
Merge CI: enable Secret-Detection and a few SAST analyzers

This MR depends on !843, mostly for convenience and to avoid having to rework it once !843 is merged. If this turns out to be a blocker, I can rebase it `--onto` master.

It's based on the draft from !584 and !716, but on top of copying'n'pasting the examples from the GitLab documentation, which was necessary but not sufficient, in this MR I tried my best to make these features work in our context: it actually passes CI, it does not clutter the CI UI with jobs that are not applicable here, and it yields a manageable amount of output (as opposed to hundreds of "OMG you're using format strings", that I don't think any of us is going to triage one by one any time soon).

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/844
Acked-by: Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This commit is contained in:
John Johansen 2022-02-14 08:38:33 +00:00
commit 4300953dc8
2 changed files with 34 additions and 8 deletions


@ -1,11 +1,5 @@
---
image: ubuntu:latest
before_script:
- export DEBIAN_FRONTEND=noninteractive
- apt-get update -qq
- apt-get install --no-install-recommends -y gcc perl liblocale-gettext-perl linux-libc-dev lsb-release make
- lsb_release -a
- uname -a
# XXX - add a deploy stage to publish man pages, docs, and coverage
# reports
@ -14,11 +8,21 @@ stages:
- build
- test
.ubuntu-before_script:
before_script:
- export DEBIAN_FRONTEND=noninteractive
- apt-get update -qq
- apt-get install --no-install-recommends -y gcc perl liblocale-gettext-perl linux-libc-dev lsb-release make
- lsb_release -a
- uname -a
.install-c-build-deps: &install-c-build-deps
- apt-get install --no-install-recommends -y build-essential apache2-dev autoconf automake bison dejagnu flex libpam-dev libtool pkg-config python3-all-dev python3-setuptools ruby-dev swig zlib1g-dev
build-all:
stage: build
extends:
- .ubuntu-before_script
artifacts:
name: ${CI_COMMIT_REF_NAME}-${CI_COMMIT_SHA}
expire_in: 30 days
@ -44,6 +48,8 @@ build-all:
test-libapparmor:
stage: test
needs: ["build-all"]
extends:
- .ubuntu-before_script
script:
- *install-c-build-deps
- make -C libraries/libapparmor check
@ -51,6 +57,8 @@ test-libapparmor:
test-parser:
stage: test
needs: ["build-all"]
extends:
- .ubuntu-before_script
script:
- *install-c-build-deps
- make -C parser check
@ -58,12 +66,16 @@ test-parser:
test-binutils:
stage: test
needs: ["build-all"]
extends:
- .ubuntu-before_script
script:
- make -C binutils check
test-utils:
stage: test
needs: ["build-all"]
extends:
- .ubuntu-before_script
script:
- apt-get install --no-install-recommends -y libc6-dev libjs-jquery libjs-jquery-throttle-debounce libjs-jquery-isonscreen libjs-jquery-tablesorter pyflakes3 python3-coverage python3-notify2 python3-psutil
# See apparmor/apparmor#221
@ -79,12 +91,16 @@ test-utils:
test-mod-apparmor:
stage: test
needs: ["build-all"]
extends:
- .ubuntu-before_script
script:
- make -C changehat/mod_apparmor check
test-profiles:
stage: test
needs: ["build-all"]
extends:
- .ubuntu-before_script
script:
- make -C profiles check-parser
- make -C profiles check-abstractions.d
@ -92,6 +108,8 @@ test-profiles:
shellcheck:
stage: test
needs: []
extends:
- .ubuntu-before_script
script:
- apt-get install --no-install-recommends -y file shellcheck xmlstarlet
- shellcheck --version
@ -110,3 +128,11 @@ shellcheck:
# - stage: test
# - script:
# - cd changehat/pam_apparmor && make check
include:
- template: SAST.gitlab-ci.yml
- template: Secret-Detection.gitlab-ci.yml
variables:
SAST_EXCLUDED_ANALYZERS: "eslint,flawfinder,semgrep,spotbugs"
SAST_BANDIT_EXCLUDED_PATHS: "*/tst/*, */test/*"
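Review bot: `SAST_EXCLUDED_ANALYZERS` in the last hunk switches off flawfinder and semgrep, which, as far as I can tell from the stock SAST template, are the analyzers that cover the C/C++ sources under parser/ and libraries/; what remains is effectively bandit for the Python utilities. That is the deliberate trade-off the description explains, but the file itself does not say so, so a comment above `variables:` such as `# flawfinder/semgrep disabled: too noisy on the C sources to triage; bandit (Python) stays enabled` would stop the next maintainer from assuming the C code is scanned. The second `SAST_BANDIT_EXCLUDED_PATHS` glob carries a leading space after the comma (`"*/tst/*, */test/*"`); unless the analyzer trims it, that pattern will not match, so `"*/tst/*,*/test/*"` is the safer spelling. `image: ubuntu:latest` in the first hunk is untouched here, but a mutable tag means analyzer results are not reproducible from one run to the next.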


@ -17,7 +17,7 @@ from __future__ import division, with_statement
import os
import re
import shutil
import subprocess
import subprocess # nosec
import sys
import time
import traceback
@ -341,7 +341,7 @@ def get_output(params):
'''Runs the program with the given args and returns the return code and stdout (as list of lines)'''
try:
# Get the output of the program
output = subprocess.check_output(params)
output = subprocess.check_output(params) # nosec
ret = 0
except OSError as e:
raise AppArmorException(_("Unable to fork: %(program)s\n\t%(error)s") % { 'program': params[0], 'error': str(e) })
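Review bot: The bare `# nosec` markers added on the `import subprocess` line and the `subprocess.check_output(params)` line suppress every bandit finding on those lines, not only the ones being silenced now (B404 for the import, B603 for the call); pinning the test id, `import subprocess  # nosec B404` and `output = subprocess.check_output(params)  # nosec B603`, keeps any future finding on the same line visible. A short reason beside the second marker would also help, e.g. `# nosec B603 - params is an argv list, never run through a shell`, since that is the only thing that justifies the suppression. get_output's signature and the rest of its body lie outside the hunk, so whether `params` can ever be built from untrusted input cannot be confirmed from here.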