1
0
mirror of https://github.com/SAP/jenkins-library.git synced 2024-12-14 11:03:09 +02:00
sap-jenkins-library/pkg/whitesource/scan.go
Sven Merk c81e741224
Refinement of SARIF generation for BD and WS (#3942)
* Fix docs and format

* Assessment format added

* Added sample file

* Added parsing

* Added packageurl implementation

* Slight refinement

* Refactored assessment options

* Adapted sample file

* First attempt of ws sbom gen

* Reworked SBOM generation

* Fix test code

* Add assessment handling

* Update dependencies

* Added golden test

* Small fix

* feat(fortify): Added a check for fortify binary in $PATH (#3925)

* added check for fortifyupdate and sourceanalyzer bin

Co-authored-by: sumeet patil <sumeet.patil@sap.com>

* Modify SARIF

* Enhanced SARID contents

* Small refinement for hub detect

* Small adjustments

* Extend SARIF contents

* Consistency to Mend part

* Fix tests

* Fix merge

* Fix test

* Add debug log, enhance output

* Enhance meta info

* Fix libType for node

* Fix log entry

* Fix pointers and test

* Fix test

* Fix library types

* Fix test

* Extend libType mappings

Co-authored-by: Vinayak S <vinayaks439@gmail.com>
Co-authored-by: sumeet patil <sumeet.patil@sap.com>
2022-08-11 13:12:14 +02:00

158 lines
5.5 KiB
Go

package whitesource
import (
"fmt"
"sort"
"strings"
"time"
"github.com/SAP/jenkins-library/pkg/log"
"github.com/SAP/jenkins-library/pkg/piperutils"
"github.com/SAP/jenkins-library/pkg/versioning"
)
// Scan stores information about scanned WhiteSource projects (modules).
type Scan struct {
// AggregateProjectName stores the name of the WhiteSource project where scans shall be aggregated.
// It does not include the ProductVersion.
AggregateProjectName string
// ProductVersion is the global version that is used across all Projects (modules) during the scan.
BuildTool string
ProductToken string
ProductVersion string
scannedProjects map[string]Project
scanTimes map[string]time.Time
AgentName string
AgentVersion string
Coordinates versioning.Coordinates
}
func (s *Scan) init() {
if s.scannedProjects == nil {
s.scannedProjects = make(map[string]Project)
}
if s.scanTimes == nil {
s.scanTimes = make(map[string]time.Time)
}
}
func (s *Scan) versionSuffix() string {
return " - " + s.ProductVersion
}
// AppendScannedProject checks that no Project with the same name is already contained in the list of scanned projects,
// and appends a new Project with the given name. The global product version is appended to the name.
func (s *Scan) AppendScannedProject(projectName string) error {
if len(projectName) == 0 {
return fmt.Errorf("projectName must not be empty")
}
if strings.HasSuffix(projectName, s.versionSuffix()) {
return fmt.Errorf("projectName is not expected to include the product version already")
}
return s.AppendScannedProjectVersion(projectName + s.versionSuffix())
}
// AppendScannedProjectVersion checks that no Project with the same name is already contained in the list of scanned
// projects, and appends a new Project with the given name (which is expected to include the product version).
func (s *Scan) AppendScannedProjectVersion(projectName string) error {
if !strings.HasSuffix(projectName, s.versionSuffix()) {
return fmt.Errorf("projectName is expected to include the product version")
}
if len(projectName) == len(s.versionSuffix()) {
return fmt.Errorf("projectName consists only of the product version")
}
s.init()
_, exists := s.scannedProjects[projectName]
if exists {
log.Entry().Errorf("A module with the name '%s' was already scanned. "+
"Your project's modules must have unique names.", projectName)
return fmt.Errorf("project with name '%s' was already scanned", projectName)
}
s.scannedProjects[projectName] = Project{Name: projectName}
s.scanTimes[projectName] = time.Now()
return nil
}
// ProjectByName returns a WhiteSource Project previously established via AppendScannedProject().
func (s *Scan) ProjectByName(projectName string) (Project, bool) {
project, exists := s.scannedProjects[projectName]
return project, exists
}
// ScannedProjects returns the WhiteSource projects that have been added via AppendScannedProject() as a slice.
func (s *Scan) ScannedProjects() []Project {
var projects []Project
for _, project := range s.scannedProjects {
projects = append(projects, project)
}
return projects
}
// ScannedProjectNames returns a sorted list of all scanned project names
func (s *Scan) ScannedProjectNames() []string {
projectNames := []string{}
for _, project := range s.ScannedProjects() {
projectNames = append(projectNames, project.Name)
}
// Sorting helps the list become stable across pipeline runs (and in the unit tests),
// as the order in which we travers map keys is not deterministic.
sort.Strings(projectNames)
return projectNames
}
// ScannedProjectTokens returns a sorted list of all scanned project's tokens
func (s *Scan) ScannedProjectTokens() []string {
projectTokens := []string{}
for _, project := range s.ScannedProjects() {
if len(project.Token) > 0 {
projectTokens = append(projectTokens, project.Token)
}
}
// Sorting helps the list become stable across pipeline runs (and in the unit tests),
// as the order in which we travers map keys is not deterministic.
sort.Strings(projectTokens)
return projectTokens
}
// ScanTime returns the time at which the respective WhiteSource Project was scanned, or the the
// zero value of time.Time, if AppendScannedProject() was not called with that name.
func (s *Scan) ScanTime(projectName string) time.Time {
if s.scanTimes == nil {
return time.Time{}
}
return s.scanTimes[projectName]
}
type whitesource interface {
GetProjectsMetaInfo(productToken string) ([]Project, error)
GetProjectRiskReport(projectToken string) ([]byte, error)
GetProjectVulnerabilityReport(projectToken string, format string) ([]byte, error)
}
// UpdateProjects pulls the current backend metadata for all WhiteSource projects in the product with
// the given productToken, and updates all scanned projects with the obtained information.
func (s *Scan) UpdateProjects(productToken string, sys whitesource) error {
s.init()
projects, err := sys.GetProjectsMetaInfo(productToken)
if err != nil {
return fmt.Errorf("failed to retrieve WhiteSource projects meta info: %w", err)
}
var projectsToUpdate []string
for projectName := range s.scannedProjects {
projectsToUpdate = append(projectsToUpdate, projectName)
}
for _, project := range projects {
_, exists := s.scannedProjects[project.Name]
if exists {
s.scannedProjects[project.Name] = project
projectsToUpdate, _ = piperutils.RemoveAll(projectsToUpdate, project.Name)
}
}
if len(projectsToUpdate) != 0 {
log.Entry().Warnf("Could not fetch metadata for projects %v", projectsToUpdate)
}
return nil
}