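// Example Jenkinsfile with SIG Security Scan that implements:
// - Black Duck INTELLIGENT scan on pushes and RAPID scan on PRs to "important" branches
//
// All `sh` scripts below are single-quoted (non-interpolating) Groovy strings, so every
// `$VAR` is expanded by the shell from the build environment rather than spliced into the
// command text by Groovy. This matters for the two credentials bound by withCredentials()
// (BRIDGE_BLACKDUCK_TOKEN, GITHUB_TOKEN): Groovy interpolation embeds the secret value in
// the command Jenkins records, and it also lets SCM-controlled values such as a branch name
// or PR author name be parsed as shell syntax instead of passed as data.
pipeline {
    agent { label 'linux64' }
    environment {
        // production branches on which we want security reports
        PRODUCTION = "${env.BRANCH_NAME ==~ /^(stage|release)$/ ? 'true' : 'false'}"
        // full scan on pushes to important branches
        FULLSCAN = "${env.BRANCH_NAME ==~ /^(main|master|develop|stage|release)$/ ? 'true' : 'false'}"
        // PR scan on pull requests to important branches
        PRSCAN = "${env.CHANGE_TARGET ==~ /^(main|master|develop|stage|release)$/ ? 'true' : 'false'}"
        // set project name to be repo name; the shell expands GIT_URL from the environment
        PROJECT = sh(script: 'basename "$GIT_URL" .git', returnStdout: true).trim()
        // Bridge CLI download URL
        // NOTE(review): this resolves "latest" and the archive is executed without any
        // checksum or signature check, so whatever the repository serves runs with this
        // build's credentials. Pin a release version and verify a published digest when
        // one is available.
        BRIDGECLI_LINUX64 = 'https://sig-repo.synopsys.com/artifactory/bds-integrations-release/com/synopsys/integration/synopsys-bridge/latest/synopsys-bridge-linux64.zip'
    }
    tools {
        maven 'maven-3.9'
        jdk 'openjdk-17'
    }
    stages {
        stage('Build') {
            steps {
                sh 'mvn -B compile'
            }
        }
        stage('Test') {
            steps {
                sh 'mvn -B test'
            }
        }
        stage('Scan') {
            parallel {
                stage('Black Duck Full Scan') {
                    when { environment name: 'FULLSCAN', value: 'true' }
                    environment {
                        DETECT_PROJECT_NAME = "$PROJECT"
                        DETECT_PROJECT_VERSION_NAME = "$BRANCH_NAME"
                        DETECT_CODE_LOCATION_NAME = "$PROJECT-$BRANCH_NAME"
                        // only production branches get the PDF risk report
                        DETECT_RISK_REPORT_PDF = "${env.PRODUCTION == 'true' ? 'true' : 'false'}"
                        DETECT_EXCLUDED_DETECTOR_TYPES = 'GIT'
                    }
                    steps {
                        withCredentials([string(credentialsId: 'testing.blackduck.synopsys.com', variable: 'BRIDGE_BLACKDUCK_TOKEN')]) {
                            script {
                                // BLACKDUCK_URL is expected to come from the job/global environment
                                // (the token is picked up by the CLI from BRIDGE_BLACKDUCK_TOKEN).
                                def status = sh returnStatus: true, script: '''
                                    curl -fLsS -o bridge.zip "$BRIDGECLI_LINUX64" && unzip -qo -d "$WORKSPACE_TMP" bridge.zip && rm -f bridge.zip
                                    "$WORKSPACE_TMP/synopsys-bridge" --verbose --stage blackduck \
                                        blackduck.url="$BLACKDUCK_URL" \
                                        blackduck.scan.failure.severities='BLOCKER' \
                                        blackduck.scan.full='true'
                                '''
                                // exit code 8 is the policy-violation result: mark the build
                                // unstable rather than failed; any other non-zero code is a real
                                // scan failure
                                if (status == 8) {
                                    unstable 'policy violation'
                                } else if (status != 0) {
                                    error 'scan failure'
                                }
                            }
                        }
                    }
                }
                stage('Black Duck PR Scan') {
                    // Bridge CLI PR comments currently not supported from Jenkins - see INTEGRATE-23
                    when { environment name: 'PRSCAN', value: 'true' }
                    environment {
                        DETECT_PROJECT_NAME = "$PROJECT"
                        DETECT_PROJECT_VERSION_NAME = "$CHANGE_TARGET"
                        DETECT_CODE_LOCATION_NAME = "$PROJECT-$CHANGE_TARGET"
                        DETECT_EXCLUDED_DETECTOR_TYPES = 'GIT'
                        BRIDGE_ENVIRONMENT_SCAN_PULL = 'true'
                    }
                    steps {
                        withCredentials([string(credentialsId: 'testing.blackduck.synopsys.com', variable: 'BRIDGE_BLACKDUCK_TOKEN'),
                                         string(credentialsId: 'github-pat', variable: 'GITHUB_TOKEN')]) {
                            script {
                                // BRANCH_NAME, CHANGE_AUTHOR and CHANGE_ID are taken from the PR and
                                // are therefore attacker-influenced on fork PRs; keeping them quoted
                                // and shell-expanded means they are passed as plain arguments.
                                def status = sh returnStatus: true, script: '''
                                    curl -fLsS -o bridge.zip "$BRIDGECLI_LINUX64" && unzip -qo -d "$WORKSPACE_TMP" bridge.zip && rm -f bridge.zip
                                    "$WORKSPACE_TMP/synopsys-bridge" --verbose --stage blackduck \
                                        blackduck.url="$BLACKDUCK_URL" \
                                        blackduck.scan.full='false' \
                                        blackduck.automation.prcomment='true' \
                                        github.repository.branch.name="$BRANCH_NAME" \
                                        github.repository.name="$PROJECT" \
                                        github.repository.owner.name="$CHANGE_AUTHOR" \
                                        github.repository.pull.number="$CHANGE_ID" \
                                        github.user.token="$GITHUB_TOKEN"
                                '''
                                // same exit-code mapping as the full scan stage
                                if (status == 8) {
                                    unstable 'policy violation'
                                } else if (status != 0) {
                                    error 'scan failure'
                                }
                            }
                        }
                    }
                }
            }
        }
        stage('Deploy') {
            when { environment name: 'PRODUCTION', value: 'true' }
            steps {
                sh 'mvn -B -DskipTests install'
            }
        }
    }
    post {
        always {
            // the risk report is only produced when DETECT_RISK_REPORT_PDF is 'true'
            archiveArtifacts allowEmptyArchive: true, artifacts: '*_BlackDuck_RiskReport.pdf'
            //zip archive: true, dir: '.bridge', zipFile: 'bridge-logs.zip'
            cleanWs()
        }
    }
}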