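// Copyright (c) 2021, 2023, Oracle and/or its affiliates.
// Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.

// Daily scan-results job: logs in to the OCIR scan registry, installs the Grype
// and Trivy scanners, fetches the latest periodic scan results for the current
// branch, renders an HTML report, archives it and - for master / release-*
// branches or when TEST_RUN is false - hands the report to /upload-scan-report.
pipeline {
    options {
        timestamps ()
        // Allows the downstream upload job to copy this build's archived artifacts.
        copyArtifactPermission('/upload-scan-report')
    }

    agent {
        docker {
            image "${RUNNER_DOCKER_IMAGE}"
            args "${RUNNER_DOCKER_ARGS}"
            label "2.0-large"
            registryCredentialsId 'ocir-pull-and-push-account'
        }
    }

    parameters {
        booleanParam (name: 'TEST_RUN',
                description: 'Indicate whether this is a TEST run, which will do some stuff but will not try uploading anything, ignored for master/release-* runs',
                defaultValue: true)
    }

    triggers { cron("@daily") }

    environment {
        // Branch name made safe for use in URLs/paths ("/" -> "%2F").
        CLEAN_BRANCH_NAME = "${env.BRANCH_NAME.replace("/", "%2F")}"

        // OCI CLI identity used by the fetch script.
        OCI_CLI_TENANCY = credentials('oci-dev-tenancy')
        OCI_CLI_USER = credentials('oci-dev-user-ocid')
        OCI_CLI_FINGERPRINT = credentials('oci-dev-api-key-fingerprint')
        OCI_CLI_KEY_FILE = credentials('oci-dev-api-key-file')
        OCI_CLI_REGION = "us-ashburn-1"
        OCI_REGION = "${env.OCI_CLI_REGION}"

        // Scan registry / repository selection. DOCKER_SCAN_CREDS is a
        // username/password credential, exposed as *_USR and *_PSW.
        OCIR_COMPARTMENT_ID = credentials('ocir-scan-compartment')
        OCIR_SCAN_REGISTRY = credentials('ocir-scan-registry')
        OCIR_REPOSITORY_BASE = credentials('ocir-scan-repository-path')
        OCIR_PATH_FILTER = ".*"
        DOCKER_SCAN_CREDS = credentials('v8odev-ocir')

        // Object Storage locations read/written by the fetch script.
        OCI_OS_NAMESPACE = credentials('oci-os-namespace')
        OCI_OS_BUCKET = "verrazzano-builds"
        OCI_SCAN_BUCKET = "verrazzano-scan-results"

        GITHUB_ACCESS_TOKEN = credentials('github-api-token-release-process')

        // Install directory for the downloaded scanner binaries.
        SCANNER_PATH = "~/scanners"
    }

    stages {
        stage('Fetch Scan Results') {
            steps {
                script {
                    // Secrets are referenced as escaped `\$VAR` so the shell expands them at
                    // run time. Interpolating them with Groovy would copy the secret value into
                    // the script text handed to `sh`, which Jenkins flags as insecure.
                    String dockerLogin = """
                        echo "\$DOCKER_SCAN_CREDS_PSW" | docker login ${env.OCIR_SCAN_REGISTRY} -u "\$DOCKER_SCAN_CREDS_USR" --password-stdin
                    """
                    try {
                        sh dockerLogin
                    } catch(error) {
                        // Registry logins are occasionally flaky; back off and retry a few times
                        // before failing the stage.
                        echo "docker login failed, retrying after sleep"
                        retry(4) {
                            sleep(30)
                            sh dockerLogin
                        }
                    }

                    sh """
                        git fetch --tags
                        echo "\$GITHUB_ACCESS_TOKEN" | gh auth login --with-token

                        # Install Trivy and Grype
                        # NOTE(review): both installers are fetched from the upstream `main`
                        # branch and piped straight into `sh` with no version pin or checksum,
                        # so every run trusts the current upstream content. Pinning a release
                        # tag and verifying the download would make the scan toolchain reproducible.
                        mkdir -p ~/scanners
                        echo "Download and install Grype"
                        curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b ${env.SCANNER_PATH}

                        echo "Download and install Trivy"
                        curl -sSfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ${env.SCANNER_PATH}

                        echo "Fetching scan results for branch: ${CLEAN_BRANCH_NAME}"
                        ci/scripts/get_branch_scan_results.sh
                        python ci/scripts/generate_html_report.py scan-results/latest-periodic/consolidated.csv scan-results/latest-periodic
                    """
                }
            }
            post {
                always {
                    archiveArtifacts artifacts: 'boms/**,scan-results/**', allowEmptyArchive: true
                }
                failure {
                    script {
                        // `==~` is a full regex match; "mark/.*" matches any branch under
                        // "mark/" (the earlier "mark/*" only matched "mark" followed by
                        // zero or more slashes, so "mark/<name>" branches never alerted).
                        if (env.BRANCH_NAME == "master" || env.BRANCH_NAME ==~ "release-.*" || env.BRANCH_NAME ==~ "mark/.*") {
                            slackSend ( message: "Job Failed - \"${env.JOB_NAME}\" build: ${env.BUILD_NUMBER}\n\nView the log at:\n ${env.BUILD_URL}\n\nBlue Ocean:\n${env.RUN_DISPLAY_URL}" )
                        }
                    }
                }
            }
        }
    }
    post {
        success {
            script {
                // Upload is unconditional for master/release-* and otherwise only when the
                // run was explicitly marked as not a test run.
                if (env.BRANCH_NAME == "master" || env.BRANCH_NAME ==~ "release-.*" || params.TEST_RUN == false) {
                    build job: '/upload-scan-report', parameters: [
                        string(name: 'UPSTREAM_JOB', value: "${env.JOB_NAME}"),
                        string(name: 'UPSTREAM_BUILD', value: "${env.BUILD_NUMBER}")
                    ], propagate: false, wait: false
                }
            }
        }
    }
}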