Reporting
Covered GitLab features: unit test reports, dependency scanning, container scanning
Like Père Blaise, your GitLab CI can report a lot of things to you, directly in merge requests.
No, wait, I think we've misunderstood each other here: do you have any idea how long it takes me to draw a letter with these FUCKING QUILLS?!
Kaamelott S01E51
Unit tests report
📝 Instructions
➡️ Add the following in the artifacts section of your unit job (the JUnit XML files produced by Surefire and Failsafe are what GitLab parses for the merge request test summary):
artifacts:
  ...
  reports:
    junit:
      - target/surefire-reports/TEST-*.xml
      - target/failsafe-reports/TEST-*.xml
➡️ Use git to commit and push your modifications :
git add .
git commit -m "chore(ci): report unit tests in merge requests"
git push
OK, reporting is configured; now we need a merge request to view the results:
➡️ Go to your project issues:
https://gitlab.com/gitlab-workshop/swiss-institute-of-bioinformatics/<your-project>/issues
➡️ Click on the button to create a new issue
➡️ Enter the following fun title: feat(quotes): alter unit tests
and click on the button to submit the issue
➡️ Click on the button to create a merge request from the issue
➡️ A new branch named 1-feat-quotes-alter-unit-tests
is automatically created and you can fetch it using git fetch
➡️ Switch to the branch using git checkout 1-feat-quotes-alter-unit-tests
➡️ Locate the QuoteRepositoryTest.kt file and replace
val quote = Quote(null, arthur, "Le Graal, je sais pas où il est mais il va y rester un moment, c'est moi qui vous l'dis !")
with:
val quote = Quote(null, arthur, "J'en ai rien à foutre ! Vous pourriez vous marier avec une chèvre si ça vous chante. Et puis, si y en a une qu'est d'accord, rappelez-vous qu'c'est inespéré puis sautez sur l'occasion.")
➡️ Use git to commit and push your modifications :
git add .
git commit -m "feat(quotes): alter unit tests"
git push
➡️ Wait for the pipeline to succeed (watch it directly in the merge request 😍)
➡️ Admire the new test summary shown in the merge request 🚀:
➡️ ⚠ Don't forget to return to your main branch using git checkout master
🚨 Solution
Project: https://gitlab.com/gitlab-workshop/solutions/blob/3a9438d1f10556cf9c25b454fe1b3586ac3386f4/
Pipeline: https://gitlab.com/gitlab-workshop/solutions/pipelines/275966321
Merge request: https://gitlab.com/gitlab-workshop/solutions/merge_requests/4
Dependency scanning
GitLab CI can also report known security vulnerabilities (CVEs) in your program's dependencies.
📝 Instructions
➡️ Add a new security stage to the stages list, after the build stage
➡️ Add the following include at the top of the .gitlab-ci.yml file (the template ships GitLab's dependency_scanning job definition):
include:
  - template: Dependency-Scanning.gitlab-ci.yml
➡️ Add the following job after the build job. It overrides the dependency_scanning job defined by the included template (provided by GitLab here), setting its stage and the Maven options the analyzer uses to resolve dependencies:
dependency_scanning:
  stage: security
  variables:
    # Options the analyzer passes to Maven: resolve the dependency tree without running tests
    MAVEN_CLI_OPTS: "-DskipTests --batch-mode --errors --fail-at-end --show-version -DinstallAtEnd=true -DdeployAtEnd=true"
  # Findings are reported but do not block the pipeline
  allow_failure: true
➡️ Use git to commit and push your modifications :
git add .
git commit -m "chore(ci): add dependency scanning"
git push
➡️ Create an issue and a merge request with the title chore: add outdated apache dependency
(see instructions here)
➡️ A new branch named 2-chore-add-outdated-apache-dependency
is automatically created and you can fetch it using git fetch
➡️ Switch to the branch using git checkout 2-chore-add-outdated-apache-dependency
➡️ Add the following to the dependencies section of the pom.xml file:
<dependency>
  <groupId>org.apache.commons</groupId>
  <artifactId>commons-collections4</artifactId>
  <version>4.0</version>
</dependency>
➡️ Use git to commit and push your modifications :
git add .
git commit -m "chore: add outdated apache dependency"
git push
➡️ Wait for the pipeline to succeed (watch it directly in the merge request 😍)
➡️ Open the dependency_scanning job log: you can see that your newly added dependency has a known CVE:
The information is also shown in the merge request itself if your user is on a GitLab Gold plan.
➡️ ⚠ Don't forget to return to your main branch using git checkout master
🚨 Solution
Project: https://gitlab.com/gitlab-workshop/solutions/blob/12a35df479a83b6d47a4a12aedec34ce768b9889/
Pipeline: https://gitlab.com/gitlab-workshop/solutions/pipelines/275966457
Merge request: https://gitlab.com/gitlab-workshop/solutions/merge_requests/5
Container scanning
In our case we build a Docker image for our application, so the application dependencies are now scanned, but CVEs in the OS packages embedded in the Docker image are not. Let's have GitLab container scanning help us!
📝 Instructions
➡️ Add the following job after the dependency_scanning job:
container_scanning:
  stage: security
  variables:
    # Registry credentials Trivy uses to pull the image built by the pipeline
    TRIVY_AUTH_URL: $CI_REGISTRY
    TRIVY_USERNAME: $REGISTRY_USER
    TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
    CI_APPLICATION_REPOSITORY: $CI_REGISTRY/$CI_PROJECT_PATH/kaamelott-quote
    CI_APPLICATION_TAG: latest
  image:
    name: aquasec/trivy
    entrypoint: [""]
  # Findings are reported but do not block the pipeline
  allow_failure: true
  script:
    # First run: machine-readable report in the GitLab format, picked up as a report artifact
    - trivy --exit-code 0 --no-progress --cache-dir .trivy/ --format template --template "@/contrib/gitlab.tpl" -o gl-container-scanning-report.json ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
    # Second run: human-readable table in the job log
    - trivy --exit-code 0 --no-progress --cache-dir .trivy/ ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
This job runs Trivy as a custom analyzer; Trivy becomes GitLab's built-in container scanning analyzer starting with GitLab 14.0. Until then, the officially supported setup is described here. Note that the job scans the mutable latest tag, i.e. whatever was last pushed to the registry; that matches the build job here, which pushes kaamelott-quote:latest, but in a real pipeline you would tag and scan the image by commit SHA.
➡️ Use git to commit and push your modifications :
git add .
git commit -m "chore(ci): add container scanning"
git push
➡️ Wait for the pipeline, open the container_scanning job log and observe that no vulnerabilities are detected. This is because jib's default base image is a distroless image, which ships almost no OS packages for the scanner to match against. A clean scan therefore means there was little to scan, not that the application is free of vulnerable code; the application's own dependencies are covered by the dependency_scanning job.
➡️ Create an issue and a merge request with the title chore(jib): use openjdk:8-jdk-slim as base image
(see instructions here)
➡️ A new branch named 3-chore-jib-use-openjdk-8-jdk-slim-as-base-image
is automatically created and you can fetch it using git fetch
➡️ Switch to the branch using git checkout 3-chore-jib-use-openjdk-8-jdk-slim-as-base-image
➡️ Replace the jib plugin section in the pom.xml file with:
<plugin>
  <groupId>com.google.cloud.tools</groupId>
  <artifactId>jib-maven-plugin</artifactId>
  <version>0.10.0</version>
  <configuration>
    <!-- Base image: a full Debian-based JDK image instead of jib's default distroless one -->
    <from>
      <image>openjdk:8-jdk-slim</image>
    </from>
    <!-- Target image in the project's GitLab registry, pushed with CI credentials from the environment -->
    <to>
      <image>${env.CI_REGISTRY}/${env.CI_PROJECT_PATH}/kaamelott-quote:latest</image>
      <auth>
        <username>${env.REGISTRY_USER}</username>
        <password>${env.CI_REGISTRY_PASSWORD}</password>
      </auth>
    </to>
  </configuration>
</plugin>
➡️ Use git to commit and push your modifications :
git add .
git commit -m "chore(jib): use openjdk:8-jdk-slim as base image"
git push
➡️ Wait for the pipeline to succeed (watch it directly in the merge request 😍)
➡️ Open the container_scanning job log: you can see that the Docker image you now build contains packages with known CVEs:
The information is also shown in the merge request itself if your user is on a GitLab Gold plan.
➡️ ⚠ Don't forget to return to your main branch using git checkout master
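Both the dependency_scanning job and the container_scanning job above run with allow_failure: true (and Trivy with --exit-code 0), so their findings are displayed but never block a merge. The script below is an added example, not workshop or GitLab code: it reads the JSON report artifact either job produces (gl-dependency-scanning-report.json or gl-container-scanning-report.json) and returns a non-zero exit status when any finding reaches a severity threshold, so it can run as an extra job in the security stage after the scanners. It assumes the GitLab security report layout (a top-level "vulnerabilities" list whose entries carry "severity", "identifiers" and "location"); the two sample reports embedded at the bottom are constructed for this example, the dependency one using CVE-2015-7501, the Apache Commons Collections deserialization advisory, for the workshop's commons-collections4 4.0 entry, and the container one using placeholder CVE ids and a placeholder registry name.

```python
"""Gate a GitLab security report (dependency or container scanning) on severity.

Added example, not part of the workshop. Assumed report layout: GitLab security
report with a top-level "vulnerabilities" list; entries carry "severity",
"identifiers" and "location". Sample reports below are constructed.
"""
import json
import sys

# Severity names used in GitLab security reports, ranked for threshold comparison.
SEVERITY_RANK = {"Unknown": 0, "Info": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}


def cve_ids(finding):
    """CVE identifiers attached to a finding (other identifier types are ignored)."""
    return [i["name"] for i in finding.get("identifiers", []) if i.get("type") == "cve"]


def describe_location(location):
    """Human-readable location for a dependency scanning or container scanning entry."""
    dependency = location.get("dependency", {})
    package = dependency.get("package", {}).get("name", "?")
    version = dependency.get("version", "?")
    if "image" in location:  # container scanning: OS package inside the scanned image
        return f"{location['image']} ({location.get('operating_system', 'unknown OS')}): {package} {version}"
    return f"{location.get('file', '?')}: {package} {version}"  # dependency scanning: manifest entry


def blocking_findings(report, threshold="High"):
    """Findings at or above `threshold`, as (severity, cve_ids, location) tuples."""
    floor = SEVERITY_RANK[threshold]
    hits = []
    for finding in report.get("vulnerabilities", []):
        severity = finding.get("severity", "Unknown")
        if SEVERITY_RANK.get(severity, 0) >= floor:
            hits.append((severity, cve_ids(finding), describe_location(finding.get("location", {}))))
    # Most severe first, so the job log leads with what matters.
    hits.sort(key=lambda hit: SEVERITY_RANK[hit[0]], reverse=True)
    return hits


def gate(report, threshold="High"):
    """Exit status for the CI job: 0 when nothing reaches the threshold, 1 otherwise."""
    hits = blocking_findings(report, threshold)
    for severity, ids, where in hits:
        print(f"[{severity}] {', '.join(ids) or 'no CVE id'} in {where}")
    return 1 if hits else 0


# Constructed sample in the dependency scanning layout. The first entry mirrors the
# workshop's outdated commons-collections4 4.0 dependency with the well-known Commons
# Collections deserialization advisory; the second is filler below the threshold.
SAMPLE_DEPENDENCY_REPORT = {
    "version": "2.0",
    "vulnerabilities": [
        {"category": "dependency_scanning", "severity": "High",
         "identifiers": [{"type": "cve", "name": "CVE-2015-7501"}],
         "location": {"file": "pom.xml",
                      "dependency": {"package": {"name": "org.apache.commons/commons-collections4"},
                                     "version": "4.0"}}},
        {"category": "dependency_scanning", "severity": "Low",
         "identifiers": [{"type": "gemnasium", "name": "constructed-id"}],
         "location": {"file": "pom.xml",
                      "dependency": {"package": {"name": "example/filler"}, "version": "1.0"}}},
    ],
}

# Constructed sample in the container scanning layout; CVE ids, image name and
# package versions are placeholders, not real advisories.
SAMPLE_CONTAINER_REPORT = {
    "version": "2.3",
    "vulnerabilities": [
        {"category": "container_scanning", "severity": "Medium",
         "identifiers": [{"type": "cve", "name": "CVE-0000-0002"}],
         "location": {"image": "registry.example/kaamelott-quote:latest", "operating_system": "debian:9",
                      "dependency": {"package": {"name": "openssl"}, "version": "1.1.0-placeholder"}}},
        {"category": "container_scanning", "severity": "Critical",
         "identifiers": [{"type": "cve", "name": "CVE-0000-0001"}],
         "location": {"image": "registry.example/kaamelott-quote:latest", "operating_system": "debian:9",
                      "dependency": {"package": {"name": "glibc"}, "version": "2.24-placeholder"}}},
        {"category": "container_scanning", "severity": "Low",
         "identifiers": [],
         "location": {"image": "registry.example/kaamelott-quote:latest", "operating_system": "debian:9",
                      "dependency": {"package": {"name": "bash"}, "version": "4.4-placeholder"}}},
    ],
}


if __name__ == "__main__":
    # CI usage: python gate_report.py gl-container-scanning-report.json High
    if len(sys.argv) < 2:
        sys.exit(gate(SAMPLE_DEPENDENCY_REPORT))
    with open(sys.argv[1], encoding="utf-8") as fh:
        loaded = json.load(fh)
    sys.exit(gate(loaded, sys.argv[2] if len(sys.argv) > 2 else "High"))
```

To wire it in, add a job in the security stage that lists the scanner jobs in needs (or simply runs in a later stage), declares the report file as an artifact dependency and runs the script with the threshold your project agrees on; unlike the scanner jobs it must not set allow_failure, otherwise the gate is decorative.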
🚨 Solution
Project: https://gitlab.com/gitlab-workshop/solutions/blob/da036a16df3d559244cfcce3a8a480c15bfe39a9/
Pipeline: https://gitlab.com/gitlab-workshop/solutions/pipelines/275966583
Merge request: https://gitlab.com/gitlab-workshop/solutions/merge_requests/6