1
0
mirror of https://github.com/SAP/jenkins-library.git synced 2024-12-14 11:03:09 +02:00
sap-jenkins-library/cmd/whitesourceExecuteScan.go

851 lines
34 KiB
Go
Raw Normal View History

Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
package cmd
import (
"encoding/json"
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
"fmt"
"os"
"path/filepath"
"strconv"
"strings"
"time"
feat(whitesourceExecuteScan): UA for all build tools, e.g. maven & npm (#2501) * feat(whitesource): add config helper this helps to ease & enforce config settings * fix accidential change of class * add todos wrt java download * use existing scanOptions, add option to download jre * update generation * fix generation * allow running UA via go library * correct image, improve logging * add removal of downloaded JVM * update java creation and deletion * refactor and add log output * remove obsolete ToDo * increase test coverage * increase test coverage * adding aliases and tests * make go modules as default * maven: update behavior of projectNaming * add Docker capabilities * correct parameter name * retrieve Docker coordinates * docker coordinates only to provide artifact * add ToDos * add mta capability * add aliases, mvn arguments for settings * clean up groovy part * update defaults * add container for pip * add defaults, add maven specifics, ... * properly download settings * maven: check existence of excluded files * fix reporting * Update CommonStepsTest.groovy * update comment * fix CodeClimate finding * add tests for pip & fix minor issues * fix order of pip build descriptors * update pip container options * fix pip virtualEnv parameter * update report permissions * fix test * update container options * add use fileUtils to load properties file * update parameter description * adding Docker scanning defaults * clean up configHelper * consider also npm tool cache * add todos
2021-02-03 15:52:48 +02:00
piperDocker "github.com/SAP/jenkins-library/pkg/docker"
piperGithub "github.com/SAP/jenkins-library/pkg/github"
feat(whitesourceExecuteScan): UA for all build tools, e.g. maven & npm (#2501) * feat(whitesource): add config helper this helps to ease & enforce config settings * fix accidential change of class * add todos wrt java download * use existing scanOptions, add option to download jre * update generation * fix generation * allow running UA via go library * correct image, improve logging * add removal of downloaded JVM * update java creation and deletion * refactor and add log output * remove obsolete ToDo * increase test coverage * increase test coverage * adding aliases and tests * make go modules as default * maven: update behavior of projectNaming * add Docker capabilities * correct parameter name * retrieve Docker coordinates * docker coordinates only to provide artifact * add ToDos * add mta capability * add aliases, mvn arguments for settings * clean up groovy part * update defaults * add container for pip * add defaults, add maven specifics, ... * properly download settings * maven: check existence of excluded files * fix reporting * Update CommonStepsTest.groovy * update comment * fix CodeClimate finding * add tests for pip & fix minor issues * fix order of pip build descriptors * update pip container options * fix pip virtualEnv parameter * update report permissions * fix test * update container options * add use fileUtils to load properties file * update parameter description * adding Docker scanning defaults * clean up configHelper * consider also npm tool cache * add todos
2021-02-03 15:52:48 +02:00
piperhttp "github.com/SAP/jenkins-library/pkg/http"
ws "github.com/SAP/jenkins-library/pkg/whitesource"
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
"github.com/SAP/jenkins-library/pkg/command"
"github.com/SAP/jenkins-library/pkg/log"
feat(whitesourceExecuteScan): UA for all build tools, e.g. maven & npm (#2501) * feat(whitesource): add config helper this helps to ease & enforce config settings * fix accidential change of class * add todos wrt java download * use existing scanOptions, add option to download jre * update generation * fix generation * allow running UA via go library * correct image, improve logging * add removal of downloaded JVM * update java creation and deletion * refactor and add log output * remove obsolete ToDo * increase test coverage * increase test coverage * adding aliases and tests * make go modules as default * maven: update behavior of projectNaming * add Docker capabilities * correct parameter name * retrieve Docker coordinates * docker coordinates only to provide artifact * add ToDos * add mta capability * add aliases, mvn arguments for settings * clean up groovy part * update defaults * add container for pip * add defaults, add maven specifics, ... * properly download settings * maven: check existence of excluded files * fix reporting * Update CommonStepsTest.groovy * update comment * fix CodeClimate finding * add tests for pip & fix minor issues * fix order of pip build descriptors * update pip container options * fix pip virtualEnv parameter * update report permissions * fix test * update container options * add use fileUtils to load properties file * update parameter description * adding Docker scanning defaults * clean up configHelper * consider also npm tool cache * add todos
2021-02-03 15:52:48 +02:00
"github.com/SAP/jenkins-library/pkg/npm"
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
"github.com/SAP/jenkins-library/pkg/piperutils"
"github.com/SAP/jenkins-library/pkg/reporting"
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
"github.com/SAP/jenkins-library/pkg/telemetry"
"github.com/SAP/jenkins-library/pkg/toolrecord"
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
"github.com/SAP/jenkins-library/pkg/versioning"
feat(whitesourceExecuteScan): UA for all build tools, e.g. maven & npm (#2501) * feat(whitesource): add config helper this helps to ease & enforce config settings * fix accidential change of class * add todos wrt java download * use existing scanOptions, add option to download jre * update generation * fix generation * allow running UA via go library * correct image, improve logging * add removal of downloaded JVM * update java creation and deletion * refactor and add log output * remove obsolete ToDo * increase test coverage * increase test coverage * adding aliases and tests * make go modules as default * maven: update behavior of projectNaming * add Docker capabilities * correct parameter name * retrieve Docker coordinates * docker coordinates only to provide artifact * add ToDos * add mta capability * add aliases, mvn arguments for settings * clean up groovy part * update defaults * add container for pip * add defaults, add maven specifics, ... * properly download settings * maven: check existence of excluded files * fix reporting * Update CommonStepsTest.groovy * update comment * fix CodeClimate finding * add tests for pip & fix minor issues * fix order of pip build descriptors * update pip container options * fix pip virtualEnv parameter * update report permissions * fix test * update container options * add use fileUtils to load properties file * update parameter description * adding Docker scanning defaults * clean up configHelper * consider also npm tool cache * add todos
2021-02-03 15:52:48 +02:00
"github.com/pkg/errors"
"github.com/xuri/excelize/v2"
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
)
// ScanOptions is just used to make the lines less long
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
type ScanOptions = whitesourceExecuteScanOptions
// WhiteSource defines the functions that are expected by the step implementation to
// be available from the WhiteSource system.
type whitesource interface {
GetProductByName(productName string) (ws.Product, error)
CreateProduct(productName string) (string, error)
SetProductAssignments(productToken string, membership, admins, alertReceivers *ws.Assignment) error
GetProjectsMetaInfo(productToken string) ([]ws.Project, error)
GetProjectToken(productToken, projectName string) (string, error)
GetProjectByToken(projectToken string) (ws.Project, error)
GetProjectRiskReport(projectToken string) ([]byte, error)
GetProjectVulnerabilityReport(projectToken string, format string) ([]byte, error)
GetProjectAlerts(projectToken string) ([]ws.Alert, error)
GetProjectAlertsByType(projectToken, alertType string) ([]ws.Alert, error)
GetProjectLibraryLocations(projectToken string) ([]ws.Library, error)
}
type whitesourceUtils interface {
ws.Utils
piperutils.FileUtils
GetArtifactCoordinates(buildTool, buildDescriptorFile string,
options *versioning.Options) (versioning.Coordinates, error)
CreateIssue(ghCreateIssueOptions *piperGithub.CreateIssueOptions) error
Now() time.Time
}
type whitesourceUtilsBundle struct {
*piperhttp.Client
*command.Command
*piperutils.Files
npmExecutor npm.Executor
}
// CreateIssue supplies capability for GitHub issue creation
func (w *whitesourceUtilsBundle) CreateIssue(ghCreateIssueOptions *piperGithub.CreateIssueOptions) error {
return piperGithub.CreateIssue(ghCreateIssueOptions)
}
func (w *whitesourceUtilsBundle) FileOpen(name string, flag int, perm os.FileMode) (ws.File, error) {
return os.OpenFile(name, flag, perm)
}
func (w *whitesourceUtilsBundle) GetArtifactCoordinates(buildTool, buildDescriptorFile string, options *versioning.Options) (versioning.Coordinates, error) {
artifact, err := versioning.GetArtifact(buildTool, buildDescriptorFile, options, w)
if err != nil {
return versioning.Coordinates{}, err
}
return artifact.GetCoordinates()
}
func (w *whitesourceUtilsBundle) getNpmExecutor(config *ws.ScanOptions) npm.Executor {
if w.npmExecutor == nil {
w.npmExecutor = npm.NewExecutor(npm.ExecutorOptions{DefaultNpmRegistry: config.DefaultNpmRegistry})
}
return w.npmExecutor
}
func (w *whitesourceUtilsBundle) FindPackageJSONFiles(config *ws.ScanOptions) ([]string, error) {
return w.getNpmExecutor(config).FindPackageJSONFilesWithExcludes(config.BuildDescriptorExcludeList)
}
func (w *whitesourceUtilsBundle) InstallAllNPMDependencies(config *ws.ScanOptions, packageJSONFiles []string) error {
return w.getNpmExecutor(config).InstallAllDependencies(packageJSONFiles)
}
func (w *whitesourceUtilsBundle) SetOptions(o piperhttp.ClientOptions) {
w.Client.SetOptions(o)
}
func (w *whitesourceUtilsBundle) Now() time.Time {
return time.Now()
}
func newWhitesourceUtils(config *ScanOptions) *whitesourceUtilsBundle {
utils := whitesourceUtilsBundle{
Client: &piperhttp.Client{},
Command: &command.Command{},
Files: &piperutils.Files{},
}
// Reroute cmd output to logging framework
utils.Stdout(log.Writer())
utils.Stderr(log.Writer())
// Configure HTTP Client
utils.SetOptions(piperhttp.ClientOptions{TransportTimeout: time.Duration(config.Timeout) * time.Second})
return &utils
}
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
func newWhitesourceScan(config *ScanOptions) *ws.Scan {
return &ws.Scan{
AggregateProjectName: config.ProjectName,
ProductVersion: config.Version,
}
}
func whitesourceExecuteScan(config ScanOptions, _ *telemetry.CustomData, commonPipelineEnvironment *whitesourceExecuteScanCommonPipelineEnvironment, influx *whitesourceExecuteScanInflux) {
utils := newWhitesourceUtils(&config)
scan := newWhitesourceScan(&config)
sys := ws.NewSystem(config.ServiceURL, config.OrgToken, config.UserToken, time.Duration(config.Timeout)*time.Second)
influx.step_data.fields.whitesource = false
err := runWhitesourceExecuteScan(&config, scan, utils, sys, commonPipelineEnvironment, influx)
if err != nil {
log.Entry().WithError(err).Fatal("step execution failed")
}
influx.step_data.fields.whitesource = true
}
func runWhitesourceExecuteScan(config *ScanOptions, scan *ws.Scan, utils whitesourceUtils, sys whitesource, commonPipelineEnvironment *whitesourceExecuteScanCommonPipelineEnvironment, influx *whitesourceExecuteScanInflux) error {
if err := resolveAggregateProjectName(config, scan, sys); err != nil {
return errors.Wrapf(err, "failed to resolve and aggregate project name")
}
if err := resolveProjectIdentifiers(config, scan, utils, sys); err != nil {
2021-05-10 17:44:28 +02:00
if strings.Contains(fmt.Sprint(err), "User is not allowed to perform this action") {
log.SetErrorCategory(log.ErrorConfiguration)
}
return errors.Wrapf(err, "failed to resolve project identifiers")
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
}
if config.AggregateVersionWideReport {
// Generate a vulnerability report for all projects with version = config.ProjectVersion
// Note that this is not guaranteed that all projects are from the same scan.
// For example, if a module was removed from the source code, the project may still
// exist in the WhiteSource system.
if err := aggregateVersionWideLibraries(config, utils, sys); err != nil {
return errors.Wrapf(err, "failed to aggregate version wide libraries")
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
}
if err := aggregateVersionWideVulnerabilities(config, utils, sys); err != nil {
return errors.Wrapf(err, "failed to aggregate version wide vulnerabilities")
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
}
} else {
if err := runWhitesourceScan(config, scan, utils, sys, commonPipelineEnvironment, influx); err != nil {
return errors.Wrapf(err, "failed to execute WhiteSource scan")
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
}
}
return nil
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
}
func runWhitesourceScan(config *ScanOptions, scan *ws.Scan, utils whitesourceUtils, sys whitesource, commonPipelineEnvironment *whitesourceExecuteScanCommonPipelineEnvironment, influx *whitesourceExecuteScanInflux) error {
feat(whitesourceExecuteScan): UA for all build tools, e.g. maven & npm (#2501) * feat(whitesource): add config helper this helps to ease & enforce config settings * fix accidential change of class * add todos wrt java download * use existing scanOptions, add option to download jre * update generation * fix generation * allow running UA via go library * correct image, improve logging * add removal of downloaded JVM * update java creation and deletion * refactor and add log output * remove obsolete ToDo * increase test coverage * increase test coverage * adding aliases and tests * make go modules as default * maven: update behavior of projectNaming * add Docker capabilities * correct parameter name * retrieve Docker coordinates * docker coordinates only to provide artifact * add ToDos * add mta capability * add aliases, mvn arguments for settings * clean up groovy part * update defaults * add container for pip * add defaults, add maven specifics, ... * properly download settings * maven: check existence of excluded files * fix reporting * Update CommonStepsTest.groovy * update comment * fix CodeClimate finding * add tests for pip & fix minor issues * fix order of pip build descriptors * update pip container options * fix pip virtualEnv parameter * update report permissions * fix test * update container options * add use fileUtils to load properties file * update parameter description * adding Docker scanning defaults * clean up configHelper * consider also npm tool cache * add todos
2021-02-03 15:52:48 +02:00
// Download Docker image for container scan
// ToDo: move it to improve testability
if config.BuildTool == "docker" {
saveImageOptions := containerSaveImageOptions{
ContainerImage: config.ScanImage,
ContainerRegistryURL: config.ScanImageRegistryURL,
ContainerRegistryUser: config.ContainerRegistryUser,
ContainerRegistryPassword: config.ContainerRegistryPassword,
DockerConfigJSON: config.DockerConfigJSON,
FilePath: config.ProjectName,
feat(whitesourceExecuteScan): UA for all build tools, e.g. maven & npm (#2501) * feat(whitesource): add config helper this helps to ease & enforce config settings * fix accidential change of class * add todos wrt java download * use existing scanOptions, add option to download jre * update generation * fix generation * allow running UA via go library * correct image, improve logging * add removal of downloaded JVM * update java creation and deletion * refactor and add log output * remove obsolete ToDo * increase test coverage * increase test coverage * adding aliases and tests * make go modules as default * maven: update behavior of projectNaming * add Docker capabilities * correct parameter name * retrieve Docker coordinates * docker coordinates only to provide artifact * add ToDos * add mta capability * add aliases, mvn arguments for settings * clean up groovy part * update defaults * add container for pip * add defaults, add maven specifics, ... * properly download settings * maven: check existence of excluded files * fix reporting * Update CommonStepsTest.groovy * update comment * fix CodeClimate finding * add tests for pip & fix minor issues * fix order of pip build descriptors * update pip container options * fix pip virtualEnv parameter * update report permissions * fix test * update container options * add use fileUtils to load properties file * update parameter description * adding Docker scanning defaults * clean up configHelper * consider also npm tool cache * add todos
2021-02-03 15:52:48 +02:00
}
dClientOptions := piperDocker.ClientOptions{ImageName: saveImageOptions.ContainerImage, RegistryURL: saveImageOptions.ContainerRegistryURL, LocalPath: ""}
feat(whitesourceExecuteScan): UA for all build tools, e.g. maven & npm (#2501) * feat(whitesource): add config helper this helps to ease & enforce config settings * fix accidential change of class * add todos wrt java download * use existing scanOptions, add option to download jre * update generation * fix generation * allow running UA via go library * correct image, improve logging * add removal of downloaded JVM * update java creation and deletion * refactor and add log output * remove obsolete ToDo * increase test coverage * increase test coverage * adding aliases and tests * make go modules as default * maven: update behavior of projectNaming * add Docker capabilities * correct parameter name * retrieve Docker coordinates * docker coordinates only to provide artifact * add ToDos * add mta capability * add aliases, mvn arguments for settings * clean up groovy part * update defaults * add container for pip * add defaults, add maven specifics, ... * properly download settings * maven: check existence of excluded files * fix reporting * Update CommonStepsTest.groovy * update comment * fix CodeClimate finding * add tests for pip & fix minor issues * fix order of pip build descriptors * update pip container options * fix pip virtualEnv parameter * update report permissions * fix test * update container options * add use fileUtils to load properties file * update parameter description * adding Docker scanning defaults * clean up configHelper * consider also npm tool cache * add todos
2021-02-03 15:52:48 +02:00
dClient := &piperDocker.Client{}
dClient.SetOptions(dClientOptions)
if _, err := runContainerSaveImage(&saveImageOptions, &telemetry.CustomData{}, "./cache", "", dClient, utils); err != nil {
2021-05-10 17:44:28 +02:00
if strings.Contains(fmt.Sprint(err), "no image found") {
log.SetErrorCategory(log.ErrorConfiguration)
}
return errors.Wrapf(err, "failed to download Docker image %v", config.ScanImage)
feat(whitesourceExecuteScan): UA for all build tools, e.g. maven & npm (#2501) * feat(whitesource): add config helper this helps to ease & enforce config settings * fix accidential change of class * add todos wrt java download * use existing scanOptions, add option to download jre * update generation * fix generation * allow running UA via go library * correct image, improve logging * add removal of downloaded JVM * update java creation and deletion * refactor and add log output * remove obsolete ToDo * increase test coverage * increase test coverage * adding aliases and tests * make go modules as default * maven: update behavior of projectNaming * add Docker capabilities * correct parameter name * retrieve Docker coordinates * docker coordinates only to provide artifact * add ToDos * add mta capability * add aliases, mvn arguments for settings * clean up groovy part * update defaults * add container for pip * add defaults, add maven specifics, ... * properly download settings * maven: check existence of excluded files * fix reporting * Update CommonStepsTest.groovy * update comment * fix CodeClimate finding * add tests for pip & fix minor issues * fix order of pip build descriptors * update pip container options * fix pip virtualEnv parameter * update report permissions * fix test * update container options * add use fileUtils to load properties file * update parameter description * adding Docker scanning defaults * clean up configHelper * consider also npm tool cache * add todos
2021-02-03 15:52:48 +02:00
}
}
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
// Start the scan
if err := executeScan(config, scan, utils); err != nil {
return errors.Wrapf(err, "failed to execute Scan")
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
}
feat(whitesourceExecuteScan): UA for all build tools, e.g. maven & npm (#2501) * feat(whitesource): add config helper this helps to ease & enforce config settings * fix accidential change of class * add todos wrt java download * use existing scanOptions, add option to download jre * update generation * fix generation * allow running UA via go library * correct image, improve logging * add removal of downloaded JVM * update java creation and deletion * refactor and add log output * remove obsolete ToDo * increase test coverage * increase test coverage * adding aliases and tests * make go modules as default * maven: update behavior of projectNaming * add Docker capabilities * correct parameter name * retrieve Docker coordinates * docker coordinates only to provide artifact * add ToDos * add mta capability * add aliases, mvn arguments for settings * clean up groovy part * update defaults * add container for pip * add defaults, add maven specifics, ... * properly download settings * maven: check existence of excluded files * fix reporting * Update CommonStepsTest.groovy * update comment * fix CodeClimate finding * add tests for pip & fix minor issues * fix order of pip build descriptors * update pip container options * fix pip virtualEnv parameter * update report permissions * fix test * update container options * add use fileUtils to load properties file * update parameter description * adding Docker scanning defaults * clean up configHelper * consider also npm tool cache * add todos
2021-02-03 15:52:48 +02:00
// ToDo: Check this:
// Why is this required at all, resolveProjectIdentifiers() is already called before the scan in runWhitesourceExecuteScan()
// Could perhaps use scan.updateProjects(sys) directly... have not investigated what could break
if err := resolveProjectIdentifiers(config, scan, utils, sys); err != nil {
return errors.Wrapf(err, "failed to resolve project identifiers")
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
}
log.Entry().Info("-----------------------------------------------------")
log.Entry().Infof("Product Version: '%s'", config.Version)
log.Entry().Info("Scanned projects:")
for _, project := range scan.ScannedProjects() {
log.Entry().Infof(" Name: '%s', token: %s", project.Name, project.Token)
}
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
log.Entry().Info("-----------------------------------------------------")
paths, err := checkAndReportScanResults(config, scan, utils, sys, influx)
piperutils.PersistReportsAndLinks("whitesourceExecuteScan", "", paths, nil)
persistScannedProjects(config, scan, commonPipelineEnvironment)
if err != nil {
return errors.Wrapf(err, "failed to check and report scan results")
}
return nil
}
func checkAndReportScanResults(config *ScanOptions, scan *ws.Scan, utils whitesourceUtils, sys whitesource, influx *whitesourceExecuteScanInflux) ([]piperutils.Path, error) {
reportPaths := []piperutils.Path{}
if !config.Reporting && !config.SecurityVulnerabilities {
return reportPaths, nil
}
// Wait for WhiteSource backend to propagate the changes before downloading any reports.
if err := scan.BlockUntilReportsAreReady(sys); err != nil {
return reportPaths, err
}
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
if config.Reporting {
var err error
reportPaths, err = scan.DownloadReports(ws.ReportOptions{
ReportDirectory: ws.ReportsDirectory,
VulnerabilityReportFormat: config.VulnerabilityReportFormat,
}, utils, sys)
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
if err != nil {
return reportPaths, err
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
}
}
checkErrors := []string{}
rPath, err := checkPolicyViolations(config, scan, sys, utils, reportPaths, influx)
if err != nil {
checkErrors = append(checkErrors, fmt.Sprint(err))
}
reportPaths = append(reportPaths, rPath)
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
if config.SecurityVulnerabilities {
rPaths, err := checkSecurityViolations(config, scan, sys, utils, influx)
reportPaths = append(reportPaths, rPaths...)
if err != nil {
checkErrors = append(checkErrors, fmt.Sprint(err))
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
}
}
// create toolrecord file
// tbd - how to handle verifyOnly
toolRecordFileName, err := createToolRecordWhitesource("./", config, scan)
if err != nil {
// do not fail until the framework is well established
log.Entry().Warning("TR_WHITESOURCE: Failed to create toolrecord file ...", err)
} else {
reportPaths = append(reportPaths, piperutils.Path{Target: toolRecordFileName})
}
if len(checkErrors) > 0 {
return reportPaths, fmt.Errorf(strings.Join(checkErrors, ": "))
}
return reportPaths, nil
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
}
func createWhiteSourceProduct(config *ScanOptions, sys whitesource) (string, error) {
log.Entry().Infof("Attempting to create new WhiteSource product for '%s'..", config.ProductName)
productToken, err := sys.CreateProduct(config.ProductName)
if err != nil {
return "", fmt.Errorf("failed to create WhiteSource product: %w", err)
}
var admins ws.Assignment
for _, address := range config.EmailAddressesOfInitialProductAdmins {
admins.UserAssignments = append(admins.UserAssignments, ws.UserAssignment{Email: address})
}
err = sys.SetProductAssignments(productToken, nil, &admins, nil)
if err != nil {
return "", fmt.Errorf("failed to set admins on new WhiteSource product: %w", err)
}
return productToken, nil
}
func resolveProjectIdentifiers(config *ScanOptions, scan *ws.Scan, utils whitesourceUtils, sys whitesource) error {
if len(scan.AggregateProjectName) > 0 && (len(config.Version)+len(config.CustomScanVersion) > 0) {
if config.Version == "" {
config.Version = config.CustomScanVersion
}
} else {
options := &versioning.Options{
feat(whitesourceExecuteScan): UA for all build tools, e.g. maven & npm (#2501) * feat(whitesource): add config helper this helps to ease & enforce config settings * fix accidential change of class * add todos wrt java download * use existing scanOptions, add option to download jre * update generation * fix generation * allow running UA via go library * correct image, improve logging * add removal of downloaded JVM * update java creation and deletion * refactor and add log output * remove obsolete ToDo * increase test coverage * increase test coverage * adding aliases and tests * make go modules as default * maven: update behavior of projectNaming * add Docker capabilities * correct parameter name * retrieve Docker coordinates * docker coordinates only to provide artifact * add ToDos * add mta capability * add aliases, mvn arguments for settings * clean up groovy part * update defaults * add container for pip * add defaults, add maven specifics, ... * properly download settings * maven: check existence of excluded files * fix reporting * Update CommonStepsTest.groovy * update comment * fix CodeClimate finding * add tests for pip & fix minor issues * fix order of pip build descriptors * update pip container options * fix pip virtualEnv parameter * update report permissions * fix test * update container options * add use fileUtils to load properties file * update parameter description * adding Docker scanning defaults * clean up configHelper * consider also npm tool cache * add todos
2021-02-03 15:52:48 +02:00
DockerImage: config.ScanImage,
ProjectSettingsFile: config.ProjectSettingsFile,
GlobalSettingsFile: config.GlobalSettingsFile,
M2Path: config.M2Path,
}
coordinates, err := utils.GetArtifactCoordinates(config.BuildTool, config.BuildDescriptorFile, options)
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
if err != nil {
return errors.Wrap(err, "failed to get build artifact description")
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
}
if len(config.Version) > 0 {
log.Entry().Infof("Resolving product version from default provided '%s' with versioning '%s'", config.Version, config.VersioningModel)
coordinates.Version = config.Version
}
feat(whitesourceExecuteScan): UA for all build tools, e.g. maven & npm (#2501) * feat(whitesource): add config helper this helps to ease & enforce config settings * fix accidential change of class * add todos wrt java download * use existing scanOptions, add option to download jre * update generation * fix generation * allow running UA via go library * correct image, improve logging * add removal of downloaded JVM * update java creation and deletion * refactor and add log output * remove obsolete ToDo * increase test coverage * increase test coverage * adding aliases and tests * make go modules as default * maven: update behavior of projectNaming * add Docker capabilities * correct parameter name * retrieve Docker coordinates * docker coordinates only to provide artifact * add ToDos * add mta capability * add aliases, mvn arguments for settings * clean up groovy part * update defaults * add container for pip * add defaults, add maven specifics, ... * properly download settings * maven: check existence of excluded files * fix reporting * Update CommonStepsTest.groovy * update comment * fix CodeClimate finding * add tests for pip & fix minor issues * fix order of pip build descriptors * update pip container options * fix pip virtualEnv parameter * update report permissions * fix test * update container options * add use fileUtils to load properties file * update parameter description * adding Docker scanning defaults * clean up configHelper * consider also npm tool cache * add todos
2021-02-03 15:52:48 +02:00
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
nameTmpl := `{{list .GroupID .ArtifactID | join "-" | trimAll "-"}}`
name, version := versioning.DetermineProjectCoordinatesWithCustomVersion(nameTmpl, config.VersioningModel, config.CustomScanVersion, coordinates)
if scan.AggregateProjectName == "" {
log.Entry().Infof("Resolved project name '%s' from descriptor file", name)
scan.AggregateProjectName = name
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
}
config.Version = version
log.Entry().Infof("Resolved product version '%s'", version)
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
}
scan.ProductVersion = validateProductVersion(config.Version)
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
if err := resolveProductToken(config, sys); err != nil {
return errors.Wrap(err, "error resolving product token")
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
}
if err := resolveAggregateProjectToken(config, sys); err != nil {
return errors.Wrap(err, "error resolving aggregate project token")
}
return scan.UpdateProjects(config.ProductToken, sys)
}
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
// resolveProductToken resolves the token of the WhiteSource Product specified by config.ProductName,
// unless the user provided a token in config.ProductToken already, or it was previously resolved.
// If no Product can be found for the given config.ProductName, and the parameter
// config.CreatePipelineFromProduct is set, an attempt will be made to create the product and
// configure the initial product admins.
func resolveProductToken(config *ScanOptions, sys whitesource) error {
if config.ProductToken != "" {
return nil
}
log.Entry().Infof("Attempting to resolve product token for product '%s'..", config.ProductName)
product, err := sys.GetProductByName(config.ProductName)
if err != nil && config.CreateProductFromPipeline {
product = ws.Product{}
product.Token, err = createWhiteSourceProduct(config, sys)
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
if err != nil {
return errors.Wrapf(err, "failed to create whitesource product")
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
}
}
if err != nil {
return errors.Wrapf(err, "failed to get product by name")
}
log.Entry().Infof("Resolved product token: '%s'..", product.Token)
config.ProductToken = product.Token
return nil
}
// resolveAggregateProjectName checks if config.ProjectToken is configured, and if so, expects a WhiteSource
// project with that token to exist. The AggregateProjectName in the ws.Scan is then configured with that
// project's name.
func resolveAggregateProjectName(config *ScanOptions, scan *ws.Scan, sys whitesource) error {
if config.ProjectToken == "" {
return nil
}
log.Entry().Infof("Attempting to resolve aggregate project name for token '%s'..", config.ProjectToken)
// If the user configured the "projectToken" parameter, we expect this project to exist in the backend.
project, err := sys.GetProjectByToken(config.ProjectToken)
if err != nil {
return errors.Wrapf(err, "failed to get project by token")
}
nameVersion := strings.Split(project.Name, " - ")
scan.AggregateProjectName = nameVersion[0]
log.Entry().Infof("Resolve aggregate project name '%s'..", scan.AggregateProjectName)
return nil
}
// resolveAggregateProjectToken fetches the token of the WhiteSource Project specified by config.ProjectName
// and stores it in config.ProjectToken.
// The user can configure a projectName or projectToken of the project to be used as for aggregation of scan results.
func resolveAggregateProjectToken(config *ScanOptions, sys whitesource) error {
if config.ProjectToken != "" || config.ProjectName == "" {
return nil
}
log.Entry().Infof("Attempting to resolve project token for project '%s'..", config.ProjectName)
fullProjName := fmt.Sprintf("%s - %s", config.ProjectName, config.Version)
projectToken, err := sys.GetProjectToken(config.ProductToken, fullProjName)
if err != nil {
return errors.Wrapf(err, "failed to get project token")
}
// A project may not yet exist for this project name-version combo.
// It will be created by the scan, we retrieve the token again after scanning.
if projectToken != "" {
log.Entry().Infof("Resolved project token: '%s'..", projectToken)
config.ProjectToken = projectToken
} else {
log.Entry().Infof("Project '%s' not yet present in WhiteSource", fullProjName)
}
return nil
}
// validateProductVersion makes sure that the version does not contain a dash "-".
func validateProductVersion(version string) string {
// TrimLeft() removes all "-" from the beginning, unlike TrimPrefix()!
version = strings.TrimLeft(version, "-")
if strings.Contains(version, "-") {
version = strings.SplitN(version, "-", 1)[0]
}
return version
}
func wsScanOptions(config *ScanOptions) *ws.ScanOptions {
return &ws.ScanOptions{
feat(whitesourceExecuteScan): UA for all build tools, e.g. maven & npm (#2501) * feat(whitesource): add config helper this helps to ease & enforce config settings * fix accidential change of class * add todos wrt java download * use existing scanOptions, add option to download jre * update generation * fix generation * allow running UA via go library * correct image, improve logging * add removal of downloaded JVM * update java creation and deletion * refactor and add log output * remove obsolete ToDo * increase test coverage * increase test coverage * adding aliases and tests * make go modules as default * maven: update behavior of projectNaming * add Docker capabilities * correct parameter name * retrieve Docker coordinates * docker coordinates only to provide artifact * add ToDos * add mta capability * add aliases, mvn arguments for settings * clean up groovy part * update defaults * add container for pip * add defaults, add maven specifics, ... * properly download settings * maven: check existence of excluded files * fix reporting * Update CommonStepsTest.groovy * update comment * fix CodeClimate finding * add tests for pip & fix minor issues * fix order of pip build descriptors * update pip container options * fix pip virtualEnv parameter * update report permissions * fix test * update container options * add use fileUtils to load properties file * update parameter description * adding Docker scanning defaults * clean up configHelper * consider also npm tool cache * add todos
2021-02-03 15:52:48 +02:00
BuildTool: config.BuildTool,
ScanType: "", // no longer provided via config
OrgToken: config.OrgToken,
UserToken: config.UserToken,
ProductName: config.ProductName,
ProductToken: config.ProductToken,
ProductVersion: config.Version,
ProjectName: config.ProjectName,
feat(whitesourceExecuteScan): UA for all build tools, e.g. maven & npm (#2501) * feat(whitesource): add config helper this helps to ease & enforce config settings * fix accidential change of class * add todos wrt java download * use existing scanOptions, add option to download jre * update generation * fix generation * allow running UA via go library * correct image, improve logging * add removal of downloaded JVM * update java creation and deletion * refactor and add log output * remove obsolete ToDo * increase test coverage * increase test coverage * adding aliases and tests * make go modules as default * maven: update behavior of projectNaming * add Docker capabilities * correct parameter name * retrieve Docker coordinates * docker coordinates only to provide artifact * add ToDos * add mta capability * add aliases, mvn arguments for settings * clean up groovy part * update defaults * add container for pip * add defaults, add maven specifics, ... * properly download settings * maven: check existence of excluded files * fix reporting * Update CommonStepsTest.groovy * update comment * fix CodeClimate finding * add tests for pip & fix minor issues * fix order of pip build descriptors * update pip container options * fix pip virtualEnv parameter * update report permissions * fix test * update container options * add use fileUtils to load properties file * update parameter description * adding Docker scanning defaults * clean up configHelper * consider also npm tool cache * add todos
2021-02-03 15:52:48 +02:00
BuildDescriptorFile: config.BuildDescriptorFile,
BuildDescriptorExcludeList: config.BuildDescriptorExcludeList,
PomPath: config.BuildDescriptorFile,
M2Path: config.M2Path,
GlobalSettingsFile: config.GlobalSettingsFile,
ProjectSettingsFile: config.ProjectSettingsFile,
InstallArtifacts: config.InstallArtifacts,
DefaultNpmRegistry: config.DefaultNpmRegistry,
AgentDownloadURL: config.AgentDownloadURL,
AgentFileName: config.AgentFileName,
ConfigFilePath: config.ConfigFilePath,
Includes: config.Includes,
Excludes: config.Excludes,
feat(whitesourceExecuteScan): UA for all build tools, e.g. maven & npm (#2501) * feat(whitesource): add config helper this helps to ease & enforce config settings * fix accidential change of class * add todos wrt java download * use existing scanOptions, add option to download jre * update generation * fix generation * allow running UA via go library * correct image, improve logging * add removal of downloaded JVM * update java creation and deletion * refactor and add log output * remove obsolete ToDo * increase test coverage * increase test coverage * adding aliases and tests * make go modules as default * maven: update behavior of projectNaming * add Docker capabilities * correct parameter name * retrieve Docker coordinates * docker coordinates only to provide artifact * add ToDos * add mta capability * add aliases, mvn arguments for settings * clean up groovy part * update defaults * add container for pip * add defaults, add maven specifics, ... * properly download settings * maven: check existence of excluded files * fix reporting * Update CommonStepsTest.groovy * update comment * fix CodeClimate finding * add tests for pip & fix minor issues * fix order of pip build descriptors * update pip container options * fix pip virtualEnv parameter * update report permissions * fix test * update container options * add use fileUtils to load properties file * update parameter description * adding Docker scanning defaults * clean up configHelper * consider also npm tool cache * add todos
2021-02-03 15:52:48 +02:00
JreDownloadURL: config.JreDownloadURL,
AgentURL: config.AgentURL,
ServiceURL: config.ServiceURL,
ScanPath: config.ScanPath,
feat(whitesourceExecuteScan): UA for all build tools, e.g. maven & npm (#2501) * feat(whitesource): add config helper this helps to ease & enforce config settings * fix accidential change of class * add todos wrt java download * use existing scanOptions, add option to download jre * update generation * fix generation * allow running UA via go library * correct image, improve logging * add removal of downloaded JVM * update java creation and deletion * refactor and add log output * remove obsolete ToDo * increase test coverage * increase test coverage * adding aliases and tests * make go modules as default * maven: update behavior of projectNaming * add Docker capabilities * correct parameter name * retrieve Docker coordinates * docker coordinates only to provide artifact * add ToDos * add mta capability * add aliases, mvn arguments for settings * clean up groovy part * update defaults * add container for pip * add defaults, add maven specifics, ... * properly download settings * maven: check existence of excluded files * fix reporting * Update CommonStepsTest.groovy * update comment * fix CodeClimate finding * add tests for pip & fix minor issues * fix order of pip build descriptors * update pip container options * fix pip virtualEnv parameter * update report permissions * fix test * update container options * add use fileUtils to load properties file * update parameter description * adding Docker scanning defaults * clean up configHelper * consider also npm tool cache * add todos
2021-02-03 15:52:48 +02:00
Verbose: GeneralConfig.Verbose,
}
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
}
// Unified Agent is the only supported option by WhiteSource going forward:
// The Unified Agent will be used to perform the scan.
func executeScan(config *ScanOptions, scan *ws.Scan, utils whitesourceUtils) error {
options := wsScanOptions(config)
// Execute scan with Unified Agent jar file
if err := scan.ExecuteUAScan(options, utils); err != nil {
return errors.Wrapf(err, "failed to execute Unified Agent scan")
}
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
return nil
}
func checkPolicyViolations(config *ScanOptions, scan *ws.Scan, sys whitesource, utils whitesourceUtils, reportPaths []piperutils.Path, influx *whitesourceExecuteScanInflux) (piperutils.Path, error) {
policyViolationCount := 0
for _, project := range scan.ScannedProjects() {
alerts, err := sys.GetProjectAlertsByType(project.Token, "REJECTED_BY_POLICY_RESOURCE")
if err != nil {
return piperutils.Path{}, fmt.Errorf("failed to retrieve project policy alerts from WhiteSource: %w", err)
}
policyViolationCount += len(alerts)
}
violations := struct {
PolicyViolations int `json:"policyViolations"`
Reports []string `json:"reports"`
}{
PolicyViolations: policyViolationCount,
Reports: []string{},
}
for _, report := range reportPaths {
_, reportFile := filepath.Split(report.Target)
violations.Reports = append(violations.Reports, reportFile)
}
violationContent, err := json.Marshal(violations)
if err != nil {
return piperutils.Path{}, fmt.Errorf("failed to marshal policy violation data: %w", err)
}
jsonViolationReportPath := filepath.Join(ws.ReportsDirectory, "whitesource-ip.json")
err = utils.FileWrite(jsonViolationReportPath, violationContent, 0666)
if err != nil {
return piperutils.Path{}, fmt.Errorf("failed to write policy violation report: %w", err)
}
policyReport := piperutils.Path{Name: "WhiteSource Policy Violation Report", Target: jsonViolationReportPath}
// create a json report to be used later, e.g. issue creation in GitHub
ipReport := reporting.ScanReport{
ReportTitle: "WhiteSource IP Report",
Subheaders: []reporting.Subheader{
{Description: "WhiteSource product name", Details: config.ProductName},
{Description: "Filtered project names", Details: strings.Join(scan.ScannedProjectNames(), ", ")},
},
Overview: []reporting.OverviewRow{
{Description: "Total number of licensing vulnerabilities", Details: fmt.Sprint(policyViolationCount)},
},
SuccessfulScan: policyViolationCount == 0,
ReportTime: utils.Now(),
}
// JSON reports are used by step pipelineCreateSummary in order to e.g. prepare an issue creation in GitHub
// ignore JSON errors since structure is in our hands
jsonReport, _ := ipReport.ToJSON()
if exists, _ := utils.DirExists(reporting.StepReportDirectory); !exists {
err := utils.MkdirAll(reporting.StepReportDirectory, 0777)
if err != nil {
return policyReport, errors.Wrap(err, "failed to create reporting directory")
}
}
feat(whitesourceExecuteScan): GitHub issue creation + SARIF (#3535) * Add GH issue creation + SARIF * Code cleanup * Fix fmt, add debug * Code enhancements * Fix * Added debug info * Rework UA log scan * Fix code * read UA version * Fix nil reference * Extraction * Credentials * Issue creation * Error handling * Fix issue creation * query escape * Query escape 2 * Revert * Test avoid update * HTTP client * Add support for custom TLS certs * Fix code * Fix code 2 * Fix code 3 * Disable cert check * Fix auth * Remove implicit trust * Skip verification * Fix * Fix client * Fix HTTP auth * Fix trusted certs * Trim version * Code * Add token * Added token handling to client * Fix token * Cleanup * Fix token * Token rework * Fix code * Kick out oauth client * Kick out oauth client * Transport wrapping * Token * Simplification * Refactor * Variation * Check * Fix * Debug * Switch client * Variation * Debug * Switch to cert check * Add debug * Parse self * Cleanup * Update resources/metadata/whitesourceExecuteScan.yaml * Add debug * Expose subjects * Patch * Debug * Debug2 * Debug3 * Fix logging response body * Cleanup * Cleanup * Fix request body logging * Cleanup import * Fix import cycle * Cleanup * Fix fmt * Fix NopCloser reference * Regenerate * Reintroduce * Fix test * Fix tests * Correction * Fix error * Code fix * Fix tests * Add tests * Fix code climate issues * Code climate * Code climate again * Code climate again * Fix fmt * Fix fmt 2 Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2022-02-23 10:30:19 +02:00
if err := utils.FileWrite(filepath.Join(reporting.StepReportDirectory, fmt.Sprintf("whitesourceExecuteScan_ip_%v.json", ws.ReportSha(config.ProductName, scan))), jsonReport, 0666); err != nil {
return policyReport, errors.Wrapf(err, "failed to write json report")
}
// we do not add the json report to the overall list of reports for now,
// since it is just an intermediary report used as input for later
// and there does not seem to be real benefit in archiving it.
if policyViolationCount > 0 {
log.SetErrorCategory(log.ErrorCompliance)
influx.whitesource_data.fields.policy_violations = policyViolationCount
return policyReport, fmt.Errorf("%v policy violation(s) found", policyViolationCount)
}
return policyReport, nil
}
func checkSecurityViolations(config *ScanOptions, scan *ws.Scan, sys whitesource, utils whitesourceUtils, influx *whitesourceExecuteScanInflux) ([]piperutils.Path, error) {
var reportPaths []piperutils.Path
// Check for security vulnerabilities and fail the build if cvssSeverityLimit threshold is crossed
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
// convert config.CvssSeverityLimit to float64
cvssSeverityLimit, err := strconv.ParseFloat(config.CvssSeverityLimit, 64)
if err != nil {
log.SetErrorCategory(log.ErrorConfiguration)
return reportPaths, fmt.Errorf("failed to parse parameter cvssSeverityLimit (%s) "+
"as floating point number: %w", config.CvssSeverityLimit, err)
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
}
if config.ProjectToken != "" {
project := ws.Project{Name: config.ProjectName, Token: config.ProjectToken}
// ToDo: see if HTML report generation is really required here
// we anyway need to do some refactoring here since config.ProjectToken != "" essentially indicates an aggregated project
if _, _, err := checkProjectSecurityViolations(cvssSeverityLimit, project, sys, influx); err != nil {
return reportPaths, err
}
} else {
feat(whitesourceExecuteScan): UA for all build tools, e.g. maven & npm (#2501) * feat(whitesource): add config helper this helps to ease & enforce config settings * fix accidential change of class * add todos wrt java download * use existing scanOptions, add option to download jre * update generation * fix generation * allow running UA via go library * correct image, improve logging * add removal of downloaded JVM * update java creation and deletion * refactor and add log output * remove obsolete ToDo * increase test coverage * increase test coverage * adding aliases and tests * make go modules as default * maven: update behavior of projectNaming * add Docker capabilities * correct parameter name * retrieve Docker coordinates * docker coordinates only to provide artifact * add ToDos * add mta capability * add aliases, mvn arguments for settings * clean up groovy part * update defaults * add container for pip * add defaults, add maven specifics, ... * properly download settings * maven: check existence of excluded files * fix reporting * Update CommonStepsTest.groovy * update comment * fix CodeClimate finding * add tests for pip & fix minor issues * fix order of pip build descriptors * update pip container options * fix pip virtualEnv parameter * update report permissions * fix test * update container options * add use fileUtils to load properties file * update parameter description * adding Docker scanning defaults * clean up configHelper * consider also npm tool cache * add todos
2021-02-03 15:52:48 +02:00
vulnerabilitiesCount := 0
var errorsOccured []string
allAlerts := []ws.Alert{}
for _, project := range scan.ScannedProjects() {
feat(whitesourceExecuteScan): UA for all build tools, e.g. maven & npm (#2501) * feat(whitesource): add config helper this helps to ease & enforce config settings * fix accidential change of class * add todos wrt java download * use existing scanOptions, add option to download jre * update generation * fix generation * allow running UA via go library * correct image, improve logging * add removal of downloaded JVM * update java creation and deletion * refactor and add log output * remove obsolete ToDo * increase test coverage * increase test coverage * adding aliases and tests * make go modules as default * maven: update behavior of projectNaming * add Docker capabilities * correct parameter name * retrieve Docker coordinates * docker coordinates only to provide artifact * add ToDos * add mta capability * add aliases, mvn arguments for settings * clean up groovy part * update defaults * add container for pip * add defaults, add maven specifics, ... * properly download settings * maven: check existence of excluded files * fix reporting * Update CommonStepsTest.groovy * update comment * fix CodeClimate finding * add tests for pip & fix minor issues * fix order of pip build descriptors * update pip container options * fix pip virtualEnv parameter * update report permissions * fix test * update container options * add use fileUtils to load properties file * update parameter description * adding Docker scanning defaults * clean up configHelper * consider also npm tool cache * add todos
2021-02-03 15:52:48 +02:00
// collect errors and aggregate vulnerabilities from all projects
if vulCount, alerts, err := checkProjectSecurityViolations(cvssSeverityLimit, project, sys, influx); err != nil {
allAlerts = append(allAlerts, alerts...)
feat(whitesourceExecuteScan): UA for all build tools, e.g. maven & npm (#2501) * feat(whitesource): add config helper this helps to ease & enforce config settings * fix accidential change of class * add todos wrt java download * use existing scanOptions, add option to download jre * update generation * fix generation * allow running UA via go library * correct image, improve logging * add removal of downloaded JVM * update java creation and deletion * refactor and add log output * remove obsolete ToDo * increase test coverage * increase test coverage * adding aliases and tests * make go modules as default * maven: update behavior of projectNaming * add Docker capabilities * correct parameter name * retrieve Docker coordinates * docker coordinates only to provide artifact * add ToDos * add mta capability * add aliases, mvn arguments for settings * clean up groovy part * update defaults * add container for pip * add defaults, add maven specifics, ... * properly download settings * maven: check existence of excluded files * fix reporting * Update CommonStepsTest.groovy * update comment * fix CodeClimate finding * add tests for pip & fix minor issues * fix order of pip build descriptors * update pip container options * fix pip virtualEnv parameter * update report permissions * fix test * update container options * add use fileUtils to load properties file * update parameter description * adding Docker scanning defaults * clean up configHelper * consider also npm tool cache * add todos
2021-02-03 15:52:48 +02:00
vulnerabilitiesCount += vulCount
errorsOccured = append(errorsOccured, fmt.Sprint(err))
}
}
feat(whitesourceExecuteScan): GitHub issue creation + SARIF (#3535) * Add GH issue creation + SARIF * Code cleanup * Fix fmt, add debug * Code enhancements * Fix * Added debug info * Rework UA log scan * Fix code * read UA version * Fix nil reference * Extraction * Credentials * Issue creation * Error handling * Fix issue creation * query escape * Query escape 2 * Revert * Test avoid update * HTTP client * Add support for custom TLS certs * Fix code * Fix code 2 * Fix code 3 * Disable cert check * Fix auth * Remove implicit trust * Skip verification * Fix * Fix client * Fix HTTP auth * Fix trusted certs * Trim version * Code * Add token * Added token handling to client * Fix token * Cleanup * Fix token * Token rework * Fix code * Kick out oauth client * Kick out oauth client * Transport wrapping * Token * Simplification * Refactor * Variation * Check * Fix * Debug * Switch client * Variation * Debug * Switch to cert check * Add debug * Parse self * Cleanup * Update resources/metadata/whitesourceExecuteScan.yaml * Add debug * Expose subjects * Patch * Debug * Debug2 * Debug3 * Fix logging response body * Cleanup * Cleanup * Fix request body logging * Cleanup import * Fix import cycle * Cleanup * Fix fmt * Fix NopCloser reference * Regenerate * Reintroduce * Fix test * Fix tests * Correction * Fix error * Code fix * Fix tests * Add tests * Fix code climate issues * Code climate * Code climate again * Code climate again * Fix fmt * Fix fmt 2 Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2022-02-23 10:30:19 +02:00
log.Entry().Debugf("Aggregated %v alerts for scanned projects", len(allAlerts))
feat(whitesourceExecuteScan): GitHub issue creation + SARIF (#3535) * Add GH issue creation + SARIF * Code cleanup * Fix fmt, add debug * Code enhancements * Fix * Added debug info * Rework UA log scan * Fix code * read UA version * Fix nil reference * Extraction * Credentials * Issue creation * Error handling * Fix issue creation * query escape * Query escape 2 * Revert * Test avoid update * HTTP client * Add support for custom TLS certs * Fix code * Fix code 2 * Fix code 3 * Disable cert check * Fix auth * Remove implicit trust * Skip verification * Fix * Fix client * Fix HTTP auth * Fix trusted certs * Trim version * Code * Add token * Added token handling to client * Fix token * Cleanup * Fix token * Token rework * Fix code * Kick out oauth client * Kick out oauth client * Transport wrapping * Token * Simplification * Refactor * Variation * Check * Fix * Debug * Switch client * Variation * Debug * Switch to cert check * Add debug * Parse self * Cleanup * Update resources/metadata/whitesourceExecuteScan.yaml * Add debug * Expose subjects * Patch * Debug * Debug2 * Debug3 * Fix logging response body * Cleanup * Cleanup * Fix request body logging * Cleanup import * Fix import cycle * Cleanup * Fix fmt * Fix NopCloser reference * Regenerate * Reintroduce * Fix test * Fix tests * Correction * Fix error * Code fix * Fix tests * Add tests * Fix code climate issues * Code climate * Code climate again * Code climate again * Fix fmt * Fix fmt 2 Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2022-02-23 10:30:19 +02:00
if config.CreateResultIssue && vulnerabilitiesCount > 0 && len(config.GithubToken) > 0 && len(config.GithubAPIURL) > 0 && len(config.Owner) > 0 && len(config.Repository) > 0 {
log.Entry().Debugf("Creating result issues for %v alert(s)", vulnerabilitiesCount)
issueDetails := make([]reporting.IssueDetail, len(allAlerts))
piperutils.CopyAtoB(allAlerts, issueDetails)
err = reporting.UploadMultipleReportsToGithub(&issueDetails, config.GithubToken, config.GithubAPIURL, config.Owner, config.Repository, config.Assignees, config.CustomTLSCertificateLinks, utils)
feat(whitesourceExecuteScan): GitHub issue creation + SARIF (#3535) * Add GH issue creation + SARIF * Code cleanup * Fix fmt, add debug * Code enhancements * Fix * Added debug info * Rework UA log scan * Fix code * read UA version * Fix nil reference * Extraction * Credentials * Issue creation * Error handling * Fix issue creation * query escape * Query escape 2 * Revert * Test avoid update * HTTP client * Add support for custom TLS certs * Fix code * Fix code 2 * Fix code 3 * Disable cert check * Fix auth * Remove implicit trust * Skip verification * Fix * Fix client * Fix HTTP auth * Fix trusted certs * Trim version * Code * Add token * Added token handling to client * Fix token * Cleanup * Fix token * Token rework * Fix code * Kick out oauth client * Kick out oauth client * Transport wrapping * Token * Simplification * Refactor * Variation * Check * Fix * Debug * Switch client * Variation * Debug * Switch to cert check * Add debug * Parse self * Cleanup * Update resources/metadata/whitesourceExecuteScan.yaml * Add debug * Expose subjects * Patch * Debug * Debug2 * Debug3 * Fix logging response body * Cleanup * Cleanup * Fix request body logging * Cleanup import * Fix import cycle * Cleanup * Fix fmt * Fix NopCloser reference * Regenerate * Reintroduce * Fix test * Fix tests * Correction * Fix error * Code fix * Fix tests * Add tests * Fix code climate issues * Code climate * Code climate again * Code climate again * Fix fmt * Fix fmt 2 Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2022-02-23 10:30:19 +02:00
if err != nil {
errorsOccured = append(errorsOccured, fmt.Sprint(err))
}
}
scanReport := ws.CreateCustomVulnerabilityReport(config.ProductName, scan, &allAlerts, cvssSeverityLimit)
paths, err := ws.WriteCustomVulnerabilityReports(config.ProductName, scan, scanReport, utils)
if err != nil {
errorsOccured = append(errorsOccured, fmt.Sprint(err))
}
reportPaths = append(reportPaths, paths...)
sarif := ws.CreateSarifResultFile(scan, &allAlerts)
paths, err = ws.WriteSarifFile(sarif, utils)
if err != nil {
errorsOccured = append(errorsOccured, fmt.Sprint(err))
}
feat(whitesourceExecuteScan): GitHub issue creation + SARIF (#3535) * Add GH issue creation + SARIF * Code cleanup * Fix fmt, add debug * Code enhancements * Fix * Added debug info * Rework UA log scan * Fix code * read UA version * Fix nil reference * Extraction * Credentials * Issue creation * Error handling * Fix issue creation * query escape * Query escape 2 * Revert * Test avoid update * HTTP client * Add support for custom TLS certs * Fix code * Fix code 2 * Fix code 3 * Disable cert check * Fix auth * Remove implicit trust * Skip verification * Fix * Fix client * Fix HTTP auth * Fix trusted certs * Trim version * Code * Add token * Added token handling to client * Fix token * Cleanup * Fix token * Token rework * Fix code * Kick out oauth client * Kick out oauth client * Transport wrapping * Token * Simplification * Refactor * Variation * Check * Fix * Debug * Switch client * Variation * Debug * Switch to cert check * Add debug * Parse self * Cleanup * Update resources/metadata/whitesourceExecuteScan.yaml * Add debug * Expose subjects * Patch * Debug * Debug2 * Debug3 * Fix logging response body * Cleanup * Cleanup * Fix request body logging * Cleanup import * Fix import cycle * Cleanup * Fix fmt * Fix NopCloser reference * Regenerate * Reintroduce * Fix test * Fix tests * Correction * Fix error * Code fix * Fix tests * Add tests * Fix code climate issues * Code climate * Code climate again * Code climate again * Fix fmt * Fix fmt 2 Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2022-02-23 10:30:19 +02:00
reportPaths = append(reportPaths, paths...)
feat(whitesourceExecuteScan): UA for all build tools, e.g. maven & npm (#2501) * feat(whitesource): add config helper this helps to ease & enforce config settings * fix accidential change of class * add todos wrt java download * use existing scanOptions, add option to download jre * update generation * fix generation * allow running UA via go library * correct image, improve logging * add removal of downloaded JVM * update java creation and deletion * refactor and add log output * remove obsolete ToDo * increase test coverage * increase test coverage * adding aliases and tests * make go modules as default * maven: update behavior of projectNaming * add Docker capabilities * correct parameter name * retrieve Docker coordinates * docker coordinates only to provide artifact * add ToDos * add mta capability * add aliases, mvn arguments for settings * clean up groovy part * update defaults * add container for pip * add defaults, add maven specifics, ... * properly download settings * maven: check existence of excluded files * fix reporting * Update CommonStepsTest.groovy * update comment * fix CodeClimate finding * add tests for pip & fix minor issues * fix order of pip build descriptors * update pip container options * fix pip virtualEnv parameter * update report permissions * fix test * update container options * add use fileUtils to load properties file * update parameter description * adding Docker scanning defaults * clean up configHelper * consider also npm tool cache * add todos
2021-02-03 15:52:48 +02:00
if len(errorsOccured) > 0 {
if vulnerabilitiesCount > 0 {
log.SetErrorCategory(log.ErrorCompliance)
}
return reportPaths, fmt.Errorf(strings.Join(errorsOccured, ": "))
}
}
return reportPaths, nil
}
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
// checkSecurityViolations checks security violations and returns an error if the configured severity limit is crossed.
func checkProjectSecurityViolations(cvssSeverityLimit float64, project ws.Project, sys whitesource, influx *whitesourceExecuteScanInflux) (int, []ws.Alert, error) {
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
// get project alerts (vulnerabilities)
alerts, err := sys.GetProjectAlertsByType(project.Token, "SECURITY_VULNERABILITY")
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
if err != nil {
return 0, alerts, fmt.Errorf("failed to retrieve project alerts from WhiteSource: %w", err)
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
}
feat(whitesourceExecuteScan): GitHub issue creation + SARIF (#3535) * Add GH issue creation + SARIF * Code cleanup * Fix fmt, add debug * Code enhancements * Fix * Added debug info * Rework UA log scan * Fix code * read UA version * Fix nil reference * Extraction * Credentials * Issue creation * Error handling * Fix issue creation * query escape * Query escape 2 * Revert * Test avoid update * HTTP client * Add support for custom TLS certs * Fix code * Fix code 2 * Fix code 3 * Disable cert check * Fix auth * Remove implicit trust * Skip verification * Fix * Fix client * Fix HTTP auth * Fix trusted certs * Trim version * Code * Add token * Added token handling to client * Fix token * Cleanup * Fix token * Token rework * Fix code * Kick out oauth client * Kick out oauth client * Transport wrapping * Token * Simplification * Refactor * Variation * Check * Fix * Debug * Switch client * Variation * Debug * Switch to cert check * Add debug * Parse self * Cleanup * Update resources/metadata/whitesourceExecuteScan.yaml * Add debug * Expose subjects * Patch * Debug * Debug2 * Debug3 * Fix logging response body * Cleanup * Cleanup * Fix request body logging * Cleanup import * Fix import cycle * Cleanup * Fix fmt * Fix NopCloser reference * Regenerate * Reintroduce * Fix test * Fix tests * Correction * Fix error * Code fix * Fix tests * Add tests * Fix code climate issues * Code climate * Code climate again * Code climate again * Fix fmt * Fix fmt 2 Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2022-02-23 10:30:19 +02:00
severeVulnerabilities, nonSevereVulnerabilities := ws.CountSecurityVulnerabilities(&alerts, cvssSeverityLimit)
influx.whitesource_data.fields.minor_vulnerabilities = nonSevereVulnerabilities
influx.whitesource_data.fields.major_vulnerabilities = severeVulnerabilities
influx.whitesource_data.fields.vulnerabilities = nonSevereVulnerabilities + severeVulnerabilities
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
if nonSevereVulnerabilities > 0 {
log.Entry().Warnf("WARNING: %v Open Source Software Security vulnerabilities with "+
"CVSS score below threshold %.1f detected in project %s.", nonSevereVulnerabilities,
cvssSeverityLimit, project.Name)
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
} else if len(alerts) == 0 {
log.Entry().Infof("No Open Source Software Security vulnerabilities detected in project %s",
project.Name)
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
}
// https://github.com/SAP/jenkins-library/blob/master/vars/whitesourceExecuteScan.groovy#L558
if severeVulnerabilities > 0 {
2021-05-10 17:44:28 +02:00
log.SetErrorCategory(log.ErrorCompliance)
return severeVulnerabilities, alerts, fmt.Errorf("%v Open Source Software Security vulnerabilities with CVSS score greater "+
"or equal to %.1f detected in project %s",
severeVulnerabilities, cvssSeverityLimit, project.Name)
}
return 0, alerts, nil
}
func aggregateVersionWideLibraries(config *ScanOptions, utils whitesourceUtils, sys whitesource) error {
log.Entry().Infof("Aggregating list of libraries used for all projects with version: %s", config.Version)
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
projects, err := sys.GetProjectsMetaInfo(config.ProductToken)
if err != nil {
return errors.Wrapf(err, "failed to get projects meta info")
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
}
versionWideLibraries := map[string][]ws.Library{} // maps project name to slice of libraries
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
for _, project := range projects {
projectVersion := strings.Split(project.Name, " - ")[1]
projectName := strings.Split(project.Name, " - ")[0]
if projectVersion == config.Version {
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
libs, err := sys.GetProjectLibraryLocations(project.Token)
if err != nil {
return errors.Wrapf(err, "failed to get project library locations")
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
}
log.Entry().Infof("Found project: %s with %v libraries.", project.Name, len(libs))
versionWideLibraries[projectName] = libs
}
}
if err := newLibraryCSVReport(versionWideLibraries, config, utils); err != nil {
return errors.Wrapf(err, "failed toget new libary CSV report")
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
}
return nil
}
func aggregateVersionWideVulnerabilities(config *ScanOptions, utils whitesourceUtils, sys whitesource) error {
log.Entry().Infof("Aggregating list of vulnerabilities for all projects with version: %s", config.Version)
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
projects, err := sys.GetProjectsMetaInfo(config.ProductToken)
if err != nil {
return errors.Wrapf(err, "failed to get projects meta info")
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
}
var versionWideAlerts []ws.Alert // all alerts for a given project version
projectNames := `` // holds all project tokens considered a part of the report for debugging
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
for _, project := range projects {
projectVersion := strings.Split(project.Name, " - ")[1]
if projectVersion == config.Version {
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
projectNames += project.Name + "\n"
alerts, err := sys.GetProjectAlertsByType(project.Token, "SECURITY_VULNERABILITY")
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
if err != nil {
return errors.Wrapf(err, "failed to get project alerts by type")
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
}
log.Entry().Infof("Found project: %s with %v vulnerabilities.", project.Name, len(alerts))
versionWideAlerts = append(versionWideAlerts, alerts...)
}
}
reportPath := filepath.Join(ws.ReportsDirectory, "project-names-aggregated.txt")
feat(whitesourceExecuteScan): UA for all build tools, e.g. maven & npm (#2501) * feat(whitesource): add config helper this helps to ease & enforce config settings * fix accidential change of class * add todos wrt java download * use existing scanOptions, add option to download jre * update generation * fix generation * allow running UA via go library * correct image, improve logging * add removal of downloaded JVM * update java creation and deletion * refactor and add log output * remove obsolete ToDo * increase test coverage * increase test coverage * adding aliases and tests * make go modules as default * maven: update behavior of projectNaming * add Docker capabilities * correct parameter name * retrieve Docker coordinates * docker coordinates only to provide artifact * add ToDos * add mta capability * add aliases, mvn arguments for settings * clean up groovy part * update defaults * add container for pip * add defaults, add maven specifics, ... * properly download settings * maven: check existence of excluded files * fix reporting * Update CommonStepsTest.groovy * update comment * fix CodeClimate finding * add tests for pip & fix minor issues * fix order of pip build descriptors * update pip container options * fix pip virtualEnv parameter * update report permissions * fix test * update container options * add use fileUtils to load properties file * update parameter description * adding Docker scanning defaults * clean up configHelper * consider also npm tool cache * add todos
2021-02-03 15:52:48 +02:00
if err := utils.FileWrite(reportPath, []byte(projectNames), 0666); err != nil {
return errors.Wrapf(err, "failed to write report: %s", reportPath)
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
}
if err := newVulnerabilityExcelReport(versionWideAlerts, config, utils); err != nil {
return errors.Wrapf(err, "failed to create new vulnerability excel report")
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
}
return nil
}
const wsReportTimeStampLayout = "20060102-150405"
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
// outputs an slice of alerts to an excel file
func newVulnerabilityExcelReport(alerts []ws.Alert, config *ScanOptions, utils whitesourceUtils) error {
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
file := excelize.NewFile()
streamWriter, err := file.NewStreamWriter("Sheet1")
if err != nil {
return err
}
styleID, err := file.NewStyle(`{"font":{"color":"#777777"}}`)
if err != nil {
return err
}
if err := fillVulnerabilityExcelReport(alerts, streamWriter, styleID); err != nil {
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
return err
}
if err := streamWriter.Flush(); err != nil {
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
return err
}
if err := utils.MkdirAll(ws.ReportsDirectory, 0777); err != nil {
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
return err
}
fileName := filepath.Join(ws.ReportsDirectory,
fmt.Sprintf("vulnerabilities-%s.xlsx", utils.Now().Format(wsReportTimeStampLayout)))
stream, err := utils.FileOpen(fileName, os.O_WRONLY|os.O_TRUNC|os.O_CREATE, 0666)
if err != nil {
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
return err
}
if err := file.Write(stream); err != nil {
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
return err
}
filePath := piperutils.Path{Name: "aggregated-vulnerabilities", Target: fileName}
piperutils.PersistReportsAndLinks("whitesourceExecuteScan", "", []piperutils.Path{filePath}, nil)
return nil
}
func fillVulnerabilityExcelReport(alerts []ws.Alert, streamWriter *excelize.StreamWriter, styleID int) error {
rows := []struct {
axis string
title string
}{
{"A1", "Severity"},
{"B1", "Library"},
{"C1", "Vulnerability Id"},
{"D1", "CVSS 3"},
{"E1", "Project"},
{"F1", "Resolution"},
}
for _, row := range rows {
err := streamWriter.SetRow(row.axis, []interface{}{excelize.Cell{StyleID: styleID, Value: row.title}})
if err != nil {
return err
}
}
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
for i, alert := range alerts {
row := make([]interface{}, 6)
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
vuln := alert.Vulnerability
row[0] = vuln.CVSS3Severity
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
row[1] = alert.Library.Filename
row[2] = vuln.Name
row[3] = vuln.CVSS3Score
row[4] = alert.Project
row[5] = vuln.FixResolutionText
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
cell, _ := excelize.CoordinatesToCellName(1, i+2)
if err := streamWriter.SetRow(cell, row); err != nil {
log.Entry().Errorf("failed to write alert row: %v", err)
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
}
}
return nil
}
// outputs an slice of libraries to an excel file based on projects with version == config.Version
func newLibraryCSVReport(libraries map[string][]ws.Library, config *ScanOptions, utils whitesourceUtils) error {
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
output := "Library Name, Project Name\n"
for projectName, libraries := range libraries {
log.Entry().Infof("Writing %v libraries for project %s to excel report..", len(libraries), projectName)
for _, library := range libraries {
output += library.Name + ", " + projectName + "\n"
}
}
// Ensure reporting directory exists
if err := utils.MkdirAll(ws.ReportsDirectory, 0777); err != nil {
return errors.Wrapf(err, "failed to create directories: %s", ws.ReportsDirectory)
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
}
// Write result to file
fileName := fmt.Sprintf("%s/libraries-%s.csv", ws.ReportsDirectory,
utils.Now().Format(wsReportTimeStampLayout))
feat(whitesourceExecuteScan): UA for all build tools, e.g. maven & npm (#2501) * feat(whitesource): add config helper this helps to ease & enforce config settings * fix accidential change of class * add todos wrt java download * use existing scanOptions, add option to download jre * update generation * fix generation * allow running UA via go library * correct image, improve logging * add removal of downloaded JVM * update java creation and deletion * refactor and add log output * remove obsolete ToDo * increase test coverage * increase test coverage * adding aliases and tests * make go modules as default * maven: update behavior of projectNaming * add Docker capabilities * correct parameter name * retrieve Docker coordinates * docker coordinates only to provide artifact * add ToDos * add mta capability * add aliases, mvn arguments for settings * clean up groovy part * update defaults * add container for pip * add defaults, add maven specifics, ... * properly download settings * maven: check existence of excluded files * fix reporting * Update CommonStepsTest.groovy * update comment * fix CodeClimate finding * add tests for pip & fix minor issues * fix order of pip build descriptors * update pip container options * fix pip virtualEnv parameter * update report permissions * fix test * update container options * add use fileUtils to load properties file * update parameter description * adding Docker scanning defaults * clean up configHelper * consider also npm tool cache * add todos
2021-02-03 15:52:48 +02:00
if err := utils.FileWrite(fileName, []byte(output), 0666); err != nil {
return errors.Wrapf(err, "failed to write file: %s", fileName)
}
filePath := piperutils.Path{Name: "aggregated-libraries", Target: fileName}
piperutils.PersistReportsAndLinks("whitesourceExecuteScan", "", []piperutils.Path{filePath}, nil)
return nil
}
// persistScannedProjects writes all actually scanned WhiteSource project names as list
// into the Common Pipeline Environment, from where it can be used by sub-sequent steps.
func persistScannedProjects(config *ScanOptions, scan *ws.Scan, commonPipelineEnvironment *whitesourceExecuteScanCommonPipelineEnvironment) {
projectNames := []string{}
if config.ProjectName != "" {
projectNames = []string{config.ProjectName + " - " + config.Version}
} else {
projectNames = scan.ScannedProjectNames()
}
commonPipelineEnvironment.custom.whitesourceProjectNames = projectNames
Whitesource scan (MVP) (#1658) * Whitesource MVP for Gradle, Golang, and NPM/Yarn * Refactoring * Refactor and cleanup, better error checking * publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support * Run gofmt and cleanup comments * Resolve PR comments * Update resources/metadata/whitesource.yaml Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * Only determine project coordinates if they are missing Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * Gradle versioning artifact * fix gradle artifact version regexp and refactor * Fix token extraction from output buffer * Fix some issues with pip and jsonfile versioning logic * Remove useless spacing * Remove unnecessary test file and fix naming style for JSONDescriptor * Automatically download wss-unified-agent if file does not exist * adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring * adds config.ReportDirectoryName, improves readability * Version-wide reporting for vulnerabilities and list of libraries. * Refactor and improve build accuracy * fix sed command * Add includes file pattern config option * Adds --exclude command line flag * run go mod tidy and regenerate step framework * Fix unit tests * revert changes * poll project status before downloading reports * merge with master * go mod tidy, go fmt, and fix whitesource unit test * sync go.mod * sync go.mod again Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00
}
// create toolrecord file for whitesource
//
func createToolRecordWhitesource(workspace string, config *whitesourceExecuteScanOptions, scan *ws.Scan) (string, error) {
record := toolrecord.New(workspace, "whitesource", config.ServiceURL)
wsUiRoot := "https://saas.whitesourcesoftware.com"
productURL := wsUiRoot + "/Wss/WSS.html#!product;token=" + config.ProductToken
err := record.AddKeyData("product",
config.ProductToken,
config.ProductName,
productURL)
if err != nil {
return "", err
}
max_idx := 0
for idx, project := range scan.ScannedProjects() {
max_idx = idx
name := project.Name
token := project.Token
projectURL := ""
if token != "" {
projectURL = wsUiRoot + "/Wss/WSS.html#!project;token=" + token
} else {
// token is empty, provide a dummy to have an indication
token = "unknown"
}
err = record.AddKeyData("project",
token,
name,
projectURL)
if err != nil {
return "", err
}
}
// set overall display data to product if there
// is more than one project
if max_idx > 1 {
record.SetOverallDisplayData(config.ProductName, productURL)
}
err = record.Persist()
if err != nil {
return "", err
}
return record.GetFileName(), nil
}