From 4b6b6f592d9dcccfeb35d5a190e41e48494c8cb0 Mon Sep 17 00:00:00 2001 From: Lionel Jouin Date: Fri, 14 Oct 2022 16:22:23 +0200 Subject: [PATCH] Meridio: Images renamed, scanner, error handler - load-balancer has been renamed to stateless-lb - ctraffic has been renamed to example-target - Exclude example-target from being scanned - Better error message on failing job - Add Zoltan and Lars as admin of the Github PRs Change-Id: Ibeec01ff516c4d2c6fef4afc3eba292198e6679a --- jjb/nsm/Jenkinsfile | 61 +++++++++++---------- jjb/nsm/Jenkinsfile.security-scan | 57 ++++++++++--------- jjb/nsm/meridio-periodic-security-scan.yaml | 4 ++ jjb/nsm/meridio-periodic.yaml | 2 +- jjb/nsm/meridio-pull-request.yaml | 4 +- 5 files changed, 70 insertions(+), 58 deletions(-) diff --git a/jjb/nsm/Jenkinsfile b/jjb/nsm/Jenkinsfile index fced230b..e54acf6a 100644 --- a/jjb/nsm/Jenkinsfile +++ b/jjb/nsm/Jenkinsfile @@ -24,6 +24,9 @@ in_progress = 'In Progress.' completed = 'Completed.' failed = 'Failed' +exception_message_exec = 'failed to execute the following command: ' +exception_message_code_generation = 'Generated code verification failed' + node('nordix-nsm-build-ubuntu1804') { build_number = env.BUILD_NUMBER workspace = env.WORKSPACE @@ -97,16 +100,14 @@ def UnitTests() { return { def context = 'Unit Tests' stage('Unit Tests') { + def command = 'make test' try { SetBuildStatus(in_progress, context, pending) - sh ''' - . \${HOME}/.profile - make test - ''' + ExecSh(command).call() SetBuildStatus(completed, context, success) } catch (Exception e) { SetBuildStatus(failed, context, failure) - Error(e).call() + Error(exception_message_exec + command).call() } } } 
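Review bot: The catch block of the Unit Tests stage now raises `Error(exception_message_exec + command).call()` and discards `e`, so whatever reason the `sh` step attached to the failure no longer reaches the job log or the build status; the same pattern appears in the Linter hunk (@@ -117) and the Build hunk (@@ -218). Appending the original message keeps the new prefix without losing the cause: `Error("${exception_message_exec}${command}: ${e.message}").call()`. The command text itself is reported either way, which is the improvement this commit is after.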
@@ -117,16 +118,14 @@ def Linter() { return { def context = 'Linter' stage('Linter') { + def command = 'make lint' try { SetBuildStatus(in_progress, context, pending) - sh ''' - . \${HOME}/.profile - make lint - ''' + ExecSh(command).call() SetBuildStatus(completed, context, success) } catch (Exception e) { SetBuildStatus(failed, context, failure) - Error(e).call() + Error(exception_message_exec + command).call() } } } @@ -140,38 +139,29 @@ def Linter() { def GeneratedCode() { return { def context = 'Generated code verification' - def exception_message = 'Generated code verification failed' SetBuildStatus(in_progress, context, pending) stage('go mod tidy') { + def command = 'go mod tidy' try { - sh ''' - . \${HOME}/.profile - go mod tidy - ''' + ExecSh(command).call() if (GetModifiedFiles() != '') { - throw new Exception(exception_message) + throw new Exception(exception_message_code_generation) } } catch (Exception e) { SetBuildStatus(failed, context, failure) - sh 'git diff' - sh 'git status -s' - Error(e).call() + Error(exception_message_exec + command).call() } } stage('go generate ./...') { + def command = 'make generate' try { - sh ''' - . \${HOME}/.profile - make generate - ''' + ExecSh(command).call() if (GetModifiedFiles() != '') { - throw new Exception(exception_message) + throw new Exception(exception_message_code_generation) } } catch (Exception e) { SetBuildStatus(failed, context, failure) - sh 'git diff' - sh 'git status -s' - Error(e).call() + Error(exception_message_exec + command).call() } } stage('Proto') { 
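Review bot: In both the `go mod tidy` and `go generate ./...` stages the new `throw new Exception(exception_message_code_generation)` lands in the same `catch (Exception e)` that reports `exception_message_exec + command`, so a generated-code mismatch is announced as "failed to execute the following command: go mod tidy" although the command succeeded, and the message this commit introduces is never shown. Distinguishing the two cases in the catch fixes it without restructuring: `Error(e.message == exception_message_code_generation ? e.message : exception_message_exec + command).call()`. The `git diff`/`git status -s` output that used to be printed here is now produced by Error() itself, so that diagnostic is preserved.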
@@ -218,13 +208,14 @@ def Build(image, version, build_steps, registry, local_version) { def in_progress_message = "${in_progress} (${build_steps})" def completed_message = "${completed} (${build_steps})" def failed_message = "${failed} (${build_steps})" + def command = "make ${image} VERSION=${version} BUILD_STEPS='${build_steps}' REGISTRY=${registry} LOCAL_VERSION=${local_version} BASE_IMAGE=${base_image}:${local_version}" try { SetBuildStatus(in_progress_message, context, pending) - sh "make ${image} VERSION=${version} BUILD_STEPS='${build_steps}' REGISTRY=${registry} LOCAL_VERSION=${local_version} BASE_IMAGE=${base_image}:${local_version}" + ExecSh(command).call() SetBuildStatus(completed_message, context, success) } catch (Exception e) { SetBuildStatus(failed_message, context, failure) - Error(e).call() + Error(exception_message_exec + command).call() } } } @@ -247,6 +238,8 @@ def E2e(e2e_enabled) { // Raise error in Jenkins job def Error(e) { return { + sh 'git diff' + sh 'git status -s' Cleanup() error e } @@ -257,6 +250,16 @@ def Cleanup() { cleanWs() } +// Execute command +def ExecSh(command) { + return { + sh """ + . \${HOME}/.profile + ${command} + """ + } +} + // Set the commit status on Github // https://plugins.jenkins.io/github/#plugin-content-pipeline-examples def SetBuildStatus(String message, String context, String state) { diff --git a/jjb/nsm/Jenkinsfile.security-scan b/jjb/nsm/Jenkinsfile.security-scan index a6eb1f6c..708a3a00 100644 --- a/jjb/nsm/Jenkinsfile.security-scan +++ b/jjb/nsm/Jenkinsfile.security-scan 
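Review bot: `sh 'git diff'` and `sh 'git status -s'` in Error() are plain `sh` steps, so if either exits non-zero — for instance when the workspace is not a git checkout because the Clone stage itself failed, or it was already cleaned — the step throws, `Cleanup()` is skipped and the original message `e` is never raised, leaving a git error in place of the real cause. Since both are diagnostics, let them fail softly: `sh(script: 'git diff', returnStatus: true)` and `sh(script: 'git status -s', returnStatus: true)`. They now also run for every failure, including Build failures, which is harmless but worth a word in the `// Raise error in Jenkins job` comment.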
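Review bot: The `// Execute command` comment on ExecSh() says nothing about its contract: `command` is interpolated straight into the body of the shell script, which runs after sourcing `${HOME}/.profile`, so callers effectively hand it shell syntax — Build's command string already embeds the `version`, `registry` and `local_version` job parameters. A comment such as `// Run \`command\` in a shell that has sourced ${HOME}/.profile. The string is spliced into the script verbatim, so build it only from trusted values; returns a closure, call it with .call().` makes that explicit. The identical helper is added to Jenkinsfile.security-scan in the @@ -93 hunk and needs the same note.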
@@ -9,8 +9,9 @@ node('nordix-nsm-build-ubuntu1804') { def image_registry = params.IMAGE_REGISTRY def version = params.IMAGE_VERSION def email_recipients = EMAIL_RECIPIENTS + def image_names = IMAGE_NAMES - def cveBadge = addEmbeddableBadgeConfiguration(id: 'meridio-cve', subject: 'CVE', color: 'peru', status: '?') + def vulnerabilityBadge = addEmbeddableBadgeConfiguration(id: 'meridio-vulnerabilities', subject: 'vulnerabilities', color: 'peru', status: '?') timeout(30) { stage('Clone/Checkout') { 
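Review bot: `def image_names = IMAGE_NAMES` reads the new parameter as a bare script binding while `image_registry` and `version` a few lines above go through `params.`; `def image_names = params.IMAGE_NAMES` keeps the three consistent and, as far as I know, yields null rather than a MissingPropertyException if the job definition ever lacks the parameter. Separately, the badge id changes from `meridio-cve` to `meridio-vulnerabilities`, so anything that embeds the old badge URL (presumably a README) stops updating; worth checking in the same change.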
@@ -27,41 +28,33 @@ node('nordix-nsm-build-ubuntu1804') { sh 'git show' } stage('Grype') { - sh """ - . ${HOME}/.profile - make grype VERSION=${version} REGISTRY=${image_registry} - """ + def command = "make grype VERSION=${version} REGISTRY=${image_registry} IMAGES='${image_names}'" + ExecSh(command).call() } stage('Nancy') { - sh """ - . ${HOME}/.profile - make nancy - """ + def command = 'make nancy' + ExecSh(command).call() } stage('Trivy') { - sh """ - . ${HOME}/.profile - make trivy VERSION=${version} REGISTRY=${image_registry} - """ + def command = "make trivy VERSION=${version} REGISTRY=${image_registry} IMAGES='${image_names}'" + ExecSh(command).call() } stage('Parse') { - sh """ - . ${HOME}/.profile - ./hack/parse_security_scan.sh - """ + def command = './hack/parse_security_scan.sh' + ExecSh(command).call() } stage('Report') { archiveArtifacts artifacts: '_output/*', followSymlinks: false - def number_of_cves = sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim() - def list_of_cves = sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim() - def number_of_high_severity_cves = sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim() - def list_of_high_severity_cves = sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim() + def number_of_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim() + def list_of_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim() + def number_of_high_severity_vulnerabilities = sh(script: 'cat 
_output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim() + def list_of_high_severity_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim() def git_describe = sh(script: 'git describe --dirty --tags', returnStdout: true).trim() def git_rev = sh(script: 'git rev-parse HEAD', returnStdout: true).trim() def report = sh(script: 'cat _output/report.txt', returnStdout: true).trim() - def subject = "Meridio - Security Scan - ${number_of_high_severity_cves} high severity CVEs detected" + def subject = "Meridio - Security Scan - ${number_of_high_severity_vulnerabilities} high severity vulnerabilities detected" def body = """ Run: ${RUN_DISPLAY_URL} git describe --dirty --tags: ${git_describe} @@ -69,18 +62,18 @@ git rev-parse HEAD: ${git_rev} Image registry: ${image_registry} Image Version: ${version} -Number of CVEs: ${number_of_cves} -List of CVEs: ${list_of_cves} +Number of vulnerabilities: ${number_of_vulnerabilities} +List of vulnerabilities: ${list_of_vulnerabilities} -Number of CVEs with high severity: ${number_of_high_severity_cves} -List of CVEs with high severity: ${list_of_high_severity_cves} +Number of vulnerabilities with high severity: ${number_of_high_severity_vulnerabilities} +List of vulnerabilities with high severity: ${list_of_high_severity_vulnerabilities} report: ${report} """ emailext body: "${body}", subject: "${subject}", to: "${email_recipients}" - cveBadge.setStatus("${number_of_high_severity_cves}") + vulnerabilityBadge.setStatus("${number_of_vulnerabilities}") } } stage('Cleanup') { @@ -93,3 +86,13 @@ ${report} def Cleanup() { cleanWs() } + +// Execute command +def ExecSh(command) { + return { + sh """ + . \${HOME}/.profile + ${command} + """ + } +} 
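Review bot: The Grype and Trivy commands now take `IMAGES='${image_names}'` from the IMAGE_NAMES job parameter and nothing validates the value, so a run with an empty or mistyped list would presumably scan fewer images (or none) while the Report stage still emails a result and updates the badge — scan coverage shrinks silently. A guard before the scan stages makes that visible: `if (!image_names?.trim()) { error 'IMAGE_NAMES must list the images to scan' }`. Like `version` and `image_registry`, the parameter is spliced verbatim into the shell script that ExecSh builds, so it should only ever carry the plain space-separated image names the job definition documents.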
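Review bot: `vulnerabilityBadge.setStatus("${number_of_vulnerabilities}")` changes what the badge shows: the old `cveBadge` displayed `number_of_high_severity_cves`, the new one displays the total count, and neither the hunk nor the commit message says this is intended — the email subject built just above still reports the high-severity count. If the total is wanted, a comment above the call, `// badge shows the total count; the e-mail subject reports only high severity`, stops the next reader from "fixing" it; otherwise pass `number_of_high_severity_vulnerabilities` here.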
diff --git a/jjb/nsm/meridio-periodic-security-scan.yaml b/jjb/nsm/meridio-periodic-security-scan.yaml index 8c5641ca..9cf718f6 100644 --- a/jjb/nsm/meridio-periodic-security-scan.yaml +++ b/jjb/nsm/meridio-periodic-security-scan.yaml @@ -61,6 +61,10 @@ name: EMAIL_RECIPIENTS default: 'lionel.jouin@est.tech' description: Recipients of the report + - string: + name: IMAGE_NAMES + default: 'stateless-lb proxy tapa ipam nsp frontend' + description: Images to compile triggers: - timed: '@midnight' diff --git a/jjb/nsm/meridio-periodic.yaml b/jjb/nsm/meridio-periodic.yaml index 9ffe7e9d..631f5fdc 100644 --- a/jjb/nsm/meridio-periodic.yaml +++ b/jjb/nsm/meridio-periodic.yaml @@ -53,7 +53,7 @@ description: JJB configured PROJECT parameter to identify a Nordix GitHub project - string: name: IMAGE_NAMES - default: 'load-balancer proxy tapa ipam nsp ctraffic frontend' + default: 'stateless-lb proxy tapa ipam nsp example-target frontend' description: Images to compile - string: name: IMAGE_VERSION diff --git a/jjb/nsm/meridio-pull-request.yaml b/jjb/nsm/meridio-pull-request.yaml index 61e341f4..40cd3b18 100644 --- a/jjb/nsm/meridio-pull-request.yaml +++ b/jjb/nsm/meridio-pull-request.yaml @@ -54,7 +54,7 @@ description: JJB configured PROJECT parameter to identify a Nordix GitHub project - string: name: IMAGE_NAMES - default: 'load-balancer proxy tapa ipam nsp ctraffic frontend' + default: 'stateless-lb proxy tapa ipam nsp example-target frontend' description: Images to compile - string: name: IMAGE_VERSION @@ -90,6 +90,8 @@ - github-pull-request: admin-list: - LionelJouin + - uablrek + - zolug auth-id: '{ghprb-auth-id}' github-hooks: true permit-all: true -- 2.25.1
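Review bot: The new IMAGE_NAMES parameter in meridio-periodic-security-scan.yaml carries `description: Images to compile`, copied from the build jobs, but in this job the list selects which images Grype and Trivy scan; `description: Images to scan (space separated)` describes it correctly. The default deliberately omits example-target (the commit message says it is excluded from scanning) while the periodic job's default in the @@ -53 hunk still builds it, so a reader of the YAML cannot tell whether the omission is intentional. A comment next to the default, e.g. `# example-target is intentionally not scanned`, records the decision and keeps anyone from re-adding it or from wondering whether a built image goes unscanned.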