author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-01-27 15:08:56 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-01-27 15:08:56 +0000 |
commit | 524a21e75209d2501b23b648daf753e3a4bebe56 (patch) | |
tree | aeed4e65e44cee9e0b23298da15828655d23dc94 /scripts | |
parent | b59833305bfaf6b0b3347ad2b626c90c3b3fd5fc (diff) | |
download | gitlab-ce-524a21e75209d2501b23b648daf753e3a4bebe56.tar.gz |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'scripts')
-rwxr-xr-x | scripts/process_custom_semgrep_results.sh | 55 | ||||
-rwxr-xr-x | scripts/review_apps/review-apps.sh | 2 | ||||
-rw-r--r-- | scripts/utils.sh | 22 |
3 files changed, 78 insertions, 1 deletions
diff --git a/scripts/process_custom_semgrep_results.sh b/scripts/process_custom_semgrep_results.sh
new file mode 100755
index 00000000000..1fdd8e486f3
--- /dev/null
+++ b/scripts/process_custom_semgrep_results.sh
@@ -0,0 +1,55 @@
+# This script requires BOT_USER_ID, CUSTOM_SAST_RULES_BOT_PAT and CI_MERGE_REQUEST_IID variables to be set
+
+echo "Processing vuln report"
+
+# Preparing the message for the comment that will be posted by the bot
+# Empty string if there are no findings
+jq -crM '.vulnerabilities |
+ map( select( .identifiers[0].name | test( "glappsec_" ) ) |
+ "- `" + .location.file + "` line " + ( .location.start_line | tostring ) + + (
+ if .location.start_line = .location.end_line then ""
+ else ( " to " + ( .location.end_line | tostring ) ) end
+ ) + ": " + .message
+ ) |
+ sort |
+ if length > 0 then
+ { body: ("The findings below have been detected based on the AppSec custom SAST rules. For more information about this bot and what to do with this comment head over to the [README](https://gitlab.com/gitlab-com/gl-security/appsec/sast-custom-rules/-/tree/main/appsec-pings). The following lines of code possibly need attention:\n\n" + join("\n") + "\n\n/cc @gitlab-com/gl-security/appsec") }
+ else
+ empty
+ end' gl-sast-report.json >findings.txt
+
+echo "Resulting file:"
+cat findings.txt
+
+EXISTING_COMMENT_ID=$(curl "https://gitlab.com/api/v4/projects/$CI_PROJECT_ID/merge_requests/$CI_MERGE_REQUEST_IID/notes" \
+ --header "Private-Token: $CUSTOM_SAST_RULES_BOT_PAT" |
+ jq -crM 'map( select( .author.id == (env.BOT_USER_ID | tonumber) ) | .id ) | first')
+
+echo "EXISTING_COMMENT_ID: $EXISTING_COMMENT_ID"
+
+if [ "$EXISTING_COMMENT_ID" == "null" ]; then
+ if [ -s findings.txt ]; then
+ echo "No existing comment and there are findings: a new comment will be posted"
+ curl "https://gitlab.com/api/v4/projects/$CI_PROJECT_ID/merge_requests/$CI_MERGE_REQUEST_IID/notes" \
+ --header "Private-Token: $CUSTOM_SAST_RULES_BOT_PAT" \
+ --header 'Content-Type: application/json' \
+ --data '@findings.txt'
+ else
+ echo "No existing comment and no findings: nothing to do"
+ fi
+else
+ if [ -s findings.txt ]; then
+ echo "There is an existing comment and there are findings: 
the existing comment will be updated"
+ curl --request PUT "https://gitlab.com/api/v4/projects/$CI_PROJECT_ID/merge_requests/$CI_MERGE_REQUEST_IID/notes/$EXISTING_COMMENT_ID" \
+ --header "Private-Token: $CUSTOM_SAST_RULES_BOT_PAT" \
+ --header 'Content-Type: application/json' \
+ --data '@findings.txt'
+ else
+ echo "There is an existing comment but no findings: the existing comment will be updated to mention everything is resolved"
+ curl --request PUT "https://gitlab.com/api/v4/projects/$CI_PROJECT_ID/merge_requests/$CI_MERGE_REQUEST_IID/notes/$EXISTING_COMMENT_ID" \
+ --header "Private-Token: $CUSTOM_SAST_RULES_BOT_PAT" \
+ --header 'Content-Type: application/json' \
+ --data '{"body":"All findings based on the [AppSec custom Semgrep rules](https://gitlab.com/gitlab-com/gl-security/appsec/sast-custom-rules/) have been resolved! :tada:"}'
+ fi
+fi
diff --git a/scripts/review_apps/review-apps.sh b/scripts/review_apps/review-apps.sh
index cfb4711be19..b08cf9ac832 100755
--- a/scripts/review_apps/review-apps.sh
+++ b/scripts/review_apps/review-apps.sh
@@ -130,7 +130,7 @@ function disable_sign_ups() { # Create the root token + Disable sign-ups local disable_signup_rb="token = User.find_by_username('root').personal_access_tokens.create(scopes: [:api], name: 'Token to disable sign-ups'); token.set_token('${REVIEW_APPS_ROOT_TOKEN}'); begin; token.save!; rescue(ActiveRecord::RecordNotUnique); end; Gitlab::CurrentSettings.current_application_settings.update!(signup_enabled: false)" - if (retry "run_task \"${disable_signup_rb}\""); then + if (retry_exponential "run_task \"${disable_signup_rb}\""); then echoinfo "Sign-ups have been disabled successfully." else echoerr "Sign-ups are still enabled!"
diff --git a/scripts/utils.sh b/scripts/utils.sh
index c71de666ac6..44bbabb4c99 100644
--- a/scripts/utils.sh
+++ b/scripts/utils.sh
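Review bot: The jq condition `if .location.start_line = .location.end_line then ""` uses jq's update-assignment `=`, not a comparison, so it evaluates to the (always truthy) modified object and the ` to <end_line>` suffix is never emitted; it should read `if .location.start_line == .location.end_line then ""`. The file is added with mode 100755 but its first line is the requirements comment rather than a shebang, and none of the curl calls pass `--fail`, so an API error (an expired CUSTOM_SAST_RULES_BOT_PAT, a 4xx JSON body that is not an array) leaves EXISTING_COMMENT_ID empty instead of `null` and the script falls into the else branch and issues a PUT to `.../notes/` with an empty id; `#!/usr/bin/env bash` plus `set -euo pipefail` at the top and `--fail --silent --show-error` on each curl would surface those failures instead. The PAT is also placed on the curl command line through `--header`, where it is readable in process listings on the runner and echoed by any `set -x` tracing; passing it via a curl config file (`--config`) or `--header @file` keeps it out of argv.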
@@ -10,6 +10,28 @@ function retry() {
 return 0
 fi
 done
+
+ return 1
+}
+
+# Retry after 2s, 4s, 8s, 16s, 32, 64s, 128s
+function retry_exponential() {
+ if eval "$@"; then
+ return 0
+ fi
+
+ local sleep_time=0
+ # The last try will be after 2**7 = 128 seconds (2min8s)
+ for i in 1 2 3 4 5 6 7; do
+ sleep_time=$((2 ** i))
+
+ echo "Sleep for $sleep_time seconds..."
+ sleep $sleep_time
+ echo "[$(date '+%H:%M:%S')] Attempt #$i..."
+ if eval "$@"; then
+ return 0
+ fi
+ done
 return 1
 } |
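Review bot: `retry_exponential` hands its arguments to `eval "$@"` exactly as `retry` above it does, so the caller's string is re-parsed as shell code; the function has no comment saying so, and one line such as `# Usage: retry_exponential '<command string>' — the string is run through eval, so pass it as a single quoted argument` would explain the `\"` escaping the review-apps.sh caller needs. The loop variable `i` is not declared `local`, so it is left set in the caller's shell after the function returns; `local i` beside `local sleep_time=0` fixes that, and the `=0` initial value is dead because `sleep_time=$((2 ** i))` overwrites it at the top of every iteration. The header comment lists `32` where `32s` is meant, and the total wait before the function gives up is 2+4+…+128 = 254 seconds rather than the 128 the inner comment mentions, which callers budgeting CI job timeouts will want stated.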