Runs a Sonatype CLM scan against a Maven project and pushes results to
Nexus IQ server.
+:Optional parameters:
+ :mvn-goals: The maven goals to perform for the build.
+ (default: clean install)
+
+lf-infra-snyk-cli-scanner
+-------------------------
+
+Downloads the latest Snyk CLI and triggers a code scan. It publishes a report into
+the Snyk dashboard.
+
:Optional parameters:
:mvn-goals: The maven goals to perform for the build.
(default: clean install)
:gerrit_merge_triggers: Override Gerrit Triggers.
+Maven SNYK CLI
+--------------
+
+Builds the code, downloads and runs a Snyk CLI scan of the code into the Snyk dashboard.
+
+:Template Names:
+
+ - {project-name}-maven-snyk-cli-{stream}
+ - gerrit-maven-snyk-cli
+ - github-maven-snyk-cli
+
+:Comment Trigger: run-snyk
+
+:Required parameters:
+
+ :build-node: The node to run build on.
+ :jenkins-ssh-credential: Credential to use for SSH. (Generally configured in defaults.yaml)
+ :mvn-settings: The name of settings file containing credentials for the project.
+ :snyk-token-credential-id: Snyk API token to communicate with Jenkins.
+ :snyk-org-credential-id: Snyk organization ID.
+
+:Optional parameters:
+
+ :branch: The branch to build against. (default: master)
+ :build-days-to-keep: Days to keep build logs in Jenkins. (default: 7)
+ :build-timeout: Timeout in minutes before aborting build. (default: 60)
+ :git-url: URL clone project from. (default: $GIT_URL/$PROJECT)
+ :java-version: Version of Java to use for the build. (default: openjdk11)
+ :mvn-global-settings: The name of the Maven global settings to use for
+ Maven configuration. (default: global-settings)
+ :mvn-goals: The maven goals to perform for the build.
+ (default: clean install)
+ :mvn-opts: Sets MAVEN_OPTS to start up the JVM running Maven. (default: '')
+ :mvn-params: Parameters to pass to the mvn CLI. (default: '')
+ :mvn-version: Version of maven to use. (default: mvn35)
+ :stream: Keyword that represents a release code-name.
+ Often the same as the branch. (default: master)
+ :submodule-recursive: Whether to checkout submodules recursively.
+ (default: true)
+ :submodule-timeout: Timeout (in minutes) for checkout operation.
+ (default: 10)
+ :submodule-disable: Disable submodule checkout operation.
+ (default: false)
+
+ :gerrit_snyk_triggers: Override Gerrit Triggers.
+
Maven JavaDoc Publish
---------------------
white-list-target-branches:
- "{branch}"
+##################
+# Maven Snyk CLI #
+##################
+
+- lf_maven_snyk_cli: &lf_maven_snyk_cli
+ name: lf-maven-snyk_cli
+
+ ######################
+ # Default parameters #
+ ######################
+
+ branch: master
+ build-days-to-keep: 30 # 30 days for troubleshooting purposes
+ build-timeout: 60
+ disable-job: false
+ git-url: "$GIT_URL/$PROJECT"
+ github-url: "https://github.com"
+ java-version: openjdk11
+ mvn-global-settings: global-settings
+ mvn-goals: clean install
+ mvn-opts: ""
+ mvn-params: ""
+ mvn-version: mvn35
+ snyk-token-credential-id: snyk-token
+ snyk-org-credential-id: snyk-org
+ stream: master
+ submodule-recursive: true
+ submodule-timeout: 10
+ submodule-disable: false
+
+ gerrit_snyk_triggers:
+ - comment-added-contains-event:
+ comment-contains-value: '^Patch Set\s+\d+:\s+run-snyk\s*$'
+
+ parameters:
+ - lf-infra-parameters:
+ project: "{project}"
+ branch: "{branch}"
+ stream: "{stream}"
+ - lf-infra-maven-parameters:
+ mvn-opts: "{mvn-opts}"
+ mvn-params: "{mvn-params}"
+ mvn-version: "{mvn-version}"
+ - string:
+ name: ARCHIVE_ARTIFACTS
+ default: "{archive-artifacts}"
+ description: Artifacts to archive to the logs server.
+
+ wrappers:
+ - credentials-binding:
+ - text:
+ credential-id: "{snyk-token-credential-id}"
+ variable: SNYK_TOKEN
+ - text:
+ credential-id: "{snyk-org-credential-id}"
+ variable: SNYK_ORG
+
+ #####################
+ # Job Configuration #
+ #####################
+
+ disabled: "{disable-job}"
+
+ builders:
+ - lf-infra-pre-build
+ - lf-maven-install:
+ mvn-version: "{mvn-version}"
+ - lf-update-java-alternatives:
+ java-version: "{java-version}"
+ - lf-provide-maven-settings:
+ global-settings-file: "{mvn-global-settings}"
+ settings-file: "{mvn-settings}"
+ - lf-maven-build:
+ mvn-goals: "{mvn-goals}"
+ - lf-infra-snyk-cli-scanner
+ - lf-provide-maven-settings-cleanup
+ - shell: 'find . -regex ".*karaf/target" | xargs rm -rf'
+
+- builder:
+ name: lf-infra-snyk-cli-scanner
+ # Download and run the Snyk CLI scanner
+ builders:
+ - shell: !include-raw-escape:
+ - ../shell/snyk-cli-scanner-run.sh
+
+- job-template:
+ name: "{project-name}-maven-snyk-cli-{stream}"
+ id: gerrit-maven-snyk-cli
+ <<: *lf_maven_common
+ # yamllint disable-line rule:key-duplicates
+ <<: *lf_maven_snyk_cli
+
+ scm:
+ - lf-infra-gerrit-scm:
+ jenkins-ssh-credential: "{jenkins-ssh-credential}"
+ git-url: "{git-url}"
+ refspec: "$GERRIT_REFSPEC"
+ branch: "$GERRIT_BRANCH"
+ submodule-recursive: "{submodule-recursive}"
+ submodule-timeout: "{submodule-timeout}"
+ submodule-disable: "{submodule-disable}"
+ choosing-strategy: default
+
+ triggers:
+ # Build weekly on Saturdays
+ - timed: "H H * * 6"
+ - gerrit:
+ server-name: "{gerrit-server-name}"
+ trigger-on: "{obj:gerrit_snyk_triggers}"
+ projects:
+ - project-compare-type: ANT
+ project-pattern: "{project}"
+ branches:
+ - branch-compare-type: ANT
+ branch-pattern: "**/{branch}"
+ skip-vote:
+ successful: true
+ failed: true
+ unstable: true
+ notbuilt: true
+
+- job-template:
+ name: "{project-name}-maven-snyk-cli-{stream}"
+ id: github-maven-snyk-cli
+ <<: *lf_maven_common
+ # yamllint disable-line rule:key-duplicates
+ <<: *lf_maven_snyk_cli
+
+ properties:
+ - lf-infra-properties:
+ build-days-to-keep: "{build-days-to-keep}"
+ - github:
+ url: "{github-url}/{github-org}/{project}"
+
+ scm:
+ - lf-infra-github-scm:
+ url: "{git-clone-url}{github-org}/{project}"
+ refspec: ""
+ branch: "refs/heads/{branch}"
+ submodule-recursive: "{submodule-recursive}"
+ submodule-timeout: "{submodule-timeout}"
+ submodule-disable: "{submodule-disable}"
+ choosing-strategy: default
+ jenkins-ssh-credential: "{jenkins-ssh-credential}"
+
+ triggers:
+ # Build weekly on Saturdays
+ - timed: "H H * * 6"
+ - github-pull-request:
+ trigger-phrase: "^run-snyk$"
+ only-trigger-phrase: true
+ status-context: "SNYK scan"
+ permit-all: true
+ github-hooks: true
+ org-list:
+ - "{github-org}"
+ white-list: "{obj:github_pr_allowlist}"
+ admin-list: "{obj:github_pr_admin_list}"
+ white-list-target-branches:
+ - "{branch}"
+
#########################
# Maven Javadoc Publish #
#########################
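Review bot: The github template's `github-pull-request` trigger sets `permit-all: true` together with `only-trigger-phrase: true`, which as I read ghprb's semantics lets any GitHub account comment `run-snyk` on a PR and have `mvn clean install` run on that PR's code while `SNYK_TOKEN`/`SNYK_ORG` are bound into the environment by `credentials-binding` and the project's `mvn-settings` credentials are provided by `lf-provide-maven-settings`; Maven executes plugins declared in the PR's pom, so an untrusted contributor can read those secrets. If the sibling templates in this file use `permit-all: true` the pattern is inherited, but this job additionally injects the Snyk API token, so I would set `permit-all: false` and rely on `admin-list`/`white-list`, or drop the PR trigger and keep only the weekly `timed` run. Two smaller points: the gerrit template has no `properties:` block, so `build-days-to-keep` (defaulted to 30 in the anchor while the docs hunk states 7) is never applied to it, unlike the github template's `lf-infra-properties`; and `name: lf-maven-snyk_cli` mixes an underscore into an otherwise hyphenated macro name.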
--- /dev/null
+#!/bin/bash -l
+# SPDX-License-Identifier: EPL-1.0
+##############################################################################
+# Copyright (c) 2023 The Linux Foundation and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+##############################################################################
+echo "---> snyk-cli-scanner-run.sh"
+
+# Add mvn to PATH so that the Snyk CLI can use it
+export PATH=$PATH:"$M2_HOME"/bin
+# Download and install the latest Snyk scanner
+echo "Installing Snyk (latest)..."
+curl https://static.snyk.io/cli/latest/snyk-linux -o snyk
+sudo chmod +x ./snyk
+sudo mv ./snyk /usr/local/bin/
+echo "Verifying Snyk version..."
+snyk --version
+echo "Authenticate with SNYK_TOKEN..."
+snyk auth "$SNYK_CLI"
+echo "Running Snyk CLI..."
+snyk test --json --severity-threshold=low --org="$SNYK_ORG"
+snyk monitor --severity-threshold=low --org="$SNYK_ORG"
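Review bot: `snyk auth "$SNYK_CLI"` passes a variable nothing sets — the job's credentials-binding exports `SNYK_TOKEN` — so auth runs with an empty argument, and `snyk auth <token>` would in any case persist the token into the CLI's config file on the shared build node when the CLI already reads `SNYK_TOKEN` from the environment, so the line should simply go. The install path is also a supply-chain weak spot: an unpinned `latest` binary is fetched without `-f` (an HTTP error body would be saved and then `chmod +x`ed), never checksum-verified, moved into `/usr/local/bin` via sudo and immediately executed with the API token in its environment. Without `set -e`, a non-zero exit from `snyk test` (findings, or a failed scan) is masked by the `snyk monitor` status that ends the script, and the `--json` report goes to the console instead of a file the job could archive. Rewritten install and scan section below; it assumes the `.sha256` Snyk publishes next to each release binary lists the file as `snyk-linux`, and whether findings should fail the build is a policy call, so the final `exit "$rc"` is a suggestion.

```shell
# … unchanged: shebang and license header …
set -euo pipefail
echo "---> snyk-cli-scanner-run.sh"

# Add mvn to PATH so that the Snyk CLI can use it (fail loudly if M2_HOME is unset)
export PATH="$PATH:${M2_HOME:?M2_HOME not set}/bin"

# Pin the CLI release and verify its published checksum before executing it
SNYK_VERSION="${SNYK_VERSION:-latest}"   # prefer a fixed version tag over "latest"
SNYK_URL="https://static.snyk.io/cli/${SNYK_VERSION}/snyk-linux"
echo "Installing Snyk ${SNYK_VERSION}..."
curl -fsSL --retry 3 "$SNYK_URL" -o snyk-linux
curl -fsSL --retry 3 "${SNYK_URL}.sha256" -o snyk-linux.sha256
sha256sum -c snyk-linux.sha256   # assumes the checksum file names "snyk-linux"
sudo install -m 0755 snyk-linux /usr/local/bin/snyk
rm -f snyk-linux snyk-linux.sha256
echo "Verifying Snyk version..."
snyk --version

# SNYK_TOKEN is read from the environment; no `snyk auth`, which would write the token to disk
echo "Running Snyk CLI..."
rc=0
snyk test --json --severity-threshold=low --org="$SNYK_ORG" > snyk-report.json || rc=$?
snyk monitor --severity-threshold=low --org="$SNYK_ORG"
exit "$rc"
```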