mirror of
https://github.com/SAP/jenkins-library.git
synced 2024-12-14 11:03:09 +02:00
564 lines
16 KiB
YAML
564 lines
16 KiB
YAML
|
metadata:
|
||
|
name: whitesourceExecuteScan
|
||
|
description: BETA
|
||
|
longDescription: |-
|
||
|
BETA
|
||
|
With this step [WhiteSource](https://www.whitesourcesoftware.com) security and license compliance scans can be executed and assessed.
|
||
|
WhiteSource is a Software as a Service offering based on a so called unified agent that locally determines the dependency
|
||
|
tree of a node.js, Java, Python, Ruby, or Scala based solution and sends it to the WhiteSource server for a policy based license compliance
|
||
|
check and additional Free and Open Source Software Publicly Known Vulnerabilities detection.
|
||
|
!!! note "Docker Images"
|
||
|
The underlying Docker images are public and specific to the solution's programming language(s) and therefore may have to be exchanged
|
||
|
to fit to and support the relevant scenario. The default Python environment used is i.e. Python 3 based.
|
||
|
!!! warn "Restrictions"
|
||
|
Currently the step does contain hardened scan configurations for `scanType` `'pip'` and `'go'`. Other environments are still being elaborated,
|
||
|
so please thoroughly check your results and do not take them for granted by default.
|
||
|
Also not all environments have been thoroughly tested already therefore you might need to tweak around with the default containers used or
|
||
|
create your own ones to adequately support your scenario. To do so please modify `dockerImage` and `dockerWorkspace` parameters.
|
||
|
The step expects an environment containing the programming language related compiler/interpreter as well as the related build tool. For a list
|
||
|
of the supported build tools per environment please refer to the [WhiteSource Unified Agent Documentation](https://whitesource.atlassian.net/wiki/spaces/WD/pages/33718339/Unified+Agent).
|
||
|
spec:
|
||
|
inputs:
|
||
|
params:
|
||
|
- name: buildDescriptorFile
|
||
|
type: string
|
||
|
description: Explicit path to the build descriptor file.
|
||
|
mandatory: false
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: null
|
||
|
conditions:
|
||
|
- conditionRef: strings-equal
|
||
|
params:
|
||
|
- name: scanType
|
||
|
value: golang
|
||
|
- name: buildDescriptorFile
|
||
|
type: string
|
||
|
description: Explicit path to the build descriptor file.
|
||
|
mandatory: false
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: ./pom.xml
|
||
|
conditions:
|
||
|
- conditionRef: strings-equal
|
||
|
params:
|
||
|
- name: scanType
|
||
|
value: maven
|
||
|
- name: buildDescriptorFile
|
||
|
type: string
|
||
|
description: Explicit path to the build descriptor file.
|
||
|
mandatory: false
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: null
|
||
|
conditions:
|
||
|
- conditionRef: strings-equal
|
||
|
params:
|
||
|
- name: scanType
|
||
|
value: mta
|
||
|
- name: buildDescriptorFile
|
||
|
type: string
|
||
|
description: Explicit path to the build descriptor file.
|
||
|
mandatory: false
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: ./package.json
|
||
|
conditions:
|
||
|
- conditionRef: strings-equal
|
||
|
params:
|
||
|
- name: scanType
|
||
|
value: npm
|
||
|
- name: buildDescriptorFile
|
||
|
type: string
|
||
|
description: Explicit path to the build descriptor file.
|
||
|
mandatory: false
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: ./setup.py
|
||
|
conditions:
|
||
|
- conditionRef: strings-equal
|
||
|
params:
|
||
|
- name: scanType
|
||
|
value: pip
|
||
|
- name: buildDescriptorFile
|
||
|
type: string
|
||
|
description: Explicit path to the build descriptor file.
|
||
|
mandatory: false
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: ./build.sbt
|
||
|
conditions:
|
||
|
- conditionRef: strings-equal
|
||
|
params:
|
||
|
- name: scanType
|
||
|
value: sbt
|
||
|
- name: buildDescriptorFile
|
||
|
type: string
|
||
|
description: Explicit path to the build descriptor file.
|
||
|
mandatory: false
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: ./dub.json
|
||
|
conditions:
|
||
|
- conditionRef: strings-equal
|
||
|
params:
|
||
|
- name: scanType
|
||
|
value: dub
|
||
|
- name: defaultVersioningModel
|
||
|
type: string
|
||
|
description: The default project versioning model used in case `projectVersion` parameter is empty for creating the version based on the build descriptor version to report results in Whitesource, can be one of `'major'`, `'major-minor'`, `'semantic'`, `'full'`
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: 'major'
|
||
|
- name: createProductFromPipeline
|
||
|
type: bool
|
||
|
description: Whether to create the related WhiteSource product on the fly based on the supplied pipeline configuration.
|
||
|
mandatory: false
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: true
|
||
|
- name: securityVulnerabilities
|
||
|
type: bool
|
||
|
description: Whether security compliance is considered and reported as part of the assessment.
|
||
|
mandatory: false
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: true
|
||
|
- name: timeout
|
||
|
type: string
|
||
|
description: Timeout in seconds until a HTTP call is forcefully terminated.
|
||
|
mandatory: false
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: 0
|
||
|
- name: agentDownloadUrl
|
||
|
type: string
|
||
|
description: URL used to download the latest version of the WhiteSource Unified Agent.
|
||
|
mandatory: false
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: https://github.com/whitesource/unified-agent-distribution/releases/latest/download/wss-unified-agent.jar
|
||
|
- name: configFilePath
|
||
|
type: string
|
||
|
description: Explicit path to the WhiteSource Unified Agent configuration file.
|
||
|
mandatory: false
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: ./wss-generated-file.config
|
||
|
- name: reportDirectoryName
|
||
|
type: string
|
||
|
description: Name of the directory to save vulnerability/risk reports to
|
||
|
mandatory: false
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: "whitesource-reports"
|
||
|
- name: aggregateVersionWideReport
|
||
|
type: bool
|
||
|
description: 'This does not run a scan, instead just generated a report for all projects with projectVersion = config.ProductVersion'
|
||
|
mandatory: false
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: false
|
||
|
- name: vulnerabilityReportFormat
|
||
|
type: string
|
||
|
description: Format of the file the vulnerability report is written to.
|
||
|
mandatory: false
|
||
|
possibleValues: [xlsx, json, xml]
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: xlsx
|
||
|
- name: parallelLimit
|
||
|
type: string
|
||
|
description: 'Limit of parallel jobs being run at once in case of `scanType:
|
||
|
''mta''` based scenarios, defaults to `15`.'
|
||
|
mandatory: false
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: 15
|
||
|
- name: reporting
|
||
|
type: bool
|
||
|
description: Whether assessment is being done at all, defaults to `true`.
|
||
|
mandatory: false
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: true
|
||
|
- name: serviceUrl
|
||
|
type: string
|
||
|
description: URL to the WhiteSource server API used for communication.
|
||
|
mandatory: false
|
||
|
scope:
|
||
|
- GENERAL
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: https://saas.whitesourcesoftware.com/api
|
||
|
- name: buildDescriptorExcludeList
|
||
|
type: string
|
||
|
description: List of build descriptors and therefore modules to exclude from the scan and assessment activities.
|
||
|
mandatory: false
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: []
|
||
|
- name: orgToken
|
||
|
type: string
|
||
|
description: WhiteSource token identifying your organization.
|
||
|
mandatory: true
|
||
|
scope:
|
||
|
- GENERAL
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: null
|
||
|
- name: userToken
|
||
|
type: string
|
||
|
description: WhiteSource token identifying the user executing the scan
|
||
|
mandatory: true
|
||
|
scope:
|
||
|
- GENERAL
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: null
|
||
|
- name: licensingVulnerabilities
|
||
|
type: bool
|
||
|
description: Whether license compliance is considered and reported as part of the assessment.
|
||
|
mandatory: false
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: true
|
||
|
- name: agentFileName
|
||
|
type: string
|
||
|
description: Locally used name for the Unified Agent jar file after download.
|
||
|
mandatory: false
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: wss-unified-agent.jar
|
||
|
- name: emailAddressesOfInitialProductAdmins
|
||
|
type: string
|
||
|
description: The list of email addresses to assign as product admins for newly created WhiteSource products.
|
||
|
mandatory: false
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: []
|
||
|
- name: productVersion
|
||
|
type: string
|
||
|
description: Version of the WhiteSource product to be created and used for results aggregation, usually determined automatically.
|
||
|
mandatory: false
|
||
|
scope:
|
||
|
- GENERAL
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: null
|
||
|
- name: jreDownloadUrl
|
||
|
type: string
|
||
|
description: URL used for downloading the Java Runtime Environment (JRE) required to run the WhiteSource Unified Agent.
|
||
|
mandatory: false
|
||
|
scope:
|
||
|
- GENERAL
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: null
|
||
|
- name: productName
|
||
|
type: string
|
||
|
description: Name of the WhiteSource product to be created and used for results aggregation.
|
||
|
mandatory: true
|
||
|
scope:
|
||
|
- GENERAL
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: null
|
||
|
- name: projectName
|
||
|
aliases:
|
||
|
- name: whitesourceProjectName
|
||
|
type: string
|
||
|
description: "The project used for reporting results in Whitesource"
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: '{{list .GroupID .ArtifactID | join "-" | trimAll "-"}}'
|
||
|
- name: projectToken
|
||
|
type: string
|
||
|
description: Project token to execute scan on
|
||
|
mandatory: false
|
||
|
scope:
|
||
|
- GENERAL
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: null
|
||
|
- name: vulnerabilityReportTitle
|
||
|
type: string
|
||
|
description: Title of vulnerability report written during the assessment phase.
|
||
|
mandatory: false
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: WhiteSource Security Vulnerability Report
|
||
|
- name: installCommand
|
||
|
type: string
|
||
|
description: Install command that can be used to populate the default docker image for some scenarios.
|
||
|
mandatory: false
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: null
|
||
|
- name: scanType
|
||
|
type: string
|
||
|
description: Type of development stack used to implement the solution.
|
||
|
mandatory: false
|
||
|
scope:
|
||
|
- GENERAL
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: null
|
||
|
possibleValues: ["golang", "npm", "gradle", "pip"]
|
||
|
- name: cvssSeverityLimit
|
||
|
type: string
|
||
|
description: Limit of tollerable CVSS v3 score upon assessment and in consequence fails the build, defaults to `-1`.
|
||
|
mandatory: false
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: -1
|
||
|
- name: includes
|
||
|
type: string
|
||
|
description: Space separated list of file path patterns to include in the scan, slashes must be escaped for sed
|
||
|
mandatory: false
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: '**\/src\/main\/**\/*.java **\/*.py **\/*.go **\/*.js **\/*.ts'
|
||
|
- name: excludes
|
||
|
type: string
|
||
|
description: Space separated list of file path patterns to exclude in the scan
|
||
|
mandatory: false
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: 'tests/**/*.py **/src/test/**/*.java'
|
||
|
- name: productToken
|
||
|
type: string
|
||
|
description: Token of the WhiteSource product to be created and used for results aggregation, usually determined automatically.
|
||
|
mandatory: false
|
||
|
scope:
|
||
|
- GENERAL
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: null
|
||
|
- name: agentParameters
|
||
|
type: string
|
||
|
description: Additional parameters passed to the Unified Agent command line.
|
||
|
mandatory: false
|
||
|
scope:
|
||
|
- PARAMETERS
|
||
|
- STAGES
|
||
|
- STEPS
|
||
|
default: ''
|
||
|
secrets:
|
||
|
- name: userTokenCredentialsId
|
||
|
type: jenkins
|
||
|
- name: orgAdminUserTokenCredentialsId
|
||
|
type: jenkins
|
||
|
resources:
|
||
|
- name: buildDescriptor
|
||
|
type: stash
|
||
|
conditions:
|
||
|
- conditionRef: strings-equal
|
||
|
params:
|
||
|
- name: scanType
|
||
|
value: golang
|
||
|
- name: opensourceConfiguration
|
||
|
type: stash
|
||
|
conditions:
|
||
|
- conditionRef: strings-equal
|
||
|
params:
|
||
|
- name: scanType
|
||
|
value: golang
|
||
|
- name: checkmarx
|
||
|
type: stash
|
||
|
conditions:
|
||
|
- conditionRef: strings-equal
|
||
|
params:
|
||
|
- name: scanType
|
||
|
value: golang
|
||
|
- name: buildDescriptor
|
||
|
type: stash
|
||
|
conditions:
|
||
|
- conditionRef: strings-equal
|
||
|
params:
|
||
|
- name: scanType
|
||
|
value: maven
|
||
|
- name: opensourceConfiguration
|
||
|
type: stash
|
||
|
conditions:
|
||
|
- conditionRef: strings-equal
|
||
|
params:
|
||
|
- name: scanType
|
||
|
value: maven
|
||
|
- name: buildDescriptor
|
||
|
type: stash
|
||
|
conditions:
|
||
|
- conditionRef: strings-equal
|
||
|
params:
|
||
|
- name: scanType
|
||
|
value: mta
|
||
|
- name: opensourceConfiguration
|
||
|
type: stash
|
||
|
conditions:
|
||
|
- conditionRef: strings-equal
|
||
|
params:
|
||
|
- name: scanType
|
||
|
value: mta
|
||
|
- name: buildDescriptor
|
||
|
type: stash
|
||
|
conditions:
|
||
|
- conditionRef: strings-equal
|
||
|
params:
|
||
|
- name: scanType
|
||
|
value: npm
|
||
|
- name: opensourceConfiguration
|
||
|
type: stash
|
||
|
conditions:
|
||
|
- conditionRef: strings-equal
|
||
|
params:
|
||
|
- name: scanType
|
||
|
value: npm
|
||
|
- name: buildDescriptor
|
||
|
type: stash
|
||
|
conditions:
|
||
|
- conditionRef: strings-equal
|
||
|
params:
|
||
|
- name: scanType
|
||
|
value: pip
|
||
|
- name: opensourceConfiguration
|
||
|
type: stash
|
||
|
conditions:
|
||
|
- conditionRef: strings-equal
|
||
|
params:
|
||
|
- name: scanType
|
||
|
value: pip
|
||
|
- name: buildDescriptor
|
||
|
type: stash
|
||
|
conditions:
|
||
|
- conditionRef: strings-equal
|
||
|
params:
|
||
|
- name: scanType
|
||
|
value: sbt
|
||
|
- name: opensourceConfiguration
|
||
|
type: stash
|
||
|
conditions:
|
||
|
- conditionRef: strings-equal
|
||
|
params:
|
||
|
- name: scanType
|
||
|
value: sbt
|
||
|
- name: buildDescriptor
|
||
|
type: stash
|
||
|
conditions:
|
||
|
- conditionRef: strings-equal
|
||
|
params:
|
||
|
- name: scanType
|
||
|
value: dub
|
||
|
- name: checkmarx
|
||
|
type: stash
|
||
|
conditions:
|
||
|
- conditionRef: strings-equal
|
||
|
params:
|
||
|
- name: scanType
|
||
|
value: dub
|
||
|
containers:
|
||
|
- image: maven:3.5-jdk-8
|
||
|
workingDir: /home/java
|
||
|
env: []
|
||
|
conditions:
|
||
|
- conditionRef: strings-equal
|
||
|
params:
|
||
|
- name: scanType
|
||
|
value: maven
|
||
|
- image: null
|
||
|
workingDir: null
|
||
|
env: []
|
||
|
conditions:
|
||
|
- conditionRef: strings-equal
|
||
|
params:
|
||
|
- name: scanType
|
||
|
value: mta
|
||
|
- image: node:lts-stretch
|
||
|
workingDir: /home/node
|
||
|
env: []
|
||
|
conditions:
|
||
|
- conditionRef: strings-equal
|
||
|
params:
|
||
|
- name: scanType
|
||
|
value: npm
|
||
|
- image: hseeberger/scala-sbt:8u181_2.12.8_1.2.8
|
||
|
workingDir: /home/scala
|
||
|
env: []
|
||
|
conditions:
|
||
|
- conditionRef: strings-equal
|
||
|
params:
|
||
|
- name: scanType
|
||
|
value: sbt
|
||
|
- image: buildpack-deps:stretch-curl
|
||
|
workingDir: /home/dub
|
||
|
env: []
|
||
|
conditions:
|
||
|
- conditionRef: strings-equal
|
||
|
params:
|
||
|
- name: scanType
|
||
|
value: dub
|