Meridio: Security Scan Periodic Job

[infra/cicd.git] / jjb / nsm / Jenkinsfile.security-scan
diff --git a/jjb/nsm/Jenkinsfile.security-scan b/jjb/nsm/Jenkinsfile.security-scan

new file mode 100644 (file)

index 0000000..a6eb1f6
--- /dev/null
+++ b/jjb/nsm/Jenkinsfile.security-scan
@@ -0,0 +1,95 @@
+
+node('nordix-nsm-build-ubuntu1804') {
+    build_number = env.BUILD_NUMBER
+    workspace = env.WORKSPACE
+    ws("${workspace}/${build_number}") {
+        def git_project = params.GIT_PROJECT
+        def current_branch = params.CURRENT_BRANCH
+        def default_branch = params.DEFAULT_BRANCH
+        def image_registry = params.IMAGE_REGISTRY
+        def version = params.IMAGE_VERSION
+        def email_recipients = EMAIL_RECIPIENTS
+
+        def cveBadge = addEmbeddableBadgeConfiguration(id: 'meridio-cve', subject: 'CVE', color: 'peru', status: '?')
+
+        timeout(30) {
+            stage('Clone/Checkout') {
+                git branch: default_branch, url: git_project
+                checkout([
+                    $class: 'GitSCM',
+                    branches: [[name: current_branch]],
+                    extensions: [],
+                    userRemoteConfigs: [[
+                        refspec: '+refs/pull/*/head:refs/remotes/origin/pr/*',
+                        url: git_project
+                    ]]
+                ])
+                sh 'git show'
+            }
+            stage('Grype') {
+                sh """
+                    . ${HOME}/.profile
+                    make grype VERSION=${version} REGISTRY=${image_registry}
+                """
+            }
+            stage('Nancy') {
+                sh """
+                    . ${HOME}/.profile
+                    make nancy
+                """
+            }
+            stage('Trivy') {
+                sh """
+                    . ${HOME}/.profile
+                    make trivy VERSION=${version} REGISTRY=${image_registry}
+                """
+            }
+            stage('Parse') {
+                sh """
+                    . ${HOME}/.profile
+                    ./hack/parse_security_scan.sh
+                """
+            }
+            stage('Report') {
+                archiveArtifacts artifacts: '_output/*', followSymlinks: false
+
+                def number_of_cves =  sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim()
+                def list_of_cves =  sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim()
+                def number_of_high_severity_cves =  sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim()
+                def list_of_high_severity_cves =  sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim()
+                def git_describe =  sh(script: 'git describe --dirty --tags', returnStdout: true).trim()
+                def git_rev =  sh(script: 'git rev-parse HEAD', returnStdout: true).trim()
+                def report =  sh(script: 'cat _output/report.txt', returnStdout: true).trim()
+
+                def subject = "Meridio - Security Scan - ${number_of_high_severity_cves} high severity CVEs detected"
+                def body = """
+Run: ${RUN_DISPLAY_URL}
+git describe --dirty --tags: ${git_describe}
+git rev-parse HEAD: ${git_rev}
+Image registry: ${image_registry}
+Image Version: ${version}
+
+Number of CVEs: ${number_of_cves}
+List of CVEs: ${list_of_cves}
+
+Number of CVEs with high severity: ${number_of_high_severity_cves}
+List of CVEs with high severity: ${list_of_high_severity_cves}
+
+report:
+${report}
+"""
+                emailext body: "${body}", subject: "${subject}", to: "${email_recipients}"
+
+                cveBadge.setStatus("${number_of_high_severity_cves}")
+            }
+        }
+        stage('Cleanup') {
+            Cleanup()
+        }
+    }
+}
+
+// Cleanup directory
+def Cleanup() {
+    cleanWs()
+}