Avroid/jenkins-pipelines
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[DO-338] export svacer snapshots to sarif2 (!21)

Browse Source 
Reviewed-on: https://git.avroid.tech/DevOps/jenkins-pipelines/pulls/21
This commit is contained in:
Aleksandr Vodyanov
2024-04-01 12:01:09 +03:00
parent 0a77ef6605
commit b85939500d
1 changed files with 32 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
pipelines/DevSecOps/svace-analyze.groovy
View File

@@ -3,16 +3,21 @@
import tech.avroid.api.Nexus import tech.avroid.api.Nexus
import tech.avroid.scm.Git import tech.avroid.scm.Git
String buildThreads = '16'
String svaceVersion = '3.4.240312'
String svacerVersion = '8-0-1'
String svaceCmd = "/data/opt/svace-${svaceVersion}-x64-linux/bin/svace"
String svacerCmd = "/data/opt/svacer-${svacerVersion}/bin/svacer"
String svaceBuildResult = ''
String commitShortSha = ''
String svaceResultsDir = 'svace_analysis'
String svaceSarifResultFile = "svace_analysis.sarif2"
String ldapServer = 'FreeIPA'
// Nexus variables
Nexus nexus = new Nexus(this, env.JENKINS_NEXUS_URL, env.JENKINS_NEXUS_CREDENTIALS) Nexus nexus = new Nexus(this, env.JENKINS_NEXUS_URL, env.JENKINS_NEXUS_CREDENTIALS)
String buildThreads = '16' String svaceNexusRepo = 'devsecops-raw-svace_results'
String svaceVersion = '3.4.240109' String nexusSvaceSarifRepoPath
String svacerVersion = '8-0-0'
String svaceCmd = "/data/opt/svace-${svaceVersion}-x64-linux/bin/svace"
String svacerCmd = "/data/opt/svacer-${svacerVersion}/bin/svacer"
String svaceBuildResult = ''
String commitShortSha = ''
String svaceResultsDir = 'svace_analysis'
String ldapServer = 'FreeIPA'
properties([ properties([
buildDiscarder(logRotator(artifactNumToKeepStr: '50', buildDiscarder(logRotator(artifactNumToKeepStr: '50',
@@ -37,7 +42,7 @@ node('svace') {
sh 'printenv' sh 'printenv'
} }
stage('download') { stage('Download') {
Git git = new Git(this, env.JENKINS_GIT_CREDENTIALS_SSH) Git git = new Git(this, env.JENKINS_GIT_CREDENTIALS_SSH)
git.clone([ git.clone([
@@ -47,7 +52,6 @@ node('svace') {
]) ])
svaceBuildResults = nexus.download(params.SVACE_BUILD_RESULTS_LINK) svaceBuildResults = nexus.download(params.SVACE_BUILD_RESULTS_LINK)
commitShortSha = (params.COMMIT_SHA) ? params.COMMIT_SHA : git.log([count:1, format: "%h"]) commitShortSha = (params.COMMIT_SHA) ? params.COMMIT_SHA : git.log([count:1, format: "%h"])
println "commitShortSha ${commitShortSha}"
dir("${env.WORKSPACE}/${params.GIT_PROJECT}") { dir("${env.WORKSPACE}/${params.GIT_PROJECT}") {
git.checkout(commitShortSha) git.checkout(commitShortSha)
} }
@@ -61,14 +65,17 @@ node('svace') {
""" """
} }
stage('Upload result') { withCredentials([usernamePassword(
withCredentials([usernamePassword( credentialsId: env.JENKINS_SVACER_CREDENTIALS,
credentialsId: env.JENKINS_SVACER_CREDENTIALS, usernameVariable: 'SVACER_USER',
usernameVariable: 'SVACER_USER', passwordVariable: 'SVACER_PASS'
passwordVariable: 'SVACER_PASS' )]) {
)]) { stage('Upload results') {
nexusSvaceSarifRepoPath = "${params.GIT_PROJECT}/${params.BRANCH}/${commitShortSha}"
sh """ sh """
${svaceCmd} svres2sarif ${svaceResultsDir}/.svace-dir/analyze-res/svace_analysis.svres -o ${svaceSarifResultFile}
cd ${svaceResultsDir} cd ${svaceResultsDir}
${svacerCmd} import --svace ${svaceCmd} \ ${svacerCmd} import --svace ${svaceCmd} \
--project ${params.GIT_PROJECT} \ --project ${params.GIT_PROJECT} \
--branch ${params.BRANCH} \ --branch ${params.BRANCH} \
@@ -78,15 +85,17 @@ node('svace') {
${svacerCmd} upload --ssl \ ${svacerCmd} upload --ssl \
--user ${SVACER_USER} \ --user ${SVACER_USER} \
--password ${SVACER_PASS} \ --password ${SVACER_PASS} \
-ldap_server ${ldapServer} --ldap_server ${ldapServer}
""" """
nexus.upload([artifactPath: "${svaceSarifResultFile}",
repository: svaceNexusRepo,
path: nexusSvaceSarifRepoPath])
} }
} }
} } catch(err) {
catch(err) {
echo 'ERROR: ' + err.getMessage() echo 'ERROR: ' + err.getMessage()
currentBuild.result = 'FAILURE' currentBuild.result = 'FAILURE'
} finally { } finally {
cleanWs() cleanWs()
} }
} }