Avroid/jenkins-pipelines
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b00f43811b211e3c25f69c7211347d472953d35d
jenkins-pipelines/pipelines/DevSecOps/svace-analyze.groovy
aleksandr.vodyanov b00f43811b [DO-736] fix main branch (!30) 
Reviewed-on: https://git.avroid.tech/DevOps/jenkins-pipelines/pulls/30
Co-authored-by: aleksandr.vodyanov <aleksandr.vodyanov@avroid.tech>
Co-committed-by: aleksandr.vodyanov <aleksandr.vodyanov@avroid.tech>
2024-07-18 11:01:35 +03:00

120 lines
4.8 KiB
Groovy
Raw Blame History

@Library('shared-lib') _
import tech.avroid.api.Nexus
import tech.avroid.scm.Git
String buildThreads = '16'
String svaceVersion = '3.4.240312'
String svacerVersion = '8-0-1'
String svaceCmd = "/data/opt/svace-${svaceVersion}-x64-linux/bin/svace"
String svacerCmd = "/data/opt/svacer-${svacerVersion}/bin/svacer"
String svaceBuildResults = ''
String commitShortSha = ''
String svaceResultsDir = 'svace_analysis'
String svaceSarifResultFile = "svace_analysis.sarif2"
String ldapServer = 'FreeIPA'
// Nexus variables
Nexus nexus = new Nexus(this, env.JENKINS_NEXUS_URL, env.JENKINS_NEXUS_CREDENTIALS)
String svaceNexusRepo = 'devsecops-raw-svace_results'
String nexusSvaceSarifRepoPath
properties([
buildDiscarder(logRotator(artifactNumToKeepStr: '50',
numToKeepStr: '50')),
parameters([
string(name: 'GIT_PROJECT', defaultValue: ''),
string(name: 'BRANCH', defaultValue: ''),
string(name: 'COMMIT_SHA', defaultValue: ''),
string(name: 'MAIN_BRANCH', defaultValue: 'master'),
string(name: 'SVACE_BUILD_RESULTS_LINK', defaultValue: ''),
string(name: 'BUILD_PLATFORM',
defaultValue: '',
description: 'name, version and arch of build. Example: aurora5_armv7hl')
])
])
node('svace') {
try {
stage('env') {
println "Using agent ${env.NODE_NAME} (${env.JENKINS_URL})"
println "param GIT_PROJECT ${params.GIT_PROJECT}"
println "param BRANCH ${params.BRANCH}"
println "param COMMIT_SHA ${params.COMMIT_SHA}"
println "param SVACE_BUILD_RESULTS_LINK ${params.SVACE_BUILD_RESULTS_LINK}"
println "param MAIN_BRANCH ${params.MAIN_BRANCH}"
println "param BUILD_PLATFORM ${params.BUILD_PLATFORM}"
println "WORKSPACE: ${env.WORKSPACE}"
sh 'printenv'
}
stage('Download') {
Git git = new Git(this, env.JENKINS_GIT_CREDENTIALS_SSH)
git.clone([
urlRepo: "${env.JENKINS_GIT_REPOSITORY_SSH_URL}/${params.GIT_PROJECT}",
branch: params.BRANCH,
path: "${env.WORKSPACE}/${params.GIT_PROJECT}",
])
svaceBuildResults = nexus.download(params.SVACE_BUILD_RESULTS_LINK)
commitShortSha = (params.COMMIT_SHA) ? params.COMMIT_SHA : git.log([count:1, format: "%h"])
dir("${env.WORKSPACE}/${params.GIT_PROJECT}") {
git.checkout(commitShortSha)
}
}
stage('Svace analyze') {
sh """
tar -xf ${svaceBuildResults}
${svaceCmd} config --svace-dir ./${svaceResultsDir} THREAD_NUMBER ${buildThreads}
${svaceCmd} analyze --log-level brief --svace-dir ./${svaceResultsDir}
"""
}
withCredentials([usernamePassword(
credentialsId: env.JENKINS_SVACER_CREDENTIALS,
usernameVariable: 'SVACER_USER',
passwordVariable: 'SVACER_PASS'
)]) {
stage('Upload results') {
String branch = params.BRANCH
String mainBranch = params.MAIN_BRANCH
if (params.BUILD_PLATFORM) {
branch += params.BRANCH
mainBranch += params.MAIN_BRANCH
}
nexusSvaceSarifRepoPath = "${params.GIT_PROJECT}/${params.BRANCH}/${commitShortSha}"
sh """
${svaceCmd} svres2sarif \
${svaceResultsDir}/.svace-dir/analyze-res/svace_analysis.svres \
-o ${svaceSarifResultFile}
cd ${svaceResultsDir}
${svacerCmd} import --svace ${svaceCmd} \
--project ${params.GIT_PROJECT} \
--branch ${branch} \
--snapshot "${commitShortSha} - `date -R`" \
--source-tree ${env.WORKSPACE}/${params.GIT_PROJECT} \
--if-no-branch clone-${mainBranch}
${svacerCmd} upload --ssl \
--user ${SVACER_USER} \
--password ${SVACER_PASS} \
--ldap_server ${ldapServer}
"""
nexus.upload([artifactPath: "${svaceSarifResultFile}",
repository: svaceNexusRepo,
path: nexusSvaceSarifRepoPath])
}
}
} catch(err) {
echo 'ERROR: ' + err.getMessage()
currentBuild.result = 'FAILURE'
} finally {
cleanWs()
}
}
Reference in New Issue View Git Blame Copy Permalink