X-Git-Url: https://gerrit.nordix.org/gitweb?a=blobdiff_plain;f=jjb%2Fnsm%2FJenkinsfile.security-scan;h=ca9997b3eb01a0a686d8d6fe399c07f1604814c6;hb=3b5d5d8f359a4207872edf32773fdb72c3193eb7;hp=a6eb1f6c0a2ee99520fca5d34090353c9bebbd5a;hpb=4ca0666d578b56e25a4d90a02b543b6a1268dd92;p=infra%2Fcicd.git diff --git a/jjb/nsm/Jenkinsfile.security-scan b/jjb/nsm/Jenkinsfile.security-scan index a6eb1f6c..ca9997b3 100644 --- a/jjb/nsm/Jenkinsfile.security-scan +++ b/jjb/nsm/Jenkinsfile.security-scan @@ -1,5 +1,21 @@ +/* +Copyright (c) 2022 Nordix Foundation -node('nordix-nsm-build-ubuntu1804') { +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +import org.jenkinsci.plugins.pipeline.modeldefinition.Utils + +node('nordix-nsm-build-ubuntu2204') { build_number = env.BUILD_NUMBER workspace = env.WORKSPACE ws("${workspace}/${build_number}") { @@ -9,8 +25,9 @@ node('nordix-nsm-build-ubuntu1804') { def image_registry = params.IMAGE_REGISTRY def version = params.IMAGE_VERSION def email_recipients = EMAIL_RECIPIENTS + def image_names = IMAGE_NAMES - def cveBadge = addEmbeddableBadgeConfiguration(id: 'meridio-cve', subject: 'CVE', color: 'peru', status: '?') + def vulnerabilityBadge = addEmbeddableBadgeConfiguration(id: 'meridio-vulnerabilities', subject: 'vulnerabilities', color: 'peru', status: '?') timeout(30) { stage('Clone/Checkout') { 
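Review bot: The new `import org.jenkinsci.plugins.pipeline.modeldefinition.Utils` pulls a class that, as far as I can tell, is internal to the Declarative Pipeline plugin rather than a supported step, so the `Utils.markStageSkippedForConditional('Report')` call it enables further down this file (outside this hunk) depends on plugin internals and will need script approval in a sandboxed job. Add a comment at the import so the next maintainer knows why a scripted pipeline carries it, e.g. `// Declarative-internal helper; only used to grey out the Report stage on DRY_RUN builds`. The license header and the agent-label bump to ubuntu2204 need nothing further.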
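Review bot: `def image_names = IMAGE_NAMES` reads the new job parameter as a bare script binding while the two lines just above go through `params.IMAGE_REGISTRY` and `params.IMAGE_VERSION`; with the bare form a job that lacks the parameter fails here with a MissingPropertyException instead of yielding null. Prefer `def image_names = params.IMAGE_NAMES` so the three image-related parameters are read the same way (EMAIL_RECIPIENTS was already the odd one out, so either leave it or align both). Keep in mind this value is later spliced into shell commands in the Grype and Trivy stages, so how it is read matters less than how it is quoted there.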
@@ -27,60 +44,59 @@ node('nordix-nsm-build-ubuntu1804') { sh 'git show' } stage('Grype') { - sh """ - . ${HOME}/.profile - make grype VERSION=${version} REGISTRY=${image_registry} - """ + def command = "make grype VERSION=${version} REGISTRY=${image_registry} IMAGES='${image_names}'" + ExecSh(command).call() } stage('Nancy') { - sh """ - . ${HOME}/.profile - make nancy - """ + def command = 'make nancy' + ExecSh(command).call() } stage('Trivy') { - sh """ - . ${HOME}/.profile - make trivy VERSION=${version} REGISTRY=${image_registry} - """ + def command = "make trivy VERSION=${version} REGISTRY=${image_registry} IMAGES='${image_names}'" + ExecSh(command).call() } stage('Parse') { - sh """ - . ${HOME}/.profile - ./hack/parse_security_scan.sh - """ + def command = './hack/parse_security_scan.sh' + ExecSh(command).call() } stage('Report') { - archiveArtifacts artifacts: '_output/*', followSymlinks: false + if (env.DRY_RUN != 'true') { + try { + archiveArtifacts artifacts: '_output/**/*.*', followSymlinks: false + } catch (Exception e) { + } - def number_of_cves = sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim() - def list_of_cves = sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim() - def number_of_high_severity_cves = sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim() - def list_of_high_severity_cves = sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim() - def git_describe = sh(script: 'git describe --dirty --tags', returnStdout: true).trim() - def git_rev = sh(script: 'git rev-parse HEAD', returnStdout: true).trim() - def report = sh(script: 'cat _output/report.txt', returnStdout: true).trim() + def 
number_of_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim() + def list_of_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim() + def number_of_high_severity_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim() + def list_of_high_severity_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim() + def git_describe = sh(script: 'git describe --dirty --tags', returnStdout: true).trim() + def git_rev = sh(script: 'git rev-parse HEAD', returnStdout: true).trim() + def report = sh(script: 'cat _output/report.txt', returnStdout: true).trim() - def subject = "Meridio - Security Scan - ${number_of_high_severity_cves} high severity CVEs detected" - def body = """ + def subject = "Meridio - Security Scan - ${number_of_high_severity_vulnerabilities} high severity vulnerabilities detected" + def body = """ Run: ${RUN_DISPLAY_URL} git describe --dirty --tags: ${git_describe} git rev-parse HEAD: ${git_rev} Image registry: ${image_registry} Image Version: ${version} -Number of CVEs: ${number_of_cves} -List of CVEs: ${list_of_cves} +Number of vulnerabilities: ${number_of_vulnerabilities} +List of vulnerabilities: ${list_of_vulnerabilities} -Number of CVEs with high severity: ${number_of_high_severity_cves} -List of CVEs with high severity: ${list_of_high_severity_cves} +Number of vulnerabilities with high severity: ${number_of_high_severity_vulnerabilities} +List of vulnerabilities with high severity: ${list_of_high_severity_vulnerabilities} report: ${report} """ - emailext body: "${body}", subject: "${subject}", to: "${email_recipients}" + emailext body: "${body}", 
subject: "${subject}", to: "${email_recipients}" - cveBadge.setStatus("${number_of_high_severity_cves}") + vulnerabilityBadge.setStatus("${number_of_vulnerabilities}") + } else { + Utils.markStageSkippedForConditional('Report') + } } } stage('Cleanup') { @@ -93,3 +109,17 @@ ${report} def Cleanup() { cleanWs() } + +// Execute command +def ExecSh(command) { + return { + if (env.DRY_RUN != 'true') { + sh """ + . \${HOME}/.profile + ${command} + """ + } else { + echo "${command}" + } + } +}
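Review bot: The Grype and Trivy stages splice the new IMAGE_NAMES job parameter into the shell command via Groovy interpolation, `IMAGES='${image_names}'`, so a parameter value containing a single quote followed by `$(...)` or `;` is executed as shell on the build agent; Jenkins documents this interpolation pattern as a command-injection risk for anything a user can set. Let the shell expand the parameter instead, since build parameters are also exported as environment variables: `def command = 'make grype VERSION="$IMAGE_VERSION" REGISTRY="$IMAGE_REGISTRY" IMAGES="$IMAGE_NAMES"'` (single-quoted Groovy, same for the Trivy line; ExecSh does not re-interpolate the inserted text). Separately, the new `catch (Exception e) { }` around archiveArtifacts hides a failure to keep the scan evidence; at minimum `echo "archiveArtifacts failed: ${e}"` or set the build unstable so a missing report is noticed. The `grep -i "high"` counts that feed the e-mail subject are inherited, but if list.txt carries severities as Grype and Trivy print them, Critical findings are not part of the "high severity" number the subject announces — worth confirming against hack/parse_security_scan.sh.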
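Review bot: `ExecSh` is now the one place that hands text to `sh`, and it interpolates `${command}` into a triple-quoted GString, so whatever callers assembled from job parameters reaches the shell already expanded; the only comment, `// Execute command`, says nothing about that contract. Document it above the definition: `// Runs command on the agent after sourcing ~/.profile, or only echoes it when DRY_RUN=true. The string is spliced into the shell script verbatim: write it as a single-quoted Groovy literal and reference parameters as $ENV_VARS, never via ${param} interpolation.` The `\${HOME}` escape is correct and deliberately leaves HOME to the shell. Returning a closure that every caller must `.call()` is a style choice, but a plain method that runs the step directly would read the same and remove the trap of a forgotten `.call()` silently doing nothing.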