├── .github └── CODEOWNERS ├── NOTICE ├── .gitignore ├── .gitlab-ci.yml ├── LICENSE ├── README.md └── templates └── ort-scan.yml /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @tsteenbe 2 | -------------------------------------------------------------------------------- /NOTICE: -------------------------------------------------------------------------------- 1 | The ORT Project 2 | 3 | Copyright (C) 2020-2022 HERE Europe B.V. 4 | Copyright (C) 2022 Alliander N.V. 5 | Copyright (C) 2022 EPAM Systems, Inc. 6 | Copyright (C) 2024-2025 Thomas Steenbergen 7 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # See https://git-scm.com/docs/gitignore for more about ignoring files. 2 | 3 | .idea/ 4 | 5 | # dependencies 6 | node_modules/ 7 | 8 | # production 9 | build/ 10 | 11 | # misc 12 | .DS_Store 13 | .env 14 | .env.local 15 | .env.development.local 16 | .env.test.local 17 | .env.production.local 18 | 19 | npm-debug.log* 20 | yarn-debug.log* 21 | yarn-error.log* -------------------------------------------------------------------------------- /.gitlab-ci.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Copyright (C) 2020 The ORT Project Authors 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the 'License'); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # https://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an 'AS IS' BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
15 | # 16 | # SPDX-License-Identifier: Apache-2.0 17 | # License-Filename: LICENSE 18 | 19 | include: 20 | - local: 'templates/ort-scan.yml' 21 | 22 | stages: 23 | - ort-scan 24 | 25 | variables: 26 | SW_NAME: 27 | description: | 28 | Name of project, product or component to be scanned. 29 | By default the name of the repository is used as shown in its clone URL. 30 | value: '' 31 | SW_VERSION: 32 | description: | 33 | Project version number or release name (use the version from package metadata, not VCS revision). 34 | By default, the Git short SHA is used. 35 | value: '' 36 | VCS_TYPE: 37 | description: | 38 | Type of version control system. 39 | Accepted values are 'git', 'git-repo', 'mercurial' or 'subversion'. 40 | value: 'git' 41 | VCS_URL: 42 | description: | 43 | Repository or clone URL of project to scan. 44 | value: '' 45 | VCS_REVISION: 46 | description: | 47 | SHA1 or tag to scan (do not use branch names as they can move). 48 | If VCS_TYPE is 'git-repo', SHA1 must be unabbreviated. 49 | Tag names must be prefixed with 'refs/tags/'. 50 | value: '' 51 | VCS_PATH: 52 | description: | 53 | Leave this field empty unless one of the following special cases applies: 54 | 1) project VCS_TYPE is git-repo - specify path to repo manifest file 55 | (e.g. sdk.xml, note vcs-url must point to a manifest repository) 56 | 2) you require sparse checkout - specify repository sub-path to download and scan 57 | (e.g. projects/gradle/, note sparse checkout is possible only for VCS_TYPE git, mercurial or subversion) 58 | value: '' 59 | ADVISORS: 60 | description: | 61 | Comma-separated list of security vulnerability advisors to use. 62 | value: '' 63 | ALLOW_DYNAMIC_VERSIONS: 64 | description: | 65 | Set to 'true' only if dynamic dependency versions are allowed (note version ranges specified for dependencies may cause unstable results). 66 | This field applies only to package managers that support lock files, e.g. NPM. 
67 | value: 'true' 68 | DB_URL: 69 | description: | 70 | URL for PostgreSQL database to use to cache scan-results and store file archives. 71 | value: '' 72 | DB_USERNAME: 73 | description: | 74 | Username for PostgreSQL database to use to cache scan-results and store file archives. 75 | value: '' 76 | DB_PASSWORD: 77 | description: | 78 | Password for PostgreSQL database to use to cache scan-results and store file archives. 79 | value: '' 80 | DB_SCHEMA: 81 | description: | 82 | Schema for PostgreSQL database to use to cache scan-results and store file archives. 83 | value: '' 84 | FAIL_ON: 85 | description: | 86 | Comma-separated list of ORT results that if exceeding their severity threshold will fail the job. 87 | Accepted values are '', 'issues', 'violations' or 'issues,violations'. 88 | If empty, then exceeding severity threshold will not fail the job. 89 | value: '' 90 | ORT_CLI_ARGS: 91 | description: | 92 | List of arguments to pass to ORT CLI, applies to all commands. 93 | value: '' 94 | ORT_CLI_ANALYZE_ARGS: 95 | description: | 96 | List of arguments to pass to ORT Analyzer CLI. 97 | value: '' 98 | ORT_CLI_SCAN_ARGS: 99 | description: | 100 | List of arguments to pass to ORT Scanner CLI. 101 | value: '' 102 | ORT_CLI_EVALUATE_ARGS: 103 | description: | 104 | List of arguments to pass to ORT Evaluator CLI. 105 | value: '' 106 | ORT_CLI_ADVISE_ARGS: 107 | description: | 108 | List of arguments to pass to ORT Advisor CLI. 109 | value: '' 110 | ORT_CLI_REPORT_ARGS: 111 | description: | 112 | List of arguments to pass to ORT Reporter CLI. 113 | value: '' 114 | ORT_CONFIG_REPOSITORY: 115 | description: | 116 | URL to ORT configuration repository to use. 117 | value: '' 118 | ORT_CONFIG_REVISION: 119 | description: | 120 | The Git revision of the ORT configuration repository to use. 121 | value: '' 122 | ORT_DATA_DIR_NAME: 123 | description: | 124 | Name of ORT directory within user home directory. 
125 | value: '' 126 | ORT_LOG_LEVEL: 127 | description: | 128 | Set value to 'debug' to see additional debug output to help tracking down errors. 129 | value: '' 130 | ORT_YML_PATH: 131 | description: | 132 | Path to file containing the repository configuration. 133 | If set, the '.ort.yml' file from the repository is ignored. 134 | value: '' 135 | REPORT_FORMATS: 136 | description: | 137 | Comma-separated list of ORT reporters to run. 138 | value: '' 139 | RUN: 140 | description: | 141 | Comma-separated list of optional workflow steps to run. 142 | value: 'labels,analyzer,scanner,evaluator,advisor,reporter' 143 | FF_SCRIPT_SECTIONS: 'true' 144 | 145 | 146 | ort-scan: 147 | image: $ORT_DOCKER_IMAGE 148 | stage: ort-scan 149 | extends: .ort-scan 150 | variables: 151 | ORT_DOCKER_IMAGE: 'ghcr.io/alliander-opensource/ort-container:latest' 152 | before_script: 153 | # Use HTTPS instead of SSH for Git cloning 154 | - git config --global url.https://github.com/.insteadOf ssh://git@github.com/ 155 | rules: 156 | - if: $CI_PIPELINE_SOURCE == 'pipeline' || $CI_PIPELINE_SOURCE == 'trigger' 157 | - if: $CI_PIPELINE_SOURCE == 'web' && $VCS_URL && $VCS_REVISION 158 | artifacts: 159 | when: always 160 | paths: 161 | - $ORT_RESULTS_PATH 162 | - vars.env 163 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 
14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 
47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright {yyyy} {name of copyright owner} 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # GitLab Job Template for ORT 2 | 3 | Run licensing, security and best-practice checks and generate reports/Software Bill of Materials (SBOMs) using [ORT][ort] 4 | within [GitLab pipelines][gitlab-pipelines-docs]. 5 | 6 | ## Usage 7 | 8 | See [.gitlab-ci.yml](.gitlab-ci.yml) 9 | 10 | ### Prerequisites 11 | 12 | GitLab Community or Enterprise Edition, version 15 or higher. 13 | 14 | ### Basic 15 | 16 | ```yaml 17 | include: 18 | - https://raw.githubusercontent.com/oss-review-toolkit/ort-ci-gitlab/main/templates/ort-scan.yml 19 | 20 | stages: 21 | - ort 22 | 23 | ort-scan: 24 | stage: ort 25 | extends: .ort-scan 26 | artifacts: 27 | when: always 28 | paths: 29 | - $ORT_RESULTS_PATH 30 | ``` 31 | 32 | Alternatively, you can also use ORT to scan any Git, Git-repo, Mercurial or Subversion project. 
33 | 34 | ```yaml 35 | include: 36 | - https://raw.githubusercontent.com/oss-review-toolkit/ort-ci-gitlab/main/templates/ort-scan.yml 37 | 38 | stages: 39 | - ort 40 | 41 | ort-scan: 42 | stage: ort 43 | extends: .ort-scan 44 | variables: 45 | SW_NAME: 'Mime Types' 46 | SW_VERSION: '2.1.35' 47 | VCS_URL: 'ssh://git@github.com:jshttp/mime-types.git' 48 | VCS_REVISION: 'ef932231c20e716ec27ea159c082322c3c485b66' 49 | ALLOW_DYNAMIC_VERSIONS: 'true' 50 | before_script: 51 | # Use HTTPS instead of SSH for Git cloning 52 | - git config --global url.https://github.com/.insteadOf ssh://git@github.com/ 53 | rules: 54 | - if: '$CI_PIPELINE_SOURCE == "merge_request_event"' 55 | when: manual 56 | allow_failure: true 57 | - if: '$CI_PIPELINE_SOURCE == "schedule"' 58 | artifacts: 59 | when: always 60 | paths: 61 | - $ORT_RESULTS_PATH 62 | ``` 63 | 64 | ### Scenarios 65 | 66 | - [Run ORT and analyze only specified package managers](#Run-ORT-and-analyze-only-specified-package-managers) 67 | - [Run ORT with labels](#Run-ORT-with-labels) 68 | - [Run ORT and fail job on policy violations or security issues](#Run-ORT-and-fail-job-on-policy-violations-or-security-issues) 69 | - [Run ORT on private repositories](#Run-ORT-on-private-repositories) 70 | - [Run ORT with a custom global configuration](#Run-ORT-with-a-custom-global-configuration) 71 | - [Run ORT with a custom Docker image](#Run-ORT-with-a-custom-Docker-image) 72 | - [Run ORT with PostgreSQL database](#Run-ORT-with-PostgreSQL-database) 73 | - [Run only parts of the GitLab Job Template for ORT](#Run-only-parts-of-the-GitLab-Job-Template-for-ORT) 74 | 75 | #### Run ORT and analyze only specified package managers 76 | 77 | ```yaml 78 | include: 79 | - https://raw.githubusercontent.com/oss-review-toolkit/ort-ci-gitlab/main/templates/ort-scan.yml 80 | 81 | stages: 82 | - ort 83 | 84 | ort-scan: 85 | stage: ort 86 | extends: .ort-scan 87 | variables: 88 | SW_NAME: 'Mime Types' 89 | SW_VERSION: '2.1.35' 90 | VCS_URL: 
'ssh://git@github.com:jshttp/mime-types.git' 91 | VCS_REVISION: 'ef932231c20e716ec27ea159c082322c3c485b66' 92 | ALLOW_DYNAMIC_VERSIONS: 'true' 93 | ORT_CLI_ARGS: '-P ort.analyzer.enabledPackageManagers=NPM,Yarn,Yarn2 -P ort.forceOverwrite=true --stacktrace' 94 | before_script: 95 | # Use HTTPS instead of SSH for Git cloning 96 | - git config --global url.https://github.com/.insteadOf ssh://git@github.com/ 97 | artifacts: 98 | when: always 99 | paths: 100 | - $ORT_RESULTS_PATH 101 | ``` 102 | 103 | #### Run ORT with labels 104 | 105 | Use labels to track scan related info or execute policy rules for specific product, delivery or organization. 106 | 107 | ```yaml 108 | include: 109 | - https://raw.githubusercontent.com/oss-review-toolkit/ort-ci-gitlab/main/templates/ort-scan.yml 110 | 111 | stages: 112 | - ort 113 | 114 | ort-scan: 115 | stage: ort 116 | extends: .ort-scan 117 | variables: 118 | SW_NAME: 'Mime Types' 119 | SW_VERSION: '2.1.35' 120 | VCS_URL: 'ssh://git@github.com:jshttp/mime-types.git' 121 | VCS_REVISION: 'ef932231c20e716ec27ea159c082322c3c485b66' 122 | ALLOW_DYNAMIC_VERSIONS: 'true' 123 | ORT_CLI_ANALYZE_ARGS: > 124 | -l project=oss-project 125 | -l dist=external 126 | -l org=engineering-sdk-xyz-team-germany-berlin 127 | before_script: 128 | # Use HTTPS instead of SSH for Git cloning 129 | - git config --global url.https://github.com/.insteadOf ssh://git@github.com/ 130 | artifacts: 131 | when: always 132 | paths: 133 | - $ORT_RESULTS_PATH 134 | ``` 135 | 136 | ### Run ORT and fail job on policy violations or security issues 137 | 138 | Set `FAIL_ON` to fail the pipeline if: 139 | - policy violations reported by Evaluator exceed the `severeRuleViolationThreshold` level. 140 | - security issues reported by the Advisor exceed the `severeIssueThreshold` level. 141 | 142 | By default `severeRuleViolationThreshold` and `severeIssueThreshold` are set to `WARNING` 143 | but you can change this to for example `ERROR` in your [config.yml][ort-config-yml]. 
144 | 145 | ```yaml 146 | include: 147 | - https://raw.githubusercontent.com/oss-review-toolkit/ort-ci-gitlab/main/templates/ort-scan.yml 148 | 149 | stages: 150 | - ort 151 | 152 | ort-scan: 153 | stage: ort 154 | extends: .ort-scan 155 | variables: 156 | SW_NAME: 'Mime Types' 157 | SW_VERSION: '2.1.35' 158 | VCS_URL: 'ssh://git@github.com:jshttp/mime-types.git' 159 | VCS_REVISION: 'ef932231c20e716ec27ea159c082322c3c485b66' 160 | ALLOW_DYNAMIC_VERSIONS: 'true' 161 | FAIL_ON: 'violations' 162 | before_script: 163 | # Use HTTPS instead of SSH for Git cloning 164 | - git config --global url.https://github.com/.insteadOf ssh://git@github.com/ 165 | artifacts: 166 | when: always 167 | paths: 168 | - $ORT_RESULTS_PATH 169 | ``` 170 | 171 | #### Run ORT on private repositories 172 | 173 | To run ORT on private Git repositories, we recommend that you: 174 | - Set up an account with read-only access rights 175 | - Use [masked variables][gitlab-define-variable] for authentication secrets such as passwords or key values 176 | - Use the `before_script` to generate the required authentication configuration files or set authentication tokens. - Keep those secrets out of job logs and artifacts: `printenv >> vars.env` in the second example below copies every environment variable, tokens included, into a file that the sample `.gitlab-ci.yml` uploads as an artifact, and `StrictHostKeyChecking no` in the first example disables SSH host key verification, which a pinned `known_hosts` entry avoids. 
177 | 178 | ```yaml 179 | include: 180 | - https://raw.githubusercontent.com/oss-review-toolkit/ort-ci-gitlab/main/templates/ort-scan.yml 181 | 182 | image: 'ubuntu:latest' 183 | 184 | stages: 185 | - ort 186 | 187 | ort-scan: 188 | stage: ort 189 | extends: .ort-scan 190 | variables: 191 | SW_NAME: 'Mime Types' 192 | SW_VERSION: '2.1.35' 193 | VCS_URL: 'ssh://git@github.com:jshttp/mime-types.git' 194 | VCS_REVISION: 'ef932231c20e716ec27ea159c082322c3c485b66' 195 | ALLOW_DYNAMIC_VERSIONS: 'true' 196 | before_script: 197 | # Generate .netrc configuration file 198 | - echo "default login ${NETRC_LOGIN} password ${NETRC_PASSWORD}" > ${HOME}/.netrc 199 | # Add SSH private key and generate SSH configuration file 200 | # Based on https://gitlab.com/gitlab-examples/ssh-private-key 201 | - | 202 | - 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )' 203 | - eval $(ssh-agent -s) 204 | - ssh-add <(echo "$SSH_PRIVATE_KEY" | base64 --decode) 205 | - mkdir -p ~/.ssh 206 | - chmod 700 ~/.ssh 207 | - echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config 208 | artifacts: 209 | when: always 210 | paths: 211 | - $ORT_RESULTS_PATH 212 | ``` 213 | 214 | ```yaml 215 | include: 216 | - https://raw.githubusercontent.com/oss-review-toolkit/ort-ci-gitlab/main/templates/ort-scan.yml 217 | 218 | stages: 219 | - ort 220 | 221 | ort-scan: 222 | stage: ort 223 | extends: .ort-scan 224 | variables: 225 | SW_NAME: 'Mime Types' 226 | SW_VERSION: '2.1.35' 227 | VCS_URL: 'ssh://git@github.com:jshttp/mime-types.git' 228 | VCS_REVISION: 'ef932231c20e716ec27ea159c082322c3c485b66' 229 | ALLOW_DYNAMIC_VERSIONS: 'true' 230 | ORT_CONFIG_REPOSITORY: "https://oauth2:${EXAMPLE_ORG_AUTH_TOKEN}@git.example.com/ort-project/ort-config.git" 231 | before_script: 232 | # Set network proxy server environment variables 233 | - | 234 | export https_proxy='http://proxy.example.com:3128/' 235 | export http_proxy='http://proxy.example.com:3128/' 236 | printenv >> vars.env 237 | # 
Use HTTPS with personal token instead of SSH for Git cloning 238 | - | 239 | git config --global url."https://oauth2:${GITHUB_PERSONAL_TOKEN}@github.com/".insteadOf 'ssh://git@github.com/' 240 | git config --global url."https://oauth2:${EXAMPLE_ORG_AUTH_TOKEN}@git.example.com/".insteadOf 'ssh://git@git.example.com/' 241 | git config --global url."https://oauth2:${EXAMPLE_ORG_AUTH_TOKEN}@git.example.com/".insteadOf 'https://git.example.com/' 242 | artifacts: 243 | when: always 244 | paths: 245 | - $ORT_RESULTS_PATH 246 | ``` 247 | 248 | ### Run ORT with a custom global configuration 249 | 250 | Use `ORT_CONFIG_REPOSITORY` to specify the location of your ORT global configuration repository. 251 | If `ORT_CONFIG_REVISION` is not set, the latest state of the configuration repository is used; pinning it to a commit, as in the example below, keeps policy evaluation reproducible. 252 | 253 | Alternatively, you can also define your ORT global configuration files in `~/.ort/config` 254 | using `before_script` within the `ort-scan` job. 255 | 256 | ```yaml 257 | include: 258 | - https://raw.githubusercontent.com/oss-review-toolkit/ort-ci-gitlab/main/templates/ort-scan.yml 259 | 260 | stages: 261 | - ort 262 | 263 | ort-scan: 264 | stage: ort 265 | extends: .ort-scan 266 | variables: 267 | SW_NAME: 'Mime Types' 268 | SW_VERSION: '2.1.35' 269 | VCS_URL: 'https://github.com/jshttp/mime-types.git' 270 | VCS_REVISION: 'ef932231c20e716ec27ea159c082322c3c485b66' 271 | ALLOW_DYNAMIC_VERSIONS: 'true' 272 | ORT_CONFIG_REPOSITORY: 'https://github.com/oss-review-toolkit/ort-config.git' 273 | ORT_CONFIG_REVISION: 'e4ae8f0a2d0415e35d80df0f48dd95c90a992514' 274 | before_script: 275 | # Use HTTPS instead of SSH for Git cloning 276 | - git config --global url.https://github.com/.insteadOf ssh://git@github.com/ 277 | artifacts: 278 | when: always 279 | paths: 280 | - $ORT_RESULTS_PATH 281 | ``` 282 | 283 | ### Run ORT with a custom Docker image 284 | Pin the image to a digest or an immutable tag rather than `:latest`, so the scanner that runs in the pipeline is the one you reviewed. 285 | ```yaml 286 | include: 287 | - 
https://raw.githubusercontent.com/oss-review-toolkit/ort-ci-gitlab/main/templates/ort-scan.yml 288 | 289 | stages: 290 | - ort 291 | 292 | ort-scan: 293 | stage: ort 294 | image: 'example.com/my-org/ort-container:latest' 295 | extends: .ort-scan 296 | variables: 297 | SW_NAME: 'Mime Types' 298 | SW_VERSION: '2.1.35' 299 | VCS_URL: 'https://github.com/jshttp/mime-types.git' 300 | VCS_REVISION: 'ef932231c20e716ec27ea159c082322c3c485b66' 301 | ALLOW_DYNAMIC_VERSIONS: 'true' 302 | before_script: 303 | # Use HTTPS instead of SSH for Git cloning 304 | - git config --global url.https://github.com/.insteadOf ssh://git@github.com/ 305 | artifacts: 306 | when: always 307 | paths: 308 | - $ORT_RESULTS_PATH 309 | ``` 310 | 311 | ### Run ORT with PostgreSQL database 312 | 313 | ORT supports using a PostgreSQL database to cache scan data and speed up scans. 314 | 315 | Set the following [masked variables][gitlab-define-variable] at project, group or instance level to specify the database to use: 316 | - `POSTGRES_URL`: 'jdbc:postgresql://ort-db.example.com:5432/ort' 317 | - `POSTGRES_USERNAME`: 'ort-db-username' 318 | - `POSTGRES_PASSWORD`: 'ort-db-password' 319 | - `POSTGRES_SCHEMA`: 'ort-prod' 320 | 321 | Next, call GitLab Pipeline for ORT as shown below: 322 | 323 | ```yaml 324 | include: 325 | - https://raw.githubusercontent.com/oss-review-toolkit/ort-ci-gitlab/main/templates/ort-scan.yml 326 | 327 | stages: 328 | - ort 329 | 330 | ort-scan: 331 | stage: ort 332 | extends: .ort-scan 333 | variables: 334 | SW_NAME: 'Mime Types' 335 | SW_VERSION: '2.1.35' 336 | VCS_URL: 'https://github.com/jshttp/mime-types.git' 337 | VCS_REVISION: 'ef932231c20e716ec27ea159c082322c3c485b66' 338 | ALLOW_DYNAMIC_VERSIONS: 'true' 339 | DB_URL: "${POSTGRES_URL}" 340 | DB_SCHEMA: "${POSTGRES_SCHEMA}" 341 | DB_USERNAME: "${POSTGRES_USERNAME}" 342 | DB_PASSWORD: "${POSTGRES_PASSWORD}" 343 | before_script: 344 | # Use HTTPS instead of SSH for Git cloning 345 | - git config --global 
url.https://github.com/.insteadOf ssh://git@github.com/ 346 | artifacts: 347 | when: always 348 | paths: 349 | - $ORT_RESULTS_PATH 350 | ``` 351 | 352 | ### Run only parts of the GitLab Job Template for ORT 353 | 354 | ```yaml 355 | include: 356 | - https://raw.githubusercontent.com/oss-review-toolkit/ort-ci-gitlab/main/templates/ort-scan.yml 357 | 358 | stages: 359 | - ort 360 | 361 | ort-scan: 362 | stage: ort 363 | extends: .ort-scan 364 | variables: 365 | SW_NAME: 'Mime Types' 366 | SW_VERSION: '2.1.35' 367 | VCS_URL: 'https://github.com/jshttp/mime-types.git' 368 | VCS_REVISION: 'ef932231c20e716ec27ea159c082322c3c485b66' 369 | ALLOW_DYNAMIC_VERSIONS: 'true' 370 | RUN: > 371 | labels, 372 | analyzer, 373 | advisor, 374 | reporter 375 | before_script: 376 | # Use HTTPS instead of SSH for Git cloning 377 | - git config --global url.https://github.com/.insteadOf ssh://git@github.com/ 378 | artifacts: 379 | when: always 380 | paths: 381 | - $ORT_RESULTS_PATH 382 | ``` 383 | 384 | # Want to Help or have Questions? 385 | 386 | All contributions are welcome. If you are interested in contributing, please read our 387 | [contributing guide][ort-contributing-md], and to get quick answers 388 | to any of your questions we recommend you [join our Slack community][ort-slack]. 389 | 390 | # License 391 | 392 | Copyright (C) 2020-2025 [The ORT Project Authors](./NOTICE). 393 | 394 | See the [LICENSE](./LICENSE) file in the root of this project for license details. 395 | 396 | OSS Review Toolkit (ORT) is a [Linux Foundation project][lf] and part of [ACT][act]. 
397 | 398 | [act]: https://automatecompliance.org/ 399 | [gitlab-define-variable]: https://docs.gitlab.com/ee/ci/variables/#define-a-cicd-variable-in-the-ui 400 | [gitlab-pipelines-docs]: https://docs.gitlab.com/ci/pipelines/ 401 | [ort]: https://github.com/oss-review-toolkit/ort 402 | [ort-config-yml]: https://github.com/oss-review-toolkit/ort/blob/main/model/src/main/resources/reference.yml 403 | [ort-contributing-md]: https://github.com/oss-review-toolkit/.github/blob/main/CONTRIBUTING.md 404 | [ort-slack]: http://slack.oss-review-toolkit.org 405 | [lf]: https://www.linuxfoundation.org 406 | -------------------------------------------------------------------------------- /templates/ort-scan.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Copyright (C) 2020 The ORT Project Authors 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the 'License'); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # https://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an 'AS IS' BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
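#
# SPDX-License-Identifier: Apache-2.0
# License-Filename: LICENSE

# Hidden job template for running ORT (OSS Review Toolkit) in GitLab CI.
#
# Consumers `extends: .ort-scan` (see README) and either set VCS_* to scan a
# remote repository or set none of them to scan the already checked-out project.
# The job runs download -> analyze -> [scan] -> advise -> evaluate -> report,
# handing each stage's result to the next via current-result.json, and leaves
# all results in ORT_RESULTS_PATH. It fails on hard tool errors (ORT exit code 1)
# and, only when FAIL_ON asks for it, on exceeded severity thresholds (exit code 2).
.ort-scan:
  image:
    name: ${ORT_DOCKER_IMAGE}
    entrypoint: [""]
  cache:
    key: ${CI_PROJECT_ID}
    paths:
      - cache/.m2/repository
      - cache/.go/pkg/mod
      - cache/pip
      - cache/.gradle
      - cache/yarn
      - cache/node_modules
      - cache/ivy2/cache
      - cache/sbt
  variables:
    # NOTE(review): 'latest' is a moving tag. Pin ORT_DOCKER_IMAGE to a release tag or,
    # better, an image digest in your job so scans are reproducible and an upstream image
    # change cannot silently alter the code that runs with your database credentials.
    ORT_DOCKER_IMAGE: "ghcr.io/oss-review-toolkit/ort:latest"
    ORT_RESULTS_PATH: "${CI_PROJECT_DIR}/ort-results"

    # GitLab will not cache things (see https://gitlab.com/gitlab-org/gitlab/-/issues/14151) outside the build's working
    # directory (e.g., /builds/{user}/geometry), but luckily we can move Maven repository around.
    MAVEN_REPO_LOCAL: "${CI_PROJECT_DIR}/cache/.m2/repository"
    GO_CACHE_LOCAL: "${CI_PROJECT_DIR}/cache/.go/pkg/mod"
    PIP_CACHE_DIR: "${CI_PROJECT_DIR}/cache/pip"
    GRADLE_USER_HOME: "${CI_PROJECT_DIR}/cache/.gradle"
    YARN_CACHE_FOLDER: "${CI_PROJECT_DIR}/cache/yarn"
    NODE_PATH: "${CI_PROJECT_DIR}/cache/node_modules"
    SBT_OPTS: "-Dsbt.global.base=${CI_PROJECT_DIR}/cache/sbt -Dsbt.ivy.home=${CI_PROJECT_DIR}/cache/ivy2 -Divy.home=${CI_PROJECT_DIR}/cache/ivy2"
  script:
    - export ORT_SCAN_STARTED_AT=$(date +"%Y-%m-%dT%H:%M:%S%z")

    # Set safe directory to resolve Git 'fatal: detected dubious ownership in repository' error message.
    # '*' trusts every repository on the box; acceptable only because the container is ephemeral and job-private.
    - git config --global safe.directory '*'

    # GITLAB_USER_NAME is UPPERCASED in order to unmask it in GitLab logs.
    # (Transforming a value is exactly how log masking gets defeated -- never do this to a secret.)
    - export TRIGGERER=${UPSTREAM_PIPELINE_URL:-"${GITLAB_USER_NAME^^} manually"}
    - echo "Started by $TRIGGERER"

    # Helper used after every ORT stage to persist the job environment in vars.env (in the
    # working directory, i.e. $CI_PROJECT_DIR) for later steps or consumers. A bare `printenv`
    # would also write POSTGRES_PASSWORD/DB_PASSWORD, CI_JOB_TOKEN, CI_REGISTRY_PASSWORD, CI_JOB_JWT*
    # and friends to disk, where an `artifacts:` or dotenv entry added by a consumer would expose
    # them. The filter is name-based only: custom secrets must follow the *_TOKEN / *_SECRET /
    # *_PASSWORD / *_JWT naming convention to be excluded.
    - |
      ort_dump_env() {
        printenv | grep -E -v '^[A-Za-z0-9_]*_(TOKEN|SECRET|PASSWORD|JWT|JWT_V[0-9]+)=' >> vars.env
      }

    # Workaround for maven cache.
    - |
      if [[ -d "$MAVEN_REPO_LOCAL" ]]; then
        mkdir -p ${HOME}/.m2/repository/
        mv ${MAVEN_REPO_LOCAL}/* ${HOME}/.m2/repository/
      fi

    # Workaround for go cache.
    - |
      if [[ -d "$GO_CACHE_LOCAL" ]]; then
        mkdir -p ${GOPATH}/pkg/mod
        mv ${GO_CACHE_LOCAL}/* ${GOPATH}/pkg/mod/
      fi

    - echo -e "\e[1;33m Initializing ORT in GitLab... "

    # Setting default values for various variables.
    # Consumer-facing inputs (ADVISORS, ALLOW_DYNAMIC_VERSIONS, RUN, REPORT_FORMATS, DB_*, ...)
    # are mapped onto the ORT_*/POSTGRES_* names used by the rest of the script.
    - |
      export ORT_DATA_PATH=${HOME}/${ORT_DATA_DIR_NAME:-".ort"}
      export DISABLE_SHALLOW_CLONE=${DISABLE_SHALLOW_CLONE:-"false"}
      export FAIL_ON_OUTDATED_NOTICE_FILE=${FAIL_ON_OUTDATED_NOTICE_FILE:-"false"}
      export NOTICE_FILE=${NOTICE_FILE:-"FOSS_NOTICE"}
      export ORT_ADVISORS=${ADVISORS:-"OSV"}
      export ORT_ALLOW_DYNAMIC_VERSIONS=${ALLOW_DYNAMIC_VERSIONS:-"false"}
      export ORT_CLI="/opt/ort/bin/ort"
      export ORT_CLI_ARGS=${ORT_CLI_ARGS:-"-P ort.forceOverwrite=true --stacktrace"}
      ORT_CLI_REPORT_DEFAULT_ARGS="-O CycloneDX=output.file.formats=json,xml -O SpdxDocument=output.file.formats=json,yaml"
      export ORT_CLI_REPORT_ARGS=${ORT_CLI_REPORT_ARGS:-$ORT_CLI_REPORT_DEFAULT_ARGS}
      export ORT_CONFIG_PATH=${ORT_CONFIG_PATH:-"${ORT_DATA_PATH}/config"}
      # NOTE(review): the default tracks the moving 'main' branch of a third-party repository.
      # Pin ORT_CONFIG_REVISION to a commit SHA, or point ORT_CONFIG_REPOSITORY at a repository
      # you control: the curations and policy rules fetched from it decide what is reported.
      export ORT_CONFIG_VCS_REVISION=${ORT_CONFIG_REVISION:-"main"}
      export ORT_CONFIG_VCS_URL=${ORT_CONFIG_REPOSITORY:-"https://github.com/oss-review-toolkit/ort-config.git"}
      export ORT_DISABLE_ADVISOR=${ORT_DISABLE_ADVISOR:-"false"}
      export ORT_DISABLE_EVALUATOR=${ORT_DISABLE_EVALUATOR:-"false"}
      export ORT_DISABLE_SCANNER=${ORT_DISABLE_SCANNER:-"true"}
      export ORT_LOG_LEVEL=${ORT_LOG_LEVEL:-"warn"}
      export ORT_RESULTS_PATH=${ORT_RESULTS_PATH:-"${ORT_DATA_PATH}/ort-results"}
      export ORT_REPORT_FORMATS=${REPORT_FORMATS:-"CycloneDx,SpdxDocument,WebApp"}
      export ORT_RESULTS_ADVISOR_PATH="${ORT_RESULTS_PATH}/advisor-result.json"
      export ORT_RESULTS_ANALYZER_PATH="${ORT_RESULTS_PATH}/analyzer-result.json"
      export ORT_RESULTS_CURRENT_PATH="${ORT_RESULTS_PATH}/current-result.json"
      export ORT_RESULTS_EVALUATED_MODEL_PATH="${ORT_RESULTS_PATH}/evaluated-model.json"
      export ORT_RESULTS_EVALUATOR_PATH="${ORT_RESULTS_PATH}/evaluation-result.json"
      export ORT_RESULTS_HTML_REPORT_PATH="${ORT_RESULTS_PATH}/ort-results/scan-report.html"
      export ORT_RESULTS_SCANNER_PATH="${ORT_RESULTS_PATH}/scan-result.json"
      export ORT_RESULTS_SBOM_CYCLONE_XML_PATH="${ORT_RESULTS_PATH}/bom.cyclonedx.xml"
      export ORT_RESULTS_SBOM_SPDX_JSON_PATH="${ORT_RESULTS_PATH}/bom.spdx.json"
      export ORT_RESULTS_SBOM_SPDX_YML_PATH="${ORT_RESULTS_PATH}/bom.spdx.yml"
      export ORT_RESULTS_WEB_APP_PATH="${ORT_RESULTS_PATH}/scan-report-web-app.html"
      export ORT_RUN_COMMANDS=${RUN:-"labels,analyzer,evaluator,advisor,reporter"}
      export ORT_VERSION=$(ort --version)
      export POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-$DB_PASSWORD}
      export POSTGRES_SCHEMA=${POSTGRES_SCHEMA:-$DB_SCHEMA}
      # The default is kept at 'disable' for compatibility with existing deployments, but it sends
      # credentials and scan data in clear text. Set POSTGRES_SSLMODE to 'require' or 'verify-full'
      # for any database reached over a network.
      export POSTGRES_SSLMODE=${POSTGRES_SSLMODE:-"disable"}
      export POSTGRES_URL=${POSTGRES_URL:-$DB_URL}
      export POSTGRES_USERNAME=${POSTGRES_USERNAME:-$DB_USERNAME}

      # Decide what to scan. The tests use ${VAR+x}, i.e. they check whether a variable is
      # *defined* at all: a pipeline variable defined with an empty value still counts as set
      # and selects the 'specified repository' branch below.
      if [ ! -n "${VCS_TYPE+x}" ] && \
         [ ! -n "${VCS_URL+x}" ] && \
         [ ! -n "${VCS_REVISION+x}" ] && \
         [ ! -n "${VCS_PATH+x}" ]
      then
        # Scan already cloned repository under $CI_PROJECT_DIR:
        export PROJECT_VCS_TYPE="git"
        export PROJECT_VCS_URL="ssh://git@${CI_SERVER_HOST}/${CI_PROJECT_PATH}.git"
        export PROJECT_VCS_REVISION="${CI_COMMIT_SHA}"
        export PROJECT_VCS_PATH=""
        export PROJECT_PATH="${CI_PROJECT_DIR}"
      else
        # Scan specified repository:
        export PROJECT_VCS_TYPE=${VCS_TYPE:-"git"}
        export PROJECT_VCS_URL=${VCS_URL:-""}
        export PROJECT_VCS_REVISION=${VCS_REVISION:-""}
        export PROJECT_VCS_PATH=${VCS_PATH:-""}
        export PROJECT_PATH="${HOME}/project"
      fi

      export PROJECT_VCS_REPOSITORY_NAME=$(echo $PROJECT_VCS_URL | sed -E 's/.*\/(.*)\.git/\1/')
      export SW_NAME=${SW_NAME:-"$PROJECT_VCS_REPOSITORY_NAME"}
      # Remove all special characters and whitespace from software name as some tools cannot handle them.
      export SW_NAME_SAFE=$(echo ${SW_NAME} | sed -e 's/\s/-/g' -e 's/[^[:alnum:]_-]//g' -e 's/--/-/g' -e 's/\([A-Z]\)/\L\1/g')
      # Default to the short revision of whatever is actually scanned. PROJECT_VCS_REVISION (not
      # VCS_REVISION) also covers the already-cloned case, where VCS_REVISION is unset and the
      # version used to come out empty.
      export SW_VERSION=${SW_VERSION:-"${PROJECT_VCS_REVISION:0:7}"}

    # Creating required directories within user home directory.
    # World-writable so that tools running under a different UID inside the image can use them.
    - |
      mkdir -p ${HOME}/.cache/scancode-tk/; chmod -R aug+w ${HOME}/.cache/ || :
      mkdir -p ${HOME}/.config/jgit/; chmod -R aug+w ${HOME}/.config/ || :
      mkdir -p ${ORT_DATA_PATH}/{cache,config,ort-results,scanner/archive/,scanner/provenance/}; chmod -R aug+w ${ORT_DATA_PATH}/ || :
      mkdir -p ${PROJECT_PATH}/; chmod -R aug+w ${PROJECT_PATH}/ || :

    # Set up ORT configuration repository.
    # Only fetched when ORT_CONFIG_PATH is empty, so a consumer may pre-populate it (e.g. from a
    # vetted artifact) instead. The fetch is shallow and unverified: whatever commit the
    # configured revision resolves to at job time is used, so pin it (see ORT_CONFIG_REVISION).
    - |
      if [[ -z "$(ls -A ${ORT_CONFIG_PATH})" ]]; then
        echo -e "\e[1;33m Retrieving ORT config commit '${ORT_CONFIG_VCS_REVISION}' from ${ORT_CONFIG_VCS_URL}... "
        cd $ORT_CONFIG_PATH
        git init -q
        git remote add origin $ORT_CONFIG_VCS_URL
        git fetch -q --depth 1 origin $ORT_CONFIG_VCS_REVISION

        git checkout -q FETCH_HEAD
        cd -
      fi
      # Record the URL and commit actually in use so they can be attached as labels below.
      # (A former fallback to `git remote show origin` was dropped: ORT_CONFIG_VCS_REVISION is
      # always non-empty after the defaults above, so it could never run.)
      cd $ORT_CONFIG_PATH
      [[ -d "${ORT_CONFIG_PATH}/.git" ]] \
        && export ORT_CONFIG_VCS_URL=$(git config remote.origin.url) \
        && export ORT_CONFIG_VCS_REVISION=$(git rev-parse HEAD)
      cd -

      echo -e "Using ORT config revision ${ORT_CONFIG_VCS_REVISION}."

    # Generate ORT global configuration if not found and PostgreSQL is used.
    # The generated file holds the database password in clear text. It lives under ORT_CONFIG_PATH
    # (by default $HOME/.ort/config, outside $CI_PROJECT_DIR), so it is neither cached nor published
    # as an artifact unless those paths are overridden. The heredoc is unquoted: a password containing
    # '"', '\' or '$' would break the YAML or be expanded by the shell, so keep such characters out
    # of POSTGRES_PASSWORD.
    - |
      if [[ (! -a "${ORT_CONFIG_PATH}/config.yml") && (-n "${POSTGRES_URL}") ]]; then
        echo -e "\e[1;33m Generating a 'config.yml' with a PostgreSQL storage..."
        cat << EOF > ${ORT_CONFIG_PATH}/config.yml
      ort:
        enableRepositoryPackageConfigurations: true
        enableRepositoryPackageCurations: true
        packageCurationProviders:
          - type: DefaultFile
          - type: DefaultDir
          - type: OrtConfig
            enabled: false
        scanner:
          archive:
            enabled: true
            postgresStorage:
              connection:
                url: "${POSTGRES_URL}"
                schema: "${POSTGRES_SCHEMA}"
                username: "${POSTGRES_USERNAME}"
                password: "${POSTGRES_PASSWORD}"
                sslmode: "${POSTGRES_SSLMODE}"
                parallelTransactions: 5
              type: "PROVENANCE_BASED"
          createMissingArchives: true
          detectedLicenseMapping: {}
          fileListStorage:
            postgresStorage:
              connection:
                url: "${POSTGRES_URL}"
                schema: "${POSTGRES_SCHEMA}"
                username: "${POSTGRES_USERNAME}"
                password: "${POSTGRES_PASSWORD}"
                sslmode: "${POSTGRES_SSLMODE}"
                parallelTransactions: 5
          config:
            ScanCode:
              options:
                commandLine: "--copyright --license --info --strip-root --timeout 300"
                parseLicenseExpressions: true
                preferFileLicense: false
                minVersion: "31.0.0"
                maxVersion: "33.0.0"
          storages:
            postgres:
              connection:
                url: "${POSTGRES_URL}"
                schema: "${POSTGRES_SCHEMA}"
                username: "${POSTGRES_USERNAME}"
                password: "${POSTGRES_PASSWORD}"
                sslmode: "${POSTGRES_SSLMODE}"
                parallelTransactions: 5
              type: "PROVENANCE_BASED"
          storageReaders:
            - "postgres"
          storageWriters:
            - "postgres"
          ignorePatterns:
            - "**/NOTICE"
            - "**/META-INF/DEPENDENCIES"
          provenanceStorage:
            postgresStorage:
              connection:
                url: "${POSTGRES_URL}"
                schema: "${POSTGRES_SCHEMA}"
                username: "${POSTGRES_USERNAME}"
                password: "${POSTGRES_PASSWORD}"
                sslmode: "${POSTGRES_SSLMODE}"
                parallelTransactions: 5
              type: "PROVENANCE_BASED"
        severeIssueThreshold: "ERROR"
        severeRuleViolationThreshold: "ERROR"
      EOF
      elif [[ ! -a "${ORT_CONFIG_PATH}/config.yml" ]]; then
        echo -e "\e[1;33m Generating a 'config.yml' without a PostgreSQL storage..."
        cat << EOF > ${ORT_CONFIG_PATH}/config.yml
      ort:
        packageCurationProviders:
          - type: DefaultFile
          - type: DefaultDir
          - type: OrtConfig
            enabled: false
      EOF
      else
        echo -e "\e[1;33m Using 'config.yml' from 'ort-config' repository..."
      fi

      # NOTE(review): this prints the resolved configuration to the job log; confirm it does not
      # echo the database password (GitLab only masks variables explicitly marked as masked).
      ${ORT_CLI} config --show-active

    # Generate labels to be passed as arguments to ORT Analyzer.
    # Labels can be used track scan related info or execute policy rules for specific product, delivery or organization.
    - |
      if [[ ${ORT_RUN_COMMANDS} == *"labels"* ]]; then
        echo -e "\e[1;33m Compute ORT labels... "

        ORT_CLI_ANALYZE_ARGS="\
          -l ci-url=${CI_PIPELINE_URL} \
          -l ci-actor=${GITLAB_USER_LOGIN} \
          -l ci-event-name=${CI_PIPELINE_SOURCE} \
          -l ci-date=$(date +"%Y-%m-%d") ${ORT_CLI_ANALYZE_ARGS}"

        [[ -n "${ORT_ALLOW_DYNAMIC_VERSIONS}" ]] && ORT_CLI_ANALYZE_ARGS="-l allow-dynamic-versions=${ORT_ALLOW_DYNAMIC_VERSIONS} ${ORT_CLI_ANALYZE_ARGS}"
        [[ -n "${ORT_CONFIG_VCS_REVISION}" ]] && ORT_CLI_ANALYZE_ARGS="-l ort-config-revision=${ORT_CONFIG_VCS_REVISION} ${ORT_CLI_ANALYZE_ARGS}"
        [[ -n "${ORT_CONFIG_VCS_URL}" ]] && ORT_CLI_ANALYZE_ARGS="-l ort-config-repository=${ORT_CONFIG_VCS_URL} ${ORT_CLI_ANALYZE_ARGS}"
        ORT_CLI_ANALYZE_ARGS="-l sw-version=${SW_VERSION} -l sw-name=${SW_NAME_SAFE} ${ORT_CLI_ANALYZE_ARGS}"
      fi

    # Include repository configuration file (.ort.yml) if found in ORT CLI parameters.
    # ORT_YML_PATH is optional; the 'not found' warning is only printed when a path was given.
    - |
      if [[ -s "${ORT_YML_PATH}" ]]; then
        ORT_CLI_ANALYZE_ARGS="--repository-configuration-file ${ORT_YML_PATH} ${ORT_CLI_ANALYZE_ARGS}"
        ORT_CLI_EVALUATE_ARGS="--repository-configuration-file ${ORT_YML_PATH} ${ORT_CLI_EVALUATE_ARGS}"
        ORT_CLI_REPORT_ARGS="--repository-configuration-file ${ORT_YML_PATH} ${ORT_CLI_REPORT_ARGS}"
      elif [[ -n "${ORT_YML_PATH}" && ! -a "${ORT_YML_PATH}" ]]; then
        echo -e "\e[1;31m File ${ORT_YML_PATH} not found!."
      fi

    - |
      export ORT_CLI_ANALYZE_ARGS ORT_CLI_EVALUATE_ARGS ORT_CLI_REPORT_ARGS

    # Run ORT's Downloader to retrieve the source code for the project to be scanned.
    - |
      if [[ "$PROJECT_PATH" = "$CI_PROJECT_DIR" ]]; then
        echo -e "\e[1;33m Not running ORT Downloader, as the already cloned sources are to be analyzed..."
      else
        echo -e "\e[1;33m Running ORT Downloader to download project to scan... "
        echo -e "\e[1;33m ${PROJECT_VCS_TYPE} project revision ${PROJECT_VCS_REVISION} located at ${PROJECT_VCS_URL} in path '${PROJECT_VCS_PATH}'... "

        ORT_CLI_DOWNLOAD_EXIT_CODE=0
        ${ORT_CLI} \
          --${ORT_LOG_LEVEL} \
          ${ORT_CLI_ARGS} \
          download \
          -o "${PROJECT_PATH}" \
          --vcs-type "${PROJECT_VCS_TYPE}" \
          --project-url "${PROJECT_VCS_URL}" \
          --vcs-revision "${PROJECT_VCS_REVISION}" \
          --vcs-path "${PROJECT_VCS_PATH}" \
          --project-name "${SW_NAME_SAFE}" \
          || ORT_CLI_DOWNLOAD_EXIT_CODE=$?
        export ORT_CLI_DOWNLOAD_EXIT_CODE

        # ORT reports errors with exit code 1; without sources there is nothing to analyze.
        if [[ ${ORT_CLI_DOWNLOAD_EXIT_CODE} -eq 1 ]]; then
          echo -e "\e[1;31m Unable to retrieve project sources from ${PROJECT_VCS_URL}."
          exit 1
        fi
      fi

    # Run ORT's Analyzer to determine the dependencies used by the project and their metadata.
    # The Analyzer always runs; ORT_RUN_COMMANDS only gates the later stages.
    - |
      echo -e "\e[1;33m Running ORT Analyzer... "

      ORT_CLI_ANALYZE_EXIT_CODE=0
      ${ORT_CLI} \
        --${ORT_LOG_LEVEL} \
        -P ort.analyzer.allowDynamicVersions=${ORT_ALLOW_DYNAMIC_VERSIONS} \
        ${ORT_CLI_ARGS} \
        analyze \
        -i ${PROJECT_PATH} \
        -o ${ORT_RESULTS_PATH} \
        -f JSON \
        ${ORT_CLI_ANALYZE_ARGS} \
        || ORT_CLI_ANALYZE_EXIT_CODE=$?
      export ORT_CLI_ANALYZE_EXIT_CODE
      ort_dump_env

      # current-result.json always points at the newest stage result; each following stage reads it.
      [[ -f ${ORT_RESULTS_ANALYZER_PATH} ]] \
        && ln -frs $ORT_RESULTS_ANALYZER_PATH $ORT_RESULTS_CURRENT_PATH \
        || echo -e "\e[1;31m File $ORT_RESULTS_ANALYZER_PATH not found."

      # Exit code 2 (severity threshold exceeded) deliberately does not stop the pipeline here.
      if [[ ${ORT_CLI_ANALYZE_EXIT_CODE:-0} -eq 1 ]]; then
        exit 1
      fi

    # Run ORT's Scanner to use configured source code scanners to detect license and copyright findings.
    - |
      if [[ ${ORT_RUN_COMMANDS} == *"scanner"* ]]; then
        echo -e "\e[1;33m Running ORT Scanner... "

        ORT_CLI_SCAN_EXIT_CODE=0
        ${ORT_CLI} \
          --${ORT_LOG_LEVEL} \
          ${ORT_CLI_ARGS} \
          scan \
          -i ${ORT_RESULTS_CURRENT_PATH} \
          -o ${ORT_RESULTS_PATH} \
          -f JSON \
          ${ORT_CLI_SCAN_ARGS} \
          || ORT_CLI_SCAN_EXIT_CODE=$?
        export ORT_CLI_SCAN_EXIT_CODE
        ort_dump_env

        [[ -f ${ORT_RESULTS_SCANNER_PATH} ]] \
          && ln -frs $ORT_RESULTS_SCANNER_PATH $ORT_RESULTS_CURRENT_PATH \
          || echo -e "\e[1;31m File $ORT_RESULTS_SCANNER_PATH not found."

        # Checks the variable actually set above (a misspelt ORT_CLI_SCANNER_EXIT_CODE used to make
        # scanner errors silently non-fatal).
        if [[ ${ORT_CLI_SCAN_EXIT_CODE:-0} -eq 1 ]]; then
          exit 1
        fi
      fi

    # Run ORT's Advisor to retrieve security advisories for used dependencies from configured vulnerability data services.
    - |
      if [[ ${ORT_RUN_COMMANDS} == *"advisor"* ]]; then
        echo -e "\e[1;33m Running ORT Advisor... "

        ORT_CLI_ADVISE_EXIT_CODE=0
        ${ORT_CLI} \
          --$ORT_LOG_LEVEL \
          ${ORT_CLI_ARGS} \
          advise \
          -i ${ORT_RESULTS_CURRENT_PATH} \
          -o ${ORT_RESULTS_PATH} \
          -a ${ORT_ADVISORS} \
          -f JSON \
          ${ORT_CLI_ADVISE_ARGS} \
          || ORT_CLI_ADVISE_EXIT_CODE=$?
        export ORT_CLI_ADVISE_EXIT_CODE
        ort_dump_env

        [[ -f ${ORT_RESULTS_ADVISOR_PATH} ]] \
          && ln -frs $ORT_RESULTS_ADVISOR_PATH $ORT_RESULTS_CURRENT_PATH \
          || echo -e "\e[1;31m File $ORT_RESULTS_ADVISOR_PATH not found."

        # Exit code 2 is handled by the FAIL_ON check at the end of the job.
        if [[ ${ORT_CLI_ADVISE_EXIT_CODE:-0} -eq 1 ]]; then
          exit 1
        fi
      fi

    # Run ORT's Evaluator to evaluate custom policy rules along with custom license classifications against the data gathered
    # in preceding ORT stages and returns a list of policy violations (e.g. flags license or vulnerability findings).
    - |
      if [[ ${ORT_RUN_COMMANDS} == *"evaluator"* ]]; then
        echo -e "\e[1;33m Running ORT Evaluator... "

        ORT_CLI_EVALUATE_EXIT_CODE=0
        ${ORT_CLI} \
          --${ORT_LOG_LEVEL} \
          ${ORT_CLI_ARGS} \
          evaluate \
          -i ${ORT_RESULTS_CURRENT_PATH} \
          -o ${ORT_RESULTS_PATH} \
          -f JSON \
          ${ORT_CLI_EVALUATE_ARGS} \
          || ORT_CLI_EVALUATE_EXIT_CODE=$?
        export ORT_CLI_EVALUATE_EXIT_CODE
        ort_dump_env

        [[ -f ${ORT_RESULTS_EVALUATOR_PATH} ]] \
          && ln -frs $ORT_RESULTS_EVALUATOR_PATH $ORT_RESULTS_CURRENT_PATH \
          || echo -e "\e[1;31m File $ORT_RESULTS_EVALUATOR_PATH not found."

        # Exit code 2 is handled by the FAIL_ON check at the end of the job.
        if [[ ${ORT_CLI_EVALUATE_EXIT_CODE:-0} -eq 1 ]]; then
          exit 1
        fi
      fi

    # Run ORT's Reporter to present scan results in various formats such as visual reports,
    # Open Source notices or Software Bill-Of-Materials (SBOMs).
    - |
      if [[ ${ORT_RUN_COMMANDS} == *"reporter"* ]]; then
        echo -e "\e[1;33m Running ORT Reporter... "

        ORT_CLI_REPORT_EXIT_CODE=0
        $ORT_CLI \
          --${ORT_LOG_LEVEL} \
          ${ORT_CLI_ARGS} \
          report \
          -i ${ORT_RESULTS_CURRENT_PATH} \
          -o ${ORT_RESULTS_PATH} \
          -f $ORT_REPORT_FORMATS \
          -O SpdxDocument=document.name="${SW_NAME_SAFE}" \
          ${ORT_CLI_REPORT_ARGS} \
          || ORT_CLI_REPORT_EXIT_CODE=$?
        export ORT_CLI_REPORT_EXIT_CODE
        ort_dump_env

        # Checks the variable actually set above (a misspelt ORT_CLI_REPORT_CODE used to make
        # reporter errors silently non-fatal).
        if [[ ${ORT_CLI_REPORT_EXIT_CODE:-0} -eq 1 ]]; then
          exit 1
        fi
      fi

    # Remove job internal use only current-result.json from scan results directory.
    # (`unset` takes a variable name; the former `unset $ORT_RESULTS_CURRENT_PATH` tried to unset
    # a variable named after the file path.)
    - |
      if [[ -f ${ORT_RESULTS_CURRENT_PATH} ]]; then
        rm $ORT_RESULTS_CURRENT_PATH
        unset ORT_RESULTS_CURRENT_PATH
      fi

    # Fail job on policy violations if FAIL_ON variable contains 'violations'.
    - |
      if [[ ${FAIL_ON} == *"violations"* && ${ORT_CLI_EVALUATE_EXIT_CODE:-0} -eq 2 ]]; then
        echo -e "\e[1;31m Failing action as Evaluator exceeded severity threshold... "
        exit 2
      fi

    # Fail job on security issues if FAIL_ON variable contains 'issues'.
    - |
      if [[ ${FAIL_ON} == *"issues"* && ${ORT_CLI_ADVISE_EXIT_CODE:-0} -eq 2 ]]; then
        echo -e "\e[1;31m Failing action as Advisor exceeded severity threshold... "
        exit 2
      fi
  timeout: 20 hours
  after_script:
    # after_script runs in a fresh shell: nothing exported by script is available here.
    # Workaround for maven cache.
    - |
      if [[ -d "${HOME}/.m2/repository/" ]]; then
        mkdir -p $MAVEN_REPO_LOCAL
        mv -f ${HOME}/.m2/repository/* $MAVEN_REPO_LOCAL
      fi

    # Workaround for go cache.
    - |
      if [[ -d "${GOPATH}/pkg/mod/" ]]; then
        mkdir -p ${GO_CACHE_LOCAL}
        mv ${GOPATH}/pkg/mod/* ${GO_CACHE_LOCAL}
      fi

    - export ORT_SCAN_FINISHED_AT=$(date +"%Y-%m-%dT%H:%M:%S%z")
--------------------------------------------------------------------------------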