github.com/jaylevin/jenkins-library@v1.230.4/documentation/docs/steps/protecodeExecuteScan.md

# ${docGenStepName}

## ${docGenDescription}

## Prerequisites

1. Create a Username / Password credential with the Protecode user in your Jenkins credential store.
1. Look up your Group ID using the REST API via `curl -u <username> "https://<protecode host>/api/groups/"`.

If the image is on a protected registry you can provide a Docker `config.json` file containing the credential information for the registry.
You can either use `docker login` (see the [Docker documentation](https://docs.docker.com/engine/reference/commandline/login/) for details) or you can create the file manually using the following script.

```shell
#!/bin/bash
# USER, PASSWORD and REGISTRY must be set before running this script.
# Note that most shells preset USER to the current login name, so set it
# explicitly to the registry user.
# Encode "user:password" as one base64 line (-w0 disables line wrapping in GNU base64).
auth=$(echo -n "$USER:$PASSWORD" | base64 -w0)
cat <<EOF > config.json
{
  "auths": {
    "$REGISTRY": {
      "auth": "$auth"
    }
  }
}
EOF
```

`REGISTRY` is the URL of the protected registry (Example: `https://index.docker.io/v1`).

Attention: If you reference the file in `--dockerConfigJSON` or upload the file to the Jenkins credential store, the file has to be named `config.json`.

## ${docGenParameters}

### Details

* The Protecode scan step is able to send a file addressed via parameter `filePath` to the backend for scanning it for known vulnerabilities.
* Alternatively an HTTP URL can be specified via `fetchUrl`. Protecode will then download the artifact from there and scan it.
* To support Docker image scanning, provide `scanImage` with a Docker-style URL pointing to the image tag within the Docker registry being used.
* To receive the result, the step polls until the job completes.
* Once the job has completed, a PDF report is pulled from the backend and archived in the build.
* Finally the scan result is analysed for critical findings with a CVSS v3 score >= 7.0; if such findings are detected, the build is failed based on the configuration setting `failOnSevereVulnerabilities`.
* During the analysis all CVEs which are triaged are ignored and will not provoke the build to fail.

## ${docGenConfiguration}
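The severity analysis described in the Details list above (fail on untriaged findings with CVSS v3 >= 7.0, gated by `failOnSevereVulnerabilities`, triaged CVEs ignored) can be stated precisely as a small decision routine. The following Go program is an added example written for this page; it is not code from the jenkins-library project, and the `Finding` struct, the JSON field names, the `ParseFindings`, `Analyse` and `ShouldFailBuild` functions and the `sampleResult` data are all assumptions, since the real backend response format is not shown here.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Finding is a deliberately simplified, constructed representation of one
// vulnerability entry in a scan result. The real backend response format is
// not shown on this page, so this struct is an assumption for the example.
type Finding struct {
	CVE     string  `json:"cve"`
	CVSS3   float64 `json:"cvss3_score"`
	Triaged bool    `json:"triaged"`
}

// SevereThreshold mirrors the rule stated in the Details list: a CVSS v3
// score of 7.0 or higher counts as a severe finding.
const SevereThreshold = 7.0

// ParseFindings decodes a JSON array of findings.
func ParseFindings(data []byte) ([]Finding, error) {
	var findings []Finding
	if err := json.Unmarshal(data, &findings); err != nil {
		return nil, fmt.Errorf("decoding scan result: %w", err)
	}
	return findings, nil
}

// Analyse returns the findings that would provoke a build failure:
// untriaged entries whose CVSS v3 score reaches the threshold. Triaged CVEs
// are skipped regardless of score, as the page describes.
func Analyse(findings []Finding) []Finding {
	var severe []Finding
	for _, f := range findings {
		if f.Triaged {
			continue
		}
		if f.CVSS3 >= SevereThreshold {
			severe = append(severe, f)
		}
	}
	return severe
}

// ShouldFailBuild applies the failOnSevereVulnerabilities setting: the build
// fails only when that setting is true and at least one severe, untriaged
// finding exists. The severe findings are returned so they can be reported
// even when the setting is off.
func ShouldFailBuild(findings []Finding, failOnSevereVulnerabilities bool) (bool, []Finding) {
	severe := Analyse(findings)
	return failOnSevereVulnerabilities && len(severe) > 0, severe
}

// sampleResult is constructed sample data with placeholder CVE identifiers;
// it is not output from a real scan. It covers the boundary (exactly 7.0),
// a triaged high-score entry and a low-score entry.
const sampleResult = `[
  {"cve": "CVE-0000-0001", "cvss3_score": 9.8, "triaged": false},
  {"cve": "CVE-0000-0002", "cvss3_score": 8.1, "triaged": true},
  {"cve": "CVE-0000-0003", "cvss3_score": 6.5, "triaged": false},
  {"cve": "CVE-0000-0004", "cvss3_score": 7.0, "triaged": false}
]`

func main() {
	findings, err := ParseFindings([]byte(sampleResult))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fail, severe := ShouldFailBuild(findings, true)
	for _, f := range severe {
		fmt.Printf("severe (untriaged, CVSS v3 %.1f): %s\n", f.CVSS3, f.CVE)
	}
	fmt.Println("fail build:", fail)
}
```

With the sample data, the triaged 8.1 entry and the 6.5 entry are ignored, while the 9.8 and the boundary 7.0 entries are reported; the build fails only when `failOnSevereVulnerabilities` is true, which is the behaviour the Details list describes.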