Lionel Jouin | c403789 | 2022-11-16 15:53:04 +0100 | [diff] [blame] | 1 | /* |
| 2 | Copyright (c) 2022 Nordix Foundation |
| 3 | |
| 4 | Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | you may not use this file except in compliance with the License. |
| 6 | You may obtain a copy of the License at |
| 7 | |
| 8 | http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | |
| 10 | Unless required by applicable law or agreed to in writing, software |
| 11 | distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | See the License for the specific language governing permissions and |
| 14 | limitations under the License. |
| 15 | */ |
| 16 | import org.jenkinsci.plugins.pipeline.modeldefinition.Utils |
Lionel Jouin | 4ca0666 | 2022-09-29 11:58:10 +0200 | [diff] [blame] | 17 | |
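// Security-scan pipeline: checks out the branch under test, runs the Grype,
// Nancy and Trivy scanners through the project's Makefile, parses their
// output and mails a summary (unless env.DRY_RUN == 'true').
node('nordix-nsm-build-ubuntu2204') {
    build_number = env.BUILD_NUMBER
    workspace = env.WORKSPACE
    // One workspace per build so concurrent runs do not share a checkout.
    ws("${workspace}/${build_number}") {
        def git_project = params.GIT_PROJECT
        def current_branch = params.CURRENT_BRANCH
        def default_branch = params.DEFAULT_BRANCH
        def image_registry = params.IMAGE_REGISTRY
        def version = params.IMAGE_VERSION
        // EMAIL_RECIPIENTS and IMAGE_NAMES are resolved through the script
        // binding (job parameter or environment); presumably job parameters.
        def email_recipients = EMAIL_RECIPIENTS
        def image_names = IMAGE_NAMES

        // Badge shows '?' until the report stage publishes the real count.
        def vulnerabilityBadge = addEmbeddableBadgeConfiguration(id: 'meridio-vulnerabilities', subject: 'vulnerabilities', color: 'peru', status: '?')

        // Job parameters that must reach the scanner commands are passed
        // through the environment and referenced with single-quoted Groovy
        // strings. ExecSh splices its argument verbatim into a shell script,
        // so interpolating a parameter into the command text would let the
        // parameter value be parsed as shell syntax.
        def scan_env = [
            "IMAGE_VERSION=${version}",
            "IMAGE_REGISTRY=${image_registry}",
            "IMAGE_NAMES=${image_names}",
        ]

        // 30 minutes (timeout's default unit) for the whole scan.
        timeout(30) {
            stage('Clone/Checkout') {
                // Clone the default branch first, then fetch PR heads so
                // current_branch may name a pull-request ref.
                git branch: default_branch, url: git_project
                checkout([
                    $class: 'GitSCM',
                    branches: [[name: current_branch]],
                    extensions: [],
                    userRemoteConfigs: [[
                        refspec: '+refs/pull/*/head:refs/remotes/origin/pr/*',
                        url: git_project
                    ]]
                ])
                sh 'git show'
            }
            stage('Grype') {
                withEnv(scan_env) {
                    ExecSh('make grype VERSION="$IMAGE_VERSION" REGISTRY="$IMAGE_REGISTRY" IMAGES="$IMAGE_NAMES"').call()
                }
            }
            stage('Nancy') {
                ExecSh('make nancy').call()
            }
            stage('Trivy') {
                withEnv(scan_env) {
                    ExecSh('make trivy VERSION="$IMAGE_VERSION" REGISTRY="$IMAGE_REGISTRY" IMAGES="$IMAGE_NAMES"').call()
                }
            }
            stage('Parse') {
                // Expected to produce _output/list.txt and _output/report.txt,
                // which the Report stage reads below.
                ExecSh('./hack/parse_security_scan.sh').call()
            }
            stage('Report') {
                if (env.DRY_RUN != 'true') {
                    // Best effort: the scanners may have produced nothing to
                    // archive. The failure is logged rather than silently
                    // dropped so a missing report is visible in the build log.
                    try {
                        archiveArtifacts artifacts: '_output/**/*.*', followSymlinks: false
                    } catch (Exception e) {
                        echo "archiveArtifacts failed: ${e}"
                    }

                    // First column of each non-empty line in list.txt is taken
                    // as the vulnerability identifier and deduplicated.
                    def number_of_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim()
                    def list_of_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim()
                    // NOTE(review): `grep -i "high"` matches anywhere on the
                    // line, not only a severity column; confirm list.txt's
                    // layout so a package or path containing "high" is not
                    // counted as high severity.
                    def number_of_high_severity_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | wc -l', returnStdout: true).trim()
                    def list_of_high_severity_vulnerabilities = sh(script: 'cat _output/list.txt | grep -v "^$" | grep -i "high" | awk \'{print $1}\' | sort | uniq | sed \':a;N;$!ba;s/\\n/ ; /g\'', returnStdout: true).trim()
                    def git_describe = sh(script: 'git describe --dirty --tags', returnStdout: true).trim()
                    def git_rev = sh(script: 'git rev-parse HEAD', returnStdout: true).trim()
                    def report = sh(script: 'cat _output/report.txt', returnStdout: true).trim()

                    def subject = "Meridio - Security Scan - ${number_of_high_severity_vulnerabilities} high severity vulnerabilities detected"
                    def body = """
Run: ${RUN_DISPLAY_URL}
git describe --dirty --tags: ${git_describe}
git rev-parse HEAD: ${git_rev}
Image registry: ${image_registry}
Image Version: ${version}

Number of vulnerabilities: ${number_of_vulnerabilities}
List of vulnerabilities: ${list_of_vulnerabilities}

Number of vulnerabilities with high severity: ${number_of_high_severity_vulnerabilities}
List of vulnerabilities with high severity: ${list_of_high_severity_vulnerabilities}

report:
${report}
"""
                    emailext body: "${body}", subject: "${subject}", to: "${email_recipients}"

                    // Badge carries the total count, not only high severity.
                    vulnerabilityBadge.setStatus("${number_of_vulnerabilities}")
                } else {
                    Utils.markStageSkippedForConditional('Report')
                }
            }
        }
        stage('Cleanup') {
            Cleanup()
        }
    }
}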
| 107 | |
// Cleanup directory
//
// Wipes the current workspace through the cleanWs step; called from the
// pipeline's final stage so each build leaves nothing behind for the next.
def Cleanup() {
    return cleanWs()
}
Lionel Jouin | 4b6b6f5 | 2022-10-14 16:22:23 +0200 | [diff] [blame] | 112 | |
// Execute command
//
// Builds a closure that, when called, runs `command` via `sh` after sourcing
// ${HOME}/.profile, or only echoes it when env.DRY_RUN is 'true'. The command
// text is spliced verbatim into the shell script, so it should be a fixed
// string; variable data belongs in the environment, referenced by the shell.
def ExecSh(command) {
    def run = {
        def dryRun = (env.DRY_RUN == 'true')
        if (dryRun) {
            echo "${command}"
            return
        }
        sh """
            . \${HOME}/.profile
            ${command}
            """
    }
    return run
}