mirror of https://github.com/SAP/jenkins-library.git
synced 2024-12-14 11:03:09 +02:00
34967c502c
* Whitesource MVP for Gradle, Golang, and NPM/Yarn
* Refactoring
* Refactor and cleanup, better error checking
* publish stepResults, use pkg/versioning, bubble up errors, add gomod versioning support
* Run gofmt and cleanup comments
* Resolve PR comments
* Update resources/metadata/whitesource.yaml

  Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com>
* Only determine project coordinates if they are missing

  Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com>
* Gradle versioning artifact
* fix gradle artifact version regexp and refactor
* Fix token extraction from output buffer
* Fix some issues with pip and jsonfile versioning logic
* Remove useless spacing
* Remove unnecessary test file and fix naming style for JSONDescriptor
* Automatically download wss-unified-agent if file does not exist
* adds downloadVulnerabilityReport, checkSecurityViolations, minor refactoring
* adds config.ReportDirectoryName, improves readability
* Version-wide reporting for vulnerabilities and list of libraries.
* Refactor and improve build accuracy
* fix sed command
* Add includes file pattern config option
* Adds --exclude command line flag
* run go mod tidy and regenerate step framework
* Fix unit tests
* revert changes
* poll project status before downloading reports
* merge with master
* go mod tidy, go fmt, and fix whitesource unit test
* sync go.mod
* sync go.mod again

Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com>
Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com>
Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
564 lines
16 KiB
YAML
metadata:
  name: whitesourceExecuteScan
  description: BETA
  longDescription: |-
    BETA

    With this step [WhiteSource](https://www.whitesourcesoftware.com) security and license compliance scans can be executed and assessed.

    WhiteSource is a Software as a Service offering based on a so-called unified agent that locally determines the dependency
    tree of a node.js, Java, Python, Ruby, or Scala based solution and sends it to the WhiteSource server for a policy based license compliance
    check and additional Free and Open Source Software Publicly Known Vulnerabilities detection.

    !!! note "Docker Images"
        The underlying Docker images are public and specific to the solution's programming language(s) and therefore may have to be exchanged
        to fit to and support the relevant scenario. The default Python environment used is i.e. Python 3 based.

    !!! warn "Restrictions"
        Currently the step does contain hardened scan configurations for `scanType` `'pip'` and `'go'`. Other environments are still being elaborated,
        so please thoroughly check your results and do not take them for granted by default.

        Also not all environments have been thoroughly tested already, therefore you might need to tweak around with the default containers used or
        create your own ones to adequately support your scenario. To do so please modify `dockerImage` and `dockerWorkspace` parameters.

    The step expects an environment containing the programming language related compiler/interpreter as well as the related build tool. For a list
    of the supported build tools per environment please refer to the [WhiteSource Unified Agent Documentation](https://whitesource.atlassian.net/wiki/spaces/WD/pages/33718339/Unified+Agent).
spec:
  inputs:
    params:
      - name: buildDescriptorFile
        type: string
        description: Explicit path to the build descriptor file.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: null
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: golang
      - name: buildDescriptorFile
        type: string
        description: Explicit path to the build descriptor file.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: ./pom.xml
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: maven
      - name: buildDescriptorFile
        type: string
        description: Explicit path to the build descriptor file.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: null
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: mta
      - name: buildDescriptorFile
        type: string
        description: Explicit path to the build descriptor file.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: ./package.json
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: npm
      - name: buildDescriptorFile
        type: string
        description: Explicit path to the build descriptor file.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: ./setup.py
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: pip
      - name: buildDescriptorFile
        type: string
        description: Explicit path to the build descriptor file.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: ./build.sbt
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: sbt
      - name: buildDescriptorFile
        type: string
        description: Explicit path to the build descriptor file.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: ./dub.json
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: dub
      - name: defaultVersioningModel
        type: string
        description: The default project versioning model used in case `projectVersion` parameter is empty for creating the version based on the build descriptor version to report results in Whitesource, can be one of `'major'`, `'major-minor'`, `'semantic'`, `'full'`
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 'major'
      - name: createProductFromPipeline
        type: bool
        description: Whether to create the related WhiteSource product on the fly based on the supplied pipeline configuration.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: securityVulnerabilities
        type: bool
        description: Whether security compliance is considered and reported as part of the assessment.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: timeout
        type: string
        description: Timeout in seconds until an HTTP call is forcefully terminated.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 0
      - name: agentDownloadUrl
        type: string
        description: URL used to download the latest version of the WhiteSource Unified Agent.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: https://github.com/whitesource/unified-agent-distribution/releases/latest/download/wss-unified-agent.jar
      - name: configFilePath
        type: string
        description: Explicit path to the WhiteSource Unified Agent configuration file.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: ./wss-generated-file.config
      - name: reportDirectoryName
        type: string
        description: Name of the directory to save vulnerability/risk reports to
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: "whitesource-reports"
      - name: aggregateVersionWideReport
        type: bool
        description: 'This does not run a scan, instead it just generates a report for all projects with projectVersion = config.ProductVersion'
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: false
      - name: vulnerabilityReportFormat
        type: string
        description: Format of the file the vulnerability report is written to.
        mandatory: false
        possibleValues: [xlsx, json, xml]
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: xlsx
      - name: parallelLimit
        type: string
        description: 'Limit of parallel jobs being run at once in case of `scanType: ''mta''` based scenarios, defaults to `15`.'
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 15
      - name: reporting
        type: bool
        description: Whether assessment is being done at all, defaults to `true`.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: serviceUrl
        type: string
        description: URL to the WhiteSource server API used for communication.
        mandatory: false
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: https://saas.whitesourcesoftware.com/api
      - name: buildDescriptorExcludeList
        type: string
        description: List of build descriptors and therefore modules to exclude from the scan and assessment activities.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: []
      - name: orgToken
        type: string
        description: WhiteSource token identifying your organization.
        mandatory: true
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: null
      - name: userToken
        type: string
        description: WhiteSource token identifying the user executing the scan
        mandatory: true
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: null
      - name: licensingVulnerabilities
        type: bool
        description: Whether license compliance is considered and reported as part of the assessment.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: agentFileName
        type: string
        description: Locally used name for the Unified Agent jar file after download.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: wss-unified-agent.jar
      - name: emailAddressesOfInitialProductAdmins
        type: string
        description: The list of email addresses to assign as product admins for newly created WhiteSource products.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: []
      - name: productVersion
        type: string
        description: Version of the WhiteSource product to be created and used for results aggregation, usually determined automatically.
        mandatory: false
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: null
      - name: jreDownloadUrl
        type: string
        description: URL used for downloading the Java Runtime Environment (JRE) required to run the WhiteSource Unified Agent.
        mandatory: false
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: null
      - name: productName
        type: string
        description: Name of the WhiteSource product to be created and used for results aggregation.
        mandatory: true
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: null
      - name: projectName
        aliases:
          - name: whitesourceProjectName
        type: string
        description: "The project used for reporting results in Whitesource"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: '{{list .GroupID .ArtifactID | join "-" | trimAll "-"}}'
      - name: projectToken
        type: string
        description: Project token to execute scan on
        mandatory: false
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: null
      - name: vulnerabilityReportTitle
        type: string
        description: Title of vulnerability report written during the assessment phase.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: WhiteSource Security Vulnerability Report
      - name: installCommand
        type: string
        description: Install command that can be used to populate the default docker image for some scenarios.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: null
      - name: scanType
        type: string
        description: Type of development stack used to implement the solution.
        mandatory: false
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: null
        possibleValues: ["golang", "npm", "gradle", "pip"]
      - name: cvssSeverityLimit
        type: string
        description: Limit of tolerable CVSS v3 score upon assessment and in consequence fails the build, defaults to `-1`.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: -1
      - name: includes
        type: string
        description: Space separated list of file path patterns to include in the scan, slashes must be escaped for sed
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: '**\/src\/main\/**\/*.java **\/*.py **\/*.go **\/*.js **\/*.ts'
      - name: excludes
        type: string
        description: Space separated list of file path patterns to exclude from the scan
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 'tests/**/*.py **/src/test/**/*.java'
      - name: productToken
        type: string
        description: Token of the WhiteSource product to be created and used for results aggregation, usually determined automatically.
        mandatory: false
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: null
      - name: agentParameters
        type: string
        description: Additional parameters passed to the Unified Agent command line.
        mandatory: false
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: ''
    secrets:
      - name: userTokenCredentialsId
        type: jenkins
      - name: orgAdminUserTokenCredentialsId
        type: jenkins
    resources:
      - name: buildDescriptor
        type: stash
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: golang
      - name: opensourceConfiguration
        type: stash
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: golang
      - name: checkmarx
        type: stash
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: golang
      - name: buildDescriptor
        type: stash
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: maven
      - name: opensourceConfiguration
        type: stash
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: maven
      - name: buildDescriptor
        type: stash
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: mta
      - name: opensourceConfiguration
        type: stash
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: mta
      - name: buildDescriptor
        type: stash
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: npm
      - name: opensourceConfiguration
        type: stash
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: npm
      - name: buildDescriptor
        type: stash
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: pip
      - name: opensourceConfiguration
        type: stash
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: pip
      - name: buildDescriptor
        type: stash
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: sbt
      - name: opensourceConfiguration
        type: stash
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: sbt
      - name: buildDescriptor
        type: stash
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: dub
      - name: checkmarx
        type: stash
        conditions:
          - conditionRef: strings-equal
            params:
              - name: scanType
                value: dub
  containers:
    - image: maven:3.5-jdk-8
      workingDir: /home/java
      env: []
      conditions:
        - conditionRef: strings-equal
          params:
            - name: scanType
              value: maven
    - image: null
      workingDir: null
      env: []
      conditions:
        - conditionRef: strings-equal
          params:
            - name: scanType
              value: mta
    - image: node:lts-stretch
      workingDir: /home/node
      env: []
      conditions:
        - conditionRef: strings-equal
          params:
            - name: scanType
              value: npm
    - image: hseeberger/scala-sbt:8u181_2.12.8_1.2.8
      workingDir: /home/scala
      env: []
      conditions:
        - conditionRef: strings-equal
          params:
            - name: scanType
              value: sbt
    - image: buildpack-deps:stretch-curl
      workingDir: /home/dub
      env: []
      conditions:
        - conditionRef: strings-equal
          params:
            - name: scanType
              value: dub
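The step metadata above declares which parameters the pipeline may set and at which scope; the following `.pipeline/config.yml` fragment is an added example (not a file from the jenkins-library project) showing how a pip project would turn the scan into a build gate. It assumes Piper's configuration layout, in which `general:` holds only parameters whose scope includes GENERAL and `steps:` holds step-specific ones; the product name, credential id and exclude pattern are constructed placeholders.

```yaml
# .pipeline/config.yml (added example; names and ids are constructed placeholders)
general:
  # Only parameters scoped GENERAL in the metadata belong here:
  # productName, productVersion, scanType, serviceUrl, projectToken, productToken.
  productName: example-product            # placeholder
  scanType: pip                           # one of the declared possibleValues
  serviceUrl: https://saas.whitesourcesoftware.com/api

steps:
  whitesourceExecuteScan:
    # Jenkins credentials id that holds the WhiteSource user token (placeholder id);
    # the token itself never appears in the committed configuration.
    userTokenCredentialsId: whitesource-user-token
    buildDescriptorFile: ./setup.py       # the pip default, stated explicitly
    # Keep both compliance dimensions on (these are the defaults).
    securityVulnerabilities: true
    licensingVulnerabilities: true
    # cvssSeverityLimit is not GENERAL-scoped, so it must sit under steps: or stages:.
    # The metadata default -1 never fails the build; 7 fails it on findings
    # scored beyond 7.0 on CVSS v3, i.e. the high and critical bands.
    cvssSeverityLimit: 7
    # Keep test and documentation trees out of the dependency tree sent to the server.
    excludes: 'tests/**/*.py docs/**/*'   # constructed pattern
    # Machine-readable report for downstream processing, in the declared directory.
    vulnerabilityReportFormat: json
    reportDirectoryName: whitesource-reports
    # Bound HTTP calls to the WhiteSource API (seconds); the metadata default is 0.
    timeout: 300
```

`orgToken` is declared mandatory on this page but is a secret: supply it at runtime (Jenkins credentials or an environment variable) rather than committing it into this file next to the product name.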