[DO-273] add svace analyze pipeline (!16)

Reviewed-on: https://git.avroid.tech/DevOps/jenkins-pipelines/pulls/16 Reviewed-by: Andrey Danin <andrey.danin@avroid.tech> Co-authored-by: aleksandr.vodyanov <aleksandr.vodyanov@avroid.tech> Co-committed-by: aleksandr.vodyanov <aleksandr.vodyanov@avroid.tech>
2024-02-22 15:31:40 +03:00
parent ce9e9cd67a
commit 87ad52f470
4 changed files with 130 additions and 4 deletions
--- a/jobs-dsl/folders/DevSecOps.groovy
+++ b/jobs-dsl/folders/DevSecOps.groovy
@@ -0,0 +1,4 @@
+folder('DevSecOps') {
+    displayName('DevSecOps')
+    description('DevSecOps directory for devsec CI')
+}
--- a/jobs-dsl/folders/bbl_waydroid.groovy
+++ b/jobs-dsl/folders/bbl_waydroid.groovy
@@ -1,4 +0,0 @@
-folder('BBL-Waydroid') {
-    displayName('BBL-Waydroid')
-    description("Job for build Waydroid")
-}
--- a/jobs-dsl/jobs/DevSecOps/svace_analyze.groovy
+++ b/jobs-dsl/jobs/DevSecOps/svace_analyze.groovy
@@ -0,0 +1,34 @@
+pipelineJob('DevSecOps/svace_analyze') {
+    parameters {
+        string {
+            description('Git project url')
+            name('GIT_PROJECT')
+            defaultValue('')
+        }
+        string {
+            description('Git project branch')
+            name('BRANCH')
+            defaultValue('')
+        }
+        string {
+            description('Link with build results')
+            name('SVACE_BUILD_RESULTS_LINK')
+            defaultValue('')
+        }
+    }
+
+    definition {
+        cpsScm {
+            scm {
+                git {
+                    remote {
+                        url("${JENKINS_GIT_REPOSITORY_URL}/DevOps/jenkins-pipelines.git")
+                        credentials("${JENKINS_GIT_CREDENTIALS_HTTP}")
+                    }
+                    branch('master')
+                }
+            }
+            scriptPath('pipelines/DevSecOps/svace-analyze.groovy')
+        }
+    }
+}
--- a/pipelines/DevSecOps/svace-analyze.groovy
+++ b/pipelines/DevSecOps/svace-analyze.groovy
@@ -0,0 +1,92 @@
+@Library('shared-lib') _
+
+import tech.avroid.api.Nexus
+import tech.avroid.scm.Git
+
+Nexus nexus = new Nexus(this, env.JENKINS_NEXUS_URL, env.JENKINS_NEXUS_CREDENTIALS)
+String buildThreads = '16'
+String svaceVersion = '3.4.240109'
+String svacerVersion = '8-0-0'
+String svaceCmd = "/data/opt/svace-${svaceVersion}-x64-linux/bin/svace"
+String svacerCmd = "/data/opt/svacer-${svacerVersion}/bin/svacer"
+String svaceBuildResult = ''
+String commitShortSha = ''
+String svaceResultsDir = 'svace_analysis'
+String ldapServer = 'FreeIPA'
+
+properties([
+    buildDiscarder(logRotator(artifactNumToKeepStr: '50',
+                              numToKeepStr: '50')),
+    parameters([
+        string(name: 'GIT_PROJECT', defaultValue: ''),
+        string(name: 'BRANCH', defaultValue: ''),
+        string(name: 'COMMIT_SHA', defaultValue: ''),
+        string(name: 'SVACE_BUILD_RESULTS_LINK', defaultValue: '')
+    ])
+])
+
+node('svace') {
+    try {
+        stage('env') {
+            println "Using agent ${env.NODE_NAME} (${env.JENKINS_URL})"
+            println "param GIT_PROJECT ${params.GIT_PROJECT}"
+            println "param BRANCH ${params.BRANCH}"
+            println "param COMMIT_SHA ${params.COMMIT_SHA}"
+            println "param SVACE_BUILD_RESULTS_LINK ${params.SVACE_BUILD_RESULTS_LINK}"
+            println "WORKSPACE: ${env.WORKSPACE}"
+            sh 'printenv'
+        }
+
+        stage('download') {
+            Git git = new Git(this, env.JENKINS_GIT_CREDENTIALS_SSH)
+            
+            git.clone([
+                       urlRepo: "${env.JENKINS_GIT_REPOSITORY_SSH_URL}/${params.GIT_PROJECT}",
+                       branch: params.BRANCH,
+                       path: "${env.WORKSPACE}/${params.GIT_PROJECT}",
+                       ])
+            svaceBuildResults = nexus.download(params.SVACE_BUILD_RESULTS_LINK)
+            commitShortSha = (params.COMMIT_SHA) ? params.COMMIT_SHA : git.log([count:1, format: "%h"])
+            println "commitShortSha ${commitShortSha}"
+            dir("${env.WORKSPACE}/${params.GIT_PROJECT}") {
+                git.checkout(commitShortSha)
+            }
+        }
+
+        stage('Svace analyze') {
+            sh """
+                tar -xf ${svaceBuildResults}
+                ${svaceCmd} config --svace-dir ./${svaceResultsDir} THREAD_NUMBER ${buildThreads}
+                ${svaceCmd} analyze --log-level brief --svace-dir ./${svaceResultsDir}
+            """
+        }
+        
+        stage('Upload result') {
+            withCredentials([usernamePassword(
+                                              credentialsId: env.JENKINS_SVACER_CREDENTIALS,
+                                              usernameVariable: 'SVACER_USER',
+                                              passwordVariable: 'SVACER_PASS'
+                                             )]) {
+                sh """
+                    cd ${svaceResultsDir}
+                    ${svacerCmd} import --svace ${svaceCmd} \
+                                        --project ${params.GIT_PROJECT} \
+                                        --branch ${params.BRANCH} \
+                                        --snapshot "${commitShortSha} - `date -R`" \
+                                        --source-tree ${env.WORKSPACE}/${params.GIT_PROJECT}
+
+                    ${svacerCmd} upload --ssl \
+                                        --user ${SVACER_USER} \
+                                        --password ${SVACER_PASS} \
+                                        -ldap_server ${ldapServer}
+                """
+            }
+        }
+    }
+    catch(err) {
+        echo 'ERROR: ' + err.getMessage()
+        currentBuild.result = 'FAILURE'
+    } finally {
+        cleanWs()
+    }
+}