.gitlab-ci.yml


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141

variables:
  # Locale settings do not affect the build, but might affect tests.
  LC_ALL: C

  CI_REGISTRY_IMAGE: registry.gitlab.isc.org/isc-projects/kea

  # Setting this variable will affect all Security templates
  # (SAST, Dependency Scanning, ...)
  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"

  # Leave only bandit, flawfinder, semgrep.
  SAST_EXCLUDED_ANALYZERS: "eslint, spotbugs"

image: "${CI_REGISTRY_IMAGE}:latest"

stages:
  - test

are-database-scripts-in-sync:
  stage: test
  script:
    - ./src/share/database/scripts/utils/are-scripts-in-sync.py

check-for-json-errors-in-doc:
  stage: test
  script:
    - ./tools/check-for-json-errors-in-doc.sh

danger:
  stage: test
  before_script:
    - export CI_MERGE_REQUEST_ID=$(git ls-remote -q origin merge-requests\*\head | grep $CI_COMMIT_SHA | sed 's/.*refs\/merge-requests\/\([0-9]*\)\/head/\1/g')
    - export CI_PROJECT_PATH=$CI_PROJECT_ID #some version of gitlab has problems with searching by project path
    - export DANGER_GITLAB_HOST=gitlab.isc.org
    - export DANGER_GITLAB_API_BASE_URL=https://gitlab.isc.org/api/v4
  script:
    - danger --fail-on-errors=true --new-comment

duplicate-includes:
  stage: test
  script:
    - ./tools/check-for-duplicate-includes.sh

duplicate-log-messages:
  stage: test
  script:
    - ./tools/check-messages.py

uninstalled-headers:
  stage: test
  script:
    - ./tools/find-uninstalled-headers.py

missing-api-commands:
  stage: test
  script:
    - ./tools/check-for-missing-api-commands.sh

missing-config-h-include:
  stage: test
  script:
    - FILES=$(./tools/add-config-h.sh -n)
    - printf '%s\n' "${FILES}"
    - test -z "${FILES}"

missing-git-attribute:
  stage: test
  script:
    - git_diff=$(git diff)
    - if test -n "${git_diff}"; then printf '%s\n\ngit diff should be empty here under all circumstances. CI broken?\n' "${git_diff}"; exit 1; fi
    - ./tools/print-generated-files.sh -a
    - git_diff=$(git diff)
    - if test -n "${git_diff}"; then printf '%s\n\n.gitattributes are missing a generated file. Please run "./tools/print-generated-files.sh -a" and commit the resulting change to fix them.\n' "${git_diff}"; exit 1; fi

shellcheck:
  stage: test
  script:
    - ./tools/shellcheck-all.sh

.base_get_list_of_modified_files: &get_modified_files
  - MODIFIED_FILES=$(git diff --name-only $(git merge-base origin/master HEAD))
  - echo "${MODIFIED_FILES}"

.base_get_list_of_python_scripts: &get_python_scripts
  - PYTHON_SCRIPTS=$(find ${INPUT-.} -type f -not -path './.git/*' -and \( -name '*.py' -or -name '*.py.in' \) | sort)
  - echo "${PYTHON_SCRIPTS}"
  - if test -z "${PYTHON_SCRIPTS}"; then echo "No python scripts to check. Exiting early."; exit 0; fi

bandit:
  script:
    - bandit -r ./src -x ./.git

pycodestyle:
  stage: test
  script:
    # - *get_modified_files
    # - INPUT="${MODIFIED_FILES}"
    - *get_python_scripts
    - pycodestyle --config=.gitlab/ci/pycodestyle.cfg ${PYTHON_SCRIPTS}

pylint:
  stage: test
  script:
    # - *get_modified_files
    # - INPUT="${MODIFIED_FILES}"
    - *get_python_scripts
    - pylint --jobs "$(nproc || gnproc || echo 1)" --rcfile ./.gitlab/ci/pylint.rc ${PYTHON_SCRIPTS}
    # If we reached this point, it means pylint passed. Run again with all warnings enabled, but ignore the return code to show a list of improvements that the developer could do, even when CI is passing.
    - pylint --jobs "$(nproc || gnproc || echo 1)" --rcfile ./.gitlab/ci/pylint.rc --enable all ${PYTHON_SCRIPTS} || true

############################### SAST ################################
# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/sast/
#
# Configure SAST with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html).
# List of available variables: https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-variables

include:
  - template: Security/SAST.gitlab-ci.yml

.sast-analyzer:
  extends: sast
  allow_failure: true
  script:
    - /analyzer run

flawfinder-sast:
  extends: .sast-analyzer
  image:
    name: "$SAST_ANALYZER_IMAGE"
  variables:
    SAST_ANALYZER_IMAGE_TAG: latest
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/flawfinder:$SAST_ANALYZER_IMAGE_TAG"
  rules:
    - if: $SAST_DISABLED
      when: never
    - if: $SAST_EXCLUDED_ANALYZERS =~ /flawfinder/
      when: never
    - if: $CI_COMMIT_BRANCH
      exists:
        - '**/*.cc'
        - '**/*.h'