mirror of
https://gitlab.com/apparmor/apparmor
synced 2025-08-28 12:58:07 +00:00
Merge CI: enable Secret-Detection and a few SAST analyzers
This MR depends on !843, mostly for convenience and to avoid having to rework it once !843 is merged. If this turns out to be a blocker, I can rebase it `--onto` master. It's based on the draft from !584 and !716, but on top of copying'n'pasting the examples from the GitLab documentation, which was necessary but not sufficient, in this MR I tried my best to make these features work in our context: it actually passes CI, it does not clutter the CI UI with jobs that are not applicable here, and it yields a manageable amount of output (as opposed to hundreds of "OMG you're using format strings", that I don't think any of us is going to triage one by one any time soon). MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/844 Acked-by: Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>
This commit is contained in:
John Johansen
commit
4300953dc8
@ -1,11 +1,5 @@
|
|||||||
---
|
---
|
||||||
image: ubuntu:latest
|
image: ubuntu:latest
|
||||||
before_script:
|
|
||||||
- export DEBIAN_FRONTEND=noninteractive
|
|
||||||
- apt-get update -qq
|
|
||||||
- apt-get install --no-install-recommends -y gcc perl liblocale-gettext-perl linux-libc-dev lsb-release make
|
|
||||||
- lsb_release -a
|
|
||||||
- uname -a
|
|
||||||
|
|
||||||
# XXX - add a deploy stage to publish man pages, docs, and coverage
|
# XXX - add a deploy stage to publish man pages, docs, and coverage
|
||||||
# reports
|
# reports
|
||||||
@ -14,11 +8,21 @@ stages:
|
|||||||
- build
|
- build
|
||||||
- test
|
- test
|
||||||
|
|
||||||
|
.ubuntu-before_script:
|
||||||
|
before_script:
|
||||||
|
- export DEBIAN_FRONTEND=noninteractive
|
||||||
|
- apt-get update -qq
|
||||||
|
- apt-get install --no-install-recommends -y gcc perl liblocale-gettext-perl linux-libc-dev lsb-release make
|
||||||
|
- lsb_release -a
|
||||||
|
- uname -a
|
||||||
|
|
||||||
.install-c-build-deps: &install-c-build-deps
|
.install-c-build-deps: &install-c-build-deps
|
||||||
- apt-get install --no-install-recommends -y build-essential apache2-dev autoconf automake bison dejagnu flex libpam-dev libtool pkg-config python3-all-dev python3-setuptools ruby-dev swig zlib1g-dev
|
- apt-get install --no-install-recommends -y build-essential apache2-dev autoconf automake bison dejagnu flex libpam-dev libtool pkg-config python3-all-dev python3-setuptools ruby-dev swig zlib1g-dev
|
||||||
|
|
||||||
build-all:
|
build-all:
|
||||||
stage: build
|
stage: build
|
||||||
|
extends:
|
||||||
|
- .ubuntu-before_script
|
||||||
artifacts:
|
artifacts:
|
||||||
name: ${CI_COMMIT_REF_NAME}-${CI_COMMIT_SHA}
|
name: ${CI_COMMIT_REF_NAME}-${CI_COMMIT_SHA}
|
||||||
expire_in: 30 days
|
expire_in: 30 days
|
||||||
@ -44,6 +48,8 @@ build-all:
|
|||||||
test-libapparmor:
|
test-libapparmor:
|
||||||
stage: test
|
stage: test
|
||||||
needs: ["build-all"]
|
needs: ["build-all"]
|
||||||
|
extends:
|
||||||
|
- .ubuntu-before_script
|
||||||
script:
|
script:
|
||||||
- *install-c-build-deps
|
- *install-c-build-deps
|
||||||
- make -C libraries/libapparmor check
|
- make -C libraries/libapparmor check
|
||||||
@ -51,6 +57,8 @@ test-libapparmor:
|
|||||||
test-parser:
|
test-parser:
|
||||||
stage: test
|
stage: test
|
||||||
needs: ["build-all"]
|
needs: ["build-all"]
|
||||||
|
extends:
|
||||||
|
- .ubuntu-before_script
|
||||||
script:
|
script:
|
||||||
- *install-c-build-deps
|
- *install-c-build-deps
|
||||||
- make -C parser check
|
- make -C parser check
|
||||||
@ -58,12 +66,16 @@ test-parser:
|
|||||||
test-binutils:
|
test-binutils:
|
||||||
stage: test
|
stage: test
|
||||||
needs: ["build-all"]
|
needs: ["build-all"]
|
||||||
|
extends:
|
||||||
|
- .ubuntu-before_script
|
||||||
script:
|
script:
|
||||||
- make -C binutils check
|
- make -C binutils check
|
||||||
|
|
||||||
test-utils:
|
test-utils:
|
||||||
stage: test
|
stage: test
|
||||||
needs: ["build-all"]
|
needs: ["build-all"]
|
||||||
|
extends:
|
||||||
|
- .ubuntu-before_script
|
||||||
script:
|
script:
|
||||||
- apt-get install --no-install-recommends -y libc6-dev libjs-jquery libjs-jquery-throttle-debounce libjs-jquery-isonscreen libjs-jquery-tablesorter pyflakes3 python3-coverage python3-notify2 python3-psutil
|
- apt-get install --no-install-recommends -y libc6-dev libjs-jquery libjs-jquery-throttle-debounce libjs-jquery-isonscreen libjs-jquery-tablesorter pyflakes3 python3-coverage python3-notify2 python3-psutil
|
||||||
# See apparmor/apparmor#221
|
# See apparmor/apparmor#221
|
||||||
@ -79,12 +91,16 @@ test-utils:
|
|||||||
test-mod-apparmor:
|
test-mod-apparmor:
|
||||||
stage: test
|
stage: test
|
||||||
needs: ["build-all"]
|
needs: ["build-all"]
|
||||||
|
extends:
|
||||||
|
- .ubuntu-before_script
|
||||||
script:
|
script:
|
||||||
- make -C changehat/mod_apparmor check
|
- make -C changehat/mod_apparmor check
|
||||||
|
|
||||||
test-profiles:
|
test-profiles:
|
||||||
stage: test
|
stage: test
|
||||||
needs: ["build-all"]
|
needs: ["build-all"]
|
||||||
|
extends:
|
||||||
|
- .ubuntu-before_script
|
||||||
script:
|
script:
|
||||||
- make -C profiles check-parser
|
- make -C profiles check-parser
|
||||||
- make -C profiles check-abstractions.d
|
- make -C profiles check-abstractions.d
|
||||||
@ -92,6 +108,8 @@ test-profiles:
|
|||||||
shellcheck:
|
shellcheck:
|
||||||
stage: test
|
stage: test
|
||||||
needs: []
|
needs: []
|
||||||
|
extends:
|
||||||
|
- .ubuntu-before_script
|
||||||
script:
|
script:
|
||||||
- apt-get install --no-install-recommends -y file shellcheck xmlstarlet
|
- apt-get install --no-install-recommends -y file shellcheck xmlstarlet
|
||||||
- shellcheck --version
|
- shellcheck --version
|
||||||
@ -110,3 +128,11 @@ shellcheck:
|
|||||||
# - stage: test
|
# - stage: test
|
||||||
# - script:
|
# - script:
|
||||||
# - cd changehat/pam_apparmor && make check
|
# - cd changehat/pam_apparmor && make check
|
||||||
|
|
||||||
|
include:
|
||||||
|
- template: SAST.gitlab-ci.yml
|
||||||
|
- template: Secret-Detection.gitlab-ci.yml
|
||||||
|
|
||||||
|
variables:
|
||||||
|
SAST_EXCLUDED_ANALYZERS: "eslint,flawfinder,semgrep,spotbugs"
|
||||||
|
SAST_BANDIT_EXCLUDED_PATHS: "*/tst/*, */test/*"
|
||||||
|
|||||||
@ -17,7 +17,7 @@ from __future__ import division, with_statement
|
|||||||
import os
|
import os
|
||||||
import re
|
import re
|
||||||
import shutil
|
import shutil
|
||||||
import subprocess
|
import subprocess # nosec
|
||||||
import sys
|
import sys
|
||||||
import time
|
import time
|
||||||
import traceback
|
import traceback
|
||||||
@ -341,7 +341,7 @@ def get_output(params):
|
|||||||
'''Runs the program with the given args and returns the return code and stdout (as list of lines)'''
|
'''Runs the program with the given args and returns the return code and stdout (as list of lines)'''
|
||||||
try:
|
try:
|
||||||
# Get the output of the program
|
# Get the output of the program
|
||||||
output = subprocess.check_output(params)
|
output = subprocess.check_output(params) # nosec
|
||||||
ret = 0
|
ret = 0
|
||||||
except OSError as e:
|
except OSError as e:
|
||||||
raise AppArmorException(_("Unable to fork: %(program)s\n\t%(error)s") % { 'program': params[0], 'error': str(e) })
|
raise AppArmorException(_("Unable to fork: %(program)s\n\t%(error)s") % { 'program': params[0], 'error': str(e) })
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user