[isar-cip-core v1 1/3] .gitlab-ci.yml: Add cve-check stage in CI

[Sai.Sathujoda@toshiba-tsip.com]

From: Sai Sathujoda <Sai.Sathujoda@toshiba-tsip.com>

The cve-check uses the dpkg-status file to get the latest CVE
report using the cve_checker.py script in debian-cve-checker
container. The dpkg-status file will also be deployed to aws s3
bucket along with the targets whose deployment is enabled.

Signed-off-by: Sai Sathujoda <Sai.Sathujoda@toshiba-tsip.com>
---
 .gitlab-ci.yml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 1de6570..c838a81 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -29,6 +29,7 @@ variables:
 stages:
   - build
   - test
+  - cve-check
 
 default:
   before_script:
@@ -48,6 +49,7 @@ default:
     - large
   variables:
     base_yaml: "kas-cip.yml:kas/board/${target}.yml"
+    dpkg_status: "cip-core-image-*.dpkg_status"
   script:
     - if [ "${use_rt}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/rt.yml"; fi
     - if [ "${extension}" != "none" ]; then base_yaml="${base_yaml}:kas/opt/${extension}.yml"; fi
@@ -60,9 +62,17 @@ default:
     - if [ "${encrypt}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/encrypt-partitions.yml"; fi
     - echo "Building ${base_yaml}"
     - kas build ${base_yaml}
-    - if [ "${deploy}" = "enable" ]; then scripts/deploy-cip-core.sh ${release} ${target} ${extension} ${dtb} ${CI_COMMIT_REF_SLUG}; fi
+    - if [ "${deploy}" = "enable" ]; then scripts/deploy-cip-core.sh ${release} ${target} ${extension} ${dtb} ${CI_COMMIT_REF_SLUG} ${dpkg_status}; fi
     - if [ "${deploy_kernelci}" = "enable" ]; then scripts/deploy-kernelci.py ${release} ${target} ${extension} ${dtb}; fi
 
+cve-checks:
+  stage: cve-check
+  image: registry.gitlab.com/cip-playground/debian-cve-checker:latest
+  script:
+    - scripts/run-cve-checks.sh
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_JOB_NAME == "cve-checks"
+
 # base image
 build:simatic-ipc227e-base:
   extends:
-- 
2.30.2