Commit 4270e89d authored by Lin Jen-Shin's avatar Lin Jen-Shin

Merge branch 'mc_rocha-change-dast-scan-template-327070' into 'master'

Update DAST On-Demand Scan Template

See merge request gitlab-org/gitlab!73564
parents d31b218a 8f13ed95
---
name: dast_api_scanner
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/73564
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/345837
milestone: '14.7'
type: development
group: group::dynamic analysis
default_enabled: false
...@@ -44,13 +44,25 @@ module AppSec ...@@ -44,13 +44,25 @@ module AppSec
def ci_configuration def ci_configuration
{ {
'stages' => [STAGE_NAME], 'stages' => [STAGE_NAME],
'include' => [{ 'template' => 'Security/DAST-On-Demand-Scan.gitlab-ci.yml' }], 'include' => [{ 'template' => dast_template }],
'dast' => { 'dast' => {
'dast_configuration' => { 'site_profile' => dast_site_profile.name, 'scanner_profile' => dast_scanner_profile&.name }.compact 'dast_configuration' => { 'site_profile' => dast_site_profile.name, 'scanner_profile' => dast_scanner_profile&.name }.compact
} }
}.to_yaml }.to_yaml
end end
def dast_template
if should_use_api_scan?
'Security/DAST-On-Demand-API-Scan.gitlab-ci.yml'
else
'Security/DAST-On-Demand-Scan.gitlab-ci.yml'
end
end
def should_use_api_scan?
Feature.enabled?(:dast_api_scanner, dast_site_profile.project, default_enabled: :yaml) && dast_site_profile.target_type == 'api'
end
def dast_profile def dast_profile
strong_memoize(:dast_profile) do strong_memoize(:dast_profile) do
params[:dast_profile] params[:dast_profile]
......
---
key_path: redis_hll_counters.ci_templates.p_ci_templates_security_dast_on_demand_api_scan_monthly
name: "dast_on_demand_api_scan"
description: Count of pipelines using the latest DAST API template
product_section: sec
product_stage: secure
product_group: "group::dynamic analysis"
product_category: DAST
value_type: number
status: active
milestone: "14.7"
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/73564
time_frame: 28d
data_source: redis_hll
data_category: optional
instrumentation_class: RedisHLLMetric
options:
events:
- p_ci_templates_security_dast_on_demand_api_scan
performance_indicator_type: []
distribution:
- ee
tier:
#- premium
- ultimate
---
key_path: redis_hll_counters.ci_templates.p_ci_templates_implicit_security_dast_on_demand_api_scan_monthly
name: "implicit_security_dast_on_demand_api_scan"
description: Count of pipelines with implicit runs using the latest DAST API template
product_section: sec
product_stage: secure
product_group: "group::dynamic analysis"
product_category: DAST
value_type: number
status: active
milestone: "14.7"
introduced_by_url:
time_frame: 28d
data_source: redis_hll
data_category: optional
instrumentation_class: RedisHLLMetric
options:
events:
- p_ci_templates_implicit_security_dast_on_demand_api_scan
performance_indicator_type: []
distribution:
- ee
tier:
#- premium
- ultimate
---
key_path: redis_hll_counters.ci_templates.p_ci_templates_security_dast_on_demand_api_scan_weekly
name: "dast_on_demand_api_scan"
description: Count of pipelines using the latest DAST API template
product_section: sec
product_stage: secure
product_group: "group::dynamic analysis"
product_category: DAST
value_type: number
status: active
milestone: "14.7"
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/73564
time_frame: 7d
data_source: redis_hll
data_category: optional
instrumentation_class: RedisHLLMetric
options:
events:
- p_ci_templates_security_dast_on_demand_api_scan
performance_indicator_type: []
distribution:
- ee
tier:
#- premium
- ultimate
---
key_path: redis_hll_counters.ci_templates.p_ci_templates_implicit_security_dast_on_demand_api_scan_weekly
name: "implicit_security_dast_on_demand_api_scan"
description: Count of pipelines with implicit runs using the latest DAST API template
product_section: sec
product_stage: secure
product_group: "group::dynamic analysis"
product_category: DAST
value_type: number
status: active
milestone: "14.7"
introduced_by_url:
time_frame: 7d
data_source: redis_hll
data_category: optional
instrumentation_class: RedisHLLMetric
options:
events:
- p_ci_templates_implicit_security_dast_on_demand_api_scan
performance_indicator_type: []
distribution:
- ee
tier:
#- premium
- ultimate
...@@ -4,7 +4,7 @@ require 'spec_helper' ...@@ -4,7 +4,7 @@ require 'spec_helper'
RSpec.describe AppSec::Dast::ScanConfigs::BuildService do RSpec.describe AppSec::Dast::ScanConfigs::BuildService do
let_it_be(:project) { create(:project, :repository) } let_it_be(:project) { create(:project, :repository) }
let_it_be(:dast_site_profile) { create(:dast_site_profile, project: project) } let_it_be_with_reload(:dast_site_profile) { create(:dast_site_profile, project: project, target_type: 'website') }
let_it_be(:dast_scanner_profile) { create(:dast_scanner_profile, project: project, spider_timeout: 5, target_timeout: 20) } let_it_be(:dast_scanner_profile) { create(:dast_scanner_profile, project: project, spider_timeout: 5, target_timeout: 20) }
let_it_be(:dast_profile) { create(:dast_profile, project: project, dast_site_profile: dast_site_profile, dast_scanner_profile: dast_scanner_profile, branch_name: 'master') } let_it_be(:dast_profile) { create(:dast_profile, project: project, dast_site_profile: dast_site_profile, dast_scanner_profile: dast_scanner_profile, branch_name: 'master') }
...@@ -19,6 +19,8 @@ RSpec.describe AppSec::Dast::ScanConfigs::BuildService do ...@@ -19,6 +19,8 @@ RSpec.describe AppSec::Dast::ScanConfigs::BuildService do
let(:dast_full_scan_enabled) { dast_scanner_profile.full_scan_enabled? } let(:dast_full_scan_enabled) { dast_scanner_profile.full_scan_enabled? }
let(:dast_use_ajax_spider) { dast_scanner_profile.use_ajax_spider? } let(:dast_use_ajax_spider) { dast_scanner_profile.use_ajax_spider? }
let(:dast_debug) { dast_scanner_profile.show_debug_messages? } let(:dast_debug) { dast_scanner_profile.show_debug_messages? }
let(:on_demand_scan_template) { 'Security/DAST-On-Demand-Scan.gitlab-ci.yml' }
let(:api_scan_template) { 'Security/DAST-On-Demand-API-Scan.gitlab-ci.yml' }
let(:params) { { dast_site_profile: dast_site_profile, dast_scanner_profile: dast_scanner_profile } } let(:params) { { dast_site_profile: dast_site_profile, dast_scanner_profile: dast_scanner_profile } }
...@@ -28,7 +30,7 @@ RSpec.describe AppSec::Dast::ScanConfigs::BuildService do ...@@ -28,7 +30,7 @@ RSpec.describe AppSec::Dast::ScanConfigs::BuildService do
stages: stages:
- dast - dast
include: include:
- template: Security/DAST-On-Demand-Scan.gitlab-ci.yml - template: #{template}
dast: dast:
dast_configuration: dast_configuration:
site_profile: #{dast_site_profile.name} site_profile: #{dast_site_profile.name}
...@@ -39,6 +41,7 @@ RSpec.describe AppSec::Dast::ScanConfigs::BuildService do ...@@ -39,6 +41,7 @@ RSpec.describe AppSec::Dast::ScanConfigs::BuildService do
subject { described_class.new(container: project, params: params).execute } subject { described_class.new(container: project, params: params).execute }
describe 'execute' do describe 'execute' do
shared_examples 'build service execute tests' do
context 'when a dast_profile is provided' do context 'when a dast_profile is provided' do
let(:params) { { dast_profile: dast_profile } } let(:params) { { dast_profile: dast_profile } }
...@@ -92,7 +95,7 @@ RSpec.describe AppSec::Dast::ScanConfigs::BuildService do ...@@ -92,7 +95,7 @@ RSpec.describe AppSec::Dast::ScanConfigs::BuildService do
stages: stages:
- dast - dast
include: include:
- template: Security/DAST-On-Demand-Scan.gitlab-ci.yml - template: #{template}
dast: dast:
dast_configuration: dast_configuration:
site_profile: #{dast_site_profile.name} site_profile: #{dast_site_profile.name}
...@@ -120,4 +123,33 @@ RSpec.describe AppSec::Dast::ScanConfigs::BuildService do ...@@ -120,4 +123,33 @@ RSpec.describe AppSec::Dast::ScanConfigs::BuildService do
end end
end end
end end
context 'when feature flag dast_api_scanner is disabled' do
let(:template) { on_demand_scan_template }
before do
stub_feature_flags(dast_api_scanner: false)
end
it_behaves_like 'build service execute tests'
end
context 'when feature flag dast_api_scanner is enabled' do
context 'when the target_type is api' do
before do
dast_site_profile.target_type = 'api'
end
let(:template) { api_scan_template }
it_behaves_like 'build service execute tests'
end
context 'when the target_type is NOT api' do
let(:template) { on_demand_scan_template }
it_behaves_like 'build service execute tests'
end
end
end
end end
stages:
- build
- test
- deploy
- dast
variables:
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
DAST_API_VERSION: "1"
DAST_API_IMAGE: $SECURE_ANALYZERS_PREFIX/api-fuzzing:$DAST_API_VERSION
dast:
stage: dast
image: $DAST_API_IMAGE
variables:
GIT_STRATEGY: none
allow_failure: true
script:
- /peach/analyzer-dast-api
artifacts:
when: always
paths:
- gl-assets
- gl-dast-api-report.json
- gl-*.log
reports:
dast: gl-dast-api-report.json
...@@ -103,6 +103,10 @@ ...@@ -103,6 +103,10 @@
category: ci_templates category: ci_templates
redis_slot: ci_templates redis_slot: ci_templates
aggregation: weekly aggregation: weekly
- name: p_ci_templates_security_dast_on_demand_api_scan
category: ci_templates
redis_slot: ci_templates
aggregation: weekly
- name: p_ci_templates_security_coverage_fuzzing - name: p_ci_templates_security_coverage_fuzzing
category: ci_templates category: ci_templates
redis_slot: ci_templates redis_slot: ci_templates
...@@ -539,6 +543,10 @@ ...@@ -539,6 +543,10 @@
category: ci_templates category: ci_templates
redis_slot: ci_templates redis_slot: ci_templates
aggregation: weekly aggregation: weekly
- name: p_ci_templates_implicit_security_dast_on_demand_api_scan
category: ci_templates
redis_slot: ci_templates
aggregation: weekly
- name: p_ci_templates_implicit_security_coverage_fuzzing - name: p_ci_templates_implicit_security_coverage_fuzzing
category: ci_templates category: ci_templates
redis_slot: ci_templates redis_slot: ci_templates
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment