mirror of
https://github.com/SAP/jenkins-library.git
synced 2024-12-12 10:55:20 +02:00
detectExecuteScan : Bug fix : Dont consider ignored components (#3867)
* fix project version limiting issue * add tests for detectExecute * fix bug with vuln count * adjust unit tests * update documentation for detect versions
This commit is contained in:
parent
c4868f566f
commit
e6115a54b2
@ -443,6 +443,9 @@ func createVulnerabilityReport(config detectExecuteScanOptions, vulns *bd.Vulner
|
||||
}
|
||||
|
||||
func isActiveVulnerability(v bd.Vulnerability) bool {
|
||||
if v.Ignored {
|
||||
return false
|
||||
}
|
||||
switch v.VulnerabilityWithRemediation.RemediationStatus {
|
||||
case "NEW":
|
||||
return true
|
||||
@ -456,6 +459,9 @@ func isActiveVulnerability(v bd.Vulnerability) bool {
|
||||
}
|
||||
|
||||
func isMajorVulnerability(v bd.Vulnerability) bool {
|
||||
if v.Ignored {
|
||||
return false
|
||||
}
|
||||
switch v.VulnerabilityWithRemediation.Severity {
|
||||
case "CRITICAL":
|
||||
return true
|
||||
|
@ -270,7 +270,7 @@ func addDetectExecuteScanFlags(cmd *cobra.Command, stepConfig *detectExecuteScan
|
||||
cmd.Flags().StringSliceVar(&stepConfig.MavenExcludedScopes, "mavenExcludedScopes", []string{}, "The maven scopes that need to be excluded from the scan. For example, setting the value 'test' will exclude all components which are defined with a test scope in maven")
|
||||
cmd.Flags().StringSliceVar(&stepConfig.DetectTools, "detectTools", []string{}, "The type of BlackDuck scanners to include while running the BlackDuck scan. By default All scanners are included. For the complete list of possible values, Please refer [Synopsys detect documentation](https://synopsys.atlassian.net/wiki/spaces/INTDOCS/pages/631407160/Configuring+Detect+General+Properties#Detect-tools-included)")
|
||||
cmd.Flags().BoolVar(&stepConfig.ScanOnChanges, "scanOnChanges", false, "This flag determines if the scan is submitted to the server. If set to true, then the scan request is submitted to the server only when changes are detected in the Open Source Bill of Materials If the flag is set to false, then the scan request is submitted to server regardless of any changes. For more details please refer to the [documentation](https://github.com/blackducksoftware/detect_rescan/blob/master/README.md)")
|
||||
cmd.Flags().StringSliceVar(&stepConfig.CustomEnvironmentVariables, "customEnvironmentVariables", []string{}, "A list of environment variables which can be set to prepare the environment to run a BlackDuck scan. This includes a list of environment variables defined by Synopsys. The full list can be found [here](https://synopsys.atlassian.net/wiki/spaces/IA/pages/1562214619/Shell+Script+Reference+6.9.0) This list affects the detect script downloaded while running the scan. By default detect7.sh will be used. To continue using detect6, please use DETECT_LATEST_RELEASE_VERSION and set it to a valid value defined [here](https://community.synopsys.com/s/document-item?bundleId=integrations-detect&topicId=releasenotes.html&_LANG=enus)")
|
||||
cmd.Flags().StringSliceVar(&stepConfig.CustomEnvironmentVariables, "customEnvironmentVariables", []string{}, "A list of environment variables which can be set to prepare the environment to run a BlackDuck scan. This includes a list of environment variables defined by Synopsys. The full list can be found [here](https://synopsys.atlassian.net/wiki/spaces/IA/pages/1562214619/Shell+Script+Reference+6.9.0) This list affects the detect script downloaded while running the scan. By default detect7.sh will be used. To continue using different versions of detect, please use DETECT_LATEST_RELEASE_VERSION and set it to a valid value defined [here](https://community.synopsys.com/s/document-item?bundleId=integrations-detect&topicId=releasenotes.html&_LANG=enus) Additionally, please note, depending on the Project certain versions of detect will be required. For example: For Swift version 5.5 and lower, Detect 7.13.0 is the minimum required version. For Swift version 5.6 and higher, Detect 7.14.0 is required ")
|
||||
cmd.Flags().StringVar(&stepConfig.GithubToken, "githubToken", os.Getenv("PIPER_githubToken"), "GitHub personal access token as per https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line")
|
||||
cmd.Flags().BoolVar(&stepConfig.CreateResultIssue, "createResultIssue", false, "Activate creation of a result issue in GitHub.")
|
||||
cmd.Flags().StringVar(&stepConfig.GithubAPIURL, "githubApiUrl", `https://api.github.com`, "Set the GitHub API URL.")
|
||||
|
@ -639,9 +639,22 @@ func TestIsMajorVulnerability(t *testing.T) {
|
||||
v := bd.Vulnerability{
|
||||
Name: "",
|
||||
VulnerabilityWithRemediation: vr,
|
||||
Ignored: false,
|
||||
}
|
||||
assert.True(t, isMajorVulnerability(v))
|
||||
})
|
||||
t.Run("Case Ignored Components", func(t *testing.T) {
|
||||
vr := bd.VulnerabilityWithRemediation{
|
||||
OverallScore: 7.5,
|
||||
Severity: "HIGH",
|
||||
}
|
||||
v := bd.Vulnerability{
|
||||
Name: "",
|
||||
VulnerabilityWithRemediation: vr,
|
||||
Ignored: true,
|
||||
}
|
||||
assert.False(t, isMajorVulnerability(v))
|
||||
})
|
||||
t.Run("Case False", func(t *testing.T) {
|
||||
vr := bd.VulnerabilityWithRemediation{
|
||||
OverallScore: 7.5,
|
||||
@ -650,6 +663,7 @@ func TestIsMajorVulnerability(t *testing.T) {
|
||||
v := bd.Vulnerability{
|
||||
Name: "",
|
||||
VulnerabilityWithRemediation: vr,
|
||||
Ignored: false,
|
||||
}
|
||||
assert.False(t, isMajorVulnerability(v))
|
||||
})
|
||||
|
@ -79,6 +79,7 @@ type Vulnerabilities struct {
|
||||
type Vulnerability struct {
|
||||
Name string `json:"componentName,omitempty"`
|
||||
Version string `json:"componentVersionName,omitempty"`
|
||||
Ignored bool `json:"ignored,omitempty"`
|
||||
VulnerabilityWithRemediation `json:"vulnerabilityWithRemediation,omitempty"`
|
||||
}
|
||||
|
||||
|
@ -297,8 +297,11 @@ spec:
|
||||
description:
|
||||
"A list of environment variables which can be set to prepare the environment to run a BlackDuck scan. This includes a list of environment variables defined by
|
||||
Synopsys. The full list can be found [here](https://synopsys.atlassian.net/wiki/spaces/IA/pages/1562214619/Shell+Script+Reference+6.9.0)
|
||||
This list affects the detect script downloaded while running the scan. By default detect7.sh will be used. To continue using detect6, please use DETECT_LATEST_RELEASE_VERSION and set it to a valid value
|
||||
defined [here](https://community.synopsys.com/s/document-item?bundleId=integrations-detect&topicId=releasenotes.html&_LANG=enus)"
|
||||
This list affects the detect script downloaded while running the scan. By default detect7.sh will be used. To continue using different versions of detect, please use DETECT_LATEST_RELEASE_VERSION and set it to a valid value
|
||||
defined [here](https://community.synopsys.com/s/document-item?bundleId=integrations-detect&topicId=releasenotes.html&_LANG=enus)
|
||||
Additionally, please note, depending on the Project certain versions of detect will be required.
|
||||
For example: For Swift version 5.5 and lower, Detect 7.13.0 is the minimum required version.
|
||||
For Swift version 5.6 and higher, Detect 7.14.0 is required "
|
||||
type: "[]string"
|
||||
scope:
|
||||
- PARAMETERS
|
||||
|
Loading…
Reference in New Issue
Block a user