diff --git a/Jenkinsfile b/Jenkinsfile index c2f52f1..9b47c15 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -5,6 +5,10 @@ pipeline { agent none + environment { + SNYK_API_KEY = credentials('snyk-api-key') + } + stages { stage('Initialize Config') { agent { @@ -133,7 +137,7 @@ pipeline { script { def stageConfig = jslReadYamlConfig('sca') def codeLanguages = stageConfig?.codeLanguages.join(',') - jslSecuritySCA(codeLanguages) + jslSoftwareCompositionAnalysis(codeLanguages, env.appName) } } } @@ -226,10 +230,7 @@ pipeline { stage('Docker Container Scanning') { agent { - kubernetes { - cloud 'kubernetes-cloud' - label 'jenkins-dockersec-agent' - } + label 'DockerVM' } when { expression { @@ -243,16 +244,15 @@ pipeline { } } steps { - container('jenkins-dockersec-agent') { - jslStageWrapper('Docker Container Scanning') { - script { - def stageConfig = jslReadYamlConfig('containerScan') - def containerName = stageConfig?.containerName - def containerTag = stageConfig?.containerTag - jslContainerSecurityScanning(containerName, containerTag) - } + jslStageWrapper('Docker Container Scanning') { + script { + def stageConfig = jslReadYamlConfig('containerScan') + def containerName = stageConfig?.containerName + def containerTag = stageConfig?.containerTag + jslContainerSecurityScanning(containerName, containerTag) } } + } } @@ -353,10 +353,7 @@ pipeline { ////////// Deploy to Production ////////// stage('Deploy') { agent { - kubernetes { - cloud 'kubernetes-cloud' - label 'jenkins-deploy-agent' - } + label 'DockerVM' } when { anyOf { 
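Review bot: `SNYK_API_KEY = credentials('snyk-api-key')` sits in the pipeline-level `environment` block, so with `agent none` the secret is bound into the environment of every stage on every agent (Initialize Config, the scan stages, Deploy), not only the SCA stage that calls `jslSoftwareCompositionAnalysis` in the hunk at -133. Scope it to the one stage that needs it by moving `environment { SNYK_API_KEY = credentials('snyk-api-key') }` inside that stage's block, or wrap the call in `withCredentials`, so the key is never materialised on the deploy or container-scanning nodes. The new call does not pass the key explicitly, so presumably the shared library reads `env.SNYK_API_KEY`; confirm that before narrowing the scope.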
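Review bot: `agent { label 'DockerVM' }` replaces the per-build Kubernetes pod for Docker Container Scanning, and the hunk at -353 does the same for Deploy, so both stages now run on a long-lived node whose workspace and Docker state persist across builds and are shared with any other job using that label. The credential ids passed to `jslKubernetesDeploy` (`tlsCredId`, `secretsCredentials`, `serviceCredentials`) and the pipeline-level `SNYK_API_KEY` are therefore resolved on that VM on every run instead of in a throwaway pod. If leaving ephemeral agents is intended, add workspace cleanup to these stages (e.g. `post { always { cleanWs() } }` where the Workspace Cleanup plugin is available) and confirm that `DockerVM` is not a label also used by untrusted jobs.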
@@ -370,23 +367,23 @@ pipeline { } } steps { - container('jenkins-deploy-agent') { - jslStageWrapper('Deploy') { - script { - def stageConfig = jslReadYamlConfig('deploy') - jslKubernetesDeploy([ - 'serviceName': env.appName, - 'tlsCredId': stageConfig?.tlsCredId, - 'secretsCredentials': stageConfig?.secretsCredentials, - 'secretsSetStrings': stageConfig?.secretsSetStrings, - 'serviceCredentials': stageConfig?.serviceCredentials, - 'serviceSetStrings': stageConfig?.serviceSetStrings - ]) + jslStageWrapper('Deploy') { + script { + def stageConfig = jslReadYamlConfig('deploy') + + jslKubernetesDeploy([ + 'serviceName': env.appName, + 'tlsCredId': stageConfig?.tlsCredId, + 'secretsCredentials': stageConfig?.secretsCredentials, + 'secretsSetStrings': stageConfig?.secretsSetStrings, + 'serviceCredentials': stageConfig?.serviceCredentials, + 'serviceSetStrings': stageConfig?.serviceSetStrings + ]) - } } } + } } } diff --git a/pipeline-config.yaml b/pipeline-config.yaml index 93ec142..962eee7 100644 --- a/pipeline-config.yaml +++ b/pipeline-config.yaml @@ -9,21 +9,21 @@ stages: branches: - release unitTesting: - enabled: true + enabled: false branches: [] secretScanning: - enabled: true + enabled: false branches: - release sca: - enabled: true + enabled: false branches: - release codeLanguages: - Python - Javascript sast: - enabled: true + enabled: false branches: - release codeLanguages: @@ -43,20 +43,20 @@ stages: containerName: secusphere containerTag: latest releaseToTest: - enabled: true + enabled: false branches: - release serviceName: secusphere containerTag: latest testRelease: - enabled: true + enabled: false branches: - release targetUrl: 'http://192.168.0.68:5010' dastTestType: full apiTargetUrl: 'http://192.168.0.68:5010/api/openapi.yaml' securityQualityGate: - enabled: true + enabled: false branches: - release deploy: diff --git a/sonar-project.properties b/sonar-project.properties index 0953cde..0f5f783 100644 --- a/sonar-project.properties 
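Review bot: Every security gate on the `release` branch is switched off here — `secretScanning`, `sca` and `sast` in this hunk, and `releaseToTest`, `testRelease` and `securityQualityGate` (plus `unitTesting`) in the hunk at -43 — with nothing in the diff saying why or when they come back. A release built from this config reaches `deploy` with no check for leaked secrets, vulnerable dependencies, code findings or DAST results; if this is a temporary bypass, state that in the commit description and track the revert, and prefer disabling only the stage that actually blocks rather than the whole set. It is also inconsistent with the same commit wiring `SNYK_API_KEY` and `jslSoftwareCompositionAnalysis` into the `sca` stage that is now `enabled: false`.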
+++ b/sonar-project.properties @@ -1,5 +1,5 @@ # must be unique in a given SonarQube instance -sonar.projectKey=SECUSPHERE +sonar.projectKey=SECUSPHERE--SecuSphere # --- optional properties --- diff --git a/src/vr/api/vulns/vulnerabilities.py b/src/vr/api/vulns/vulnerabilities.py index b151f5b..b06dd96 100644 --- a/src/vr/api/vulns/vulnerabilities.py +++ b/src/vr/api/vulns/vulnerabilities.py @@ -100,7 +100,7 @@ def update_vulnerabilities_status(app_cmdb_id, scan_id, req_raw): .join(VulnerabilityScans, VulnerabilityScans.ID == Vulnerabilities.ScanId) \ .join(DockerImages, DockerImages.ID == Vulnerabilities.DockerImageId) \ .filter(text( - f"(Vulnerabilities.Status NOT LIKE 'Closed-%' OR Vulnerabilities.Status='Closed-Mitigated') AND (Vulnerabilities.ApplicationId='{app_cmdb_id}') AND (Vulnerabilities.SourceType='{scan_type.split('CI/CD-')[1]}') AND (Vulnerabilities.InitialScanId!='{scan_id}') AND (DockerImages.ImageName=='{req_raw['dockerImg']}')")) \ + f"(Vulnerabilities.Status NOT LIKE 'Closed-%' OR Vulnerabilities.Status='Closed-Mitigated') AND (Vulnerabilities.ApplicationId='{app_cmdb_id}') AND (Vulnerabilities.SourceType='{scan_type.split('CI/CD-')[1]}') AND (Vulnerabilities.InitialScanId!='{scan_id}') AND (DockerImages.ImageName='{req_raw['dockerImg']}')")) \ .all() else: previous_vulns = Vulnerabilities\
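Review bot: The `text(f"…")` filter interpolates `app_cmdb_id`, `scan_id`, `scan_type` and `req_raw['dockerImg']` straight into SQL, so the `==`→`=` correction keeps a string-built query; `req_raw` reads as the raw request payload, which would make `dockerImg` a SQL-injection point for any caller of this endpoint, and the other values are only as safe as their own validation upstream. Use bound parameters instead — `text(...).bindparams(...)` keeps the existing text form and needs no new import — or express the conditions as column comparisons (`DockerImages.ImageName == req_raw['dockerImg']`). `scan_type` is defined above the hunk and `update_vulnerabilities_status` continues past it into the `else:` branch, so check that branch for the same pattern.
```python
# … unchanged: .join(VulnerabilityScans …) / .join(DockerImages …) …
.filter(text(
    "(Vulnerabilities.Status NOT LIKE 'Closed-%' OR Vulnerabilities.Status='Closed-Mitigated') "
    "AND (Vulnerabilities.ApplicationId=:app_id) "
    "AND (Vulnerabilities.SourceType=:source_type) "
    "AND (Vulnerabilities.InitialScanId!=:scan_id) "
    "AND (DockerImages.ImageName=:image_name)"
).bindparams(
    app_id=app_cmdb_id,
    source_type=scan_type.split('CI/CD-')[1],
    scan_id=scan_id,
    image_name=req_raw['dockerImg'],
)) \
.all()
```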