[DO-783] update svace (!41)
Reviewed-on: https://git.avroid.tech/DevOps/jenkins-pipelines/pulls/41 Reviewed-by: Boris Shestov <boris.shestov@avroid.tech> Reviewed-by: Andrey Danin <andrey.danin@avroid.tech> Co-authored-by: aleksandr.vodyanov <aleksandr.vodyanov@avroid.tech> Co-committed-by: aleksandr.vodyanov <aleksandr.vodyanov@avroid.tech>
This commit is contained in:
aleksandr.vodyanov
committed by
Aleksandr Vodyanov
Aleksandr Vodyanov
parent
d1214cfe77
commit
321dc6dfc1
@@ -3,21 +3,32 @@
|
||||
import tech.avroid.api.Nexus
|
||||
import tech.avroid.scm.Git
|
||||
|
||||
String buildThreads = '16'
|
||||
String svaceVersion = '3.4.240312'
|
||||
String svacerVersion = '9-0-2'
|
||||
String svaceCmd = "/data/opt/svace-${svaceVersion}-x64-linux/bin/svace"
|
||||
String svacerCmd = "/data/opt/svacer-${svacerVersion}/bin/svacer"
|
||||
String svaceBuildResults = ''
|
||||
String commitShortSha = ''
|
||||
String svaceResultsDir = 'svace_analysis'
|
||||
String svaceSarifResultFile = "svace_analysis.sarif2"
|
||||
String ldapServer = 'FreeIPA'
|
||||
String buildThreads = '16'
|
||||
String svacerVersion = '9-0-2'
|
||||
String svaceCmd = "/data/opt/svace-${env.JENKINS_SVACE_VERSION}-x64-linux/bin/svace"
|
||||
String svacerCmd = "/data/opt/svacer-${svacerVersion}/bin/svacer"
|
||||
String svaceBuildResults = ''
|
||||
String commitShortSha = ''
|
||||
String ldapServer = 'FreeIPA'
|
||||
String nexusSvaceSarifRepoPath = ''
|
||||
|
||||
// Nexus variables
|
||||
Nexus nexus = new Nexus(this, env.JENKINS_NEXUS_URL, env.JENKINS_NEXUS_CREDENTIALS)
|
||||
String svaceNexusRepo = 'devsecops-raw-svace_results'
|
||||
String nexusSvaceSarifRepoPath
|
||||
|
||||
Map configuration = [
|
||||
vaultUrl: env.JENKINS_VAULT_URL,
|
||||
vaultCredentialId: env.JENKINS_VAULT_TOKEN,
|
||||
engineVersion: 2
|
||||
]
|
||||
|
||||
List secrets = [
|
||||
[path: "team-devops/accounts/ldap/service_accounts/svc_svacer", engineVersion: 2, secretValues:
|
||||
[
|
||||
[envVar: 'VAULT_SVACER_LOGIN', vaultKey: 'login'],
|
||||
[envVar: 'VAULT_SVACER_PASS', vaultKey: 'password'],
|
||||
]
|
||||
]
|
||||
]
|
||||
|
||||
properties([
|
||||
buildDiscarder(logRotator(artifactNumToKeepStr: '50',
|
||||
@@ -70,56 +81,51 @@ node('svace') {
|
||||
stage('Svace analyze') {
|
||||
sh """
|
||||
tar -xf ${svaceBuildResults}
|
||||
${svaceCmd} config --svace-dir ./${svaceResultsDir} THREAD_NUMBER ${buildThreads}
|
||||
${svaceCmd} analyze --log-level brief --svace-dir ./${svaceResultsDir}
|
||||
${svaceCmd} config --svace-dir ./${env.JENKINS_SVACE_BUILD_DIR} THREAD_NUMBER ${buildThreads}
|
||||
${svaceCmd} analyze --log-level brief --svace-dir ./${env.JENKINS_SVACE_BUILD_DIR}
|
||||
"""
|
||||
}
|
||||
|
||||
withCredentials([usernamePassword(
|
||||
credentialsId: env.JENKINS_SVACER_CREDENTIALS,
|
||||
usernameVariable: 'SVACER_USER',
|
||||
passwordVariable: 'SVACER_PASS'
|
||||
)]) {
|
||||
stage('Upload results') {
|
||||
String branch = params.BRANCH
|
||||
String mainBranch = params.MAIN_BRANCH
|
||||
stage('Upload results') {
|
||||
withVault([configuration: configuration, vaultSecrets: secrets]) {
|
||||
String branch = params.BRANCH
|
||||
String mainBranch = params.MAIN_BRANCH
|
||||
|
||||
nexusSvaceSarifRepoPath = "${params.GIT_PROJECT}/${params.BRANCH}/${commitShortSha}"
|
||||
nexusSvaceSarifRepoPath = "${params.GIT_PROJECT}/${params.BRANCH}/${commitShortSha}"
|
||||
|
||||
if (params.BUILD_PLATFORM) {
|
||||
branch += '_' + params.BUILD_PLATFORM
|
||||
mainBranch += '_' + params.BUILD_PLATFORM
|
||||
nexusSvaceSarifRepoPath += '/' + params.BUILD_PLATFORM
|
||||
}
|
||||
|
||||
sh """
|
||||
${svaceCmd} svres2sarif \
|
||||
${svaceResultsDir}/.svace-dir/analyze-res/svace_analysis.svres \
|
||||
-o ${svaceSarifResultFile}
|
||||
|
||||
cd ${svaceResultsDir}
|
||||
|
||||
${svacerCmd} import --svace ${svaceCmd} \
|
||||
--project ${params.GIT_PROJECT} \
|
||||
--branch ${branch} \
|
||||
--snapshot "${commitShortSha} - `date -R`" \
|
||||
--source-tree ${env.WORKSPACE}/${params.GIT_PROJECT} \
|
||||
--if-no-branch clone-${mainBranch}
|
||||
|
||||
${svacerCmd} upload --ssl \
|
||||
--user ${SVACER_USER} \
|
||||
--password ${SVACER_PASS} \
|
||||
--ldap_server ${ldapServer}
|
||||
"""
|
||||
nexus.upload([artifactPath: "${svaceSarifResultFile}",
|
||||
repository: svaceNexusRepo,
|
||||
path: nexusSvaceSarifRepoPath])
|
||||
if (params.BUILD_PLATFORM) {
|
||||
branch += '_' + params.BUILD_PLATFORM
|
||||
mainBranch += '_' + params.BUILD_PLATFORM
|
||||
nexusSvaceSarifRepoPath += '/' + params.BUILD_PLATFORM
|
||||
}
|
||||
}
|
||||
|
||||
sh """
|
||||
${svaceCmd} svres2sarif \
|
||||
${env.JENKINS_SVACE_BUILD_DIR}/.svace-dir/analyze-res/svace_analysis.svres \
|
||||
-o ${env.JENKINS_SVACE_SARIF_FILE}
|
||||
|
||||
cd ${env.JENKINS_SVACE_BUILD_DIR}
|
||||
|
||||
${svacerCmd} import --svace ${svaceCmd} \
|
||||
--project ${params.GIT_PROJECT} \
|
||||
--branch ${branch} \
|
||||
--snapshot "${commitShortSha} - `date -R`" \
|
||||
--source-tree ${env.WORKSPACE}/${params.GIT_PROJECT} \
|
||||
--if-no-branch clone-${mainBranch}
|
||||
|
||||
${svacerCmd} upload --ssl \
|
||||
--user ${VAULT_SVACER_LOGIN} \
|
||||
--password ${VAULT_SVACER_PASS} \
|
||||
--ldap_server ${ldapServer}
|
||||
"""
|
||||
nexus.upload([artifactPath: "${env.JENKINS_SVACE_SARIF_FILE}",
|
||||
repository: env.JENKINS_SVACE_NEXUS_REPO,
|
||||
path: nexusSvaceSarifRepoPath])
|
||||
}}
|
||||
} catch(err) {
|
||||
echo 'ERROR: ' + err.getMessage()
|
||||
currentBuild.result = 'FAILURE'
|
||||
} finally {
|
||||
cleanWs()
|
||||
cleanWs()
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user