/*
Copyright (c) 2022 Nordix Foundation

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
16import org.jenkinsci.plugins.pipeline.modeldefinition.Utils
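node('nordix-nsm-build-ubuntu1804') {
    // Script-bound (no `def`), as in the original pipeline.
    build_number = env.BUILD_NUMBER
    workspace = env.WORKSPACE
    // One workspace per build so runs of this job never share a checkout.
    ws("${workspace}/${build_number}") {
        def git_project = params.GIT_PROJECT
        def current_branch = params.CURRENT_BRANCH
        def default_branch = params.DEFAULT_BRANCH
        def image_registry = params.IMAGE_REGISTRY
        def version = params.IMAGE_VERSION
        def email_recipients = EMAIL_RECIPIENTS
        def image_names = IMAGE_NAMES

        // Badge shows '?' until a report has actually been produced.
        def vulnerabilityBadge = addEmbeddableBadgeConfiguration(id: 'meridio-vulnerabilities', subject: 'vulnerabilities', color: 'peru', status: '?')

        timeout(30) {
            stage('Clone/Checkout') {
                // Default branch first, then the branch / PR head under test on top of it.
                git branch: default_branch, url: git_project
                checkout([
                    $class: 'GitSCM',
                    branches: [[name: current_branch]],
                    extensions: [],
                    userRemoteConfigs: [[
                        refspec: '+refs/pull/*/head:refs/remotes/origin/pr/*',
                        url: git_project
                    ]]
                ])
                sh 'git show'
            }
            // NOTE(review): the scan stages run the checked-out tree's own Makefile targets and
            // hack/ script, so whatever revision current_branch resolves to executes on this node.
            stage('Grype') {
                // version / image_registry / image_names are Groovy-interpolated into the shell
                // command line; they come from job parameters, i.e. the job operator, not the
                // scanned repository — confirm that stays true if the job is ever triggered by hooks.
                def command = "make grype VERSION=${version} REGISTRY=${image_registry} IMAGES='${image_names}'"
                ExecSh(command).call()
            }
            stage('Nancy') {
                def command = 'make nancy'
                ExecSh(command).call()
            }
            stage('Trivy') {
                // Same interpolation caveat as the Grype stage.
                def command = "make trivy VERSION=${version} REGISTRY=${image_registry} IMAGES='${image_names}'"
                ExecSh(command).call()
            }
            stage('Parse') {
                // Expected to write _output/list.txt and _output/report.txt, consumed by 'Report'.
                def command = './hack/parse_security_scan.sh'
                ExecSh(command).call()
            }
            stage('Report') {
                if (env.DRY_RUN != 'true') {
                    archiveArtifacts artifacts: '_output/*', followSymlinks: false

                    // A shell pipeline such as `cat missing | ... | wc -l` exits with the status of
                    // the last command and prints 0, so a missing list would silently be reported
                    // as "0 vulnerabilities detected". Fail loudly instead. Assumes
                    // parse_security_scan.sh always writes _output/list.txt (possibly empty) —
                    // confirm against the script.
                    if (!fileExists('_output/list.txt')) {
                        error('Parse stage did not produce _output/list.txt')
                    }

                    def all_vulnerabilities = VulnerabilityIds(false)
                    def high_severity_vulnerabilities = VulnerabilityIds(true)
                    def number_of_vulnerabilities = all_vulnerabilities.size()
                    def list_of_vulnerabilities = all_vulnerabilities.join(' ; ')
                    def number_of_high_severity_vulnerabilities = high_severity_vulnerabilities.size()
                    def list_of_high_severity_vulnerabilities = high_severity_vulnerabilities.join(' ; ')
                    def git_describe = sh(script: 'git describe --dirty --tags', returnStdout: true).trim()
                    def git_rev = sh(script: 'git rev-parse HEAD', returnStdout: true).trim()
                    def report = sh(script: 'cat _output/report.txt', returnStdout: true).trim()

                    // Update the badge before mailing so a mail failure does not leave it at '?'.
                    vulnerabilityBadge.setStatus("${number_of_vulnerabilities}")

                    def subject = "Meridio - Security Scan - ${number_of_high_severity_vulnerabilities} high severity vulnerabilities detected"
                    def body = """
Run: ${RUN_DISPLAY_URL}
git describe --dirty --tags: ${git_describe}
git rev-parse HEAD: ${git_rev}
Image registry: ${image_registry}
Image Version: ${version}

Number of vulnerabilities: ${number_of_vulnerabilities}
List of vulnerabilities: ${list_of_vulnerabilities}

Number of vulnerabilities with high severity: ${number_of_high_severity_vulnerabilities}
List of vulnerabilities with high severity: ${list_of_high_severity_vulnerabilities}

report:
${report}
"""
                    emailext body: "${body}", subject: "${subject}", to: "${email_recipients}"
                } else {
                    Utils.markStageSkippedForConditional('Report')
                }
            }
        }
        stage('Cleanup') {
            Cleanup()
        }
    }
}

// Distinct vulnerability identifiers found in _output/list.txt: the first whitespace-separated
// column of every non-empty line, sorted and de-duplicated. With onlyHigh, only lines containing
// "high" (any case, anywhere on the line — a substring match, as in the original report
// pipeline) are kept. Returns an empty list when nothing matched.
def VulnerabilityIds(onlyHigh) {
    def severity_filter = onlyHigh ? 'grep -i "high" | ' : ''
    def script = 'grep -v "^$" _output/list.txt | ' + severity_filter + 'awk \'{print $1}\' | sort -u'
    // tokenize() drops empty entries, so an empty scan result yields [] rather than [""].
    return sh(script: script, returnStdout: true).trim().tokenize('\n')
}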
// Cleanup directory
// Wipe the current workspace (Workspace Cleanup plugin step) and hand back its result.
def Cleanup() {
    return cleanWs()
}
// Execute command
// Build a closure that runs `command` through `sh` after sourcing ~/.profile, or only
// echoes it when env.DRY_RUN is 'true'. Nothing happens until the closure is `.call()`ed.
// `command` is Groovy-interpolated into the shell script verbatim.
def ExecSh(command) {
    return {
        if (env.DRY_RUN == 'true') {
            echo "${command}"
            return
        }
        sh """
        . \${HOME}/.profile
        ${command}
        """
    }
}
122}