1
0
mirror of https://github.com/SAP/jenkins-library.git synced 2024-12-14 11:03:09 +02:00
sap-jenkins-library/resources/metadata/protecode.yaml
Kevin Stiehl 0f48a229d2
(Vault) add vaultSecretFile References (#2314)
* add vaultSecretFile References

* add vaultRef to protecode

Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-11-06 18:06:19 +01:00

220 lines
7.5 KiB
YAML

metadata:
name: protecodeExecuteScan
description: Protecode is an Open Source Vulnerability Scanner that is capable of scanning binaries. It can be used to scan docker images but is supports many other programming languages especially those of the C family.
longDescription: |-
Protecode is an Open Source Vulnerability Scanner that is capable of scanning binaries. It can be used to scan docker images but is supports many other programming languages especially those of the C family.
!!! hint "Auditing findings (Triaging)"
Triaging is now supported by the Protecode backend and also Piper does consider this information during the analysis of the scan results though product versions are not supported by Protecode. Therefore please make sure that the `fileName` you are providing does either contain a stable version or that it does not contain one at all. By ensuring that you are able to triage CVEs globally on the upload file's name without affecting any other artifacts scanned in the same Protecode group and as such triaged vulnerabilities will be considered during the next scan and will not fail the build anymore.
spec:
inputs:
secrets:
- name: protecodeCredentialsId
description: Jenkins 'Username with password' credentials ID containing username and password to authenticate to the Protecode system.
type: jenkins
- name: dockerConfigJsonCredentialsId
description: Jenkins 'Secret file' credentials ID containing Docker config.json (with registry credential(s)). You can create it like explained in the Docker Success Center in the article about [how to generate a new auth in the config.json file](https://success.docker.com/article/generate-new-auth-in-config-json-file).
type: jenkins
aliases:
- name: dockerCredentialsId
deprecated: true
params:
- name: excludeCVEs
aliases:
- name: protecodeExcludeCVEs
type: string
description: "DEPRECATED: Do use triaging within the Protecode UI instead"
scope:
- PARAMETERS
- STAGES
- STEPS
default: ""
- name: failOnSevereVulnerabilities
aliases:
- name: protecodeFailOnSevereVulnerabilities
type: bool
description: Whether to fail the job on severe vulnerabilties or not
scope:
- PARAMETERS
- STAGES
- STEPS
default: true
- name: scanImage
aliases:
- name: dockerImage
type: string
description: The reference to the docker image to scan with Protecode
resourceRef:
- name: commonPipelineEnvironment
param: container/imageNameTag
scope:
- GENERAL
- PARAMETERS
- STAGES
- STEPS
- name: dockerRegistryUrl
type: string
description: The reference to the docker registry to scan with Protecode
resourceRef:
- name: commonPipelineEnvironment
param: container/registryUrl
scope:
- GENERAL
- PARAMETERS
- STAGES
- STEPS
- name: dockerConfigJSON
type: string
description: Path to the file `.docker/config.json` - this is typically provided by your CI/CD system. You can find more details about the Docker credentials in the [Docker documentation](https://docs.docker.com/engine/reference/commandline/login/).
scope:
- PARAMETERS
- STAGES
- STEPS
secret: true
resourceRef:
- name: dockerConfigJsonCredentialsId
type: secret
- type: vaultSecretFile
paths:
- $(vaultPath)/docker-config
- $(vaultBasePath)/$(vaultPipelineName)/docker-config
- $(vaultBasePath)/GROUP-SECRETS/docker-config
- name: cleanupMode
type: string
description: Decides which parts are removed from the Protecode backend after the scan
scope:
- PARAMETERS
- STAGES
- STEPS
default: binary
possibleValues:
- none
- binary
- complete
- name: filePath
type: string
description: The path to the file from local workspace to scan with Protecode
scope:
- PARAMETERS
- STAGES
- STEPS
- name: includeLayers
type: bool
description: Flag if the docker layers should be included
scope:
- PARAMETERS
- STAGES
- STEPS
- name: timeoutMinutes
aliases:
- name: protecodeTimeoutMinutes
type: string
description: The timeout to wait for the scan to finish
scope:
- PARAMETERS
- STAGES
- STEPS
default: 60
- name: serverUrl
aliases:
- name: protecodeServerUrl
type: string
description: The URL to the Protecode backend
mandatory: true
scope:
- GENERAL
- PARAMETERS
- STAGES
- STEPS
- name: reportFileName
type: string
description: The file name of the report to be created
scope:
- PARAMETERS
- STAGES
- STEPS
default: protecode_report.pdf
- name: fetchUrl
type: string
description: The URL to fetch the file to scan with Protecode which must be accessible via public HTTP GET request
scope:
- PARAMETERS
- STAGES
- STEPS
- name: group
aliases:
- name: protecodeGroup
type: string
description: The Protecode group ID of your team
mandatory: true
scope:
- PARAMETERS
- STAGES
- STEPS
- name: reuseExisting
type: bool
description: Whether to reuse an existing product instead of creating a new one
scope:
- PARAMETERS
- STAGES
- STEPS
- name: username
aliases:
- name: user
deprecated: true
type: string
description: User which is used for the protecode scan
mandatory: true
scope:
- PARAMETERS
- STAGES
- STEPS
secret: true
resourceRef:
- name: protecodeCredentialsId
type: secret
param: username
- name: password
type: string
description: Password which is used for the user
mandatory: true
scope:
- PARAMETERS
- STAGES
- STEPS
secret: true
resourceRef:
- name: protecodeCredentialsId
type: secret
param: password
- name: artifactVersion
type: string
description: The version of the artifact to allow identification in protecode backend
resourceRef:
- name: commonPipelineEnvironment
param: artifactVersion
scope:
- PARAMETERS
- STAGES
- STEPS
- name: pullRequestName
type: string
description: The name of the pull request
scope:
- PARAMETERS
- STAGES
- STEPS
outputs:
resources:
- name: influx
type: influx
params:
- name: protecode_data
fields:
- name: historical_vulnerabilities
- name: triaged_vulnerabilities
- name: excluded_vulnerabilities
- name: minor_vulnerabilities
- name: major_vulnerabilities
- name: vulnerabilities