
fix(credentialdiggerScan): get_discoveries and docker image (#4613)

* Improve logs of credentialdiggerScan step

* 'Restore step'

* Use dockerhub image for Credential Digger

* Regenerate credentialdiggerScan

* Update docker image tag

* Fix report generation with exportAll

* Update docker image for credentialdiggerScan

* Regenerate credentialdiggerScan step with new docker image

* Don't duplicate step name with log.Entry()

* Refactor RepoURL according to #4639

---------

Co-authored-by: Marcus Holl <marcus.holl@sap.com>
Co-authored-by: Googlom <36107508+Googlom@users.noreply.github.com>
Marco Rosa
2024-07-04 11:59:53 +02:00
committed by GitHub
parent 4a4c13ff03
commit 64aabd8daa
3 changed files with 27 additions and 16 deletions


@@ -45,16 +45,19 @@ func credentialdiggerScan(config credentialdiggerScanOptions, telemetryData *tel
provider, prov_err := orchestrator.GetOrchestratorConfigProvider(nil)
if prov_err != nil {
log.Entry().WithError(prov_err).Error(
"credentialdiggerScan: unable to load orchestrator specific configuration.")
"Unable to load orchestrator specific configuration.")
}
if config.Repository == "" {
// Get current repository from orchestrator
log.Entry().Debug("Repository URL not defined in step configuration. Try get it from orchestrators")
repoUrlOrchestrator := provider.RepoURL()
if repoUrlOrchestrator == "n/a" {
// Jenkins configuration error
log.Entry().WithError(errors.New(
fmt.Sprintf("Unknown repository URL %s", repoUrlOrchestrator))).Error(
configError := errors.New(fmt.Sprintf("Unknown repository URL %s", repoUrlOrchestrator))
log.Entry().WithError(configError).Error(
"Repository URL n/a. Please verify git plugin is installed.")
// The repository to scan was not identified. Return an error
return configError
}
config.Repository = repoUrlOrchestrator
log.Entry().Debug("Use current repository: ", repoUrlOrchestrator)
@@ -69,7 +72,7 @@ func credentialdiggerScan(config credentialdiggerScanOptions, telemetryData *tel
log.Entry().Info("Load rules")
err := credentialdiggerAddRules(&config, telemetryData, utils)
if err != nil {
log.Entry().Error("credentialdiggerScan: Failed running credentialdigger add_rules")
log.Entry().Error("Failed running credentialdigger add_rules")
return err
}
log.Entry().Info("Rules added")
@@ -93,17 +96,21 @@ func credentialdiggerScan(config credentialdiggerScanOptions, telemetryData *tel
}
// err is an error exit number when there are findings
if err == nil {
log.Entry().Info("No discoveries found in this repo")
// If there are no findings, there is no need to export an empty report
return nil
log.Entry().Info("No leaks found in this repo with scan")
// Even if there are no leaks, the user may still want to export all
// the discoveries (param exportAll set to true)
}
// 3: Get discoveries
err = credentialdiggerGetDiscoveries(&config, telemetryData, utils)
if err != nil {
// The exit number is the number of discoveries
// The exit number is the number of discoveries exported
// Therefore, this error is not relevant, if raised
log.Entry().Warn("There are findings to review")
} else {
// There are no discoveries exported, so no need to generate the
// artifact
return nil
}
// 4: Export report in workspace
@@ -149,7 +156,8 @@ func credentialdiggerAddRules(config *credentialdiggerScanOptions, telemetryData
log.Entry().Debug("Use a local ruleset")
// Use rules defined in stashed file
if hasRulesFile(config.RulesFile, service) {
log.Entry().WithField("file", config.RulesFile).Info("Use stashed rules file from repository")
log.Entry().WithField("file", config.RulesFile).Info(
"Use stashed rules file from repository")
ruleFile = config.RulesFile
} else {
log.Entry().Info("Use standard pre-defined rules")
@@ -167,14 +175,15 @@ func credentialdiggerGetDiscoveries(config *credentialdiggerScanOptions, telemet
// Export all the discoveries or export only new ones
if !config.ExportAll {
cmd_list = append(cmd_list, "--state", "new")
} else {
log.Entry().Info("Export all discoveries")
}
err := executeCredentialDiggerProcess(service, cmd_list)
if err != nil {
log.Entry().Error("credentialdiggerScan: Failed running credentialdigger get_discoveries")
log.Entry().Error(err)
log.Entry().Warn("Report generated")
return err
}
log.Entry().Info("Scan complete")
log.Entry().Info("Scan complete with no potential leaks")
return nil
}
@@ -203,7 +212,8 @@ func credentialdiggerBuildCommonArgs(config *credentialdiggerScanOptions) []stri
}
func credentialdiggerScanSnapshot(config *credentialdiggerScanOptions, telemetryData *telemetry.CustomData, service credentialdiggerUtils) error {
log.Entry().Infof("Scan Snapshot %v from repo %v", config.Snapshot, config.Repository)
log.Entry().Infof(
"Scan Snapshot %v from repo %v", config.Snapshot, config.Repository)
cmd_list := []string{"scan_snapshot",
"--snapshot", config.Snapshot}
cmd_list = append(cmd_list, credentialdiggerBuildCommonArgs(config)...)
@@ -218,7 +228,8 @@ func credentialdiggerScanSnapshot(config *credentialdiggerScanOptions, telemetry
}
func credentialdiggerScanPR(config *credentialdiggerScanOptions, telemetryData *telemetry.CustomData, service credentialdiggerUtils) error {
log.Entry().Infof("Scan PR %v from repo %v", config.PrNumber, config.Repository)
log.Entry().Infof(
"Scan PR %v from repo %v", config.PrNumber, config.Repository)
cmd_list := []string{"scan_pr",
"--pr", strconv.Itoa(config.PrNumber),
"--api_endpoint", config.APIURL}
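Review bot: In the hunk at `@@ -93,17 +96,21 @@`, every non-nil error from credentialdiggerGetDiscoveries is read as "There are findings to review", so a get_discoveries run that fails for an unrelated reason (the process could not start, the database or the rules are missing) is logged as findings and the step carries on to the report export; the same conflation sits in credentialdiggerGetDiscoveries, where `log.Entry().Warn("Report generated")` is emitted for any error at all. If executeCredentialDiggerProcess surfaces the process exit status (for example as an `*exec.ExitError`, which this page does not show), recover it with `errors.As` and treat only that case as a discovery count, returning every other error as a step failure so a broken scanner is not mistaken for a completed scan with findings. Minor, in the first hunk: `configError := errors.New(fmt.Sprintf("Unknown repository URL %s", repoUrlOrchestrator))` is the form staticcheck flags; `configError := fmt.Errorf("unknown repository URL %s", repoUrlOrchestrator)` says the same thing. Both credentialdiggerScan and credentialdiggerGetDiscoveries continue outside their hunks.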


@@ -264,7 +264,7 @@ func credentialdiggerScanMetadata() config.StepData {
},
},
Containers: []config.Container{
{Image: "credentialdigger.int.repositories.cloud.sap/credential_digger:4.9.2"},
{Image: "saposs/credentialdigger:4.14.0"},
},
Outputs: config.StepOutputs{
Resources: []config.StepResources{


@@ -121,4 +121,4 @@ spec:
- filePattern: "**/report*.csv"
type: credentialdigger-report
containers:
- image: "credentialdigger.int.repositories.cloud.sap/credential_digger:4.9.2"
- image: saposs/credentialdigger:4.14.0
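Review bot: The new image reference `saposs/credentialdigger:4.14.0` pins only a tag, which is mutable on the registry, so the scanner image that runs over repository contents can change underneath this step without any change in this repository; since the commit also moves from the internal registry to a public one, pin the digest alongside the tag, `- image: saposs/credentialdigger:4.14.0@sha256:<digest>` (placeholder to be filled from the registry), and bump both together on upgrades. The generated Go metadata carries the same string and has to be regenerated from this yaml whenever it changes, as the commit message states was done here. Style: the replaced line quoted the image value; keeping `- image: "saposs/credentialdigger:4.14.0"` matches the quoted `filePattern` value a few lines above.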