From a5d271b0e9219ad7fc080856a22fbf56bbbc62fb Mon Sep 17 00:00:00 2001 From: Marek Novotny Date: Mon, 11 Sep 2023 14:45:22 +0200 Subject: [PATCH 1/7] [GH-15736] Run Prisma Scan Pipeline also on Main Standalone Jar --- docker/prisma/Dockerfile.mainjars | 2 + ...file.scanningjars => Dockerfile.steamjars} | 0 .../jenkinsfiles/Jenkinsfile-PrismaScan | 89 ++++++++++--------- 3 files changed, 47 insertions(+), 44 deletions(-) create mode 100644 docker/prisma/Dockerfile.mainjars rename docker/prisma/{Dockerfile.scanningjars => Dockerfile.steamjars} (100%) diff --git a/docker/prisma/Dockerfile.mainjars b/docker/prisma/Dockerfile.mainjars new file mode 100644 index 000000000000..c9eff19411b5 --- /dev/null +++ b/docker/prisma/Dockerfile.mainjars @@ -0,0 +1,2 @@ +FROM alpine:latest +COPY ./h2o-assemblies/main/build/libs/*.jar /tmp/ diff --git a/docker/prisma/Dockerfile.scanningjars b/docker/prisma/Dockerfile.steamjars similarity index 100% rename from docker/prisma/Dockerfile.scanningjars rename to docker/prisma/Dockerfile.steamjars diff --git a/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan b/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan index fd5eebaa8161..91f42584da03 100644 --- a/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan +++ b/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan 
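Review bot: `FROM alpine:latest` leaves the base of the new scan image unpinned, so two scans of the same main jar can report different findings as the `latest` tag moves, and Alpine package findings are mixed into what is meant to be a report on the jar itself. Pinning the tag and digest, e.g. `FROM alpine:<VERSION>@sha256:<DIGEST>` (placeholder values), makes the scan reproducible; since nothing in this image is ever executed, `FROM scratch` would remove the base-image noise entirely if the Prisma scanner accepts an image without a distribution layer. The renamed `Dockerfile.steamjars` is not shown in this patch, so whether it has the same unpinned base cannot be checked here.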
@@ -3,15 +3,49 @@ @Library('test-shared-library') _ def dockerImage -def branchOrTag -def steamImage -pipeline { - agent { node { label 'linux&&docker' } } +def setScanningStages(assemblyType, startingStageIndex) { + def assemblyImage + stage("${startingStageIndex}. Scan ${assemblyType} jar using Prisma"){ + steps { + script{ + branchName = "${env.BRANCH_NAME}".replace('/','-') + assemblyImage = "h2o-assemblies/${assemblyType}:${BUILD_NUMBER}-${branchName}" + + sh "docker build . -t ${assemblyImage} -f ./docker/prisma/Dockerfile.${assemblyType}jars" + + // scan the image + prismaCloudScanImage ca: '', + cert: '', + dockerAddress: 'unix:///var/run/docker.sock', + image: "${assemblyImage}", + key: '', + logLevel: 'info', + podmanPath: '', + project: '', + resultsFile: "prisma-${assemblyType}-scan-results.json", + ignoreImageBuildTime:true + } - parameters { - string(name: 'BRANCH_OR_TAG', defaultValue: 'master', description: 'Enter branch or tag you want to scan.') + } } + stage("${startingStageIndex + 1}. Export results for ${assemblyType} jar to CSV"){ + steps{ + withCredentials([usernamePassword(credentialsId: 'twistlock_credentials', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) { + sh "curl -k -u \$USERNAME:\$PASSWORD https://mr-0xz1:8083/api/v1/scans/download?search=${assemblyImage} > ${assemblyImage}.csv" + } + archiveArtifacts artifacts: "${assemblyImage}.csv" + } + } + stage("${startingStageIndex + 2}. Publish report for ${assemblyType} jar"){ + steps{ + prismaCloudPublish resultsFilePattern: "prisma-${assemblyType}-scan-results.json" + } + } +} + +pipeline { + agent { node { label 'linux&&docker' } } options { ansiColor('xterm') 
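Review bot: The curl line in the new export stage, `sh "curl -k -u \$USERNAME:\$PASSWORD https://mr-0xz1:8083/api/v1/scans/download?search=${assemblyImage} > ${assemblyImage}.csv"`, still disables certificate verification with `-k` while sending the `twistlock_credentials` basic-auth pair, so the credentials go to an endpoint whose identity is never checked; the same line is carried unchanged into the rewrites in patches 2, 4 and 6. Replacing `-k` with `--cacert <path-to-internal-CA.pem>` (placeholder path) and quoting the interpolated values, `-u \"\$USERNAME:\$PASSWORD\" 'https://mr-0xz1:8083/api/v1/scans/download?search=${assemblyImage}' > '${assemblyImage}.csv'`, closes that gap without changing what is fetched. `branchName` is assigned without `def`, so it becomes a script-global that both invocations of the helper overwrite; `def branchName = "${env.BRANCH_NAME}".replace('/','-')` keeps it local. Because the `BRANCH_OR_TAG` parameter is removed here, `"${env.BRANCH_NAME}"` evaluates to the literal string `null` in a job that is not multibranch, giving image tags that end in `-null`; a guard that fails the build when `env.BRANCH_NAME` is empty would surface that early. The `pipeline {` block opened at the end of this hunk continues past it.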
@@ -29,53 +63,20 @@ pipeline { } } - stage('1. Build jar') { + stage('1. Build jars') { steps { script{ dockerImage.inside(){ sh "./gradlew :h2o-assemblies:steam:shadowJar" + sh "./gradlew :h2o-assemblies:main:shadowJar" archiveArtifacts artifacts: "h2o-assemblies/steam/build/libs/*.jar" + archiveArtifacts artifacts: "h2o-assemblies/main/build/libs/*.jar" } } } } - stage('2. Scan jar using Prisma'){ - steps { - script{ - branchOrTag = "${BRANCH_OR_TAG}".replace('/','-') - steamImage = "h2o-assemblies/steam:${BUILD_NUMBER}-${branchOrTag}" - - sh "docker build . -t ${steamImage} -f ./docker/prisma/Dockerfile.scanningjars" - - // scan the image - prismaCloudScanImage ca: '', - cert: '', - dockerAddress: 'unix:///var/run/docker.sock', - image: "${steamImage}", - key: '', - logLevel: 'info', - podmanPath: '', - project: '', - resultsFile: 'prisma-cloud-scan-results.json', - ignoreImageBuildTime:true - } - - } - } - stage('3. Export results to CSV'){ - steps{ - withCredentials([usernamePassword(credentialsId: 'twistlock_credentials', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) { - sh "curl -k -u \$USERNAME:\$PASSWORD https://mr-0xz1:8083/api/v1/scans/download?search=${steamImage} > ${steamImage}.csv" - } - archiveArtifacts artifacts: "${steamImage}.csv" - } - } - stage('4. Publish report'){ - steps{ - prismaCloudPublish resultsFilePattern: 'prisma-cloud-scan-results.json' - } - } - + setScanningStages("steam", 2) + setScanningStages("main", 5) } post { From c78e699d7d682166198b77b7811039b60cc31e7c Mon Sep 17 00:00:00 2001 From: Marek Novotny Date: Mon, 11 Sep 2023 15:05:33 +0200 Subject: [PATCH 2/7] Add return statement --- .../jenkinsfiles/Jenkinsfile-PrismaScan | 60 ++++++++++--------- 1 file changed, 31 insertions(+), 29 deletions(-) diff --git a/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan b/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan index 91f42584da03..bf37de42d301 100644 --- a/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan 
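Review bot: The build stage now runs Gradle twice in a row, `sh "./gradlew :h2o-assemblies:steam:shadowJar"` followed by the added `sh "./gradlew :h2o-assemblies:main:shadowJar"`, which pays Gradle's startup and configuration cost twice for one build; a single `sh "./gradlew :h2o-assemblies:steam:shadowJar :h2o-assemblies:main:shadowJar"` yields the same two jars in one run. The two `archiveArtifacts` calls can likewise be one call with a comma-separated pattern. The `stages {` block that contains this stage begins before the hunk.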
+++ b/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan 
@@ -5,41 +5,43 @@ def dockerImage def setScanningStages(assemblyType, startingStageIndex) { - def assemblyImage - stage("${startingStageIndex}. Scan ${assemblyType} jar using Prisma"){ - steps { - script{ - branchName = "${env.BRANCH_NAME}".replace('/','-') - assemblyImage = "h2o-assemblies/${assemblyType}:${BUILD_NUMBER}-${branchName}" + return { + def assemblyImage + stage("${startingStageIndex}. Scan ${assemblyType} jar using Prisma") { + steps { + script { + branchName = "${env.BRANCH_NAME}".replace('/', '-') + assemblyImage = "h2o-assemblies/${assemblyType}:${BUILD_NUMBER}-${branchName}" - sh "docker build . -t ${assemblyImage} -f ./docker/prisma/Dockerfile.${assemblyType}jars" + sh "docker build . -t ${assemblyImage} -f ./docker/prisma/Dockerfile.${assemblyType}jars" - // scan the image - prismaCloudScanImage ca: '', - cert: '', - dockerAddress: 'unix:///var/run/docker.sock', - image: "${assemblyImage}", - key: '', - logLevel: 'info', - podmanPath: '', - project: '', - resultsFile: "prisma-${assemblyType}-scan-results.json", - ignoreImageBuildTime:true - } + // scan the image + prismaCloudScanImage ca: '', + cert: '', + dockerAddress: 'unix:///var/run/docker.sock', + image: "${assemblyImage}", + key: '', + logLevel: 'info', + podmanPath: '', + project: '', + resultsFile: "prisma-${assemblyType}-scan-results.json", + ignoreImageBuildTime: true + } + } } - } - stage("${startingStageIndex + 1}. Export results for ${assemblyType} jar to CSV"){ - steps{ - withCredentials([usernamePassword(credentialsId: 'twistlock_credentials', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) { - sh "curl -k -u \$USERNAME:\$PASSWORD https://mr-0xz1:8083/api/v1/scans/download?search=${assemblyImage} > ${assemblyImage}.csv" + stage("${startingStageIndex + 1}. 
Export results for ${assemblyType} jar to CSV") { + steps { + withCredentials([usernamePassword(credentialsId: 'twistlock_credentials', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) { + sh "curl -k -u \$USERNAME:\$PASSWORD https://mr-0xz1:8083/api/v1/scans/download?search=${assemblyImage} > ${assemblyImage}.csv" + } + archiveArtifacts artifacts: "${assemblyImage}.csv" } - archiveArtifacts artifacts: "${assemblyImage}.csv" } - } - stage("${startingStageIndex + 2}. Publish report for ${assemblyType} jar"){ - steps{ - prismaCloudPublish resultsFilePattern: "prisma-${assemblyType}-scan-results.json" + stage("${startingStageIndex + 2}. Publish report for ${assemblyType} jar") { + steps { + prismaCloudPublish resultsFilePattern: "prisma-${assemblyType}-scan-results.json" + } } } } From acce870a80a78fffda29a04fa95df9f425f81830 Mon Sep 17 00:00:00 2001 From: Marek Novotny Date: Mon, 11 Sep 2023 15:08:54 +0200 Subject: [PATCH 3/7] Add composite stage --- scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan b/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan index bf37de42d301..3bd860f9c23c 100644 --- a/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan +++ b/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan @@ -77,8 +77,10 @@ pipeline { } } } - setScanningStages("steam", 2) - setScanningStages("main", 5) + stage("Scanning stages") { + setScanningStages("steam", 2) + setScanningStages("main", 5) + } } post { From fc6020ba4c69c647ee4b08fd038704ab073d2c92 Mon Sep 17 00:00:00 2001 From: Marek Novotny Date: Mon, 11 Sep 2023 15:14:20 +0200 Subject: [PATCH 4/7] Remove return statement --- .../jenkinsfiles/Jenkinsfile-PrismaScan | 61 +++++++++---------- 1 file changed, 29 insertions(+), 32 deletions(-) 
diff --git a/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan b/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan index 3bd860f9c23c..31231e82f683 100644 --- a/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan +++ b/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan 
@@ -5,43 +5,41 @@ def dockerImage def setScanningStages(assemblyType, startingStageIndex) { - return { - def assemblyImage - stage("${startingStageIndex}. Scan ${assemblyType} jar using Prisma") { - steps { - script { - branchName = "${env.BRANCH_NAME}".replace('/', '-') - assemblyImage = "h2o-assemblies/${assemblyType}:${BUILD_NUMBER}-${branchName}" - - sh "docker build . -t ${assemblyImage} -f ./docker/prisma/Dockerfile.${assemblyType}jars" + def assemblyImage + stage("${startingStageIndex}. Scan ${assemblyType} jar using Prisma") { + steps { + script { + branchName = "${env.BRANCH_NAME}".replace('/', '-') + assemblyImage = "h2o-assemblies/${assemblyType}:${BUILD_NUMBER}-${branchName}" - // scan the image - prismaCloudScanImage ca: '', - cert: '', - dockerAddress: 'unix:///var/run/docker.sock', - image: "${assemblyImage}", - key: '', - logLevel: 'info', - podmanPath: '', - project: '', - resultsFile: "prisma-${assemblyType}-scan-results.json", - ignoreImageBuildTime: true - } + sh "docker build . -t ${assemblyImage} -f ./docker/prisma/Dockerfile.${assemblyType}jars" + // scan the image + prismaCloudScanImage ca: '', + cert: '', + dockerAddress: 'unix:///var/run/docker.sock', + image: "${assemblyImage}", + key: '', + logLevel: 'info', + podmanPath: '', + project: '', + resultsFile: "prisma-${assemblyType}-scan-results.json", + ignoreImageBuildTime: true } + } - stage("${startingStageIndex + 1}. Export results for ${assemblyType} jar to CSV") { - steps { - withCredentials([usernamePassword(credentialsId: 'twistlock_credentials', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) { - sh "curl -k -u \$USERNAME:\$PASSWORD https://mr-0xz1:8083/api/v1/scans/download?search=${assemblyImage} > ${assemblyImage}.csv" - } - archiveArtifacts artifacts: "${assemblyImage}.csv" + } + stage("${startingStageIndex + 1}. 
Export results for ${assemblyType} jar to CSV") { + steps { + withCredentials([usernamePassword(credentialsId: 'twistlock_credentials', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) { + sh "curl -k -u \$USERNAME:\$PASSWORD https://mr-0xz1:8083/api/v1/scans/download?search=${assemblyImage} > ${assemblyImage}.csv" } + archiveArtifacts artifacts: "${assemblyImage}.csv" } - stage("${startingStageIndex + 2}. Publish report for ${assemblyType} jar") { - steps { - prismaCloudPublish resultsFilePattern: "prisma-${assemblyType}-scan-results.json" - } + } + stage("${startingStageIndex + 2}. Publish report for ${assemblyType} jar") { + steps { + prismaCloudPublish resultsFilePattern: "prisma-${assemblyType}-scan-results.json" } } } @@ -81,7 +79,6 @@ pipeline { setScanningStages("steam", 2) setScanningStages("main", 5) } - } post { always { From fb76d1a53a82836a52ccf17ce5a03f58c0fade8e Mon Sep 17 00:00:00 2001 From: Marek Novotny Date: Mon, 11 Sep 2023 15:18:32 +0200 Subject: [PATCH 5/7] Add steps --- scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan b/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan index 31231e82f683..b404511045b7 100644 --- a/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan +++ b/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan @@ -76,8 +76,10 @@ pipeline { } } stage("Scanning stages") { - setScanningStages("steam", 2) - setScanningStages("main", 5) + steps { + setScanningStages("steam", 2) + setScanningStages("main", 5) + } } } post { From 981fd6566b817a9cf7c449d7700ed9b9027353ab Mon Sep 17 00:00:00 2001 From: Marek Novotny Date: Mon, 11 Sep 2023 15:34:48 +0200 Subject: [PATCH 6/7] Remove steps from inner stages --- .../jenkinsfiles/Jenkinsfile-PrismaScan | 61 +++++++++---------- 1 file changed, 29 insertions(+), 32 deletions(-) 
diff --git a/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan b/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan index b404511045b7..b3ba1bbc2872 100644 --- a/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan +++ b/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan 
@@ -4,43 +4,36 @@ def dockerImage -def setScanningStages(assemblyType, startingStageIndex) { +def setScanningStages(assemblyType, stageIndex) { def assemblyImage - stage("${startingStageIndex}. Scan ${assemblyType} jar using Prisma") { - steps { - script { - branchName = "${env.BRANCH_NAME}".replace('/', '-') - assemblyImage = "h2o-assemblies/${assemblyType}:${BUILD_NUMBER}-${branchName}" + stage("${stageIndex}.A. Scan ${assemblyType} jar using Prisma") { + script { + branchName = "${env.BRANCH_NAME}".replace('/', '-') + assemblyImage = "h2o-assemblies/${assemblyType}:${BUILD_NUMBER}-${branchName}" - sh "docker build . -t ${assemblyImage} -f ./docker/prisma/Dockerfile.${assemblyType}jars" - - // scan the image - prismaCloudScanImage ca: '', - cert: '', - dockerAddress: 'unix:///var/run/docker.sock', - image: "${assemblyImage}", - key: '', - logLevel: 'info', - podmanPath: '', - project: '', - resultsFile: "prisma-${assemblyType}-scan-results.json", - ignoreImageBuildTime: true - } + sh "docker build . -t ${assemblyImage} -f ./docker/prisma/Dockerfile.${assemblyType}jars" + // scan the image + prismaCloudScanImage ca: '', + cert: '', + dockerAddress: 'unix:///var/run/docker.sock', + image: "${assemblyImage}", + key: '', + logLevel: 'info', + podmanPath: '', + project: '', + resultsFile: "prisma-${assemblyType}-scan-results.json", + ignoreImageBuildTime: true } } - stage("${startingStageIndex + 1}. Export results for ${assemblyType} jar to CSV") { - steps { - withCredentials([usernamePassword(credentialsId: 'twistlock_credentials', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) { - sh "curl -k -u \$USERNAME:\$PASSWORD https://mr-0xz1:8083/api/v1/scans/download?search=${assemblyImage} > ${assemblyImage}.csv" - } - archiveArtifacts artifacts: "${assemblyImage}.csv" + stage("${stageIndex}.B. 
Export results for ${assemblyType} jar to CSV") { + withCredentials([usernamePassword(credentialsId: 'twistlock_credentials', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) { + sh "curl -k -u \$USERNAME:\$PASSWORD https://mr-0xz1:8083/api/v1/scans/download?search=${assemblyImage} > ${assemblyImage}.csv" } + archiveArtifacts artifacts: "${assemblyImage}.csv" } - stage("${startingStageIndex + 2}. Publish report for ${assemblyType} jar") { - steps { - prismaCloudPublish resultsFilePattern: "prisma-${assemblyType}-scan-results.json" - } + stage("${stageIndex}.C. Publish report for ${assemblyType} jar") { + prismaCloudPublish resultsFilePattern: "prisma-${assemblyType}-scan-results.json" } } @@ -75,10 +68,14 @@ pipeline { } } } - stage("Scanning stages") { + stage('2. Scan steam assembly jar') { steps { setScanningStages("steam", 2) - setScanningStages("main", 5) + } + } + stage('3. Scan main assembly jar') { + steps { + setScanningStages("main", 3) } } } From a47682058b18270a79987592f120f216e14326f9 Mon Sep 17 00:00:00 2001 From: Marek Novotny Date: Mon, 11 Sep 2023 16:14:25 +0200 Subject: [PATCH 7/7] Update titles --- scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan b/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan index b3ba1bbc2872..2a58ae9c62a3 100644 --- a/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan +++ b/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan @@ -68,12 +68,12 @@ pipeline { } } } - stage('2. Scan steam assembly jar') { + stage('2. Steam assembly jar') { steps { setScanningStages("steam", 2) } } - stage('3. Scan main assembly jar') { + stage('3. Main assembly jar') { steps { setScanningStages("main", 3) }
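Review bot: With the `steps {` wrappers removed, the `stage(...)` calls in `setScanningStages` are now scripted-pipeline stages run from inside the caller's `steps` block, yet the first one still wraps its body in `script { ... }`, which is a Declarative construct; whether that is accepted in this context is not visible from the hunk and is worth confirming on a run, and since the body is plain Groovy either way the wrapper can simply be dropped. `branchName = "${env.BRANCH_NAME}".replace('/', '-')` also remains an undeclared script-global here; `def branchName = ...` keeps it local to each invocation.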
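Review bot: The stage number is now written twice per assembly in the second hunk — in the outer title `stage('2. Scan steam assembly jar')` and again as the argument in `setScanningStages("steam", 2)` (likewise `3` and `"main"`) — so a renumbering must be kept in sync by hand, and the inner `${stageIndex}.A.`/`.B.`/`.C.` labels will silently disagree with the outer title if only one side is edited; patch 7 already retitles the outer stages without touching the argument. Dropping the numeric argument and labelling the inner stages `A.`/`B.`/`C.` only, with the number living solely in the outer `stage(...)` title, would remove the duplication.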