From 9e9fe401dc9c9c434a6aca02304e25b7b1e1510b Mon Sep 17 00:00:00 2001
From: Adam Valenta
Date: Wed, 7 Aug 2024 20:37:00 +0200
Subject: [PATCH] GH-16354 Remove Snyk and add Trivy (#16358)

* GH-16354 remove Snyk and add Trivy
* remove -pkg-types because it creates empty file if no vulnerability in the jar
* Replace special characters with * in order to show it directly in browser
---
 docker/prisma/Dockerfile | 2 -
 .../jenkinsfiles/Jenkinsfile-PrismaScan | 40 +++++++++++++------
 2 files changed, 27 insertions(+), 15 deletions(-)

diff --git a/docker/prisma/Dockerfile b/docker/prisma/Dockerfile
index f0cf92efca0c..60eb3b381dac 100644
--- a/docker/prisma/Dockerfile
+++ b/docker/prisma/Dockerfile
@@ -8,6 +8,4 @@ RUN for dir in $DIRECTORIES; do \
 chown -R 2117:2117 /$dir; \
 done
 
-RUN npm install snyk -g
-
 CMD ["/bin/bash"]
diff --git a/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan b/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan
index 263875e91ab0..0b36d48fb85f 100644
--- a/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan
+++ b/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan
@@ -3,8 +3,9 @@
 @Library('test-shared-library') _
 
 def dockerImage
+def trivyVersion = "0.54.1"
 
-def setPrismaScanningStages(assemblyType, stageIndex) {
+def setScanningStages(assemblyType, stageIndex) {
 branchName = "${env.BRANCH_NAME}".replace('/', '-')
 assemblyImage = "h2o-assemblies/${assemblyType}:${BUILD_NUMBER}-${branchName}"
 
@@ -13,13 +14,25 @@ def setPrismaScanningStages(assemblyType, stageIndex) {
 sh "docker build . -t ${assemblyImage} -f ./docker/prisma/Dockerfile.${assemblyType}jars"
 }
 }
- stage ("${stageIndex}.B. Scan ${assemblyType} jar using Snyk") {
- withCredentials([string(credentialsId: 'H2O_3_SNYK_TOKEN_JENKINS_TEXT', variable: 'SNYK_TOKEN')]) {
- script {
- sh "./snyk container test ${assemblyImage} --file=./docker/prisma/Dockerfile.${assemblyType}jars --severity-threshold=medium --app-vulns --nested-jars-depth=4 | tee ${assemblyImage}-snyk.out || true"
- }
- archiveArtifacts artifacts: "${assemblyImage}-snyk.out"
+ stage ("${stageIndex}.B. Scan ${assemblyType} jar using Trivy") {
+ script {
+ sh "./trivy image ${assemblyImage} --output ${assemblyImage}-trivy.out"
+ // Replace special characters with * in order to show it directly in browser
+ sh """
+ sed -i 's/─/*/g' ${assemblyImage}-trivy.out
+ sed -i 's/│/*/g' ${assemblyImage}-trivy.out
+ sed -i 's/┤/*/g' ${assemblyImage}-trivy.out
+ sed -i 's/├/*/g' ${assemblyImage}-trivy.out
+ sed -i 's/┼/*/g' ${assemblyImage}-trivy.out
+ sed -i 's/┐/*/g' ${assemblyImage}-trivy.out
+ sed -i 's/┌/*/g' ${assemblyImage}-trivy.out
+ sed -i 's/└/*/g' ${assemblyImage}-trivy.out
+ sed -i 's/┘/*/g' ${assemblyImage}-trivy.out
+ sed -i 's/┬/*/g' ${assemblyImage}-trivy.out
+ sed -i 's/┴/*/g' ${assemblyImage}-trivy.out
+ """
 }
+ archiveArtifacts artifacts: "${assemblyImage}-trivy.out"
 }
 stage("${stageIndex}.C. Scan ${assemblyType} jar using Prisma") {
 script {
@@ -62,8 +75,9 @@ pipeline {
 dir("docker/prisma"){
 dockerImage = docker.build("node-java","-f Dockerfile .")
 }
- sh "curl --compressed https://static.snyk.io/cli/latest/snyk-linux -o snyk"
- sh "chmod +x ./snyk"
+ sh "wget https://github.com/aquasecurity/trivy/releases/download/v${trivyVersion}/trivy_${trivyVersion}_Linux-64bit.tar.gz"
+ sh "tar -zxvf trivy_${trivyVersion}_Linux-64bit.tar.gz"
+ sh "chmod +x ./trivy"
 }
 }
 
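Review bot: The new `./trivy image` call in stage B drops the severity filter the removed Snyk line carried (`--severity-threshold=medium`), so the archived report now lists every severity including LOW and UNKNOWN; if the old cut-off is still wanted, use `sh "./trivy image ${assemblyImage} --severity MEDIUM,HIGH,CRITICAL --output ${assemblyImage}-trivy.out"`. With no `--exit-code` given Trivy exits 0 regardless of findings, so the stage still never fails on vulnerabilities, which matches the old `|| true` but deserves a one-line comment such as `// report-only scan: no --exit-code, so findings never fail the build`. The eleven `sed -i` invocations each rewrite the whole output file; a single `sed -i -e 's/─/*/g' -e 's/│/*/g' ...` with the remaining expressions chained does the same in one pass. setScanningStages begins and ends outside this hunk.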
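Review bot: The Trivy tarball fetched with `wget` on the new side is extracted and run without any integrity check, and since the version is now pinned via `trivyVersion` a check is cheap: pin the archive digest next to it, `def trivySha256 = "<sha256 of trivy_0.54.1_Linux-64bit.tar.gz>"`, and verify before `tar` with `sh "echo '${trivySha256}  trivy_${trivyVersion}_Linux-64bit.tar.gz' | sha256sum -c -"`. The pinned value can be taken from the checksums file Trivy publishes alongside each release archive. `chmod +x ./trivy` is likely redundant because the tarball preserves the executable bit, but it is harmless. The enclosing stage's steps block starts and ends outside this hunk.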
@@ -80,14 +94,14 @@ pipeline {
 }
 }
 }
- stage('2. Steam assembly jar (Prisma)') {
+ stage('2. Steam assembly jar') {
 steps {
- setPrismaScanningStages("steam", 2)
+ setScanningStages("steam", 2)
 }
 }
- stage('3. Main assembly jar (Prisma)') {
+ stage('3. Main assembly jar') {
 steps {
- setPrismaScanningStages("main", 3)
+ setScanningStages("main", 3)
 }
 }
 }