sap-jenkins-library/pkg/whitesource/scan.go

package whitesource

import (
	"fmt"
	"sort"
	"strings"
	"time"

	"github.com/SAP/jenkins-library/pkg/log"
	"github.com/SAP/jenkins-library/pkg/piperutils"
)

// Scan stores information about scanned WhiteSource projects (modules).
type Scan struct {
	// AggregateProjectName stores the name of the WhiteSource project where scans shall be aggregated.
	// It does not include the ProductVersion.
	AggregateProjectName string
	// ProductVersion is the global version that is used across all Projects (modules) during the scan.
	ProductVersion  string
	scannedProjects map[string]Project
	scanTimes       map[string]time.Time
	AgentName       string
	AgentVersion    string
}

func (s *Scan) init() {
	if s.scannedProjects == nil {
		s.scannedProjects = make(map[string]Project)
	}
	if s.scanTimes == nil {
		s.scanTimes = make(map[string]time.Time)
	}
}

func (s *Scan) versionSuffix() string {
	return " - " + s.ProductVersion
}

// AppendScannedProject checks that no Project with the same name is already contained in the list of scanned projects,
// and appends a new Project with the given name. The global product version is appended to the name.
func (s *Scan) AppendScannedProject(projectName string) error {
	if len(projectName) == 0 {
		return fmt.Errorf("projectName must not be empty")
	}
	if strings.HasSuffix(projectName, s.versionSuffix()) {
		return fmt.Errorf("projectName is not expected to include the product version already")
	}
	return s.AppendScannedProjectVersion(projectName + s.versionSuffix())
}

// AppendScannedProjectVersion checks that no Project with the same name is already contained in the list of scanned
// projects,  and appends a new Project with the given name (which is expected to include the product version).
func (s *Scan) AppendScannedProjectVersion(projectName string) error {
	if !strings.HasSuffix(projectName, s.versionSuffix()) {
		return fmt.Errorf("projectName is expected to include the product version")
	}
	if len(projectName) == len(s.versionSuffix()) {
		return fmt.Errorf("projectName consists only of the product version")
	}
	s.init()
	_, exists := s.scannedProjects[projectName]
	if exists {
		log.Entry().Errorf("A module with the name '%s' was already scanned. "+
			"Your project's modules must have unique names.", projectName)
		return fmt.Errorf("project with name '%s' was already scanned", projectName)
	}
	s.scannedProjects[projectName] = Project{Name: projectName}
	s.scanTimes[projectName] = time.Now()
	return nil
}

// ProjectByName returns a WhiteSource Project previously established via AppendScannedProject().
func (s *Scan) ProjectByName(projectName string) (Project, bool) {
	project, exists := s.scannedProjects[projectName]
	return project, exists
}

// ScannedProjects returns the WhiteSource projects that have been added via AppendScannedProject() as a slice.
func (s *Scan) ScannedProjects() []Project {
	var projects []Project
	for _, project := range s.scannedProjects {
		projects = append(projects, project)
	}
	return projects
}

// ScannedProjectNames returns a sorted list of all scanned project names
func (s *Scan) ScannedProjectNames() []string {
	projectNames := []string{}
	for _, project := range s.ScannedProjects() {
		projectNames = append(projectNames, project.Name)
	}
	// Sorting helps the list become stable across pipeline runs (and in the unit tests),
	// as the order in which we travers map keys is not deterministic.
	sort.Strings(projectNames)
	return projectNames
}

// ScanTime returns the time at which the respective WhiteSource Project was scanned, or the the
// zero value of time.Time, if AppendScannedProject() was not called with that name.
func (s *Scan) ScanTime(projectName string) time.Time {
	if s.scanTimes == nil {
		return time.Time{}
	}
	return s.scanTimes[projectName]
}

type whitesource interface {
	GetProjectsMetaInfo(productToken string) ([]Project, error)
	GetProjectRiskReport(projectToken string) ([]byte, error)
	GetProjectVulnerabilityReport(projectToken string, format string) ([]byte, error)
}

// UpdateProjects pulls the current backend metadata for all WhiteSource projects in the product with
// the given productToken, and updates all scanned projects with the obtained information.
func (s *Scan) UpdateProjects(productToken string, sys whitesource) error {
	s.init()
	projects, err := sys.GetProjectsMetaInfo(productToken)
	if err != nil {
		return fmt.Errorf("failed to retrieve WhiteSource projects meta info: %w", err)
	}

	var projectsToUpdate []string
	for projectName := range s.scannedProjects {
		projectsToUpdate = append(projectsToUpdate, projectName)
	}

	for _, project := range projects {
		_, exists := s.scannedProjects[project.Name]
		if exists {
			s.scannedProjects[project.Name] = project
			projectsToUpdate, _ = piperutils.RemoveAll(projectsToUpdate, project.Name)
		}
	}
	if len(projectsToUpdate) != 0 {
		log.Entry().Warnf("Could not fetch metadata for projects %v", projectsToUpdate)
	}
	return nil
}
whitesourceExecuteScan: Re-organize code between step and whitesource package (#2207) 2020-10-20 09:49:26 +02:00			`package whitesource`

			`import (`
			`"fmt"`
feat(pipelineCreateScanSummary) Create groovy wrapper (#2743) * feat(pipelineCreateScanSummary) Create groovy wrapper * add command to binary * stash step reports * update stash * fix typo * unstash reports first * update reporting * update json reporting * update tests & enhance logging * update md report * update md reporting * fix rendering * update tests 2021-04-15 07:45:06 +02:00			`"sort"`
whitesourceExecuteScan: Re-organize code between step and whitesource package (#2207) 2020-10-20 09:49:26 +02:00			`"strings"`
			`"time"`
feat(whitesourceExecuteScan): UA for all build tools, e.g. maven & npm (#2501) * feat(whitesource): add config helper this helps to ease & enforce config settings * fix accidential change of class * add todos wrt java download * use existing scanOptions, add option to download jre * update generation * fix generation * allow running UA via go library * correct image, improve logging * add removal of downloaded JVM * update java creation and deletion * refactor and add log output * remove obsolete ToDo * increase test coverage * increase test coverage * adding aliases and tests * make go modules as default * maven: update behavior of projectNaming * add Docker capabilities * correct parameter name * retrieve Docker coordinates * docker coordinates only to provide artifact * add ToDos * add mta capability * add aliases, mvn arguments for settings * clean up groovy part * update defaults * add container for pip * add defaults, add maven specifics, ... * properly download settings * maven: check existence of excluded files * fix reporting * Update CommonStepsTest.groovy * update comment * fix CodeClimate finding * add tests for pip & fix minor issues * fix order of pip build descriptors * update pip container options * fix pip virtualEnv parameter * update report permissions * fix test * update container options * add use fileUtils to load properties file * update parameter description * adding Docker scanning defaults * clean up configHelper * consider also npm tool cache * add todos 2021-02-03 15:52:48 +02:00
			`"github.com/SAP/jenkins-library/pkg/log"`
			`"github.com/SAP/jenkins-library/pkg/piperutils"`
whitesourceExecuteScan: Re-organize code between step and whitesource package (#2207) 2020-10-20 09:49:26 +02:00			`)`

			`// Scan stores information about scanned WhiteSource projects (modules).`
			`type Scan struct {`
			`// AggregateProjectName stores the name of the WhiteSource project where scans shall be aggregated.`
			`// It does not include the ProductVersion.`
			`AggregateProjectName string`
			`// ProductVersion is the global version that is used across all Projects (modules) during the scan.`
			`ProductVersion string`
			`scannedProjects map[string]Project`
			`scanTimes map[string]time.Time`
feat(whitesourceExecuteScan): GitHub issue creation + SARIF (#3535) * Add GH issue creation + SARIF * Code cleanup * Fix fmt, add debug * Code enhancements * Fix * Added debug info * Rework UA log scan * Fix code * read UA version * Fix nil reference * Extraction * Credentials * Issue creation * Error handling * Fix issue creation * query escape * Query escape 2 * Revert * Test avoid update * HTTP client * Add support for custom TLS certs * Fix code * Fix code 2 * Fix code 3 * Disable cert check * Fix auth * Remove implicit trust * Skip verification * Fix * Fix client * Fix HTTP auth * Fix trusted certs * Trim version * Code * Add token * Added token handling to client * Fix token * Cleanup * Fix token * Token rework * Fix code * Kick out oauth client * Kick out oauth client * Transport wrapping * Token * Simplification * Refactor * Variation * Check * Fix * Debug * Switch client * Variation * Debug * Switch to cert check * Add debug * Parse self * Cleanup * Update resources/metadata/whitesourceExecuteScan.yaml * Add debug * Expose subjects * Patch * Debug * Debug2 * Debug3 * Fix logging response body * Cleanup * Cleanup * Fix request body logging * Cleanup import * Fix import cycle * Cleanup * Fix fmt * Fix NopCloser reference * Regenerate * Reintroduce * Fix test * Fix tests * Correction * Fix error * Code fix * Fix tests * Add tests * Fix code climate issues * Code climate * Code climate again * Code climate again * Fix fmt * Fix fmt 2 Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com> 2022-02-23 10:30:19 +02:00			`AgentName string`
			`AgentVersion string`
whitesourceExecuteScan: Re-organize code between step and whitesource package (#2207) 2020-10-20 09:49:26 +02:00			`}`

			`func (s *Scan) init() {`
			`if s.scannedProjects == nil {`
			`s.scannedProjects = make(map[string]Project)`
			`}`
			`if s.scanTimes == nil {`
			`s.scanTimes = make(map[string]time.Time)`
			`}`
			`}`

whitesourcExecuteScan-go: Additional fixes (#2315) * Make sure the UA scan is known to the scan object. Fixes downloading reports later on. * Move polling into pkg/whitesource, add test for e2e scan * Remove conditions from stash config resource * Don't use version stored in CPE. This will prevent the versioningModel from being applied. 2020-11-10 10:09:51 +02:00			`func (s *Scan) versionSuffix() string {`
			`return " - " + s.ProductVersion`
			`}`

whitesourceExecuteScan: Re-organize code between step and whitesource package (#2207) 2020-10-20 09:49:26 +02:00			`// AppendScannedProject checks that no Project with the same name is already contained in the list of scanned projects,`
			`// and appends a new Project with the given name. The global product version is appended to the name.`
			`func (s *Scan) AppendScannedProject(projectName string) error {`
whitesourcExecuteScan-go: Additional fixes (#2315) * Make sure the UA scan is known to the scan object. Fixes downloading reports later on. * Move polling into pkg/whitesource, add test for e2e scan * Remove conditions from stash config resource * Don't use version stored in CPE. This will prevent the versioningModel from being applied. 2020-11-10 10:09:51 +02:00			`if len(projectName) == 0 {`
			`return fmt.Errorf("projectName must not be empty")`
			`}`
			`if strings.HasSuffix(projectName, s.versionSuffix()) {`
			`return fmt.Errorf("projectName is not expected to include the product version already")`
			`}`
			`return s.AppendScannedProjectVersion(projectName + s.versionSuffix())`
whitesourceExecuteScan: Re-organize code between step and whitesource package (#2207) 2020-10-20 09:49:26 +02:00			`}`

			`// AppendScannedProjectVersion checks that no Project with the same name is already contained in the list of scanned`
			`// projects, and appends a new Project with the given name (which is expected to include the product version).`
			`func (s *Scan) AppendScannedProjectVersion(projectName string) error {`
whitesourcExecuteScan-go: Additional fixes (#2315) * Make sure the UA scan is known to the scan object. Fixes downloading reports later on. * Move polling into pkg/whitesource, add test for e2e scan * Remove conditions from stash config resource * Don't use version stored in CPE. This will prevent the versioningModel from being applied. 2020-11-10 10:09:51 +02:00			`if !strings.HasSuffix(projectName, s.versionSuffix()) {`
whitesourceExecuteScan: Re-organize code between step and whitesource package (#2207) 2020-10-20 09:49:26 +02:00			`return fmt.Errorf("projectName is expected to include the product version")`
			`}`
whitesourcExecuteScan-go: Additional fixes (#2315) * Make sure the UA scan is known to the scan object. Fixes downloading reports later on. * Move polling into pkg/whitesource, add test for e2e scan * Remove conditions from stash config resource * Don't use version stored in CPE. This will prevent the versioningModel from being applied. 2020-11-10 10:09:51 +02:00			`if len(projectName) == len(s.versionSuffix()) {`
			`return fmt.Errorf("projectName consists only of the product version")`
			`}`
whitesourceExecuteScan: Re-organize code between step and whitesource package (#2207) 2020-10-20 09:49:26 +02:00			`s.init()`
			`_, exists := s.scannedProjects[projectName]`
			`if exists {`
			`log.Entry().Errorf("A module with the name '%s' was already scanned. "+`
			`"Your project's modules must have unique names.", projectName)`
			`return fmt.Errorf("project with name '%s' was already scanned", projectName)`
			`}`
			`s.scannedProjects[projectName] = Project{Name: projectName}`
			`s.scanTimes[projectName] = time.Now()`
			`return nil`
			`}`

			`// ProjectByName returns a WhiteSource Project previously established via AppendScannedProject().`
			`func (s *Scan) ProjectByName(projectName string) (Project, bool) {`
			`project, exists := s.scannedProjects[projectName]`
			`return project, exists`
			`}`

			`// ScannedProjects returns the WhiteSource projects that have been added via AppendScannedProject() as a slice.`
			`func (s *Scan) ScannedProjects() []Project {`
			`var projects []Project`
			`for _, project := range s.scannedProjects {`
			`projects = append(projects, project)`
			`}`
			`return projects`
			`}`

feat(pipelineCreateScanSummary) Create groovy wrapper (#2743) * feat(pipelineCreateScanSummary) Create groovy wrapper * add command to binary * stash step reports * update stash * fix typo * unstash reports first * update reporting * update json reporting * update tests & enhance logging * update md report * update md reporting * fix rendering * update tests 2021-04-15 07:45:06 +02:00			`// ScannedProjectNames returns a sorted list of all scanned project names`
			`func (s *Scan) ScannedProjectNames() []string {`
			`projectNames := []string{}`
			`for _, project := range s.ScannedProjects() {`
			`projectNames = append(projectNames, project.Name)`
			`}`
			`// Sorting helps the list become stable across pipeline runs (and in the unit tests),`
			`// as the order in which we travers map keys is not deterministic.`
			`sort.Strings(projectNames)`
			`return projectNames`
			`}`

whitesourceExecuteScan: Re-organize code between step and whitesource package (#2207) 2020-10-20 09:49:26 +02:00			`// ScanTime returns the time at which the respective WhiteSource Project was scanned, or the the`
			`// zero value of time.Time, if AppendScannedProject() was not called with that name.`
			`func (s *Scan) ScanTime(projectName string) time.Time {`
			`if s.scanTimes == nil {`
			`return time.Time{}`
			`}`
			`return s.scanTimes[projectName]`
			`}`

			`type whitesource interface {`
			`GetProjectsMetaInfo(productToken string) ([]Project, error)`
			`GetProjectRiskReport(projectToken string) ([]byte, error)`
			`GetProjectVulnerabilityReport(projectToken string, format string) ([]byte, error)`
			`}`

			`// UpdateProjects pulls the current backend metadata for all WhiteSource projects in the product with`
			`// the given productToken, and updates all scanned projects with the obtained information.`
			`func (s *Scan) UpdateProjects(productToken string, sys whitesource) error {`
			`s.init()`
			`projects, err := sys.GetProjectsMetaInfo(productToken)`
			`if err != nil {`
			`return fmt.Errorf("failed to retrieve WhiteSource projects meta info: %w", err)`
			`}`

			`var projectsToUpdate []string`
			`for projectName := range s.scannedProjects {`
			`projectsToUpdate = append(projectsToUpdate, projectName)`
			`}`

			`for _, project := range projects {`
			`_, exists := s.scannedProjects[project.Name]`
			`if exists {`
			`s.scannedProjects[project.Name] = project`
			`projectsToUpdate, _ = piperutils.RemoveAll(projectsToUpdate, project.Name)`
			`}`
			`}`
			`if len(projectsToUpdate) != 0 {`
			`log.Entry().Warnf("Could not fetch metadata for projects %v", projectsToUpdate)`
			`}`
			`return nil`
			`}`