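// Example Jenkinsfile with SIG Security Scan that implements:
// - Black Duck INTELLIGENT scan on pushes and RAPID scan on PRs to "important" branches
// - Coverity on Polaris FULL scan on pushes and PRs to "important" branches
//
// The sh scripts below are single-quoted (''') Groovy strings, so "$VAR" is expanded by the
// shell at run time rather than by Groovy while the script text is being built. Groovy-side
// interpolation (the """ form) would (a) paste the withCredentials secrets into the command
// text handed to sh, which Jenkins itself warns about as insecure, and (b) splice
// user-influenced values such as BRANCH_NAME and CHANGE_AUTHOR into the command line
// unquoted, which is a shell-injection path. Every variable referenced in the scripts is an
// environment variable inside the sh step (pipeline environment {}, Jenkins built-ins, or
// withCredentials bindings), so the shell sees the same values Groovy would have.
pipeline {
    agent { label 'linux64' }
    environment {
        // production branches on which we want security reports
        PRODUCTION = "${env.BRANCH_NAME ==~ /^(stage|release)$/ ? 'true' : 'false'}"
        // full scan on pushes to important branches
        FULLSCAN = "${env.BRANCH_NAME ==~ /^(main|master|develop|stage|release)$/ ? 'true' : 'false'}"
        // PR scan on pull requests to important branches
        PRSCAN = "${env.CHANGE_TARGET ==~ /^(main|master|develop|stage|release)$/ ? 'true' : 'false'}"
        // extract REPO_NAME from GIT_URL
        REPO_NAME = "${env.GIT_URL.tokenize('/.')[-2]}"
        // Bridge CLI download URL
        // NOTE(review): "latest" is unpinned and the archive is executed without an integrity
        // check; pinning a release and verifying a published checksum would narrow the
        // supply-chain exposure of the download steps below (same applies to polaris_cli).
        BRIDGECLI_LINUX64 = 'https://sig-repo.synopsys.com/artifactory/bds-integrations-release/com/synopsys/integration/synopsys-bridge/latest/synopsys-bridge-linux64.zip'
    }
    tools {
        maven 'maven-3.9'
        jdk 'openjdk-17'
    }
    stages {
        stage('Build') {
            steps {
                sh 'mvn -B compile'
            }
        }
        stage('Test') {
            steps {
                sh 'mvn -B test'
            }
        }
        stage('Scan') {
            parallel {
                stage('Black Duck Full Scan') {
                    when { environment name: 'FULLSCAN', value: 'true' }
                    environment {
                        DETECT_PROJECT_NAME = "$REPO_NAME"
                        DETECT_PROJECT_VERSION_NAME = "$BRANCH_NAME"
                        DETECT_CODE_LOCATION_NAME = "$REPO_NAME-$BRANCH_NAME"
                        DETECT_RISK_REPORT_PDF = "${env.PRODUCTION == 'true' ? 'true' : 'false'}"
                        DETECT_EXCLUDED_DETECTOR_TYPES = 'GIT'
                    }
                    steps {
                        withCredentials([string(credentialsId: 'testing.blackduck.synopsys.com', variable: 'BRIDGE_BLACKDUCK_TOKEN')]) {
                            script {
                                // 'def' keeps the exit status local to this branch; an undeclared
                                // assignment is a script-binding variable shared by all four
                                // parallel scan stages, so one branch could read another's status.
                                def status = sh returnStatus: true, script: '''
                                    curl -fLsS -o bridge.zip "$BRIDGECLI_LINUX64" && unzip -qo -d "$WORKSPACE_TMP" bridge.zip && rm -f bridge.zip
                                    "$WORKSPACE_TMP/synopsys-bridge" --verbose --stage blackduck \
                                        blackduck.url="$BLACKDUCK_URL" \
                                        blackduck.scan.failure.severities='BLOCKER' \
                                        blackduck.scan.full='true'
                                '''
                                // exit status 8 is treated as a policy violation: build goes UNSTABLE but
                                // continues; any other non-zero status is a scan failure and fails the build
                                if (status == 8) { unstable 'policy violation' }
                                else if (status != 0) { error 'scan failure' }
                            }
                        }
                    }
                }
                stage('Black Duck PR Scan') {
                    // Bridge CLI PR comments currently not supported from Jenkins - see INTEGRATE-23
                    when { environment name: 'PRSCAN', value: 'true' }
                    environment {
                        DETECT_PROJECT_NAME = "$REPO_NAME"
                        DETECT_PROJECT_VERSION_NAME = "$CHANGE_TARGET"
                        DETECT_CODE_LOCATION_NAME = "$REPO_NAME-$CHANGE_TARGET"
                        DETECT_EXCLUDED_DETECTOR_TYPES = 'GIT'
                        BRIDGE_ENVIRONMENT_SCAN_PULL = 'true'
                    }
                    steps {
                        withCredentials([string(credentialsId: 'testing.blackduck.synopsys.com', variable: 'BRIDGE_BLACKDUCK_TOKEN'),
                                         string(credentialsId: 'github-pat', variable: 'GITHUB_TOKEN')]) {
                            script {
                                // NOTE(review): CHANGE_AUTHOR is the PR author, which for a PR from a
                                // fork is not the owner of the repository being scanned — confirm this
                                // is the value the github.repository.owner.name key expects.
                                // NOTE(review): github.user.token is still passed as a command-line
                                // argument (visible in process listings on the agent); the
                                // BRIDGE_BLACKDUCK_TOKEN / BRIDGE_ENVIRONMENT_SCAN_PULL naming used in
                                // this file suggests Bridge also reads keys from the environment —
                                // verify and prefer that for the GitHub token.
                                def status = sh returnStatus: true, script: '''
                                    curl -fLsS -o bridge.zip "$BRIDGECLI_LINUX64" && unzip -qo -d "$WORKSPACE_TMP" bridge.zip && rm -f bridge.zip
                                    "$WORKSPACE_TMP/synopsys-bridge" --verbose --stage blackduck \
                                        blackduck.url="$BLACKDUCK_URL" \
                                        blackduck.scan.full='false' \
                                        blackduck.automation.prcomment='true' \
                                        github.repository.branch.name="$BRANCH_NAME" \
                                        github.repository.name="$REPO_NAME" \
                                        github.repository.owner.name="$CHANGE_AUTHOR" \
                                        github.repository.pull.number="$CHANGE_ID" \
                                        github.user.token="$GITHUB_TOKEN"
                                '''
                                if (status == 8) { unstable 'policy violation' }
                                else if (status != 0) { error 'scan failure' }
                            }
                        }
                    }
                }
                stage('Coverity on Polaris Full Scan') {
                    when { environment name: 'FULLSCAN', value: 'true' }
                    steps {
                        withCredentials([string(credentialsId: 'sipse.polaris.synopsys.com', variable: 'POLARIS_ACCESS_TOKEN')]) {
                            script {
                                def status = sh returnStatus: true, script: '''
                                    curl -fLOsS "$POLARIS_SERVER_URL/api/tools/polaris_cli-linux64.zip"
                                    unzip -qo -d "$WORKSPACE_TMP" -jo polaris_cli-linux64.zip && rm -f polaris_cli-linux64.zip
                                    "$WORKSPACE_TMP/polaris" --co project.name="$REPO_NAME" analyze -w
                                    # simple quality gate for critical and high impact issues; more advanced filtering requires an API script
                                    issues=$(jq '[.issueSummary.issuesBySeverity|.critical,.high]|add' .synopsys/polaris/cli-scan.json)
                                    # fail closed: a missing or non-numeric count trips the gate instead of
                                    # silently passing (a failed test inside "if [ ... ]" leaves the script at status 0)
                                    [ "$issues" -eq 0 ] || exit 8
                                '''
                                if (status == 8) { unstable 'policy violation' }
                                else if (status != 0) { error 'scan failure' }
                            }
                        }
                    }
                }
                stage('Coverity on Polaris PR Scan') {
                    when { environment name: 'PRSCAN', value: 'true' }
                    steps {
                        withCredentials([string(credentialsId: 'sipse.polaris.synopsys.com', variable: 'POLARIS_ACCESS_TOKEN')]) {
                            script {
                                def status = sh returnStatus: true, script: '''
                                    curl -fLOsS "$POLARIS_SERVER_URL/api/tools/polaris_cli-linux64.zip"
                                    unzip -qo -d "$WORKSPACE_TMP" -jo polaris_cli-linux64.zip && rm -f polaris_cli-linux64.zip
                                    "$WORKSPACE_TMP/polaris" --co project.name="$REPO_NAME" analyze -w
                                    # query for new issues; will always be non-zero for PRs; replace with API script to compare with CHANGE_TARGET
                                    issues=$(jq '.issueSummary.newIssues' .synopsys/polaris/cli-scan.json)
                                    # fail closed: a missing or non-numeric count trips the gate instead of silently passing
                                    [ "$issues" -eq 0 ] || exit 8
                                '''
                                if (status == 8) { unstable 'policy violation' }
                                else if (status != 0) { error 'scan failure' }
                            }
                        }
                    }
                }
            }
        }
        stage('Deploy') {
            when { environment name: 'PRODUCTION', value: 'true' }
            steps {
                sh 'mvn -B -DskipTests install'
            }
        }
    }
    post {
        always {
            archiveArtifacts allowEmptyArchive: true, artifacts: '.synopsys/polaris/configuration/synopsys.yml, .synopsys/polaris/data/coverity/*/idir/build-log.txt, *_BlackDuck_RiskReport.pdf'
            //zip archive: true, dir: '.bridge', zipFile: 'bridge-logs.zip'
            cleanWs()
        }
    }
}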