Add weekly job for security scan

Added license headers
remove errexit from report to gerrit
run as --user nobody

Change-Id: I4b65dbae1f255015877766a0afa44e9b9898651c
Signed-off-by: Aric Gardner <agardner@linuxfoundation.org>
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>

4 files changed, 115 insertions, 14 deletions

diff --git a/jjb/ci_gate_security/anteater-clone-all-repos.sh b/jjb/ci_gate_security/anteater-clone-all-repos.sh
new file mode 100755
index 000000000..8a9e73d85
--- /dev/null
+++ b/jjb/ci_gate_security/anteater-clone-all-repos.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+# SPDX-license-identifier: Apache-2.0
+set -o errexit
+set -o pipefail
+set -o nounset
+export PATH=$PATH:/usr/local/bin/
+
+
+#WORKSPACE="$(pwd)"
+
+cd $WORKSPACE
+if [ ! -d "$WORKSPACE/allrepos" ]; then
+  mkdir $WORKSPACE/allrepos
+fi
+
+cd $WORKSPACE/allrepos
+
+declare -a PROJECT_LIST
+EXCLUDE_PROJECTS="All-Projects|All-Users|securedlab"
+
+PROJECT_LIST=($(ssh gerrit.opnfv.org -p 29418 gerrit ls-projects | egrep -v $EXCLUDE_PROJECTS))
+echo "PROJECT_LIST=(${PROJECT_LIST[*]})" > $WORKSPACE/opnfv-projects.sh
+
+for PROJECT in ${PROJECT_LIST[@]}; do
+  echo "> Cloning $PROJECT"
+  if [ ! -d "$PROJECT" ]; then
+    git clone "https://gerrit.opnfv.org/gerrit/$PROJECT.git"
+  else
+    pushd "$PROJECT" > /dev/null
+    git pull -f
+    popd > /dev/null
+  fi
+done
diff --git a/jjb/ci_gate_security/anteater-report-to-gerrit.sh b/jjb/ci_gate_security/anteater-report-to-gerrit.sh
index c0bf9fa5b..fc3018fb4 100644
--- a/jjb/ci_gate_security/anteater-report-to-gerrit.sh
+++ b/jjb/ci_gate_security/anteater-report-to-gerrit.sh
@@ -1,24 +1,25 @@
 #!/bin/bash
-set -o errexit
+# SPDX-license-identifier: Apache-2.0
 set -o pipefail
 export PATH=$PATH:/usr/local/bin/
 EXITSTATUS=0
 
-# If no violations were found, no lint log will exist.
+# This Log should always exist
 if [[ -e securityaudit.log ]] ; then
     echo -e "\nposting security audit report to gerrit...\n"
 
-if grep ERROR securityaudit.log; then 
-EXITSTATUS=1
-fi
-
-    cat securityaudit.log  | awk -F"ERROR -\ " '{print $2}' > shortlog
-
+    #check if log has errors
+    if grep ERROR securityaudit.log; then
+        EXITSTATUS=1
+    fi
+    
+    cat securityaudit.log  | awk -F"ERROR - " '{print $2}' > shortlog
+    
     ssh -p 29418 gerrit.opnfv.org \
         "gerrit review -p $GERRIT_PROJECT \
-         -m \"$(cat shortlog)\" \
-         $GERRIT_PATCHSET_REVISION \
-         --notify NONE"
-
+        -m \"$(cat shortlog)\" \
+        $GERRIT_PATCHSET_REVISION \
+        --notify NONE"
+    
     exit $EXITSTATUS
 fi
diff --git a/jjb/ci_gate_security/anteater-security-audit-weekly.sh b/jjb/ci_gate_security/anteater-security-audit-weekly.sh
new file mode 100644
index 000000000..99f2820ec
--- /dev/null
+++ b/jjb/ci_gate_security/anteater-security-audit-weekly.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+# SPDX-license-identifier: Apache-2.0
+
+echo "--------------------------------------------------------"
+vols="-v $WORKSPACE/allrepos/:/home/opnfv/anteater/allrepos/"
+echo "Pulling releng-anteater docker image"
+echo "--------------------------------------------------------"
+docker pull opnfv/releng-anteater
+echo "--------------------------------------------------------"
+cmd="docker run --user nobody -id $vols opnfv/releng-anteater /bin/bash"
+echo "Running docker command $cmd"
+container_id=$($cmd)
+echo "Container ID is $container_id"
+source $WORKSPACE/opnfv-projects.sh
+for project in "${PROJECT_LIST[@]}"
+
+do
+  cmd="anteater --project testproj --path /home/opnfv/anteater/allrepos/$project"
+  echo "Executing command inside container"
+  echo "$cmd"
+  echo "--------------------------------------------------------"
+  docker exec $container_id $cmd > $WORKSPACE/"$project".securityaudit.log 2>&1
+done
+
+exit_code=$?
+echo "--------------------------------------------------------"
+echo "Stopping docker container with ID $container_id"
+docker stop $container_id
+
+
+#gsutil cp $WORKSPACE/securityaudit.log \
+#    gs://$GS_URL/$PROJECT-securityaudit-weekly.log 2>&1
+#
+#gsutil -m setmeta \
+#    -h "Content-Type:text/html" \
+#    -h "Cache-Control:private, max-age=0, no-transform" \
+#    gs://$GS_URL/$PROJECT-securityaudit-weekly.log > /dev/null 2>&1
diff --git a/jjb/ci_gate_security/opnfv-ci-gate-security.yml b/jjb/ci_gate_security/opnfv-ci-gate-security.yml
index 2270124e7..2cbb5cd99 100644
--- a/jjb/ci_gate_security/opnfv-ci-gate-security.yml
+++ b/jjb/ci_gate_security/opnfv-ci-gate-security.yml
@@ -1,5 +1,6 @@
+# SPDX-license-identifier: Apache-2.0
 ########################
-# Job configuration for opnfv-lint
+# Job configuration for opnfv-anteater (security audit)
 ########################
 - project:
 
@@ -9,6 +10,7 @@
 
     jobs:
         - 'opnfv-security-audit-verify-{stream}'
+        - 'opnfv-security-audit-weekly-{stream}'
 
     stream:
         - master:
@@ -20,6 +22,26 @@
 # job templates
 ########################
 - job-template:
+    name: 'opnfv-security-audit-weekly-{stream}'
+
+    disabled: '{obj:disabled}'
+
+    parameters:
+        - label:
+            name: SLAVE_LABEL
+            default: 'ericsson-build3'
+            description: 'Slave label on Jenkins'
+        - project-parameter:
+            project: releng
+            branch: '{branch}'
+
+    triggers:
+        - timed: '0 H/6 * * *'
+
+    builders:
+        - anteater-security-audit-weekly
+
+- job-template:
     name: 'opnfv-security-audit-verify-{stream}'
 
     disabled: '{obj:disabled}'
@@ -55,7 +77,7 @@
                     comment-contains-value: 'reverify'
             projects:
               - project-compare-type: 'REG_EXP'
-                project-pattern: 'sandbox'
+                project-pattern: 'sandbox|releng'
                 branches:
                   - branch-compare-type: 'ANT'
                     branch-pattern: '**/{branch}'
@@ -85,3 +107,11 @@
     builders:
         - shell:
             !include-raw: ./anteater-report-to-gerrit.sh
+
+- builder:
+    name: anteater-security-audit-weekly
+    builders:
+        - shell:
+            !include-raw:
+                - ./anteater-clone-all-repos.sh
+                - ./anteater-security-audit-weekly.sh