Review of GitLab CI using yml
Hi, I am using the following GitLab yml file for setting up my pipeline. The project is a Maven Java project, but I am not able to run all the steps successfully. Here is the GitLab yml:
```yaml
image: maven:3.5-jdk-8

variables:
  MAVEN_CLI_OPTS: "-s .m2/settings.xml --batch-mode"
  MAVEN_OPTS: "-Dmaven.repo.local=.m2/repository"

include:
  - template: Security/SAST.gitlab-ci.yml

cache:
  paths:
    - .m2/settings.xml

# Define stages
# Stages group various steps into one block,
# if any step fails, the entire stage fails
stages:
  - validate
  - compile
  - SonarQube
  - test

validate:
  stage: validate
  script:
    - mvn validate

compile:
  stage: compile
  script:
    - mvn $MAVEN_CLI_OPTS compile

sonarqube-check:
  image: maven:3.6.3-jdk-11
  stage: SonarQube
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"
  script:
    - mvn sonar:sonar -Dsonar.projectKey=key -Dsonar.host.url=url -Dsonar.login=id
  allow_failure: true

spotbugs-sast:
  variables:
    COMPILE: "false"
    SECURE_LOG_LEVEL: "debug"
  artifacts:
    reports:
      sast: gl-sast-report.json

#spotbugs-sast:
#  variables:
#    SECURE_LOG_LEVEL: "debug"
#    FAIL_NEVER: 1

test:
  image: maven:3.5-jdk-8
  stage: test
  script:
    - mkdir -p /opt/path/conf/project/
    - echo ${CI_PROJECT_DIR}
    - cp "${CI_PROJECT_DIR}/project.properties" "/opt/path/conf/project/"
    - mvn $MAVEN_CLI_OPTS test -B
```
But I am getting errors in the stages sonarqube, spotbugs-sast and test.

- In sonarqube, it is showing the error "Failed to resolve the project dependency" with a list of jar files:

```
The following artifacts could not be resolved: webpay:webpay-client:jar:4.0.4, mpienhanced:mpienhanced:jar:1.0.0, webpay:webpay-mpi:jar:4.3.9, webpay:matrix-mpi:jar:1.27.4, webpay:vbv-matrix:jar:1.12.1, webpay:xercesImpl:jar:2.12.0, webpay:xss4j:jar:0.0.1, webpay:xmlParserAPIs:jar:2.11.0, webpay:webpay-mpi-util:jar:4.2.2
```

- In spotbugs-sast I am getting the error:

```
[INFO] [Find Security Bugs] [2022-01-13T10:41:39Z] ▶ Found 1 analyzable projects.
[FATA] [Find Security Bugs] [2022-01-13T10:41:39Z] ▶ lstat /root/.m2/repository: no such file or directory
```

- In the test stage it is not able to get the properties file from the path that is mentioned in the config file. I have tried to place the properties file in all the places and specify the path, but with no luck.

Can someone please help resolve my issues? Thanks in advance. Let me know if any additional info is required.
Solution 1:[1]
You could try going back to a documentation example and tweak it to incrementally make it like the one in your question.
But be warned: spotbugs-sast won't analyze Java much longer.
See GitLab 14.10 (April 2022)
Faster, easier Java scanning in SAST
GitLab Static Application Security Testing (SAST) now uses Semgrep to scan Java code, building on previous support for Go (introduced in GitLab 14.4) and for JavaScript, TypeScript, and Python (introduced in GitLab 13.12).
The Semgrep-based analyzer runs significantly faster—up to 7 times faster in our testing than the existing analyzer that’s based on SpotBugs. It also doesn’t need to compile your code before scanning, so it’s much simpler to use than SpotBugs.
The Static Analysis and Vulnerability Research teams worked together to translate rules to the Semgrep format, preserving most existing rules. We also updated, refined, and tested the rules as we converted them.
If you use the GitLab-managed SAST template (SAST.gitlab-ci.yml), both Semgrep and SpotBugs now run whenever Java code is found. In GitLab Ultimate, the Security Dashboard combines findings from the two analyzers, so you won’t see duplicate vulnerability reports.

In GitLab 15.0, as we announced, we’ll change the GitLab-managed SAST template (SAST.gitlab-ci.yml) to only run the Semgrep-based analyzer for Java code. The SpotBugs-based analyzer will still scan other JVM languages like Groovy, Kotlin, and Scala.

If you have any questions, feedback, or issues with the new Semgrep-based Java scanning, please file an issue, we’ll be glad to help.
See Documentation and Issue.
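As an added example of what "going back to a documentation example and tweaking it" can look like for this pipeline (this is not the asker's file and not part of VonC's answer): a version of the same `.gitlab-ci.yml` in which every `mvn` call uses the same settings file and the same local repository, and that repository (`.m2/repository`, the directory `MAVEN_OPTS` already points at) is what gets cached instead of `settings.xml` alone. The Sonar values are assumed to come from CI/CD variables named `SONAR_HOST_URL`, `SONAR_PROJECT_KEY` and `SONAR_TOKEN` (the token masked in the project settings) rather than being written into the file; `MAVEN_REPO_PATH` and `MAVEN_CLI_OPTS` are the SpotBugs analyzer settings documented for GitLab SAST, and the `target/` artifact from `compile` is assumed to be what a `COMPILE: "false"` scan needs to find in the workspace.

```yaml
# Added example, not the original question's file: a documentation-style
# Maven pipeline with one settings file and one cached local repository.
image: maven:3.5-jdk-8

variables:
  # Same settings file and non-interactive mode for every mvn invocation.
  MAVEN_CLI_OPTS: "-s .m2/settings.xml --batch-mode"
  # Keep the local repository inside the project directory so it can be cached.
  MAVEN_OPTS: "-Dmaven.repo.local=.m2/repository"

include:
  - template: Security/SAST.gitlab-ci.yml

cache:
  key: "$CI_COMMIT_REF_SLUG"
  paths:
    # Cache the downloaded dependencies, not only settings.xml.
    - .m2/repository

stages:
  - validate
  - compile
  - SonarQube
  - test

validate:
  stage: validate
  script:
    - mvn $MAVEN_CLI_OPTS validate

compile:
  stage: compile
  script:
    - mvn $MAVEN_CLI_OPTS compile
  artifacts:
    # Hand the compiled classes to later stages (including the SAST job).
    paths:
      - target/

sonarqube-check:
  image: maven:3.6.3-jdk-11
  stage: SonarQube
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"
  script:
    # Host, key and token are assumed to be CI/CD variables (token masked),
    # and the job uses the same settings file as the other stages.
    - mvn $MAVEN_CLI_OPTS sonar:sonar -Dsonar.projectKey="$SONAR_PROJECT_KEY" -Dsonar.host.url="$SONAR_HOST_URL" -Dsonar.login="$SONAR_TOKEN"
  allow_failure: true

spotbugs-sast:
  variables:
    COMPILE: "false"
    SECURE_LOG_LEVEL: "debug"
    # Point the analyzer at the cached repository instead of /root/.m2/repository.
    MAVEN_CLI_OPTS: "-s .m2/settings.xml --batch-mode"
    MAVEN_REPO_PATH: "$CI_PROJECT_DIR/.m2/repository"
  artifacts:
    reports:
      sast: gl-sast-report.json

test:
  stage: test
  script:
    - mkdir -p /opt/path/conf/project/
    - cp "${CI_PROJECT_DIR}/project.properties" "/opt/path/conf/project/"
    - mvn $MAVEN_CLI_OPTS test
```

The point of the change is consistency: the `webpay:*` artifacts in the question are presumably served by a repository declared in `.m2/settings.xml`, so a job that runs `mvn` without `$MAVEN_CLI_OPTS` (as `sonarqube-check` and `validate` did) never sees that repository, and a job that looks in `/root/.m2/repository` never sees the cache. Whether the SpotBugs job still scans Java at all depends on the GitLab version, as the answer above notes.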
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | VonC |