diff --git a/.circleci/config.yml b/.circleci/config.yml
index f94b920580b..aadde50aaae 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -261,6 +261,66 @@ jobs:
 fromtag=$(docker images |grep securedrop-test-focal-py3 |head -n1 |awk '{print $2}')
 DOCKER_BUILD_ARGUMENTS="--cache-from securedrop-test-focal-py3:${fromtag:-latest}" securedrop/bin/dev-shell bash -c "pip3 install -U -q --upgrade pip && pip3 install -U -q --upgrade semgrep && make -C .. semgrep"
 
+ zap-vulnerability-scan:
+ machine:
+ image: ubuntu-2004:202010-01
+ enabled: true
+ environment:
+ DOCKER_API_VERSION: 1.23
+ BASE_OS: focal
+ parallelism: 3
+ steps:
+ - checkout
+ - *rebaseontarget
+ - *createcachedir
+ - *restorecache
+ - *loadimagelayers
+ - *dockerimagebuild
+ - *saveimagelayers
+ - *savecache
+
+ - run:
+ name: Install dependencies
+ command: |
+ sudo systemctl stop apt-daily.service
+ sudo systemctl kill --kill-who=all apt-daily.service
+ while ! (systemctl list-units --all apt-daily.service | egrep -q '(dead|failed)') do sleep 1; done
+ ( sudo apt-get update || sudo apt-get update )
+ sudo apt-get install -y openjdk-17-jre-headless wget firefox
+ export GECKODRIVER_VER=v0.30.0
+ wget https://github.com/mozilla/geckodriver/releases/download/${GECKODRIVER_VER}/geckodriver-${GECKODRIVER_VER}-linux64.tar.gz -O /tmp/geckodriver.tar.gz
+ cd /tmp
+ tar -xvzf geckodriver.tar.gz
+ sudo install geckodriver /usr/local/bin
+ wget https://github.com/zaproxy/zaproxy/releases/download/v2.11.1/ZAP_2_11_1_unix.sh -O /tmp/zap_installer.sh
+ chmod u+x /tmp/zap_installer.sh
+ sudo /tmp/zap_installer.sh -q
+ zap.sh -cmd -addoninstall jython
+ cd ~/project; ls
+ pip3 install -r scans/requirements.txt
+
+ - run:
+ name: Run dev instance
+ command: |
+ fromtag=$(docker images |grep securedrop-test-focal-py3 |head -n1 |awk '{print $2}')
+ DOCKER_BUILD_ARGUMENTS="--cache-from securedrop-test-focal-py3:${fromtag:-latest}" make dev-detatched
+ background: true
+
+ - run:
+ name: Run zap daemon
+ command: zap.sh -daemon -port 8090 -config api.disablekey=true -config hud.enabled=false -config hud.enabledForDesktop=false
+ background: true
+
+ - run:
+ name: Run zap
+ command: ~/project/scans/zapscan.py
+
+ - store_test_results:
+ path: ~/project/jrn_report.html
+
+ - store_artifacts:
+ path: ~/project/src_report.html
+
 staging-test-with-rebase:
 machine:
 image: ubuntu-2004:202010-01
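Review bot: The geckodriver tarball and the ZAP installer fetched with `wget` in the Install dependencies step are executed unverified — `sudo install geckodriver /usr/local/bin` and `sudo /tmp/zap_installer.sh -q` run whatever the release URL served, as root, with only the version string pinned. Check each download against a known digest before installing, e.g. `echo "<SHA256_OF_ZAP_2_11_1_unix.sh placeholder>  /tmp/zap_installer.sh" | sha256sum -c -` and the same for `/tmp/geckodriver.tar.gz`, so a substituted or tampered release fails the job instead of being installed. Separately, `store_test_results` ingests JUnit XML, so `~/project/jrn_report.html` will not be parsed as results; `store_artifacts`, as already used for `src_report.html`, is the right step for an HTML report. The Run zap step also starts immediately after the two `background: true` steps, so unless `scans/zapscan.py` (not in this diff) waits for port 8090 and the dev instance to be reachable, it may scan before either is up.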
@@ -310,63 +370,64 @@ workflows:
 version: 2
 securedrop_ci:
 jobs:
- - lint
- - app-tests:
- filters:
- branches:
- ignore:
- - /i18n-.*/
- - /update-builder-.*/
- requires:
- - lint
- - app-page-layout-tests:
- filters:
- branches:
- ignore:
- - /i18n-.*/
- - /update-builder-.*/
- requires:
- - lint
- - admin-tests:
- filters:
- branches:
- ignore:
- - /i18n-.*/
- - /update-builder-.*/
- requires:
- - lint
- - updater-gui-tests:
- filters:
- branches:
- ignore:
- - /i18n-.*/
- - /update-builder-.*/
- requires:
- - lint
- - static-analysis-and-no-known-cves:
- requires:
- - lint
- - staging-test-with-rebase:
- filters:
- branches:
- # Ignore needs to be here explicitely as only clause introduced in PR #6086 might be removed afterwards.
- ignore: /i18n-.*/
- only: /(stg-|release\/).*/
- requires:
- - lint
- - translation-tests:
- requires:
- - lint
- filters:
- branches:
- only: /i18n-.*/
- - deb-tests:
- filters:
- branches:
- only:
- - /update-builder-.*/
- requires:
- - lint
+ - zap-vulnerability-scan
+ # - lint
+ # - app-tests:
+ # filters:
+ # branches:
+ # ignore:
+ # - /i18n-.*/
+ # - /update-builder-.*/
+ # requires:
+ # - lint
+ # - app-page-layout-tests:
+ # filters:
+ # branches:
+ # ignore:
+ # - /i18n-.*/
+ # - /update-builder-.*/
+ # requires:
+ # - lint
+ # - admin-tests:
+ # filters:
+ # branches:
+ # ignore:
+ # - /i18n-.*/
+ # - /update-builder-.*/
+ # requires:
+ # - lint
+ # - updater-gui-tests:
+ # filters:
+ # branches:
+ # ignore:
+ # - /i18n-.*/
+ # - /update-builder-.*/
+ # requires:
+ # - lint
+ # - static-analysis-and-no-known-cves:
+ # requires:
+ # - lint
+ # - staging-test-with-rebase:
+ # filters:
+ # branches:
+ # # Ignore needs to be here explicitely as only clause introduced in PR #6086 might be removed afterwards.
+ # ignore: /i18n-.*/
+ # only: /(stg-|release\/).*/
+ # requires:
+ # - lint
+ # - translation-tests:
+ # requires:
+ # - lint
+ # filters:
+ # branches:
+ # only: /i18n-.*/
+ # - deb-tests:
+ # filters:
+ # branches:
+ # only:
+ # - /update-builder-.*/
+ # requires:
+ # - lint
 
 nightly:
 triggers:
diff --git a/Makefile b/Makefile
index 18a0a86404d..d310bc36bfb 100644
--- a/Makefile
+++ b/Makefile
@@ -237,6 +237,12 @@ dev: ## Run the development server in a Docker container.
 @echo "███ Starting development server..."
 @OFFSET_PORTS='false' DOCKER_BUILD_VERBOSE='true' $(DEVSHELL) $(SDBIN)/run
 @echo
+
+.PHONY: dev-detatched
+dev-detatched: ## Run the development server in a Docker container without attatching tty.
+ @echo "███ Starting development server..."
+ @OFFSET_PORTS='false' DETATCHED='true' DOCKER_BUILD_VERBOSE='true' $(DEVSHELL) $(SDBIN)/run
+ @echo
 
 .PHONY: dev-tor
 dev-tor: ## Run the development server with onion services in a Docker container.
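Review bot: The `securedrop_ci` workflow now runs only `zap-vulnerability-scan`; lint, app-tests, app-page-layout-tests, admin-tests, updater-gui-tests, static-analysis-and-no-known-cves, staging-test-with-rebase, translation-tests and deb-tests are all commented out, so merging this hunk as-is disables every existing test and known-CVE check together with their branch filters. If the commenting is only a way to exercise the new job on a branch, it should be reverted before merge and the job added next to the existing ones with the same gating, e.g. `- zap-vulnerability-scan:` / `requires:` / `- lint`, or put in its own workflow with a branch `only` filter. As written the new entry also has no `filters`, so unlike its siblings it will run on `i18n-*` and `update-builder-*` branches.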
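Review bot: The new target and the variable it sets are misspelled — `dev-detatched`, `DETATCHED='true'` and "attatching" in the help text — and the CI job in .circleci/config.yml already calls `make dev-detatched`, so the typo becomes part of the interface as soon as this lands. Renaming to `dev-detached` with `DETACHED='true'` is cheap now and will need a compatibility alias later. The consumer of `DETATCHED` (`$(SDBIN)/run`) is not in this diff, so what it actually does with the value, and whether the name must match there, cannot be confirmed here.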