Skip to content
GitLab
Explore
Sign in
Primary navigation
Search or go to…
Project
DBRepo
Manage
Activity
Members
Labels
Plan
External wiki
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Deploy
Releases
Package registry
Model registry
Operate
Terraform modules
Analyze
Contributor analytics
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
GitLab community forum
Contribute to GitLab
Provide feedback
Terms and privacy
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
FAIR Data Austria DB Repository
DBRepo
Commits
7ff0fde9
Verified
Commit
7ff0fde9
authored
2 years ago
by
Martin Weise
Browse files
Options
Downloads
Patches
Plain Diff
Added Trivy scanner to the pipeline
parent
30e85ec8
No related branches found
No related tags found
2 merge requests
!163
Relase 1.3.0
,
!158
Resolve "CI/CD vulnerability scanner"
Changes
4
Show whitespace changes
Inline
Side-by-side
Showing
4 changed files
.gitignore
+3
-0
3 additions, 0 deletions
.gitignore
.gitlab-ci.yml
+310
-3
310 additions, 3 deletions
.gitlab-ci.yml
.trivy/gitlab.tpl
+82
-0
82 additions, 0 deletions
.trivy/gitlab.tpl
Makefile
+88
-3
88 additions, 3 deletions
Makefile
with
483 additions
and
6 deletions
.gitignore
+
3
−
0
View file @
7ff0fde9
...
@@ -32,6 +32,9 @@ fda-ui/
...
@@ -32,6 +32,9 @@ fda-ui/
# Environment
# Environment
.env
.env
# scanning
.trivy/trivy-*.json
# Debug
# Debug
debug.txt
debug.txt
...
...
This diff is collapsed.
Click to expand it.
.gitlab-ci.yml
+
310
−
3
View file @
7ff0fde9
...
@@ -9,7 +9,9 @@ before_script:
...
@@ -9,7 +9,9 @@ before_script:
variables
:
variables
:
HOSTALIASES
:
./hosts
HOSTALIASES
:
./hosts
DOCKER_TLS_CERTDIR
:
/certs
DOCKER_TLS_CERTDIR
:
/certs
TAG
:
${TAG:-latest}
TAG
:
"
${TAG:-latest}"
TRIVY_NO_PROGRESS
:
"
true"
TRIVY_CACHE_DIR
:
"
.trivycache/"
cache
:
cache
:
paths
:
paths
:
...
@@ -24,6 +26,7 @@ stages:
...
@@ -24,6 +26,7 @@ stages:
-
test-backend
-
test-backend
-
test-frontend
-
test-frontend
-
build-docker
-
build-docker
-
scan-docker
-
release
-
release
build-metadata-db
:
build-metadata-db
:
...
@@ -334,10 +337,298 @@ build-frontend:
...
@@ -334,10 +337,298 @@ build-frontend:
script
:
script
:
-
make build-frontend
-
make build-frontend
scan-analyse-service
:
stage
:
scan-docker
needs
:
-
build-docker
allow_failure
:
true
script
:
-
make scan-analyse-service
cache
:
paths
:
-
.trivycache/
artifacts
:
when
:
always
expire_in
:
1 days
reports
:
container_scanning
:
./.trivy/trivy-analyse-service-report.json
scan-authentication-service
:
stage
:
scan-docker
needs
:
-
build-docker
allow_failure
:
true
script
:
-
make scan-authentication-service
cache
:
paths
:
-
.trivycache/
artifacts
:
when
:
always
expire_in
:
1 days
reports
:
container_scanning
:
./.trivy/trivy-authentication-service-report.json
scan-broker-service
:
stage
:
scan-docker
needs
:
-
build-docker
allow_failure
:
true
script
:
-
make scan-broker-service
cache
:
paths
:
-
.trivycache/
artifacts
:
when
:
always
expire_in
:
1 days
reports
:
container_scanning
:
./.trivy/trivy-broker-service-report.json
scan-container-service
:
stage
:
scan-docker
needs
:
-
build-docker
allow_failure
:
true
script
:
-
make scan-container-service
cache
:
paths
:
-
.trivycache/
artifacts
:
when
:
always
expire_in
:
1 days
reports
:
container_scanning
:
./.trivy/trivy-container-service-report.json
scan-database-service
:
stage
:
scan-docker
needs
:
-
build-docker
allow_failure
:
true
script
:
-
make scan-database-service
cache
:
paths
:
-
.trivycache/
artifacts
:
when
:
always
expire_in
:
1 days
reports
:
container_scanning
:
./.trivy/trivy-database-service-report.json
scan-discovery-service
:
stage
:
scan-docker
needs
:
-
build-docker
allow_failure
:
true
script
:
-
make scan-discovery-service
cache
:
paths
:
-
.trivycache/
artifacts
:
when
:
always
expire_in
:
1 days
reports
:
container_scanning
:
./.trivy/trivy-discovery-service-report.json
scan-gateway-service
:
stage
:
scan-docker
needs
:
-
build-docker
allow_failure
:
true
script
:
-
make scan-gateway-service
cache
:
paths
:
-
.trivycache/
artifacts
:
when
:
always
expire_in
:
1 days
reports
:
container_scanning
:
./.trivy/trivy-gateway-service-report.json
scan-identifier-service
:
stage
:
scan-docker
needs
:
-
build-docker
allow_failure
:
true
script
:
-
make scan-identifier-service
cache
:
paths
:
-
.trivycache/
artifacts
:
when
:
always
expire_in
:
1 days
reports
:
container_scanning
:
./.trivy/trivy-identifier-service-report.json
scan-metadata-db
:
stage
:
scan-docker
needs
:
-
build-docker
allow_failure
:
true
script
:
-
make scan-metadata-db
cache
:
paths
:
-
.trivycache/
artifacts
:
when
:
always
expire_in
:
1 days
reports
:
container_scanning
:
./.trivy/trivy-metadata-db-report.json
scan-metadata-service
:
stage
:
scan-docker
needs
:
-
build-docker
allow_failure
:
true
script
:
-
make scan-metadata-service
cache
:
paths
:
-
.trivycache/
artifacts
:
when
:
always
expire_in
:
1 days
reports
:
container_scanning
:
./.trivy/trivy-metadata-service-report.json
scan-proxy
:
stage
:
scan-docker
needs
:
-
build-docker
allow_failure
:
true
script
:
-
make scan-proxy
cache
:
paths
:
-
.trivycache/
artifacts
:
when
:
always
expire_in
:
1 days
reports
:
container_scanning
:
./.trivy/trivy-proxy-report.json
scan-query-service
:
stage
:
scan-docker
needs
:
-
build-docker
allow_failure
:
true
script
:
-
make scan-query-service
cache
:
paths
:
-
.trivycache/
artifacts
:
when
:
always
expire_in
:
1 days
reports
:
container_scanning
:
./.trivy/trivy-query-service-report.json
scan-search-service
:
stage
:
scan-docker
needs
:
-
build-docker
allow_failure
:
true
script
:
-
make scan-search-service
cache
:
paths
:
-
.trivycache/
artifacts
:
when
:
always
expire_in
:
1 days
reports
:
container_scanning
:
./.trivy/trivy-search-service-report.json
scan-semantics-service
:
stage
:
scan-docker
needs
:
-
build-docker
allow_failure
:
true
script
:
-
make scan-semantics-service
cache
:
paths
:
-
.trivycache/
artifacts
:
when
:
always
expire_in
:
1 days
reports
:
container_scanning
:
./.trivy/trivy-semantics-service-report.json
scan-table-service
:
stage
:
scan-docker
needs
:
-
build-docker
allow_failure
:
true
script
:
-
make scan-table-service
cache
:
paths
:
-
.trivycache/
artifacts
:
when
:
always
expire_in
:
1 days
reports
:
container_scanning
:
./.trivy/trivy-table-service-report.json
scan-ui
:
stage
:
scan-docker
needs
:
-
build-docker
allow_failure
:
true
script
:
-
make scan-ui
cache
:
paths
:
-
.trivycache/
artifacts
:
when
:
always
expire_in
:
1 days
reports
:
container_scanning
:
./.trivy/trivy-ui-report.json
scan-user-service
:
stage
:
scan-docker
needs
:
-
build-docker
allow_failure
:
true
script
:
-
make scan-user-service
cache
:
paths
:
-
.trivycache/
artifacts
:
when
:
always
expire_in
:
1 days
reports
:
container_scanning
:
./.trivy/trivy-user-service-report.json
release-latest
:
release-latest
:
stage
:
release
stage
:
release
needs
:
needs
:
-
build-docker
-
scan-analyse-service
-
scan-authentication-service
-
scan-broker-service
-
scan-container-service
-
scan-database-service
-
scan-discovery-service
-
scan-gateway-service
-
scan-identifier-service
-
scan-metadata-db
-
scan-metadata-service
-
scan-proxy
-
scan-query-service
-
scan-search-service
-
scan-semantics-service
-
scan-table-service
-
scan-ui
-
scan-user-service
only
:
only
:
refs
:
refs
:
-
dev
-
dev
...
@@ -349,7 +640,23 @@ release-latest:
...
@@ -349,7 +640,23 @@ release-latest:
release-version
:
release-version
:
stage
:
release
stage
:
release
needs
:
needs
:
-
build-docker
-
scan-analyse-service
-
scan-authentication-service
-
scan-broker-service
-
scan-container-service
-
scan-database-service
-
scan-discovery-service
-
scan-gateway-service
-
scan-identifier-service
-
scan-metadata-db
-
scan-metadata-service
-
scan-proxy
-
scan-query-service
-
scan-search-service
-
scan-semantics-service
-
scan-table-service
-
scan-ui
-
scan-user-service
only
:
only
:
refs
:
refs
:
-
master
-
master
...
...
This diff is collapsed.
Click to expand it.
.trivy/gitlab.tpl
0 → 100644
+
82
−
0
View file @
7ff0fde9
{{
-
/*
Template
based
on
https
://
docs
.
gitlab
.
com
/
ee
/
user
/
application_security
/
container_scanning
/
#
reports
-
json
-
format
*/
-
}}
{
"version": "14.0.6",
"vulnerabilities": [
{{- $t_first := true }}
{{- range . }}
{{- $target := .Target }}
{{- $image := $target | regexFind "[^\\s]+" }}
{{- range .Vulnerabilities -}}
{{- if $t_first -}}
{{- $t_first = false -}}
{{ else -}}
,
{{- end }}
{
"id": "{{ .VulnerabilityID }}",
"category": "container_scanning",
"message": {{ .Title | printf "%q" }},
"description": {{ .Description | printf "%q" }},
{{- /* cve is a deprecated key, use id instead */}}
"cve": "{{ .VulnerabilityID }}",
"severity": {{ if eq .Severity "UNKNOWN" -}}
"Unknown"
{{- else if eq .Severity "LOW" -}}
"Low"
{{- else if eq .Severity "MEDIUM" -}}
"Medium"
{{- else if eq .Severity "HIGH" -}}
"High"
{{- else if eq .Severity "CRITICAL" -}}
"Critical"
{{- else -}}
"{{ .Severity }}"
{{- end }},
"solution": {{ if .FixedVersion -}}
"Upgrade {{ .PkgName }} to {{ .FixedVersion }}"
{{- else -}}
"No solution provided"
{{- end }},
"scanner": {
"id": "trivy",
"name": "trivy"
},
"location": {
"dependency": {
"package": {
"name": "{{ .PkgName }}"
},
"version": "{{ .InstalledVersion }}"
},
{{- /* TODO: No mapping available - https://github.com/aquasecurity/trivy/issues/332 */}}
"operating_system": "Unknown",
"image": "{{ $image }}"
},
"identifiers": [
{
{{- /* TODO: Type not extractable - https://github.com/aquasecurity/trivy-db/pull/24 */}}
"type": "cve",
"name": "{{ .VulnerabilityID }}",
"value": "{{ .VulnerabilityID }}",
"url": "{{ .PrimaryURL }}"
}
],
"links": [
{{- $l_first := true -}}
{{- range .References -}}
{{- if $l_first -}}
{{- $l_first = false }}
{{- else -}}
,
{{- end -}}
{
"url": "{{ regexFind "[^ ]+" . }}"
}
{{- end }}
]
}
{{- end -}}
{{- end }}
],
"remediations": []
}
This diff is collapsed.
Click to expand it.
Makefile
+
88
−
3
View file @
7ff0fde9
.PHONY
:
clean all
.PHONY
:
clean all
TAG
?=
latest
TAG
?=
latest
TRIVY_VERSION
?=
v0.41.0
all
:
all
:
...
@@ -103,9 +104,6 @@ tag-broker:
...
@@ -103,9 +104,6 @@ tag-broker:
tag-search
:
tag-search
:
docker tag dbrepo-search-service:latest
"dbrepo/search-service:
${
TAG
}
"
docker tag dbrepo-search-service:latest
"dbrepo/search-service:
${
TAG
}
"
tag-user
:
docker tag dbrepo-user-service:latest
"dbrepo/user-service:
${
TAG
}
"
release
:
build-docker tag release-identifier release-search release-container release-database release-discovery release-gateway release-query release-table release-analyse release-authentication release-metadata-db release-ui release-units release-broker release-metadata release-user
release
:
build-docker tag release-identifier release-search release-container release-database release-discovery release-gateway release-query release-table release-analyse release-authentication release-metadata-db release-ui release-units release-broker release-metadata release-user
release-analyse
:
tag-analyse
release-analyse
:
tag-analyse
...
@@ -192,6 +190,93 @@ test-semantics-service: build-semantics-service
...
@@ -192,6 +190,93 @@ test-semantics-service: build-semantics-service
test-analyse-service
:
build-analyse-service
test-analyse-service
:
build-analyse-service
bash ./dbrepo-analyse-service/test.sh
bash ./dbrepo-analyse-service/test.sh
scan
:
scan-analyse-service scan-authentication-service scan-broker-service scan-container-service scan-database-service scan-discovery-service scan-gateway-service scan-identifier-service scan-metadata-db scan-metadata-service scan-proxy scan-query-service scan-search-service scan-semantics-service scan-table-service scan-ui scan-user-service
scan-analyse-service
:
trivy image
--exit-code
0
--format
template
--template
"@.trivy/gitlab.tpl"
-o
./.trivy/trivy-analyse-service-report.json dbrepo-analyse-service:latest
trivy image
--exit-code
0 dbrepo-analyse-service:latest
trivy image
--exit-code
1
--severity
CRITICAL dbrepo-analyse-service:latest
scan-authentication-service
:
trivy image
--exit-code
0
--format
template
--template
"@.trivy/gitlab.tpl"
-o
./.trivy/trivy-authentication-service-report.json dbrepo-authentication-service:latest
trivy image
--exit-code
0 dbrepo-authentication-service:latest
trivy image
--exit-code
1
--severity
CRITICAL dbrepo-authentication-service:latest
scan-broker-service
:
trivy image
--exit-code
0
--format
template
--template
"@.trivy/gitlab.tpl"
-o
./.trivy/trivy-broker-service-report.json dbrepo-broker-service:latest
trivy image
--exit-code
0 dbrepo-broker-service:latest
trivy image
--exit-code
1
--severity
CRITICAL dbrepo-broker-service:latest
scan-container-service
:
trivy image
--exit-code
0
--format
template
--template
"@.trivy/gitlab.tpl"
-o
./.trivy/trivy-container-service-report.json dbrepo-container-service:latest
trivy image
--exit-code
0 dbrepo-container-service:latest
trivy image
--exit-code
1
--severity
CRITICAL dbrepo-container-service:latest
scan-database-service
:
trivy image
--exit-code
0
--format
template
--template
"@.trivy/gitlab.tpl"
-o
./.trivy/trivy-database-service-report.json dbrepo-database-service:latest
trivy image
--exit-code
0 dbrepo-database-service:latest
trivy image
--exit-code
1
--severity
CRITICAL dbrepo-database-service:latest
scan-discovery-service
:
trivy image
--exit-code
0
--format
template
--template
"@.trivy/gitlab.tpl"
-o
./.trivy/trivy-discovery-service-report.json dbrepo-discovery-service:latest
trivy image
--exit-code
0 dbrepo-discovery-service:latest
trivy image
--exit-code
1
--severity
CRITICAL dbrepo-discovery-service:latest
scan-gateway-service
:
trivy image
--exit-code
0
--format
template
--template
"@.trivy/gitlab.tpl"
-o
./.trivy/trivy-gateway-service-report.json dbrepo-gateway-service:latest
trivy image
--exit-code
0 dbrepo-gateway-service:latest
trivy image
--exit-code
1
--severity
CRITICAL dbrepo-gateway-service:latest
scan-identifier-service
:
trivy image
--exit-code
0
--format
template
--template
"@.trivy/gitlab.tpl"
-o
./.trivy/trivy-identifier-service-report.json dbrepo-identifier-service:latest
trivy image
--exit-code
0 dbrepo-identifier-service:latest
trivy image
--exit-code
1
--severity
CRITICAL dbrepo-identifier-service:latest
scan-metadata-db
:
trivy image
--exit-code
0
--format
template
--template
"@.trivy/gitlab.tpl"
-o
./.trivy/trivy-metadata-db-report.json dbrepo-metadata-db:latest
trivy image
--exit-code
0 dbrepo-metadata-db:latest
trivy image
--exit-code
1
--severity
CRITICAL dbrepo-metadata-db:latest
scan-metadata-service
:
trivy image
--exit-code
0
--format
template
--template
"@.trivy/gitlab.tpl"
-o
./.trivy/trivy-metadata-service-report.json dbrepo-metadata-service:latest
trivy image
--exit-code
0 dbrepo-metadata-service:latest
trivy image
--exit-code
1
--severity
CRITICAL dbrepo-metadata-service:latest
scan-proxy
:
trivy image
--exit-code
0
--format
template
--template
"@.trivy/gitlab.tpl"
-o
./.trivy/trivy-proxy-report.json dbrepo-proxy:latest
trivy image
--exit-code
0 dbrepo-proxy:latest
trivy image
--exit-code
1
--severity
CRITICAL dbrepo-proxy:latest
scan-query-service
:
trivy image
--exit-code
0
--format
template
--template
"@.trivy/gitlab.tpl"
-o
./.trivy/trivy-query-service-report.json dbrepo-query-service:latest
trivy image
--exit-code
0 dbrepo-query-service:latest
trivy image
--exit-code
1
--severity
CRITICAL dbrepo-query-service:latest
scan-search-service
:
trivy image
--exit-code
0
--format
template
--template
"@.trivy/gitlab.tpl"
-o
./.trivy/trivy-search-service-report.json dbrepo-search-service:latest
trivy image
--exit-code
0 dbrepo-search-service:latest
trivy image
--exit-code
1
--severity
CRITICAL dbrepo-search-service:latest
scan-semantics-service
:
trivy image
--exit-code
0
--format
template
--template
"@.trivy/gitlab.tpl"
-o
./.trivy/trivy-semantics-service-report.json dbrepo-semantics-service:latest
trivy image
--exit-code
0 dbrepo-semantics-service:latest
trivy image
--exit-code
1
--severity
CRITICAL dbrepo-semantics-service:latest
scan-table-service
:
trivy image
--exit-code
0
--format
template
--template
"@.trivy/gitlab.tpl"
-o
./.trivy/trivy-table-service-report.json dbrepo-table-service:latest
trivy image
--exit-code
0 dbrepo-table-service:latest
trivy image
--exit-code
1
--severity
CRITICAL dbrepo-table-service:latest
scan-ui
:
trivy image
--exit-code
0
--format
template
--template
"@.trivy/gitlab.tpl"
-o
./.trivy/trivy-ui-report.json dbrepo-ui:latest
trivy image
--exit-code
0 dbrepo-ui:latest
trivy image
--exit-code
1
--severity
CRITICAL dbrepo-ui:latest
scan-user-service
:
trivy image
--exit-code
0
--format
template
--template
"@.trivy/gitlab.tpl"
-o
./.trivy/trivy-user-service-report.json dbrepo-user-service:latest
trivy image
--exit-code
0 dbrepo-user-service:latest
trivy image
--exit-code
1
--severity
CRITICAL dbrepo-user-service:latest
coverage-frontend
:
build-frontend
coverage-frontend
:
build-frontend
yarn
--cwd
./dbrepo-ui run coverage
||
true
yarn
--cwd
./dbrepo-ui run coverage
||
true
...
...
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment