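// Declarative Jenkins pipeline for password-vault: tool precheck, Ant build with a
// recorded SHA-256 of the built classes, CycloneDX SBOM generation/analysis,
// OWASP Dependency-Check (SCA) and a SonarQube scan (SAST).
pipeline {
    agent any
    stages {
        stage('Precheck') {
            steps {
                echo '*** Preliminary steps ***'
                echo 'Checking tool versions does two things:'
                echo ' * Documents versions used for this run'
                echo ' * Shows that the tools are installed and work'
                sh 'echo Jenkins version: `jenkins --version`'
            }
        }
        // did this in Jenkins
        // stage('Clone') {
        //     steps {
        //         git 'https://github.com/xenloops/password-vault'
        //     }
        // }
        stage('Build') {
            steps {
                echo '*** Building the project ***'
                sh 'echo ant version: `ant -version`'
                sh 'ant compile jar' //works
                //sh 'ant clean compile'
                // Super secret service account creds:
                echo '*** These credentials stored securely in Jenkins ***'
                // The sh commands below use single-quoted Groovy strings on purpose:
                // the shell expands $USERNAME/$PASSWORD at run time. Groovy
                // interpolation ("$PASSWORD") would bake the secret into the command
                // line and the pipeline's own log before masking can apply.
                withCredentials(
                    [usernamePassword(
                        credentialsId: 'test_service_account',
                        usernameVariable: 'USERNAME',
                        passwordVariable: 'PASSWORD')
                    ])
                {
                    sh 'echo "Username: $USERNAME"'
                    // Do not print the password: console masking only covers this
                    // step's log, not copies that end up in files or other sinks.
                    sh 'echo "Password: (bound to PASSWORD, not printed)"'
                }
                echo '*** Generating hash ***'
                sh 'tar -zcf binaries.tar.gz build/classes/passvault'
                sh 'echo shasum version: `shasum --version`'
                sh 'shasum -a 256 binaries.tar.gz > binaries.hash'
                // Keep the archive next to its digest before removing it from the
                // workspace; otherwise the recorded hash has nothing to be checked
                // against later (the tarball is not reproducible byte-for-byte).
                archiveArtifacts artifacts: 'binaries.tar.gz, binaries.hash', fingerprint: true
                sh 'rm binaries.tar.gz'
                echo 'Hash of binary files:'
                sh 'cat binaries.hash'
                echo 'Still need to compare with independent hash!'
                echo 'We\'ll leave that for a homework assignment. :)'
            }
        }
        stage('SBOM') {
            steps {
                echo '*** Generating SBOM ***'
                sh 'echo CycloneDX cdxgen version: `cdxgen --version`'
                sh 'cdxgen -o password-vault-bom.json'
                echo '*** Checking SBOM ***'
                sh 'cyclonedx analyze --input-file password-vault-bom.json'
                echo '*** Should really also sign the SBOM ***'
            }
        }
        stage ('SCA') {
            steps {
                echo '*** Checking dependencies ***'
                // NOTE(review): -s points at the Java sources. Dependency-Check
                // identifies vulnerable libraries from packaged dependencies (jars),
                // so the library directory (dist/lib, per the SAST stage below) is
                // probably the intended scan path — confirm against the Ant layout.
                dependencyCheck additionalArguments: '''
                    -o .
                    -s src/passvault
                    -f ALL
                    --prettyPrint''', odcInstallation: 'SCA: Dependency-Check'
                dependencyCheckPublisher pattern: 'dependency-check-report.xml'
            }
        }
        stage('SAST') {
            environment {
                SCANNER_HOME = tool 'SonarQube Scanner'
                PROJECT_KEY = 'password-vault'
            }
            steps {
                echo '*** Scanning the code...'
                // test command here
                // The build does not wait for the quality gate, so a failing gate
                // does not fail the build; a waitForQualityGate() step after this
                // block would make the gate enforceable.
                withSonarQubeEnv('SonarQube server') {
                    // sonar.language is deprecated (languages are auto-detected) and
                    // is kept here only for compatibility with older servers.
                    sh '''$SCANNER_HOME/bin/sonar-scanner \
                        -Dsonar.projectKey=$PROJECT_KEY \
                        -Dsonar.projectName='Project analyzed by SonarQube' \
                        -Dsonar.projectVersion=1.0 \
                        -Dsonar.sources=src \
                        -Dsonar.language=java \
                        -Dsonar.sourceEncoding=UTF-8 \
                        -Dsonar.java.binaries=build/classes/passvault \
                        -Dsonar.java.libraries=dist/lib
                    '''
                }
            }
        }
    }
}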