Merge branch 'master' of gitlab.exxcellent.de:gilden/ci/gitlab-ci-templates into Add-Version-Templates

 Conflicts:

	.idea/sonarlint/issuestore/index.pb

	documentation/chapters/templates/publish-image.adoc

	documentation/document.adoc

.gitignore

@@ -72,3 +72,4 @@ fabric.properties
 
 # Android studio 3.1+ serialized cache file
 .idea/caches/build_file_checksums.ser
+/.idea/sonarlint/

.gitlab-ci.yml

@@ -1,4 +1,5 @@
 stages:
+  - dependencies
   - generate-docs
 
 .generate-document:
@@ -16,7 +17,7 @@ stages:
     PAGE_PREFIX: "[CI/CD] - [TMPL] - "
     CONFLUENCE_SPACE: RANDI
     REV_NUMBER: $CI_COMMIT_SHORT_SHA
-    TEXT_GENERATED_HINT: '<ac:structured-macro ac:name="warning"><ac:parameter ac:name="title" /><ac:rich-text-body>This is a generated page, do not edit! All changes must happen in the https://gitlab.exxcellent.de/gilden/ci/exxcellent-documentation-tool[repository]
+    TEXT_GENERATED_HINT: '<ac:structured-macro ac:name="warning"><ac:parameter ac:name="title" /><ac:rich-text-body>This is a generated page, do not edit! All changes must happen in the <a href="${CI_PROJECT_URL}">Repository</a>
 .</ac:rich-text-body></ac:structured-macro>'
     FILE_INPUT: "index.html,111183157,gitlab-ci-templates"
   before_script:

.idea/gitlab-ci-templates.iml

@@ -2,7 +2,9 @@
 <module type="JAVA_MODULE" version="4">
   <component name="NewModuleRootManager" inherit-compiler-output="true">
     <exclude-output />
-    <content url="file://$MODULE_DIR$" />
+    <content url="file://$MODULE_DIR$">
+      <excludeFolder url="file://$MODULE_DIR$/.idea/sonarlint" />
+    </content>
     <orderEntry type="inheritedJdk" />
     <orderEntry type="sourceFolder" forTests="false" />
   </component>

container-publish.gitlab-ci.yml

@@ -1,9 +1,12 @@
 .publish-image-jib:
   image: $MAVEN_IMAGE
   stage: package
-  only:
+  rules:
-    - tags
+    - if: $CI_COMMIT_TAG
   variables:
+    DOCKER_REGISTRY: $CI_REGISTRY_IMAGE
+    DOCKER_REGISTRY_USER: $CI_REGISTRY_USER
+    DOCKER_REGISTRY_PASSWORD: $CI_REGISTRY_PASSWORD
     MVN_VERSION: "true"
   script:
     - export PARSED_VERSION=$(echo $CI_COMMIT_TAG | sed -r 's/\+/_/g') # Replace + sign since this is not valid in a docker tag
@@ -14,8 +17,9 @@
       fi
     - mvn $MAVEN_CLI_OPTS compile jib:build
       "-DskipTests"
-      "-Djib.to.auth.username=$CI_REGISTRY_USER"
+      "-Djib.to.image=$DOCKER_REGISTRY:$PARSED_VERSION"
-      "-Djib.to.auth.password=$CI_REGISTRY_PASSWORD"
+      "-Djib.to.auth.username=$DOCKER_REGISTRY_USER"
+      "-Djib.to.auth.password=$DOCKER_REGISTRY_PASSWORD"
 
 .publish-image-kaniko:
   image:
@@ -25,7 +29,7 @@
   rules:
     - if: $CI_COMMIT_TAG
   variables:
-    DOCKER_REGISTRY: $CI_REGISTRY
+    DOCKER_REGISTRY: $CI_REGISTRY_IMAGE
     DOCKER_REGISTRY_USER: $CI_REGISTRY_USER
     DOCKER_REGISTRY_PASSWORD: $CI_REGISTRY_PASSWORD
     PROJECT_DIR: $CI_PROJECT_DIR

container-scan.gitlab-ci.yml

@@ -0,0 +1,48 @@
+.scan-container-jib:
+  image: $MAVEN_IMAGE
+  stage: test
+  variables:
+    TRIVY_VERSION: 0.18.3
+    EXITCODE_ON_HIGH: 1
+    EXITCODE_ON_CRITICAL: 1
+  before_script:
+    - curl -L "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"  --output trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz
+    - tar zxvf trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz
+  script:
+    - mvn $MAVEN_CLI_OPTS compile jib:buildTar -DskipTests
+    - ./trivy --cache-dir .trivycache/ --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@contrib/junit.tpl" -o junit-report.xml --input target/jib-image.tar
+    - ./trivy --cache-dir .trivycache/ --exit-code $EXITCODE_ON_HIGH --severity HIGH --no-progress --auto-refresh --input target/jib-image.tar
+    - ./trivy --cache-dir .trivycache/ --exit-code $EXITCODE_ON_CRITICAL --severity CRITICAL --no-progress --auto-refresh --input target/jib-image.tar
+  cache:
+    paths:
+      - .trivycache/
+  artifacts:
+    reports:
+      junit: junit-report.xml
+
+.scan-container-kaniko:
+  stage: test
+  image:
+    name: gcr.io/kaniko-project/executor:debug
+    entrypoint: [ "" ]
+  variables:
+    TRIVY_VERSION: 0.18.3
+    PROJECT_DIR: $CI_PROJECT_DIR
+    DOCKERFILE_LOCATION: $CI_PROJECT_DIR/Dockerfile
+    CONTEXT_LOCATION: $CI_PROJECT_DIR
+    EXITCODE_ON_HIGH: 1
+    EXITCODE_ON_CRITICAL: 1
+  before_script:
+    - wget "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
+    - tar zxvf trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz
+  script:
+    - /kaniko/executor --context $CONTEXT_LOCATION --dockerfile $DOCKERFILE_LOCATION --cache-dir cache/image --tarPath  image.tar --no-push --destination image
+    - ./trivy --cache-dir .trivycache/ --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@contrib/junit.tpl" -o junit-report.xml --input image.tar
+    - ./trivy --cache-dir .trivycache/ --exit-code $EXITCODE_ON_HIGH --severity HIGH --no-progress --auto-refresh --input image.tar
+    - ./trivy --cache-dir .trivycache/ --exit-code $EXITCODE_ON_CRITICAL  --severity CRITICAL --no-progress --auto-refresh --input image.tar
+  cache:
+    paths:
+      - .trivycache/
+  artifacts:
+    reports:
+      junit: junit-report.xml

documentation/chapters/generalInformation.adoc

@@ -16,14 +16,15 @@ include:
   - project: 'gilden/ci/gitlab-ci-templates'
     ref: 'master'
     file:
-      - 'maven-build-template.yml'
+      - 'maven-build-template.gitlab-ci.yml'
-      - 'maven-dependencies-template.yml'
+      - 'maven-dependencies-template.gitlab-ci.yml'
-      - 'maven-verify-template.yml'
+      - 'maven-verify-template.gitlab-ci.yml'
-      - 'npm-build-template.yml'
+      - 'npm-build-template.gitlab-ci.yml'
-      - 'npm-dependencies-template.yml'
+      - 'npm-dependencies-template.gitlab-ci.yml'
-      - 'npm-lint-template.yml'
+      - 'npm-lint-template.gitlab-ci.yml'
-      - 'npm-test-template.yml'
+      - 'npm-test-template.gitlab-ci.yml'
-      - 'publish-image.yml'
+      - 'container-publish.gitlab-ci.yml'
+      - 'container-scan.gitlab-ci.yml'
       - 'set-version-template.yml'
       - 'push-tag-and-version-template.yml'
       - 'sonar-template.yml'
@@ -56,5 +57,5 @@ Bitte folgende Variablen in `.gitlab-ci.yaml` setzen
 |===
 
 ----
-include::{sourcedir}/STD-variablen-Template.yml[]
+include::{sourcedir}/STD-variablen-Template.gitlab-ci.yml[]
 ----

documentation/chapters/templates/container-publish.adoc

@@ -0,0 +1,19 @@
+:sourcedir: ../../../
+
+= Container-Publish
+
+Baut mithilfe von jib oder kaniko ein Docker Image und läd das Image in der Docker Registry des Projekts hoch.
+Dieser Schritt wird nur ausgeführt, wenn ein Tag gesetzt wird.
+
+.Variables
+|===
+|Name |Description | Default Value
+|MVN_VERSION | Bestimmt, ob die version von MAVEN gesetzt werden soll.
+Falls das Projekt aus mehreren Poms besteht, kann `before_script:` benutzt werden.  | "true"
+|===
+
+.sonar-template
+[source, yaml]
+----
+include::{sourcedir}/container-publish.gitlab-ci.yml[]
+----

documentation/chapters/templates/container-scan.adoc

@@ -0,0 +1,31 @@
+:sourcedir: ../../../
+
+= Container-Scan
+
+Baut ein Image mithilfe von jib oder Kaniko welches im Anschluss gescanned wird. Dieser Schritt wird ausgeführt, wenn ein Tag gesetzt wird. Die Ergebnisse des Scans können genutzt werden den Build failen zu lassen, falls gewünscht (vgl. `EXITCODE_ON_HIGH` und `EXITCODE_ON_CRITICAL`).
+
+.Variables
+|===
+|Name |Description | Default Value
+|TRIVY_VERSION
+| Version von Trivy die benutzt werden soll.
+| -
+
+|EXITCODE_ON_HIGH
+| Bestimmt den Exit code der ausgegeben werden soll, wenn ein CVE der als HIGH markiert wurde, gefunden werden konnte.
+Wenn 0 benutzt wird, läuft die CI weiter.
+Benutzte `allow_failure: true` damit die CI weiter läuft aber ein Failure angezeigt wird.
+| -
+
+|EXITCODE_ON_CRITICAL
+| Bestimmt den Exit code der ausgegeben werden soll, wenn ein CVE der als CRITICAL markiert wurde, gefunden werden konnte.
+Wenn 0 benutzt wird, läuft die CI weiter.
+Benutzte `allow_failure: true` damit die CI weiter läuft aber ein Failure angezeigt wird.
+| -
+|===
+
+.container scan template
+[source, yaml]
+----
+include::{sourcedir}/container-scan.gitlab-ci.yml[]
+----

documentation/chapters/templates/maven-build-template.adoc

@@ -10,6 +10,7 @@ Diese Template Baut die .jar Files und speichert die Ergebnisse als Artifact.
 |===
 
 .mvn-build-template
+[source, yaml]
 ----
-include::{sourcedir}/maven-build-template.yml[]
+include::{sourcedir}/maven-build-template.gitlab-ci.yml[]
 ----

documentation/chapters/templates/maven-dependencies-template.adoc

@@ -11,6 +11,7 @@ Bitte den Cache hinzufügen. Siehe xref:Generel-Veriablen[Generelle Veriablen]
 |===
 
 .mvn-dependencies-template
+[source, yaml]
 ----
-include::{sourcedir}/maven-dependencies-template.yml[]
+include::{sourcedir}/maven-dependencies-template.gitlab-ci.yml[]
 ----

documentation/chapters/templates/maven-verify-template.adoc

@@ -10,6 +10,7 @@ Dieses Template startet `mvn verify` und speichert die Ergebnisse als Artifact.
 |===
 
 .mvn-verify-template
+[source, yaml]
 ----
-include::{sourcedir}/maven-verify-template.yml[]
+include::{sourcedir}/maven-verify-template.gitlab-ci.yml[]
 ----

documentation/chapters/templates/npm-build-template.adoc

@@ -10,6 +10,7 @@ Dieses Template baut das NPM projekt und speichert die Ergebnisse als Artifact..
 |===
 
 .npm-build-template
+[source, yaml]
 ----
-include::{sourcedir}/npm-build-template.yml[]
+include::{sourcedir}/npm-build-template.gitlab-ci.yml[]
 ----

documentation/chapters/templates/npm-dependencies-template.adoc

@@ -11,6 +11,7 @@ Bitte den Cache hinzufügen. Siehe xref:Generel-Veriablen[Generelle Veriablen]
 |===
 
 .npm-dependencies-template
+[source, yaml]
 ----
-include::{sourcedir}/npm-dependencies-template.yml[]
+include::{sourcedir}/npm-dependencies-template.gitlab-ci.yml[]
 ----

documentation/chapters/templates/npm-lint-template.adoc

@@ -10,6 +10,7 @@ Dieses Template durchläuft den Linter das NPM projekts.
 |===
 
 .npm-lint-template
+[source, yaml]
 ----
-include::{sourcedir}/npm-lint-template.yml[]
+include::{sourcedir}/npm-lint-template.gitlab-ci.yml[]
 ----

documentation/chapters/templates/npm-test-template.adoc

@@ -10,6 +10,7 @@ Dieses Template baut das NPM projekt.
 |===
 
 .npm-test-template
+[source, yaml]
 ----
-include::{sourcedir}/npm-test-template.yml[]
+include::{sourcedir}/npm-test-template.gitlab-ci.yml[]
 ----

documentation/chapters/templates/sonar-template.adoc

@@ -1,17 +0,0 @@
-:sourcedir: ../../../
-
-= sonar-template
-
-Ruft den Sonar Job für das Projekt auf.
-Mehr Details zu finden hier: https://gitlab.exxcellent.de/gilden/ci/exxcellent-sonar-tool[Gilde CI/CD: exxcellent-sonar-tool].
-
-.Variables
-|===
-|Name |Description | Default Value
-|SONAR_PROJECT_KEY | Der Sonar-Projekt-Key.  | ""
-|===
-
-.sonar-template
-----
-include::{sourcedir}/sonar-template.yml[]
-----

documentation/document.adoc

@@ -37,26 +37,31 @@ include::chapters/generalInformation.adoc[leveloffset=1]
 == Misc Templates
 //include::chapters/templates/sonar-template.adoc[leveloffset=1]
 include::chapters/templates/publish-image.adoc[leveloffset=2]
+include::chapters/templates/container-scan.adoc[leveloffset=2]
 
 == Update Version
 
 === Templates
 include::chapters/templates/push-tag-and-version-template.adoc[leveloffset=3]
 include::chapters/templates/set-version-template.adoc[leveloffset=3]
+include::chapters/templates/release-template.adoc[leveloffset=3]
 
 === Pipeline
 include::chapters/pipelines/update-version-pipeline.adoc[leveloffset=3]
 
-
 == NPM Templates
 
-include::chapters/templates/npm-dependencies-template.adoc[leveloffset=2]
+include::chapters/templates/npm-dependencies-template.adoc[leveloffset=1]
-include::chapters/templates/npm-build-template.adoc[leveloffset=2]
+include::chapters/templates/npm-build-template.adoc[leveloffset=1]
-include::chapters/templates/npm-lint-template.adoc[leveloffset=2]
+include::chapters/templates/npm-lint-template.adoc[leveloffset=1]
-include::chapters/templates/npm-test-template.adoc[leveloffset=2]
+include::chapters/templates/npm-test-template.adoc[leveloffset=1]
 
 == Maven Templates
 
-include::chapters/templates/maven-dependencies-template.adoc[leveloffset=2]
+include::chapters/templates/maven-dependencies-template.adoc[leveloffset=1]
-include::chapters/templates/maven-build-template.adoc[leveloffset=2]
+include::chapters/templates/maven-build-template.adoc[leveloffset=1]
-include::chapters/templates/maven-verify-template.adoc[leveloffset=2]
+include::chapters/templates/maven-verify-template.adoc[leveloffset=1]
+
+== Tools
+
+Weitere Templates für die Tools der CI Gilde, sind in den jeweiligen Repos zu finden.

maven-build-template.gitlab-ci.yml

@@ -2,7 +2,7 @@
   stage: build
   image: $MAVEN_IMAGE
   script:
-    - mvn $MAVEN_CLI_OPTS clean package -DskipTests
+    - mvn $MAVEN_CLI_OPTS package -DskipTests
   artifacts:
     expire_in: 2 weeks
     when: always

maven-verify-template.gitlab-ci.yml

@@ -8,5 +8,5 @@
     expire_in: 2 weeks
     reports:
       junit:
-        - $BACKEND_DIR/target/surefire-reports/TEST-*.xml
+        - target/surefire-reports/TEST-*.xml
-        - $BACKEND_DIR/target/failsafe-reports/TEST-*.xml
+        - target/failsafe-reports/TEST-*.xml

renovate.json

@@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:base"
+  ]
+}