +05:30			`PIP_INDEX_URL \`
			`PIP_EXTRA_INDEX_URL \`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`PIP_REQUIREMENTS_FILE \`
New upstream version 12.5.4 2019-12-26 22:10:19 +05:30			`MAVEN_CLI_OPTS \`
New upstream version 12.10.0 2020-04-22 19:07:51 +05:30			`GRADLE_CLI_OPTS \`
			`SBT_CLI_OPTS \`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`BUNDLER_AUDIT_UPDATE_DISABLED \`
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`BUNDLER_AUDIT_ADVISORY_DB_URL \`
			`BUNDLER_AUDIT_ADVISORY_DB_REF_NAME \`
New upstream version 12.9.2 2020-04-08 14:13:33 +05:30			`RETIREJS_JS_ADVISORY_DB \`
			`RETIREJS_NODE_ADVISORY_DB \`
New upstream version 12.10.0 2020-04-22 19:07:51 +05:30			`DS_REMEDIATE \`
New upstream version 11.11.7+dfsg 2019-07-31 22:56:46 +05:30			`) \`
New upstream version 11.10.8+dfsg 2019-07-07 11:18:12 +05:30			`--volume "$PWD:/code" \`
			`--volume /var/run/docker.sock:/var/run/docker.sock \`
New upstream version 13.0.0 2020-05-24 23:13:21 +05:30			`"registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$DS_MAJOR_VERSION" /code`
New upstream version 11.10.8+dfsg 2019-07-07 11:18:12 +05:30			`artifacts:`
			`reports:`
			`dependency_scanning: gl-dependency-scanning-report.json`
			`dependencies: []`
New upstream version 13.0.0 2020-05-24 23:13:21 +05:30			`rules:`
			`- if: $DEPENDENCY_SCANNING_DISABLED \|\| $DS_DISABLE_DIND == 'true'`
			`when: never`
			`- if: $CI_COMMIT_BRANCH &&`
			`$GITLAB_FEATURES =~ /\bdependency_scanning\b/`
New upstream version 12.5.4 2019-12-26 22:10:19 +05:30
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`.ds-analyzer:`
New upstream version 12.5.4 2019-12-26 22:10:19 +05:30			`extends: dependency_scanning`
			`services: []`
New upstream version 13.0.0 2020-05-24 23:13:21 +05:30			`rules:`
			`- if: $DEPENDENCY_SCANNING_DISABLED \|\| $DS_DISABLE_DIND == 'false'`
			`when: never`
			`- if: $CI_COMMIT_BRANCH &&`
			`$GITLAB_FEATURES =~ /\bdependency_scanning\b/`
New upstream version 12.5.4 2019-12-26 22:10:19 +05:30			`script:`
			`- /analyzer run`

			`gemnasium-dependency_scanning:`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`extends: .ds-analyzer`
New upstream version 12.5.4 2019-12-26 22:10:19 +05:30			`image:`
			`name: "$DS_ANALYZER_IMAGE_PREFIX/gemnasium:$DS_MAJOR_VERSION"`
New upstream version 13.0.0 2020-05-24 23:13:21 +05:30			`rules:`
			`- if: $DEPENDENCY_SCANNING_DISABLED \|\| $DS_DISABLE_DIND == 'false'`
			`when: never`
			`- if: $CI_COMMIT_BRANCH &&`
			`$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&`
			`$DS_DEFAULT_ANALYZERS =~ /gemnasium([^-]\|$)/`
			`exists:`
			`- '{Gemfile.lock,/Gemfile.lock,/*/Gemfile.lock}'`
			`- '{composer.lock,/composer.lock,/*/composer.lock}'`
			`- '{gems.locked,/gems.locked,/*/gems.locked}'`
			`- '{go.sum,/go.sum,/*/go.sum}'`
			`- '{npm-shrinkwrap.json,/npm-shrinkwrap.json,/*/npm-shrinkwrap.json}'`
			`- '{package-lock.json,/package-lock.json,/*/package-lock.json}'`
			`- '{yarn.lock,/yarn.lock,/*/yarn.lock}'`
New upstream version 12.5.4 2019-12-26 22:10:19 +05:30
			`gemnasium-maven-dependency_scanning:`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`extends: .ds-analyzer`
New upstream version 12.5.4 2019-12-26 22:10:19 +05:30			`image:`
			`name: "$DS_ANALYZER_IMAGE_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION"`
New upstream version 13.0.0 2020-05-24 23:13:21 +05:30			`rules:`
			`- if: $DEPENDENCY_SCANNING_DISABLED \|\| $DS_DISABLE_DIND == 'false'`
			`when: never`
			`- if: $CI_COMMIT_BRANCH &&`
			`$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&`
			`$DS_DEFAULT_ANALYZERS =~ /gemnasium-maven/`
			`exists:`
			`- '{build.gradle,/build.gradle,/*/build.gradle}'`
New upstream version 13.1.0 2020-06-23 00:09:42 +05:30			`- '{build.gradle.kts,/build.gradle.kts,/*/build.gradle.kts}'`
New upstream version 13.0.0 2020-05-24 23:13:21 +05:30			`- '{build.sbt,/build.sbt,/*/build.sbt}'`
			`- '{pom.xml,/pom.xml,/*/pom.xml}'`
New upstream version 12.5.4 2019-12-26 22:10:19 +05:30
			`gemnasium-python-dependency_scanning:`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`extends: .ds-analyzer`
New upstream version 12.5.4 2019-12-26 22:10:19 +05:30			`image:`
			`name: "$DS_ANALYZER_IMAGE_PREFIX/gemnasium-python:$DS_MAJOR_VERSION"`
New upstream version 13.0.0 2020-05-24 23:13:21 +05:30			`rules:`
			`- if: $DEPENDENCY_SCANNING_DISABLED \|\| $DS_DISABLE_DIND == 'false'`
			`when: never`
			`- if: $CI_COMMIT_BRANCH &&`
			`$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&`
			`$DS_DEFAULT_ANALYZERS =~ /gemnasium-python/`
			`exists:`
			`- '{requirements.txt,/requirements.txt,/*/requirements.txt}'`
			`- '{requirements.pip,/requirements.pip,/*/requirements.pip}'`
			`- '{Pipfile,/Pipfile,/*/Pipfile}'`
			`- '{requires.txt,/requires.txt,/*/requires.txt}'`
			`- '{setup.py,/setup.py,/*/setup.py}'`
			`# Support passing of $PIP_REQUIREMENTS_FILE`
			`# See https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#configuring-specific-analyzers-used-by-dependency-scanning`
			`- if: $CI_COMMIT_BRANCH &&`
			`$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&`
			`$DS_DEFAULT_ANALYZERS =~ /gemnasium-python/ &&`
			`$PIP_REQUIREMENTS_FILE`
New upstream version 12.5.4 2019-12-26 22:10:19 +05:30
			`bundler-audit-dependency_scanning:`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`extends: .ds-analyzer`
New upstream version 12.5.4 2019-12-26 22:10:19 +05:30			`image:`
			`name: "$DS_ANALYZER_IMAGE_PREFIX/bundler-audit:$DS_MAJOR_VERSION"`
New upstream version 13.0.0 2020-05-24 23:13:21 +05:30			`rules:`
			`- if: $DEPENDENCY_SCANNING_DISABLED \|\| $DS_DISABLE_DIND == 'false'`
			`when: never`
			`- if: $CI_COMMIT_BRANCH &&`
			`$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&`
			`$DS_DEFAULT_ANALYZERS =~ /bundler-audit/`
			`exists:`
			`- '{Gemfile.lock,/Gemfile.lock,/*/Gemfile.lock}'`
New upstream version 12.5.4 2019-12-26 22:10:19 +05:30
			`retire-js-dependency_scanning:`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`extends: .ds-analyzer`
New upstream version 12.5.4 2019-12-26 22:10:19 +05:30			`image:`
			`name: "$DS_ANALYZER_IMAGE_PREFIX/retire.js:$DS_MAJOR_VERSION"`
New upstream version 13.0.0 2020-05-24 23:13:21 +05:30			`rules:`
			`- if: $DEPENDENCY_SCANNING_DISABLED \|\| $DS_DISABLE_DIND == 'false'`
			`when: never`
			`- if: $CI_COMMIT_BRANCH &&`
			`$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&`
			`$DS_DEFAULT_ANALYZERS =~ /retire.js/`
			`exists:`
			`- '{package.json,/package.json,/*/package.json}'`