From 9e1349be0e1ef251b09fcb33748e952827a39192 Mon Sep 17 00:00:00 2001 From: Jessica Wagantall Date: Mon, 6 Mar 2023 16:41:08 -0800 Subject: [PATCH] Feat: Add Go Snyk CLI Scanner jobs Introduce Go Snyk CLI scanner jobs. These jobs can be triggered to download the latest version of Snyk's CLI scanner and trigger a scan for Go based repos. These jobs produce a report which is published into Snyk's dashboard. These reports are fetched and reflected back into the LFX Security tool. Issue: RELENG-4609 Signed-off-by: Jessica Wagantall Change-Id: Id1f80d255896b44977979322fae663da13c95287 --- .jjb-test/lf-go-jobs/go-jobs.yaml | 2 + docs/jjb/lf-go-jobs.rst | 39 ++++++ jjb/lf-go-jobs.yaml | 150 +++++++++++++++++++++ .../add-go-snyk-cli-scanner-7242dd3eb230fe2a.yaml | 6 + 4 files changed, 197 insertions(+) create mode 100644 releasenotes/notes/add-go-snyk-cli-scanner-7242dd3eb230fe2a.yaml diff --git a/.jjb-test/lf-go-jobs/go-jobs.yaml b/.jjb-test/lf-go-jobs/go-jobs.yaml index 7fb59d83..69dde4cc 100644 --- a/.jjb-test/lf-go-jobs/go-jobs.yaml +++ b/.jjb-test/lf-go-jobs/go-jobs.yaml @@ -2,6 +2,7 @@ - project: name: "gerrit-go-jobs" jobs: + - "gerrit-go-snyk-cli" - "gerrit-go-verify" project: go/project @@ -12,6 +13,7 @@ - project: name: "github-go-jobs" jobs: + - "gerrit-go-snyk-cli" - "github-go-verify" project: go/project diff --git a/docs/jjb/lf-go-jobs.rst b/docs/jjb/lf-go-jobs.rst index 020b6000..5dc105cc 100644 --- a/docs/jjb/lf-go-jobs.rst +++ b/docs/jjb/lf-go-jobs.rst 
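Review bot: The second hunk of .jjb-test/lf-go-jobs/go-jobs.yaml adds `- "gerrit-go-snyk-cli"` under the `github-go-jobs` project, but the GitHub template registered in jjb/lf-go-jobs.yaml has `id: github-go-snyk-cli`, so the test project renders the Gerrit template a second time and never exercises the GitHub one. The entry should read `- "github-go-snyk-cli"`, matching the `github-go-verify` line directly below it. The first hunk's `gerrit-go-snyk-cli` entry under `gerrit-go-jobs` is consistent with the Gerrit template's id.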
@@ -22,6 +22,45 @@ Common Jenkins configuration for Go jobs. Job Templates ============= +Go SNYK CLI +----------- + +Builds the code, downloads and runs a Snyk CLI scan of the code into the Snyk dashboard. + +:Template Names: + + - {project-name}-go-snyk-cli-{stream} + - gerrit-go-snyk-cli + - github-go-snyk-cli + +:Comment Trigger: run-snyk + +:Required parameters: + + :build-node: The node to run build on. + :jenkins-ssh-credential: Credential to use for SSH. (Generally configured in defaults.yaml) + :snyk-token-credential-id: Snyk API token to communicate with Jenkins. + :snyk-org-credential-id: Snyk organization ID. + +:Optional parameters: + + :branch: The branch to build against. (default: master) + :build-days-to-keep: Days to keep build logs in Jenkins. (default: 7) + :build-timeout: Timeout in minutes before aborting build. (default: 60) + :git-url: URL clone project from. (default: $GIT_URL/$PROJECT) + :java-version: Version of Java to use for the build. (default: openjdk11) + :snyk-cli-options: Additional Snyk CLI options. (default: '') + :stream: Keyword that represents a release code-name. + Often the same as the branch. (default: master) + :submodule-recursive: Whether to checkout submodules recursively. + (default: true) + :submodule-timeout: Timeout (in minutes) for checkout operation. + (default: 10) + :submodule-disable: Disable submodule checkout operation. + (default: false) + + :gerrit_snyk_triggers: Override Gerrit Triggers. + Go Verify --------- diff --git a/jjb/lf-go-jobs.yaml b/jjb/lf-go-jobs.yaml index 312b6ea8..dc1a7086 100644 --- a/jjb/lf-go-jobs.yaml +++ b/jjb/lf-go-jobs.yaml @@ -23,6 +23,12 @@ # Default parameters # ###################### + archive-artifacts: > + **/*.log + **/hs_err_*.log + **/target/**/feature.xml + **/target/failsafe-reports/failsafe-summary.xml + **/target/surefire-reports/*-output.txt branch: master build-days-to-keep: 7 build-timeout: 60 
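Review bot: The `archive-artifacts` default added to the Go common parameters in jjb/lf-go-jobs.yaml is a Maven-flavoured pattern list: `**/target/**/feature.xml`, `**/target/failsafe-reports/failsafe-summary.xml` and `**/target/surefire-reports/*-output.txt` are Maven report paths that a Go build is unlikely to produce, which makes the default misleading to readers of this file. Trimming it to `**/*.log` and `**/hs_err_*.log` (plus any Go-specific output paths the builders actually write) would state the real intent, and a comment such as `# Globs handed to ARCHIVE_ARTIFACTS for the logs server; keep Go-specific` above the key would explain why it lives in a Go defaults block. The defaults block this extends starts outside the hunk, so I could not confirm which anchor it belongs to.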
@@ -58,6 +64,150 @@ publishers: - lf-infra-publish +############### +# Go Snyk CLI # +############### + +- lf_go_snyk_cli: &lf_go_snyk_cli + name: lf-go-snyk_cli + + ###################### + # Default parameters # + ###################### + + branch: master + build-days-to-keep: 30 # 30 days for troubleshooting purposes + build-timeout: 60 + disable-job: false + git-url: "$GIT_URL/$PROJECT" + github-url: "https://github.com" + java-version: openjdk11 + mvn-version: mvn35 + snyk-cli-options: "" + snyk-token-credential-id: snyk-token + snyk-org-credential-id: snyk-org + stream: master + submodule-recursive: true + submodule-timeout: 10 + submodule-disable: false + + gerrit_snyk_triggers: + - comment-added-contains-event: + comment-contains-value: '^Patch Set\s+\d+:\s+run-snyk\s*$' + + parameters: + - lf-infra-parameters: + project: "{project}" + branch: "{branch}" + stream: "{stream}" + - string: + name: SNYK_CLI_OPTIONS + default: "{snyk-cli-options}" + description: Additional Snyk CLI commands and options + - string: + name: ARCHIVE_ARTIFACTS + default: "{archive-artifacts}" + description: Artifacts to archive to the logs server. 
+ + wrappers: + - credentials-binding: + - text: + credential-id: "{snyk-token-credential-id}" + variable: SNYK_TOKEN + - text: + credential-id: "{snyk-org-credential-id}" + variable: SNYK_ORG + + ##################### + # Job Configuration # + ##################### + + disabled: "{disable-job}" + + builders: + - lf-infra-pre-build + - lf-update-java-alternatives: + java-version: "{java-version}" + - lf-go-test: + go-root: "{go-root}" + - lf-infra-snyk-cli-scanner + +- job-template: + name: "{project-name}-go-snyk-cli-{stream}" + id: gerrit-go-snyk-cli + <<: *lf_go_common + # yamllint disable-line rule:key-duplicates + <<: *lf_go_snyk_cli + + scm: + - lf-infra-gerrit-scm: + jenkins-ssh-credential: "{jenkins-ssh-credential}" + git-url: "{git-url}" + refspec: "$GERRIT_REFSPEC" + branch: "$GERRIT_BRANCH" + submodule-recursive: "{submodule-recursive}" + submodule-timeout: "{submodule-timeout}" + submodule-disable: "{submodule-disable}" + choosing-strategy: default + + triggers: + # Build weekly on Saturdays + - timed: "H H * * 6" + - gerrit: + server-name: "{gerrit-server-name}" + trigger-on: "{obj:gerrit_snyk_triggers}" + projects: + - project-compare-type: ANT + project-pattern: "{project}" + branches: + - branch-compare-type: ANT + branch-pattern: "**/{branch}" + skip-vote: + successful: true + failed: true + unstable: true + notbuilt: true + +- job-template: + name: "{project-name}-go-snyk-cli-{stream}" + id: github-go-snyk-cli + <<: *lf_go_common + # yamllint disable-line rule:key-duplicates + <<: *lf_go_snyk_cli + + properties: + - lf-infra-properties: + build-days-to-keep: "{build-days-to-keep}" + - github: + url: "{github-url}/{github-org}/{project}" + + scm: + - lf-infra-github-scm: + url: "{git-clone-url}{github-org}/{project}" + refspec: "" + branch: "refs/heads/{branch}" + submodule-recursive: "{submodule-recursive}" + submodule-timeout: "{submodule-timeout}" + submodule-disable: "{submodule-disable}" + choosing-strategy: default + jenkins-ssh-credential: 
"{jenkins-ssh-credential}" + + triggers: + # Build weekly on Saturdays + - timed: "H H * * 6" + - github-pull-request: + trigger-phrase: "^run-snyk$" + only-trigger-phrase: true + status-context: "SNYK scan" + permit-all: true + github-hooks: true + org-list: + - "{github-org}" + white-list: "{obj:github_pr_allowlist}" + admin-list: "{obj:github_pr_admin_list}" + white-list-target-branches: + - "{branch}" + ############# # Go Verify # ############# diff --git a/releasenotes/notes/add-go-snyk-cli-scanner-7242dd3eb230fe2a.yaml b/releasenotes/notes/add-go-snyk-cli-scanner-7242dd3eb230fe2a.yaml new file mode 100644 index 00000000..bb8de0fe --- /dev/null +++ b/releasenotes/notes/add-go-snyk-cli-scanner-7242dd3eb230fe2a.yaml @@ -0,0 +1,6 @@ +--- +features: + Introduce Go Snyk CLI scanner jobs. These jobs can be triggered to download the + latest version of Snyk's CLI scanner and trigger a scan for Go based repos. These + jobs produce a report which is published into Snyk's dashboard. These reports are + fetched and reflected back into the LFX Security tool. -- 2.16.6