
Needed CLI separator for Fortify tools depends on platform (#1616)

* Update fortify.yaml
* src, exclude and pythonAdditionalPaths are now lists of strings
* Re-implement pythonIncludes and pythonExcludes as aliases of src and exclude
* Fix using the correct separator (; on windows, : on everything else)
* Tokenize also python "includes"
* mvnCustomArgs was removed

Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com>
Daniel Kurzynski 2020-06-02 13:47:07 +02:00 committed by GitHub
parent 7fc9002ce1
commit cf9a41850e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 386 additions and 397 deletions


@ -11,6 +11,7 @@ import (
"os"
"path/filepath"
"regexp"
"runtime"
"strings"
"time"
@ -489,9 +490,6 @@ func autoresolveMavenClasspath(config fortifyExecuteScanOptions, file string, co
Defines: []string{fmt.Sprintf("-Dmdep.outputFile=%v", file), "-DincludeScope=compile"},
ReturnStdout: false,
}
if len(strings.TrimSpace(config.MvnCustomArgs)) > 0 {
executeOptions.Flags = tokenize(config.MvnCustomArgs)
}
_, err := maven.Execute(&executeOptions, command)
if err != nil {
log.Entry().WithError(err).Warn("failed to determine classpath using Maven")
@ -574,7 +572,9 @@ func triggerFortifyScan(config fortifyExecuteScanOptions, command execRunner, bu
}
if config.BuildTool == "pip" {
if config.AutodetectClasspath {
classpath = autoresolvePipClasspath(config.PythonVersion, []string{"-c", "import sys;p=sys.path;p.remove('');print(';'.join(p))"}, classpathFileName, command)
separator := getSeparator()
script := fmt.Sprintf("import sys;p=sys.path;p.remove('');print('%v'.join(p))", separator)
classpath = autoresolvePipClasspath(config.PythonVersion, []string{"-c", script}, classpathFileName, command)
}
// install the dev dependencies
if len(config.PythonRequirementsFile) > 0 {
@ -588,7 +588,7 @@ func triggerFortifyScan(config fortifyExecuteScanOptions, command execRunner, bu
config.Translate, err = populatePipTranslate(&config, classpath)
if err != nil {
log.Entry().WithError(err).Warnf("failed to apply pythonAdditionalPath ('%s') or pythonIncludes ('%s') parameter", config.PythonAdditionalPath, config.PythonIncludes)
log.Entry().WithError(err).Warnf("failed to apply pythonAdditionalPath ('%s') or src ('%s') parameter", config.PythonAdditionalPath, config.Src)
}
}
@ -606,9 +606,14 @@ func populatePipTranslate(config *fortifyExecuteScanOptions, classpath string) (
var translateList []map[string]interface{}
translateList = append(translateList, make(map[string]interface{}))
translateList[0]["pythonPath"] = classpath + ";" + config.PythonAdditionalPath
translateList[0]["pythonIncludes"] = config.PythonIncludes
translateList[0]["pythonExcludes"] = strings.ReplaceAll(config.PythonExcludes, "-exclude ", "")
separator := getSeparator()
translateList[0]["pythonPath"] = classpath + separator +
getSuppliedOrDefaultListAsString(config.PythonAdditionalPath, []string{}, separator)
translateList[0]["src"] = getSuppliedOrDefaultListAsString(
config.Src, []string{"./**/*"}, ":")
translateList[0]["exclude"] = getSuppliedOrDefaultListAsString(
config.Exclude, []string{"./**/tests/**/*", "./**/setup.py"}, separator)
translateJSON, err := json.Marshal(translateList)
@ -624,12 +629,10 @@ func populateMavenTranslate(config *fortifyExecuteScanOptions, classpath string)
translateList = append(translateList, make(map[string]interface{}))
translateList[0]["classpath"] = classpath
if len(config.Src) > 0 {
translateList[0]["src"] = config.Src
}
if len(config.Exclude) > 0 {
translateList[0]["exclude"] = config.Exclude
}
setTranslateEntryIfNotEmpty(translateList[0], "src", ":", config.Src,
[]string{"**/*.xml", "**/*.html", "**/*.jsp", "**/*.js", "**/src/main/resources/**/*", "**/src/main/java/**/*"})
setTranslateEntryIfNotEmpty(translateList[0], "exclude", getSeparator(), config.Exclude, []string{})
translateJSON, err := json.Marshal(translateList)
@ -725,22 +728,19 @@ func determinePullRequestMergeGithub(ctx context.Context, config fortifyExecuteS
}
func appendToOptions(config *fortifyExecuteScanOptions, options []string, t map[string]string) []string {
if config.BuildTool == "windows" {
switch config.BuildTool {
case "windows":
if len(t["aspnetcore"]) > 0 {
options = append(options, "-aspnetcore")
}
if len(t["dotNetCoreVersion"]) > 0 {
options = append(options, "-dotnet-core-version", t["dotNetCoreVersion"])
}
if len(t["exclude"]) > 0 {
options = append(options, "-exclude", t["exclude"])
}
if len(t["libDirs"]) > 0 {
options = append(options, "-libdirs", t["libDirs"])
}
return append(options, tokenize(t["src"])...)
}
if config.BuildTool == "maven" {
case "maven":
if len(t["autoClasspath"]) > 0 {
options = append(options, "-cp", t["autoClasspath"])
} else if len(t["classpath"]) > 0 {
@ -763,12 +763,8 @@ func appendToOptions(config *fortifyExecuteScanOptions, options []string, t map[
if len(t["sourcepath"]) > 0 {
options = append(options, "-sourcepath", t["sourcepath"])
}
if len(t["exclude"]) > 0 {
options = append(options, "-exclude", t["exclude"])
}
return append(options, tokenize(t["src"])...)
}
if config.BuildTool == "pip" {
case "pip":
if len(t["autoClasspath"]) > 0 {
options = append(options, "-python-path", t["autoClasspath"])
} else if len(t["pythonPath"]) > 0 {
@ -777,10 +773,44 @@ func appendToOptions(config *fortifyExecuteScanOptions, options []string, t map[
if len(t["djangoTemplatDirs"]) > 0 {
options = append(options, "-django-template-dirs", t["djangoTemplatDirs"])
}
if len(t["pythonExcludes"]) > 0 {
options = append(options, "-exclude", t["pythonExcludes"])
}
return append(options, t["pythonIncludes"])
default:
return options
}
return options
if len(t["exclude"]) > 0 {
options = append(options, "-exclude", t["exclude"])
}
return append(options, strings.Split(t["src"], ":")...)
}
func getSuppliedOrDefaultList(suppliedList, defaultList []string) []string {
if len(suppliedList) > 0 {
return suppliedList
}
return defaultList
}
func getSuppliedOrDefaultListAsString(suppliedList, defaultList []string, separator string) string {
effectiveList := getSuppliedOrDefaultList(suppliedList, defaultList)
return strings.Join(effectiveList, separator)
}
// setTranslateEntryIfNotEmpty builds a string from either the user-supplied list, or the default list,
// by joining the entries with the given separator. If the resulting string is not empty, it will be
// placed as an entry in the provided map under the given key.
func setTranslateEntryIfNotEmpty(translate map[string]interface{}, key, separator string, suppliedList, defaultList []string) {
value := getSuppliedOrDefaultListAsString(suppliedList, defaultList, separator)
if value != "" {
translate[key] = value
}
}
// getSeparator returns the separator string depending on the host platform. This assumes that
// Piper executes the Fortify command line tools within the same OS platform as it is running on itself.
func getSeparator() string {
if runtime.GOOS == "windows" {
return ";"
}
return ":"
}
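Review bot: The final `return append(options, strings.Split(t["src"], ":")...)` in appendToOptions appends an empty argument whenever `t["src"]` is empty, because `strings.Split("", ":")` yields `[]string{""}`; a user-supplied `translate` entry without a `src` key (as in the maven "with translate" test) would therefore pass `""` to sourceanalyzer, where the other entries above it are guarded by a length check. Guard it the same way: `if len(t["src"]) > 0 { options = append(options, strings.Split(t["src"], ":")...) }` followed by `return options`. The fixed `":"` used to join `src` in populatePipTranslate and populateMavenTranslate looks like an internal list encoding rather than the CLI separator (each entry becomes its own argument), but any entry containing a colon — a Windows drive path such as `C:\src` — would be split apart here, so either keep `src` as a JSON array in the translate map or join on a character that cannot occur in a path. The `translate` flag description in the generated file still does not say that `src` is now colon-separated; the old code tokenized it and the old default was space-separated, so existing `translate` callers with space-separated `src` presumably now get a single argument, which is worth a sentence in the parameter docs.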


@ -16,58 +16,54 @@ import (
)
type fortifyExecuteScanOptions struct {
AuthToken string `json:"authToken,omitempty"`
GithubToken string `json:"githubToken,omitempty"`
AutoCreate bool `json:"autoCreate,omitempty"`
MvnCustomArgs string `json:"mvnCustomArgs,omitempty"`
ModulePath string `json:"modulePath,omitempty"`
PythonRequirementsFile string `json:"pythonRequirementsFile,omitempty"`
AutodetectClasspath bool `json:"autodetectClasspath,omitempty"`
MustAuditIssueGroups string `json:"mustAuditIssueGroups,omitempty"`
SpotAuditIssueGroups string `json:"spotAuditIssueGroups,omitempty"`
PythonRequirementsInstallSuffix string `json:"pythonRequirementsInstallSuffix,omitempty"`
PythonVersion string `json:"pythonVersion,omitempty"`
UploadResults bool `json:"uploadResults,omitempty"`
BuildDescriptorFile string `json:"buildDescriptorFile,omitempty"`
CommitID string `json:"commitId,omitempty"`
CommitMessage string `json:"commitMessage,omitempty"`
GithubAPIURL string `json:"githubApiUrl,omitempty"`
Owner string `json:"owner,omitempty"`
Repository string `json:"repository,omitempty"`
Memory string `json:"memory,omitempty"`
UpdateRulePack bool `json:"updateRulePack,omitempty"`
PythonExcludes string `json:"pythonExcludes,omitempty"`
ReportDownloadEndpoint string `json:"reportDownloadEndpoint,omitempty"`
PollingMinutes int `json:"pollingMinutes,omitempty"`
QuickScan bool `json:"quickScan,omitempty"`
Translate string `json:"translate,omitempty"`
Src string `json:"src,omitempty"`
Exclude string `json:"exclude,omitempty"`
APIEndpoint string `json:"apiEndpoint,omitempty"`
ReportType string `json:"reportType,omitempty"`
PythonAdditionalPath string `json:"pythonAdditionalPath,omitempty"`
ArtifactURL string `json:"artifactUrl,omitempty"`
ConsiderSuspicious bool `json:"considerSuspicious,omitempty"`
FprUploadEndpoint string `json:"fprUploadEndpoint,omitempty"`
ProjectName string `json:"projectName,omitempty"`
PythonIncludes string `json:"pythonIncludes,omitempty"`
Reporting bool `json:"reporting,omitempty"`
ServerURL string `json:"serverUrl,omitempty"`
BuildDescriptorExcludeList string `json:"buildDescriptorExcludeList,omitempty"`
PullRequestMessageRegexGroup int `json:"pullRequestMessageRegexGroup,omitempty"`
DeltaMinutes int `json:"deltaMinutes,omitempty"`
SpotCheckMinimum int `json:"spotCheckMinimum,omitempty"`
FprDownloadEndpoint string `json:"fprDownloadEndpoint,omitempty"`
DefaultVersioningModel string `json:"defaultVersioningModel,omitempty"`
PythonInstallCommand string `json:"pythonInstallCommand,omitempty"`
ReportTemplateID int `json:"reportTemplateId,omitempty"`
FilterSetTitle string `json:"filterSetTitle,omitempty"`
PullRequestName string `json:"pullRequestName,omitempty"`
PullRequestMessageRegex string `json:"pullRequestMessageRegex,omitempty"`
BuildTool string `json:"buildTool,omitempty"`
ProjectSettingsFile string `json:"projectSettingsFile,omitempty"`
GlobalSettingsFile string `json:"globalSettingsFile,omitempty"`
M2Path string `json:"m2Path,omitempty"`
AuthToken string `json:"authToken,omitempty"`
GithubToken string `json:"githubToken,omitempty"`
AutoCreate bool `json:"autoCreate,omitempty"`
ModulePath string `json:"modulePath,omitempty"`
PythonRequirementsFile string `json:"pythonRequirementsFile,omitempty"`
AutodetectClasspath bool `json:"autodetectClasspath,omitempty"`
MustAuditIssueGroups string `json:"mustAuditIssueGroups,omitempty"`
SpotAuditIssueGroups string `json:"spotAuditIssueGroups,omitempty"`
PythonRequirementsInstallSuffix string `json:"pythonRequirementsInstallSuffix,omitempty"`
PythonVersion string `json:"pythonVersion,omitempty"`
UploadResults bool `json:"uploadResults,omitempty"`
BuildDescriptorFile string `json:"buildDescriptorFile,omitempty"`
CommitID string `json:"commitId,omitempty"`
CommitMessage string `json:"commitMessage,omitempty"`
GithubAPIURL string `json:"githubApiUrl,omitempty"`
Owner string `json:"owner,omitempty"`
Repository string `json:"repository,omitempty"`
Memory string `json:"memory,omitempty"`
UpdateRulePack bool `json:"updateRulePack,omitempty"`
ReportDownloadEndpoint string `json:"reportDownloadEndpoint,omitempty"`
PollingMinutes int `json:"pollingMinutes,omitempty"`
QuickScan bool `json:"quickScan,omitempty"`
Translate string `json:"translate,omitempty"`
Src []string `json:"src,omitempty"`
Exclude []string `json:"exclude,omitempty"`
APIEndpoint string `json:"apiEndpoint,omitempty"`
ReportType string `json:"reportType,omitempty"`
PythonAdditionalPath []string `json:"pythonAdditionalPath,omitempty"`
ArtifactURL string `json:"artifactUrl,omitempty"`
ConsiderSuspicious bool `json:"considerSuspicious,omitempty"`
FprUploadEndpoint string `json:"fprUploadEndpoint,omitempty"`
ProjectName string `json:"projectName,omitempty"`
Reporting bool `json:"reporting,omitempty"`
ServerURL string `json:"serverUrl,omitempty"`
PullRequestMessageRegexGroup int `json:"pullRequestMessageRegexGroup,omitempty"`
DeltaMinutes int `json:"deltaMinutes,omitempty"`
SpotCheckMinimum int `json:"spotCheckMinimum,omitempty"`
FprDownloadEndpoint string `json:"fprDownloadEndpoint,omitempty"`
DefaultVersioningModel string `json:"defaultVersioningModel,omitempty"`
PythonInstallCommand string `json:"pythonInstallCommand,omitempty"`
ReportTemplateID int `json:"reportTemplateId,omitempty"`
FilterSetTitle string `json:"filterSetTitle,omitempty"`
PullRequestName string `json:"pullRequestName,omitempty"`
PullRequestMessageRegex string `json:"pullRequestMessageRegex,omitempty"`
BuildTool string `json:"buildTool,omitempty"`
ProjectSettingsFile string `json:"projectSettingsFile,omitempty"`
GlobalSettingsFile string `json:"globalSettingsFile,omitempty"`
M2Path string `json:"m2Path,omitempty"`
}
type fortifyExecuteScanInflux struct {
@ -193,7 +189,6 @@ func addFortifyExecuteScanFlags(cmd *cobra.Command, stepConfig *fortifyExecuteSc
cmd.Flags().StringVar(&stepConfig.AuthToken, "authToken", os.Getenv("PIPER_authToken"), "The FortifyToken to use for authentication")
cmd.Flags().StringVar(&stepConfig.GithubToken, "githubToken", os.Getenv("PIPER_githubToken"), "GitHub personal access token as per https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line")
cmd.Flags().BoolVar(&stepConfig.AutoCreate, "autoCreate", false, "Whether Fortify project and project version shall be implicitly auto created in case they cannot be found in the backend")
cmd.Flags().StringVar(&stepConfig.MvnCustomArgs, "mvnCustomArgs", ``, "Allows providing additional Maven command line parameters")
cmd.Flags().StringVar(&stepConfig.ModulePath, "modulePath", `./`, "Allows providing the path for the module to scan")
cmd.Flags().StringVar(&stepConfig.PythonRequirementsFile, "pythonRequirementsFile", os.Getenv("PIPER_pythonRequirementsFile"), "The requirements file used in `buildTool: 'pip'` to populate the build environment with the necessary dependencies")
cmd.Flags().BoolVar(&stepConfig.AutodetectClasspath, "autodetectClasspath", true, "Whether the classpath is automatically determined via build tool i.e. maven or pip or not at all")
@ -205,33 +200,30 @@ func addFortifyExecuteScanFlags(cmd *cobra.Command, stepConfig *fortifyExecuteSc
cmd.Flags().StringVar(&stepConfig.BuildDescriptorFile, "buildDescriptorFile", os.Getenv("PIPER_buildDescriptorFile"), "Path to the build descriptor file addressing the module/folder to be scanned. Defaults are for buildTool=`maven`: `./pom.xml`, buildTool=`pip`: `./setup.py`.")
cmd.Flags().StringVar(&stepConfig.CommitID, "commitId", os.Getenv("PIPER_commitId"), "Set the Git commit ID for identifying artifacts throughout the scan.")
cmd.Flags().StringVar(&stepConfig.CommitMessage, "commitMessage", os.Getenv("PIPER_commitMessage"), "Set the Git commit message for identifying pull request merges throughout the scan.")
cmd.Flags().StringVar(&stepConfig.GithubAPIURL, "githubApiUrl", `https://api.github.com`, "Set the GitHub API url.")
cmd.Flags().StringVar(&stepConfig.GithubAPIURL, "githubApiUrl", `https://api.github.com`, "Set the GitHub API URL.")
cmd.Flags().StringVar(&stepConfig.Owner, "owner", os.Getenv("PIPER_owner"), "Set the GitHub organization.")
cmd.Flags().StringVar(&stepConfig.Repository, "repository", os.Getenv("PIPER_repository"), "Set the GitHub repository.")
cmd.Flags().StringVar(&stepConfig.Memory, "memory", `-Xmx4G -Xms512M`, "The amount of memory granted to the translate/scan executions")
cmd.Flags().BoolVar(&stepConfig.UpdateRulePack, "updateRulePack", true, "Whether the rule pack shall be updated and pulled from Fortify SSC before scanning or not")
cmd.Flags().StringVar(&stepConfig.PythonExcludes, "pythonExcludes", `-exclude ./**/tests/**/*;./**/setup.py`, "The excludes pattern used in `buildTool: 'pip'` for excluding specific .py files i.e. tests")
cmd.Flags().StringVar(&stepConfig.ReportDownloadEndpoint, "reportDownloadEndpoint", `/transfer/reportDownload.html`, "Fortify SSC endpoint for Report downloads")
cmd.Flags().IntVar(&stepConfig.PollingMinutes, "pollingMinutes", 30, "The number of minutes for which an uploaded FPR artifact's status is being polled to finish queuing/processing, if exceeded polling will be stopped and an error will be thrown")
cmd.Flags().IntVar(&stepConfig.PollingMinutes, "pollingMinutes", 30, "The number of minutes for which an uploaded FPR artifact''s status is being polled to finish queuing/processing, if exceeded polling will be stopped and an error will be thrown")
cmd.Flags().BoolVar(&stepConfig.QuickScan, "quickScan", false, "Whether a quick scan should be performed, please consult the related Fortify documentation on JAM on the impact of this setting")
cmd.Flags().StringVar(&stepConfig.Translate, "translate", os.Getenv("PIPER_translate"), "Options for translate phase of Fortify. Most likely, you do not need to set this parameter. See src, exclude. If `'src'` and `'exclude'` are set they are automatically used. Technical details: It has to be a JSON string of list of maps with required key `'src'`, and optional keys `'exclude'`, `'libDirs'`, `'aspnetcore'`, and `'dotNetCoreVersion'`")
cmd.Flags().StringVar(&stepConfig.Src, "src", `**/*.xml **/*.html **/*.jsp **/*.js **/src/main/resources/**/* **/src/main/java/**/*`, "Source directories to scan. Multiple entries are separated by space and wildcards can be used, e.g., `'src/main/resources/**/* src/main/java/**/*'`. If `translate` is set, this will ignored.")
cmd.Flags().StringVar(&stepConfig.Exclude, "exclude", os.Getenv("PIPER_exclude"), "Exludes directories/files from scan. Multiple entries are separated by semicolon and wildcards can be used, e.g., `'fileA;fileB;**/Test.java;'`. If `translate` is set, this will ignored.")
cmd.Flags().StringSliceVar(&stepConfig.Src, "src", []string{}, "A list of source directories to scan. Wildcards can be used, e.g., `'src/main/java/**/*'`. If `'translate'` is set, this will ignored. The default value for `buildTool: 'maven'` is ['**/*.xml', '**/*.html', '**/*.jsp', '**/*.js', '**/src/main/resources/**/*', '**/src/main/java/**/*'], for `buildTool: 'pip'` it is ['./**/*'].")
cmd.Flags().StringSliceVar(&stepConfig.Exclude, "exclude", []string{}, "A list of directories/files to be excluded from the scan. Wildcards can be used, e.g., `'**/Test.java'`. If `translate` is set, this will ignored.")
cmd.Flags().StringVar(&stepConfig.APIEndpoint, "apiEndpoint", `/api/v1`, "Fortify SSC endpoint used for uploading the scan results and checking the audit state")
cmd.Flags().StringVar(&stepConfig.ReportType, "reportType", `PDF`, "The type of report to be generated")
cmd.Flags().StringVar(&stepConfig.PythonAdditionalPath, "pythonAdditionalPath", `./lib;.`, "The addional path which can be used in `buildTool: 'pip'` for customization purposes")
cmd.Flags().StringVar(&stepConfig.ArtifactURL, "artifactUrl", os.Getenv("PIPER_artifactUrl"), "Path/Url pointing to an additional artifact repository for resolution of additional artifacts during the build")
cmd.Flags().StringSliceVar(&stepConfig.PythonAdditionalPath, "pythonAdditionalPath", []string{`./lib`, `.`}, "A list of additional paths which can be used in `buildTool: 'pip'` for customization purposes")
cmd.Flags().StringVar(&stepConfig.ArtifactURL, "artifactUrl", os.Getenv("PIPER_artifactUrl"), "Path/URL pointing to an additional artifact repository for resolution of additional artifacts during the build")
cmd.Flags().BoolVar(&stepConfig.ConsiderSuspicious, "considerSuspicious", true, "Whether suspicious issues should trigger the check to fail or not")
cmd.Flags().StringVar(&stepConfig.FprUploadEndpoint, "fprUploadEndpoint", `/upload/resultFileUpload.html`, "Fortify SSC endpoint for FPR uploads")
cmd.Flags().StringVar(&stepConfig.ProjectName, "projectName", `{{list .GroupID .ArtifactID | join "-" | trimAll "-"}}`, "The project used for reporting results in SSC")
cmd.Flags().StringVar(&stepConfig.PythonIncludes, "pythonIncludes", `./**/*`, "The includes pattern used in `buildTool: 'pip'` for including .py files")
cmd.Flags().BoolVar(&stepConfig.Reporting, "reporting", false, "Influences whether a report is generated or not")
cmd.Flags().StringVar(&stepConfig.ServerURL, "serverUrl", os.Getenv("PIPER_serverUrl"), "Fortify SSC Url to be used for accessing the APIs")
cmd.Flags().StringVar(&stepConfig.BuildDescriptorExcludeList, "buildDescriptorExcludeList", `[]`, "Build descriptor files to exclude modules from being scanned")
cmd.Flags().IntVar(&stepConfig.PullRequestMessageRegexGroup, "pullRequestMessageRegexGroup", 1, "The group number for extracting the pull request id in `pullRequestMessageRegex`")
cmd.Flags().IntVar(&stepConfig.PullRequestMessageRegexGroup, "pullRequestMessageRegexGroup", 1, "The group number for extracting the pull request id in `'pullRequestMessageRegex'`")
cmd.Flags().IntVar(&stepConfig.DeltaMinutes, "deltaMinutes", 5, "The number of minutes for which an uploaded FPR artifact is considered to be recent and healthy, if exceeded an error will be thrown")
cmd.Flags().IntVar(&stepConfig.SpotCheckMinimum, "spotCheckMinimum", 1, "The minimum number of issues that must be audited per category in the `Spot Checks of each Category` folder to avoid an error being thrown")
cmd.Flags().StringVar(&stepConfig.FprDownloadEndpoint, "fprDownloadEndpoint", `/download/currentStateFprDownload.html`, "Fortify SSC endpoint for FPR downloads")
cmd.Flags().StringVar(&stepConfig.FprDownloadEndpoint, "fprDownloadEndpoint", `/download/currentStateFprDownload.html`, "Fortify SSC endpoint for FPR downloads")
cmd.Flags().StringVar(&stepConfig.DefaultVersioningModel, "defaultVersioningModel", `major`, "The default project versioning model used in case `projectVersion` parameter is empty for creating the version based on the build descriptor version to report results in SSC, can be one of `'major'`, `'major-minor'`, `'semantic'`, `'full'`")
cmd.Flags().StringVar(&stepConfig.PythonInstallCommand, "pythonInstallCommand", `{{.Pip}} install --user .`, "Additional install command that can be run when `buildTool: 'pip'` is used which allows further customizing the execution environment of the scan")
cmd.Flags().IntVar(&stepConfig.ReportTemplateID, "reportTemplateId", 18, "Report template ID to be used for generating the Fortify report")
@ -280,14 +272,6 @@ func fortifyExecuteScanMetadata() config.StepData {
Mandatory: false,
Aliases: []config.Alias{},
},
{
Name: "mvnCustomArgs",
ResourceRef: []config.ResourceReference{},
Scope: []string{"PARAMETERS", "STAGES", "STEPS"},
Type: "string",
Mandatory: false,
Aliases: []config.Alias{},
},
{
Name: "modulePath",
ResourceRef: []config.ResourceReference{},
@ -416,14 +400,6 @@ func fortifyExecuteScanMetadata() config.StepData {
Mandatory: false,
Aliases: []config.Alias{},
},
{
Name: "pythonExcludes",
ResourceRef: []config.ResourceReference{},
Scope: []string{"PARAMETERS", "STAGES", "STEPS"},
Type: "string",
Mandatory: false,
Aliases: []config.Alias{},
},
{
Name: "reportDownloadEndpoint",
ResourceRef: []config.ResourceReference{},
@ -460,7 +436,7 @@ func fortifyExecuteScanMetadata() config.StepData {
Name: "src",
ResourceRef: []config.ResourceReference{},
Scope: []string{"PARAMETERS", "STAGES", "STEPS"},
Type: "string",
Type: "[]string",
Mandatory: false,
Aliases: []config.Alias{},
},
@ -468,7 +444,7 @@ func fortifyExecuteScanMetadata() config.StepData {
Name: "exclude",
ResourceRef: []config.ResourceReference{},
Scope: []string{"PARAMETERS", "STAGES", "STEPS"},
Type: "string",
Type: "[]string",
Mandatory: false,
Aliases: []config.Alias{},
},
@ -492,7 +468,7 @@ func fortifyExecuteScanMetadata() config.StepData {
Name: "pythonAdditionalPath",
ResourceRef: []config.ResourceReference{},
Scope: []string{"PARAMETERS", "STAGES", "STEPS"},
Type: "string",
Type: "[]string",
Mandatory: false,
Aliases: []config.Alias{},
},
@ -528,14 +504,6 @@ func fortifyExecuteScanMetadata() config.StepData {
Mandatory: false,
Aliases: []config.Alias{{Name: "fortifyProjectName"}},
},
{
Name: "pythonIncludes",
ResourceRef: []config.ResourceReference{},
Scope: []string{"PARAMETERS", "STAGES", "STEPS"},
Type: "string",
Mandatory: false,
Aliases: []config.Alias{},
},
{
Name: "reporting",
ResourceRef: []config.ResourceReference{},
@ -552,14 +520,6 @@ func fortifyExecuteScanMetadata() config.StepData {
Mandatory: false,
Aliases: []config.Alias{{Name: "fortifyServerUrl"}, {Name: "sscUrl"}},
},
{
Name: "buildDescriptorExcludeList",
ResourceRef: []config.ResourceReference{},
Scope: []string{"GENERAL", "PARAMETERS", "STAGES", "STEPS"},
Type: "string",
Mandatory: false,
Aliases: []config.Alias{},
},
{
Name: "pullRequestMessageRegexGroup",
ResourceRef: []config.ResourceReference{},


@ -370,7 +370,12 @@ func TestTriggerFortifyScan(t *testing.T) {
}()
runner := execRunnerMock{}
config := fortifyExecuteScanOptions{BuildTool: "maven", AutodetectClasspath: true, BuildDescriptorFile: "./pom.xml", Memory: "-Xmx4G -Xms2G", Src: "**/*.xml **/*.html **/*.jsp **/*.js src/main/resources/**/* src/main/java/**/*"}
config := fortifyExecuteScanOptions{
BuildTool: "maven",
AutodetectClasspath: true,
BuildDescriptorFile: "./pom.xml",
Memory: "-Xmx4G -Xms2G",
Src: []string{"**/*.xml", "**/*.html", "**/*.jsp", "**/*.js", "src/main/resources/**/*", "src/main/java/**/*"}}
triggerFortifyScan(config, &runner, "test", "testLabel", "my.group-myartifact")
assert.Equal(t, 3, runner.numExecutions)
@ -405,7 +410,9 @@ func TestTriggerFortifyScan(t *testing.T) {
assert.Equal(t, 5, runner.numExecutions)
assert.Equal(t, "python2", runner.executions[0].executable)
assert.Equal(t, []string{"-c", "import sys;p=sys.path;p.remove('');print(';'.join(p))"}, runner.executions[0].parameters)
separator := getSeparator()
template := fmt.Sprintf("import sys;p=sys.path;p.remove('');print('%v'.join(p))", separator)
assert.Equal(t, []string{"-c", template}, runner.executions[0].parameters)
assert.Equal(t, "pip2", runner.executions[1].executable)
assert.Equal(t, []string{"install", "--user", "-r", "./requirements.txt", ""}, runner.executions[1].parameters)
@ -414,7 +421,7 @@ func TestTriggerFortifyScan(t *testing.T) {
assert.Equal(t, []string{"install", "--user"}, runner.executions[2].parameters)
assert.Equal(t, "sourceanalyzer", runner.executions[3].executable)
assert.Equal(t, []string{"-verbose", "-64", "-b", "test", "-Xmx4G", "-Xms2G", "-python-path", "/usr/lib/python35.zip;/usr/lib/python3.5;/usr/lib/python3.5/plat-x86_64-linux-gnu;/usr/lib/python3.5/lib-dynload;/home/piper/.local/lib/python3.5/site-packages;/usr/local/lib/python3.5/dist-packages;/usr/lib/python3/dist-packages;./lib", ""}, runner.executions[3].parameters)
assert.Equal(t, []string{"-verbose", "-64", "-b", "test", "-Xmx4G", "-Xms2G", "-python-path", "/usr/lib/python35.zip;/usr/lib/python3.5;/usr/lib/python3.5/plat-x86_64-linux-gnu;/usr/lib/python3.5/lib-dynload;/home/piper/.local/lib/python3.5/site-packages;/usr/local/lib/python3.5/dist-packages;/usr/lib/python3/dist-packages;./lib", "-exclude", "./**/tests/**/*:./**/setup.py", "./**/*"}, runner.executions[3].parameters)
assert.Equal(t, "sourceanalyzer", runner.executions[4].executable)
assert.Equal(t, []string{"-verbose", "-64", "-b", "test", "-scan", "-Xmx4G", "-Xms2G", "-build-label", "testLabel", "-logfile", "target/fortify-scan.log", "-f", "target/result.fpr"}, runner.executions[4].parameters)
@ -533,7 +540,7 @@ func TestDeterminePullRequestMergeGithub(t *testing.T) {
func TestTranslateProject(t *testing.T) {
t.Run("python", func(t *testing.T) {
execRunner := execRunnerMock{}
config := fortifyExecuteScanOptions{BuildTool: "pip", Memory: "-Xmx4G", Translate: `[{"pythonPath":"./some/path","pythonIncludes":"./**/*","pythonExcludes":"./tests/**/*"}]`}
config := fortifyExecuteScanOptions{BuildTool: "pip", Memory: "-Xmx4G", Translate: `[{"pythonPath":"./some/path","src":"./**/*","exclude":"./tests/**/*"}]`}
translateProject(&config, &execRunner, "/commit/7267658798797", "")
assert.Equal(t, "sourceanalyzer", execRunner.executions[0].executable, "Expected different executable")
assert.Equal(t, []string{"-verbose", "-64", "-b", "/commit/7267658798797", "-Xmx4G", "-python-path", "./some/path", "-exclude", "./tests/**/*", "./**/*"}, execRunner.executions[0].parameters, "Expected different parameters")
@ -544,7 +551,7 @@ func TestTranslateProject(t *testing.T) {
config := fortifyExecuteScanOptions{BuildTool: "windows", Memory: "-Xmx6G", Translate: `[{"aspnetcore":"true","dotNetCoreVersion":"3.5","exclude":"./tests/**/*","libDirs":"tmp/","src":"./**/*"}]`}
translateProject(&config, &execRunner, "/commit/7267658798797", "")
assert.Equal(t, "sourceanalyzer", execRunner.executions[0].executable, "Expected different executable")
assert.Equal(t, []string{"-verbose", "-64", "-b", "/commit/7267658798797", "-Xmx6G", "-aspnetcore", "-dotnet-core-version", "3.5", "-exclude", "./tests/**/*", "-libdirs", "tmp/", "./**/*"}, execRunner.executions[0].parameters, "Expected different parameters")
assert.Equal(t, []string{"-verbose", "-64", "-b", "/commit/7267658798797", "-Xmx6G", "-aspnetcore", "-dotnet-core-version", "3.5", "-libdirs", "tmp/", "-exclude", "./tests/**/*", "./**/*"}, execRunner.executions[0].parameters, "Expected different parameters")
})
t.Run("java", func(t *testing.T) {
@ -613,52 +620,66 @@ func TestAutoresolveClasspath(t *testing.T) {
func TestPopulateMavenTranslate(t *testing.T) {
t.Run("src without translate", func(t *testing.T) {
config := fortifyExecuteScanOptions{Src: "./**/*"}
config := fortifyExecuteScanOptions{Src: []string{"./**/*"}}
translate, err := populateMavenTranslate(&config, "")
assert.NoError(t, err)
assert.Equal(t, `[{"classpath":"","src":"./**/*"}]`, translate, "Expected different parameters")
assert.Equal(t, `[{"classpath":"","src":"./**/*"}]`, translate)
})
t.Run("exclude without translate", func(t *testing.T) {
config := fortifyExecuteScanOptions{Exclude: "./**/*"}
config := fortifyExecuteScanOptions{Exclude: []string{"./**/*"}}
translate, err := populateMavenTranslate(&config, "")
assert.NoError(t, err)
assert.Equal(t, `[{"classpath":"","exclude":"./**/*"}]`, translate, "Expected different parameters")
assert.Equal(t, `[{"classpath":"","exclude":"./**/*","src":"**/*.xml:**/*.html:**/*.jsp:**/*.js:**/src/main/resources/**/*:**/src/main/java/**/*"}]`, translate)
})
t.Run("with translate", func(t *testing.T) {
config := fortifyExecuteScanOptions{Translate: `[{"classpath":""}]`, Src: "./**/*", Exclude: "./**/*"}
config := fortifyExecuteScanOptions{Translate: `[{"classpath":""}]`, Src: []string{"./**/*"}, Exclude: []string{"./**/*"}}
translate, err := populateMavenTranslate(&config, "ignored/path")
assert.NoError(t, err)
assert.Equal(t, `[{"classpath":""}]`, translate, "Expected different parameters")
assert.Equal(t, `[{"classpath":""}]`, translate)
})
}
func TestPopulatePipTranslate(t *testing.T) {
t.Run("PythonAdditionalPath without translate", func(t *testing.T) {
config := fortifyExecuteScanOptions{PythonAdditionalPath: "./lib;."}
config := fortifyExecuteScanOptions{PythonAdditionalPath: []string{"./lib", "."}}
translate, err := populatePipTranslate(&config, "")
separator := getSeparator()
expected := fmt.Sprintf(`[{"exclude":"./**/tests/**/*%v./**/setup.py","pythonPath":"%v./lib%v.","src":"./**/*"}]`,
separator, separator, separator)
assert.NoError(t, err)
assert.Equal(t, `[{"pythonExcludes":"","pythonIncludes":"","pythonPath":";./lib;."}]`, translate, "Expected different parameters")
assert.Equal(t, expected, translate)
})
t.Run("PythonIncludes without translate", func(t *testing.T) {
config := fortifyExecuteScanOptions{PythonIncludes: "./**/*"}
t.Run("Src without translate", func(t *testing.T) {
config := fortifyExecuteScanOptions{Src: []string{"./**/*.py"}}
translate, err := populatePipTranslate(&config, "")
separator := getSeparator()
expected := fmt.Sprintf(
`[{"exclude":"./**/tests/**/*%v./**/setup.py","pythonPath":"%v","src":"./**/*.py"}]`,
separator, separator)
assert.NoError(t, err)
assert.Equal(t, `[{"pythonExcludes":"","pythonIncludes":"./**/*","pythonPath":";"}]`, translate, "Expected different parameters")
assert.Equal(t, expected, translate)
})
t.Run("PythonExcludes without translate", func(t *testing.T) {
config := fortifyExecuteScanOptions{PythonExcludes: "-exclude ./**/tests/**/*;./**/setup.py"}
t.Run("Exclude without translate", func(t *testing.T) {
config := fortifyExecuteScanOptions{Exclude: []string{"./**/tests/**/*"}}
translate, err := populatePipTranslate(&config, "")
separator := getSeparator()
expected := fmt.Sprintf(
`[{"exclude":"./**/tests/**/*","pythonPath":"%v","src":"./**/*"}]`,
separator)
assert.NoError(t, err)
assert.Equal(t, `[{"pythonExcludes":"./**/tests/**/*;./**/setup.py","pythonIncludes":"","pythonPath":";"}]`, translate, "Expected different parameters")
assert.Equal(t, expected, translate)
})
t.Run("with translate", func(t *testing.T) {
config := fortifyExecuteScanOptions{Translate: `[{"pythonPath":""}]`, PythonIncludes: "./**/*", PythonAdditionalPath: "./lib;."}
config := fortifyExecuteScanOptions{
Translate: `[{"pythonPath":""}]`,
Src: []string{"./**/*"},
PythonAdditionalPath: []string{"./lib", "."}}
translate, err := populatePipTranslate(&config, "ignored/path")
assert.NoError(t, err)
assert.Equal(t, `[{"pythonPath":""}]`, translate, "Expected different parameters")


@ -12,10 +12,10 @@ spec:
inputs:
secrets:
- name: fortifyCredentialsId
description: Jenkins 'Secret text' credentials ID containing token to authenticate to Fortify SSC.
description: "Jenkins 'Secret text' credentials ID containing token to authenticate to Fortify SSC."
type: jenkins
- name: githubTokenCredentialsId
description: Jenkins 'Secret text' credentials ID containing token to authenticate to GitHub.
description: "Jenkins 'Secret text' credentials ID containing token to authenticate to GitHub."
type: jenkins
resources:
- name: commonPipelineEnvironment
@ -32,235 +32,228 @@ spec:
params:
- name: authToken
type: string
description: The FortifyToken to use for authentication
description: "The FortifyToken to use for authentication"
scope:
- PARAMETERS
- STAGES
- STEPS
- PARAMETERS
- STAGES
- STEPS
mandatory: true
secret: true
- name: githubToken
description: GitHub personal access token as per https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
description: "GitHub personal access token as per
https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line"
scope:
- GENERAL
- PARAMETERS
- STAGES
- STEPS
- GENERAL
- PARAMETERS
- STAGES
- STEPS
type: string
secret: true
- name: autoCreate
type: bool
description: Whether Fortify project and project version shall be implicitly auto created in case they cannot be found in the backend
description: "Whether Fortify project and project version shall be implicitly auto created in case they
cannot be found in the backend"
scope:
- PARAMETERS
- STAGES
- STEPS
- name: mvnCustomArgs
type: string
description: Allows providing additional Maven command line parameters
scope:
- PARAMETERS
- STAGES
- STEPS
default: ''
- PARAMETERS
- STAGES
- STEPS
- name: modulePath
type: string
description: Allows providing the path for the module to scan
description: "Allows providing the path for the module to scan"
scope:
- PARAMETERS
- STAGES
- STEPS
- PARAMETERS
- STAGES
- STEPS
default: './'
- name: pythonRequirementsFile
type: string
description: 'The requirements file used in `buildTool: ''pip''` to populate
the build environment with the necessary dependencies'
description: "The requirements file used in `buildTool: 'pip'` to populate
the build environment with the necessary dependencies"
scope:
- PARAMETERS
- STAGES
- STEPS
- PARAMETERS
- STAGES
- STEPS
- name: autodetectClasspath
type: bool
description: Whether the classpath is automatically determined via build tool i.e. maven or pip or not at all
description: "Whether the classpath is automatically determined via build tool i.e. maven or pip or not at all"
scope:
- PARAMETERS
- STAGES
- STEPS
- PARAMETERS
- STAGES
- STEPS
default: true
- name: mustAuditIssueGroups
type: string
description: Comma separated list of issue groups that must be audited completely
description: "Comma separated list of issue groups that must be audited completely"
scope:
- PARAMETERS
- STAGES
- STEPS
default: 'Corporate Security Requirements, Audit All'
- PARAMETERS
- STAGES
- STEPS
default: "Corporate Security Requirements, Audit All"
- name: spotAuditIssueGroups
type: string
description: 'Comma separated list of issue groups that are spot checked and for which `spotCheckMinimum` audited issues are enforced'
description: "Comma separated list of issue groups that are spot checked and for which `spotCheckMinimum`
audited issues are enforced"
scope:
- PARAMETERS
- STAGES
- STEPS
default: 'Spot Checks of Each Category'
- PARAMETERS
- STAGES
- STEPS
default: "Spot Checks of Each Category"
- name: pythonRequirementsInstallSuffix
type: string
description: 'The suffix for the command used to install the requirements file in `buildTool: ''pip''` to populate
the build environment with the necessary dependencies'
description: "The suffix for the command used to install the requirements file in `buildTool: 'pip'` to populate
the build environment with the necessary dependencies"
scope:
- PARAMETERS
- STAGES
- STEPS
- PARAMETERS
- STAGES
- STEPS
- name: pythonVersion
type: string
description: 'Python version to be used in `buildTool: ''pip''`'
description: "Python version to be used in `buildTool: 'pip'`"
scope:
- GENERAL
- PARAMETERS
- STAGES
- STEPS
- GENERAL
- PARAMETERS
- STAGES
- STEPS
default: python3
- name: uploadResults
type: bool
description: Whether results shall be uploaded or not
description: "Whether results shall be uploaded or not"
scope:
- PARAMETERS
- STAGES
- STEPS
- PARAMETERS
- STAGES
- STEPS
default: true
- name: buildDescriptorFile
type: string
description: 'Path to the build descriptor file addressing the module/folder
description: "Path to the build descriptor file addressing the module/folder
to be scanned. Defaults are for buildTool=`maven`: `./pom.xml`, buildTool=`pip`:
`./setup.py`.'
`./setup.py`."
scope:
- PARAMETERS
- STAGES
- STEPS
- PARAMETERS
- STAGES
- STEPS
- name: commitId
description: 'Set the Git commit ID for identifying artifacts throughout the scan.'
description: "Set the Git commit ID for identifying artifacts throughout the scan."
resourceRef:
- name: commonPipelineEnvironment
param: git/commitId
scope:
- PARAMETERS
- STAGES
- STEPS
- PARAMETERS
- STAGES
- STEPS
type: string
- name: commitMessage
description: 'Set the Git commit message for identifying pull request merges throughout the scan.'
description: "Set the Git commit message for identifying pull request merges throughout the scan."
resourceRef:
- name: commonPipelineEnvironment
param: git/commitMessage
scope:
- PARAMETERS
- STAGES
- STEPS
- PARAMETERS
- STAGES
- STEPS
type: string
- name: githubApiUrl
description: Set the GitHub API url.
description: "Set the GitHub API URL."
scope:
- GENERAL
- PARAMETERS
- STAGES
- STEPS
- GENERAL
- PARAMETERS
- STAGES
- STEPS
type: string
default: https://api.github.com
default: "https://api.github.com"
- name: owner
aliases:
- name: githubOrg
description: 'Set the GitHub organization.'
description: "Set the GitHub organization."
resourceRef:
- name: commonPipelineEnvironment
param: github/owner
scope:
- PARAMETERS
- STAGES
- STEPS
- PARAMETERS
- STAGES
- STEPS
type: string
- name: repository
aliases:
- name: githubRepo
description: 'Set the GitHub repository.'
description: "Set the GitHub repository."
resourceRef:
- name: commonPipelineEnvironment
param: github/repository
scope:
- PARAMETERS
- STAGES
- STEPS
- PARAMETERS
- STAGES
- STEPS
type: string
- name: memory
type: string
description: The amount of memory granted to the translate/scan executions
description: "The amount of memory granted to the translate/scan executions"
scope:
- PARAMETERS
- STAGES
- STEPS
default: -Xmx4G -Xms512M
- PARAMETERS
- STAGES
- STEPS
default: "-Xmx4G -Xms512M"
- name: updateRulePack
type: bool
description: Whether the rule pack shall be updated and pulled from Fortify SSC before scanning or not
description: "Whether the rule pack shall be updated and pulled from Fortify SSC before scanning or not"
scope:
- PARAMETERS
- STAGES
- STEPS
- PARAMETERS
- STAGES
- STEPS
default: true
- name: pythonExcludes
type: string
description: 'The excludes pattern used in `buildTool: ''pip''` for excluding
specific .py files i.e. tests'
scope:
- PARAMETERS
- STAGES
- STEPS
default: -exclude ./**/tests/**/*;./**/setup.py
deprecated: true
- name: reportDownloadEndpoint
aliases:
- name: fortifyReportDownloadEndpoint
type: string
description: Fortify SSC endpoint for Report downloads
description: "Fortify SSC endpoint for Report downloads"
scope:
- GENERAL
- PARAMETERS
- STAGES
- STEPS
default: /transfer/reportDownload.html
- GENERAL
- PARAMETERS
- STAGES
- STEPS
default: "/transfer/reportDownload.html"
- name: pollingMinutes
type: int
description: The number of minutes for which an uploaded FPR artifact's status is being polled to finish queuing/processing, if exceeded polling will be stopped and an error will be thrown
description: "The number of minutes for which an uploaded FPR artifact''s status is being polled to finish
queuing/processing, if exceeded polling will be stopped and an error will be thrown"
scope:
- PARAMETERS
- STAGES
- STEPS
- PARAMETERS
- STAGES
- STEPS
default: 30
- name: quickScan
type: bool
description: Whether a quick scan should be performed, please consult the related Fortify documentation on JAM on the impact of this setting
description: "Whether a quick scan should be performed, please consult the related Fortify documentation on
JAM on the impact of this setting"
scope:
- PARAMETERS
- STAGES
- STEPS
- PARAMETERS
- STAGES
- STEPS
default: false
- name: translate
type: string
description: "Options for translate phase of Fortify. Most likely, you do not need to set this parameter. See src, exclude. If `'src'` and `'exclude'` are set they are automatically used. Technical details: It has to be a JSON string of list of maps with required key `'src'`, and optional keys `'exclude'`, `'libDirs'`, `'aspnetcore'`, and `'dotNetCoreVersion'`"
description: "Options for translate phase of Fortify. Most likely, you do not need to set this parameter.
See src, exclude. If `'src'` and `'exclude'` are set they are automatically used. Technical details:
It has to be a JSON string of list of maps with required key `'src'`, and optional keys `'exclude'`,
`'libDirs'`, `'aspnetcore'`, and `'dotNetCoreVersion'`"
scope:
- PARAMETERS
- STAGES
- STEPS
- name: src
type: string
description: Source directories to scan. Multiple entries are separated by space and wildcards can be used, e.g., `'src/main/resources/**/* src/main/java/**/*'`. If `translate` is set, this will ignored.
type: "[]string"
description: "A list of source directories to scan. Wildcards can be used, e.g., `'src/main/java/**/*'`.
If `'translate'` is set, this will ignored. The default value for `buildTool: 'maven'` is
['**/*.xml', '**/*.html', '**/*.jsp', '**/*.js', '**/src/main/resources/**/*', '**/src/main/java/**/*'], for
`buildTool: 'pip'` it is ['./**/*']."
scope:
- PARAMETERS
- STAGES
- STEPS
default: "**/*.xml **/*.html **/*.jsp **/*.js **/src/main/resources/**/* **/src/main/java/**/*"
- name: exclude
type: string
description: Exludes directories/files from scan. Multiple entries are separated by semicolon and wildcards can be used, e.g., `'fileA;fileB;**/Test.java;'`. If `translate` is set, this will ignored.
type: "[]string"
description: "A list of directories/files to be excluded from the scan. Wildcards can be used, e.g.,
`'**/Test.java'`. If `translate` is set, this will ignored."
scope:
- PARAMETERS
- STAGES
@ -269,198 +262,183 @@ spec:
aliases:
- name: fortifyApiEndpoint
type: string
description: Fortify SSC endpoint used for uploading the scan results and checking the audit state
description: "Fortify SSC endpoint used for uploading the scan results and checking the audit state"
scope:
- GENERAL
- PARAMETERS
- STAGES
- STEPS
default: /api/v1
- GENERAL
- PARAMETERS
- STAGES
- STEPS
default: "/api/v1"
- name: reportType
type: string
description: The type of report to be generated
scope:
- PARAMETERS
- STAGES
- STEPS
default: PDF
- PARAMETERS
- STAGES
- STEPS
default: "PDF"
- name: pythonAdditionalPath
type: string
description: 'The addional path which can be used in `buildTool: ''pip''` for
customization purposes'
type: "[]string"
description: "A list of additional paths which can be used in `buildTool: 'pip'` for customization purposes"
scope:
- PARAMETERS
- STAGES
- STEPS
default: ./lib;.
- PARAMETERS
- STAGES
- STEPS
default: ["./lib", "."]
deprecated: true
- name: artifactUrl
type: string
description: 'Path/Url pointing to an additional artifact repository for resolution of additional artifacts during the build'
description: "Path/URL pointing to an additional artifact repository for resolution of additional
artifacts during the build"
scope:
- PARAMETERS
- STAGES
- STEPS
- PARAMETERS
- STAGES
- STEPS
- name: considerSuspicious
type: bool
description: Whether suspicious issues should trigger the check to fail or not
description: "Whether suspicious issues should trigger the check to fail or not"
scope:
- PARAMETERS
- STAGES
- STEPS
- PARAMETERS
- STAGES
- STEPS
default: true
- name: fprUploadEndpoint
aliases:
- name: fortifyFprUploadEndpoint
- name: fortifyFprUploadEndpoint
type: string
description: Fortify SSC endpoint for FPR uploads
description: "Fortify SSC endpoint for FPR uploads"
scope:
- GENERAL
- PARAMETERS
- STAGES
- STEPS
default: /upload/resultFileUpload.html
- GENERAL
- PARAMETERS
- STAGES
- STEPS
default: "/upload/resultFileUpload.html"
- name: projectName
aliases:
- name: fortifyProjectName
- name: fortifyProjectName
type: string
description: The project used for reporting results in SSC
description: "The project used for reporting results in SSC"
scope:
- PARAMETERS
- STAGES
- STEPS
- PARAMETERS
- STAGES
- STEPS
default: '{{list .GroupID .ArtifactID | join "-" | trimAll "-"}}'
- name: pythonIncludes
type: string
description: 'The includes pattern used in `buildTool: ''pip''` for including
.py files'
scope:
- PARAMETERS
- STAGES
- STEPS
default: ./**/*
deprecated: true
- name: reporting
type: bool
description: Influences whether a report is generated or not
scope:
- PARAMETERS
- STAGES
- STEPS
- PARAMETERS
- STAGES
- STEPS
default: false
- name: serverUrl
aliases:
- name: fortifyServerUrl
- name: sscUrl
deprecated: true
- name: fortifyServerUrl
- name: sscUrl
deprecated: true
type: string
description: Fortify SSC Url to be used for accessing the APIs
description: "Fortify SSC Url to be used for accessing the APIs"
scope:
- GENERAL
- PARAMETERS
- STAGES
- STEPS
- name: buildDescriptorExcludeList
type: string
description: Build descriptor files to exclude modules from being scanned
scope:
- GENERAL
- PARAMETERS
- STAGES
- STEPS
default: []
- GENERAL
- PARAMETERS
- STAGES
- STEPS
- name: pullRequestMessageRegexGroup
type: int
description: The group number for extracting the pull request id in `pullRequestMessageRegex`
description: "The group number for extracting the pull request id in `'pullRequestMessageRegex'`"
scope:
- PARAMETERS
- STAGES
- STEPS
- PARAMETERS
- STAGES
- STEPS
default: 1
- name: deltaMinutes
type: int
description: The number of minutes for which an uploaded FPR artifact is considered to be recent and healthy, if exceeded an error will be thrown
description: "The number of minutes for which an uploaded FPR artifact is considered to be recent and
healthy, if exceeded an error will be thrown"
scope:
- PARAMETERS
- STAGES
- STEPS
- PARAMETERS
- STAGES
- STEPS
default: 5
- name: spotCheckMinimum
type: int
description: The minimum number of issues that must be audited per category in the `Spot Checks of each Category` folder to avoid an error being thrown
description: "The minimum number of issues that must be audited per category in the `Spot Checks of each
Category` folder to avoid an error being thrown"
scope:
- PARAMETERS
- STAGES
- STEPS
- PARAMETERS
- STAGES
- STEPS
default: 1
- name: fprDownloadEndpoint
aliases:
- name: fortifyFprDownloadEndpoint
- name: fortifyFprDownloadEndpoint
type: string
description: Fortify SSC endpoint for FPR downloads
description: "Fortify SSC endpoint for FPR downloads"
scope:
- GENERAL
- PARAMETERS
- STAGES
- STEPS
default: /download/currentStateFprDownload.html
- GENERAL
- PARAMETERS
- STAGES
- STEPS
default: "/download/currentStateFprDownload.html"
- name: defaultVersioningModel
type: string
description: The default project versioning model used in case `projectVersion` parameter is empty for creating the version based on the build descriptor version to report results in SSC, can be one of `'major'`, `'major-minor'`, `'semantic'`, `'full'`
description: "The default project versioning model used in case `projectVersion` parameter is empty for
creating the version based on the build descriptor version to report results in SSC, can be one of `'major'`,
`'major-minor'`, `'semantic'`, `'full'`"
scope:
- PARAMETERS
- STAGES
- STEPS
default: 'major'
- PARAMETERS
- STAGES
- STEPS
default: "major"
- name: pythonInstallCommand
type: string
description: 'Additional install command that can be run when `buildTool: ''pip''`
is used which allows further customizing the execution environment of the
scan'
description: "Additional install command that can be run when `buildTool: 'pip'`
is used which allows further customizing the execution environment of the scan"
scope:
- PARAMETERS
- STAGES
- STEPS
- PARAMETERS
- STAGES
- STEPS
default: "{{.Pip}} install --user ."
- name: reportTemplateId
type: int
description: Report template ID to be used for generating the Fortify report
description: "Report template ID to be used for generating the Fortify report"
scope:
- PARAMETERS
- STAGES
- STEPS
- PARAMETERS
- STAGES
- STEPS
default: 18
- name: filterSetTitle
type: string
description: Title of the filter set to use for analysing the results
description: "Title of the filter set to use for analysing the results"
scope:
- PARAMETERS
- STAGES
- STEPS
- PARAMETERS
- STAGES
- STEPS
default: "SAP"
- name: pullRequestName
type: string
description: The name of the pull request branch which will trigger creation of a new version in Fortify SSC based on the master branch version
description: "The name of the pull request branch which will trigger creation of a new version in Fortify
SSC based on the master branch version"
scope:
- PARAMETERS
- STAGES
- STEPS
- PARAMETERS
- STAGES
- STEPS
- name: pullRequestMessageRegex
type: string
description: Regex used to identify the PR-XXX reference within the merge commit message
description: "Regex used to identify the PR-XXX reference within the merge commit message"
scope:
- PARAMETERS
- STAGES
- STEPS
- PARAMETERS
- STAGES
- STEPS
default: '.*Merge pull request #(\\d+) from.*'
- name: buildTool
type: string
description: Scan type used for the step which can be `'maven'`, `'pip'`
description: "Scan type used for the step which can be `'maven'`, `'pip'`"
scope:
- GENERAL
- PARAMETERS
- STAGES
- STEPS
- GENERAL
- PARAMETERS
- STAGES
- STEPS
default: maven
# Global maven settings, should be added to all maven steps
- name: projectSettingsFile
@ -494,8 +472,8 @@ spec:
aliases:
- name: maven/m2Path
containers:
- image: ppiper/fortify
workingDir: /home/piper
- image: "ppiper/fortify"
workingDir: "/home/piper"
outputs:
resources:
- name: influx
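Review bot: The re-quoted `pollingMinutes` description now sits in a double-quoted YAML scalar, where `''` is no longer a single-quote escape, so `artifact''s` will surface verbatim with two apostrophes in generated CLI help and docs; change it to `artifact's`. The commit message says `pythonIncludes` and `pythonExcludes` are re-implemented as aliases of `src` and `exclude`, but neither entry in this section carries an `aliases:` block naming them, so unless that mapping lives elsewhere a pipeline that still sets `pythonExcludes` would have its custom exclusions silently dropped and the scan would cover files it meant to skip; if the alias is intended, add `aliases:` / `- name: pythonExcludes` / `deprecated: true` under `exclude` and the `pythonIncludes` counterpart under `src`. The rewritten `src` and `exclude` descriptions also carry over the old wording `this will ignored`, which should read `this will be ignored`.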