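// Scripted Jenkins pipeline for the Meridio security scan.
//
// Flow: check out the requested branch/PR head, run the image and dependency
// scanners through the project's Makefile (grype, nancy, trivy), parse the
// results into _output/, archive them and e-mail a summary.  Each build works
// in its own sub-directory of the agent workspace so that concurrent builds on
// the same agent cannot clobber each other's _output.
node('nordix-nsm-build-ubuntu1804') {
    build_number = env.BUILD_NUMBER
    workspace = env.WORKSPACE
    ws("${workspace}/${build_number}") {
        // Build parameters, supplied by whoever triggers the job.
        def git_project = params.GIT_PROJECT
        def current_branch = params.CURRENT_BRANCH
        def default_branch = params.DEFAULT_BRANCH
        def image_registry = params.IMAGE_REGISTRY
        def version = params.IMAGE_VERSION
        // Job-level properties (not build parameters).
        def email_recipients = EMAIL_RECIPIENTS
        def image_names = IMAGE_NAMES
        def vulnerabilityBadge = addEmbeddableBadgeConfiguration(id: 'meridio-vulnerabilities', subject: 'vulnerabilities', color: 'peru', status: '?')

        // grype and trivy take the same arguments.  The parameter values are
        // handed to the shell through the environment and quoted there, so a
        // value containing quotes, `;` or `$(...)` stays data instead of being
        // parsed as shell syntax (interpolating them straight into the `sh`
        // script, as before, gave no such guarantee).
        def scan_env = [
            "SCAN_VERSION=${version}",
            "SCAN_REGISTRY=${image_registry}",
            "SCAN_IMAGES=${image_names}"
        ]
        def scan_args = 'VERSION="$SCAN_VERSION" REGISTRY="$SCAN_REGISTRY" IMAGES="$SCAN_IMAGES"'

        try {
            timeout(30) {   // minutes: the default unit of the timeout step
                stage('Clone/Checkout') {
                    // Start on the default branch, then check out the branch or
                    // PR head actually under test.  Everything executed below
                    // (Makefile targets, hack/ scripts) comes from that checkout,
                    // so it runs with whatever the agent above can reach.
                    git branch: default_branch, url: git_project
                    checkout([
                        $class: 'GitSCM',
                        branches: [[name: current_branch]],
                        extensions: [],
                        userRemoteConfigs: [[
                            refspec: '+refs/pull/*/head:refs/remotes/origin/pr/*',
                            url: git_project
                        ]]
                    ])
                    sh 'git show'
                }
                stage('Grype') {
                    withEnv(scan_env) {
                        ExecSh("make grype ${scan_args}").call()
                    }
                }
                stage('Nancy') {
                    ExecSh('make nancy').call()
                }
                stage('Trivy') {
                    withEnv(scan_env) {
                        ExecSh("make trivy ${scan_args}").call()
                    }
                }
                stage('Parse') {
                    // Produces _output/list.txt and _output/report.txt read below.
                    ExecSh('./hack/parse_security_scan.sh').call()
                }
                stage('Report') {
                    archiveArtifacts artifacts: '_output/*', followSymlinks: false

                    // The first column of _output/list.txt is taken as the
                    // vulnerability identifier; empty lines are dropped.
                    // NOTE(review): the "high" filter is a case-insensitive
                    // substring match on the whole line, so any other column
                    // containing "high" would also count -- confirm against the
                    // list.txt format written by hack/parse_security_scan.sh.
                    def ids = { String severity_filter ->
                        def cmd = 'grep -v "^$" _output/list.txt'
                        if (severity_filter) {
                            cmd += ' | grep -i "' + severity_filter + '"'
                        }
                        return cmd + ' | awk \'{print $1}\' | sort | uniq'
                    }
                    // Joins the one-per-line identifiers into "a ; b ; c".
                    def join_lines = 'sed \':a;N;$!ba;s/\\n/ ; /g\''
                    def count_of = { String severity_filter ->
                        sh(script: ids(severity_filter) + ' | wc -l', returnStdout: true).trim()
                    }
                    def list_of = { String severity_filter ->
                        sh(script: ids(severity_filter) + ' | ' + join_lines, returnStdout: true).trim()
                    }

                    def number_of_vulnerabilities = count_of('')
                    def list_of_vulnerabilities = list_of('')
                    def number_of_high_severity_vulnerabilities = count_of('high')
                    def list_of_high_severity_vulnerabilities = list_of('high')
                    def git_describe = sh(script: 'git describe --dirty --tags', returnStdout: true).trim()
                    def git_rev = sh(script: 'git rev-parse HEAD', returnStdout: true).trim()
                    def report = sh(script: 'cat _output/report.txt', returnStdout: true).trim()

                    def subject = "Meridio - Security Scan - ${number_of_high_severity_vulnerabilities} high severity vulnerabilities detected"
                    def body = """
Run: ${RUN_DISPLAY_URL}
git describe --dirty --tags: ${git_describe}
git rev-parse HEAD: ${git_rev}
Image registry: ${image_registry}
Image Version: ${version}
Number of vulnerabilities: ${number_of_vulnerabilities}
List of vulnerabilities: ${list_of_vulnerabilities}
Number of vulnerabilities with high severity: ${number_of_high_severity_vulnerabilities}
List of vulnerabilities with high severity: ${list_of_high_severity_vulnerabilities}
report:
${report}
"""
                    emailext body: "${body}", subject: "${subject}", to: "${email_recipients}"
                    // Badge shows the total count (all severities).
                    vulnerabilityBadge.setStatus("${number_of_vulnerabilities}")
                }
            }
        } finally {
            // Runs even when a scan stage fails or the timeout fires, so the
            // per-build workspace directory does not linger on the agent
            // (previously Cleanup was skipped on any failure).
            stage('Cleanup') {
                Cleanup()
            }
        }
    }
}

// Cleanup directory: deletes the current workspace.
def Cleanup() {
    cleanWs()
}

// Execute command: returns a closure that sources $HOME/.profile (tool paths
// configured there) and then runs `command` through the `sh` step.
// `command` is interpolated into the shell script verbatim, so callers pass
// variable values via the environment (see scan_env) rather than embedding
// them in the command text.
def ExecSh(command) {
    return {
        sh """
        . \${HOME}/.profile
        ${command}
        """
    }
}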