Commit e726b387 authored by Michael Eddington's avatar Michael Eddington Committed by Stan Hu

Adding FIPS support to DAST API/API Fuzzing latest CI template

- New variable _VERSION_TAG added
- Automatically set _VERSION_TAG to "-fips" via rules

Changelog: added
EE: true
parent 3ca6af6c
...@@ -135,6 +135,34 @@ RSpec.describe 'API-Fuzzing.latest.gitlab-ci.yml' do ...@@ -135,6 +135,34 @@ RSpec.describe 'API-Fuzzing.latest.gitlab-ci.yml' do
expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError) expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
end end
end end
context 'when CI_GITLAB_FIPS_MODE=false' do
let(:build_dast_api) { pipeline.builds.find_by(name: 'apifuzzer_fuzz') }
let(:build_variables) { build_dast_api.variables.pluck(:key, :value) }
before do
create(:ci_variable, project: project, key: 'CI_GITLAB_FIPS_MODE', value: 'false')
create(:ci_variable, project: project, key: 'FUZZAPI_HAR', value: 'testing.har')
create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com')
end
it 'sets FUZZAPI_VERSION_TAG to ""' do
expect(build_variables).to be_include(['FUZZAPI_VERSION_TAG', ''])
end
end
context 'when CI_GITLAB_FIPS_MODE=true' do
let(:build_dast_api) { pipeline.builds.find_by(name: 'apifuzzer_fuzz') }
let(:build_variables) { build_dast_api.variables.pluck(:key, :value) }
before do
create(:ci_variable, project: project, key: 'CI_GITLAB_FIPS_MODE', value: 'true')
end
it 'sets FUZZAPI_VERSION_TAG to "-fips"' do
expect(build_variables).to be_include(['FUZZAPI_VERSION_TAG', '-fips'])
end
end
end end
end end
end end
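Review bot: The two new examples assert only that `FUZZAPI_VERSION_TAG` appears in the build's variables (`be_include(['FUZZAPI_VERSION_TAG', '-fips'])`), not that the job's `image:` reference still consumes it, so a later edit that drops `$FUZZAPI_VERSION_TAG` from the template's `image:` line would pass this spec; an assertion on the job's image option referencing the tag variable would pin the wiring, though the exact option shape needs checking against the model. Both contexts also name the build `build_dast_api` while the job under test is `apifuzzer_fuzz`, and the two `let`s are duplicated verbatim; renaming to `build_apifuzzer_fuzz` and hoisting the `let`s into a shared context would read better. The `CI_GITLAB_FIPS_MODE=false` context additionally creates `FUZZAPI_HAR` and `FUZZAPI_TARGET_URL` while the `=true` context does not, so the two cases presumably do not exercise the same job setup — either both should create them or neither. Neither context covers `CI_GITLAB_FIPS_MODE` being unset, which is likely the common case; an example asserting `['FUZZAPI_VERSION_TAG', '']` without creating the variable would pin the default. The DAST-API spec hunk below duplicates the same `let`s and has the same gaps.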
......
...@@ -98,6 +98,32 @@ RSpec.describe 'DAST-API.latest.gitlab-ci.yml' do ...@@ -98,6 +98,32 @@ RSpec.describe 'DAST-API.latest.gitlab-ci.yml' do
expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError) expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
end end
end end
context 'when CI_GITLAB_FIPS_MODE=false' do
let(:build_dast_api) { pipeline.builds.find_by(name: 'dast_api') }
let(:build_variables) { build_dast_api.variables.pluck(:key, :value) }
before do
create(:ci_variable, project: project, key: 'CI_GITLAB_FIPS_MODE', value: 'false')
end
it 'sets DAST_API_VERSION_TAG to ""' do
expect(build_variables).to be_include(['DAST_API_VERSION_TAG', ''])
end
end
context 'when CI_GITLAB_FIPS_MODE=true' do
let(:build_dast_api) { pipeline.builds.find_by(name: 'dast_api') }
let(:build_variables) { build_dast_api.variables.pluck(:key, :value) }
before do
create(:ci_variable, project: project, key: 'CI_GITLAB_FIPS_MODE', value: 'true')
end
it 'sets DAST_API_VERSION_TAG to "-fips"' do
expect(build_variables).to be_include(['DAST_API_VERSION_TAG', '-fips'])
end
end
end end
end end
end end
......
...@@ -3,19 +3,36 @@ ...@@ -3,19 +3,36 @@
# This specific template is located at: # This specific template is located at:
# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/API-Fuzzing.latest.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/API-Fuzzing.latest.gitlab-ci.yml
# To use this template, add the following to your .gitlab-ci.yml file:
#
# include:
# template: API-Fuzzing.latest.gitlab-ci.yml
#
# You also need to add a `fuzz` stage to your `stages:` configuration. A sample configuration for API Fuzzing:
#
# stages:
# - build
# - test
# - deploy
# - fuzz
# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/api_fuzzing/ # Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/api_fuzzing/
# #
# Configure API fuzzing with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html). # Configure API Fuzzing with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html).
# List of available variables: https://docs.gitlab.com/ee/user/application_security/api_fuzzing/#available-cicd-variables # List of available variables: https://docs.gitlab.com/ee/user/application_security/api_fuzzing/#available-cicd-variables
variables: variables:
FUZZAPI_VERSION: "1" # Setting this variable affects all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products" SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
#
FUZZAPI_VERSION: "1"
FUZZAPI_VERSION_TAG: ""
FUZZAPI_IMAGE: api-fuzzing FUZZAPI_IMAGE: api-fuzzing
apifuzzer_fuzz: apifuzzer_fuzz:
stage: fuzz stage: fuzz
image: $SECURE_ANALYZERS_PREFIX/$FUZZAPI_IMAGE:$FUZZAPI_VERSION image: $SECURE_ANALYZERS_PREFIX/$FUZZAPI_IMAGE:$FUZZAPI_VERSION$FUZZAPI_VERSION_TAG
allow_failure: true allow_failure: true
rules: rules:
- if: $API_FUZZING_DISABLED - if: $API_FUZZING_DISABLED
...@@ -23,6 +40,10 @@ apifuzzer_fuzz: ...@@ -23,6 +40,10 @@ apifuzzer_fuzz:
- if: $API_FUZZING_DISABLED_FOR_DEFAULT_BRANCH && - if: $API_FUZZING_DISABLED_FOR_DEFAULT_BRANCH &&
$CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
when: never when: never
- if: $CI_COMMIT_BRANCH &&
$CI_GITLAB_FIPS_MODE == "true"
variables:
FUZZAPI_VERSION_TAG: "-fips"
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
script: script:
- /peach/analyzer-fuzz-api - /peach/analyzer-fuzz-api
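Review bot: The new `FUZZAPI_VERSION_TAG: ""` entry in the global `variables:` block is undocumented, and because `image:` now concatenates it straight onto `$FUZZAPI_VERSION`, a reader has to find the rule further down to learn what the suffix is for; a comment next to the variable such as `# Suffix appended to FUZZAPI_VERSION to select the image variant; the rules below set it to "-fips" when CI_GITLAB_FIPS_MODE == "true"` would make the contract explicit at the point of definition. The selection rule compares `$CI_GITLAB_FIPS_MODE` with the exact string `"true"`, so any other spelling presumably leaves the non-FIPS image selected, which is worth stating in that comment as well. The rule is also gated on `$CI_COMMIT_BRANCH`, matching the job's existing run rule, so the two stay consistent as long as they are edited together; a short note tying them would help. The DAST-API template hunk introduces `DAST_API_VERSION_TAG` with the same structure and would benefit from the same comment.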
......
...@@ -27,11 +27,12 @@ variables: ...@@ -27,11 +27,12 @@ variables:
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products" SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
# #
DAST_API_VERSION: "1" DAST_API_VERSION: "1"
DAST_API_VERSION_TAG: ""
DAST_API_IMAGE: api-fuzzing DAST_API_IMAGE: api-fuzzing
dast_api: dast_api:
stage: dast stage: dast
image: $SECURE_ANALYZERS_PREFIX/$DAST_API_IMAGE:$DAST_API_VERSION image: $SECURE_ANALYZERS_PREFIX/$DAST_API_IMAGE:$DAST_API_VERSION$DAST_API_VERSION_TAG
allow_failure: true allow_failure: true
rules: rules:
- if: $DAST_API_DISABLED - if: $DAST_API_DISABLED
...@@ -39,6 +40,10 @@ dast_api: ...@@ -39,6 +40,10 @@ dast_api:
- if: $DAST_API_DISABLED_FOR_DEFAULT_BRANCH && - if: $DAST_API_DISABLED_FOR_DEFAULT_BRANCH &&
$CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
when: never when: never
- if: $CI_COMMIT_BRANCH &&
$CI_GITLAB_FIPS_MODE == "true"
variables:
DAST_API_VERSION_TAG: "-fips"
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
script: script:
- /peach/analyzer-dast-api - /peach/analyzer-dast-api
...@@ -50,3 +55,5 @@ dast_api: ...@@ -50,3 +55,5 @@ dast_api:
- gl-*.log - gl-*.log
reports: reports:
dast: gl-dast-api-report.json dast: gl-dast-api-report.json
# end