102 lines
4.2 KiB
Groovy
102 lines
4.2 KiB
Groovy
@Library('shared-lib') _
|
|
|
|
import tech.avroid.api.Nexus
|
|
import tech.avroid.scm.Git
|
|
|
|
String buildThreads = '16'
|
|
String svaceVersion = '3.4.240312'
|
|
String svacerVersion = '8-0-1'
|
|
String svaceCmd = "/data/opt/svace-${svaceVersion}-x64-linux/bin/svace"
|
|
String svacerCmd = "/data/opt/svacer-${svacerVersion}/bin/svacer"
|
|
String svaceBuildResult = ''
|
|
String commitShortSha = ''
|
|
String svaceResultsDir = 'svace_analysis'
|
|
String svaceSarifResultFile = "svace_analysis.sarif2"
|
|
String ldapServer = 'FreeIPA'
|
|
|
|
// Nexus variables
|
|
Nexus nexus = new Nexus(this, env.JENKINS_NEXUS_URL, env.JENKINS_NEXUS_CREDENTIALS)
|
|
String svaceNexusRepo = 'devsecops-raw-svace_results'
|
|
String nexusSvaceSarifRepoPath
|
|
|
|
properties([
|
|
buildDiscarder(logRotator(artifactNumToKeepStr: '50',
|
|
numToKeepStr: '50')),
|
|
parameters([
|
|
string(name: 'GIT_PROJECT', defaultValue: ''),
|
|
string(name: 'BRANCH', defaultValue: ''),
|
|
string(name: 'COMMIT_SHA', defaultValue: ''),
|
|
string(name: 'SVACE_BUILD_RESULTS_LINK', defaultValue: '')
|
|
])
|
|
])
|
|
|
|
node('svace') {
|
|
try {
|
|
stage('env') {
|
|
println "Using agent ${env.NODE_NAME} (${env.JENKINS_URL})"
|
|
println "param GIT_PROJECT ${params.GIT_PROJECT}"
|
|
println "param BRANCH ${params.BRANCH}"
|
|
println "param COMMIT_SHA ${params.COMMIT_SHA}"
|
|
println "param SVACE_BUILD_RESULTS_LINK ${params.SVACE_BUILD_RESULTS_LINK}"
|
|
println "WORKSPACE: ${env.WORKSPACE}"
|
|
sh 'printenv'
|
|
}
|
|
|
|
stage('Download') {
|
|
Git git = new Git(this, env.JENKINS_GIT_CREDENTIALS_SSH)
|
|
|
|
git.clone([
|
|
urlRepo: "${env.JENKINS_GIT_REPOSITORY_SSH_URL}/${params.GIT_PROJECT}",
|
|
branch: params.BRANCH,
|
|
path: "${env.WORKSPACE}/${params.GIT_PROJECT}",
|
|
])
|
|
svaceBuildResults = nexus.download(params.SVACE_BUILD_RESULTS_LINK)
|
|
commitShortSha = (params.COMMIT_SHA) ? params.COMMIT_SHA : git.log([count:1, format: "%h"])
|
|
dir("${env.WORKSPACE}/${params.GIT_PROJECT}") {
|
|
git.checkout(commitShortSha)
|
|
}
|
|
}
|
|
|
|
stage('Svace analyze') {
|
|
sh """
|
|
tar -xf ${svaceBuildResults}
|
|
${svaceCmd} config --svace-dir ./${svaceResultsDir} THREAD_NUMBER ${buildThreads}
|
|
${svaceCmd} analyze --log-level brief --svace-dir ./${svaceResultsDir}
|
|
"""
|
|
}
|
|
|
|
withCredentials([usernamePassword(
|
|
credentialsId: env.JENKINS_SVACER_CREDENTIALS,
|
|
usernameVariable: 'SVACER_USER',
|
|
passwordVariable: 'SVACER_PASS'
|
|
)]) {
|
|
stage('Upload results') {
|
|
nexusSvaceSarifRepoPath = "${params.GIT_PROJECT}/${params.BRANCH}/${commitShortSha}"
|
|
sh """
|
|
${svaceCmd} svres2sarif ${svaceResultsDir}/.svace-dir/analyze-res/svace_analysis.svres -o ${svaceSarifResultFile}
|
|
cd ${svaceResultsDir}
|
|
|
|
${svacerCmd} import --svace ${svaceCmd} \
|
|
--project ${params.GIT_PROJECT} \
|
|
--branch ${params.BRANCH} \
|
|
--snapshot "${commitShortSha} - `date -R`" \
|
|
--source-tree ${env.WORKSPACE}/${params.GIT_PROJECT}
|
|
|
|
${svacerCmd} upload --ssl \
|
|
--user ${SVACER_USER} \
|
|
--password ${SVACER_PASS} \
|
|
--ldap_server ${ldapServer}
|
|
"""
|
|
nexus.upload([artifactPath: "${svaceSarifResultFile}",
|
|
repository: svaceNexusRepo,
|
|
path: nexusSvaceSarifRepoPath])
|
|
}
|
|
}
|
|
} catch(err) {
|
|
echo 'ERROR: ' + err.getMessage()
|
|
currentBuild.result = 'FAILURE'
|
|
} finally {
|
|
cleanWs()
|
|
}
|
|
}
|