Merge branch 'codeOwnersUpdate2' into 'development'

small updates to code owners file

See merge request !376

.gitlab-ci.yml

@@ -26,7 +26,7 @@ variables:
   GRADLE_USER_HOME: ".gradle"
   GRADLE_OPTS: "-Dorg.gradle.daemon=false -Dorg.gradle.caching=true"
 
-
+  SAST_JAVA_VERSION: 11
 
 # The names of the stages we use
 stages:
@@ -74,7 +74,7 @@ gradle_build:
     paths:
       - build/
   script:
-    - ./gradlew --build-cache build -x test -x licenseMain -x licenseTest -x spotlessJava -x spotlessCheck
+    - gradle --build-cache build testClasses -x test -x licenseMain -x licenseTest -x spotlessJava -x spotlessCheck
 
 # Generate the pom for dependency scanning
 generate_pom:
@@ -95,7 +95,7 @@ generate_pom:
     paths:
       - pom.xml
   script:
-    - ./gradlew --build-cache generatePomFileForGeneratePomPublication
+    - gradle --build-cache generatePomFileForGeneratePomPublication
   after_script:
     - cp build/publications/generatePom/pom-*.xml pom.xml
 
@@ -125,11 +125,11 @@ gradle_test:
       junit: build/test-results/test/TEST-*.xml
       cobertura: build/reports/jacoco/test/jacocoTestReport.xml
   script:
-    - ./gradlew --build-cache test
+    - gradle --build-cache test
   after_script:
     # Rerun with none of the dependent tasks to ensure creation of the report
     # without having to recheck whether the code has compiled (it has in build cache).
-    - ./gradlew jacocoTestReport -x processResources -x compileJava -x classes --rerun-tasks
+    - gradle jacocoTestReport -x processResources -x compileJava -x classes --rerun-tasks
 
     # Print out the coverage percentage from the test report.
     - awk -F"," '{ instructions += $4 + $5; covered += $5 } END { print covered, "/", instructions, " instructions covered"; print "Code coverage:", 100*covered/instructions }' build/reports/jacoco/test/jacocoTestReport.csv || true
@@ -156,7 +156,7 @@ gradle_spotless:
       - spotless-diagnose-java/
   stage: review
   script:
-    - ./gradlew --build-cache spotlessCheck
+    - gradle --build-cache spotlessCheck
   after_script:
     - cp -r build/spotless-diagnose-java spotless-diagnose-java/
 
@@ -175,8 +175,8 @@ gradle_licenses:
         $CI_MERGE_REQUEST_ID ||
         $CI_PIPELINE_SOURCE == "push"
   script:
-    - ./gradlew --build-cache licenseMain
-    - ./gradlew --build-cache licenseTest
+    - gradle --build-cache licenseMain
+    - gradle --build-cache licenseTest
 
 
 # Publish the JAR for Queue
@@ -205,10 +205,13 @@ publish_jar:
 include:
   - template: Jobs/Code-Quality.gitlab-ci.yml
   - template: Security/DAST.gitlab-ci.yml
+  - template: Security/SAST.gitlab-ci.yml
   - template: Security/Container-Scanning.gitlab-ci.yml
   - template: Security/Dependency-Scanning.gitlab-ci.yml
   - template: Security/License-Scanning.gitlab-ci.yml
-
+  - template: Security/Secret-Detection.gitlab-ci.yml
+  - template: Verify/Accessibility.gitlab-ci.yml
+  - template: Verify/Browser-Performance.gitlab-ci.yml
 
 
 # Runs the code quality reporter
@@ -224,11 +227,9 @@ code_quality:
         $CI_MERGE_REQUEST_ID
   stage: gitlab reports
 
-# Runs the SAST reporter manually
-# (there was a problem with running this from the template with Java 11,
-#  even though it should have been configured)
 sast:
   extends:
+    - .build_cached
     - .gitlab_reporter
   rules:
     - if: $CI_PIPELINE_SOURCE == "trigger" ||
@@ -238,30 +239,25 @@ sast:
         $CI_COMMIT_BRANCH == "development" ||
         $CI_MERGE_REQUEST_ID
   stage: gitlab reports
-  image: docker:stable
-  variables:
-    DOCKER_DRIVER: overlay2
   allow_failure: true
-  services:
-    - docker:stable-dind
-  script:
-    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
-    - docker run
-      --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}"
-      --env SAST_DEFAULT_ANALYZERS=spotbugs
-      --env SAST_JAVA_VERSION=11
-      --volume "$PWD:/code"
-      --volume /var/run/docker.sock:/var/run/docker.sock
-      "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
-  artifacts:
-    reports:
-      sast: gl-sast-report.json
+
+secret_detection:
+  extends:
+    - .gitlab_reporter
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "trigger" ||
+        $CI_MERGE_REQUEST_EVENT_TYPE == "merge_train"
+      when: never
+    - if: $CI_COMMIT_BRANCH == "master" ||
+        $CI_COMMIT_BRANCH == "development" ||
+        $CI_MERGE_REQUEST_ID
+  stage: gitlab reports
+
 
 # Run the DAST security checks and reporter.
 # Currently set to manual as it requires a test environment to be up and running.
 dast:
   extends:
-    - .build_cached
     - .gitlab_reporter
   rules:
     - if: $CI_PIPELINE_SOURCE == "trigger" ||
@@ -269,12 +265,43 @@ dast:
       when: never
     - if: $CI_COMMIT_BRANCH == "master" ||
         $CI_COMMIT_BRANCH == "development"
+      when: manual
   stage: gitlab reports
   tags:
     - longJob
   variables:
     DAST_VERSION: latest
 
+# Accessibility testing
+a11y:
+  extends:
+    - .gitlab_reporter
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "trigger" ||
+        $CI_MERGE_REQUEST_EVENT_TYPE == "merge_train"
+      when: never
+    - if: $CI_COMMIT_BRANCH == "master" ||
+        $CI_COMMIT_BRANCH == "development"
+      when: manual
+  stage: gitlab reports
+  variables:
+    ally_urls: "https://queue.tudelft.nl"
+
+# Accessibility testing
+performance:
+  extends:
+    - .gitlab_reporter
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "trigger" ||
+        $CI_MERGE_REQUEST_EVENT_TYPE == "merge_train"
+      when: never
+    - if: $CI_COMMIT_BRANCH == "master" ||
+        $CI_COMMIT_BRANCH == "development"
+      when: manual
+  stage: gitlab reports
+  variables:
+    URL: "https://queue.tudelft.nl"
+
 # Run the container scanning security checks.
 # Currently set to manual because we do not believe it adds anything to the current
 # setup of Queue.
@@ -337,4 +364,6 @@ license_scanning:
     - rm build.gradle* gradlew gradlew.bat
   variables:
     MAVEN_CLI_OPTS: -q -Dmaven.main.skip -Dmaven.test.skip -DskipTests --batch-mode
+    ASDF_JAVA_VERSION: 11
     LM_JAVA_VERSION: 11
+

.gitlab/CODEOWNERS

@@ -7,10 +7,10 @@ LICENSE @otto
 LICENSE.header @otto
 
 # Files that should be looked at by more experienced developers
-/src/ @EIP-devs @Senior-devs
+/src/ @Senior-devs
 CONTRIBUTING.md @EIP-devs @Senior-devs
 README.md @EIP-devs @Senior-devs
 
 # potentially scary changes in here should be covered by the special automagic approval rules
-build.gradle @EIP-devs @Senior-devs
+build.gradle.kts @EIP-devs @Senior-devs
 

build.gradle.kts

@@ -74,7 +74,6 @@ plugins {
 
     // Plugin for checking license headers within our code and files.
     id("com.github.hierynomus.license").version("0.15.0")
-    id("com.github.hierynomus.license-report").version("0.15.0")
 
     // Plugin for checking security issues in dependencies of this project.
     id("org.owasp.dependencycheck").version("5.3.0") apply false
@@ -381,9 +380,11 @@ dependencies {
 	/////// Test dependencies ///////
 	testImplementation("org.springframework.boot", "spring-boot-starter-test", springBootVersion) {
 		exclude("junit", "junit")
+		exclude("org.junit.vintage", "junit-vintage-engine")
 	}
 	testImplementation("org.springframework.security", "spring-security-test", "5.1.9.RELEASE") {
 		exclude("junit", "junit")
+		exclude("org.junit.vintage", "junit-vintage-engine")
 	}
 	testImplementation("org.junit.jupiter:junit-jupiter:5.6.2")
 	testImplementation("org.mockito:mockito-junit-jupiter:3.3.3")

gradle/wrapper/gradle-wrapper.properties

 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-5.6.4-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-6.5.1-bin.zip
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists