Add in gitlab pipelines.

pipelines/gitlab/api/mayhem.yml

@@ -0,0 +1,35 @@
+# Scan an API -> get a SARIF/Junit report
+
+stages:
+    - scan
+
+variables:
+    # Define the target API to scan
+    TARGET_API: "https://demo-api.mayhem.security/api/v3"
+    TARGET_API_SPEC: "https://demo-api.mayhem.security/api/v3/openapi.json"
+
+api-mayhem:
+    image: docker:latest
+    services:
+        - docker:dind
+    stage: scan
+    script:
+        # Install dependencies
+        - apt update && apt install -fy curl
+        # Install the Mayhem CLI
+        - curl -Lo mapi https://app.mayhem.security/cli/mapi/linux-musl/latest/mapi && chmod +x mapi
+        # Login
+        - ./mapi login $MAYHEM_TOKEN
+        # Run Mayhem and generate SARIF and JUnit reports
+        - ./mapi run forallsecure/gitlab/openapi-example 60s $TARGET_API_SPEC --url $TARGET_API --sarif api_mayhem.sarif --junit api_mayhem.junit --scm-branch $CI_COMMIT_REF_NAME --scm-commit-sha $CI_COMMIT_SHA --scm-remote $CI_REPOSITORY_URL
+        # Convert SARIF to GitLab SAST format
+        - curl -Lo sarif-converter https://gitlab.com/ignis-build/sarif-converter/-/releases/permalink/latest/downloads/bin/sarif-converter-linux && chmod +x sarif-converter
+        - ./sarif-converter --type sast api_mayhem.sarif gl-api-mayhem-sast.json
+    artifacts:
+        paths:
+            - gl-api-mayhem-sast.json
+            - api_mayhem.junit
+            - api_mayhem.sarif
+        reports:
+            sast: gl-api-mayhem-sast.json
+            junit: api-mayhem.junit

pipelines/gitlab/fuzz/mayhem.yml

@@ -0,0 +1,37 @@
+# Fuzz a Docker image -> Get a SARIF/Junit report using Mayhem
+
+stages:
+    - scan
+
+fuzz-mayhem:
+    stage: scan
+    image: golang:latest  # or other example image being tested
+    script:
+        # Install dependencies
+        - apt-get update -qq && apt-get install -y -qq curl  # or other dependencies
+        - curl --no-progress-meter -Lo mayhem ${MAYHEM_URL}/cli/Linux/mayhem && chmod +x mayhem
+        # Build target
+        - make
+        # Login
+        - ./mayhem login $MAYHEM_URL $MAYHEM_TOKEN
+        # Package the target and starting testsuite
+        - ./mayhem package gitlab-fuzzing-example/vulnerable -o package
+        - cp gitlab-fuzzing-example/inputs/* package/testsuite/ && cp gitlab-fuzzing-example/Mayhemfile package/
+        # Run Mayhem and generate SARIF and JUnit reports
+        - ./mayhem run package --duration 60 --ci-url $CI_SERVER_URL --scm-merge-base-branch ${CI_MERGE_REQUEST_TARGET_BRANCH_NAME:-""} --branch-name $CI_COMMIT_REF_NAME --revision $CI_COMMIT_SHA > /tmp/run
+        - ./mayhem wait $(cat /tmp/run) --sarif fuzz_mayhem.sarif --junit fuzz_mayhem.junit
+        # every path in the CI starts with the path /builds/group/project, sed it out
+        - sed -i 's|builds/[^/]\+/[^/]\+/||g' fuzz_mayhem.sarif
+        # Convert SARIF to GitLab SAST format
+        - curl -Lo sarif-converter https://gitlab.com/ignis-build/sarif-converter/-/releases/permalink/latest/downloads/bin/sarif-converter-linux && chmod +x sarif-converter
+        - ./sarif-converter --type sast fuzz_mayhem.sarif gl-fuzz-mayhem-sast.json || true
+
+    artifacts:
+        paths:
+          - gl-fuzz-mayhem-sast.json
+          - fuzz_mayhem.sarif
+          - fuzz_mayhem.junit
+        reports:
+            sast: gl-fuzz-mayhem-sast.json
+            junit: fuzz_mayhem.junit
+

pipelines/gitlab/sbom/gitlab.tpl

@@ -0,0 +1,105 @@
+{{- /* Template based on https://docs.gitlab.com/ee/user/application_security/container_scanning/#reports-json-format */ -}}
+{
+  "version": "15.0.7",
+  "scan": {
+    "analyzer": {
+      "id": "trivy",
+      "name": "Trivy",
+      "vendor": {
+        "name": "Aqua Security"
+      },
+      "version": "{{ appVersion }}"
+    },
+    "end_time": "{{ now | date "2006-01-02T15:04:05" }}",
+    "scanner": {
+      "id": "trivy",
+      "name": "Trivy",
+      "url": "https://github.com/aquasecurity/trivy/",
+      "vendor": {
+        "name": "Aqua Security"
+      },
+      "version": "{{ appVersion }}"
+    },
+    "start_time": "{{ now | date "2006-01-02T15:04:05" }}",
+    "status": "success",
+    "type": "container_scanning"
+  },
+  "vulnerabilities": [
+  {{- $t_first := true }}
+  {{- range . }}
+  {{- $target := .Target }}
+    {{- $image := $target | regexFind "[^\\s]+" }}
+    {{- range .Vulnerabilities -}}
+    {{- if $t_first -}}
+      {{- $t_first = false -}}
+    {{ else -}}
+      ,
+    {{- end }}
+    {
+      "id": "{{ .VulnerabilityID }}",
+      "name": {{ .Title | printf "%q" }},
+      "description": {{ .Description | printf "%q" }},
+      "severity": {{ if eq .Severity "UNKNOWN" -}}
+                    "Unknown"
+                  {{- else if eq .Severity "LOW" -}}
+                    "Low"
+                  {{- else if eq .Severity "MEDIUM" -}}
+                    "Medium"
+                  {{- else if eq .Severity "HIGH" -}}
+                    "High"
+                  {{- else if eq .Severity "CRITICAL" -}}
+                    "Critical"
+                  {{-  else -}}
+                    "{{ .Severity }}"
+                  {{- end }},
+      "solution": {{ if .FixedVersion -}}
+                    "Upgrade {{ .PkgName }} to {{ .FixedVersion }}"
+                  {{- else -}}
+                    "No solution provided"
+                  {{- end }},
+      "location": {
+        "dependency": {
+          "package": {
+            "name": "{{ .PkgName }}"
+          },
+          "version": "{{ .InstalledVersion }}"
+        },
+        {{- /* TODO: No mapping available - https://github.com/aquasecurity/trivy/issues/332 */}}
+        "operating_system": "Unknown",
+        "image": "{{ $image }}"
+      },
+      "identifiers": [
+        {
+	  {{- /* TODO: Type not extractable - https://github.com/aquasecurity/trivy-db/pull/24 */}}
+          "type": "cve",
+          "name": "{{ .VulnerabilityID }}",
+          "value": "{{ .VulnerabilityID }}"
+          {{- /* cf. https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/e3d280d7f0862ca66a1555ea8b24016a004bb914/dist/container-scanning-report-format.json#L157-179 */}}
+          {{- if .PrimaryURL | regexMatch "^(https?|ftp)://.+" -}},
+          "url": "{{ .PrimaryURL }}"
+          {{- end }}
+        }
+      ],
+      "links": [
+        {{- $l_first := true -}}
+        {{- range .References -}}
+        {{- if $l_first -}}
+          {{- $l_first = false }}
+        {{- else -}}
+          ,
+        {{- end -}}
+        {{- if . | regexMatch "^(https?|ftp)://.+" -}}
+        {
+          "url": "{{ . }}"
+        }
+        {{- else -}}
+          {{- $l_first = true }}
+        {{- end -}}
+        {{- end }}
+      ]
+    }
+    {{- end -}}
+  {{- end }}
+  ],
+  "remediations": []
+}

pipelines/gitlab/sbom/postprocess.py

@@ -0,0 +1,43 @@
+#!/usr/bin/python3
+# Custom script to postprocess Trivy JSON file and automatically insert
+# observations from Dynamic SBOM CSV file.
+
+import argparse
+import csv
+import json
+
+
+def main():
+    parser = argparse.ArgumentParser(description='Postprocess Trivy JSON file')
+    parser.add_argument('trivy_json', type=str, help='Trivy JSON file')
+    parser.add_argument('mdsbom_csv', type=str, help='MDSBOM CSV file')
+    parser.add_argument('output_json', type=str, help='Output JSON file')
+    args = parser.parse_args()
+
+    with open(args.trivy_json, 'r') as f:
+        trivy_data = json.load(f)
+    with open(args.mdsbom_csv, 'r') as f:
+        mdsbom_data = csv.DictReader(f)
+
+        vulnerabilities = set(vuln["id"] for vuln in trivy_data["vulnerabilities"])
+
+        remediations = set()
+        for row in mdsbom_data:
+            if row["name"] in vulnerabilities and row["observed"] == "false":
+                remediations.add(row["name"])
+
+        trivy_data["remediations"] = [
+            {
+                "fixes": [{"id": remediation}],
+                "summary": "This vulnerability was not observed during runtime.",
+                "diff": "non_observed"
+            } for remediation in remediations
+        ]
+
+    with open(args.output_json, 'w') as f:
+        json.dump(trivy_data, f, indent=2)
+
+
+if __name__ == "__main__":
+    main()
+

pipelines/gitlab/sbom/trivy_mayhem.yml

@@ -0,0 +1,39 @@
+# Scan a docker image -> get a Dynamic SBOM/SCA report with Trivy + Mayhem
+# Use custom postprocessing script to insert observation data
+# into custom GitLab Container Scanning report format
+
+stages:
+    - scan
+
+variables:
+    # Define the target image to scan
+    TARGET_IMAGE: "redis:latest"
+
+sbom-sca-trivy-mayhem:
+    stage: scan
+    # Example base image with mdsbom CLI installed
+    image: ethan42/mdsbom:1
+    script:
+        # Enable Mayhem DSBOM syncing
+        - echo -e '[sync]\n    api_token = "'$MAYHEM_TOKEN'"\n    upstream_url = "'$MAYHEM_URL'"\n    workspace = "forallsecure"\n' > /etc/mdsbom/config.toml
+        - apk add python3
+        # Allow service to start
+        - sleep 5
+        # Generate Trivy report
+        - trivy image --format template --template "@gitlab.tpl" -o trivy.json redis:latest
+        # Login to Mayhem
+        - mdsbom login $MAYHEM_URL $MAYHEM_TOKEN
+        # Run redis service
+        - timeout -s 2 10 docker run --rm $TARGET_IMAGE
+        - sleep 30
+        # Generate Dynamic SBOM/SCA reports
+        - mdsbom trivy $TARGET_IMAGE --workspace forallsecure --sca-summary-csv dynamic_sca_trivy.csv --sbom-summary-csv dynamic_sbom_trivy.csv
+        # Postprocess Trivy report to mark remediated vulnerabilities
+        - ./postprocess.py trivy.json dynamic_sca_trivy.csv gl-container-scanning-report.json
+    artifacts:
+        paths:
+            - dynamic_sca_trivy.csv
+            - dynamic_sbom_trivy.csv
+            - gl-container-scanning-report.json
+        reports:
+            container_scanning: gl-container-scanning-report.json