import java.security.SecureRandom
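/**
 * Upload all folders in the current working directory to Checkmarx and scan for vulnerabilities.
 * If you wish to scan a subdir of the working dir, call this function within dir("subdir"){}.
 *
 * The Checkmarx team id and server URL are read from the Jenkins string credentials
 * CHECKMARX_RE_TEAM_ID and CHECKMARX_SERVER, so neither value has to live in the job definition.
 * The scan is configured to wait for results and to fail the build when any finding is reported
 * (thresholds are 0 for high/medium/low, result FAILURE).
 *
 * @param scan_type       preset selector, one of the keys of the preset map below
 * @param repo_name       Checkmarx project name the scan is filed under
 * @param exclude_folders passed straight through to the plugin's excludeFolders setting
 * @throws IllegalArgumentException if scan_type is not a known preset
 */
def scan(String scan_type, String repo_name, String exclude_folders) {
    withCredentials([
        string(credentialsId: 'CHECKMARX_RE_TEAM_ID', variable: 'groupId'),
        string(credentialsId: 'CHECKMARX_SERVER', variable: 'serverUrl')
    ]) {
        // Preset ids were generated using the snippet generator:
        // ${jenkins}/pipeline-syntax/ > sample step > step: general build step
        // > Build Step > Execute Checkmarx Scan
        // Declared as a local so the map does not leak into the shared script binding.
        def presets = [
            "default": "36",
            "pci": "5",
            "all": "1"
        ]
        if (!presets.containsKey(scan_type)) {
            // The message lists every accepted preset; the old text omitted "all".
            throw new IllegalArgumentException("Invalid scan type: ${scan_type}, should be one of ${presets.keySet()}")
        }
        // This step has a habit of throwing NPEs, retry it with exponential backoff. RE
        def waitTime = 8
        // Random source for the backoff skew
        SecureRandom random = new SecureRandom()
        retry(7) {
            // Try within retry so that sleep can be added on failure.
            // This may help if the issue is at the remote end.
            try {
                step([$class: 'CxScanBuilder',
                    avoidDuplicateProjectScans: false, // duplicate detection isn't great and kills scans of the same project with different parameters
                    comment: '',
                    // Empty username/password/credentialsId: presumably the plugin falls back to its
                    // globally configured Checkmarx credentials - confirm against the plugin docs.
                    credentialsId: '',
                    excludeFolders: exclude_folders,
                    excludeOpenSourceFolders: '',
                    exclusionsSetting: 'job',
                    failBuildOnNewResults: true,
                    failBuildOnNewSeverity: 'LOW',
                    filterPattern: '''!**/_cvs/**/*, !**/.svn/**/*, !**/.hg/**/*, !**/.git/**/*, !**/.bzr/**/*, !**/bin/**/*,
!**/obj/**/*, !**/backup/**/*, !**/.idea/**/*, !**/*.DS_Store, !**/*.ipr, !**/*.iws,
!**/*.bak, !**/*.tmp, !**/*.aac, !**/*.aif, !**/*.iff, !**/*.m3u, !**/*.mid, !**/*.mp3,
!**/*.mpa, !**/*.ra, !**/*.wav, !**/*.wma, !**/*.3g2, !**/*.3gp, !**/*.asf, !**/*.asx,
!**/*.avi, !**/*.flv, !**/*.mov, !**/*.mp4, !**/*.mpg, !**/*.rm, !**/*.swf, !**/*.vob,
!**/*.wmv, !**/*.bmp, !**/*.gif, !**/*.jpg, !**/*.png, !**/*.psd, !**/*.tif, !**/*.swf,
!**/*.jar, !**/*.zip, !**/*.rar, !**/*.exe, !**/*.dll, !**/*.pdb, !**/*.7z, !**/*.gz,
!**/*.tar.gz, !**/*.tar, !**/*.gz, !**/*.ahtm, !**/*.ahtml, !**/*.fhtml, !**/*.hdm,
!**/*.hdml, !**/*.hsql, !**/*.ht, !**/*.hta, !**/*.htc, !**/*.htd, !**/*.war, !**/*.ear,
!**/*.htmls, !**/*.ihtml, !**/*.mht, !**/*.mhtm, !**/*.mhtml, !**/*.ssi, !**/*.stm,
!**/*.stml, !**/*.ttml, !**/*.txn, !**/*.xhtm, !**/*.xhtml, !**/*.class, !**/*.iml, !Checkmarx/Reports/*.*''',
                    fullScanCycle: 10,
                    generatePdfReport: true,
                    groupId: groupId,
                    includeOpenSourceFolders: '',
                    osaArchiveIncludePatterns: '*.zip, *.war, *.ear, *.tgz',
                    password: '',
                    preset: presets[scan_type],
                    projectName: repo_name,
                    serverUrl: serverUrl,
                    sourceEncoding: '1',
                    username: '',
                    // Any finding of any severity fails the build.
                    vulnerabilityThresholdEnabled: true,
                    highThreshold: 0,
                    lowThreshold: 0,
                    mediumThreshold: 0,
                    vulnerabilityThresholdResult: 'FAILURE',
                    waitForResultsEnabled: true]
                )
            } catch (InterruptedException interrupted) {
                // A build abort is delivered as an InterruptedException subtype; rethrow it
                // immediately instead of delaying the abort with the backoff sleep.
                throw interrupted
            } catch (Exception e) {
                print("Caught exception while running checkmarx scan: " + e)
                sleep(time: waitTime, unit: "SECONDS")
                // Exponential backoff - double the wait for each retry with a
                // bit of additional random skew, range is [1, 12]
                waitTime = waitTime * 2 + random.nextInt(12) + 1
                // exception must propagate back to the retry call
                throw e
            } //try
        } // retry
    } // withCredentials
}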
// Hand the script object back so whoever loads this file (presumably via the pipeline
// load() step) can call scan() on it.
return this