Move Dependency-Check configs to a separate repo (#14497)

.circleci/config.yml

@@ -54,6 +54,9 @@ jobs:
     steps:
       - attach_workspace:
           at: ~/mattermost/
+      - run:
+          name: Checkout config
+          command: cd .. && git clone https://github.com/mattermost/security-automation-config
       - run:
           name: Install Go
           command: sudo apt-get update && sudo apt-get install golang
@@ -71,14 +74,17 @@ jobs:
             - run:
                 name: Run OWASP Dependency-Check Analyzer
                 command: |
-                  ~/.owasp/dependency-check/bin/dependency-check.sh --data << parameters.cve_data_directory >> \
-                    --format ALL --noupdate --enableExperimental --suppression ./dependency-suppression.xml \
+                  ~/.owasp/dependency-check/bin/dependency-check.sh \
+                    --data << parameters.cve_data_directory >> --format ALL --noupdate --enableExperimental \
+                    --propertyfile ../security-automation-config/dependency-check/dependencycheck.properties \
+                    --suppression ../security-automation-config/dependency-check/suppression.xml \
+                    --suppression ../security-automation-config/dependency-check/suppression.$CIRCLE_PROJECT_REPONAME.xml \
                     --scan './**/*' || true
             - owasp/collect_reports:
                 persist_to_workspace: false
       - run:
           name: Post results to Mattermost
-          command: ./scripts/depcheck-alert.sh
+          command: go run ../security-automation-config/dependency-check/post_results.go
 
   # TODO: enable this step when the i18n-extract works with mattermost-server only
   # and not depend on both mm-server/enterprise

dependency-suppression.xml

@@ -1,80 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-  <suppress>
-    <notes><![CDATA[
-      Vulnerable cipher (Salsa20) not used
-    ]]></notes>
-    <packageUrl regex="true">^pkg:golang/golang\.org/x/crypto@.*$</packageUrl>
-    <vulnerabilityName>CVE-2019-11840</vulnerabilityName>
-  </suppress>
-  <suppress>
-    <notes><![CDATA[
-      MySQL driver misidentified as MySQL server
-    ]]></notes>
-    <packageUrl regex="true">^pkg:golang/github\.com/go\-sql\-driver/mysql@.*$</packageUrl>
-    <cpe>cpe:/a:mysql:mysql</cpe>
-  </suppress>
-  <suppress>
-    <notes><![CDATA[
-      Various dependencies from GitHub misidentified as GitHub Enterprise
-    ]]></notes>
-    <packageUrl regex="true">^pkg:golang/github\.com/.*$</packageUrl>
-    <cpe>cpe:/a:github:github</cpe>
-  </suppress>
-  <suppress>
-    <notes><![CDATA[
-      Prometheus client misidentified as server
-    ]]></notes>
-    <packageUrl regex="true">^pkg:golang/github\.com/prometheus/client_model@.*$</packageUrl>
-    <cpe>cpe:/a:prometheus:prometheus</cpe>
-  </suppress>
-  <suppress>
-    <notes><![CDATA[
-      Vulnerability affects only RBAC and client-cert-auth
-    ]]></notes>
-    <packageUrl regex="true">^pkg:golang/github\.com/coreos/etcd@.*$</packageUrl>
-    <cve>CVE-2018-16886</cve>
-  </suppress>
-  <suppress>
-    <notes><![CDATA[
-      Golang module misidentified as unrelated CLI toolset
-    ]]></notes>
-    <packageUrl regex="true">^pkg:golang/golang\.org/x/tools@.*$</packageUrl>
-    <cpe>cpe:/a:data-tools_project:data_tools</cpe>
-  </suppress>
-  <suppress>
-    <notes><![CDATA[
-      Misidentified version (commit hash vs. date)
-    ]]></notes>
-    <packageUrl regex="true">^pkg:golang/golang\.org/x/crypto@.*$</packageUrl>
-    <vulnerabilityName>CVE-2017-3204</vulnerabilityName>
-  </suppress>
-  <suppress>
-    <notes><![CDATA[
-      Golang crypto package misidentified as SSH
-    ]]></notes>
-    <packageUrl regex="true">^pkg:golang/golang\.org/x/crypto@.*$</packageUrl>
-    <cpe>cpe:/a:ssh:ssh</cpe>
-  </suppress>
-  <suppress>
-    <notes><![CDATA[
-      DoS affecting `Delete`; no references to the operation in codebase or dependencies
-    ]]></notes>
-    <packageUrl regex="true">^pkg:golang/github\.com/buger/jsonparser@.*$</packageUrl>
-    <cve>CVE-2020-10675</cve>
-  </suppress>
-  <suppress>
-    <notes><![CDATA[
-      Golang module misidentified as unrelated CLI toolset
-    ]]></notes>
-    <packageUrl regex="true">^pkg:golang/golang\.org/x/tools@.*$</packageUrl>
-    <cpe>cpe:/a:data_tools_project:data_tools</cpe>
-  </suppress>
-  <suppress>
-    <notes><![CDATA[
-      jQuery HTML sanitization not used
-    ]]></notes>
-    <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
-    <vulnerabilityName>Regex in its jQuery.htmlPrefilter  sometimes may introduce XSS</vulnerabilityName>
-  </suppress>
-</suppressions>

scripts/depcheck-alert.sh

@@ -1,63 +0,0 @@
-#!/usr/bin/env bash
-# This is a script to post alerts about new Dependency-Check
-# findings to the community server
-
-# Get artifacts from CircleCI
-report_artifacts=$(curl -s https://circleci.com/api/v1.1/project/gh/$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME/$CIRCLE_BUILD_NUM/artifacts)
-json_url=$(echo $report_artifacts | jq -r 'map(select(.path == "Reports/OWASP/dependency-check-report.json").url)[0]')
-json_report=$(curl -sL $json_url)
-
-# Anything new?
-vulnerability_count=$(echo $json_report | jq '[.dependencies[]?.vulnerabilities[]?.name]|length')
-if [ $vulnerability_count -ne 0 ]
-then
-  if [ $vulnerability_count -gt 1 ]
-  then
-    alert_message="$vulnerability_count new findings"
-  else
-    alert_message="New finding"
-  fi
-  alert_message="$alert_message in \`$CIRCLE_PROJECT_REPONAME\` CircleCI build [#$CIRCLE_BUILD_NUM]($CIRCLE_BUILD_URL)"
-  if [ -z "$CIRCLE_PULL_REQUEST" ]
-  then
-    alert_message="$alert_message\n\n"
-  else
-    alert_message="$alert_message, triggered by $CIRCLE_PULL_REQUEST\n\n"
-  fi
-  alert_message="$alert_message|Dependency|CPEs|CVEs|Severity|\n|----------|----|----|--------|\n"
-  html_url=$(echo $report_artifacts | jq -r 'map(select(.path == "Reports/OWASP/dependency-check-report.html").url)[0]')
-
-  # Build the rows of the summary table
-  vulnerable_dependencies=($(echo $json_report | jq -r '[.dependencies[]?]|map(select(.vulnerabilities).fileName)[]'))
-  for dependency in ${vulnerable_dependencies[@]}
-  do
-    json_dependency=$(echo $json_report | jq -r '[.dependencies[]?]|map(select(.fileName=="'$dependency'"))[]')
-    index=$(echo $json_report | jq '[.dependencies[]?]|map(.fileName)|index("'$dependency'")+1')
-    sha1=$(echo $json_dependency | jq -r '.sha1')
-    # The SHA-1 is set on the JSON report only for non-virtual dependencies
-    # Calculation for virtual dependencies is analyzer-specific
-    if [ $sha1 = 'null' ]
-    then
-      evidence_source=$(echo $json_dependency | jq -r '.evidenceCollected|.vendorEvidence+.productEvidence+.versionEvidence|map(.source)|unique[0]')
-      if [ $evidence_source = 'Gopkg.lock' ]
-      then
-        sha1=($(echo $json_dependency | jq -r '.packages[0].id' | tr -d '\n' | sha1sum))
-      else
-        sha1=($(echo $json_dependency | jq -r '.filePath' | tr -d '\n' | sha1sum))
-      fi
-    fi
-    dependency_url="$html_url#l${index}_$sha1"
-    cpes=$(echo $json_dependency | jq -r '.vulnerabilityIds|select(.)|map("`"+.id+"`")|join(", ")')
-    cves=$(echo $json_dependency | jq -r '.vulnerabilities|select(.)|map("[`"+.name+"`](http://web.nvd.nist.gov/view/vuln/detail?vulnId="+.name+")")|join(", ")')
-    severities=$(echo $json_dependency | jq '.vulnerabilities|select(.)|map(.severity)|unique')
-    severity=$(echo $severities | jq -r 'if contains(["HIGH"]) then "`HIGH`" elif contains(["MEDIUM"]) then "`MEDIUM`" elif contains(["LOW"]) then "`LOW`" else "`Unknown`" end')
-    alert_message="$alert_message|[$dependency]"'('$dependency_url')'"|$cpes|$cves|$severity|\n"
-  done
-  alert_message=$alert_message'\nView the full report [here]('$html_url')'
-  alert_message=$alert_message' or [edit suppressions](https://github.com/'$CIRCLE_PROJECT_USERNAME'/'$CIRCLE_PROJECT_REPONAME'/edit/master/dependency-suppression.xml).'
-
-  # Post to Mattermost
-  curl -s -X POST -d 'payload={"username": "Dependency-Check", "icon_url": "https://www.mattermost.org/wp-content/uploads/2016/04/icon.png", "text":
-    "'"$alert_message"'"
-    }' "$SAST_WEBHOOK_URL"
-fi