From 93c6e8ad5be27bec460c70ef113e25f7c2a8a630 Mon Sep 17 00:00:00 2001 From: Lukas Schreiner Date: Wed, 20 Jul 2022 21:39:30 +0200 Subject: [PATCH 1/6] Update .gitlab-ci.yml for gitleaks --- .gitlab-ci.yml | 72 ++++++++++++++++++++++++++++++-------------------- 1 file changed, 44 insertions(+), 28 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 8921950..4121759 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -5,6 +5,7 @@ variables: stages: - install_dependencies + - leaks - build - publish - deploy @@ -51,7 +52,7 @@ stages: .build_template_lnx: image: python:latest stage: build - needs: [install_dep_lnx] + needs: ['dep:lnx'] cache: <<: *cache_def policy: pull @@ -80,7 +81,7 @@ stages: .build_template_win: stage: build - needs: [install_dep_win] + needs: ['dep:win'] cache: <<: *cache_def policy: pull @@ -153,14 +154,29 @@ stages: rules: - if: ($CI_COMMIT_BRANCH == "master" || $CI_COMMIT_BRANCH == "develop") && $BUILD_CFG && $DEPLOY_SCP_HOST -install_dep_lnx: +# actions for merge request. +leaks:gitleaks: + stage: leaks + image: + name: "zricethezav/gitleaks" + entrypoint: [""] + script: + # to avoid + # fatal: unsafe repository ('/builds/...' is owned by someone else) + # with recent git versions + - git config --global --add safe.directory $CI_PROJECT_DIR + - gitleaks detect -v -c gitleaks.toml ./ + rules: + - if: $CI_PIPELINE_SOURCE == 'merge_request_event' + +dep:lnx: extends: .env_template_lnx image: python:latest tags: - python - linux -install_dep_win: +dep:win: extends: .env_template_win image: python:latest tags: @@ -168,7 +184,7 @@ install_dep_win: - shell - python -build_fls_lnx: +build:fls:lnx: extends: .build_template_lnx environment: name: fls/$CI_COMMIT_REF_SLUG @@ -177,7 +193,7 @@ build_fls_lnx: - python - linux -build_fls_win: +build:fls:win: extends: .build_template_win environment: name: fls/$CI_COMMIT_REF_SLUG 
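Review bot: `gitleaks detect -v` in the new `leaks:gitleaks` job prints every finding to the job log, and in verbose mode that includes the matched secret itself, so a credential the scanner catches becomes readable by anyone who can open the pipeline; add `--redact` (`- gitleaks detect -v --redact -c gitleaks.toml ./`) so the log shows the location but not the value. The image `"zricethezav/gitleaks"` carries no tag, so each run pulls whatever `latest` currently is; pin a version tag, preferably with a digest, so the scan is reproducible and a changed image cannot silently alter what the job does. The `merge_request_event` rule means a commit pushed directly to `master` or `develop`, the branches the deploy rules further up target, is never scanned; a branch rule for those two refs would close that gap. Presumably the runner's default shallow fetch also limits `detect` to the fetched commits, so older history is not covered by this job — worth confirming against the project's `GIT_DEPTH`.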
@@ -187,21 +203,21 @@ build_fls_win: - shell - python -publish_fls: +publish:fls: extends: .publish_template - needs: [build_fls_win, build_fls_lnx] + needs: ['build:fls:win', 'build:fls:lnx'] environment: name: fls/$CI_COMMIT_REF_SLUG action: prepare -deploy_fls: +deploy:fls: extends: .deploy_template - needs: [publish_fls] + needs: ['publish:fls'] environment: name: fls/$CI_COMMIT_REF_SLUG # GKS -build_gks_lnx: +build:gks:lnx: extends: .build_template_lnx environment: name: gks/$CI_COMMIT_REF_SLUG @@ -210,7 +226,7 @@ build_gks_lnx: - python - linux -build_gks_win: +build:gks:win: extends: .build_template_win environment: name: gks/$CI_COMMIT_REF_SLUG @@ -220,21 +236,21 @@ build_gks_win: - shell - python -publish_gks: +publish:gks: extends: .publish_template - needs: [build_gks_win, build_gks_lnx] + needs: ['build:gks:win', 'build:gks:lnx'] environment: name: gks/$CI_COMMIT_REF_SLUG action: prepare -deploy_gks: +deploy:gks: extends: .deploy_template - needs: [publish_gks] + needs: ['publish:gks'] environment: name: gks/$CI_COMMIT_REF_SLUG # SDS -build_sds_lnx: +build:sds:lnx: extends: .build_template_lnx environment: name: sds/$CI_COMMIT_REF_SLUG @@ -243,7 +259,7 @@ build_sds_lnx: - python - linux -build_sds_win: +build:sds:win: extends: .build_template_win environment: name: sds/$CI_COMMIT_REF_SLUG @@ -253,21 +269,21 @@ build_sds_win: - shell - python -publish_sds: +publish:sds: extends: .publish_template - needs: [build_sds_win, build_sds_lnx] + needs: ['build:sds:win', 'build:sds:lnx'] environment: name: sds/$CI_COMMIT_REF_SLUG action: prepare -deploy_sds: +deploy:sds: extends: .deploy_template - needs: [publish_sds] + needs: ['publish:sds'] environment: name: sds/$CI_COMMIT_REF_SLUG # LSS -build_lss_lnx: +build:lss:lnx: extends: .build_template_lnx environment: name: lss/$CI_COMMIT_REF_SLUG @@ -276,7 +292,7 @@ build_lss_lnx: - python - linux -build_lss_win: +build:lss:win: extends: .build_template_win environment: name: lss/$CI_COMMIT_REF_SLUG 
@@ -286,15 +302,15 @@ build_lss_win: - shell - python -publish_lss: +publish:lss: extends: .publish_template - needs: [build_lss_win, build_lss_lnx] + needs: ['build:lss:win', 'build:lss:lnx'] environment: name: lss/$CI_COMMIT_REF_SLUG action: prepare -deploy_lss: +deploy:lss: extends: .deploy_template - needs: [publish_lss] + needs: ['publish:lss'] environment: name: lss/$CI_COMMIT_REF_SLUG -- GitLab From 9d23fbb7d56ee10ee1c0326f0d7a339b9eb71519 Mon Sep 17 00:00:00 2001 From: Lukas Schreiner Date: Wed, 20 Jul 2022 21:44:41 +0200 Subject: [PATCH 2/6] Use default leaks config --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 4121759..51f125d 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -165,7 +165,7 @@ leaks:gitleaks: # fatal: unsafe repository ('/builds/...' is owned by someone else) # with recent git versions - git config --global --add safe.directory $CI_PROJECT_DIR - - gitleaks detect -v -c gitleaks.toml ./ + - gitleaks detect -v ./ rules: - if: $CI_PIPELINE_SOURCE == 'merge_request_event' -- GitLab From 41331c2093cc6fbd36eda6f1cb3329613dd84fd8 Mon Sep 17 00:00:00 2001 From: Lukas Schreiner Date: Wed, 20 Jul 2022 21:50:49 +0200 Subject: [PATCH 3/6] Added OWASP --- .gitlab-ci.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 51f125d..e4cf05c 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -2,6 +2,7 @@ # only cache local items. variables: PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip" + OWASP_DEPENDENCY_CHECK: 'owasp_dependency_check' stages: - install_dependencies 
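Review bot: The added `OWASP_DEPENDENCY_CHECK: 'owasp_dependency_check'` variable is not read by the `leaks:depcheck` job introduced in the same patch or by anything else in these hunks, and it is left behind when patch 4 replaces the OWASP job with Safety, so it ends up as a dead setting in the top-level `variables:` block. Either reference it (for example as the job's `--project` name or as a rule condition) or drop the line. If it is kept, a comment above it stating what consumes it would stop the next reader from asking the same question.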
@@ -169,6 +170,29 @@ leaks:gitleaks: rules: - if: $CI_PIPELINE_SOURCE == 'merge_request_event' +leaks:depcheck: + image: + name: registry.gitlab.com/gitlab-ci-utils/docker-dependency-check:latest + entrypoint: [""] + stage: leaks + script: + - /usr/share/dependency-check/bin/dependency-check.sh --scan "./" --format ALL --project "$CI_PROJECT_NAME" --failOnCVSS 0 --suppression /suppressions/npm_fp_suppression.xml --suppression /suppressions/npm_na_suppressions.xml + after_script: + # Add artificial metrics report to collect release evidence + - echo 'dependency_check run' > metrics.txt + allow_failure: true + artifacts: + when: always + expose_as: 'OWASP Dependency Check Report' + paths: + - 'dependency-check-report.html' + - 'dependency-check-report.json' + # Add artificial metrics report to collect release evidence + reports: + metrics: metrics.txt + rules: + - if: $CI_PIPELINE_SOURCE == 'merge_request_event' + dep:lnx: extends: .env_template_lnx image: python:latest -- GitLab From f861dc08a3fbe1525e2ce1486b188be9fc6e064f Mon Sep 17 00:00:00 2001 From: Lukas Schreiner Date: Wed, 20 Jul 2022 22:08:00 +0200 Subject: [PATCH 4/6] Added Safety, removed OWASP --- .gitlab-ci.yml | 25 +++++++++++++------------ requirements.txt | 8 ++++---- 2 files changed, 17 insertions(+), 16 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index e4cf05c..17089d4 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
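Review bot: `allow_failure: true` combined with `--failOnCVSS 0` makes `leaks:depcheck` advisory only: any scored finding fails the job, but the failed job never blocks the merge request, so the result is seen only by someone who opens the job or the exposed artifact. The same `allow_failure: true` is carried over unchanged into the Safety job in patch 4 and the Bandit job in patch 6. Once the two suppression files cover the known false positives, drop `allow_failure` (or raise `--failOnCVSS` to the threshold the team is prepared to block on) so a new vulnerability actually stops the merge. The image tag `:latest` has the same reproducibility problem as the untagged gitleaks image in patch 1; pin it.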
@@ -171,25 +171,26 @@ leaks:gitleaks: - if: $CI_PIPELINE_SOURCE == 'merge_request_event' leaks:depcheck: - image: - name: registry.gitlab.com/gitlab-ci-utils/docker-dependency-check:latest - entrypoint: [""] + image: python:latest stage: leaks + before_script: + - python --version # For debugging + - python -m pip install safety script: - - /usr/share/dependency-check/bin/dependency-check.sh --scan "./" --format ALL --project "$CI_PROJECT_NAME" --failOnCVSS 0 --suppression /suppressions/npm_fp_suppression.xml --suppression /suppressions/npm_na_suppressions.xml + - safety check -r requirements.txt --full-report + - safety check -r requirements.txt --json > dependency-check-report.json after_script: # Add artificial metrics report to collect release evidence - echo 'dependency_check run' > metrics.txt allow_failure: true artifacts: - when: always - expose_as: 'OWASP Dependency Check Report' - paths: - - 'dependency-check-report.html' - - 'dependency-check-report.json' - # Add artificial metrics report to collect release evidence - reports: - metrics: metrics.txt + when: always + expose_as: 'Safety Dependency Check Report' + paths: + - 'dependency-check-report.json' + # Add artificial metrics report to collect release evidence + reports: + metrics: metrics.txt rules: - if: $CI_PIPELINE_SOURCE == 'merge_request_event' diff --git a/requirements.txt b/requirements.txt index 33b0aed..c5d5f45 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,4 @@ -PyQt5 -cx_Freeze -requests -sentry-sdk \ No newline at end of file +PyQt5-Qt5==5.15.7 +cx_Freeze==6.11.1 +requests==2.28.1 +sentry-sdk==1.7.2 \ No newline at end of file -- GitLab From 90107a954ec417de7b7595ef29a237374587bd66 Mon Sep 17 00:00:00 2001 From: Lukas Schreiner Date: Wed, 20 Jul 2022 22:10:08 +0200 Subject: [PATCH 5/6] Prepare to make freq. checks --- .gitlab-ci.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 17089d4..fc8bf4c 100644 
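Review bot: `safety check -r requirements.txt` is invoked twice in the new `script`, once for `--full-report` and once for `--json`, so the vulnerability database is queried twice and only the second run's exit status decides the job; a single `safety check -r requirements.txt --json > dependency-check-report.json` followed by `cat dependency-check-report.json` (the pattern the Bandit job in patch 6 uses) yields the same artifact and log. `python -m pip install safety` in `before_script` installs whatever release is current at run time, so the checker itself is unpinned in a job whose purpose is dependency hygiene; pin it, e.g. `python -m pip install safety==<PINNED_VERSION>`. The job name `depcheck` and the file name `dependency-check-report.json` still refer to the removed OWASP tool; renaming them to match Safety would save confusion later.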
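Review bot: Replacing `PyQt5` with `PyQt5-Qt5==5.15.7` changes which package is installed, not just its version: `PyQt5-Qt5` is the wheel that ships the Qt runtime libraries and is a dependency of `PyQt5`, not a substitute for it, so the Python bindings are no longer listed in this file and `import PyQt5` will fail on a fresh install unless something else pulls them in. The line should read `PyQt5==5.15.7`, which brings `PyQt5-Qt5` along as needed. Pinning the other three packages to exact versions is the right move here, since Safety can only evaluate the versions it can resolve from this file.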
--- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -168,7 +168,7 @@ leaks:gitleaks: - git config --global --add safe.directory $CI_PROJECT_DIR - gitleaks detect -v ./ rules: - - if: $CI_PIPELINE_SOURCE == 'merge_request_event' + - if: $CI_PIPELINE_SOURCE == 'merge_request_event' leaks:depcheck: image: python:latest @@ -193,6 +193,7 @@ leaks:depcheck: metrics: metrics.txt rules: - if: $CI_PIPELINE_SOURCE == 'merge_request_event' + - if: $CI_PIPELINE_SOURCE == "schedule" dep:lnx: extends: .env_template_lnx -- GitLab From 5b1e8e97a011c08755d6aaf3c2efd8606b97d680 Mon Sep 17 00:00:00 2001 From: Lukas Schreiner Date: Wed, 20 Jul 2022 22:22:04 +0200 Subject: [PATCH 6/6] Added bandit --- .gitlab-ci.yml | 34 +++++++++++++++++++++++++++++----- 1 file changed, 29 insertions(+), 5 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index fc8bf4c..25cbd2f 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -6,7 +6,7 @@ variables: stages: - install_dependencies - - leaks + - security - build - publish - deploy @@ -156,8 +156,8 @@ stages: - if: ($CI_COMMIT_BRANCH == "master" || $CI_COMMIT_BRANCH == "develop") && $BUILD_CFG && $DEPLOY_SCP_HOST # actions for merge request. -leaks:gitleaks: - stage: leaks +security:gitleaks: + stage: security image: name: "zricethezav/gitleaks" entrypoint: [""] @@ -170,9 +170,9 @@ leaks:gitleaks: rules: - if: $CI_PIPELINE_SOURCE == 'merge_request_event' -leaks:depcheck: +security:depcheck: image: python:latest - stage: leaks + stage: security before_script: - python --version # For debugging - python -m pip install safety 
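Review bot: The new `- if: $CI_PIPELINE_SOURCE == "schedule"` rule on `leaks:depcheck` creates a scheduled scan whose result nobody sees: the job keeps `allow_failure: true`, so a scheduled pipeline stays green when Safety reports a newly published advisory, and there is no merge request on which the exposed artifact would surface. For scheduled runs the job should be allowed to fail the pipeline, which GitLab supports per rule: keep `- if: $CI_PIPELINE_SOURCE == "schedule"` and add `  allow_failure: false` indented under it on the next line. As a matter of style the two conditions mix `'merge_request_event'` and `"schedule"`; use one quoting style for both.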
@@ -195,6 +195,30 @@ leaks:depcheck: - if: $CI_PIPELINE_SOURCE == 'merge_request_event' - if: $CI_PIPELINE_SOURCE == "schedule" +security:staticcode: + image: python:latest + stage: security + before_script: + - python --version # For debugging + - python -m pip install bandit + script: + - bandit -r . -s B110 -f json -o bandit-report.json + - cat bandit-report.json + after_script: + # Add artificial metrics report to collect release evidence + - echo 'bandit_check run' > metrics.txt + allow_failure: true + artifacts: + when: always + expose_as: 'Safety Bandit Report' + paths: + - 'bandit-report.json' + # Add artificial metrics report to collect release evidence + reports: + metrics: metrics.txt + rules: + - if: $CI_PIPELINE_SOURCE == 'merge_request_event' + dep:lnx: extends: .env_template_lnx image: python:latest -- GitLab
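Review bot: In `security:staticcode` the `cat bandit-report.json` line never runs in the case that matters: `script` stops at the first failing command, and `bandit` exits non-zero exactly when it has findings, so the report is echoed to the log only on a clean run. Move the `cat` into `after_script` next to the `echo 'bandit_check run' > metrics.txt` line, which runs regardless of the script's exit status. `-s B110` skips the try/except/pass check for the whole tree with no stated reason; add a comment above the line saying why, or move the skip into a `.bandit` config where it is reviewable. `expose_as: 'Safety Bandit Report'` looks copy-pasted from the Safety job; `'Bandit Report'` names the right tool. `-r .` will also walk `.cache/pip` if the pip cache is restored into the checkout, so scoping with `-x ./.cache` (or pointing `-r` at the source directory) keeps third-party code out of the findings — hedged, since this job declares no `cache:` of its own.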