detectExecuteScan

Executes Synopsys Detect scan

Description

This step executes Synopsys Detect scans. The Synopsys Detect command line utility can be used to run various scans, including BlackDuck and Polaris scans. This step runs BlackDuck scans by default. Configure your BlackDuck server URL using the serverUrl parameter and the API token of your user using the token parameter (apiToken is a deprecated alias) for this step.

Usage

We recommend defining the values of step parameters in the .pipeline/config.yml file.
In this case, calling the step is essentially reduced to defining the step name.
The step can be called either in an orchestrator-specific way (e.g. via a Jenkins library step) or on the command line.

library('piper-lib-os')

detectExecuteScan script: this
piper detectExecuteScan
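
A .pipeline/config.yml for this step, as an added example that is not part of the original page: the server URL, project name, GitHub organization and credential ids are placeholders. It sets the policy gates (failOn, failOnSevereVulnerabilities) and replaces the documented default scanProperties list so that --blackduck.trust.cert=true is no longer passed.

```yaml
# .pipeline/config.yml (added example; all URLs, names and credential ids are placeholders)
steps:
  detectExecuteScan:
    serverUrl: "https://blackduck.example.invalid"   # placeholder Black Duck server URL
    projectName: "payments-api"                      # placeholder Black Duck project name
    detectTokenCredentialsId: "blackduck-api-token"  # Jenkins 'Secret text' credential holding the API token (placeholder id)
    versioningModel: "major"                         # artifact version 1.2.3 is reported into project version 1
    scanners:
      - signature
      - source
    scanPaths:
      - .
    excludedDirectories:
      - node_modules
      - target
    # Policy gate: violations of these severities mark the scan result as failed.
    failOn:
      - BLOCKER
      - CRITICAL
    failOnSevereVulnerabilities: true
    # Setting scanProperties replaces the documented default list. This variant keeps the
    # memory, timeout and Maven scope settings but drops --blackduck.trust.cert=true, so
    # Detect validates the server certificate instead of accepting it unverified
    # (assumes the server presents a certificate trusted by the scanning JVM).
    scanProperties:
      - --blackduck.signature.scanner.memory=4096
      - --detect.timeout=6000
      - --detect.maven.excluded.scopes=test
    # Optional: file one GitHub issue per finding in the originating repository.
    createResultIssue: true
    githubTokenCredentialsId: "github-issues-token"  # placeholder credential id
    owner: "example-org"                             # placeholder GitHub organization
    repository: "payments-api"                       # placeholder GitHub repository
```

On the command line the API token is not read from this file; it comes from the PIPER_token environment variable (the default shown for the token parameter), while in Jenkins the credential id above resolves it.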

Outputs

Output type Details
influx measurement step_data
  • detect
  • measurement detect_data
    • vulnerabilities
    • major_vulnerabilities
    • minor_vulnerabilities
    • components
    • policy_violations

Prerequisites

You need to store the API token for the Detect service as a 'Secret text' credential in your Jenkins system.

Parameters

Overview - Step

Name Mandatory Additional information
imageNameTags (yes) mandatory in case of:
- scanContainerDistro=ubuntu
- scanContainerDistro=centos
- scanContainerDistro=alpine
projectName yes
registryUrl (yes) mandatory in case of:
- scanContainerDistro=ubuntu
- scanContainerDistro=centos
- scanContainerDistro=alpine
repositoryPassword (yes) mandatory in case of:
- scanContainerDistro=ubuntu
- scanContainerDistro=centos
- scanContainerDistro=alpine
repositoryUsername (yes) mandatory in case of:
- scanContainerDistro=ubuntu
- scanContainerDistro=centos
- scanContainerDistro=alpine
script (yes) Jenkins only reference to Jenkins main pipeline script
serverUrl yes
token (yes) Vault Secret pass via ENV, Vault or Jenkins credentials (detectTokenCredentialsId)
assignees no
buildDescriptorList no
buildMTA no
buildMaven no
buildTool no
codeLocation no
createResultIssue no
customEnvironmentVariables no
customScanVersion no
customTlsCertificateLinks no
defaultNpmRegistry no
dependencyPath no
detectTools no
enableDiagnostics no
excludedDirectories no
excludedPackageManagers no
failOn no
failOnSevereVulnerabilities no
generateReportsForEmptyProjects no
githubApiUrl no
githubToken no Vault Secret pass via ENV, Vault or Jenkins credentials (githubTokenCredentialsId)
globalSettingsFile no
groups no
includedPackageManagers no
installArtifacts no
installNPM no
m2Path no
mavenExcludedScopes no
minScanInterval no
mtaPlatform no
npmArguments no
npmDependencyTypesExcluded no
owner no
pomPath no
privateModules no
privateModulesGitToken no Vault Secret pass via ENV, Vault or Jenkins credentials (golangPrivateModulesGitTokenCredentialsId)
projectSettingsFile no
repository no
scanContainerDistro no
scanOnChanges no
scanPaths no
scanProperties no
scanners no
successOnSkip no
unmap no
useDetect9 no
verbose no activates debug output
version no
versioningModel no

Overview - Execution Environment

Orchestrator-specific only

These parameters are relevant for orchestrator usage and not considered when using the command line option.

Name Mandatory Additional information
containerCommand no Jenkins only
containerName no Jenkins only
containerShell no Jenkins only
dockerEnvVars no
dockerImage no
dockerName no
dockerOptions no
dockerPullImage no
dockerVolumeBind no Jenkins only
dockerWorkspace no Jenkins only
sidecarEnvVars no
sidecarImage no
sidecarName no
sidecarOptions no
sidecarPullImage no
sidecarReadyCommand no Jenkins only
sidecarVolumeBind no
sidecarWorkspace no Jenkins only
stashContent no Jenkins only

Details

assignees

Defines the assignees for the GitHub issue created/updated with the results of the scan, as a list of login names.

Scope Details
Aliases -
Type []string
Mandatory no
Default
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

buildDescriptorList

List of build descriptors and therefore modules for execution of the npm scripts. The elements have to be paths to the build descriptors.

Scope Details
Aliases -
Type []string
Mandatory no
Default $PIPER_buildDescriptorList (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

buildMTA

Experimental parameter for building MTA projects.

Scope Details
Aliases -
Type bool
Mandatory no
Default false
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

buildMaven

Experimental parameter for building Maven multi-module projects.

Scope Details
Aliases -
Type bool
Mandatory no
Default false
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

buildTool

Defines the tool which is used for building the artifact.

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_buildTool (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references commonPipelineEnvironment:
  reference to: buildTool

codeLocation

An override for the name Detect will use for the scan file it creates.

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_codeLocation (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

containerCommand

Jenkins-specific: Used for proper environment setup.

Kubernetes only: Allows specifying the start command for the container created with the dockerImage parameter, overriding the Piper default (/usr/bin/tail -f /dev/null).

Scope Details
Aliases -
Type string
Mandatory no
Default
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

containerName

Jenkins-specific: Used for proper environment setup.

Optional configuration, in combination with containerMap, to define the container in which the commands should be executed.

Scope Details
Aliases -
Type string
Mandatory no
Default openjdk
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

containerShell

Jenkins-specific: Used for proper environment setup.

Allows specifying the shell to be executed for the container with containerName.

Scope Details
Aliases -
Type string
Mandatory no
Default
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

createResultIssue

Whether the step creates GitHub issues containing the scan results in the originating repository. A separate issue is created for each vulnerability. Since optimized pipelines are headless, issue creation is implicitly activated for scheduled runs.

Scope Details
Aliases -
Type bool
Mandatory no
Default false
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references commonPipelineEnvironment:
  reference to: custom/isOptimizedAndScheduled

customEnvironmentVariables

A list of environment variables which can be set to prepare the environment for running a BlackDuck scan. This includes the environment variables defined by Synopsys; the full list can be found in the Synopsys Detect documentation. These variables affect the detect script downloaded while running the scan. Right now only detect7.sh is available for downloading.

Scope Details
Aliases -
Type []string
Mandatory no
Default $PIPER_customEnvironmentVariables (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

customScanVersion

Defines a custom version for the Detect scan which deviates from the typical versioning pattern using version and versioningModel. It allows setting non-numeric versions as well and supersedes the value of version, which is calculated automatically. The parameter is also used by other scan steps (e.g. Fortify, Sonar, WhiteSource) and thus allows a common custom version across scan tools.

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_customScanVersion (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

customTlsCertificateLinks

List of download links to custom TLS certificates. This is required to ensure trusted connections to instances with repositories (like Nexus) when the publish flag is set to true.

Scope Details
Aliases -
Type []string
Mandatory no
Default $PIPER_customTlsCertificateLinks (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

defaultNpmRegistry

URL of the npm registry to use. Defaults to https://registry.npmjs.org/.

Scope Details
Aliases npm/defaultNpmRegistry
Type string
Mandatory no
Default $PIPER_defaultNpmRegistry (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

dependencyPath

Absolute path of the dependency management file of the project. This path represents the folder which contains the pom file, package.json etc. If the project contains multiple pom files, provide the path to the parent pom file or the base folder of the project.

Scope Details
Aliases detect/dependencyPath
Type string
Mandatory no
Default .
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

detectTools

The type of BlackDuck scanners to include while running the BlackDuck scan. By default all scanners are included. For the complete list of possible values, please refer to the Synopsys Detect documentation.

Scope Details
Aliases detect/detectTools
Type []string
Mandatory no
Default $PIPER_detectTools (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

dockerEnvVars

Jenkins-specific: Used for proper environment setup.

Environment variables to set in the container, e.g. [http_proxy: "proxy:8080"].

Scope Details
Aliases -
Type map[string]string
Mandatory no
Default
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

dockerImage

Jenkins-specific: Used for proper environment setup.

Name of the docker image that should be used. If empty, Docker is not used and the command is executed directly on the Jenkins system.

Scope Details
Aliases -
Type string
Mandatory no
Default openjdk:11
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

dockerName

Jenkins-specific: Used for proper environment setup.

Kubernetes only: Name of the container launching dockerImage. SideCar only: Name of the container in local network.

Scope Details
Aliases -
Type string
Mandatory no
Default openjdk
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

dockerOptions

Jenkins-specific: Used for proper environment setup.

Docker options to be set when starting the container.

Scope Details
Aliases -
Type []string
Mandatory no
Default [{-u 0}]
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

dockerPullImage

Jenkins-specific: Used for proper environment setup.

Set this to 'false' to bypass a docker image pull. Useful during the development process; allows testing of images which are available in the local registry only.

Scope Details
Aliases -
Type bool
Mandatory no
Default true
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

dockerVolumeBind

Jenkins-specific: Used for proper environment setup.

Volumes that should be mounted into the docker container.

Scope Details
Aliases -
Type map[string]string
Mandatory no
Default
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

dockerWorkspace

Jenkins-specific: Used for proper environment setup.

Kubernetes only: Specifies a dedicated user home directory for the container which will be passed as value for environment variable HOME.

Scope Details
Aliases -
Type string
Mandatory no
Default /root
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

enableDiagnostics

Parameter to enable diagnostics file generation by the detect script.

Scope Details
Aliases -
Type bool
Mandatory no
Default false
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

excludedDirectories

List of directories which should be excluded from the scan.

Scope Details
Aliases detect/excludedDirectories
Type []string
Mandatory no
Default $PIPER_excludedDirectories (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

excludedPackageManagers

The package managers that need to be excluded for this scan. Providing the package manager names with this parameter ensures that the build descriptor file of that package manager is ignored in the scan folder. For the complete list of possible values for this parameter, please refer to the Synopsys Detect documentation.

Scope Details
Aliases detect/excludedPackageManagers
Type []string
Mandatory no
Default $PIPER_excludedPackageManagers (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

failOn

A list of policies can be provided which will be applied after the scan is completed. If any of these policies is violated, the build/scan result is marked as failed. The list of accepted values can be found in the Synopsys Detect documentation.

Scope Details
Aliases detect/failOn
Type []string
Mandatory no
Default - BLOCKER
Possible values - ALL
- BLOCKER
- CRITICAL
- MAJOR
- MINOR
- NONE
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

failOnSevereVulnerabilities

Whether to fail the step on severe vulnerabilities or not.

Scope Details
Aliases -
Type bool
Mandatory no
Default true
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☐ steps
  • ☐ stages
Resource references none

generateReportsForEmptyProjects

If enabled, reports are generated for empty projects as well. This can be useful to see the compliance reports in Sirius.

Scope Details
Aliases -
Type bool
Mandatory no
Default false
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

githubApiUrl

Set the GitHub API URL.

Scope Details
Aliases -
Type string
Mandatory no
Default https://api.github.com
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

githubToken

GitHub personal access token as per https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line

Scope Details
Aliases access_token
Type string
Mandatory no
Default $PIPER_githubToken (if set)
Secret yes
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references Jenkins credential id:
  id: githubTokenCredentialsId

Vault resource:
  name: githubVaultSecretName
  default value: github

Vault paths:
  • $(vaultPath)/github
  • $(vaultBasePath)/$(vaultPipelineName)/github
  • $(vaultBasePath)/GROUP-SECRETS/github

globalSettingsFile

Path or url to the mvn settings file that should be used as global settings file

Scope Details
Aliases maven/globalSettingsFile
Type string
Mandatory no
Default $PIPER_globalSettingsFile (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

groups

User groups to be assigned to the project.

Scope Details
Aliases detect/groups
Type []string
Mandatory no
Default $PIPER_groups (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

imageNameTags

Images to be scanned (typically filled by CPE)

Scope Details
Aliases -
Type []string
Mandatory mandatory in case of:
- scanContainerDistro=ubuntu
- scanContainerDistro=centos
- scanContainerDistro=alpine
Default $PIPER_imageNameTags (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references commonPipelineEnvironment:
  reference to: container/imageNameTags

includedPackageManagers

The package managers that need to be included for this scan. Providing the package manager names with this parameter ensures that the build descriptor file of that package manager is searched for in the scan folder. For the complete list of possible values for this parameter, please refer to the Synopsys Detect documentation.

Scope Details
Aliases detect/includedPackageManagers
Type []string
Mandatory no
Default $PIPER_includedPackageManagers (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

installArtifacts

If enabled, it will install all artifacts to the local maven repository to make them available before running detect. This is required if any maven module has dependencies to other modules in the repository and they were not installed before.

Scope Details
Aliases -
Type bool
Mandatory no
Default false
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

installNPM

Experimental parameter for downloading npm dependencies.

Scope Details
Aliases -
Type bool
Mandatory no
Default false
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

m2Path

Path to the location of the local repository that should be used.

Scope Details
Aliases maven/m2Path
Type string
Mandatory no
Default $PIPER_m2Path (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

mavenExcludedScopes

The Maven scopes that need to be excluded from the scan. For example, setting the value 'test' excludes all components which are defined with a test scope in Maven.

Scope Details
Aliases detect/mavenExcludedScopes
Type []string
Mandatory no
Default $PIPER_mavenExcludedScopes (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

minScanInterval

[DEPRECATED] This parameter controls the frequency (in number of hours) at which the signature scan is re-submitted for scan. When set to a value greater than 0, the signature scans are skipped until the specified number of hours has elapsed since the last signature scan.

Scope Details
Aliases -
Type int
Mandatory no
Default 0
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

mtaPlatform

The platform of the MTA project

Scope Details
Aliases -
Type string
Mandatory no
Default CF
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

npmArguments

List of additional arguments that Detect will add at the end of the npm ls command line when Detect executes the NPM CLI Detector on an NPM project.

Scope Details
Aliases detect/npmArguments
Type []string
Mandatory no
Default $PIPER_npmArguments (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

npmDependencyTypesExcluded

List of npm dependency types which Detect should exclude from the BOM.

Scope Details
Aliases detect/npmDependencyTypesExcluded
Type []string
Mandatory no
Default $PIPER_npmDependencyTypesExcluded (if set)
Possible values - NONE
- DEV
- PEER
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

owner

Set the GitHub organization.

Scope Details
Aliases githubOrg
Type string
Mandatory no
Default $PIPER_owner (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references commonPipelineEnvironment:
  reference to: github/owner

pomPath

Path to the pom file which should be installed including all children.

Scope Details
Aliases -
Type string
Mandatory no
Default pom.xml
Secret no
Configuration scope
  • ☐ parameter
  • ☐ general
  • ☒ steps
  • ☐ stages
Resource references none

privateModules

Tells go which modules shall be considered to be private (by setting GOPRIVATE).

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_privateModules (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

privateModulesGitToken

GitHub personal access token as per https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line.

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_privateModulesGitToken (if set)
Secret yes
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references Jenkins credential id:
  id: golangPrivateModulesGitTokenCredentialsId
  reference to: password

Vault resource:
  name: golangPrivateModulesGitTokenVaultSecret
  default value: golang

Vault paths:
  • $(vaultPath)/golang
  • $(vaultBasePath)/$(vaultPipelineName)/golang
  • $(vaultBasePath)/GROUP-SECRETS/golang

projectName

Name of the Synopsys Detect (formerly BlackDuck) project.

Scope Details
Aliases detect/projectName
Type string
Mandatory yes
Default $PIPER_projectName (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

projectSettingsFile

Path or url to the mvn settings file that should be used as project settings file.

Scope Details
Aliases maven/projectSettingsFile
Type string
Mandatory no
Default $PIPER_projectSettingsFile (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

registryUrl

Used for accessing the images to be scanned (typically filled by CPE).

Scope Details
Aliases -
Type string
Mandatory mandatory in case of:
- scanContainerDistro=ubuntu
- scanContainerDistro=centos
- scanContainerDistro=alpine
Default $PIPER_registryUrl (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references commonPipelineEnvironment:
  reference to: container/registryUrl

repository

Set the GitHub repository.

Scope Details
Aliases githubRepo
Type string
Mandatory no
Default $PIPER_repository (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references commonPipelineEnvironment:
  reference to: github/repository

repositoryPassword

Used for accessing the images to be scanned (typically filled by CPE).

Scope Details
Aliases -
Type string
Mandatory mandatory in case of:
- scanContainerDistro=ubuntu
- scanContainerDistro=centos
- scanContainerDistro=alpine
Default $PIPER_repositoryPassword (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references commonPipelineEnvironment:
  reference to: container/repositoryPassword

repositoryUsername

Used for accessing the images to be scanned (typically filled by CPE).

Scope Details
Aliases -
Type string
Mandatory mandatory in case of:
- scanContainerDistro=ubuntu
- scanContainerDistro=centos
- scanContainerDistro=alpine
Default $PIPER_repositoryUsername (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references commonPipelineEnvironment:
  reference to: container/repositoryUsername

scanContainerDistro

To also scan your images registered in the CPE, choose their distro.

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_scanContainerDistro (if set)
Possible values - ubuntu
- centos
- alpine
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

scanOnChanges

This flag determines whether the scan is submitted to the server. If set to true, the scan request is submitted to the server only when changes are detected in the Open Source Bill of Materials. If set to false, the scan request is submitted to the server regardless of any changes. For more details please refer to the documentation.

Scope Details
Aliases -
Type bool
Mandatory no
Default false
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

scanPaths

List of paths which should be scanned by the Synopsys Detect (formerly BlackDuck) scan.

Scope Details
Aliases detect/scanPaths
Type []string
Mandatory no
Default - .
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

scanProperties

Properties passed to the Synopsys Detect (formerly BlackDuck) scan. You can find details in the Synopsys Detect documentation.

Scope Details
Aliases detect/scanProperties
Type []string
Mandatory no
Default - --blackduck.signature.scanner.memory=4096
- --detect.timeout=6000
- --blackduck.trust.cert=true
- --logging.level.com.synopsys.integration=DEBUG
- --detect.maven.excluded.scopes=test
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

scanners

List of scanners to be used for the Synopsys Detect (formerly BlackDuck) scan.

Scope Details
Aliases detect/scanners
Type []string
Mandatory no
Default - signature
Possible values - signature
- source
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

script

Jenkins-specific: Used for proper environment setup.

The common script environment of the running Jenkinsfile. Typically the reference to the script calling the pipeline step is provided with this parameter, as in script: this. This allows the function to access the commonPipelineEnvironment for retrieving, e.g., configuration parameters.

Scope Details
Aliases -
Type Jenkins Script
Mandatory yes
Default
Secret no
Configuration scope
  • ☐ parameter
  • ☐ general
  • ☐ steps
  • ☐ stages
Resource references none

serverUrl

Server URL of the Synopsys Detect (formerly BlackDuck) server.

Scope Details
Aliases - detect/serverUrl
- detectServerUrl
Type string
Mandatory yes
Default $PIPER_serverUrl (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

sidecarEnvVars

Jenkins-specific: Used for proper environment setup.

A map of environment variables to set in the sidecar container, similar to dockerEnvVars.

Scope Details
Aliases -
Type map[string]string
Mandatory no
Default
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

sidecarImage

Jenkins-specific: Used for proper environment setup.

The name of the docker image of the sidecar container. If empty, no sidecar container is started. Similar to dockerImage.

Scope Details
Aliases -
Type string
Mandatory no
Default
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

sidecarName

Jenkins-specific: Used for proper environment setup.

Name of the sidecar container. Similar to dockerName.

Scope Details
Aliases -
Type string
Mandatory no
Default
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

sidecarOptions

Jenkins-specific: Used for proper environment setup.

Options to be set when starting the sidecar container. Similar to dockerOptions.

Scope Details
Aliases -
Type []string
Mandatory no
Default
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

sidecarPullImage

Jenkins-specific: Used for proper environment setup.

Set this to 'false' to bypass a docker image pull. Useful during the development process; allows testing of images which are available in the local registry only.

Scope Details
Aliases -
Type bool
Mandatory no
Default false
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

sidecarReadyCommand

Jenkins-specific: Used for proper environment setup.

Command executed inside the container which returns exit code 0 when the container is ready to be used.

Scope Details
Aliases -
Type string
Mandatory no
Default
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

sidecarVolumeBind

Jenkins-specific: Used for proper environment setup.

Volumes that should be mounted into the sidecar container. Similar to dockerVolumeBind.

Scope Details
Aliases -
Type map[string]string
Mandatory no
Default
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

sidecarWorkspace

Jenkins-specific: Used for proper environment setup.

Scope Details
Aliases -
Type string
Mandatory no
Default
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

stashContent

Jenkins-specific: Used for proper environment setup.

Specific stashes that should be considered for the step execution.

Scope Details
Aliases -
Type []string
Mandatory no
Default - buildDescriptor
- checkmarx
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

successOnSkip

This flag forces Black Duck to exit with exit code 0 if any step is skipped.

Scope Details
Aliases detect/successOnSkip (deprecated)
Type bool
Mandatory no
Default true
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

token

API token to be used for connectivity with the Synopsys Detect server.

Scope Details
Aliases - blackduckToken
- detectToken
- apiToken (deprecated)
- detect/apiToken (deprecated)
Type string
Mandatory yes
Default $PIPER_token (if set)
Secret yes
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references Jenkins credential id:
  id: detectTokenCredentialsId

Vault resource:
  name: detectVaultSecretName
  default value: detect

Vault paths:
  • $(vaultPath)/detect
  • $(vaultBasePath)/$(vaultPipelineName)/detect
  • $(vaultBasePath)/GROUP-SECRETS/detect

unmap

The unmap flag unmaps all previous code locations and keeps only the current scan results in the specified project version. Set this parameter to true when the project version needs to store only the latest scan results.

back to overview

Scope Details
Aliases detect/unmap
Type bool
Mandatory no
Default false
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

useDetect9

This flag enables the use of the supported version 9 of the Detect script instead of v8.

back to overview

Scope Details
Aliases detect/useDetect9
Type bool
Mandatory no
Default false
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

verbose

Enables verbose output.

back to overview

Scope Details
Aliases -
Type bool
Mandatory no
Default false
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

version

Defines the version number of the artifact being built in the pipeline. It is used for build version creation and as the source for the Detect version. Typically, it is available through the pipeline run. The project version of the Detect project is calculated using the versioningModel.

back to overview

Scope Details
Aliases - projectVersion
- detect/projectVersion
Type string
Mandatory no
Default $PIPER_version (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references commonPipelineEnvironment:
  reference to: artifactVersion

versioningModel

The versioning model used for result reporting (based on the artifact version). For example, version 1.2.3 of the artifact is reported into version 1 when versioningModel: major is used, and into version 1.2 when versioningModel: major-minor is used. For a Continuous Delivery process, versioningModel: major is recommended.

back to overview

Scope Details
Aliases -
Type string
Mandatory no
Default major
Possible values - major
- major-minor
- semantic
- full
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none
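The mapping from artifact version to Black Duck project version, as an added example (not Piper's own implementation). The "major" and "major-minor" cases follow the description above; treating "semantic" as major.minor.patch with pre-release/build suffixes removed and "full" as the version unchanged is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// applyVersioningModel derives the Black Duck project version from the
// artifact version. Added example, not Piper's code: "major" and
// "major-minor" are as documented (1.2.3 -> "1" and "1.2"); the behaviour
// of "semantic" (major.minor.patch, suffixes dropped) and "full"
// (version unchanged) is an assumption.
func applyVersioningModel(model, version string) (string, error) {
	v := strings.TrimSpace(version)
	if v == "" {
		return "", fmt.Errorf("artifact version is empty")
	}
	if model == "full" {
		return v, nil
	}
	segments := map[string]int{"major": 1, "major-minor": 2, "semantic": 3}
	keep, ok := segments[model]
	if !ok {
		return "", fmt.Errorf("unknown versioningModel %q", model)
	}
	// Drop "-rc1" / "+build.7" style suffixes before splitting on "."
	// so the pre-release tag cannot leak into a reported version segment.
	core := v
	if i := strings.IndexAny(core, "-+"); i >= 0 {
		core = core[:i]
	}
	parts := strings.Split(core, ".")
	if len(parts) < keep {
		// Fewer segments than the model asks for: report what exists
		// (assumption; e.g. "1.2" under "semantic" stays "1.2").
		keep = len(parts)
	}
	return strings.Join(parts[:keep], "."), nil
}

func main() {
	// Constructed sample versions illustrating each model.
	for _, c := range []struct{ model, version string }{
		{"major", "1.2.3"}, {"major-minor", "1.2.3"},
		{"semantic", "1.2.3-rc1+build.7"}, {"full", "1.2.3-rc1+build.7"},
	} {
		pv, err := applyVersioningModel(c.model, c.version)
		fmt.Printf("%-12s %-18s -> %q (err=%v)\n", c.model, c.version, pv, err)
	}
}
```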

detectTokenCredentialsId

Jenkins-specific: Used for proper environment setup. See using credentials for details.

Jenkins 'Secret text' credentials ID containing the API token used to authenticate with the Synopsys Detect (formerly BlackDuck) server.

back to overview

Scope Details
Aliases apiTokenCredentialsId
Type string
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages

githubTokenCredentialsId

Jenkins-specific: Used for proper environment setup. See using credentials for details.

Jenkins 'Secret text' credentials ID containing token to authenticate to GitHub.

back to overview

Scope Details
Aliases -
Type string
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages

golangPrivateModulesGitTokenCredentialsId

Jenkins-specific: Used for proper environment setup. See using credentials for details.

Jenkins 'Username with password' credentials ID containing the username/password for HTTP access to the Git repositories where your private Go modules are stored.

back to overview

Scope Details
Aliases -
Type string
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages

Rapid scan

In addition to the full scan, Black Duck also offers a faster and simpler scan option called Rapid Scan. Its main advantage is speed: in most cases the scan completes in less than 30 seconds. It does not store any information on the Black Duck side; the result is printed to the pipeline console.

  • Note: By default, Black Duck scans run in 'FULL' mode. Although rapid scans perform appropriate security checks for early detection of issues during daily development, they are not sufficient for production deployment and releases: only use 'FULL' scans for production deployment and releases.

Running rapid scans on pull requests

If you have configured your orchestrator to detect pull requests, the detectExecuteScan step in the Piper pipeline can recognize this and change the Black Duck scan mode from 'FULL' to 'RAPID'. This does not affect the usual branch scans.

  • Note:
  • This functionality is not applicable to the GPP (General Purpose Pipeline)
  • This can only be used for custom pipelines based on the Jenkins piper library

How to run rapid scans

  1. Specify all the required parameters for the detectExecuteScan step in .pipeline/config.yml. Optionally, specify githubApiUrl and githubToken in the detectExecuteScan step to get the result posted as a pull request comment. For example:

    ...
    steps:
      ...
      detectExecuteScan:
        serverUrl: 'https://sap-staging.app.blackduck.com/'
        detectTokenCredentialsId: 'JenkinsCredentialsIdForBlackDuckToken'
        projectName: 'projectNameInBlackDuckUI'
        version: 'v1.0'
        githubApiUrl: 'https://github.wdf.sap.corp/api/v3'
        githubToken: 'JenkinsCredentialsIdForGithub'
      ...
    ...
    
  2. Enable detectExecuteScan in the orchestrator. For example:

    @Library('piper-lib') _
    @Library('piper-lib-os') __
    
    node {
      stage('Init') {
        checkout scm
        setupPipelineEnvironment script: this
      }
      stage('detectExecuteScan') {
        detectExecuteScan script: this
      }
      ...
    }
    
  3. To run the rapid scan, open a pull request with your changes to the main branch.

Result of the rapid scan

If you provide githubApiUrl and githubToken, the pipeline adds the scan result as a comment on the opened pull request.

blackDuckPullRequestComment