CBD-4005: Various fixes for Server Black Duck scans

ceejatec · ceejatec · commit abac8d70d129 · 2021-03-24T00:19:15.000Z
* Add CONAN to excluded Black Duck detectors for Server * Add necessary replace directives to stub go.mod files * Create fake version of generated Go file * Don't prune "data" directories that contain code * Remove query-ui/n1ql_parser/package.json Change-Id: If73261e0c755d5152ddf5e23f2cb71e7aafd2a26 Reviewed-on: http://review.couchbase.org/c/build-tools/+/149288 Reviewed-by: Ming Ho <ming.ho@couchbase.com> Tested-by: Chris Hillery <ceej@couchbase.com>
diff --git a/blackduck/couchbase-server/detect-config.json b/blackduck/couchbase-server/detect-config.json
@@ -3,7 +3,7 @@
         "detect.detector.search.depth": 9,
         "detect.blackduck.signature.scanner.exclusion.name.patterns": "analytics",
         "logging.level.com.synopsys.integration": "DEBUG",
-        "detect.excluded.detector.types": "GRADLE,HEX,PEAR,PIP,NUGET",
+        "detect.excluded.detector.types": "GRADLE,HEX,PEAR,PIP,NUGET,CONAN",
         "detect.maven.included.scopes": "compile,runtime",
         "detect.maven.included.modules": "cbas-install",
         "detect.maven.build.command": "--batch-mode",
diff --git a/blackduck/couchbase-server/go-mod-replace.txt b/blackduck/couchbase-server/go-mod-replace.txt
@@ -0,0 +1,31 @@
+// These are all the necessary Go module replace directives for
+// Couchbase Server projects currently. We need to append these
+// to the corresponding "stub" go.mod files so that "go mod why"
+// (which is invoked by Black Duck when scanning the source)
+// knows where to look.
+
+replace github.com/couchbase/cbauth => ../cbauth
+
+replace github.com/couchbase/cbft => ../../../../../cbft
+
+replace github.com/couchbase/cbftx => ../../../../../cbftx
+
+replace github.com/couchbase/cbgt => ../../../../../cbgt
+
+replace github.com/couchbase/eventing-ee => ../eventing-ee
+
+replace github.com/couchbase/go-couchbase => ../go-couchbase
+
+replace github.com/couchbase/go_json => ../go_json
+
+replace github.com/couchbase/gomemcached => ../gomemcached
+
+replace github.com/couchbase/indexing => ../indexing
+
+replace github.com/couchbase/n1fty => ../n1fty
+
+replace github.com/couchbase/plasma => ../plasma
+
+replace github.com/couchbase/query => ../query
+
+replace github.com/couchbase/query-ee => ../query-ee
diff --git a/blackduck/couchbase-server/prune_source.sh b/blackduck/couchbase-server/prune_source.sh
@@ -3,6 +3,7 @@
 RELEASE=$1
 VERSION=$2
 BLD_NUM=$3
+TOOLS_DIR=$4
 
 shopt -s extglob
 
@@ -29,6 +30,9 @@ fi
 # Server doesn't use asterix's dashboard, so prune that
 rm analytics/asterixdb/asterixdb/asterix-dashboard/src/node/package.json
 
+# This is build-time only, not shipped
+rm -f query-ui/query-ui/n1ql_parser/package.json
+
 # Server doesn't use any of bleve-mapping-ui's NPM components, so eliminate them
 rm -rf godeps/src/github.com/blevesearch/bleve-mapping-ui/bower_components
 
@@ -51,7 +55,7 @@ find . -name analytics -prune -o -type d -name testdata -print0 | xargs -0 rm -r
 find . -name analytics -prune -o -type d -name gtest -print0 | xargs -0 rm -rf
 find . -name analytics -prune -o -type d -name testing -print0 | xargs -0 rm -rf
 find . -name analytics -prune -o -type d -name \*tests -print0 | xargs -0 rm -rf
-find . -name analytics -prune -o -type d -name data -print0 | xargs -0 rm -rf
+find . -name analytics -prune -o -name backup -prune -o -name indexing -prune -o -type d -name data -print0 | xargs -0 rm -rf
 find . -name analytics -prune -o -type d -name docs -print0 | xargs -0 rm -rf
 find . -name analytics -prune -o -type d -name example -print0 | xargs -0 rm -rf
 find . -name analytics -prune -o -type d -name examples -print0 | xargs -0 rm -rf
@@ -68,6 +72,20 @@ rm -rf godeps/src/golang.org/x/tools/cmd/heapview/client
 # projects' go.mod via replace directives, so we need to leave those there.
 find godeps -name 'couchbase*' -prune -o -name go.mod -print0 | xargs -0 rm -f
 
+# If we find any go.mod files with zero "require" statements, they're probably one
+# of the stub go.mod files we introduced to make other Go projects happy. Black Duck
+# still wants to run "go mod why" on them, which means they need a full set of
+# replace directives.
+for stubmod in $(find . -name go.mod \! -execdir grep --quiet require '{}' \; -print); do
+    cat ${TOOLS_DIR}/go-mod-replace.txt >> ${stubmod}
+done
+
+# Need to fake the generated go file in eventing-ee
+if [ -d goproj/src/github.com/couchbase/eventing-ee/gen ]; then
+    mkdir -p goproj/src/github.com/couchbase/eventing-ee/gen/nftp/client
+    touch goproj/src/github.com/couchbase/eventing-ee/gen/nftp/client/evaluator.pb.go
+fi
+
 # Remove all msvc, vcs* window projects
 WIN='example *msvc* *vcproj* *vcxproj* visual vstudio dot_net_example example csharp vc7ide'
 for windir in ${WIN}; do
diff --git a/blackduck/jenkins/detect-scan/blackduck-detect-scan.sh b/blackduck/jenkins/detect-scan/blackduck-detect-scan.sh
@@ -63,7 +63,9 @@ find . -name .repo -print0 | xargs -0 rm -rf
 
 # Product-specific script for pruning unwanted sources
 if [ -x "${WORKSPACE}/build-tools/blackduck/${PRODUCT}/prune_source.sh" ]; then
-  "${WORKSPACE}/build-tools/blackduck/${PRODUCT}/prune_source.sh" ${RELEASE} ${VERSION} ${BLD_NUM}
+  "${WORKSPACE}/build-tools/blackduck/${PRODUCT}/prune_source.sh" \
+      ${RELEASE} ${VERSION} ${BLD_NUM} \
+      "${WORKSPACE}/build-tools/blackduck/${PRODUCT}"
 fi
 
 # Product-specific config for Synopsys Detect
