Meridio: update node to 2204
1 /*
2 Copyright (c) 2022 Nordix Foundation
3
4 Licensed under the Apache License, Version 2.0 (the "License");
5 you may not use this file except in compliance with the License.
6 You may obtain a copy of the License at
7
8     http://www.apache.org/licenses/LICENSE-2.0
9
10 Unless required by applicable law or agreed to in writing, software
11 distributed under the License is distributed on an "AS IS" BASIS,
12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 See the License for the specific language governing permissions and
14 limitations under the License.
15 */
16 import org.jenkinsci.plugins.pipeline.modeldefinition.Utils
17
// Meridio security-scan pipeline: checks out the branch under test, runs the Grype,
// Nancy and Trivy scans through the project's Makefile, parses the results and
// e-mails a summary. Reads the job parameters GIT_PROJECT, CURRENT_BRANCH,
// DEFAULT_BRANCH, IMAGE_REGISTRY and IMAGE_VERSION plus the EMAIL_RECIPIENTS and
// IMAGE_NAMES bindings. With DRY_RUN set to 'true' the scan commands are only
// echoed (see ExecSh below) and the Report stage is skipped.
node('nordix-nsm-build-ubuntu2204') {
    // Assigned without 'def', so these land in the script binding rather than as locals.
    build_number = env.BUILD_NUMBER
    workspace = env.WORKSPACE
    // One sub-workspace per build number — presumably so concurrent builds on the
    // same agent do not share a checkout; confirm.
    ws("${workspace}/${build_number}") {
        def git_project = params.GIT_PROJECT
        def current_branch = params.CURRENT_BRANCH
        def default_branch = params.DEFAULT_BRANCH
        def image_registry = params.IMAGE_REGISTRY
        def version = params.IMAGE_VERSION
        def email_recipients = EMAIL_RECIPIENTS
        def image_names = IMAGE_NAMES
        // NOTE(review): version, image_registry and image_names are job parameters that
        // the Grype and Trivy stages interpolate straight into a shell command string,
        // so any shell metacharacters in a parameter value are interpreted by the agent's
        // shell. Jenkins' guidance is to expose such values as environment variables and
        // reference them as single-quoted $VAR inside the sh script. Confirm who is
        // allowed to set these parameters.

        // Badge starts at '?'; only the Report stage updates it (to the vulnerability
        // count), so it keeps showing '?' after a dry run.
        def vulnerabilityBadge = addEmbeddableBadgeConfiguration(id: 'meridio-vulnerabilities', subject: 'vulnerabilities', color: 'peru', status: '?')

        // 30-minute budget (minutes is the step's default unit) covering checkout, scans
        // and reporting; the Cleanup stage below runs outside it.
        timeout(30) {
            // Clone the default branch first, then check out current_branch using a
            // refspec that also fetches pull-request heads (refs/pull/*/head), so a PR
            // ref can be scanned.
            stage('Clone/Checkout') {
                git branch: default_branch, url: git_project
                checkout([
                    $class: 'GitSCM',
                    branches: [[name: current_branch]],
                    extensions: [],
                    userRemoteConfigs: [[
                        refspec: '+refs/pull/*/head:refs/remotes/origin/pr/*',
                        url: git_project
                    ]]
                ])
                // Log the commit that is actually under test.
                sh 'git show'
            }
            // Scanners are driven through Makefile targets; ExecSh honours DRY_RUN.
            // IMAGES is single-quoted so the whole image list reaches make as one variable.
            stage('Grype') {
                def command = "make grype VERSION=${version} REGISTRY=${image_registry} IMAGES='${image_names}'"
                ExecSh(command).call()
            }
            stage('Nancy') {
                def command = 'make nancy'
                ExecSh(command).call()
            }
            stage('Trivy') {
                def command = "make trivy VERSION=${version} REGISTRY=${image_registry} IMAGES='${image_names}'"
                ExecSh(command).call()
            }
            // Presumably produces _output/list.txt and _output/report.txt, which the
            // Report stage reads — confirm against hack/parse_security_scan.sh.
            stage('Parse') {
                def command = './hack/parse_security_scan.sh'
                ExecSh(command).call()
            }
            stage('Report') {
                if (env.DRY_RUN != 'true') {
                    archiveArtifacts artifacts: '_output/*', followSymlinks: false

                    // Counts and lists are the unique first-column tokens of the non-empty
                    // lines of list.txt (assumed to be vulnerability IDs — confirm against
                    // the parser). The "high" filter is a case-insensitive substring match
                    // over the whole line, so any line that merely mentions "high" is
                    // counted as high severity. The sed expression joins the sorted IDs
                    // with " ; " onto a single line for the e-mail.
                    def number_of_vulnerabilities =  sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim()
                    def list_of_vulnerabilities =  sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim()
                    def number_of_high_severity_vulnerabilities =  sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim()
                    def list_of_high_severity_vulnerabilities =  sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim()
                    // Identify the scanned revision in the report.
                    def git_describe =  sh(script: 'git describe --dirty --tags', returnStdout: true).trim()
                    def git_rev =  sh(script: 'git rev-parse HEAD', returnStdout: true).trim()
                    def report =  sh(script: 'cat _output/report.txt', returnStdout: true).trim()

                    // The subject carries the high-severity count so triage can start from
                    // the inbox; the body is a runtime string and must stay as-is.
                    def subject = "Meridio - Security Scan - ${number_of_high_severity_vulnerabilities} high severity vulnerabilities detected"
                    def body = """
Run: ${RUN_DISPLAY_URL}
git describe --dirty --tags: ${git_describe}
git rev-parse HEAD: ${git_rev}
Image registry: ${image_registry}
Image Version: ${version}

Number of vulnerabilities: ${number_of_vulnerabilities}
List of vulnerabilities: ${list_of_vulnerabilities}

Number of vulnerabilities with high severity: ${number_of_high_severity_vulnerabilities}
List of vulnerabilities with high severity: ${list_of_high_severity_vulnerabilities}

report:
${report}
"""
                    emailext body: "${body}", subject: "${subject}", to: "${email_recipients}"

                    // Total (not high-only) count is what the badge shows.
                    vulnerabilityBadge.setStatus("${number_of_vulnerabilities}")
                } else {
                    // Dry run: show the stage as skipped in the pipeline view.
                    Utils.markStageSkippedForConditional('Report')
                }
            }
        }
        // No try/finally around the timeout block, so Cleanup is not reached when an
        // earlier stage throws.
        stage('Cleanup') {
            Cleanup()
        }
    }
}
104
105 // Cleanup directory
def Cleanup() {
    // Delegates to the Workspace Cleanup plugin step; returns whatever cleanWs() returns.
    return cleanWs()
}
109
110 // Execute command
def ExecSh(command) {
    // Returns a closure the caller runs with .call(). DRY_RUN is read when the closure
    // runs, not when it is built: with env.DRY_RUN == 'true' the command is only echoed,
    // otherwise it is executed by `sh` after sourcing ${HOME}/.profile on the agent
    // (presumably where the build tools' PATH is set up — confirm).
    return {
        def dryRun = (env.DRY_RUN == 'true')
        if (dryRun) {
            echo "${command}"
        } else {
            sh """
                . \${HOME}/.profile
                ${command}
            """
        }
    }
}