github.com/ouraigua/jenkins-library@v0.0.0-20231028010029-fbeaf2f3aa9b/resources/metadata/protecodeExecuteScan.yaml

metadata:
  name: protecodeExecuteScan
  description: Black Duck Binary Analysis (BDBA), previously known as Protecode, is an Open Source Vulnerability Scanner that is capable of scanning binaries. It can be used to scan docker images but it supports many other programming languages, especially those of the C family.
  longDescription: |-
    Black Duck Binary Analysis (previously known as Protecode) is an Open Source Vulnerability Scan tool which provides the composition of Open Source components in a product along with Security information (no license info is provided).
    BDBA (Protecode) uses a combination of static binary analysis techniques to X-ray the provided software package to identify third-party software components and their exact versions with a high level of confidence. Methods range from simple string matching to proprietary patent-pending techniques.

    !!! hint "Auditing findings (Triaging)"
        Triaging is now supported by the BDBA (Protecode) backend and Piper also considers this information during the analysis of the scan results, though product versions are not supported by BDBA (Protecode). Therefore please make sure that the `fileName` you are providing either contains a stable version or does not contain one at all. By ensuring this you are able to triage CVEs globally on the uploaded file's name without affecting any other artifacts scanned in the same BDBA (Protecode) group, and as such triaged vulnerabilities will be considered during the next scan and will not fail the build anymore.
spec:
  inputs:
    secrets:
      - name: protecodeCredentialsId
        description: Jenkins 'Username with password' credentials ID containing username and password to authenticate to the Protecode system.
        type: jenkins
      - name: protecodeApiKeyCredentialsId
        description: Jenkins 'Secret text' credentials ID containing API Key/token to authenticate to BDBA server.
        type: jenkins
      - name: dockerConfigJsonCredentialsId
        description: Jenkins 'Secret file' credentials ID containing Docker config.json (with registry credential(s)). You can create it like explained in [Prerequisites](https://www.project-piper.io/steps/protecodeExecuteScan/#prerequisites).
        type: jenkins
        aliases:
          - name: dockerCredentialsId
            deprecated: true
    params:
      - name: excludeCVEs
        aliases:
          - name: protecodeExcludeCVEs
        type: string
        description: "DEPRECATED: Do use triaging within the Protecode UI instead"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: ""
      - name: failOnSevereVulnerabilities
        aliases:
          - name: protecodeFailOnSevereVulnerabilities
        type: bool
        description: Whether to fail the step on severe vulnerabilities or not
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: scanImage
        aliases:
          - name: dockerImage
        type: string
        description: "The reference to the docker image to scan with Protecode. Note: If possible please also check [fetchUrl](https://www.project-piper.io/steps/protecodeExecuteScan/#fetchurl) parameter, which might help you to optimize upload time."
        resourceRef:
          - name: commonPipelineEnvironment
            param: container/imageNameTag
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
      - name: dockerRegistryUrl
        type: string
        description: The reference to the docker registry to scan with Protecode
        resourceRef:
          - name: commonPipelineEnvironment
            param: container/registryUrl
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
      - name: containerRegistryPassword
        description: "For `buildTool: docker`: Password for container registry access - typically provided by the CI/CD environment."
        type: string
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        secret: true
        resourceRef:
          - name: commonPipelineEnvironment
            param: container/repositoryPassword
          - name: commonPipelineEnvironment
            param: custom/repositoryPassword
      - name: containerRegistryUser
        description: "For `buildTool: docker`: Username for container registry access - typically provided by the CI/CD environment."
        type: string
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        secret: true
        resourceRef:
          - name: commonPipelineEnvironment
            param: container/repositoryUsername
          - name: commonPipelineEnvironment
            param: custom/repositoryUsername
      - name: dockerConfigJSON
        type: string
        description: Path to the file `.docker/config.json` - this is typically provided by your CI/CD system. You can find more details about the Docker credentials in the [Docker documentation](https://docs.docker.com/engine/reference/commandline/login/).
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        secret: true
        resourceRef:
          - name: commonPipelineEnvironment
            param: custom/dockerConfigJSON
          - name: dockerConfigJsonCredentialsId
            type: secret
          - type: vaultSecretFile
            name: dockerConfigFileVaultSecretName
            default: docker-config
      - name: cleanupMode
        type: string
        description: Decides which parts are removed from the Protecode backend after the scan
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: binary
        possibleValues:
          - none
          - binary
          - complete
      - name: filePath
        type: string
        description: The path to the file from local workspace to scan with Protecode
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: timeoutMinutes
        aliases:
          - name: protecodeTimeoutMinutes
        type: string
        description: The timeout to wait for the scan to finish
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 60
      - name: serverUrl
        aliases:
          - name: protecodeServerUrl
        type: string
        description: The URL to the Protecode backend
        mandatory: true
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
      - name: reportFileName
        type: string
        description: The file name of the report to be created
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: protecode_report.pdf
      - name: fetchUrl
        type: string
        description: The URL to fetch the file or image to scan with Protecode.
        longDescription: The URL to fetch the file or image to scan with Protecode. The URL must be accessible via public HTTP GET request. To fetch a docker image the URL needs a 'docker-registry-' prefix.
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: group
        aliases:
          - name: protecodeGroup
        type: string
        description: The Protecode group ID of your team
        mandatory: true
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: verifyOnly
        aliases:
          - name: reuseExisting
            deprecated: true
        type: bool
        description: Whether the step shall only apply verification checks or whether it does a full scan and check cycle
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: false
      - name: replaceProductId
        type: int
        description: Specify <replaceProductId> which application binary will be replaced and rescanned while the product id remains unchanged. By using this parameter, Protecode avoids creating multiple identical products. Note this will affect results and feeds. If the product id is not specified, then Piper starts an auto detection mechanism; more precisely it searches for a product id with the scanned product name in the specified group, and if several scans have been done with the same product name then the latest scan id will be fetched from the BDBA backend. After obtaining the product id, Piper re-uploads / replaces the new binary without affecting the already existing product id.
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: username
        aliases:
          - name: user
            deprecated: true
        type: string
        description: User which is used for the protecode scan
        mandatory: true
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        secret: true
        resourceRef:
          - name: protecodeCredentialsId
            type: secret
            param: username
          - type: vaultSecret
            name: protecodeVaultSecretName
            default: protecode
      - name: password
        type: string
        description: Password which is used for the user
        mandatory: true
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        secret: true
        resourceRef:
          - name: protecodeCredentialsId
            type: secret
            param: password
          - type: vaultSecret
            name: protecodeVaultSecretName
            default: protecode
      - name: userAPIKey
        type: string
        description: User API key which is used for API calls. Replacement for username and password / basic authentication.
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        secret: true
        resourceRef:
          - name: protecodeApiKeyCredentialsId
            type: secret
            param: userAPIKey
          - type: vaultSecret
            name: protecodeApiKeyVaultSecretName
            default: protecode
      - name: version
        aliases:
          - name: artifactVersion
            deprecated: true
        type: string
        description: The version of the artifact to allow identification in protecode backend
        resourceRef:
          - name: commonPipelineEnvironment
            param: artifactVersion
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: customScanVersion
        type: string
        description: "A custom version used along with the uploaded scan results."
        longDescription: |-
          Defines a custom version for the BDBA scan which deviates from the typical versioning pattern using [`version`](#version) and [`versioningModel`](#versioningModel).
          It allows to set non-numeric versions as well and supersedes the value of [`version`](#version) which is calculated automatically.
          The parameter is also used by other scan steps (e.g. Fortify, Sonar, WhiteSource) and thus allows a common custom version across scan tools.
        scope: [GENERAL, STAGES, STEPS, PARAMETERS]
      - name: versioningModel
        type: string
        description: The versioning model used for result reporting (based on the artifact version). Example 1.2.3 using `major` will result in version 1
        longDescription: |-
          The versioning model used for result reporting (based on the artifact version).
          For example: the version 1.2.3 of the artifact will result in a version 1 to report into, when `versioningModel: major` is used and will result in a version 1.2 when `versioningModel: major-minor` is used.
          Recommendation for a Continuous Delivery process is to use `versioningModel: major`.
        scope:
          - PARAMETERS
          - GENERAL
          - STAGES
          - STEPS
        default: "major"
        possibleValues:
          - major
          - major-minor
          - semantic
          - full
      - name: pullRequestName
        type: string
        description: The name of the pull request
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: customDataJSONMap
        type: string
        description: "The JSON map of key-value pairs to be included in this scan's Custom Data (See protecode API)."
        scope:
          - GENERAL
          - STEPS
          - STAGES
          - PARAMETERS
  outputs:
    resources:
      - name: influx
        type: influx
        params:
          - name: step_data
            fields:
              - name: protecode
                type: bool
          - name: protecode_data
            fields:
              - name: excluded_vulnerabilities
                type: int
              - name: historical_vulnerabilities
                type: int
              - name: major_vulnerabilities
                type: int
              - name: minor_vulnerabilities
                type: int
              - name: triaged_vulnerabilities
                type: int
              - name: vulnerabilities
                type: int
      - name: reports
        type: reports
        params:
          - filePattern: "**/toolrun_protecode_*.json"
            type: protecode
          - paramRef: reportFileName
            type: protecode
          - filePattern: "**/protecodeExecuteScan.json"
            type: protecode
          - filePattern: "**/protecodescan_vulns.json"
            type: protecode
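The metadata above encodes more than documentation: every parameter carries an alias list (some deprecated), an optional default, an optional `mandatory` flag and, for `cleanupMode` and `versioningModel`, a closed set of `possibleValues`, and `customScanVersion` supersedes the version derived from `version` and `versioningModel`. The following added example (written for this page, not code from the jenkins-library project) shows how a step configuration would be resolved against that metadata before the scan runs: aliases are mapped to canonical names with a warning for deprecated ones, defaults are filled in, mandatory parameters and `possibleValues` are enforced, and the version to report into is derived. The `major` and `major-minor` results follow the examples in the metadata; treating `semantic` as major.minor.patch and `full` as the unchanged string is an assumption of this example, as are the constructed sample configuration and the `example.invalid` server URL. Only a subset of the parameters is carried in `STEP_PARAMS`.

```python
"""Resolve a protecodeExecuteScan step configuration against the step metadata.

Added example for illustration; not part of the jenkins-library project.
STEP_PARAMS mirrors a subset of the YAML metadata; SAMPLE_CONFIG is constructed.
"""
from __future__ import annotations

# Subset of the step metadata (names, aliases, defaults, mandatory flags and
# possibleValues taken from the YAML above; `deprecatedAliases` collects the
# aliases marked `deprecated: true` there).
STEP_PARAMS = [
    {"name": "excludeCVEs", "aliases": ["protecodeExcludeCVEs"], "default": ""},
    {"name": "failOnSevereVulnerabilities",
     "aliases": ["protecodeFailOnSevereVulnerabilities"], "default": True},
    {"name": "cleanupMode", "default": "binary",
     "possibleValues": ["none", "binary", "complete"]},
    {"name": "timeoutMinutes", "aliases": ["protecodeTimeoutMinutes"], "default": 60},
    {"name": "serverUrl", "aliases": ["protecodeServerUrl"], "mandatory": True},
    {"name": "reportFileName", "default": "protecode_report.pdf"},
    {"name": "group", "aliases": ["protecodeGroup"], "mandatory": True},
    {"name": "verifyOnly", "aliases": ["reuseExisting"],
     "deprecatedAliases": ["reuseExisting"], "default": False},
    {"name": "username", "aliases": ["user"], "deprecatedAliases": ["user"],
     "mandatory": True},
    {"name": "password", "mandatory": True},
    {"name": "userAPIKey"},
    {"name": "version", "aliases": ["artifactVersion"],
     "deprecatedAliases": ["artifactVersion"]},
    {"name": "customScanVersion"},
    {"name": "versioningModel", "default": "major",
     "possibleValues": ["major", "major-minor", "semantic", "full"]},
]


def resolve_config(user_config: dict) -> tuple[dict, list[str]]:
    """Map aliases to canonical names, apply defaults and validate.

    Returns (resolved_config, warnings); raises ValueError on an unknown
    parameter, conflicting alias values, a missing mandatory parameter or a
    value outside possibleValues.
    """
    by_alias = {}
    for p in STEP_PARAMS:
        by_alias[p["name"]] = p
        for alias in p.get("aliases", []):
            by_alias[alias] = p
    resolved, notes = {}, []
    for key, value in user_config.items():
        p = by_alias.get(key)
        if p is None:
            raise ValueError(f"unknown parameter {key!r}")
        if key in p.get("deprecatedAliases", []):
            notes.append(f"parameter {key!r} is deprecated, use {p['name']!r}")
        if p["name"] in resolved and resolved[p["name"]] != value:
            raise ValueError(f"conflicting values given for {p['name']!r}")
        resolved[p["name"]] = value
    for p in STEP_PARAMS:
        name = p["name"]
        if name not in resolved and "default" in p:
            resolved[name] = p["default"]
        if p.get("mandatory") and name not in resolved:
            raise ValueError(f"mandatory parameter {name!r} is missing")
        allowed = p.get("possibleValues")
        if allowed and name in resolved and resolved[name] not in allowed:
            raise ValueError(f"{name}={resolved[name]!r} is not one of {allowed}")
    return resolved, notes


def report_version(version: str, model: str) -> str:
    """Derive the version to report into from the artifact version.

    `major` -> "1" and `major-minor` -> "1.2" for "1.2.3" follow the metadata;
    `semantic` (first three components) and `full` (unchanged) are assumptions.
    """
    parts = version.split(".")
    if model == "major":
        return parts[0]
    if model == "major-minor":
        return ".".join(parts[:2])
    if model == "semantic":
        return ".".join(parts[:3])
    if model == "full":
        return version
    raise ValueError(f"unknown versioningModel {model!r}")


def effective_scan_version(config: dict) -> str:
    """customScanVersion supersedes the automatically calculated version."""
    if config.get("customScanVersion"):
        return config["customScanVersion"]
    if "version" not in config:
        raise ValueError("neither customScanVersion nor version is set")
    return report_version(config["version"], config["versioningModel"])


# Constructed sample configuration using two deprecated aliases on purpose.
SAMPLE_CONFIG = {
    "protecodeServerUrl": "https://bdba.example.invalid",  # placeholder host
    "protecodeGroup": "1234",
    "user": "scan-bot",                      # deprecated alias of `username`
    "password": "<from credentials store>",  # placeholder, never hard-code
    "artifactVersion": "1.2.3",              # deprecated alias of `version`
    "versioningModel": "major-minor",
}

if __name__ == "__main__":
    cfg, warnings_ = resolve_config(SAMPLE_CONFIG)
    for note in warnings_:
        print("warning:", note)
    print("cleanupMode:", cfg["cleanupMode"], "| timeoutMinutes:", cfg["timeoutMinutes"])
    print("effective scan version:", effective_scan_version(cfg))
```

Running it prints two deprecation warnings (for `user` and `artifactVersion`), the defaults `binary` and `60`, and the reporting version `1.2`; swapping `cleanupMode` for a value outside `none`/`binary`/`complete`, or dropping `protecodeGroup`, makes `resolve_config` raise before anything is uploaded.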