// Code generated by piper's step-generator. DO NOT EDIT. package cmd import ( "fmt" "os" "reflect" "strings" "time" "github.com/SAP/jenkins-library/pkg/config" "github.com/SAP/jenkins-library/pkg/gcs" "github.com/SAP/jenkins-library/pkg/log" "github.com/SAP/jenkins-library/pkg/splunk" "github.com/SAP/jenkins-library/pkg/telemetry" "github.com/SAP/jenkins-library/pkg/validation" "github.com/bmatcuk/doublestar" "github.com/spf13/cobra" ) type codeqlExecuteScanOptions struct { GithubToken string `json:"githubToken,omitempty"` BuildTool string `json:"buildTool,omitempty" validate:"possible-values=custom maven golang npm pip yarn"` BuildCommand string `json:"buildCommand,omitempty"` Language string `json:"language,omitempty"` ModulePath string `json:"modulePath,omitempty"` Database string `json:"database,omitempty"` QuerySuite string `json:"querySuite,omitempty"` UploadResults bool `json:"uploadResults,omitempty"` Threads string `json:"threads,omitempty"` Ram string `json:"ram,omitempty"` AnalyzedRef string `json:"analyzedRef,omitempty"` Repository string `json:"repository,omitempty"` CommitID string `json:"commitId,omitempty"` VulnerabilityThresholdTotal int `json:"vulnerabilityThresholdTotal,omitempty"` CheckForCompliance bool `json:"checkForCompliance,omitempty"` } type codeqlExecuteScanReports struct { } func (p *codeqlExecuteScanReports) persist(stepConfig codeqlExecuteScanOptions, gcpJsonKeyFilePath string, gcsBucketId string, gcsFolderPath string, gcsSubFolder string) { if gcsBucketId == "" { log.Entry().Info("persisting reports to GCS is disabled, because gcsBucketId is empty") return } log.Entry().Info("Uploading reports to Google Cloud Storage...") content := []gcs.ReportOutputParam{ {FilePattern: "**/*.csv", ParamRef: "", StepResultType: "codeql"}, {FilePattern: "**/*.sarif", ParamRef: "", StepResultType: "codeql"}, {FilePattern: "**/toolrun_codeql_*.json", ParamRef: "", StepResultType: "codeql"}, {FilePattern: "**/piper_codeql_report.json", ParamRef: "", StepResultType: "codeql"}, } envVars := []gcs.EnvVar{ {Name: "GOOGLE_APPLICATION_CREDENTIALS", Value: gcpJsonKeyFilePath, Modified: false}, } gcsClient, err := gcs.NewClient(gcs.WithEnvVars(envVars)) if err != nil { log.Entry().Errorf("creation of GCS client failed: %v", err) return } defer gcsClient.Close() structVal := reflect.ValueOf(&stepConfig).Elem() inputParameters := map[string]string{} for i := 0; i < structVal.NumField(); i++ { field := structVal.Type().Field(i) if field.Type.String() == "string" { paramName := strings.Split(field.Tag.Get("json"), ",") paramValue, _ := structVal.Field(i).Interface().(string) inputParameters[paramName[0]] = paramValue } } if err := gcs.PersistReportsToGCS(gcsClient, content, inputParameters, gcsFolderPath, gcsBucketId, gcsSubFolder, doublestar.Glob, os.Stat); err != nil { log.Entry().Errorf("failed to persist reports: %v", err) } } // CodeqlExecuteScanCommand This step executes a codeql scan on the specified project to perform static code analysis and check the source code for security flaws. func CodeqlExecuteScanCommand() *cobra.Command { const STEP_NAME = "codeqlExecuteScan" metadata := codeqlExecuteScanMetadata() var stepConfig codeqlExecuteScanOptions var startTime time.Time var reports codeqlExecuteScanReports var logCollector *log.CollectorHook var splunkClient *splunk.Splunk telemetryClient := &telemetry.Telemetry{} var createCodeqlExecuteScanCmd = &cobra.Command{ Use: STEP_NAME, Short: "This step executes a codeql scan on the specified project to perform static code analysis and check the source code for security flaws.", Long: `This step executes a codeql scan on the specified project to perform static code analysis and check the source code for security flaws. The codeql step triggers a scan locally on your orchestrator (e.g. Jenkins) within a docker container so finally you have to supply a docker image with codeql and Java plus Maven.`, PreRunE: func(cmd *cobra.Command, _ []string) error { startTime = time.Now() log.SetStepName(STEP_NAME) log.SetVerbose(GeneralConfig.Verbose) GeneralConfig.GitHubAccessTokens = ResolveAccessTokens(GeneralConfig.GitHubTokens) path, _ := os.Getwd() fatalHook := &log.FatalHook{CorrelationID: GeneralConfig.CorrelationID, Path: path} log.RegisterHook(fatalHook) err := PrepareConfig(cmd, &metadata, STEP_NAME, &stepConfig, config.OpenPiperFile) if err != nil { log.SetErrorCategory(log.ErrorConfiguration) return err } log.RegisterSecret(stepConfig.GithubToken) if len(GeneralConfig.HookConfig.SentryConfig.Dsn) > 0 { sentryHook := log.NewSentryHook(GeneralConfig.HookConfig.SentryConfig.Dsn, GeneralConfig.CorrelationID) log.RegisterHook(&sentryHook) } if len(GeneralConfig.HookConfig.SplunkConfig.Dsn) > 0 { splunkClient = &splunk.Splunk{} logCollector = &log.CollectorHook{CorrelationID: GeneralConfig.CorrelationID} log.RegisterHook(logCollector) } if err = log.RegisterANSHookIfConfigured(GeneralConfig.CorrelationID); err != nil { log.Entry().WithError(err).Warn("failed to set up SAP Alert Notification Service log hook") } validation, err := validation.New(validation.WithJSONNamesForStructFields(), validation.WithPredefinedErrorMessages()) if err != nil { return err } if err = validation.ValidateStruct(stepConfig); err != nil { log.SetErrorCategory(log.ErrorConfiguration) return err } return nil }, Run: func(_ *cobra.Command, _ []string) { stepTelemetryData := telemetry.CustomData{} stepTelemetryData.ErrorCode = "1" handler := func() { reports.persist(stepConfig, GeneralConfig.GCPJsonKeyFilePath, GeneralConfig.GCSBucketId, GeneralConfig.GCSFolderPath, GeneralConfig.GCSSubFolder) config.RemoveVaultSecretFiles() stepTelemetryData.Duration = fmt.Sprintf("%v", time.Since(startTime).Milliseconds()) stepTelemetryData.ErrorCategory = log.GetErrorCategory().String() stepTelemetryData.PiperCommitHash = GitCommit telemetryClient.SetData(&stepTelemetryData) telemetryClient.Send() if len(GeneralConfig.HookConfig.SplunkConfig.Dsn) > 0 { splunkClient.Send(telemetryClient.GetData(), logCollector) } } log.DeferExitHandler(handler) defer handler() telemetryClient.Initialize(GeneralConfig.NoTelemetry, STEP_NAME) if len(GeneralConfig.HookConfig.SplunkConfig.Dsn) > 0 { splunkClient.Initialize(GeneralConfig.CorrelationID, GeneralConfig.HookConfig.SplunkConfig.Dsn, GeneralConfig.HookConfig.SplunkConfig.Token, GeneralConfig.HookConfig.SplunkConfig.Index, GeneralConfig.HookConfig.SplunkConfig.SendLogs) } codeqlExecuteScan(stepConfig, &stepTelemetryData) stepTelemetryData.ErrorCode = "0" log.Entry().Info("SUCCESS") }, } addCodeqlExecuteScanFlags(createCodeqlExecuteScanCmd, &stepConfig) return createCodeqlExecuteScanCmd } func addCodeqlExecuteScanFlags(cmd *cobra.Command, stepConfig *codeqlExecuteScanOptions) { cmd.Flags().StringVar(&stepConfig.GithubToken, "githubToken", os.Getenv("PIPER_githubToken"), "GitHub personal access token in plain text. NEVER set this parameter in a file commited to a source code repository. This parameter is intended to be used from the command line or set securely via the environment variable listed below. In most pipeline use-cases, you should instead either store the token in Vault (where it can be automatically retrieved by the step from one of the paths listed below) or store it as a Jenkins secret and configure the secret's id via the `githubTokenCredentialsId` parameter.") cmd.Flags().StringVar(&stepConfig.BuildTool, "buildTool", `maven`, "Defines the build tool which is used for building the project.") cmd.Flags().StringVar(&stepConfig.BuildCommand, "buildCommand", os.Getenv("PIPER_buildCommand"), "Command to build the project") cmd.Flags().StringVar(&stepConfig.Language, "language", os.Getenv("PIPER_language"), "The programming language used to analyze.") cmd.Flags().StringVar(&stepConfig.ModulePath, "modulePath", `./`, "Allows providing the path for the module to scan") cmd.Flags().StringVar(&stepConfig.Database, "database", `codeqlDB`, "Path to the CodeQL database to create. This directory will be created, and must not already exist.") cmd.Flags().StringVar(&stepConfig.QuerySuite, "querySuite", os.Getenv("PIPER_querySuite"), "The name of a CodeQL query suite. If omitted, the default query suite for the language of the database being analyzed will be used.") cmd.Flags().BoolVar(&stepConfig.UploadResults, "uploadResults", false, "Allows you to upload codeql SARIF results to your github project. You will need to set githubToken for this.") cmd.Flags().StringVar(&stepConfig.Threads, "threads", `0`, "Use this many threads for the codeql operations.") cmd.Flags().StringVar(&stepConfig.Ram, "ram", os.Getenv("PIPER_ram"), "Use this much ram (MB) for the codeql operations.") cmd.Flags().StringVar(&stepConfig.AnalyzedRef, "analyzedRef", os.Getenv("PIPER_analyzedRef"), "Name of the ref that was analyzed.") cmd.Flags().StringVar(&stepConfig.Repository, "repository", os.Getenv("PIPER_repository"), "URL of the GitHub instance") cmd.Flags().StringVar(&stepConfig.CommitID, "commitId", os.Getenv("PIPER_commitId"), "SHA of commit that was analyzed.") cmd.Flags().IntVar(&stepConfig.VulnerabilityThresholdTotal, "vulnerabilityThresholdTotal", 0, "Threashold for maximum number of allowed vulnerabilities.") cmd.Flags().BoolVar(&stepConfig.CheckForCompliance, "checkForCompliance", false, "If set to true, the piper step checks for compliance based on vulnerability threadholds. Example - If total vulnerabilites are 10 and vulnerabilityThresholdTotal is set as 0, then the steps throws an compliance error.") cmd.MarkFlagRequired("buildTool") } // retrieve step metadata func codeqlExecuteScanMetadata() config.StepData { var theMetaData = config.StepData{ Metadata: config.StepMetadata{ Name: "codeqlExecuteScan", Aliases: []config.Alias{}, Description: "This step executes a codeql scan on the specified project to perform static code analysis and check the source code for security flaws.", }, Spec: config.StepSpec{ Inputs: config.StepInputs{ Secrets: []config.StepSecrets{ {Name: "githubTokenCredentialsId", Description: "Jenkins 'Secret text' credentials ID containing token to authenticate to GitHub.", Type: "jenkins"}, }, Resources: []config.StepResources{ {Name: "commonPipelineEnvironment"}, {Name: "buildDescriptor", Type: "stash"}, {Name: "tests", Type: "stash"}, }, Parameters: []config.StepParameters{ { Name: "githubToken", ResourceRef: []config.ResourceReference{ { Name: "githubTokenCredentialsId", Type: "secret", }, { Name: "githubVaultSecretName", Type: "vaultSecret", Default: "github", }, }, Scope: []string{"GENERAL", "PARAMETERS", "STAGES", "STEPS"}, Type: "string", Mandatory: false, Aliases: []config.Alias{{Name: "access_token"}}, Default: os.Getenv("PIPER_githubToken"), }, { Name: "buildTool", ResourceRef: []config.ResourceReference{}, Scope: []string{"GENERAL", "PARAMETERS", "STAGES", "STEPS"}, Type: "string", Mandatory: true, Aliases: []config.Alias{}, Default: `maven`, }, { Name: "buildCommand", ResourceRef: []config.ResourceReference{}, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, Type: "string", Mandatory: false, Aliases: []config.Alias{}, Default: os.Getenv("PIPER_buildCommand"), }, { Name: "language", ResourceRef: []config.ResourceReference{}, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, Type: "string", Mandatory: false, Aliases: []config.Alias{}, Default: os.Getenv("PIPER_language"), }, { Name: "modulePath", ResourceRef: []config.ResourceReference{}, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, Type: "string", Mandatory: false, Aliases: []config.Alias{}, Default: `./`, }, { Name: "database", ResourceRef: []config.ResourceReference{}, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, Type: "string", Mandatory: false, Aliases: []config.Alias{}, Default: `codeqlDB`, }, { Name: "querySuite", ResourceRef: []config.ResourceReference{}, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, Type: "string", Mandatory: false, Aliases: []config.Alias{}, Default: os.Getenv("PIPER_querySuite"), }, { Name: "uploadResults", ResourceRef: []config.ResourceReference{}, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, Type: "bool", Mandatory: false, Aliases: []config.Alias{}, Default: false, }, { Name: "threads", ResourceRef: []config.ResourceReference{}, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, Type: "string", Mandatory: false, Aliases: []config.Alias{}, Default: `0`, }, { Name: "ram", ResourceRef: []config.ResourceReference{}, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, Type: "string", Mandatory: false, Aliases: []config.Alias{}, Default: os.Getenv("PIPER_ram"), }, { Name: "analyzedRef", ResourceRef: []config.ResourceReference{ { Name: "commonPipelineEnvironment", Param: "git/ref", }, }, Scope: []string{}, Type: "string", Mandatory: false, Aliases: []config.Alias{}, Default: os.Getenv("PIPER_analyzedRef"), }, { Name: "repository", ResourceRef: []config.ResourceReference{ { Name: "commonPipelineEnvironment", Param: "git/httpsUrl", }, }, Scope: []string{}, Type: "string", Mandatory: false, Aliases: []config.Alias{{Name: "githubRepo"}}, Default: os.Getenv("PIPER_repository"), }, { Name: "commitId", ResourceRef: []config.ResourceReference{ { Name: "commonPipelineEnvironment", Param: "git/remoteCommitId", }, }, Scope: []string{}, Type: "string", Mandatory: false, Aliases: []config.Alias{}, Default: os.Getenv("PIPER_commitId"), }, { Name: "vulnerabilityThresholdTotal", ResourceRef: []config.ResourceReference{}, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, Type: "int", Mandatory: false, Aliases: []config.Alias{}, Default: 0, }, { Name: "checkForCompliance", ResourceRef: []config.ResourceReference{}, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, Type: "bool", Mandatory: false, Aliases: []config.Alias{}, Default: false, }, }, }, Containers: []config.Container{ {}, }, Outputs: config.StepOutputs{ Resources: []config.StepResources{ { Name: "reports", Type: "reports", Parameters: []map[string]interface{}{ {"filePattern": "**/*.csv", "type": "codeql"}, {"filePattern": "**/*.sarif", "type": "codeql"}, {"filePattern": "**/toolrun_codeql_*.json", "type": "codeql"}, {"filePattern": "**/piper_codeql_report.json", "type": "codeql"}, }, }, }, }, }, } return theMetaData }