Leonard Heilos
c15448b4e0
feat(whitesourceExecuteScan): allow to specify InstallCommand ( #4376 )
* feat(whitesourceExecuteScan) allow to specify InstallCommand
* reorder imports
---------
Co-authored-by: sumeet patil <sumeet.patil@sap.com>
Co-authored-by: Andrei Kireev <andrei.kireev@sap.com>
2023-05-30 16:00:02 +02:00
Andrei Kireev
27a3e687a5
Fix issue with not generating sarif file when projectName was specified ( #4199 )
* Fixed bug in generating sarif file in whitesource step
---------
Co-authored-by: sumeet patil <sumeet.patil@sap.com>
2023-02-07 16:10:21 +01:00
Vyacheslav Starostin
8071337a44
fix(whitesourceExecuteScan): respect versioning model and custom scan version ( #4187 )
* Test
* Test
* Test
* Respect customScanVersion if filled
* Add test case
* Clean up
* Respect versioningModel
* Add test case
* Clean up
* Clean up
2023-01-16 23:14:33 +06:00
Oliver Nocon
a2815c4567
fix(whitesourceExecuteScan): properly handle policy violations ( #4089 )
* fix(whitesourceExecuteScan): properly handle policy violations
* update files
* update formatting
Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com>
2022-11-07 11:16:07 +01:00
Sven Merk
ea04a63412
fix(whitesourceExecuteScan): Fix processing of assessment ( #4059 )
* Fix potential nil reference
* Fix handling of assessed vulns
* Fix test code
* Add error detail
* Fix parsing
* Adding debug output
* Fix nil reference
* fix
* Add debug
* Update cmd/whitesourceExecuteScan.go
Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
* Update cmd/whitesourceExecuteScan.go
* Update cmd/whitesourceExecuteScan.go
* Fix fmt
Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2022-10-13 10:34:02 +00:00
Sven Merk
21416d82ed
Fix SBOM component generation ( #3958 )
* Further improve library types
* Fix translate
* Added debug output
* Enhance data
* Added debug output
* Fix code
* Added test
* Fix test
2022-08-12 11:59:47 +02:00
Sven Merk
c81e741224
Refinement of SARIF generation for BD and WS ( #3942 )
* Fix docs and format
* Assessment format added
* Added sample file
* Added parsing
* Added packageurl implementation
* Slight refinement
* Refactored assessment options
* Adapted sample file
* First attempt of ws sbom gen
* Reworked SBOM generation
* Fix test code
* Add assessment handling
* Update dependencies
* Added golden test
* Small fix
* feat(fortify): Added a check for fortify binary in $PATH (#3925 )
* added check for fortifyupdate and sourceanalyzer bin
Co-authored-by: sumeet patil <sumeet.patil@sap.com>
* Modify SARIF
* Enhanced SARIF contents
* Small refinement for hub detect
* Small adjustments
* Extend SARIF contents
* Consistency to Mend part
* Fix tests
* Fix merge
* Fix test
* Add debug log, enhance output
* Enhance meta info
* Fix libType for node
* Fix log entry
* Fix pointers and test
* Fix test
* Fix library types
* Fix test
* Extend libType mappings
Co-authored-by: Vinayak S <vinayaks439@gmail.com>
Co-authored-by: sumeet patil <sumeet.patil@sap.com>
2022-08-11 13:12:14 +02:00
Sven Merk
b3f37650a2
SBOM creation for Mend ( #3934 )
* Fix docs and format
* Assessment format added
* Added sample file
* Added parsing
* Added packageurl implementation
* Slight refinement
* Refactored assessment options
* Adapted sample file
* First attempt of ws sbom gen
* Reworked SBOM generation
* Fix test code
* Add assessment handling
* Update dependencies
* Added golden test
* Small fix
Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2022-08-09 13:56:01 +02:00
Oliver Nocon
a46f796bcd
chore: cleanup reporting & some incorrect file usage in tests ( #3943 )
* chore: cleanup reporting & some incorrect file usage in tests
* cleanup interface
* chore: remove comment
* preserve error handling
* Rename FileUtils.go to fileUtils.go
* clean up formatting
* chore: address static check findings
* fix brittle test
* chore: cleanup formatting
2022-08-09 10:57:02 +02:00
Oliver Nocon
d640d72dc6
feat: improve vulnerability reporting via GitHub issues ( #3924 )
* feat: improve vulnerability reporting via GitHub issues
* feat: update reports
* chore: add tls cert links
* only write log on error
* chore: update formatting
* chore: update handling of direct dependencies
* chore: fix linting issue
* chore: minor updates
2022-08-02 08:26:26 +02:00
Oliver Nocon
f6a6448631
chore: fix linting issues ( #3878 )
* chore: fix linting issues
* add more fixes
* correct formatting
* Delete depl.yaml
2022-07-21 09:04:21 +02:00
Oliver Nocon
890c437c3f
fix(whitesourceExecuteScan): failOnSevereVulnerabilities ( #3894 )
* fix(whitesourceExecuteScan): failOnSevereVulnerabilities
failOnSevereVulnerabilities has not been considered properly for security vulnerabilities.
* chore: remove comment
* chore: update formatting
2022-07-18 14:36:29 +02:00
Oliver Nocon
b7c0831b7f
feat: allow OSVM scans to succeed with vulnerabilities ( #3889 )
For running open source vulnerability scans in de-coupled processes it is helpful to allow that steps only create compliance reports to inform users/teams but not fail the pipeline. This can now be achieved consistently with the flag: `failOnSevereVulnerabilities`
Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com>
2022-07-12 11:43:24 +02:00
Anil Keshav
e6724d7f05
fix (whitesourceExecuteScan) keep tar extension for target image download ( #3774 )
* explicitly adding tar extension to project name when constructing the targetFilePath for whitesource docker image download
* comments
* correcting comment for better readability
* replace spaces in the project name with underscore
* better comments
* passing legacy format download
* appending format to value
* keeping the download format for protecode as legacy
* improving docu
* keeping legacy format the default
* keeping tar file name same as project name to avoid duplicate names
* keeping legacy format download hard coded
Co-authored-by: anilkeshav27 <you@example.com>
2022-05-13 18:56:41 +02:00
Christian Volk
22f6aa156f
feat(docker): use crane for pulling docker images ( #3652 )
2022-03-23 10:02:00 +01:00
Sven Merk
c30e93bc6a
feat(detectExecuteScan): SARIF export and GH issue creation ( #3637 )
* Added SARIF and GH issue creation
2022-03-17 15:32:48 +01:00
Christian Volk
421168a169
fix(whitesourceExecuteScan): docker image download if dockerConfigJSON is set in vault ( #3591 )
Co-authored-by: ffeldmann <f.feldmann@sap.com>
2022-02-28 13:57:23 +01:00
Sven Merk
a1988f6808
feat(whitesourceExecuteScan): GitHub issue creation + SARIF ( #3535 )
* Add GH issue creation + SARIF
* Code cleanup
* Fix fmt, add debug
* Code enhancements
* Fix
* Added debug info
* Rework UA log scan
* Fix code
* read UA version
* Fix nil reference
* Extraction
* Credentials
* Issue creation
* Error handling
* Fix issue creation
* query escape
* Query escape 2
* Revert
* Test avoid update
* HTTP client
* Add support for custom TLS certs
* Fix code
* Fix code 2
* Fix code 3
* Disable cert check
* Fix auth
* Remove implicit trust
* Skip verification
* Fix
* Fix client
* Fix HTTP auth
* Fix trusted certs
* Trim version
* Code
* Add token
* Added token handling to client
* Fix token
* Cleanup
* Fix token
* Token rework
* Fix code
* Kick out oauth client
* Kick out oauth client
* Transport wrapping
* Token
* Simplification
* Refactor
* Variation
* Check
* Fix
* Debug
* Switch client
* Variation
* Debug
* Switch to cert check
* Add debug
* Parse self
* Cleanup
* Update resources/metadata/whitesourceExecuteScan.yaml
* Add debug
* Expose subjects
* Patch
* Debug
* Debug2
* Debug3
* Fix logging response body
* Cleanup
* Cleanup
* Fix request body logging
* Cleanup import
* Fix import cycle
* Cleanup
* Fix fmt
* Fix NopCloser reference
* Regenerate
* Reintroduce
* Fix test
* Fix tests
* Correction
* Fix error
* Code fix
* Fix tests
* Add tests
* Fix code climate issues
* Code climate
* Code climate again
* Code climate again
* Fix fmt
* Fix fmt 2
Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2022-02-23 09:30:19 +01:00
Christian Volk
b0e4599d4d
feat(malwareExecuteScan): refactoring and docker support ( #3421 )
* feat(malwareExecuteScan): add support for scanning docker images
* refactoring
* print out finding if available
* generate toolrecord for malware scan
* persist scan report
* docs
* fix
* fix
* rollback cmd/init_unix.go
* authenticated pull
* fix
* fix: report shall be consistent with the api model
* gcs upload
* fix linter
2022-01-24 09:48:01 +01:00
Giridhar Shenoy
ad0a3bda2b
Whitesource Docker scan : use the project name as the tar file path ( #3256 )
* add file path as project name
* fix test for containerSaveImage
Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com>
2021-12-13 16:14:32 +01:00
Oliver Nocon
f431054b6f
feat(WhiteSource): consume credentials from cpe ( #3206 )
* feat: func for Docker config.json
Provide re-use function to create/update Docker config.json
* add comment
* update WhiteSource step
* fixes and additional tests
2021-11-15 07:48:40 +01:00
Christian Volk
eee3c2302b
feat(whitesourceExecuteScan): evaluate dockerConfigJSON from pipeline… ( #3185 )
* feat(whitesourceExecuteScan): evaluate dockerConfigJSON from pipeline environment
* Update cmd/whitesourceExecuteScan_test.go
Co-authored-by: Giridhar Shenoy <giridhar.shenoy@sap.com>
Co-authored-by: Giridhar Shenoy <giridhar.shenoy@sap.com>
Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2021-10-25 09:07:46 +02:00
Pavel Busko
6fc8a4be2d
updated go.mod dependencies ( #3167 )
Co-authored-by: Johannes Dillmann <j.dillmann@sap.com>
2021-10-13 10:39:45 +02:00
larsbrueckner
ab396ce6f3
toolrecord: fix web ui URLs for whitesource, close #6 ( #3096 )
2021-09-10 13:20:54 +02:00
larsbrueckner
45cb97c8d9
pkg/toolrecord: log json marshalling errors; fix issues in whitesource and blackduck ( #3049 )
* pkg/toolrecord: log json marshalling errors
* toolrecord package: add internal check to ensure that generated files
are not empty
* cmd/whitesourceExecuteScan.go : rework createToolRecordWhitesource to
include all scanned projects
* pkg/toolrecord: new helper function to override default display values
* cmd/whitesourceExecuteScan: improve toolrecord file
* cmd/detectExecuteScan.go fix toolrecord file creation #3
* pkg/toolrecord: log json marshalling errors
* toolrecord package: add internal check to ensure that generated files
are not empty
* cmd/whitesourceExecuteScan.go : rework createToolRecordWhitesource to
include all scanned projects
* pkg/toolrecord: new helper function to override default display values
* cmd/whitesourceExecuteScan: improve toolrecord file
* fix merge conflict
2021-09-09 10:50:33 +02:00
larsbrueckner
dbbbe1f0b3
Updates to toolrecord framework ( #2986 )
* Toolrecord framework -
provide a common entry point for post processing code scan results
Changes to be committed:
new file: pkg/toolrecord/REAMDE_toolrecord.md
new file: pkg/toolrecord/toolrecord_main.go
new file: pkg/toolrecord/toolrecord_test.go
* Add toolrecord file to Checkmarx results
modified: cmd/checkmarxExecuteScan.go
* Add toolrecord file to Fortify results
modified: cmd/fortifyExecuteScan.go
* Add toolrecord file to Whitesource results
modified: cmd/whitesourceExecuteScan.go
* unset umask (#2927 )
* (feat) adds error logging output for downloading reports from whitesource (#2928 )
* Add toolrecord file to Protecode results
* address code climate findings (1/2)
* address codeclimate findings (2/2)
* add comments to all methods
* Toolrecord library:
- move all toolrun files into a subdirectory
- fix timestamp generation in filenames
* add protecode group's URL to toolrecord data
* fix syntax error from previous commit in cmd/protecodeExecuteScan.go
* toolrecord: fix projectVersionID and generated URLs in fortifyExecuteScan.go
* cmd/fortifyExecuteScan.go: replace a hard-coded servername with
config.ServerURL
* update description
* add toolrecord file to detectExecuteScan
* toolrecord/whitesource: add project names as context
Co-authored-by: Kevin Stiehl <kevin.stiehl@numericas.de>
Co-authored-by: ffeldmann <felix@bnbit.de>
Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com>
2021-07-23 08:48:48 +02:00
ffeldmann
3f6eb603c7
Error logging ( #2947 )
* (feat) adds error logging output for downloading reports from whitesource
* Extended error logging with errors.Wrapf()
* Adjusted whitesource tests
2021-06-30 11:11:41 +02:00
larsbrueckner
61fe88e199
Add "toolrecord" files to Fortify, Checkmarx, Protecode and Whitesource results ( #2929 )
* Toolrecord framework -
provide a common entry point for post processing code scan results
Changes to be committed:
new file: pkg/toolrecord/REAMDE_toolrecord.md
new file: pkg/toolrecord/toolrecord_main.go
new file: pkg/toolrecord/toolrecord_test.go
* Add toolrecord file to Checkmarx results
modified: cmd/checkmarxExecuteScan.go
* Add toolrecord file to Fortify results
modified: cmd/fortifyExecuteScan.go
* Add toolrecord file to Whitesource results
modified: cmd/whitesourceExecuteScan.go
* unset umask (#2927 )
* (feat) adds error logging output for downloading reports from whitesource (#2928 )
* Add toolrecord file to Protecode results
* address code climate findings (1/2)
* address codeclimate findings (2/2)
* add comments to all methods
Co-authored-by: Kevin Stiehl <kevin.stiehl@numericas.de>
Co-authored-by: ffeldmann <felix@bnbit.de>
Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com>
2021-06-23 15:05:00 +02:00
Johannes Schneider
3fa46f20d3
report vulnerability reports in the aggregated vulnerability report only ( #2915 )
2021-06-17 13:58:10 +02:00
Sven Merk
7fa31ae9cc
feat(http): Resilience via retry on intermittent communication issues ( #2877 )
* feat(http): Resilience on connectivity issues
* Update whitesourceExecuteScan.go
* Update splunk_test.go
* Fix initialization
* Change http interaction
* Fix fmt and tests
* Final test fix
2021-06-15 11:13:24 +02:00
Johannes Schneider
c22e0a1f0e
[WhitesourceExecuteScan] Fix Inconsistencies in Aggregated Report ( #2872 )
Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com>
2021-06-09 15:56:56 +02:00
Sven Merk
b7b775c981
Update whitesourceExecuteScan.go ( #2875 )
2021-06-08 11:03:57 +02:00
Oliver Nocon
4b666003c8
feat(reporting) update markdown reports ( #2819 )
2021-05-11 08:01:02 +02:00
Oliver Nocon
5899746767
chore: update error categories ( #2827 )
2021-05-10 17:44:28 +02:00
Sven Merk
534cba767c
fix(whitesourceExecuteScan): Add retry capability for download operations ( #2808 )
Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2021-05-05 15:49:28 +02:00
pkrasnousov
e9464b2594
feat(whitesourcescan): add param workDir to whitesourcescan ( #2791 )
* Add dir to whitesource scan
* Add default for "dir" option
* Change param name to workDir
* Change param name WorkDir to ScanPath
Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2021-05-03 10:53:16 +02:00
Oliver Nocon
d04a7c2eb3
feat(pipelineCreateScanSummary) Create groovy wrapper ( #2743 )
* feat(pipelineCreateScanSummary) Create groovy wrapper
* add command to binary
* stash step reports
* update stash
* fix typo
* unstash reports first
* update reporting
* update json reporting
* update tests & enhance logging
* update md report
* update md reporting
* fix rendering
* update tests
2021-04-15 07:45:06 +02:00
Oliver Nocon
9b6a8cb3b6
feat(whitesource): create json report ( #2699 )
* feat(whitesource): create json report
* proper constant value
* update generation
2021-03-19 11:10:08 +01:00
Oliver Nocon
2048c00d2c
whitesource: use only Unified Agent for scanning ( #2707 )
Don't use native build-tool specific plugins any longer.
They have been deprecated by WhiteSource mid 2019 already.
Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com>
2021-03-19 09:58:24 +01:00
Sven Merk
d52a1a3619
Influx step execution reporting ( #2700 )
* Influx step execution reporting
* influx for newmanExecute added
Co-authored-by: lndrschlz <leander.schulz01@sap.com>
2021-03-18 10:32:03 +01:00
Christopher Fenner
f999925788
fix(influx): correct data type of influx measurements ( #2171 )
* update data type of influx measurements
* Update checkmarx.yaml
* pick changes from #1885 for testing
* update generated code
* update to new datatype
* adjust to type changes
* change back to string type
* Update fortifyExecuteScan.go
* add typo to be backward compatible
* change type to int for files_scanned and lines_of_code_scanned
* add typo
* add measurements to whitesource
* update generated sources
* adjust test cases
Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2021-03-10 16:00:53 +01:00
Oliver Nocon
d47a17c8fc
feat(whitesource): consolidated reporting and versioning alignment ( #2571 )
* update reporting and add todo comments
* enhance reporting, allow directory creation for reports
* properly pass reports
* update templating and increase verbosity of errors
* add todo
* add detail table
* update sorting
* add test and improve error message
* fix error message in test
* extend tests
* enhance tests
* enhance versioning behavior according to #1846
* create markdown overview report
* small fix
* fix small issue
* make sure that report directory exists
* align reporting directory with default directory from UA
* add missing comments
* add policy check incl. tests
* enhance logging and tests
* update versioning to allow custom version usage properly
* fix report paths and golang image
* update styling of md
* update test
2021-02-10 16:18:00 +01:00
Oliver Nocon
a104b2a06d
feat(whitesourceExecuteScan): UA for all build tools, e.g. maven & npm ( #2501 )
* feat(whitesource): add config helper
this helps to ease & enforce config settings
* fix accidental change of class
* add todos wrt java download
* use existing scanOptions, add option to download jre
* update generation
* fix generation
* allow running UA via go library
* correct image, improve logging
* add removal of downloaded JVM
* update java creation and deletion
* refactor and add log output
* remove obsolete ToDo
* increase test coverage
* increase test coverage
* adding aliases and tests
* make go modules as default
* maven: update behavior of projectNaming
* add Docker capabilities
* correct parameter name
* retrieve Docker coordinates
* docker coordinates only to provide artifact
* add ToDos
* add mta capability
* add aliases, mvn arguments for settings
* clean up groovy part
* update defaults
* add container for pip
* add defaults, add maven specifics, ...
* properly download settings
* maven: check existence of excluded files
* fix reporting
* Update CommonStepsTest.groovy
* update comment
* fix CodeClimate finding
* add tests for pip & fix minor issues
* fix order of pip build descriptors
* update pip container options
* fix pip virtualEnv parameter
* update report permissions
* fix test
* update container options
* add use fileUtils to load properties file
* update parameter description
* adding Docker scanning defaults
* clean up configHelper
* consider also npm tool cache
* add todos
2021-02-03 14:52:48 +01:00
Stephan Aßmus
eff38f6c9d
whitesourceExecuteScan-go: Additional fixes ( #2315 )
* Make sure the UA scan is known to the scan object. Fixes downloading reports later on.
* Move polling into pkg/whitesource, add test for e2e scan
* Remove conditions from stash config resource
* Don't use version stored in CPE. This will prevent the versioningModel from being applied.
2020-11-10 09:09:51 +01:00
Oliver Nocon
26cfbf7357
fix(whitesourceExecuteScan) properly handle output resources ( #2266 )
* fix(whitesourceExecuteScan) properly handle output resources
* fix merge issues
* add required aliases
* update generation
* fix reading custom and container environment parameters from cpe
Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com>
2020-11-02 08:51:58 +01:00
Daniel Kurzynski
a2656a5f71
Install artifacts before whitesource scan ( #2280 )
2020-10-30 15:05:14 +01:00
Stephan Aßmus
86f335811c
whitesourceExecuteScan-go: Implement parameters "timeout", "createProductFromPipeline" ( #2246 )
2020-10-29 09:21:01 +01:00
Stephan Aßmus
260ca2c5a5
whitesourceExecuteScan: Re-organize code between step and whitesource package ( #2207 )
2020-10-20 09:49:26 +02:00
Kevin Hudemann
6c2f8365c1
WhiteSource: Remove performance-tests from default maven excludes ( #2176 )
This change fixes an issue with the default maven excludes where the step would fail when performance tests are present in the project, but are not a module in the root pom. In addition, it provides a small fix of a method where a wrong path was passed to an error.
2020-10-15 08:08:00 +02:00
Stephan Aßmus
ed97142f6d
Pass correct module path to npm.InstallAllDependencies() ( #2144 )
We are already in the module's directory.
2020-10-09 08:33:36 +02:00