From 87ad52f470c7850ae5ce5be3117884987a19a3a3 Mon Sep 17 00:00:00 2001
From: "aleksandr.vodyanov"
Date: Thu, 22 Feb 2024 15:31:40 +0300
Subject: [PATCH] [DO-273] add svace analyze pipeline (!16)

Reviewed-on: https://git.avroid.tech/DevOps/jenkins-pipelines/pulls/16
Reviewed-by: Andrey Danin
Co-authored-by: aleksandr.vodyanov
Co-committed-by: aleksandr.vodyanov
---
 jobs-dsl/folders/DevSecOps.groovy | 4 +
 jobs-dsl/folders/bbl_waydroid.groovy | 4 -
 jobs-dsl/jobs/DevSecOps/svace_analyze.groovy | 34 ++++++++
 pipelines/DevSecOps/svace-analyze.groovy | 92 ++++++++++++++++++++
 4 files changed, 130 insertions(+), 4 deletions(-)
 create mode 100644 jobs-dsl/folders/DevSecOps.groovy
 delete mode 100644 jobs-dsl/folders/bbl_waydroid.groovy
 create mode 100644 jobs-dsl/jobs/DevSecOps/svace_analyze.groovy
 create mode 100644 pipelines/DevSecOps/svace-analyze.groovy

diff --git a/jobs-dsl/folders/DevSecOps.groovy b/jobs-dsl/folders/DevSecOps.groovy
new file mode 100644
index 0000000..c9397c7
--- /dev/null
+++ b/jobs-dsl/folders/DevSecOps.groovy
@@ -0,0 +1,4 @@
+folder('DevSecOps') {
+ displayName('DevSecOps')
+ description('DevSecOps directory for devsec CI')
+}
diff --git a/jobs-dsl/folders/bbl_waydroid.groovy b/jobs-dsl/folders/bbl_waydroid.groovy
deleted file mode 100644
index bdd9983..0000000
--- a/jobs-dsl/folders/bbl_waydroid.groovy
+++ /dev/null
@@ -1,4 +0,0 @@
-folder('BBL-Waydroid') {
- displayName('BBL-Waydroid')
- description("Job for build Waydroid")
-}
diff --git a/jobs-dsl/jobs/DevSecOps/svace_analyze.groovy b/jobs-dsl/jobs/DevSecOps/svace_analyze.groovy
new file mode 100644
index 0000000..c4c3209
--- /dev/null
+++ b/jobs-dsl/jobs/DevSecOps/svace_analyze.groovy
@@ -0,0 +1,34 @@
+pipelineJob('DevSecOps/svace_analyze') {
+ parameters {
+ string {
+ description('Git project url')
+ name('GIT_PROJECT')
+ defaultValue('')
+ }
+ string {
+ description('Git project branch')
+ name('BRANCH')
+ defaultValue('')
+ }
+ string {
+ description('Link with build results')
+ name('SVACE_BUILD_RESULTS_LINK')
+ defaultValue('')
+ }
+ }
+
+ definition {
+ cpsScm {
+ scm {
+ git {
+ remote {
+ url("${JENKINS_GIT_REPOSITORY_URL}/DevOps/jenkins-pipelines.git")
+ credentials("${JENKINS_GIT_CREDENTIALS_HTTP}")
+ }
+ branch('master')
+ }
+ }
+ scriptPath('pipelines/DevSecOps/svace-analyze.groovy')
+ }
+ }
+}
diff --git a/pipelines/DevSecOps/svace-analyze.groovy b/pipelines/DevSecOps/svace-analyze.groovy
new file mode 100644
index 0000000..9d750a5
--- /dev/null
+++ b/pipelines/DevSecOps/svace-analyze.groovy
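Review bot: The job DSL declares GIT_PROJECT, BRANCH and SVACE_BUILD_RESULTS_LINK but not COMMIT_SHA, while the pipeline script it points to (pipelines/DevSecOps/svace-analyze.groovy in this same patch) lists COMMIT_SHA in its `properties([parameters([...])])` and reads `params.COMMIT_SHA`, so the seeded job only gains that parameter after its first run and a first build cannot pin a commit. Add a fourth `string { … }` block next to the others, as below. Each `description(...)` could also state the expected format, since the values are typed by hand at trigger time (COMMIT_SHA appears to fall back to the latest commit of BRANCH when empty, judging by the `git.log([count:1, format: "%h"])` fallback in the pipeline).
```groovy
 string {
 description('Commit sha to analyze (empty: latest commit of BRANCH)')
 name('COMMIT_SHA')
 defaultValue('')
 }
```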
@@ -0,0 +1,92 @@
+@Library('shared-lib') _
+
+import tech.avroid.api.Nexus
+import tech.avroid.scm.Git
+
+Nexus nexus = new Nexus(this, env.JENKINS_NEXUS_URL, env.JENKINS_NEXUS_CREDENTIALS)
+String buildThreads = '16'
+String svaceVersion = '3.4.240109'
+String svacerVersion = '8-0-0'
+String svaceCmd = "/data/opt/svace-${svaceVersion}-x64-linux/bin/svace"
+String svacerCmd = "/data/opt/svacer-${svacerVersion}/bin/svacer"
+String svaceBuildResult = ''
+String commitShortSha = ''
+String svaceResultsDir = 'svace_analysis'
+String ldapServer = 'FreeIPA'
+
+properties([
+ buildDiscarder(logRotator(artifactNumToKeepStr: '50',
+ numToKeepStr: '50')),
+ parameters([
+ string(name: 'GIT_PROJECT', defaultValue: ''),
+ string(name: 'BRANCH', defaultValue: ''),
+ string(name: 'COMMIT_SHA', defaultValue: ''),
+ string(name: 'SVACE_BUILD_RESULTS_LINK', defaultValue: '')
+ ])
+])
+
+node('svace') {
+ try {
+ stage('env') {
+ println "Using agent ${env.NODE_NAME} (${env.JENKINS_URL})"
+ println "param GIT_PROJECT ${params.GIT_PROJECT}"
+ println "param BRANCH ${params.BRANCH}"
+ println "param COMMIT_SHA ${params.COMMIT_SHA}"
+ println "param SVACE_BUILD_RESULTS_LINK ${params.SVACE_BUILD_RESULTS_LINK}"
+ println "WORKSPACE: ${env.WORKSPACE}"
+ sh 'printenv'
+ }
+
+ stage('download') {
+ Git git = new Git(this, env.JENKINS_GIT_CREDENTIALS_SSH)
+
+ git.clone([
+ urlRepo: "${env.JENKINS_GIT_REPOSITORY_SSH_URL}/${params.GIT_PROJECT}",
+ branch: params.BRANCH,
+ path: "${env.WORKSPACE}/${params.GIT_PROJECT}",
+ ])
+ svaceBuildResults = nexus.download(params.SVACE_BUILD_RESULTS_LINK)
+ commitShortSha = (params.COMMIT_SHA) ? params.COMMIT_SHA : git.log([count:1, format: "%h"])
+ println "commitShortSha ${commitShortSha}"
+ dir("${env.WORKSPACE}/${params.GIT_PROJECT}") {
+ git.checkout(commitShortSha)
+ }
+ }
+
+ stage('Svace analyze') {
+ sh """
+ tar -xf ${svaceBuildResults}
+ ${svaceCmd} config --svace-dir ./${svaceResultsDir} THREAD_NUMBER ${buildThreads}
+ ${svaceCmd} analyze --log-level brief --svace-dir ./${svaceResultsDir}
+ """
+ }
+
+ stage('Upload result') {
+ withCredentials([usernamePassword(
+ credentialsId: env.JENKINS_SVACER_CREDENTIALS,
+ usernameVariable: 'SVACER_USER',
+ passwordVariable: 'SVACER_PASS'
+ )]) {
+ sh """
+ cd ${svaceResultsDir}
+ ${svacerCmd} import --svace ${svaceCmd} \
+ --project ${params.GIT_PROJECT} \
+ --branch ${params.BRANCH} \
+ --snapshot "${commitShortSha} - `date -R`" \
+ --source-tree ${env.WORKSPACE}/${params.GIT_PROJECT}
+
+ ${svacerCmd} upload --ssl \
+ --user ${SVACER_USER} \
+ --password ${SVACER_PASS} \
+ -ldap_server ${ldapServer}
+ """
+ }
+ }
+ }
+ catch(err) {
+ echo 'ERROR: ' + err.getMessage()
+ currentBuild.result = 'FAILURE'
+ } finally {
+ cleanWs()
+ }
+}
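Review bot: In the 'Upload result' stage the `sh """…"""` step expands `${SVACER_USER}` and `${SVACER_PASS}` with Groovy, so the credential values become part of the command text that Jenkins assembles and records (Jenkins itself warns about secrets passed to `sh` via Groovy interpolation), and `params.GIT_PROJECT`, `params.BRANCH` and `commitShortSha` are spliced into the same command unquoted, so a hand-typed job parameter can change what the shell runs; let the shell read all of them from the environment instead, as in the rewrite below. The same Groovy-to-shell splice of `${svaceBuildResults}` happens in the 'Svace analyze' stage, where the script also assigns `svaceBuildResults` although the variable declared at the top is `String svaceBuildResult = ''`, so that declaration is unused and the assignment creates an untyped script-binding variable — rename one of them so the typo cannot hide a wrong path. `sh 'printenv'` in the 'env' stage writes the agent's whole environment into the build log, which is worth dropping or narrowing to the variables the pipeline reads once the job is stable.
```groovy
 // … unchanged: withCredentials([usernamePassword(...)]) { …
 // Parameters and secrets reach the shell through the environment; `\$` keeps
 // Groovy from expanding them, so none of them lands in the command text.
 withEnv(["PROJECT=${params.GIT_PROJECT}", "PROJECT_BRANCH=${params.BRANCH}",
 "COMMIT_SHORT_SHA=${commitShortSha}"]) {
 sh """
 cd ${svaceResultsDir}
 ${svacerCmd} import --svace ${svaceCmd} \
 --project "\$PROJECT" \
 --branch "\$PROJECT_BRANCH" \
 --snapshot "\$COMMIT_SHORT_SHA - \$(date -R)" \
 --source-tree "\$WORKSPACE/\$PROJECT"

 ${svacerCmd} upload --ssl \
 --user "\$SVACER_USER" \
 --password "\$SVACER_PASS" \
 -ldap_server ${ldapServer}
 """
 }
 // … unchanged: closing braces of withCredentials and the stage …
```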