From 5f32d861578702e12e8ac05e74b106df2d1a6e71 Mon Sep 17 00:00:00 2001
From: Jessica Wagantall
Date: Wed, 1 Mar 2023 18:30:13 -0800
Subject: [PATCH] Feat: Add Maven Snyk CLI Scanner
Introduce Maven Snyk CLI scanner jobs. These jobs can be triggered to download the latest version of Snyk's CLI scanner and trigger a scan for Maven based repos. These jobs produce a report which is published into Snyk's dashboard. These reports are fetched and reflected back into the LFX Security tool.
Issue: RELENG-4609
Signed-off-by: Jessica Wagantall
Change-Id: I183bd1e8d22caa832b04b7d1d5b078b0a8946285
---
 .jjb-test/lf-maven-jobs.yaml | 2 +
 docs/jjb/lf-maven-jobs.rst | 56 +++++++
 jjb/lf-maven-jobs.yaml | 161 +++++++++++++++++++++
 ...dd-maven-snyk-cli-scanner-036090df9fa42a17.yaml | 7 +
 shell/snyk-cli-scanner-run.sh | 26 ++++
 5 files changed, 252 insertions(+)
 create mode 100644 releasenotes/notes/add-maven-snyk-cli-scanner-036090df9fa42a17.yaml
 create mode 100644 shell/snyk-cli-scanner-run.sh
diff --git a/.jjb-test/lf-maven-jobs.yaml b/.jjb-test/lf-maven-jobs.yaml
index 87637662..970e383e 100644
--- a/.jjb-test/lf-maven-jobs.yaml
+++ b/.jjb-test/lf-maven-jobs.yaml
@@ -6,6 +6,7 @@
 - gerrit-maven-javadoc-publish
 - gerrit-maven-javadoc-verify
 - gerrit-maven-merge
+ - gerrit-maven-snyk-cli
 - gerrit-maven-sonar
 - gerrit-maven-sonar-verify
 - gerrit-maven-stage
@@ -26,6 +27,7 @@
 - github-maven-javadoc-publish
 - github-maven-javadoc-verify
 - github-maven-merge
+ - gerrit-maven-snyk-cli
 - github-maven-sonar
 - github-maven-stage
 - github-maven-verify
diff --git a/docs/jjb/lf-maven-jobs.rst b/docs/jjb/lf-maven-jobs.rst
index c9208a18..be166c16 100644
--- a/docs/jjb/lf-maven-jobs.rst
+++ b/docs/jjb/lf-maven-jobs.rst
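Review bot: The second hunk of .jjb-test/lf-maven-jobs.yaml (`@@ -26,6 +27,7 @@`) adds `gerrit-maven-snyk-cli` into the github block of the fixture, where every neighbouring entry is `github-maven-*`; this reads as a copy of the first hunk, and it means the new `github-maven-snyk-cli` template id declared in jjb/lf-maven-jobs.yaml is never expanded by the test. The line should read `- github-maven-snyk-cli`. The gerrit entry added by the first hunk is correct.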
@@ -104,6 +104,16 @@ lf-infra-sonatype-clm
 Runs a Sonatype CLM scan against a Maven project and pushes results to Nexus IQ server.
+:Optional parameters:
+ :mvn-goals: The maven goals to perform for the build.
+ (default: clean install)
+
+lf-infra-snyk-cli-scanner
+-------------------------
+
+Downloads the latest Snyk CLI and triggers a code scan. It publishes a report into
+the Snyk dashboard.
+
 :Optional parameters:
 :mvn-goals: The maven goals to perform for the build.
 (default: clean install)
@@ -170,6 +180,52 @@ Produces a CLM scan of the code into Nexus IQ Server.
 :gerrit_merge_triggers: Override Gerrit Triggers.
+Maven SNYK CLI
+--------------
+
+Builds the code, downloads and runs a Snyk CLI scan of the code into the Snyk dashboard.
+
+:Template Names:
+
+ - {project-name}-maven-snyk-cli-{stream}
+ - gerrit-maven-snyk-cli
+ - github-maven-snyk-cli
+
+:Comment Trigger: run-snyk
+
+:Required parameters:
+
+ :build-node: The node to run build on.
+ :jenkins-ssh-credential: Credential to use for SSH. (Generally configured in defaults.yaml)
+ :mvn-settings: The name of settings file containing credentials for the project.
+ :snyk-token-credential-id: Snyk API token to communicate with Jenkins.
+ :snyk-org-credential-id: Snyk organization ID.
+
+:Optional parameters:
+
+ :branch: The branch to build against. (default: master)
+ :build-days-to-keep: Days to keep build logs in Jenkins. (default: 7)
+ :build-timeout: Timeout in minutes before aborting build. (default: 60)
+ :git-url: URL clone project from. (default: $GIT_URL/$PROJECT)
+ :java-version: Version of Java to use for the build. (default: openjdk11)
+ :mvn-global-settings: The name of the Maven global settings to use for
+ Maven configuration. (default: global-settings)
+ :mvn-goals: The maven goals to perform for the build.
+ (default: clean install)
+ :mvn-opts: Sets MAVEN_OPTS to start up the JVM running Maven. (default: '')
+ :mvn-params: Parameters to pass to the mvn CLI. (default: '')
+ :mvn-version: Version of maven to use. (default: mvn35)
+ :stream: Keyword that represents a release code-name.
+ Often the same as the branch. (default: master)
+ :submodule-recursive: Whether to checkout submodules recursively.
+ (default: true)
+ :submodule-timeout: Timeout (in minutes) for checkout operation.
+ (default: 10)
+ :submodule-disable: Disable submodule checkout operation.
+ (default: false)
+
+ :gerrit_snyk_triggers: Override Gerrit Triggers.
+
 Maven JavaDoc Publish
 ---------------------
diff --git a/jjb/lf-maven-jobs.yaml b/jjb/lf-maven-jobs.yaml
index e4a3442b..73a4744f 100644
--- a/jjb/lf-maven-jobs.yaml
+++ b/jjb/lf-maven-jobs.yaml
@@ -293,6 +293,167 @@
 white-list-target-branches:
 - "{branch}"
+##################
+# Maven Snyk CLI #
+##################
+
+- lf_maven_snyk_cli: &lf_maven_snyk_cli
+ name: lf-maven-snyk_cli
+
+ ######################
+ # Default parameters #
+ ######################
+
+ branch: master
+ build-days-to-keep: 30 # 30 days for troubleshooting purposes
+ build-timeout: 60
+ disable-job: false
+ git-url: "$GIT_URL/$PROJECT"
+ github-url: "https://github.com"
+ java-version: openjdk11
+ mvn-global-settings: global-settings
+ mvn-goals: clean install
+ mvn-opts: ""
+ mvn-params: ""
+ mvn-version: mvn35
+ snyk-token-credential-id: snyk-token
+ snyk-org-credential-id: snyk-org
+ stream: master
+ submodule-recursive: true
+ submodule-timeout: 10
+ submodule-disable: false
+
+ gerrit_snyk_triggers:
+ - comment-added-contains-event:
+ comment-contains-value: '^Patch Set\s+\d+:\s+run-snyk\s*$'
+
+ parameters:
+ - lf-infra-parameters:
+ project: "{project}"
+ branch: "{branch}"
+ stream: "{stream}"
+ - lf-infra-maven-parameters:
+ mvn-opts: "{mvn-opts}"
+ mvn-params: "{mvn-params}"
+ mvn-version: "{mvn-version}"
+ - string:
+ name: ARCHIVE_ARTIFACTS
+ default: "{archive-artifacts}"
+ description: Artifacts to archive to the logs server.
+
+ wrappers:
+ - credentials-binding:
+ - text:
+ credential-id: "{snyk-token-credential-id}"
+ variable: SNYK_TOKEN
+ - text:
+ credential-id: "{snyk-org-credential-id}"
+ variable: SNYK_ORG
+
+ #####################
+ # Job Configuration #
+ #####################
+
+ disabled: "{disable-job}"
+
+ builders:
+ - lf-infra-pre-build
+ - lf-maven-install:
+ mvn-version: "{mvn-version}"
+ - lf-update-java-alternatives:
+ java-version: "{java-version}"
+ - lf-provide-maven-settings:
+ global-settings-file: "{mvn-global-settings}"
+ settings-file: "{mvn-settings}"
+ - lf-maven-build:
+ mvn-goals: "{mvn-goals}"
+ - lf-infra-snyk-cli-scanner
+ - lf-provide-maven-settings-cleanup
+ - shell: 'find . -regex ".*karaf/target" | xargs rm -rf'
+
+- builder:
+ name: lf-infra-snyk-cli-scanner
+ # Download and run the Snyk CLI scanner
+ builders:
+ - shell: !include-raw-escape:
+ - ../shell/snyk-cli-scanner-run.sh
+
+- job-template:
+ name: "{project-name}-maven-snyk-cli-{stream}"
+ id: gerrit-maven-snyk-cli
+ <<: *lf_maven_common
+ # yamllint disable-line rule:key-duplicates
+ <<: *lf_maven_snyk_cli
+
+ scm:
+ - lf-infra-gerrit-scm:
+ jenkins-ssh-credential: "{jenkins-ssh-credential}"
+ git-url: "{git-url}"
+ refspec: "$GERRIT_REFSPEC"
+ branch: "$GERRIT_BRANCH"
+ submodule-recursive: "{submodule-recursive}"
+ submodule-timeout: "{submodule-timeout}"
+ submodule-disable: "{submodule-disable}"
+ choosing-strategy: default
+
+ triggers:
+ # Build weekly on Saturdays
+ - timed: "H H * * 6"
+ - gerrit:
+ server-name: "{gerrit-server-name}"
+ trigger-on: "{obj:gerrit_snyk_triggers}"
+ projects:
+ - project-compare-type: ANT
+ project-pattern: "{project}"
+ branches:
+ - branch-compare-type: ANT
+ branch-pattern: "**/{branch}"
+ skip-vote:
+ successful: true
+ failed: true
+ unstable: true
+ notbuilt: true
+
+- job-template:
+ name: "{project-name}-maven-snyk-cli-{stream}"
+ id: github-maven-snyk-cli
+ <<: *lf_maven_common
+ # yamllint disable-line rule:key-duplicates
+ <<: *lf_maven_snyk_cli
+
+ properties:
+ - lf-infra-properties:
+ build-days-to-keep: "{build-days-to-keep}"
+ - github:
+ url: "{github-url}/{github-org}/{project}"
+
+ scm:
+ - lf-infra-github-scm:
+ url: "{git-clone-url}{github-org}/{project}"
+ refspec: ""
+ branch: "refs/heads/{branch}"
+ submodule-recursive: "{submodule-recursive}"
+ submodule-timeout: "{submodule-timeout}"
+ submodule-disable: "{submodule-disable}"
+ choosing-strategy: default
+ jenkins-ssh-credential: "{jenkins-ssh-credential}"
+
+ triggers:
+ # Build weekly on Saturdays
+ - timed: "H H * * 6"
+ - github-pull-request:
+ trigger-phrase: "^run-snyk$"
+ only-trigger-phrase: true
+ status-context: "SNYK scan"
+ permit-all: true
+ github-hooks: true
+ org-list:
+ - "{github-org}"
+ white-list: "{obj:github_pr_allowlist}"
+ admin-list: "{obj:github_pr_admin_list}"
+ white-list-target-branches:
+ - "{branch}"
+
 ######################### # Maven Javadoc Publish # #########################
diff --git a/releasenotes/notes/add-maven-snyk-cli-scanner-036090df9fa42a17.yaml b/releasenotes/notes/add-maven-snyk-cli-scanner-036090df9fa42a17.yaml
new file mode 100644
index 00000000..2c0db0b4
--- /dev/null
+++ b/releasenotes/notes/add-maven-snyk-cli-scanner-036090df9fa42a17.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - |
+ Introduce Maven Snyk CLI scanner jobs. These jobs can be triggered to download the
+ latest version of Snyk's CLI scanner and trigger a scan for Maven based repos. These
+ jobs produce a report which is published into Snyk's dashboard. These reports are
+ fetched and reflected back into the LFX Security tool.
diff --git a/shell/snyk-cli-scanner-run.sh b/shell/snyk-cli-scanner-run.sh
new file mode 100644
index 00000000..63ba1cd3
--- /dev/null
+++ b/shell/snyk-cli-scanner-run.sh
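Review bot: The `wrappers:` list in the `lf_maven_snyk_cli` anchor is merged into both job-templates through a second `<<:` after `<<: *lf_maven_common`, and YAML merge keys are shallow, so if `lf_maven_common` (outside this hunk) also defines `wrappers` — the shared `lf-infra-wrappers` entry carrying `build-timeout` and `jenkins-ssh-credential` — the two lists do not combine and one replaces the other: the snyk jobs either lose the build timeout and ssh agent or lose the token binding; if so, re-declare that entry at the top of this `wrappers:` list, as `- lf-infra-wrappers:` / `build-timeout: "{build-timeout}"` / `jenkins-ssh-credential: "{jenkins-ssh-credential}"`, the way the other credential-binding anchors in this file appear to. The default `build-days-to-keep: 30` here disagrees with the docs hunk in docs/jjb/lf-maven-jobs.rst, which documents `(default: 7)`; one of the two should change. Also note that `permit-all: true` on the github-pull-request trigger lets any GitHub account start this credentialed scan by commenting `run-snyk`; the SCM checks out `refs/heads/{branch}` rather than the PR head, so PR code is not executed, but if that was not intended the trigger should be gated on the allow/admin lists alone.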
@@ -0,0 +1,26 @@
+#!/bin/bash -l
+# SPDX-License-Identifier: EPL-1.0
+##############################################################################
+# Copyright (c) 2023 The Linux Foundation and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+##############################################################################
+echo "---> snyk-cli-scanner-run.sh"
+
+# Add mvn to PATH so that the Snyk CLI can use it
+export PATH=$PATH:"$M2_HOME"/bin
+# Download and install the latest Snyk scanner
+echo "Installing Snyk (latest)..."
+curl https://static.snyk.io/cli/latest/snyk-linux -o snyk
+sudo chmod +x ./snyk
+sudo mv ./snyk /usr/local/bin/
+echo "Verifying Snyk version..."
+snyk --version
+echo "Authenticate with SNYK_TOKEN..."
+snyk auth "$SNYK_CLI"
+echo "Running Snyk CLI..."
+snyk test --json --severity-threshold=low --org="$SNYK_ORG"
+snyk monitor --severity-threshold=low --org="$SNYK_ORG"
-- 
2.16.6
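Review bot: `snyk auth "$SNYK_CLI"` reads a variable nothing sets — the credentials-binding in jjb/lf-maven-jobs.yaml exports the token as `SNYK_TOKEN`, as the echo on the previous line also says — so the auth step runs with an empty argument and the scan only works if the CLI happens to pick up `SNYK_TOKEN` from the environment on its own; the line should be `snyk auth "$SNYK_TOKEN"`. The install step is unguarded too: without `set -euo pipefail` and `curl -f`, an HTTP error page is saved as `snyk`, made executable and moved into `/usr/local/bin` with sudo, and an unpinned "latest" binary is installed on every run with no integrity check, although Snyk publishes a companion `.sha256` for the binary that can be verified before the move (`chmod` does not need sudo on a file the job itself downloaded). With `set -e` in place, `snyk test` exiting non-zero on findings would skip `snyk monitor`, so its status has to be captured explicitly to keep the dashboard upload. Rewritten install, auth and scan lines below.
```shell
set -euo pipefail
# … unchanged: banner echo and PATH export …
echo "Installing Snyk (latest)..."
curl -fsSL https://static.snyk.io/cli/latest/snyk-linux -o snyk
curl -fsSL https://static.snyk.io/cli/latest/snyk-linux.sha256 -o snyk.sha256
# The name recorded in the checksum file may differ from the local filename, so compare the digest directly.
echo "$(cut -d' ' -f1 snyk.sha256)  snyk" | sha256sum -c -
chmod +x ./snyk
sudo mv ./snyk /usr/local/bin/
# … unchanged: version check …
echo "Authenticate with SNYK_TOKEN..."
snyk auth "$SNYK_TOKEN"
echo "Running Snyk CLI..."
# snyk test exits non-zero when it reports issues; keep going so the dashboard upload still runs.
snyk test --json --severity-threshold=low --org="$SNYK_ORG" || echo "snyk test exited with status $?"
snyk monitor --severity-threshold=low --org="$SNYK_ORG"
```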