diff --git a/.circleci/config.yml b/.circleci/config.yml index 2abf7456dcf..e4e45e17ed5 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -2,7 +2,41 @@ defaults: &defaults docker: - image: circleci/node:15.2.1-browsers -version: 2 +version: 2.1 +commands: + build_push_image: + parameters: + push: + description: Push image to DockerHub + type: string + default: "false" + steps: + - run: + name: Build cBioPortal docker image + environment: + DOCKER_REPO: cbioportal/cbioportal-dev + command: | + export DOCKER_TAG=$CIRCLE_SHA1 + URL="https://hub.docker.com/v2/repositories/cbioportal/cbioportal-dev/tags/$DOCKER_TAG-web-shenandoah" + TAG_FOUND=$(curl -s $URL | jq -r .name) + if [ $TAG_FOUND = "$DOCKER_TAG-web-shenandoah" ]; then + echo "Image already exists. Skipping build step!" + exit 0 + fi + cd cbioportal-test + ./scripts/build-push-image.sh --src=/tmp/repos/cbioportal --push=<> --skip_web_and_data=true + if [ "<>" = "false" ]; then + EXISTS=$(docker inspect --type=image $DOCKER_REPO:$DOCKER_TAG-web-shenandoah > /dev/null; echo $?); + else + EXISTS=$(docker manifest inspect $DOCKER_REPO:$DOCKER_TAG-web-shenandoah > /dev/null; echo $?); + fi + if [ $EXISTS -eq 0 ]; then + echo "Build succeeded!" + else + echo "Build failed!" + exit 1 + fi + jobs: build_backend: docker: 
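Review bot: The early `exit 0` in the `build_push_image` command fires whenever the Docker Hub tag already exists, but when the command is invoked with `push` set to "false" the caller needs a local image, so re-running a pipeline whose SHA was already pushed leaves nothing for the later `docker save` and the job fails; it also means whatever image someone with push rights to `cbioportal/cbioportal-dev` has placed under this SHA silently substitutes for a fresh build. Guard the skip on the push mode and quote the comparison so an empty or `null` curl/jq result cannot trip the `[` test: `if [ "<< parameters.push >>" = "true" ] && [ "$TAG_FOUND" = "$DOCKER_TAG-web-shenandoah" ]; then`. The `--push=<>` tokens look like CircleCI `<< parameters.push >>` references mangled in extraction; worth confirming against the real file. Consider `curl -fsS --retry 3` as well, so a transient Hub error is not read as "tag absent".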
@@ -258,37 +292,51 @@ jobs: paths: - cbioportal-frontend - build_push_image: + checkout_pr: machine: image: ubuntu-2204:2024.08.1 resource_class: medium working_directory: /tmp/repos steps: - - attach_workspace: - at: /tmp/repos - checkout: path: /tmp/repos/cbioportal + - persist_to_workspace: + root: /tmp/repos + paths: + - cbioportal + + build_image: + machine: + image: ubuntu-2204:2024.08.1 + resource_class: medium + working_directory: /tmp/repos + environment: + DOCKER_REPO: cbioportal/cbioportal-dev + steps: + - attach_workspace: + at: /tmp/repos + - build_push_image: + push: "false" - run: - name: Build cBioPortal docker image - environment: - DOCKER_REPO: cbioportal/cbioportal-dev + name: Save cbioportal image as tar command: | export DOCKER_TAG=$CIRCLE_SHA1 - URL="https://hub.docker.com/v2/repositories/cbioportal/cbioportal-dev/tags/$DOCKER_TAG-web-shenandoah" - TAG_FOUND=$(curl -s $URL | jq -r .name) - if [ $TAG_FOUND = "$DOCKER_TAG-web-shenandoah" ]; then - echo "Image already exists. Skipping build step!" - exit 0 - fi - cd cbioportal-test - ./scripts/build-push-image.sh --src=/tmp/repos/cbioportal --push=true --skip_web_and_data=true - EXISTS=$(docker manifest inspect $DOCKER_REPO:$DOCKER_TAG-web-shenandoah > /dev/null; echo $?) - if [ $EXISTS -eq 0 ]; then - echo "Build succeeded!" - else - echo "Build failed!" - exit 1 - fi + docker save -o $DOCKER_TAG-web-shenandoah.tar $DOCKER_REPO:$DOCKER_TAG-web-shenandoah + - persist_to_workspace: + root: /tmp/repos + paths: + - "*.tar" + + push_image: + machine: + image: ubuntu-2204:2024.08.1 + resource_class: medium + working_directory: /tmp/repos + steps: + - attach_workspace: + at: /tmp/repos + - build_push_image: + push: "true" run_api_tests: machine: 
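Review bot: `push_image` calls `build_push_image` with `push: "true"`, which rebuilds the image from scratch rather than publishing the tarball that `build_image` persisted, so the image that lands in `cbioportal/cbioportal-dev` under `$CIRCLE_SHA1-web-shenandoah` is not the one `run_api_tests` and `run_security_tests` exercise (base layers and package resolution can drift between two builds, and nothing ties the two by digest). Publishing the tested artifact is presumably the point of the build/save/push split; load the persisted tar and push it instead, and make `push_image` require `build_image` in the workflow. I cannot see what else `scripts/build-push-image.sh` pushes under `--push=true` or which credentials the `api-tests` context supplies to it, so any extra tags it creates and the login it performs would need mirroring here.

```yaml
  push_image:
    # … unchanged: machine / resource_class / working_directory …
    environment:
      DOCKER_REPO: cbioportal/cbioportal-dev
    steps:
      - attach_workspace:
          at: /tmp/repos
      - run:
          name: Push the image built by build_image
          command: |
            docker load -i "$CIRCLE_SHA1-web-shenandoah.tar"
            # … login with the registry credentials the api-tests context provides …
            docker push "$DOCKER_REPO:$CIRCLE_SHA1-web-shenandoah"
```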
@@ -296,15 +344,19 @@ jobs: docker_layer_caching: true resource_class: large working_directory: /tmp/repos + environment: + DOCKER_REPO: cbioportal/cbioportal-dev steps: - attach_workspace: at: /tmp/repos - - checkout: - path: /tmp/repos/cbioportal + - run: + name: Load cbioportal image + command: | + export DOCKER_TAG=$CIRCLE_SHA1 + docker load -i $DOCKER_TAG-web-shenandoah.tar - run: name: Instantiate a cbioportal instance environment: - DOCKER_REPO: cbioportal/cbioportal-dev APP_CLICKHOUSE_MODE: "true" command: | cd cbioportal-test @@ -346,8 +398,6 @@ jobs: yarn --ignore-engines yarn run apitests - - store_artifacts: - path: /tmp/repos/cbioportal-test/web-metadata.json - store_artifacts: path: /tmp/repos/docker-compose-logs.txt @@ -356,10 +406,15 @@ jobs: image: ubuntu-2204:2024.08.1 docker_layer_caching: true resource_class: medium + working_directory: /tmp/repos environment: BASE_REPO: cbioportal/cbioportal DEV_REPO: cbioportal/cbioportal-dev + OUTPUT_FORMAT: '{severity: .cvss.severity, source_id: .source_id, vulnerable_range: .vulnerable_range, fixed_by: .fixed_by, url: .url, description: .description}' + SORT: 'sort_by(.severity | if . == "CRITICAL" then 0 elif . == "HIGH" then 1 elif . == "MEDIUM" then 2 elif . == "LOW" then 3 else 4 end)' steps: + - attach_workspace: + at: /tmp/repos - run: name: Install Docker Scout command: | 
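Review bot: The new "Load cbioportal image" step in `run_api_tests` assumes `docker load` restored the exact tag the next step starts, but `docker load` succeeds for any tarball, so a mismatched archive would only surface later as an "image not found" inside `Instantiate a cbioportal instance`. Add an explicit check right after the load line: `docker image inspect "$DOCKER_REPO:$DOCKER_TAG-web-shenandoah" >/dev/null`. The same two load lines are duplicated in `run_security_tests`; a small `load_image` command alongside `build_push_image` would keep the tag string in one place. The `Instantiate` step's body continues beyond the end of this hunk.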
@@ -367,32 +422,27 @@ jobs: - run: name: Log in to Docker command: | - echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin; + echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin + - run: + name: Load cbioportal image + command: | + export DOCKER_TAG=$CIRCLE_SHA1 + docker load -i $DOCKER_TAG-web-shenandoah.tar + - run: + name: Run Docker Scout on master + command: | + IMAGE=$BASE_REPO:master-web-shenandoah + docker pull $IMAGE + docker-scout cves $IMAGE --format sbom | jq -r "[.vulnerabilities[].vulnerabilities[] | $OUTPUT_FORMAT] | $SORT" > master_report.sbom - run: - name: Wait for cbioportal docker images + name: Run Docker Scout on PR command: | - URL="https://hub.docker.com/v2/repositories/$DEV_REPO/tags/$CIRCLE_SHA1-web-shenandoah" - while true; do - TAG_FOUND=$(curl -s $URL | jq -r .name) - if [ $TAG_FOUND = "$CIRCLE_SHA1-web-shenandoah" ]; then - echo "Image found!" - exit 0 - fi - echo "Image not found yet. Waiting for API Tests to finish building. Retrying in 30 seconds..." - sleep 30 - done + IMAGE=$DEV_REPO:$CIRCLE_SHA1-web-shenandoah + docker-scout cves $IMAGE --format sbom | jq -r "[.vulnerabilities[].vulnerabilities[] | $OUTPUT_FORMAT] | $SORT" > pr_report.sbom - run: - name: Run Docker Scout vulnerability test + name: Analyze and report results command: | - BASE_IMAGE=$BASE_REPO:master-web-shenandoah - PR_IMAGE=$DEV_REPO:$CIRCLE_SHA1-web-shenandoah - OUTPUT_FORMAT='{severity: .cvss.severity, source_id: .source_id, vulnerable_range: .vulnerable_range, fixed_by: .fixed_by, url: .url, description: .description}' - SORT='sort_by(.severity | if . == "CRITICAL" then 0 elif . == "HIGH" then 1 elif . == "MEDIUM" then 2 elif . 
== "LOW" then 3 else 4 end)' - docker pull $BASE_IMAGE - docker pull $PR_IMAGE - docker-scout cves $BASE_IMAGE --format sbom | jq -r "[.vulnerabilities[].vulnerabilities[] | $OUTPUT_FORMAT] | $SORT" > base_report.sbom - docker-scout cves $PR_IMAGE --format sbom | jq -r "[.vulnerabilities[].vulnerabilities[] | $OUTPUT_FORMAT] | $SORT" > pr_report.sbom - DIFF=$(jq -s 'map(map(.source_id)) | .[0] - .[1]' pr_report.sbom base_report.sbom) + DIFF=$(jq -s 'map(map(.source_id)) | .[0] - .[1]' pr_report.sbom master_report.sbom) COUNT=$(echo $DIFF | jq 'length') if [ "$COUNT" -gt 0 ]; then printf "New vulnerabilities found: $COUNT\n" @@ -404,7 +454,6 @@ jobs: fi workflows: - version: 2 end_to_end_tests: jobs: - build_backend @@ -417,28 +466,29 @@ workflows: - build_backend - pull_frontend_codebase - install_yarn - api_tests: + tests: jobs: + - checkout_pr - pull_cbioportal_test_codebase - pull_cbioportal_frontend_codebase - - wait_for_approval: - type: approval + - build_image: requires: + - checkout_pr - pull_cbioportal_test_codebase - - pull_cbioportal_frontend_codebase - - build_push_image: + - push_image: context: - api-tests requires: - - wait_for_approval + - checkout_pr + - pull_cbioportal_test_codebase - run_api_tests: context: - api-tests requires: - - build_push_image - - security_tests: - jobs: + - build_image + - pull_cbioportal_frontend_codebase - run_security_tests: context: - - docker-scout \ No newline at end of file + - docker-scout + requires: + - build_image \ No newline at end of file
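Review bot: In "Run Docker Scout on PR" the image is named by the bare reference `$DEV_REPO:$CIRCLE_SHA1-web-shenandoah`, and the concurrent `push_image` job publishes a separately built image under exactly that name, so if Scout resolves the reference against the registry (the preceding `docker login` makes that possible) the report may describe the pushed build rather than the tarball this job just loaded. Pin the source explicitly: the Scout CLI accepts source prefixes, so `docker-scout cves image://$DEV_REPO:$CIRCLE_SHA1-web-shenandoah --format sbom ...` restricts it to the local store, or scan the tarball directly with `archive://$CIRCLE_SHA1-web-shenandoah.tar` and drop the load step. Since `master-web-shenandoah` is a floating tag, also record the baseline digest in the job output, e.g. `docker image inspect --format '{{index .RepoDigests 0}}' $IMAGE`, so a flagged CVE can be traced to the exact master image it was compared against. The `Analyze and report results` step continues past the end of the hunk.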
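Review bot: The `wait_for_approval` gate is removed while `push_image` keeps `context: api-tests` and now depends only on `checkout_pr` and `pull_cbioportal_test_codebase`, so any commit that starts the `tests` workflow publishes an image to `cbioportal/cbioportal-dev` with registry credentials before `run_api_tests` or `run_security_tests` has produced a verdict; whether fork PRs can reach this depends on the project's "pass secrets to forked builds" setting, which is not visible here. Make publication depend on the checks rather than run alongside them: under `push_image:` change the `requires:` list to `- run_api_tests` and `- run_security_tests`, or restore the approval job in front of it. If dev images are meant only for in-repo branches, a branch `filters:` block on `push_image` would close the remaining gap.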