mirror of
https://github.com/SAP/jenkins-library.git
synced 2025-01-22 05:33:10 +02:00
c81e741224
* Fix docs and format * Assessment format added * Added sample file * Added parsing * Added packageurl implementation * Slight refinement * Refactored assessment options * Adapted sample file * First attempt of ws sbom gen * Reworked SBOM generation * Fix test code * Add assessment handling * Update dependencies * Added golden test * Small fix * feat(fortify): Added a check for fortify binary in $PATH (#3925) * added check for fortifyupdate and sourceanalyzer bin Co-authored-by: sumeet patil <sumeet.patil@sap.com> * Modify SARIF * Enhanced SARID contents * Small refinement for hub detect * Small adjustments * Extend SARIF contents * Consistency to Mend part * Fix tests * Fix merge * Fix test * Add debug log, enhance output * Enhance meta info * Fix libType for node * Fix log entry * Fix pointers and test * Fix test * Fix library types * Fix test * Extend libType mappings Co-authored-by: Vinayak S <vinayaks439@gmail.com> Co-authored-by: sumeet patil <sumeet.patil@sap.com>
158 lines
5.5 KiB
Go
158 lines
5.5 KiB
Go
package whitesource
|
|
|
|
import (
|
|
"fmt"
|
|
"sort"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/SAP/jenkins-library/pkg/log"
|
|
"github.com/SAP/jenkins-library/pkg/piperutils"
|
|
"github.com/SAP/jenkins-library/pkg/versioning"
|
|
)
|
|
|
|
// Scan stores information about scanned WhiteSource projects (modules).
|
|
type Scan struct {
|
|
// AggregateProjectName stores the name of the WhiteSource project where scans shall be aggregated.
|
|
// It does not include the ProductVersion.
|
|
AggregateProjectName string
|
|
// ProductVersion is the global version that is used across all Projects (modules) during the scan.
|
|
BuildTool string
|
|
ProductToken string
|
|
ProductVersion string
|
|
scannedProjects map[string]Project
|
|
scanTimes map[string]time.Time
|
|
AgentName string
|
|
AgentVersion string
|
|
Coordinates versioning.Coordinates
|
|
}
|
|
|
|
func (s *Scan) init() {
|
|
if s.scannedProjects == nil {
|
|
s.scannedProjects = make(map[string]Project)
|
|
}
|
|
if s.scanTimes == nil {
|
|
s.scanTimes = make(map[string]time.Time)
|
|
}
|
|
}
|
|
|
|
func (s *Scan) versionSuffix() string {
|
|
return " - " + s.ProductVersion
|
|
}
|
|
|
|
// AppendScannedProject checks that no Project with the same name is already contained in the list of scanned projects,
|
|
// and appends a new Project with the given name. The global product version is appended to the name.
|
|
func (s *Scan) AppendScannedProject(projectName string) error {
|
|
if len(projectName) == 0 {
|
|
return fmt.Errorf("projectName must not be empty")
|
|
}
|
|
if strings.HasSuffix(projectName, s.versionSuffix()) {
|
|
return fmt.Errorf("projectName is not expected to include the product version already")
|
|
}
|
|
return s.AppendScannedProjectVersion(projectName + s.versionSuffix())
|
|
}
|
|
|
|
// AppendScannedProjectVersion checks that no Project with the same name is already contained in the list of scanned
|
|
// projects, and appends a new Project with the given name (which is expected to include the product version).
|
|
func (s *Scan) AppendScannedProjectVersion(projectName string) error {
|
|
if !strings.HasSuffix(projectName, s.versionSuffix()) {
|
|
return fmt.Errorf("projectName is expected to include the product version")
|
|
}
|
|
if len(projectName) == len(s.versionSuffix()) {
|
|
return fmt.Errorf("projectName consists only of the product version")
|
|
}
|
|
s.init()
|
|
_, exists := s.scannedProjects[projectName]
|
|
if exists {
|
|
log.Entry().Errorf("A module with the name '%s' was already scanned. "+
|
|
"Your project's modules must have unique names.", projectName)
|
|
return fmt.Errorf("project with name '%s' was already scanned", projectName)
|
|
}
|
|
s.scannedProjects[projectName] = Project{Name: projectName}
|
|
s.scanTimes[projectName] = time.Now()
|
|
return nil
|
|
}
|
|
|
|
// ProjectByName returns a WhiteSource Project previously established via AppendScannedProject().
|
|
func (s *Scan) ProjectByName(projectName string) (Project, bool) {
|
|
project, exists := s.scannedProjects[projectName]
|
|
return project, exists
|
|
}
|
|
|
|
// ScannedProjects returns the WhiteSource projects that have been added via AppendScannedProject() as a slice.
|
|
func (s *Scan) ScannedProjects() []Project {
|
|
var projects []Project
|
|
for _, project := range s.scannedProjects {
|
|
projects = append(projects, project)
|
|
}
|
|
return projects
|
|
}
|
|
|
|
// ScannedProjectNames returns a sorted list of all scanned project names
|
|
func (s *Scan) ScannedProjectNames() []string {
|
|
projectNames := []string{}
|
|
for _, project := range s.ScannedProjects() {
|
|
projectNames = append(projectNames, project.Name)
|
|
}
|
|
// Sorting helps the list become stable across pipeline runs (and in the unit tests),
|
|
// as the order in which we travers map keys is not deterministic.
|
|
sort.Strings(projectNames)
|
|
return projectNames
|
|
}
|
|
|
|
// ScannedProjectTokens returns a sorted list of all scanned project's tokens
|
|
func (s *Scan) ScannedProjectTokens() []string {
|
|
projectTokens := []string{}
|
|
for _, project := range s.ScannedProjects() {
|
|
if len(project.Token) > 0 {
|
|
projectTokens = append(projectTokens, project.Token)
|
|
}
|
|
}
|
|
// Sorting helps the list become stable across pipeline runs (and in the unit tests),
|
|
// as the order in which we travers map keys is not deterministic.
|
|
sort.Strings(projectTokens)
|
|
return projectTokens
|
|
}
|
|
|
|
// ScanTime returns the time at which the respective WhiteSource Project was scanned, or the the
|
|
// zero value of time.Time, if AppendScannedProject() was not called with that name.
|
|
func (s *Scan) ScanTime(projectName string) time.Time {
|
|
if s.scanTimes == nil {
|
|
return time.Time{}
|
|
}
|
|
return s.scanTimes[projectName]
|
|
}
|
|
|
|
type whitesource interface {
|
|
GetProjectsMetaInfo(productToken string) ([]Project, error)
|
|
GetProjectRiskReport(projectToken string) ([]byte, error)
|
|
GetProjectVulnerabilityReport(projectToken string, format string) ([]byte, error)
|
|
}
|
|
|
|
// UpdateProjects pulls the current backend metadata for all WhiteSource projects in the product with
|
|
// the given productToken, and updates all scanned projects with the obtained information.
|
|
func (s *Scan) UpdateProjects(productToken string, sys whitesource) error {
|
|
s.init()
|
|
projects, err := sys.GetProjectsMetaInfo(productToken)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to retrieve WhiteSource projects meta info: %w", err)
|
|
}
|
|
|
|
var projectsToUpdate []string
|
|
for projectName := range s.scannedProjects {
|
|
projectsToUpdate = append(projectsToUpdate, projectName)
|
|
}
|
|
|
|
for _, project := range projects {
|
|
_, exists := s.scannedProjects[project.Name]
|
|
if exists {
|
|
s.scannedProjects[project.Name] = project
|
|
projectsToUpdate, _ = piperutils.RemoveAll(projectsToUpdate, project.Name)
|
|
}
|
|
}
|
|
if len(projectsToUpdate) != 0 {
|
|
log.Entry().Warnf("Could not fetch metadata for projects %v", projectsToUpdate)
|
|
}
|
|
return nil
|
|
}
|