Jenkinsfile.blackduck
// Jenkins declarative pipeline that runs a Black Duck (Synopsys Detect) scan of
// this repository's Python dependencies. The scan stage only runs when the
// DO_BLACKDUCK_SCAN build parameter is set; everything else here is setup and
// cleanup around that one stage.
pipeline {
    agent { label 'linux-docker' }
    options {
        // Hard bound on a hung scan; one scan at a time per branch.
        timeout(time: 1, unit: 'HOURS')
        disableConcurrentBuilds()
        buildDiscarder(logRotator(artifactNumToKeepStr: '5', numToKeepStr: '20'))
    }
    parameters {
        // No defaultValue is given, so the scan is opt-in (unchecked by default).
        // NOTE(review): the description says the scan is restricted to trunk and
        // release/* branches, but the `when` clause below checks only the
        // parameter — any branch restriction must be enforced elsewhere (job
        // configuration or branch source); confirm that is the case.
        booleanParam name: "DO_BLACKDUCK_SCAN", description: "Select true to run a blackduck scan. This is only available on trunk and release/* branches."
    }
    environment {
        // TAG is only referenced by the commented-out image-scan code below.
        TAG = "${BRANCH_NAME}-${BUILD_NUMBER}"
        // Project/version under which results are filed in Black Duck.
        PROJECT_NAME = "esg-grafana"
        VERSION = "3.0"
        // QUIET is not referenced anywhere in this file; presumably consumed by
        // the pip/Detect tooling via the environment — confirm before removing.
        QUIET = "yes"
    }
    stages {
        stage('Security Scan'){
            when {
                expression { return params.DO_BLACKDUCK_SCAN }
            }
            steps {
                script {
                    // The scanner image is built from ./blackduck in this repo and run as
                    // root ("-u 0"). The workspace is bind-mounted into the container, so
                    // files Detect creates end up root-owned on the agent — which is why
                    // the chmod at the end of this closure is needed (see comment there).
                    docker.build("perf-analyzer-blackduck", "./blackduck").inside("-u 0") {
                        // Install the two requirement sets so the pip detector can see the
                        // resolved dependency tree. Short timeout / many retries: this runs
                        // on an agent where the index can be slow to answer.
                        // NOTE(review): requirements are installed without --require-hashes;
                        // the installed packages live only in the throw-away scan container,
                        // but anything they run at install time runs as root there.
                        sh "cd ./plugins/eseries_monitoring/collector && pip --default-timeout=5 --retries 15 install -r requirements.txt"
                        sh "cd ./ansible && pip --default-timeout=5 --retries 15 install -r requirements.txt"
                        // Scan the source code of the project
                        // Detect writes its working files to /tmp/scanTempDir
                        // (detect.cleanup=false keeps them for debugging) and the two
                        // exclusion properties keep a directory of that name out of the
                        // detector search and the signature scan. Properties are one per
                        // line here; the commented-out block below uses trailing
                        // backslashes instead — presumably both forms are accepted by the
                        // plugin, confirm if this string is ever edited.
                        synopsys_detect detectProperties: """
--detect.python.python3=true
--detect.pip.project.name=${PROJECT_NAME}
--detect.pip.project.version.name=${VERSION}
--detect.project.name=${PROJECT_NAME}
--detect.project.version.name=${VERSION}
--detect.cleanup=false
--detect.output.path=/tmp/scanTempDir
--detect.project.code.location.unmap=true
--detect.detector.search.depth=25
--detect.code.location.name=${PROJECT_NAME}_${VERSION}_code
--detect.bom.aggregate.name=${PROJECT_NAME}_${VERSION}_bom
--detect.detector.search.exclusion.paths=scanTempDir
--detect.blackduck.signature.scanner.exclusion.patterns=scanTempDir
"""
                        // This error occurs when using a non-root user within the container:
                        // Error creating directory /synopsys-detect/download.
                        // The curl response was 000, which is not successful - please check your configuration and environment.
                        // So after the scan do a chmod on the files so that the workspace can be cleaned.
                        //
                        // This makes the whole workspace world-writable so that the
                        // (non-root) agent user can delete the root-owned files in the
                        // post { always } cleanWs step. A chown to the agent's uid/gid would
                        // be narrower, but that uid is not known inside this container.
                        sh "chmod -R 777 ."
                    }
                    // The container images are not published by NetApp and therefore do not need to be scanned.
                    // The Blackduck project will have manual entries added for these component versions.
                    // Keeping this code around just in case scans are needed in the future.
                    //
                    // def images = [
                    // "${PROJECT_NAME}/ansible:${TAG}",
                    // "${PROJECT_NAME}/influxdb:${TAG}",
                    // "${PROJECT_NAME}/grafana:${TAG}",
                    // "${PROJECT_NAME}-plugin/eseries_monitoring/collector:latest",
                    // "${PROJECT_NAME}-plugin/eseries_monitoring/webservices:latest"
                    // ]
                    // // For each image, perform the blackduck scan.
                    // images.each() {
                    // def scanImage = it.substring(it.lastIndexOf("/") + 1, it.lastIndexOf(":"))
                    // synopsys_detect detectProperties: """
                    // --detect.project.name=${PROJECT_NAME} \
                    // --detect.project.version.name=${VERSION} \
                    // --detect.cleanup=false \
                    // --detect.output.path=scanTempDir \
                    // --detect.detector.search.exclusion.paths=scanTempDir/ \
                    // --detect.detector.search.depth=25 \
                    // --detect.tools=DOCKER \
                    // --detect.tools=SIGNATURE_SCAN
                    // --detect.code.location.name=${PROJECT_NAME}_${VERSION}_container_${scanImage}_code \
                    // --detect.bom.aggregate.name=${PROJECT_NAME}_${VERSION}_container_${scanImage}_bom \
                    // --detect.docker.image=${it} \
                    // """
                    // }
                    // (Note if revived: the `--detect.tools=SIGNATURE_SCAN` line above has no
                    // trailing backslash, unlike its neighbours.)
                }
            }
        }
    }
    post {
        always {
            // Remove the workspace (including directories) whether or not the scan
            // ran or succeeded; relies on the chmod above when the scan did run.
            cleanWs deleteDirs: true
        }
    }
}