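@Library('shared-lib') _

import tech.avroid.api.Nexus
import tech.avroid.scm.Git

// Svace static-analysis pipeline.
//
// Inputs (job parameters): the project path inside the git server, the branch
// and commit to analyze, a Nexus link to a pre-built Svace build archive, and
// an optional build-platform suffix. The pipeline clones the source, unpacks
// the build archive, runs `svace analyze`, converts the result to SARIF,
// imports/uploads it to the Svacer server and stores the SARIF in Nexus.
String buildThreads = '28'
String svacerVersion = '9-0-2'
String svaceCmd = "/data/opt/svace-${env.JENKINS_SVACE_VERSION}-x64-linux/bin/svace"
String svacerCmd = "/data/opt/svacer-${svacerVersion}/bin/svacer"
String svaceBuildResults = ''   // local path of the downloaded build archive (set in 'Download')
String commitShortSha = ''      // commit under analysis (param COMMIT_SHA or HEAD of BRANCH)
String ldapServer = 'FreeIPA'
String nexusSvaceSarifRepoPath = ''

// Nexus variables
Nexus nexus = new Nexus(this, env.JENKINS_NEXUS_URL, env.JENKINS_NEXUS_CREDENTIALS)

// Vault connection used by withVault() in the upload stage.
Map configuration = [
    vaultUrl: env.JENKINS_VAULT_URL,
    vaultCredentialId: env.JENKINS_VAULT_TOKEN,
    engineVersion: 2,
]

// Svacer service-account credentials, exposed to the upload stage as
// VAULT_SVACER_LOGIN / VAULT_SVACER_PASS environment variables only.
List secrets = [
    [
        path: 'team-devops/accounts/ldap/service_accounts/svc_svacer',
        engineVersion: 2,
        secretValues: [
            [envVar: 'VAULT_SVACER_LOGIN', vaultKey: 'login'],
            [envVar: 'VAULT_SVACER_PASS', vaultKey: 'password'],
        ],
    ],
]

properties([
    buildDiscarder(logRotator(artifactNumToKeepStr: '50', numToKeepStr: '50')),
    parameters([
        string(name: 'GIT_PROJECT', defaultValue: ''),
        string(name: 'BRANCH', defaultValue: ''),
        string(name: 'COMMIT_SHA', defaultValue: ''),
        string(name: 'MAIN_BRANCH', defaultValue: 'master'),
        string(name: 'SVACE_BUILD_RESULTS_LINK', defaultValue: ''),
        string(name: 'BUILD_PLATFORM', defaultValue: '', description: 'name, version and arch of build. Example: aurora5_armv7hl'),
    ]),
])

node('svace') {
    try {
        stage('env') {
            println "Using agent ${env.NODE_NAME} (${env.JENKINS_URL})"
            println "param GIT_PROJECT ${params.GIT_PROJECT}"
            println "param BRANCH ${params.BRANCH}"
            println "param COMMIT_SHA ${params.COMMIT_SHA}"
            println "param SVACE_BUILD_RESULTS_LINK ${params.SVACE_BUILD_RESULTS_LINK}"
            println "param MAIN_BRANCH ${params.MAIN_BRANCH}"
            println "param BUILD_PLATFORM ${params.BUILD_PLATFORM}"
            println "WORKSPACE: ${env.WORKSPACE}"
            // Dumps the agent environment to the build log. This runs before
            // withVault(), so the Vault-provided credentials are not in scope here.
            sh 'printenv'

            // Fail fast on empty required parameters instead of failing later
            // inside git.clone() / nexus.download() with a less obvious error.
            ['GIT_PROJECT', 'BRANCH', 'SVACE_BUILD_RESULTS_LINK'].each { String name ->
                if (!params[name]) {
                    error("Required parameter ${name} is empty")
                }
            }
        }

        stage('Download') {
            Git git = new Git(this, env.JENKINS_GIT_CREDENTIALS_SSH)
            // Eisen/OS is cloned without submodules; every other project pulls them in.
            Boolean isDisableSubmodules = (params.GIT_PROJECT == 'Eisen/OS')
            git.clone([
                urlRepo: "${env.JENKINS_GIT_REPOSITORY_SSH_URL}/${params.GIT_PROJECT}",
                branch: params.BRANCH,
                path: "${env.WORKSPACE}/${params.GIT_PROJECT}",
                disableSubmodules: isDisableSubmodules,
                shallow: false,
            ])
            svaceBuildResults = nexus.download(params.SVACE_BUILD_RESULTS_LINK)
            // An explicit COMMIT_SHA wins; otherwise analyze the branch HEAD (short hash).
            commitShortSha = params.COMMIT_SHA ?: git.log([count: 1, format: '%h'])
            dir("${env.WORKSPACE}/${params.GIT_PROJECT}") {
                git.checkout(commitShortSha)
            }
        }

        stage('Svace analyze') {
            // Values reach the shell through the environment and the script is
            // single-quoted, so Groovy never splices them into the command text
            // (the archive path is derived from a job parameter).
            withEnv([
                "SVACE_CMD=${svaceCmd}",
                "SVACE_BUILD_DIR=${env.JENKINS_SVACE_BUILD_DIR}",
                "SVACE_BUILD_RESULTS=${svaceBuildResults}",
                "SVACE_THREADS=${buildThreads}",
            ]) {
                sh '''
                    tar -xf "$SVACE_BUILD_RESULTS"
                    "$SVACE_CMD" config --svace-dir "./$SVACE_BUILD_DIR" THREAD_NUMBER "$SVACE_THREADS"
                    "$SVACE_CMD" analyze --log-level brief --svace-dir "./$SVACE_BUILD_DIR"
                '''
            }
        }

        stage('Upload results') {
            withVault([configuration: configuration, vaultSecrets: secrets]) {
                String branch = params.BRANCH
                String mainBranch = params.MAIN_BRANCH
                nexusSvaceSarifRepoPath = "${params.GIT_PROJECT}/${params.BRANCH}/${commitShortSha}"
                // A platform suffix keeps results of one branch apart per build target.
                if (params.BUILD_PLATFORM) {
                    branch += '_' + params.BUILD_PLATFORM
                    mainBranch += '_' + params.BUILD_PLATFORM
                    nexusSvaceSarifRepoPath += '/' + params.BUILD_PLATFORM
                }
                // Job parameters (project, branch, commit, platform) and the Vault
                // credentials are passed to the shell as environment variables and
                // expanded, quoted, by the shell itself. Interpolating them with
                // Groovy would let a crafted parameter run arbitrary shell commands
                // on the agent and would put the password into the command line
                // echoed by the sh step.
                withEnv([
                    "SVACE_CMD=${svaceCmd}",
                    "SVACER_CMD=${svacerCmd}",
                    "SVACE_BUILD_DIR=${env.JENKINS_SVACE_BUILD_DIR}",
                    "SVACE_SARIF_FILE=${env.JENKINS_SVACE_SARIF_FILE}",
                    "SVACER_PROJECT=${params.GIT_PROJECT}",
                    "SVACER_BRANCH=${branch}",
                    "SVACER_MAIN_BRANCH=${mainBranch}",
                    "SVACER_SNAPSHOT_SHA=${commitShortSha}",
                    "SVACER_SOURCE_TREE=${env.WORKSPACE}/${params.GIT_PROJECT}",
                    "SVACER_LDAP_SERVER=${ldapServer}",
                ]) {
                    sh '''
                        "$SVACE_CMD" svres2sarif \\
                            "$SVACE_BUILD_DIR/.svace-dir/analyze-res/svace_analysis.svres" \\
                            -o "$SVACE_SARIF_FILE"
                        cd "$SVACE_BUILD_DIR"
                        "$SVACER_CMD" import --svace "$SVACE_CMD" \\
                            --project "$SVACER_PROJECT" \\
                            --branch "$SVACER_BRANCH" \\
                            --snapshot "$SVACER_SNAPSHOT_SHA - $(date -R)" \\
                            --source-tree "$SVACER_SOURCE_TREE" \\
                            --if-no-branch "clone-$SVACER_MAIN_BRANCH"
                        "$SVACER_CMD" upload --ssl \\
                            --user "$VAULT_SVACER_LOGIN" \\
                            --password "$VAULT_SVACER_PASS" \\
                            --ldap_server "$SVACER_LDAP_SERVER"
                    '''
                }
                nexus.upload([
                    artifactPath: "${env.JENKINS_SVACE_SARIF_FILE}",
                    repository: env.JENKINS_SVACE_NEXUS_REPO,
                    path: nexusSvaceSarifRepoPath,
                ])
            }
        }
    } catch (err) {
        // Any stage failure marks the build FAILURE; the error is logged, not rethrown.
        echo 'ERROR: ' + err.getMessage()
        currentBuild.result = 'FAILURE'
    } finally {
        // Always remove the checkout and the unpacked build archive from the agent.
        cleanWs()
    }
}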