From 121e67aa119899f0f77cf4a6d8bf5323c8fcda85 Mon Sep 17 00:00:00 2001
From: ronanbrowne88 <ronan.browne@r3.com>
Date: Sun, 10 Jul 2022 19:33:37 +0100
Subject: [PATCH 1/7] INFRA-1805 add snyk scanning to corda os 4.4

---
 .ci/dev/regression/Jenkinsfile | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.ci/dev/regression/Jenkinsfile b/.ci/dev/regression/Jenkinsfile
index 75e6782014..e2c4a4b6ca 100644
--- a/.ci/dev/regression/Jenkinsfile
+++ b/.ci/dev/regression/Jenkinsfile
@@ -81,6 +81,7 @@ pipeline {
         CORDA_ARTIFACTORY_USERNAME = "${env.ARTIFACTORY_CREDENTIALS_USR}"
         DOCKER_URL = "https://index.docker.io/v1/"
         EMAIL_RECIPIENTS = credentials('corda4-email-recipient')
+        SNYK_API_KEY = "c4-os-snyk"
     }
 
     stages {
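Review bot: `SNYK_API_KEY = "c4-os-snyk"` reads like a secret committed in plain text, although the value looks like a Jenkins credentials ID that `snykSecurityScan` resolves itself (the step's implementation is not visible here, so this is inferred). A name such as `SNYK_CREDENTIALS_ID`, or a comment on the line like `// Jenkins credentials ID, not the token itself; resolved inside snykSecurityScan`, would stop a later maintainer from pasting a real token into this field. The same line is added again in patch 3.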
@@ -189,6 +190,15 @@ pipeline {
             }
         }
 
+        stage('Snyk Security') {
+            when {
+                expression { isReleaseTag || isReleaseCandidate || isReleaseBranch }
+            }
+            steps {
+                snykSecurityScan("${env.SNYK_API_KEY}", "--all-sub-projects --prune-repeated-subdependencies --debug --target-reference='${env.BRANCH_NAME}' --project-tags=Branch='${env.BRANCH_NAME.replaceAll("[^0-9|a-z|A-Z]+","_")}'")
+            }
+        }
+
         stage('All Tests') {
             when {
                 expression { params.DO_TEST }
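Review bot: The sanitising regex in the `--project-tags` argument, `[^0-9|a-z|A-Z]+`, treats `|` as a literal member of the character class, so pipe characters in a branch name survive the replacement; `[^0-9a-zA-Z]+` is what the expression appears to intend. The same option string places the raw `${env.BRANCH_NAME}` inside single quotes for `--target-reference`, so if `snykSecurityScan` passes the options to a shell (not visible here), a ref name containing a quote would break the quoting. Checking the name against an allow-list pattern before the call would avoid that. `--debug` is left on for release builds, and it is worth confirming that it writes nothing sensitive to the console log. The same option string is on the new side of patches 3, 5 and 6.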

From cd577afcd9e8d834756cf106155e988d8bff8cc8 Mon Sep 17 00:00:00 2001
From: ronanbrowne88 <ronan.browne@r3.com>
Date: Mon, 11 Jul 2022 22:01:25 +0100
Subject: [PATCH 2/7] CORE-4769 add snyk scan open source 4.4

---
 .ci/dev/regression/Jenkinsfile | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.ci/dev/regression/Jenkinsfile b/.ci/dev/regression/Jenkinsfile
index e2c4a4b6ca..cdb3a5cc44 100644
--- a/.ci/dev/regression/Jenkinsfile
+++ b/.ci/dev/regression/Jenkinsfile
@@ -442,11 +442,17 @@ pipeline {
         success {
         	script {
         		sendSlackNotifications("good", "BUILD PASSED", false, "#corda-corda4-open-source-build-notifications")
+                if (isReleaseTag || isReleaseCandidate || isReleaseBranch) {
+                    snykSecurityScan.generateHtmlElements()
+                }
         	}
         }
         unstable {
         	script {
         		sendSlackNotifications("warning", "BUILD UNSTABLE - Unstable Builds are likely a result of Nexus Sonar Scanner violations", false, "#corda-corda4-open-source-build-notifications")
+                if (isReleaseTag || isReleaseCandidate || isReleaseBranch) {
+                    snykSecurityScan.generateHtmlElements()
+                }
         	}
         }
         failure {
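Review bot: `snykSecurityScan.generateHtmlElements()` is called only in the `success` and `unstable` blocks, so a build that ends in `failure` (whose block starts at the end of this hunk, body not visible) would apparently publish no Snyk report, although that is when the findings are most needed. If the step is safe to run after a failed stage, a single call in an `always` block, `if (isReleaseTag || isReleaseCandidate || isReleaseBranch) { snykSecurityScan.generateHtmlElements() }`, would cover every outcome and remove the duplicated condition. Patch 4 adds the same two calls.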

From e4a19f4622f40b35f59aaf8cc004b1d0111f2302 Mon Sep 17 00:00:00 2001
From: ronanbrowne88 <ronan.browne@r3.com>
Date: Sun, 10 Jul 2022 19:33:37 +0100
Subject: [PATCH 3/7] INFRA-1805 add snyk scanning to corda os 4.4

---
 .ci/dev/regression/Jenkinsfile | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.ci/dev/regression/Jenkinsfile b/.ci/dev/regression/Jenkinsfile
index 8c7031f85f..8a40dd814e 100644
--- a/.ci/dev/regression/Jenkinsfile
+++ b/.ci/dev/regression/Jenkinsfile
@@ -81,6 +81,7 @@ pipeline {
         CORDA_ARTIFACTORY_USERNAME = "${env.ARTIFACTORY_CREDENTIALS_USR}"
         DOCKER_URL = "https://index.docker.io/v1/"
         EMAIL_RECIPIENTS = credentials('corda4-email-recipient')
+        SNYK_API_KEY = "c4-os-snyk"
     }
 
     stages {
@@ -189,6 +190,15 @@ pipeline {
             }
         }
 
+        stage('Snyk Security') {
+            when {
+                expression { isReleaseTag || isReleaseCandidate || isReleaseBranch }
+            }
+            steps {
+                snykSecurityScan("${env.SNYK_API_KEY}", "--all-sub-projects --prune-repeated-subdependencies --debug --target-reference='${env.BRANCH_NAME}' --project-tags=Branch='${env.BRANCH_NAME.replaceAll("[^0-9|a-z|A-Z]+","_")}'")
+            }
+        }
+
         stage('All Tests') {
             when {
                 expression { params.DO_TEST }

From 9425bb5c197051e4b62f8b9a9c8efb742ba9fa0d Mon Sep 17 00:00:00 2001
From: ronanbrowne88 <ronan.browne@r3.com>
Date: Mon, 11 Jul 2022 22:01:25 +0100
Subject: [PATCH 4/7] INFRA-1697 minor tidy up

---
 .ci/dev/regression/Jenkinsfile | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/.ci/dev/regression/Jenkinsfile b/.ci/dev/regression/Jenkinsfile
index 8a40dd814e..f6a3b34f9f 100644
--- a/.ci/dev/regression/Jenkinsfile
+++ b/.ci/dev/regression/Jenkinsfile
@@ -464,14 +464,20 @@ pipeline {
             }
         }
         success {
-            script {
-                sendSlackNotifications("good", "BUILD PASSED", false, "#corda-corda4-open-source-build-notifications")
-            }
+        	script {
+        		sendSlackNotifications("good", "BUILD PASSED", false, "#corda-corda4-open-source-build-notifications")
+                if (isReleaseTag || isReleaseCandidate || isReleaseBranch) {
+                    snykSecurityScan.generateHtmlElements()
+                }
+        	}
         }
         unstable {
-            script {                 
-                sendSlackNotifications("warning", "BUILD UNSTABLE - Unstable Builds are likely a result of Nexus Sonar Scanner violations", false, "#corda-corda4-open-source-build-notifications")                      
-            }
+        	script {
+        		sendSlackNotifications("warning", "BUILD UNSTABLE - Unstable Builds are likely a result of Nexus Sonar Scanner violations", false, "#corda-corda4-open-source-build-notifications")
+                if (isReleaseTag || isReleaseCandidate || isReleaseBranch) {
+                    snykSecurityScan.generateHtmlElements()
+                }
+        	}
         }
         failure {
             script {
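Review bot: The rewritten `script {` and `sendSlackNotifications(...)` lines in `success` and `unstable` are now indented with tabs, while the added `if` lines and the rest of the file use spaces, so the two blocks end up with mixed indentation. Keeping the original four-space indentation and adding only the `if` blocks would make this a three-line addition per block. The commit is titled a tidy-up but also adds the `generateHtmlElements()` calls, which a reviewer scanning titles would not expect.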

From cb42ae2980bab38cbefda698e034344f0442d9dd Mon Sep 17 00:00:00 2001
From: Jan Szkaradek <js7656@gmail.com>
Date: Fri, 2 Sep 2022 13:17:03 +0100
Subject: [PATCH 5/7] added modules for snyk scanning (#7233)

---
 .ci/dev/regression/Jenkinsfile | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/.ci/dev/regression/Jenkinsfile b/.ci/dev/regression/Jenkinsfile
index f6a3b34f9f..8afcb63f9e 100644
--- a/.ci/dev/regression/Jenkinsfile
+++ b/.ci/dev/regression/Jenkinsfile
@@ -190,12 +190,18 @@ pipeline {
             }
         }
 
-        stage('Snyk Security') {
+       stage('Snyk Security') {
             when {
                 expression { isReleaseTag || isReleaseCandidate || isReleaseBranch }
             }
             steps {
-                snykSecurityScan("${env.SNYK_API_KEY}", "--all-sub-projects --prune-repeated-subdependencies --debug --target-reference='${env.BRANCH_NAME}' --project-tags=Branch='${env.BRANCH_NAME.replaceAll("[^0-9|a-z|A-Z]+","_")}'")
+                script {
+                    // Invoke Snyk for each Gradle sub project we wish to scan
+                    def modulesToScan = ['node', 'capsule', 'bridge', 'bridgecapsule']
+                    modulesToScan.each { module ->
+                        snykSecurityScan("${env.SNYK_API_KEY}", "--sub-project=$module --configuration-matching='^runtimeClasspath\$' --prune-repeated-subdependencies --debug --target-reference='${env.BRANCH_NAME}' --project-tags=Branch='${env.BRANCH_NAME.replaceAll("[^0-9|a-z|A-Z]+","_")}'")
+                    }
+                }
             }
         }
 
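Review bot: Replacing `--all-sub-projects` with the fixed list `['node', 'capsule', 'bridge', 'bridgecapsule']` and `--configuration-matching='^runtimeClasspath\$'` narrows the scan, so any Gradle module added later goes unscanned until someone remembers to edit this list. The existing comment says what the loop does but not why these four were chosen; something like `// Only modules that ship in release artifacts are scanned; add new shipped modules here` (if that is the reason) would make the omission reviewable. The `stage('Snyk Security')` line also lost one space of indentation. Patch 6 applies the same loop.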

From 19c8dd5cfb54c0f3ccd6670b708ef975b6f91e17 Mon Sep 17 00:00:00 2001
From: Jan Szkaradek <js7656@gmail.com>
Date: Fri, 2 Sep 2022 13:17:31 +0100
Subject: [PATCH 6/7] added modules for snyk scanning (#7232)

---
 .ci/dev/regression/Jenkinsfile | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.ci/dev/regression/Jenkinsfile b/.ci/dev/regression/Jenkinsfile
index cdb3a5cc44..20a3f4bd78 100644
--- a/.ci/dev/regression/Jenkinsfile
+++ b/.ci/dev/regression/Jenkinsfile
@@ -195,7 +195,13 @@ pipeline {
                 expression { isReleaseTag || isReleaseCandidate || isReleaseBranch }
             }
             steps {
-                snykSecurityScan("${env.SNYK_API_KEY}", "--all-sub-projects --prune-repeated-subdependencies --debug --target-reference='${env.BRANCH_NAME}' --project-tags=Branch='${env.BRANCH_NAME.replaceAll("[^0-9|a-z|A-Z]+","_")}'")
+                script {
+                    // Invoke Snyk for each Gradle sub project we wish to scan
+                    def modulesToScan = ['node', 'capsule', 'bridge', 'bridgecapsule']
+                    modulesToScan.each { module ->
+                        snykSecurityScan("${env.SNYK_API_KEY}", "--sub-project=$module --configuration-matching='^runtimeClasspath\$' --prune-repeated-subdependencies --debug --target-reference='${env.BRANCH_NAME}' --project-tags=Branch='${env.BRANCH_NAME.replaceAll("[^0-9|a-z|A-Z]+","_")}'")
+                    }
+                }
             }
         }
 

From d12a6ddc55aced5ea63673c61d21e510f4f85ce1 Mon Sep 17 00:00:00 2001
From: Connel McGovern <100574906+mcgovc@users.noreply.github.com>
Date: Mon, 12 Dec 2022 13:57:40 +0000
Subject: [PATCH 7/7] INFRA-1904: Enable Snyk Delta on C4 ENT/OS shared
 pipeline (#7282)

---
 .ci/dev/pr-code-checks/Jenkinsfile | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/.ci/dev/pr-code-checks/Jenkinsfile b/.ci/dev/pr-code-checks/Jenkinsfile
index 5cb1058811..7300f52bda 100644
--- a/.ci/dev/pr-code-checks/Jenkinsfile
+++ b/.ci/dev/pr-code-checks/Jenkinsfile
@@ -11,6 +11,14 @@ pipeline {
         buildDiscarder(logRotator(daysToKeepStr: '14', artifactDaysToKeepStr: '14'))
     }
 
+    /*
+     * List environment variables in alphabetical order
+     */
+    environment {
+        SNYK_API_TOKEN = credentials('c4-os-snyk-api-token-secret')
+        C4_OS_SNYK_ORG_ID = credentials('c4-os-snyk-org-id')
+    }
+
     stages {
         stage('Detekt check') {
             steps {
@@ -24,6 +32,25 @@ pipeline {
             }
         }
 
+        stage('Snyk Delta') {
+            agent {
+                docker {
+                    image 'build-zulu-openjdk:8'
+                    reuseNode true
+                    registryUrl 'https://engineering-docker.software.r3.com/'
+                    registryCredentialsId 'artifactory-credentials'
+                    args '-v /tmp:/host_tmp'
+                }
+            }
+            environment {
+                GRADLE_USER_HOME = "/host_tmp/gradle"
+            }
+            steps {
+                sh 'mkdir -p ${GRADLE_USER_HOME}'
+                snykDeltaScan(env.SNYK_API_TOKEN, env.C4_OS_SNYK_ORG_ID)
+            }
+        }
+
         stage('No API change check') {
             steps {
                 sh "./gradlew --no-daemon generateApi"
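Review bot: `args '-v /tmp:/host_tmp'` bind-mounts the agent's entire `/tmp` into the container and `GRADLE_USER_HOME` then lives at `/host_tmp/gradle`, so every PR build on that agent shares one writable Gradle home alongside whatever other jobs leave in `/tmp`. On a pipeline that builds unreviewed changes, that lets one build alter cached artifacts or init scripts that a later build will trust. Mounting only a dedicated cache directory, for example `args '-v <agent-gradle-cache-dir>:/host_tmp/gradle'` (placeholder path), would keep the cache benefit without exposing the rest of `/tmp`. The `build-zulu-openjdk:8` image is referenced by a mutable tag, and pinning it by digest would make the scan environment reproducible.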