# vim: set ft=sh sw=2 ts=8 et :
# Preparation step for the compsec project.
# Requests a "reports" area from the deployment framework's mkproj helper
# (mkproj is defined outside this file; its exact effect is not shown here).
deploy_compsec_prep()
{
  mkproj "reports"
}
# Values substituted for the {LOGURL} and {WEBDIR} placeholders of compsec_task
# by deploy_compsec_sw; webdir is also named in the note that
# deploy_compsec_post prints on the build host.
webdir='/afs/cern.ch/user/d/dmwmbld/www/security'
logurl='https://cern.ch/cms-dmwm-builds/security'
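# Install the compsec package, then fetch the CMS security-scans tools and
# patch them in place for this deployment.
#
# Globals read: root, cfgversion, glabel, project, logurl, webdir.
# Helpers:      deploy_pkg (deployment framework, defined outside this file).
# Side effects: changes the working directory to $root/$cfgversion/apps.$glabel
#               and leaves it there; clones security-scans into it; edits
#               several of its files and
#               $root/$cfgversion/config/$project/compsec_task in place.
# Returns:      non-zero if the apps directory cannot be entered or the clone
#               fails; otherwise the status of the last perl command.
#
# NOTE(review): $root, $project, $logurl and $webdir are expanded by the shell
# directly into Perl substitution code that uses ';' as its delimiter. A value
# containing ';', '@' or '$' would change the Perl program rather than just the
# replacement text, so these must only ever come from trusted deployment
# configuration.
deploy_compsec_sw()
{
  deploy_pkg comp cms+compsec

  # Fetch comp security tools.
  # Stop here if the target directory is missing: otherwise the clone and the
  # in-place edits below would run in whatever directory the caller was in.
  cd "$root/$cfgversion/apps.$glabel" || return 1

  # NOTE(review): this takes whatever the remote's default branch holds at
  # deploy time; no tag/commit is pinned and nothing is verified after the
  # fetch. Consider checking out a reviewed revision (<PINNED_REVISION>) so the
  # patched scanner code is reproducible and auditable.
  #
  # A failed clone (network error, or a checkout left by an earlier run) is
  # fatal: several substitutions below are not idempotent (e.g. the
  # "webapps=webapps" and "rats --quiet" rewrites), so re-applying them to an
  # existing tree would corrupt it, and applying them to no tree silently
  # deploys without the tools.
  git clone https://gitlab.cern.ch/cms-comp-security/security-scans.git || return 1

  # Point the skipfish dictionary at the deployed copy of the tools.
  perl -p -i -e "s;dictionary='skipfish/;dictionary='$root/current/apps/security-scans/skipfish/;g" \
    security-scans/lib/webappscanlib.py

  # Send web-application scan reports to the project state area.
  perl -p -i -e "s;webapps=webapps;webapps=webapps,outdir='$root/state/$project/reports/reports-webapp-scan';g" \
    security-scans/main_webapp_scan.py

  # NOTE(review): 'somewhere' looks like a leftover placeholder for the
  # original generallib-based outdir - confirm the intended path.
  perl -p -i -e "s;outdir=generallib.*reports-webapp-scan'\);outdir='somewhere';g" \
    security-scans/main_webapp_scan.py

  # Code-scan (RATS) report and temporary directories.
  perl -p -i -e "s;outdir=generallib.*reports-rats'\);outdir='$root/state/$project/reports/reports-rats';g; \
    s;tempdir=generallib.*temp'\);tempdir='$root/state/$project/temp';g" \
    security-scans/main_code_scan.py

  # Add the RATS rule databases; \$RATS_ROOT is written literally into the
  # Python file, not expanded here.
  perl -p -i -e "s;rats --quiet;rats --quiet -d \\\$RATS_ROOT/share/rats-c.xml -d \\\$RATS_ROOT/share/rats-openssl.xml -d \\\$RATS_ROOT/share/rats-perl.xml -d \\\$RATS_ROOT/share/rats-python.xml;g" \
    security-scans/lib/codescanlib.py

  # Rename the inventory report directory.
  perl -p -i -e "s;reports/reports-inventory;reports/reports-cms-inventory;g" \
    security-scans/cms_inventory/egroup_device_inventory.py

  # Fill the {LOGURL} and {WEBDIR} placeholders of the task script.
  perl -p -i -e "s;{LOGURL};$logurl;g; \
    s;{WEBDIR};$webdir;g;" \
    "$root/$cfgversion/config/$project/compsec_task"
}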
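# Post-install step: install the reports .htaccess, create the RATS report
# directory, rewrite the user's crontab and, on the build host only, register
# the periodic web-area update in acrontab.
#
# Globals read: project_config, project_state, host, root, webdir.
# Helpers:      mkcrontab, note (deployment framework, defined outside this file).
# Returns:      non-zero if the .htaccess copy, the directory creation or the
#               Kerberos ticket check fails.
deploy_compsec_post()
{
  # NOTE(review): presumably this .htaccess restricts who may read the scan
  # reports - confirm against the file's content. A failed copy is fatal so the
  # reports directory is never published without it.
  cp "$project_config/htaccess" "$project_state/reports/.htaccess" || return 1

  # -p keeps a repeated deployment from failing on an existing directory.
  mkdir -p "$project_state/reports/reports-rats" || return 1

  # We currently run these jobs from jenkins, keeping here for documentation.
  # Every entry below is written with a leading '#', so none of them is
  # scheduled; the crontab is still replaced with mkcrontab's output plus
  # these commented lines.
  (mkcrontab
   echo "#0 0 * * * $project_config/compsec_task inventory"
   echo "#0 3 * * * $project_config/compsec_task portscan"
   echo "#0 6 * * * $project_config/compsec_task webscan"
   echo "#0 9 * * * $project_config/compsec_task codescan"
  ) | crontab -

  # Copy output reports to webarea
  case "$host:$root" in
    vocms022:/build/dmwmbld/srv )
      # Must have afs kerberos token. Checked explicitly rather than relying on
      # the caller's shell options: without a valid ticket the acrontab rewrite
      # below must not run.
      klist -s || return 1

      # Drop any previous entry for this host and project config, then append
      # the ten-minute updateweb job. "|| true" is needed because grep exits 1
      # when it selects no lines.
      # NOTE(review): if "acrontab -l" itself fails, its output is empty and the
      # installed acrontab would hold only the new line; the ticket check above
      # is the only guard against that.
      (acrontab -l | { grep -F -v -e " $host $project_config/" || true; }
       echo "*/10 * * * * $host $project_config/compsec_task updateweb"
      ) | acrontab
      note "NOTE: you must configure a CERN web area serving files from $webdir."
      ;;
    * )
      ;;
  esac
}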