Diffstat (limited to 'ansible_collections/netapp_eseries/santricity/vars')
7 files changed, 254 insertions, 0 deletions
diff --git a/ansible_collections/netapp_eseries/santricity/vars/hubPreCheck.groovy b/ansible_collections/netapp_eseries/santricity/vars/hubPreCheck.groovy
new file mode 100644
index 00000000..43f0efef
--- /dev/null
+++ b/ansible_collections/netapp_eseries/santricity/vars/hubPreCheck.groovy
@@ -0,0 +1,8 @@
+def call(Map optional) {
+ if (optional.docker) {
+ echo "Ensuring that Docker is available on the system."
+ sh """
+ docker --version
+ """
+ }
+}
diff --git a/ansible_collections/netapp_eseries/santricity/vars/hubScan.groovy b/ansible_collections/netapp_eseries/santricity/vars/hubScan.groovy
new file mode 100644
index 00000000..ca99cee4
--- /dev/null
+++ b/ansible_collections/netapp_eseries/santricity/vars/hubScan.groovy
@@ -0,0 +1,13 @@
+def call(Map optional = [:], String projectName, String projectVersion) {
+ optional.projectName = projectName
+ optional.projectVersion = projectVersion
+ call(optional)
+}
+
+def call(Map optional) {
+ // Correctly set if the scan is intended for production.
+ // hubScan uses the variable 'staging' (defaulting to true), and hubScanProject uses 'productionScan' (defaulting to false).
+ optional.productionScan = !((boolean) optional.staging)
+
+ hubScanProject(optional)
+}
diff --git a/ansible_collections/netapp_eseries/santricity/vars/hubScanDocker.groovy b/ansible_collections/netapp_eseries/santricity/vars/hubScanDocker.groovy
new file mode 100644
index 00000000..10ced62f
--- /dev/null
+++ b/ansible_collections/netapp_eseries/santricity/vars/hubScanDocker.groovy
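Review bot: In hubScan.groovy, when `staging` is absent from the map `(boolean) optional.staging` is false under Groovy truth, so `productionScan` becomes true and the scan is sent to the production server, the opposite of the "defaulting to true" the comment states. A non-empty string such as `'false'` is also truthy, so a string-typed build parameter would always select staging. Something like `optional.productionScan = optional.containsKey('staging') ? !optional.staging.toString().toBoolean() : false` would match the documented default.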
@@ -0,0 +1,76 @@
+def call(Map optional, String projectName, String projectVersion, String imageDirectory) {
+ optional.projectName = projectName
+ optional.projectVersion = projectVersion
+ optional.imageDirectory = imageDirectory
+ call(optional)
+}
+
+
+def call(Map optional) {
+
+ String projectVersion = optional.projectVersion
+ String projectName = optional.projectName
+ String imageDirectory = optional.imageDirectory
+ String url = "https://blackduck.eng.netapp.com"
+ String credId = 'hubProductionToken'
+
+ if((boolean) optional.staging){
+ url = "https://blackduck-staging.eng.netapp.com"
+ credId = 'hubStagingToken'
+ }
+
+ BLACKDUCK_SKIP_PHONE_HOME = true
+ withCredentials([string(credentialsId: credId, variable: 'TOKEN')]) {
+ String memory = optional.scannerMemoryMb ?: '8192'
+ String logLevel = optional.logLevel ?: 'INFO'
+ String coreCount = optional.coreCount ?: 1
+ String timeoutMinutes = optional.timeout ?: 60
+
+ sh''' wget -qN http://esgweb.eng.netapp.com/~lorenp/synopsys-detect-6.0.0-air-gap.zip -O /tmp/synopsys-detect.zip
+ unzip -u -d /tmp/tools /tmp/synopsys-detect.zip
+ rm -f /tmp/synopsys-detect.zip
+ '''
+
+ // Create the temporary directory for the scan logs
+ def scanTempDir = sh(returnStdout: true, script: "mktemp --directory \"/tmp/synopsys-detect-${projectName}-${projectVersion}-XXXXXXXXXX\"").trim()
+
+ echo "Initiating Hub Scanning Process on every image in ${imageDirectory}"
+ echo "Sending results to ${url}"
+ echo "Using a logLevel of ${logLevel}"
+ echo "Additional parameters: ${optional}"
+ echo "Running with a timeout value of ${timeoutMinutes} minutes"
+
+ // We need to locate all of the images to scan.
+ sh "find ${imageDirectory} -type f -iname '*.tar'> listFiles"
+ def files = readFile( "listFiles" ).split('\n');
+ try {
+ files.each {
+ def fileName = it.split('/')[-1];
+ timeout(time: "${timeoutMinutes}", unit: 'MINUTES') {
+ // Run a single scan for each image we find, using the filename as a scan identifier
+ sh """
+ java -Xms4096m -Xmx8192m -Xss1024m -jar /tmp/tools/synopsys-detect-6.0.0.jar \
+ --blackduck.url=${url} \
+ --detect.blackduck.signature.scanner.memory="${memory}" \
+ --detect.blackduck.signature.scanner.individual.file.matching="ALL" \
+ --blackduck.api.token=${TOKEN} \
+ --detect.docker.tar=${it} \
+ --detect.parallel.processors=${coreCount} \
+ --detect.code.location.name=${projectName}-${projectVersion}-${fileName} \
+ --detect.project.name=${projectName} \
+ --detect.project.version.name=${projectVersion} \
+ --detect.cleanup=false \
+ --blackduck.trust.cert=true \
+ --detect.output.path=${scanTempDir} \
+ --logging.level.com.synopsys.integration="${logLevel}"
+
+ """
+ }
+ }
+ } finally {
+ dir("${scanTempDir}") {
+ deleteDir()
+ }
+ }
+ }
+}
diff --git a/ansible_collections/netapp_eseries/santricity/vars/hubScanProject.groovy b/ansible_collections/netapp_eseries/santricity/vars/hubScanProject.groovy
new file mode 100644
index 00000000..b980d7da
--- /dev/null
+++ b/ansible_collections/netapp_eseries/santricity/vars/hubScanProject.groovy
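Review bot: In hubScanDocker.groovy the `sh """…"""` block expands `--blackduck.api.token=${TOKEN}` through Groovy interpolation, so the secret is written into the generated script and sits on the java command line, where it is visible in the agent's process list; hubScanProject.groovy does the same via `m["--blackduck.api.token"] = TOKEN`. Binding the credential as `variable: 'BLACKDUCK_API_TOKEN'` and dropping the flag should let Detect read it from the environment (worth confirming for the pinned Detect version), or at minimum write `\${TOKEN}` so the shell, not Groovy, expands it. The scanner archive is also fetched with `wget` over plain `http://` into the shared `/tmp/tools` and run with no digest check, and setupSynopsysDetect.groovy has the same download pattern. An https URL plus a pinned `echo "<expected-sha256>  /tmp/synopsys-detect.zip" | sha256sum -c -` before `unzip` would close that. `${imageDirectory}`, `${it}` and the project name and version are spliced unquoted into shell commands and should be shell-quoted.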
@@ -0,0 +1,123 @@
+/**
+ * Initiate a scan of Synopsys Detect. By default the working directory ('./') is scanned and all detectors are enabled.
+ * Java MUST be installed for this to be successful, and it is suggested to scan in a docker container due to the
+ * detector possibly building the project automatically.
+ *
+ * The 'optional' map supports these fields:
+ * - clearPriorScans: false. Clear previous scans (but doesn't delete them) for the associated project and version on the server.
+ * - coreCount: -1. Scanner parallel processors where -1 uses the number of cores on the system.
+ * - disableDetector: false. Disable the synopsys detector; the detector SHOULD be run but it can result in build issues
+ * and can be disabled.
+ * - logLevel: info. Logging level of synopsys.
+ * - productionScan: false. Set this to true to send scan results to the production blackduck server; staging is used by default.
+ * - scanOpts: [:]. A map of additional hub command-line arguments, or overrides, depending on project needs. for example,
+ * users can control the detector search depth with optional.scanOpts["--detect.detector.search.depth"] = "0".
+ * - scannerMemoryMB: 1024.
+ * - timeout: 60. Maximum scan timeout, in minutes, before failing the build.
+ *
+ * Important implementation notes:
+ * - Java must be installed and in the path.
+ * - A temporary directory, scanTempDir, is created at '/tmp/synopsys-detect-<projectName>-<projectVersion>-XXXXXXXX'.
+ * This temporary is DELETED after the scan to avoid excessive storage usage.
+ * - Synopsys Detect Air Gap (600MB+ zip, 1.5GB+ extracted) is generated at '$scanTempDir/synopsys-detect-air-gap/<synopVersion>'.
+ * This path is deleted along with the temp dir after the scan.
+ * - The files in $scanTempDir/runs/** are archived.
+ * - URLs
+ * - https://synopsys.atlassian.net/wiki/spaces/INTDOCS/pages/622673/Synopsys+Detect+Properties
+ * - https://synopsys.atlassian.net/wiki/spaces/INTDOCS/pages/62423113/Synopsys+Detect
+ *
+ * @param optional map of optional arguments
+ * @param projectName the name of the project
+ * @param projectVersion the version of the project
+ */
+def call(Map optional = [:], String projectName, String projectVersion) {
+ optional.projectName = projectName
+ optional.projectVersion = projectVersion
+ optional.scanOpts = (Map) optional.scanOpts ?: [:]
+ call(optional)
+}
+
+def call(Map optional) {
+ String projectVersion = optional.projectVersion
+ String projectName = optional.projectName
+ String synopsysDetectVersion = optional.synopsysDetectVersion ?: "6.3.0"
+ BLACKDUCK_SKIP_PHONE_HOME = true
+
+ String url = "https://blackduck-staging.eng.netapp.com"
+ String credId = 'hubStagingToken'
+
+ // Use the production server if productionScan is explicitly set to true
+ if (new Boolean(optional.productionScan)) {
+ url = "https://blackduck.eng.netapp.com"
+ credId = 'hubProductionToken'
+ }
+
+ withCredentials([string(credentialsId: credId, variable: 'TOKEN')]) {
+ String timeoutMinutes = optional.timeout ?: 60
+
+ // Create the temporary directory for the scan logs and the extracted hub-detect zip
+ def scanTempDir = sh(returnStdout: true, script: "mktemp --directory \"/tmp/synopsys-detect-${projectName}-${projectVersion}-XXXXXXXXXX\"").trim()
+ def synopsysDir = "${scanTempDir}/synopsys-detect-air-gap/${synopsysDetectVersion}"
+ setupSynopsysDetect(synopsysDetectVersion, synopsysDir: synopsysDir)
+
+ echo "Using temporary directory ${scanTempDir}"
+ echo "Sending results to ${url}"
+ echo "Additional parameters: ${optional}"
+ echo "Using timeout of ${timeoutMinutes} minutes"
+
+ Map m = [:]
+ m["--blackduck.trust.cert"] = "true"
+ m["--blackduck.url"] = url
+ m["--blackduck.api.token"] = TOKEN
+ m["--detect.project.name"] = projectName
+ m["--detect.project.version.name"] = projectVersion
+ m["--detect.code.location.name"] = "${projectName}-${projectVersion}"
+ m["--detect.project.codelocation.unmap"] = optional.clearPriorScans ?: "false"
+ m["--detect.blackduck.signature.scanner.memory"] = optional.scannerMemoryMB ?: "1024"
+ m["--detect.parallel.processors"] = optional.coreCount ?: -1
+ m["--detect.cleanup"] = "false"
+ m["--detect.blackduck.signature.scanner.paths"] = optional.scanDir ?: './'
+ m["--detect.output.path"] = scanTempDir
+ m["--logging.level.com.synopsys.integration"] = optional.logLevel ?: "INFO"
+ m["--detect.detector.search.depth"] = "3"
+ m["--detect.sbt.report.depth"] = "3"
+ m["--detect.blackduck.signature.scanner.exclusion.name.patterns"] = "node_modules,.git,.gradle"
+ m["--detect.blackduck.signature.scanner.exclusion.pattern.search.depth"] = "30"
+ m["--detect.docker.inspector.air.gap.path"] = "${synopsysDir}/packaged-inspectors/docker"
+ m["--detect.nuget.inspector.air.gap.path"] = "${synopsysDir}/packaged-inspectors/nuget"
+ m["--detect.gradle.inspector.air.gap.path"] = "${synopsysDir}/packaged-inspectors/gradle"
+ m["--detect.blackduck.signature.scanner.individual.file.matching"] = "ALL"
+
+ if (optional.cloneVersion) {
+ m["--detect.clone.project.version.name"] = optional.cloneVersion
+ }
+ if ((boolean) optional.disableDetector) {
+ m["--detect.tools.excluded"] = "DETECTOR"
+ }
+
+ m.putAll((Map) optional.scanOpts)
+
+ synopsysArgs = m.collectEntries { k, v -> ["$k=$v"] }.keySet().join(" \\\n ")
+ synopsysExec = "java -Xms1024m -Xmx2048m -jar ${synopsysDir}/synopsys-detect-${synopsysDetectVersion}.jar ${synopsysArgs}"
+ echo "The blackduck scan execute command: \n'${synopsysExec}'"
+
+ try {
+ timeout(time: "${timeoutMinutes}", unit: 'MINUTES') {
+ sh """
+ ${synopsysExec}
+ # Delete any existing docker extractions from this scan to avoid excessive storage use.
+ rm -rf ${scanTempDir}/runs/*/extractions || true
+ mv ${scanTempDir}/runs synopsysRuns
+ """
+
+ // NOTE: Archiving works **ONLY** in the build workspace. All artifacts must be copied to the workspace.
+ // Ignore gz to avoid archiving docker images.
+ archiveArtifacts artifacts: "synopsysRuns/**", excludes: "**/*.gz"
+ }
+ } finally {
+ dir("${scanTempDir}") {
+ deleteDir()
+ }
+ }
+ }
+}
diff --git a/ansible_collections/netapp_eseries/santricity/vars/setupBlackduckBuildParameters.groovy b/ansible_collections/netapp_eseries/santricity/vars/setupBlackduckBuildParameters.groovy
new file mode 100644
index 00000000..c2e15a08
--- /dev/null
+++ b/ansible_collections/netapp_eseries/santricity/vars/setupBlackduckBuildParameters.groovy
@@ -0,0 +1,16 @@
+def call(Map options = [:]) {
+ String buildArtifactKeepNum = options.buildArtifactKeepNum ?: '15'
+ String buildKeepNum = options.buildKeepNum ?: '30'
+ // The default cron schedule is one build between 1:xx pm - 4:xx pm on Monday
+ String buildCronSchedule = options.buildCronSchedule ?: 'H H(13-16) * * 1'
+
+ properties([
+ parameters([
+ choice(name: 'logLevel', choices: ['WARN', 'INFO', 'DEBUG', 'TRACE'], description: 'Set the logging level. WARN is the default.')
+ ]),
+ buildDiscarder(
+ logRotator(artifactNumToKeepStr: buildArtifactKeepNum, numToKeepStr: buildKeepNum)
+ ),
+ pipelineTriggers([cron(buildCronSchedule)])
+ ])
+}
diff --git a/ansible_collections/netapp_eseries/santricity/vars/setupBuildParameters.groovy b/ansible_collections/netapp_eseries/santricity/vars/setupBuildParameters.groovy
new file mode 100644
index 00000000..8e049575
--- /dev/null
+++ b/ansible_collections/netapp_eseries/santricity/vars/setupBuildParameters.groovy
@@ -0,0 +1,3 @@
+def call(Map options = [:]) {
+ setupBlackduckBuildParameters(options)
+}
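Review bot: In hubScanProject.groovy, `echo "The blackduck scan execute command: …'${synopsysExec}'"` prints a string that contains the `--blackduck.api.token` entry, so keeping the token out of the build log depends entirely on Jenkins credential masking. Building the echoed text from a copy of `m` without that key would remove the dependency. `m["--blackduck.trust.cert"] = "true"` (also set in hubScanDocker.groovy) makes Detect accept whatever certificate the server presents, which leaves the token unprotected against an intercepting host; importing the internal CA into the agent's Java truststore is the safer route. Separately, `m.putAll((Map) optional.scanOpts)` throws a NullPointerException when `call(Map optional)` is entered without `scanOpts`, which is the path hubScan.groovy takes, because the `?: [:]` default exists only in the three-argument overload; `m.putAll((Map) (optional.scanOpts ?: [:]))` fixes it.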
diff --git a/ansible_collections/netapp_eseries/santricity/vars/setupSynopsysDetect.groovy b/ansible_collections/netapp_eseries/santricity/vars/setupSynopsysDetect.groovy
new file mode 100644
index 00000000..f5eed5c4
--- /dev/null
+++ b/ansible_collections/netapp_eseries/santricity/vars/setupSynopsysDetect.groovy
@@ -0,0 +1,15 @@
+
+def call(Map options = [:], String synopsysDetectVersion) {
+ options.synopsysDir = options.synopsysDir ?: "/tmp/synopsys-detect-air-gap/${synopsysDetectVersion}"
+ if (new File(options.synopsysDir).exists()) {
+ echo "No need to fetch synopsys-${synopsysDetectVersion}, directory exists ${options.synopsysDir}"
+ return
+ }
+
+ sh """
+ wget -qN http://esgweb.eng.netapp.com/~blucas/packages/synopsys-detect-${synopsysDetectVersion}-air-gap.zip -O synopsys-detect.zip
+ mkdir -p ${options.synopsysDir}
+ unzip -q -d ${options.synopsysDir} -u synopsys-detect.zip
+ rm -f synopsys-detect.zip
+ """
+}
|
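Review bot: In setupSynopsysDetect.groovy, `new File(options.synopsysDir).exists()` is evaluated in the Jenkins controller JVM, not on the agent where the `sh` step unpacks the archive, so on a remote agent the check presumably never reflects the directory it is meant to test; `java.io.File` also normally needs script approval under the sandbox. The pipeline step `if (fileExists(options.synopsysDir)) {` checks the agent's filesystem instead. When the directory does exist its contents are reused with no verification, and the default `/tmp/synopsys-detect-air-gap/<version>` is a predictable shared path, so callers relying on the default would run whatever jar is already there with the Black Duck token in scope.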