mirror of https://github.com/SAP/jenkins-library.git synced 2024-12-14 11:03:09 +02:00
sap-jenkins-library/resources/metadata/whitesource.yaml
Jordan Levin 34967c502c
Whitesource scan (MVP) (#1658)
* Whitesource MVP for Gradle, Golang, and NPM/Yarn

* Refactoring

* Refactor and cleanup, better error checking

* publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support

* Run gofmt and cleanup comments

* Resolve PR comments

* Update resources/metadata/whitesource.yaml

Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com>

* Only determine project coordinates if they are missing

Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com>

* Gradle versioning artifact

* fix gradle artifact version regexp and refactor

* Fix token extraction from output buffer

* Fix some issues with pip and jsonfile versioning logic

* Remove useless spacing

* Remove unnecessary test file and fix naming style for JSONDescriptor

* Automatically download wss-unified-agent if file does not exist

* adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring

* adds config.ReportDirectoryName, improves readability

* Version-wide reporting for vulnerabilities and list of libraries.

* Refactor and improve build accuracy

* fix sed command

* Add includes file pattern config option

* Adds --exclude command line flag

* run go mod tidy and regenerate step framework

* Fix unit tests

* revert changes

* poll project status before downloading reports

* merge with master

* go mod tidy, go fmt, and fix whitesource unit test

* sync go.mod

* sync go.mod again

Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com>
Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com>
Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-01 07:54:13 +02:00


metadata:
  name: whitesourceExecuteScan
  description: BETA
  longDescription: |-
    BETA
    With this step [WhiteSource](https://www.whitesourcesoftware.com) security and license compliance scans can be executed and assessed.
    WhiteSource is a Software as a Service offering based on a so-called unified agent that locally determines the dependency
    tree of a node.js, Java, Python, Ruby, or Scala based solution and sends it to the WhiteSource server for a policy based license compliance
    check and for the detection of publicly known vulnerabilities in Free and Open Source Software.
    !!! note "Docker Images"
        The underlying Docker images are public and specific to the solution's programming language(s) and therefore may have to be exchanged
        to fit and support the relevant scenario. The default Python environment used is, for instance, Python 3 based.
    !!! warn "Restrictions"
        Currently the step contains hardened scan configurations for `scanType` `'pip'` and `'go'` only. Other environments are still being elaborated,
        so please thoroughly check your results and do not take them for granted by default.
        Also, not all environments have been thoroughly tested yet, so you might need to adjust the default containers used or
        create your own to adequately support your scenario. To do so please modify the `dockerImage` and `dockerWorkspace` parameters.
        The step expects an environment containing the programming language related compiler/interpreter as well as the related build tool. For a list
        of the supported build tools per environment please refer to the [WhiteSource Unified Agent Documentation](https://whitesource.atlassian.net/wiki/spaces/WD/pages/33718339/Unified+Agent).
spec:
  inputs:
    params:
      - name: buildDescriptorFile
        type: string
        description: Explicit path to the build descriptor file.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: null
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: golang
      - name: buildDescriptorFile
        type: string
        description: Explicit path to the build descriptor file.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: ./pom.xml
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: maven
      - name: buildDescriptorFile
        type: string
        description: Explicit path to the build descriptor file.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: null
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: mta
      - name: buildDescriptorFile
        type: string
        description: Explicit path to the build descriptor file.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: ./package.json
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: npm
      - name: buildDescriptorFile
        type: string
        description: Explicit path to the build descriptor file.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: ./setup.py
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: pip
      - name: buildDescriptorFile
        type: string
        description: Explicit path to the build descriptor file.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: ./build.sbt
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: sbt
      - name: buildDescriptorFile
        type: string
        description: Explicit path to the build descriptor file.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: ./dub.json
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: dub
      - name: defaultVersioningModel
        type: string
        description: The default project versioning model used when the `projectVersion` parameter is empty; the version reported to WhiteSource is then derived from the build descriptor version. Can be one of `'major'`, `'major-minor'`, `'semantic'`, `'full'`.
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 'major'
      - name: createProductFromPipeline
        type: bool
        description: Whether to create the related WhiteSource product on the fly based on the supplied pipeline configuration.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: securityVulnerabilities
        type: bool
        description: Whether security compliance is considered and reported as part of the assessment.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: timeout
        type: string
        description: Timeout in seconds until an HTTP call is forcefully terminated.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 0
      - name: agentDownloadUrl
        type: string
        description: URL used to download the latest version of the WhiteSource Unified Agent.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: https://github.com/whitesource/unified-agent-distribution/releases/latest/download/wss-unified-agent.jar
      - name: configFilePath
        type: string
        description: Explicit path to the WhiteSource Unified Agent configuration file.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: ./wss-generated-file.config
      - name: reportDirectoryName
        type: string
        description: Name of the directory to save vulnerability/risk reports to.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: "whitesource-reports"
      - name: aggregateVersionWideReport
        type: bool
        description: 'This does not run a scan; instead it just generates a report for all projects with projectVersion = config.ProductVersion.'
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: false
      - name: vulnerabilityReportFormat
        type: string
        description: Format of the file the vulnerability report is written to.
        mandatory: false
        possibleValues: [xlsx, json, xml]
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: xlsx
      - name: parallelLimit
        type: string
        description: 'Limit of parallel jobs being run at once in case of `scanType: ''mta''` based scenarios, defaults to `15`.'
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 15
      - name: reporting
        type: bool
        description: Whether assessment is being done at all, defaults to `true`.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: serviceUrl
        type: string
        description: URL to the WhiteSource server API used for communication.
        mandatory: false
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: https://saas.whitesourcesoftware.com/api
      - name: buildDescriptorExcludeList
        type: string
        description: List of build descriptors and therefore modules to exclude from the scan and assessment activities.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: []
      - name: orgToken
        type: string
        description: WhiteSource token identifying your organization.
        mandatory: true
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: null
      - name: userToken
        type: string
        description: WhiteSource token identifying the user executing the scan.
        mandatory: true
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: null
      - name: licensingVulnerabilities
        type: bool
        description: Whether license compliance is considered and reported as part of the assessment.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: agentFileName
        type: string
        description: Locally used name for the Unified Agent jar file after download.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: wss-unified-agent.jar
      - name: emailAddressesOfInitialProductAdmins
        type: string
        description: The list of email addresses to assign as product admins for newly created WhiteSource products.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: []
      - name: productVersion
        type: string
        description: Version of the WhiteSource product to be created and used for results aggregation, usually determined automatically.
        mandatory: false
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: null
      - name: jreDownloadUrl
        type: string
        description: URL used for downloading the Java Runtime Environment (JRE) required to run the WhiteSource Unified Agent.
        mandatory: false
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: null
      - name: productName
        type: string
        description: Name of the WhiteSource product to be created and used for results aggregation.
        mandatory: true
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: null
      - name: projectName
        aliases:
          - name: whitesourceProjectName
        type: string
        description: "The project used for reporting results in WhiteSource."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: '{{list .GroupID .ArtifactID | join "-" | trimAll "-"}}'
      - name: projectToken
        type: string
        description: Project token to execute the scan on.
        mandatory: false
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: null
      - name: vulnerabilityReportTitle
        type: string
        description: Title of the vulnerability report written during the assessment phase.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: WhiteSource Security Vulnerability Report
      - name: installCommand
        type: string
        description: Install command that can be used to populate the default docker image for some scenarios.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: null
      - name: scanType
        type: string
        description: Type of development stack used to implement the solution.
        mandatory: false
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: null
        possibleValues: ["golang", "npm", "gradle", "pip"]
      - name: cvssSeverityLimit
        type: string
        description: Limit of tolerable CVSS v3 score upon assessment which, when crossed, fails the build; defaults to `-1`.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: -1
      - name: includes
        type: string
        description: Space separated list of file path patterns to include in the scan; slashes must be escaped for sed.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: '**\/src\/main\/**\/*.java **\/*.py **\/*.go **\/*.js **\/*.ts'
      - name: excludes
        type: string
        description: Space separated list of file path patterns to exclude from the scan.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 'tests/**/*.py **/src/test/**/*.java'
      - name: productToken
        type: string
        description: Token of the WhiteSource product to be created and used for results aggregation, usually determined automatically.
        mandatory: false
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: null
      - name: agentParameters
        type: string
        description: Additional parameters passed to the Unified Agent command line.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: ''
    secrets:
      - name: userTokenCredentialsId
        type: jenkins
      - name: orgAdminUserTokenCredentialsId
        type: jenkins
    resources:
      - name: buildDescriptor
        type: stash
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: golang
      - name: opensourceConfiguration
        type: stash
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: golang
      - name: checkmarx
        type: stash
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: golang
      - name: buildDescriptor
        type: stash
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: maven
      - name: opensourceConfiguration
        type: stash
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: maven
      - name: buildDescriptor
        type: stash
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: mta
      - name: opensourceConfiguration
        type: stash
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: mta
      - name: buildDescriptor
        type: stash
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: npm
      - name: opensourceConfiguration
        type: stash
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: npm
      - name: buildDescriptor
        type: stash
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: pip
      - name: opensourceConfiguration
        type: stash
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: pip
      - name: buildDescriptor
        type: stash
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: sbt
      - name: opensourceConfiguration
        type: stash
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: sbt
      - name: buildDescriptor
        type: stash
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: dub
      - name: checkmarx
        type: stash
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: dub
  containers:
    - image: maven:3.5-jdk-8
      workingDir: /home/java
      env: []
      conditions:
        - conditionRef: strings-equal
          params:
            - name: scanType
              value: maven
    - image: null
      workingDir: null
      env: []
      conditions:
        - conditionRef: strings-equal
          params:
            - name: scanType
              value: mta
    - image: node:lts-stretch
      workingDir: /home/node
      env: []
      conditions:
        - conditionRef: strings-equal
          params:
            - name: scanType
              value: npm
    - image: hseeberger/scala-sbt:8u181_2.12.8_1.2.8
      workingDir: /home/scala
      env: []
      conditions:
        - conditionRef: strings-equal
          params:
            - name: scanType
              value: sbt
    - image: buildpack-deps:stretch-curl
      workingDir: /home/dub
      env: []
      conditions:
        - conditionRef: strings-equal
          params:
            - name: scanType
              value: dub
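Two of the parameters above carry assessment logic rather than plain configuration: `defaultVersioningModel` (which of `major`, `major-minor`, `semantic`, `full` is used to derive the reported project version from the build descriptor version) and `cvssSeverityLimit` (a string-typed CVSS v3 threshold, default `-1`, that fails the build when crossed). The Go program below is an added example written for this page; it is not code from SAP/jenkins-library or from the WhiteSource agent. The function names `ApplyVersioningModel` and `CheckSecurityViolations`, the `Alert` type, the choice that a score at or above the limit counts as a violation, the zero-filling of missing minor/patch components, and the sample alerts are all assumptions or constructed data.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Assumption: a build descriptor version looks like [v]MAJOR[.MINOR[.PATCH]][suffix],
// e.g. "1.4.2-SNAPSHOT" or "v2.0". The suffix survives only under the "full" model.
var versionPattern = regexp.MustCompile(`^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$`)

// ApplyVersioningModel derives the project version reported to WhiteSource from a
// build descriptor version, following the defaultVersioningModel values in the
// metadata: "major" -> "1", "major-minor" -> "1.4", "semantic" -> "1.4.2",
// "full" -> the version unchanged. Missing minor/patch parts are filled with "0"
// (a choice made for this example, not necessarily the library's behaviour).
func ApplyVersioningModel(model, version string) (string, error) {
	v := strings.TrimSpace(version)
	if v == "" {
		return "", fmt.Errorf("build descriptor version is empty")
	}
	if model == "full" {
		return v, nil
	}
	m := versionPattern.FindStringSubmatch(v)
	if m == nil {
		return "", fmt.Errorf("cannot parse version %q", version)
	}
	major, minor, patch := m[1], m[2], m[3]
	if minor == "" {
		minor = "0"
	}
	if patch == "" {
		patch = "0"
	}
	switch model {
	case "major":
		return major, nil
	case "major-minor":
		return major + "." + minor, nil
	case "semantic":
		return major + "." + minor + "." + patch, nil
	}
	return "", fmt.Errorf("unknown versioning model %q", model)
}

// Alert is a minimal stand-in (assumption) for one security alert returned by the
// WhiteSource API; only the fields needed for the CVSS assessment are modelled.
type Alert struct {
	Library       string
	Vulnerability string
	CVSS3Score    float64
}

// CheckSecurityViolations applies the cvssSeverityLimit rule. The limit arrives as
// a string because the parameter is declared `type: string`; the default "-1" (or
// any negative value) disables the check. An alert whose CVSS v3 score is at or
// above the limit is returned as a violation (assumption on how "tolerable" is read).
func CheckSecurityViolations(cvssSeverityLimit string, alerts []Alert) ([]Alert, error) {
	limit, err := strconv.ParseFloat(strings.TrimSpace(cvssSeverityLimit), 64)
	if err != nil {
		return nil, fmt.Errorf("invalid cvssSeverityLimit %q: %w", cvssSeverityLimit, err)
	}
	if limit < 0 {
		return nil, nil // assessment disabled
	}
	var severe []Alert
	for _, a := range alerts {
		if a.CVSS3Score >= limit {
			severe = append(severe, a)
		}
	}
	return severe, nil
}

func main() {
	version, err := ApplyVersioningModel("major", "1.4.2-SNAPSHOT")
	if err != nil {
		panic(err)
	}
	fmt.Println("project version reported:", version)

	// Constructed sample alerts, not real scan output.
	alerts := []Alert{
		{Library: "example-lib-a-1.0.0.jar", Vulnerability: "PLACEHOLDER-ID-1", CVSS3Score: 7.4},
		{Library: "example-lib-b-2.3.1.jar", Vulnerability: "PLACEHOLDER-ID-2", CVSS3Score: 5.6},
		{Library: "example-lib-c-0.9.0.jar", Vulnerability: "PLACEHOLDER-ID-3", CVSS3Score: 9.8},
	}
	severe, err := CheckSecurityViolations("7.0", alerts)
	if err != nil {
		panic(err)
	}
	for _, a := range severe {
		fmt.Printf("build would fail: %s (%s) CVSS3 %.1f\n", a.Library, a.Vulnerability, a.CVSS3Score)
	}
}
```

Because the limit is a string, a typo such as `cvssSeverityLimit: high` is rejected with an error instead of silently disabling the check, which is the failure mode a defender most wants surfaced in a pipeline gate.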