jjb/nsm/Jenkinsfile.security-scan - infra/cicd - Gitiles

 /*
 Copyright (c) 2022 Nordix Foundation

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at

     http://www.apache.org/licenses/LICENSE-2.0

 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 import org.jenkinsci.plugins.pipeline.modeldefinition.Utils

 node('nordix-nsm-build-ubuntu2204') {
     build_number = env.BUILD_NUMBER
     workspace = env.WORKSPACE
     ws("${workspace}/${build_number}") {
         def git_project = params.GIT_PROJECT
         def current_branch = params.CURRENT_BRANCH
         def default_branch = params.DEFAULT_BRANCH
         def image_registry = params.IMAGE_REGISTRY
         def version = params.IMAGE_VERSION
         def email_recipients = EMAIL_RECIPIENTS
         def image_names = IMAGE_NAMES

         def vulnerabilityBadge = addEmbeddableBadgeConfiguration(id: 'meridio-vulnerabilities', subject: 'vulnerabilities', color: 'peru', status: '?')

         timeout(30) {
             stage('Clone/Checkout') {
                 git branch: default_branch, url: git_project
                 checkout([
                     $class: 'GitSCM',
                     branches: [[name: current_branch]],
                     extensions: [],
                     userRemoteConfigs: [[
                         refspec: '+refs/pull/*/head:refs/remotes/origin/pr/*',
                         url: git_project
                     ]]
                 ])
                 sh 'git show'
             }
             stage('Grype') {
                 def command = "make grype VERSION=${version} REGISTRY=${image_registry} IMAGES='${image_names}'"
                 ExecSh(command).call()
             }
             stage('Nancy') {
                 def command = 'make nancy'
                 ExecSh(command).call()
             }
             stage('Trivy') {
                 def command = "make trivy VERSION=${version} REGISTRY=${image_registry} IMAGES='${image_names}'"
                 ExecSh(command).call()
             }
             stage('Parse') {
                 def command = './hack/parse_security_scan.sh'
                 ExecSh(command).call()
             }
             stage('Report') {
                 if (env.DRY_RUN != 'true') {
                     try {
                         archiveArtifacts artifacts: '_output/**/*.*', followSymlinks: false
                     } catch (Exception e) {
                     }

                     def number_of_vulnerabilities =  sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim()
                     def list_of_vulnerabilities =  sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim()
                     def number_of_high_severity_vulnerabilities =  sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim()
                     def list_of_high_severity_vulnerabilities =  sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim()
                     def git_describe =  sh(script: 'git describe --dirty --tags', returnStdout: true).trim()
                     def git_rev =  sh(script: 'git rev-parse HEAD', returnStdout: true).trim()
                     def report =  sh(script: 'cat _output/report.txt', returnStdout: true).trim()

                     def subject = "Meridio - Security Scan - ${number_of_high_severity_vulnerabilities} high severity vulnerabilities detected"
                     def body = """
 Run: ${RUN_DISPLAY_URL}
 git describe --dirty --tags: ${git_describe}
 git rev-parse HEAD: ${git_rev}
 Image registry: ${image_registry}
 Image Version: ${version}

 Number of vulnerabilities: ${number_of_vulnerabilities}
 List of vulnerabilities: ${list_of_vulnerabilities}

 Number of vulnerabilities with high severity: ${number_of_high_severity_vulnerabilities}
 List of vulnerabilities with high severity: ${list_of_high_severity_vulnerabilities}

 report:
 ${report}
 """
                     emailext body: "${body}", subject: "${subject}", to: "${email_recipients}"

                     vulnerabilityBadge.setStatus("${number_of_vulnerabilities}")
                 } else {
                     Utils.markStageSkippedForConditional('Report')
                 }
             }
         }
         stage('Cleanup') {
             Cleanup()
         }
     }
 }

 // Cleanup directory
 def Cleanup() {
     cleanWs()
 }

 // Execute command
 def ExecSh(command) {
     return {
         if (env.DRY_RUN != 'true') {
             sh """
                 . \${HOME}/.profile
                 ${command}
             """
         } else {
             echo "${command}"
         }
     }
 }
	/*
	Copyright (c) 2022 Nordix Foundation

	Licensed under the Apache License, Version 2.0 (the "License");
	you may not use this file except in compliance with the License.
	You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	*/
	import org.jenkinsci.plugins.pipeline.modeldefinition.Utils

	node('nordix-nsm-build-ubuntu2204') {
	build_number = env.BUILD_NUMBER
	workspace = env.WORKSPACE
	ws("${workspace}/${build_number}") {
	def git_project = params.GIT_PROJECT
	def current_branch = params.CURRENT_BRANCH
	def default_branch = params.DEFAULT_BRANCH
	def image_registry = params.IMAGE_REGISTRY
	def version = params.IMAGE_VERSION
	def email_recipients = EMAIL_RECIPIENTS
	def image_names = IMAGE_NAMES

	def vulnerabilityBadge = addEmbeddableBadgeConfiguration(id: 'meridio-vulnerabilities', subject: 'vulnerabilities', color: 'peru', status: '?')

	timeout(30) {
	stage('Clone/Checkout') {
	git branch: default_branch, url: git_project
	checkout([
	$class: 'GitSCM',
	branches: [[name: current_branch]],
	extensions: [],
	userRemoteConfigs: [[
	refspec: '+refs/pull//head:refs/remotes/origin/pr/',
	url: git_project
	]]
	])
	sh 'git show'
	}
	stage('Grype') {
	def command = "make grype VERSION=${version} REGISTRY=${image_registry} IMAGES='${image_names}'"
	ExecSh(command).call()
	}
	stage('Nancy') {
	def command = 'make nancy'
	ExecSh(command).call()
	}
	stage('Trivy') {
	def command = "make trivy VERSION=${version} REGISTRY=${image_registry} IMAGES='${image_names}'"
	ExecSh(command).call()
	}
	stage('Parse') {
	def command = './hack/parse_security_scan.sh'
	ExecSh(command).call()
	}
	stage('Report') {
	if (env.DRY_RUN != 'true') {
	try {
	archiveArtifacts artifacts: '_output/*/.*', followSymlinks: false
	} catch (Exception e) {
	}

	def number_of_vulnerabilities = sh(script: 'cat _output/list.txt \| grep -v "^$" \| awk \'{print $1}\' \| sort \| uniq \| wc -l', returnStdout: true).trim()
	def list_of_vulnerabilities = sh(script: 'cat _output/list.txt \| grep -v "^$" \| awk \'{print $1}\' \| sort \| uniq \| sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim()
	def number_of_high_severity_vulnerabilities = sh(script: 'cat _output/list.txt \| grep -v "^$" \| grep -i "high" \| awk \'{print $1}\' \| sort \| uniq \| wc -l', returnStdout: true).trim()
	def list_of_high_severity_vulnerabilities = sh(script: 'cat _output/list.txt \| grep -v "^$" \| grep -i "high" \| awk \'{print $1}\' \| sort \| uniq \| sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim()
	def git_describe = sh(script: 'git describe --dirty --tags', returnStdout: true).trim()
	def git_rev = sh(script: 'git rev-parse HEAD', returnStdout: true).trim()
	def report = sh(script: 'cat _output/report.txt', returnStdout: true).trim()

	def subject = "Meridio - Security Scan - ${number_of_high_severity_vulnerabilities} high severity vulnerabilities detected"
	def body = """
	Run: ${RUN_DISPLAY_URL}
	git describe --dirty --tags: ${git_describe}
	git rev-parse HEAD: ${git_rev}
	Image registry: ${image_registry}
	Image Version: ${version}

	Number of vulnerabilities: ${number_of_vulnerabilities}
	List of vulnerabilities: ${list_of_vulnerabilities}

	Number of vulnerabilities with high severity: ${number_of_high_severity_vulnerabilities}
	List of vulnerabilities with high severity: ${list_of_high_severity_vulnerabilities}

	report:
	${report}
	"""
	emailext body: "${body}", subject: "${subject}", to: "${email_recipients}"

	vulnerabilityBadge.setStatus("${number_of_vulnerabilities}")
	} else {
	Utils.markStageSkippedForConditional('Report')
	}
	}
	}
	stage('Cleanup') {
	Cleanup()
	}
	}
	}

	// Cleanup directory
	def Cleanup() {
	cleanWs()
	}

	// Execute command
	def ExecSh(command) {
	return {
	if (env.DRY_RUN != 'true') {
	sh """
	. \${HOME}/.profile
	${command}
	"""
	} else {
	echo "${command}"
	}
	}
	}