Feature/fortify execute scan gradle (#3582)

* initial fortify gradle commit * initial fortify gradle commit Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com> Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2025-01-18 05:18:24 +02:00 · 2022-02-28 13:35:38 +03:00 · 2022-02-28 13:35:38 +03:00 · 8ced7f8184
commit 8ced7f8184
parent a67b4ce558
4 changed files with 48 additions and 6 deletions
--- a/cmd/fortifyExecuteScan.go
+++ b/cmd/fortifyExecuteScan.go
@ -25,6 +25,7 @@ import (

 	"github.com/SAP/jenkins-library/pkg/command"
 	"github.com/SAP/jenkins-library/pkg/fortify"
+	"github.com/SAP/jenkins-library/pkg/gradle"
 	"github.com/SAP/jenkins-library/pkg/log"
 	"github.com/SAP/jenkins-library/pkg/maven"
 	"github.com/SAP/jenkins-library/pkg/piperutils"
@ -44,6 +45,8 @@ type pullRequestService interface {

 type fortifyUtils interface {
 	maven.Utils
+	gradle.Utils
+
 	SetDir(d string)
 	GetArtifact(buildTool, buildDescriptorFile string, options *versioning.Options) (versioning.Artifact, error)
 	CreateIssue(ghCreateIssueOptions *piperGithub.CreateIssueOptions) error
--- a/cmd/fortifyExecuteScan_generated.go
+++ b/cmd/fortifyExecuteScan_generated.go
@ -208,7 +208,7 @@ func FortifyExecuteScanCommand() *cobra.Command {
 		Long: `This step executes a Fortify scan on the specified project to perform static code analysis and check the source code for security flaws.

 The Fortify step triggers a scan locally on your Jenkins within a docker container so finally you have to supply a docker image with a Fortify SCA
-and Java plus Maven or alternatively Python installed into it for being able to perform any scans.
+and Java plus Maven / Gradle or alternatively Python installed into it for being able to perform any scans.
 !!! hint "Scanning MTA projects"
    Build type ` + "`" + `maven` + "`" + ` requires a so called aggregator pom which includes all modules to be scanned. If used in a mta-project which includes non-java submodules as maven dependency (e.g. node via frontend-maven-plugin), exclude those by specifying java path explicitly, e.g. ` + "`" + `java/**/src/main/java/**/*` + "`" + `.

@ -345,7 +345,7 @@ func addFortifyExecuteScanFlags(cmd *cobra.Command, stepConfig *fortifyExecuteSc
 	cmd.Flags().StringVar(&stepConfig.FilterSetTitle, "filterSetTitle", `SAP`, "Title of the filter set to use for analysing the results")
 	cmd.Flags().StringVar(&stepConfig.PullRequestName, "pullRequestName", os.Getenv("PIPER_pullRequestName"), "The name of the pull request branch which will trigger creation of a new version in Fortify SSC based on the master branch version")
 	cmd.Flags().StringVar(&stepConfig.PullRequestMessageRegex, "pullRequestMessageRegex", `.*Merge pull request #(\\d+) from.*`, "Regex used to identify the PR-XXX reference within the merge commit message")
-	cmd.Flags().StringVar(&stepConfig.BuildTool, "buildTool", `maven`, "Scan type used for the step which can be `'maven'`, `'pip'`")
+	cmd.Flags().StringVar(&stepConfig.BuildTool, "buildTool", `maven`, "Scan type used for the step which can be `'maven'`, `'pip'` or `'gradle'`")
 	cmd.Flags().StringVar(&stepConfig.ProjectSettingsFile, "projectSettingsFile", os.Getenv("PIPER_projectSettingsFile"), "Path to the mvn settings file that should be used as project settings file.")
 	cmd.Flags().StringVar(&stepConfig.GlobalSettingsFile, "globalSettingsFile", os.Getenv("PIPER_globalSettingsFile"), "Path to the mvn settings file that should be used as global settings file.")
 	cmd.Flags().StringVar(&stepConfig.M2Path, "m2Path", os.Getenv("PIPER_m2Path"), "Path to the location of the local repository that should be used.")
@ -571,6 +571,16 @@ func fortifyExecuteScanMetadata() config.StepData {
 						Default:     `./setup.py`,
 						Conditions:  []config.Condition{{ConditionRef: "strings-equal", Params: []config.Param{{Name: "buildTool", Value: "pip"}}}},
 					},
+					{
+						Name:        "buildDescriptorFile",
+						ResourceRef: []config.ResourceReference{},
+						Scope:       []string{"PARAMETERS", "STAGES", "STEPS"},
+						Type:        "string",
+						Mandatory:   false,
+						Aliases:     []config.Alias{},
+						Default:     `./build.gradle`,
+						Conditions:  []config.Condition{{ConditionRef: "strings-equal", Params: []config.Param{{Name: "buildTool", Value: "gradle"}}}},
+					},
 					{
 						Name: "commitId",
 						ResourceRef: []config.ResourceReference{
--- a/pkg/versioning/gradle.go
+++ b/pkg/versioning/gradle.go
@ -40,7 +40,18 @@ func (g *Gradle) init() error {
 			versionField:     g.versionField,
 			writeFile:        g.writeFile,
 		}
-		err := g.propertiesFile.init()
+		f, err := os.Open(g.path)
+		if err != nil {
+			return err
+		}
+		fi, err := f.Stat()
+		if err != nil {
+			return err
+		}
+		if fi.IsDir() {
+			g.propertiesFile.path += "build.gradle"
+		}
+		err = g.propertiesFile.init()
 		if err != nil {
 			return err
 		}
@ -56,7 +67,12 @@ func (g *Gradle) initGetArtifact() error {
 	if g.gradlePropsOut == nil {
 		gradlePropsBuffer := &bytes.Buffer{}
 		g.execRunner.Stdout(gradlePropsBuffer)
-		err := g.execRunner.RunExecutable("gradle", "properties", "--no-daemon", "--console=plain", "-q")
+		var p []string
+		p = append(p, "properties", "--no-daemon", "--console=plain", "-q")
+		if g.path != "" {
+			p = append(p, "-p", g.path)
+		}
+		err := g.execRunner.RunExecutable("gradle", p...)
 		if err != nil {
 			return err
 		}
--- a/resources/metadata/fortifyExecuteScan.yaml
+++ b/resources/metadata/fortifyExecuteScan.yaml
@ -5,7 +5,7 @@ metadata:
    This step executes a Fortify scan on the specified project to perform static code analysis and check the source code for security flaws.

    The Fortify step triggers a scan locally on your Jenkins within a docker container so finally you have to supply a docker image with a Fortify SCA
-    and Java plus Maven or alternatively Python installed into it for being able to perform any scans.
+    and Java plus Maven / Gradle or alternatively Python installed into it for being able to perform any scans.
    !!! hint "Scanning MTA projects"
        Build type `maven` requires a so called aggregator pom which includes all modules to be scanned. If used in a mta-project which includes non-java submodules as maven dependency (e.g. node via frontend-maven-plugin), exclude those by specifying java path explicitly, e.g. `java/**/src/main/java/**/*`.

@ -226,6 +226,19 @@ spec:
          - STAGES
          - STEPS
        default: ./setup.py
+      - name: buildDescriptorFile
+        type: string
+        conditions:
+          - conditionRef: strings-equal
+            params:
+              - name: buildTool
+                value: gradle
+        description: "Path to the build descriptor file addressing the module/folder to be scanned."
+        scope:
+          - PARAMETERS
+          - STAGES
+          - STEPS
+        default: ./build.gradle
      - name: commitId
        description: "Set the Git commit ID for identifying artifacts throughout the scan."
        resourceRef:
@ -559,7 +572,7 @@ spec:
        default: '.*Merge pull request #(\\d+) from.*'
      - name: buildTool
        type: string
-        description: "Scan type used for the step which can be `'maven'`, `'pip'`"
+        description: "Scan type used for the step which can be `'maven'`, `'pip'` or `'gradle'`"
        scope:
          - GENERAL
          - PARAMETERS