jenkins-pipelines/pipelines/DevSecOps/svace-analyze.groovy
Aleksandr Vodyanov f67eb2090b [DO-1528] update svacer and svace (!69)
Co-authored-by: aleksandr.vodyanov <aleksandr.vodyanov@avroid.tech>
Reviewed-on: https://git.avroid.tech/DevOps/jenkins-pipelines/pulls/69
Reviewed-by: Andrey Danin <andrey.danin@avroid.team>
2025-01-29 16:20:03 +03:00


@Library('shared-lib') _
import tech.avroid.api.Nexus
import tech.avroid.scm.Git
// Thread count handed to `svace config ... THREAD_NUMBER` in the analyze stage.
String buildThreads = '28'
// Local path of the svace build-results archive fetched from Nexus (assigned in 'Download').
String svaceBuildResults = ''
// Short SHA of the analysed commit: COMMIT_SHA when the parameter is set, otherwise the
// short hash of the cloned branch head (shared-library Git.log, count 1, format %h).
String commitShortSha = ''
// LDAP server name passed to `svacer upload --ldap_server`.
String ldapServer = 'FreeIPA'
// Destination path inside the Nexus SARIF repository, built in the upload stage as
// GIT_PROJECT/BRANCH/<sha>[/BUILD_PLATFORM].
String nexusSvaceSarifRepoPath = ''
// Nexus variables
// Shared-library Nexus client. JENKINS_NEXUS_CREDENTIALS is presumably a Jenkins credentials
// ID rather than a literal secret -- confirm in tech.avroid.api.Nexus.
Nexus nexus = new Nexus(this, env.JENKINS_NEXUS_URL, env.JENKINS_NEXUS_CREDENTIALS)
// withVault() configuration: Vault address, the Jenkins credential ID used to authenticate
// to Vault (vaultCredentialId), and the KV engine version of the secret paths below.
Map configuration = [
vaultUrl: env.JENKINS_VAULT_URL,
vaultCredentialId: env.JENKINS_VAULT_TOKEN,
engineVersion: 2
]
// Secrets injected by withVault() in the upload stage: the svacer service-account
// login/password are exposed as the VAULT_SVACER_LOGIN / VAULT_SVACER_PASS environment
// variables for the duration of that block only.
List secrets = [
[path: "team-devops/accounts/ldap/service_accounts/svc_svacer", engineVersion: 2, secretValues:
[
[envVar: 'VAULT_SVACER_LOGIN', vaultKey: 'login'],
[envVar: 'VAULT_SVACER_PASS', vaultKey: 'password'],
]
]
]
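// Job configuration: keep the last 50 builds/artifacts and declare the build parameters.
// Every parameter is trimmed, because each value is spliced into filesystem paths, the
// Nexus repository path and svacer branch names, where stray whitespace breaks things.
properties([
    buildDiscarder(logRotator(artifactNumToKeepStr: '50',
                              numToKeepStr: '50')),
    parameters([
        string(name: 'GIT_PROJECT', defaultValue: '', trim: true,
               description: 'Repository path under the Git server, e.g. Eisen/OS. Also used as the ' +
                            'checkout sub-directory of the workspace and as the first element of the ' +
                            'Nexus SARIF upload path.'),
        string(name: 'BRANCH', defaultValue: '', trim: true,
               description: 'Branch to clone. Also the svacer branch name (suffixed with ' +
                            '_<BUILD_PLATFORM> when BUILD_PLATFORM is set).'),
        string(name: 'COMMIT_SHA', defaultValue: '', trim: true,
               description: 'Commit to analyse. Leave empty to analyse the head of BRANCH after clone.'),
        string(name: 'MAIN_BRANCH', defaultValue: 'master', trim: true,
               description: 'Passed to svacer as --if-no-branch clone-<MAIN_BRANCH> (suffixed with ' +
                            '_<BUILD_PLATFORM> when set) for branches svacer has not seen yet.'),
        string(name: 'SVACE_BUILD_RESULTS_LINK', defaultValue: '', trim: true,
               description: 'Nexus link to the archive of svace build results that this job analyses.'),
        string(name: 'BUILD_PLATFORM',
               defaultValue: '',
               trim: true,
               description: 'name, version and arch of build. Example: aurora5_armv7hl')
    ])
])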
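node('svace') {
    // Parameter values are spliced into filesystem paths (clone target, --source-tree) and
    // into the Nexus repository path, so reject anything that could escape those
    // directories. Git forbids '..' and whitespace in ref names, so no legitimate branch
    // is rejected; project names are of the form Group/Repo, so '/' stays allowed.
    def requireSafe = { String name, String value, boolean required ->
        if (value == null || value.isEmpty()) {
            if (required) {
                error("Parameter ${name} must not be empty")
            }
            return
        }
        if (value.contains('..') || value.startsWith('/') || value.contains('\\') ||
                value.contains(' ') || value != value.trim()) {
            error("Parameter ${name} contains a character that is not allowed: '${value}'")
        }
    }
    try {
        stage('env') {
            println "Using agent ${env.NODE_NAME} (${env.JENKINS_URL})"
            println "param GIT_PROJECT ${params.GIT_PROJECT}"
            println "param BRANCH ${params.BRANCH}"
            println "param COMMIT_SHA ${params.COMMIT_SHA}"
            println "param SVACE_BUILD_RESULTS_LINK ${params.SVACE_BUILD_RESULTS_LINK}"
            println "param MAIN_BRANCH ${params.MAIN_BRANCH}"
            println "param BUILD_PLATFORM ${params.BUILD_PLATFORM}"
            println "WORKSPACE: ${env.WORKSPACE}"
            // Deliberately no `printenv`: it would copy every variable present on the agent
            // (including anything injected from node or job configuration) into the persisted
            // build log. Everything this job depends on is printed explicitly above.
            requireSafe('GIT_PROJECT', params.GIT_PROJECT, true)
            requireSafe('BRANCH', params.BRANCH, true)
            requireSafe('MAIN_BRANCH', params.MAIN_BRANCH, true)
            requireSafe('COMMIT_SHA', params.COMMIT_SHA, false)
            requireSafe('BUILD_PLATFORM', params.BUILD_PLATFORM, false)
            if (!params.SVACE_BUILD_RESULTS_LINK) {
                error('Parameter SVACE_BUILD_RESULTS_LINK must not be empty')
            }
        }
        stage('Download') {
            Git git = new Git(this, env.JENKINS_GIT_CREDENTIALS_SSH)
            // Eisen/OS is cloned without its submodules; every other project gets them.
            Boolean isDisableSubmodules = (params.GIT_PROJECT == 'Eisen/OS')
            git.clone([
                urlRepo: "${env.JENKINS_GIT_REPOSITORY_SSH_URL}/${params.GIT_PROJECT}",
                branch: params.BRANCH,
                path: "${env.WORKSPACE}/${params.GIT_PROJECT}",
                disableSubmodules: isDisableSubmodules,
                shallow: false
            ])
            // Archive of svace build results produced upstream; extracted in the next stage.
            svaceBuildResults = nexus.download(params.SVACE_BUILD_RESULTS_LINK)
            // Analyse the requested commit, or the branch head when none was given.
            commitShortSha = params.COMMIT_SHA ? params.COMMIT_SHA : git.log([count: 1, format: '%h'])
            dir("${env.WORKSPACE}/${params.GIT_PROJECT}") {
                git.checkout(commitShortSha)
            }
        }
        stage('Svace analyze') {
            // Values reach the shell through the environment and are quoted there, so a
            // crafted archive path cannot be interpreted as shell syntax. The script is
            // single-quoted on purpose: nothing in it is interpolated by Groovy.
            // NOTE(review): the archive is trusted as far as Nexus is; whether `tar -xf`
            // refuses members with '..' or absolute paths depends on the agent's tar --
            // TODO confirm, or add --no-absolute-names / an explicit member check.
            withEnv(["SVACE_RESULTS_ARCHIVE=${svaceBuildResults}", "SVACE_THREADS=${buildThreads}"]) {
                sh '''
                    tar -xf "$SVACE_RESULTS_ARCHIVE"
                    svace config --svace-dir "./$JENKINS_SVACE_BUILD_DIR" THREAD_NUMBER "$SVACE_THREADS"
                    svace analyze --log-level brief --svace-dir "./$JENKINS_SVACE_BUILD_DIR"
                '''
            }
        }
        stage('Upload results') {
            String branch = params.BRANCH
            String mainBranch = params.MAIN_BRANCH
            nexusSvaceSarifRepoPath = "${params.GIT_PROJECT}/${params.BRANCH}/${commitShortSha}"
            if (params.BUILD_PLATFORM) {
                // Per-platform results are kept apart both in svacer and in Nexus.
                branch += '_' + params.BUILD_PLATFORM
                mainBranch += '_' + params.BUILD_PLATFORM
                nexusSvaceSarifRepoPath += '/' + params.BUILD_PLATFORM
            }
            // SARIF conversion needs no credentials, so it runs before the Vault secrets
            // are brought into scope. Paths are relative to the workspace, as before.
            sh '''
                svace svres2sarif \
                    "$JENKINS_SVACE_BUILD_DIR/.svace-dir/analyze-res/svace_analysis.svres" \
                    -o "$JENKINS_SVACE_SARIF_FILE"
            '''
            withVault([configuration: configuration, vaultSecrets: secrets]) {
                withEnv([
                    "SVACE_PROJECT=${params.GIT_PROJECT}",
                    "SVACE_BRANCH=${branch}",
                    "SVACE_MAIN_BRANCH=${mainBranch}",
                    "SVACE_COMMIT=${commitShortSha}",
                    "SVACER_LDAP_SERVER=${ldapServer}"
                ]) {
                    // Single-quoted on purpose: VAULT_SVACER_LOGIN / VAULT_SVACER_PASS are
                    // expanded by the shell, never by Groovy, so the credentials are not
                    // embedded in the command text handed to `sh`, and the parameter-derived
                    // values above cannot inject shell syntax.
                    // NOTE(review): --password still places the secret in argv, which other
                    // local users on the agent can read via ps; prefer a password file or
                    // environment variable if svacer offers one -- TODO confirm in svacer docs.
                    sh '''
                        cd "$JENKINS_SVACE_BUILD_DIR"
                        svacer import --svace svace \
                            --project "$SVACE_PROJECT" \
                            --branch "$SVACE_BRANCH" \
                            --snapshot "$SVACE_COMMIT - $(date -R)" \
                            --source-tree "$WORKSPACE/$SVACE_PROJECT" \
                            --if-no-branch "clone-$SVACE_MAIN_BRANCH"
                        svacer upload --ssl \
                            --user "$VAULT_SVACER_LOGIN" \
                            --password "$VAULT_SVACER_PASS" \
                            --ldap_server "$SVACER_LDAP_SERVER"
                    '''
                }
            }
            // The Nexus upload uses the nexus client's own credentials, not the Vault ones,
            // so it runs after withVault has released them.
            nexus.upload([artifactPath: "${env.JENKINS_SVACE_SARIF_FILE}",
                          repository: env.JENKINS_SVACE_NEXUS_REPO,
                          path: nexusSvaceSarifRepoPath])
        }
    } catch (err) {
        // Record the failure without propagating, so cleanWs() still runs and the build
        // finishes as FAILURE rather than aborting the node block. `${err}` includes the
        // exception type, which getMessage() alone loses when the message is null.
        echo "ERROR: ${err}"
        currentBuild.result = 'FAILURE'
    } finally {
        cleanWs()
    }
}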