1
0
mirror of https://github.com/SAP/jenkins-library.git synced 2024-12-14 11:03:09 +02:00
Commit Graph

46 Commits

Author SHA1 Message Date
xgoffin
3f6e4b9e3b
feat(fortifyExecuteScan): added parameter to generated sarif file (#3644)
* fix(sarif): change format to fit omitempty cases better

* feat(fortifyExecuteScan): include category in sarif file

* fix(fortifyExecuteScan): access to undefined pointer in some cases

Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com>
2022-03-17 13:09:15 +01:00
Eugene Kortelyov
8ced7f8184
Feature/fortify execute scan gradle (#3582)
* initial fortify gradle commit

* initial fortify gradle commit

Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com>
Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2022-02-28 11:35:38 +01:00
Sven Merk
a1988f6808
feat(whitesourceExecuteScan): GitHub issue creation + SARIF (#3535)
* Add GH issue creation + SARIF

* Code cleanup

* Fix fmt, add debug

* Code enhancements

* Fix

* Added debug info

* Rework UA log scan

* Fix code

* read UA version

* Fix nil reference

* Extraction

* Credentials

* Issue creation

* Error handling

* Fix issue creation

* query escape

* Query escape 2

* Revert

* Test avoid update

* HTTP client

* Add support for custom TLS certs

* Fix code

* Fix code 2

* Fix code 3

* Disable cert check

* Fix auth

* Remove implicit trust

* Skip verification

* Fix

* Fix client

* Fix HTTP auth

* Fix trusted certs

* Trim version

* Code

* Add token

* Added token handling to client

* Fix token

* Cleanup

* Fix token

* Token rework

* Fix code

* Kick out oauth client

* Kick out oauth client

* Transport wrapping

* Token

* Simplification

* Refactor

* Variation

* Check

* Fix

* Debug

* Switch client

* Variation

* Debug

* Switch to cert check

* Add debug

* Parse self

* Cleanup

* Update resources/metadata/whitesourceExecuteScan.yaml

* Add debug

* Expose subjects

* Patch

* Debug

* Debug2

* Debug3

* Fix logging response body

* Cleanup

* Cleanup

* Fix request body logging

* Cleanup import

* Fix import cycle

* Cleanup

* Fix fmt

* Fix NopCloser reference

* Regenerate

* Reintroduce

* Fix test

* Fix tests

* Correction

* Fix error

* Code fix

* Fix tests

* Add tests

* Fix code climate issues

* Code climate

* Code climate again

* Code climate again

* Fix fmt

* Fix fmt 2

Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2022-02-23 09:30:19 +01:00
Oliver Nocon
a4a0873081
feat(checkmarx): create GitHub issue with findings (#3543)
* feat(checkmarx): create GitHub issue with findings

* add github issue reporting
2022-02-17 15:16:55 +01:00
xgoffin
2cebf370c9
feat(fortifyExecuteScan): added conversion to SARIF for FPR files (#3485)
* feat(FPRtoSARIF): boilerplate & comments

* Feat(Ingest): Build done, Vulnerabilities partway

* feat(Vulnerabilities): now entirely parsed

* feat(Ingestion): handle Description object

* feat(FprToSarif): integration in Piper step, full xml structure

* feat(fpr_to_sarif): base program. Need to replace names in messages

* feat(fpr_to_sarif): message substitution and custom definition integration

* fix(fpr_to_sarif): missing replacement in tools object

* fix(fortifyExecuteScan): unit tests

* fix(fpr_to_sarif): failing unit test

* Fix fortify folder creation for generating sarif

* deletion of unzip folder

* fix(fortifyExecuteScan): change logging to info

* feat(fpr_to_sarif): better unit test

* fix(fpr_to_sarif): pr tests failing

* feat(fpr_to_sarif): add specific properties to sarif

* feat(fpr_to_sarif): severity integration

* fix(fpr_to_sarif): unit test fixed

Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com>
Co-authored-by: Sumeet PATIL <sumeet.patil@sap.com>
2022-02-08 14:10:40 +01:00
Sven Merk
01c6f1a66c
fix(fortifyExecuteScan): User assignment based on PR ownership (#3472)
* Debug PR user details

* Check association

* Change to login

* Fix PR creator assignment

* Improve docs

* Fix test
2022-01-27 10:45:45 +01:00
Sven Merk
4e0684cf78
Address further nil references (#3462)
* Address further nil references

* Message text

* Final checks
2022-01-24 17:09:49 +01:00
Sven Merk
ffa82c383e
Fix potential nil reference (#3460) 2022-01-24 11:59:33 +01:00
Sven Merk
6520115950
Upload Fortify scan results to GitHub issue (#3300)
* fix(fortifyExecuteScan): Propagate translation errors

Force translation related errors to stop the execution of the step.

* Extend testcase

* Update fortifyExecuteScan.go

* Fix fmt and test

* Fix code

* feat(fortifyExecuteScan): Create GitHub issue

* Fix expectation

* Fix fmt

* Fix fmt add test

* Added tests

* Go fmt

* Add switch

* Rewrite githubCreateIssue

* Fix tests

* Added switch

* Issue only in case of violations

* Fix CPE reference

* Add  debug message to issue creation/update

* Update fortifyExecuteScan.go

* Add credential for GH to groovy wrapper

* Update fortifyExecuteScan.go
2022-01-21 10:52:17 +01:00
sumeet patil
732845507d
Fortify JSON Report (#3212)
Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com>
2021-10-29 10:03:01 +02:00
Sven Merk
90110c0702
Enhance fortify influx data (#3040) 2021-08-10 10:49:31 +02:00
larsbrueckner
dbbbe1f0b3
Updates to toolrecord framework (#2986)
* Toolrecord framework -
provide a common entry point for post processing code scan results

Changes to be committed:
	new file:   pkg/toolrecord/REAMDE_toolrecord.md
	new file:   pkg/toolrecord/toolrecord_main.go
	new file:   pkg/toolrecord/toolrecord_test.go

* Add toolrecord file to Checkmarx results
modified:   cmd/checkmarxExecuteScan.go

* Add toolrecord file to Fortify results
	modified:   cmd/fortifyExecuteScan.go

* Add toolrecord file to Whitesource results
modified:   cmd/whitesourceExecuteScan.go

* unset umask (#2927)

* (feat) adds error logging output for downloading reports from whitesource (#2928)

* Add toolrecord file to Protecode results

* address code climate findings (1/2)

* address codeclimate findings (2/2)

* add comments to all methods

* Toolrecord library:
- move all toolrun files into a subdirectory
- fix timestamp generation in filenames

* add protecode group's URL to toolrecord data

* fix syntax error from previous commit in cmd/protecodeExecuteScan.go

* toolrecord: fix projectVersionID and generated URLs in fortifyExecuteScan.go

* cmd/fortifyExecuteScan.go: replace a hard-coded servername with
config.ServerURL

* update description

* add toolrecord file to detectExecuteScan

* toolrecord/whitesource: add project names as context

Co-authored-by: Kevin Stiehl <kevin.stiehl@numericas.de>
Co-authored-by: ffeldmann <felix@bnbit.de>
Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com>
2021-07-23 08:48:48 +02:00
Sven Merk
9571fd28f4
feat(checkmarxExecuteScan): Reporting for pipeline optimization (#2976)
* Fix exclude and enhance docs

* Fix test

* Fix test

* Add reporting to checkmarx step

* Improve text
2021-07-09 10:19:42 +02:00
Sven Merk
fbcdd07ffc
improve(fortifyExecuteScan): Improve src and exclude maven defaults (#2953)
* Update uiVeri5ExecuteTests.yaml

* Update uiVeri5ExecuteTests.yaml

* Update uiVeri5ExecuteTests.yaml

* Update uiVeri5ExecuteTests.yaml

* Update uiVeri5ExecuteTests.yaml

* Add generated artifact

* Update fortifyExecuteScan.go

* Fix test

* Fix test

* Fix yet another test

* Back and forth

* Fix documentation

* Property to add fortify context to maven build

* Add comment
2021-07-02 09:43:34 +02:00
Sven Merk
7b553e1e9a
fix(fortifyExecuteScan): Address module interdependencies (#2938)
* Make sure artifacts go to local repo

* Just package

* Fix test

* Try out silent mode

* Try fail at end

* Bring resilience back

* Follow new strategy

* Fix test
2021-06-28 12:40:20 +02:00
Sven Merk
e94cbb0840
Revert "fix(fortifyExecuteScan): Support MTA interdepedencies (#2916)" (#2937)
This reverts commit f7bc956058.
2021-06-23 17:20:15 +02:00
larsbrueckner
61fe88e199
Add "toolrecord" files to Fortify, Checkmarx, Protecode and Whitesource results (#2929)
* Toolrecord framework -
provide a common entry point for post processing code scan results

Changes to be committed:
	new file:   pkg/toolrecord/REAMDE_toolrecord.md
	new file:   pkg/toolrecord/toolrecord_main.go
	new file:   pkg/toolrecord/toolrecord_test.go

* Add toolrecord file to Checkmarx results
modified:   cmd/checkmarxExecuteScan.go

* Add toolrecord file to Fortify results
	modified:   cmd/fortifyExecuteScan.go

* Add toolrecord file to Whitesource results
modified:   cmd/whitesourceExecuteScan.go

* unset umask (#2927)

* (feat) adds error logging output for downloading reports from whitesource (#2928)

* Add toolrecord file to Protecode results

* address code climate findings (1/2)

* address codeclimate findings (2/2)

* add comments to all methods

Co-authored-by: Kevin Stiehl <kevin.stiehl@numericas.de>
Co-authored-by: ffeldmann <felix@bnbit.de>
Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com>
2021-06-23 15:05:00 +02:00
Sven Merk
f7bc956058
fix(fortifyExecuteScan): Support MTA interdepedencies (#2916)
* Make sure artifacts go to local repo

* Just package

* Fix test
2021-06-23 11:55:34 +02:00
Sven Merk
07b90dc10b
fix(fortifyExecuteScan): Throw error on classpath detection issues (#2876)
* Update fortifyExecuteScan.go

* Raise error to the top level

* Update fortifyExecuteScan.go

* Update fortifyExecuteScan.go

* Fix code and test

* Add tests

* Fix test

* Last attempt
2021-06-16 08:15:41 +02:00
Sven Merk
a43f46465a
feat(fortifyExecuteScan): HTML report for Fortify (#2879)
* Tune test

* Fix report implementation

* Fix tests

* Fix values

* Fix code and test

* Report writing fix

* Commit generated sources

* Update cmd/fortifyExecuteScan.go

Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com>

* Externalize report generation

* Fix fmt

* Fix fmt 2

Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com>
2021-06-15 14:53:42 +02:00
Sven Merk
03b5a9aaec
Fix handling of undefined buildTool values (#2719)
* Fix handling of undefined buildTool values

* Fix fmt
2021-03-25 09:59:49 +01:00
Sven Merk
d52a1a3619
Influx step execution reporting (#2700)
* Influx step execution reporting

* influx for newmanExecute added

Co-authored-by: lndrschlz <leander.schulz01@sap.com>
2021-03-18 10:32:03 +01:00
Sven Merk
e1ea56076f
Http improve retry on timeouts (#2681)
* Add sca cmd extensibility

* Fix formatting

* HTTP retry

* Improve handling of retry on timeout

* Go fmt

* Fix test

* Fix test

* Test stability

* Fix test

* Fix test

* Fix test

* Update fortifyExecuteScan.go
2021-03-09 13:41:07 +01:00
Sven Merk
afdc726a01
Fortify cmd parameters for scan (#2680)
* Add sca cmd extensibility

* Fix formatting
2021-03-09 13:16:21 +01:00
Sven Merk
84df77732c
fortifyExecuteScan: Pull request version not considered on upload (#2668) 2021-03-04 09:34:05 +01:00
Sven Merk
d2eb2877e0
fortifyExecuteScan: Functional enhancements (#2647)
* Improvements

* Formatting

* Fix test

* Update resources/metadata/fortify.yaml

Enhance description

Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>

* Unify version handling with ws step

* Part 2

* go fmt

Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2021-02-26 13:43:03 +01:00
shellmann
61c190bb2b
Install artifacts before Fortify scan (#2351)
Co-authored-by: Daniel Kurzynski <daniel.kurzynski@sap.com>
2020-11-16 10:29:21 +01:00
Oliver Nocon
a70933bbd4
fortifyExecuteScan: improve error categorization (#2295)
* fortifyExecuteScan: improve error categorization

* reset error category in success case
2020-11-11 13:04:45 +01:00
Daniel Kurzynski
9a18489cc4
Refactor maven utils and add tests for install artifacts (#2318)
Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com>
2020-11-10 17:14:55 +01:00
Sven Merk
9d737575aa
fortifyExecuteScan: Fix report download (#2244)
* Fix report download

* Update fortifyExecuteScan.go

* Update fortifyExecuteScan_test.go

* Update fortify.go

Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-10-27 13:12:31 +01:00
Oliver Nocon
d0f987c7b5
fortifyExecuteScan: increase timeout (#2240)
fixes #2183
2020-10-27 11:11:53 +01:00
Christopher Fenner
86af3efcfe
fix(influx): adjust influx field types for fortify (#2219)
* adjust influx field types

* fix test case

* simplify type conversion
2020-10-22 11:40:42 +02:00
Sven Merk
58b6c04cd2
Update fortifyExecuteScan.go (#2093)
* Update fortifyExecuteScan.go

* Update fortifyExecuteScan.go

* Docs are lying

Checked the API which returns a status similar to that of artifact

* Update fortifyExecuteScan_test.go
2020-09-29 18:26:16 +02:00
Sven Merk
612d3a645b
Support verify only mode for SAST tools (#2018)
* Support verify only mode for SAST

* Include feedback

* Add tests

* Fix imports
2020-09-18 08:19:34 +02:00
Oliver Nocon
eef3bcde60
Add step for GitHub branch protection check (2) (#2016)
* add step for GitHub branch protection check

* add command to piper command

* remove unnecessary parameter

* Update resources/metadata/githubbranchprotection.yaml

* add groovy part

* update generation & go mod tidy

* update groovy tests

* fix bug with go-github version

* Add step to check GitHub branch protection settings

* include PR review feedabck

Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com>
2020-09-14 12:05:12 +02:00
Oliver Nocon
d68e466c28
Revert "Add step for GitHub branch protection check (#2010)" (#2014)
This reverts commit f1cfca2e76.
2020-09-11 18:56:51 +02:00
Oliver Nocon
f1cfca2e76
Add step for GitHub branch protection check (#2010)
* add step for GitHub branch protection check

* add command to piper command

* remove unnecessary parameter

* Update resources/metadata/githubbranchprotection.yaml

* add groovy part

* update generation & go mod tidy

* update groovy tests

* fix bug with go-github version

Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com>
2020-09-11 15:28:43 +02:00
Stephan Aßmus
54444c7e33
fortifyExecuteScan: Fix polling project status (#1908) 2020-08-11 15:29:00 +02:00
Stephan Aßmus
b8f5fd9b28
fortifyExecuteScan: Pass on maven options to versioning (#1895) 2020-08-07 10:31:15 +02:00
Oliver Nocon
d8553ab53d
detectExecuteScan: update versioning (#1845)
* detectExecuteScan: update versioning

align with Fortify to also use the same versioning model by default.

* fix CodeClimate findings
2020-07-27 12:01:59 +02:00
Daniel Kurzynski
0222bf83d1
Run npm scripts in virtual frame buffer and extend command.go to run executable asynchronously (#1669)
Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com>
Co-authored-by: Florian Wilhelm <florian.wilhelm02@sap.com>
2020-06-16 11:42:51 +02:00
Daniel Kurzynski
cf9a41850e
Needed CLI separator for Fortify tools depends on platform (#1616)
* Update fortify.yaml
* src, exclude and pythonAdditionalPaths are now lists of strings
* Re-implement pythonIncludes and pythonExcludes as aliases of src and exclude
* Fix using the correct separator (; on windows, : on everything else)
* Tokenize also python "includes"
* mvnCustomArgs was removed

Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com>
2020-06-02 13:47:07 +02:00
Stephan Aßmus
a24a7aad23
Fortify: Using mvn to auto-resolve classpath needs additional params (#1607)
* also reduce code duplication in token fetching
* concatenate classpaths from multi-maven projects

Co-authored-by: Daniel Kurzynski <daniel.kurzynski@sap.com>
2020-05-29 15:42:35 +02:00
Daniel Kurzynski
0a4309a2c2
Add build project name (#1610)
Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com>
2020-05-28 10:45:06 +02:00
Florian Wilhelm
0857c9a3c6
Allow custom options for src, exclude in fortify translate (#1592)
Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com>
Co-authored-by: Kevin Hudemann <kevin.hudemann@sap.com>
Co-authored-by: Daniel Kurzynski <daniel.kurzynski@sap.com>
2020-05-27 11:45:01 +02:00
Sven Merk
af2a01c064
Fortify implementation in golang (#1428) 2020-05-25 19:48:59 +02:00