detectExecuteScan¶
Executes Synopsys Detect scan
Description¶
This step executes Synopsys Detect scans. The Synopsys Detect command line utility can run various scans, including Black Duck and Polaris scans; this step runs Black Duck scans by default. Configure the URL of your Black Duck server with the serverUrl parameter and the API token of your user with the apiToken parameter (an alias of token) for this step.
Usage¶
We recommend defining the values of the step parameters in the .pipeline/config.yml file.
In that case, calling the step is essentially reduced to naming the step.
The step can be called either in an orchestrator-specific way (e.g. via a Jenkins library step) or on the command line.

Jenkins pipeline:

```groovy
library('piper-lib-os')
detectExecuteScan script: this
```

Command line:

```sh
piper detectExecuteScan
```
Outputs¶
Output type | Details |
---|---|
influx | measurement step_data; detect_data |
Prerequisites¶
You need to store the API token for the Detect service as a 'Secret text' credential in your Jenkins system.
Parameters¶
Overview - Step¶
Overview - Execution Environment¶
Orchestrator-specific only
These parameters are relevant for orchestrator usage and not considered when using the command line option.
Name | Mandatory | Additional information |
---|---|---|
containerCommand | no | |
containerName | no | |
containerShell | no | |
dockerEnvVars | no | |
dockerImage | no | |
dockerName | no | |
dockerOptions | no | |
dockerPullImage | no | |
dockerVolumeBind | no | |
dockerWorkspace | no | |
sidecarEnvVars | no | |
sidecarImage | no | |
sidecarName | no | |
sidecarOptions | no | |
sidecarPullImage | no | |
sidecarReadyCommand | no | |
sidecarVolumeBind | no | |
sidecarWorkspace | no | |
stashContent | no | |
Details¶
assignees¶
Defines the assignees for the GitHub issue created or updated with the results of the scan, as a list of login names.
Scope | Details |
---|---|
Aliases | - |
Type | []string |
Mandatory | no |
Default | |
Secret | no |
Configuration scope | |
Resource references | none |
buildDescriptorList¶
List of build descriptors, and therefore modules, for which the npm scripts are executed. The elements have to be paths to the build descriptors.
Scope | Details |
---|---|
Aliases | - |
Type | []string |
Mandatory | no |
Default | $PIPER_buildDescriptorList (if set) |
Secret | no |
Configuration scope | |
Resource references | none |
buildMTA¶
Experimental parameter for building MTA projects.
Scope | Details |
---|---|
Aliases | - |
Type | bool |
Mandatory | no |
Default | false |
Possible values | - true - false |
Secret | no |
Configuration scope | |
Resource references | none |
buildMaven¶
Experimental parameter for building Maven multi-module projects.
Scope | Details |
---|---|
Aliases | - |
Type | bool |
Mandatory | no |
Default | false |
Possible values | - true - false |
Secret | no |
Configuration scope | |
Resource references | none |
buildTool¶
Defines the tool which is used for building the artifact.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | $PIPER_buildTool (if set) |
Secret | no |
Configuration scope | |
Resource references | commonPipelineEnvironment: reference to: buildTool |
codeLocation¶
An override for the name Detect will use for the scan file it creates.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | $PIPER_codeLocation (if set) |
Secret | no |
Configuration scope | |
Resource references | none |
containerCommand¶
Jenkins-specific: Used for proper environment setup.
Kubernetes only: Allows specifying the start command for the container created with the dockerImage parameter, overriding the Piper default (/usr/bin/tail -f /dev/null).
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | |
Secret | no |
Configuration scope | |
Resource references | none |
containerName¶
Jenkins-specific: Used for proper environment setup.
Optional configuration, in combination with containerMap, to define the container in which the commands should be executed.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | openjdk |
Secret | no |
Configuration scope | |
Resource references | none |
containerShell¶
Jenkins-specific: Used for proper environment setup.
Allows specifying the shell to be executed for the container with containerName.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | |
Secret | no |
Configuration scope | |
Resource references | none |
createResultIssue¶
Whether the step creates GitHub issues containing the scan results in the originating repository. A separate issue is created for each vulnerability. Since optimized pipelines are headless, issue creation is implicitly activated for scheduled runs.
Scope | Details |
---|---|
Aliases | - |
Type | bool |
Mandatory | no |
Default | false |
Possible values | - true - false |
Secret | no |
Configuration scope | |
Resource references | commonPipelineEnvironment: reference to: custom/isOptimizedAndScheduled |
customEnvironmentVariables¶
A list of environment variables which can be set to prepare the environment for running a Black Duck scan. This includes the environment variables defined by Synopsys; the full list is given in the Synopsys Detect documentation. These variables affect the detect script downloaded while running the scan. Right now only detect7.sh is available for downloading.
Scope | Details |
---|---|
Aliases | - |
Type | []string |
Mandatory | no |
Default | $PIPER_customEnvironmentVariables (if set) |
Secret | no |
Configuration scope | |
Resource references | none |
customScanVersion¶
Defines a custom version for the Detect scan which deviates from the typical versioning pattern using version and versioningModel.
It allows setting non-numeric versions as well and supersedes the value of version, which is calculated automatically.
The parameter is also used by other scan steps (e.g. Fortify, Sonar, WhiteSource) and thus allows a common custom version across scan tools.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | $PIPER_customScanVersion (if set) |
Secret | no |
Configuration scope | |
Resource references | none |
customTlsCertificateLinks¶
List of download links to custom TLS certificates. This is required to ensure trusted connections to instances with repositories (like Nexus) when the publish flag is set to true.
Scope | Details |
---|---|
Aliases | - |
Type | []string |
Mandatory | no |
Default | $PIPER_customTlsCertificateLinks (if set) |
Secret | no |
Configuration scope | |
Resource references | none |
defaultNpmRegistry¶
URL of the npm registry to use. Defaults to https://registry.npmjs.org/.
Scope | Details |
---|---|
Aliases | npm/defaultNpmRegistry |
Type | string |
Mandatory | no |
Default | $PIPER_defaultNpmRegistry (if set) |
Secret | no |
Configuration scope | |
Resource references | none |
dependencyPath¶
Absolute path of the dependency management file of the project. This path represents the folder which contains the pom file, package.json etc. If the project contains multiple pom files, provide the path to the parent pom file or the base folder of the project.
Scope | Details |
---|---|
Aliases | detect/dependencyPath |
Type | string |
Mandatory | no |
Default | . |
Secret | no |
Configuration scope | |
Resource references | none |
detectTools¶
The types of Black Duck scanners to include while running the Black Duck scan. By default all scanners are included. For the complete list of possible values, please refer to the Synopsys Detect documentation.
Scope | Details |
---|---|
Aliases | detect/detectTools |
Type | []string |
Mandatory | no |
Default | $PIPER_detectTools (if set) |
Secret | no |
Configuration scope | |
Resource references | none |
dockerEnvVars¶
Jenkins-specific: Used for proper environment setup.
Environment variables to set in the container, e.g. [http_proxy: "proxy:8080"].
Scope | Details |
---|---|
Aliases | - |
Type | map[string]string |
Mandatory | no |
Default | |
Secret | no |
Configuration scope | |
Resource references | none |
dockerImage¶
Jenkins-specific: Used for proper environment setup.
Name of the docker image that should be used. If empty, Docker is not used and the command is executed directly on the Jenkins system.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | openjdk:11 |
Secret | no |
Configuration scope | |
Resource references | none |
dockerName¶
Jenkins-specific: Used for proper environment setup.
Kubernetes only: Name of the container launching dockerImage. SideCar only: Name of the container in local network.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | openjdk |
Secret | no |
Configuration scope | |
Resource references | none |
dockerOptions¶
Jenkins-specific: Used for proper environment setup.
Docker options to be set when starting the container.
Scope | Details |
---|---|
Aliases | - |
Type | []string |
Mandatory | no |
Default | [{-u 0}] |
Secret | no |
Configuration scope | |
Resource references | none |
dockerPullImage¶
Jenkins-specific: Used for proper environment setup.
Set this to 'false' to bypass a docker image pull. Useful during development; it allows testing images which are available in the local registry only.
Scope | Details |
---|---|
Aliases | - |
Type | bool |
Mandatory | no |
Default | true |
Possible values | - true - false |
Secret | no |
Configuration scope | |
Resource references | none |
dockerVolumeBind¶
Jenkins-specific: Used for proper environment setup.
Volumes that should be mounted into the docker container.
Scope | Details |
---|---|
Aliases | - |
Type | map[string]string |
Mandatory | no |
Default | |
Secret | no |
Configuration scope | |
Resource references | none |
dockerWorkspace¶
Jenkins-specific: Used for proper environment setup.
Kubernetes only: Specifies a dedicated user home directory for the container, which will be passed as the value of the environment variable HOME.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | /root |
Secret | no |
Configuration scope | |
Resource references | none |
enableDiagnostics¶
Parameter to enable diagnostics file generation by the detect script.
Scope | Details |
---|---|
Aliases | - |
Type | bool |
Mandatory | no |
Default | false |
Possible values | - true - false |
Secret | no |
Configuration scope | |
Resource references | none |
excludedDirectories¶
List of directories which should be excluded from the scan.
Scope | Details |
---|---|
Aliases | detect/excludedDirectories |
Type | []string |
Mandatory | no |
Default | $PIPER_excludedDirectories (if set) |
Secret | no |
Configuration scope | |
Resource references | none |
excludedPackageManagers¶
The package managers that need to be excluded from this scan. Providing the package manager names with this parameter ensures that the build descriptor file of that package manager is ignored in the scan folder. For the complete list of possible values for this parameter, please refer to the Synopsys Detect documentation.
Scope | Details |
---|---|
Aliases | detect/excludedPackageManagers |
Type | []string |
Mandatory | no |
Default | $PIPER_excludedPackageManagers (if set) |
Secret | no |
Configuration scope | |
Resource references | none |
failOn¶
A list of policies which are applied after the scan is completed. If any of these policies is violated, the build/scan result is marked as failed. The list of accepted values can be found in the Synopsys Detect documentation.
Scope | Details |
---|---|
Aliases | detect/failOn |
Type | []string |
Mandatory | no |
Default | BLOCKER |
Possible values | ALL, BLOCKER, CRITICAL, MAJOR, MINOR, NONE |
Secret | no |
Configuration scope | |
Resource references | none |
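How the failOn list gates the build result after a scan, as an added Go example (not Piper's or Detect's own code): the policy violations are constructed sample data, and the semantics given to ALL (matches every violation) and NONE (on its own, never fails the build), as well as the rejection of values outside the accepted list, are assumptions of the example. The validation step is the check a practitioner wants in front of the gate: a misspelt severity must fail the configuration, not silently leave the build ungated.

```go
package main

import (
	"fmt"
	"strings"
)

// PolicyViolation is one violated Black Duck policy as the scan could report
// it. The type and the sample values in main() are constructed for this example.
type PolicyViolation struct {
	Policy   string
	Severity string // BLOCKER, CRITICAL, MAJOR or MINOR in the samples below
}

// allowedFailOn lists the values the failOn parameter accepts.
var allowedFailOn = map[string]bool{
	"ALL": true, "BLOCKER": true, "CRITICAL": true, "MAJOR": true, "MINOR": true, "NONE": true,
}

func normalize(s string) string { return strings.ToUpper(strings.TrimSpace(s)) }

// ValidateFailOn rejects values outside the accepted list, so that a typo such
// as "BLOCKERS" fails the configuration loudly instead of silently leaving the
// build ungated. An empty list is rejected for the same reason: disabling the
// gate has to be an explicit NONE.
func ValidateFailOn(failOn []string) error {
	if len(failOn) == 0 {
		return fmt.Errorf("failOn must not be empty; use NONE to disable the gate explicitly")
	}
	for _, v := range failOn {
		if !allowedFailOn[normalize(v)] {
			return fmt.Errorf("unsupported failOn value %q", v)
		}
	}
	return nil
}

// ShouldFail reports whether the violations trip the gate and returns the ones
// that did. Assumed semantics: ALL matches every violation, NONE on its own
// never matches, otherwise a violation matches when its severity is listed.
func ShouldFail(failOn []string, violations []PolicyViolation) (bool, []PolicyViolation) {
	wanted := map[string]bool{}
	for _, v := range failOn {
		wanted[normalize(v)] = true
	}
	if len(wanted) == 1 && wanted["NONE"] {
		return false, nil
	}
	var hits []PolicyViolation
	for _, v := range violations {
		if wanted["ALL"] || wanted[normalize(v.Severity)] {
			hits = append(hits, v)
		}
	}
	return len(hits) > 0, hits
}

func main() {
	// Constructed sample result of a scan; not real policy names.
	violations := []PolicyViolation{
		{Policy: "No copyleft licenses", Severity: "BLOCKER"},
		{Policy: "No critical vulnerabilities", Severity: "CRITICAL"},
		{Policy: "Component older than 3 years", Severity: "MINOR"},
	}
	for _, failOn := range [][]string{{"BLOCKER"}, {"CRITICAL", "MAJOR"}, {"ALL"}, {"NONE"}, {"BLOCKERS"}} {
		if err := ValidateFailOn(failOn); err != nil {
			fmt.Println("config error:", err)
			continue
		}
		fail, hits := ShouldFail(failOn, violations)
		fmt.Printf("failOn=%v -> failed=%v, matched=%d\n", failOn, fail, len(hits))
	}
}
```

With the page's default of BLOCKER only the first sample violation trips the gate; a CRITICAL finding alone would pass, which is why teams that rely on this gate for release branches usually list BLOCKER and CRITICAL together.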
failOnSevereVulnerabilities¶
Whether to fail the step on severe vulnerabilities or not.
Scope | Details |
---|---|
Aliases | - |
Type | bool |
Mandatory | no |
Default | true |
Possible values | - true - false |
Secret | no |
Configuration scope | |
Resource references | none |
generateReportsForEmptyProjects¶
If enabled, reports are generated for empty projects as well. This can be useful to see the compliance reports in Sirius.
Scope | Details |
---|---|
Aliases | - |
Type | bool |
Mandatory | no |
Default | false |
Possible values | - true - false |
Secret | no |
Configuration scope | |
Resource references | none |
githubApiUrl¶
Set the GitHub API URL.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | https://api.github.com |
Secret | no |
Configuration scope | |
Resource references | none |
githubToken¶
GitHub personal access token as per https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
Scope | Details |
---|---|
Aliases | access_token |
Type | string |
Mandatory | no |
Default | $PIPER_githubToken (if set) |
Secret | yes |
Configuration scope | |
Resource references | Jenkins credential id: githubTokenCredentialsId; Vault resource: githubVaultSecretName (default value: github); Vault paths: |
globalSettingsFile¶
Path or url to the mvn settings file that should be used as global settings file
Scope | Details |
---|---|
Aliases | maven/globalSettingsFile |
Type | string |
Mandatory | no |
Default | $PIPER_globalSettingsFile (if set) |
Secret | no |
Configuration scope | |
Resource references | none |
groups¶
User groups to be assigned to the project.
Scope | Details |
---|---|
Aliases | detect/groups |
Type | []string |
Mandatory | no |
Default | $PIPER_groups (if set) |
Secret | no |
Configuration scope | |
Resource references | none |
imageNameTags¶
Images to be scanned (typically filled by the CPE).
Scope | Details |
---|---|
Aliases | - |
Type | []string |
Mandatory | mandatory in case of scanContainerDistro = ubuntu, centos or alpine |
Default | $PIPER_imageNameTags (if set) |
Secret | no |
Configuration scope | |
Resource references | commonPipelineEnvironment: reference to: container/imageNameTags |
includedPackageManagers¶
The package managers that need to be included for this scan. Providing the package manager names with this parameter ensures that the build descriptor file of that package manager is searched for in the scan folder. For the complete list of possible values for this parameter, please refer to the Synopsys Detect documentation.
Scope | Details |
---|---|
Aliases | detect/includedPackageManagers |
Type | []string |
Mandatory | no |
Default | $PIPER_includedPackageManagers (if set) |
Secret | no |
Configuration scope | |
Resource references | none |
installArtifacts¶
If enabled, all artifacts are installed to the local Maven repository to make them available before running detect. This is required if any Maven module has dependencies on other modules in the repository and they were not installed before.
Scope | Details |
---|---|
Aliases | - |
Type | bool |
Mandatory | no |
Default | false |
Possible values | - true - false |
Secret | no |
Configuration scope | |
Resource references | none |
installNPM¶
Experimental parameter for downloading npm dependencies.
Scope | Details |
---|---|
Aliases | - |
Type | bool |
Mandatory | no |
Default | false |
Possible values | - true - false |
Secret | no |
Configuration scope | |
Resource references | none |
m2Path¶
Path to the location of the local repository that should be used.
Scope | Details |
---|---|
Aliases | maven/m2Path |
Type | string |
Mandatory | no |
Default | $PIPER_m2Path (if set) |
Secret | no |
Configuration scope | |
Resource references | none |
mavenExcludedScopes¶
The Maven scopes that need to be excluded from the scan. For example, setting the value 'test' will exclude all components which are defined with a test scope in Maven.
Scope | Details |
---|---|
Aliases | detect/mavenExcludedScopes |
Type | []string |
Mandatory | no |
Default | $PIPER_mavenExcludedScopes (if set) |
Secret | no |
Configuration scope | |
Resource references | none |
minScanInterval¶
[DEPRECATED] This parameter controls the frequency (in number of hours) at which the signature scan is re-submitted for scan. When set to a value greater than 0, the signature scans are skipped until the specified number of hours has elapsed since the last signature scan.
Scope | Details |
---|---|
Aliases | - |
Type | int |
Mandatory | no |
Default | 0 |
Secret | no |
Configuration scope | |
Resource references | none |
mtaPlatform¶
The platform of the MTA project
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | CF |
Secret | no |
Configuration scope | |
Resource references | none |
npmArguments¶
List of additional arguments that Detect will add at the end of the npm ls command line when Detect executes the NPM CLI Detector on an NPM project.
Scope | Details |
---|---|
Aliases | detect/npmArguments |
Type | []string |
Mandatory | no |
Default | $PIPER_npmArguments (if set) |
Secret | no |
Configuration scope | |
Resource references | none |
npmDependencyTypesExcluded¶
List of npm dependency types which Detect should exclude from the BOM.
Scope | Details |
---|---|
Aliases | detect/npmDependencyTypesExcluded |
Type | []string |
Mandatory | no |
Default | $PIPER_npmDependencyTypesExcluded (if set) |
Possible values | - NONE - DEV - PEER |
Secret | no |
Configuration scope | |
Resource references | none |
owner¶
Set the GitHub organization.
Scope | Details |
---|---|
Aliases | githubOrg |
Type | string |
Mandatory | no |
Default | $PIPER_owner (if set) |
Secret | no |
Configuration scope | |
Resource references | commonPipelineEnvironment: reference to: github/owner |
pomPath¶
Path to the pom file which should be installed including all children.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | pom.xml |
Secret | no |
Configuration scope | |
Resource references | none |
privateModules¶
Tells go which modules shall be considered to be private (by setting GOPRIVATE).
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | $PIPER_privateModules (if set) |
Secret | no |
Configuration scope | |
Resource references | none |
privateModulesGitToken¶
GitHub personal access token as per https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | $PIPER_privateModulesGitToken (if set) |
Secret | yes |
Configuration scope | |
Resource references | Jenkins credential id: golangPrivateModulesGitTokenCredentialsId (reference to: password); Vault resource: golangPrivateModulesGitTokenVaultSecret (default value: golang); Vault paths: |
projectName¶
Name of the Synopsys Detect (formerly BlackDuck) project.
Scope | Details |
---|---|
Aliases | detect/projectName |
Type | string |
Mandatory | yes |
Default | $PIPER_projectName (if set) |
Secret | no |
Configuration scope | |
Resource references | none |
projectSettingsFile¶
Path or url to the mvn settings file that should be used as project settings file.
Scope | Details |
---|---|
Aliases | maven/projectSettingsFile |
Type | string |
Mandatory | no |
Default | $PIPER_projectSettingsFile (if set) |
Secret | no |
Configuration scope | |
Resource references | none |
registryUrl¶
Used for accessing the images to be scanned (typically filled by the CPE).
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | mandatory in case of scanContainerDistro = ubuntu, centos or alpine |
Default | $PIPER_registryUrl (if set) |
Secret | no |
Configuration scope | |
Resource references | commonPipelineEnvironment: reference to: container/registryUrl |
repository¶
Set the GitHub repository.
Scope | Details |
---|---|
Aliases | githubRepo |
Type | string |
Mandatory | no |
Default | $PIPER_repository (if set) |
Secret | no |
Configuration scope | |
Resource references | commonPipelineEnvironment: reference to: github/repository |
repositoryPassword¶
Used for accessing the images to be scanned (typically filled by the CPE).
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | mandatory in case of scanContainerDistro = ubuntu, centos or alpine |
Default | $PIPER_repositoryPassword (if set) |
Secret | no |
Configuration scope | |
Resource references | commonPipelineEnvironment: reference to: container/repositoryPassword |
repositoryUsername¶
Used for accessing the images to be scanned (typically filled by the CPE).
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | mandatory in case of scanContainerDistro = ubuntu, centos or alpine |
Default | $PIPER_repositoryUsername (if set) |
Secret | no |
Configuration scope | |
Resource references | commonPipelineEnvironment: reference to: container/repositoryUsername |
scanContainerDistro¶
To also scan the images recorded in the CPE, choose their distro.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | $PIPER_scanContainerDistro (if set) |
Possible values | - ubuntu - centos - alpine |
Secret | no |
Configuration scope | |
Resource references | none |
scanOnChanges¶
This flag determines whether the scan is submitted to the server. If set to true, the scan request is submitted to the server only when changes are detected in the open-source bill of materials. If set to false, the scan request is submitted to the server regardless of any changes. For more details please refer to the documentation.
Scope | Details |
---|---|
Aliases | - |
Type | bool |
Mandatory | no |
Default | false |
Possible values | - true - false |
Secret | no |
Configuration scope | |
Resource references | none |
scanPaths¶
List of paths which should be scanned by the Synopsys Detect (formerly BlackDuck) scan.
Scope | Details |
---|---|
Aliases | detect/scanPaths |
Type | []string |
Mandatory | no |
Default | - . |
Secret | no |
Configuration scope | |
Resource references | none |
scanProperties¶
Properties passed to the Synopsys Detect (formerly BlackDuck) scan. You can find details in the Synopsys Detect documentation.
Scope | Details |
---|---|
Aliases | detect/scanProperties |
Type | []string |
Mandatory | no |
Default | --blackduck.signature.scanner.memory=4096, --detect.timeout=6000, --blackduck.trust.cert=true, --logging.level.com.synopsys.integration=DEBUG, --detect.maven.excluded.scopes=test |
Secret | no |
Configuration scope | |
Resource references | none |
scanners¶
List of scanners to be used for the Synopsys Detect (formerly BlackDuck) scan.
Scope | Details |
---|---|
Aliases | detect/scanners |
Type | []string |
Mandatory | no |
Default | - signature |
Possible values | - signature - source |
Secret | no |
Configuration scope | |
Resource references | none |
script¶
Jenkins-specific: Used for proper environment setup.
The common script environment of the running Jenkinsfile. Typically the reference to the script calling the pipeline step is provided with the this parameter, as in script: this. This allows the function to access the commonPipelineEnvironment for retrieving, e.g., configuration parameters.
Scope | Details |
---|---|
Aliases | - |
Type | Jenkins Script |
Mandatory | yes |
Default | |
Secret | no |
Configuration scope | |
Resource references | none |
serverUrl¶
Server URL of the Synopsys Detect (formerly BlackDuck) server.
Scope | Details |
---|---|
Aliases | - detect/serverUrl - detectServerUrl |
Type | string |
Mandatory | yes |
Default | $PIPER_serverUrl (if set) |
Secret | no |
Configuration scope | |
Resource references | none |
sidecarEnvVars¶
Jenkins-specific: Used for proper environment setup.
A map of environment variables to set in the sidecar container, similar to dockerEnvVars.
Scope | Details |
---|---|
Aliases | - |
Type | map[string]string |
Mandatory | no |
Default | |
Secret | no |
Configuration scope | |
Resource references | none |
sidecarImage¶
Jenkins-specific: Used for proper environment setup.
The name of the docker image of the sidecar container. If empty, no sidecar container is started. Similar to dockerImage.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | |
Secret | no |
Configuration scope | |
Resource references | none |
sidecarName¶
Jenkins-specific: Used for proper environment setup.
Name of the sidecar container. Similar to dockerName.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | |
Secret | no |
Configuration scope | |
Resource references | none |
sidecarOptions¶
Jenkins-specific: Used for proper environment setup.
Options to be set when starting the sidecar container. Similar to dockerOptions.
Scope | Details |
---|---|
Aliases | - |
Type | []string |
Mandatory | no |
Default | |
Secret | no |
Configuration scope | |
Resource references | none |
sidecarPullImage¶
Jenkins-specific: Used for proper environment setup.
Set this to 'false' to bypass a docker image pull. Useful during development; it allows testing images which are available in the local registry only.
Scope | Details |
---|---|
Aliases | - |
Type | bool |
Mandatory | no |
Default | false |
Possible values | - true - false |
Secret | no |
Configuration scope | |
Resource references | none |
sidecarReadyCommand¶
Jenkins-specific: Used for proper environment setup.
Command executed inside the container which returns exit code 0 when the container is ready to be used.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | |
Secret | no |
Configuration scope | |
Resource references | none |
sidecarVolumeBind¶
Jenkins-specific: Used for proper environment setup.
Volumes that should be mounted into the sidecar container. Similar to dockerVolumeBind.
Scope | Details |
---|---|
Aliases | - |
Type | map[string]string |
Mandatory | no |
Default | |
Secret | no |
Configuration scope | |
Resource references | none |
sidecarWorkspace¶
Jenkins-specific: Used for proper environment setup.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | |
Secret | no |
Configuration scope | |
Resource references | none |
stashContent¶
Jenkins-specific: Used for proper environment setup.
Specific stashes that should be considered for the step execution.
Scope | Details |
---|---|
Aliases | - |
Type | []string |
Mandatory | no |
Default | - buildDescriptor - checkmarx |
Secret | no |
Configuration scope | |
Resource references | none |
successOnSkip¶
This flag forces Black Duck to exit with exit code 0 if any step is skipped.
Scope | Details |
---|---|
Aliases | detect/successOnSkip (deprecated) |
Type | bool |
Mandatory | no |
Default | true |
Possible values | - true - false |
Secret | no |
Configuration scope | |
Resource references | none |
token¶
API token to be used for connectivity with the Synopsys Detect server.
Scope | Details |
---|---|
Aliases | blackduckToken, detectToken, apiToken (deprecated), detect/apiToken (deprecated) |
Type | string |
Mandatory | yes |
Default | $PIPER_token (if set) |
Secret | yes |
Configuration scope | |
Resource references | Jenkins credential id: detectTokenCredentialsId; Vault resource: detectVaultSecretName (default value: detect); Vault paths: |
unmap¶
Unmap flag will unmap all previous code locations and keep only the current scan results in the specified project version. Set this parameter to true, when the project version needs to store only the latest scan results.
Scope | Details |
---|---|
Aliases | detect/unmap |
Type | bool |
Mandatory | no |
Default | false |
Possible values | - true - false |
Secret | no |
Configuration scope | |
Resource references | none |
useDetect9¶
This flag enables the use of the supported version 9 of the Detect Script instead of v8
Scope | Details |
---|---|
Aliases | detect/useDetect9 |
Type | bool |
Mandatory | no |
Default | false |
Possible values | - true - false |
Secret | no |
Configuration scope | |
Resource references | none |
verbose¶
Verbose output.
Scope | Details |
---|---|
Aliases | - |
Type | bool |
Mandatory | no |
Default | false |
Possible values | - true - false |
Secret | no |
Configuration scope | |
Resource references | none |
version¶
Defines the version number of the artifact being built in the pipeline.
It is used for build version creation and as the source for the Detect version.
Typically it is available through the pipeline run.
The project version of the Detect project is calculated using the versioningModel.
Scope | Details |
---|---|
Aliases | - projectVersion - detect/projectVersion |
Type | string |
Mandatory | no |
Default | $PIPER_version (if set) |
Secret | no |
Configuration scope | |
Resource references | commonPipelineEnvironment: reference to: artifactVersion |
versioningModel¶
The versioning model used for result reporting (based on the artifact version).
For example: the version 1.2.3 of the artifact will result in a version 1 to report into when versioningModel: major is used, and in a version 1.2 when versioningModel: major-minor is used.
Recommendation for a Continuous Delivery process is to use versioningModel: major.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Mandatory | no |
Default | major |
Possible values | - major - major-minor - semantic - full |
Secret | no |
Configuration scope | |
Resource references | none |
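How the version reported into Detect is derived from version, versioningModel and customScanVersion (this also illustrates the customScanVersion parameter above), as an added Go example that is not Piper's own implementation: the number of segments kept per model, the handling of a version with fewer segments than the model asks for, and the dropping of a -SNAPSHOT or +build suffix for the truncating models are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// coreVersion strips a pre-release or build suffix ("1.2.3-SNAPSHOT",
// "1.2.3+b42" -> "1.2.3"). Assumption of this example: the truncating models
// only ever look at the numeric MAJOR.MINOR.PATCH core.
func coreVersion(v string) string {
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		return v[:i]
	}
	return v
}

// ApplyVersioningModel reduces the artifact version to the form the
// versioningModel asks for: major -> "1", major-minor -> "1.2",
// semantic -> "1.2.3", full -> the version unchanged. A version with fewer
// segments than the model wants is returned as it is (an assumption here).
func ApplyVersioningModel(model, version string) (string, error) {
	keep := func(n int) string {
		parts := strings.Split(coreVersion(version), ".")
		if len(parts) < n {
			n = len(parts)
		}
		return strings.Join(parts[:n], ".")
	}
	switch model {
	case "major":
		return keep(1), nil
	case "major-minor":
		return keep(2), nil
	case "semantic":
		return keep(3), nil
	case "full":
		return version, nil
	default:
		return "", fmt.Errorf("unknown versioningModel %q (expected major, major-minor, semantic or full)", model)
	}
}

// ScanVersion is the version handed to Detect: customScanVersion, when set,
// supersedes the value calculated from version and versioningModel.
func ScanVersion(version, versioningModel, customScanVersion string) (string, error) {
	if customScanVersion != "" {
		return customScanVersion, nil
	}
	if version == "" {
		return "", errors.New("no artifact version available and no customScanVersion set")
	}
	return ApplyVersioningModel(versioningModel, version)
}

func main() {
	for _, model := range []string{"major", "major-minor", "semantic", "full"} {
		v, err := ScanVersion("1.2.3-SNAPSHOT", model, "")
		fmt.Printf("%-12s -> %q (err=%v)\n", model, v, err)
	}
	v, _ := ScanVersion("1.2.3", "major", "release-2024-Q1")
	fmt.Printf("%-12s -> %q\n", "custom", v)
}
```

The practical consequence of the model choice is visible in the output: with major every build of the 1.x line reports into the same Detect project version, so findings accumulate in one place, while full creates a new project version per artifact build.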
detectTokenCredentialsId¶
Jenkins-specific: Used for proper environment setup. See using credentials for details.
Jenkins 'Secret text' credentials ID containing the API token used to authenticate with the Synopsys Detect (formerly BlackDuck) server.
Scope | Details |
---|---|
Aliases | apiTokenCredentialsId |
Type | string |
Configuration scope | |
githubTokenCredentialsId¶
Jenkins-specific: Used for proper environment setup. See using credentials for details.
Jenkins 'Secret text' credentials ID containing the token used to authenticate to GitHub.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Configuration scope | |
golangPrivateModulesGitTokenCredentialsId¶
Jenkins-specific: Used for proper environment setup. See using credentials for details.
Jenkins 'Username with password' credentials ID containing the username/password for HTTP access to the git repositories where your Go private modules are stored.
Scope | Details |
---|---|
Aliases | - |
Type | string |
Configuration scope | |
Rapid scan¶
In addition to the full scan, Black Duck also offers a faster and easier scan option, called Rapid Scan. Its main advantage is speed: in most cases the scan completes in less than 30 seconds. It does not save any information on the Black Duck side; the result can be found in the pipeline console.

Note: By default, Black Duck scans run in 'FULL' mode. Although rapid scans do appropriate security checks for early detection of issues during daily development, they are not sufficient for production deployments and releases: only use 'FULL' scans for production deployments and releases.
Running rapid scans on pull requests¶
If you have configured your orchestrator to detect pull requests, then the detectExecuteScan step in the Piper pipeline can recognize this and change the Black Duck scan mode from 'FULL' to 'RAPID'. This does not affect the usual branch scans.

Note:
- This functionality is not applicable to the GPP (General Purpose Pipeline).
- This can only be used for custom pipelines based on the Jenkins Piper library.
How to run rapid scans¶
1. Specify all the required parameters for the detectExecuteScan step in .pipeline/config.yml. Optionally you can specify githubApiUrl and githubToken in the detectExecuteScan step to get the result as a comment on the pull request. For example:

```yaml
...
steps:
  ...
  detectExecuteScan:
    serverUrl: 'https://sap-staging.app.blackduck.com/'
    detectTokenCredentialsId: 'JenkinsCredentialsIdForBlackDuckToken'
    projectName: 'projectNameInBlackDuckUI'
    version: 'v1.0'
    githubApiUrl: 'https://github.wdf.sap.corp/api/v3'
    githubToken: 'JenkinsCredentialsIdForGithub'
  ...
...
```

2. Enable detectExecuteScan in the orchestrator. For example:

```groovy
@Library('piper-lib') _
@Library('piper-lib-os') __

node {
    stage('Init') {
        checkout scm
        setupPipelineEnvironment script: this
    }
    stage('detectExecuteScan') {
        detectExecuteScan script: this
    }
    ...
}
```

3. To run the rapid scan, open a pull request with your changes to the main branch.
Result of the rapid scan¶
If you provide githubApiUrl and githubToken, then the pipeline adds the scan result as a comment to the opened pull request.