From 444d24d09112089c86c38c0e8effdf676b1a4897 Mon Sep 17 00:00:00 2001 From: Jaime Martinez Date: Mon, 10 Aug 2020 13:28:01 +1000 Subject: [PATCH 1/4] Override dependency_scanning to run on MRs (cherry picked from commit 7409b7856d8afd26a6ca646db4501c15fe4bcdc4) --- .gitlab-ci.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 0e121cb2b..a6098fbe3 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -60,6 +60,12 @@ license_scanning: - if: $CI_COMMIT_BRANCH == 'master' when: on_success +dependency_scanning: + stage: prepare + rules: + - if: '$CI_MERGE_REQUEST_ID' + - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH' + # disable eslint-sast since html files are fixtures for testing eslint-sast: rules: -- GitLab From 2498440a5ea75b1aff98213b0e4226d02e08b540 Mon Sep 17 00:00:00 2001 From: Jaime Martinez Date: Mon, 10 Aug 2020 13:43:35 +1000 Subject: [PATCH 2/4] Move scanners and tests into their own file Include local stage files --- .gitlab-ci.yml | 129 ++--------------------------------------- .gitlab/ci/prepare.yml | 48 +++++++++++++++ .gitlab/ci/test.yml | 72 +++++++++++++++++++++++ 3 files changed, 124 insertions(+), 125 deletions(-) create mode 100644 .gitlab/ci/prepare.yml create mode 100644 .gitlab/ci/test.yml diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index a6098fbe3..08a5a6411 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,8 +1,3 @@ -include: - - template: Security/License-Scanning.gitlab-ci.yml - - template: Security/SAST.gitlab-ci.yml - - template: Security/Dependency-Scanning.gitlab-ci.yml - stages: - prepare - test @@ -19,6 +14,10 @@ workflow: - if: '$CI_COMMIT_BRANCH =~ /^[\d-]+-stable(-ee)?$/' - if: '$CI_COMMIT_BRANCH =~ /^security\//' +include: + - local: .gitlab/ci/prepare.yml + - local: .gitlab/ci/test.yml + default: image: golang:1.13 tags: 
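Review bot: The new `dependency_scanning` job gates the default branch on `$CI_DEFAULT_BRANCH` while the `license_scanning` job in the hunk's context compares against the literal `'master'`, so the two scanners silently diverge if the default branch is ever renamed; pick one form for both, e.g. `- if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'` in `license_scanning` too. Because `rules` is an array, this override replaces the included `Security/Dependency-Scanning.gitlab-ci.yml` job's rules wholesale rather than merging with them, so any disable variable or feature gate the template defines no longer applies — the template is not visible in this diff, so confirm the opt-out still behaves as expected before relying on it. With only these two rules the scanner also does not run on tag, stable or `security/` branch pipelines even though the surrounding jobs run there; the rest of the job list continues outside the hunk.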
@@ -32,123 +31,3 @@ default: cache: paths: - .GOPATH/pkg/mod/ - -.tests: - extends: .go-mod-cache - stage: test - tags: - - gitlab-org-docker - needs: ['download deps'] - script: - - echo "Running all tests without daemonizing..." - - make test - - echo "Running just the acceptance tests daemonized (tmpdir)...." - - TEST_DAEMONIZE=tmpdir make acceptance - - echo "Running just the acceptance tests daemonized (inplace)...." - - TEST_DAEMONIZE=inplace make acceptance - artifacts: - paths: - - bin/gitlab-pages - -license_scanning: - stage: prepare - variables: - LICENSE_MANAGEMENT_SETUP_CMD: go mod vendor - rules: - - if: $CI_MERGE_REQUEST_ID - when: on_success - - if: $CI_COMMIT_BRANCH == 'master' - when: on_success - -dependency_scanning: - stage: prepare - rules: - - if: '$CI_MERGE_REQUEST_ID' - - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH' - -# disable eslint-sast since html files are fixtures for testing -eslint-sast: - rules: - - when: never - -secrets-sast: - stage: prepare - rules: - - if: $CI_MERGE_REQUEST_ID - when: on_success - - if: $CI_COMMIT_BRANCH == 'master' - when: on_success - -gosec-sast: - stage: prepare - rules: - - if: $CI_MERGE_REQUEST_ID - when: on_success - - if: $CI_COMMIT_BRANCH == 'master' - when: on_success - -download deps: - extends: .go-mod-cache - stage: prepare - script: - - make deps-download - artifacts: - paths: - - go.mod - - go.sum - -cover: - extends: .go-mod-cache - stage: test - needs: ['download deps'] - script: - - make setup - - make generate-mocks - - make cover - coverage: '/total:.+\(statements\).+\d+\.\d+/' - artifacts: - paths: - - coverage.html - -code_quality: - stage: test - needs: ['download deps'] - extends: .go-mod-cache - image: golangci/golangci-lint:v1.27.0 - variables: - REPORT_FILE: gl-code-quality-report.json - LINT_FLAGS: "--color never --deadline 15m" - OUT_FORMAT: code-climate - script: - - golangci-lint run ./... 
--out-format ${OUT_FORMAT} ${LINT_FLAGS} | tee ${REPORT_FILE} - timeout: 15 minutes - artifacts: - reports: - codequality: ${REPORT_FILE} - paths: - - ${REPORT_FILE} - -test:1.13: - extends: .tests - image: golang:1.13 - -test:1.14: - extends: .tests - image: golang:1.14 - -race: - extends: .go-mod-cache - stage: test - tags: - - gitlab-org-docker - needs: ['download deps'] - script: - - echo "Running race detector" - - make race - -check deps: - extends: .go-mod-cache - stage: test - needs: ['download deps'] - script: - - make deps-check diff --git a/.gitlab/ci/prepare.yml b/.gitlab/ci/prepare.yml new file mode 100644 index 000000000..330829840 --- /dev/null +++ b/.gitlab/ci/prepare.yml @@ -0,0 +1,48 @@ +include: + - template: Security/License-Scanning.gitlab-ci.yml + - template: Security/SAST.gitlab-ci.yml + - template: Security/Dependency-Scanning.gitlab-ci.yml + +# workflow rules are not extended by scanner jobs +# TODO: remove when https://gitlab.com/gitlab-org/gitlab/-/issues/218444 is done +.rules-for-scanners: + stage: prepare + rules: + # For merge requests, create a pipeline. + - if: '$CI_MERGE_REQUEST_IID' + # For `master` branch, create a pipeline (this includes on schedules, pushes, merges, etc.). + - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH' + # For tags, create a pipeline. + - if: '$CI_COMMIT_TAG' + # For stable, and security branches, create a pipeline. + - if: '$CI_COMMIT_BRANCH =~ /^[\d-]+-stable(-ee)?$/' + - if: '$CI_COMMIT_BRANCH =~ /^security\//' + +license_scanning: + variables: + LICENSE_MANAGEMENT_SETUP_CMD: go mod vendor + extends: .rules-for-scanners + +dependency_scanning: + extends: .rules-for-scanners + +# disable eslint-sast since html files are fixtures for testing +eslint-sast: + rules: + - when: never + +secrets-sast: + extends: .rules-for-scanners + +gosec-sast: + extends: .rules-for-scanners + +download deps: + extends: .go-mod-cache + stage: prepare + script: + - make deps-download + artifacts: + paths: + - go.mod + - go.sum 
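Review bot: The scanner overrides (`license_scanning`, `dependency_scanning`, `secrets-sast`, `gosec-sast`) inherit `rules:` from `.rules-for-scanners`, and since `rules` is an array the inherited list replaces the templates' own rules instead of merging, so whatever disable variable or feature gate the `Security/*` templates ship is dropped — the templates are not shown here, so verify that a `*_DISABLED` variable still works before documenting it. `.rules-for-scanners` is a hand copy of the `workflow:` rules in `.gitlab-ci.yml`, and the file should say so next to the TODO, e.g. `# keep in sync with workflow.rules in .gitlab-ci.yml`, so the two lists are updated together. `eslint-sast` is disabled outright with `when: never` because the HTML files are fixtures; if real JavaScript is ever added to the repo this becomes a blind spot, so a `changes:`-scoped rule would be a safer shape than a blanket disable.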
diff --git a/.gitlab/ci/test.yml b/.gitlab/ci/test.yml new file mode 100644 index 000000000..8c4e757b5 --- /dev/null +++ b/.gitlab/ci/test.yml @@ -0,0 +1,72 @@ +.tests: + extends: .go-mod-cache + stage: test + tags: + - gitlab-org-docker + needs: ['download deps'] + script: + - echo "Running all tests without daemonizing..." + - make test + - echo "Running just the acceptance tests daemonized (tmpdir)...." + - TEST_DAEMONIZE=tmpdir make acceptance + - echo "Running just the acceptance tests daemonized (inplace)...." + - TEST_DAEMONIZE=inplace make acceptance + artifacts: + paths: + - bin/gitlab-pages + +test:1.13: + extends: .tests + image: golang:1.13 + +test:1.14: + extends: .tests + image: golang:1.14 + +race: + extends: .go-mod-cache + stage: test + needs: ['download deps'] + tags: + - gitlab-org-docker + script: + - echo "Running race detector" + - make race + +cover: + stage: test + extends: .go-mod-cache + needs: ['download deps'] + script: + - make setup + - make generate-mocks + - make cover + coverage: '/total:.+\(statements\).+\d+\.\d+/' + artifacts: + paths: + - coverage.html + +code_quality: + stage: test + extends: .go-mod-cache + needs: ['download deps'] + image: golangci/golangci-lint:v1.27.0 + variables: + REPORT_FILE: gl-code-quality-report.json + LINT_FLAGS: "--color never --deadline 15m" + OUT_FORMAT: code-climate + script: + - golangci-lint run ./... --out-format ${OUT_FORMAT} ${LINT_FLAGS} | tee ${REPORT_FILE} + timeout: 15 minutes + artifacts: + reports: + codequality: ${REPORT_FILE} + paths: + - ${REPORT_FILE} + +check deps: + stage: test + extends: .go-mod-cache + needs: ['download deps'] + script: + - make deps-check -- GitLab From 69b756610687752929b98ee681495a99a199bb6c Mon Sep 17 00:00:00 2001 From: Jaime Martinez Date: Mon, 10 Aug 2020 13:59:14 +1000 Subject: [PATCH 3/4] Add rules to each scanner job --- .gitlab/ci/prepare.yml | 55 ++++++++++++++++++++++++++++++++---------- 1 file changed, 42 insertions(+), 13 deletions(-) 
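Review bot: `code_quality` pulls `golangci/golangci-lint:v1.27.0` by tag, and tags are mutable, so the lint toolchain can change underneath the pipeline without any diff in this repo; pin it by digest, `image: golangci/golangci-lint:v1.27.0@sha256:<digest>`, with the digest taken from the registry at pin time. In the same job the linter's output is piped through `tee ${REPORT_FILE}`, so whether a non-zero golangci-lint exit still fails the job depends on the runner shell having `pipefail` set — if this job is meant to block on findings, verify that on the runner or write the report to a file via a second `--out-format` and `cat` it afterwards. `LINT_FLAGS` sets `--deadline 15m` equal to the job's `timeout: 15 minutes`, so the job timeout will fire before golangci-lint's own deadline message ever appears; a shorter deadline makes the failure mode clearer.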
diff --git a/.gitlab/ci/prepare.yml b/.gitlab/ci/prepare.yml index 330829840..2666d6ba5 100644 --- a/.gitlab/ci/prepare.yml +++ b/.gitlab/ci/prepare.yml @@ -3,10 +3,13 @@ include: - template: Security/SAST.gitlab-ci.yml - template: Security/Dependency-Scanning.gitlab-ci.yml -# workflow rules are not extended by scanner jobs +# workflow rules are not extended by scanner jobs, need to override them manually # TODO: remove when https://gitlab.com/gitlab-org/gitlab/-/issues/218444 is done -.rules-for-scanners: + +license_scanning: stage: prepare + variables: + LICENSE_MANAGEMENT_SETUP_CMD: go mod vendor rules: # For merge requests, create a pipeline. - if: '$CI_MERGE_REQUEST_IID' 
@@ -18,24 +21,50 @@ include: - if: '$CI_COMMIT_BRANCH =~ /^[\d-]+-stable(-ee)?$/' - if: '$CI_COMMIT_BRANCH =~ /^security\//' -license_scanning: - variables: - LICENSE_MANAGEMENT_SETUP_CMD: go mod vendor - extends: .rules-for-scanners dependency_scanning: - extends: .rules-for-scanners - -# disable eslint-sast since html files are fixtures for testing -eslint-sast: + stage: prepare rules: - - when: never + # For merge requests, create a pipeline. + - if: '$CI_MERGE_REQUEST_IID' + # For `master` branch, create a pipeline (this includes on schedules, pushes, merges, etc.). + - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH' + # For tags, create a pipeline. + - if: '$CI_COMMIT_TAG' + # For stable, and security branches, create a pipeline. + - if: '$CI_COMMIT_BRANCH =~ /^[\d-]+-stable(-ee)?$/' + - if: '$CI_COMMIT_BRANCH =~ /^security\//' secrets-sast: - extends: .rules-for-scanners + stage: prepare + rules: + # For merge requests, create a pipeline. + - if: '$CI_MERGE_REQUEST_IID' + # For `master` branch, create a pipeline (this includes on schedules, pushes, merges, etc.). + - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH' + # For tags, create a pipeline. + - if: '$CI_COMMIT_TAG' + # For stable, and security branches, create a pipeline. + - if: '$CI_COMMIT_BRANCH =~ /^[\d-]+-stable(-ee)?$/' + - if: '$CI_COMMIT_BRANCH =~ /^security\//' gosec-sast: - extends: .rules-for-scanners + stage: prepare + rules: + # For merge requests, create a pipeline. + - if: '$CI_MERGE_REQUEST_IID' + # For `master` branch, create a pipeline (this includes on schedules, pushes, merges, etc.). + - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH' + # For tags, create a pipeline. + - if: '$CI_COMMIT_TAG' + # For stable, and security branches, create a pipeline. 
+ - if: '$CI_COMMIT_BRANCH =~ /^[\d-]+-stable(-ee)?$/' + - if: '$CI_COMMIT_BRANCH =~ /^security\//' + +# disable eslint-sast since html files are fixtures for testing +eslint-sast: + rules: + - when: never download deps: extends: .go-mod-cache -- GitLab From c25cef21485d411ebc3e163c5babe70a011bffa3 Mon Sep 17 00:00:00 2001 From: Jaime Martinez Date: Mon, 24 Aug 2020 09:39:29 +1000 Subject: [PATCH 4/4] Use rules from reference --- .gitlab/ci/prepare.yml | 45 +++++++++--------------------------------- 1 file changed, 9 insertions(+), 36 deletions(-) diff --git a/.gitlab/ci/prepare.yml b/.gitlab/ci/prepare.yml index 2666d6ba5..ef438a0b6 100644 --- a/.gitlab/ci/prepare.yml +++ b/.gitlab/ci/prepare.yml @@ -6,10 +6,8 @@ include: # workflow rules are not extended by scanner jobs, need to override them manually # TODO: remove when https://gitlab.com/gitlab-org/gitlab/-/issues/218444 is done -license_scanning: +.rules-for-scanners: &rules-for-scanners stage: prepare - variables: - LICENSE_MANAGEMENT_SETUP_CMD: go mod vendor rules: # For merge requests, create a pipeline. - if: '$CI_MERGE_REQUEST_IID' 
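Review bot: The five-rule block is now duplicated verbatim into `dependency_scanning`, `secrets-sast` and `gosec-sast` (and into `license_scanning` in the previous hunk), so any future change to the workflow rules has to be applied in four places plus `.gitlab-ci.yml`, and the copies will drift; a single hidden job with a YAML anchor (`.rules-for-scanners: &rules-for-scanners`) merged into each scanner with `<<: *rules-for-scanners` keeps one source inside this file. If `extends:` on the template jobs did not apply the rules as expected, that is worth stating in the comment above the jobs, because the TODO only says workflow rules are not inherited. The `download deps` job at the end of the hunk continues outside it.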
@@ -21,45 +19,20 @@ license_scanning: - if: '$CI_COMMIT_BRANCH =~ /^[\d-]+-stable(-ee)?$/' - if: '$CI_COMMIT_BRANCH =~ /^security\//' +license_scanning: + <<: *rules-for-scanners + variables: + LICENSE_MANAGEMENT_SETUP_CMD: go mod vendor + dependency_scanning: - stage: prepare - rules: - # For merge requests, create a pipeline. - - if: '$CI_MERGE_REQUEST_IID' - # For `master` branch, create a pipeline (this includes on schedules, pushes, merges, etc.). - - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH' - # For tags, create a pipeline. - - if: '$CI_COMMIT_TAG' - # For stable, and security branches, create a pipeline. - - if: '$CI_COMMIT_BRANCH =~ /^[\d-]+-stable(-ee)?$/' - - if: '$CI_COMMIT_BRANCH =~ /^security\//' + <<: *rules-for-scanners secrets-sast: - stage: prepare - rules: - # For merge requests, create a pipeline. - - if: '$CI_MERGE_REQUEST_IID' - # For `master` branch, create a pipeline (this includes on schedules, pushes, merges, etc.). - - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH' - # For tags, create a pipeline. - - if: '$CI_COMMIT_TAG' - # For stable, and security branches, create a pipeline. - - if: '$CI_COMMIT_BRANCH =~ /^[\d-]+-stable(-ee)?$/' - - if: '$CI_COMMIT_BRANCH =~ /^security\//' + <<: *rules-for-scanners gosec-sast: - stage: prepare - rules: - # For merge requests, create a pipeline. - - if: '$CI_MERGE_REQUEST_IID' - # For `master` branch, create a pipeline (this includes on schedules, pushes, merges, etc.). - - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH' - # For tags, create a pipeline. - - if: '$CI_COMMIT_TAG' - # For stable, and security branches, create a pipeline. - - if: '$CI_COMMIT_BRANCH =~ /^[\d-]+-stable(-ee)?$/' - - if: '$CI_COMMIT_BRANCH =~ /^security\//' + <<: *rules-for-scanners # disable eslint-sast since html files are fixtures for testing eslint-sast: -- GitLab
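Review bot: `<<: *rules-for-scanners` is a YAML 1.1 merge key — accepted by GitLab's parser, but shallow and only valid within one file — so these overrides can no longer be split across further `include:`d files without converting back to `extends:`, and a one-line comment above `.rules-for-scanners` recording why the anchor form replaced the `extends:` form used earlier in this series would save the next reader a bisect. Since the merged `rules` array replaces the template jobs' own rules outright, the existing comment should state that explicitly, e.g. `# NOTE: replaces the template rules entirely; template opt-out variables do not apply here` — the templates are not visible in this diff, so confirm that wording against them. The `eslint-sast` job at the end of the hunk continues outside it.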