
Automatically submit weekly core deployment branch (+skins, +vendor) to Veracode
Closed, Resolved (Public)

Event Timeline

csteipp claimed this task.
csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description. (Show Details)
csteipp added a project: Security-Team.
csteipp subscribed.
csteipp renamed this task from Have Jenkins submit weekly core deployment branch (+skins, +vendor) to Veracode to Automatically submit weekly core deployment branch (+skins, +vendor) to Veracode. Dec 15 2015, 9:11 PM
csteipp triaged this task as High priority.
csteipp updated the task description. (Show Details)
csteipp set Security to None.

Initially done with a bash cron job:

#!/bin/bash
#
# upload.sh: when a new wmf/1.* deployment branch appears, build a scan
# bundle (core + vendor + the bundled skins + a couple of extensions) and
# upload it to Veracode. The scan itself is started later by startscan.sh.
#
# app_id="194207"

REPO=/home/csteipp/tmp/deploy # we assume it's called "deploy" later, so change that if it's updated
SVEDIR=/home/csteipp/CurrentWork/veracodescan/SuperVulnerableExtension
PDFDIR=/home/csteipp/code/extensions/git2/extensions/PdfHandler
SCANDIR=/home/csteipp/CurrentWork/veracodescan
APITOKEN=xxx

cd "$REPO" || exit 1

git fetch --all > /dev/null
git branch -a | grep 'remotes/origin/wmf/1.' > "$SCANDIR/branches.new"

if ! diff "$SCANDIR/branches" "$SCANDIR/branches.new" > /dev/null; then
	echo "diff"
	# Lines added since the last run look like "> remotes/origin/wmf/1.27.0-wmf.9".
	# Take the 4th '/'-separated field and pick the newest by version (sort -V),
	# not lexically, so that wmf.10 is not treated as older than wmf.9.
	BRANCH=$(diff "$SCANDIR/branches" "$SCANDIR/branches.new" | awk -F'/' '/^> /{print $4}' | sort -V | tail -n 1)
	echo "Running scan for new branch: $BRANCH"
	git checkout -t "origin/wmf/$BRANCH"
	git submodule update --init --recursive vendor

	cd skins
	for SKIN in CologneBlue Modern MonoBook Nostalgia Vector
	do
		echo "> $SKIN"
		git submodule update --init --recursive "$SKIN"
	done

	## Copy dir and hack it up
	cd "$SCANDIR"
	rsync -a --exclude '.git' "$REPO" .
	cd ./deploy/

	# Remove all extensions
	rm -rf extensions/*

	# Copy in SVE / PDF for good measure
	cp -a "$SVEDIR" ./extensions/

	cp -a "$PDFDIR" ./extensions/
	cd ./extensions/PdfHandler
	git fetch --all
	git checkout -t "origin/wmf/$BRANCH"
	cd ../..

	# Add a LocalSettings.php
	cp "$SCANDIR/LocalSettings.php" .

	# remove .git: rsync already left out the core checkout's .git, but the
	# extensions copied with cp -a still carry theirs, so strip all of them
	find . -name .git -prune -exec rm -rf {} +

	cd "$SCANDIR"

	tar -zcf "./mediawiki-$BRANCH-veracode.tgz" ./deploy

	echo "doing upload of $BRANCH..."

	curl --compressed -u "$APITOKEN" https://analysiscenter.veracode.com/api/4.0/uploadfile.do -F "app_id=194207" -F "file=@mediawiki-$BRANCH-veracode.tgz" > "upload-$BRANCH.xml"

	curl --compressed -u "$APITOKEN" https://analysiscenter.veracode.com/api/5.0/beginprescan.do -F "app_id=194207" > "prescan-$BRANCH.xml"

	# In a separate cron, we'll actually start the scan, flag this $BRANCH
	echo "$BRANCH" > doupload.flag

	# update so we only scan this branch once
	cp "$SCANDIR/branches.new" "$SCANDIR/branches"

	# clean up
	rm -rf "$SCANDIR/deploy/"

fi

cd "$SCANDIR"

and

#!/bin/bash
#
# startscan.sh: run after upload.sh has had time to finish its upload and
# prescan; if upload.sh left a flag naming the branch, start the scan.
#
# app_id="194207"

SCANDIR=/home/csteipp/CurrentWork/veracodescan
APITOKEN=xxx

if [ -f "$SCANDIR/doupload.flag" ]
then
	BRANCH=$(<"$SCANDIR/doupload.flag")
	echo "Starting scan for $BRANCH"

	curl --compressed -u "$APITOKEN" https://analysiscenter.veracode.com/api/5.0/beginscan.do -F "app_id=194207" -F "scan_all_top_level_modules=true"

	# drop the flag so the same branch is not started twice
	rm "$SCANDIR/doupload.flag"
fi

with crontab

# 12:15 daily: look for a new wmf branch, bundle and upload it, start the prescan
15 12 * * * /home/csteipp/CurrentWork/veracodescan/upload.sh
# 14:15 daily: two hours later, start the full scan if upload.sh left a flag
15 14 * * * /home/csteipp/CurrentWork/veracodescan/startscan.sh
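As an added example, not part of the task or of csteipp's scripts: the step that decides which branch to scan needs version-aware ordering. A plain lexical sort places 1.27.0-wmf.10 before 1.27.0-wmf.9, and GNU `sort -V` is not available on every host, so the awk comparison below splits each `wmf/<version>` name into its numeric components and compares them field by field. `new_branches` reports only the branches absent from the previous snapshot (treating a missing snapshot as empty, for the first run), and `pick_branch_to_scan` combines the two. The function names and the sample `git branch -a` output are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the task): version-aware selection of the newest
# wmf/ deployment branch, plus detection of branches not seen before.
# Input lines use the format produced by `git branch -a`, for example
#   "  remotes/origin/wmf/1.27.0-wmf.9"

# Print the newest version among "remotes/origin/wmf/<version>" lines on stdin.
# Each version is split into numeric components (1.27.0-wmf.9 -> 1 27 0 9) and
# compared component by component, so wmf.10 ranks above wmf.9. Lines that are
# not wmf branches ("* master", "remotes/origin/HEAD -> ...") are ignored.
newest_wmf_branch() {
    awk -F'/' '
        $3 == "wmf" && $4 != "" {
            v = $4
            n = split(v, parts, /[^0-9]+/)
            if (best == "") {
                newer = 1
            } else {
                newer = 0
                for (i = 1; i <= n || i <= nb; i++) {
                    a = (i <= n)  ? parts[i] + 0 : 0
                    b = (i <= nb) ? bp[i] + 0    : 0
                    if (a != b) { newer = (a > b); break }
                }
            }
            if (newer) {
                best = v; nb = n
                for (i = 1; i <= n; i++) bp[i] = parts[i]
            }
        }
        END { if (best != "") print best }'
}

# Print lines present in the current snapshot ($2) but not in the previous
# one ($1). A missing previous snapshot (first run) counts as empty.
new_branches() {
    prev="$1"; cur="$2"
    [ -f "$prev" ] || prev=/dev/null
    tmp_prev=$(mktemp); tmp_cur=$(mktemp)
    sort "$prev" > "$tmp_prev"
    sort "$cur"  > "$tmp_cur"
    comm -13 "$tmp_prev" "$tmp_cur"   # lines only in the second (current) file
    rm -f "$tmp_prev" "$tmp_cur"
}

# Newest branch among those not scanned before; prints nothing if none is new.
pick_branch_to_scan() {
    new_branches "$1" "$2" | newest_wmf_branch
}

# Constructed demo data: the previous run saw wmf.8 and wmf.9; the current
# run also sees wmf.10 and an older-series branch with a bigger trailing number.
demo_dir=$(mktemp -d)
printf '%s\n' '  remotes/origin/wmf/1.27.0-wmf.8' '  remotes/origin/wmf/1.27.0-wmf.9' > "$demo_dir/branches"
printf '%s\n' '  remotes/origin/wmf/1.27.0-wmf.8' '  remotes/origin/wmf/1.27.0-wmf.9' \
    '  remotes/origin/wmf/1.27.0-wmf.10' '  remotes/origin/wmf/1.26wmf22' > "$demo_dir/branches.new"
pick_branch_to_scan "$demo_dir/branches" "$demo_dir/branches.new"
rm -rf "$demo_dir"
```

In the cron job this replaces the diff-and-sort pipeline: `BRANCH=$(pick_branch_to_scan "$SCANDIR/branches" "$SCANDIR/branches.new")`, followed by a `[ -n "$BRANCH" ]` check before doing any checkout or upload.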