mirror of https://github.com/SAP/jenkins-library.git synced 2025-01-18 05:18:24 +02:00
Sven Merk cbe368fe36
Checkmarx as golang (#1075)
* Added base functionality for checkmarx interaction

* Extend http client with file upload capabilities

* Latest changes

* Add debug logging

* Introduce Uploader interface

* Add tests for checkmarx client

* Hook new checkmarx command

* Improve coverage

* Add tests

* Improved test coverage and fixed code

* Add influx reporting

* Add alternation capabilities

* Add groovy step

* Try fix cmd

* Enhancements

* Fix report generation

* Final performance improvements

* Fix code

* Structure code, cleanup

* Improvements

* Fix codeclimate issue

* Update groovy

* Adapt latest changes to http

* Fix test

* Fix http tests

* Fix test

* Fix test

* Fix test 2

* Fix code

* Fix code 2

* Fix code

* Code

* Fix

* Fix

* Add report and link handling

* Fix returns, add groovy test

* Review comments

* Added doc template

* Docs update

* Remove SAP internals

* Better status display

* Add name to link

* Fix test

* Fix

* Fix verbose handling

* Fix verbose handling 2

* Fix verbose handling 3

* Fix

* Tiny improvements

* Regenerate

* Fix test

* Fix test code

* Fix verbosity issue

* Fix test

* Fix test

* Fix test
2020-01-27 23:40:53 +01:00

metadata:
  name: checkmarxExecuteScan
  description: Checkmarx is the recommended tool for security scans of JavaScript, iOS, Swift and Ruby code.
  longDescription: |-
    Checkmarx is a Static Application Security Testing (SAST) tool to analyze e.g. JavaScript or TypeScript, Swift, Golang, Ruby code
    and many other programming languages for security flaws, based on a set of provided rules/queries that can be customized and extended.
    This step by default enforces a specific audit baseline for findings and therefore ensures that:
    * No 'To Verify' High and Medium issues exist in your project
    * The total number of High and Medium 'Confirmed' or 'Urgent' issues is zero
    * 10% of all Low issues are 'Confirmed' or 'Not Exploitable'
    You can adapt the above thresholds using the provided configuration parameters, e.g. check for `absolute`
    thresholds instead of `percentage`, although we strongly recommend that you stay with the defaults provided.
spec:
  inputs:
    secrets:
      - name: checkmarxCredentialsId
        description: The technical user/password credential used to communicate with the Checkmarx backend
        type: jenkins
    params:
      - name: avoidDuplicateProjectScans
        type: bool
        description: Whether duplicate scans of the same project state shall be avoided or not
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: false
      - name: filterPattern
        type: string
        description: The filter pattern used to zip the files relevant for scanning. Patterns can be negated by setting an exclamation mark in front, e.g. `!test/*.js` would avoid adding any JavaScript files located in the test directory
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: '!**/node_modules/**, !**/.xmake/**, !**/*_test.go, !**/vendor/**/*.go,
          **/*.html, **/*.xml, **/*.go, **/*.py, **/*.js, **/*.scala, **/*.ts'
      - name: fullScanCycle
        type: string
        description: Indicates how often a full scan should happen between the incremental scans when activated
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 5
      - name: fullScansScheduled
        type: bool
        description: Whether full scans are to be scheduled or not. Should be used in relation with `incremental` and `fullScanCycle`
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: generatePdfReport
        type: bool
        description: Whether to generate a PDF report of the analysis results or not
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: incremental
        type: bool
        description: Whether incremental scans are to be applied, which optimizes the scan time but might reduce detection capabilities. Therefore full scans are still required from time to time and should be scheduled via `fullScansScheduled` and `fullScanCycle`
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: password
        type: string
        description: The password to authenticate
        mandatory: true
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: preset
        type: string
        description: The preset to use for scanning. If not set explicitly, the step will attempt to look up the project's setting based on the availability of `checkmarxCredentialsId`
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: null
      - name: projectName
        aliases:
          - name: checkmarxProject
        type: string
        description: The name of the Checkmarx project to scan into
        mandatory: true
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: pullRequestName
        type: string
        description: Used to supply the name for the newly created PR project branch when being used in pull request scenarios
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: serverUrl
        aliases:
          - name: checkmarxServerUrl
        type: string
        description: The URL pointing to the root of the Checkmarx server to be used
        mandatory: true
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
      - name: sourceEncoding
        type: string
        description: The source encoding to be used. If not set explicitly, the project's default will be used
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: '1'
      - name: teamId
        aliases:
          - name: checkmarxGroupId
        type: string
        description: The group ID related to your team, which can be obtained via the Pipeline Syntax plugin as described in the `Details` section
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: teamName
        type: string
        description: The full name of the team to assign newly created projects to, which is preferred over `teamId`
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: username
        type: string
        description: The username to authenticate
        mandatory: true
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: vulnerabilityThresholdEnabled
        type: bool
        description: Whether the thresholds are enabled or not. If enabled, the build result will be set to `vulnerabilityThresholdResult` in case a specific threshold value is exceeded
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: vulnerabilityThresholdHigh
        type: int
        description: The specific threshold for high severity findings
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 100
      - name: vulnerabilityThresholdLow
        type: int
        description: The specific threshold for low severity findings
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 10
      - name: vulnerabilityThresholdMedium
        type: int
        description: The specific threshold for medium severity findings
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 100
      - name: vulnerabilityThresholdResult
        type: string
        description: The result of the build in case thresholds are enabled and exceeded
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: FAILURE
      - name: vulnerabilityThresholdUnit
        type: string
        description: The unit for the thresholds to apply, either `percentage` or `absolute`
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: percentage
  outputs:
    resources:
      - name: influx
        type: influx
        params:
          - name: checkmarx_data
            fields:
              - name: high_issues
              - name: high_not_false_postive
              - name: high_not_exploitable
              - name: high_confirmed
              - name: high_urgent
              - name: high_proposed_not_exploitable
              - name: high_to_verify
              - name: medium_issues
              - name: medium_not_false_postive
              - name: medium_not_exploitable
              - name: medium_confirmed
              - name: medium_urgent
              - name: medium_proposed_not_exploitable
              - name: medium_to_verify
              - name: low_issues
              - name: low_not_false_postive
              - name: low_not_exploitable
              - name: low_confirmed
              - name: low_urgent
              - name: low_proposed_not_exploitable
              - name: low_to_verify
              - name: information_issues
              - name: information_not_false_postive
              - name: information_not_exploitable
              - name: information_confirmed
              - name: information_urgent
              - name: information_proposed_not_exploitable
              - name: information_to_verify
              - name: initiator_name
              - name: owner
              - name: scan_id
              - name: project_id
              - name: project_name
              - name: team
              - name: team_full_path_on_report_date
              - name: scan_start
              - name: scan_time
              - name: lines_of_code_scanned
              - name: files_scanned
              - name: checkmarx_version
              - name: scan_type
              - name: preset
              - name: deep_link
              - name: report_creation_time
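As an added illustration (not the project's own Go implementation of this step), the audit baseline from `longDescription` and the `vulnerabilityThreshold*` parameters expressed as a small check over the per-severity counts the step reports to influx. The names `Counts`, `Thresholds`, `Evaluate` and `violates` are this example's, and reading an `absolute` threshold as a maximum count of not yet acceptable findings is an assumption, since the metadata only names the unit.

```go
package main

// Counts mirrors one severity's influx fields the step reports, e.g.
// low_issues, low_to_verify, low_confirmed, low_urgent, low_not_exploitable.
type Counts struct {
	Issues, ToVerify, Confirmed, Urgent, NotExploitable int
}

// Thresholds holds the vulnerabilityThreshold* parameters; Default carries the step's defaults.
type Thresholds struct {
	Enabled           bool
	High, Medium, Low int
	Unit, Result      string
}

var Default = Thresholds{true, 100, 100, 10, "percentage", "FAILURE"}

// acceptable counts tolerated findings: for High and Medium all that are not 'To
// Verify', 'Confirmed' or 'Urgent'; for Low those 'Confirmed' or 'Not Exploitable'.
func acceptable(sev string, c Counts) int {
	if sev == "Low" {
		return c.Confirmed + c.NotExploitable
	}
	return c.Issues - c.ToVerify - c.Confirmed - c.Urgent
}

// violates checks one severity: in percentage mode the acceptable share must
// reach the limit (100 for High/Medium is exactly the default baseline); an
// absolute limit caps the not yet acceptable findings (assumption made here).
func violates(sev string, c Counts, limit int, unit string) bool {
	ok := acceptable(sev, c)
	if unit == "absolute" {
		return c.Issues-ok > limit
	}
	if c.Issues == 0 {
		return false // nothing to audit counts as fully audited
	}
	return ok*100 < limit*c.Issues // integer form of ok/Issues*100 < limit
}

// Evaluate returns the build result the step would set: "SUCCESS", or
// t.Result as soon as one enabled threshold is broken.
func Evaluate(t Thresholds, high, medium, low Counts) string {
	sev, limits := []string{"High", "Medium", "Low"}, []int{t.High, t.Medium, t.Low}
	for i, c := range []Counts{high, medium, low} {
		if t.Enabled && violates(sev[i], c, limits[i], t.Unit) {
			return t.Result
		}
	}
	return "SUCCESS"
}
```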