forked from fmeringdal/nettu-meet
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Jenkinsfile
213 lines (211 loc) · 11.1 KB
/
Jenkinsfile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
pipeline {
agent any
environment {
DEPTRACK_URL="https://s410-exam.cyber-ed.space:8081"
DEPTRACK_API_KEY="odt_SfCq7Csub3peq7Y6lSlQy5Ngp9sSYpJl"
DOJO_URL="https://s410-exam.cyber-ed.space:8083"
DOJO_API_TOKEN="c5b50032ffd2e0aa02e2ff56ac23f0e350af75b4"
}
stages {
stage ('semgrep') {
agent { label "alpine" }
steps {
script {
catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE') {
sh '''
echo "Running semgrep..."
apk add python3 py3-pip py3-virtualenv
python3 -m venv venv
. venv/bin/activate
pip install semgrep
mkdir reports/
semgrep scan --config=auto . --exclude=venv --json > reports/semgrep.json
'''
archiveArtifacts artifacts: 'reports/semgrep.json', allowEmptyArchive: true
stash includes: 'reports/semgrep.json', name: 'semgrep-report'
}
}
}
}
stage ('trivy') {
agent { label "dind" }
steps {
script {
sh '''
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt update
sudo apt install trivy
mkdir reports/
cd server
trivy fs --format cyclonedx -o ../reports/sbom.json package-lock.json
#docker build . -t nettu-meet:latest -f Dockerfile
#trivy image --format cyclonedx -o ../reports/sbom.json nettu-meet-server:latest
trivy sbom -f json -o ../reports/trivy.json ../reports/sbom.json
'''
archiveArtifacts artifacts: 'reports/*', allowEmptyArchive: true
stash includes: 'reports/sbom.json', name: 'sbom'
stash includes: 'reports/trivy.json', name: 'trivy-report'
}
}
}
stage ('deptrack') {
agent { label "dind" }
steps {
unstash "sbom"
sh '''
ls reports/sbom.json
cd reports/
response_code=$(curl -k --silent --output /dev/null --write-out %{http_code} \
-X "POST" "${DEPTRACK_URL}/api/v1/bom" \
-H "Content-Type:multipart/form-data" -H "X-Api-Key:${DEPTRACK_API_KEY}" \
-F "autoCreate=true" -F "projectName=dronloko" -F "projectVersion=1.0" -F "[email protected]")
echo $response_code
'''
}
}
stage ('owasp zap') {
agent { label "dind" }
steps {
sh '''
mkdir reports/
sudo apt update
sudo apt install -y wget openjdk-11-jre
wget -q https://github.com/zaproxy/zaproxy/releases/download/v2.15.0/ZAP_2.15.0_Linux.tar.gz
tar xzf ZAP_2.15.0_Linux.tar.gz
ZAP_2.15.0/zap.sh -cmd -addonupdate -addoninstall wappalyzer -addoninstall pscanrulesBeta
ZAP_2.15.0/zap.sh -cmd -quickurl https://s410-exam.cyber-ed.space:8084 -quickout $(pwd)/owaspzap.json
cp $(pwd)/owaspzap.json reports/
'''
archiveArtifacts artifacts: 'reports/*', allowEmptyArchive: true
stash includes: 'reports/owaspzap.json', name: 'owaspzap-report'
}
}
stage ('defect dojo') {
steps {
//unstash "semgrep-report"
unstash "trivy-report"
//unstash "owaspzap-report
sh '''
cd reports/
#curl -X "POST" -kL "${DOJO_URL}/api/v2/import-scan/" -H "accept: application/json" -H "Authorization: Token ${DOJO_API_TOKEN}" -H "Content-Type: multipart/form-data" -F "active=true" -F "verified=true" -F "deduplication_on_engagement=true" -F "minimum_severity=High" -F "scan_date=2024-08-31" -F "engagement_end_date=2024-08-31" -F "group_by=component_name" -F "tags=" -F "product_name=dronloko" -F "[email protected];type=application/json" -F "auto_create_context=true" -F "scan_type=Semgrep JSON Report" -F "engagement=1"
curl -X "POST" -kL "${DOJO_URL}/api/v2/import-scan/" -H "accept: application/json" -H "Authorization: Token ${DOJO_API_TOKEN}" -H "Content-Type: multipart/form-data" -F "active=true" -F "verified=true" -F "deduplication_on_engagement=true" -F "minimum_severity=High" -F "scan_date=2024-08-31" -F "engagement_end_date=2024-08-31" -F "group_by=component_name" -F "tags=" -F "product_name=dronloko" -F "[email protected];type=application/json" -F "auto_create_context=true" -F "scan_type=Trivy Scan" -F "engagement=2"
#curl -X "POST" -kL "${DOJO_URL}/api/v2/import-scan/" -H "accept: application/json" -H "Authorization: Token ${DOJO_API_TOKEN}" -H "Content-Type: multipart/form-data" -F "active=true" -F "verified=true" -F "deduplication_on_engagement=true" -F "minimum_severity=High" -F "scan_date=2024-08-31" -F "engagement_end_date=2024-08-31" -F "group_by=component_name" -F "tags=" -F "product_name=dronloko" -F "[email protected];type=application/json" -F "auto_create_context=true" -F "scan_type=ZAP Scan" -F "engagement=3"
#curl -k -X POST "${DOJO_URL}/api/v2/import-scan/" -H Authorization:"Token ${DOJO_API_TOKEN}" -H "Content-Type:multipart/form-data" -H "accept:application/json" -F scan_type="Trivy Scan" -F "[email protected];type=application/json" -F "engagement=2" -F "product_name=dronloko"
'''
}
}
/*stage ('defect dojo 2') {
agent { label "dind" }
steps {
sh '''
curl -k -X 'POST' 'https://s410-exam.cyber-ed.space:8083/api/v2/import-scan/' \
-H "accept: application/json" \
-H "Content-Type: multipart/form-data" \
-H "Authorization: Token c5b50032ffd2e0aa02e2ff56ac23f0e350af75b4" \
-F "[email protected]" \
-F "minimum_severity=High" \
-F "product_name=dronloko" \
-F "product_type_name=dronloko" \
-F "auto_create_context=True" \
-F "scan_type=Semgrep JSON Report" \
-F "engagement_name=dronloko" \
-F "active=true" \
-F "verified=true" \
-F "test_title=dronloko" \
-F "close_old_findings=true" \
-F "close_old_findings_product_scope=true" \
-F "scan_date=$(date +%F)"
curl -k -X 'POST' 'https://s410-exam.cyber-ed.space:8083/api/v2/import-scan/' \
-H "accept: application/json" \
-H "Content-Type: multipart/form-data" \
-H "Authorization: Token c5b50032ffd2e0aa02e2ff56ac23f0e350af75b4" \
-F "[email protected]" \
-F "minimum_severity=High" \
-F "product_name=dronloko" \
-F "product_type_name=dronloko" \
-F "auto_create_context=True" \
-F "scan_type=ZAP Scan" \
-F "engagement_name=dronloko" \
-F "active=true" \
-F "verified=true" \
-F "test_title=dronloko" \
-F "close_old_findings=true" \
-F "close_old_findings_product_scope=true" \
-F "scan_date=$(date +%F)"
curl -k -X 'POST' 'https://s410-exam.cyber-ed.space:8083/api/v2/import-scan/' \
-H "accept: application/json" \
-H "Content-Type: multipart/form-data" \
-H "Authorization: Token c5b50032ffd2e0aa02e2ff56ac23f0e350af75b4" \
-F "[email protected]" \
-F "minimum_severity=High" \
-F "product_name=dronloko" \
-F "product_type_name=dronloko" \
-F "auto_create_context=True" \
-F "scan_type=Trivy Scan" \
-F "engagement_name=dronloko" \
-F "active=true" \
-F "verified=true" \
-F "test_title=dronloko" \
-F "close_old_findings=true" \
-F "close_old_findings_product_scope=true" \
-F "scan_date=$(date +%F)"
'''
}
}*/
stage ('quality gate') {
agent { label "dind" }
steps {
unstash "semgrep-report"
unstash "trivy-report"
unstash "owaspzap-report"
sh '''
sudo apt update
sudo apt install -y jq
cd reports/
e=$(cat semgrep.json | jq | grep -iE '\"severity\": \"ERROR\"' | wc -l)
w=$(cat semgrep.json | jq | grep -iE '\"severity\": \"WARNING\"' | wc -l)
echo "Semgrep: Found $e errors"
echo "Semgrep: Found $e warnings"
if [ $e -ge 2 ] || [ $w -gt 10 ]; then
echo "Semgrep QualityGate failed"
#exit "Semgrep QualityGate failed"
fi
c=$(cat trivy.json | jq | grep -iE "\"severity\": \"CRITICAL\"" | wc -l )
h=$(cat trivy.json | jq | grep -iE "\"severity\": \"HIGH\"" | wc -l)
m=$(cat trivy.json | jq | grep -iE "\"severity\": \"MEDIUM\"" | wc -l)
l=$(cat trivy.json | jq | grep -iE "\"severity\": \"LOW\"" | wc -l)
echo "trivy: Found $c critical severity findings"
echo "trivy: Found $h high severity findings"
echo "trivy: Found $m medium severity findings"
echo "trivy: Found $l low severity findings"
if [ $c -ge 1 ] || [ $h -ge 5 ] || [ $m -ge 10] || [ $l -ge 15]; then
echo "Trivy QualityGate failed"
#exit("Trivy QualityGate failed")
fi
c=$(cat owaspzap.json | jq | grep -E "\"riskdesc\": \"Critical\"" | wc -l )
h=$(cat owaspzap.json | jq | grep -E "\"riskdesc\": \"High\"" | wc -l)
m=$(cat owaspzap.json | jq | grep -E "\"riskdesc\": \"Medium\"" | wc -l)
l=$(cat owaspzap.json | jq | grep -E "\"riskdesc\": \"Low\"" | wc -l)
if [ $c -ge 1 ] || [ $h -ge 10 ] || [ $m -ge 9 ] || [ $l -ge 7 ]; then
echo "OWASP ZAP QualityGate failed"
#exit("OWASP ZAP QualityGate failed")
fi
'''
}
}
stage ( 'toxic repos' ) {
agent { label "dind" }
steps {
unstash "semgrep-report"
sh '''
cd reports/
wget https://github.com/toxic-repos/toxic-repos/blob/main/data/json/toxic-repos.json
cat bom.json | jq -r '.[]' | grep -iE "\"name\": \"[a-z0-9]+\"" | awk -F " " '{ print $2 }' | awk -F "\"" '{ print $2 }' > packages
while read package; do grep -iE "\"name\": \"$package\"" toxic-repos.json; done < packages > packages_scan
'''
archiveArtifacts artifacts: 'reports/*', allowEmptyArchive: true
}
}
}
}