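// Security-scan pipeline (scripted Jenkinsfile): clones the project, checks out the
// ref under test, runs the Grype / Nancy / Trivy scanners through `make`, parses
// their output with hack/parse_security_scan.sh, archives and mails a summary, and
// updates the embeddable vulnerability badge.
//
// Inputs:
//   params.GIT_PROJECT, params.CURRENT_BRANCH, params.DEFAULT_BRANCH,
//   params.IMAGE_REGISTRY, params.IMAGE_VERSION  - job parameters
//   EMAIL_RECIPIENTS, IMAGE_NAMES                 - resolved from the script binding / environment
//
// Job parameters are supplied by whoever triggers the build, so they are treated as
// untrusted text: they are never spliced into a shell script through Groovy string
// interpolation. Values the scanners need are exported with withEnv() and read by the
// shell itself ("$VAR"), which cannot alter the structure of the script being run.
node('nordix-nsm-build-ubuntu1804') {
    def build_number = env.BUILD_NUMBER
    def workspace = env.WORKSPACE
    // A per-build workspace directory, so concurrent builds on the agent do not collide.
    ws("${workspace}/${build_number}") {
        def git_project = params.GIT_PROJECT
        def current_branch = params.CURRENT_BRANCH
        def default_branch = params.DEFAULT_BRANCH
        def image_registry = params.IMAGE_REGISTRY
        def version = params.IMAGE_VERSION
        def email_recipients = EMAIL_RECIPIENTS
        def image_names = IMAGE_NAMES

        // Badge shows '?' until the Report stage sets the vulnerability count.
        def vulnerabilityBadge = addEmbeddableBadgeConfiguration(id: 'meridio-vulnerabilities', subject: 'vulnerabilities', color: 'peru', status: '?')

        // Scanner inputs are handed to the shell as environment variables (see header).
        // Distinct names are used so the original parameters are not shadowed.
        def scanEnv = [
            "SCAN_VERSION=${version}",
            "SCAN_REGISTRY=${image_registry}",
            "SCAN_IMAGES=${image_names}",
        ]

        try {
            // timeout() takes minutes by default; covers every scanning stage.
            timeout(30) {
                stage('Clone/Checkout') {
                    git branch: default_branch, url: git_project
                    // Second checkout switches to the ref under test; the refspec makes
                    // pull-request heads reachable as origin/pr/<n> so CURRENT_BRANCH may name one.
                    checkout([
                        $class: 'GitSCM',
                        branches: [[name: current_branch]],
                        extensions: [],
                        userRemoteConfigs: [[
                            refspec: '+refs/pull/*/head:refs/remotes/origin/pr/*',
                            url: git_project
                        ]]
                    ])
                    sh 'git show'
                }
                stage('Grype') {
                    withEnv(scanEnv) {
                        // Literal command text only; the shell expands the SCAN_* variables.
                        ExecSh('make grype VERSION="$SCAN_VERSION" REGISTRY="$SCAN_REGISTRY" IMAGES="$SCAN_IMAGES"').call()
                    }
                }
                stage('Nancy') {
                    ExecSh('make nancy').call()
                }
                stage('Trivy') {
                    withEnv(scanEnv) {
                        ExecSh('make trivy VERSION="$SCAN_VERSION" REGISTRY="$SCAN_REGISTRY" IMAGES="$SCAN_IMAGES"').call()
                    }
                }
                stage('Parse') {
                    // Produces _output/list.txt and _output/report.txt consumed below.
                    ExecSh('./hack/parse_security_scan.sh').call()
                }
                stage('Report') {
                    // followSymlinks: false keeps the archive limited to real files under _output/.
                    archiveArtifacts artifacts: '_output/*', followSymlinks: false

                    // The first whitespace-separated column of each non-empty line of
                    // _output/list.txt is taken as the vulnerability id and deduplicated.
                    // "high" is matched case-insensitively anywhere on the line — presumably
                    // the severity column; confirm against parse_security_scan.sh's output format.
                    def number_of_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim()
                    def list_of_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim()
                    def number_of_high_severity_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim()
                    def list_of_high_severity_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim()
                    def git_describe = sh(script: 'git describe --dirty --tags', returnStdout: true).trim()
                    def git_rev = sh(script: 'git rev-parse HEAD', returnStdout: true).trim()
                    def report = sh(script: 'cat _output/report.txt', returnStdout: true).trim()

                    def subject = "Meridio - Security Scan - ${number_of_high_severity_vulnerabilities} high severity vulnerabilities detected"
                    // Email body lines are intentionally at column 0: the text is sent as-is.
                    def body = """
Run: ${RUN_DISPLAY_URL}
git describe --dirty --tags: ${git_describe}
git rev-parse HEAD: ${git_rev}
Image registry: ${image_registry}
Image Version: ${version}

Number of vulnerabilities: ${number_of_vulnerabilities}
List of vulnerabilities: ${list_of_vulnerabilities}

Number of vulnerabilities with high severity: ${number_of_high_severity_vulnerabilities}
List of vulnerabilities with high severity: ${list_of_high_severity_vulnerabilities}

report:
${report}
"""
                    emailext body: "${body}", subject: "${subject}", to: "${email_recipients}"

                    vulnerabilityBadge.setStatus("${number_of_vulnerabilities}")
                }
            }
        } finally {
            // Runs even when a scanner fails or the timeout aborts the build; otherwise the
            // per-build workspace directory created above would be left behind on the agent.
            stage('Cleanup') {
                Cleanup()
            }
        }
    }
}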
// Cleanup directory: wipes the workspace that is current at the call site
// (in this script, the per-build ws() directory) via the Workspace Cleanup step.
def Cleanup() {
    // The step's result is returned unchanged, exactly as the implicit last-expression
    // return did before.
    return cleanWs()
}
// Execute command: returns a closure that, when called, runs `command` with the
// `sh` step after sourcing the user's ~/.profile (so PATH and tool settings match
// a login shell). `command` is spliced verbatim into the shell script, so it must be
// trusted literal text; values taken from job parameters belong in the environment
// (withEnv) and are then referenced from the command as "$VAR".
def ExecSh(command) {
    // \${HOME} is escaped so the shell, not Groovy, expands it.
    def script = """
    . \${HOME}/.profile
    ${command}
    """
    Closure runner = { -> sh(script: script) }
    return runner
}