1
0
mirror of https://github.com/SAP/jenkins-library.git synced 2024-12-12 10:55:20 +02:00
Commit Graph

53 Commits

Author SHA1 Message Date
Leonard Heilos
c15448b4e0
feat(whitesourceExecuteScan): allow to specify InstallCommand (#4376)
* feat(whitesourceExecuteScan) allow to specify InstallCommand

* reorder imports

---------

Co-authored-by: sumeet patil <sumeet.patil@sap.com>
Co-authored-by: Andrei Kireev <andrei.kireev@sap.com>
2023-05-30 16:00:02 +02:00
Andrei Kireev
27a3e687a5
Fix issue with not generating sarif file when projectName was specified (#4199)
* Fixed bug in generating sarif file in whitesource step

---------

Co-authored-by: sumeet patil <sumeet.patil@sap.com>
2023-02-07 16:10:21 +01:00
Vyacheslav Starostin
8071337a44
fix(whitesourceExecuteScan): respect versioning model and custom scan version (#4187)
* Test

* Test

* Test

* Respect customScanVersion if filled

* Add test case

* Clean up

* Respect versioningModel

* Add test case

* Clean up

* Clean up
2023-01-16 23:14:33 +06:00
Oliver Nocon
a2815c4567
fix(whitesourceExecuteScan): properly handle policy violations (#4089)
* fix(whitesourceExecuteScan): properly handle policy violations

* update files

* update formatting

Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com>
2022-11-07 11:16:07 +01:00
Sven Merk
ea04a63412
fix(whitesourceExecuteScan): Fix processing of assessment (#4059)
* Fix potential nil reference

* Fix handling of assessed vulns

* Fix test code

* Add error detail

* Fix parsing

* Adding debug output

* Fix nil reference

* fix

* Add debug

* Update cmd/whitesourceExecuteScan.go

Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>

* Update cmd/whitesourceExecuteScan.go

* Update cmd/whitesourceExecuteScan.go

* Fix fmt

Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2022-10-13 10:34:02 +00:00
Sven Merk
21416d82ed
Fix SBOM component generation (#3958)
* Further improve library types

* Fix translate

* Added debug output

* Enhance data

* Added debug output

* Fix code

* Added test

* Fix test
2022-08-12 11:59:47 +02:00
Sven Merk
c81e741224
Refinement of SARIF generation for BD and WS (#3942)
* Fix docs and format

* Assessment format added

* Added sample file

* Added parsing

* Added packageurl implementation

* Slight refinement

* Refactored assessment options

* Adapted sample file

* First attempt of ws sbom gen

* Reworked SBOM generation

* Fix test code

* Add assessment handling

* Update dependencies

* Added golden test

* Small fix

* feat(fortify): Added a check for fortify binary in $PATH (#3925)

* added check for fortifyupdate and sourceanalyzer bin

Co-authored-by: sumeet patil <sumeet.patil@sap.com>

* Modify SARIF

* Enhanced SARID contents

* Small refinement for hub detect

* Small adjustments

* Extend SARIF contents

* Consistency to Mend part

* Fix tests

* Fix merge

* Fix test

* Add debug log, enhance output

* Enhance meta info

* Fix libType for node

* Fix log entry

* Fix pointers and test

* Fix test

* Fix library types

* Fix test

* Extend libType mappings

Co-authored-by: Vinayak S <vinayaks439@gmail.com>
Co-authored-by: sumeet patil <sumeet.patil@sap.com>
2022-08-11 13:12:14 +02:00
Sven Merk
b3f37650a2
SBOM creation for Mend (#3934)
* Fix docs and format

* Assessment format added

* Added sample file

* Added parsing

* Added packageurl implementation

* Slight refinement

* Refactored assessment options

* Adapted sample file

* First attempt of ws sbom gen

* Reworked SBOM generation

* Fix test code

* Add assessment handling

* Update dependencies

* Added golden test

* Small fix

Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2022-08-09 13:56:01 +02:00
Oliver Nocon
a46f796bcd
chore: cleanup reporting & some incorrect file usage in tests (#3943)
* chore: cleanup reporting & some incorrect file usage in tests

* cleanup interface

* chore: remove comment

* preserve error handling

* Rename FileUtils.go to fileUtils.go

* clean up formatting

* chore: address static check findings

* fix brittle test

* chore: cleanup formatting
2022-08-09 10:57:02 +02:00
Oliver Nocon
d640d72dc6
feat: improve vulnerability reporting via GitHub issues (#3924)
* feat: improve vulnerability reporting via GitHub issues

* feat: update reports

* chore: add tls cert links

* only write log on error

* chore: update formatting

* chore: update handling of direct dependencies

* chore: fix linting issue

* chore: minor updates
2022-08-02 08:26:26 +02:00
Oliver Nocon
f6a6448631
chore: fix linting issues (#3878)
* chore: fix linting issues

* add more fixes

* correct formatting

* Delete depl.yaml
2022-07-21 09:04:21 +02:00
Oliver Nocon
890c437c3f
fix(whitesourceExecuteScan): failOnSevereVulnerabilities (#3894)
* fix(whitesourceExecuteScan): failOnSevereVulnerabilities

failOnSevereVulnerabilities has not been considered properly for security vulnerabilities.

* chore: remove comment

* chore: update formatting
2022-07-18 14:36:29 +02:00
Oliver Nocon
b7c0831b7f
feat: allow OSVM scans to succeed with vulnerabilities (#3889)
For running open source vulnerability scans in de-coupled processes
it is helpful to allow that steps only create
compliance reports to inform users/teams
but not fail the pipeline.

This can now be achieved constitently with the flag:
`failOnSevereVulnerabilities`

Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com>
2022-07-12 11:43:24 +02:00
Anil Keshav
e6724d7f05
fix (whitesourceExecuteScan) keep tar extension for target image donwload (#3774)
* explicitly adding tar extension to project name when constructing the targetFilePath for whitesource docker image download

* comments

* correcting comment for better readability

* replace spaces in the project name with underscroe

* better comments

* passing legacy format download

* appending format to value

* keeping the download format for protecode as legacy

* improving docu

* keeping legacy format the default

* keeping tar file name same as project name to avoid duplicate names

* keeping legacy format download hard coded

Co-authored-by: anilkeshav27 <you@example.com>
2022-05-13 18:56:41 +02:00
Christian Volk
22f6aa156f
feat(docker): use crane for pulling docker images (#3652) 2022-03-23 10:02:00 +01:00
Sven Merk
c30e93bc6a
feat(detectExecuteScan): SARIF export and GH issue creation (#3637)
* Added SARIF and GH issue creation
2022-03-17 15:32:48 +01:00
Christian Volk
421168a169
fix(whitesourceExecuteScan): docker image download if dockerConfigJSON is set in vault (#3591)
Co-authored-by: ffeldmann <f.feldmann@sap.com>
2022-02-28 13:57:23 +01:00
Sven Merk
a1988f6808
feat(whitesourceExecuteScan): GitHub issue creation + SARIF (#3535)
* Add GH issue creation + SARIF

* Code cleanup

* Fix fmt, add debug

* Code enhancements

* Fix

* Added debug info

* Rework UA log scan

* Fix code

* read UA version

* Fix nil reference

* Extraction

* Credentials

* Issue creation

* Error handling

* Fix issue creation

* query escape

* Query escape 2

* Revert

* Test avoid update

* HTTP client

* Add support for custom TLS certs

* Fix code

* Fix code 2

* Fix code 3

* Disable cert check

* Fix auth

* Remove implicit trust

* Skip verification

* Fix

* Fix client

* Fix HTTP auth

* Fix trusted certs

* Trim version

* Code

* Add token

* Added token handling to client

* Fix token

* Cleanup

* Fix token

* Token rework

* Fix code

* Kick out oauth client

* Kick out oauth client

* Transport wrapping

* Token

* Simplification

* Refactor

* Variation

* Check

* Fix

* Debug

* Switch client

* Variation

* Debug

* Switch to cert check

* Add debug

* Parse self

* Cleanup

* Update resources/metadata/whitesourceExecuteScan.yaml

* Add debug

* Expose subjects

* Patch

* Debug

* Debug2

* Debug3

* Fix logging response body

* Cleanup

* Cleanup

* Fix request body logging

* Cleanup import

* Fix import cycle

* Cleanup

* Fix fmt

* Fix NopCloser reference

* Regenerate

* Reintroduce

* Fix test

* Fix tests

* Correction

* Fix error

* Code fix

* Fix tests

* Add tests

* Fix code climate issues

* Code climate

* Code climate again

* Code climate again

* Fix fmt

* Fix fmt 2

Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2022-02-23 09:30:19 +01:00
Christian Volk
b0e4599d4d
feat(malwareExecuteScan): refactoring and docker support (#3421)
* feat(malwareExecuteScan): add support for scanning docker images

* refactoring

* print out finding if available

* generate toolrecord for malware scan

* persist scan report

* docs

* fix

* fix

* rollback cmd/init_unix.go

* auhenticated pull

* fix

* fix: report shall be consistent with the api model

* gcs upload

* fix linter
2022-01-24 09:48:01 +01:00
Giridhar Shenoy
ad0a3bda2b
Whitesource Docker scan : use the project name as the tar file path (#3256)
* add file path as project name

* fix test for containerSaveImage

Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com>
2021-12-13 16:14:32 +01:00
Oliver Nocon
f431054b6f
feat(WhiteSource): consume credentials from cpe (#3206)
* feat: func for Docker config.json

Provide re-use function to create/update Docker conifg.json

* add comment

* update WhiteSource step

* fixes and additional tests
2021-11-15 07:48:40 +01:00
Christian Volk
eee3c2302b
feat(whitesourceExecuteScan): evaluate dockerConfigJSON from pipeline… (#3185)
* feat(whitesourceExecuteScan): evaluate dockerConfigJSON from pipeline environment

* Update cmd/whitesourceExecuteScan_test.go

Co-authored-by: Giridhar Shenoy <giridhar.shenoy@sap.com>

Co-authored-by: Giridhar Shenoy <giridhar.shenoy@sap.com>
Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2021-10-25 09:07:46 +02:00
Pavel Busko
6fc8a4be2d
updated go.mod dependencies (#3167)
Co-authored-by: Johannes Dillmann <j.dillmann@sap.com>
2021-10-13 10:39:45 +02:00
larsbrueckner
ab396ce6f3
toolrecord: fix web ui URLs for whitesource, close #6 (#3096) 2021-09-10 13:20:54 +02:00
larsbrueckner
45cb97c8d9
pkg/toolrecord: log json marshalling errors; fix issues in whitesource and blackduck (#3049)
* pkg/toolrecord: log json marshalling errors

* toolrecord package: add internal check to ensure that generated files
are not empty

* cmd/whitesourceExecuteScan.go : rework createToolRecordWhitesource to
include all scanned projects

* pkg/toolrecord: new helper function to override default display values

* cmd/whitesourceExecuteScan: improve toolrecord file

* cmd/detectExecuteScan.go fix toolrecord file creation #3

* pkg/toolrecord: log json marshalling errors

* toolrecord package: add internal check to ensure that generated files
are not empty

* cmd/whitesourceExecuteScan.go : rework createToolRecordWhitesource to
include all scanned projects

* pkg/toolrecord: new helper function to override default display values

* cmd/whitesourceExecuteScan: improve toolrecord file

* fix merge conflict
2021-09-09 10:50:33 +02:00
larsbrueckner
dbbbe1f0b3
Updates to toolrecord framework (#2986)
* Toolrecord framework -
provide a common entry point for post processing code scan results

Changes to be committed:
	new file:   pkg/toolrecord/REAMDE_toolrecord.md
	new file:   pkg/toolrecord/toolrecord_main.go
	new file:   pkg/toolrecord/toolrecord_test.go

* Add toolrecord file to Checkmarx results
modified:   cmd/checkmarxExecuteScan.go

* Add toolrecord file to Fortify results
	modified:   cmd/fortifyExecuteScan.go

* Add toolrecord file to Whitesource results
modified:   cmd/whitesourceExecuteScan.go

* unset umask (#2927)

* (feat) adds error logging output for downloading reports from whitesource (#2928)

* Add toolrecord file to Protecode results

* address code climate findings (1/2)

* address codeclimate findings (2/2)

* add comments to all methods

* Toolrecord library:
- move all toolrun files into a subdirectory
- fix timestamp generation in filenames

* add protecode group's URL to toolrecord data

* fix syntax error from previous commit in cmd/protecodeExecuteScan.go

* toolrecord: fix projectVersionID and generated URLs in fortifyExecuteScan.go

* cmd/fortifyExecuteScan.go: replace a hard-coded servername with
config.ServerURL

* update description

* add toolrecord file to detectExecuteScan

* toolrecord/whitesource: add project names as context

Co-authored-by: Kevin Stiehl <kevin.stiehl@numericas.de>
Co-authored-by: ffeldmann <felix@bnbit.de>
Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com>
2021-07-23 08:48:48 +02:00
ffeldmann
3f6eb603c7
Error logging (#2947)
* (feat) adds error logging output for downloading reports from whitesource

* Extended error logging with errors.Wrapf()

* Adjusted whitesource tests
2021-06-30 11:11:41 +02:00
larsbrueckner
61fe88e199
Add "toolrecord" files to Fortify, Checkmarx, Protecode and Whitesource results (#2929)
* Toolrecord framework -
provide a common entry point for post processing code scan results

Changes to be committed:
	new file:   pkg/toolrecord/REAMDE_toolrecord.md
	new file:   pkg/toolrecord/toolrecord_main.go
	new file:   pkg/toolrecord/toolrecord_test.go

* Add toolrecord file to Checkmarx results
modified:   cmd/checkmarxExecuteScan.go

* Add toolrecord file to Fortify results
	modified:   cmd/fortifyExecuteScan.go

* Add toolrecord file to Whitesource results
modified:   cmd/whitesourceExecuteScan.go

* unset umask (#2927)

* (feat) adds error logging output for downloading reports from whitesource (#2928)

* Add toolrecord file to Protecode results

* address code climate findings (1/2)

* address codeclimate findings (2/2)

* add comments to all methods

Co-authored-by: Kevin Stiehl <kevin.stiehl@numericas.de>
Co-authored-by: ffeldmann <felix@bnbit.de>
Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com>
2021-06-23 15:05:00 +02:00
Johannes Schneider
3fa46f20d3
report vulnerability reports in the aggregated vulnerability report only (#2915) 2021-06-17 13:58:10 +02:00
Sven Merk
7fa31ae9cc
feat(http): Resilience via retry on intermittent communication issues (#2877)
* feat(http): Resilience on connectivity issues

* Update whitesourceExecuteScan.go

* Update splunk_test.go

* Fix initialization

* Change http interaction

* Fix fmt and tests

* Final test fix
2021-06-15 11:13:24 +02:00
Johannes Schneider
c22e0a1f0e
[WhitesourceExecuteScan] Fix Inconsistencies in Aggregated Report (#2872)
Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com>
2021-06-09 15:56:56 +02:00
Sven Merk
b7b775c981
Update whitesourceExecuteScan.go (#2875) 2021-06-08 11:03:57 +02:00
Oliver Nocon
4b666003c8
feat(reporting) update markdown reports (#2819) 2021-05-11 08:01:02 +02:00
Oliver Nocon
5899746767
chore: update error categories (#2827) 2021-05-10 17:44:28 +02:00
Sven Merk
534cba767c
fix(whitesourceExecuteScan): Add retry capability for download operations (#2808)
Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2021-05-05 15:49:28 +02:00
pkrasnousov
e9464b2594
feat(whitesourcescan): add param workDir to whitesourcescan (#2791)
* Add dir to whitesource scan

* Add default for "dir" option

* Change param name to workDir

* Change param name WorkDir to ScanPath

Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2021-05-03 10:53:16 +02:00
Oliver Nocon
d04a7c2eb3
feat(pipelineCreateScanSummary) Create groovy wrapper (#2743)
* feat(pipelineCreateScanSummary) Create groovy wrapper

* add command to binary

* stash step reports

* update stash

* fix typo

* unstash reports first

* update reporting

* update json reporting

* update tests & enhance logging

* update md report

* update md reporting

* fix rendering

* update tests
2021-04-15 07:45:06 +02:00
Oliver Nocon
9b6a8cb3b6
feat(whitesource): create json report (#2699)
* feat(withesource): create json report

* proper constant value

* update generation
2021-03-19 11:10:08 +01:00
Oliver Nocon
2048c00d2c
whitesource: use only Unified Agent for scanning (#2707)
don't use native build-tool specific plugins any longer.
They have been deprecated by WhiteSource mid 2019 already.

Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com>
2021-03-19 09:58:24 +01:00
Sven Merk
d52a1a3619
Influx step execution reporting (#2700)
* Influx step execution reporting

* influx for newmanExecute added

Co-authored-by: lndrschlz <leander.schulz01@sap.com>
2021-03-18 10:32:03 +01:00
Christopher Fenner
f999925788
fix(influx): correct data type of influx measurements (#2171)
* update data type of influx measurements

* Update checkmarx.yaml

* pick changes from #1885 for testing

* update generated code

* update to new datatype

* adjust to type changes

* change back to string type

* Update fortifyExecuteScan.go

* add typo to be backward compatible

* change type to int for files_scanned and lines_of_code_scanned

* add typo

* add measurements to whitesource

* update generated sources

* adjust test cases

Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2021-03-10 16:00:53 +01:00
Oliver Nocon
d47a17c8fc
feat(whitesource): consolidated reporting and versioning alignment (#2571)
* update reporting and add todo comments

* enhance reporting, allow directory creation for reports

* properly pass reports

* update templating and increase verbosity of errors

* add todo

* add detail table

* update sorting

* add test and improve error message

* fix error message in test

* extend tests

* enhance tests

* enhance versioning behavior accoring to #1846

* create markdown overview report

* small fix

* fix small issue

* make sure that report directory exists

* align reporting directory with default directory from UA

* add missing comments

* add policy check incl. tests

* enhance logging and tests

* update versioning to allow custom version usage properly

* fix report paths and golang image

* update styling of md

* update test
2021-02-10 16:18:00 +01:00
Oliver Nocon
a104b2a06d
feat(whitesourceExecuteScan): UA for all build tools, e.g. maven & npm (#2501)
* feat(whitesource): add config helper

this helps to ease & enforce config settings

* fix accidential change of class

* add todos wrt java download

* use existing scanOptions, add option to download jre

* update generation

* fix generation

* allow running UA via go library

* correct image, improve logging

* add removal of downloaded JVM

* update java creation and deletion

* refactor and add log output

* remove obsolete ToDo

* increase test coverage

* increase test coverage

* adding aliases and tests

* make go modules as default

* maven: update behavior of projectNaming

* add Docker capabilities

* correct parameter name

* retrieve Docker coordinates

* docker coordinates only to provide artifact

* add ToDos

* add mta capability

* add aliases, mvn arguments for settings

* clean up groovy part

* update defaults

* add container for pip

* add defaults, add maven specifics, ...

* properly download settings

* maven: check existence of excluded files

* fix reporting

* Update CommonStepsTest.groovy

* update comment

* fix CodeClimate finding

* add tests for pip & fix minor issues

* fix order of pip build descriptors

* update pip container options

* fix pip virtualEnv parameter

* update report permissions

* fix test

* update container options

* add use fileUtils to load properties file

* update parameter description

* adding Docker scanning defaults

* clean up configHelper

* consider also npm tool cache

* add todos
2021-02-03 14:52:48 +01:00
Stephan Aßmus
eff38f6c9d
whitesourcExecuteScan-go: Additional fixes (#2315)
* Make sure the UA scan is known to the scan object. Fixes downloading reports later on.
* Move polling into pkg/whitesource, add test for e2e scan
* Remove conditions from stash config resource
* Don't use version stored in CPE. This will prevent the versioningModel from being applied.
2020-11-10 09:09:51 +01:00
Oliver Nocon
26cfbf7357
fix(whitesourceExecuteScan) properly handle output resources (#2266)
* fix(whitesourceExecuteScan) properly handle output resources

* fix merge issues

* add required aliases

* update generation

* fix reading custom and container environment parameters from cpe

Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com>
2020-11-02 08:51:58 +01:00
Daniel Kurzynski
a2656a5f71
Install artifacts before whitesource scan (#2280) 2020-10-30 15:05:14 +01:00
Stephan Aßmus
86f335811c
whitesourceExecuteScan-go: Implement parameters "timeout", "createProductFromPipeline" (#2246) 2020-10-29 09:21:01 +01:00
Stephan Aßmus
260ca2c5a5
whitesourceExecuteScan: Re-organize code between step and whitesource package (#2207) 2020-10-20 09:49:26 +02:00
Kevin Hudemann
6c2f8365c1
WhiteSource: Remove performance-tests from default maven excludes (#2176)
This change fixes an issue with the default maven excludes where the step would fail when performance tests are present in the project, but are not a module in the root pom. In addition, it provides a small fix of a method where a wrong path was passed to an error.
2020-10-15 08:08:00 +02:00
Stephan Aßmus
ed97142f6d
Pass correct module path to npm.InstallAllDependencies() (#2144)
We are already in the module's directory.
2020-10-09 08:33:36 +02:00