summaryrefslogtreecommitdiffstats
path: root/jjb/ci_gate_security
diff options
context:
space:
mode:
authorAric Gardner <agardner@linuxfoundation.org>2017-06-19 19:00:08 +0000
committerGerrit Code Review <gerrit@opnfv.org>2017-06-19 19:00:08 +0000
commitb9492a0eaac9838fdfb6b070bcec328387881129 (patch)
treea68380ff05ceeb6ed25ee570cf403cb8783b7be5 /jjb/ci_gate_security
parent46b716130c196dabb4b90fd021cfbcda28b468f4 (diff)
parent075027d9f92966e2e688db3d31529fabee6f3dec (diff)
Merge "Add weekly job for security scan"
Diffstat (limited to 'jjb/ci_gate_security')
-rwxr-xr-xjjb/ci_gate_security/anteater-clone-all-repos.sh33
-rw-r--r--jjb/ci_gate_security/anteater-report-to-gerrit.sh2
-rw-r--r--jjb/ci_gate_security/anteater-security-audit-weekly.sh37
-rw-r--r--jjb/ci_gate_security/opnfv-ci-gate-security.yml30
4 files changed, 101 insertions, 1 deletions
diff --git a/jjb/ci_gate_security/anteater-clone-all-repos.sh b/jjb/ci_gate_security/anteater-clone-all-repos.sh
new file mode 100755
index 000000000..8a9e73d85
--- /dev/null
+++ b/jjb/ci_gate_security/anteater-clone-all-repos.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+# SPDX-license-identifier: Apache-2.0
+set -o errexit
+set -o pipefail
+set -o nounset
+export PATH=$PATH:/usr/local/bin/
+
+
+#WORKSPACE="$(pwd)"
+
+cd $WORKSPACE
+if [ ! -d "$WORKSPACE/allrepos" ]; then
+ mkdir $WORKSPACE/allrepos
+fi
+
+cd $WORKSPACE/allrepos
+
+declare -a PROJECT_LIST
+EXCLUDE_PROJECTS="All-Projects|All-Users|securedlab"
+
+PROJECT_LIST=($(ssh gerrit.opnfv.org -p 29418 gerrit ls-projects | egrep -v $EXCLUDE_PROJECTS))
+echo "PROJECT_LIST=(${PROJECT_LIST[*]})" > $WORKSPACE/opnfv-projects.sh
+
+for PROJECT in ${PROJECT_LIST[@]}; do
+ echo "> Cloning $PROJECT"
+ if [ ! -d "$PROJECT" ]; then
+ git clone "https://gerrit.opnfv.org/gerrit/$PROJECT.git"
+ else
+ pushd "$PROJECT" > /dev/null
+ git pull -f
+ popd > /dev/null
+ fi
+done
diff --git a/jjb/ci_gate_security/anteater-report-to-gerrit.sh b/jjb/ci_gate_security/anteater-report-to-gerrit.sh
index 71c5a0679..fc3018fb4 100644
--- a/jjb/ci_gate_security/anteater-report-to-gerrit.sh
+++ b/jjb/ci_gate_security/anteater-report-to-gerrit.sh
@@ -1,5 +1,5 @@
#!/bin/bash
-set -o errexit
+# SPDX-license-identifier: Apache-2.0
set -o pipefail
export PATH=$PATH:/usr/local/bin/
EXITSTATUS=0
diff --git a/jjb/ci_gate_security/anteater-security-audit-weekly.sh b/jjb/ci_gate_security/anteater-security-audit-weekly.sh
new file mode 100644
index 000000000..99f2820ec
--- /dev/null
+++ b/jjb/ci_gate_security/anteater-security-audit-weekly.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+# SPDX-license-identifier: Apache-2.0
+
+echo "--------------------------------------------------------"
+vols="-v $WORKSPACE/allrepos/:/home/opnfv/anteater/allrepos/"
+echo "Pulling releng-anteater docker image"
+echo "--------------------------------------------------------"
+docker pull opnfv/releng-anteater
+echo "--------------------------------------------------------"
+cmd="docker run --user nobody -id $vols opnfv/releng-anteater /bin/bash"
+echo "Running docker command $cmd"
+container_id=$($cmd)
+echo "Container ID is $container_id"
+source $WORKSPACE/opnfv-projects.sh
+for project in "${PROJECT_LIST[@]}"
+
+do
+ cmd="anteater --project testproj --path /home/opnfv/anteater/allrepos/$project"
+ echo "Executing command inside container"
+ echo "$cmd"
+ echo "--------------------------------------------------------"
+ docker exec $container_id $cmd > $WORKSPACE/"$project".securityaudit.log 2>&1
+done
+
+exit_code=$?
+echo "--------------------------------------------------------"
+echo "Stopping docker container with ID $container_id"
+docker stop $container_id
+
+
+#gsutil cp $WORKSPACE/securityaudit.log \
+# gs://$GS_URL/$PROJECT-securityaudit-weekly.log 2>&1
+#
+#gsutil -m setmeta \
+# -h "Content-Type:text/html" \
+# -h "Cache-Control:private, max-age=0, no-transform" \
+# gs://$GS_URL/$PROJECT-securityaudit-weekly.log > /dev/null 2>&1
diff --git a/jjb/ci_gate_security/opnfv-ci-gate-security.yml b/jjb/ci_gate_security/opnfv-ci-gate-security.yml
index e2ad03eae..2cbb5cd99 100644
--- a/jjb/ci_gate_security/opnfv-ci-gate-security.yml
+++ b/jjb/ci_gate_security/opnfv-ci-gate-security.yml
@@ -1,3 +1,4 @@
+# SPDX-license-identifier: Apache-2.0
########################
# Job configuration for opnfv-anteater (security audit)
########################
@@ -9,6 +10,7 @@
jobs:
- 'opnfv-security-audit-verify-{stream}'
+ - 'opnfv-security-audit-weekly-{stream}'
stream:
- master:
@@ -20,6 +22,26 @@
# job templates
########################
- job-template:
+ name: 'opnfv-security-audit-weekly-{stream}'
+
+ disabled: '{obj:disabled}'
+
+ parameters:
+ - label:
+ name: SLAVE_LABEL
+ default: 'ericsson-build3'
+ description: 'Slave label on Jenkins'
+ - project-parameter:
+ project: releng
+ branch: '{branch}'
+
+ triggers:
+ - timed: '0 H/6 * * *'
+
+ builders:
+ - anteater-security-audit-weekly
+
+- job-template:
name: 'opnfv-security-audit-verify-{stream}'
disabled: '{obj:disabled}'
@@ -85,3 +107,11 @@
builders:
- shell:
!include-raw: ./anteater-report-to-gerrit.sh
+
+- builder:
+ name: anteater-security-audit-weekly
+ builders:
+ - shell:
+ !include-raw:
+ - ./anteater-clone-all-repos.sh
+ - ./anteater-security-audit-weekly.sh