9c4446ae0a
Sets git reference and gitRemoteCommitId. Jenkins has 2 strategies - 'Merging the pull request with the current target branch revision' and 'The current pull request revision'. When 'Merging the pull request with the current target branch revision' is run, Jenkins creates a local merge commit and runs a job for that particular merge commitId. This commitId is then used by codeql to upload the SARIF; the upload throws an error because the merge commit does not exist in GitHub. To resolve this we have introduced a new variable 'gitRemoteCommitId' in commonPipelineEnvironment which gives the remote merge commit id.
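# Step metadata for codeqlExecuteScan (Piper step descriptor).
# Fixes two typos in the buildTool longDescription ("specifiying" / "seperatly");
# all other values are unchanged.
metadata:
  name: codeqlExecuteScan
  description: This step executes a codeql scan on the specified project to perform static code analysis and check the source code for security flaws.
  longDescription: |-
    This step executes a codeql scan on the specified project to perform static code analysis and check the source code for security flaws.

    The codeql step triggers a scan locally on your orchestrator (e.g. Jenkins) within a docker container so finally you have to supply a docker image with codeql
    and Java plus Maven.

spec:
  inputs:
    secrets:
      # Jenkins credential holding the GitHub token; referenced by the githubToken param below.
      - name: githubTokenCredentialsId
        description: Jenkins 'Secret text' credentials ID containing token to authenticate to GitHub.
        type: jenkins
    params:
      - name: githubToken
        description: "GitHub personal access token as per
          https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line"
        # Configuration levels at which the value may be set (framework-defined).
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
        # Flagged as a secret; the value can be resolved from the Jenkins
        # credential above or from a Vault secret (resourceRef order below).
        secret: true
        aliases:
          - name: access_token
        resourceRef:
          - name: githubTokenCredentialsId
            type: secret
          - type: vaultSecret
            default: github
            name: githubVaultSecretName
      - name: buildTool
        type: string
        description: Defines the build tool which is used for building the project.
        longDescription: |-
          Based on the build tool the step will try to auto build the project. The step will try to auto select
          the language and the build command. You can override the language and the build command by specifying it separately.
        mandatory: true
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        # "custom" is the escape hatch for projects where the auto-selected
        # language/build command (see longDescription) does not fit.
        possibleValues:
          - custom
          - maven
          - golang
          - npm
          - pip
          - yarn
        default: "maven"
      - name: buildCommand
        type: string
        description: "Command to build the project"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: language
        type: string
        description: "The programming language used to analyze."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: modulePath
        type: string
        description: "Allows providing the path for the module to scan"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: "./"
      - name: querySuite
        type: string
        description: "The name of a CodeQL query suite. If omitted, the default query suite for the language of the database being analyzed will be used."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: uploadResults
        type: bool
        description: "Allows you to upload codeql SARIF results to your github project. You will need to set githubToken for this."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        # Upload is opt-in; when enabled, githubToken must be configured (see description).
        default: false
      - name: analyzedRef
        type: string
        description: "Name of the ref that was analyzed."
        longDescription: |-
          If this ref is a pull request merge commit, then use refs/pulls/1234/merge or refs/pulls/1234/head (depending on whether or not this commit corresponds to the HEAD or MERGE commit of the PR).
          Otherwise, this should be a branch: refs/heads/branch-name. If omitted, the CLI will attempt to automatically populate this from the current branch of the checkout path, if this exists.
        # Defaults to the ref recorded in commonPipelineEnvironment.
        resourceRef:
          - name: commonPipelineEnvironment
            param: git/ref
      - name: repository
        aliases:
          - name: githubRepo
        description: "URL of the GitHub instance"
        # NOTE(review): the value is resolved from git/httpsUrl (the checked-out
        # repository's URL); the description reads as the instance URL — confirm
        # which is intended and align the wording.
        resourceRef:
          - name: commonPipelineEnvironment
            param: git/httpsUrl
        type: string
      - name: commitId
        description: "SHA of commit that was analyzed."
        # Sourced from git/remoteCommitId rather than the local checkout commit:
        # when Jenkins builds a local merge of a pull request, that merge commit
        # does not exist on GitHub and the SARIF upload would be rejected.
        resourceRef:
          - name: commonPipelineEnvironment
            param: git/remoteCommitId
        type: string
  # No default image: per the longDescription the caller must supply a docker
  # image that contains codeql and Java plus Maven.
  containers:
    - image: ""
  outputs:
    resources:
      - name: reports
        type: reports
        params:
          - filePattern: "**/*.csv"
            type: codeql
          - filePattern: "**/*.sarif"
            type: codeql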