github.com/xgoffin/jenkins-library@v1.154.0/vars/snykExecute.groovy (about) 1 import static com.sap.piper.Prerequisites.checkScript 2 3 import com.sap.piper.ConfigurationHelper 4 import com.sap.piper.GenerateDocumentation 5 import com.sap.piper.Utils 6 import com.sap.piper.mta.MtaMultiplexer 7 import com.sap.piper.MapUtils 8 9 import groovy.transform.Field 10 11 @Field def STEP_NAME = getClass().getName() 12 13 @Field Set GENERAL_CONFIG_KEYS = [ 14 /** 15 * Credentials for accessing the Snyk API. 16 * @possibleValues Jenkins credentials id 17 */ 18 'snykCredentialsId' 19 ] 20 @Field Set STEP_CONFIG_KEYS = GENERAL_CONFIG_KEYS.plus([ 21 /** 22 * The path to the build descriptor file, e.g. `./package.json`. 23 */ 24 'buildDescriptorFile', 25 /** @see dockerExecute */ 26 'dockerImage', 27 /** @see dockerExecute*/ 28 'dockerEnvVars', 29 /** @see dockerExecute */ 30 'dockerOptions', 31 /** @see dockerExecute*/ 32 'dockerWorkspace', 33 /** 34 * Only scanType 'mta': Exclude modules from MTA projects. 35 */ 36 'exclude', 37 /** 38 * Monitor the application's dependencies for new vulnerabilities. 39 */ 40 'monitor', 41 //TODO: move to general 42 /** 43 * The type of project that should be scanned. 44 * @possibleValues `npm`, `mta` 45 */ 46 'scanType', 47 /** 48 * Only needed for `monitor: true`: The organisation ID to determine the organisation to report to. 49 */ 50 'snykOrg', 51 /** 52 * Generate and archive a JSON report. 53 */ 54 'toJson', 55 /** 56 * Generate and archive a HTML report. 57 */ 58 'toHtml' 59 ]) 60 @Field Set PARAMETER_KEYS = STEP_CONFIG_KEYS 61 62 //https://snyk.io/docs/continuous-integration/ 63 /** 64 * This step performs an open source vulnerability scan on a *Node project* or *Node module inside an MTA project* through snyk.io. 65 */ 66 @GenerateDocumentation 67 void call(Map parameters = [:]) { 68 handlePipelineStepErrors(stepName: STEP_NAME, stepParameters: parameters) { 69 def script = checkScript(this, parameters) ?: this 70 def utils = parameters.juStabUtils ?: new Utils() 71 String stageName = parameters.stageName ?: env.STAGE_NAME 72 73 Map config = ConfigurationHelper.newInstance(this) 74 .loadStepDefaults([:], stageName) 75 .mixinGeneralConfig(script.commonPipelineEnvironment, GENERAL_CONFIG_KEYS) 76 .mixinStepConfig(script.commonPipelineEnvironment, STEP_CONFIG_KEYS) 77 .mixinStageConfig(script.commonPipelineEnvironment, stageName, STEP_CONFIG_KEYS) 78 .mixin(parameters, PARAMETER_KEYS) 79 // check mandatory parameters 80 .withMandatoryProperty('dockerImage') 81 .withMandatoryProperty('snykCredentialsId') 82 .use() 83 84 utils.pushToSWA([ 85 step: STEP_NAME, 86 stepParamKey1: 'scriptMissing', 87 stepParam1: parameters?.script == null 88 ], config) 89 90 utils.unstashAll(config.stashContent) 91 92 switch(config.scanType) { 93 case 'mta': 94 def scanJobs = [failFast: false] 95 // create job for each package.json with scanType: 'npm' 96 scanJobs.putAll(MtaMultiplexer.createJobs( 97 this, parameters, config.exclude, 'Snyk', 'package.json', 'npm' 98 ){options -> snykExecute(options)}) 99 // execute scan jobs in parallel 100 parallel scanJobs 101 break 102 case 'npm': 103 // set default file for scanType 104 def path = config.buildDescriptorFile.replace('package.json', '') 105 try{ 106 withCredentials([string( 107 credentialsId: config.snykCredentialsId, 108 variable: 'token' 109 )]) { 110 dockerExecute( 111 script: script, 112 dockerImage: config.dockerImage, 113 dockerEnvVars: MapUtils.merge(['SNYK_TOKEN': token],config.dockerEnvVars?:[:]), 114 dockerWorkspace: config.dockerWorkspace, 115 dockerOptions: config.dockerOptions, 116 stashContent: config.stashContent 117 ) { 118 sh returnStatus: true, script: """ 119 node --version 120 npm --version 121 """ 122 // install Snyk 123 sh 'npm install snyk --global --quiet' 124 if(config.toHtml){ 125 config.toJson = true 126 sh 'npm install snyk-to-html --global --quiet' 127 } 128 // install NPM dependencies 129 sh "cd '${path}' && npm install --quiet" 130 // execute Snyk scan 131 def cmd = [] 132 cmd.push("cd '${path}'") 133 if(config.monitor) { 134 cmd.push('&& snyk monitor') 135 if(config.snykOrg) 136 cmd.push("--org=${config.snykOrg}") 137 } 138 cmd.push('&& snyk test') 139 if(config.toJson) 140 cmd.push("--json > snyk.json") 141 try{ 142 sh cmd.join(' ') 143 }finally{ 144 if(config.toHtml) sh "snyk-to-html -i ${path}snyk.json -o ${path}snyk.html" 145 } 146 } 147 } 148 }finally{ 149 if(config.toJson) archiveArtifacts "${path.replaceAll('\\./', '')}snyk.json" 150 if(config.toHtml) archiveArtifacts "${path.replaceAll('\\./', '')}snyk.html" 151 } 152 break 153 default: 154 error "[ERROR][${STEP_NAME}] ScanType '${config.scanType}' not supported!" 155 } 156 } 157 }