Invoke mend scan for sonar-text-dotnet (#105)

csaba-sagi-sonarsource · web-flow · commit 5bb1912b706a · 2023-02-10T12:02:07.000+01:00
diff --git a/.cirrus.yml b/.cirrus.yml
@@ -151,7 +151,8 @@ build_and_release_dotnet_task:
     BUILD_CONFIGURATION: "Release"
     PROJECT_DIR: ${CIRRUS_WORKING_DIR}\\sonar-text-dotnet
     PIPELINE_SCRIPTS_DIR: ${PROJECT_DIR}\\pipeline_scripts
-    PROJECT_NAME: "sonar-secrets-dotnet"
+    PROJECT_KEY: "sonar-secrets-dotnet"
+    PROJECT_NAME: "sonar-text-dotnet"
     SNK_PATH: ${CIRRUS_WORKING_DIR}\\SonarSourceSecret.snk
     ENCODED_SONARSOURCE_SNK: VAULT[development/team/languages/kv/data/strong_named_key data.SonarSourceSecret_snk]
     ENCODED_SONARSOURCE_SNK_PATH: ${CIRRUS_WORKING_DIR}\\Encoded_SonarSourceSecret.snk
@@ -161,6 +162,8 @@ build_and_release_dotnet_task:
     ENCODED_PFX_CERT: VAULT[development/kv/data/sign/dotnet data.cert_pfx]
     ENCODED_PFX_CERT_PATH: ${CIRRUS_WORKING_DIR}\\Encoded_SonarSource-2021-2023.pfx
     ARTIFACTORY_BUILD_NAME: "sonar-text-dotnet" # artifactory dotnet build name
+    WS_APIKEY: VAULT[development/kv/data/mend data.apikey]
+    WS_PRODUCTNAME: "SonarSource/sonar-text"
   sign_cert_pfx_file:
     path: ${ENCODED_PFX_CERT_PATH}
     variable_name: ENCODED_PFX_CERT
@@ -185,6 +188,8 @@ build_and_release_dotnet_task:
   analysis_end_step_script:
     - cd $PROJECT_DIR
     - ps: SonarScanner.MSBuild.exe end /d:sonar.login="$env:SONAR_TOKEN"
+  execute_mend_scan_script:
+    - PowerShell -NonInteractive -NoProfile -File "${PIPELINE_SCRIPTS_DIR}\\mend_scan.ps1"
   promote_script:
     - source cirrus-env QA
     - PowerShell -NonInteractive -NoProfile -File "${PIPELINE_SCRIPTS_DIR}\\promote.ps1"
diff --git a/sonar-text-dotnet/pipeline_scripts/analysis_begin_step.ps1 b/sonar-text-dotnet/pipeline_scripts/analysis_begin_step.ps1
@@ -3,7 +3,7 @@ Write-Host "Reading the Sonar project version from '${versionFilePath}' ..."
 
 # Read the version from the file
 [xml]$versionProps = Get-Content "$versionFilePath"
-$sonarProjectVersion = $versionProps.Project.PropertyGroup.Version
+$sonarProjectVersion = $versionProps.Project.PropertyGroup.Version[1] # Versions is an array of objects in powershell
 Write-Host "Version: ${sonarProjectVersion}"
 
 Set-Location $env:PROJECT_DIR
@@ -12,7 +12,7 @@ if ([string]::IsNullOrEmpty($env:CIRRUS_PR)) {
     Write-Host "Execute analysis begin step for master branch"
 
     SonarScanner.MSBuild.exe begin `
-        /k:$env:PROJECT_NAME `
+        /k:$env:PROJECT_KEY `
         /n:$env:PROJECT_NAME `
         /v:$sonarProjectVersion `
         /d:sonar.host.url=$env:SONAR_HOST_URL `
@@ -23,7 +23,7 @@ else {
     Write-Host "Execute analysis begin step on branch $env:CIRRUS_BRANCH"
 
     SonarScanner.MSBuild.exe begin `
-        /k:$env:PROJECT_NAME `
+        /k:$env:PROJECT_KEY `
         /n:$env:PROJECT_NAME `
         /v:$sonarProjectVersion `
         /d:sonar.host.url=$env:SONAR_HOST_URL `
diff --git a/sonar-text-dotnet/pipeline_scripts/mend_scan.ps1 b/sonar-text-dotnet/pipeline_scripts/mend_scan.ps1
@@ -0,0 +1,78 @@
+function Get-Version {
+  $versionFilePath = Join-Path $env:PROJECT_DIR "Directory.Build.props"
+  Write-Host "Reading the Sonar project version from '${versionFilePath}' ..."
+  # Read the version from the file
+  [xml]$versionProps = Get-Content "$versionFilePath"
+  return $versionProps.Project.PropertyGroup.Version[1] # Versions is an array of objects in powershell
+}
+
+if ("$env:CIRRUS_BRANCH" -ne "master" -and (-not ("$env:CIRRUS_BRANCH".startsWith("branch-"))))
+{
+  Exit 0
+}
+
+Set-Location $env:PROJECT_DIR
+Write-host "Create tools directory"
+$toolsPath = "C:\tools"
+if (-Not [System.IO.Directory]::Exists($toolsPath)){
+  New-Item -Path "C:\" -Name "tools" -ItemType "directory"
+}
+
+$NUM_RETRIES = 5
+for ($num = 1 ; $num -le $NUM_RETRIES ; $num++)
+{
+  try
+  {
+    Write-host "Download Mend tool, attempt $num/$NUM_RETRIES"
+    $MendAgentPath = Join-Path $toolsPath "wss-unified-agent.jar"
+    Invoke-WebRequest -Uri https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar -OutFile $MendAgentPath
+    break
+  }
+  catch
+  {
+    if ([System.IO.File]::Exists($MendAgentPath))
+    {
+      Remove-Item -Path $MendAgentPath
+    }
+    Write-host "Download failed with error: $_"
+
+    if($num -lt $NUM_RETRIES)
+    {
+      Write-host "Will wait 5s before retry."
+      Start-Sleep -Seconds 5
+    }
+  }
+}
+
+Write-Host "Validating Mend agent jar signature..."
+& "$env:JAVA_HOME\bin\jarsigner.exe" -verify -strict -verbose $MendAgentPath
+if (-Not $?) # if result is "jar is unsigned" exit code is false, otherwise it's true.
+{
+  Write-Host "wss-unified-agent.jar signature verification failed."
+  exit 1
+}
+
+Write-Host "Download wss-unified-agent.jar.sha256 file"
+$shaPath = Join-Path $toolsPath "wss-unified-agent.jar.sha256"
+Invoke-WebRequest -Uri https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256 -OutFile $shaPath
+if (-Not (Test-Path -Path $shaPath)){
+  Write-Host "wss-unified-agent.jar.sha256 file does not exist - cannot complete signature verification."
+  exit 1
+}
+
+Write-Host "Validating Mend agent jar hash..."
+if (-Not (Get-Content $shaPath).split(" ")[0] -eq (Get-FileHash $MendAgentPath).Hash)
+{
+    Write-Host "Failed to verify jar hash".
+    exit 1
+}
+
+# Mend agent needs the following environment variables:
+# - WS_APIKEY
+# - WS_PRODUCTNAME
+# - WS_PROJECTNAME
+
+$env:WS_PROJECTNAME = "SonarSource/$env:PROJECT_NAME $(Get-Version)"
+
+Write-Host "Running the Mend unified agent for $env:WS_PROJECTNAME..."
+& "$env:JAVA_HOME\bin\java.exe" -jar $MendAgentPath -c "$PSScriptRoot\wss-unified-agent.config"
diff --git a/sonar-text-dotnet/pipeline_scripts/wss-unified-agent.config b/sonar-text-dotnet/pipeline_scripts/wss-unified-agent.config
@@ -0,0 +1,19 @@
+# Mend config for the .NET secrets implementation.
+# Documentation: https://docs.mend.io/bundle/unified_agent/page/unified_agent_configuration_parameters.html
+
+# Exclude tests - only scan product code
+excludes=src/IntegrationTests/** src/SonarLint.Secrets.DotNet.UnitTests/**
+fileSystemScan=False
+resolveAllDependencies=True
+
+nuget.resolvePackagesConfigFiles=True
+nuget.resolveDependencies=True
+nuget.preferredEnvironment=nuget
+nuget.runPreStep=True
+
+wss.url=https://saas-eu.whitesourcesoftware.com/agent
+
+updateEmptyProject=True
+forceUpdate=True
+checkPolicies=True
+forceUpdate.failBuildOnPolicyViolation=True
diff --git a/wss-unified-agent.config b/wss-unified-agent.config
@@ -1,6 +1,6 @@
 # WhiteSource documentation https://whitesource.atlassian.net/wiki/spaces/WD/pages/1544880156/Unified+Agent+Configuration+Parameters
 
-excludes=**/*sources.jar **/*javadoc.jar its/projects/**
+excludes=**/*sources.jar **/*javadoc.jar its/projects/** sonar-secrets-dotnet/**
 fileSystemScan=False
 resolveAllDependencies=False
 
