2 Copyright (c) 2022 Nordix Foundation
4 Licensed under the Apache License, Version 2.0 (the "License");
5 you may not use this file except in compliance with the License.
6 You may obtain a copy of the License at
8 http://www.apache.org/licenses/LICENSE-2.0
10 Unless required by applicable law or agreed to in writing, software
11 distributed under the License is distributed on an "AS IS" BASIS,
12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 See the License for the specific language governing permissions and
14 limitations under the License.
16 import org.jenkinsci.plugins.pipeline.modeldefinition.Utils
18 node('nordix-nsm-build-ubuntu2204') {
19 build_number = env.BUILD_NUMBER
20 workspace = env.WORKSPACE
21 ws("${workspace}/${build_number}") {
22 def git_project = params.GIT_PROJECT
23 def current_branch = params.CURRENT_BRANCH
24 def default_branch = params.DEFAULT_BRANCH
25 def image_registry = params.IMAGE_REGISTRY
26 def version = params.IMAGE_VERSION
27 def email_recipients = EMAIL_RECIPIENTS
28 def image_names = IMAGE_NAMES
30 def vulnerabilityBadge = addEmbeddableBadgeConfiguration(id: 'meridio-vulnerabilities', subject: 'vulnerabilities', color: 'peru', status: '?')
33 stage('Clone/Checkout') {
34 git branch: default_branch, url: git_project
37 branches: [[name: current_branch]],
40 refspec: '+refs/pull/*/head:refs/remotes/origin/pr/*',
47 def command = "make grype VERSION=${version} REGISTRY=${image_registry} IMAGES='${image_names}'"
48 ExecSh(command).call()
51 def command = 'make nancy'
52 ExecSh(command).call()
55 def command = "make trivy VERSION=${version} REGISTRY=${image_registry} IMAGES='${image_names}'"
56 ExecSh(command).call()
59 def command = './hack/parse_security_scan.sh'
60 ExecSh(command).call()
63 if (env.DRY_RUN != 'true') {
65 archiveArtifacts artifacts: '_output/**/*.*', followSymlinks: false
66 } catch (Exception e) {
69 def number_of_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim()
70 def list_of_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim()
71 def number_of_high_severity_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim()
72 def list_of_high_severity_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim()
73 def git_describe = sh(script: 'git describe --dirty --tags', returnStdout: true).trim()
74 def git_rev = sh(script: 'git rev-parse HEAD', returnStdout: true).trim()
75 def report = sh(script: 'cat _output/report.txt', returnStdout: true).trim()
77 def subject = "Meridio - Security Scan - ${number_of_high_severity_vulnerabilities} high severity vulnerabilities detected"
79 Run: ${RUN_DISPLAY_URL}
80 git describe --dirty --tags: ${git_describe}
81 git rev-parse HEAD: ${git_rev}
82 Image registry: ${image_registry}
83 Image Version: ${version}
85 Number of vulnerabilities: ${number_of_vulnerabilities}
86 List of vulnerabilities: ${list_of_vulnerabilities}
88 Number of vulnerabilities with high severity: ${number_of_high_severity_vulnerabilities}
89 List of vulnerabilities with high severity: ${list_of_high_severity_vulnerabilities}
94 emailext body: "${body}", subject: "${subject}", to: "${email_recipients}"
96 vulnerabilityBadge.setStatus("${number_of_vulnerabilities}")
98 Utils.markStageSkippedForConditional('Report')
114 def ExecSh(command) {
116 if (env.DRY_RUN != 'true') {