Commit 858a5865 authored by SBassett's avatar SBassett

Refactor various npm-related security templates

* Remove version-based directory structure
* Add single, per-tool ci template files, based upon configurable
  docker-registry.wikimedia.org images (via new env var)
* Update ci templates to support multiple, nested package/-lock.json files
* Add support for configurable tool options (via new env var)
* Other misc. cleanup
parent 7b5e07d4
auditjs_dependency_check:
image: docker-registry.wikimedia.org/${WM_APPSEC_NPM_IMAGE}
stage: test
allow_failure: false # failed security job fails pipeline by default
variables:
AUDITJS_OPTIONS: "ossi"
before_script:
- apt-get update -yqq && apt-get install -yqq git
- npm install -g auditjs
- |
# check if alternative npm audit options were specified calling gitlab-ci.yml file
if [ ! -z ${WM_APPSEC_AUDITJS_OPTIONS} ]; then
AUDITJS_OPTIONS=${WM_APPSEC_AUDITJS_OPTIONS}
fi
# create a new package lock file, run auditjs
script:
- |
root_dir=$(pwd)
file_list=$(git diff-tree --no-commit-id --name-only -r $CI_COMMIT_SHA -- \
{*package.json,*package-lock.json,*/package.json,*/package-lock.json})
# find all modified package.json files and run audit-ci against them
TOTAL_EXIT_CODES=0
for f in $file_list; do
npm_dir="$(dirname "$f")"
cd $root_dir/$npm_dir
npm install --package-lock-only
echo -e "\n "
echo -e "----- $f -----"
echo -e "\n "
set -e
EXIT_CODE=0
auditjs ${AUDITJS_OPTIONS} || EXIT_CODE=$?
TOTAL_EXIT_CODES=$(($TOTAL_EXIT_CODES + $EXIT_CODE))
done
if [ "$TOTAL_EXIT_CODES" -gt 0 ]; then
echo -e "\n "
echo -e "At least one package.json file contained vulnerable dependencies, please review."
echo -e "\n "
exit 1
fi
# only run on changes to package and package.lock .json
only:
changes:
- package.json
- package-lock.json
- "**/*package.json"
- "**/*package-lock.json"
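Review bot: The override check in before_script, `if [ ! -z ${WM_APPSEC_AUDITJS_OPTIONS} ]; then`, leaves the variable unquoted, so a value holding more than one option splits into several arguments, `[` fails with "too many arguments", the `then` branch is skipped and the default `ossi` runs instead — the override is silently lost. Write it as `if [ -n "${WM_APPSEC_AUDITJS_OPTIONS}" ]; then`, and use the same quoted form for `WM_APPSEC_NPM_OUTDATED_OPTIONS` in the npm-outdated template; the npm_audit template's override block sits outside its visible hunk but presumably has the same shape. Separately, nothing documents the required `WM_APPSEC_NPM_IMAGE`, and an empty expansion leaves the job trying to pull `docker-registry.wikimedia.org/`; a comment above `image:` such as `# WM_APPSEC_NPM_IMAGE is required and must be set by the including .gitlab-ci.yml: image path and tag under docker-registry.wikimedia.org, e.g. nodejs10-devel:0.0.4` would make that explicit.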
auditjs_dependency_check:
image: docker-registry.wikimedia.org/nodejs10-devel:0.0.4
stage: test
allow_failure: false # failed security job fails pipeline by default
variables:
AUDITJS_OPTIONS: "ossi"
before_script:
- apt-get update -yqq
- npm install -g auditjs
- npm install
# create a new package lock file, run auditjs
script:
- auditjs ${AUDITJS_OPTIONS}
# only run on changes to package and package.lock .json
only:
changes:
- package.json
- package-lock.json
- "**/*package.json"
- "**/*package-lock.json"
auditjs_dependency_check:
image: docker-registry.wikimedia.org/nodejs12-devel:0.0.1
stage: test
allow_failure: false # failed security job fails pipeline by default
variables:
AUDITJS_OPTIONS: "ossi"
before_script:
- apt-get update -yqq
- npm install -g auditjs
- npm install
# create a new package lock file, run auditjs
script:
- auditjs ${AUDITJS_OPTIONS}
# only run on changes to package and package.lock .json
only:
changes:
- package.json
- package-lock.json
- "**/*package.json"
- "**/*package-lock.json"
auditjs_dependency_check:
# node14 not fully-supported yet?
image: docker-registry.wikimedia.org/releng/node14:0.0.3
stage: test
allow_failure: false # failed security job fails pipeline by default
variables:
AUDITJS_OPTIONS: "ossi"
before_script:
- user root
- apt-get update -yqq
- npm install -g auditjs
- npm install
- user nobody
# create a new package lock file, run auditjs
script:
- auditjs ${AUDITJS_OPTIONS}
# only run on changes to package and package.lock .json
only:
changes:
- package.json
- package-lock.json
- "**/*package.json"
- "**/*package-lock.json"
npm_audit_dependency_check:
image: docker-registry.wikimedia.org/nodejs10-devel:0.0.4
stage: test
allow_failure: false
variables:
NPM_AUDIT_OPTIONS: "--moderate=true --skip-dev=true --report=true"
before_script:
- apt-get update -yqq
- npm install -g audit-ci
script:
- |
root_dir=$(pwd)
file_list=$(git diff-tree --no-commit-id --name-only -r $CI_COMMIT_SHA -- \
{*package.json,*package-lock.json,*/package.json,*/package-lock.json})
for f in $file_list; do
npm_dir="$(dirname "$f")"
cd $root_dir/$npm_dir
npm install
echo -e "\n "
echo -e "----- $f -----"
echo -e "\n "
audit-ci ${NPM_AUDIT_OPTIONS}
done
# only run on changes to package and package.lock .json
only:
changes:
- package.json
- package-lock.json
- "**/*package.json"
- "**/*package-lock.json"
npm_audit_dependency_check:
image: docker-registry.wikimedia.org/${WM_APPSEC_NPM_IMAGE}
stage: test
allow_failure: false
......@@ -43,8 +44,7 @@ npm_audit_dependency_check:
echo -e "\n "
exit 1
fi
# only run on changes to package and package.lock .json
only:
changes:
npm-outdated_dependency_check:
image: docker-registry.wikimedia.org/nodejs10-devel:0.0.4
stage: test
allow_failure: true # npm outdated should NOT fail a pipeline, purely informational
variables:
NPM_OUTDATED_OPTIONS: ""
before_script:
- apt-get update -yqq
- npm install -g check-outdated
- npm install
# create a new package lock file, run auditjs
script:
- check-outdated ${NPM_OUTDATED_OPTIONS}
# only run on changes to package and package.lock .json
only:
changes:
- package.json
- package-lock.json
- "**/*package.json"
- "**/*package-lock.json"
npm-outdated_dependency_check:
image: docker-registry.wikimedia.org/nodejs12-devel:0.0.1
stage: test
allow_failure: true # npm oudated should NOT fail a pipeline
variables:
NPM_OUTDATED_OPTIONS: ""
before_script:
- apt-get update -yqq
- npm install -g check-outdated
- npm install
# create a new package lock file, run auditjs
script:
- check-outdated ${NPM_OUTDATED_OPTIONS}
# only run on changes to package and package.lock .json
only:
changes:
- package.json
- package-lock.json
- "**/*package.json"
- "**/*package-lock.json"
npm-outdated_dependency_check:
image: docker-registry.wikimedia.org/nodejs12-devel:0.0.1
stage: test
allow_failure: true # npm outdated should NOT fail an appsec pipeline
variables:
NPM_OUTDATED_OPTIONS: ""
before_script:
- apt-get update -yqq
- npm install -g check-outdated
- npm install
# create a new package lock file, run auditjs
script:
- check-outdated ${NPM_OUTDATED_OPTIONS}
# only run on changes to package and package.lock .json
only:
changes:
- package.json
- package-lock.json
- "**/*package.json"
- "**/*package-lock.json"
npm_audit_dependency_check:
image: docker-registry.wikimedia.org/releng/node14-test-browser:0.0.2
npm-outdated_dependency_check:
image: docker-registry.wikimedia.org/${WM_APPSEC_NPM_IMAGE}
stage: test
allow_failure: false
allow_failure: true # npm outdated should NOT fail a pipeline
variables:
NPM_AUDIT_OPTIONS: "--moderate=true --skip-dev=true --report=true"
NPM_OUTDATED_OPTIONS: ""
before_script:
- apt-get update -yqq && apt-get install -yqq git
- npm install -g audit-ci
- npm install -g check-outdated
- |
# check if alternative npm audit options were specified calling gitlab-ci.yml file
if [ ! -z ${WM_APPSEC_NPM_OUTDATED_OPTIONS} ]; then
NPM_OUTDATED_OPTIONS=${WM_APPSEC_NPM_OUTDATED_OPTIONS}
fi
# create a new package lock file, run auditjs
script:
- |
- |
root_dir=$(pwd)
file_list=$(git diff-tree --no-commit-id --name-only -r $CI_COMMIT_SHA -- \
{*package.json,*package-lock.json,*/package.json,*/package-lock.json})
# find all modified package.json files and run audit-ci against them
TOTAL_EXIT_CODES=0
for f in $file_list; do
npm_dir="$(dirname "$f")"
cd $root_dir/$npm_dir
......@@ -23,10 +32,18 @@ npm_audit_dependency_check:
echo -e "\n "
echo -e "----- $f -----"
echo -e "\n "
audit-ci ${NPM_AUDIT_OPTIONS}
set -e
EXIT_CODE=0
check-outdated ${NPM_OUTDATED_OPTIONS} || EXIT_CODE=$?
TOTAL_EXIT_CODES=$(($TOTAL_EXIT_CODES + $EXIT_CODE))
done
if [ "$TOTAL_EXIT_CODES" -gt 0 ]; then
echo -e "\n "
echo -e "At least one package.json file contained outdated dependencies, please review."
echo -e "\n "
fi
# only run on changes to package and package.lock .json
only:
changes:
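Review bot: Several comments in the npm-outdated template were carried over from the npm-audit one and now describe the wrong tool: `# check if alternative npm audit options were specified calling gitlab-ci.yml file` guards `WM_APPSEC_NPM_OUTDATED_OPTIONS`, `# create a new package lock file, run auditjs` heads a script that runs check-outdated, and `# find all modified package.json files and run audit-ci against them` likewise. Suggested replacements: `# use check-outdated options from the calling .gitlab-ci.yml if any were given`, `# for each changed package dir: create a package lock file, run check-outdated`, `# find all modified package.json files and run check-outdated against them`. One further point, which applies to the auditjs template as well: `file_list` comes from `git diff-tree ... $CI_COMMIT_SHA`, i.e. only the head commit's changes, while `only: changes` fires on the whole push or merge request, so a package.json changed in an earlier commit of the same push yields an empty list and a green job; if that reading is right, diffing against the pipeline's base commit (for push pipelines GitLab exposes it as `CI_COMMIT_BEFORE_SHA`) would close the gap. The enclosing script block starts before the visible `@@ -23,10 +32,18 @@` hunk header.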