Add the global var SECURE_ANALYZERS_PREFIX

This variable helps to setup all Security Products with a single variable. It has numerous advantages over the previous version: - The var can be set up in `.gitlab-ci.yml` or in the UI - That means users can define it at the group level directly if needed - It flattens the paths used (sometimes it was with /analyzers/, sometimes not) - A single variable can now define all the base paths at once This change is especially useful for air-gapped environments, where all the images are generally duplicated locally. Having different prefixes is creating a lot of plumbing just to get started. Note that we need to create registry.gitlab.com/gitlab-org/security-products/secure-bundle before merging this. refs gitlab-org/gitlab#209258 and gitlab-org/gitlab#209846

Add the global var SECURE_ANALYZERS_PREFIX
This variable helps to setup all Security Products with a single variable. It has numerous advantages over the previous version: - The var can be set up in `.gitlab-ci.yml` or in the UI - That means users can define it at the group level directly if needed - It flattens the paths used (sometimes it was with /analyzers/, sometimes not) - A single variable can now define all the base paths at once This change is especially useful for air-gapped environments, where all the images are generally duplicated locally. Having different prefixes is creating a lot of plumbing just to get started. Note that we need to create registry.gitlab.com/gitlab-org/security-products/secure-bundle before merging this. refs gitlab-org/gitlab#209258 and gitlab-org/gitlab#209846
e5da8442 · Philippe Lafoucrière · Douglas Barbosa Alexandre · 17872da7 · e5da8442 · e5da8442
Commit e5da8442 authored May 11, 2020 by Philippe Lafoucrière Committed by Douglas Barbosa Alexandre May 11, 2020
15 changed files
--- a/changelogs/unreleased/28617-add-global-sec-prefix.yml
+++ b/changelogs/unreleased/28617-add-global-sec-prefix.yml
+---
+title: Add the global var SECURE_ANALYZERS_PREFIX
+merge_request: 28617
+author:
+type: added
--- a/doc/user/application_security/container_scanning/index.md
+++ b/doc/user/application_security/container_scanning/index.md
@@ -169,6 +169,7 @@ using environment variables.
 | Environment Variable           | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Default                                                                                                         |
 | ------                         | ------                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | ------                                                                                                          |
+| `SECURE_ANALYZERS_PREFIX`      | Set the Docker registry base address from which to download the analyzer. | `"registry.gitlab.com/gitlab-org/security-products/analyzers"` |
 | `KLAR_TRACE`                   | Set to true to enable more verbose output from klar.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | `"false"`                                                                                                       |
 | `CLAIR_TRACE`                  | Set to true to enable more verbose output from the clair server process.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | `"false"`                                                                                   |
 | `DOCKER_USER`                  | Username for accessing a Docker registry requiring authentication.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | `$CI_REGISTRY_USER`                                                                                             |

--- a/doc/user/application_security/dast/index.md
+++ b/doc/user/application_security/dast/index.md
@@ -438,7 +438,8 @@ don't forget to add `stage: dast` when you override the template job definition.
 DAST can be [configured](#customizing-the-dast-settings) using environment variables.
 | Environment variable        | Required   | Description                                                                    |
-|-----------------------------| ----------|--------------------------------------------------------------------------------|
+|-----------------------------| -----------|--------------------------------------------------------------------------------|
+| `SECURE_ANALYZERS_PREFIX`   | no         | Set the Docker registry base address from which to download the analyzer.            |
 | `DAST_WEBSITE`  | no| The URL of the website to scan. `DAST_API_SPECIFICATION` must be specified if this is omitted. |
 | `DAST_API_SPECIFICATION`  | no | The API specification to import. `DAST_WEBSITE` must be specified if this is omitted. |
 | `DAST_AUTH_URL` | no | The authentication URL of the website to scan. Not supported for API scans. |
@@ -563,6 +564,8 @@ dast:
 The DAST job should now use local copies of the DAST analyzers to scan your code and generate
 security reports without requiring internet access.
+Alternatively, you can use the variable `SECURE_ANALYZERS_PREFIX` to override the base registry address of the `dast` image.
 ## Reports
 The DAST job can emit various reports.

--- a/doc/user/application_security/dependency_scanning/analyzers.md
+++ b/doc/user/application_security/dependency_scanning/analyzers.md
@@ -43,7 +43,7 @@ include:
  template: Dependency-Scanning.gitlab-ci.yml
 variables:
-  DS_ANALYZER_IMAGE_PREFIX: my-docker-registry/gl-images
+  SECURE_ANALYZERS_PREFIX: my-docker-registry/gl-images
 ```
 This configuration requires that your custom registry provides images for all

--- a/doc/user/application_security/dependency_scanning/index.md
+++ b/doc/user/application_security/dependency_scanning/index.md
@@ -140,7 +140,8 @@ The following variables allow configuration of global dependency scanning settin
 | Environment variable                    | Description |
 | --------------------------------------- |------------ |
-| `DS_ANALYZER_IMAGE_PREFIX`              | Override the name of the Docker registry providing the official default images (proxy). Read more about [customizing analyzers](analyzers.md). |
+| `SECURE_ANALYZERS_PREFIX`               | Override the name of the Docker registry providing the official default images (proxy). Read more about [customizing analyzers](analyzers.md). |
+| `DS_ANALYZER_IMAGE_PREFIX`              | **DEPRECATED:** Use `SECURE_ANALYZERS_PREFIX` instead. |
 | `DS_DEFAULT_ANALYZERS`                  | Override the names of the official default images. Read more about [customizing analyzers](analyzers.md). |
 | `DS_DISABLE_DIND`                       | Disable Docker-in-Docker and run analyzers [individually](#disabling-docker-in-docker-for-dependency-scanning).|
 | `ADDITIONAL_CA_CERT_BUNDLE`             | Bundle of CA certs to trust. |

--- a/doc/user/application_security/index.md
+++ b/doc/user/application_security/index.md
@@ -44,6 +44,12 @@ To add Container Scanning, follow the steps listed in the [Container Scanning do
 To further configure any of the other scanners, refer to each scanner's documentation.
+### Override the default registry base address
+By default, GitLab security scanners use `registry.gitlab.com/gitlab-org/security-products/analyzers` as the
+base address for Docker images. You can override this globally by setting the variable
+`SECURE_ANALYZERS_PREFIX` to another location. Note that this affects all scanners at once.
 ## Security scanning tools
 GitLab uses the following tools to scan and report known vulnerabilities found in your project.

--- a/doc/user/application_security/sast/analyzers.md
+++ b/doc/user/application_security/sast/analyzers.md
@@ -52,7 +52,7 @@ include:
  - template: SAST.gitlab-ci.yml
 variables:
-  SAST_ANALYZER_IMAGE_PREFIX: my-docker-registry/gl-images
+  SECURE_ANALYZERS_PREFIX: my-docker-registry/gl-images
 ```
 This configuration requires that your custom registry provides images for all

--- a/doc/user/application_security/sast/index.md
+++ b/doc/user/application_security/sast/index.md
@@ -293,7 +293,8 @@ The following are Docker image-related variables.
 | Environment variable         | Description                                                                                                                                                                                                              |
 |------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `SAST_ANALYZER_IMAGE_PREFIX` | Override the name of the Docker registry providing the default images (proxy). Read more about [customizing analyzers](analyzers.md).                                                                                    |
+| `SECURE_ANALYZERS_PREFIX`    | Override the name of the Docker registry providing the default images (proxy). Read more about [customizing analyzers](analyzers.md).                                                                                    |
+| `SAST_ANALYZER_IMAGE_PREFIX` | **DEPRECATED**: Use `SECURE_ANALYZERS_PREFIX` instead.                                                                                                                                                                       |
 | `SAST_ANALYZER_IMAGE_TAG`    | **DEPRECATED:** Override the Docker tag of the default images. Read more about [customizing analyzers](analyzers.md).                                                                                                        |
 | `SAST_DEFAULT_ANALYZERS`     | Override the names of default images. Read more about [customizing analyzers](analyzers.md).                                                                                                                             |
 | `SAST_DISABLE_DIND`          | Disable Docker in Docker and run analyzers [individually](#disabling-docker-in-docker-for-sast).                                                                                                                         |
@@ -575,7 +576,7 @@ include:
  - template: SAST.gitlab-ci.yml
 variables:
-  SAST_ANALYZER_IMAGE_PREFIX: "localhost:5000/analyzers"
+  SECURE_ANALYZERS_PREFIX: "localhost:5000/analyzers"
  SAST_DISABLE_DIND: "true"
  ```

--- a/doc/user/compliance/license_compliance/index.md
+++ b/doc/user/compliance/license_compliance/index.md
@@ -134,7 +134,8 @@ The License Compliance settings can be changed through [environment variables](#
 License Compliance can be configured using environment variables.
 | Environment variable        | Required | Description |
-|-----------------------|----------|-------------|
+|-----------------------------|----------|-------------|
+| `SECURE_ANALYZERS_PREFIX`   | no       | Set the Docker registry base address to download the analyzer from. |
 | `ADDITIONAL_CA_CERT_BUNDLE` | no       | Bundle of trusted CA certificates (currently supported in Pip, Pipenv, Maven, Gradle, and NPM projects). |
 | `GRADLE_CLI_OPTS`           | no       | Additional arguments for the gradle executable. If not supplied, defaults to `--exclude-task=test`. |
 | `LICENSE_FINDER_CLI_OPTS`   | no       | Additional arguments for the `license_finder` executable. For example, if your project has both Golang and Ruby code stored in different directories and you want to only scan the Ruby code, you can update your `.gitlab-ci-yml` template to specify which project directories to scan, like `LICENSE_FINDER_CLI_OPTS: '--debug --aggregate-paths=. ruby'`. |

--- a/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
 # Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/container_scanning/
 variables:
+  # Setting this variable will affect all Security templates
+  # (SAST, Dependency Scanning, ...)
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
  CS_MAJOR_VERSION: 2
 container_scanning:
  stage: test
-  image: registry.gitlab.com/gitlab-org/security-products/analyzers/klar:$CS_MAJOR_VERSION
+  image: $SECURE_ANALYZERS_PREFIX/klar:$CS_MAJOR_VERSION
  variables:
    # By default, use the latest clair vulnerabilities database, however, allow it to be overridden here with a specific image
    # to enable container scanning to run offline, or to provide a consistent list of vulnerabilities for integration testing purposes
    CLAIR_DB_IMAGE_TAG: "latest"
-    CLAIR_DB_IMAGE: "arminc/clair-db:$CLAIR_DB_IMAGE_TAG"
+    CLAIR_DB_IMAGE: "$SECURE_ANALYZERS_PREFIX/clair-vulnerabilities-db:$CLAIR_DB_IMAGE_TAG"
    # Override the GIT_STRATEGY variable in your `.gitlab-ci.yml` file and set it to `fetch` if you want to provide a `clair-whitelist.yml`
    # file. See https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template
    # for details

--- a/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml
@@ -12,11 +12,14 @@ stages:
 variables:
  DAST_VERSION: 1
+  # Setting this variable will affect all Security templates
+  # (SAST, Dependency Scanning, ...)
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
 dast:
  stage: dast
  image:
-    name: "registry.gitlab.com/gitlab-org/security-products/dast:$DAST_VERSION"
+    name: "$SECURE_ANALYZERS_PREFIX/dast:$DAST_VERSION"
  variables:
    GIT_STRATEGY: none
  allow_failure: true

--- a/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
@@ -5,8 +5,13 @@
 # How to set: https://docs.gitlab.com/ee/ci/yaml/#variables
 variables:
-  SECURITY_SCANNER_IMAGE_PREFIX: "registry.gitlab.com/gitlab-org/security-products"
+  # Setting this variable will affect all Security templates
-  DS_ANALYZER_IMAGE_PREFIX: "$SECURITY_SCANNER_IMAGE_PREFIX/analyzers"
+  # (SAST, Dependency Scanning, ...)
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+  # Deprecated, use SECURE_ANALYZERS_PREFIX instead
+  DS_ANALYZER_IMAGE_PREFIX: "$SECURE_ANALYZERS_PREFIX"
  DS_DEFAULT_ANALYZERS: "bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python"
  DS_MAJOR_VERSION: 2
  DS_DISABLE_DIND: "false"
@@ -67,7 +72,7 @@ dependency_scanning:
        ) \
        --volume "$PWD:/code" \
        --volume /var/run/docker.sock:/var/run/docker.sock \
-        "$SECURITY_SCANNER_IMAGE_PREFIX/dependency-scanning:$DS_MAJOR_VERSION" /code
+        "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$DS_MAJOR_VERSION" /code
  artifacts:
    reports:
      dependency_scanning: gl-dependency-scanning-report.json

--- a/lib/gitlab/ci/templates/Security/License-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/License-Scanning.gitlab-ci.yml
@@ -5,13 +5,17 @@
 # How to set: https://docs.gitlab.com/ee/ci/yaml/#variables
 variables:
+  # Setting this variable will affect all Security templates
+  # (SAST, Dependency Scanning, ...)
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
  LICENSE_MANAGEMENT_SETUP_CMD: ''  # If needed, specify a command to setup your environment with a custom package manager.
  LICENSE_MANAGEMENT_VERSION: 3
 license_scanning:
  stage: test
  image:
-    name: "registry.gitlab.com/gitlab-org/security-products/license-management:$LICENSE_MANAGEMENT_VERSION"
+    name: "$SECURE_ANALYZERS_PREFIX/license-finder:$LICENSE_MANAGEMENT_VERSION"
    entrypoint: [""]
  variables:
    LM_REPORT_FILE: gl-license-scanning-report.json

--- a/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
@@ -5,7 +5,13 @@
 # How to set: https://docs.gitlab.com/ee/ci/yaml/#variables
 variables:
-  SAST_ANALYZER_IMAGE_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+  # Setting this variable will affect all Security templates
+  # (SAST, Dependency Scanning, ...)
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+  # Deprecated, use SECURE_ANALYZERS_PREFIX instead
+  SAST_ANALYZER_IMAGE_PREFIX: "$SECURE_ANALYZERS_PREFIX"
  SAST_DEFAULT_ANALYZERS: "bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, tslint, secrets, sobelow, pmd-apex, kubesec"
  SAST_ANALYZER_IMAGE_TAG: 2
  SAST_DISABLE_DIND: "false"

--- a/lib/gitlab/ci/templates/Security/Secure-Binaries.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/Secure-Binaries.gitlab-ci.yml
@@ -16,7 +16,7 @@ variables:
    bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, tslint, secrets, sobelow, pmd-apex, kubesec,
    bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python,
    klar, clair-vulnerabilities-db,
-    license-management,
+    license-finder,
    dast
  SECURE_BINARIES_DOWNLOAD_IMAGES: "true"
@@ -39,7 +39,7 @@ variables:
  script:
    - docker info
    - env
-    - if [ -z "$SECURE_BINARIES_IMAGE" ]; then export SECURE_BINARIES_IMAGE=${SECURE_BINARIES_IMAGE:-"registry.gitlab.com/gitlab-org/security-products/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"}; fi
+    - if [ -z "$SECURE_BINARIES_IMAGE" ]; then export SECURE_BINARIES_IMAGE=${SECURE_BINARIES_IMAGE:-"registry.gitlab.com/gitlab-org/security-products/analyzers/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"}; fi
    - docker pull ${SECURE_BINARIES_IMAGE}
    - mkdir -p output/$(dirname ${CI_JOB_NAME})
    - |
@@ -62,98 +62,98 @@ variables:
 # SAST jobs
 #
-analyzers/bandit:
+bandit:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bbandit\b/
-analyzers/brakeman:
+brakeman:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bbrakeman\b/
-analyzers/gosec:
+gosec:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bgosec\b/
-analyzers/spotbugs:
+spotbugs:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bspotbugs\b/
-analyzers/flawfinder:
+flawfinder:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bflawfinder\b/
-analyzers/phpcs-security-audit:
+phpcs-security-audit:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bphpcs-security-audit\b/
-analyzers/security-code-scan:
+security-code-scan:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bsecurity-code-scan\b/
-analyzers/nodejs-scan:
+nodejs-scan:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bnodejs-scan\b/
-analyzers/eslint:
+eslint:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\beslint\b/
-analyzers/tslint:
+tslint:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\btslint\b/
-analyzers/secrets:
+secrets:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bsecrets\b/
-analyzers/sobelow:
+sobelow:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bsobelow\b/
-analyzers/pmd-apex:
+pmd-apex:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bsecrets\b/
-analyzers/kubesec:
+kubesec:
  extends: .download_images
  only:
    variables:
@@ -163,14 +163,14 @@ analyzers/kubesec:
 # Container Scanning jobs
 #
-analyzers/klar:
+klar:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bklar\b/
-analyzers/clair-vulnerabilities-db:
+clair-vulnerabilities-db:
  extends: .download_images
  only:
    variables:
@@ -184,35 +184,35 @@ analyzers/clair-vulnerabilities-db:
 # Dependency Scanning jobs
 #
-analyzers/bundler-audit:
+bundler-audit:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bbundler-audit\b/
-analyzers/retire.js:
+retire.js:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bretire\.js\b/
-analyzers/gemnasium:
+gemnasium:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bgemnasium\b/
-analyzers/gemnasium-maven:
+gemnasium-maven:
  extends: .download_images
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bgemnasium-maven\b/
-analyzers/gemnasium-python:
+gemnasium-python:
  extends: .download_images
  only:
    variables:
@@ -223,14 +223,14 @@ analyzers/gemnasium-python:
 # License Scanning
 #
-license-management:
+license-finder:
  extends: .download_images
  variables:
    SECURE_BINARIES_ANALYZER_VERSION: "3"
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
-          $SECURE_BINARIES_ANALYZERS =~ /\blicense-management\b/
+          $SECURE_BINARIES_ANALYZERS =~ /\blicense-finder\b/
 #
 # DAST
@@ -238,9 +238,9 @@ license-management:
 dast:
  extends: .download_images
+  variables:
+    SECURE_BINARIES_ANALYZER_VERSION: "1"
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bdast\b/
-  variables:
-    SECURE_BINARIES_ANALYZER_VERSION: 1