1
0
mirror of https://github.com/SAP/jenkins-library.git synced 2024-12-12 10:55:20 +02:00

detectExecuteScan : Bug fix : Dont consider ignored components (#3867)

* fix project version limiting issue

* add tests for detectExecute

* fix bug with vuln count

* adjust unit tests

* update documentation for detect versions
This commit is contained in:
Giridhar Shenoy 2022-07-11 10:50:31 +02:00 committed by GitHub
parent c4868f566f
commit e6115a54b2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 27 additions and 3 deletions

View File

@ -443,6 +443,9 @@ func createVulnerabilityReport(config detectExecuteScanOptions, vulns *bd.Vulner
}
func isActiveVulnerability(v bd.Vulnerability) bool {
if v.Ignored {
return false
}
switch v.VulnerabilityWithRemediation.RemediationStatus {
case "NEW":
return true
@ -456,6 +459,9 @@ func isActiveVulnerability(v bd.Vulnerability) bool {
}
func isMajorVulnerability(v bd.Vulnerability) bool {
if v.Ignored {
return false
}
switch v.VulnerabilityWithRemediation.Severity {
case "CRITICAL":
return true

View File

@ -270,7 +270,7 @@ func addDetectExecuteScanFlags(cmd *cobra.Command, stepConfig *detectExecuteScan
cmd.Flags().StringSliceVar(&stepConfig.MavenExcludedScopes, "mavenExcludedScopes", []string{}, "The maven scopes that need to be excluded from the scan. For example, setting the value 'test' will exclude all components which are defined with a test scope in maven")
cmd.Flags().StringSliceVar(&stepConfig.DetectTools, "detectTools", []string{}, "The type of BlackDuck scanners to include while running the BlackDuck scan. By default All scanners are included. For the complete list of possible values, Please refer [Synopsys detect documentation](https://synopsys.atlassian.net/wiki/spaces/INTDOCS/pages/631407160/Configuring+Detect+General+Properties#Detect-tools-included)")
cmd.Flags().BoolVar(&stepConfig.ScanOnChanges, "scanOnChanges", false, "This flag determines if the scan is submitted to the server. If set to true, then the scan request is submitted to the server only when changes are detected in the Open Source Bill of Materials If the flag is set to false, then the scan request is submitted to server regardless of any changes. For more details please refer to the [documentation](https://github.com/blackducksoftware/detect_rescan/blob/master/README.md)")
cmd.Flags().StringSliceVar(&stepConfig.CustomEnvironmentVariables, "customEnvironmentVariables", []string{}, "A list of environment variables which can be set to prepare the environment to run a BlackDuck scan. This includes a list of environment variables defined by Synopsys. The full list can be found [here](https://synopsys.atlassian.net/wiki/spaces/IA/pages/1562214619/Shell+Script+Reference+6.9.0) This list affects the detect script downloaded while running the scan. By default detect7.sh will be used. To continue using detect6, please use DETECT_LATEST_RELEASE_VERSION and set it to a valid value defined [here](https://community.synopsys.com/s/document-item?bundleId=integrations-detect&topicId=releasenotes.html&_LANG=enus)")
cmd.Flags().StringSliceVar(&stepConfig.CustomEnvironmentVariables, "customEnvironmentVariables", []string{}, "A list of environment variables which can be set to prepare the environment to run a BlackDuck scan. This includes a list of environment variables defined by Synopsys. The full list can be found [here](https://synopsys.atlassian.net/wiki/spaces/IA/pages/1562214619/Shell+Script+Reference+6.9.0) This list affects the detect script downloaded while running the scan. By default detect7.sh will be used. To continue using different versions of detect, please use DETECT_LATEST_RELEASE_VERSION and set it to a valid value defined [here](https://community.synopsys.com/s/document-item?bundleId=integrations-detect&topicId=releasenotes.html&_LANG=enus) Additionally, please note, depending on the Project certain versions of detect will be required. For example: For Swift version 5.5 and lower, Detect 7.13.0 is the minimum required version. For Swift version 5.6 and higher, Detect 7.14.0 is required ")
cmd.Flags().StringVar(&stepConfig.GithubToken, "githubToken", os.Getenv("PIPER_githubToken"), "GitHub personal access token as per https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line")
cmd.Flags().BoolVar(&stepConfig.CreateResultIssue, "createResultIssue", false, "Activate creation of a result issue in GitHub.")
cmd.Flags().StringVar(&stepConfig.GithubAPIURL, "githubApiUrl", `https://api.github.com`, "Set the GitHub API URL.")

View File

@ -639,9 +639,22 @@ func TestIsMajorVulnerability(t *testing.T) {
v := bd.Vulnerability{
Name: "",
VulnerabilityWithRemediation: vr,
Ignored: false,
}
assert.True(t, isMajorVulnerability(v))
})
t.Run("Case Ignored Components", func(t *testing.T) {
vr := bd.VulnerabilityWithRemediation{
OverallScore: 7.5,
Severity: "HIGH",
}
v := bd.Vulnerability{
Name: "",
VulnerabilityWithRemediation: vr,
Ignored: true,
}
assert.False(t, isMajorVulnerability(v))
})
t.Run("Case False", func(t *testing.T) {
vr := bd.VulnerabilityWithRemediation{
OverallScore: 7.5,
@ -650,6 +663,7 @@ func TestIsMajorVulnerability(t *testing.T) {
v := bd.Vulnerability{
Name: "",
VulnerabilityWithRemediation: vr,
Ignored: false,
}
assert.False(t, isMajorVulnerability(v))
})

View File

@ -79,6 +79,7 @@ type Vulnerabilities struct {
type Vulnerability struct {
Name string `json:"componentName,omitempty"`
Version string `json:"componentVersionName,omitempty"`
Ignored bool `json:"ignored,omitempty"`
VulnerabilityWithRemediation `json:"vulnerabilityWithRemediation,omitempty"`
}

View File

@ -297,8 +297,11 @@ spec:
description:
"A list of environment variables which can be set to prepare the environment to run a BlackDuck scan. This includes a list of environment variables defined by
Synopsys. The full list can be found [here](https://synopsys.atlassian.net/wiki/spaces/IA/pages/1562214619/Shell+Script+Reference+6.9.0)
This list affects the detect script downloaded while running the scan. By default detect7.sh will be used. To continue using detect6, please use DETECT_LATEST_RELEASE_VERSION and set it to a valid value
defined [here](https://community.synopsys.com/s/document-item?bundleId=integrations-detect&topicId=releasenotes.html&_LANG=enus)"
This list affects the detect script downloaded while running the scan. By default detect7.sh will be used. To continue using different versions of detect, please use DETECT_LATEST_RELEASE_VERSION and set it to a valid value
defined [here](https://community.synopsys.com/s/document-item?bundleId=integrations-detect&topicId=releasenotes.html&_LANG=enus)
Additionally, please note, depending on the Project certain versions of detect will be required.
For example: For Swift version 5.5 and lower, Detect 7.13.0 is the minimum required version.
For Swift version 5.6 and higher, Detect 7.14.0 is required "
type: "[]string"
scope:
- PARAMETERS