From 2a7bd3aa9e05295b648fa6e719efe6fa8f8435ce Mon Sep 17 00:00:00 2001
From: Eric Rosenberg
Date: Tue, 21 Jul 2020 16:39:53 +0000
Subject: [PATCH 1/9] CI: enable SAST, Secret-Detection, and Dependency Scanning

---
 .gitlab-ci.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 49af38dd2..c45466397 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -110,3 +110,8 @@ shellcheck:
 # - stage: test
 # - script:
 # - cd changehat/pam_apparmor && make check
+
+include:
+  - template: SAST.gitlab-ci.yml
+  - template: Secret-Detection.gitlab-ci.yml
+  - template: Dependency-Scanning.gitlab-ci.yml

From 9f8c0d25e373878045241bc853c315c6c2cc682d Mon Sep 17 00:00:00 2001
From: intrigeri
Date: Sun, 13 Feb 2022 12:26:19 +0000
Subject: [PATCH 2/9] CI: only run Debian'ish commands on jobs run on Debian'ish systems

---
 .gitlab-ci.yml | 30 ++++++++++++++++++++++++------
 1 file changed, 24 insertions(+), 6 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index c45466397..86148caf6 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,11 +1,5 @@
 ---
 image: ubuntu:latest
-before_script:
-  - export DEBIAN_FRONTEND=noninteractive
-  - apt-get update -qq
-  - apt-get install --no-install-recommends -y gcc perl liblocale-gettext-perl linux-libc-dev lsb-release make
-  - lsb_release -a
-  - uname -a
 
 # XXX - add a deploy stage to publish man pages, docs, and coverage
 # reports
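Review bot: The Secret-Detection job included here scans, by default, only the commits that belong to the pipeline being run, so anything already committed before this change is never looked at; run one pipeline with `SECRET_DETECTION_HISTORIC_SCAN: "true"` set (a manual pipeline variable is enough) before treating a green job as evidence that the repository history is clean. The three templates are resolved from the GitLab instance that runs the pipeline, not from this repository, so the analyzer set and rule versions move with instance upgrades rather than with commits here; a one-line comment above `include:` such as `# Analyzer versions follow the GitLab instance, there is no pin in this file` saves the next reader from looking for one.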
@@ -14,11 +8,21 @@ stages:
   - build
   - test
 
+.ubuntu-before_script:
+  before_script:
+    - export DEBIAN_FRONTEND=noninteractive
+    - apt-get update -qq
+    - apt-get install --no-install-recommends -y gcc perl liblocale-gettext-perl linux-libc-dev lsb-release make
+    - lsb_release -a
+    - uname -a
+
 .install-c-build-deps: &install-c-build-deps
   - apt-get install --no-install-recommends -y build-essential apache2-dev autoconf automake bison dejagnu flex libpam-dev libtool pkg-config python3-all-dev python3-setuptools ruby-dev swig zlib1g-dev
 
 build-all:
   stage: build
+  extends:
+    - .ubuntu-before_script
   artifacts:
     name: ${CI_COMMIT_REF_NAME}-${CI_COMMIT_SHA}
     expire_in: 30 days
@@ -44,6 +48,8 @@ build-all:
 test-libapparmor:
   stage: test
   needs: ["build-all"]
+  extends:
+    - .ubuntu-before_script
   script:
     - *install-c-build-deps
     - make -C libraries/libapparmor check
@@ -51,6 +57,8 @@ test-libapparmor:
 test-parser:
   stage: test
   needs: ["build-all"]
+  extends:
+    - .ubuntu-before_script
   script:
     - *install-c-build-deps
     - make -C parser check
@@ -58,12 +66,16 @@ test-parser:
 test-binutils:
   stage: test
   needs: ["build-all"]
+  extends:
+    - .ubuntu-before_script
   script:
     - make -C binutils check
 
 test-utils:
   stage: test
   needs: ["build-all"]
+  extends:
+    - .ubuntu-before_script
   script:
     - apt-get install --no-install-recommends -y libc6-dev libjs-jquery libjs-jquery-throttle-debounce libjs-jquery-isonscreen libjs-jquery-tablesorter pyflakes3 python3-coverage python3-notify2 python3-psutil
     # See apparmor/apparmor#221
@@ -79,12 +91,16 @@ test-utils:
 test-mod-apparmor:
   stage: test
   needs: ["build-all"]
+  extends:
+    - .ubuntu-before_script
   script:
     - make -C changehat/mod_apparmor check
 
 test-profiles:
   stage: test
   needs: ["build-all"]
+  extends:
+    - .ubuntu-before_script
   script:
     - make -C profiles check-parser
     - make -C profiles check-abstractions.d
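Review bot: `.ubuntu-before_script` is consumed through `extends:`, and `extends` merges hashes but replaces arrays, so any job that later declares its own `before_script:` silently loses the `apt-get update`/`apt-get install` setup instead of appending to it; that kind of breakage only surfaces later as a missing-package failure. A comment on the hidden job would make the contract explicit, e.g. `# Extending jobs must not define before_script: themselves (extends replaces it); put extra setup in script:.` The hidden job also installs `gcc perl ... make` into every job that extends it, including ones that appear to need only the `apt-get update`; if that list grows, splitting the update step from the toolchain install keeps the lighter jobs lean.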
@@ -92,6 +108,8 @@ test-profiles:
 shellcheck:
   stage: test
   needs: []
+  extends:
+    - .ubuntu-before_script
   script:
     - apt-get install --no-install-recommends -y file shellcheck xmlstarlet
     - shellcheck --version

From 7d69e55074d1fc799a3f85436e66427d86f8f58d Mon Sep 17 00:00:00 2001
From: intrigeri
Date: Sun, 13 Feb 2022 12:49:21 +0000
Subject: [PATCH 3/9] CI: disable spotbugs SAST analyzer

It requires building our Ant projects, which have not been touched in years.

---
 .gitlab-ci.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 86148caf6..2f8b068fb 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -133,3 +133,6 @@ include:
   - template: SAST.gitlab-ci.yml
   - template: Secret-Detection.gitlab-ci.yml
   - template: Dependency-Scanning.gitlab-ci.yml
+
+variables:
+  SAST_EXCLUDED_ANALYZERS: "spotbugs"

From 9240e12e739a429f471b457705143e48640cc09a Mon Sep 17 00:00:00 2001
From: intrigeri
Date: Sun, 13 Feb 2022 12:54:27 +0000
Subject: [PATCH 4/9] CI: disable Dependency Scanning

According to https://docs.gitlab.com/ee/user/application_security/dependency_scanning/, "dependency scanning lets you know if your application uses an external (open source) library that is known to be vulnerable". AppArmor is not the kind of project that benefits from it: we don't link statically against our dependencies, nor bundle them into released artifacts.

---
 .gitlab-ci.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 2f8b068fb..707f8c9ae 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -132,7 +132,6 @@ shellcheck:
 include:
   - template: SAST.gitlab-ci.yml
   - template: Secret-Detection.gitlab-ci.yml
-  - template: Dependency-Scanning.gitlab-ci.yml
 
 variables:
   SAST_EXCLUDED_ANALYZERS: "spotbugs"

From 8655cf162a93cc2909da00cca48c58d50f2b0526 Mon Sep 17 00:00:00 2001
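Review bot: `shellcheck` now inherits the whole `.ubuntu-before_script`, so a job whose own script installs only `file shellcheck xmlstarlet` first pulls `gcc perl liblocale-gettext-perl linux-libc-dev lsb-release make` on every run; presumably the only thing it needs from the hidden job is the `apt-get update` so that its own `apt-get install` can resolve packages. If so, a hidden job carrying just `export DEBIAN_FRONTEND=noninteractive` and `apt-get update -qq`, with the toolchain install layered on top for the build and test jobs, would keep this job smaller and faster. The rest of the shellcheck script continues outside the hunk.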
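Review bot: The reason spotbugs is switched off lives only in the commit message; later on `SAST_EXCLUDED_ANALYZERS: "spotbugs"` reads as an arbitrary choice, and analyzer exclusions tend to be copied forward without re-evaluation. A comment on the variable keeps the justification with the setting, e.g. `# spotbugs: needs the Ant projects built, and those have not been touched in years`. Note also that a top-level `variables:` block is exported into every job of the pipeline, which is harmless for this name but worth keeping in mind as more analyzer tuning accumulates here.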
From: intrigeri
Date: Sun, 13 Feb 2022 13:09:32 +0000
Subject: [PATCH 5/9] CI: disable flawfinder SAST analyzer

It reports hundreds of issues, lots of them with critical severity. The GitLab UI allows dismissing them one-by-one very quickly, but I'm not a good person to do that. Let's try to have a better signal/noise ratio for this first iteration.

---
 .gitlab-ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 707f8c9ae..24c000742 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -134,4 +134,4 @@ include:
   - template: Secret-Detection.gitlab-ci.yml
 
 variables:
-  SAST_EXCLUDED_ANALYZERS: "spotbugs"
+  SAST_EXCLUDED_ANALYZERS: "flawfinder,spotbugs"

From 9bbbcd84479462ea2092df68537e330bc8a9d149 Mon Sep 17 00:00:00 2001
From: intrigeri
Date: Sun, 13 Feb 2022 13:11:59 +0000
Subject: [PATCH 6/9] CI: disable ESLint SAST analyzer

We have no JavaScript code, let's make the GitLab CI user interface leaner.

---
 .gitlab-ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 24c000742..6754c468f 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -134,4 +134,4 @@ include:
   - template: Secret-Detection.gitlab-ci.yml
 
 variables:
-  SAST_EXCLUDED_ANALYZERS: "flawfinder,spotbugs"
+  SAST_EXCLUDED_ANALYZERS: "eslint,flawfinder,spotbugs"

From 086fb04f21b0455d9264aa9e2e205784496aad76 Mon Sep 17 00:00:00 2001
From: intrigeri
Date: Sun, 13 Feb 2022 13:20:07 +0000
Subject: [PATCH 7/9] CI: disable SemGrep SAST analyzer

It runs the flawfinder checks, so let's disable this one for the same reason we disabled flawfinder.

---
 .gitlab-ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 6754c468f..13cfffae2 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
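Review bot: With flawfinder excluded there is no C analyzer left in the SAST run, yet the C components this pipeline exercises (`parser`, `libraries/libapparmor`, `binutils`, `changehat/mod_apparmor`) are exactly the code that runs on users' systems, so the part of the tree with the highest security stakes ends up with the least automated coverage. Before dropping the analyzer outright it is worth checking whether `SAST_EXCLUDED_PATHS`, which GitLab applies to every analyzer's findings, trimmed to the test directories cuts the noise enough to keep it on; the template's SAST jobs are normally non-blocking (`allow_failure: true`), so untriaged findings do not fail pipelines in the meantime. If it stays excluded, record that in the file rather than only in the commit message: `# flawfinder: hundreds of untriaged findings on the C tree; re-enable once they have been triaged`.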
@@ -134,4 +134,4 @@ include:
   - template: Secret-Detection.gitlab-ci.yml
 
 variables:
-  SAST_EXCLUDED_ANALYZERS: "eslint,flawfinder,spotbugs"
+  SAST_EXCLUDED_ANALYZERS: "eslint,flawfinder,semgrep,spotbugs"

From 8c8965a7204475aa631b6f888a85fc20e8559c7d Mon Sep 17 00:00:00 2001
From: intrigeri
Date: Sun, 13 Feb 2022 13:28:38 +0000
Subject: [PATCH 8/9] CI: don't run the Bandit SAST analyzer on our test suites

Let's focus for now on code that runs on our users' systems.

---
 .gitlab-ci.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 13cfffae2..a1a5a4319 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -135,3 +135,4 @@ include:
 
 variables:
   SAST_EXCLUDED_ANALYZERS: "eslint,flawfinder,semgrep,spotbugs"
+  SAST_BANDIT_EXCLUDED_PATHS: "*/tst/*, */test/*"

From bf4134e7055ee1f09f48d9cc8982925548aeac84 Mon Sep 17 00:00:00 2001
From: intrigeri
Date: Sun, 13 Feb 2022 14:06:43 +0000
Subject: [PATCH 9/9] Provide examples of how to disable a Bandit SAST analyzer warning

---
 utils/apparmor/aa.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
index 38923f756..cf6ddf8bb 100644
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -17,7 +17,7 @@ from __future__ import division, with_statement
 import os
 import re
 import shutil
-import subprocess
+import subprocess # nosec
 import sys
 import time
 import traceback
@@ -341,7 +341,7 @@ def get_output(params):
     '''Runs the program with the given args and returns the return code and stdout (as list of lines)'''
     try:
         # Get the output of the program
-        output = subprocess.check_output(params)
+        output = subprocess.check_output(params) # nosec
         ret = 0
     except OSError as e:
         raise AppArmorException(_("Unable to fork: %(program)s\n\t%(error)s") % { 'program': params[0], 'error': str(e) })
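Review bot: Excluding `semgrep` removes more than the flawfinder-derived C rules: GitLab's semgrep analyzer also carries its rulesets for other languages, Python among them, so this line is broader than the commit message suggests. Python coverage presumably continues through the separate bandit analyzer (the `SAST_BANDIT_EXCLUDED_PATHS` tuning later in this series implies it still runs), but that should be confirmed in the pipeline's SAST report rather than assumed, since GitLab has been migrating languages from bandit to semgrep. Either way the reason belongs next to the setting, e.g. `# semgrep: also runs the flawfinder C rules, excluded for the same reason as flawfinder`.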
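Review bot: A bare `# nosec` silences every bandit check that could ever match the line, not just the one it was written for, so as an example it teaches the broadest form of the suppression. Bandit accepts test ids on the marker (since the 1.7 series, if I recall correctly), and the import finding is B404, so `import subprocess  # nosec B404` documents what is being waived while leaving other checks active; the same narrowing applies to the call site in the next hunk.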
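Review bot: The `# nosec` on `check_output(params)` records that a finding was waived but not why, and a reader cannot tell whether someone verified the call or just wanted the dashboard clean. The finding here is bandit's B603 (subprocess without a shell), and the call is acceptable precisely because `params` is an argv list passed without `shell=True`, so say that where the suppression lives: change the preceding comment to `# Get the output of the program; params is an argv list, no shell is involved (bandit B603)` and the call to `output = subprocess.check_output(params)  # nosec B603`. Narrowing to the id matters because an unqualified marker would also hide a future finding on this line, for instance if someone adds `shell=True`. `get_output` continues past the end of the hunk.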