From 1cecd489999496afb031e240ff5c61889a08174e Mon Sep 17 00:00:00 2001 From: latlon team <info@lat-lon.de> Date: Tue, 9 Jul 2024 05:22:04 +0000 Subject: [PATCH] Code drop - XPLANBOX-2986 - upgrade owasp.version to 10.0.2 (3c32410cd) - XPLANBOX-2986 - added missing nvdApiKey in pom (1e7aa5ee8) - XPLANBOX-2986 - set nvdApiKeyEnvironmentVariable as environment variable (7ab8b7584) - XPLANBOX-2986 use NVD Api key for dependency-check plugin (6ade39716) Co-authored-by: Lyn Elisa Goltz <goltz@lat-lon.de> Co-authored-by: Marc Guillemot <guillemot@lat-lon.de> Dropped from commit: 64f758732be85478b824e47f0236e1f747c15fe9 --- .gitlab-ci.yml | 6 ++++-- README.md | 10 ++++++++-- gitlab/mvn-build-image.Dockerfile | 5 +++-- jenkinsfiles/owasp-check.Jenkinsfile | 8 +++++--- pom.xml | 5 +++-- 5 files changed, 23 insertions(+), 11 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index b412aaf3b..3ce3bdc3f 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -145,9 +145,12 @@ create-maven-build-image: name: gcr.io/kaniko-project/executor:v1.9.1-debug entrypoint: [""] script: +# see https://stackoverflow.com/questions/75442435/how-to-use-docker-build-secrets-with-kaniko + - mkdir -p /kaniko/run/secrets && cp $NVD_API_KEY_FILE /kaniko/run/secrets/nvdApiKey - /kaniko/executor --context "${CI_PROJECT_DIR}" --dockerfile "${CI_PROJECT_DIR}/gitlab/mvn-build-image.Dockerfile" + --build-arg SECRETS_DIR=/kaniko/run/secrets --destination "${CI_REGISTRY_IMAGE}/mvn-build-image:latest" --cache=true --compressed-caching=false --use-new-run --cleanup rules: 
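Review bot: The comment added above the new `mkdir`/`cp` step in create-maven-build-image only cites a link and does not say why the key file is staged under `/kaniko/run/secrets` and handed over through `--build-arg SECRETS_DIR`, which is the part a maintainer will trip over: as far as I can tell kaniko does not honour `RUN --mount=type=secret`, so the Dockerfile's `$SECRETS_DIR/nvdApiKey` only works because this path is reachable during the RUN and, being under `/kaniko`, is not snapshotted into a layer. I'd replace the link-only comment with `# kaniko ignores RUN --mount=type=secret: stage the key under /kaniko (not snapshotted into the image) and point the Dockerfile at it via SECRETS_DIR` and keep the link on a second comment line indented to the list items, which also satisfies yamllint's comments-indentation rule. The file variable should be quoted, `cp "$NVD_API_KEY_FILE" /kaniko/run/secrets/nvdApiKey`, so a path containing spaces is not word-split. The job's remaining keys (`rules:` onwards) continue outside the hunk.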
@@ -157,10 +160,9 @@ create-maven-build-image: # --------------------------------------------------------------------------------------------------------------------------- dependency-check: stage: build -# image: maven:3.8.6-jdk-11 image: registry.opencode.de/diplanung/ozgxplanung/mvn-build-image:latest script: - - 'mvn org.owasp:dependency-check-maven:aggregate -Ddependency-check.skip=false' + - export nvdApiKeyEnvironmentVariable=$(cat $NVD_API_KEY_FILE); mvn org.owasp:dependency-check-maven:aggregate -Ddependency-check.skip=false artifacts: when: always paths: diff --git a/README.md b/README.md index 8498a5572..d19b788e6 100644 --- a/README.md +++ b/README.md @@ -75,6 +75,11 @@ mvn clean install > **_Hinweis_**: Unter dem Betriebssystem Windows kann es bei der Ausführung von Unit-Test zu Fehlern kommen. Es kann dann erforderlich sein, die Tests zu überspringen. Dazu ist die Option `-DskipTests` beim Aufruf von Maven zu ergänzen. +Bei der Verwendung vom OWASP Dependency Check Maven Plugin kann die Issue Datenbank deutlich schneller heruntergeladen werden, wenn einen [NVD API Key](https://nvd.nist.gov/developers/request-an-api-key) verwendet wird. Dieser kann über eine Umgebungsvariable gesetzt werden: + +``` +export nvdApiKeyEnvironmentVariable=.... +``` #### Container Images erstellen Um Container Images aus dem Source Code auf Open CoDE zu bauen, sind folgende Anpassungen erforderlich. Die gebauten Container Images sind in der Container Registry verfügbar: https://gitlab.opencode.de/diplanung/ozgxplanung/container_registry/. 
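Review bot: The new dependency-check script line reads the key with `export nvdApiKeyEnvironmentVariable=$(cat $NVD_API_KEY_FILE)`, and `export` returns 0 even when the `cat` fails, so a run without `NVD_API_KEY_FILE` (for instance a pipeline from a ref the variable is not exposed to, if it is a protected variable) silently continues into `mvn` with the key unset instead of stopping. Splitting assignment and export lets the runner's fail-on-error setting catch it: `- nvdApiKeyEnvironmentVariable="$(cat "$NVD_API_KEY_FILE")"` followed by `- export nvdApiKeyEnvironmentVariable` and then the `mvn org.owasp:dependency-check-maven:aggregate -Ddependency-check.skip=false` command on its own line. The same masking pattern appears in the rewritten `RUN` of gitlab/mvn-build-image.Dockerfile in the next file section. The job's `artifacts:` block continues beyond the hunk.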
@@ -132,12 +137,13 @@ Das Pipeline Schedule [Create Maven Build Image](https://gitlab.opencode.de/dipl ##### Manuelle Erzeugung -Das Image kann auch manuell gebaut und gepusht werden. +Das Image kann auch manuell gebaut und gepusht werden. Dafür ist ein [NVD API Key notwendig](https://nvd.nist.gov/developers/request-an-api-key). ###### Docker Image lokal bauen ``` -docker build -t registry.opencode.de/diplanung/ozgxplanung/mvn-build-image:latest -f ci/mvn-build-image.Dockerfile . +export nvdApiKeyEnvironmentVariable=.... +docker build -t registry.opencode.de/diplanung/ozgxplanung/mvn-build-image:latest -f gitlab/mvn-build-image.Dockerfile --secret id=nvdApiKey,env=nvdApiKeyEnvironmentVariable . ``` ###### GitLab personal access token erstellen diff --git a/gitlab/mvn-build-image.Dockerfile b/gitlab/mvn-build-image.Dockerfile index e1d058c93..d9404db99 100644 --- a/gitlab/mvn-build-image.Dockerfile +++ b/gitlab/mvn-build-image.Dockerfile @@ -4,6 +4,7 @@ FROM maven:3.9.6-eclipse-temurin-17 ARG BUILD_DATE=? ARG DOCKER_IMAGE_NAME=? ARG GIT_REVISION=? +ARG SECRETS_DIR=/run/secrets ARG XPLANBOX_VERSION=latest # see https://github.com/opencontainers/image-spec/blob/main/annotations.md#pre-defined-annotation-keys @@ -20,8 +21,8 @@ LABEL "org.opencontainers.image.created"="$BUILD_DATE" \ RUN mkdir /tmp/ozgxplanung ADD . /tmp/ozgxplanung -RUN cd /tmp/ozgxplanung \ +RUN --mount=type=secret,id=nvdApiKey cd /tmp/ozgxplanung \ && mvn test -Pdocker --fail-never -Dtest=notExisting -Ddependency-check.skip=true \ - && mvn org.owasp:dependency-check-maven:aggregate -Ddependency-check.skip=false -Dformats=JUNIT \ + && export nvdApiKeyEnvironmentVariable=$(cat $SECRETS_DIR/nvdApiKey); mvn org.owasp:dependency-check-maven:aggregate -Ddependency-check.skip=false -Dformats=JUNIT \ && find $MAVEN_CONFIG/repository -name '*-SNAPSHOT' | xargs rm -rf \ && rm -rf /tmp/ozgxplanung \ No newline at end of file 
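Review bot: In the rewritten `RUN` of gitlab/mvn-build-image.Dockerfile the `;` after the `export` breaks the `&&` chain, so `mvn org.owasp:dependency-check-maven:aggregate`, the `find … | xargs rm -rf` and the `rm -rf /tmp/ozgxplanung` now run even when `cd /tmp/ozgxplanung` or the preceding `mvn test` failed, and the instruction's exit status only reflects that second list. Keeping it one chain also makes a missing secret file abort the build rather than run the scan with an empty key: `&& nvdApiKeyEnvironmentVariable="$(cat "$SECRETS_DIR/nvdApiKey")" && export nvdApiKeyEnvironmentVariable \` then `&& mvn org.owasp:dependency-check-maven:aggregate -Ddependency-check.skip=false -Dformats=JUNIT \`. The secret mount scoped to this one instruction plus the process-local shell variable should keep the key out of the image layers, which is worth a one-line comment above the instruction because the `SECRETS_DIR` indirection (default `/run/secrets`, overridden by the kaniko job) is not obvious from the file alone.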
diff --git a/jenkinsfiles/owasp-check.Jenkinsfile b/jenkinsfiles/owasp-check.Jenkinsfile
index c1b756b55..51f7aca53 100644
--- a/jenkinsfiles/owasp-check.Jenkinsfile
+++ b/jenkinsfiles/owasp-check.Jenkinsfile
@@ -11,7 +11,9 @@ pipeline {
 stage('Build with owasp check') {
 steps{
 withMaven(mavenLocalRepo: '.repository', mavenSettingsConfig: 'mvn-empty-settings', options: [junitPublisher(healthScaleFactor: 1.0)], publisherStrategy: 'EXPLICIT') {
- sh 'mvn -B -C clean install -Ddependency-check.skip=false'
+ withCredentials([string(credentialsId: 'nvdApiKey', variable: 'nvdApiKeyEnvironmentVariable')]) {
+ sh 'mvn -B -C clean install -Ddependency-check.skip=false'
+ }
 }
 }
 }
@@ -22,10 +24,10 @@ pipeline {
 dependencyCheckPublisher pattern: '**/target/dependency-check-report.xml'
 }
 failure {
- slackSend channel: '#build', message: "${env.JOB_NAME} failed, Buildnr: ${env.BUILD_NUMBER}", teamDomain: 'xplanbox', tokenCredentialId: 'slack-integration-id'
+ slackSend channel: '#build', message: "${env.JOB_NAME} failed, Buildnr: ${env.BUILD_NUMBER}\n${env.BUILD_URL}", teamDomain: 'xplanbox', tokenCredentialId: 'slack-integration-id'
 }
 unstable {
- slackSend channel: '#build', message: "${env.JOB_NAME} unstable, Buildnr: ${env.BUILD_NUMBER}", teamDomain: 'xplanbox', tokenCredentialId: 'slack-integration-id'
+ slackSend channel: '#build', message: "${env.JOB_NAME} unstable, Buildnr: ${env.BUILD_NUMBER}\n${env.BUILD_URL}", teamDomain: 'xplanbox', tokenCredentialId: 'slack-integration-id'
 }
 }
 }
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 4576dda09..f66af63b6 100644
--- a/pom.xml
+++ b/pom.xml
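Review bot: The new `withCredentials` binding in the first hunk carries no comment saying what consumes the variable, so a reader of the Jenkinsfile cannot tell why the name `nvdApiKeyEnvironmentVariable` is fixed: pom.xml reads it as `${env.nvdApiKeyEnvironmentVariable}` for dependency-check's `nvdApiKey`. I'd add, directly above the `withCredentials` line, `// variable name must match ${env.nvdApiKeyEnvironmentVariable} in pom.xml (dependency-check nvdApiKey)`. Handing the secret over through the environment while the `sh` string stays single-quoted is the right shape, since the key is never interpolated into the Groovy script text and the bound value is masked in the console log. The enclosing `pipeline` block starts and ends outside both hunks.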
@@ -38,7 +38,7 @@
 <liquibase.version>4.28.0</liquibase.version>
 <postgresql.version>42.7.3</postgresql.version>
 <picocli.version>4.7.6</picocli.version>
- <owasp.version>9.2.0</owasp.version>
+ <owasp.version>10.0.2</owasp.version>
 <!-- API properties -->
 <base.package.name>de.latlon.xplanbox</base.package.name>
 <jakarta.servlet-api.version>6.0.0</jakarta.servlet-api.version>
@@ -525,9 +525,10 @@
 <version>${owasp.version}</version>
 <configuration>
 <formats>HTML,JUNIT,XML</formats>
- <nvdValidForHours>24</nvdValidForHours>
 <failBuildOnCVSS>10</failBuildOnCVSS>
 <knownExploitedEnabled>false</knownExploitedEnabled>
+ <nvdValidForHours>24</nvdValidForHours>
+ <nvdApiKey>${env.nvdApiKeyEnvironmentVariable}</nvdApiKey>
 </configuration>
 <executions>
 <execution>
-- 
GitLab
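Review bot: `<nvdApiKey>${env.nvdApiKeyEnvironmentVariable}</nvdApiKey>` in the second hunk is unconditional, while the README change in this commit presents the variable as optional; as far as I recall, Maven passes an unresolvable `${env.…}` expression in plugin configuration through as its literal text, so a developer who has not set the variable would send the string `${env.nvdApiKeyEnvironmentVariable}` to NVD as an API key instead of falling back to unauthenticated access. Either document the variable as required wherever the plugin runs with `-Ddependency-check.skip=false`, or contribute the `<nvdApiKey>` setting only from a profile activated on the presence of the `env.nvdApiKeyEnvironmentVariable` property, so the plain build keeps working without a key. A short `<!-- NVD API key, taken from the environment; see README -->` above the element would make the contract visible in the pom itself. The plugin's `<executions>` continue outside the hunk.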