# Step metadata for the jenkins-library (Piper) step `detectExecuteScan`.
# It declares the step's inputs (stashes, a Jenkins secret, parameters with
# their aliases, types, defaults and scopes), its outputs (influx fields and
# report file patterns) and the container the step runs in. The Go/Groovy
# code that consumes this metadata is not part of this file, so the comments
# below only describe what is declared here and mark assumptions as such.
#
# NOTE(review): the descriptions spell the vendor "Synopsis"; the product is
# "Synopsys" (as in the linked URLs). The longDescription also has "utlity"
# for "utility" and the `version` description "being build" for "being built".
# Left untouched here because these strings are emitted into generated
# documentation / CLI help; fix them in a dedicated text change.
metadata:
  name: detectExecuteScan
  description: Executes Synopsys Detect scan
  # NOTE(review): the text below tells users to set `apiToken`, which is
  # declared further down as a *deprecated* alias of `token`. It should refer
  # to `token` (or to the `detectTokenCredentialsId` credential).
  longDescription: |
    This step executes [Synopsys Detect](https://synopsys.atlassian.net/wiki/spaces/INTDOCS/pages/62423113/Synopsys+Detect) scans.
    Synopsys Detect command line utlity can be used to run various scans including BlackDuck and Polaris scans. This step allows users to run BlackDuck scans by default.
    Please configure your BlackDuck server Url using the serverUrl parameter and the API token of your user using the apiToken parameter for this step.
spec:
  inputs:
    # Stashes the step expects in its workspace. `checkmarx` is an unusual
    # input for a Detect step — NOTE(review): confirm it is still consumed
    # before keeping it; every declared stash widens what lands in the
    # workspace that gets scanned.
    resources:
      - name: buildDescriptor
        type: stash
      - name: checkmarx
        type: stash
    # Jenkins 'Secret text' credential that backs the `token` parameter (see
    # its resourceRef). Pipeline config carries only the credentials ID; the
    # token value itself stays in the Jenkins credential store.
    secrets:
      - name: detectTokenCredentialsId
        aliases:
          - name: apiTokenCredentialsId
        description: Jenkins 'Secret text' credentials ID containing the API token used to authenticate with the Synopsis Detect (formerly BlackDuck) Server.
        type: jenkins
    # `scope` on each parameter lists where it may be configured. The values
    # PARAMETERS / GENERAL / STAGES / STEPS are presumably the CLI and the
    # general / stage / step sections of the pipeline config — verify against
    # the Piper configuration documentation.
    params:
      # BlackDuck API token. `secret: true` flags it as sensitive (how the
      # generated step masks it is not visible here). It is resolved from the
      # Jenkins credential `detectTokenCredentialsId` or from Vault
      # (`detectVaultSecretName`, default path `detect`) rather than being put
      # into plain pipeline config. `apiToken` and `detect/apiToken` are
      # deprecated aliases — do not use them in new configuration.
      - name: token
        aliases:
          - name: blackduckToken
          - name: detectToken
          - name: apiToken
            deprecated: true
          - name: detect/apiToken
            deprecated: true
        description: Api token to be used for connectivity with Synopsis Detect server.
        type: string
        mandatory: true
        secret: true
        resourceRef:
          - name: detectTokenCredentialsId
            type: secret
          - type: vaultSecret
            name: detectVaultSecretName
            default: detect
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      # Optional override for the code-location name Detect creates on the
      # server for this scan.
      - name: codeLocation
        description: An override for the name Detect will use for the scan file it creates.
        type: string
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      # Mandatory: the BlackDuck project the results are uploaded to.
      - name: projectName
        description: Name of the Synopsis Detect (formerly BlackDuck) project.
        aliases:
          - name: detect/projectName
        type: string
        mandatory: true
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      # By default only the signature scanner runs; `source` is the only
      # other accepted value.
      - name: scanners
        description: List of scanners to be used for Synopsis Detect (formerly BlackDuck) scan.
        aliases:
          - name: detect/scanners
        type: "[]string"
        default:
          - signature
        possibleValues:
          - signature
          - source
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      # Default "." scans the whole workspace, including everything unstashed
      # into it (see `resources` above).
      - name: scanPaths
        description: List of paths which should be scanned by the Synopsis Detect (formerly BlackDuck) scan.
        aliases:
          - name: detect/scanPaths
        type: "[]string"
        default:
          - "."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: dependencyPath
        description: Absolute Path of the dependency management file of the project. This path represents the folder which contains the pom file, package.json etc. If the project contains multiple pom files, provide the path to the parent pom file or the base folder of the project
        aliases:
          - name: detect/dependencyPath
        type: "string"
        default: "."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      # Destructive on the server side: when true, all previous code
      # locations of the project version are unmapped and only this scan's
      # results remain. Not set by default.
      - name: unmap
        description: Unmap flag will unmap all previous code locations and keep only the current scan results in the specified project version. Set this parameter to true, when the project version needs to store only the latest scan results.
        aliases:
          - name: detect/unmap
        type: bool
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      # Raw command-line properties handed to Detect. Security-relevant
      # entries in the default list:
      #   --blackduck.trust.cert=true — as its name indicates, Detect accepts
      #     the server certificate without validation, so the API token is
      #     sent to a peer that is not verified (MITM exposure on the path to
      #     `serverUrl`). Tolerable only for a private server with a
      #     self-signed certificate; otherwise override this list without the
      #     flag and trust the CA in the JVM truststore instead.
      #   --logging.level.com.synopsys.integration=DEBUG — verbose Detect
      #     output in the build console; review what DEBUG logs contain before
      #     archiving or sharing build logs.
      #   --detect.maven.excluded.scopes=test — overlaps with the separate
      #     `mavenExcludedScopes` parameter below; which one wins is not
      #     defined in this file — NOTE(review): confirm in the step code.
      # NOTE(review): a user-supplied `scanProperties` presumably replaces
      # this whole default list rather than merging with it — when overriding,
      # re-add the entries you still need (memory, timeout).
      - name: scanProperties
        description: Properties passed to the Synopsis Detect (formerly BlackDuck) scan. You can find details in the [Synopsis Detect documentation](https://synopsys.atlassian.net/wiki/spaces/INTDOCS/pages/622846/Using+Synopsys+Detect+Properties)
        aliases:
          - name: detect/scanProperties
        type: "[]string"
        default:
          - --blackduck.signature.scanner.memory=4096
          - --detect.timeout=6000
          - --blackduck.trust.cert=true
          - --logging.level.com.synopsys.integration=DEBUG
          - --detect.maven.excluded.scopes=test
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      # Endpoint the API token is sent to; use an https URL.
      - name: serverUrl
        description: Server URL to the Synopsis Detect (formerly BlackDuck) Server.
        aliases:
          - name: detect/serverUrl
        type: string
        mandatory: true
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      # User groups granted on the BlackDuck project (grants access to the
      # scan results for everyone in them).
      - name: groups
        description: Users groups to be assigned for the Project
        aliases:
          - name: detect/groups
        type: "[]string"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      # Policy severities that fail the build. The default fails on BLOCKER
      # only: CRITICAL (and lower) violations are reported but do not fail
      # the build unless listed here or `ALL` is used.
      - name: failOn
        description: Mark the current build as fail based on the policy categories applied.
        longDescription: |
          A list of policies can be provided which will be applied after the scan is completed. These policies if violated will mark the build/scan result as failed.
          The list of accepted values can be found at [Synopsys detect documentation](https://blackducksoftware.github.io/synopsys-detect/latest/properties/configuration/project/#fail-on-policy-violation-severities)
        aliases:
          - name: detect/failOn
        type: "[]string"
        default:
          - BLOCKER
        possibleValues:
          - ALL
          - BLOCKER
          - CRITICAL
          - MAJOR
          - MINOR
          - NONE
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      # How `version` is reduced to the BlackDuck project version (see the
      # longDescription for the mapping).
      - name: versioningModel
        type: string
        description: The versioning model used for result reporting (based on the artifact version). Example 1.2.3 using `major` will result in version 1
        longDescription: |-
          The versioning model used for result reporting (based on the artifact version).
          For example: the version 1.2.3 of the artifact will result in a version 1 to report into, when `versioningModel: major` is used and will result in a version 1.2 when `versioningModel: major-minor` is used.
          Recommendation for a Continuous Delivery process is to use `versioningModel: major`.
        scope:
          - PARAMETERS
          - GENERAL
          - STAGES
          - STEPS
        default: "major"
        possibleValues:
          - major
          - major-minor
          - semantic
          - full
      # Artifact version; filled from commonPipelineEnvironment
      # (`artifactVersion`) when not configured explicitly.
      - name: version
        aliases:
          - name: projectVersion
          - name: detect/projectVersion
        type: string
        description: Defines the version number of the artifact being build in the pipeline. It is used as source for the Detect version.
        longDescription: |-
          Defines the version number of the artifact being build in the pipeline.
          It is used for build version creation and as source for the Detect version.
          **Typically it is available through the pipeline run.**
          The project version of the Detect project is calculated using the [`versioningModel`](#versioningmodel).
        resourceRef:
          - name: commonPipelineEnvironment
            param: artifactVersion
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      # Explicit version label that supersedes the computed one; shared with
      # the other scan steps per its longDescription.
      - name: customScanVersion
        type: string
        description: "A custom version used along with the uploaded scan results."
        longDescription: |-
          Defines a custom version for the Detect scan which deviates from the typical versioning pattern using [`version`](#version) and [`versioningModel`](#versioningModel).
          It allows to set non-numeric versions as well and supersedes the value of [`version`](#version) which is calculated automatically.
          The parameter is also used by other scan steps (e.g. Fortify, Sonar, WhiteSource) and thus allows a common custom version across scan tools.
        scope: [GENERAL, STAGES, STEPS, PARAMETERS]
      # Maven settings may be given as a path or a URL. A settings file can
      # define mirrors and server credentials for the build, so a URL should
      # point at a trusted https location — NOTE(review): how the download is
      # performed (and whether TLS is enforced) is not visible in this file.
      - name: projectSettingsFile
        type: string
        description: "Path or url to the mvn settings file that should be used as project settings file."
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        aliases:
          - name: maven/projectSettingsFile
      # Same caveat as `projectSettingsFile`.
      - name: globalSettingsFile
        type: string
        description: "Path or url to the mvn settings file that should be used as global settings file"
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        aliases:
          - name: maven/globalSettingsFile
      - name: m2Path
        type: string
        description: Path to the location of the local repository that should be used.
        scope:
          - GENERAL
          - STEPS
          - STAGES
          - PARAMETERS
        aliases:
          - name: maven/m2Path
      # Runs a Maven install into the local repository before Detect; this
      # executes the project's build (plugins included) inside the scan
      # container.
      - name: installArtifacts
        type: bool
        description:
          "If enabled, it will install all artifacts to the local maven repository to make them available before running detect.
          This is required if any maven module has dependencies to other modules in the repository and they were not installed before."
        scope:
          - GENERAL
          - STEPS
          - STAGES
          - PARAMETERS
      # Detector (package-manager) allow-list; accepted values are defined by
      # Detect, not validated here.
      - name: includedPackageManagers
        description:
          "The package managers that need to be included for this scan. Providing the package manager names with this parameter will ensure that the build descriptor file of that package manager will be searched in the scan folder
          For the complete list of possible values for this parameter, please refer [Synopsys detect documentation](https://synopsys.atlassian.net/wiki/spaces/INTDOCS/pages/631407160/Configuring+Detect+General+Properties#Detector-types-included-(Advanced))"
        aliases:
          - name: detect/includedPackageManagers
        type: "[]string"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      # Detector deny-list; excluding a package manager silently removes its
      # dependencies from the bill of materials.
      - name: excludedPackageManagers
        description:
          "The package managers that need to be excluded for this scan. Providing the package manager names with this parameter will ensure that the build descriptor file of that package manager will be ignored in the scan folder
          For the complete list of possible values for this parameter, please refer [Synopsys detect documentation](https://synopsys.atlassian.net/wiki/spaces/INTDOCS/pages/631407160/Configuring+Detect+General+Properties#%5BhardBreak%5DDetector-types-excluded-(Advanced))"
        aliases:
          - name: detect/excludedPackageManagers
        type: "[]string"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      # See the note on `--detect.maven.excluded.scopes=test` in
      # `scanProperties` above.
      - name: mavenExcludedScopes
        description: "The maven scopes that need to be excluded from the scan. For example, setting the value 'test' will exclude all components which are defined with a test scope in maven"
        aliases:
          - name: detect/mavenExcludedScopes
        type: "[]string"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: detectTools
        description:
          "The type of BlackDuck scanners to include while running the BlackDuck scan. By default All scanners are included.
          For the complete list of possible values, Please refer [Synopsys detect documentation](https://synopsys.atlassian.net/wiki/spaces/INTDOCS/pages/631407160/Configuring+Detect+General+Properties#Detect-tools-included)"
        aliases:
          - name: detect/detectTools
        type: "[]string"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      # When true, an upload is skipped if the BOM did not change; how the
      # change is detected is defined by the linked rescan tool, not here.
      - name: scanOnChanges
        description:
          "This flag determines if the scan is submitted to the server. If set to true, then the scan request is submitted to the server only when changes are detected in the Open Source Bill of Materials
          If the flag is set to false, then the scan request is submitted to server regardless of any changes.
          For more details please refer to the [documentation](https://github.com/blackducksoftware/detect_rescan/blob/master/README.md)"
        type: bool
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      # Free-form environment for the Detect run. Not marked `secret`, so do
      # not pass credentials through it — use `token` / `githubToken`, which
      # are backed by the credential store. Per the description these
      # variables also steer which Detect shell script is downloaded at run
      # time (`detect7.sh` unless `DETECT_LATEST_RELEASE_VERSION` is set):
      # pinning that version gives reproducible scans instead of a floating
      # "latest" download.
      - name: customEnvironmentVariables
        description:
          "A list of environment variables which can be set to prepare the environment to run a BlackDuck scan. This includes a list of environment variables defined by
          Synopsys. The full list can be found [here](https://synopsys.atlassian.net/wiki/spaces/IA/pages/1562214619/Shell+Script+Reference+6.9.0)
          This list affects the detect script downloaded while running the scan. By default detect7.sh will be used. To continue using detect6, please use DETECT_LATEST_RELEASE_VERSION and set it to a valid value
          defined [here](https://community.synopsys.com/s/document-item?bundleId=integrations-detect&topicId=releasenotes.html&_LANG=enus)"
        type: "[]string"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      # GitHub token, presumably used for the result issue (`createResultIssue`)
      # against `githubApiUrl`. Sensitive (`secret: true`); sourced from the
      # Jenkins credential `githubTokenCredentialsId` or from Vault
      # (`githubVaultSecretName`, default path `github`). Issue a PAT scoped
      # to the target repository only.
      - name: githubToken
        description: "GitHub personal access token as per
          https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line"
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
        secret: true
        aliases:
          - name: access_token
        resourceRef:
          - name: githubTokenCredentialsId
            type: secret
          - type: vaultSecret
            default: github
            name: githubVaultSecretName
      # Default false, but the resourceRef pulls
      # `custom/isOptimizedAndScheduled` from commonPipelineEnvironment, which
      # is how the longDescription's "implicitly activated for scheduled runs"
      # is wired. The issue publishes scan findings into the repository.
      - name: createResultIssue
        type: bool
        description: Activate creation of a result issue in GitHub.
        longDescription: |
          Whether the step creates a GitHub issue containing the scan results in the originating repo.
          Since optimized pipelines are headless the creation is implicitly activated for scheduled runs.
        resourceRef:
          - name: commonPipelineEnvironment
            param: custom/isOptimizedAndScheduled
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: false
      # Override for GitHub Enterprise; keep it https since `githubToken` is
      # sent to this endpoint.
      - name: githubApiUrl
        description: "Set the GitHub API URL."
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
        default: "https://api.github.com"
      # Owner / repository default to the values commonPipelineEnvironment
      # recorded for the current build.
      - name: owner
        aliases:
          - name: githubOrg
        description: "Set the GitHub organization."
        resourceRef:
          - name: commonPipelineEnvironment
            param: github/owner
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
      - name: repository
        aliases:
          - name: githubRepo
        description: "Set the GitHub repository."
        resourceRef:
          - name: commonPipelineEnvironment
            param: github/repository
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
      - name: assignees
        description: Defines the assignees for the Github Issue created/updated with the results of the scan as a list of login names.
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        type: "[]string"
        default: []
        mandatory: false
      # Certificates fetched from these links presumably end up in a trust
      # store the step uses, so the links must point at a trusted (https)
      # source — anyone who controls them controls what the step trusts.
      # NOTE(review): the description refers to a `publish` flag that this
      # step does not declare; the text looks copied from a Maven/Nexus step.
      # Verify what this parameter actually affects in detectExecuteScan.
      - name: customTlsCertificateLinks
        type: "[]string"
        description: "List of download links to custom TLS certificates. This is required to ensure trusted connections to instances with repositories (like nexus) when publish flag is set to true."
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
  outputs:
    resources:
      # Metrics written to influx: a step marker plus aggregate counts.
      - name: influx
        type: influx
        params:
          - name: step_data
            fields:
              - name: detect
                type: bool
          - name: detect_data
            fields:
              - name: vulnerabilities
                type: int
              - name: major_vulnerabilities
                type: int
              - name: minor_vulnerabilities
                type: int
              - name: components
                type: int
              - name: policy_violations
                type: int
      # Report files collected from the workspace; all are classified as
      # `blackduck-ip`. They contain vulnerability and policy details, so
      # treat the archived artifacts with the same care as the scan results.
      - name: reports
        type: reports
        params:
          - filePattern: "**/*BlackDuck_RiskReport.pdf"
            type: blackduck-ip
          - filePattern: "blackduck-ip.json"
            type: blackduck-ip
          - filePattern: "**/toolrun_detectExecute_*.json"
            type: blackduck-ip
          - filePattern: "**/piper_detect_vulnerability_report.html"
            type: blackduck-ip
          - filePattern: "**/detectExecuteScan_oss_*.json"
            type: blackduck-ip
          - filePattern: "**/piper_detect_policy_violation_report.html"
            type: blackduck-ip
          - filePattern: "**/detectExecuteScan_policy_*.json"
            type: blackduck-ip
  # Execution container. NOTE(review): the step runs as root (`-u 0`, working
  # directory /root) in `openjdk:11`. Root is a broad privilege for a scanner
  # that only needs to read the workspace and write reports — and Detect plus
  # an optional Maven build run code pulled from the project inside this
  # container — so prefer an unprivileged user if the image allows it. The
  # Docker Hub `openjdk` image is also deprecated upstream; consider a
  # maintained JDK 11 image (confirm against the project's image policy).
  containers:
    - name: openjdk
      image: openjdk:11
      workingDir: /root
      options:
        - name: -u
          value: "0"