Integrate Dependency-Check to CircleCI

mattermost · mattermod · May 26, 2020 · Apr 22, 2020 · Apr 22, 2020 · Apr 22, 2020
commit f35e5c4aed1788c91e8be9fec03b80a5860bf66a
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -31,6 +31,50 @@ jobs:
  cd node_modules/mattermost-redux && npm i && npm run build
  - *save_cache
 
+ check-deps:
+ parameters:
+ cve_data_directory:
+ type: string
+ default: "~/.owasp/dependency-check-data"
+ working_directory: ~/mattermost/mattermost-webapp
+ executor: owasp/default
+ environment:
+ version_url: "https://jeremylong.github.io/DependencyCheck/current.txt"
+ executable_url: "https://dl.bintray.com/jeremy-long/owasp/dependency-check-VERSION-release.zip"
+ steps:
+ - checkout
+ - *restore_cache
+ - run:
+ name: Checkout config
+ command: cd .. && git clone https://github.com/mattermost/security-automation-config
+ - run:
+ name: Install Go
+ command: sudo apt-get update && sudo apt-get install golang
+ - owasp/with_commandline:
+ steps:
+ # Taken from https://github.com/entur/owasp-orb/blob/master/src/%40orb.yml#L349-L361
+ - owasp/generate_cache_keys:
+ cache_key: commmandline-default-cache-key-v6
+ - owasp/restore_owasp_cache
+ - run:
+ name: Update OWASP Dependency-Check Database
+ command: ~/.owasp/dependency-check/bin/dependency-check.sh --data << parameters.cve_data_directory >> --updateonly
+ - owasp/store_owasp_cache:
+ cve_data_directory: <<parameters.cve_data_directory>>
+ - run:
+ name: Run OWASP Dependency-Check Analyzer
+ command: |
+ ~/.owasp/dependency-check/bin/dependency-check.sh \
+ --data << parameters.cve_data_directory >> --format ALL --noupdate --enableExperimental \
+ --suppression ../security-automation-config/dependency-check/suppression.xml \
+ --suppression ../security-automation-config/dependency-check/suppression.$CIRCLE_PROJECT_REPONAME.xml \
+ --scan './**/*' || true
+ - owasp/collect_reports:
+ persist_to_workspace: false
+ - run:
+ name: Post results to Mattermost
+ command: ../security-automation-config/dependency-check/post-results.sh
+
  lint:
  executor:
  name: default
@@ -175,6 +219,10 @@ workflows:
  untagged-build:
  jobs:
  - install
+ - check-deps:
+ context: sast-webhook
+ requires:
+ - install
  - lint:
  requires:
  - install