From 7da57bc6a3fc425b941cddbdbdbb8f1ed789f27d Mon Sep 17 00:00:00 2001
From: Simon Bernard
Date: Fri, 5 Jan 2024 11:06:05 +0100
Subject: [PATCH 1/2] Add cyclonedx-maven-plugin to generate cycloneDx SBOM
---
 pom.xml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/pom.xml b/pom.xml
index a34c7f1eb3..3217ee852b 100644
--- a/pom.xml
+++ b/pom.xml
@@ -508,6 +508,11 @@ Contributors:
+
+ org.cyclonedx
+ cyclonedx-maven-plugin
+ 2.7.10
+
From f62b3539eae6f63dfabd67b4dc9348eb35c01a6e Mon Sep 17 00:00:00 2001
From: Simon Bernard
Date: Thu, 4 Jan 2024 17:14:05 +0100
Subject: [PATCH 2/2] Add Weekly Jenkins Build to check dependencies vulnerabilites with trivy
---
 .jenkins/weekly.jenkins | 60 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 .jenkins/weekly.jenkins
diff --git a/.jenkins/weekly.jenkins b/.jenkins/weekly.jenkins
new file mode 100644
index 0000000000..27d88bfbd9
--- /dev/null
+++ b/.jenkins/weekly.jenkins
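Review bot: The added plugin entry in the pom.xml hunk (element tags are stripped in this rendering, but the five inserted lines are only the coordinates `org.cyclonedx` / `cyclonedx-maven-plugin` and the version `2.7.10`) carries no `<executions>` binding, so a normal `mvn package` still produces no SBOM; `target/bom.json` only appears when the `makeBom` goal is invoked explicitly, as the weekly Jenkins job in the second patch does. That is a reasonable choice for a version pin, but it should be stated next to the declaration so the next maintainer does not assume release builds already ship an SBOM; add `<!-- version pin only: the SBOM is produced by an explicit mvn org.cyclonedx:cyclonedx-maven-plugin:makeBom, see .jenkins/weekly.jenkins -->` above the plugin. If the intent is for every build artifact to be accompanied by its SBOM, bind the goal through an `<executions>` element instead of relying on the CI job alone.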
@@ -0,0 +1,60 @@
+/************************************************************************************
+
+ Weekly Build :
+ Checks for vulnerability
+
+*************************************************************************************/
+pipeline {
+ agent any
+ tools {
+ maven 'apache-maven-latest'
+ jdk 'temurin-jdk11-latest'
+ }
+ options {
+ timeout (time: 30, unit: 'MINUTES')
+ buildDiscarder(logRotator(numToKeepStr: '3'))
+ disableConcurrentBuilds()
+ durabilityHint('PERFORMANCE_OPTIMIZED')
+ }
+ triggers {
+ // every night between Saturday and Sunday
+ cron 'H H * * 6'
+ }
+ environment {
+ PATH = "${env.HOME}/bin:${env.PATH}"
+ }
+ stages {
+ stage('Build') {
+ steps {
+ // install trivy
+ sh ''' curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ~/bin v0.48.2 '''
+
+ // Build (optional)
+ sh ''' mvn -B clean install javadoc:javadoc -DskipTests '''
+
+ // Generate SBOM for maven
+ sh ''' mvn org.cyclonedx:cyclonedx-maven-plugin:makeBom '''
+
+ // check for vulnerabilities
+ // "find" to search file
+ // xargs to get correct exit code (find always return 0)
+ sh ''' find . -type f -path '*/target/bom.json' -print0 | xargs -0 -I {} sh -c 'echo "Scanning "{}""; trivy -q --exit-code 1 sbom "{}"' '''
+
+ // check licenses
+ // TODO add dash-licenses check when cycloneDx will be supported : https://github.com/eclipse/dash-licenses/issues/191
+ }
+ }
+ }
+ post {
+ unsuccessful {
+ mail to: 'code@simonbernard.eu',
+ subject: "Build ${env.BUILD_TAG} failed!",
+ body: "Check console output at ${env.BUILD_URL} to view the results."
+ }
+ fixed {
+ mail to: 'code@simonbernard.eu',
+ subject: "Build ${env.BUILD_TAG} back to normal.",
+ body: "Check console output at ${env.BUILD_URL} to view the results."
+ }
+ }
+}
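Review bot: The `// install trivy` step fetches `contrib/install.sh` from the mutable `main` branch and pipes it straight into `sh`, so only the trivy binary (`v0.48.2`) is pinned while the script that downloads and installs it can change underneath the job at any time; pin the script as well, e.g. by replacing `main` with the `v0.48.2` tag in that URL (assuming the script exists at that tag), or vendor it under `.jenkins/` and check its digest against a recorded value before running it. The scan step can also pass vacuously: `find … | xargs -0 -I {} …` runs trivy once per `target/bom.json` found, so if `makeBom` produced none the build goes green without having scanned anything (as I read GNU xargs, `-I` runs nothing on empty input) — count the matches first and fail the step when the count is zero. Minor: the comment says the job runs between Saturday and Sunday, but `cron 'H H * * 6'` schedules a hashed hour anywhere on Saturday, so it should read `// once a week, at a hashed time on Saturday`.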