Meridio: Images renamed, scanner, error handler
- load-balancer has been renamed to stateless-lb
- ctraffic has been renamed to example-target
- Exclude example-target from being scanned
- Better error message on failing job
- Add Zoltan and Lars as admins of the GitHub PRs
Change-Id: Ibeec01ff516c4d2c6fef4afc3eba292198e6679a
diff --git a/jjb/nsm/Jenkinsfile b/jjb/nsm/Jenkinsfile
index fced230..e54acf6 100644
--- a/jjb/nsm/Jenkinsfile
+++ b/jjb/nsm/Jenkinsfile
@@ -24,6 +24,9 @@
completed = 'Completed.'
failed = 'Failed'
+exception_message_exec = 'failed to execute the following command: '
+exception_message_code_generation = 'Generated code verification failed'
+
node('nordix-nsm-build-ubuntu1804') {
build_number = env.BUILD_NUMBER
workspace = env.WORKSPACE
@@ -97,16 +100,14 @@
return {
def context = 'Unit Tests'
stage('Unit Tests') {
+ def command = 'make test'
try {
SetBuildStatus(in_progress, context, pending)
- sh '''
- . \${HOME}/.profile
- make test
- '''
+ ExecSh(command).call()
SetBuildStatus(completed, context, success)
} catch (Exception e) {
SetBuildStatus(failed, context, failure)
- Error(e).call()
+ Error(exception_message_exec + command).call()
}
}
}
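Review bot: The new catch line `Error(exception_message_exec + command).call()` throws away the caught exception `e`, so the job's failure text now says only which command ran and never why it failed, and a failure of `SetBuildStatus` inside the same `try` is reported as a failed `make test`. Keeping the cause is a one-line change, e.g. `Error(exception_message_exec + command + ': ' + e.getMessage()).call()`. The same replacement is made in the Linter, GeneratedCode and image-build hunks below; the enclosing function of this closure starts outside the hunk.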
@@ -117,16 +118,14 @@
return {
def context = 'Linter'
stage('Linter') {
+ def command = 'make lint'
try {
SetBuildStatus(in_progress, context, pending)
- sh '''
- . \${HOME}/.profile
- make lint
- '''
+ ExecSh(command).call()
SetBuildStatus(completed, context, success)
} catch (Exception e) {
SetBuildStatus(failed, context, failure)
- Error(e).call()
+ Error(exception_message_exec + command).call()
}
}
}
@@ -140,38 +139,29 @@
def GeneratedCode() {
return {
def context = 'Generated code verification'
- def exception_message = 'Generated code verification failed'
SetBuildStatus(in_progress, context, pending)
stage('go mod tidy') {
+ def command = 'go mod tidy'
try {
- sh '''
- . \${HOME}/.profile
- go mod tidy
- '''
+ ExecSh(command).call()
if (GetModifiedFiles() != '') {
- throw new Exception(exception_message)
+ throw new Exception(exception_message_code_generation)
}
} catch (Exception e) {
SetBuildStatus(failed, context, failure)
- sh 'git diff'
- sh 'git status -s'
- Error(e).call()
+ Error(exception_message_exec + command).call()
}
}
stage('go generate ./...') {
+ def command = 'make generate'
try {
- sh '''
- . \${HOME}/.profile
- make generate
- '''
+ ExecSh(command).call()
if (GetModifiedFiles() != '') {
- throw new Exception(exception_message)
+ throw new Exception(exception_message_code_generation)
}
} catch (Exception e) {
SetBuildStatus(failed, context, failure)
- sh 'git diff'
- sh 'git status -s'
- Error(e).call()
+ Error(exception_message_exec + command).call()
}
}
stage('Proto') {
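Review bot: In both the `go mod tidy` and `make generate` stages the `throw new Exception(exception_message_code_generation)` is caught two lines later and replaced by `Error(exception_message_exec + command)`, so the "Generated code verification failed" constant this hunk introduces is never surfaced, and a verification failure is reported as a failed `go mod tidy` / `make generate` even though the command itself exited 0. Either move the `GetModifiedFiles()` check out of the `try` and call `Error(exception_message_code_generation).call()` directly on a non-empty result, or include `e.getMessage()` in the `Error` argument. `GeneratedCode()` continues past the end of this hunk (the `Proto` stage).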
@@ -218,13 +208,14 @@
def in_progress_message = "${in_progress} (${build_steps})"
def completed_message = "${completed} (${build_steps})"
def failed_message = "${failed} (${build_steps})"
+ def command = "make ${image} VERSION=${version} BUILD_STEPS='${build_steps}' REGISTRY=${registry} LOCAL_VERSION=${local_version} BASE_IMAGE=${base_image}:${local_version}"
try {
SetBuildStatus(in_progress_message, context, pending)
- sh "make ${image} VERSION=${version} BUILD_STEPS='${build_steps}' REGISTRY=${registry} LOCAL_VERSION=${local_version} BASE_IMAGE=${base_image}:${local_version}"
+ ExecSh(command).call()
SetBuildStatus(completed_message, context, success)
} catch (Exception e) {
SetBuildStatus(failed_message, context, failure)
- Error(e).call()
+ Error(exception_message_exec + command).call()
}
}
}
@@ -247,6 +238,8 @@
// Raise error in Jenkins job
def Error(e) {
return {
+ sh 'git diff'
+ sh 'git status -s'
Cleanup()
error e
}
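Review bot: The added `sh 'git diff'` and `sh 'git status -s'` now run on every failure path before `Cleanup()`, and a non-zero exit from either (no checkout yet, workspace already cleaned) makes the `sh` step throw, so neither `Cleanup()` nor `error e` executes and the original failure text is lost. Making the diagnostics best-effort keeps the function's contract: `sh script: 'git diff', returnStatus: true` and `sh script: 'git status -s', returnStatus: true`. Since callers now pass a String rather than the exception, the comment could say so: `// Fail the build with message e after printing the working-tree state and cleaning the workspace`.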
@@ -257,6 +250,16 @@
cleanWs()
}
+// Execute command
+def ExecSh(command) {
+ return {
+ sh """
+ . \${HOME}/.profile
+ ${command}
+ """
+ }
+}
+
// Set the commit status on Github
// https://plugins.jenkins.io/github/#plugin-content-pipeline-examples
def SetBuildStatus(String message, String context, String state) {
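Review bot: `ExecSh` expands `${command}` with Groovy before the shell runs, so whatever callers interpolate into the command string (job parameters such as `${version}`, `${registry}`, `${image}` in the image-build hunk) reaches the shell as unquoted text; the function's comment should state that contract, e.g. `// Run COMMAND in a shell that has sourced ~/.profile; the step fails on non-zero exit. COMMAND is interpolated by Groovy, so pass parameter values via environment variables rather than building them into the string.` A safer call shape is `withEnv(["VERSION=${version}"]) { ExecSh('make build VERSION="$VERSION"').call() }`, which lets the shell do the expansion. An identical copy of `ExecSh` is added to Jenkinsfile.security-scan in the same commit; a shared library function would keep the two from drifting. `SetBuildStatus` on the last line of the hunk continues outside it.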
diff --git a/jjb/nsm/Jenkinsfile.security-scan b/jjb/nsm/Jenkinsfile.security-scan
index a6eb1f6..708a3a0 100644
--- a/jjb/nsm/Jenkinsfile.security-scan
+++ b/jjb/nsm/Jenkinsfile.security-scan
@@ -9,8 +9,9 @@
def image_registry = params.IMAGE_REGISTRY
def version = params.IMAGE_VERSION
def email_recipients = EMAIL_RECIPIENTS
+ def image_names = IMAGE_NAMES
- def cveBadge = addEmbeddableBadgeConfiguration(id: 'meridio-cve', subject: 'CVE', color: 'peru', status: '?')
+ def vulnerabilityBadge = addEmbeddableBadgeConfiguration(id: 'meridio-vulnerabilities', subject: 'vulnerabilities', color: 'peru', status: '?')
timeout(30) {
stage('Clone/Checkout') {
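Review bot: `def image_names = IMAGE_NAMES` reads the bare global while the two lines above read the same kind of job parameter through `params.IMAGE_REGISTRY` and `params.IMAGE_VERSION`; `def image_names = params.IMAGE_NAMES` keeps the parameter reads in one style and makes the source of the value explicit. The `timeout(30)` block opened here continues outside the hunk.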
@@ -27,41 +28,33 @@
sh 'git show'
}
stage('Grype') {
- sh """
- . ${HOME}/.profile
- make grype VERSION=${version} REGISTRY=${image_registry}
- """
+ def command = "make grype VERSION=${version} REGISTRY=${image_registry} IMAGES='${image_names}'"
+ ExecSh(command).call()
}
stage('Nancy') {
- sh """
- . ${HOME}/.profile
- make nancy
- """
+ def command = 'make nancy'
+ ExecSh(command).call()
}
stage('Trivy') {
- sh """
- . ${HOME}/.profile
- make trivy VERSION=${version} REGISTRY=${image_registry}
- """
+ def command = "make trivy VERSION=${version} REGISTRY=${image_registry} IMAGES='${image_names}'"
+ ExecSh(command).call()
}
stage('Parse') {
- sh """
- . ${HOME}/.profile
- ./hack/parse_security_scan.sh
- """
+ def command = './hack/parse_security_scan.sh'
+ ExecSh(command).call()
}
stage('Report') {
archiveArtifacts artifacts: '_output/*', followSymlinks: false
- def number_of_cves = sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim()
- def list_of_cves = sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim()
- def number_of_high_severity_cves = sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim()
- def list_of_high_severity_cves = sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim()
+ def number_of_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim()
+ def list_of_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim()
+ def number_of_high_severity_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim()
+ def list_of_high_severity_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim()
def git_describe = sh(script: 'git describe --dirty --tags', returnStdout: true).trim()
def git_rev = sh(script: 'git rev-parse HEAD', returnStdout: true).trim()
def report = sh(script: 'cat _output/report.txt', returnStdout: true).trim()
- def subject = "Meridio - Security Scan - ${number_of_high_severity_cves} high severity CVEs detected"
+ def subject = "Meridio - Security Scan - ${number_of_high_severity_vulnerabilities} high severity vulnerabilities detected"
def body = """
Run: ${RUN_DISPLAY_URL}
git describe --dirty --tags: ${git_describe}
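Review bot: The Grype and Trivy command strings embed the `IMAGE_NAMES` parameter inside single quotes (`IMAGES='${image_names}'`) and `${version}`/`${image_registry}` with no quoting at all, and `ExecSh` hands the Groovy-expanded result to `sh`; a parameter value containing a quote or shell metacharacter changes the command rather than being passed as data, which is the Groovy-interpolation-into-`sh` pattern the Jenkins pipeline docs warn about. Letting the shell expand environment variables avoids that, e.g. `withEnv(["IMAGE_NAMES=${image_names}", "VERSION=${version}", "REGISTRY=${image_registry}"]) { ExecSh('make grype VERSION="$VERSION" REGISTRY="$REGISTRY" IMAGES="$IMAGE_NAMES"').call() }`, and the same applies to the Trivy stage. The `body` GString opened at the end of the hunk continues outside it.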
@@ -69,18 +62,18 @@
Image registry: ${image_registry}
Image Version: ${version}
-Number of CVEs: ${number_of_cves}
-List of CVEs: ${list_of_cves}
+Number of vulnerabilities: ${number_of_vulnerabilities}
+List of vulnerabilities: ${list_of_vulnerabilities}
-Number of CVEs with high severity: ${number_of_high_severity_cves}
-List of CVEs with high severity: ${list_of_high_severity_cves}
+Number of vulnerabilities with high severity: ${number_of_high_severity_vulnerabilities}
+List of vulnerabilities with high severity: ${list_of_high_severity_vulnerabilities}
report:
${report}
"""
emailext body: "${body}", subject: "${subject}", to: "${email_recipients}"
- cveBadge.setStatus("${number_of_high_severity_cves}")
+ vulnerabilityBadge.setStatus("${number_of_vulnerabilities}")
}
}
stage('Cleanup') {
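Review bot: `vulnerabilityBadge.setStatus("${number_of_vulnerabilities}")` changes what the badge reports: the removed line showed the high-severity count, while the new one shows the total, and the email `subject` two lines earlier still leads with the high-severity number, so badge and subject now disagree. If the badge is meant to keep tracking high severity, the line should be `vulnerabilityBadge.setStatus("${number_of_high_severity_vulnerabilities}")`; if the change is intentional, a short comment above it saying the badge shows the total count would stop the next reader from "fixing" it. The `body` GString closed at the top of this hunk opens outside it.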
@@ -93,3 +86,13 @@
def Cleanup() {
cleanWs()
}
+
+// Execute command
+def ExecSh(command) {
+ return {
+ sh """
+ . \${HOME}/.profile
+ ${command}
+ """
+ }
+}
diff --git a/jjb/nsm/meridio-periodic-security-scan.yaml b/jjb/nsm/meridio-periodic-security-scan.yaml
index 8c5641c..9cf718f 100644
--- a/jjb/nsm/meridio-periodic-security-scan.yaml
+++ b/jjb/nsm/meridio-periodic-security-scan.yaml
@@ -61,6 +61,10 @@
name: EMAIL_RECIPIENTS
default: 'lionel.jouin@est.tech'
description: Recipients of the report
+ - string:
+ name: IMAGE_NAMES
+ default: 'stateless-lb proxy tapa ipam nsp frontend'
+ description: Images to compile
triggers:
- timed: '@midnight'
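Review bot: The new `IMAGE_NAMES` parameter carries `description: Images to compile`, copied from the build jobs, but in this job the value is passed to `make grype`/`make trivy` as `IMAGES=...`, so `description: Images to scan` describes what it actually controls. Noting in the description that `example-target` is intentionally left out of the default (as the commit message says) would also keep someone from re-adding it.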
diff --git a/jjb/nsm/meridio-periodic.yaml b/jjb/nsm/meridio-periodic.yaml
index 9ffe7e9..631f5fd 100644
--- a/jjb/nsm/meridio-periodic.yaml
+++ b/jjb/nsm/meridio-periodic.yaml
@@ -53,7 +53,7 @@
description: JJB configured PROJECT parameter to identify a Nordix GitHub project
- string:
name: IMAGE_NAMES
- default: 'load-balancer proxy tapa ipam nsp ctraffic frontend'
+ default: 'stateless-lb proxy tapa ipam nsp example-target frontend'
description: Images to compile
- string:
name: IMAGE_VERSION
diff --git a/jjb/nsm/meridio-pull-request.yaml b/jjb/nsm/meridio-pull-request.yaml
index 61e341f..40cd3b1 100644
--- a/jjb/nsm/meridio-pull-request.yaml
+++ b/jjb/nsm/meridio-pull-request.yaml
@@ -54,7 +54,7 @@
description: JJB configured PROJECT parameter to identify a Nordix GitHub project
- string:
name: IMAGE_NAMES
- default: 'load-balancer proxy tapa ipam nsp ctraffic frontend'
+ default: 'stateless-lb proxy tapa ipam nsp example-target frontend'
description: Images to compile
- string:
name: IMAGE_VERSION
@@ -90,6 +90,8 @@
- github-pull-request:
admin-list:
- LionelJouin
+ - uablrek
+ - zolug
auth-id: '{ghprb-auth-id}'
github-hooks: true
permit-all: true