Feat: Add Maven Snyk CLI Scanner 90/71290/7
authorJessica Wagantall <jwagantall@linuxfoundation.org>
Thu, 2 Mar 2023 02:30:13 +0000 (18:30 -0800)
committerJessica Wagantall <jwagantall@linuxfoundation.org>
Fri, 3 Mar 2023 17:55:42 +0000 (09:55 -0800)
Introduce Maven Snyk CLI scanner jobs. These jobs can be triggered
to download the latest version of Snyk's CLI scanner and trigger a
scan for Maven based repos.

These jobs produce a report which is published into Snyk's dashboard.
These reports are fetched and reflected back into the LFX Security tool.

Issue: RELENG-4609
Signed-off-by: Jessica Wagantall <jwagantall@linuxfoundation.org>
Change-Id: I183bd1e8d22caa832b04b7d1d5b078b0a8946285

.jjb-test/lf-maven-jobs.yaml
docs/jjb/lf-maven-jobs.rst
jjb/lf-maven-jobs.yaml
releasenotes/notes/add-maven-snyk-cli-scanner-036090df9fa42a17.yaml [new file with mode: 0644]
shell/snyk-cli-scanner-run.sh [new file with mode: 0644]

index 8763766..970e383 100644 (file)
@@ -6,6 +6,7 @@
       - gerrit-maven-javadoc-publish
       - gerrit-maven-javadoc-verify
       - gerrit-maven-merge
+      - gerrit-maven-snyk-cli
       - gerrit-maven-sonar
       - gerrit-maven-sonar-verify
       - gerrit-maven-stage
@@ -26,6 +27,7 @@
       - github-maven-javadoc-publish
       - github-maven-javadoc-verify
       - github-maven-merge
+      - gerrit-maven-snyk-cli
       - github-maven-sonar
       - github-maven-stage
       - github-maven-verify
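Review bot: The entry added to the github test project list is `gerrit-maven-snyk-cli`, while every sibling in that list is a `github-maven-*` id and jjb/lf-maven-jobs.yaml in this same commit defines the template as `id: github-maven-snyk-cli`; as written the github test project instantiates the Gerrit-triggered template a second time instead of exercising the GitHub one. Change the line to `      - github-maven-snyk-cli`. The first hunk's `gerrit-maven-snyk-cli` under the gerrit project is correct.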
index c9208a1..be166c1 100644 (file)
@@ -104,6 +104,16 @@ lf-infra-sonatype-clm
 Runs a Sonatype CLM scan against a Maven project and pushes results to
 Nexus IQ server.
 
+:Optional parameters:
+    :mvn-goals: The maven goals to perform for the build.
+        (default: clean install)
+
+lf-infra-snyk-cli-scanner
+-------------------------
+
+Downloads the latest Snyk CLI and triggers a code scan. It publishes a report into
+the Snyk dashboard.
+
 :Optional parameters:
     :mvn-goals: The maven goals to perform for the build.
         (default: clean install)
@@ -170,6 +180,52 @@ Produces a CLM scan of the code into Nexus IQ Server.
 
     :gerrit_merge_triggers: Override Gerrit Triggers.
 
+Maven SNYK CLI
+--------------
+
+Builds the code, downloads and runs a Snyk CLI scan of the code into the Snyk dashboard.
+
+:Template Names:
+
+    - {project-name}-maven-snyk-cli-{stream}
+    - gerrit-maven-snyk-cli
+    - github-maven-snyk-cli
+
+:Comment Trigger: run-snyk
+
+:Required parameters:
+
+    :build-node:    The node to run build on.
+    :jenkins-ssh-credential: Credential to use for SSH. (Generally configured in defaults.yaml)
+    :mvn-settings: The name of settings file containing credentials for the project.
+    :snyk-token-credential-id: Snyk API token to communicate with Jenkins.
+    :snyk-org-credential-id: Snyk organization ID.
+
+:Optional parameters:
+
+    :branch: The branch to build against. (default: master)
+    :build-days-to-keep: Days to keep build logs in Jenkins. (default: 7)
+    :build-timeout: Timeout in minutes before aborting build. (default: 60)
+    :git-url: URL clone project from. (default: $GIT_URL/$PROJECT)
+    :java-version: Version of Java to use for the build. (default: openjdk11)
+    :mvn-global-settings: The name of the Maven global settings to use for
+        Maven configuration. (default: global-settings)
+    :mvn-goals: The maven goals to perform for the build.
+        (default: clean install)
+    :mvn-opts: Sets MAVEN_OPTS to start up the JVM running Maven. (default: '')
+    :mvn-params: Parameters to pass to the mvn CLI. (default: '')
+    :mvn-version: Version of maven to use. (default: mvn35)
+    :stream: Keyword that represents a release code-name.
+        Often the same as the branch. (default: master)
+    :submodule-recursive: Whether to checkout submodules recursively.
+        (default: true)
+    :submodule-timeout: Timeout (in minutes) for checkout operation.
+        (default: 10)
+    :submodule-disable: Disable submodule checkout operation.
+        (default: false)
+
+    :gerrit_snyk_triggers: Override Gerrit Triggers.
+
 Maven JavaDoc Publish
 ---------------------
 
index e4a3442..73a4744 100644 (file)
           white-list-target-branches:
             - "{branch}"
 
+##################
+# Maven Snyk CLI #
+##################
+
+- lf_maven_snyk_cli: &lf_maven_snyk_cli
+    name: lf-maven-snyk_cli
+
+    ######################
+    # Default parameters #
+    ######################
+
+    branch: master
+    build-days-to-keep: 30 # 30 days for troubleshooting purposes
+    build-timeout: 60
+    disable-job: false
+    git-url: "$GIT_URL/$PROJECT"
+    github-url: "https://github.com"
+    java-version: openjdk11
+    mvn-global-settings: global-settings
+    mvn-goals: clean install
+    mvn-opts: ""
+    mvn-params: ""
+    mvn-version: mvn35
+    snyk-token-credential-id: snyk-token
+    snyk-org-credential-id: snyk-org
+    stream: master
+    submodule-recursive: true
+    submodule-timeout: 10
+    submodule-disable: false
+
+    gerrit_snyk_triggers:
+      - comment-added-contains-event:
+          comment-contains-value: '^Patch Set\s+\d+:\s+run-snyk\s*$'
+
+    parameters:
+      - lf-infra-parameters:
+          project: "{project}"
+          branch: "{branch}"
+          stream: "{stream}"
+      - lf-infra-maven-parameters:
+          mvn-opts: "{mvn-opts}"
+          mvn-params: "{mvn-params}"
+          mvn-version: "{mvn-version}"
+      - string:
+          name: ARCHIVE_ARTIFACTS
+          default: "{archive-artifacts}"
+          description: Artifacts to archive to the logs server.
+
+    wrappers:
+      - credentials-binding:
+          - text:
+              credential-id: "{snyk-token-credential-id}"
+              variable: SNYK_TOKEN
+          - text:
+              credential-id: "{snyk-org-credential-id}"
+              variable: SNYK_ORG
+
+    #####################
+    # Job Configuration #
+    #####################
+
+    disabled: "{disable-job}"
+
+    builders:
+      - lf-infra-pre-build
+      - lf-maven-install:
+          mvn-version: "{mvn-version}"
+      - lf-update-java-alternatives:
+          java-version: "{java-version}"
+      - lf-provide-maven-settings:
+          global-settings-file: "{mvn-global-settings}"
+          settings-file: "{mvn-settings}"
+      - lf-maven-build:
+          mvn-goals: "{mvn-goals}"
+      - lf-infra-snyk-cli-scanner
+      - lf-provide-maven-settings-cleanup
+      - shell: 'find . -regex ".*karaf/target" | xargs rm -rf'
+
+- builder:
+    name: lf-infra-snyk-cli-scanner
+    # Download and run the Snyk CLI scanner
+    builders:
+      - shell: !include-raw-escape:
+          - ../shell/snyk-cli-scanner-run.sh
+
+- job-template:
+    name: "{project-name}-maven-snyk-cli-{stream}"
+    id: gerrit-maven-snyk-cli
+    <<: *lf_maven_common
+    # yamllint disable-line rule:key-duplicates
+    <<: *lf_maven_snyk_cli
+
+    scm:
+      - lf-infra-gerrit-scm:
+          jenkins-ssh-credential: "{jenkins-ssh-credential}"
+          git-url: "{git-url}"
+          refspec: "$GERRIT_REFSPEC"
+          branch: "$GERRIT_BRANCH"
+          submodule-recursive: "{submodule-recursive}"
+          submodule-timeout: "{submodule-timeout}"
+          submodule-disable: "{submodule-disable}"
+          choosing-strategy: default
+
+    triggers:
+      # Build weekly on Saturdays
+      - timed: "H H * * 6"
+      - gerrit:
+          server-name: "{gerrit-server-name}"
+          trigger-on: "{obj:gerrit_snyk_triggers}"
+          projects:
+            - project-compare-type: ANT
+              project-pattern: "{project}"
+              branches:
+                - branch-compare-type: ANT
+                  branch-pattern: "**/{branch}"
+          skip-vote:
+            successful: true
+            failed: true
+            unstable: true
+            notbuilt: true
+
+- job-template:
+    name: "{project-name}-maven-snyk-cli-{stream}"
+    id: github-maven-snyk-cli
+    <<: *lf_maven_common
+    # yamllint disable-line rule:key-duplicates
+    <<: *lf_maven_snyk_cli
+
+    properties:
+      - lf-infra-properties:
+          build-days-to-keep: "{build-days-to-keep}"
+      - github:
+          url: "{github-url}/{github-org}/{project}"
+
+    scm:
+      - lf-infra-github-scm:
+          url: "{git-clone-url}{github-org}/{project}"
+          refspec: ""
+          branch: "refs/heads/{branch}"
+          submodule-recursive: "{submodule-recursive}"
+          submodule-timeout: "{submodule-timeout}"
+          submodule-disable: "{submodule-disable}"
+          choosing-strategy: default
+          jenkins-ssh-credential: "{jenkins-ssh-credential}"
+
+    triggers:
+      # Build weekly on Saturdays
+      - timed: "H H * * 6"
+      - github-pull-request:
+          trigger-phrase: "^run-snyk$"
+          only-trigger-phrase: true
+          status-context: "SNYK scan"
+          permit-all: true
+          github-hooks: true
+          org-list:
+            - "{github-org}"
+          white-list: "{obj:github_pr_allowlist}"
+          admin-list: "{obj:github_pr_admin_list}"
+          white-list-target-branches:
+            - "{branch}"
+
 #########################
 # Maven Javadoc Publish #
 #########################
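Review bot: `permit-all: true` on the github-pull-request trigger of the github-maven-snyk-cli template lets any GitHub user start this job with the `run-snyk` phrase, and the job then runs `mvn clean install` against that pull request with the Snyk API token bound into the environment as `SNYK_TOKEN` by the credentials-binding wrapper in the shared anchor, so a build plugin or test in an untrusted PR runs with the token in scope. Unless the other templates in this file deliberately use the same setting, `permit-all: false` keeps triggering limited to the `admin-list`/`white-list`/`org-list` users already configured here; the gerrit template's comment trigger has the same shape but is bounded by Gerrit's own access control, which is presumably intended. Two smaller points: the anchor's `name: lf-maven-snyk_cli` mixes an underscore into an otherwise kebab-case name (the ids are `gerrit-maven-snyk-cli` / `github-maven-snyk-cli`), and `build-days-to-keep: 30` here disagrees with the default of 7 documented for this job in docs/jjb/lf-maven-jobs.rst in this commit.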
diff --git a/releasenotes/notes/add-maven-snyk-cli-scanner-036090df9fa42a17.yaml b/releasenotes/notes/add-maven-snyk-cli-scanner-036090df9fa42a17.yaml
new file mode 100644 (file)
index 0000000..2c0db0b
--- /dev/null
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Introduce Maven Snyk CLI scanner jobs. These jobs can be triggered to download the
+    latest version of Snyk's CLI scanner and trigger a scan for Maven based repos. These
+    jobs produce a report which is published into Snyk's dashboard. These reports are
+    fetched and reflected back into the LFX Security tool.
diff --git a/shell/snyk-cli-scanner-run.sh b/shell/snyk-cli-scanner-run.sh
new file mode 100644 (file)
index 0000000..63ba1cd
--- /dev/null
@@ -0,0 +1,26 @@
+#!/bin/bash -l
+# SPDX-License-Identifier: EPL-1.0
+##############################################################################
+# Copyright (c) 2023 The Linux Foundation and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+##############################################################################
+echo "---> snyk-cli-scanner-run.sh"
+
+# Add mvn to PATH so that the Snyk CLI can use it
+export PATH=$PATH:"$M2_HOME"/bin
+# Download and install the latest Snyk scanner
+echo "Installing Snyk (latest)..."
+curl https://static.snyk.io/cli/latest/snyk-linux -o snyk
+sudo chmod +x ./snyk
+sudo mv ./snyk /usr/local/bin/
+echo "Verifying Snyk version..."
+snyk --version
+echo "Authenticate with SNYK_TOKEN..."
+snyk auth "$SNYK_CLI"
+echo "Running Snyk CLI..."
+snyk test --json --severity-threshold=low --org="$SNYK_ORG"
+snyk monitor --severity-threshold=low --org="$SNYK_ORG"
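Review bot: `snyk auth "$SNYK_CLI"` references a variable nothing sets; the credentials-binding wrapper in jjb/lf-maven-jobs.yaml exports the token as `SNYK_TOKEN`, so the line should read `snyk auth "$SNYK_TOKEN"` (the CLI also honours a `SNYK_TOKEN` environment variable, in which case the line can be dropped). The install step fetches an unpinned `latest` binary with a bare `curl` — without `-f` an HTTP error body would be chmod'd and moved into `/usr/local/bin` — and nothing checks the download's integrity before it runs with the token in scope; Snyk publishes a `.sha256` digest beside the binary that the script can verify, as below. Without `set -euo pipefail` a failed download is also not fatal; adding it would change the current behaviour where `snyk monitor` still runs after `snyk test` reports findings (it exits non-zero on vulnerabilities), so that choice should be made explicitly. The `--json` output of `snyk test` goes to stdout only; if the report is meant to be archived, redirect it to a file in the workspace.
```shell
# … unchanged: license header, PATH export …
echo "Installing Snyk (latest)..."
curl -fsSL https://static.snyk.io/cli/latest/snyk-linux -o snyk
curl -fsSL https://static.snyk.io/cli/latest/snyk-linux.sha256 -o snyk.sha256
# Verify the download against the published digest before installing it
echo "$(cut -d' ' -f1 snyk.sha256)  snyk" | sha256sum -c -
sudo chmod +x ./snyk
sudo mv ./snyk /usr/local/bin/
# … unchanged: version check …
snyk auth "$SNYK_TOKEN"
# … unchanged: snyk test / snyk monitor …
```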