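# Step metadata for `whitesourceExecuteScan`.
# This file is read by the piper step generator: `spec.inputs.params` become the
# step's config keys / CLI flags, `spec.inputs.secrets` declares the Jenkins
# credential IDs that are wired onto the `secret: true` params through
# `resourceRef`, and `spec.containers` selects the scan image per `buildTool`.
#
# Review notes (see inline NOTE(review) comments for detail):
#   * The Unified Agent is downloaded from a floating `latest` release URL and
#     no checksum/signature parameter exists in this file.
#   * Several default container images reference EOL or floating tags.
#   * The `privateModules` alias used the key `alias:` while every other alias
#     in this file uses `aliases:` with `- name:` entries; it is now consistent.
metadata:
  name: whitesourceExecuteScan
  description: Execute a Mend (formerly known as WhiteSource) scan
  longDescription: |-
    With this step [Mend](https://www.mend.io/) (formerly known as Whitesource) security and license compliance scans can be executed and assessed.
    Mend is a Software as a Service offering based on a so called unified agent that locally determines the dependency
    tree of a node.js, Java, Python, Ruby, or Scala based solution and sends it to the WhiteSource server for a policy based license compliance
    check and additional Free and Open Source Software Publicly Known Vulnerabilities detection.

    The step uses the so-called Mend Unified Agent. For details please refer to the [Mend Unified Agent Documentation](https://docs.mend.io/bundle/unified_agent/page/overview_of_the_unified_agent.html).

    !!! note "Docker Images"
        The underlying Docker images are public and specific to the solution's programming language(s); they may therefore have to be exchanged
        to fit the relevant scenario. The default Python environment, for example, is Python 3 based.
spec:
  inputs:
    # Jenkins credential IDs. Each one is referenced by a `secret: true` param
    # below via `resourceRef` (Jenkins use case); Vault is the alternative source.
    secrets:
      - name: userTokenCredentialsId
        aliases:
          - name: whitesourceUserTokenCredentialsId
          - name: whitesource/userTokenCredentialsId
            deprecated: true
        description: Jenkins 'Secret text' credentials ID containing Whitesource user token.
        type: jenkins
      - name: orgAdminUserTokenCredentialsId
        aliases:
          - name: whitesourceOrgAdminUserTokenCredentialsId
          - name: whitesource/orgAdminUserTokenCredentialsId
            deprecated: true
        description: Jenkins 'Secret text' credentials ID containing Whitesource org admin token.
        type: jenkins
      - name: dockerConfigJsonCredentialsId
        description: Jenkins 'Secret file' credentials ID containing Docker config.json (with registry credential(s)). You can find more details about the Docker credentials in the [Docker documentation](https://docs.docker.com/engine/reference/commandline/login/).
        type: jenkins
        aliases:
          - name: dockerCredentialsId
            deprecated: true
      - name: githubTokenCredentialsId
        description: Jenkins 'Secret text' credentials ID containing token to authenticate to GitHub.
        type: jenkins
      - name: golangPrivateModulesGitTokenCredentialsId
        description: Jenkins 'Username with password' credentials ID containing username/password for http access to your git repos where your go private modules are stored.
        type: jenkins
    params:
      # NOTE(review): `releases/latest/download/...` is a floating URL, so the
      # agent executed in the pipeline changes whenever upstream publishes a
      # release, and this file declares no checksum or signature to verify the
      # downloaded jar against. Pin to a specific release and verify the
      # artifact's integrity before running it in a production pipeline.
      - name: agentDownloadUrl
        type: string
        description: "URL used to download the latest version of the WhiteSource Unified Agent."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: https://github.com/whitesource/unified-agent-distribution/releases/latest/download/wss-unified-agent.jar
      - name: agentFileName
        type: string
        description: "Locally used name for the Unified Agent jar file after download."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: "wss-unified-agent.jar"
      # Declared but, per its own description, not wired through to the agent.
      - name: agentParameters
        type: "[]string"
        description: "[NOT IMPLEMENTED] List of additional parameters passed to the Unified Agent command line."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      # The endpoint the locally computed dependency tree (and the tokens) are
      # sent to. Override together with `serviceUrl` for a self-hosted instance.
      - name: agentUrl
        aliases:
          - name: whitesourceAgentUrl
        type: string
        description: "URL to the WhiteSource agent endpoint."
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: "https://saas.whitesourcesoftware.com/agent"
      - name: aggregateVersionWideReport
        type: bool
        description:
          "This does not run a scan, instead just generates a report for all projects with
          projectVersion = config.ProductVersion"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: assessmentFile
        type: string
        description: "Explicit path to the assessment YAML file."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: "hs-assessments.yaml"
      # NOTE(review): modules listed here are excluded from the scan *and* the
      # assessment, i.e. their dependencies are never reported. Keep the list to
      # test-only modules.
      - name: buildDescriptorExcludeList
        type: "[]string"
        description: "List of build descriptors and therefore modules to exclude from the scan and assessment activities."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: ["unit-tests/pom.xml", "integration-tests/pom.xml"]
      - name: buildDescriptorFile
        type: string
        description: "Explicit path to the build descriptor file."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: buildTool
        type: string
        description: "Defines the tool which is used for building the artifact."
        mandatory: true
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        resourceRef:
          - name: commonPipelineEnvironment
            param: buildTool
      - name: configFilePath
        type: string
        description: "Explicit path to the WhiteSource Unified Agent configuration file."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: ./wss-unified-agent.config
      - name: containerRegistryPassword
        description: "For `buildTool: docker`: Password for container registry access - typically provided by the CI/CD environment."
        type: string
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        secret: true
        resourceRef:
          - name: commonPipelineEnvironment
            param: container/repositoryPassword
          - name: commonPipelineEnvironment
            param: custom/repositoryPassword
      - name: containerRegistryUser
        description: "For `buildTool: docker`: Username for container registry access - typically provided by the CI/CD environment."
        type: string
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        secret: true
        resourceRef:
          - name: commonPipelineEnvironment
            param: container/repositoryUsername
          - name: commonPipelineEnvironment
            param: custom/repositoryUsername
      # Defaults to true; product creation is what the org admin token
      # (`orgToken`) is needed for.
      - name: createProductFromPipeline
        type: bool
        description:
          "Whether to create the related WhiteSource product on the fly based on the supplied pipeline
          configuration."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: customScanVersion
        type: string
        description: Custom version of the WhiteSource project used as source.
        longDescription: |-
          Defines a custom version for the WhiteSource scan which deviates from the typical versioning pattern using [`version`](#version) and [`versioningModel`](#versioningModel).
          It allows to set non-numeric versions as well and supersedes the value of [`version`](#version) which is calculated automatically.
          The parameter is also used by other scan steps (e.g. Detect, Fortify, Sonar) and thus allows a common custom version across scan tools.
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
      # NOTE(review): the meaning of the default `-1` is not documented here;
      # presumably it disables the CVSS threshold so that only
      # `failOnSevereVulnerabilities` decides the outcome -- confirm against the
      # step implementation before relying on it as a gate.
      - name: cvssSeverityLimit
        type: string
        description: "Limit of tolerable CVSS v3 score upon assessment and in consequence fails the build."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: "-1"
      - name: scanPath
        type: string
        description: "Directory where to start WhiteSource scan."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: "."
      # Registry credentials file; marked secret so it is masked in logs.
      - name: dockerConfigJSON
        type: string
        description: Path to the file `.docker/config.json` - this is typically provided by your CI/CD system. You can find more details about the Docker credentials in the [Docker documentation](https://docs.docker.com/engine/reference/commandline/login/).
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        secret: true
        resourceRef:
          - name: commonPipelineEnvironment
            param: custom/dockerConfigJSON
          - name: dockerConfigJsonCredentialsId
            type: secret
          - type: vaultSecretFile
            name: dockerConfigFileVaultSecretName
            default: docker-config
      - name: emailAddressesOfInitialProductAdmins
        type: "[]string"
        description: "The list of email addresses to assign as product admins for newly created WhiteSource products."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: excludes
        type: "[]string"
        description: List of file path patterns to exclude in the scan.
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      # NOTE(review): unlike every other param in this file this one is scoped to
      # PARAMETERS only, so it cannot be set at stage or step level in the
      # pipeline config. Verify that this restriction is intended.
      - name: failOnSevereVulnerabilities
        type: bool
        description: Whether to fail the step on severe vulnerabilities or not
        scope:
          - PARAMETERS
        default: true
      - name: includes
        type: "[]string"
        description: List of file path patterns to include in the scan.
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      # NOTE(review): this value is presumably executed as a command inside the
      # scan container; treat it as trusted pipeline configuration only and do
      # not derive it from untrusted input.
      - name: installCommand
        type: string
        description: "Install command that can be used to populate the default docker image for some scenarios."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      # NOTE(review): the default JRE is pinned to SapMachine 11.0.2, which is a
      # 2019-era build, and no checksum is declared for the download. Update the
      # pin and verify the archive's integrity.
      - name: jreDownloadUrl
        aliases:
          - name: whitesource/jreDownloadUrl
            deprecated: true
        type: string
        description:
          "URL used for downloading the Java Runtime Environment (JRE) required to run the
          WhiteSource Unified Agent."
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: "https://github.com/SAP/SapMachine/releases/download/sapmachine-11.0.2/sapmachine-jre-11.0.2_linux-x64_bin.tar.gz"
      # Declared but, per its own description, not implemented.
      - name: licensingVulnerabilities
        type: bool
        description: "[NOT IMPLEMENTED] Whether license compliance is considered and reported as part of the assessment."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      # NOTE(review): this is backed by the *org admin* credential and is
      # mandatory, i.e. every run of the step holds an org-admin token even when
      # `createProductFromPipeline` is false. Scope the token as narrowly as the
      # Mend side allows and keep it in Vault/Jenkins credentials, never in
      # pipeline config.
      - name: orgToken
        aliases:
          - name: whitesourceOrgToken
          - name: whitesource/orgToken
            deprecated: true
        type: string
        description: "WhiteSource token identifying your organization."
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        secret: true
        mandatory: true
        resourceRef:
          - name: orgAdminUserTokenCredentialsId
            type: secret
          - type: vaultSecret
            name: whitesourceVaultSecret
            default: whitesource
      - name: productName
        aliases:
          - name: whitesourceProductName
          - name: whitesource/productName
            deprecated: true
        type: string
        description:
          "Name of the WhiteSource product used for results aggregation.
          This parameter is mandatory if the parameter `createProductFromPipeline` is set to `true`
          and the WhiteSource product does not yet exist.
          It is also mandatory if the parameter `productToken` is not provided."
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
      - name: productToken
        aliases:
          - name: whitesourceProductToken
          - name: whitesource/productToken
            deprecated: true
        type: string
        description:
          "Token of the WhiteSource product to be created and used for results aggregation,
          usually determined automatically. Can optionally be provided as an alternative to `productName`."
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
      - name: version
        aliases:
          - name: productVersion
          - name: whitesourceProductVersion
          - name: whitesource/productVersion
            deprecated: true
        type: string
        description: Version of the WhiteSource product to be created and used for results aggregation.
        longDescription: |-
          Version of the WhiteSource product to be created and used for results aggregation.
          This is usually determined automatically based on the information in the buildTool specific build descriptor file.
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        resourceRef:
          - name: commonPipelineEnvironment
            param: artifactVersion
      - name: projectName
        aliases:
          - name: whitesourceProjectName
        type: string
        description:
          "The project name used for reporting results in WhiteSource.
          When provided, all source modules will be scanned into one aggregated WhiteSource project.
          For scan types `maven`, `mta`, `npm`, the default is to generate one WhiteSource project per module,
          whereas the project name is derived from the module's build descriptor.
          For NPM modules, project aggregation is not supported, the last scanned NPM module will override all
          previously aggregated scan results!"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: projectToken
        type: string
        description:
          "Project token to execute scan on. Ignored for scan types `maven`, `mta` and `npm`.
          Used for project aggregation when scanning with the Unified Agent and can be provided as an
          alternative to `projectName`."
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
      # Setting this to false skips the assessment entirely, including the
      # vulnerability gate. Do not disable it in pipelines meant to act as a gate.
      - name: reporting
        type: bool
        description: "Whether assessment is being done at all, defaults to `true`"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: scanImage
        type: string
        description: "For `buildTool: docker`: Defines the docker image which should be scanned."
        resourceRef:
          - name: commonPipelineEnvironment
            param: container/imageNameTag
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: scanImageRegistryUrl
        type: string
        description: "For `buildTool: docker`: Defines the registry where the scanImage is located."
        resourceRef:
          - name: commonPipelineEnvironment
            param: container/registryUrl
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
      - name: securityVulnerabilities
        type: bool
        description: "Whether security compliance is considered and reported as part of the assessment."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: true
      - name: serviceUrl
        aliases:
          - name: whitesourceServiceUrl
          - name: whitesource/serviceUrl
            deprecated: true
        type: string
        description: "URL to the WhiteSource API endpoint."
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: "https://saas.whitesourcesoftware.com/api"
      - name: timeout
        type: int
        description: "Timeout in seconds until an HTTP call is forcefully terminated."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: 900
      - name: userToken
        type: string
        description: User token to access WhiteSource. In Jenkins use case this is automatically filled through the credentials.
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        secret: true
        mandatory: true
        resourceRef:
          - name: userTokenCredentialsId
            type: secret
          - type: vaultSecret
            name: whitesourceVaultSecret
            default: whitesource
      # The description previously referred to a `projectVersion` parameter,
      # which does not exist in this file; the version param is `version`
      # (alias `productVersion`).
      - name: versioningModel
        type: string
        description:
          "The default project versioning model used in case the `version` parameter (alias `productVersion`) is
          empty for creating the version based on the build descriptor version to report results in
          Whitesource, can be one of `'major'`, `'major-minor'`, `'semantic'`, `'full'`"
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
          - GENERAL
        default: "major"
        aliases:
          - name: defaultVersioningModel
      - name: vulnerabilityReportFormat
        type: string
        description: "Format of the file the vulnerability report is written to."
        possibleValues: [xlsx, json, xml]
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: xlsx
      - name: vulnerabilityReportTitle
        type: string
        description: "Title of vulnerability report written during the assessment phase."
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        default: "WhiteSource Security Vulnerability Report"
      # Global maven settings, should be added to all maven steps
      - name: projectSettingsFile
        type: string
        description: "Path to the mvn settings file that should be used as project settings file."
        scope:
          - GENERAL
          - STEPS
          - STAGES
          - PARAMETERS
        aliases:
          - name: maven/projectSettingsFile
      - name: globalSettingsFile
        type: string
        description: "Path to the mvn settings file that should be used as global settings file."
        scope:
          - GENERAL
          - STEPS
          - STAGES
          - PARAMETERS
        aliases:
          - name: maven/globalSettingsFile
      - name: m2Path
        type: string
        description: "Path to the location of the local repository that should be used."
        scope:
          - GENERAL
          - STEPS
          - STAGES
          - PARAMETERS
        aliases:
          - name: maven/m2Path
      - name: installArtifacts
        type: bool
        description:
          "If enabled, it will install all artifacts to the local maven repository to make them available before running whitesource.
          This is required if any maven module has dependencies to other modules in the repository and they were not installed before."
        scope:
          - GENERAL
          - STEPS
          - STAGES
          - PARAMETERS
      # Global npm settings, should be added to all npm steps
      - name: defaultNpmRegistry
        type: string
        description: "URL of the npm registry to use. Defaults to https://registry.npmjs.org/"
        scope:
          - PARAMETERS
          - GENERAL
          - STAGES
          - STEPS
        aliases:
          - name: npm/defaultNpmRegistry
      - name: githubToken
        description: "GitHub personal access token as per
          https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line"
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
        secret: true
        aliases:
          - name: access_token
        resourceRef:
          - name: githubTokenCredentialsId
            type: secret
          - type: vaultSecret
            default: github
            name: githubVaultSecretName
      # NOTE(review): the created issue carries the scan results (i.e. the list
      # of known-vulnerable dependencies). Issues in a public repository are
      # publicly readable, so consider the repository's visibility before
      # enabling this or relying on the scheduled-run auto-activation.
      - name: createResultIssue
        type: bool
        description: Activate creation of a result issue in GitHub.
        longDescription: |
          Whether the step creates a GitHub issue containing the scan results in the originating repo.
          Since optimized pipelines are headless the creation is implicitly activated for scheduled runs.
        resourceRef:
          - name: commonPipelineEnvironment
            param: custom/isOptimizedAndScheduled
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        default: false
      - name: githubApiUrl
        description: "Set the GitHub API URL."
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
        default: "https://api.github.com"
      - name: owner
        aliases:
          - name: githubOrg
        description: "Set the GitHub organization."
        resourceRef:
          - name: commonPipelineEnvironment
            param: github/owner
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
      - name: repository
        aliases:
          - name: githubRepo
        description: "Set the GitHub repository."
        resourceRef:
          - name: commonPipelineEnvironment
            param: github/repository
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
      - name: assignees
        description: Defines the assignees for the Github Issue created/updated with the results of the scan as a list of login names.
        scope:
          - PARAMETERS
          - STAGES
          - STEPS
        type: "[]string"
        default: []
        mandatory: false
      # NOTE(review): certificates fetched from these links become trust anchors
      # for the step's TLS connections. Only reference links served over HTTPS
      # from infrastructure you control; a tampered link silently widens trust.
      - name: customTlsCertificateLinks
        type: "[]string"
        description: "List of download links to custom TLS certificates. This is required to ensure trusted connections to instances with repositories (like nexus) when publish flag is set to true."
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
      # The alias below was declared as `alias:` with a bare string entry,
      # unlike every other alias in this file (`aliases:` with `- name:`); it is
      # now written in the same form so the generator treats it like the others.
      - name: privateModules
        type: "string"
        description: Tells go which modules shall be considered to be private (by setting [GOPRIVATE](https://pkg.go.dev/cmd/go#hdr-Configuration_for_downloading_non_public_code)).
        scope:
          - GENERAL
          - STEPS
          - STAGES
          - PARAMETERS
        aliases:
          - name: goprivate
      # Sourced from the `password` field of the 'Username with password'
      # credential declared in `secrets` above.
      - name: privateModulesGitToken
        description: GitHub personal access token as per https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line.
        scope:
          - GENERAL
          - PARAMETERS
          - STAGES
          - STEPS
        type: string
        secret: true
        resourceRef:
          - name: golangPrivateModulesGitTokenCredentialsId
            type: secret
            param: password
          - type: vaultSecret
            name: golangPrivateModulesGitTokenVaultSecret
            default: golang
    resources:
      - name: buildDescriptor
        type: stash
      - name: opensourceConfiguration
        type: stash
      - name: checkmarx
        type: stash
      - name: checkmarxOne
        type: stash
  outputs:
    resources:
      - name: commonPipelineEnvironment
        type: piperEnvironment
        params:
          - name: custom/whitesourceProjectNames
            type: "[]string"
      - name: influx
        type: influx
        params:
          - name: step_data
            fields:
              - name: whitesource
                type: bool
          - name: whitesource_data
            fields:
              - name: vulnerabilities
                type: int
              - name: major_vulnerabilities
                type: int
              - name: minor_vulnerabilities
                type: int
              - name: policy_violations
                type: int
      # Report artifacts collected after the run; the SARIF and SBOM (CycloneDX
      # XML, judging by the file name) outputs are what downstream tooling
      # typically consumes.
      - name: reports
        type: reports
        params:
          - filePattern: "**/whitesource-ip.json"
            type: whitesource-ip
          - filePattern: "**/*risk-report.pdf"
            type: whitesource-ip
          - filePattern: "**/toolrun_whitesource_*.json"
            type: whitesource-ip
          - filePattern: "**/piper_whitesource_vulnerability_report.html"
            type: whitesource-security
          - filePattern: "**/*risk-report.pdf"
            type: whitesource-security
          - filePattern: "**/toolrun_whitesource_*.json"
            type: whitesource-security
          - filePattern: "**/piper_whitesource_vulnerability.sarif"
            type: whitesource-security
          - filePattern: "**/piper_whitesource_sbom.xml"
            type: whitesource-security
  # Scan image per `buildTool`. NOTE(review): several defaults are stale or
  # floating -- `*-stretch`/`stretch-curl` (Debian 9), `python:3.6`,
  # `maven:3.5-jdk-8` and `scala-sbt:8u181_*` are end-of-life bases, while
  # `gradle`, `golang:1` and `node:lts-buster` are moving tags. Pin images
  # (ideally by digest) and refresh the EOL ones; the step's docs already say
  # the images are expected to be exchanged per scenario.
  containers:
    - image: buildpack-deps:stretch-curl
      workingDir: /tmp
      env: []
      conditions:
        - conditionRef: strings-equal
          params:
            - name: buildTool
              value: dub
            - name: buildTool
              value: docker
    - image: devxci/mbtci-java11-node14
      workingDir: /home/mta
      env: []
      conditions:
        - conditionRef: strings-equal
          params:
            - name: buildTool
              value: mta
    # NOTE(review): `-u 0` runs the golang scan as root inside the container;
    # confirm this is required (e.g. for writing under /go) rather than habit.
    - image: golang:1
      workingDir: /go
      env: []
      options:
        - name: "-u"
          value: "0"
      conditions:
        - conditionRef: strings-equal
          params:
            - name: buildTool
              value: golang
    - image: gradle
      workingDir: /home/gradle
      env: []
      conditions:
        - conditionRef: strings-equal
          params:
            - name: buildTool
              value: gradle
    - image: hseeberger/scala-sbt:8u181_2.12.8_1.2.8
      workingDir: /tmp
      env: []
      conditions:
        - conditionRef: strings-equal
          params:
            - name: buildTool
              value: sbt
    - image: maven:3.5-jdk-8
      workingDir: /tmp
      env: []
      conditions:
        - conditionRef: strings-equal
          params:
            - name: buildTool
              value: maven
    - image: node:lts-buster
      workingDir: /home/node
      env: []
      conditions:
        - conditionRef: strings-equal
          params:
            - name: buildTool
              value: npm
    - image: python:3.6-stretch
      workingDir: /tmp
      env: []
      conditions:
        - conditionRef: strings-equal
          params:
            - name: buildTool
              value: pip
    - image: node:lts-buster
      workingDir: /home/node
      env: []
      conditions:
        - conditionRef: strings-equal
          params:
            - name: buildTool
              value: yarn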