diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 89219509a57353ade57969d57ac373ba87b0ee82..25cbd2f2a494175844b4c77c53c92fa2be9a2782 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -2,9 +2,11 @@ # only cache local items. variables: PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip" + OWASP_DEPENDENCY_CHECK: 'owasp_dependency_check' stages: - install_dependencies + - security - build - publish - deploy @@ -51,7 +53,7 @@ stages: .build_template_lnx: image: python:latest stage: build - needs: [install_dep_lnx] + needs: ['dep:lnx'] cache: <<: *cache_def policy: pull @@ -80,7 +82,7 @@ stages: .build_template_win: stage: build - needs: [install_dep_win] + needs: ['dep:win'] cache: <<: *cache_def policy: pull 
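Review bot: `OWASP_DEPENDENCY_CHECK: 'owasp_dependency_check'` is added to `variables:` in the first hunk but nothing else in this diff reads it, and the dependency job the commit introduces runs `safety`, not OWASP Dependency-Check, so the variable is dead and mis-describes the tooling that is actually wired in. Either drop it or state its purpose above it, e.g. `# placeholder for a future OWASP Dependency-Check job; not read by security:depcheck`, so the next reader does not assume a scanner exists that does not. The `needs:` renames in the other two hunks match the new `dep:lnx`/`dep:win` job names and need no change.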
@@ -153,14 +155,78 @@ stages: rules: - if: ($CI_COMMIT_BRANCH == "master" || $CI_COMMIT_BRANCH == "develop") && $BUILD_CFG && $DEPLOY_SCP_HOST -install_dep_lnx: +# actions for merge request. +security:gitleaks: + stage: security + image: + name: "zricethezav/gitleaks" + entrypoint: [""] + script: + # to avoid + # fatal: unsafe repository ('/builds/...' is owned by someone else) + # with recent git versions + - git config --global --add safe.directory $CI_PROJECT_DIR + - gitleaks detect -v ./ + rules: + - if: $CI_PIPELINE_SOURCE == 'merge_request_event' + +security:depcheck: + image: python:latest + stage: security + before_script: + - python --version # For debugging + - python -m pip install safety + script: + - safety check -r requirements.txt --full-report + - safety check -r requirements.txt --json > dependency-check-report.json + after_script: + # Add artificial metrics report to collect release evidence + - echo 'dependency_check run' > metrics.txt + allow_failure: true + artifacts: + when: always + expose_as: 'Safety Dependency Check Report' + paths: + - 'dependency-check-report.json' + # Add artificial metrics report to collect release evidence + reports: + metrics: metrics.txt + rules: + - if: $CI_PIPELINE_SOURCE == 'merge_request_event' + - if: $CI_PIPELINE_SOURCE == "schedule" + +security:staticcode: + image: python:latest + stage: security + before_script: + - python --version # For debugging + - python -m pip install bandit + script: + - bandit -r . 
-s B110 -f json -o bandit-report.json + - cat bandit-report.json + after_script: + # Add artificial metrics report to collect release evidence + - echo 'bandit_check run' > metrics.txt + allow_failure: true + artifacts: + when: always + expose_as: 'Safety Bandit Report' + paths: + - 'bandit-report.json' + # Add artificial metrics report to collect release evidence + reports: + metrics: metrics.txt + rules: + - if: $CI_PIPELINE_SOURCE == 'merge_request_event' + +dep:lnx: extends: .env_template_lnx image: python:latest tags: - python - linux -install_dep_win: +dep:win: extends: .env_template_win image: python:latest tags: @@ -168,7 +234,7 @@ install_dep_win: - shell - python -build_fls_lnx: +build:fls:lnx: extends: .build_template_lnx environment: name: fls/$CI_COMMIT_REF_SLUG @@ -177,7 +243,7 @@ build_fls_lnx: - python - linux -build_fls_win: +build:fls:win: extends: .build_template_win environment: name: fls/$CI_COMMIT_REF_SLUG @@ -187,21 +253,21 @@ build_fls_win: - shell - python -publish_fls: +publish:fls: extends: .publish_template - needs: [build_fls_win, build_fls_lnx] + needs: ['build:fls:win', 'build:fls:lnx'] environment: name: fls/$CI_COMMIT_REF_SLUG action: prepare -deploy_fls: +deploy:fls: extends: .deploy_template - needs: [publish_fls] + needs: ['publish:fls'] environment: name: fls/$CI_COMMIT_REF_SLUG # GKS -build_gks_lnx: +build:gks:lnx: extends: .build_template_lnx environment: name: gks/$CI_COMMIT_REF_SLUG @@ -210,7 +276,7 @@ build_gks_lnx: - python - linux -build_gks_win: +build:gks:win: extends: .build_template_win environment: name: gks/$CI_COMMIT_REF_SLUG 
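Review bot: In `security:depcheck` the JSON artifact is only written when there is nothing to report: GitLab stops the `script` at the first failing command and `safety check ... --full-report` exits non-zero on findings, so the second `safety check ... --json > dependency-check-report.json` never runs in exactly the case the report matters, and `artifacts: when: always` then has no file to collect. Swap the order and keep the JSON run from aborting the job, `- safety check -r requirements.txt --json > dependency-check-report.json || true` followed by `- safety check -r requirements.txt --full-report`, so the artifact is produced while the job status still reflects the findings. In `security:gitleaks`, `gitleaks detect -v ./` prints each matched secret value into the job log, which is retained and readable by anyone who can view the pipeline; add `--redact` so only the rule and location are logged. Separately, all three scanners are pulled unpinned (`zricethezav/gitleaks` with no tag, `pip install safety`, `pip install bandit`), so the security stage itself trusts whatever is newest on the registry at run time — pin an image tag or digest and the tool versions, as this commit now does for requirements.txt.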
@@ -220,21 +286,21 @@ build_gks_win: - shell - python -publish_gks: +publish:gks: extends: .publish_template - needs: [build_gks_win, build_gks_lnx] + needs: ['build:gks:win', 'build:gks:lnx'] environment: name: gks/$CI_COMMIT_REF_SLUG action: prepare -deploy_gks: +deploy:gks: extends: .deploy_template - needs: [publish_gks] + needs: ['publish:gks'] environment: name: gks/$CI_COMMIT_REF_SLUG # SDS -build_sds_lnx: +build:sds:lnx: extends: .build_template_lnx environment: name: sds/$CI_COMMIT_REF_SLUG @@ -243,7 +309,7 @@ build_sds_lnx: - python - linux -build_sds_win: +build:sds:win: extends: .build_template_win environment: name: sds/$CI_COMMIT_REF_SLUG @@ -253,21 +319,21 @@ build_sds_win: - shell - python -publish_sds: +publish:sds: extends: .publish_template - needs: [build_sds_win, build_sds_lnx] + needs: ['build:sds:win', 'build:sds:lnx'] environment: name: sds/$CI_COMMIT_REF_SLUG action: prepare -deploy_sds: +deploy:sds: extends: .deploy_template - needs: [publish_sds] + needs: ['publish:sds'] environment: name: sds/$CI_COMMIT_REF_SLUG # LSS -build_lss_lnx: +build:lss:lnx: extends: .build_template_lnx environment: name: lss/$CI_COMMIT_REF_SLUG @@ -276,7 +342,7 @@ build_lss_lnx: - python - linux -build_lss_win: +build:lss:win: extends: .build_template_win environment: name: lss/$CI_COMMIT_REF_SLUG @@ -286,15 +352,15 @@ build_lss_win: - shell - python -publish_lss: +publish:lss: extends: .publish_template - needs: [build_lss_win, build_lss_lnx] + needs: ['build:lss:win', 'build:lss:lnx'] environment: name: lss/$CI_COMMIT_REF_SLUG action: prepare -deploy_lss: +deploy:lss: extends: .deploy_template - needs: [publish_lss] + needs: ['publish:lss'] environment: name: lss/$CI_COMMIT_REF_SLUG diff --git a/requirements.txt b/requirements.txt index 33b0aedc313939e0b0e9884ac4f3e98cca5a912e..c5d5f452efeb7ea1fa6d6dd2cd792abf3679781e 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -1,4 +1,4 @@
-PyQt5
-cx_Freeze
-requests
-sentry-sdk
\ No newline at end of file
+PyQt5-Qt5==5.15.7
+cx_Freeze==6.11.1
+requests==2.28.1
+sentry-sdk==1.7.2
\ No newline at end of file
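Review bot: `PyQt5` has been replaced by `PyQt5-Qt5==5.15.7`, which is a different distribution: PyQt5-Qt5 ships only the Qt runtime libraries and does not provide the `PyQt5` Python package, so an install from this file will no longer make `import PyQt5` work unless the bindings are pulled in elsewhere. If the intent was only to pin, keep the bindings themselves pinned, e.g. `PyQt5==5.15.7` (PyQt5 declares PyQt5-Qt5 as its own dependency), and check that the chosen release matches the Qt build the Windows and Linux jobs expect. Exact pins are the right direction now that this file feeds `safety check`; a follow-up could add hashes (`pip install --require-hashes`) so that a tampered release of a pinned version is also rejected.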