--- /dev/null
+
+node('nordix-nsm-build-ubuntu1804') {
+ build_number = env.BUILD_NUMBER
+ workspace = env.WORKSPACE
+ ws("${workspace}/${build_number}") {
+ def git_project = params.GIT_PROJECT
+ def current_branch = params.CURRENT_BRANCH
+ def default_branch = params.DEFAULT_BRANCH
+ def image_registry = params.IMAGE_REGISTRY
+ def version = params.IMAGE_VERSION
+ def email_recipients = EMAIL_RECIPIENTS
+
+ def cveBadge = addEmbeddableBadgeConfiguration(id: 'meridio-cve', subject: 'CVE', color: 'peru', status: '?')
+
+ timeout(30) {
+ stage('Clone/Checkout') {
+ git branch: default_branch, url: git_project
+ checkout([
+ $class: 'GitSCM',
+ branches: [[name: current_branch]],
+ extensions: [],
+ userRemoteConfigs: [[
+ refspec: '+refs/pull/*/head:refs/remotes/origin/pr/*',
+ url: git_project
+ ]]
+ ])
+ sh 'git show'
+ }
+ stage('Grype') {
+ sh """
+ . ${HOME}/.profile
+ make grype VERSION=${version} REGISTRY=${image_registry}
+ """
+ }
+ stage('Nancy') {
+ sh """
+ . ${HOME}/.profile
+ make nancy
+ """
+ }
+ stage('Trivy') {
+ sh """
+ . ${HOME}/.profile
+ make trivy VERSION=${version} REGISTRY=${image_registry}
+ """
+ }
+ stage('Parse') {
+ sh """
+ . ${HOME}/.profile
+ ./hack/parse_security_scan.sh
+ """
+ }
+ stage('Report') {
+ archiveArtifacts artifacts: '_output/*', followSymlinks: false
+
+ def number_of_cves = sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim()
+ def list_of_cves = sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim()
+ def number_of_high_severity_cves = sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim()
+ def list_of_high_severity_cves = sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim()
+ def git_describe = sh(script: 'git describe --dirty --tags', returnStdout: true).trim()
+ def git_rev = sh(script: 'git rev-parse HEAD', returnStdout: true).trim()
+ def report = sh(script: 'cat _output/report.txt', returnStdout: true).trim()
+
+ def subject = "Meridio - Security Scan - ${number_of_high_severity_cves} high severity CVEs detected"
+ def body = """
+Run: ${RUN_DISPLAY_URL}
+git describe --dirty --tags: ${git_describe}
+git rev-parse HEAD: ${git_rev}
+Image registry: ${image_registry}
+Image Version: ${version}
+
+Number of CVEs: ${number_of_cves}
+List of CVEs: ${list_of_cves}
+
+Number of CVEs with high severity: ${number_of_high_severity_cves}
+List of CVEs with high severity: ${list_of_high_severity_cves}
+
+report:
+${report}
+"""
+ emailext body: "${body}", subject: "${subject}", to: "${email_recipients}"
+
+ cveBadge.setStatus("${number_of_high_severity_cves}")
+ }
+ }
+ stage('Cleanup') {
+ Cleanup()
+ }
+ }
+}
+
+// Cleanup directory
+def Cleanup() {
+ cleanWs()
+}
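Review bot: The Grype and Trivy stages interpolate the job parameters IMAGE_VERSION and IMAGE_REGISTRY straight into the shell script through Groovy GStrings (`make grype VERSION=${version} REGISTRY=${image_registry}`), so a crafted parameter value is expanded by the shell on the build agent rather than treated as data; passing them through `withEnv` and a single-quoted `sh` body, so that the shell itself expands `"$VERSION"` and `"$REGISTRY"`, is the pattern Jenkins recommends for this. The Cleanup stage sits after `timeout(30)` and therefore only runs when every earlier stage succeeds, so with the per-build `ws("${workspace}/${build_number}")` directory and `concurrent: true` in the job definition each failed scan leaves its workspace behind on the agent — a `try { … } finally { Cleanup() }` around the timeout fixes that. The `grep -i "high"` filter in the Report stage matches that word anywhere in a line and presumably skips anything the parser labels critical, so the count in the email subject may not be what recipients expect; worth a comment or a stricter pattern once the format of `_output/list.txt` is known. Minor: `EMAIL_RECIPIENTS` is read as a bare binding while the other parameters use `params.`, so `def email_recipients = params.EMAIL_RECIPIENTS` keeps the reads consistent.
```groovy
    ws("${workspace}/${build_number}") {
        // … unchanged: parameter reads and badge setup …
        try {
            timeout(30) {
                // … unchanged: Clone/Checkout stage …
                stage('Grype') {
                    // Values reach the shell as environment variables; the single-quoted
                    // script is not Groovy-interpolated, so parameter text is never parsed as code.
                    withEnv(["VERSION=${version}", "REGISTRY=${image_registry}"]) {
                        sh '''
                        . "$HOME/.profile"
                        make grype VERSION="$VERSION" REGISTRY="$REGISTRY"
                        '''
                    }
                }
                // … unchanged: Nancy, Trivy (same withEnv pattern as Grype), Parse, Report …
            }
        } finally {
            // Runs on failure and timeout too, so no per-build workspace is left on the agent.
            stage('Cleanup') {
                Cleanup()
            }
        }
    }
```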
--- /dev/null
+---
+# ============LICENSE_START=======================================================
+# Copyright (C) 2021 Nordix Foundation.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+- project:
+ name: 'meridio-periodic-security-scan'
+
+ project: 'meridio-periodic-security-scan'
+
+ jobs:
+ - 'meridio-periodic-security-scan'
+
+- job-template:
+ name: 'meridio-periodic-security-scan'
+ project-type: pipeline
+ disabled: '{obj:disabled}'
+
+ concurrent: true
+
+ properties:
+ - github:
+ url: https://github.com/Nordix/Meridio
+
+ parameters:
+ - string:
+ name: GIT_PROJECT
+ default: "https://github.com/Nordix/Meridio.git"
+ description: Git URL of the project
+ - string:
+ name: CURRENT_BRANCH
+ default: "master"
+ description: Current Git branch
+ - string:
+ name: DEFAULT_BRANCH
+ default: "master"
+ description: default branch
+ - string:
+ name: IMAGE_REGISTRY
+ default: 'registry.nordix.org/cloud-native/meridio'
+ description: Meridio image regsitry
+ - string:
+ name: IMAGE_VERSION
+ default: 'latest'
+ description: Version of the images
+ - string:
+ name: EMAIL_RECIPIENTS
+ default: 'lionel.jouin@est.tech'
+ description: Recipients of the report
+
+ triggers:
+ - timed: '@midnight'
+
+ dsl:
+ !include-raw-escape: Jenkinsfile.security-scan
+
+# vim: set ts=2 sw=2 expandtab:
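Review bot: The job template reads `disabled: '{obj:disabled}'` but the `project` entry above it provides no `disabled` value, so unless a global defaults block in this repository supplies one, JJB will fail to expand the template; adding `disabled: false` under the project entry makes the definition self-contained. The IMAGE_REGISTRY parameter description misspells the word (`description: Meridio image registry`). Since these parameters are interpolated into shell commands by the pipeline script, a short note in the GIT_PROJECT, IMAGE_REGISTRY and IMAGE_VERSION descriptions that the values are passed to `make` and `git` on the agent would tell job operators why they should be restricted to trusted users.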