Meridio: Security Scan Periodic Job

[infra/cicd.git] / jjb / nsm / Jenkinsfile.security-scan

node('nordix-nsm-build-ubuntu1804') {
    build_number = env.BUILD_NUMBER
    workspace = env.WORKSPACE
    ws("${workspace}/${build_number}") {
        def git_project = params.GIT_PROJECT
        def current_branch = params.CURRENT_BRANCH
        def default_branch = params.DEFAULT_BRANCH
        def image_registry = params.IMAGE_REGISTRY
        def version = params.IMAGE_VERSION
        def email_recipients = EMAIL_RECIPIENTS

        def cveBadge = addEmbeddableBadgeConfiguration(id: 'meridio-cve', subject: 'CVE', color: 'peru', status: '?')

        timeout(30) {
            stage('Clone/Checkout') {
                git branch: default_branch, url: git_project
                checkout([
                    $class: 'GitSCM',
                    branches: [[name: current_branch]],
                    extensions: [],
                    userRemoteConfigs: [[
                        refspec: '+refs/pull/*/head:refs/remotes/origin/pr/*',
                        url: git_project
                    ]]
                ])
                sh 'git show'
            }
            stage('Grype') {
                sh """
                    . ${HOME}/.profile
                    make grype VERSION=${version} REGISTRY=${image_registry}
                """
            }
            stage('Nancy') {
                sh """
                    . ${HOME}/.profile
                    make nancy
                """
            }
            stage('Trivy') {
                sh """
                    . ${HOME}/.profile
                    make trivy VERSION=${version} REGISTRY=${image_registry}
                """
            }
            stage('Parse') {
                sh """
                    . ${HOME}/.profile
                    ./hack/parse_security_scan.sh
                """
            }
            stage('Report') {
                archiveArtifacts artifacts: '_output/*', followSymlinks: false

                def number_of_cves =  sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim()
                def list_of_cves =  sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim()
                def number_of_high_severity_cves =  sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim()
                def list_of_high_severity_cves =  sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim()
                def git_describe =  sh(script: 'git describe --dirty --tags', returnStdout: true).trim()
                def git_rev =  sh(script: 'git rev-parse HEAD', returnStdout: true).trim()
                def report =  sh(script: 'cat _output/report.txt', returnStdout: true).trim()

                def subject = "Meridio - Security Scan - ${number_of_high_severity_cves} high severity CVEs detected"
                def body = """
Run: ${RUN_DISPLAY_URL}
git describe --dirty --tags: ${git_describe}
git rev-parse HEAD: ${git_rev}
Image registry: ${image_registry}
Image Version: ${version}

Number of CVEs: ${number_of_cves}
List of CVEs: ${list_of_cves}

Number of CVEs with high severity: ${number_of_high_severity_cves}
List of CVEs with high severity: ${list_of_high_severity_cves}

report:
${report}
"""
                emailext body: "${body}", subject: "${subject}", to: "${email_recipients}"

                cveBadge.setStatus("${number_of_high_severity_cves}")
            }
        }
        stage('Cleanup') {
            Cleanup()
        }
    }
}

// Cleanup directory
def Cleanup() {
    cleanWs()
}