
Add .gitlab.yml and veracode upload script #15

Merged: 1 commit merged into master from task/olpedge-804 on Oct 23, 2019

Conversation

ystefinko (Collaborator)

Added 2 files:

  • gitlab yml is for Pipeline setup on Gitlab for a scheduled security scan (weekly or other; the schedule setting is in the Gitlab UI under Pipeline > Schedules)
  • bash script which packs all .ts files into a zip and uploads it to Veracode Static Scan
    Two hidden variables will be defined in the Gitlab Project Settings: VERACODE_API_PWD, VERACODE_API_USER.

Resolves: OLPEDGE-804

Signed-off-by: Yaroslav Stefinko [email protected]

@ystefinko ystefinko added the ci ci/cd related, scripts, devops tasks label Oct 22, 2019
leonid-ziskel
leonid-ziskel previously approved these changes Oct 23, 2019
# Examples:
# veracodeUpload.sh /tmp/veracode.war [email protected] 443849 1.0.0-RC1
#
LATEST_TAG=$(git describe --tags)
leonid-ziskel (Contributor)

Why do you take the latest tag? Maybe better the commit hash the script used to run the scanner on?

ystefinko (Collaborator, Author)

From my side, when I get an email with the title
"SPC - Veracode results for OLP EDGE Enablers (TypeScript) Build olp-edge-ts-v0.9.1-1-g94ca2be-168 Policy Compliance=Pass Score=99"
it is better than:
"SPC - Veracode results for OLP EDGE Enablers (TypeScript) Build olp-edge-ts-1-g94ca2be-168 Policy Compliance=Pass Score=99"
because the second does not give us any versioning information.

This hash (g94ca2be) is random data generated by Veracode, not our commit hash on Github (01db17a).

What is your suggestion then?

leonid-ziskel (Contributor) Oct 23, 2019

My suggestion would be olp-edge-ts-01db17a-1-g94ca2be-168, i.e. to take the git commit hash instead of the tag. Reason: we ran the scanner on master and not on the tag.

ystefinko (Collaborator, Author)

Updated.
Chose your suggestion as it's clearer for you and Oleksii.
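The thread above settles on naming each Veracode build after the commit that was actually scanned, so a scan result can be traced back to an exact source tree, and on taking the API credentials from hidden GitLab project variables. The POSIX sh below is an added example, not the project's veracodeUpload.sh: it builds a label from a prefix, a commit hash and a pipeline id (the "olp-edge-ts", "01db17a" and "168" values follow the thread), rejects anything that is not a hex hash so a tag name can never be mistaken for a commit, and checks that VERACODE_API_USER and VERACODE_API_PWD are set before any upload would happen. The label layout "<prefix>-<short-hash>-<pipeline-id>" and the use of GitLab's predefined CI_COMMIT_SHA and CI_PIPELINE_ID variables are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the project's veracodeUpload.sh): name the Veracode build
# by the scanned commit, and fail early when CI credentials are missing.
# Assumed label layout: <prefix>-<7-char commit hash>-<pipeline id>.

# build_label PREFIX COMMIT PIPELINE_ID
# Prints e.g. "olp-edge-ts-01db17a-168"; returns 1 if COMMIT is not a hex hash.
build_label() {
  prefix="$1"; commit="$2"; pipeline="$3"
  # Abbreviate to 7 hex characters, the same width git uses for short hashes.
  short=$(printf '%s' "$commit" | cut -c1-7)
  # Refuse a tag name, an empty string or anything else that is not hex:
  # the label must identify the exact tree that was scanned.
  case "$short" in
    *[!0-9a-f]*|'') return 1 ;;
  esac
  printf '%s-%s-%s\n' "$prefix" "$short" "$pipeline"
}

# require_credentials
# Succeeds only when both CI-provided variables are set and non-empty, so the
# pipeline stops here instead of uploading with blank or hard-coded credentials.
require_credentials() {
  [ -n "${VERACODE_API_USER:-}" ] && [ -n "${VERACODE_API_PWD:-}" ]
}

# In a GitLab job the inputs come from the predefined CI variables (assumed usage):
#   require_credentials || { echo "Veracode credentials not set" >&2; exit 1; }
#   build_label olp-edge-ts "$CI_COMMIT_SHA" "$CI_PIPELINE_ID"
```

Outside GitLab the commit can be taken from `git rev-parse HEAD`; either way the label names the tree the scanner saw, not the most recent tag reachable from it.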

@OleksiiZubko OleksiiZubko merged commit e418d53 into master Oct 23, 2019
@OleksiiZubko OleksiiZubko deleted the task/olpedge-804 branch October 23, 2019 11:04