[DO-783] update svace (!41)

Reviewed-on: https://git.avroid.tech/DevOps/jenkins-pipelines/pulls/41
Reviewed-by: Boris Shestov <boris.shestov@avroid.tech>
Reviewed-by: Andrey Danin <andrey.danin@avroid.tech>
Co-authored-by: aleksandr.vodyanov <aleksandr.vodyanov@avroid.tech>
Co-committed-by: aleksandr.vodyanov <aleksandr.vodyanov@avroid.tech>
This commit is contained in:
aleksandr.vodyanov
2024-10-31 14:28:47 +03:00
committed by Aleksandr Vodyanov
parent d1214cfe77
commit 321dc6dfc1


@@ -4,20 +4,31 @@ import tech.avroid.api.Nexus
import tech.avroid.scm.Git
String buildThreads = '16'
String svaceVersion = '3.4.240312'
String svacerVersion = '9-0-2'
String svaceCmd = "/data/opt/svace-${svaceVersion}-x64-linux/bin/svace"
String svaceCmd = "/data/opt/svace-${env.JENKINS_SVACE_VERSION}-x64-linux/bin/svace"
String svacerCmd = "/data/opt/svacer-${svacerVersion}/bin/svacer"
String svaceBuildResults = ''
String commitShortSha = ''
String svaceResultsDir = 'svace_analysis'
String svaceSarifResultFile = "svace_analysis.sarif2"
String ldapServer = 'FreeIPA'
String nexusSvaceSarifRepoPath = ''
// Nexus variables
Nexus nexus = new Nexus(this, env.JENKINS_NEXUS_URL, env.JENKINS_NEXUS_CREDENTIALS)
String svaceNexusRepo = 'devsecops-raw-svace_results'
String nexusSvaceSarifRepoPath
Map configuration = [
vaultUrl: env.JENKINS_VAULT_URL,
vaultCredentialId: env.JENKINS_VAULT_TOKEN,
engineVersion: 2
]
List secrets = [
[path: "team-devops/accounts/ldap/service_accounts/svc_svacer", engineVersion: 2, secretValues:
[
[envVar: 'VAULT_SVACER_LOGIN', vaultKey: 'login'],
[envVar: 'VAULT_SVACER_PASS', vaultKey: 'password'],
]
]
]
properties([
buildDiscarder(logRotator(artifactNumToKeepStr: '50',
@@ -70,17 +81,13 @@ node('svace') {
stage('Svace analyze') {
sh """
tar -xf ${svaceBuildResults}
${svaceCmd} config --svace-dir ./${svaceResultsDir} THREAD_NUMBER ${buildThreads}
${svaceCmd} analyze --log-level brief --svace-dir ./${svaceResultsDir}
${svaceCmd} config --svace-dir ./${env.JENKINS_SVACE_BUILD_DIR} THREAD_NUMBER ${buildThreads}
${svaceCmd} analyze --log-level brief --svace-dir ./${env.JENKINS_SVACE_BUILD_DIR}
"""
}
withCredentials([usernamePassword(
credentialsId: env.JENKINS_SVACER_CREDENTIALS,
usernameVariable: 'SVACER_USER',
passwordVariable: 'SVACER_PASS'
)]) {
stage('Upload results') {
withVault([configuration: configuration, vaultSecrets: secrets]) {
String branch = params.BRANCH
String mainBranch = params.MAIN_BRANCH
@@ -94,10 +101,10 @@ node('svace') {
sh """
${svaceCmd} svres2sarif \
${svaceResultsDir}/.svace-dir/analyze-res/svace_analysis.svres \
-o ${svaceSarifResultFile}
${env.JENKINS_SVACE_BUILD_DIR}/.svace-dir/analyze-res/svace_analysis.svres \
-o ${env.JENKINS_SVACE_SARIF_FILE}
cd ${svaceResultsDir}
cd ${env.JENKINS_SVACE_BUILD_DIR}
${svacerCmd} import --svace ${svaceCmd} \
--project ${params.GIT_PROJECT} \
@@ -107,15 +114,14 @@ node('svace') {
--if-no-branch clone-${mainBranch}
${svacerCmd} upload --ssl \
--user ${SVACER_USER} \
--password ${SVACER_PASS} \
--user ${VAULT_SVACER_LOGIN} \
--password ${VAULT_SVACER_PASS} \
--ldap_server ${ldapServer}
"""
nexus.upload([artifactPath: "${svaceSarifResultFile}",
repository: svaceNexusRepo,
nexus.upload([artifactPath: "${env.JENKINS_SVACE_SARIF_FILE}",
repository: env.JENKINS_SVACE_NEXUS_REPO,
path: nexusSvaceSarifRepoPath])
}
}
}}
} catch(err) {
echo 'ERROR: ' + err.getMessage()
currentBuild.result = 'FAILURE'
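Review bot: The new `--user ${VAULT_SVACER_LOGIN}` and `--password ${VAULT_SVACER_PASS}` lines in the last hunk are expanded by Groovy inside the `"""` string, so the Vault secret values become part of the command text handed to `sh` instead of being read from the environment by the shell, and Jenkins flags exactly this pattern because the interpolated text can surface in the build log and step metadata. Escaping the dollar sign keeps the other Groovy interpolations in the block (`svacerCmd`, `mainBranch`, `ldapServer`) intact while letting the shell expand the secrets: `--user \$VAULT_SVACER_LOGIN \` and `--password \$VAULT_SVACER_PASS \`. The `--password` argument is still visible to anyone who can list processes on the agent while `svacer upload` runs, which is a limitation of the tool's CLI rather than of this change, but worth noting next to the call. In the first hunk, `String nexusSvaceSarifRepoPath = ''` and the later bare `String nexusSvaceSarifRepoPath` both appear on the new side as printed, which would be a duplicate declaration in Groovy if both survive, and `svaceVersion`, `svaceResultsDir`, `svaceSarifResultFile` and `svaceNexusRepo` look unused after the switch to `env.JENKINS_*`; please confirm against the rendered file. The enclosing `node('svace') {` block and its `try` begin outside these hunks.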