Configure Dependency Scanning in .gitlab-ci.yml, creating this file if it does not already exist

.gitlab-ci.yml

@@ -1,282 +1,261 @@
-#Calendar implementation for the HTWK Leipzig timetable. Evaluation and display of the individual dates in iCal format.
+# You can override the included template(s) by including variable overrides
-#Copyright (C) 2024 HTWKalender support@htwkalender.de
+# SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
-
+# Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/pipeline/#customization
-#This program is free software: you can redistribute it and/or modify
+# Dependency Scanning customization: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#customizing-the-dependency-scanning-settings
-#it under the terms of the GNU Affero General Public License as published by
+# Container Scanning customization: https://docs.gitlab.com/ee/user/application_security/container_scanning/#customizing-the-container-scanning-settings
-#the Free Software Foundation, either version 3 of the License, or
+# Note that environment variables can be set in several places
-#(at your option) any later version.
+# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
-
-#This program is distributed in the hope that it will be useful,
-#but WITHOUT ANY WARRANTY; without even the implied warranty of
-#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#GNU Affero General Public License for more details.
-
-#You should have received a copy of the GNU Affero General Public License
-#along with this program.  If not, see <https://www.gnu.org/licenses/>.
-
 stages:
-  - lint
+- lint
-  - build
+- build
-  - test
+- test
-  - sonarqube-check
+- sonarqube-check
-  - oci-build
+- oci-build
-  - deploy
+- deploy
-  - deploy-dev  # New stage for development deployment
+- deploy-dev
-
 lint-frontend:
   image: node:lts
   stage: lint
   rules:
-    - changes:
+  - changes:
-        - frontend/**/*
+    - frontend/**/*
   script:
-    - cd frontend
+  - cd frontend
-    - npm i
+  - npm i
-    - npm run lint-no-fix
+  - npm run lint-no-fix
-
 lint-data-manager:
   stage: lint
   image: golangci/golangci-lint:latest
   rules:
-    - changes:
+  - changes:
-        - services/data-manager/**/*
+    - services/data-manager/**/*
   script:
-    - cd services/data-manager
+  - cd services/data-manager
-    - go mod download
+  - go mod download
-    - golangci-lint --version
+  - golangci-lint --version
-    - golangci-lint run -v --skip-dirs=migrations --timeout=5m
+  - golangci-lint run -v --skip-dirs=migrations --timeout=5m
-
 lint-ical:
   stage: lint
   image: golangci/golangci-lint:latest
   rules:
-    - changes:
+  - changes:
-        - services/ical/**/*
+    - services/ical/**/*
   script:
-    - cd services/ical
+  - cd services/ical
-    - go mod download
+  - go mod download
-    - golangci-lint --version
+  - golangci-lint --version
-    - golangci-lint run -v --skip-dirs=migrations --timeout=5m
+  - golangci-lint run -v --skip-dirs=migrations --timeout=5m
-
-
 build-data-manager:
   image: golang:alpine
   stage: build
   rules:
-    - changes:
+  - changes:
-      - services/data-manager/**/*
+    - services/data-manager/**/*
   script:
-    - cd services/data-manager
+  - cd services/data-manager
-    - go build -o htwkalender
+  - go build -o htwkalender
   artifacts:
     paths:
-      - data-manager/htwkalender
+    - data-manager/htwkalender
-      - data-manager/go.sum
+    - data-manager/go.sum
-      - data-manager/go.mod
+    - data-manager/go.mod
-
 build-ical:
   image: golang:alpine
   stage: build
   rules:
-    - changes:
+  - changes:
-        - services/ical/**/*
+    - services/ical/**/*
   script:
-    - cd services/ical
+  - cd services/ical
-    - go build -o htwkalender-ical
+  - go build -o htwkalender-ical
   artifacts:
     paths:
-      - data-manager/htwkalender-ical
+    - data-manager/htwkalender-ical
-      - data-manager/go.sum
+    - data-manager/go.sum
-      - data-manager/go.mod
+    - data-manager/go.mod
-
 sonarqube-data-manager:
   stage: sonarqube-check
   image:
     name: sonarsource/sonar-scanner-cli:5.0
-    entrypoint: [""]
+    entrypoint:
+    - ''
   variables:
-    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
+    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"
-    GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
+    GIT_DEPTH: '0'
   cache:
     key: "${CI_JOB_NAME}"
     paths:
-      - .sonar/cache
+    - ".sonar/cache"
   script:
-    - cd services/data-manager
+  - cd services/data-manager
-    - sonar-scanner
+  - sonar-scanner
   allow_failure: true
   only:
-    - merge_requests
+  - merge_requests
-    - master
+  - master
-    - main
+  - main
-    - develop
+  - develop
-
 build-frontend:
-    image: node:lts
+  image: node:lts
-    stage: build
+  stage: build
-    rules:
+  rules:
-        - changes:
+  - changes:
-            - frontend/**/*
+    - frontend/**/*
-    script:
+  script:
-        - cd frontend
+  - cd frontend
-        - npm i
+  - npm i
-        - npm run build
+  - npm run build
-    artifacts:
+  artifacts:
-        paths:
+    paths:
-        - frontend/build
+    - frontend/build
-
 test-data-manager:
   image: golang:alpine
   stage: test
   rules:
-    - changes:
+  - changes:
-      - services/data-manager/**/*
+    - services/data-manager/**/*
   script:
-    - cd services/data-manager
+  - cd services/data-manager
-    - go test -v ./...
+  - go test -v ./...
   dependencies:
-    - build-data-manager
+  - build-data-manager
-
 test-ical:
   image: golang:alpine
   stage: test
   rules:
-    - changes:
+  - changes:
-        - services/ical/**/*
+    - services/ical/**/*
   script:
-    - cd services/ical
+  - cd services/ical
-    - go test -v ./...
+  - go test -v ./...
   dependencies:
-    - build-ical
+  - build-ical
-
 test-frontend:
   image: node:lts
   stage: test
   rules:
-    - changes:
+  - changes:
-        - frontend/**/*
+    - frontend/**/*
   script:
-    - cd frontend
+  - cd frontend
-    - npm i
+  - npm i
-    - npm run test
+  - npm run test
   dependencies:
-    - lint-frontend
+  - lint-frontend
-
 build-data-manager-image:
   stage: oci-build
   image: docker:latest
   services:
-    - docker:dind
+  - docker:dind
   tags:
-    - image
+  - image
   variables:
-    IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG-data-manager
+    IMAGE_TAG: "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG-data-manager"
     DOCKER_HOST: tcp://docker:2376
     DOCKER_TLS_CERTDIR: "/certs"
     DOCKER_TLS_VERIFY: 1
     DOCKER_CERT_PATH: "/certs/client"
   before_script:
-    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+  - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
   script:
-    - docker build --pull -t $IMAGE_TAG -f ./services/data-manager/Dockerfile --target prod ./services
+  - docker build --pull -t $IMAGE_TAG -f ./services/data-manager/Dockerfile --target
-    - docker push $IMAGE_TAG
+    prod ./services
+  - docker push $IMAGE_TAG
   rules:
-    - if: $CI_COMMIT_BRANCH == "main" || $CI_COMMIT_BRANCH == "development"
+  - if: $CI_COMMIT_BRANCH == "main" || $CI_COMMIT_BRANCH == "development"
-      changes:
+    changes:
-        - services/data-manager/**/*
+    - services/data-manager/**/*
-
 build-ical-image:
   stage: oci-build
   image: docker:latest
   services:
-    - docker:dind
+  - docker:dind
   tags:
-    - image
+  - image
   variables:
-    IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG-ical
+    IMAGE_TAG: "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG-ical"
     DOCKER_HOST: tcp://docker:2376
     DOCKER_TLS_CERTDIR: "/certs"
     DOCKER_TLS_VERIFY: 1
     DOCKER_CERT_PATH: "/certs/client"
   before_script:
-    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+  - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
   script:
-    - docker build --pull -t $IMAGE_TAG -f ./services/ical/Dockerfile --target prod ./services
+  - docker build --pull -t $IMAGE_TAG -f ./services/ical/Dockerfile --target prod
-    - docker push $IMAGE_TAG
+    ./services
+  - docker push $IMAGE_TAG
   rules:
-    - if: $CI_COMMIT_BRANCH == "main" || $CI_COMMIT_BRANCH == "development"
+  - if: $CI_COMMIT_BRANCH == "main" || $CI_COMMIT_BRANCH == "development"
-      changes:
+    changes:
-        - services/ical/**/*
+    - services/ical/**/*
-
 build-frontend-image:
   stage: oci-build
   image: docker:latest
   services:
-    - docker:dind
+  - docker:dind
   tags:
-    - image
+  - image
   variables:
-    IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG-frontend
+    IMAGE_TAG: "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG-frontend"
     DOCKER_HOST: tcp://docker:2376
     DOCKER_TLS_CERTDIR: "/certs"
     DOCKER_TLS_VERIFY: 1
     DOCKER_CERT_PATH: "/certs/client"
   before_script:
-    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+  - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
-    - cd ./frontend
+  - cd ./frontend
   script:
-    - docker build --pull -t $IMAGE_TAG -f ./Dockerfile --target prod .
+  - docker build --pull -t $IMAGE_TAG -f ./Dockerfile --target prod .
-    - docker push $IMAGE_TAG
+  - docker push $IMAGE_TAG
   rules:
-    - if: $CI_COMMIT_BRANCH == "main" || $CI_COMMIT_BRANCH == "development"
+  - if: $CI_COMMIT_BRANCH == "main" || $CI_COMMIT_BRANCH == "development"
-      changes:
+    changes:
-        - frontend/**/*
+    - frontend/**/*
-
-# Development deployment job
 deploy-dev:
-  stage: deploy-dev  # New stage for development deployment
+  stage: deploy-dev
   image: alpine:latest
   before_script:
-    - apk add --no-cache openssh-client sed # install dependencies
+  - apk add --no-cache openssh-client sed
-    - eval $(ssh-agent -s) # set some ssh variables
+  - eval $(ssh-agent -s)
-    - ssh-add <(echo "$CI_SSH_KEY" | tr -d '\r')
+  - ssh-add <(echo "$CI_SSH_KEY" | tr -d '\r')
   script:
-    # replace some placeholders
+  - sed -i -e "s|DOCKER_REGISTRY_REPO|$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG|" docker-compose.dev.yml
-    - sed -i -e "s|DOCKER_REGISTRY_REPO|$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG|" docker-compose.dev.yml  # Assuming you have a separate docker-compose file for development
+  - 'scp -P $CI_SSH_PORT -o StrictHostKeyChecking=no -o LogLevel=ERROR ./docker-compose.dev.yml
-    # upload necessary files to the dev server
+    ./reverseproxy.dev.conf $CI_SSH_USER@$CI_SSH_DEV_HOST:/home/$CI_SSH_USER/docker/htwkalender/
-    - >
+
-      scp -P $CI_SSH_PORT -o StrictHostKeyChecking=no -o LogLevel=ERROR ./docker-compose.dev.yml ./reverseproxy.dev.conf
+    '
-      $CI_SSH_USER@$CI_SSH_DEV_HOST:/home/$CI_SSH_USER/docker/htwkalender/
+  - 'ssh -p $CI_SSH_PORT -o StrictHostKeyChecking=no -o LogLevel=ERROR $CI_SSH_USER@$CI_SSH_DEV_HOST
-    # ssh to the dev server and start the service
+    "cd /home/$CI_SSH_USER/docker/htwkalender/ && docker login -u $CI_REGISTRY_USER
-    - >
+    -p $CI_REGISTRY_PASSWORD $CI_REGISTRY && docker compose -f ./docker-compose.dev.yml
-      ssh -p $CI_SSH_PORT -o StrictHostKeyChecking=no -o LogLevel=ERROR $CI_SSH_USER@$CI_SSH_DEV_HOST
+    down && docker compose -f ./docker-compose.dev.yml up -d --remove-orphans && docker
-      "cd /home/$CI_SSH_USER/docker/htwkalender/ &&
+    logout"
-      docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY &&
+
-      docker compose -f ./docker-compose.dev.yml down && docker compose -f ./docker-compose.dev.yml up -d --remove-orphans && docker logout"
+    '
   rules:
-    - if: $CI_COMMIT_BRANCH == "development"  # Only execute for the development branch
+  - if: $CI_COMMIT_BRANCH == "development"
-
-
 deploy-all:
   stage: deploy
   image: alpine:latest
   before_script:
-    - apk add --no-cache openssh-client sed # install dependencies
+  - apk add --no-cache openssh-client sed
-    - eval $(ssh-agent -s) # set some ssh variables
+  - eval $(ssh-agent -s)
-    - ssh-add <(echo "$CI_SSH_KEY" | tr -d '\r')
+  - ssh-add <(echo "$CI_SSH_KEY" | tr -d '\r')
   script:
-    # replace some placeholders
+  - sed -i -e "s|DOCKER_REGISTRY_REPO|$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG|" docker-compose.prod.yml
-    - sed -i -e "s|DOCKER_REGISTRY_REPO|$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG|" docker-compose.prod.yml
+  - 'scp -P $CI_SSH_PORT -o StrictHostKeyChecking=no -o LogLevel=ERROR ./docker-compose.prod.yml
-    # upload necessary files to the server
+    ./reverseproxy.conf $CI_SSH_USER@$CI_SSH_HOST:/home/$CI_SSH_USER/docker/htwkalender/
-    - >
+
-      scp -P $CI_SSH_PORT -o StrictHostKeyChecking=no -o LogLevel=ERROR ./docker-compose.prod.yml ./reverseproxy.conf
+    '
-      $CI_SSH_USER@$CI_SSH_HOST:/home/$CI_SSH_USER/docker/htwkalender/
+  - 'ssh -p $CI_SSH_PORT -o StrictHostKeyChecking=no -o LogLevel=ERROR $CI_SSH_USER@$CI_SSH_HOST
-    # ssh to the server and start the service
+    "cd /home/$CI_SSH_USER/docker/htwkalender/ && docker login -u $CI_REGISTRY_USER
-    - >
+    -p $CI_REGISTRY_PASSWORD $CI_REGISTRY && docker compose -f ./docker-compose.prod.yml
-      ssh -p $CI_SSH_PORT -o StrictHostKeyChecking=no -o LogLevel=ERROR $CI_SSH_USER@$CI_SSH_HOST
+    down && docker compose -f ./docker-compose.prod.yml up -d --remove-orphans &&
-      "cd /home/$CI_SSH_USER/docker/htwkalender/ &&
+    docker logout && docker exec --user root htwkalender-htwkalender-frontend-1 /bin/sh
-      docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY &&
+    -c \"echo ''google-site-verification: $GOOGLE_VERIFICATION.html'' > ./$GOOGLE_VERIFICATION.html\"
-      docker compose -f ./docker-compose.prod.yml down && docker compose -f ./docker-compose.prod.yml up -d --remove-orphans && docker logout &&
+    "
-      docker exec --user root htwkalender-htwkalender-frontend-1 /bin/sh -c \"echo 'google-site-verification: $GOOGLE_VERIFICATION.html' > ./$GOOGLE_VERIFICATION.html\" "
+
+    '
   rules:
-    - if: $CI_COMMIT_BRANCH == "main"
+  - if: $CI_COMMIT_BRANCH == "main"
+include:
+- template: Security/Dependency-Scanning.gitlab-ci.yml