github.com/jaylevin/jenkins-library@v1.230.4/resources/metadata/protecodeExecuteScan.yaml

```yaml
metadata:
  name: protecodeExecuteScan
  description: Black Duck Binary Analysis (BDBA), previously known as Protecode, is a vulnerability scanner for open-source components that is capable of scanning binaries. It can be used to scan docker images and it supports many other programming languages, especially those of the C family.
  longDescription: |-
    Black Duck Binary Analysis (previously known as Protecode) is a vulnerability scanning tool for open-source components which reports the composition of open-source components in a product along with security information (no license information is provided).
    BDBA (Protecode) uses a combination of static binary analysis techniques to X-ray the provided software package to identify third-party software components and their exact versions with a high level of confidence. Methods range from simple string matching to proprietary patent-pending techniques.

    !!! hint "Auditing findings (Triaging)"
        Triaging is now supported by the BDBA (Protecode) backend, and Piper also considers this information during the analysis of the scan results; however, product versions are not supported by BDBA (Protecode). Therefore please make sure that the `fileName` you are providing either contains a stable version or does not contain one at all. This ensures that you can triage CVEs globally on the uploaded file's name without affecting any other artifacts scanned in the same BDBA (Protecode) group; triaged vulnerabilities will then be considered during the next scan and will no longer fail the build.
spec:
  inputs:
    secrets:
      - name: protecodeCredentialsId
        description: Jenkins 'Username with password' credentials ID containing username and password to authenticate to the Protecode system.
        type: jenkins
      - name: dockerConfigJsonCredentialsId
        description: Jenkins 'Secret file' credentials ID containing Docker config.json (with registry credential(s)). You can create it as explained in [Prerequisites](https://www.project-piper.io/steps/protecodeExecuteScan/#prerequisites).
        type: jenkins
        aliases:
          - name: dockerCredentialsId
            deprecated: true
    params:
      - name: excludeCVEs
        aliases:
          - name: protecodeExcludeCVEs
        type: string
        description: "DEPRECATED: Use triaging within the Protecode UI instead"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: ""
      - name: failOnSevereVulnerabilities
        aliases:
          - name: protecodeFailOnSevereVulnerabilities
        type: bool
        description: Whether to fail the job on severe vulnerabilities or not
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: scanImage
        aliases:
          - name: dockerImage
        type: string
        description: "The reference to the docker image to scan with Protecode. Note: If possible please also check the [fetchUrl](https://www.project-piper.io/steps/protecodeExecuteScan/#fetchurl) parameter, which might help you to optimize upload time."
        resourceRef:
          - name: commonPipelineEnvironment
            param: container/imageNameTag
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
      - name: dockerRegistryUrl
        type: string
        description: The reference to the docker registry to scan with Protecode
        resourceRef:
          - name: commonPipelineEnvironment
            param: container/registryUrl
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
      - name: dockerConfigJSON
        type: string
        description: Path to the file `.docker/config.json` - this is typically provided by your CI/CD system. You can find more details about the Docker credentials in the [Docker documentation](https://docs.docker.com/engine/reference/commandline/login/).
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        secret: true
        resourceRef:
          - name: commonPipelineEnvironment
            param: custom/dockerConfigJSON
          - name: dockerConfigJsonCredentialsId
            type: secret
          - type: vaultSecretFile
            name: dockerConfigFileVaultSecretName
            default: docker-config
      - name: cleanupMode
        type: string
        description: Decides which parts are removed from the Protecode backend after the scan
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: binary
        possibleValues:
          - none
          - binary
          - complete
      - name: filePath
        type: string
        description: The path to the file from the local workspace to scan with Protecode
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: timeoutMinutes
        aliases:
          - name: protecodeTimeoutMinutes
        type: string
        description: The timeout to wait for the scan to finish
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 60
      - name: serverUrl
        aliases:
          - name: protecodeServerUrl
        type: string
        description: The URL to the Protecode backend
        mandatory: true
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
      - name: reportFileName
        type: string
        description: The file name of the report to be created
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: protecode_report.pdf
      - name: fetchUrl
        type: string
        description: The URL to fetch the file or image to scan with Protecode.
        longDescription: The URL to fetch the file or image to scan with Protecode. The URL must be accessible via a public HTTP GET request. To fetch a docker image the URL needs a 'docker-registry-' prefix.
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: group
        aliases:
          - name: protecodeGroup
        type: string
        description: The Protecode group ID of your team
        mandatory: true
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: verifyOnly
        aliases:
          - name: reuseExisting
            deprecated: true
        type: bool
        description: Whether the step shall only apply verification checks or whether it does a full scan and check cycle
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: false
      - name: replaceProductId
        type: int
        description: Specify <replaceProductId> to have the application binary replaced and rescanned while the product ID remains unchanged. By using this parameter, Protecode avoids creating multiple identical products. Note that this will affect results and feeds. If no product ID is specified, Piper starts an auto-detection mechanism; more precisely, it searches for a product ID with the scanned product name in the specified group, and if several scans have been done with the same product name, the latest scan ID will be fetched from the BDBA backend. After obtaining the product ID, Piper re-uploads / replaces the new binary without affecting the already existing product ID.
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: username
        aliases:
          - name: user
            deprecated: true
        type: string
        description: User which is used for the Protecode scan
        mandatory: true
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        secret: true
        resourceRef:
          - name: protecodeCredentialsId
            type: secret
            param: username
          - type: vaultSecret
            name: protecodeVaultSecretName
            default: protecode
      - name: password
        type: string
        description: Password which is used for the user
        mandatory: true
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        secret: true
        resourceRef:
          - name: protecodeCredentialsId
            type: secret
            param: password
          - type: vaultSecret
            name: protecodeVaultSecretName
            default: protecode
      - name: version
        aliases:
          - name: artifactVersion
            deprecated: true
        type: string
        description: The version of the artifact to allow identification in the Protecode backend
        resourceRef:
          - name: commonPipelineEnvironment
            param: artifactVersion
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: customScanVersion
        type: string
        description: "A custom version used along with the uploaded scan results."
        longDescription: |-
          Defines a custom version for the BDBA scan which deviates from the typical versioning pattern using [`version`](#version) and [`versioningModel`](#versioningModel).
          It allows setting non-numeric versions as well and supersedes the value of [`version`](#version), which is calculated automatically.
          The parameter is also used by other scan steps (e.g. Fortify, Sonar, WhiteSource) and thus allows a common custom version across scan tools.
        scope: [GENERAL, STAGES, STEPS, PARAMETERS]
      - name: versioningModel
        type: string
        description: "The versioning model used for result reporting (based on the artifact version). Example: 1.2.3 using `major` will result in version 1"
        longDescription: |-
          The versioning model used for result reporting (based on the artifact version).
          For example: the version 1.2.3 of the artifact will result in a version 1 to report into, when `versioningModel: major` is used, and will result in a version 1.2 when `versioningModel: major-minor` is used.
          Recommendation for a Continuous Delivery process is to use `versioningModel: major`.
        scope:
          - PARAMETERS
          - GENERAL
          - STAGES
          - STEPS
        default: "major"
        possibleValues:
          - major
          - major-minor
          - semantic
          - full
      - name: pullRequestName
        type: string
        description: The name of the pull request
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
  outputs:
    resources:
      - name: influx
        type: influx
        params:
          - name: step_data
            fields:
              - name: protecode
                type: bool
          - name: protecode_data
            fields:
              - name: excluded_vulnerabilities
                type: int
              - name: historical_vulnerabilities
                type: int
              - name: major_vulnerabilities
                type: int
              - name: minor_vulnerabilities
                type: int
              - name: triaged_vulnerabilities
                type: int
              - name: vulnerabilities
                type: int
      - name: reports
        type: reports
        params:
          - filePattern: "**/toolrun_protecode_*.json"
            type: protecode
          - paramRef: reportFileName
            type: protecode
          - filePattern: "**/protecodeExecuteScan.json"
            type: protecode
          - filePattern: "**/protecodescan_vulns.json"
            type: protecode
```
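The `versioningModel` and `customScanVersion` descriptions above explain how the reporting version is derived from the artifact version and why a stable version matters for triage. The following Go program is an added example, not code from the Piper library: it implements the documented mapping for `major` and `major-minor` and the precedence of `customScanVersion` over the calculated version. The metadata lists `semantic` and `full` without defining them, so their handling here (first three numeric segments with any `-`/`+` build suffix stripped, and the unchanged string, respectively) is an assumption of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// applyVersioningModel derives the version to report into from the artifact
// version. "major" and "major-minor" follow the examples in the metadata;
// "semantic" and "full" are assumptions (not defined on the page).
func applyVersioningModel(model, artifactVersion string) (string, error) {
	parts := strings.Split(artifactVersion, ".")
	keep := 0
	switch model {
	case "major":
		keep = 1
	case "major-minor":
		keep = 2
	case "semantic":
		// Assumption: major.minor.patch, dropping a "-" or "+" build suffix.
		keep = 3
	case "full":
		// Assumption: the artifact version is used unchanged.
		return artifactVersion, nil
	default:
		return "", fmt.Errorf("unknown versioningModel %q", model)
	}
	if len(parts) < keep {
		keep = len(parts)
	}
	selected := parts[:keep]
	if model == "semantic" && len(selected) == 3 {
		patch := selected[2]
		if i := strings.IndexAny(patch, "-+"); i >= 0 {
			patch = patch[:i]
		}
		selected = []string{selected[0], selected[1], patch}
	}
	return strings.Join(selected, "."), nil
}

// resolveScanVersion applies the precedence described for customScanVersion:
// a non-empty custom version supersedes the automatically calculated one.
func resolveScanVersion(customScanVersion, versioningModel, artifactVersion string) (string, error) {
	if customScanVersion != "" {
		return customScanVersion, nil
	}
	return applyVersioningModel(versioningModel, artifactVersion)
}

func main() {
	// Constructed sample: two consecutive CD builds with timestamped versions.
	builds := []string{"1.2.3-20240101", "1.4.0-20240202"}
	for _, model := range []string{"major", "major-minor", "semantic", "full"} {
		for _, b := range builds {
			v, err := resolveScanVersion("", model, b)
			if err != nil {
				fmt.Println("error:", err)
				continue
			}
			fmt.Printf("versioningModel=%-11s artifact=%-16s reports into %q\n", model, b, v)
		}
	}
	// Under "major" both builds report into the same version, so triage
	// decisions taken on the first build still apply to the second one.
	v, _ := resolveScanVersion("release-2024", "major", builds[0])
	fmt.Println("customScanVersion overrides the calculated value:", v)
}
```

Running the program shows that only `major` (and, for same-minor builds, `major-minor`) keeps consecutive builds in one reporting version, which is the reason the metadata recommends `versioningModel: major` for a Continuous Delivery process.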