Merge pull request #7308 from corda/connelm/INFRA-1955/forward-merge-45-46

INFRA-1955: Merging forward from 4.5 to 4.6
This commit is contained in:
Ronan Browne 2023-03-14 14:39:55 +00:00 committed by GitHub
commit 7c2391e3fd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 41 additions and 105 deletions


@ -0,0 +1,7 @@
@Library('corda-shared-build-pipeline-steps')
cordaSnykScanPipeline (
snykTokenId: 'c4-os-snyk-api-token-secret',
// specify the Gradle submodules to scan and monitor on snyk Server
modulesToScan: ['node', 'capsule', 'bridge', 'bridgecapsule']
)
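Review bot: The module list `['node', 'capsule', 'bridge', 'bridgecapsule']` on the `modulesToScan:` line duplicates the `def modulesToScan` list that the same commit adds to the Snyk Security stage of the main Jenkinsfile, so a Gradle submodule added to one list and not the other would silently go unscanned on one of the two pipelines. If the shared pipeline step cannot read a single source of truth, a comment making the coupling visible is the least that should be here, e.g. `// keep in sync with modulesToScan in the Snyk Security stage of the main Jenkinsfile`. The existing comment on the line above describes what the list does but not that it has a second copy.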


@ -5,6 +5,10 @@
*/ */
@Library('corda-shared-build-pipeline-steps') @Library('corda-shared-build-pipeline-steps')
import com.r3.build.utils.GitUtils
GitUtils gitUtils = new GitUtils(this)
/** /**
* Sense environment * Sense environment
*/ */
@ -14,34 +18,6 @@ boolean isInternalRelease = (env.TAG_NAME =~ /^internal-release-.*$/)
boolean isReleaseCandidate = (env.TAG_NAME =~ /^(release-.*(RC|HC).*(?<!_JDK11))$/) boolean isReleaseCandidate = (env.TAG_NAME =~ /^(release-.*(RC|HC).*(?<!_JDK11))$/)
boolean isReleasePatch = (env.TAG_NAME =~ /^release.*([1-9]\d*|0)(\.([1-9]\d*|0)){2}$/) boolean isReleasePatch = (env.TAG_NAME =~ /^release.*([1-9]\d*|0)(\.([1-9]\d*|0)){2}$/)
/*
** calculate the stage for NexusIQ evaluation
** * build for snapshots
** * stage-release: for release candidates and for health checks
** * release: for GA release
*/
def nexusDefaultIqStage = "build"
if (isReleaseTag) {
switch (env.TAG_NAME) {
case ~/.*-RC\d+(-.*)?/: nexusDefaultIqStage = "stage-release"; break;
case ~/.*-HC\d+(-.*)?/: nexusDefaultIqStage = "stage-release"; break;
default: nexusDefaultIqStage = "release"
}
}
/**
* make sure calculated default value of NexusIQ stage is first in the list
* thus making it default for the `choice` parameter
*/
def nexusIqStageChoices = [nexusDefaultIqStage].plus(
[
'develop',
'build',
'stage-release',
'release',
'operate'
].minus([nexusDefaultIqStage]))
/** /**
* Common Gradle arguments for all Gradle executions * Common Gradle arguments for all Gradle executions
*/ */
@ -54,7 +30,7 @@ String COMMON_GRADLE_PARAMS = [
].join(' ') ].join(' ')
pipeline { pipeline {
agent { label 'standard' } agent { label 'standard-latest-ami' }
/* /*
* List options in alphabetical order * List options in alphabetical order
@ -67,7 +43,6 @@ pipeline {
} }
parameters { parameters {
choice choices: nexusIqStageChoices, description: 'NexusIQ stage for code evaluation', name: 'nexusIqStage'
booleanParam defaultValue: true, description: 'Run tests during this build?', name: 'DO_TEST' booleanParam defaultValue: true, description: 'Run tests during this build?', name: 'DO_TEST'
} }
@ -81,7 +56,9 @@ pipeline {
CORDA_ARTIFACTORY_USERNAME = "${env.ARTIFACTORY_CREDENTIALS_USR}" CORDA_ARTIFACTORY_USERNAME = "${env.ARTIFACTORY_CREDENTIALS_USR}"
DOCKER_URL = "https://index.docker.io/v1/" DOCKER_URL = "https://index.docker.io/v1/"
EMAIL_RECIPIENTS = credentials('corda4-email-recipient') EMAIL_RECIPIENTS = credentials('corda4-email-recipient')
SNYK_API_KEY = "c4-os-snyk" SNYK_API_KEY = "c4-os-snyk" //Jenkins credential type: Snyk Api token
SNYK_API_TOKEN = credentials('c4-os-snyk-api-token-secret') //Jenkins credential type: Secret text
C4_OS_SNYK_ORG_ID = credentials('corda4-os-snyk-org-id')
} }
stages { stages {
@ -104,90 +81,36 @@ pipeline {
stash name: 'compiled', useDefaultExcludes: false stash name: 'compiled', useDefaultExcludes: false
} }
} }
stage('Sonatype Check') {
stage('Snyk Security') {
when {
expression { isReleaseTag || isReleaseCandidate || isReleaseBranch }
}
steps { steps {
script { script {
sh "./gradlew --no-daemon properties | grep -E '^(version|group):' >version-properties" // Invoke Snyk for each Gradle sub project we wish to scan
/* every build related to Corda X.Y (GA, RC, HC, patch or snapshot) uses the same NexusIQ application */ def modulesToScan = ['node', 'capsule', 'bridge', 'bridgecapsule']
def version = sh (returnStdout: true, script: "grep ^version: version-properties | sed -e 's/^version: \\([0-9]\\+\\(\\.[0-9]\\+\\)\\+\\).*\$/\\1/'").trim() modulesToScan.each { module ->
def groupId = sh (returnStdout: true, script: "grep ^group: version-properties | sed -e 's/^group: //'").trim() snykSecurityScan("${env.SNYK_API_KEY}", "--sub-project=$module --configuration-matching='^runtimeClasspath\$' --prune-repeated-subdependencies --debug --target-reference='${env.BRANCH_NAME}' --project-tags=Branch='${env.BRANCH_NAME.replaceAll("[^0-9|a-z|A-Z]+","_")}'")
def artifactId = 'corda' }
nexusAppId = "${groupId}-${artifactId}-${version}"
} }
nexusPolicyEvaluation (
failBuildOnNetworkError: false,
iqApplication: selectedApplication(nexusAppId), // application *has* to exist before a build starts!
iqScanPatterns: [[scanPattern: 'node/capsule/build/libs/corda*.jar']],
iqStage: params.nexusIqStage
)
} }
} }
stage('Generate Wiki Report') {
stage('Generate Snyk License Report') {
when { when {
expression { isReleaseTag && !isInternalRelease && !isReleaseCandidate } expression { isReleaseTag || isReleaseCandidate || isReleaseBranch }
beforeAgent true
}
agent {
docker {
image 'nexusiq-sonatype-cli:latest'
reuseNode true
registryUrl 'https://engineering-docker.software.r3.com/'
registryCredentialsId 'artifactory-credentials'
}
}
options {
retry(3)
}
environment {
NEXUS_APP_ID="${nexusAppId}"
NEXUS_APP_STAGE="${params.nexusIqStage}"
NEXUSIQ_CREDENTIALS = credentials('jenkins-nexusiq-credentials')
} }
steps { steps {
sh '''\ snykLicenseGeneration(env.SNYK_API_TOKEN, env.C4_OS_SNYK_ORG_ID)
rm -f wiki-report.md
env NEXUSIQ_USERNAME="${NEXUSIQ_CREDENTIALS_USR}" \
NEXUSIQ_PASSWORD="${NEXUSIQ_CREDENTIALS_PSW}" \
/opt/app/wrapper wiki-report \
--app "${NEXUS_APP_ID}" \
--stage "${NEXUS_APP_STAGE}" >wiki-report.md
'''.stripIndent()
archiveArtifacts 'wiki-report.md'
} }
} post {
stage('Generate Licence Report') { always {
when { script {
expression { isReleaseTag && !isInternalRelease && !isReleaseCandidate } archiveArtifacts artifacts: 'snyk-license-report/*-snyk-license-report.html', allowEmptyArchive: true, fingerprint: true
beforeAgent true }
}
agent {
docker {
image 'nexusiq-licence-report:latest'
reuseNode true
registryUrl 'https://engineering-docker.software.r3.com/'
registryCredentialsId 'artifactory-credentials'
} }
} }
options {
retry(3)
}
environment {
NEXUS_APP_ID="${nexusAppId}"
NEXUS_APP_STAGE="${params.nexusIqStage}"
NEXUSIQ_CREDENTIALS = credentials('jenkins-nexusiq-credentials')
}
steps {
sh '''\
rm -rf report
env NEXUSIQ_USERNAME="${NEXUSIQ_CREDENTIALS_USR}" \
NEXUSIQ_PASSWORD="${NEXUSIQ_CREDENTIALS_PSW}" \
/opt/app/wrapper --write --outdir report \
--force \
--app "${NEXUS_APP_ID}" \
--stage "${NEXUS_APP_STAGE}"
'''.stripIndent()
archiveArtifacts 'report/*.md'
}
} }
stage('Snyk Security') { stage('Snyk Security') {
@ -391,6 +314,9 @@ pipeline {
post { post {
always { always {
script { script {
if (gitUtils.isReleaseTag()) {
gitUtils.getGitLog(env.TAG_NAME, env.GIT_URL.replace('https://github.com/corda/', ''), scm.userRemoteConfigs[0].credentialsId)
}
try { try {
if (params.DO_TEST) { if (params.DO_TEST) {
unstash 'allure-input' unstash 'allure-input'
@ -455,7 +381,10 @@ pipeline {
} }
unstable { unstable {
script { script {
sendSlackNotifications("warning", "BUILD UNSTABLE - Unstable Builds are likely a result of Nexus Sonar Scanner violations", false, "#corda-corda4-open-source-build-notifications") sendSlackNotifications("warning", "BUILD UNSTABLE", false, "#corda-corda4-open-source-build-notifications")
if (isReleaseTag || isReleaseCandidate || isReleaseBranch) {
snykSecurityScan.generateHtmlElements()
}
if (isReleaseTag || isReleaseCandidate || isReleaseBranch) { if (isReleaseTag || isReleaseCandidate || isReleaseBranch) {
snykSecurityScan.generateHtmlElements() snykSecurityScan.generateHtmlElements()
} }
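Review bot: The `unstable` post block on the new side ends with two consecutive identical `if (isReleaseTag || isReleaseCandidate || isReleaseBranch) { snykSecurityScan.generateHtmlElements() }` blocks: the three lines after the `sendSlackNotifications` call are this hunk's three additions (the header goes from 7 to 10 lines) and the three context lines that follow repeat them verbatim, so the HTML elements are generated twice per unstable build. This looks like a forward-merge artifact rather than intent; dropping the added copy and keeping the pre-existing block resolves it. Separately, in the Snyk Security stage the tag sanitiser `replaceAll("[^0-9|a-z|A-Z]+","_")` puts `|` inside a character class, where it is a literal, so pipe characters survive into the `--project-tags` value; `[^0-9a-zA-Z]+` is the likely intent. The pipeline-level `SNYK_API_TOKEN` and `C4_OS_SNYK_ORG_ID` bindings are, as far as this page shows, consumed only by `snykLicenseGeneration` in the Generate Snyk License Report stage, so binding them in that stage's `environment {}` (as the removed `NEXUSIQ_CREDENTIALS` was) would keep the token out of the build and test shells that do not need it. The `unstable` block and the enclosing `post` section continue outside the hunk.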