Avroid/jenkins-pipelines
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[DO-783] update svace (!41)

Browse Source 
Reviewed-on: https://git.avroid.tech/DevOps/jenkins-pipelines/pulls/41
Reviewed-by: Boris Shestov <boris.shestov@avroid.tech>
Reviewed-by: Andrey Danin <andrey.danin@avroid.tech>
Co-authored-by: aleksandr.vodyanov <aleksandr.vodyanov@avroid.tech>
Co-committed-by: aleksandr.vodyanov <aleksandr.vodyanov@avroid.tech>
This commit is contained in:
aleksandr.vodyanov
2024-10-31 14:28:47 +03:00
committed by Aleksandr Vodyanov
parent d1214cfe77
commit 321dc6dfc1
1 changed files with 59 additions and 53 deletions
Download Patch File Download Diff File Expand all files Collapse all files

112
pipelines/DevSecOps/svace-analyze.groovy
View File

@@ -3,21 +3,32 @@
import tech.avroid.api.Nexus import tech.avroid.api.Nexus
import tech.avroid.scm.Git import tech.avroid.scm.Git
String buildThreads = '16' String buildThreads = '16'
String svaceVersion = '3.4.240312' String svacerVersion = '9-0-2'
String svacerVersion = '9-0-2' String svaceCmd = "/data/opt/svace-${env.JENKINS_SVACE_VERSION}-x64-linux/bin/svace"
String svaceCmd = "/data/opt/svace-${svaceVersion}-x64-linux/bin/svace" String svacerCmd = "/data/opt/svacer-${svacerVersion}/bin/svacer"
String svacerCmd = "/data/opt/svacer-${svacerVersion}/bin/svacer" String svaceBuildResults = ''
String svaceBuildResults = '' String commitShortSha = ''
String commitShortSha = '' String ldapServer = 'FreeIPA'
String svaceResultsDir = 'svace_analysis' String nexusSvaceSarifRepoPath = ''
String svaceSarifResultFile = "svace_analysis.sarif2"
String ldapServer = 'FreeIPA'
// Nexus variables // Nexus variables
Nexus nexus = new Nexus(this, env.JENKINS_NEXUS_URL, env.JENKINS_NEXUS_CREDENTIALS) Nexus nexus = new Nexus(this, env.JENKINS_NEXUS_URL, env.JENKINS_NEXUS_CREDENTIALS)
String svaceNexusRepo = 'devsecops-raw-svace_results'
String nexusSvaceSarifRepoPath Map configuration = [
vaultUrl: env.JENKINS_VAULT_URL,
vaultCredentialId: env.JENKINS_VAULT_TOKEN,
engineVersion: 2
]
List secrets = [
[path: "team-devops/accounts/ldap/service_accounts/svc_svacer", engineVersion: 2, secretValues:
[
[envVar: 'VAULT_SVACER_LOGIN', vaultKey: 'login'],
[envVar: 'VAULT_SVACER_PASS', vaultKey: 'password'],
]
]
]
properties([ properties([
buildDiscarder(logRotator(artifactNumToKeepStr: '50', buildDiscarder(logRotator(artifactNumToKeepStr: '50',
@@ -70,56 +81,51 @@ node('svace') {
stage('Svace analyze') { stage('Svace analyze') {
sh """ sh """
tar -xf ${svaceBuildResults} tar -xf ${svaceBuildResults}
${svaceCmd} config --svace-dir ./${svaceResultsDir} THREAD_NUMBER ${buildThreads} ${svaceCmd} config --svace-dir ./${env.JENKINS_SVACE_BUILD_DIR} THREAD_NUMBER ${buildThreads}
${svaceCmd} analyze --log-level brief --svace-dir ./${svaceResultsDir} ${svaceCmd} analyze --log-level brief --svace-dir ./${env.JENKINS_SVACE_BUILD_DIR}
""" """
} }
withCredentials([usernamePassword( stage('Upload results') {
credentialsId: env.JENKINS_SVACER_CREDENTIALS, withVault([configuration: configuration, vaultSecrets: secrets]) {
usernameVariable: 'SVACER_USER', String branch = params.BRANCH
passwordVariable: 'SVACER_PASS' String mainBranch = params.MAIN_BRANCH
)]) {
stage('Upload results') {
String branch = params.BRANCH
String mainBranch = params.MAIN_BRANCH
nexusSvaceSarifRepoPath = "${params.GIT_PROJECT}/${params.BRANCH}/${commitShortSha}" nexusSvaceSarifRepoPath = "${params.GIT_PROJECT}/${params.BRANCH}/${commitShortSha}"
if (params.BUILD_PLATFORM) { if (params.BUILD_PLATFORM) {
branch += '_' + params.BUILD_PLATFORM branch += '_' + params.BUILD_PLATFORM
mainBranch += '_' + params.BUILD_PLATFORM mainBranch += '_' + params.BUILD_PLATFORM
nexusSvaceSarifRepoPath += '/' + params.BUILD_PLATFORM nexusSvaceSarifRepoPath += '/' + params.BUILD_PLATFORM
}
sh """
${svaceCmd} svres2sarif \
${svaceResultsDir}/.svace-dir/analyze-res/svace_analysis.svres \
-o ${svaceSarifResultFile}
cd ${svaceResultsDir}
${svacerCmd} import --svace ${svaceCmd} \
--project ${params.GIT_PROJECT} \
--branch ${branch} \
--snapshot "${commitShortSha} - `date -R`" \
--source-tree ${env.WORKSPACE}/${params.GIT_PROJECT} \
--if-no-branch clone-${mainBranch}
${svacerCmd} upload --ssl \
--user ${SVACER_USER} \
--password ${SVACER_PASS} \
--ldap_server ${ldapServer}
"""
nexus.upload([artifactPath: "${svaceSarifResultFile}",
repository: svaceNexusRepo,
path: nexusSvaceSarifRepoPath])
} }
}
sh """
${svaceCmd} svres2sarif \
${env.JENKINS_SVACE_BUILD_DIR}/.svace-dir/analyze-res/svace_analysis.svres \
-o ${env.JENKINS_SVACE_SARIF_FILE}
cd ${env.JENKINS_SVACE_BUILD_DIR}
${svacerCmd} import --svace ${svaceCmd} \
--project ${params.GIT_PROJECT} \
--branch ${branch} \
--snapshot "${commitShortSha} - `date -R`" \
--source-tree ${env.WORKSPACE}/${params.GIT_PROJECT} \
--if-no-branch clone-${mainBranch}
${svacerCmd} upload --ssl \
--user ${VAULT_SVACER_LOGIN} \
--password ${VAULT_SVACER_PASS} \
--ldap_server ${ldapServer}
"""
nexus.upload([artifactPath: "${env.JENKINS_SVACE_SARIF_FILE}",
repository: env.JENKINS_SVACE_NEXUS_REPO,
path: nexusSvaceSarifRepoPath])
}}
} catch(err) { } catch(err) {
echo 'ERROR: ' + err.getMessage() echo 'ERROR: ' + err.getMessage()
currentBuild.result = 'FAILURE' currentBuild.result = 'FAILURE'
} finally { } finally {
cleanWs() cleanWs()
} }
} }