sap-jenkins-library/resources/metadata/protecode.yaml

metadata:
  name: protecodeExecuteScan
  description: Protecode is an Open Source Vulnerability Scanner that is capable of scanning binaries. It can be used to scan docker images but is supports many other programming languages especially those of the C family.
  longDescription: |-
    Protecode is an Open Source Vulnerability Scanner that is capable of scanning binaries. It can be used to scan docker images but is supports many other programming languages especially those of the C family.

    !!! hint "Auditing findings (Triaging)"
        Triaging is now supported by the Protecode backend and also Piper does consider this information during the analysis of the scan results though product versions are not supported by Protecode. Therefore please make sure that the `fileName` you are providing does either contain a stable version or that it does not contain one at all. By ensuring that you are able to triage CVEs globally on the upload file's name without affecting any other artifacts scanned in the same Protecode group and as such triaged vulnerabilities will be considered during the next scan and will not fail the build anymore.
spec:
  inputs:
    secrets:
      - name: protecodeCredentialsId
        description: Jenkins 'Username with password' credentials ID containing username and password to authenticate to the Protecode system.
        type: jenkins
      - name: dockerConfigJsonCredentialsId
        description: Jenkins 'Secret file' credentials ID containing Docker config.json (with registry credential(s)). You can create it like explained in the Docker Success Center in the article about [how to generate a new auth in the config.json file](https://success.docker.com/article/generate-new-auth-in-config-json-file).
        type: jenkins
        aliases:
          - name: dockerCredentialsId
            deprecated: true
    params:
      - name: excludeCVEs
        aliases:
          - name: protecodeExcludeCVEs
        type: string
        description: "DEPRECATED: Do use triaging within the Protecode UI instead"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: ""
      - name: failOnSevereVulnerabilities
        aliases:
          - name: protecodeFailOnSevereVulnerabilities
        type: bool
        description: Whether to fail the job on severe vulnerabilties or not
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: scanImage
        aliases:
          - name: dockerImage
        type: string
        description: The reference to the docker image to scan with Protecode
        resourceRef:
          - name: commonPipelineEnvironment
            param: container/imageNameTag
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
      - name: dockerRegistryUrl
        type: string
        description: The reference to the docker registry to scan with Protecode
        resourceRef:
          - name: commonPipelineEnvironment
            param: container/registryUrl
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
      - name: dockerConfigJSON
        type: string
        description: Path to the file `.docker/config.json` - this is typically provided by your CI/CD system. You can find more details about the Docker credentials in the [Docker documentation](https://docs.docker.com/engine/reference/commandline/login/).
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        secret: true
        resourceRef:
          - name: dockerConfigJsonCredentialsId
            type: secret
          - type: vaultSecretFile
            paths:
              - $(vaultPath)/docker-config
              - $(vaultBasePath)/$(vaultPipelineName)/docker-config
              - $(vaultBasePath)/GROUP-SECRETS/docker-config
      - name: cleanupMode
        type: string
        description: Decides which parts are removed from the Protecode backend after the scan
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: binary
        possibleValues:
          - none
          - binary
          - complete
      - name: filePath
        type: string
        description: The path to the file from local workspace to scan with Protecode
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: includeLayers
        type: bool
        description: Flag if the docker layers should be included
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: timeoutMinutes
        aliases:
          - name: protecodeTimeoutMinutes
        type: string
        description: The timeout to wait for the scan to finish
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 60
      - name: serverUrl
        aliases:
          - name: protecodeServerUrl
        type: string
        description: The URL to the Protecode backend
        mandatory: true
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
      - name: reportFileName
        type: string
        description: The file name of the report to be created
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: protecode_report.pdf
      - name: fetchUrl
        type: string
        description: The URL to fetch the file to scan with Protecode which must be accessible via public HTTP GET request
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: group
        aliases:
          - name: protecodeGroup
        type: string
        description: The Protecode group ID of your team
        mandatory: true
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: reuseExisting
        type: bool
        description: Whether to reuse an existing product instead of creating a new one
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: username
        aliases:
          - name: user
            deprecated: true
        type: string
        description: User which is used for the protecode scan
        mandatory: true
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        secret: true
        resourceRef:
          - name: protecodeCredentialsId
            type: secret
            param: username
          - type: vaultSecret
            paths:
              - $(vaultPath)/protecode
              - $(vaultBasePath)/$(vaultPipelineName)/protecode
              - $(vaultBasePath)/GROUP-SECRETS/protecode
      - name: password
        type: string
        description: Password which is used for the user
        mandatory: true
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        secret: true
        resourceRef:
          - name: protecodeCredentialsId
            type: secret
            param: password
          - type: vaultSecret
            paths:
              - $(vaultPath)/protecode
              - $(vaultBasePath)/$(vaultPipelineName)/protecode
              - $(vaultBasePath)/GROUP-SECRETS/protecode
      - name: artifactVersion
        type: string
        description: The version of the artifact to allow identification in protecode backend
        resourceRef:
          - name: commonPipelineEnvironment
            param: artifactVersion
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: pullRequestName
        type: string
        description: The name of the pull request
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
  outputs:
    resources:
      - name: influx
        type: influx
        params:
          - name: protecode_data
            fields:
              - name: historical_vulnerabilities
              - name: triaged_vulnerabilities
              - name: excluded_vulnerabilities
              - name: minor_vulnerabilities
              - name: major_vulnerabilities
              - name: vulnerabilities
Protecode as GoLang (#1119) * Protecode as go implementation Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com> 2020-02-06 17:16:34 +02:00			`metadata:`
			`name: protecodeExecuteScan`
Adjust documentation for Protecode (#1175) 2020-02-12 16:57:39 +02:00			`description: Protecode is an Open Source Vulnerability Scanner that is capable of scanning binaries. It can be used to scan docker images but is supports many other programming languages especially those of the C family.`
Protecode as GoLang (#1119) * Protecode as go implementation Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com> 2020-02-06 17:16:34 +02:00			`longDescription: \|-`
Adjust documentation for Protecode (#1175) 2020-02-12 16:57:39 +02:00			`Protecode is an Open Source Vulnerability Scanner that is capable of scanning binaries. It can be used to scan docker images but is supports many other programming languages especially those of the C family.`
Protecode as GoLang (#1119) * Protecode as go implementation Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com> 2020-02-06 17:16:34 +02:00
			`!!! hint "Auditing findings (Triaging)"`
			Triaging is now supported by the Protecode backend and also Piper does consider this information during the analysis of the scan results though product versions are not supported by Protecode. Therefore please make sure that the `fileName` you are providing does either contain a stable version or that it does not contain one at all. By ensuring that you are able to triage CVEs globally on the upload file's name without affecting any other artifacts scanned in the same Protecode group and as such triaged vulnerabilities will be considered during the next scan and will not fail the build anymore.
			`spec:`
			`inputs:`
Add / update Jenkins credential descriptions (#2058) 2020-09-23 13:22:51 +02:00			`secrets:`
			`- name: protecodeCredentialsId`
			`description: Jenkins 'Username with password' credentials ID containing username and password to authenticate to the Protecode system.`
			`type: jenkins`
			`- name: dockerConfigJsonCredentialsId`
			`description: Jenkins 'Secret file' credentials ID containing Docker config.json (with registry credential(s)). You can create it like explained in the Docker Success Center in the article about [how to generate a new auth in the config.json file](https://success.docker.com/article/generate-new-auth-in-config-json-file).`
			`type: jenkins`
			`aliases:`
			`- name: dockerCredentialsId`
			`deprecated: true`
Protecode as GoLang (#1119) * Protecode as go implementation Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com> 2020-02-06 17:16:34 +02:00			`params:`
refactor: correct yaml format (#1965) 2020-08-31 16:10:28 +02:00			`- name: excludeCVEs`
			`aliases:`
			`- name: protecodeExcludeCVEs`
			`type: string`
			`description: "DEPRECATED: Do use triaging within the Protecode UI instead"`
			`scope:`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
fix(protecode): correct default value for excludeCVEs (#2025) * correct default value * regenerate Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com> 2020-09-17 21:05:03 +02:00			`default: ""`
refactor: correct yaml format (#1965) 2020-08-31 16:10:28 +02:00			`- name: failOnSevereVulnerabilities`
			`aliases:`
			`- name: protecodeFailOnSevereVulnerabilities`
			`type: bool`
			`description: Whether to fail the job on severe vulnerabilties or not`
			`scope:`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`default: true`
			`- name: scanImage`
			`aliases:`
			`- name: dockerImage`
			`type: string`
			`description: The reference to the docker image to scan with Protecode`
			`resourceRef:`
			`- name: commonPipelineEnvironment`
			`param: container/imageNameTag`
			`scope:`
			`- GENERAL`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`- name: dockerRegistryUrl`
			`type: string`
			`description: The reference to the docker registry to scan with Protecode`
			`resourceRef:`
			`- name: commonPipelineEnvironment`
			`param: container/registryUrl`
			`scope:`
			`- GENERAL`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`- name: dockerConfigJSON`
			`type: string`
			description: Path to the file `.docker/config.json` - this is typically provided by your CI/CD system. You can find more details about the Docker credentials in the [Docker documentation](https://docs.docker.com/engine/reference/commandline/login/).
			`scope:`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`secret: true`
			`resourceRef:`
			`- name: dockerConfigJsonCredentialsId`
			`type: secret`
(Vault) add vaultSecretFile References (#2314) * add vaultSecretFile References * add vaultRef to protecode Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com> 2020-11-06 19:06:19 +02:00			`- type: vaultSecretFile`
			`paths:`
			`- $(vaultPath)/docker-config`
			`- $(vaultBasePath)/$(vaultPipelineName)/docker-config`
			`- $(vaultBasePath)/GROUP-SECRETS/docker-config`
refactor: correct yaml format (#1965) 2020-08-31 16:10:28 +02:00			`- name: cleanupMode`
			`type: string`
			`description: Decides which parts are removed from the Protecode backend after the scan`
			`scope:`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`default: binary`
			`possibleValues:`
			`- none`
			`- binary`
			`- complete`
			`- name: filePath`
			`type: string`
			`description: The path to the file from local workspace to scan with Protecode`
			`scope:`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`- name: includeLayers`
			`type: bool`
			`description: Flag if the docker layers should be included`
			`scope:`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`- name: timeoutMinutes`
			`aliases:`
			`- name: protecodeTimeoutMinutes`
			`type: string`
			`description: The timeout to wait for the scan to finish`
			`scope:`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`default: 60`
			`- name: serverUrl`
			`aliases:`
			`- name: protecodeServerUrl`
			`type: string`
			`description: The URL to the Protecode backend`
			`mandatory: true`
			`scope:`
			`- GENERAL`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`- name: reportFileName`
			`type: string`
			`description: The file name of the report to be created`
			`scope:`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`default: protecode_report.pdf`
			`- name: fetchUrl`
			`type: string`
			`description: The URL to fetch the file to scan with Protecode which must be accessible via public HTTP GET request`
			`scope:`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`- name: group`
			`aliases:`
			`- name: protecodeGroup`
			`type: string`
			`description: The Protecode group ID of your team`
			`mandatory: true`
			`scope:`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`- name: reuseExisting`
			`type: bool`
			`description: Whether to reuse an existing product instead of creating a new one`
			`scope:`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`- name: username`
			`aliases:`
			`- name: user`
			`deprecated: true`
			`type: string`
			`description: User which is used for the protecode scan`
			`mandatory: true`
			`scope:`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`secret: true`
			`resourceRef:`
			`- name: protecodeCredentialsId`
			`type: secret`
			`param: username`
feature(protecodeExecuteScan) proper Vault support (#2483) 2020-12-22 18:43:57 +02:00			`- type: vaultSecret`
			`paths:`
			`- $(vaultPath)/protecode`
			`- $(vaultBasePath)/$(vaultPipelineName)/protecode`
			`- $(vaultBasePath)/GROUP-SECRETS/protecode`
refactor: correct yaml format (#1965) 2020-08-31 16:10:28 +02:00			`- name: password`
			`type: string`
			`description: Password which is used for the user`
			`mandatory: true`
			`scope:`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`secret: true`
			`resourceRef:`
			`- name: protecodeCredentialsId`
			`type: secret`
			`param: password`
feature(protecodeExecuteScan) proper Vault support (#2483) 2020-12-22 18:43:57 +02:00			`- type: vaultSecret`
			`paths:`
			`- $(vaultPath)/protecode`
			`- $(vaultBasePath)/$(vaultPipelineName)/protecode`
			`- $(vaultBasePath)/GROUP-SECRETS/protecode`
refactor: correct yaml format (#1965) 2020-08-31 16:10:28 +02:00			`- name: artifactVersion`
			`type: string`
			`description: The version of the artifact to allow identification in protecode backend`
			`resourceRef:`
			`- name: commonPipelineEnvironment`
			`param: artifactVersion`
			`scope:`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`- name: pullRequestName`
			`type: string`
			`description: The name of the pull request`
			`scope:`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
Protecode as GoLang (#1119) * Protecode as go implementation Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com> 2020-02-06 17:16:34 +02:00			`outputs:`
			`resources:`
			`- name: influx`
			`type: influx`
			`params:`
Adjust protecode influx parameter (#1161) 2020-02-07 15:12:40 +02:00			`- name: protecode_data`
Protecode as GoLang (#1119) * Protecode as go implementation Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com> 2020-02-06 17:16:34 +02:00			`fields:`
Adjust protecode influx parameter (#1161) 2020-02-07 15:12:40 +02:00			`- name: historical_vulnerabilities`
			`- name: triaged_vulnerabilities`
			`- name: excluded_vulnerabilities`
			`- name: minor_vulnerabilities`
			`- name: major_vulnerabilities`
Protecode as GoLang (#1119) * Protecode as go implementation Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com> 2020-02-06 17:16:34 +02:00			`- name: vulnerabilities`