
import static com.sap.piper.Prerequisites.checkScript
import com.sap.piper.ConfigurationHelper
import com.sap.piper.GenerateDocumentation
import com.sap.piper.Utils
import com.sap.piper.mta.MtaMultiplexer
import com.sap.piper.MapUtils
import groovy.transform.Field
@Field def STEP_NAME = getClass().getName()

@Field Set GENERAL_CONFIG_KEYS = [
    /**
     * Id of a Jenkins *Secret text* credential holding the Snyk API token. The step binds it with
     * `string(...)` and hands it to the scan container as the `SNYK_TOKEN` environment variable.
     * Mandatory.
     * @possibleValues Jenkins credentials id
     */
    'snykCredentialsId'
]

@Field Set STEP_CONFIG_KEYS = GENERAL_CONFIG_KEYS + [
    /**
     * The path to the build descriptor file, e.g. `./package.json`. The file name must be `package.json`;
     * its directory is where `npm install` and the scan are executed.
     */
    'buildDescriptorFile',
    /** @see dockerExecute (mandatory for this step) */
    'dockerImage',
    /** @see dockerExecute */
    'dockerEnvVars',
    /** @see dockerExecute */
    'dockerOptions',
    /** @see dockerExecute */
    'dockerWorkspace',
    /**
     * Only scanType 'mta': Exclude modules from MTA projects.
     */
    'exclude',
    /**
     * Monitor the application's dependencies for new vulnerabilities (runs `snyk monitor` before `snyk test`).
     */
    'monitor',
    //TODO: move to general
    /**
     * The type of project that should be scanned.
     * @possibleValues `npm`, `mta`
     */
    'scanType',
    /**
     * Only needed for `monitor: true`: The organisation ID to determine the organisation to report to.
     * It is passed to `snyk monitor` only, not to `snyk test`.
     */
    'snykOrg',
    /**
     * Generate and archive a JSON report (`snyk.json`).
     */
    'toJson',
    /**
     * Generate and archive a HTML report (`snyk.html`). Implies `toJson`, since the HTML is rendered from the JSON.
     */
    'toHtml'
]

// Every step config key may also be passed directly as a call parameter.
@Field Set PARAMETER_KEYS = STEP_CONFIG_KEYS
//https://snyk.io/docs/continuous-integration/
/**
* This step performs an open source vulnerability scan on a *Node project* or *Node module inside an MTA project* through snyk.io.
*/
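@GenerateDocumentation
void call(Map parameters = [:]) {
    handlePipelineStepErrors(stepName: STEP_NAME, stepParameters: parameters) {
        // `juStabUtils` is the test seam for Utils; the same instance is used for every Utils call in this step.
        def utils = parameters.juStabUtils ?: new Utils()
        def script = checkScript(this, parameters) ?: this

        // Precedence, lowest to highest: step defaults, general config, step config, stage config, call parameters.
        Map config = ConfigurationHelper.newInstance(this)
            .loadStepDefaults()
            .mixinGeneralConfig(script.commonPipelineEnvironment, GENERAL_CONFIG_KEYS)
            .mixinStepConfig(script.commonPipelineEnvironment, STEP_CONFIG_KEYS)
            .mixinStageConfig(script.commonPipelineEnvironment, parameters.stageName ?: env.STAGE_NAME, STEP_CONFIG_KEYS)
            .mixin(parameters, PARAMETER_KEYS)
            // check mandatory parameters
            .withMandatoryProperty('dockerImage')
            .withMandatoryProperty('snykCredentialsId')
            .use()

        // Telemetry: reports only whether the caller passed `script`; no configuration values are sent from here.
        utils.pushToSWA([
            step: STEP_NAME,
            stepParamKey1: 'scriptMissing',
            stepParam1: parameters?.script == null
        ], config)

        // NOTE(review): config.stashContent is read here and passed to dockerExecute below, but it is not part of
        // STEP_CONFIG_KEYS/PARAMETER_KEYS, so it can only originate from the step defaults, not from a caller's
        // parameters or the step configuration. Confirm that is intended.
        utils.unstashAll(config.stashContent)

        switch (config.scanType) {
            case 'mta':
                // One 'npm' scan per package.json found in the MTA, executed in parallel. failFast is off so a
                // finding in one module does not abort the scans of the others.
                def scanJobs = [failFast: false]
                scanJobs.putAll(MtaMultiplexer.createJobs(
                    this, parameters, config.exclude, 'Snyk', 'package.json', 'npm'
                ) { options -> snykExecute(options) })
                parallel scanJobs
                break
            case 'npm':
                // Directory of the build descriptor: only the file name `package.json` is removed, so the value is
                // expected to end in `package.json` (`./package.json` -> `./`, `a/b/package.json` -> `a/b/`).
                def path = config.buildDescriptorFile.replace('package.json', '')
                // Archived artifact names are workspace-relative, so a `./` prefix is dropped.
                def reportDir = path.replaceAll('\\./', '')
                try {
                    // Secret-text binding: the token exists as the Groovy variable `token` only inside this closure.
                    withCredentials([string(
                        credentialsId: config.snykCredentialsId,
                        variable: 'token'
                    )]) {
                        dockerExecute(
                            script: script,
                            dockerImage: config.dockerImage,
                            // The token reaches the container only through its environment and is never placed on
                            // a command line. NOTE(review): presumably dockerExecute turns this into `docker run -e`,
                            // in which case the value is also visible via `docker inspect` on the agent; confirm.
                            dockerEnvVars: MapUtils.merge(['SNYK_TOKEN': token], config.dockerEnvVars ?: [:]),
                            dockerWorkspace: config.dockerWorkspace,
                            dockerOptions: config.dockerOptions,
                            stashContent: config.stashContent
                        ) {
                            // SECURITY: buildDescriptorFile and snykOrg come from pipeline configuration, which for a
                            // PR build may be controlled by the repository under test. They are therefore handed to the
                            // shell via the environment and expanded by the shell itself; the `sh` scripts below are
                            // single-quoted Groovy strings on purpose, so a `'`, `;` or `$(...)` in either value is
                            // data, not shell syntax (previously they were interpolated straight into the command).
                            withEnv(["SNYK_SCAN_PATH=${path}", "SNYK_ORG=${config.snykOrg ?: ''}"]) {
                                // Diagnostics only; a missing node/npm is reported by the steps that need them.
                                sh returnStatus: true, script: '''
                                    node --version
                                    npm --version
                                '''

                                // SECURITY(review): this installs whatever `latest` resolves to at build time, with no
                                // version pin and no integrity check. Pinning the version or baking snyk into the
                                // scan image would make the scan tooling itself reproducible and auditable.
                                sh 'npm install snyk --global --quiet'
                                if (config.toHtml) {
                                    config.toJson = true   // the HTML report is rendered from the JSON report
                                    sh 'npm install snyk-to-html --global --quiet'
                                }

                                // Install the project's dependencies so `snyk test` can resolve them.
                                // NOTE(review): this also runs the scanned project's install/lifecycle scripts inside
                                // a container that holds SNYK_TOKEN; for untrusted sources weigh `--ignore-scripts`.
                                sh 'cd "$SNYK_SCAN_PATH" && npm install --quiet'

                                // Build the scan command. The list is appended with `<<` rather than `push`, because
                                // `List.push` prepends in Groovy 2.5+ and would reorder the command fragments.
                                def cmd = ['cd "$SNYK_SCAN_PATH"']
                                if (config.monitor) {
                                    cmd << '&& snyk monitor'
                                    if (config.snykOrg) {
                                        cmd << '--org="$SNYK_ORG"'   // the org applies to `monitor` only, as before
                                    }
                                }
                                cmd << '&& snyk test'
                                if (config.toJson) {
                                    cmd << '--json > snyk.json'   // written next to package.json, because of the `cd`
                                }
                                try {
                                    // A non-zero exit (findings, or a tool error) propagates after the report is rendered.
                                    sh cmd.join(' ')
                                } finally {
                                    if (config.toHtml) {
                                        sh 'snyk-to-html -i "${SNYK_SCAN_PATH}snyk.json" -o "${SNYK_SCAN_PATH}snyk.html"'
                                    }
                                }
                            }
                        }
                    }
                } finally {
                    // Archive whatever was produced, also when the scan failed on findings.
                    if (config.toJson) archiveArtifacts "${reportDir}snyk.json"
                    if (config.toHtml) archiveArtifacts "${reportDir}snyk.html"
                }
                break
            default:
                error "[ERROR][${STEP_NAME}] ScanType '${config.scanType}' not supported!"
        }
    }
}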