sap-jenkins-library/resources/metadata/codeqlExecuteScan.yaml

metadata:
  name: codeqlExecuteScan
  description: This step executes a codeql scan on the specified project to perform static code analysis and check the source code for security flaws.
  longDescription: |-
    This step executes a codeql scan on the specified project to perform static code analysis and check the source code for security flaws.

    The codeql step triggers a scan locally on your orchestrator (e.g. Jenkins) within a docker container so finally you have to supply a docker image with codeql
    and Java plus Maven.

spec:
  inputs:
    secrets:
      - name: githubTokenCredentialsId
        description: Jenkins 'Secret text' credentials ID containing token to authenticate to GitHub.
        type: jenkins
    params:
      - name: githubToken
        description: "GitHub personal access token as per
          https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line"
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
        secret: true
        aliases:
          - name: access_token
        resourceRef:
          - name: githubTokenCredentialsId
            type: secret
          - type: vaultSecret
            default: github
            name: githubVaultSecretName
      - name: buildTool
        type: string
        description: Defines the build tool which is used for building the project.
        longDescription: |-
          Based on the build tool the step will try to auto build the project. The step will try to auto select
          the language and the build command. You can override the language and the build command by specifiying it seperatly.
        mandatory: true
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        possibleValues:
          - custom
          - maven
          - golang
          - npm
          - pip
          - yarn
        default: "maven"
      - name: buildCommand
        type: string
        description: "Command to build the project"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: language
        type: string
        description: "The programming language used to analyze."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: modulePath
        type: string
        description: "Allows providing the path for the module to scan"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: "./"
      - name: database
        type: string
        description: "Path to the CodeQL database to create. This directory will be created, and must not already exist."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: "codeqlDB"
      - name: querySuite
        type: string
        description: "The name of a CodeQL query suite. If omitted, the default query suite for the language of the database being analyzed will be used."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: uploadResults
        type: bool
        description: "Allows you to upload codeql SARIF results to your github project. You will need to set githubToken for this."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: false
      - name: analyzedRef
        type: string
        description: "Name of the ref that was analyzed."
        longDescription: |-
          If this ref is a pull request merge commit, then use refs/pulls/1234/merge or refs/pulls/1234/head (depending on whether or not this commit corresponds to the HEAD or MERGE commit of the PR).
          Otherwise, this should be a branch: refs/heads/branch-name. If omitted, the CLI will attempt to automatically populate this from the current branch of the checkout path, if this exists.
        resourceRef:
          - name: commonPipelineEnvironment
            param: git/ref
      - name: repository
        aliases:
          - name: githubRepo
        description: "URL of the GitHub instance"
        resourceRef:
          - name: commonPipelineEnvironment
            param: git/httpsUrl
        type: string
      - name: commitId
        description: "SHA of commit that was analyzed."
        resourceRef:
          - name: commonPipelineEnvironment
            param: git/remoteCommitId
        type: string
  containers:
    - image: ""
  outputs:
    resources:
      - name: reports
        type: reports
        params:
          - filePattern: "**/*.csv"
            type: codeql
          - filePattern: "**/*.sarif"
            type: codeql
feat(codeql): new codeql piper step (#3765) * codeql piper step 2022-06-24 09:04:24 +02:00			`metadata:`
			`name: codeqlExecuteScan`
			`description: This step executes a codeql scan on the specified project to perform static code analysis and check the source code for security flaws.`
			`longDescription: \|-`
			`This step executes a codeql scan on the specified project to perform static code analysis and check the source code for security flaws.`

			`The codeql step triggers a scan locally on your orchestrator (e.g. Jenkins) within a docker container so finally you have to supply a docker image with codeql`
			`and Java plus Maven.`

			`spec:`
			`inputs:`
			`secrets:`
			`- name: githubTokenCredentialsId`
			`description: Jenkins 'Secret text' credentials ID containing token to authenticate to GitHub.`
			`type: jenkins`
			`params:`
			`- name: githubToken`
			`description: "GitHub personal access token as per`
			`https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line"`
			`scope:`
			`- GENERAL`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`type: string`
			`secret: true`
			`aliases:`
			`- name: access_token`
			`resourceRef:`
			`- name: githubTokenCredentialsId`
			`type: secret`
			`- type: vaultSecret`
			`default: github`
			`name: githubVaultSecretName`
			`- name: buildTool`
			`type: string`
			`description: Defines the build tool which is used for building the project.`
			`longDescription: \|-`
			`Based on the build tool the step will try to auto build the project. The step will try to auto select`
			`the language and the build command. You can override the language and the build command by specifiying it seperatly.`
			`mandatory: true`
			`scope:`
			`- GENERAL`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`possibleValues:`
			`- custom`
			`- maven`
			`- golang`
			`- npm`
			`- pip`
			`- yarn`
			`default: "maven"`
			`- name: buildCommand`
			`type: string`
			`description: "Command to build the project"`
			`scope:`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`- name: language`
			`type: string`
			`description: "The programming language used to analyze."`
			`scope:`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`- name: modulePath`
			`type: string`
			`description: "Allows providing the path for the module to scan"`
			`scope:`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`default: "./"`
feat(codeql): new codeql db parameter (#3902) 2022-07-20 10:07:57 +02:00			`- name: database`
			`type: string`
			`description: "Path to the CodeQL database to create. This directory will be created, and must not already exist."`
			`scope:`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`default: "codeqlDB"`
feat(codeql): new codeql piper step (#3765) * codeql piper step 2022-06-24 09:04:24 +02:00			`- name: querySuite`
			`type: string`
			`description: "The name of a CodeQL query suite. If omitted, the default query suite for the language of the database being analyzed will be used."`
			`scope:`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`- name: uploadResults`
			`type: bool`
			`description: "Allows you to upload codeql SARIF results to your github project. You will need to set githubToken for this."`
			`scope:`
			`- PARAMETERS`
			`- STAGES`
			`- STEPS`
			`default: false`
			`- name: analyzedRef`
			`type: string`
			`description: "Name of the ref that was analyzed."`
			`longDescription: \|-`
			`If this ref is a pull request merge commit, then use refs/pulls/1234/merge or refs/pulls/1234/head (depending on whether or not this commit corresponds to the HEAD or MERGE commit of the PR).`
			`Otherwise, this should be a branch: refs/heads/branch-name. If omitted, the CLI will attempt to automatically populate this from the current branch of the checkout path, if this exists.`
			`resourceRef:`
			`- name: commonPipelineEnvironment`
			`param: git/ref`
			`- name: repository`
			`aliases:`
			`- name: githubRepo`
			`description: "URL of the GitHub instance"`
			`resourceRef:`
			`- name: commonPipelineEnvironment`
			`param: git/httpsUrl`
			`type: string`
			`- name: commitId`
			`description: "SHA of commit that was analyzed."`
			`resourceRef:`
			`- name: commonPipelineEnvironment`
feat(codeql) merge commit git reference (#3877) Sets git reference and gitRemoteCommitId. Jenkins has 2 strategies - 'Merging the pull request with the current target branch revision' and 'The current pull request revision'. When 'Merging the pull request with the current target branch revision' is run, Jenkins creates a local merge commit and runs a job for that particular merge commitId. This commitId is then used for codeql to upload sarif, on upload it throws an error as the merge commit does not exist in github. To resolve this we have introduces a new variable 'gitRemoteCommitId' in commonPipelineEnvironment which gives the remote merge commit id. 2022-07-12 10:25:17 +02:00			`param: git/remoteCommitId`
feat(codeql): new codeql piper step (#3765) * codeql piper step 2022-06-24 09:04:24 +02:00			`type: string`
			`containers:`
			`- image: ""`
			`outputs:`
			`resources:`
			`- name: reports`
			`type: reports`
			`params:`
			`- filePattern: "*/.csv"`
			`type: codeql`
			`- filePattern: "*/.sarif"`
			`type: codeql`