From 321dc6dfc1e397224896007bfb49ca6c2c7fb79a Mon Sep 17 00:00:00 2001
From: "aleksandr.vodyanov"
Date: Thu, 31 Oct 2024 14:28:47 +0300
Subject: [PATCH] [DO-783] update svace (!41)

Reviewed-on: https://git.avroid.tech/DevOps/jenkins-pipelines/pulls/41
Reviewed-by: Boris Shestov
Reviewed-by: Andrey Danin
Co-authored-by: aleksandr.vodyanov
Co-committed-by: aleksandr.vodyanov
---
 pipelines/DevSecOps/svace-analyze.groovy | 112 ++++++++++++-----------
 1 file changed, 59 insertions(+), 53 deletions(-)

diff --git a/pipelines/DevSecOps/svace-analyze.groovy b/pipelines/DevSecOps/svace-analyze.groovy
index 3ef738a..0543a95 100644
--- a/pipelines/DevSecOps/svace-analyze.groovy
+++ b/pipelines/DevSecOps/svace-analyze.groovy
@@ -3,21 +3,32 @@ import tech.avroid.api.Nexus
 import tech.avroid.scm.Git
-String buildThreads = '16'
-String svaceVersion = '3.4.240312'
-String svacerVersion = '9-0-2'
-String svaceCmd = "/data/opt/svace-${svaceVersion}-x64-linux/bin/svace"
-String svacerCmd = "/data/opt/svacer-${svacerVersion}/bin/svacer"
-String svaceBuildResults = ''
-String commitShortSha = ''
-String svaceResultsDir = 'svace_analysis'
-String svaceSarifResultFile = "svace_analysis.sarif2"
-String ldapServer = 'FreeIPA'
+String buildThreads = '16'
+String svacerVersion = '9-0-2'
+String svaceCmd = "/data/opt/svace-${env.JENKINS_SVACE_VERSION}-x64-linux/bin/svace"
+String svacerCmd = "/data/opt/svacer-${svacerVersion}/bin/svacer"
+String svaceBuildResults = ''
+String commitShortSha = ''
+String ldapServer = 'FreeIPA'
+String nexusSvaceSarifRepoPath = ''
 // Nexus variables
 Nexus nexus = new Nexus(this, env.JENKINS_NEXUS_URL, env.JENKINS_NEXUS_CREDENTIALS)
-String svaceNexusRepo = 'devsecops-raw-svace_results'
-String nexusSvaceSarifRepoPath
+
+Map configuration = [
+ vaultUrl: env.JENKINS_VAULT_URL,
+ vaultCredentialId: env.JENKINS_VAULT_TOKEN,
+ engineVersion: 2
+ ]
+
+List secrets = [
+ [path: "team-devops/accounts/ldap/service_accounts/svc_svacer", engineVersion: 2, secretValues:
+ [
+ [envVar: 'VAULT_SVACER_LOGIN', vaultKey: 'login'],
+ [envVar: 'VAULT_SVACER_PASS', vaultKey: 'password'],
+ ]
+ ]
+]
 properties([
 buildDiscarder(logRotator(artifactNumToKeepStr: '50',
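Review bot: The added `svaceCmd` declaration interpolates `env.JENKINS_SVACE_VERSION` into a filesystem path with no check that the variable is set, so an unset or mistyped value silently yields `/data/opt/svace-null-x64-linux/bin/svace` and the failure only surfaces when the analyze stage runs its `sh` step. The same applies to `env.JENKINS_SVACE_BUILD_DIR`, `env.JENKINS_SVACE_SARIF_FILE` and `env.JENKINS_SVACE_NEXUS_REPO` introduced in the second hunk. A guard next to the declarations, `if (!env.JENKINS_SVACE_VERSION) { error 'JENKINS_SVACE_VERSION is not set' }` (and the same for the other three), fails the build early with a readable message instead of a broken path. A smaller point: `svacerVersion` stays hard-coded while the svace version moved to the environment, and `engineVersion: 2` appears both in `configuration` and on the secret entry; a short comment stating which of the two the plugin is expected to honour, or dropping the duplicate, would avoid the question on the next edit.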
@@ -70,56 +81,51 @@ node('svace') {
 stage('Svace analyze') {
 sh """
 tar -xf ${svaceBuildResults}
- ${svaceCmd} config --svace-dir ./${svaceResultsDir} THREAD_NUMBER ${buildThreads}
- ${svaceCmd} analyze --log-level brief --svace-dir ./${svaceResultsDir}
+ ${svaceCmd} config --svace-dir ./${env.JENKINS_SVACE_BUILD_DIR} THREAD_NUMBER ${buildThreads}
+ ${svaceCmd} analyze --log-level brief --svace-dir ./${env.JENKINS_SVACE_BUILD_DIR}
 """
 }
- withCredentials([usernamePassword(
- credentialsId: env.JENKINS_SVACER_CREDENTIALS,
- usernameVariable: 'SVACER_USER',
- passwordVariable: 'SVACER_PASS'
- )]) {
- stage('Upload results') {
- String branch = params.BRANCH
- String mainBranch = params.MAIN_BRANCH
+ stage('Upload results') {
+ withVault([configuration: configuration, vaultSecrets: secrets]) {
+ String branch = params.BRANCH
+ String mainBranch = params.MAIN_BRANCH
 
- nexusSvaceSarifRepoPath = "${params.GIT_PROJECT}/${params.BRANCH}/${commitShortSha}"
+ nexusSvaceSarifRepoPath = "${params.GIT_PROJECT}/${params.BRANCH}/${commitShortSha}"
 
- if (params.BUILD_PLATFORM) {
- branch += '_' + params.BUILD_PLATFORM
- mainBranch += '_' + params.BUILD_PLATFORM
- nexusSvaceSarifRepoPath += '/' + params.BUILD_PLATFORM
- }
-
- sh """
- ${svaceCmd} svres2sarif \
- ${svaceResultsDir}/.svace-dir/analyze-res/svace_analysis.svres \
- -o ${svaceSarifResultFile}
-
- cd ${svaceResultsDir}
-
- ${svacerCmd} import --svace ${svaceCmd} \
- --project ${params.GIT_PROJECT} \
- --branch ${branch} \
- --snapshot "${commitShortSha} - `date -R`" \
- --source-tree ${env.WORKSPACE}/${params.GIT_PROJECT} \
- --if-no-branch clone-${mainBranch}
-
- ${svacerCmd} upload --ssl \
- --user ${SVACER_USER} \
- --password ${SVACER_PASS} \
- --ldap_server ${ldapServer}
- """
- nexus.upload([artifactPath: "${svaceSarifResultFile}",
- repository: svaceNexusRepo,
- path: nexusSvaceSarifRepoPath])
+ if (params.BUILD_PLATFORM) {
+ branch += '_' + params.BUILD_PLATFORM
+ mainBranch += '_' + params.BUILD_PLATFORM
+ nexusSvaceSarifRepoPath += '/' + params.BUILD_PLATFORM
 }
- }
+
+ sh """
+ ${svaceCmd} svres2sarif \
+ ${env.JENKINS_SVACE_BUILD_DIR}/.svace-dir/analyze-res/svace_analysis.svres \
+ -o ${env.JENKINS_SVACE_SARIF_FILE}
+
+ cd ${env.JENKINS_SVACE_BUILD_DIR}
+
+ ${svacerCmd} import --svace ${svaceCmd} \
+ --project ${params.GIT_PROJECT} \
+ --branch ${branch} \
+ --snapshot "${commitShortSha} - `date -R`" \
+ --source-tree ${env.WORKSPACE}/${params.GIT_PROJECT} \
+ --if-no-branch clone-${mainBranch}
+
+ ${svacerCmd} upload --ssl \
+ --user ${VAULT_SVACER_LOGIN} \
+ --password ${VAULT_SVACER_PASS} \
+ --ldap_server ${ldapServer}
+ """
+ nexus.upload([artifactPath: "${env.JENKINS_SVACE_SARIF_FILE}",
+ repository: env.JENKINS_SVACE_NEXUS_REPO,
+ path: nexusSvaceSarifRepoPath])
+ }}
 } catch(err) {
 echo 'ERROR: ' + err.getMessage()
 currentBuild.result = 'FAILURE'
 } finally {
- cleanWs()
+ cleanWs()
 }
 }
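Review bot: The new `--user ${VAULT_SVACER_LOGIN}` and `--password ${VAULT_SVACER_PASS}` lines in the `sh """` block pass the Vault secrets through Groovy string interpolation, so the credential values are substituted into the script text before the shell ever runs instead of being read from the environment that `withVault` populates; the removed `withCredentials` version had the same shape, but the new lines keep it. Jenkins reports this pattern as insecure because the interpolated value becomes part of the generated shell script, and any shell metacharacters in the password are interpreted by the shell rather than passed through as data. Escaping the dollar sign makes the shell expand the variables itself: `--user "\$VAULT_SVACER_LOGIN" \` and `--password "\$VAULT_SVACER_PASS" \`. Separately, the `}}` that closes `withVault` and the stage on a single line is easy to misread; one brace per line at each block's indentation, as the remaining closing braces in this hunk are written, would be clearer.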