From: Lionel Jouin
Date: Thu, 29 Sep 2022 09:58:10 +0000 (+0200)
Subject: Meridio: Security Scan Periodic Job
X-Git-Url: https://gerrit.nordix.org/gitweb?a=commitdiff_plain;h=4ca0666d578b56e25a4d90a02b543b6a1268dd92;p=infra%2Fcicd.git
Meridio: Security Scan Periodic Job
Executed at midnight, the job scans the Meridio Images and dependencies using Nancy, Trivy and Grype and then send a report via email.
Change-Id: I9cb99a943e26f6afe157764a916d28ef3f9d2977
---
diff --git a/jjb/nsm/Jenkinsfile.security-scan b/jjb/nsm/Jenkinsfile.security-scan
new file mode 100644
index 00000000..a6eb1f6c
--- /dev/null
+++ b/jjb/nsm/Jenkinsfile.security-scan
@@ -0,0 +1,95 @@
+
+node('nordix-nsm-build-ubuntu1804') {
+ build_number = env.BUILD_NUMBER
+ workspace = env.WORKSPACE
+ ws("${workspace}/${build_number}") {
+ def git_project = params.GIT_PROJECT
+ def current_branch = params.CURRENT_BRANCH
+ def default_branch = params.DEFAULT_BRANCH
+ def image_registry = params.IMAGE_REGISTRY
+ def version = params.IMAGE_VERSION
+ def email_recipients = EMAIL_RECIPIENTS
+
+ def cveBadge = addEmbeddableBadgeConfiguration(id: 'meridio-cve', subject: 'CVE', color: 'peru', status: '?')
+
+ timeout(30) {
+ stage('Clone/Checkout') {
+ git branch: default_branch, url: git_project
+ checkout([
+ $class: 'GitSCM',
+ branches: [[name: current_branch]],
+ extensions: [],
+ userRemoteConfigs: [[
+ refspec: '+refs/pull/*/head:refs/remotes/origin/pr/*',
+ url: git_project
+ ]]
+ ])
+ sh 'git show'
+ }
+ stage('Grype') {
+ sh """
+ . ${HOME}/.profile
+ make grype VERSION=${version} REGISTRY=${image_registry}
+ """
+ }
+ stage('Nancy') {
+ sh """
+ . ${HOME}/.profile
+ make nancy
+ """
+ }
+ stage('Trivy') {
+ sh """
+ . ${HOME}/.profile
+ make trivy VERSION=${version} REGISTRY=${image_registry}
+ """
+ }
+ stage('Parse') {
+ sh """
+ . ${HOME}/.profile
+ ./hack/parse_security_scan.sh
+ """
+ }
+ stage('Report') {
+ archiveArtifacts artifacts: '_output/*', followSymlinks: false
+
+ def number_of_cves = sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim()
+ def list_of_cves = sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim()
+ def number_of_high_severity_cves = sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim()
+ def list_of_high_severity_cves = sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim()
+ def git_describe = sh(script: 'git describe --dirty --tags', returnStdout: true).trim()
+ def git_rev = sh(script: 'git rev-parse HEAD', returnStdout: true).trim()
+ def report = sh(script: 'cat _output/report.txt', returnStdout: true).trim()
+
+ def subject = "Meridio - Security Scan - ${number_of_high_severity_cves} high severity CVEs detected"
+ def body = """
+Run: ${RUN_DISPLAY_URL}
+git describe --dirty --tags: ${git_describe}
+git rev-parse HEAD: ${git_rev}
+Image registry: ${image_registry}
+Image Version: ${version}
+
+Number of CVEs: ${number_of_cves}
+List of CVEs: ${list_of_cves}
+
+Number of CVEs with high severity: ${number_of_high_severity_cves}
+List of CVEs with high severity: ${list_of_high_severity_cves}
+
+report:
+${report}
+"""
+ emailext body: "${body}", subject: "${subject}", to: "${email_recipients}"
+
+ cveBadge.setStatus("${number_of_high_severity_cves}")
+ }
+ }
+ stage('Cleanup') {
+ Cleanup()
+ }
+ }
+}
+
+// Cleanup directory
+def Cleanup() {
+ cleanWs()
+}
diff --git a/jjb/nsm/meridio-periodic-security-scan.yaml b/jjb/nsm/meridio-periodic-security-scan.yaml
new file mode 100644
index 00000000..8c5641ca
--- /dev/null
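Review bot: In the Report stage the severity filter is `grep -i "high"`, so if `hack/parse_security_scan.sh` emits the scanners' own severity labels, Critical findings are left out of the `number_of_high_severity_cves` count, the mail subject and the CVE badge; `grep -iE "high|critical"` (or a separate critical count shown first in the subject) would make the headline reflect the worst severity found. The same pipelines print `0` when `_output/list.txt` is absent, because without pipefail the status of `cat _output/list.txt | … | wc -l` is that of `wc`, so a parser failure reads as a clean scan — guard with `if (!fileExists('_output/list.txt')) { error 'parse_security_scan.sh produced no _output/list.txt' }` before the counts. The Grype and Trivy stages interpolate the job parameters `${version}` and `${image_registry}` into `sh """` scripts on the Groovy side; both are already available to the shell as build-parameter environment variables, so `sh '''. "$HOME/.profile"; make grype VERSION="$IMAGE_VERSION" REGISTRY="$IMAGE_REGISTRY"'''` lets the shell expand them and keeps parameter content out of the script text, which is the pattern Jenkins recommends for parameter-driven shell steps. `Cleanup()` is an ordinary stage after `timeout(30)`, so a failed or timed-out scan leaves `${workspace}/${build_number}` behind and sends no mail; wrapping the stages in `try { … } finally { Cleanup() }` would make the cleanup unconditional, and an `emailext` in a `catch` would surface scan failures instead of leaving the badge at `?`.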
+++ b/jjb/nsm/meridio-periodic-security-scan.yaml 
@@ -0,0 +1,71 @@
+---
+# ============LICENSE_START=======================================================
+# Copyright (C) 2021 Nordix Foundation.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+- project:
+ name: 'meridio-periodic-security-scan'
+
+ project: 'meridio-periodic-security-scan'
+
+ jobs:
+ - 'meridio-periodic-security-scan'
+
+- job-template:
+ name: 'meridio-periodic-security-scan'
+ project-type: pipeline
+ disabled: '{obj:disabled}'
+
+ concurrent: true
+
+ properties:
+ - github:
+ url: https://github.com/Nordix/Meridio
+
+ parameters:
+ - string:
+ name: GIT_PROJECT
+ default: "https://github.com/Nordix/Meridio.git"
+ description: Git URL of the project
+ - string:
+ name: CURRENT_BRANCH
+ default: "master"
+ description: Current Git branch
+ - string:
+ name: DEFAULT_BRANCH
+ default: "master"
+ description: default branch
+ - string:
+ name: IMAGE_REGISTRY
+ default: 'registry.nordix.org/cloud-native/meridio'
+ description: Meridio image regsitry
+ - string:
+ name: IMAGE_VERSION
+ default: 'latest'
+ description: Version of the images
+ - string:
+ name: EMAIL_RECIPIENTS
+ default: 'lionel.jouin@est.tech'
+ description: Recipients of the report
+
+ triggers:
+ - timed: '@midnight'
+
+ dsl:
+ !include-raw-escape: Jenkinsfile.security-scan
+
+# vim: set ts=2 sw=2 expandtab:
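Review bot: The job-template sets `disabled: '{obj:disabled}'` but the `project` entry above it defines no `disabled` key, so unless a shared defaults file in this repository supplies it, JJB template expansion will fail on the missing variable; adding `disabled: false` to the project entry (or hard-coding it in the template) resolves that. `IMAGE_VERSION` defaults to the mutable `latest` tag, so the emailed report identifies the scanned images only by a tag that can point at a different build the next day — defaulting to a pinned version, or having the pipeline record the resolved image digest, would make each finding traceable to a specific image. `EMAIL_RECIPIENTS` defaults to a single personal mailbox, so the nightly report depends on one inbox; a team distribution list would avoid that. The `IMAGE_REGISTRY` parameter text has a typo: `description: Meridio image regsitry` should read `description: Meridio image registry`.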