Merge pull request diffblue#540 from diffblue/smowton/feature/gitlab-integration-prototype

Add initial prototype of Gitlab integration scripts

Author: smowton

gitlab-integration/.gitignore

@@ -0,0 +1,4 @@
+*.js
+*.js.map
+node_modules
+

gitlab-integration/README

@@ -0,0 +1,44 @@
+Steps to set up Gitlab security analysis:
+
+All steps are performed on the same machine, which will run the Diffblue platform
+and the Gitlab runner.
+
+1. Set up an instance of Diffblue platform capable of running security-analyser.
+   Check it is working by manually creating a project and running an analysis
+   on a test project, such as github.com/smowton/security-demo.git
+
+2. Create a user named 'diffblue' with password 'password'
+
+3. Install Node.js and npm
+
+4. Install dependencies and compile the integration script and platform API
+   bindings: in the same directory as this README, run:
+   $ npm install
+   $ npm run build
+
+5. Install the Gitlab runner on this machine:
+   https://docs.gitlab.com/runner/install/
+
+6. Register the runner:
+   https://docs.gitlab.com/runner/register/
+
+   Note that guide shows registering the runner as a system service, but running
+   it as an ordinary user is fine for our purposes. When asked for a runner
+   executor, choose 'shell'. When asked for tags, enter 'diffblue'.
+
+7. Start the runner (in a scratch working directory):
+   $ gitlab-runner run
+
+8. Add a 'sast' job to your Gitlab repository's .gitlab-ci.yml file. A minimum
+   working example is included in this directory, named gitlab-ci.yml.example.
+   Replace the dummy /absolute/path/to/gitlab-wrapper.sh with the absolute path
+   of this directory.
+
+   Note the 'tags' section is unnecessary if this is the only runner registered
+   for CI jobs for this repository, but is important if you will be (for example)
+   using the normal Gitlab.com shared runners for normal CI jobs.
+
+9. Test: create a Gitlab merge request and you should see a security report
+   displayed after the 'sast' job has completed running security analysis.
+   Note Gitlab Ultimate or Gold is required for this to work -- a free short-
+   term trial can be used for testing: https://about.gitlab.com/free-trial/

gitlab-integration/analyse-project.ts

@@ -0,0 +1,83 @@
+import * as models from "./models";
+import * as platform from "./api";
+import { wait } from "./misc";
+import { TwoColumnLogger } from "./logger";
+import fs = require("fs");
+
+if(process.argv.length < 4 || process.argv.length > 5) {
+    console.error("Usage: analyse-project.ts https://somehub.com/user/repo.git branchname [sast-report.json]");
+    process.exit(1);
+}
+
+async function securityAnalysis() {
+
+    const projectName = `gitlab-${Date.now()}`;
+    let localMachine: models.Instance = {
+        name: "local-executor",
+        ip: "localhost",
+        log: new TwoColumnLogger("local-executor"),
+        project: {
+            name: projectName,
+            fullName: "not-needed",
+            uri: process.argv[2],
+            branch: process.argv[3],
+            manualVerify: { verifyBranch: "x", innerDir: "y", jacocoFile: "z" }
+        },
+        status: "USER_CREATED",
+        type: "notype",
+        zones: [],
+        zone: "nozone",
+        zoneIndex: 0,
+        diskImg: { name: "nodiskimgname", link: "nodiskimglink" },
+        username: "diffblue",
+        duration: { start: "nodurationstart" },
+    };
+
+    let startTime = Date.now();
+
+    localMachine = await platform.createProject(localMachine);
+    localMachine = await platform.initialiseProject(localMachine);
+    localMachine = await platform.startAnalysis(localMachine);
+
+    do {
+        localMachine = await platform.getAnalysisProgress(localMachine);
+        if (localMachine.analysisStatus === "RUNNING" || localMachine.analysisStatus === "WAITING") {
+            let elapsed = Date.now() - startTime;
+            await wait(elapsed / 10000); // Wait for 10% of time elapsed so far
+        }
+    } while (localMachine.analysisStatus === "RUNNING" || localMachine.analysisStatus === "WAITING");
+
+    let issues = await platform.getIssues(localMachine);
+
+    localMachine.log.debug(`Identified ${issues.length} issues`);
+    localMachine.log.debug(JSON.stringify(issues));
+
+    if(process.argv.length == 5) {
+
+        let report = issues.map(
+            function(issue : any) {
+
+                // TODO: query the platform's public-facing URL
+                let testUrl = `http://localhost/${projectName}/${localMachine.analysisNum}/tests/${issue.id}/trace`;
+
+                return {
+                    file: `${issue.testClassDir}/${issue.testClass}`,
+                    message: issue.testName,
+                    priority: "High",
+                    tool: "Diffblue-security",
+                    url: testUrl,
+                    cve: `Click here ${testUrl}`
+                    //cve: testUrl // Mandatory key
+                };
+            }
+        );
+
+        localMachine.log.debug(`Writing issue report to ${process.argv[4]}`);
+        fs.writeFileSync(process.argv[4], JSON.stringify(report));
+
+    }
+
+    process.exit(issues.length == 0 ? 0 : 2);
+}
+
+securityAnalysis();