mirror of
https://github.com/SAP/jenkins-library.git
synced 2024-12-14 11:03:09 +02:00
449 lines
15 KiB
YAML
449 lines
15 KiB
YAML
metadata:
|
|
name: checkmarxExecuteScan
|
|
description: Checkmarx is the recommended tool for security scans of JavaScript, iOS, Swift and Ruby code.
|
|
longDescription: |-
|
|
Checkmarx is a Static Application Security Testing (SAST) tool to analyze i.e. Java- or TypeScript, Swift, Golang, Ruby code,
|
|
and many other programming languages for security flaws based on a set of provided rules/queries that can be customized and extended.
|
|
|
|
This step by default enforces a specific audit baseline for findings and therefore ensures that:
|
|
|
|
* No 'To Verify' High and Medium issues exist in your project
|
|
* Total number of High and Medium 'Confirmed' or 'Urgent' issues is zero
|
|
* 10% of all Low issues are 'Confirmed' or 'Not Exploitable'
|
|
|
|
You can adapt above thresholds specifically using the provided configuration parameters and i.e. check for `absolute`
|
|
thresholds instead of `percentage` whereas we strongly recommend you to stay with the defaults provided.
|
|
spec:
|
|
inputs:
|
|
secrets:
|
|
- name: checkmarxCredentialsId
|
|
description: Jenkins 'Username with password' credentials ID containing username and password to communicate with the Checkmarx backend.
|
|
type: jenkins
|
|
- name: githubTokenCredentialsId
|
|
description: Jenkins 'Secret text' credentials ID containing token to authenticate to GitHub.
|
|
type: jenkins
|
|
resources:
|
|
- name: checkmarx
|
|
type: stash
|
|
params:
|
|
- name: assignees
|
|
description: Defines the assignees for the Github Issue created/updated with the results of the scan as a list of login names.
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
type: "[]string"
|
|
default: []
|
|
- name: avoidDuplicateProjectScans
|
|
type: bool
|
|
description: Tell Checkmarx to skip the scan if no code change is detected
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
default: true
|
|
aliases:
|
|
- name: notForceScan
|
|
- name: filterPattern
|
|
type: string
|
|
description: The filter pattern used to zip the files relevant for scanning, patterns can be negated by setting an exclamation mark in front i.e. `!test/*.js` would avoid adding any javascript files located in the test directory
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
default:
|
|
"!**/node_modules/**, !**/.xmake/**, !**/*_test.go, !**/vendor/**/*.go,
|
|
**/*.html, **/*.xml, **/*.go, **/*.py, **/*.js, **/*.scala, **/*.ts"
|
|
- name: fullScanCycle
|
|
type: string
|
|
description: Indicates how often a full scan should happen between the incremental scans when activated
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
default: 5
|
|
- name: fullScansScheduled
|
|
type: bool
|
|
description: Whether full scans are to be scheduled or not. Should be used in relation with `incremental` and `fullScanCycle`
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
default: true
|
|
- name: generatePdfReport
|
|
type: bool
|
|
description: Whether to generate a PDF report of the analysis results or not
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
default: true
|
|
- name: githubApiUrl
|
|
description: "Set the GitHub API URL."
|
|
scope:
|
|
- GENERAL
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
type: string
|
|
default: "https://api.github.com"
|
|
- name: githubToken
|
|
description: "GitHub personal access token as per
|
|
https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line"
|
|
scope:
|
|
- GENERAL
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
type: string
|
|
secret: true
|
|
aliases:
|
|
- name: access_token
|
|
resourceRef:
|
|
- name: githubTokenCredentialsId
|
|
type: secret
|
|
- type: vaultSecret
|
|
default: github
|
|
name: githubVaultSecretName
|
|
- name: incremental
|
|
type: bool
|
|
description: Whether incremental scans are to be applied which optimizes the scan time but might reduce detection capabilities. Therefore full scans are still required from time to time and should be scheduled via `fullScansScheduled` and `fullScanCycle`
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
default: true
|
|
- name: maxRetries
|
|
type: int
|
|
description: Maximum number of HTTP request retries upon intermittend connetion interrupts
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
default: 3
|
|
- name: owner
|
|
aliases:
|
|
- name: githubOrg
|
|
description: "Set the GitHub organization."
|
|
resourceRef:
|
|
- name: commonPipelineEnvironment
|
|
param: github/owner
|
|
scope:
|
|
- GENERAL
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
type: string
|
|
- name: password
|
|
type: string
|
|
description: The password to authenticate
|
|
mandatory: true
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
secret: true
|
|
resourceRef:
|
|
- name: checkmarxCredentialsId
|
|
type: secret
|
|
param: password
|
|
- type: vaultSecret
|
|
name: checkmarxVaultSecretName
|
|
default: checkmarx
|
|
- name: preset
|
|
type: string
|
|
description: The preset to use for scanning, if not set explicitly the step will attempt to look up the project's setting based on the availability of `checkmarxCredentialsId`
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
default: null
|
|
- name: projectName
|
|
aliases:
|
|
- name: checkmarxProject
|
|
- name: checkMarxProjectName
|
|
deprecated: true
|
|
type: string
|
|
description: The name of the Checkmarx project to scan into
|
|
mandatory: true
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
- name: pullRequestName
|
|
type: string
|
|
description: Used to supply the name for the newly created PR project branch when being used in pull request scenarios
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
- name: repository
|
|
aliases:
|
|
- name: githubRepo
|
|
description: "Set the GitHub repository."
|
|
resourceRef:
|
|
- name: commonPipelineEnvironment
|
|
param: github/repository
|
|
scope:
|
|
- GENERAL
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
type: string
|
|
- name: serverUrl
|
|
aliases:
|
|
- name: checkmarxServerUrl
|
|
type: string
|
|
description: The URL pointing to the root of the Checkmarx server to be used
|
|
mandatory: true
|
|
scope:
|
|
- GENERAL
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
- name: engineConfigurationID
|
|
type: string
|
|
description: The engine configuration ID to be used, if not set explicitly the project's default will be used
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
default: "1"
|
|
aliases:
|
|
- name: sourceEncoding
|
|
- name: teamId
|
|
aliases:
|
|
- name: checkmarxGroupId
|
|
- name: groupId
|
|
deprecated: true
|
|
type: string
|
|
description: The group ID related to your team which can be obtained via the Pipeline Syntax plugin as described in the `Details` section
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
- name: teamName
|
|
type: string
|
|
description: The full name of the team to assign newly created projects to which is preferred to teamId
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
- name: username
|
|
type: string
|
|
description: The username to authenticate
|
|
mandatory: true
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
secret: true
|
|
resourceRef:
|
|
- name: checkmarxCredentialsId
|
|
type: secret
|
|
param: username
|
|
- type: vaultSecret
|
|
name: checkmarxVaultSecretName
|
|
default: checkmarx
|
|
- name: verifyOnly
|
|
type: bool
|
|
description: Whether the step shall only apply verification checks or whether it does a full scan and check cycle
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
default: false
|
|
- name: vulnerabilityThresholdEnabled
|
|
type: bool
|
|
description: Whether the thresholds are enabled or not. If enabled the build will be set to `vulnerabilityThresholdResult` in case a specific threshold value is exceeded
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
default: true
|
|
- name: vulnerabilityThresholdHigh
|
|
type: int
|
|
description: The specific threshold for high severity findings
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
default: 100
|
|
- name: vulnerabilityThresholdMedium
|
|
type: int
|
|
description: The specific threshold for medium severity findings
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
default: 100
|
|
- name: vulnerabilityThresholdLow
|
|
type: int
|
|
description: The specific threshold for low severity findings
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
default: 10
|
|
- name: vulnerabilityThresholdLowPerQuery
|
|
type: bool
|
|
description: Flag to activate/deactivate the threshold of low severity findings per query
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
default: false
|
|
- name: vulnerabilityThresholdLowPerQueryMax
|
|
type: int
|
|
description: Upper threshold of low severity findings per query (in absolute number)
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
default: 10
|
|
- name: vulnerabilityThresholdResult
|
|
type: string
|
|
description: The result of the build in case thresholds are enabled and exceeded
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
default: FAILURE
|
|
possibleValues:
|
|
- FAILURE
|
|
- name: vulnerabilityThresholdUnit
|
|
type: string
|
|
description: The unit for the threshold to apply.
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
default: percentage
|
|
- name: isOptimizedAndScheduled
|
|
type: bool
|
|
description: Whether the pipeline runs in optimized mode and the current execution is a scheduled one
|
|
resourceRef:
|
|
- name: commonPipelineEnvironment
|
|
param: custom/isOptimizedAndScheduled
|
|
scope:
|
|
- PARAMETERS
|
|
- name: createResultIssue
|
|
type: bool
|
|
description: Activate creation of a result issue in GitHub.
|
|
longDescription: |
|
|
Whether the step creates a GitHub issue containing the scan results in the originating repo.
|
|
Since optimized pipelines are headless the creation is implicitly activated for scheduled runs.
|
|
resourceRef:
|
|
- name: commonPipelineEnvironment
|
|
param: custom/isOptimizedAndScheduled
|
|
scope:
|
|
- GENERAL
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
default: false
|
|
- name: convertToSarif
|
|
type: bool
|
|
description: "Convert the Checkmarx XML scan results to the open SARIF standard."
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
default: true
|
|
outputs:
|
|
resources:
|
|
- name: influx
|
|
type: influx
|
|
params:
|
|
- name: step_data
|
|
fields:
|
|
- name: checkmarx
|
|
type: bool
|
|
- name: checkmarx_data
|
|
fields:
|
|
- name: high_issues
|
|
type: int
|
|
- name: high_not_false_positive
|
|
type: int
|
|
- name: high_not_exploitable
|
|
type: int
|
|
- name: high_confirmed
|
|
type: int
|
|
- name: high_urgent
|
|
type: int
|
|
- name: high_proposed_not_exploitable
|
|
type: int
|
|
- name: high_to_verify
|
|
type: int
|
|
- name: medium_issues
|
|
type: int
|
|
- name: medium_not_false_positive
|
|
type: int
|
|
- name: medium_not_exploitable
|
|
type: int
|
|
- name: medium_confirmed
|
|
type: int
|
|
- name: medium_urgent
|
|
type: int
|
|
- name: medium_proposed_not_exploitable
|
|
type: int
|
|
- name: medium_to_verify
|
|
type: int
|
|
- name: low_issues
|
|
type: int
|
|
- name: low_not_false_positive
|
|
type: int
|
|
- name: low_not_exploitable
|
|
type: int
|
|
- name: low_confirmed
|
|
type: int
|
|
- name: low_urgent
|
|
type: int
|
|
- name: low_proposed_not_exploitable
|
|
type: int
|
|
- name: low_to_verify
|
|
type: int
|
|
- name: information_issues
|
|
type: int
|
|
- name: information_not_false_positive
|
|
type: int
|
|
- name: information_not_exploitable
|
|
type: int
|
|
- name: information_confirmed
|
|
type: int
|
|
- name: information_urgent
|
|
type: int
|
|
- name: information_proposed_not_exploitable
|
|
type: int
|
|
- name: information_to_verify
|
|
type: int
|
|
- name: lines_of_code_scanned
|
|
type: int
|
|
- name: files_scanned
|
|
type: int
|
|
- name: initiator_name
|
|
- name: owner
|
|
- name: scan_id
|
|
- name: project_id
|
|
- name: projectName
|
|
- name: team
|
|
- name: team_full_path_on_report_date
|
|
- name: scan_start
|
|
- name: scan_time
|
|
- name: checkmarx_version
|
|
- name: scan_type
|
|
- name: preset
|
|
- name: deep_link
|
|
- name: report_creation_time
|
|
- name: reports
|
|
type: reports
|
|
params:
|
|
- filePattern: "**/piper_checkmarx_report.html"
|
|
type: checkmarx
|
|
- filePattern: "**/CxSASTResults_*.xml"
|
|
type: checkmarx
|
|
- filePattern: "**/ScanReport.*"
|
|
type: checkmarx
|
|
- filePattern: "**/toolrun_checkmarx_*.json"
|
|
type: checkmarx
|