/* Copyright (c) 2022 Nordix Foundation Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ import org.jenkinsci.plugins.pipeline.modeldefinition.Utils node('nordix-nsm-build-ubuntu2204') { build_number = env.BUILD_NUMBER workspace = env.WORKSPACE ws("${workspace}/${build_number}") { def git_project = params.GIT_PROJECT def current_branch = params.CURRENT_BRANCH def default_branch = params.DEFAULT_BRANCH def image_registry = params.IMAGE_REGISTRY def version = params.IMAGE_VERSION def email_recipients = EMAIL_RECIPIENTS def image_names = IMAGE_NAMES def vulnerabilityBadge = addEmbeddableBadgeConfiguration(id: 'meridio-vulnerabilities', subject: 'vulnerabilities', color: 'peru', status: '?') timeout(30) { stage('Clone/Checkout') { git branch: default_branch, url: git_project checkout([ $class: 'GitSCM', branches: [[name: current_branch]], extensions: [], userRemoteConfigs: [[ refspec: '+refs/pull/*/head:refs/remotes/origin/pr/*', url: git_project ]] ]) sh 'git show' } stage('Grype') { def command = "make grype VERSION=${version} REGISTRY=${image_registry} IMAGES='${image_names}'" ExecSh(command).call() } stage('Nancy') { def command = 'make nancy' ExecSh(command).call() } stage('Trivy') { def command = "make trivy VERSION=${version} REGISTRY=${image_registry} IMAGES='${image_names}'" ExecSh(command).call() } stage('Parse') { def command = './hack/parse_security_scan.sh' ExecSh(command).call() } stage('Report') { if (env.DRY_RUN != 'true') { try { archiveArtifacts artifacts: '_output/**/*.*', followSymlinks: false } catch (Exception e) { } def number_of_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim() def list_of_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim() def number_of_high_severity_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim() def list_of_high_severity_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim() def git_describe = sh(script: 'git describe --dirty --tags', returnStdout: true).trim() def git_rev = sh(script: 'git rev-parse HEAD', returnStdout: true).trim() def report = sh(script: 'cat _output/report.txt', returnStdout: true).trim() def subject = "Meridio - Security Scan - ${number_of_high_severity_vulnerabilities} high severity vulnerabilities detected" def body = """ Run: ${RUN_DISPLAY_URL} git describe --dirty --tags: ${git_describe} git rev-parse HEAD: ${git_rev} Image registry: ${image_registry} Image Version: ${version} Number of vulnerabilities: ${number_of_vulnerabilities} List of vulnerabilities: ${list_of_vulnerabilities} Number of vulnerabilities with high severity: ${number_of_high_severity_vulnerabilities} List of vulnerabilities with high severity: ${list_of_high_severity_vulnerabilities} report: ${report} """ emailext body: "${body}", subject: "${subject}", to: "${email_recipients}" vulnerabilityBadge.setStatus("${number_of_vulnerabilities}") } else { Utils.markStageSkippedForConditional('Report') } } } stage('Cleanup') { Cleanup() } } } // Cleanup directory def Cleanup() { cleanWs() } // Execute command def ExecSh(command) { return { if (env.DRY_RUN != 'true') { sh """ . \${HOME}/.profile ${command} """ } else { echo "${command}" } } }