1
0
mirror of https://github.com/SAP/jenkins-library.git synced 2025-01-06 04:13:55 +02:00
sap-jenkins-library/resources/metadata/codeqlExecuteScan.yaml
Daria Kuznetsova 96f5508c8a
fix(codeqlExecuteScan): moved flag checkIfCompliance (#4443)
* moved checkForCompliance flag, updated description of sarif check params

* added generated codeqlExecuteScan

* moved appending reports before checking for compliance

---------

Co-authored-by: sumeet patil <sumeet.patil@sap.com>
2023-07-11 22:02:54 +05:30

192 lines
6.8 KiB
YAML

metadata:
name: codeqlExecuteScan
description: This step executes a codeql scan on the specified project to perform static code analysis and check the source code for security flaws.
longDescription: |-
This step executes a codeql scan on the specified project to perform static code analysis and check the source code for security flaws.
The codeql step triggers a scan locally on your orchestrator (e.g. Jenkins) within a docker container so finally you have to supply a docker image with codeql
and Java plus Maven.
spec:
inputs:
secrets:
- name: githubTokenCredentialsId
description: Jenkins 'Secret text' credentials ID containing token to authenticate to GitHub.
type: jenkins
resources:
- name: commonPipelineEnvironment
resourceSpec:
type: piperEnvironment
- name: buildDescriptor
type: stash
- name: tests
type: stash
params:
- name: githubToken
description: "GitHub personal access token in plain text. NEVER set this parameter in a file commited to a source code repository. This parameter is intended to be used from the command line or set securely via the environment variable listed below. In most pipeline use-cases, you should instead either store the token in Vault (where it can be automatically retrieved by the step from one of the paths listed below) or store it as a Jenkins secret and configure the secret's id via the `githubTokenCredentialsId` parameter."
scope:
- GENERAL
- PARAMETERS
- STAGES
- STEPS
type: string
secret: true
aliases:
- name: access_token
resourceRef:
- name: githubTokenCredentialsId
type: secret
- type: vaultSecret
default: github
name: githubVaultSecretName
- name: buildTool
type: string
description: Defines the build tool which is used for building the project.
longDescription: |-
Based on the build tool the step will try to auto build the project. The step will try to auto select
the language and the build command. You can override the language and the build command by specifiying it seperatly.
mandatory: true
scope:
- GENERAL
- PARAMETERS
- STAGES
- STEPS
possibleValues:
- custom
- maven
- golang
- npm
- pip
- yarn
default: "maven"
- name: buildCommand
type: string
description: "Command to build the project"
scope:
- PARAMETERS
- STAGES
- STEPS
- name: language
type: string
description: "The programming language used to analyze."
scope:
- PARAMETERS
- STAGES
- STEPS
- name: modulePath
type: string
description: "Allows providing the path for the module to scan"
scope:
- PARAMETERS
- STAGES
- STEPS
default: "./"
- name: database
type: string
description: "Path to the CodeQL database to create. This directory will be created, and must not already exist."
scope:
- PARAMETERS
- STAGES
- STEPS
default: "codeqlDB"
- name: querySuite
type: string
description: "The name of a CodeQL query suite. If omitted, the default query suite for the language of the database being analyzed will be used."
scope:
- PARAMETERS
- STAGES
- STEPS
- name: uploadResults
type: bool
description: "Allows you to upload codeql SARIF results to your github project. You will need to set githubToken for this."
scope:
- PARAMETERS
- STAGES
- STEPS
default: false
- name: sarifCheckMaxRetries
type: int
description: "Maximum number of retries when waiting for the server to finish processing the SARIF upload."
scope:
- PARAMETERS
- STAGES
- STEPS
default: 10
- name: sarifCheckRetryInterval
type: int
description: "Interval in seconds between retries when waiting for the server to finish processing the SARIF upload."
scope:
- PARAMETERS
- STAGES
- STEPS
default: 30
- name: threads
type: string
description: "Use this many threads for the codeql operations."
scope:
- PARAMETERS
- STAGES
- STEPS
default: "0"
- name: ram
type: string
description: "Use this much ram (MB) for the codeql operations."
scope:
- PARAMETERS
- STAGES
- STEPS
- name: analyzedRef
type: string
description: "Name of the ref that was analyzed."
longDescription: |-
If this ref is a pull request merge commit, then use refs/pulls/1234/merge or refs/pulls/1234/head (depending on whether or not this commit corresponds to the HEAD or MERGE commit of the PR).
Otherwise, this should be a branch: refs/heads/branch-name. If omitted, the CLI will attempt to automatically populate this from the current branch of the checkout path, if this exists.
resourceRef:
- name: commonPipelineEnvironment
param: git/ref
- name: repository
aliases:
- name: githubRepo
description: "URL of the GitHub instance"
resourceRef:
- name: commonPipelineEnvironment
param: git/httpsUrl
type: string
- name: commitId
description: "SHA of commit that was analyzed."
resourceRef:
- name: commonPipelineEnvironment
param: git/remoteCommitId
type: string
- name: vulnerabilityThresholdTotal
description: "Threashold for maximum number of allowed vulnerabilities."
type: int
default: 0
scope:
- PARAMETERS
- STAGES
- STEPS
- name: checkForCompliance
description: "If set to true, the piper step checks for compliance based on vulnerability threadholds. Example - If total vulnerabilites are 10 and vulnerabilityThresholdTotal is set as 0, then the steps throws an compliance error."
type: bool
default: false
scope:
- PARAMETERS
- STAGES
- STEPS
containers:
- image: ""
outputs:
resources:
- name: reports
type: reports
params:
- filePattern: "**/*.csv"
type: codeql
- filePattern: "**/*.sarif"
type: codeql
- filePattern: "**/toolrun_codeql_*.json"
type: codeql
- filePattern: "**/piper_codeql_report.json"
type: codeql