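# Step metadata for detectExecuteScan: declares the step's inputs (resources,
# secrets, params), its outputs (influx data, report file patterns) and the
# container the step runs in.
metadata:
  name: detectExecuteScan
  description: Executes Synopsys Detect scan
  longDescription: |
    This step executes [Synopsys Detect](https://community.synopsys.com/s/document-item?bundleId=integrations-detect&topicId=introduction.html&_LANG=enus) scans.
    Synopsys Detect command line utility can be used to run various scans including BlackDuck and Polaris scans. This step allows users to run BlackDuck scans by default.
    Please configure your BlackDuck server Url using the serverUrl parameter and the API token of your user using the apiToken parameter for this step.
spec:
  inputs:
    resources:
      - name: buildDescriptor
        type: stash
      - name: checkmarx
        type: stash
    # Credentials are referenced by Jenkins credentials ID (or by the Vault
    # secret names given in the params' resourceRef entries); no secret value
    # is stored in this file.
    secrets:
      - name: detectTokenCredentialsId
        aliases:
          - name: apiTokenCredentialsId
        description: Jenkins 'Secret text' credentials ID containing the API token used to authenticate with the Synopsys Detect (formerly BlackDuck) Server.
        type: jenkins
      - name: githubTokenCredentialsId
        description: Jenkins 'Secret text' credentials ID containing token to authenticate to GitHub.
        type: jenkins
      - name: golangPrivateModulesGitTokenCredentialsId
        description: Jenkins 'Username with password' credentials ID containing username/password for http access to your git repos where your go private modules are stored.
        type: jenkins
    params:
      - name: token
        aliases:
          - name: blackduckToken
          - name: detectToken
          - name: apiToken
            deprecated: true
          - name: detect/apiToken
            deprecated: true
        description: Api token to be used for connectivity with Synopsys Detect server.
        type: string
        mandatory: true
        # Marked secret; presumably resolved from the Jenkins credential or
        # Vault secret listed under resourceRef rather than from plain config.
        secret: true
        resourceRef:
          - name: detectTokenCredentialsId
            type: secret
          - type: vaultSecret
            name: detectVaultSecretName
            default: detect
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: codeLocation
        description: An override for the name Detect will use for the scan file it creates.
        type: string
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: projectName
        description: Name of the Synopsys Detect (formerly BlackDuck) project.
        aliases:
          - name: detect/projectName
        type: string
        mandatory: true
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: scanners
        description: List of scanners to be used for Synopsys Detect (formerly BlackDuck) scan.
        aliases:
          - name: detect/scanners
        type: "[]string"
        default:
          - signature
        possibleValues:
          - signature
          - source
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: scanPaths
        description: List of paths which should be scanned by the Synopsys Detect (formerly BlackDuck) scan.
        aliases:
          - name: detect/scanPaths
        type: "[]string"
        default:
          - "."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: dependencyPath
        description: Absolute Path of the dependency management file of the project. This path represents the folder which contains the pom file, package.json etc. If the project contains multiple pom files, provide the path to the parent pom file or the base folder of the project
        aliases:
          - name: detect/dependencyPath
        type: "string"
        default: "."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: unmap
        description: Unmap flag will unmap all previous code locations and keep only the current scan results in the specified project version. Set this parameter to true, when the project version needs to store only the latest scan results.
        aliases:
          - name: detect/unmap
        type: bool
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: scanProperties
        description: Properties passed to the Synopsys Detect (formerly BlackDuck) scan. You can find details in the [Synopsys Detect documentation](https://community.synopsys.com/s/document-item?bundleId=integrations-detect&topicId=properties%2Fall-properties.html&_LANG=enus)
        aliases:
          - name: detect/scanProperties
        type: "[]string"
        default:
          - --blackduck.signature.scanner.memory=4096
          - --detect.timeout=6000
          # NOTE(review): presumably accepts the server certificate without
          # validation; prefer a properly trusted server certificate and
          # override this default in production configurations.
          - --blackduck.trust.cert=true
          # NOTE(review): DEBUG logging is verbose; review build logs before
          # sharing them outside the team.
          - --logging.level.com.synopsys.integration=DEBUG
          - --detect.maven.excluded.scopes=test
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: serverUrl
        description: Server URL to the Synopsys Detect (formerly BlackDuck) Server.
        aliases:
          - name: detect/serverUrl
        type: string
        mandatory: true
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: groups
        description: User groups to be assigned for the Project
        aliases:
          - name: detect/groups
        type: "[]string"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: failOn
        description: Mark the current build as fail based on the policy categories applied.
        longDescription: |
          A list of policies can be provided which will be applied after the scan is completed. These policies if violated will mark the build/scan result as failed.
          The list of accepted values can be found at [Synopsys detect documentation](https://community.synopsys.com/s/document-item?bundleId=integrations-detect&topicId=properties%2Fconfiguration%2Fproject.html&anchor=fail-on-policy-violation-severities&_LANG=enus)
        aliases:
          - name: detect/failOn
        type: "[]string"
        default:
          - BLOCKER
        possibleValues:
          - ALL
          - BLOCKER
          - CRITICAL
          - MAJOR
          - MINOR
          - NONE
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: versioningModel
        type: string
        description: The versioning model used for result reporting (based on the artifact version). Example 1.2.3 using `major` will result in version 1
        longDescription: |-
          The versioning model used for result reporting (based on the artifact version).
          For example: the version 1.2.3 of the artifact will result in a version 1 to report into, when `versioningModel: major` is used and will result in a version 1.2 when `versioningModel: major-minor` is used.
          Recommendation for a Continuous Delivery process is to use `versioningModel: major`.
        scope:
          - PARAMETERS
          - GENERAL
          - STAGES
          - STEPS
        default: "major"
        possibleValues:
          - major
          - major-minor
          - semantic
          - full
      - name: version
        aliases:
          - name: projectVersion
          - name: detect/projectVersion
        type: string
        description: Defines the version number of the artifact being built in the pipeline. It is used as source for the Detect version.
        longDescription: |-
          Defines the version number of the artifact being built in the pipeline.
          It is used for build version creation and as source for the Detect version.
          **Typically it is available through the pipeline run.**
          The project version of the Detect project is calculated using the [`versioningModel`](#versioningmodel).
        resourceRef:
          - name: commonPipelineEnvironment
            param: artifactVersion
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: customScanVersion
        type: string
        description: "A custom version used along with the uploaded scan results."
        longDescription: |-
          Defines a custom version for the Detect scan which deviates from the typical versioning pattern using [`version`](#version) and [`versioningModel`](#versioningModel).
          It allows to set non-numeric versions as well and supersedes the value of [`version`](#version) which is calculated automatically.
          The parameter is also used by other scan steps (e.g. Fortify, Sonar, WhiteSource) and thus allows a common custom version across scan tools.
        scope:
          - GENERAL
          - STAGES
          - STEPS
          - PARAMETERS
      - name: projectSettingsFile
        type: string
        description: "Path or url to the mvn settings file that should be used as project settings file."
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        aliases:
          - name: maven/projectSettingsFile
      - name: globalSettingsFile
        type: string
        description: "Path or url to the mvn settings file that should be used as global settings file"
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        aliases:
          - name: maven/globalSettingsFile
      - name: m2Path
        type: string
        description: Path to the location of the local repository that should be used.
        scope:
          - GENERAL
          - STEPS
          - STAGES
          - PARAMETERS
        aliases:
          - name: maven/m2Path
      - name: installArtifacts
        type: bool
        description:
          "If enabled, it will install all artifacts to the local maven repository to make them available before running detect.
          This is required if any maven module has dependencies to other modules in the repository and they were not installed before."
        scope:
          - GENERAL
          - STEPS
          - STAGES
          - PARAMETERS
      - name: includedPackageManagers
        description:
          "The package managers that need to be included for this scan. Providing the package manager names with this parameter will ensure that the build descriptor file of that package manager will be searched in the scan folder
          For the complete list of possible values for this parameter, please refer [Synopsys detect documentation](https://community.synopsys.com/s/document-item?bundleId=integrations-detect&topicId=properties%2Fconfiguration%2Fdetector.html&_LANG=enus&anchor=detector-types-included-advanced)"
        aliases:
          - name: detect/includedPackageManagers
        type: "[]string"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: excludedPackageManagers
        description:
          "The package managers that need to be excluded for this scan. Providing the package manager names with this parameter will ensure that the build descriptor file of that package manager will be ignored in the scan folder
          For the complete list of possible values for this parameter, please refer [Synopsys detect documentation](https://community.synopsys.com/s/document-item?bundleId=integrations-detect&topicId=properties%2Fconfiguration%2Fdetector.html&_LANG=enus&anchor=detector-types-excluded-advanced)"
        aliases:
          - name: detect/excludedPackageManagers
        type: "[]string"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: mavenExcludedScopes
        description: "The maven scopes that need to be excluded from the scan. For example, setting the value 'test' will exclude all components which are defined with a test scope in maven"
        aliases:
          - name: detect/mavenExcludedScopes
        type: "[]string"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: detectTools
        description:
          "The type of BlackDuck scanners to include while running the BlackDuck scan. By default All scanners are included.
          For the complete list of possible values, Please refer [Synopsys detect documentation](https://community.synopsys.com/s/document-item?bundleId=integrations-detect&topicId=properties%2Fconfiguration%2Fpaths.html&_LANG=enus&anchor=detect-tools-included)"
        aliases:
          - name: detect/detectTools
        type: "[]string"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: scanOnChanges
        description:
          "This flag determines if the scan is submitted to the server. If set to true, then the scan request is submitted to the server only when changes are detected in the Open Source Bill of Materials
          If the flag is set to false, then the scan request is submitted to server regardless of any changes.
          For more details please refer to the [documentation](https://github.com/blackducksoftware/detect_rescan/blob/master/README.md)"
        type: bool
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        deprecated: true
      - name: useDetect7
        # NOTE(review): description text is identical to useDetect8's — confirm
        # the intended wording for this flag.
        description:
          "This flag allows to use the currently supported 8 version of Detect Script instead of v7"
        aliases:
          - name: detect/useDetect7
        type: bool
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: false
      - name: useDetect8
        description:
          "This flag allows to use the currently supported 8 version of Detect Script instead of v7"
        aliases:
          - name: detect/useDetect8
            deprecated: true
        type: bool
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
        deprecated: true
      - name: successOnSkip
        description:
          "This flag forces Black Duck to exit with 0 error code if any step is skipped"
        aliases:
          - name: detect/successOnSkip
            deprecated: true
        type: bool
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
        deprecated: true
      - name: customEnvironmentVariables
        description:
          "A list of environment variables which can be set to prepare the environment to run a BlackDuck scan. This includes a list of environment variables defined by
          Synopsys. The full list can be found [here](https://community.synopsys.com/s/document-item?bundleId=integrations-detect&topicId=configuring%2Fenvvars.html&_LANG=enus)
          This list affects the detect script downloaded while running the scan. Right now only detect7.sh is available for downloading"
        type: "[]string"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: minScanInterval
        description:
          "This parameter controls the frequency (in number of hours) at which the signature scan is re-submitted for scan. When set to a
          value greater than 0, the signature scans are skipped until the specified number of hours has elapsed since the last signature scan."
        type: int
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: githubToken
        description: "GitHub personal access token as per
          https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line"
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
        secret: true
        aliases:
          - name: access_token
        resourceRef:
          - name: githubTokenCredentialsId
            type: secret
          - type: vaultSecret
            default: github
            name: githubVaultSecretName
      - name: createResultIssue
        type: bool
        description: Activate creation of a result issue in GitHub.
        longDescription: |
          Whether the step creates a GitHub issue containing the scan results in the originating repo.
          Since optimized pipelines are headless the creation is implicitly activated for scheduled runs.
        resourceRef:
          - name: commonPipelineEnvironment
            param: custom/isOptimizedAndScheduled
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: false
      - name: githubApiUrl
        description: "Set the GitHub API URL."
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
        default: "https://api.github.com"
      - name: owner
        aliases:
          - name: githubOrg
        description: "Set the GitHub organization."
        resourceRef:
          - name: commonPipelineEnvironment
            param: github/owner
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
      - name: repository
        aliases:
          - name: githubRepo
        description: "Set the GitHub repository."
        resourceRef:
          - name: commonPipelineEnvironment
            param: github/repository
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
      - name: assignees
        description: Defines the assignees for the Github Issue created/updated with the results of the scan as a list of login names.
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        type: "[]string"
        default: []
        mandatory: false
      - name: customTlsCertificateLinks
        type: "[]string"
        description: "List of download links to custom TLS certificates. This is required to ensure trusted connections to instances with repositories (like nexus) when publish flag is set to true."
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
      - name: failOnSevereVulnerabilities
        type: bool
        description: Whether to fail the step on severe vulnerabilities or not
        scope:
          - PARAMETERS
        default: true
      - name: buildTool
        type: string
        description: "Defines the tool which is used for building the artifact."
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        resourceRef:
          - name: commonPipelineEnvironment
            param: buildTool
      - name: excludedDirectories
        description:
          "List of directories which should be excluded from the scan."
        aliases:
          - name: detect/excludedDirectories
        type: "[]string"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: npmDependencyTypesExcluded
        description:
          "List of npm dependency types which Detect should exclude from the BOM."
        aliases:
          - name: detect/npmDependencyTypesExcluded
        type: "[]string"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        possibleValues:
          - NONE
          - DEV
          - PEER
      - name: npmArguments
        description:
          "List of additional arguments that Detect will add at the end of the npm ls command line when Detect executes the NPM CLI Detector on an NPM project."
        aliases:
          - name: detect/npmArguments
        type: "[]string"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: privateModules
        type: "string"
        description: Tells go which modules shall be considered to be private (by setting [GOPRIVATE](https://pkg.go.dev/cmd/go#hdr-Configuration_for_downloading_non_public_code)).
        scope:
          - GENERAL
          - STEPS
          - STAGES
          - PARAMETERS
        # NOTE(review): `alias` with bare strings differs from the
        # `aliases: - name:` form used by every other param in this file;
        # confirm the generator honors this key.
        alias:
          - goprivate
      - name: privateModulesGitToken
        description: GitHub personal access token as per https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line.
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
        secret: true
        resourceRef:
          - name: golangPrivateModulesGitTokenCredentialsId
            type: secret
            param: password
          - type: vaultSecret
            name: golangPrivateModulesGitTokenVaultSecret
            default: golang
  outputs:
    resources:
      - name: influx
        type: influx
        params:
          - name: step_data
            fields:
              - name: detect
                type: bool
          - name: detect_data
            fields:
              - name: vulnerabilities
                type: int
              - name: major_vulnerabilities
                type: int
              - name: minor_vulnerabilities
                type: int
              - name: components
                type: int
              - name: policy_violations
                type: int
      - name: reports
        type: reports
        params:
          - filePattern: "**/*BlackDuck_RiskReport.pdf"
            type: blackduck-ip
          - filePattern: "**/blackduck-ip.json"
            type: blackduck-ip
          - filePattern: "**/toolrun_detectExecute_*.json"
            type: blackduck-ip
          - filePattern: "**/piper_detect_policy_violation_report.html"
            type: blackduck-ip
          - filePattern: "**/*BlackDuck_RiskReport.pdf"
            type: blackduck-security
          - filePattern: "**/detectExecuteScan_policy_*.json"
            type: blackduck-security
          - filePattern: "**/piper_detect_vulnerability_report.html"
            type: blackduck-security
          - filePattern: "**/toolrun_detectExecute_*.json"
            type: blackduck-security
          - filePattern: "**/piper_detect_vulnerability.sarif"
            type: blackduck-security
          - filePattern: "**/piper_hub_detect_sbom.xml"
            type: blackduck-security
  containers:
    - name: openjdk
      # NOTE(review): mutable tag; pinning the image (e.g. by digest) gives
      # reproducible, auditable builds.
      image: openjdk:11
      workingDir: /root
      options:
        # `-u 0` presumably runs the container process as uid 0 (root).
        - name: -u
          value: "0"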