diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 8d5a93e918cb7241401449672ca02083168f8085..295746ef49c354717bc75d098db0dc8622f9559e 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -83,11 +83,12 @@ sqa:
 name: "git.gfz-potsdam.de:5000/id2/software/services/fair/software-quality-assurance/software-quality-assurance:latest"
 entrypoint: [""]
 script:
- - sqa --repository_dir "$CI_PROJECT_DIR" run
+ - sqa --repository_dir "$CI_PROJECT_DIR" run -r -lli -lla -la -c
 only:
 refs:
 - master
 - enhancement/add_sqa
+ - 17-initially-set-up-sqa
 artifacts:
 paths:
 - QUALITY.md
diff --git a/.sqa/check_credentials/gitleaks_config.toml b/.sqa/check_credentials/gitleaks_config.toml
new file mode 100644
index 0000000000000000000000000000000000000000..b8bbcac99ac7755e92d905ab799f30bc3a1e0f38
--- /dev/null
+++ b/.sqa/check_credentials/gitleaks_config.toml
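Review bot: The new flags `-r -lli -lla -la -c` on the `sqa … run` line are opaque to anyone reading the pipeline later; add a comment above `script:` spelling out what each short option enables (taken from the tool's own `--help`), or use the long-form options if `sqa` accepts them. Adding `17-initially-set-up-sqa` to `only.refs` looks like a temporary trigger for this issue branch; consider removing it before merge so the ref list does not accumulate stale branch names. The job runs a credential scanner from an image pinned only by the `:latest` tag (unchanged context line), so results are not reproducible from run to run; pinning a digest would be a worthwhile follow-up.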
@@ -0,0 +1,111 @@
+
+title = "gitleaks config"
+[[rules]]
+ description = "AWS Manager ID"
+ regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
+ tags = ["key", "AWS"]
+[[rules]]
+ description = "AWS Secret Key"
+ regex = '''(?i)aws(.{0,20})?(?-i)['\"][0-9a-zA-Z\/+]{40}['\"]'''
+ tags = ["key", "AWS"]
+[[rules]]
+ description = "AWS MWS key"
+ regex = '''amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'''
+ tags = ["key", "AWS", "MWS"]
+[[rules]]
+ description = "Facebook Secret Key"
+ regex = '''(?i)(facebook|fb)(.{0,20})?(?-i)['\"][0-9a-f]{32}['\"]'''
+ tags = ["key", "Facebook"]
+[[rules]]
+ description = "Facebook Client ID"
+ regex = '''(?i)(facebook|fb)(.{0,20})?['\"][0-9]{13,17}['\"]'''
+ tags = ["key", "Facebook"]
+[[rules]]
+ description = "Twitter Secret Key"
+ regex = '''(?i)twitter(.{0,20})?[0-9a-z]{35,44}'''
+ tags = ["key", "Twitter"]
+[[rules]]
+ description = "Twitter Client ID"
+ regex = '''(?i)twitter(.{0,20})?[0-9a-z]{18,25}'''
+ tags = ["client", "Twitter"]
+[[rules]]
+ description = "Github"
+ regex = '''(?i)github(.{0,20})?(?-i)[0-9a-zA-Z]{35,40}'''
+ tags = ["key", "Github"]
+[[rules]]
+ description = "LinkedIn Client ID"
+ regex = '''(?i)linkedin(.{0,20})?(?-i)[0-9a-z]{12}'''
+ tags = ["client", "LinkedIn"]
+[[rules]]
+ description = "LinkedIn Secret Key"
+ regex = '''(?i)linkedin(.{0,20})?[0-9a-z]{16}'''
+ tags = ["secret", "LinkedIn"]
+[[rules]]
+ description = "Slack"
+ regex = '''xox[baprs]-([0-9a-zA-Z]{10,48})?'''
+ tags = ["key", "Slack"]
+[[rules]]
+ description = "Asymmetric Private Key"
+ regex = '''-----BEGIN ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----'''
+ tags = ["key", "AsymmetricPrivateKey"]
+[[rules]]
+ description = "Google API key"
+ regex = '''AIza[0-9A-Za-z\\-_]{35}'''
+ tags = ["key", "Google"]
+[[rules]]
+ description = "Google (GCP) Service Account"
+ regex = '''"type": "service_account"'''
+ tags = ["key", "Google"]
+[[rules]]
+ description = "Heroku API key"
+ regex = '''(?i)heroku(.{0,20})?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'''
+ tags = ["key", "Heroku"]
+[[rules]]
+ description = "MailChimp API key"
+ regex = '''(?i)(mailchimp|mc)(.{0,20})?[0-9a-f]{32}-us[0-9]{1,2}'''
+ tags = ["key", "Mailchimp"]
+[[rules]]
+ description = "Mailgun API key"
+ regex = '''((?i)(mailgun|mg)(.{0,20})?)?key-[0-9a-z]{32}'''
+ tags = ["key", "Mailgun"]
+[[rules]]
+ description = "PayPal Braintree access token"
+ regex = '''access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}'''
+ tags = ["key", "Paypal"]
+[[rules]]
+ description = "Picatic API key"
+ regex = '''sk_live_[0-9a-z]{32}'''
+ tags = ["key", "Picatic"]
+[[rules]]
+ description = "SendGrid API Key"
+ regex = '''SG\.[\w_]{16,32}\.[\w_]{16,64}'''
+ tags = ["key", "SendGrid"]
+[[rules]]
+ description = "Slack Webhook"
+ regex = '''https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}'''
+ tags = ["key", "slack"]
+[[rules]]
+ description = "Stripe API key"
+ regex = '''(?i)stripe(.{0,20})?[sr]k_live_[0-9a-zA-Z]{24}'''
+ tags = ["key", "Stripe"]
+[[rules]]
+ description = "Square access token"
+ regex = '''sq0atp-[0-9A-Za-z\-_]{22}'''
+ tags = ["key", "square"]
+[[rules]]
+ description = "Square OAuth secret"
+ regex = '''sq0csp-[0-9A-Za-z\\-_]{43}'''
+ tags = ["key", "square"]
+[[rules]]
+ description = "Twilio API key"
+ regex = '''(?i)twilio(.{0,20})?SK[0-9a-f]{32}'''
+ tags = ["key", "twilio"]
+[[rules]]
+ description = "Generic Credential"
+ regex = '''(?i)(dbpasswd|dbuser|dbname|dbhost|api_key|apikey|secret|key|api|password|user|guid|hostname|pw|auth)(.{0,20})?['|"]([0-9a-zA-Z-_\/+!{}/=]{4,120})['|"]'''
+ tags = ["key", "API", "generic"]
+ [rules.allowlist]
+ regexes = ['''keyword''', '''AUTHORITY\[\"EPSG\"''', '''apinfo''', '''KeyError''', '''key \'pos\' ''']
+[allowlist]
+ description = "Allowlisted files"
+ files = ['''.*gitleaks_config.toml$''', '''(.*?)(jpg|gif|doc|pdf|bin)$''', '''(go.mod|go.sum)$''']
diff --git a/.sqa/list_used_licenses/config.yml b/.sqa/list_used_licenses/config.yml
new file mode 100644
index 0000000000000000000000000000000000000000..4594a2af59723b573e51957c8d3272186a126424
--- /dev/null
+++ b/.sqa/list_used_licenses/config.yml
@@ -0,0 +1,27 @@
+
+# META
+# valid names for programming languages
+# ['Python',
+# 'Node']
+
+
+# OPTIONAL, files, paths to exclude from analyzing licenses
+# non-programming language files should go here
+#exclude:
+# - ''
+manual dependency config:
+ # MANDATORY, the name of the programming language the library is used in
+ Python:
+ # MANDATORY, sometimes the name to import differs from the name to download via a pkg-manager
+ # therefore the matching can be done here, if it cannot be resolved by a pkg manager
+ - import name: 'setuptools'
+ pkg name: 'setuptools'
+ # OPTIONAL, if the dependency is a local import (part of your software) you should ignore it,
+ # because is has no license
+ ignore: True
+ # OPTIONAL, it is possible to use two different versions of a dependency - you can set the version here
+ #version: ''
+ # OPTIONAL, it is common, that the pkg repositories do not know the license(s) for a package
+ # you can give assign it here
+ #licenses:
+ # - ''
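Review bot: The only entry under `manual dependency config` sets `ignore: True` on `setuptools`, while the comment directly above says `ignore` is for local imports that have no license; `setuptools` is a third-party package, so either the comment or the entry is misleading, and a one-line comment on the entry saying why it is excluded (for example `# build-time dependency only, not shipped with the software` if that is the reason) would keep the license report honest. The explanatory comments also carry typos worth fixing in the same file: `because is has no license` → `because it has no license`, and `you can give assign it here` → `you can assign it here`. Indentation cannot be judged from this rendering, so the intended nesting (`Python:` holding a list of mappings) is assumed rather than verified.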