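// Copyright (c) 2021, 2024, Oracle and/or its affiliates.
// Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.

// Daily scan-results pipeline.
//
// Logs in to the OCIR scan registry, installs the Grype and Trivy scanners,
// collects the scan results for the current branch and renders the HTML
// report. Artifacts under boms/ and scan-results/ are always archived; on
// master, release-* or a non-TEST run the /upload-scan-report job is
// triggered with this build's coordinates (the copyArtifactPermission option
// lets that job copy the archived artifacts).
pipeline {
    options {
        timestamps ()
        // Downstream job that copies this build's archived artifacts.
        copyArtifactPermission('/upload-scan-report')
    }

    agent {
        docker {
            image "${RUNNER_DOCKER_IMAGE}"
            args "${RUNNER_DOCKER_ARGS}"
            label "2.0-large"
            registryCredentialsId 'ocir-pull-and-push-account'
        }
    }

    parameters {
        booleanParam (name: 'TEST_RUN',
            description: 'Indicate whether this is a TEST run, which will do some stuff but will not try uploading anything, ignored for master/release-* runs',
            defaultValue: true)
    }

    triggers { cron("@daily") }

    environment {
        // Branch names may contain '/', which must be URL-encoded wherever the
        // name is used as a path segment.
        CLEAN_BRANCH_NAME = "${env.BRANCH_NAME.replace("/", "%2F")}"

        OCI_CLI_TENANCY = credentials('oci-dev-tenancy')
        OCI_CLI_USER = credentials('oci-dev-user-ocid')
        OCI_CLI_FINGERPRINT = credentials('oci-dev-api-key-fingerprint')
        OCI_CLI_KEY_FILE = credentials('oci-dev-api-key-file')
        OCI_CLI_REGION = "us-ashburn-1"
        OCI_REGION = "${env.OCI_CLI_REGION}"

        // Registry location and repository path are themselves stored as
        // credentials; treat them as secrets in shell steps (no Groovy
        // interpolation into script text).
        OCIR_COMPARTMENT_ID = credentials('ocir-scan-compartment')
        OCIR_SCAN_REGISTRY = credentials('ocir-scan-registry')
        OCIR_REPOSITORY_BASE = credentials('ocir-scan-repository-path')
        OCIR_PATH_FILTER = ".*"
        // Username/password credential: exposes DOCKER_SCAN_CREDS_USR and
        // DOCKER_SCAN_CREDS_PSW to shell steps.
        DOCKER_SCAN_CREDS = credentials('v8odev-ocir')

        OCI_OS_NAMESPACE = credentials('oci-os-namespace')

        GITHUB_ACCESS_TOKEN = credentials('github-api-token-release-process')

        // Install directory for the scanners. Kept as a literal '~' path so the
        // shell performs tilde expansion when it is Groovy-interpolated below.
        SCANNER_PATH = "~/scanners"
    }

    stages {
        stage('Fetch Scan Results') {
            steps {
                script {
                    // Registry login, shared by the first attempt and the retries.
                    // The script is single-quoted so the secrets are read from the
                    // agent's environment by the shell instead of being
                    // Groovy-interpolated into the script text handed to the agent.
                    // 'set +x' keeps the sh step's command trace from echoing the
                    // expanded values.
                    def dockerScanLogin = {
                        sh '''
                            set +x
                            echo "$DOCKER_SCAN_CREDS_PSW" | docker login "$OCIR_SCAN_REGISTRY" -u "$DOCKER_SCAN_CREDS_USR" --password-stdin
                        '''
                    }

                    try {
                        dockerScanLogin()
                    } catch(error) {
                        // Registry logins are occasionally flaky; back off and retry
                        // up to four more times before failing the build.
                        echo "docker login failed, retrying after sleep"
                        retry(4) {
                            sleep(30)
                            dockerScanLogin()
                        }
                    }

                    // Non-secret values (SCANNER_PATH, CLEAN_BRANCH_NAME) are still
                    // Groovy-interpolated; the GitHub token is escaped so the shell
                    // expands it from the environment at run time.
                    sh """
                        set -e
                        git fetch --tags
                        set +x
                        echo "\$GITHUB_ACCESS_TOKEN" | gh auth login --with-token
                        set -x

                        # Install Trivy and Grype
                        # NOTE(review): both installers are fetched unpinned from the upstream
                        # main branch and piped to sh. Each install.sh accepts a release tag as a
                        # trailing argument after '-b <dir>' (e.g. '... -b ${env.SCANNER_PATH} <PINNED_VERSION>');
                        # pinning and/or vendoring the installer makes the scanner build reproducible
                        # and removes an unverified remote-code dependency from this job.
                        mkdir -p ~/scanners
                        echo "Download and install Grype"
                        curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b ${env.SCANNER_PATH}

                        echo "Download and install Trivy"
                        curl -sSfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ${env.SCANNER_PATH}

                        echo "Fetching scan results for branch: ${CLEAN_BRANCH_NAME}"
                        ci/scripts/get_branch_scan_results.sh
                        python ci/scripts/generate_html_report.py scan-results/latest-periodic/consolidated.csv scan-results/latest-periodic
                    """
                }
            }
            post {
                always {
                    archiveArtifacts artifacts: 'boms/**,scan-results/**', allowEmptyArchive: true
                }
                failure {
                    script {
                        // '==~' is a full-match regex test: the original "mark/*" only
                        // matched "mark" followed by zero or more '/' characters, never
                        // "mark/<name>"; "mark/.*" matches any branch under mark/.
                        if (env.BRANCH_NAME == "master" || env.BRANCH_NAME ==~ "release-.*" || env.BRANCH_NAME ==~ "mark/.*") {
                            slackSend ( message: "Job Failed - \"${env.JOB_NAME}\" build: ${env.BUILD_NUMBER}\n\nView the log at:\n ${env.BUILD_URL}\n\nBlue Ocean:\n${env.RUN_DISPLAY_URL}" )
                        }
                    }
                }
            }
        }
    }
    post {
        success {
            script {
                // Upload is skipped for TEST runs unless the branch is master or a
                // release branch (see the TEST_RUN parameter description).
                if (env.BRANCH_NAME == "master" || env.BRANCH_NAME ==~ "release-.*" || params.TEST_RUN == false) {
                    build job: '/upload-scan-report', parameters: [
                        string(name: 'UPSTREAM_JOB', value: "${env.JOB_NAME}"),
                        string(name: 'UPSTREAM_BUILD', value: "${env.BUILD_NUMBER}")
                    ], propagate: false, wait: false
                }
            }
        }
    }
}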