Feat: Add Docker Snyk CLI Scanner jobs 45/71345/5
authorJessica Wagantall <jwagantall@linuxfoundation.org>
Tue, 7 Mar 2023 20:54:25 +0000 (12:54 -0800)
committerJessica Wagantall <jwagantall@linuxfoundation.org>
Wed, 8 Mar 2023 02:03:47 +0000 (18:03 -0800)
Introduce Docker Snyk CLI scanner jobs. These jobs can be triggered
to download the latest version of Snyk's CLI scanner and trigger a
scan for Docker based repos. These jobs produce a report which is
published into Snyk's dashboard. These reports are fetched and
reflected back into the LFX Security tool.

Issue: RELENG-4609
Signed-off-by: Jessica Wagantall <jwagantall@linuxfoundation.org>
Change-Id: Ifc9ab4c51393e893b22b06844f3701caaca06c6f

.jjb-test/lf-docker-jobs/docker-jobs.yaml
docs/jjb/lf-docker-jobs.rst
jjb/lf-docker-jobs.yaml
releasenotes/notes/add-docker-snyk-cli-scanner-7c1e372de3a65376.yaml [new file with mode: 0644]
shell/snyk-cli-scanner-run.sh

index 8f8f770..1cfdf58 100644 (file)
@@ -3,6 +3,7 @@
     name: "{project-name}-docker"
     jobs:
       - "{project-name}-gerrit-docker-jobs"
+      - gerrit-docker-snyk-cli
 
     project: docker/project
     project-name: docker-project
index efe6674..a10624b 100644 (file)
@@ -215,3 +215,59 @@ Sample container-tag.yaml File
 
    ---
    tag: 1.0.0
+
+Docker Snyk CLI
+---------------
+
+Builds the code, downloads and runs a Snyk CLI scan of the code into the Snyk dashboard.
+
+:Template Names:
+
+    - {project-name}-docker-snyk-cli-{stream}
+    - gerrit-docker-snyk-cli
+    - github-docker-snyk-cli
+
+:Comment Trigger: run-snyk
+
+:Required parameters:
+
+    :build-node: The node to run build on.
+    :container-public-registry: Docker registry source with base images.
+    :docker-name: Name of the Docker image.
+    :jenkins-ssh-credential: Credential to use for SSH. (Generally configured
+        in defaults.yaml)
+    :mvn-settings: Maven settings.xml file containing Docker credentials.
+    :snyk-token-credential-id: Snyk API token to communicate with Jenkins.
+    :snyk-org-credential-id: Snyk organization ID.
+
+:Optional parameters:
+
+    :branch: Git branch to fetch for the build. (default: master)
+    :build-days-to-keep: Days to keep build logs in Jenkins. (default: 7)
+    :build-timeout: Timeout in minutes before aborting build. (default: 60)
+    :container-tag-method: Specifies the docker tag-choosing method.
+        Options are "latest", "git-describe" or "yaml-file".
+        Option latest uses the "latest" tag.
+        Option git-describe uses the string returned by git-describe,
+        which requires a tag to exist in the repository.
+        Option yaml-file uses the string from file "container-tag.yaml"
+        in the repository. (default: latest)
+    :container-tag-yaml-dir: Directory with container-tag.yaml. (default: $DOCKER_ROOT)
+    :docker-build-args: Arguments for the docker build command.
+    :docker-get-container-tag-script: Path to script that chooses docker tag.
+        (default: ../shell/docker-get-container-tag.sh in global-jjb)
+    :docker-root: Build directory within the repo. (default: $WORKSPACE, the repo root)
+    :git-url: URL clone project from. (default: $GIT_URL/$PROJECT)
+    :pre_docker_build_script: Build script to execute before the main verify
+        builder steps. (default: "")
+    :post_docker_build_script: Build script to execute after the main verify
+        builder steps. (default: "")
+    :snyk-cli-options: Additional Snyk CLI options. (default: '')
+    :stream: Keyword that represents a release code-name.
+        Often the same as the branch. (default: master)
+    :submodule-recursive: Whether to checkout submodules recursively.
+        (default: true)
+    :submodule-timeout: Timeout (in minutes) for checkout operation.
+        (default: 10)
+
+    :gerrit_snyk_triggers: Override Gerrit Triggers.
index 411fe33..7fd937d 100644 (file)
           white-list-target-branches:
             - "{branch}"
           included-regions: "{obj:github_included_regions}"
+
+##################
+# Docker Snyk CLI #
+##################
+
+- lf_docker_snyk_cli: &lf_docker_snyk_cli
+    name: lf-docker-snyk_cli
+
+    ######################
+    # Default parameters #
+    ######################
+
+    branch: master
+    build-days-to-keep: 30 # 30 days for troubleshooting purposes
+    build-timeout: 60
+    container-tag-method: "latest"
+    container-tag-yaml-dir: ""
+    disable-job: false
+    docker-get-container-tag-script: "../shell/docker-get-container-tag.sh"
+    docker-root: "$WORKSPACE"
+    docker-build-args: ""
+    git-url: "$GIT_URL/$PROJECT"
+    github-url: "https://github.com"
+    pre_docker_build_script: "# pre docker build script goes here"
+    post_docker_build_script: "# post docker build script goes here"
+    snyk-cli-options: ""
+    snyk-token-credential-id: snyk-token
+    snyk-org-credential-id: snyk-org
+    stream: master
+    submodule-recursive: true
+    submodule-timeout: 10
+    submodule-disable: false
+
+    gerrit_snyk_triggers:
+      - comment-added-contains-event:
+          comment-contains-value: '^Patch Set\s+\d+:\s+run-snyk\s*$'
+
+    parameters:
+      - lf-infra-parameters:
+          project: "{project}"
+          branch: "{branch}"
+          stream: "{stream}"
+      - string:
+          name: SNYK_CLI_OPTIONS
+          default: "{snyk-cli-options}"
+          description: Additional Snyk CLI commands and options
+
+    wrappers:
+      - credentials-binding:
+          - text:
+              credential-id: "{snyk-token-credential-id}"
+              variable: SNYK_TOKEN
+          - text:
+              credential-id: "{snyk-org-credential-id}"
+              variable: SNYK_ORG
+
+    #####################
+    # Job Configuration #
+    #####################
+
+    disabled: "{disable-job}"
+
+    builders:
+      - lf-infra-pre-build
+      - lf-infra-docker-login:
+          global-settings-file: "global-settings"
+          settings-file: "{mvn-settings}"
+      - shell: "{pre_docker_build_script}"
+      - lf-docker-get-container-tag:
+          container-tag-method: "{container-tag-method}"
+          container-tag-yaml-dir: "{container-tag-yaml-dir}"
+          docker-root: "{docker-root}"
+          docker-get-container-tag-script: "{docker-get-container-tag-script}"
+      - lf-docker-build:
+          docker-build-args: "{docker-build-args}"
+          docker-name: "{docker-name}"
+          docker-root: "{docker-root}"
+          container-public-registry: "{container-public-registry}"
+          container-push-registry: "{container-push-registry}"
+      - shell: "{post_docker_build_script}"
+      - lf-infra-snyk-cli-scanner
+      - lf-provide-maven-settings-cleanup
+      - shell: 'find . -regex ".*karaf/target" | xargs rm -rf'
+
+- job-template:
+    name: "{project-name}-docker-snyk-cli-{stream}"
+    id: gerrit-docker-snyk-cli
+    <<: *lf_docker_common
+    # yamllint disable-line rule:key-duplicates
+    <<: *lf_docker_snyk_cli
+
+    scm:
+      - lf-infra-gerrit-scm:
+          jenkins-ssh-credential: "{jenkins-ssh-credential}"
+          git-url: "{git-url}"
+          refspec: "$GERRIT_REFSPEC"
+          branch: "$GERRIT_BRANCH"
+          submodule-recursive: "{submodule-recursive}"
+          submodule-timeout: "{submodule-timeout}"
+          submodule-disable: "{submodule-disable}"
+          choosing-strategy: default
+
+    triggers:
+      # Build weekly on Saturdays
+      - timed: "H H * * 6"
+      - gerrit:
+          server-name: "{gerrit-server-name}"
+          trigger-on: "{obj:gerrit_snyk_triggers}"
+          projects:
+            - project-compare-type: ANT
+              project-pattern: "{project}"
+              branches:
+                - branch-compare-type: ANT
+                  branch-pattern: "**/{branch}"
+          skip-vote:
+            successful: true
+            failed: true
+            unstable: true
+            notbuilt: true
+
+- job-template:
+    name: "{project-name}-docker-snyk-cli-{stream}"
+    id: github-docker-snyk-cli
+    <<: *lf_docker_common
+    # yamllint disable-line rule:key-duplicates
+    <<: *lf_docker_snyk_cli
+
+    properties:
+      - lf-infra-properties:
+          build-days-to-keep: "{build-days-to-keep}"
+      - github:
+          url: "{github-url}/{github-org}/{project}"
+
+    scm:
+      - lf-infra-github-scm:
+          url: "{git-clone-url}{github-org}/{project}"
+          refspec: ""
+          branch: "refs/heads/{branch}"
+          submodule-recursive: "{submodule-recursive}"
+          submodule-timeout: "{submodule-timeout}"
+          submodule-disable: "{submodule-disable}"
+          choosing-strategy: default
+          jenkins-ssh-credential: "{jenkins-ssh-credential}"
+
+    triggers:
+      # Build weekly on Saturdays
+      - timed: "H H * * 6"
+      - github-pull-request:
+          trigger-phrase: "^run-snyk$"
+          only-trigger-phrase: true
+          status-context: "SNYK scan"
+          permit-all: true
+          github-hooks: true
+          org-list:
+            - "{github-org}"
+          white-list: "{obj:github_pr_allowlist}"
+          admin-list: "{obj:github_pr_admin_list}"
+          white-list-target-branches:
+            - "{branch}"
diff --git a/releasenotes/notes/add-docker-snyk-cli-scanner-7c1e372de3a65376.yaml b/releasenotes/notes/add-docker-snyk-cli-scanner-7c1e372de3a65376.yaml
new file mode 100644 (file)
index 0000000..e67a8c8
--- /dev/null
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Introduce Docker Snyk CLI scanner jobs. These jobs can be triggered to download the
+    latest version of Snyk's CLI scanner and trigger a scan for Docker based repos. These
+    jobs produce a report which is published into Snyk's dashboard. These reports are
+    fetched and reflected back into the LFX Security tool.
index 8768123..ed667cf 100644 (file)
@@ -31,5 +31,12 @@ snyk --version
 echo "Authenticate with SNYK_TOKEN..."
 snyk auth "$SNYK_CLI"
 echo "Running Snyk CLI..."
-snyk test --json --severity-threshold=low "$SNYK_CLI_OPTIONS" --org="$SNYK_ORG"
-snyk monitor --severity-threshold=low "$SNYK_CLI_OPTIONS" --org="$SNYK_ORG"
+if [[ "$JOB_NAME" =~ "docker" ]]; then
+    snyk container test "$SNYK_CLI_OPTIONS" \
+        "$CONTAINER_PULL_REGISTRY/$DOCKER_NAME:$DOCKER_IMAGE_TAG" --org="$SNYK_ORG"
+    snyk container monitor "$SNYK_CLI_OPTIONS" \
+        "$CONTAINER_PULL_REGISTRY/$DOCKER_NAME:$DOCKER_IMAGE_TAG" --org="$SNYK_ORG"
+else
+    snyk test --json --severity-threshold=low "$SNYK_CLI_OPTIONS" --org="$SNYK_ORG"
+    snyk monitor --severity-threshold=low "$SNYK_CLI_OPTIONS" --org="$SNYK_ORG"
+fi