| /* |
| Copyright (c) 2022 Nordix Foundation |
| |
| Licensed under the Apache License, Version 2.0 (the "License"); |
| you may not use this file except in compliance with the License. |
| You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| */ |
| import org.jenkinsci.plugins.pipeline.modeldefinition.Utils |
| |
| node('nordix-nsm-build-ubuntu1804') { |
| build_number = env.BUILD_NUMBER |
| workspace = env.WORKSPACE |
| ws("${workspace}/${build_number}") { |
| def git_project = params.GIT_PROJECT |
| def current_branch = params.CURRENT_BRANCH |
| def default_branch = params.DEFAULT_BRANCH |
| def image_registry = params.IMAGE_REGISTRY |
| def version = params.IMAGE_VERSION |
| def email_recipients = EMAIL_RECIPIENTS |
| def image_names = IMAGE_NAMES |
| |
| def vulnerabilityBadge = addEmbeddableBadgeConfiguration(id: 'meridio-vulnerabilities', subject: 'vulnerabilities', color: 'peru', status: '?') |
| |
| timeout(30) { |
| stage('Clone/Checkout') { |
| git branch: default_branch, url: git_project |
| checkout([ |
| $class: 'GitSCM', |
| branches: [[name: current_branch]], |
| extensions: [], |
| userRemoteConfigs: [[ |
| refspec: '+refs/pull/*/head:refs/remotes/origin/pr/*', |
| url: git_project |
| ]] |
| ]) |
| sh 'git show' |
| } |
| stage('Grype') { |
| def command = "make grype VERSION=${version} REGISTRY=${image_registry} IMAGES='${image_names}'" |
| ExecSh(command).call() |
| } |
| stage('Nancy') { |
| def command = 'make nancy' |
| ExecSh(command).call() |
| } |
| stage('Trivy') { |
| def command = "make trivy VERSION=${version} REGISTRY=${image_registry} IMAGES='${image_names}'" |
| ExecSh(command).call() |
| } |
| stage('Parse') { |
| def command = './hack/parse_security_scan.sh' |
| ExecSh(command).call() |
| } |
| stage('Report') { |
| if (env.DRY_RUN != 'true') { |
| archiveArtifacts artifacts: '_output/*', followSymlinks: false |
| |
| def number_of_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim() |
| def list_of_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim() |
| def number_of_high_severity_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim() |
| def list_of_high_severity_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim() |
| def git_describe = sh(script: 'git describe --dirty --tags', returnStdout: true).trim() |
| def git_rev = sh(script: 'git rev-parse HEAD', returnStdout: true).trim() |
| def report = sh(script: 'cat _output/report.txt', returnStdout: true).trim() |
| |
| def subject = "Meridio - Security Scan - ${number_of_high_severity_vulnerabilities} high severity vulnerabilities detected" |
| def body = """ |
| Run: ${RUN_DISPLAY_URL} |
| git describe --dirty --tags: ${git_describe} |
| git rev-parse HEAD: ${git_rev} |
| Image registry: ${image_registry} |
| Image Version: ${version} |
| |
| Number of vulnerabilities: ${number_of_vulnerabilities} |
| List of vulnerabilities: ${list_of_vulnerabilities} |
| |
| Number of vulnerabilities with high severity: ${number_of_high_severity_vulnerabilities} |
| List of vulnerabilities with high severity: ${list_of_high_severity_vulnerabilities} |
| |
| report: |
| ${report} |
| """ |
| emailext body: "${body}", subject: "${subject}", to: "${email_recipients}" |
| |
| vulnerabilityBadge.setStatus("${number_of_vulnerabilities}") |
| } else { |
| Utils.markStageSkippedForConditional('Report') |
| } |
| } |
| } |
| stage('Cleanup') { |
| Cleanup() |
| } |
| } |
| } |
| |
| // Cleanup directory |
| def Cleanup() { |
| cleanWs() |
| } |
| |
| // Execute command |
| def ExecSh(command) { |
| return { |
| if (env.DRY_RUN != 'true') { |
| sh """ |
| . \${HOME}/.profile |
| ${command} |
| """ |
| } else { |
| echo "${command}" |
| } |
| } |
| } |