phlux/mattermostest
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Integrate Dependency-Check into CircleCI (#1281)

Browse Source
This commit is contained in:
Juho Nurminen
2020-05-26 10:59:44 +03:00
committed by GitHub
parent 929b62874a
commit f0c5c09e99
1 changed files with 61 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

61
.circleci/config.yml
View File

@@ -2,6 +2,7 @@ version: 2.1
orbs: orbs:
win: circleci/windows@1.0.0 win: circleci/windows@1.0.0
aws-s3: circleci/aws-s3@1.0.11 aws-s3: circleci/aws-s3@1.0.11
owasp: entur/owasp@0.0.10
executors: executors:
wine-chrome: wine-chrome:
@@ -115,6 +116,62 @@ jobs:
- "node_modules" - "node_modules"
- "src/node_modules" - "src/node_modules"
check-deps:
parameters:
cve_data_directory:
type: string
default: "~/.owasp/dependency-check-data"
working_directory: ~/mattermost/desktop
executor: owasp/default
environment:
version_url: "https://jeremylong.github.io/DependencyCheck/current.txt"
executable_url: "https://dl.bintray.com/jeremy-long/owasp/dependency-check-VERSION-release.zip"
steps:
- checkout
- run:
name: Link dependency cache
command: sudo ln -s ~/mattermost/desktop /root/mattermost-desktop; sudo chmod 777 /root
- restore_cache:
key: npm-{{ arch }}-{{ .Branch }}-{{ checksum "package-lock.json" }}
- restore_cache:
key: npm-{{ arch }}-{{ .Branch }}-{{ checksum "src/package-lock.json" }}
- run:
name: Adjust permissions
command: |
sudo chown -R `id -nu`:`id -ng` node_modules
sudo chown -R `id -nu`:`id -ng` src/node_modules
- run:
name: Checkout config
command: cd .. && git clone https://github.com/mattermost/security-automation-config
- run:
name: Install Go
command: sudo apt-get update && sudo apt-get install golang
- owasp/with_commandline:
steps:
# Taken from https://github.com/entur/owasp-orb/blob/master/src/%40orb.yml#L349-L361
- owasp/generate_cache_keys:
cache_key: commmandline-default-cache-key-v6
- owasp/restore_owasp_cache
- run:
name: Update OWASP Dependency-Check Database
command: ~/.owasp/dependency-check/bin/dependency-check.sh --data << parameters.cve_data_directory >> --updateonly
- owasp/store_owasp_cache:
cve_data_directory: <<parameters.cve_data_directory>>
- run:
name: Run OWASP Dependency-Check Analyzer
command: |
~/.owasp/dependency-check/bin/dependency-check.sh \
--data << parameters.cve_data_directory >> --format ALL --noupdate --enableExperimental \
--propertyfile ../security-automation-config/dependency-check/dependencycheck.properties \
--suppression ../security-automation-config/dependency-check/suppression.xml \
--suppression ../security-automation-config/dependency-check/suppression.$CIRCLE_PROJECT_REPONAME.xml \
--scan './**/*' || true
- owasp/collect_reports:
persist_to_workspace: false
- run:
name: Post results to Mattermost
command: go run ../security-automation-config/dependency-check/post_results.go
build-linux: build-linux:
executor: wine-mono executor: wine-mono
steps: steps:
@@ -339,6 +396,10 @@ workflows:
- build-linux: - build-linux:
requires: requires:
- check - check
- check-deps:
context: sast-webhook
requires:
- build-linux
- build-win-no-installer: - build-win-no-installer:
requires: requires: