# Step metadata for whitesourceExecuteScan: declares the step's secrets,
# parameters (scope, defaults, secret and resource bindings), outputs and
# the per-buildTool container images. How this file is consumed (code or
# documentation generation) is decided by the library tooling, not here.
metadata:
  name: whitesourceExecuteScan
  description: Execute a WhiteSource scan
  longDescription: |-
    With this step [WhiteSource](https://www.whitesourcesoftware.com) security and license compliance scans can be executed and assessed.
    WhiteSource is a Software as a Service offering based on a so called unified agent that locally determines the dependency
    tree of a node.js, Java, Python, Ruby, or Scala based solution and sends it to the WhiteSource server for a policy based license compliance
    check and additional Free and Open Source Software Publicly Known Vulnerabilities detection.

    The step uses the so-called WhiteSource Unified Agent. For details please refer to the [WhiteSource Unified Agent Documentation](https://whitesource.atlassian.net/wiki/spaces/WD/pages/33718339/Unified+Agent).

    !!! note "Docker Images"
        The underlying Docker images are public and specific to the solution's programming language(s) and therefore may have to be exchanged
        to fit to and support the relevant scenario. The default Python environment used is i.e. Python 3 based.
spec:
  inputs:
    # Jenkins credential IDs. The `secret: true` parameters further down
    # bind to them through `resourceRef`, so only the ID (never the token
    # value) is written in pipeline configuration.
    secrets:
      - name: userTokenCredentialsId
        aliases:
          - name: whitesourceUserTokenCredentialsId
          - name: whitesource/userTokenCredentialsId
            deprecated: true
        description: Jenkins 'Secret text' credentials ID containing Whitesource user token.
        type: jenkins
      # Org admin token: needed when products are created on the fly
      # (see `createProductFromPipeline`); treat it as more privileged
      # than the user token and scope its use accordingly.
      - name: orgAdminUserTokenCredentialsId
        aliases:
          - name: whitesourceOrgAdminUserTokenCredentialsId
          - name: whitesource/orgAdminUserTokenCredentialsId
            deprecated: true
        description: Jenkins 'Secret text' credentials ID containing Whitesource org admin token.
        type: jenkins
      # The referenced config.json carries registry credentials, hence a
      # 'Secret file' rather than 'Secret text' credential.
      - name: dockerConfigJsonCredentialsId
        description: Jenkins 'Secret file' credentials ID containing Docker config.json (with registry credential(s)).
          You can find more details about the Docker credentials in the [Docker documentation](https://docs.docker.com/engine/reference/commandline/login/).
        type: jenkins
        aliases:
          - name: dockerCredentialsId
            deprecated: true
      - name: githubTokenCredentialsId
        description: Jenkins 'Secret text' credentials ID containing token to authenticate to GitHub.
        type: jenkins
    params:
      # NOTE(review): the default points at a moving "latest" release, so the
      # agent jar executed by the step can change between runs without any
      # change to the pipeline; no checksum or signature check is declared in
      # this file. Pin a release (or verify the download in the consuming
      # step) where reproducible, auditable scans are required.
      - name: agentDownloadUrl
        type: string
        description: "URL used to download the latest version of the WhiteSource Unified Agent."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: https://github.com/whitesource/unified-agent-distribution/releases/latest/download/wss-unified-agent.jar
      - name: agentFileName
        type: string
        description: "Locally used name for the Unified Agent jar file after download."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: "wss-unified-agent.jar"
      # Declared but, per its description, not wired up in the step yet.
      - name: agentParameters
        type: "[]string"
        description: "[NOT IMPLEMENTED] List of additional parameters passed to the Unified Agent command line."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: agentUrl
        aliases:
          - name: whitesourceAgentUrl
        type: string
        description: "URL to the WhiteSource agent endpoint."
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: "https://saas.whitesourcesoftware.com/agent"
      # NOTE(review): the description refers to `config.ProductVersion`,
      # an implementation-side name rather than a parameter of this file;
      # presumably it means the `version` parameter — confirm.
      - name: aggregateVersionWideReport
        type: bool
        description: "This does not run a scan, instead just generated a report for all projects with
          projectVersion = config.ProductVersion"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      # Modules matched here are skipped entirely, i.e. their dependencies
      # are not assessed; keep the list to genuine test-only modules.
      - name: buildDescriptorExcludeList
        type: "[]string"
        description: "List of build descriptors and therefore modules to exclude from the scan and assessment activities."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: ["unit-tests/pom.xml", "integration-tests/pom.xml"]
      - name: buildDescriptorFile
        type: string
        description: "Explicit path to the build descriptor file."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      # Selects the container image used for the scan (see `containers`
      # at the end of this file).
      - name: buildTool
        type: string
        description: "Defines the tool which is used for building the artifact."
        mandatory: true
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        resourceRef:
          - name: commonPipelineEnvironment
            param: buildTool
      - name: configFilePath
        type: string
        description: "Explicit path to the WhiteSource Unified Agent configuration file."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: ./wss-unified-agent.config
      # Registry credentials are read from the common pipeline environment;
      # `secret: true` marks the value as sensitive for the step framework.
      - name: containerRegistryPassword
        description: "For `buildTool: docker`: Password for container registry access - typically provided by the CI/CD environment."
        type: string
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        secret: true
        resourceRef:
          - name: commonPipelineEnvironment
            param: container/repositoryPassword
          - name: commonPipelineEnvironment
            param: custom/repositoryPassword
      - name: containerRegistryUser
        description: "For `buildTool: docker`: Username for container registry access - typically provided by the CI/CD environment."
        type: string
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        secret: true
        resourceRef:
          - name: commonPipelineEnvironment
            param: container/repositoryUsername
          - name: commonPipelineEnvironment
            param: custom/repositoryUsername
      # Defaults to creating WhiteSource products from pipeline input; the
      # org admin token (`orgToken`) is what makes that possible.
      - name: createProductFromPipeline
        type: bool
        description: "Whether to create the related WhiteSource product on the fly based on the supplied pipeline
          configuration."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: customScanVersion
        type: string
        description: Custom version of the WhiteSource project used as source.
        longDescription: |-
          Defines a custom version for the WhiteSource scan which deviates from the typical versioning pattern using [`version`](#version) and [`versioningModel`](#versioningModel).
          It allows to set non-numeric versions as well and supersedes the value of [`version`](#version) which is calculated automatically.
          The parameter is also used by other scan steps (e.g. Detect, Fortify, Sonar) and thus allows a common custom version across scan tools.
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
      # Build-breaking threshold. The default "-1" presumably disables the
      # check (no CVSS score is below -1), meaning vulnerabilities are
      # reported but do not fail the build unless a limit is configured —
      # confirm against the step implementation. Kept as a string so the
      # value is not retyped by YAML parsers.
      - name: cvssSeverityLimit
        type: string
        description: "Limit of tolerable CVSS v3 score upon assessment and in consequence fails the build."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: "-1"
      - name: scanPath
        type: string
        description: "Directory where to start WhiteSource scan."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: "."
      # Path to a file holding registry credentials; resolved from the
      # pipeline environment, the Jenkins 'Secret file' credential, or a
      # Vault secret file, in the order listed.
      - name: dockerConfigJSON
        type: string
        description: Path to the file `.docker/config.json` - this is typically provided by your CI/CD system. You can find more details about the Docker credentials in the [Docker documentation](https://docs.docker.com/engine/reference/commandline/login/).
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        secret: true
        resourceRef:
          - name: commonPipelineEnvironment
            param: custom/dockerConfigJSON
          - name: dockerConfigJsonCredentialsId
            type: secret
          - type: vaultSecretFile
            name: dockerConfigFileVaultSecretName
            default: docker-config
      # Addresses listed here receive admin rights on products created by
      # this step; review them like any other privilege assignment.
      - name: emailAddressesOfInitialProductAdmins
        type: "[]string"
        description: "The list of email addresses to assign as product admins for newly created WhiteSource products."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: excludes
        type: "[]string"
        description: List of file path patterns to exclude in the scan.
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: includes
        type: "[]string"
        description: List of file path patterns to include in the scan.
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      # Declared but, per its description, not wired up in the step yet.
      - name: installCommand
        type: string
        description: "[NOT IMPLEMENTED] Install command that can be used to populate the default docker image for some scenarios."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      # Pinned to a specific SapMachine release, unlike `agentDownloadUrl`.
      - name: jreDownloadUrl
        aliases:
          - name: whitesource/jreDownloadUrl
            deprecated: true
        type: string
        description: "URL used for downloading the Java Runtime Environment (JRE) required to run the
          WhiteSource Unified Agent."
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: "https://github.com/SAP/SapMachine/releases/download/sapmachine-11.0.2/sapmachine-jre-11.0.2_linux-x64_bin.tar.gz"
      # Declared but, per its description, not wired up in the step yet.
      - name: licensingVulnerabilities
        type: bool
        description: "[NOT IMPLEMENTED] Whether license compliance is considered and reported as part of the assessment."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      # Resolved from the org admin credential or the Vault secret named
      # `whitesourceVaultSecret` (default path `whitesource`).
      - name: orgToken
        aliases:
          - name: whitesourceOrgToken
          - name: whitesource/orgToken
            deprecated: true
        type: string
        description: "WhiteSource token identifying your organization."
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        secret: true
        mandatory: true
        resourceRef:
          - name: orgAdminUserTokenCredentialsId
            type: secret
          - type: vaultSecret
            name: whitesourceVaultSecret
            default: whitesource
      - name: productName
        aliases:
          - name: whitesourceProductName
          - name: whitesource/productName
            deprecated: true
        type: string
        description: "Name of the WhiteSource product used for results aggregation.
          This parameter is mandatory if the parameter `createProductFromPipeline` is set to `true`
          and the WhiteSource product does not yet exist.
          It is also mandatory if the parameter `productToken` is not provided."
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
      # Not marked `secret: true` here; whether a product token should be
      # treated as sensitive depends on WhiteSource's token model — verify.
      - name: productToken
        aliases:
          - name: whitesourceProductToken
          - name: whitesource/productToken
            deprecated: true
        type: string
        description: "Token of the WhiteSource product to be created and used for results aggregation,
          usually determined automatically. Can optionally be provided as an alternative to `productName`."
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
      - name: version
        aliases:
          - name: productVersion
          - name: whitesourceProductVersion
          - name: whitesource/productVersion
            deprecated: true
        type: string
        description: Version of the WhiteSource product to be created and used for results aggregation.
        longDescription: |-
          Version of the WhiteSource product to be created and used for results aggregation.
          This is usually determined automatically based on the information in the buildTool specific build descriptor file.
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        resourceRef:
          - name: commonPipelineEnvironment
            param: artifactVersion
      # Per the description, aggregating several NPM modules into one
      # project overwrites earlier results — only the last module's
      # findings survive, so vulnerabilities can silently disappear.
      - name: projectName
        aliases:
          - name: whitesourceProjectName
        type: string
        description: "The project name used for reporting results in WhiteSource.
          When provided, all source modules will be scanned into one aggregated WhiteSource project.
          For scan types `maven`, `mta`, `npm`, the default is to generate one WhiteSource project per module,
          whereas the project name is derived from the module's build descriptor.
          For NPM modules, project aggregation is not supported, the last scanned NPM module will override all
          previously aggregated scan results!"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: projectToken
        type: string
        description: "Project token to execute scan on. Ignored for scan types `maven`, `mta` and `npm`.
          Used for project aggregation when scanning with the Unified Agent and can be provided as an
          alternative to `projectName`."
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
      # Setting this to false skips the assessment entirely, i.e. the
      # scan runs but nothing is evaluated against `cvssSeverityLimit`.
      - name: reporting
        type: bool
        description: "Whether assessment is being done at all, defaults to `true`"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: scanImage
        type: string
        description: "For `buildTool: docker`: Defines the docker image which should be scanned."
        resourceRef:
          - name: commonPipelineEnvironment
            param: container/imageNameTag
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: scanImageRegistryUrl
        type: string
        description: "For `buildTool: docker`: Defines the registry where the scanImage is located."
        resourceRef:
          - name: commonPipelineEnvironment
            param: container/registryUrl
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: securityVulnerabilities
        type: bool
        description: "Whether security compliance is considered and reported as part of the assessment."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: serviceUrl
        aliases:
          - name: whitesourceServiceUrl
          - name: whitesource/serviceUrl
            deprecated: true
        type: string
        description: "URL to the WhiteSource API endpoint."
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: "https://saas.whitesourcesoftware.com/api"
      - name: timeout
        type: int
        description: "Timeout in seconds until an HTTP call is forcefully terminated."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 900
      # Resolved from the user credential or the same Vault secret as
      # `orgToken`.
      - name: userToken
        type: string
        description: User token to access WhiteSource. In Jenkins use case this is automatically filled through the credentials.
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        secret: true
        mandatory: true
        resourceRef:
          - name: userTokenCredentialsId
            type: secret
          - type: vaultSecret
            name: whitesourceVaultSecret
            default: whitesource
      # NOTE(review): the description refers to a `projectVersion`
      # parameter, which is neither a parameter nor an alias in this file;
      # presumably `version` is meant — confirm.
      - name: versioningModel
        type: string
        description: "The default project versioning model used in case `projectVersion` parameter is
          empty for creating the version based on the build descriptor version to report results in
          Whitesource, can be one of `'major'`, `'major-minor'`, `'semantic'`, `'full'`"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
          - GENERAL
        default: "major"
        aliases:
          - name: defaultVersioningModel
      - name: vulnerabilityReportFormat
        type: string
        description: "Format of the file the vulnerability report is written to."
        possibleValues: [xlsx, json, xml]
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: xlsx
      - name: vulnerabilityReportTitle
        type: string
        description: "Title of vulnerability report written during the assessment phase."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: "WhiteSource Security Vulnerability Report"
      # Global maven settings, should be added to all maven steps
      - name: projectSettingsFile
        type: string
        description: "Path to the mvn settings file that should be used as project settings file."
        scope:
          - GENERAL
          - STEPS
          - STAGES
          - PARAMETERS
        aliases:
          - name: maven/projectSettingsFile
      - name: globalSettingsFile
        type: string
        description: "Path to the mvn settings file that should be used as global settings file."
        scope:
          - GENERAL
          - STEPS
          - STAGES
          - PARAMETERS
        aliases:
          - name: maven/globalSettingsFile
      - name: m2Path
        type: string
        description: "Path to the location of the local repository that should be used."
        scope:
          - GENERAL
          - STEPS
          - STAGES
          - PARAMETERS
        aliases:
          - name: maven/m2Path
      # Runs a maven install before the scan; this executes the project's
      # build (plugins included) inside the scan container.
      - name: installArtifacts
        type: bool
        description:
          "If enabled, it will install all artifacts to the local maven repository to make them available before running whitesource.
          This is required if any maven module has dependencies to other modules in the repository and they were not installed before."
        scope:
          - GENERAL
          - STEPS
          - STAGES
          - PARAMETERS
      # Global npm settings, should be added to all npm steps
      - name: defaultNpmRegistry
        type: string
        description: "URL of the npm registry to use. Defaults to https://registry.npmjs.org/"
        scope:
          - PARAMETERS
          - GENERAL
          - STAGES
          - STEPS
        aliases:
          - name: npm/defaultNpmRegistry
      # GitHub token used for result issues (see `createResultIssue`);
      # resolved from the Jenkins credential or the Vault secret named
      # `githubVaultSecretName` (default path `github`).
      - name: githubToken
        description: "GitHub personal access token as per
          https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line"
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
        secret: true
        aliases:
          - name: access_token
        resourceRef:
          - name: githubTokenCredentialsId
            type: secret
          - type: vaultSecret
            default: github
            name: githubVaultSecretName
      # Publishes scan findings into a GitHub issue; note that this puts
      # vulnerability details wherever the repository's issues are visible.
      - name: createResultIssue
        type: bool
        description: Activate creation of a result issue in GitHub.
        longDescription: |
          Whether the step creates a GitHub issue containing the scan results in the originating repo.
          Since optimized pipelines are headless the creation is implicitly activated for scheduled runs.
        resourceRef:
          - name: commonPipelineEnvironment
            param: custom/isOptimizedAndScheduled
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: false
      - name: githubApiUrl
        description: "Set the GitHub API URL."
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
        default: "https://api.github.com"
      - name: owner
        aliases:
          - name: githubOrg
        description: "Set the GitHub organization."
        resourceRef:
          - name: commonPipelineEnvironment
            param: github/owner
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
      - name: repository
        aliases:
          - name: githubRepo
        description: "Set the GitHub repository."
        resourceRef:
          - name: commonPipelineEnvironment
            param: github/repository
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
      - name: assignees
        description: Defines the assignees for the Github Issue created/updated with the results of the scan as a list of login names.
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        type: "[]string"
        default: []
        mandatory: false
      # Certificates fetched from these links become trusted for the
      # step's outbound connections, so the links themselves are part of
      # the trust decision — serve them from a controlled location.
      - name: customTlsCertificateLinks
        type: "[]string"
        description: "List of download links to custom TLS certificates. This is required to ensure trusted connections to instances with repositories (like nexus) when publish flag is set to true."
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
    # Stashes restored before the step runs. NOTE(review): `checkmarx`
    # looks unrelated to a WhiteSource scan — verify it is intended.
    resources:
      - name: buildDescriptor
        type: stash
      - name: opensourceConfiguration
        type: stash
      - name: checkmarx
        type: stash
  outputs:
    resources:
      - name: commonPipelineEnvironment
        type: piperEnvironment
        params:
          - name: custom/whitesourceProjectNames
            type: "[]string"
      # Metrics exported to Influx; the counters below are what dashboards
      # can alert on.
      - name: influx
        type: influx
        params:
          - name: step_data
            fields:
              - name: whitesource
                type: bool
          - name: whitesource_data
            fields:
              - name: vulnerabilities
                type: int
              - name: major_vulnerabilities
                type: int
              - name: minor_vulnerabilities
                type: int
              - name: policy_violations
                type: int
      # Report artifacts; the same PDF and tool-run JSON files are filed
      # under both the IP and the security report category.
      - name: reports
        type: reports
        params:
          - filePattern: "**/whitesource-ip.json"
            type: whitesource-ip
          - filePattern: "whitesource-riskReport.pdf"
            type: whitesource-ip
          - filePattern: "**/toolrun_whitesource_*.json"
            type: whitesource-ip
          - filePattern: "**/piper_whitesource_vulnerability_report.html"
            type: whitesource-security
          - filePattern: "whitesource-riskReport.pdf"
            type: whitesource-security
          - filePattern: "**/toolrun_whitesource_*.json"
            type: whitesource-security
  # Scan container per `buildTool`. NOTE(review): most tags are floating
  # (`golang:1`, `gradle`, `node:lts-stretch`, `maven:3.5-jdk-8`,
  # `python:3.6-stretch`), so the image actually pulled can change between
  # runs, and the `*-stretch` tags are built on Debian 9, which is end of
  # life. Pin digests where reproducible scans are required.
  containers:
    - image: buildpack-deps:stretch-curl
      workingDir: /tmp
      env: []
      conditions:
        - conditionRef: strings-equal
          params:
            - name: buildTool
              value: dub
            - name: buildTool
              value: docker
    - image: devxci/mbtci-java11-node14
      workingDir: /home/mta
      env: []
      conditions:
        - conditionRef: strings-equal
          params:
            - name: buildTool
              value: mta
    # `-u 0` runs the container as uid 0 (root), which widens what a
    # compromised dependency or build script can do inside the scan
    # container; keep only if the image needs it.
    - image: golang:1
      workingDir: /go
      env: []
      options:
        - name: -u
          value: "0"
      conditions:
        - conditionRef: strings-equal
          params:
            - name: buildTool
              value: golang
    - image: gradle
      workingDir: /home/gradle
      env: []
      conditions:
        - conditionRef: strings-equal
          params:
            - name: buildTool
              value: gradle
    - image: hseeberger/scala-sbt:8u181_2.12.8_1.2.8
      workingDir: /tmp
      env: []
      conditions:
        - conditionRef: strings-equal
          params:
            - name: buildTool
              value: sbt
    - image: maven:3.5-jdk-8
      workingDir: /tmp
      env: []
      conditions:
        - conditionRef: strings-equal
          params:
            - name: buildTool
              value: maven
    - image: node:lts-stretch
      workingDir: /home/node
      env: []
      conditions:
        - conditionRef: strings-equal
          params:
            - name: buildTool
              value: npm
    - image: python:3.6-stretch
      workingDir: /tmp
      env: []
      conditions:
        - conditionRef: strings-equal
          params:
            - name: buildTool
              value: pip
    # Same image as the npm entry; only the `buildTool` condition differs.
    - image: node:lts-stretch
      workingDir: /home/node
      env: []
      conditions:
        - conditionRef: strings-equal
          params:
            - name: buildTool
              value: yarn