authorGitLab Bot <gitlab-bot@gitlab.com>2022-06-20 12:09:24 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-06-20 12:09:24 +0000
commit24f32a55ee1f8dc2dc36e04898886459b1393c2f (patch)
tree7a4e5329a5c718875f730aea5c3c1142982404ab /scripts/process_custom_semgrep_results.sh
parentb509bf0a57ade2d846459e44c208495e0e317c81 (diff)
downloadgitlab-ce-24f32a55ee1f8dc2dc36e04898886459b1393c2f.tar.gz
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'scripts/process_custom_semgrep_results.sh')
-rwxr-xr-xscripts/process_custom_semgrep_results.sh55
1 files changed, 55 insertions, 0 deletions
diff --git a/scripts/process_custom_semgrep_results.sh b/scripts/process_custom_semgrep_results.sh
new file mode 100755
index 00000000000..28fb5c79598
--- /dev/null
+++ b/scripts/process_custom_semgrep_results.sh
@@ -0,0 +1,55 @@
+# This script requires BOT_USER_ID, CUSTOM_SAST_RULES_BOT_PAT and CI_MERGE_REQUEST_IID variables to be set
+
+echo "Processing vuln report"
+
+# Preparing the message for the comment that will be posted by the bot
+# Empty string if there are no findings
+jq -crM '.vulnerabilities |
+ map( select( .identifiers[0].name | test( "glappsec_" ) ) |
+ "- `" + .location.file + "` line " + ( .location.start_line | tostring ) +
+ (
+ if .location.start_line = .location.end_line then ""
+ else ( " to " + ( .location.end_line | tostring ) ) end
+ ) + ": " + .message
+ ) |
+ sort |
+ if length > 0 then
+ { body: ("The findings below have been detected based on the [AppSec custom Semgrep rules](https://gitlab.com/gitlab-com/gl-security/appsec/sast-custom-rules/) and need attention:\n\n" + join("\n") + "\n\n/cc @gitlab-com/gl-security/appsec") }
+ else
+ empty
+ end' gl-sast-report.json >findings.txt
+
+echo "Resulting file:"
+cat findings.txt
+
+EXISTING_COMMENT_ID=$(curl "https://gitlab.com/api/v4/projects/$CI_PROJECT_ID/merge_requests/$CI_MERGE_REQUEST_IID/notes" \
+ --header "Private-Token: $CUSTOM_SAST_RULES_BOT_PAT" |
+ jq -crM 'map( select( .author.id == (env.BOT_USER_ID | tonumber) ) | .id ) | first')
+
+echo "EXISTING_COMMENT_ID: $EXISTING_COMMENT_ID"
+
+if [ "$EXISTING_COMMENT_ID" == "null" ]; then
+ if [ -s findings.txt ]; then
+ echo "No existing comment and there are findings: a new comment will be posted"
+ curl "https://gitlab.com/api/v4/projects/$CI_PROJECT_ID/merge_requests/$CI_MERGE_REQUEST_IID/notes" \
+ --header "Private-Token: $CUSTOM_SAST_RULES_BOT_PAT" \
+ --header 'Content-Type: application/json' \
+ --data '@findings.txt'
+ else
+ echo "No existing comment and no findings: nothing to do"
+ fi
+else
+ if [ -s findings.txt ]; then
+ echo "There is an existing comment and there are findings: the existing comment will be updated"
+ curl --request PUT "https://gitlab.com/api/v4/projects/$CI_PROJECT_ID/merge_requests/$CI_MERGE_REQUEST_IID/notes/$EXISTING_COMMENT_ID" \
+ --header "Private-Token: $CUSTOM_SAST_RULES_BOT_PAT" \
+ --header 'Content-Type: application/json' \
+ --data '@findings.txt'
+ else
+ echo "There is an existing comment but no findings: the existing comment will be updated to mention everything is resolved"
+ curl --request PUT "https://gitlab.com/api/v4/projects/$CI_PROJECT_ID/merge_requests/$CI_MERGE_REQUEST_IID/notes/$EXISTING_COMMENT_ID" \
+ --header "Private-Token: $CUSTOM_SAST_RULES_BOT_PAT" \
+ --header 'Content-Type: application/json' \
+ --data '{"body":"All findings based on the [AppSec custom Semgrep rules](https://gitlab.com/gitlab-com/gl-security/appsec/sast-custom-rules/) have been resolved! :tada:"}'
+ fi
+fi
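Review bot: The jq range test near the top of the hunk uses `=`, which in jq is the assignment operator, so `.location.start_line = .location.end_line` yields the updated (truthy) object and the `then ""` branch is always taken; a multi-line finding never prints its end line. It should be the comparison `if .location.start_line == .location.end_line then ""`. The three `curl` calls also run without `--fail --silent --show-error` and the file has no shebang or `set -euo pipefail`, so an error body from the notes query (for example when `CUSTOM_SAST_RULES_BOT_PAT` is rejected) would make the second jq fail, leave `EXISTING_COMMENT_ID` empty, and send the PUT to `.../notes/` instead of stopping; I'd add `#!/usr/bin/env bash` with `set -euo pipefail` at the top and guard the update branch with `[[ "$EXISTING_COMMENT_ID" =~ ^[0-9]+$ ]]`. Passing the token as `--header "Private-Token: $CUSTOM_SAST_RULES_BOT_PAT"` also puts it on argv, where it is visible to `ps` and to any `set -x` trace; reading the header from a `mktemp` file via curl's `--header @file` (or a `--config` file) keeps it out of the process list.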