2 node('nordix-nsm-build-ubuntu1804') {
3 build_number = env.BUILD_NUMBER
4 workspace = env.WORKSPACE
5 ws("${workspace}/${build_number}") {
6 def git_project = params.GIT_PROJECT
7 def current_branch = params.CURRENT_BRANCH
8 def default_branch = params.DEFAULT_BRANCH
9 def image_registry = params.IMAGE_REGISTRY
10 def version = params.IMAGE_VERSION
11 def email_recipients = EMAIL_RECIPIENTS
12 def image_names = IMAGE_NAMES
14 def vulnerabilityBadge = addEmbeddableBadgeConfiguration(id: 'meridio-vulnerabilities', subject: 'vulnerabilities', color: 'peru', status: '?')
17 stage('Clone/Checkout') {
18 git branch: default_branch, url: git_project
21 branches: [[name: current_branch]],
24 refspec: '+refs/pull/*/head:refs/remotes/origin/pr/*',
31 def command = "make grype VERSION=${version} REGISTRY=${image_registry} IMAGES='${image_names}'"
32 ExecSh(command).call()
35 def command = 'make nancy'
36 ExecSh(command).call()
39 def command = "make trivy VERSION=${version} REGISTRY=${image_registry} IMAGES='${image_names}'"
40 ExecSh(command).call()
43 def command = './hack/parse_security_scan.sh'
44 ExecSh(command).call()
47 archiveArtifacts artifacts: '_output/*', followSymlinks: false
49 def number_of_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim()
50 def list_of_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim()
51 def number_of_high_severity_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim()
52 def list_of_high_severity_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim()
53 def git_describe = sh(script: 'git describe --dirty --tags', returnStdout: true).trim()
54 def git_rev = sh(script: 'git rev-parse HEAD', returnStdout: true).trim()
55 def report = sh(script: 'cat _output/report.txt', returnStdout: true).trim()
57 def subject = "Meridio - Security Scan - ${number_of_high_severity_vulnerabilities} high severity vulnerabilities detected"
59 Run: ${RUN_DISPLAY_URL}
60 git describe --dirty --tags: ${git_describe}
61 git rev-parse HEAD: ${git_rev}
62 Image registry: ${image_registry}
63 Image Version: ${version}
65 Number of vulnerabilities: ${number_of_vulnerabilities}
66 List of vulnerabilities: ${list_of_vulnerabilities}
68 Number of vulnerabilities with high severity: ${number_of_high_severity_vulnerabilities}
69 List of vulnerabilities with high severity: ${list_of_high_severity_vulnerabilities}
74 emailext body: "${body}", subject: "${subject}", to: "${email_recipients}"
76 vulnerabilityBadge.setStatus("${number_of_vulnerabilities}")
Code Review / infra / cicd.git / blob