#!/usr/bin/env python
from gomatic import *
import os
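def _create_pipeline(group, pipeline_name, add_cf_vars=False, gocd=None):
    """Create (or replace) a pipeline in a GoCD pipeline group.

    Args:
        group: Name of the pipeline group; created if it does not exist.
        pipeline_name: Name of the pipeline. Any existing pipeline with this
            name is replaced, so re-running the script is idempotent.
        add_cf_vars: When true, copy CF_USERNAME and CF_PASSWORD from this
            process's environment onto the pipeline as secure variables and
            set CF_HOME to the job working directory.
        gocd: Configurator to add the pipeline to. Defaults to the
            module-level ``configurator`` so existing callers are unaffected.

    Returns:
        The gomatic pipeline object.

    Raises:
        KeyError: if add_cf_vars is set and CF_USERNAME or CF_PASSWORD is
            absent from the environment. The missing names are listed, and
            the check runs before the in-memory config is modified.
    """
    wanted = ("CF_USERNAME", "CF_PASSWORD")
    if add_cf_vars:
        missing = [name for name in wanted if name not in os.environ]
        if missing:
            raise KeyError("missing environment variable(s): " + ", ".join(missing))

    target = configurator if gocd is None else gocd
    pipeline_group = target.ensure_pipeline_group(group)
    pipeline = pipeline_group.ensure_replacement_of_pipeline(pipeline_name)
    if add_cf_vars:
        # The credential values are read from this process's environment and
        # handed to gomatic in clear text; how they are protected from here on
        # is up to gomatic/GoCD (the method name says "unencrypted ... secure").
        pipeline.ensure_unencrypted_secure_environment_variables(
            {name: os.environ[name] for name in wanted})
        pipeline.ensure_environment_variables({"CF_HOME": "."})
    return pipeline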
def _add_exec_task(job, command, working_dir=None, runif="passed"):
    """Append a login-shell command (``bash -l -c``) to *job*.

    ``command`` is handed to bash as one string and therefore interpreted by
    the shell; only the fixed literals written in this file are passed here.
    ``working_dir`` and ``runif`` are forwarded to ExecTask unchanged.
    """
    argv = ['/bin/bash', '-l', '-c', command]
    task = ExecTask(argv, working_dir=working_dir, runif=runif)
    job.add_task(task)
def _add_sudo_exec_task(job, command, working_dir=None, runif="passed"):
    """Append a command to *job* that runs under ``sudo`` via ``bash -c``.

    ``sudo `` is prepended by string concatenation, so the whole string is
    interpreted by the shell and executed as root on the agent; keep callers
    to the fixed literals in this file. Unlike _add_exec_task no login shell
    (``-l``) is used.
    """
    shell_line = 'sudo ' + command
    argv = ['/bin/bash', '-c', shell_line]
    job.add_task(ExecTask(argv, working_dir=working_dir, runif=runif))
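# Runtime binaries used by the csharp pipelines, installed on the agent.
_DNX_BIN = '/home/vagrant/.dnx/runtimes/dnx-coreclr-linux-x64.1.0.0-rc1-update1/bin'


def build_csharp_pipeline_group(configurator):
    """Define the ``csharp`` pipeline group.

    Three pipelines: csharp_build (restore + compile), then csharp_unit_test
    and csharp_vulnerable_components, which both consume the build artifact.

    ``configurator`` is accepted for symmetry with the other build_*
    functions but is not used directly: _create_pipeline adds pipelines to
    the module-level ``configurator``.
    """
    _csharp_build()
    _csharp_unit_test()
    _csharp_vulnerable_components()


def _csharp_build():
    """csharp_build: restore and compile the app and its unit-test project."""
    pipeline = _create_pipeline("csharp", "csharp_build")
    pipeline.set_git_url("https://github.com/wendyi/continuousSecurityCsharp")
    job = pipeline.ensure_stage("build").ensure_job("compile")
    dnu = _DNX_BIN + '/dnu'
    # Start from a clean package cache so the later dependency scan only
    # sees what this build actually restored.
    _add_exec_task(job, 'rm -rf packages', 'csharp')
    for project in ('src/RecipeSharing', 'test/RecipeSharing.UnitTests'):
        _add_exec_task(job, dnu + ' restore ' + project, 'csharp')
        _add_exec_task(job, dnu + ' build ' + project, 'csharp')
    # The whole working copy is published so downstream pipelines can fetch it.
    job.ensure_artifacts({BuildArtifact("*", "csharp_build")})


def _csharp_unit_test():
    """csharp_unit_test: run the xUnit project from the fetched build tree."""
    pipeline = _create_pipeline("csharp", "csharp_unit_test")
    pipeline.ensure_material(PipelineMaterial('csharp_build', 'build'))
    job = pipeline.ensure_stage("unit_test").ensure_job("run_tests")
    job = job.ensure_artifacts({TestArtifact("csharp_build/csharp/test/RecipeSharing.UnitTests")})
    job = job.ensure_tab(Tab("XUnit", "test/RecipeSharing.UnitTests/tests.txt"))
    job.add_task(FetchArtifactTask('csharp_build', 'build', 'compile', FetchArtifactDir('csharp_build')))
    # Test output is redirected to tests.txt, which the tab above displays.
    _add_exec_task(job, _DNX_BIN + '/dnx run > tests.txt', 'csharp_build/csharp/test/RecipeSharing.UnitTests')


def _csharp_vulnerable_components():
    """csharp_vulnerable_components: OWASP dependency-check over the restored packages.

    The scanner is invoked through _add_sudo_exec_task, so it runs as root on
    the agent. The grep that follows exits non-zero unless the HTML report
    literally states that 0 vulnerabilities were found, so the stage fails
    closed: any finding, or a change in the report wording, fails the build.
    """
    pipeline = _create_pipeline("csharp", "csharp_vulnerable_components")
    pipeline.ensure_material(PipelineMaterial('csharp_build', 'build'))
    csharp_job = pipeline.ensure_stage("verify_components").ensure_job("check_csharp_dependencies")
    csharp_job.add_task(FetchArtifactTask('csharp_build', 'build', 'compile', FetchArtifactDir('csharp_build')))
    _add_sudo_exec_task(csharp_job, '/usr/local/bin/dependency-check/bin/dependency-check.sh --project "RecipeSharing" --scan "packages" --format ALL', 'csharp_build/csharp')
    _add_exec_task(csharp_job, 'grep "<li><i>Vulnerabilities Found</i>: 0</li>" -c dependency-check-report.html', 'csharp_build/csharp')
    csharp_job = csharp_job.ensure_artifacts({TestArtifact("csharp_build/csharp/dependency-check-report.html")})
    csharp_job = csharp_job.ensure_tab(Tab("Vulnerabilities", "dependency-check-report.html"))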
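def build_java_pipeline_group(configurator):
    """Define the ``java`` pipeline group.

    Four chained pipelines: java_secrets (secrets scan of a fresh checkout)
    -> java_build (gradle compile) -> java_unit_test and
    java_vulnerable_components, which both consume the compiled tree.

    ``configurator`` is accepted for symmetry with the other build_*
    functions but is not used directly: _create_pipeline adds pipelines to
    the module-level ``configurator``.
    """
    _java_secrets()
    _java_build()
    _java_unit_test()
    _java_vulnerable_components()


def _java_secrets():
    """java_secrets: run the gradle findSecrets task on the checkout."""
    pipeline = _create_pipeline("java", "java_secrets")
    pipeline.set_git_url("https://github.com/wendyi/continuousSecurityJava")
    secrets_job = pipeline.ensure_stage("java_secrets_stage") \
        .ensure_job("find_secrets_job") \
        .ensure_artifacts({BuildArtifact("*", "find_secrets_job")}) \
        .ensure_artifacts({TestArtifact("java/build/reports")}) \
        .ensure_tab(Tab("Secrets", "reports/talisman.txt"))
    # --debug makes gradle write its full log to the job console. If the
    # findSecrets task prints the matches it finds, those values become
    # readable by anyone who can view this job's console output.
    _add_exec_task(secrets_job, 'gradle --profile findSecrets --debug', 'java')


def _java_build():
    """java_build: compile main and test sources from the scanned tree."""
    pipeline = _create_pipeline("java", "java_build")
    pipeline.ensure_material(PipelineMaterial('java_secrets', 'java_secrets_stage'))
    compile_job = pipeline.ensure_stage("java_build_stage") \
        .ensure_job("java_compile_job") \
        .ensure_artifacts({BuildArtifact("*", "java_compile_job")})
    compile_job.add_task(FetchArtifactTask('java_secrets', 'java_secrets_stage', 'find_secrets_job', FetchArtifactDir('find_secrets_job/java')))
    for gradle_task in ('clean', 'compileJava', 'compileTestJava'):
        _add_exec_task(compile_job, 'gradle --profile ' + gradle_task, 'java')


def _java_unit_test():
    """java_unit_test: run the gradle test task and publish the JUnit report."""
    pipeline = _create_pipeline("java", "java_unit_test")
    pipeline.ensure_material(PipelineMaterial('java_build', 'java_build_stage'))
    unit_test_job = pipeline.ensure_stage("unit_test") \
        .ensure_job("run_tests") \
        .ensure_artifacts({TestArtifact("java_build/java/build/reports")}) \
        .ensure_tab(Tab("JUnit", "reports/tests/index.html"))
    # NOTE(review): gradle runs in 'java' but the report artifact is taken
    # from 'java_build/java/build/reports', while _java_vulnerable_components
    # publishes from 'java/build/reports' — confirm where the fetched
    # artifact lands so the two agree.
    unit_test_job.add_task(FetchArtifactTask('java_build', 'java_build_stage', 'java_compile_job', FetchArtifactDir('java_compile_job/java')))
    _add_exec_task(unit_test_job, 'gradle --profile test', 'java')


def _java_vulnerable_components():
    """java_vulnerable_components: gradle dependencyCheck over the compiled tree.

    Unlike the csharp group there is no explicit zero-findings grep here;
    whether findings fail the stage depends on how the dependencyCheck task
    is configured in the Java repository's own build, not on this file.
    """
    pipeline = _create_pipeline("java", "java_vulnerable_components")
    pipeline.ensure_material(PipelineMaterial('java_build', 'java_build_stage'))
    vulnerable_components_job = pipeline.ensure_stage("verify_components") \
        .ensure_job("check_java_dependencies") \
        .ensure_artifacts({TestArtifact("java/build/reports/dependency-check-report.html")}) \
        .ensure_tab(Tab("Vulnerabilities", "dependency-check-report.html"))
    vulnerable_components_job.add_task(FetchArtifactTask('java_build', 'java_build_stage', 'java_compile_job', FetchArtifactDir('java_compile_job/java')))
    _add_exec_task(vulnerable_components_job, 'gradle --profile dependencyCheck', 'java')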
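def build_java_canary_pipeline_group(configurator):
    """Define the ``java_canary`` pipeline group.

    Mirrors build_java_pipeline_group against the same repository, but every
    gradle invocation uses ``-b canary.gradle`` instead of the default build
    script: java_canary_secrets -> java_canary_build -> java_canary_unit_test
    and java_canary_vulnerable_components.

    ``configurator`` is accepted for symmetry with the other build_*
    functions but is not used directly: _create_pipeline adds pipelines to
    the module-level ``configurator``.
    """
    _java_canary_secrets()
    _java_canary_build()
    _java_canary_unit_test()
    _java_canary_vulnerable_components()


def _java_canary_secrets():
    """java_canary_secrets: run the gradle findSecrets task on the checkout."""
    pipeline = _create_pipeline("java_canary", "java_canary_secrets")
    pipeline.set_git_url("https://github.com/wendyi/continuousSecurityJava")
    secrets_job = pipeline.ensure_stage("java_secrets_stage") \
        .ensure_job("find_secrets_job") \
        .ensure_artifacts({BuildArtifact("*", "find_secrets_job")}) \
        .ensure_artifacts({TestArtifact("java/build/reports")}) \
        .ensure_tab(Tab("Secrets", "reports/talisman.txt"))
    # --debug makes gradle write its full log to the job console. If the
    # findSecrets task prints the matches it finds, those values become
    # readable by anyone who can view this job's console output. This task
    # does not pass -b canary.gradle, unlike the rest of the group.
    _add_exec_task(secrets_job, 'gradle --profile findSecrets --debug', 'java')


def _java_canary_build():
    """java_canary_build: compile main and test sources via canary.gradle."""
    pipeline = _create_pipeline("java_canary", "java_canary_build")
    pipeline.ensure_material(PipelineMaterial('java_canary_secrets', 'java_secrets_stage'))
    compile_job = pipeline.ensure_stage("java_build_stage") \
        .ensure_job("java_compile_job") \
        .ensure_artifacts({BuildArtifact("*", "java_compile_job")})
    compile_job.add_task(FetchArtifactTask('java_canary_secrets', 'java_secrets_stage', 'find_secrets_job', FetchArtifactDir('find_secrets_job/java')))
    for gradle_task in ('clean', 'compileJava', 'compileTestJava'):
        _add_exec_task(compile_job, 'gradle -b canary.gradle --profile ' + gradle_task, 'java')


def _java_canary_unit_test():
    """java_canary_unit_test: run the canary test task and publish the JUnit report."""
    pipeline = _create_pipeline("java_canary", "java_canary_unit_test")
    pipeline.ensure_material(PipelineMaterial('java_canary_build', 'java_build_stage'))
    unit_test_job = pipeline.ensure_stage("unit_test") \
        .ensure_job("run_tests") \
        .ensure_artifacts({TestArtifact("java_canary_build/java/build/reports")}) \
        .ensure_tab(Tab("JUnit", "reports/tests/index.html"))
    # NOTE(review): gradle runs in 'java' but the report artifact is taken
    # from 'java_canary_build/java/build/reports', while the dependency-check
    # pipeline publishes from 'java/build/reports' — confirm where the
    # fetched artifact lands so the two agree.
    unit_test_job.add_task(FetchArtifactTask('java_canary_build', 'java_build_stage', 'java_compile_job', FetchArtifactDir('java_compile_job/java')))
    _add_exec_task(unit_test_job, 'gradle -b canary.gradle --profile test', 'java')


def _java_canary_vulnerable_components():
    """java_canary_vulnerable_components: canary dependencyCheck over the compiled tree.

    No explicit zero-findings check is made here; whether findings fail the
    stage depends on the dependencyCheck configuration in canary.gradle,
    which lives in the Java repository, not in this file.
    """
    pipeline = _create_pipeline("java_canary", "java_canary_vulnerable_components")
    pipeline.ensure_material(PipelineMaterial('java_canary_build', 'java_build_stage'))
    vulnerable_components_job = pipeline.ensure_stage("verify_components") \
        .ensure_job("check_java_dependencies") \
        .ensure_artifacts({TestArtifact("java/build/reports/dependency-check-report.html")}) \
        .ensure_tab(Tab("Vulnerabilities", "dependency-check-report.html"))
    vulnerable_components_job.add_task(FetchArtifactTask('java_canary_build', 'java_build_stage', 'java_compile_job', FetchArtifactDir('java_compile_job/java')))
    _add_exec_task(vulnerable_components_job, 'gradle -b canary.gradle --profile dependencyCheck', 'java')


# Disabled: a fifth pipeline reporting upgradable components, kept for reference.
# pipeline = _create_pipeline("java_canary", "java_canary_upgradable_components")
# pipeline.ensure_material(PipelineMaterial('java_canary_build', 'java_build_stage'))
# upgradeable_components_job = pipeline.ensure_stage("upgradable_components") \
# .ensure_job("upgradeable_components_job") \
# .ensure_artifacts({BuildArtifact("*", "upgradeable_components_job")}) \
# .ensure_artifacts({TestArtifact("java/build/reports/upgrades.txt")}) \
# .ensure_tab(Tab("Upgrades", "reports/upgrades.txt"))
# upgradeable_components_job.add_task(FetchArtifactTask('java_canary_build', 'java_build_stage', 'java_compile_job', FetchArtifactDir('java_compile_job/java')))
# _add_exec_task(upgradeable_components_job, 'gradle -b canary.gradle --profile dependencies > reports/upgrades.txt', 'java')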
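def build_ruby_pipeline_group(configurator):
    """Define the ``ruby`` pipeline group.

    Three pipelines: ruby_build (bundle install), then ruby_unit_test and
    ruby_vulnerable_components, which both consume the build artifact.

    ``configurator`` is accepted for symmetry with the other build_*
    functions but is not used directly: _create_pipeline adds pipelines to
    the module-level ``configurator``.
    """
    _ruby_build()
    _ruby_unit_test()
    _ruby_vulnerable_components()


def _ruby_build():
    """ruby_build: install gems into vendor/bundle and publish the tree."""
    pipeline = _create_pipeline("ruby", "ruby_build")
    pipeline.set_git_url("https://github.com/wendyi/continuousSecurityRuby")
    job = pipeline.ensure_stage("build").ensure_job("bundle_install")
    _add_exec_task(job, 'bundle install --path vendor/bundle', 'ruby')
    # The whole working copy, vendored gems included, is published for
    # the downstream pipelines.
    job.ensure_artifacts({BuildArtifact("*", "ruby_build")})


def _ruby_unit_test():
    """ruby_unit_test: run the RSpec unit suite from the fetched build tree."""
    pipeline = _create_pipeline("ruby", "ruby_unit_test")
    pipeline.ensure_material(PipelineMaterial('ruby_build', 'build'))
    job = pipeline.ensure_stage("unit_test").ensure_job("run_tests")
    job = job.ensure_artifacts({TestArtifact("ruby_build/ruby/reports")})
    job = job.ensure_tab(Tab("RSpec", "reports/tests/index.html"))
    job.add_task(FetchArtifactTask('ruby_build', 'build', 'bundle_install', FetchArtifactDir('ruby_build')))
    _add_exec_task(job, 'bundle exec rake spec:unit', 'ruby_build/ruby')


def _ruby_vulnerable_components():
    """ruby_vulnerable_components: run the rake dependency_check task.

    The task is expected to write build/vulnerabilities.txt, which is
    published and shown in the Vulnerabilities tab. No explicit
    zero-findings check is made here; whether findings fail the stage is
    decided by the rake task in the Ruby repository.
    """
    pipeline = _create_pipeline("ruby", "ruby_vulnerable_components")
    pipeline.ensure_material(PipelineMaterial('ruby_build', 'build'))
    ruby_job = pipeline.ensure_stage("verify_components").ensure_job("check_ruby_dependencies")
    ruby_job.add_task(FetchArtifactTask('ruby_build', 'build', 'bundle_install', FetchArtifactDir('ruby_build')))
    # Disabled earlier variant, kept verbatim: its extra positional argument
    # would have been bound to _add_exec_task's working_dir, not an output file.
    # _add_exec_task(ruby_job, 'bundle exec rake dependency_check', 'vulnerabilities.txt', 'ruby_build/ruby')
    _add_exec_task(ruby_job, 'bundle exec rake dependency_check', 'ruby_build/ruby')
    ruby_job = ruby_job.ensure_artifacts({TestArtifact("ruby_build/ruby/build/vulnerabilities.txt")})
    ruby_job = ruby_job.ensure_tab(Tab("Vulnerabilities", "vulnerabilities.txt"))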
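if __name__ == "__main__":
    # Guarded so that importing this module (e.g. to reuse the build_*
    # functions) does not connect to a server or wipe its configuration.
    # The client is pointed at localhost:8153 with no credentials given, so
    # the script is meant to run on the GoCD server host itself.
    # _create_pipeline reads this module-level name.
    configurator = GoCdConfigurator(HostRestClient("localhost:8153"))
    # Destructive: every existing pipeline group is dropped from the
    # in-memory config and only the groups enabled below are recreated.
    # Nothing is posted to the server until save_updated_config() runs.
    configurator.remove_all_pipeline_groups()
    # build_csharp_pipeline_group(configurator)
    build_java_pipeline_group(configurator)
    # build_java_canary_pipeline_group(configurator)
    # build_ruby_pipeline_group(configurator)
    configurator.save_updated_config()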