step.sh
210 lines (176 loc) · 5.73 KB
#!/bin/bash
# Strict mode: abort on any unhandled error (-e), on unset variables (-u), and
# make a pipeline fail when any of its stages fails (-o pipefail).
set -euo pipefail
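#######################################
# Print "1" when the bash in use is at least 4.4 (the first release with
# 'readarray -d'), "0" otherwise.
# Checks the *running* interpreter via BASH_VERSINFO rather than whichever
# 'bash' is first on PATH: on macOS /bin/bash is 3.2 while a newer bash may be
# installed elsewhere, and the original 'bash --version' probe reported the
# wrong shell. The original 'v1 -ge 4' test also classified 4.0-4.3 as new.
# Globals:   BASH_VERSINFO (read)
# Arguments: $1 - optional version string to classify instead of the running
#                 shell (e.g. "4.3.48" or a full 'bash --version' line)
# Outputs:   "0" or "1" on stdout
# Returns:   0
#######################################
function bashversion() {
  local version=${1:-}
  local major minor
  if [[ -z "${version}" ]]; then
    major=${BASH_VERSINFO[0]}
    minor=${BASH_VERSINFO[1]}
  elif [[ "${version}" =~ ([0-9]+)\.([0-9]+) ]]; then
    major=${BASH_REMATCH[1]}
    minor=${BASH_REMATCH[2]}
  else
    # No "<major>.<minor>" pair found: treat as old to stay on the portable path.
    echo "0"
    return 0
  fi
  # 10# forces decimal so a zero-padded component is not read as octal.
  if (( 10#${major} > 4 || (10#${major} == 4 && 10#${minor} > 3) )); then
    echo "1"
  else
    echo "0"
  fi
}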
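# for swift and objective-c
#######################################
# Install CocoaPods, resolve the project's pods and gems, then run the Snyk
# dependency scan over every project found from the current directory.
# Globals:   HOME, project_directory, severity_threshold (read)
#            GEM_HOME, PATH (written and exported)
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   the exit status of './snyk test' (0 means no findings), or 1
#            when a dependency installation step fails
#######################################
function snykscannerios-run() {
  local ruby_version
  export GEM_HOME="${HOME}/.gem"
  # First ".gem/ruby/<version>" path reported by gem; its bin dir is where the
  # user-installed 'pod' executable lands.
  ruby_version="$(gem env | grep -F '.gem/ruby' | sed 's:.*\.gem/::' | head -1)"
  export PATH="${GEM_HOME}/${ruby_version}/bin:${PATH}"
  # Explicit status checks: when main calls this function from an '||' list,
  # 'set -e' is suppressed for the whole function body, so without them a
  # failed install would be ignored and snyk would scan an incomplete
  # dependency tree (a silent false negative).
  gem install cocoapods --user-install || return 1
  pod install --project-directory="${project_directory}" || return 1 # for podfile
  bundle install || return 1 # for gemfile
  echo "--- Running iOS dependency scan"
  ./snyk test --all-projects --severity-threshold="${severity_threshold}"
}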
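# for java and kotlin
#######################################
# Install Gradle, make every gradlew wrapper under CODEFOLDER executable,
# optionally run the javascript dependency install, then run the Snyk
# dependency scan when at least one build.gradle file exists.
# Globals:   CODEFOLDER, js_scan, severity_threshold (read)
#            GRADLE_SHA256 (read, optional): expected SHA-256 of the Gradle zip;
#            when set, the download is verified before it is unpacked
#            PATH (written and exported)
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   the exit status of './snyk test', 0 when no build.gradle was
#            found, or 1 when a setup step fails
#######################################
function snykscannerandroid-run() {
  local gradle_zip="gradle-7.5.1-bin.zip"
  local wrapper gradle_file scan_print
  local gradle_count=0
  echo "--- Install gradle"
  # -f: fail on an HTTP error instead of unzipping an error page; -L: follow
  # redirects. Explicit '|| return' because 'set -e' is suppressed for this
  # function's body when main calls it from an '||' list.
  curl -fsSL "https://downloads.gradle-dn.com/distributions/${gradle_zip}" --output "${gradle_zip}" || return 1
  # The archive is fetched over HTTPS but not otherwise pinned; verify it when
  # the caller supplies the expected checksum.
  if [[ -n "${GRADLE_SHA256:-}" ]]; then
    if command -v sha256sum >/dev/null; then
      echo "${GRADLE_SHA256}  ${gradle_zip}" | sha256sum -c - || return 1
    else
      echo "${GRADLE_SHA256}  ${gradle_zip}" | shasum -a 256 -c - || return 1
    fi
  fi
  unzip -qq -d /opt/gradle "${gradle_zip}" || return 1
  export PATH="${PATH}:/opt/gradle/gradle-7.5.1/bin"
  # NUL-delimited find output with 'read -d ""' works on every bash this step
  # runs under (it predates readarray -d), so no bash-version branching is
  # needed and paths containing spaces are handled correctly. chmod targets the
  # wrapper directly; no cd into each directory is required.
  while IFS= read -r -d '' wrapper; do
    chmod +x -- "${wrapper}"
  done < <(find "${CODEFOLDER}" -name 'gradlew' -print0)
  cd "${CODEFOLDER}" || return 1
  scan_print="--- Running Android dependency scan"
  if [[ "${js_scan}" == "true" ]]; then
    scan_print="--- Running Android and javascript dependency scan"
    # Fail closed: if the javascript dependencies could not be installed the
    # scan would silently miss them.
    snykscannerjs-run || return 1
  fi
  echo "--- Checking all build.gradle files in the project"
  while IFS= read -r -d '' gradle_file; do
    gradle_count=$((gradle_count + 1))
  done < <(find "${CODEFOLDER}" -name 'build.gradle' -print0)
  if (( gradle_count > 0 )); then
    echo "${scan_print}"
    ./snyk test --all-projects --severity-threshold="${severity_threshold}"
  else
    echo '!!! No gradle requirement file was found'
  fi
}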
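#######################################
# Install javascript dependencies for every yarn.lock and package-lock.json
# found under CODEFOLDER so the Snyk scan sees the resolved dependency tree.
# Globals:   CODEFOLDER (read)
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   0 on success, 1 when an install step fails
#######################################
function snykscannerjs-run() {
  local lock_file dir
  local yarn_count=0 npm_count=0
  echo "--- Downloading and installing project javascript dependencies."
  echo "--- Checking all yarn.lock files in the project"
  # NUL-delimited find output is safe for paths with spaces and needs no
  # readarray (bash 4.4+), so the bash-version branching is unnecessary. Each
  # install runs in a subshell so the working directory never changes here.
  while IFS= read -r -d '' lock_file; do
    if (( yarn_count == 0 )); then
      echo "--- Running yarn installation"
    fi
    yarn_count=$((yarn_count + 1))
    dir=$(dirname -- "${lock_file}")
    echo "Running yarn install for ${dir}"
    # Installs execute package lifecycle scripts from the scanned repository.
    # Explicit '|| return' because 'set -e' is suppressed for this function's
    # body when it is reached from an '||' list in main.
    (cd "${dir}" && yarn install) || return 1
  done < <(find "${CODEFOLDER}" -name 'yarn.lock' -print0)
  echo "--- Checking all package-lock.json files in the project"
  while IFS= read -r -d '' lock_file; do
    if (( npm_count == 0 )); then
      echo "--- Running npm installation"
    fi
    npm_count=$((npm_count + 1))
    dir=$(dirname -- "${lock_file}")
    echo "Running npm install for ${lock_file}"
    (cd "${dir}" && npm install) || return 1
  done < <(find "${CODEFOLDER}" -name 'package-lock.json' -print0)
  cd "${CODEFOLDER}" || return 1
}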
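#######################################
# Entry point: validate inputs, download the Snyk CLI, authenticate, run the
# code analysis (SAST) scan and the OS-specific dependency scan, and exit
# non-zero when either of them reports findings or fails to complete.
# Globals:   BITRISE_SOURCE_DIR, os_list, org_name, snyk_auth_token,
#            severity_threshold, OSTYPE (read)
#            CODEFOLDER, ROOT (written), SNYK_TOKEN (exported)
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   exits 0 when both scans are clean, 1 otherwise
#######################################
function main(){
  local sast_rc=0 dep_rc=0
  # Kept as a global for compatibility; nothing in this file reads it.
  ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
  CODEFOLDER="${BITRISE_SOURCE_DIR}"
  if [[ -z "${os_list}" ]]; then
    echo "os input is not valid"
    exit 1
  fi
  if [[ -z "${org_name}" ]]; then
    echo "org_name input is not valid"
    exit 1
  fi
  if [[ -z "${snyk_auth_token}" ]]; then
    echo "snyk_auth_token input is not valid"
    exit 1
  fi
  # Reject an unknown OS before downloading anything or authenticating.
  if [[ "${os_list}" != "ios" && "${os_list}" != "android" ]]; then
    echo "Unknown OS value"
    exit 1
  fi
  echo "+++ Running Snyk Vulnerability Scanner Pipeline Step."
  echo "--- Identifying the application to scan."
  echo "Project path: ${CODEFOLDER}"
  echo "--- Downloading Snyk CLI"
  # -f makes curl fail on an HTTP error so an error page is never chmod'ed and
  # executed as the CLI. NOTE(review): 'latest' is unpinned and the binary is
  # not checksum-verified; pinning a release and verifying its published
  # checksum would make the step reproducible.
  if [[ "${OSTYPE}" == 'darwin'* ]]; then
    echo "OS: MacOS"
    curl -fsSL https://static.snyk.io/cli/latest/snyk-macos -o snyk
  else
    echo "OS: Linux"
    curl -fsSL https://static.snyk.io/cli/latest/snyk-linux -o snyk
  fi
  chmod +x ./snyk
  echo "--- Authenticating to Snyk."
  # The CLI reads SNYK_TOKEN from the environment; passing it this way instead
  # of 'snyk auth <token>' keeps the secret off the process command line and
  # out of the CLI's on-disk config on the build machine.
  export SNYK_TOKEN="${snyk_auth_token}"
  ./snyk config set org="${org_name}"
  echo "--- Running code analysis scan"
  # Capture the status rather than collapsing it to a boolean so a scan that
  # did not complete can be reported distinctly from one that found issues
  # (Snyk CLI convention: 1 issues found, 2 failure, 3 nothing to scan).
  # Both outcomes still fail the step.
  ./snyk code test --severity-threshold="${severity_threshold}" || sast_rc=$?
  if (( sast_rc == 1 )); then
    echo "!!! Code analysis scan reported findings"
  elif (( sast_rc != 0 )); then
    echo "!!! Code analysis scan did not complete (exit ${sast_rc})"
  fi
  # 'set -e' is suppressed inside the scan functions while they run in this
  # '||' list, which is why they check their own critical steps explicitly.
  if [[ "${os_list}" == "ios" ]]; then
    snykscannerios-run || dep_rc=$?
  else
    snykscannerandroid-run || dep_rc=$?
  fi
  if (( dep_rc == 1 )); then
    echo "!!! Dependency scan reported findings or a setup step failed"
  elif (( dep_rc != 0 )); then
    echo "!!! Dependency scan did not complete (exit ${dep_rc})"
  fi
  if (( sast_rc != 0 || dep_rc != 0 )); then
    exit 1
  fi
  exit 0
}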
# Run the step; positional parameters are forwarded for parity with callers.
main "$@"