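// Jenkins scripted pipeline: runs a Svace analysis over a previously captured Svace
// build (downloaded from Nexus via SVACE_BUILD_RESULTS_LINK), imports the result into
// Svacer and stores the SARIF report back in Nexus.
//
// Security notes for maintainers:
//  * Build parameters are spliced into shell commands and filesystem paths, so every
//    parameter is checked against a strict allow-list (see `paramPatterns`) before any
//    of them is used; unexpected values fail the build.
//  * The Svacer credentials are referenced as *shell* variables (`\$SVACER_USER`), not
//    Groovy-interpolated, so they are not expanded into the script text that Jenkins logs.
@Library('shared-lib') _
import tech.avroid.api.Nexus
import tech.avroid.scm.Git

String buildThreads = '16'
String svaceVersion = '3.4.240312'
String svacerVersion = '8-0-1'
String svaceCmd = "/data/opt/svace-${svaceVersion}-x64-linux/bin/svace"
String svacerCmd = "/data/opt/svacer-${svacerVersion}/bin/svacer"
String svaceBuildResults = ''
String commitShortSha = ''
String svaceResultsDir = 'svace_analysis'
String svaceSarifResultFile = "svace_analysis.sarif2"
String ldapServer = 'FreeIPA'

// Nexus variables
Nexus nexus = new Nexus(this, env.JENKINS_NEXUS_URL, env.JENKINS_NEXUS_CREDENTIALS)
String svaceNexusRepo = 'devsecops-raw-svace_results'
String nexusSvaceSarifRepoPath

// Allow-list patterns for parameters that reach shell commands or paths.
// Matched with ==~ (whole-string match). Every path component must start with
// [A-Za-z0-9_], so a value can neither be parsed as an option ("-...") by
// git/svace/svacer nor form a ".." path component.
Map<String, String> paramPatterns = [
    GIT_PROJECT:    '[A-Za-z0-9_][A-Za-z0-9._-]*(/[A-Za-z0-9_][A-Za-z0-9._-]*)*',
    BRANCH:         '[A-Za-z0-9_][A-Za-z0-9._/-]*',
    MAIN_BRANCH:    '[A-Za-z0-9_][A-Za-z0-9._/-]*',
    COMMIT_SHA:     '([0-9a-fA-F]{7,40})?',      // optional: empty means "HEAD of BRANCH"
    BUILD_PLATFORM: '[A-Za-z0-9._-]*',           // optional suffix, e.g. aurora5_armv7hl
]
// Parameters that must be non-empty for the pipeline to do anything meaningful.
List<String> requiredParams = ['GIT_PROJECT', 'BRANCH', 'MAIN_BRANCH', 'SVACE_BUILD_RESULTS_LINK']

// Fails the build (error() throws, caught by the outer try/catch) when a parameter is
// missing or does not match its allow-list pattern.
def validateParams = {
    requiredParams.each { String name ->
        if (!params[name]) {
            error("Parameter ${name} is required")
        }
    }
    paramPatterns.each { String name, String pattern ->
        String value = params[name] ?: ''
        if (!(value ==~ pattern)) {
            error("Parameter ${name} has an unexpected value: '${value}'")
        }
    }
}

properties([
    buildDiscarder(logRotator(artifactNumToKeepStr: '50', numToKeepStr: '50')),
    parameters([
        string(name: 'GIT_PROJECT', defaultValue: ''),
        string(name: 'BRANCH', defaultValue: ''),
        string(name: 'COMMIT_SHA', defaultValue: ''),
        string(name: 'MAIN_BRANCH', defaultValue: 'master'),
        string(name: 'SVACE_BUILD_RESULTS_LINK', defaultValue: ''),
        string(name: 'BUILD_PLATFORM', defaultValue: '', description: 'name, version and arch of build. Example: aurora5_armv7hl')
    ])
])

node('svace') {
    try {
        stage('env') {
            println "Using agent ${env.NODE_NAME} (${env.JENKINS_URL})"
            println "param GIT_PROJECT ${params.GIT_PROJECT}"
            println "param BRANCH ${params.BRANCH}"
            println "param COMMIT_SHA ${params.COMMIT_SHA}"
            println "param SVACE_BUILD_RESULTS_LINK ${params.SVACE_BUILD_RESULTS_LINK}"
            println "param MAIN_BRANCH ${params.MAIN_BRANCH}"
            println "param BUILD_PLATFORM ${params.BUILD_PLATFORM}"
            println "WORKSPACE: ${env.WORKSPACE}"
            // Environment dump is kept for diagnostics, but lines that look like secrets
            // are filtered out: the build log is retained for 50 builds and readable by
            // anyone with job read access.
            sh 'printenv | grep -viE "pass|secret|token|cred" || true'
            validateParams()
        }

        stage('Download') {
            Git git = new Git(this, env.JENKINS_GIT_CREDENTIALS_SSH)
            // Eisen/OS is cloned without submodules; every other project gets them.
            Boolean isDisableSubmodules = (params.GIT_PROJECT == 'Eisen/OS')
            git.clone([
                urlRepo: "${env.JENKINS_GIT_REPOSITORY_SSH_URL}/${params.GIT_PROJECT}",
                branch: params.BRANCH,
                path: "${env.WORKSPACE}/${params.GIT_PROJECT}",
                disableSubmodules: isDisableSubmodules,
                shallow: false
            ])
            // NOTE(review): the link is an arbitrary build parameter. Whether nexus.download
            // restricts it to JENKINS_NEXUS_URL is not visible here -- confirm it does, otherwise
            // a caller can make this agent fetch (and then untar) an archive from any host.
            svaceBuildResults = nexus.download(params.SVACE_BUILD_RESULTS_LINK)
            // Explicit COMMIT_SHA wins; otherwise analyse the tip of BRANCH as cloned.
            commitShortSha = params.COMMIT_SHA ? params.COMMIT_SHA : git.log([count: 1, format: "%h"])
            dir("${env.WORKSPACE}/${params.GIT_PROJECT}") {
                git.checkout(commitShortSha)
            }
        }

        stage('Svace analyze') {
            // The archive is the Svace build capture produced by an earlier job.
            sh """
                tar -xf "${svaceBuildResults}"
                ${svaceCmd} config --svace-dir ./${svaceResultsDir} THREAD_NUMBER ${buildThreads}
                ${svaceCmd} analyze --log-level brief --svace-dir ./${svaceResultsDir}
            """
        }

        withCredentials([usernamePassword(
            credentialsId: env.JENKINS_SVACER_CREDENTIALS,
            usernameVariable: 'SVACER_USER',
            passwordVariable: 'SVACER_PASS'
        )]) {
            stage('Upload results') {
                String branch = params.BRANCH
                String mainBranch = params.MAIN_BRANCH
                if (params.BUILD_PLATFORM) {
                    branch += '_' + params.BUILD_PLATFORM
                    mainBranch += '_' + params.BUILD_PLATFORM
                }
                // NOTE(review): the Nexus path uses the raw BRANCH, not the platform-suffixed
                // `branch`, so two BUILD_PLATFORM runs of the same commit write the same
                // artifact path -- confirm this is intended before relying on per-platform SARIF.
                nexusSvaceSarifRepoPath = "${params.GIT_PROJECT}/${params.BRANCH}/${commitShortSha}"
                // Credentials are passed as shell variables (\$VAR, not Groovy ${VAR}) so the
                // secret is never part of the interpolated script text Jenkins records.
                // They still appear on the svacer command line (visible in `ps` on the agent);
                // prefer an env/file based option if this svacer version offers one.
                sh """
                    ${svaceCmd} svres2sarif \
                        ${svaceResultsDir}/.svace-dir/analyze-res/svace_analysis.svres \
                        -o ${svaceSarifResultFile}
                    cd ${svaceResultsDir}
                    ${svacerCmd} import --svace ${svaceCmd} \
                        --project "${params.GIT_PROJECT}" \
                        --branch "${branch}" \
                        --snapshot "${commitShortSha} - `date -R`" \
                        --source-tree "${env.WORKSPACE}/${params.GIT_PROJECT}" \
                        --if-no-branch "clone-${mainBranch}"
                    ${svacerCmd} upload --ssl \
                        --user "\$SVACER_USER" \
                        --password "\$SVACER_PASS" \
                        --ldap_server ${ldapServer}
                """
                nexus.upload([artifactPath: "${svaceSarifResultFile}",
                              repository: svaceNexusRepo,
                              path: nexusSvaceSarifRepoPath])
            }
        }
    } catch (err) {
        // Any failure (including a rejected parameter) marks the build FAILURE; the
        // workspace is still cleaned in `finally`.
        echo 'ERROR: ' + err.getMessage()
        currentBuild.result = 'FAILURE'
    } finally {
        // Removes the checked-out sources and the extracted build capture from the agent.
        cleanWs()
    }
}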