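# Step metadata for fortifyExecuteScan: parameters, secret references, stash/env
# resources, the (user-supplied) container image and the influx output fields.
metadata:
  name: fortifyExecuteScan
  description: This step executes a Fortify scan on the specified project to perform static code analysis and check the source code for security flaws.
  longDescription: |-
    This step executes a Fortify scan on the specified project to perform static code analysis and check the source code for security flaws.

    The Fortify step triggers a scan locally on your Jenkins within a docker container so finally you have to supply a docker image with a Fortify SCA
    and Java plus Maven or alternatively Python installed into it for being able to perform any scans.
    !!! hint "Scanning MTA projects"
        Build type `maven` requires a so called aggregator pom which includes all modules to be scanned. If used in a mta-project which includes non-java submodules as maven dependency (e.g. node via frontend-maven-plugin), exclude those by specifying java path explicitly, e.g. `java/**/src/main/java/**/*`.

    Besides triggering a scan the step verifies the results after they have been uploaded and processed by the Fortify SSC. By default the following KPIs are enforced:
    * All issues must be audited from the Corporate Security Requirements folder.
    * All issues must be audited from the Audit All folder.
    * At least one issue per category must be audited from the Spot Checks of Each Category folder.
    * Nothing needs to be audited from the Optional folder.

spec:
  inputs:
    # Only credential IDs are declared here; the token values are resolved through the
    # resourceRef entries of authToken and githubToken (Jenkins secret or Vault).
    secrets:
      - name: fortifyCredentialsId
        description: Jenkins 'Secret text' credentials ID containing token to authenticate to Fortify SSC.
        type: jenkins
      - name: githubTokenCredentialsId
        description: Jenkins 'Secret text' credentials ID containing token to authenticate to GitHub.
        type: jenkins
    resources:
      - name: commonPipelineEnvironment
        resourceSpec:
          type: piperEnvironment
      - name: buildDescriptor
        type: stash
      - name: deployDescriptor
        type: stash
      - name: tests
        type: stash
      - name: opensourceConfiguration
        type: stash
    params:
      - name: additionalScanParameters
        description: List of additional scan parameters to be used for Fortify sourceanalyzer command execution.
        type: "[]string"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      # SSC token: marked secret and mandatory with no default; it is supplied through
      # the resourceRef entries below (Jenkins credential or Vault secret).
      - name: authToken
        type: string
        description: "The FortifyToken to use for authentication"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        mandatory: true
        secret: true
        resourceRef:
          - name: fortifyCredentialsId
            type: secret
          - type: vaultSecret
            name: fortifyVaultSecretName
            default: fortify
      - name: buildDescriptorExcludeList
        type: "[]string"
        description: "List of build descriptors and therefore modules to exclude from the scan and assessment activities."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: ["unit-tests/pom.xml", "integration-tests/pom.xml"]
      - name: customScanVersion
        type: string
        description: Custom version of the Fortify project used as source.
        longDescription: |-
          Defines a custom version for the Fortify scan which deviates from the typical versioning pattern using [`version`](#version) and [`versioningModel`](#versioningModel).
          It allows to set non-numeric versions as well and supersedes the value of [`version`](#version) which is calculated automatically.
          The parameter is also used by other scan steps (e.g. Detect, Sonar, WhiteSource) and thus allows a common custom version across scan tools.
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
      # GitHub token: marked secret, supplied through the resourceRef entries below;
      # the access_token alias is still accepted.
      - name: githubToken
        description: "GitHub personal access token as per
          https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line"
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
        secret: true
        aliases:
          - name: access_token
        resourceRef:
          - name: githubTokenCredentialsId
            type: secret
          - type: vaultSecret
            default: github
            name: githubVaultSecretName
      # Lets the step create the SSC project/version when none exists (see description);
      # no default is declared here.
      - name: autoCreate
        type: bool
        description:
          "Whether Fortify project and project version shall be implicitly auto created in case they
          cannot be found in the backend"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: modulePath
        type: string
        description: "Allows providing the path for the module to scan"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: "./"
      - name: pythonRequirementsFile
        type: string
        description:
          "The requirements file used in `buildTool: 'pip'` to populate
          the build environment with the necessary dependencies"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: autodetectClasspath
        type: bool
        description: "Whether the classpath is automatically determined via build tool i.e. maven or pip or not at all"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      # Audit KPIs enforced after upload (see longDescription): the defaults of
      # mustAuditIssueGroups, spotAuditIssueGroups, spotCheckMinimum and considerSuspicious
      # define the gate; relaxing them weakens the check.
      - name: mustAuditIssueGroups
        type: string
        description: "Comma separated list of issue groups that must be audited completely"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: "Corporate Security Requirements, Audit All"
      - name: spotAuditIssueGroups
        type: string
        description:
          "Comma separated list of issue groups that are spot checked and for which `spotCheckMinimum`
          audited issues are enforced"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: "Spot Checks of Each Category"
      - name: pythonRequirementsInstallSuffix
        type: string
        description:
          "The suffix for the command used to install the requirements file in `buildTool: 'pip'` to populate
          the build environment with the necessary dependencies"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: pythonVersion
        type: string
        description: "Python version to be used in `buildTool: 'pip'`"
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: python3
      - name: uploadResults
        type: bool
        description: "Whether results shall be uploaded or not"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: version
        aliases:
          - name: fortifyProjectVersion
            deprecated: true
        type: string
        description: Version used in conjunction with [`versioningModel`](#versioningModel) to identify the Fortify project to be created and used for results aggregation.
        longDescription: |-
          Version used in conjunction with [`versioningModel`](#versioningModel) to identify the Fortify project to be created and used for results aggregation.
          This is usually determined automatically based on the information in the buildTool specific build descriptor file.
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        resourceRef:
          - name: commonPipelineEnvironment
            param: artifactVersion
      # buildDescriptorFile is declared twice; the conditions select the entry
      # matching the configured buildTool.
      - name: buildDescriptorFile
        type: string
        conditions:
          - conditionRef: strings-equal
            params:
              - name: buildTool
                value: maven
        description: "Path to the build descriptor file addressing the module/folder to be scanned."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: ./pom.xml
      - name: buildDescriptorFile
        type: string
        conditions:
          - conditionRef: strings-equal
            params:
              - name: buildTool
                value: pip
        description: "Path to the build descriptor file addressing the module/folder to be scanned."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: ./setup.py
      - name: commitId
        description: "Set the Git commit ID for identifying artifacts throughout the scan."
        resourceRef:
          - name: commonPipelineEnvironment
            param: git/commitId
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
      - name: commitMessage
        description: "Set the Git commit message for identifying pull request merges throughout the scan."
        resourceRef:
          - name: commonPipelineEnvironment
            param: git/commitMessage
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
      - name: githubApiUrl
        description: "Set the GitHub API URL."
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
        default: "https://api.github.com"
      - name: owner
        aliases:
          - name: githubOrg
        description: "Set the GitHub organization."
        resourceRef:
          - name: commonPipelineEnvironment
            param: github/owner
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
      - name: repository
        aliases:
          - name: githubRepo
        description: "Set the GitHub repository."
        resourceRef:
          - name: commonPipelineEnvironment
            param: github/repository
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
      - name: memory
        type: string
        description: "The amount of memory granted to the translate/scan executions"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: "-Xmx4G -Xms512M"
      - name: updateRulePack
        type: bool
        description: "Whether the rule pack shall be updated and pulled from Fortify SSC before scanning or not"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: reportDownloadEndpoint
        aliases:
          - name: fortifyReportDownloadEndpoint
        type: string
        description: "Fortify SSC endpoint for Report downloads"
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: "/transfer/reportDownload.html"
      - name: pollingMinutes
        type: int
        description:
          "The number of minutes for which an uploaded FPR artifact's status is being polled to finish
          queuing/processing, if exceeded polling will be stopped and an error will be thrown"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 30
      - name: quickScan
        type: bool
        description:
          "Whether a quick scan should be performed, please consult the related Fortify documentation on
          JAM on the impact of this setting"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: false
      - name: translate
        type: string
        description:
          "Options for translate phase of Fortify. Most likely, you do not need to set this parameter.
          See src, exclude. If `'src'` and `'exclude'` are set they are automatically used. Technical details:
          It has to be a JSON string of list of maps with required key `'src'`, and optional keys `'exclude'`,
          `'libDirs'`, `'aspnetcore'`, and `'dotNetCoreVersion'`"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: src
        type: "[]string"
        description:
          "A list of source directories to scan. Wildcards can be used, e.g., `'src/main/java/**/*'`.
          If `'translate'` is set, this will be ignored. The default value for `buildTool: 'maven'` is
          `['**/*.xml', '**/*.html', '**/*.jsp', '**/*.js', '**/src/main/resources/**/*', '**/src/main/java/**/*',
          '**/target/main/java/**/*', '**/target/main/resources/**/*', '**/target/generated-sources/**/*']`, for
          `buildTool: 'pip'` it is `['./**/*']`."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: exclude
        type: "[]string"
        description:
          "A list of directories/files to be excluded from the scan. Wildcards can be used, e.g.,
          `'**/Test.java'`. If `translate` is set, this will be ignored. The default value for `buildTool: 'maven'` is
          `['**/src/test/**/*']`, for `buildTool: 'pip'` it is `['./**/tests/**/*', './**/setup.py']`."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: apiEndpoint
        aliases:
          - name: fortifyApiEndpoint
        type: string
        description: "Fortify SSC endpoint used for uploading the scan results and checking the audit state"
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: "/api/v1"
      - name: reportType
        type: string
        description: The type of report to be generated
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: "PDF"
      - name: pythonAdditionalPath
        type: "[]string"
        description: "A list of additional paths which can be used in `buildTool: 'pip'` for customization purposes"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: ["./lib", "."]
        deprecated: true
      - name: artifactUrl
        type: string
        description:
          "Path/URL pointing to an additional artifact repository for resolution of additional
          artifacts during the build"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: considerSuspicious
        type: bool
        description: "Whether suspicious issues should trigger the check to fail or not"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: fprUploadEndpoint
        aliases:
          - name: fortifyFprUploadEndpoint
        type: string
        description: "Fortify SSC endpoint for FPR uploads"
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: "/upload/resultFileUpload.html"
      - name: projectName
        aliases:
          - name: fortifyProjectName
        type: string
        description: "The project used for reporting results in SSC"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        # Single-quoted because the template starts with '{'; a plain scalar would parse as a flow mapping.
        default: '{{list .GroupID .ArtifactID | join "-" | trimAll "-"}}'
      - name: reporting
        type: bool
        description: Influences whether a report is generated or not
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: false
      # Base SSC URL; the *Endpoint parameters are documented as SSC endpoints and are
      # presumably appended to it — confirm against the step implementation.
      - name: serverUrl
        aliases:
          - name: fortifyServerUrl
          - name: sscUrl
            deprecated: true
        type: string
        description: "Fortify SSC Url to be used for accessing the APIs"
        mandatory: true
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
      - name: pullRequestMessageRegexGroup
        type: int
        description: "The group number for extracting the pull request id in `'pullRequestMessageRegex'`"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 1
      - name: deltaMinutes
        type: int
        description:
          "The number of minutes for which an uploaded FPR artifact is considered to be recent and
          healthy, if exceeded an error will be thrown"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 5
      - name: spotCheckMinimum
        type: int
        description:
          "The minimum number of issues that must be audited per category in the `Spot Checks of each
          Category` folder to avoid an error being thrown"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 1
      - name: fprDownloadEndpoint
        aliases:
          - name: fortifyFprDownloadEndpoint
        type: string
        description: "Fortify SSC endpoint for FPR downloads"
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: "/download/currentStateFprDownload.html"
      - name: versioningModel
        aliases:
          - name: defaultVersioningModel
            deprecated: true
        type: string
        description:
          "The default project versioning model used for creating the version based on the build descriptor version to report results in SSC, can be one of `'major'`,
          `'major-minor'`, `'semantic'`, `'full'`"
        scope:
          - PARAMETERS
          - GENERAL
          - STAGES
          - STEPS
        default: "major"
        possibleValues:
          - major
          - major-minor
          - semantic
          - full
      - name: pythonInstallCommand
        type: string
        description:
          "Additional install command that can be run when `buildTool: 'pip'`
          is used which allows further customizing the execution environment of the scan"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: "{{.Pip}} install --user ."
      - name: reportTemplateId
        type: int
        description: "Report template ID to be used for generating the Fortify report"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 18
      - name: filterSetTitle
        type: string
        description: "Title of the filter set to use for analysing the results"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: "SAP"
      - name: pullRequestName
        type: string
        description:
          "The name of the pull request branch which will trigger creation of a new version in Fortify
          SSC based on the master branch version"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: pullRequestMessageRegex
        type: string
        description: "Regex used to identify the PR-XXX reference within the merge commit message"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        # Single quotes keep the doubled backslash literally; confirm how the consumer
        # unescapes this value before changing it.
        default: '.*Merge pull request #(\\d+) from.*'
      # Selects which buildDescriptorFile entry above applies (see its conditions).
      - name: buildTool
        type: string
        description: "Scan type used for the step which can be `'maven'`, `'pip'`"
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: maven
      # Global maven settings, should be added to all maven steps
      - name: projectSettingsFile
        type: string
        description: Path to the mvn settings file that should be used as project settings file.
        scope:
          - GENERAL
          - STEPS
          - STAGES
          - PARAMETERS
        aliases:
          - name: maven/projectSettingsFile
      - name: globalSettingsFile
        type: string
        description: Path to the mvn settings file that should be used as global settings file.
        scope:
          - GENERAL
          - STEPS
          - STAGES
          - PARAMETERS
        aliases:
          - name: maven/globalSettingsFile
      - name: m2Path
        type: string
        description: Path to the location of the local repository that should be used.
        scope:
          - GENERAL
          - STEPS
          - STAGES
          - PARAMETERS
        aliases:
          - name: maven/m2Path
      - name: verifyOnly
        type: bool
        description: Whether the step shall only apply verification checks or whether it does a full scan and check cycle
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: false
      - name: installArtifacts
        type: bool
        description:
          "If enabled, it will install all artifacts to the local maven repository to make them available before running Fortify.
          This is required if any maven module has dependencies to other modules in the repository and they were not installed before."
        scope:
          - GENERAL
          - STEPS
          - STAGES
          - PARAMETERS
  # No default image: an image with Fortify SCA plus Java/Maven or Python must be
  # supplied by the pipeline (see longDescription).
  containers:
    - image: ""
  # Influx output fields reported by the step.
  outputs:
    resources:
      - name: influx
        type: influx
        params:
          - name: step_data
            fields:
              - name: fortify
                type: bool
          - name: fortify_data
            fields:
              - name: projectName
              - name: projectVersion
              - name: projectVersionId
                type: int64
              - name: violations
                type: int
              - name: corporateTotal
                type: int
              - name: corporateAudited
                type: int
              - name: auditAllTotal
                type: int
              - name: auditAllAudited
                type: int
              - name: spotChecksTotal
                type: int
              - name: spotChecksAudited
                type: int
              - name: spotChecksGap
                type: int
              - name: suspicious
                type: int
              - name: exploitable
                type: int
              - name: suppressed
                type: int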