-
Notifications
You must be signed in to change notification settings - Fork 3
/
Jenkinsfile_Full
171 lines (153 loc) · 7.86 KB
/
Jenkinsfile_Full
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
/*
* Jenkinsfile that will build and do a Veracode Pipeline scan, Policy Scan and SCA scan
*/
pipeline {
agent any
environment {
VERACODE_APP_NAME = 'NodeGoat' // App Name in the Veracode Platform
}
// this is optional on Linux, if jenkins does not have access to your locally installed docker
//tools {
// these match up with 'Manage Jenkins -> Global Tool Config'
//'org.jenkinsci.plugins.docker.commons.tools.DockerTool' 'docker-latest'
//}
options {
// only keep the last x build logs and artifacts (for space saving)
buildDiscarder(logRotator(numToKeepStr: '20', artifactNumToKeepStr: '20'))
}
stages{
stage ('environment verify') {
steps {
script {
if (isUnix() == true) {
sh 'pwd'
sh 'ls -la'
sh 'echo $PATH'
}
else {
bat 'dir'
bat 'echo %PATH%'
}
}
}
}
stage ('build') {
steps {
// use the NodeJS plugin
nodejs(nodeJSInstallationName: 'NodeJS-12.0.0') {
script {
if(isUnix() == true) {
//sh 'npm config ls'
sh 'npm --version'
sh 'npm install'
}
else {
bat 'npm --version'
bat 'npm install'
}
}
}
}
}
stage ('Veracode pipeline scan') {
steps {
// zip archive for Veracode scanning. Only include stuff we need,
// aka skip things like node_modules directory
zip zipFile: 'upload.zip', archive: false, glob: '*.js,*.json,app/**,artifacts/**,config/**'
echo 'Veracode Pipeline scanning'
withCredentials([ usernamePassword (
credentialsId: 'veracode_login', usernameVariable: 'VERACODE_API_ID', passwordVariable: 'VERACODE_API_KEY') ]) {
script {
// this try-catch block will show the flaws in the Jenkins log, and yet not
// fail the build due to any flaws reported in the pipeline scan
// alternately, you could add --fail_on_severity '', but that would not show the
// flaws in the Jenkins log
try {
if(isUnix() == true) {
sh """
curl -sO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
unzip pipeline-scan-LATEST.zip pipeline-scan.jar
java -jar pipeline-scan.jar --veracode_api_id '${VERACODE_API_ID}' \
--veracode_api_key '${VERACODE_API_KEY}' \
--file upload.zip
"""
}
else {
powershell """
curl https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip -o pipeline-scan.zip
Expand-Archive -Path pipeline-scan.zip -DestinationPath veracode_scanner
java -jar veracode_scanner\\pipeline-scan.jar --veracode_api_id '${VERACODE_API_ID}' \
--veracode_api_key '${VERACODE_API_KEY}' \
--file upload.zip
"""
}
} catch (err) {
echo 'Pipeline err: ' + err
}
}
}
echo "Pipeline scan done (failures ignored, results avialable in ${WORKSPACE}/results.json)"
}
}
stage ('Veracode scan') {
steps {
// zip archive for Veracode scanning. Only include stuff we need,
// aka skip things like node_modules directory
zip zipFile: 'upload.zip', archive: false, glob: '*.js,*.json,app/**,artifacts/**,config/**'
script {
if(isUnix() == true) {
env.HOST_OS = 'Unix'
}
else {
env.HOST_OS = 'Windows'
}
}
echo 'Veracode scanning'
withCredentials([ usernamePassword (
credentialsId: 'veracode_login', usernameVariable: 'VERACODE_API_ID', passwordVariable: 'VERACODE_API_KEY') ]) {
// fire-and-forget
veracode applicationName: "${VERACODE_APP_NAME}", criticality: 'VeryHigh', debug: true, fileNamePattern: '', pHost: '', pPassword: '', pUser: '', replacementPattern: '', sandboxName: '', scanExcludesPattern: '', scanIncludesPattern: '', scanName: "${BUILD_TAG}-${env.HOST_OS}", uploadExcludesPattern: '', uploadIncludesPattern: 'upload.zip', useIDkey: true, vid: "${VERACODE_API_ID}", vkey: "${VERACODE_API_KEY}"
// wait for scan to complete (timeout: x)
//veracode applicationName: "${VERACODE_APP_NAME}", criticality: 'VeryHigh', debug: true, timeout: 20, fileNamePattern: '', pHost: '', pPassword: '', pUser: '', replacementPattern: '', sandboxName: '', scanExcludesPattern: '', scanIncludesPattern: '', scanName: "${BUILD_TAG}", uploadExcludesPattern: '', uploadIncludesPattern: 'upload.zip', useIDkey: true, vid: "${VERACODE_API_ID}", vkey: "${VERACODE_API_KEY}"
}
}
}
stage ('Veracode SCA') {
steps {
echo 'Veracode SCA'
withCredentials([ string(credentialsId: 'SCA_Token', variable: 'SRCCLR_API_TOKEN')]) {
nodejs(nodeJSInstallationName: 'NodeJS-12.0.0') {
script {
if(isUnix() == true) {
sh "curl -sSL https://download.sourceclear.com/ci.sh | sh"
// debug, no upload
//sh "curl -sSL https://download.sourceclear.com/ci.sh | DEBUG=1 sh -s -- scan --no-upload"
}
else {
// allow-dirty since I was in the middle of updating the readme files,
// really not needed
powershell '''
Set-ExecutionPolicy AllSigned -Scope Process -Force
iex ((New-Object System.Net.WebClient).DownloadString('https://download.srcclr.com/ci.ps1'))
srcclr scan --allow-dirty
'''
}
}
}
}
}
}
stage ('Deploy') {
when { expression { return (isUnix() == true) } }
steps {
echo 'building Docker image'
sh 'docker version'
ansiColor('xterm') {
sh 'docker build -t nodegoat:${BUILD_TAG} .'
}
// split into separate stage??
echo 'Deploying ...'
}
}
}
}