
     1  // Copyright (c) 2022, 2023, Oracle and/or its affiliates.
     2  // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
     3  
     4  pipeline {
     5      options {
     6          skipDefaultCheckout true
     7          timestamps ()
     8      }
     9  
    10      agent {
    11         docker {
    12              image "${RELEASE_RUNNER_IMAGE}"
    13              args "${RELEASE_RUNNER_DOCKER_ARGS}"
    14              registryUrl "${RUNNER_DOCKER_REGISTRY_URL}"
    15              registryCredentialsId 'ocir-pull-and-push-account'
    16              label "internal"
    17          }
    18      }
    19  
    20      parameters {
    21          string (description: 'The verrazzano development version (major.minor.patch format, e.g. 1.0.1)', name: 'VERRAZZANO_DEV_VERSION', defaultValue: 'NONE', trim: true)
    22          string (description: 'The git commit used to build the distributions being scanned', name: 'GIT_COMMIT_TO_USE', defaultValue: 'NONE', trim: true )
    23          booleanParam (description: 'Indicate whether this is a test run', name: 'TEST_RUN', defaultValue: true)
    24          booleanParam (description: 'Enable scanning for test run. Scanning is always done if not a test run, it is disabled for test runs unless this is enabled', name: 'ENABLE_TEST_SCAN', defaultValue: false)
    25      }
    26  
    27      environment {
    28          NETRC_FILE = credentials('netrc')
    29  
    30          OBJECT_STORAGE_NS = credentials('oci-os-namespace')
    31          OBJECT_STORAGE_BUCKET="verrazzano-builds"
    32          OCI_OS_COMMIT_BUCKET="verrazzano-builds-by-commit"
    33          OCI_REGION="us-phoenix-1"
    34          OCI_CLI_AUTH="api_key"
    35          OCI_CLI_TENANCY = credentials('oci-tenancy')
    36          OCI_CLI_USER = credentials('oci-user-ocid')
    37          OCI_CLI_FINGERPRINT = credentials('oci-api-key-fingerprint')
    38          OCI_CLI_KEY_FILE = credentials('oci-api-key')
    39  
    40          RELEASE_BINARIES_DIR = "${WORKSPACE}/release/scripts/release_work"
    41          TIMESTAMP = sh(returnStdout: true, script: "date +%Y%m%d%H%M%S").trim()
    42  
    43          RELEASE_VERSION = "${params.VERRAZZANO_DEV_VERSION}"
    44          VERRAZZANO_RELEASE_PREFIX = "verrazzano-${RELEASE_VERSION}"
    45          VERRAZZANO_LITE_BUNDLE = "${VERRAZZANO_RELEASE_PREFIX}-lite.zip"
    46          VERRAZZANO_FULL_BUNDLE = "${VERRAZZANO_RELEASE_PREFIX}.zip"
    47  
    48          VZ_LITE = "vz-lite"
    49          VZ_FULL = "vz-full"
    50  
    51          SCANNER_HOME = "${WORKSPACE}/scanner_home"
    52          SCAN_REPORT_BASE_DIR = "${WORKSPACE}/scan_report_dir"
    53      }
    54  
    55      stages {
    56          stage('Clean workspace and checkout') {
    57              steps {
    58                  sh """
    59                      echo "${NODE_LABELS}"
    60                  """
    61                  script {
    62                      def scmInfo = checkout scm
    63                      env.GIT_COMMIT = scmInfo.GIT_COMMIT
    64                      env.GIT_BRANCH = scmInfo.GIT_BRANCH
    65                      echo "SCM checkout of ${env.GIT_BRANCH} at ${env.GIT_COMMIT}"
    66                  }
    67                  sh """
    68                      cp -f "${NETRC_FILE}" $HOME/.netrc
    69                      chmod 600 $HOME/.netrc
    70                  """
    71  
    72                  script {
    73                      def props = readProperties file: '.verrazzano-development-version'
    74                      VERRAZZANO_DEV_VERSION = props['verrazzano-development-version']
    75                      TIMESTAMP = sh(returnStdout: true, script: "date +%Y%m%d%H%M%S").trim()
    76                      SHORT_COMMIT_HASH = sh(returnStdout: true, script: "git rev-parse --short=8 ${params.GIT_COMMIT_TO_USE}").trim()
    77                  }
    78              }
    79          }
    80  
    81          stage('Download Distributions') {
    82              steps {
    83                  script {
    84                      sh """
    85                          mkdir -p ${RELEASE_BINARIES_DIR}
    86                          cd ${WORKSPACE}/release/scripts
    87                          ./get_release_artifacts.sh ${env.BRANCH_NAME} ${SHORT_COMMIT_HASH} ${VERRAZZANO_LITE_BUNDLE} ${RELEASE_BINARIES_DIR}/${VZ_LITE}
    88                          ./get_release_artifacts.sh ${env.BRANCH_NAME} ${SHORT_COMMIT_HASH} ${VERRAZZANO_FULL_BUNDLE} ${RELEASE_BINARIES_DIR}/${VZ_FULL}
    89                      """
    90                  }
    91              }
    92          }
    93  
    94          stage('Scan Distribution Binaries') {
    95              environment {
    96                  SCANNER_ARCHIVE_LOCATION = credentials('scanner-archive-location')
    97                  SCANNER_ARCHIVE_FILE = credentials('scanner-archive-file')
    98                  VIRUS_DEFINITION_LOCATION = credentials('virus-definition-location')
    99                  NO_PROXY_SUFFIX = credentials('cdn-no-proxy')
   100              }
   101              when {
   102                 allOf {
   103                     not { buildingTag() }
   104                     expression {return params.TEST_RUN == false || params.ENABLE_TEST_SCAN == true }
   105                 }
   106              }
   107              steps {
   108                  script {
   109                      // The scan takes more than 3 hours for the full bundle, so setting a higher timeout
   110                      timeout(time: 300, unit: 'MINUTES') {
   111                          sh """
   112                              cd ${WORKSPACE}/release/scripts
   113  
   114                              # Scan Verrazzano lite distribution
   115                              ./scan_release_binaries.sh ${RELEASE_BINARIES_DIR}/${VZ_LITE} ${SCANNER_HOME} ${SCAN_REPORT_BASE_DIR}/${VZ_LITE} "Lite"
   116  
   117                              # Scan Verrazzano full distribution
   118                              ./scan_release_binaries.sh ${RELEASE_BINARIES_DIR}/${VZ_FULL} ${SCANNER_HOME} ${SCAN_REPORT_BASE_DIR}/${VZ_FULL} "Full" "true"
   119                          """
   120                     }
   121                  }
   122              }
   123          }
   124  
   125          stage('Copy Results to Object Stores') {
   126              steps {
   127                  script {
   128                      sh """
   129                          if [ $params.TEST_RUN == true ] ; then
   130                            if [ $params.ENABLE_TEST_SCAN == true ] ; then
   131                              echo "TEST_RUN is set to true, NOT pushing scan artifacts to object storage, but confirming they exist to be pushed"
   132                              echo ""
   133                              ls ${SCAN_REPORT_BASE_DIR}/${VZ_LITE}/scan_report.out
   134                              ls ${SCAN_REPORT_BASE_DIR}/${VZ_LITE}/scan_summary.out
   135                              ls ${SCAN_REPORT_BASE_DIR}/${VZ_FULL}/scan_report.out
   136                              ls ${SCAN_REPORT_BASE_DIR}/${VZ_FULL}/scan_summary.out
   137                            else
   138                              echo "TEST_RUN is set to true, ENABLE_TEST_SCAN is set to false. NOT pushing anything to object storage, and didn't scan anything"
   139                            fi
   140                          else
   141                            # We only store in the per commit ephemeral location, the release process will get the scan results from the ephemeral location only since these are asynchronously updated separately.
   142                            # This avoid complexity here trying to detect the last periodic state, and trying to copy the results into there (and avoids race conditions)
   143                            oci --region ${OCI_REGION} os object put --force --namespace ${OBJECT_STORAGE_NS} -bn ${OCI_OS_COMMIT_BUCKET} --name ephemeral/${env.BRANCH_NAME}/${SHORT_COMMIT_HASH}/verrazzano_${params.VERRAZZANO_DEV_VERSION}-scan_report_vz_lite.out --file ${SCAN_REPORT_BASE_DIR}/${VZ_LITE}/scan_report.out
   144                            oci --region ${OCI_REGION} os object put --force --namespace ${OBJECT_STORAGE_NS} -bn ${OCI_OS_COMMIT_BUCKET} --name ephemeral/${env.BRANCH_NAME}/${SHORT_COMMIT_HASH}/verrazzano_${params.VERRAZZANO_DEV_VERSION}-scan_summary_vz_lite.out --file ${SCAN_REPORT_BASE_DIR}/${VZ_LITE}/scan_summary.out
   145                            oci --region ${OCI_REGION} os object put --force --namespace ${OBJECT_STORAGE_NS} -bn ${OCI_OS_COMMIT_BUCKET} --name ephemeral/${env.BRANCH_NAME}/${SHORT_COMMIT_HASH}/verrazzano_${params.VERRAZZANO_DEV_VERSION}-scan_report_vz_full.out --file ${SCAN_REPORT_BASE_DIR}/${VZ_FULL}/scan_report.out
   146                            oci --region ${OCI_REGION} os object put --force --namespace ${OBJECT_STORAGE_NS} -bn ${OCI_OS_COMMIT_BUCKET} --name ephemeral/${env.BRANCH_NAME}/${SHORT_COMMIT_HASH}/verrazzano_${params.VERRAZZANO_DEV_VERSION}-scan_summary_vz_full.out --file ${SCAN_REPORT_BASE_DIR}/${VZ_FULL}/scan_summary.out
   147                          fi
   148                      """
   149                  }
   150              }
   151          }
   152  
   153  
   154      }
   155      post {
   156          always {
   157              archiveArtifacts artifacts: "**/scan_report*.out,**/scan_summary*.out,", allowEmptyArchive: true
   158          }
   159          cleanup {
   160              deleteDir()
   161          }
   162      }
   163  }