Diffstat (limited to 'jjb/ci_gate_security')
-rwxr-xr-x | jjb/ci_gate_security/anteater-clone-all-repos.sh | 33 | ||||
-rw-r--r-- | jjb/ci_gate_security/anteater-report-to-gerrit.sh | 25 | ||||
-rw-r--r-- | jjb/ci_gate_security/anteater-security-audit-weekly.sh | 37 | ||||
-rw-r--r-- | jjb/ci_gate_security/anteater-security-audit.sh | 28 | ||||
-rw-r--r-- | jjb/ci_gate_security/opnfv-ci-gate-security.yml | 117 |
5 files changed, 240 insertions, 0 deletions
diff --git a/jjb/ci_gate_security/anteater-clone-all-repos.sh b/jjb/ci_gate_security/anteater-clone-all-repos.sh
new file mode 100755
index 000000000..8a9e73d85
--- /dev/null
+++ b/jjb/ci_gate_security/anteater-clone-all-repos.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+# SPDX-license-identifier: Apache-2.0
+set -o errexit
+set -o pipefail
+set -o nounset
+export PATH=$PATH:/usr/local/bin/
+
+
+#WORKSPACE="$(pwd)"
+
+cd $WORKSPACE
+if [ ! -d "$WORKSPACE/allrepos" ]; then
+ mkdir $WORKSPACE/allrepos
+fi
+
+cd $WORKSPACE/allrepos
+
+declare -a PROJECT_LIST
+EXCLUDE_PROJECTS="All-Projects|All-Users|securedlab"
+
+PROJECT_LIST=($(ssh gerrit.opnfv.org -p 29418 gerrit ls-projects | egrep -v $EXCLUDE_PROJECTS))
+echo "PROJECT_LIST=(${PROJECT_LIST[*]})" > $WORKSPACE/opnfv-projects.sh
+
+for PROJECT in ${PROJECT_LIST[@]}; do
+ echo "> Cloning $PROJECT"
+ if [ ! -d "$PROJECT" ]; then
+ git clone "https://gerrit.opnfv.org/gerrit/$PROJECT.git"
+ else
+ pushd "$PROJECT" > /dev/null
+ git pull -f
+ popd > /dev/null
+ fi
+done
diff --git a/jjb/ci_gate_security/anteater-report-to-gerrit.sh b/jjb/ci_gate_security/anteater-report-to-gerrit.sh
new file mode 100644
index 000000000..fc3018fb4
--- /dev/null
+++ b/jjb/ci_gate_security/anteater-report-to-gerrit.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+# SPDX-license-identifier: Apache-2.0
+set -o pipefail
+export PATH=$PATH:/usr/local/bin/
+EXITSTATUS=0
+
+# This Log should always exist
+if [[ -e securityaudit.log ]] ; then
+ echo -e "\nposting security audit report to gerrit...\n"
+
+ #check if log has errors
+ if grep ERROR securityaudit.log; then
+ EXITSTATUS=1
+ fi
+
+ cat securityaudit.log | awk -F"ERROR - " '{print $2}' > shortlog
+
+ ssh -p 29418 gerrit.opnfv.org \
+ "gerrit review -p $GERRIT_PROJECT \
+ -m \"$(cat shortlog)\" \
+ $GERRIT_PATCHSET_REVISION \
+ --notify NONE"
+
+ exit $EXITSTATUS
+fi
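Review bot: `echo "PROJECT_LIST=(${PROJECT_LIST[*]})" > $WORKSPACE/opnfv-projects.sh` serializes Gerrit project names into a file that anteater-security-audit-weekly.sh later `source`s, so a project name containing shell metacharacters (quotes, `$(`, `;`) would be evaluated as code in the weekly job instead of being treated as data; `declare -p PROJECT_LIST > "$WORKSPACE/opnfv-projects.sh"` writes a properly quoted definition that sources back into the same array. The list itself is built by `PROJECT_LIST=($(ssh … | egrep -v $EXCLUDE_PROJECTS))`, which word-splits and glob-expands the ssh output and uses an unanchored, unquoted pattern, so any project whose name merely contains `securedlab` is dropped as well; `mapfile -t PROJECT_LIST < <(ssh … | grep -Ev "^(${EXCLUDE_PROJECTS})$")` avoids both problems. `cd $WORKSPACE`, `mkdir $WORKSPACE/allrepos` and `for PROJECT in ${PROJECT_LIST[@]}` should be quoted for the same reason, since `nounset` does not protect against a value with spaces.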
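Review bot: The ssh invocation interpolates `$(cat shortlog)` unescaped into the remote command string `"gerrit review … -m \"…\" …"`, and shortlog is derived from the `ERROR - ` lines of securityaudit.log, which echo paths and matched content from the patch under review; a double quote, backslash or `$` in such a line is re-parsed on the Gerrit side and can truncate or alter the review command. Escape backslash, double-quote, dollar and backquote characters in shortlog before interpolating (a single `sed` substitution over those four characters), and verify the result against Gerrit's own command parsing, which differs from bash quoting. Separately, the comment says the log should always exist, yet `exit $EXITSTATUS` sits inside the `if`, so a missing securityaudit.log silently exits 0 and the patch is reported as clean; add an `else` branch that prints a diagnostic to stderr and does `exit 1`. `$GERRIT_PROJECT` and `$GERRIT_PATCHSET_REVISION` are also used without `set -u` or a `: "${VAR:?}"` check, so an unset one produces a malformed review command rather than a clear failure.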
diff --git a/jjb/ci_gate_security/anteater-security-audit-weekly.sh b/jjb/ci_gate_security/anteater-security-audit-weekly.sh
new file mode 100644
index 000000000..436a173bc
--- /dev/null
+++ b/jjb/ci_gate_security/anteater-security-audit-weekly.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+# SPDX-license-identifier: Apache-2.0
+
+echo "--------------------------------------------------------"
+vols="-v $WORKSPACE/allrepos/:/home/opnfv/anteater/allrepos/"
+echo "Pulling releng-anteater docker image"
+echo "--------------------------------------------------------"
+docker pull opnfv/releng-anteater
+echo "--------------------------------------------------------"
+cmd="docker run -id $vols opnfv/releng-anteater /bin/bash"
+echo "Running docker command $cmd"
+container_id=$($cmd)
+echo "Container ID is $container_id"
+source $WORKSPACE/opnfv-projects.sh
+for project in "${PROJECT_LIST[@]}"
+
+do
+ cmd="anteater --project testproj --path /home/opnfv/anteater/allrepos/$project"
+ echo "Executing command inside container"
+ echo "$cmd"
+ echo "--------------------------------------------------------"
+ docker exec $container_id $cmd > $WORKSPACE/"$project".securityaudit.log 2>&1
+done
+
+exit_code=$?
+echo "--------------------------------------------------------"
+echo "Stopping docker container with ID $container_id"
+docker stop $container_id
+
+
+#gsutil cp $WORKSPACE/securityaudit.log \
+# gs://$GS_URL/$PROJECT-securityaudit-weekly.log 2>&1
+#
+#gsutil -m setmeta \
+# -h "Content-Type:text/html" \
+# -h "Cache-Control:private, max-age=0, no-transform" \
+# gs://$GS_URL/$PROJECT-securityaudit-weekly.log > /dev/null 2>&1
diff --git a/jjb/ci_gate_security/anteater-security-audit.sh b/jjb/ci_gate_security/anteater-security-audit.sh
new file mode 100644
index 000000000..2b5c26a5a
--- /dev/null
+++ b/jjb/ci_gate_security/anteater-security-audit.sh
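Review bot: `exit_code=$?` after `done` only holds the status of the loop construct, not of any `docker exec`, and it is never read, so a scanner failure for one project leaves a partial or empty `$project.securityaudit.log` with no signal to the job; initialize `exit_code=0` before the loop, record failures with `docker exec "$container_id" $cmd > "$WORKSPACE/$project.securityaudit.log" 2>&1 || exit_code=$?`, and finish with `exit "$exit_code"` after the container is stopped. The container started by `docker run -id … /bin/bash` is stopped but never removed, so each weekly run leaves a stopped container on the slave; `docker rm -f "$container_id"` in place of `docker stop` cleans it up. `source $WORKSPACE/opnfv-projects.sh` executes a file generated by the clone step, so this script's safety rests on that file containing nothing but a quoted array definition, which is worth a comment here. `--project testproj` also looks like a leftover placeholder where `$project` was presumably intended.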
@@ -0,0 +1,28 @@
+#!/bin/bash
+cd $WORKSPACE
+echo "Generating patchset file to list changed files"
+git diff HEAD^1 --name-only | sed "s#^#/home/opnfv/anteater/$PROJECT/#" > $WORKSPACE/patchset
+echo "Changed files are"
+echo "--------------------------------------------------------"
+cat $WORKSPACE/patchset
+echo "--------------------------------------------------------"
+
+vols="-v $WORKSPACE:/home/opnfv/anteater/$PROJECT"
+envs="-e PROJECT=$PROJECT"
+
+echo "Pulling releng-anteater docker image"
+echo "--------------------------------------------------------"
+docker pull opnfv/releng-anteater
+echo "--------------------------------------------------------"
+
+cmd="docker run -i $envs $vols --rm opnfv/releng-anteater \
+anteater --project $PROJECT --patchset /home/opnfv/anteater/$PROJECT/patchset"
+echo "Running docker container"
+echo "$cmd"
+$cmd > $WORKSPACE/securityaudit.log 2>&1
+exit_code=$?
+echo "--------------------------------------------------------"
+echo "Docker container exited with code: $exit_code"
+echo "--------------------------------------------------------"
+cat securityaudit.log
+exit 0
diff --git a/jjb/ci_gate_security/opnfv-ci-gate-security.yml b/jjb/ci_gate_security/opnfv-ci-gate-security.yml
new file mode 100644
index 000000000..719035214
--- /dev/null
+++ b/jjb/ci_gate_security/opnfv-ci-gate-security.yml
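Review bot: `cd $WORKSPACE` on the second line is unchecked and the script sets no `-e`, so if the workspace is missing or the variable is unset, the `git diff` and the volume mount operate on whatever the slave's current directory is; use `cd "$WORKSPACE" || exit 1` and quote `$WORKSPACE` and `$PROJECT` in the `sed`, `vols=` and redirect lines. The whole workspace is mounted read-write into the container via `vols="-v $WORKSPACE:/home/opnfv/anteater/$PROJECT"`, while as far as these lines show the scanner only reads the checkout and the generated patchset file and the log is written by the host-side redirect, so a `:ro` suffix on the mount would give the container the least privilege it needs over the checkout. The unconditional `exit 0` at the end discards `$exit_code`; if that is deliberate so that the following report-security-audit-result-to-gerrit builder still runs, a one-line comment such as `# always exit 0 here; anteater-report-to-gerrit.sh decides the job result` would keep the next maintainer from "fixing" it.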
@@ -0,0 +1,117 @@
+# SPDX-license-identifier: Apache-2.0
+########################
+# Job configuration for opnfv-anteater (security audit)
+########################
+- project:
+
+ name: anteaterfw
+
+ project: anteaterfw
+
+ jobs:
+ - 'opnfv-security-audit-verify-{stream}'
+ - 'opnfv-security-audit-weekly-{stream}'
+
+ stream:
+ - master:
+ branch: '{stream}'
+ gs-pathname: ''
+ disabled: false
+
+########################
+# job templates
+########################
+- job-template:
+ name: 'opnfv-security-audit-weekly-{stream}'
+
+ disabled: '{obj:disabled}'
+
+ parameters:
+ - label:
+ name: SLAVE_LABEL
+ default: 'ericsson-build3'
+ description: 'Slave label on Jenkins'
+ - project-parameter:
+ project: releng
+ branch: '{branch}'
+
+ triggers:
+ - timed: '@weekly'
+
+ builders:
+ - anteater-security-audit-weekly
+
+- job-template:
+ name: 'opnfv-security-audit-verify-{stream}'
+
+ disabled: '{obj:disabled}'
+
+ parameters:
+ - label:
+ name: SLAVE_LABEL
+ default: 'ericsson-build3'
+ description: 'Slave label on Jenkins'
+ - project-parameter:
+ project: $GERRIT_PROJECT
+ branch: '{branch}'
+ - string:
+ name: GIT_BASE
+ default: https://gerrit.opnfv.org/gerrit/$PROJECT
+ description: "Used for overriding the GIT URL coming from Global Jenkins configuration in case if the stuff is done on none-LF HW."
+
+ scm:
+ - git-scm-gerrit
+
+ triggers:
+ - gerrit:
+ server-name: 'gerrit.opnfv.org'
+ trigger-on:
+ - patchset-created-event:
+ exclude-drafts: 'false'
+ exclude-trivial-rebase: 'false'
+ exclude-no-code-change: 'false'
+ - draft-published-event
+ - comment-added-contains-event:
+ comment-contains-value: 'recheck'
+ - comment-added-contains-event:
+ comment-contains-value: 'reverify'
+ projects:
+ - project-compare-type: 'REG_EXP'
+ project-pattern: 'sandbox|releng'
+ branches:
+ - branch-compare-type: 'ANT'
+ branch-pattern: '**/{branch}'
+ file-paths:
+ - compare-type: ANT
+ pattern: '**'
+ skip-vote:
+ successful: true
+ failed: true
+ unstable: true
+ notbuilt: true
+
+ builders:
+ - anteater-security-audit
+ - report-security-audit-result-to-gerrit
+########################
+# builder macros
+########################
+- builder:
+ name: anteater-security-audit
+ builders:
+ - shell:
+ !include-raw: ./anteater-security-audit.sh
+
+- builder:
+ name: report-security-audit-result-to-gerrit
+ builders:
+ - shell:
+ !include-raw: ./anteater-report-to-gerrit.sh
+
+- builder:
+ name: anteater-security-audit-weekly
+ builders:
+ - shell:
+ !include-raw:
+ - ./anteater-clone-all-repos.sh
+ - ./anteater-security-audit-weekly.sh |
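Review bot: The `anteater-security-audit-weekly` builder macro at the end of the file hands a two-file list to `!include-raw`, which JJB concatenates into a single shell step, so the weekly script would run under the `set -o errexit` and `nounset` that anteater-clone-all-repos.sh enables; if that inference is right, the first failing `docker exec` in the weekly loop aborts the step before `docker stop` is reached and its `exit_code` handling never runs. Either declare the two scripts as two separate `- shell:` entries under `builders:` or have the weekly script set its own shell options explicitly. In the verify template, `skip-vote` is true for every outcome, so the job never affects the Verified label and the only enforcement is the review comment posted by the report script; that is worth stating in the `# job templates` comment, since `project-pattern: 'sandbox|releng'` suggests a pilot rollout whose scope will later widen. `project: $GERRIT_PROJECT` in the verify job's project-parameter also relies on the Gerrit trigger populating that variable, so a manually started build would presumably get an empty project.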