Merge pull request #316 from vitalykorolev/MLE-19837_add-blackduck-scan

vitalykorolev · web-flow · commit f7ebb6910992 · 2025-05-21T09:29:56.000-07:00
MLE-19837 add blackduck scan
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -6,7 +6,7 @@
 import groovy.json.JsonSlurperClassic
 
 emailList = 'vitaly.korolev@progress.com, sumanth.ravipati@progress.com, peng.zhou@progress.com, fayez.saliba@progress.com, barkha.choithani@progress.com, romain.winieski@progress.com'
-emailSecList = 'Rangan.Doreswamy@progress.com, Mahalakshmi.Srinivasan@progress.com'
+emailSecList = 'Mahalakshmi.Srinivasan@progress.com'
 gitCredID = 'marklogic-builder-github'
 JIRA_ID = ''
 JIRA_ID_PATTERN = /(?i)(MLE)-\d{3,6}/
@@ -103,7 +103,7 @@ def getReviewState() {
     return reviewState
 }
 
-void resultNotification(message) {
+void resultNotification(status) {
     def author, authorEmail, emailList
     if (env.CHANGE_AUTHOR) {
         author = env.CHANGE_AUTHOR.toString().trim().toLowerCase()
@@ -117,11 +117,11 @@ void resultNotification(message) {
     jira_email_body = "${email_body} <br><br><b>Jira URL: </b><br><a href='${jira_link}'>${jira_link}</a>"
 
     if (JIRA_ID) {
-        def comment = [ body: "Jenkins pipeline build result: ${message}" ]
+        def comment = [ body: "Jenkins pipeline build result: ${status}" ]
         jiraAddComment site: 'JIRA', idOrKey: JIRA_ID, failOnError: false, input: comment
-        mail charset: 'UTF-8', mimeType: 'text/html', to: "${emailList}", body: "${jira_email_body}", subject: "${message}: ${env.JOB_NAME} #${env.BUILD_NUMBER} - ${JIRA_ID}"
+        mail charset: 'UTF-8', mimeType: 'text/html', to: "${emailList}", body: "${jira_email_body}", subject: "🥷 ${status}: ${env.JOB_NAME} #${env.BUILD_NUMBER} - ${JIRA_ID}"
     } else {
-        mail charset: 'UTF-8', mimeType: 'text/html', to: "${emailList}", body: "${email_body}", subject: "${message}: ${env.JOB_NAME} #${env.BUILD_NUMBER}"
+        mail charset: 'UTF-8', mimeType: 'text/html', to: "${emailList}", body: "${email_body}", subject: "🥷 ${status}: ${env.JOB_NAME} #${env.BUILD_NUMBER}"
     }
 }
 
@@ -147,6 +147,11 @@ void imageScan() {
     }
 
     sh '''rm -f dep-image-scan.txt'''
+
+    // trigger BlackDuck scan
+    def rawImageList = readFile(file: 'helm_image.list').trim()
+    def imageList = rawImageList.endsWith(',') ? rawImageList[0..-2] : rawImageList
+    build job: 'securityscans/Blackduck/KubeNinjas/kubernetes-helm', wait: false, parameters: [ string(name: 'branch', value: "${env.BRANCH_NAME}"), string(name: 'CONTAINER_IMAGES', value: "${imageList}") ]
 }
 
 void publishTestResults() {
@@ -261,13 +266,16 @@ pipeline {
             sh "rm -rf $WORKSPACE/test/test_results/"
         }
         success {
-            resultNotification('BUILD SUCCESS ✅')
+            resultNotification('✅ Success')
         }
         failure {
-            resultNotification('BUILD ERROR ❌')
+            resultNotification('❌ Failure')
         }
         unstable {
-            resultNotification('BUILD UNSTABLE ❌')
+            resultNotification('⚠️ Unstable')
+        }
+        aborted {
+            resultNotification('🚫 Aborted')
         }
     }
 }
diff --git a/makefile b/makefile
@@ -233,8 +233,10 @@ upgrade-test: prepare
 .PHONY: image-scan
 image-scan:
 
+	@rm -f helm_image.list dep-image-scan.txt
 	@echo "=====Scan dependent Docker images in charts/values.yaml" $(if $(saveOutput), | tee -a dep-image-scan.txt,)
 	@for depImage in $(shell grep -E "^\s*\bimage:\s+(.*)" charts/values.yaml | sed 's/image: //g' | sed 's/"//g'); do\
+		echo -n "$${depImage}," >> helm_image.list ; \
 		echo "= $${depImage}:" $(if $(saveOutput), | tee -a dep-image-scan.txt,) ; \
 		docker run --rm -v /var/run/docker.sock:/var/run/docker.sock anchore/grype:latest --output json $${depImage} | jq -r '[(.matches[] | [.artifact.name, .artifact.version, .vulnerability.id, .vulnerability.severity])] | .[] | @tsv' | sort -k4 | column -t $(if $(saveOutput), | tee -a dep-image-scan.txt,);\
 		echo $(if $(saveOutput), | tee -a dep-image-scan.txt,) ;\

Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@`
`6`	`6`	`import groovy.json.JsonSlurperClassic`
`7`	`7`
`8`	`8`	`emailList = '[email protected], [email protected], [email protected], [email protected], [email protected], [email protected]'`
`9`		`-emailSecList = '[email protected], [email protected]'`
	`9`	`+emailSecList = '[email protected]'`
`10`	`10`	`gitCredID = 'marklogic-builder-github'`
`11`	`11`	`JIRA_ID = ''`
`12`	`12`	`JIRA_ID_PATTERN = /(?i)(MLE)-\d{3,6}/`
`@@ -103,7 +103,7 @@ def getReviewState() {`
`103`	`103`	`return reviewState`
`104`	`104`	`}`
`105`	`105`
`106`		`-void resultNotification(message) {`
	`106`	`+void resultNotification(status) {`
`107`	`107`	`def author, authorEmail, emailList`
`108`	`108`	`if (env.CHANGE_AUTHOR) {`
`109`	`109`	`author = env.CHANGE_AUTHOR.toString().trim().toLowerCase()`
`@@ -117,11 +117,11 @@ void resultNotification(message) {`
`117`	`117`	`jira_email_body = "${email_body} <br><br><b>Jira URL: </b><br><a href='${jira_link}'>${jira_link}</a>"`
`118`	`118`
`119`	`119`	`if (JIRA_ID) {`
`120`		`- def comment = [ body: "Jenkins pipeline build result: ${message}" ]`
	`120`	`+ def comment = [ body: "Jenkins pipeline build result: ${status}" ]`
`121`	`121`	`jiraAddComment site: 'JIRA', idOrKey: JIRA_ID, failOnError: false, input: comment`
`122`		`- mail charset: 'UTF-8', mimeType: 'text/html', to: "${emailList}", body: "${jira_email_body}", subject: "${message}: ${env.JOB_NAME} #${env.BUILD_NUMBER} - ${JIRA_ID}"`
	`122`	`+ mail charset: 'UTF-8', mimeType: 'text/html', to: "${emailList}", body: "${jira_email_body}", subject: "🥷 ${status}: ${env.JOB_NAME} #${env.BUILD_NUMBER} - ${JIRA_ID}"`
`123`	`123`	`} else {`
`124`		`- mail charset: 'UTF-8', mimeType: 'text/html', to: "${emailList}", body: "${email_body}", subject: "${message}: ${env.JOB_NAME} #${env.BUILD_NUMBER}"`
	`124`	`+ mail charset: 'UTF-8', mimeType: 'text/html', to: "${emailList}", body: "${email_body}", subject: "🥷 ${status}: ${env.JOB_NAME} #${env.BUILD_NUMBER}"`
`125`	`125`	`}`
`126`	`126`	`}`
`127`	`127`
`@@ -147,6 +147,11 @@ void imageScan() {`
`147`	`147`	`}`
`148`	`148`
`149`	`149`	`sh '''rm -f dep-image-scan.txt'''`
	`150`	`+`
	`151`	`+ // trigger BlackDuck scan`
	`152`	`+ def rawImageList = readFile(file: 'helm_image.list').trim()`
	`153`	`+ def imageList = rawImageList.endsWith(',') ? rawImageList[0..-2] : rawImageList`
	`154`	`+ build job: 'securityscans/Blackduck/KubeNinjas/kubernetes-helm', wait: false, parameters: [ string(name: 'branch', value: "${env.BRANCH_NAME}"), string(name: 'CONTAINER_IMAGES', value: "${imageList}") ]`
`150`	`155`	`}`
`151`	`156`
`152`	`157`	`void publishTestResults() {`
`@@ -261,13 +266,16 @@ pipeline {`
`261`	`266`	`sh "rm -rf $WORKSPACE/test/test_results/"`
`262`	`267`	`}`
`263`	`268`	`success {`
`264`		`- resultNotification('BUILD SUCCESS ✅')`
	`269`	`+ resultNotification('✅ Success')`
`265`	`270`	`}`
`266`	`271`	`failure {`
`267`		`- resultNotification('BUILD ERROR ❌')`
	`272`	`+ resultNotification('❌ Failure')`
`268`	`273`	`}`
`269`	`274`	`unstable {`
`270`		`- resultNotification('BUILD UNSTABLE ❌')`
	`275`	`+ resultNotification('⚠️ Unstable')`
	`276`	`+ }`
	`277`	`+ aborted {`
	`278`	`+ resultNotification('🚫 Aborted')`
`271`	`279`	`}`
`272`	`280`	`}`
`273`	`281`	`}`