|
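# This script requires BOT_USER_ID, CUSTOM_SAST_RULES_BOT_PAT and CI_MERGE_REQUEST_IID variables to be set
# (CI_PROJECT_ID comes from the CI environment as well). It renders the custom-rule findings
# from gl-sast-report.json into a merge-request note body and then creates or updates the
# bot's single comment on the merge request.
set -euo pipefail
: "${BOT_USER_ID:?BOT_USER_ID must be set}"
: "${CUSTOM_SAST_RULES_BOT_PAT:?CUSTOM_SAST_RULES_BOT_PAT must be set}"
: "${CI_MERGE_REQUEST_IID:?CI_MERGE_REQUEST_IID must be set}"
: "${CI_PROJECT_ID:?CI_PROJECT_ID must be set}"

readonly NOTES_URL="https://gitlab.com/api/v4/projects/$CI_PROJECT_ID/merge_requests/$CI_MERGE_REQUEST_IID/notes"

#######################################
# Call the GitLab API authenticated as the bot.
# The token is handed to curl through a config file read from stdin instead of
# as a command-line argument, so it is not visible in process listings or in a
# traced shell. --fail turns HTTP error responses into a non-zero exit so an
# error body is never mistaken for a valid API response downstream.
# Arguments: $1 - HTTP method, $2 - URL, remaining args are passed to curl
#            (e.g. --header / --data for requests with a body)
# Outputs:   response body on stdout
# Returns:   curl's exit status (non-zero on transport or HTTP errors)
#######################################
gl_api() {
  local method=$1 url=$2
  shift 2
  printf 'header = "Private-Token: %s"\n' "$CUSTOM_SAST_RULES_BOT_PAT" |
    curl --config - --fail --silent --show-error --request "$method" "$@" "$url"
}

echo "Processing vuln report"
# Preparing the message for the comment that will be posted by the bot
# Empty string if there are no findings
# `==` is jq's comparison operator; `=` is an assignment whose result (the
# updated object) is always truthy, which made the "to <end_line>" suffix
# unreachable. `// ""` keeps test() from failing on a finding without identifiers.
jq -crM '.vulnerabilities |
map( select( ( .identifiers[0].name // "" ) | test( "glappsec_" ) ) |
"- `" + .location.file + "` line " + ( .location.start_line | tostring ) +
(
if .location.start_line == .location.end_line then ""
else ( " to " + ( .location.end_line | tostring ) ) end
) + ": " + .message
) |
sort |
if length > 0 then
{ body: ("The findings below have been detected based on the AppSec custom SAST rules. For more information about this bot and what to do with this comment head over to the [README](https://gitlab.com/gitlab-com/gl-security/appsec/sast-custom-rules/-/tree/main/appsec-pings). The following lines of code possibly need attention:\n\n" + join("\n") + "\n\n/cc @gitlab-com/gl-security/appsec") }
else
empty
end' gl-sast-report.json >findings.txt
echo "Resulting file:"
cat findings.txt

# The bot maintains one note per MR: pick the first note in the listing whose
# author is BOT_USER_ID; jq prints "null" when there is none.
EXISTING_COMMENT_ID=$(gl_api GET "$NOTES_URL" |
  jq -crM 'map( select( .author.id == (env.BOT_USER_ID | tonumber) ) | .id ) | first')
echo "EXISTING_COMMENT_ID: $EXISTING_COMMENT_ID"
# Safety net: an empty id would otherwise be treated as "comment exists" and
# produce a PUT against ".../notes/" with a blank id.
if [[ -z "$EXISTING_COMMENT_ID" ]]; then
  echo "Could not determine the existing comment id from the notes listing" >&2
  exit 1
fi

if [[ "$EXISTING_COMMENT_ID" == "null" ]]; then
  if [[ -s findings.txt ]]; then
    echo "No existing comment and there are findings: a new comment will be posted"
    gl_api POST "$NOTES_URL" \
      --header 'Content-Type: application/json' \
      --data '@findings.txt'
  else
    echo "No existing comment and no findings: nothing to do"
  fi
else
  if [[ -s findings.txt ]]; then
    echo "There is an existing comment and there are findings: the existing comment will be updated"
    gl_api PUT "$NOTES_URL/$EXISTING_COMMENT_ID" \
      --header 'Content-Type: application/json' \
      --data '@findings.txt'
  else
    echo "There is an existing comment but no findings: the existing comment will be updated to mention everything is resolved"
    gl_api PUT "$NOTES_URL/$EXISTING_COMMENT_ID" \
      --header 'Content-Type: application/json' \
      --data '{"body":"All findings based on the [AppSec custom Semgrep rules](https://gitlab.com/gitlab-com/gl-security/appsec/sast-custom-rules/) have been resolved! :tada:"}'
  fi
fi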
|