Skip to content

G
gitlab-ce
Commit 990ef110 authored by Jan Provaznik's avatar Jan Provaznik
Browse files
Options

Merge branch '284683-add-peach-api-to-dast-tmplt' into 'master' 

Update DAST CI template to include new DAST API analyzer

See merge request gitlab-org/gitlab!51824
parents 04b6ff27 3035ec14
Hide whitespace changes
Inline Side-by-side
Showing with 355 additions and 0 deletions
ee/changelogs/unreleased/284683-add-peach-api-to-dast-tmplt.yml 0 → 100644
View file @ 990ef110
---
title: Beta version of DAST API scanner API Security
merge_request: 51824
author:
type: added
ee/spec/lib/gitlab/ci/templates/dast_latest_gitlab_ci_yaml_spec.rb 0 → 100644
View file @ 990ef110
# frozen_string_literal: true
require 'spec_helper'
RSpec.shared_examples 'includes no jobs' do
it 'includes no jobs' do
expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError, 'No stages / jobs for this pipeline.')
end
end
RSpec.shared_examples 'includes dast job' do
it 'includes dast job' do
expect(build_names).to match_array(%w[dast])
end
end
RSpec.shared_examples 'includes dast_api job' do
it 'includes dast_api job' do
expect(build_names).to match_array(%w[dast_api])
end
end
RSpec.describe 'DAST.latest.gitlab-ci.yml' do
subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('DAST.latest') }
describe 'the created pipeline' do
let(:default_branch) { 'master' }
let(:pipeline_branch) { default_branch }
let(:project) { create(:project, :custom_repo, files: { 'README.txt' => '' }) }
let(:user) { project.owner }
let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_branch ) }
let(:pipeline) { service.execute!(:push) }
let(:build_names) { pipeline.builds.pluck(:name) }
let(:ci_pipeline_yaml) { "stages: [\"dast\"]\n" }
specify { expect(template).not_to be_nil }
context 'when ci yaml is just template' do
before do
stub_ci_pipeline_yaml_file(template.content)
allow_next_instance_of(Ci::BuildScheduleWorker) do |worker|
allow(worker).to receive(:perform).and_return(true)
end
allow(project).to receive(:default_branch).and_return(default_branch)
end
context 'when project has no license' do
it 'includes no jobs' do
expect(build_names).to be_empty
end
end
end
context 'when stages includes dast' do
before do
stub_ci_pipeline_yaml_file(ci_pipeline_yaml + template.content)
allow_next_instance_of(Ci::BuildScheduleWorker) do |worker|
allow(worker).to receive(:perform).and_return(true)
end
allow(project).to receive(:default_branch).and_return(default_branch)
end
context 'when project has no license' do
include_examples 'includes no jobs'
end
context 'when project has cluster' do
let(:cluster) { create(:cluster, :project, :provided_by_gcp, projects: [project]) }
context 'by default' do
before do
allow(cluster).to receive(:active?).and_return(true)
end
include_examples 'includes no jobs'
end
context 'when project has Ultimate license' do
let(:license) { create(:license, plan: License::ULTIMATE_PLAN) }
before do
allow(License).to receive(:current).and_return(license)
allow(cluster).to receive(:active?).and_return(true)
end
context 'when no specification provided' do
include_examples 'includes dast job'
end
end
end
context 'when cluster is not active' do
context 'by default' do
include_examples 'includes no jobs'
end
context 'when DAST_WEBSITE is present' do
before do
create(:ci_variable, project: project, key: 'DAST_WEBSITE', value: 'http://example.com')
end
include_examples 'includes dast job'
end
context 'when DAST_API_SPECIFICATION is present' do
before do
create(:ci_variable, project: project, key: 'DAST_API_SPECIFICATION', value: 'http://my.api/api-specification.yml')
end
include_examples 'includes dast job'
end
context 'when DAST_API_BETA=1' do
before do
create(:ci_variable, project: project, key: 'DAST_API_BETA', value: '1')
end
context 'when project has Ultimate license' do
let(:license) { create(:license, plan: License::ULTIMATE_PLAN) }
before do
allow(License).to receive(:current).and_return(license)
end
context 'when no specification provided' do
include_examples 'includes no jobs'
end
context 'when DAST_DISABLED=1' do
before do
create(:ci_variable, project: project, key: 'DAST_DISABLED', value: '1')
end
include_examples 'includes no jobs'
end
context 'when DAST_WEBSITE is present' do
before do
create(:ci_variable, project: project, key: 'DAST_WEBSITE', value: 'http://example.com')
end
include_examples 'includes dast job'
end
context 'when DAST_API_SPECIFICATION is present' do
before do
create(:ci_variable, project: project, key: 'DAST_API_SPECIFICATION', value: 'http://my.api/api-specification.yml')
end
include_examples 'includes dast_api job'
end
context 'when DAST_WEBSITE and DAST_API_SPECIFICATION is present' do
before do
create(:ci_variable, project: project, key: 'DAST_WEBSITE', value: 'http://example.com')
create(:ci_variable, project: project, key: 'DAST_API_SPECIFICATION', value: 'http://my.api/api-specification.yml')
end
it 'includes dast_api job' do
expect(build_names).to match_array(%w[dast_api])
end
end
context 'when DAST_API_OPENAPI is present' do
before do
create(:ci_variable, project: project, key: 'DAST_API_OPENAPI', value: 'http://my.api/api-specification.yml')
end
include_examples 'includes dast_api job'
end
context 'when DAST_API_HAR is present' do
before do
create(:ci_variable, project: project, key: 'DAST_API_HAR', value: 'http://my.api/api-specification.yml')
end
include_examples 'includes dast_api job'
end
context 'when DAST_API_POSTMAN_COLLECTION is present' do
before do
create(:ci_variable, project: project, key: 'DAST_API_POSTMAN_COLLECTION', value: 'http://my.api/api-specification.yml')
end
include_examples 'includes dast_api job'
end
end
end
context 'when project has Ultimate license' do
let(:license) { create(:license, plan: License::ULTIMATE_PLAN) }
before do
allow(License).to receive(:current).and_return(license)
end
context 'when project has cluster' do
let(:cluster) { create(:cluster, :project, :provided_by_gcp, projects: [project]) }
context 'when DAST_DISABLED=1' do
before do
allow(cluster).to receive(:active?).and_return(true)
create(:ci_variable, project: project, key: 'DAST_DISABLED', value: '1')
end
include_examples 'includes no jobs'
end
context 'when DAST_DISABLED_FOR_DEFAULT_BRANCH=1' do
before do
allow(cluster).to receive(:active?).and_return(true)
create(:ci_variable, project: project, key: 'DAST_DISABLED_FOR_DEFAULT_BRANCH', value: '1')
end
context 'when on default branch' do
include_examples 'includes no jobs'
end
context 'when on feature branch' do
let(:pipeline_branch) { 'patch-1' }
before do
project.repository.create_branch(pipeline_branch)
end
it 'includes dast job' do
expect(build_names).to match_array(%w[dast])
end
end
end
context 'when REVIEW_DISABLED=true' do
before do
allow(cluster).to receive(:active?).and_return(true)
create(:ci_variable, project: project, key: 'REVIEW_DISABLED', value: 'true')
end
context 'when on default branch' do
include_examples 'includes dast job'
end
context 'when on feature branch' do
let(:pipeline_branch) { 'patch-1' }
before do
project.repository.create_branch(pipeline_branch)
end
include_examples 'includes no jobs'
end
end
end
end
end
end
end
end
lib/gitlab/ci/templates/Security/DAST.latest.gitlab-ci.yml
View file @ 990ef110
......@@ -9,6 +9,19 @@ variables:
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
#
DAST_API_PROFILE: Full
DAST_API_VERSION: latest
DAST_API_CONFIG: .gitlab-dast-api.yml
DAST_API_TIMEOUT: 30
DAST_API_REPORT: gl-dast-api-report.json
DAST_API_REPORT_ASSET_PATH: assets
#
# Wait up to 5 minutes for API Security and target url to become
# available (non 500 response to HTTP(s))
DAST_API_SERVICE_START_TIMEOUT: "300"
#
DAST_API_IMAGE: registry.gitlab.com/gitlab-org/security-products/analyzers/api-fuzzing:${DAST_API_VERSION}-engine
dast:
stage: dast
......@@ -25,6 +38,11 @@ dast:
reports:
dast: gl-dast-report.json
rules:
- if: $DAST_API_BETA && ( $DAST_API_SPECIFICATION ||
$DAST_API_OPENAPI ||
$DAST_API_POSTMAN_COLLECTION ||
$DAST_API_HAR )
when: never
- if: $DAST_DISABLED
when: never
- if: $DAST_DISABLED_FOR_DEFAULT_BRANCH &&
......@@ -40,4 +58,72 @@ dast:
- if: $CI_COMMIT_BRANCH &&
$DAST_WEBSITE
- if: $CI_COMMIT_BRANCH &&
$DAST_API_BETA == null &&
$DAST_API_SPECIFICATION
dast_api:
stage: dast
image:
name: $DAST_API_IMAGE
entrypoint: ["/bin/bash", "-l", "-c"]
variables:
API_SECURITY_MODE: DAST
DAST_API_NEW_REPORT: 1
DAST_API_PROJECT: $CI_PROJECT_PATH
DAST_API_API: http://127.0.0.1:5000
DAST_API_LOG_SCANNER: gl-dast-api-scanner.log
TZ: America/Los_Angeles
allow_failure: true
rules:
- if: $DAST_API_BETA == null
when: never
- if: $DAST_DISABLED
when: never
- if: $DAST_DISABLED_FOR_DEFAULT_BRANCH &&
$CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
when: never
- if: $CI_DEFAULT_BRANCH != $CI_COMMIT_REF_NAME &&
$REVIEW_DISABLED &&
$DAST_API_SPECIFICATION == null &&
$DAST_API_OPENAPI == null &&
$DAST_API_POSTMAN_COLLECTION == null &&
$DAST_API_HAR == null
when: never
- if: $DAST_API_SPECIFICATION == null &&
$DAST_API_OPENAPI == null &&
$DAST_API_POSTMAN_COLLECTION == null &&
$DAST_API_HAR == null
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdast\b/
script:
#
# Run user provided pre-script
- sh -c "$DAST_API_PRE_SCRIPT"
#
# Make sure asset path exists
- mkdir -p $DAST_API_REPORT_ASSET_PATH
#
# Start API Security background process
- dotnet /peach/Peach.Web.dll &> $DAST_API_LOG_SCANNER &
- APISEC_PID=$!
#
# Start scanning
- worker-entry
#
# Run user provided post-script
- sh -c "$DAST_API_POST_SCRIPT"
#
# Shutdown API Security
- kill $APISEC_PID
- wait $APISEC_PID
#
artifacts:
when: always
paths:
- $DAST_API_REPORT_ASSET_PATH
- $DAST_API_REPORT
- $DAST_API_LOG_SCANNER
- gl-*.log
reports:
dast: $DAST_API_REPORT
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7