-
Notifications
You must be signed in to change notification settings - Fork 24
/
Jenkinsfile-security
131 lines (121 loc) · 5.89 KB
/
Jenkinsfile-security
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
def version = "8.3"
def changeUrl = env.CHANGE_URL
def job = ""
def errors = []
def running = []
def failedBuild = false
def slackResponse = null
pipeline {
agent none
triggers { cron('@daily') }
stages {
stage('deps-plugins') {
//when { not { changeRequest() } }
agent {
dockerfile {
filename 'ci/dep-check.Dockerfile'
additionalBuildArgs "--build-arg USER_ID=${JENKINS_UID}"
// and share maven cache
args '-v /srv/cache/maven:/home/jenkins/.m2'
}
}
steps {
catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE') {
dir('plugins-common') {
withMaven(globalMavenSettingsConfig: "1bfa2e1a-afda-4cb4-8568-236c44b94dbf",
// don't archive jars
options: [artifactsPublisher(disabled: true)]
) {
// we need to use $MVN_COMMAND to get the settings file path
sh script: 'make generate-pom'
sh script: 'mvn --update-snapshots clean install', label: "common deploy"
}
}
}
catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE') {
dir('plugins-common-private') {
withMaven(globalMavenSettingsConfig: "1bfa2e1a-afda-4cb4-8568-236c44b94dbf",
// don't archive jars
options: [artifactsPublisher(disabled: true)]
) {
// we need to use $MVN_COMMAND to get the settings file path
sh script: 'make generate-pom'
sh script: 'mvn --update-snapshots install package', label: "private common deploy"
}
}
}
script {
SCALA_PLUGINS = sh (
script: 'make scala-plugins-list',
returnStdout: true
).trim().split(' ')
SCALA_PLUGINS.each {
stage("${it}") {
script {
running.add("${it}")
}
catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE') {
try {
dir("${it}") {
sh script: 'make generate-pom', label: 'generate pom.xml'
sh script: 'mvn -U -DsuppressionFiles=../dependency-check-suppression.xml -DskipProvidedScope=true -DfailBuildOnCVSS=7 -DcveValidForHours=48 org.owasp:dependency-check-maven:aggregate', label: "check plugins dependencies"
script {
if (fileExists('src/main/package.json')) {
dir("src/main") {
sh script: 'npm_config_loglevel=error npm ci --no-audit', label: "install dependencies"
sh script: 'npx better-npm-audit audit --level high', label: "check npm dependencies"
}
}
}
sh script: 'mvn -U license:aggregate-third-party-report', label: 'list ${it} dependencies'
}
} catch (exc) {
// Mark the build as failure since it's actually an error
errors.add("${it}")
failedBuild = true
slackResponse = updateSlack(errors, running, slackResponse, version, changeUrl)
slackSend(channel: slackResponse.threadId, message: "Dependency check error on plugin ${it} - <${currentBuild.absoluteUrl}console|Console>", color: "#CC3421")
}
}
script {
running.remove("${it}")
}
}
}
}
}
}
stage('End') {
steps {
script {
updateSlack(errors, running, slackResponse, version, changeUrl)
if (failedBuild) {
error 'End of build'
} else {
echo 'End of build '
}
}
}
}
}
}
def updateSlack(errors, running, slackResponse, version, changeUrl) {
def msg ="*${version} - plugins - dependency check* - <"+currentBuild.absoluteUrl+"|Link>"
if (changeUrl == null) {
def fixed = currentBuild.resultIsBetterOrEqualTo("SUCCESS") && currentBuild.previousBuild.resultIsWorseOrEqualTo("UNSTABLE")
if (errors.isEmpty() && running.isEmpty() && fixed) {
msg += " => All plugin dependencies checked! :white_check_mark:"
def color = "good"
slackSend(channel: "ci-security", message: msg, color: color)
}
if (! errors.isEmpty()) {
msg += "\n*Errors* :x: ("+errors.size()+")\n • " + errors.join("\n • ")
def color = "#CC3421"
if (slackResponse == null) {
slackResponse = slackSend(channel: "ci-security", message: msg, color: color)
}
slackSend(channel: slackResponse.channelId, message: msg, timestamp: slackResponse.ts, color: color)
}
return slackResponse
}
}