sap-jenkins-library/vars/snykExecute.groovy

import static com.sap.piper.Prerequisites.checkScript

import com.sap.piper.ConfigurationHelper
import com.sap.piper.GenerateDocumentation
import com.sap.piper.Utils
import com.sap.piper.mta.MtaMultiplexer

import groovy.transform.Field

@Field def STEP_NAME = getClass().getName()

@Field Set GENERAL_CONFIG_KEYS = [
    /**
     * Credentials for accessing the Snyk API.
     * @possibleValues Jenkins credentials id
     */
    'snykCredentialsId'
]
@Field Set STEP_CONFIG_KEYS = GENERAL_CONFIG_KEYS.plus([
    /**
     * The path to the build descriptor file, e.g. `./package.json`.
     */
    'buildDescriptorFile',
    /** @see dockerExecute */
    'dockerImage',
    /**
     * Only scanType 'mta': Exclude modules from MTA projects.
     */
    'exclude',
    /**
     * Monitor the application's dependencies for new vulnerabilities.
     */
    'monitor',
    //TODO: move to general
    /**
     * The type of project that should be scanned.
     * @possibleValues `npm`, `mta`
     */
    'scanType',
    /**
     * Only needed for `monitor: true`: The organisation ID to determine the organisation to report to.
     */
    'snykOrg',
    /**
     * Generate and archive a JSON report.
     */
    'toJson',
    /**
     * Generate and archive a HTML report.
     */
    'toHtml'
])
@Field Set PARAMETER_KEYS = STEP_CONFIG_KEYS

//https://snyk.io/docs/continuous-integration/
/**
 * This step performs an open source vulnerability scan on a *Node project* or *Node module inside an MTA project* through snyk.io.
 */
@GenerateDocumentation
void call(Map parameters = [:]) {
    handlePipelineStepErrors(stepName: STEP_NAME, stepParameters: parameters) {
        def utils = parameters.juStabUtils ?: new Utils()

        def script = checkScript(this, parameters) ?: this

        Map config = ConfigurationHelper.newInstance(this)
            .loadStepDefaults()
            .mixinGeneralConfig(script.commonPipelineEnvironment, GENERAL_CONFIG_KEYS)
            .mixinStepConfig(script.commonPipelineEnvironment, STEP_CONFIG_KEYS)
            .mixinStageConfig(script.commonPipelineEnvironment, parameters.stageName?:env.STAGE_NAME, STEP_CONFIG_KEYS)
            .mixin(parameters, PARAMETER_KEYS)
            // check mandatory paramerers
            .withMandatoryProperty('dockerImage')
            .withMandatoryProperty('snykCredentialsId')
            .use()

        new Utils().pushToSWA([
            step: STEP_NAME,
            stepParamKey1: 'scriptMissing',
            stepParam1: parameters?.script == null
        ], config)

        utils.unstashAll(config.stashContent)

        switch(config.scanType) {
            case 'mta':
                def scanJobs = [failFast: false]
                // create job for each package.json with scanType: 'npm'
                scanJobs.putAll(MtaMultiplexer.createJobs(
                    this, parameters, config.exclude, 'Snyk', 'package.json', 'npm'
                ){options -> snykExecute(options)})
                // execute scan jobs in parallel
                parallel scanJobs
                break
            case 'npm':
                // set default file for scanType
                def path = config.buildDescriptorFile.replace('package.json', '')
                try{
                    withCredentials([string(
                        credentialsId: config.snykCredentialsId,
                        variable: 'token'
                    )]) {
                        dockerExecute(
                            script: script,
                            dockerImage: config.dockerImage,
                            stashContent: config.stashContent,
                            dockerEnvVars: ['SNYK_TOKEN': token]
                        ) {
                            // install Snyk
                            sh 'npm install snyk --global --quiet'
                            if(config.toHtml){
                                config.toJson = true
                                sh 'npm install snyk-to-html --global --quiet'
                            }
                            // install NPM dependencies
                            sh "cd '${path}' && npm install --quiet"
                            // execute Snyk scan
                            def cmd = []
                            cmd.push("cd '${path}'")
                            if(config.monitor) {
                                cmd.push('&& snyk monitor')
                                if(config.snykOrg)
                                    cmd.push("--org=${config.snykOrg}")
                            }
                            cmd.push('&& snyk test')
                            if(config.toJson)
                                cmd.push("--json > snyk.json")
                            try{
                                sh cmd.join(' ')
                            }finally{
                                if(config.toHtml) sh "snyk-to-html -i ${path}snyk.json -o ${path}snyk.html"
                            }
                        }
                    }
                }finally{
                    if(config.toJson) archiveArtifacts "${path.replaceAll('\\./', '')}snyk.json"
                    if(config.toHtml) archiveArtifacts "${path.replaceAll('\\./', '')}snyk.html"
                }
                break
            default:
                error "[ERROR][${STEP_NAME}] ScanType '${config.scanType}' not supported!"
        }
    }
}
Ensure script is mandatory parameter ... only in case a step uses the script at all. 2018-09-21 16:55:31 +02:00			`import static com.sap.piper.Prerequisites.checkScript`

add step for Snyk scan execution 2018-06-25 13:14:46 +02:00			`import com.sap.piper.ConfigurationHelper`
snykExecute: add missing documentation (#570) * add docs for snykExecute * add link to new docs page 2019-03-18 12:08:41 +02:00			`import com.sap.piper.GenerateDocumentation`
add step for Snyk scan execution 2018-06-25 13:14:46 +02:00			`import com.sap.piper.Utils`
			`import com.sap.piper.mta.MtaMultiplexer`

			`import groovy.transform.Field`

Step name is not a string literal anymore Having the step name always the same like the file name, which is in turn the class name is redundant. 2018-11-29 10:54:05 +02:00			`@Field def STEP_NAME = getClass().getName()`
add step for Snyk scan execution 2018-06-25 13:14:46 +02:00
snykExecute: add missing documentation (#570) * add docs for snykExecute * add link to new docs page 2019-03-18 12:08:41 +02:00			`@Field Set GENERAL_CONFIG_KEYS = [`
			`/**`
			`* Credentials for accessing the Snyk API.`
			`* @possibleValues Jenkins credentials id`
			`*/`
			`'snykCredentialsId'`
			`]`
add step for Snyk scan execution 2018-06-25 13:14:46 +02:00			`@Field Set STEP_CONFIG_KEYS = GENERAL_CONFIG_KEYS.plus([`
snykExecute: add missing documentation (#570) * add docs for snykExecute * add link to new docs page 2019-03-18 12:08:41 +02:00			`/**`
			* The path to the build descriptor file, e.g. `./package.json`.
			`*/`
add step for Snyk scan execution 2018-06-25 13:14:46 +02:00			`'buildDescriptorFile',`
snykExecute: add missing documentation (#570) * add docs for snykExecute * add link to new docs page 2019-03-18 12:08:41 +02:00			`/** @see dockerExecute */`
add step for Snyk scan execution 2018-06-25 13:14:46 +02:00			`'dockerImage',`
snykExecute: add missing documentation (#570) * add docs for snykExecute * add link to new docs page 2019-03-18 12:08:41 +02:00			`/**`
			`* Only scanType 'mta': Exclude modules from MTA projects.`
			`*/`
rename exclude parameter 2018-06-26 16:08:03 +02:00			`'exclude',`
snykExecute: add missing documentation (#570) * add docs for snykExecute * add link to new docs page 2019-03-18 12:08:41 +02:00			`/**`
			`* Monitor the application's dependencies for new vulnerabilities.`
			`*/`
add step for Snyk scan execution 2018-06-25 13:14:46 +02:00			`'monitor',`
snykExecute: add missing documentation (#570) * add docs for snykExecute * add link to new docs page 2019-03-18 12:08:41 +02:00			`//TODO: move to general`
			`/**`
			`* The type of project that should be scanned.`
			* @possibleValues `npm`, `mta`
			`*/`
add step for Snyk scan execution 2018-06-25 13:14:46 +02:00			`'scanType',`
snykExecute: add missing documentation (#570) * add docs for snykExecute * add link to new docs page 2019-03-18 12:08:41 +02:00			`/**`
			* Only needed for `monitor: true`: The organisation ID to determine the organisation to report to.
			`*/`
add step for Snyk scan execution 2018-06-25 13:14:46 +02:00			`'snykOrg',`
snykExecute: add missing documentation (#570) * add docs for snykExecute * add link to new docs page 2019-03-18 12:08:41 +02:00			`/**`
			`* Generate and archive a JSON report.`
			`*/`
add snyk html report 2018-06-26 15:47:46 +02:00			`'toJson',`
snykExecute: add missing documentation (#570) * add docs for snykExecute * add link to new docs page 2019-03-18 12:08:41 +02:00			`/**`
			`* Generate and archive a HTML report.`
			`*/`
add snyk html report 2018-06-26 15:47:46 +02:00			`'toHtml'`
add step for Snyk scan execution 2018-06-25 13:14:46 +02:00			`])`
			`@Field Set PARAMETER_KEYS = STEP_CONFIG_KEYS`

snykExecute: add missing documentation (#570) * add docs for snykExecute * add link to new docs page 2019-03-18 12:08:41 +02:00			`//https://snyk.io/docs/continuous-integration/`
			`/**`
			`* This step performs an open source vulnerability scan on a Node project or Node module inside an MTA project through snyk.io.`
			`*/`
			`@GenerateDocumentation`
remove step return types 2018-08-30 16:33:07 +02:00			`void call(Map parameters = [:]) {`
fix method name 2018-06-26 13:17:12 +02:00			`handlePipelineStepErrors(stepName: STEP_NAME, stepParameters: parameters) {`
add step for Snyk scan execution 2018-06-25 13:14:46 +02:00			`def utils = parameters.juStabUtils ?: new Utils()`
Ensure script is mandatory parameter ... only in case a step uses the script at all. 2018-09-21 16:55:31 +02:00
script = this as fallback instead of map with cpe of current step o The map does not provide access to e.g. sh, echo. o this has the same cpe as property as it is constructed with the current map approach. 2018-10-31 09:40:12 +02:00			`def script = checkScript(this, parameters) ?: this`
add step for Snyk scan execution 2018-06-25 13:14:46 +02:00
Introduce dedicated factory method for configuration helper 2018-10-17 11:05:20 +02:00			`Map config = ConfigurationHelper.newInstance(this)`
don't use load step defaults as implicit factory method. 2018-09-07 10:08:16 +02:00			`.loadStepDefaults()`
add step for Snyk scan execution 2018-06-25 13:14:46 +02:00			`.mixinGeneralConfig(script.commonPipelineEnvironment, GENERAL_CONFIG_KEYS)`
			`.mixinStepConfig(script.commonPipelineEnvironment, STEP_CONFIG_KEYS)`
swtich stage/step config loading to correct order (#250) 2018-08-15 10:37:34 +02:00			`.mixinStageConfig(script.commonPipelineEnvironment, parameters.stageName?:env.STAGE_NAME, STEP_CONFIG_KEYS)`
add step for Snyk scan execution 2018-06-25 13:14:46 +02:00			`.mixin(parameters, PARAMETER_KEYS)`
			`// check mandatory paramerers`
fix method name 2018-06-26 13:18:21 +02:00			`.withMandatoryProperty('dockerImage')`
			`.withMandatoryProperty('snykCredentialsId')`
add step for Snyk scan execution 2018-06-25 13:14:46 +02:00			`.use()`

Analytics: add step parameter keys (#442) * add stepParamKey values * camelCase 2019-01-21 09:47:34 +02:00			`new Utils().pushToSWA([`
			`step: STEP_NAME,`
			`stepParamKey1: 'scriptMissing',`
			`stepParam1: parameters?.script == null`
			`], config)`
add telemetry reporting to steps (#243) add telemetry to all steps using ConfigurationHelper. Other steps need to be switched to ConfigurationHelper first. update docs 2018-08-09 11:35:33 +02:00
add step for Snyk scan execution 2018-06-25 13:14:46 +02:00			`utils.unstashAll(config.stashContent)`

			`switch(config.scanType) {`
			`case 'mta':`
			`def scanJobs = [failFast: false]`
			`// create job for each package.json with scanType: 'npm'`
			`scanJobs.putAll(MtaMultiplexer.createJobs(`
rename exclude parameter 2018-06-26 16:08:03 +02:00			`this, parameters, config.exclude, 'Snyk', 'package.json', 'npm'`
correct step name 2018-06-26 15:34:32 +02:00			`){options -> snykExecute(options)})`
add step for Snyk scan execution 2018-06-25 13:14:46 +02:00			`// execute scan jobs in parallel`
			`parallel scanJobs`
			`break`
			`case 'npm':`
			`// set default file for scanType`
			`def path = config.buildDescriptorFile.replace('package.json', '')`
			`try{`
			`withCredentials([string(`
			`credentialsId: config.snykCredentialsId,`
			`variable: 'token'`
			`)]) {`
			`dockerExecute(`
Docker execution - make sure that script is passed (#403) 2018-11-28 11:46:47 +02:00			`script: script,`
add step for Snyk scan execution 2018-06-25 13:14:46 +02:00			`dockerImage: config.dockerImage,`
			`stashContent: config.stashContent,`
			`dockerEnvVars: ['SNYK_TOKEN': token]`
			`) {`
			`// install Snyk`
add step tests 2018-06-26 15:08:46 +02:00			`sh 'npm install snyk --global --quiet'`
add snyk html report 2018-06-26 15:47:46 +02:00			`if(config.toHtml){`
			`config.toJson = true`
			`sh 'npm install snyk-to-html --global --quiet'`
			`}`
add step for Snyk scan execution 2018-06-25 13:14:46 +02:00			`// install NPM dependencies`
			`sh "cd '${path}' && npm install --quiet"`
			`// execute Snyk scan`
			`def cmd = []`
			`cmd.push("cd '${path}'")`
			`if(config.monitor) {`
			`cmd.push('&& snyk monitor')`
			`if(config.snykOrg)`
			`cmd.push("--org=${config.snykOrg}")`
			`}`
			`cmd.push('&& snyk test')`
			`if(config.toJson)`
add snyk html report 2018-06-26 16:05:43 +02:00			`cmd.push("--json > snyk.json")`
add snyk html report 2018-06-26 16:00:26 +02:00			`try{`
			`sh cmd.join(' ')`
			`}finally{`
add snyk html report 2018-06-26 16:05:43 +02:00			`if(config.toHtml) sh "snyk-to-html -i ${path}snyk.json -o ${path}snyk.html"`
add snyk html report 2018-06-26 16:00:26 +02:00			`}`
add step for Snyk scan execution 2018-06-25 13:14:46 +02:00			`}`
			`}`
			`}finally{`
add snyk html report 2018-06-26 16:05:43 +02:00			`if(config.toJson) archiveArtifacts "${path.replaceAll('\\./', '')}snyk.json"`
			`if(config.toHtml) archiveArtifacts "${path.replaceAll('\\./', '')}snyk.html"`
add step for Snyk scan execution 2018-06-25 13:14:46 +02:00			`}`
			`break`
			`default:`
			`error "[ERROR][${STEP_NAME}] ScanType '${config.scanType}' not supported!"`
			`}`
			`}`
			`}`