diff options
Diffstat (limited to 'jjb/ci_gate_security')
-rwxr-xr-x | jjb/ci_gate_security/anteater-clone-all-repos.sh | 33 | ||||
-rw-r--r-- | jjb/ci_gate_security/anteater-report-to-gerrit.sh | 10 | ||||
-rw-r--r-- | jjb/ci_gate_security/anteater-security-audit-weekly.sh | 37 | ||||
-rw-r--r-- | jjb/ci_gate_security/anteater-security-audit.sh | 20 | ||||
-rw-r--r-- | jjb/ci_gate_security/opnfv-ci-gate-security.yml | 37 |
5 files changed, 120 insertions, 17 deletions
diff --git a/jjb/ci_gate_security/anteater-clone-all-repos.sh b/jjb/ci_gate_security/anteater-clone-all-repos.sh new file mode 100755 index 000000000..8a9e73d85 --- /dev/null +++ b/jjb/ci_gate_security/anteater-clone-all-repos.sh @@ -0,0 +1,33 @@ +#!/bin/bash +# SPDX-license-identifier: Apache-2.0 +set -o errexit +set -o pipefail +set -o nounset +export PATH=$PATH:/usr/local/bin/ + + +#WORKSPACE="$(pwd)" + +cd $WORKSPACE +if [ ! -d "$WORKSPACE/allrepos" ]; then + mkdir $WORKSPACE/allrepos +fi + +cd $WORKSPACE/allrepos + +declare -a PROJECT_LIST +EXCLUDE_PROJECTS="All-Projects|All-Users|securedlab" + +PROJECT_LIST=($(ssh gerrit.opnfv.org -p 29418 gerrit ls-projects | egrep -v $EXCLUDE_PROJECTS)) +echo "PROJECT_LIST=(${PROJECT_LIST[*]})" > $WORKSPACE/opnfv-projects.sh + +for PROJECT in ${PROJECT_LIST[@]}; do + echo "> Cloning $PROJECT" + if [ ! -d "$PROJECT" ]; then + git clone "https://gerrit.opnfv.org/gerrit/$PROJECT.git" + else + pushd "$PROJECT" > /dev/null + git pull -f + popd > /dev/null + fi +done diff --git a/jjb/ci_gate_security/anteater-report-to-gerrit.sh b/jjb/ci_gate_security/anteater-report-to-gerrit.sh index 71c5a0679..00a78ceba 100644 --- a/jjb/ci_gate_security/anteater-report-to-gerrit.sh +++ b/jjb/ci_gate_security/anteater-report-to-gerrit.sh @@ -1,5 +1,5 @@ #!/bin/bash -set -o errexit +# SPDX-license-identifier: Apache-2.0 set -o pipefail export PATH=$PATH:/usr/local/bin/ EXITSTATUS=0 @@ -12,14 +12,14 @@ if [[ -e securityaudit.log ]] ; then if grep ERROR securityaudit.log; then EXITSTATUS=1 fi - - cat securityaudit.log | awk -F"ERROR - " '{print $2}' > shortlog - + + cat securityaudit.log | awk -F"ERROR - " '{print $2}' | sed -e "s/\"/\\\\\"/g;s/\'/\\\\\'/g"> shortlog + ssh -p 29418 gerrit.opnfv.org \ "gerrit review -p $GERRIT_PROJECT \ -m \"$(cat shortlog)\" \ $GERRIT_PATCHSET_REVISION \ --notify NONE" - + exit $EXITSTATUS fi diff --git a/jjb/ci_gate_security/anteater-security-audit-weekly.sh b/jjb/ci_gate_security/anteater-security-audit-weekly.sh new file mode 100644 index 000000000..11909636a --- /dev/null +++ b/jjb/ci_gate_security/anteater-security-audit-weekly.sh @@ -0,0 +1,37 @@ +#!/bin/bash +# SPDX-license-identifier: Apache-2.0 + +echo "--------------------------------------------------------" +vols="-v $WORKSPACE/allrepos/:/home/opnfv/anteater/allrepos/" +echo "Pulling releng-anteater docker image" +echo "--------------------------------------------------------" +docker pull opnfv/releng-anteater +echo "--------------------------------------------------------" +cmd="docker run -id $vols opnfv/releng-anteater /bin/bash" +echo "Running docker command $cmd" +container_id=$($cmd) +echo "Container ID is $container_id" +source $WORKSPACE/opnfv-projects.sh +for project in "${PROJECT_LIST[@]}" + +do + cmd="/home/opnfv/venv/bin/anteater --project testproj --path /home/opnfv/anteater/allrepos/$project" + echo "Executing command inside container" + echo "$cmd" + echo "--------------------------------------------------------" + docker exec $container_id $cmd > $WORKSPACE/"$project".securityaudit.log 2>&1 +done + +exit_code=$? +echo "--------------------------------------------------------" +echo "Stopping docker container with ID $container_id" +docker stop $container_id + + +#gsutil cp $WORKSPACE/securityaudit.log \ +# gs://$GS_URL/$PROJECT-securityaudit-weekly.log 2>&1 +# +#gsutil -m setmeta \ +# -h "Content-Type:text/html" \ +# -h "Cache-Control:private, max-age=0, no-transform" \ +# gs://$GS_URL/$PROJECT-securityaudit-weekly.log > /dev/null 2>&1 diff --git a/jjb/ci_gate_security/anteater-security-audit.sh b/jjb/ci_gate_security/anteater-security-audit.sh index d5c0e407c..35f9354e0 100644 --- a/jjb/ci_gate_security/anteater-security-audit.sh +++ b/jjb/ci_gate_security/anteater-security-audit.sh @@ -1,5 +1,7 @@ #!/bin/bash cd $WORKSPACE +REPORTDIR='.reports' +mkdir -p $REPORTDIR echo "Generating patchset file to list changed files" git diff HEAD^1 --name-only | sed "s#^#/home/opnfv/anteater/$PROJECT/#" > $WORKSPACE/patchset echo "Changed files are" @@ -7,7 +9,7 @@ echo "--------------------------------------------------------" cat $WORKSPACE/patchset echo "--------------------------------------------------------" -vols="-v $WORKSPACE:/home/opnfv/anteater/$PROJECT" +vols="-v $WORKSPACE:/home/opnfv/anteater/$PROJECT -v $WORKSPACE/$REPORTDIR:/home/opnfv/anteater/$REPORTDIR" envs="-e PROJECT=$PROJECT" echo "Pulling releng-anteater docker image" @@ -15,18 +17,14 @@ echo "--------------------------------------------------------" docker pull opnfv/releng-anteater echo "--------------------------------------------------------" -cmd="sudo docker run --privileged=true -id $envs $vols opnfv/releng-anteater /bin/bash" -echo "Running docker command $cmd" -container_id=$($cmd) -echo "Container ID is $container_id" -cmd="anteater --project $PROJECT --patchset /home/opnfv/anteater/$PROJECT/patchset" -echo "Executing command inside container" +cmd="docker run -i $envs $vols --rm opnfv/releng-anteater \ +/home/opnfv/venv/bin/anteater --project $PROJECT --patchset /home/opnfv/anteater/$PROJECT/patchset" +echo "Running docker container" echo "$cmd" -echo "--------------------------------------------------------" -docker exec $container_id $cmd > $WORKSPACE/securityaudit.log 2>&1 +$cmd > $WORKSPACE/securityaudit.log 2>&1 exit_code=$? echo "--------------------------------------------------------" -echo "Stopping docker container with ID $container_id" -docker stop $container_id +echo "Docker container exited with code: $exit_code" +echo "--------------------------------------------------------" cat securityaudit.log exit 0 diff --git a/jjb/ci_gate_security/opnfv-ci-gate-security.yml b/jjb/ci_gate_security/opnfv-ci-gate-security.yml index e2ad03eae..55d629cb4 100644 --- a/jjb/ci_gate_security/opnfv-ci-gate-security.yml +++ b/jjb/ci_gate_security/opnfv-ci-gate-security.yml @@ -1,3 +1,4 @@ +# SPDX-license-identifier: Apache-2.0 ######################## # Job configuration for opnfv-anteater (security audit) ######################## @@ -9,6 +10,7 @@ jobs: - 'opnfv-security-audit-verify-{stream}' + - 'opnfv-security-audit-weekly-{stream}' stream: - master: @@ -20,6 +22,26 @@ # job templates ######################## - job-template: + name: 'opnfv-security-audit-weekly-{stream}' + + disabled: '{obj:disabled}' + + parameters: + - label: + name: SLAVE_LABEL + default: 'ericsson-build3' + description: 'Slave label on Jenkins' + - project-parameter: + project: releng + branch: '{branch}' + + triggers: + - timed: '@weekly' + + builders: + - anteater-security-audit-weekly + +- job-template: name: 'opnfv-security-audit-verify-{stream}' disabled: '{obj:disabled}' @@ -55,7 +77,7 @@ comment-contains-value: 'reverify' projects: - project-compare-type: 'REG_EXP' - project-pattern: 'sandbox|releng' + project-pattern: 'apex|armband|bamboo|barometer|bottlenecks|calipso|compass4nfv|conductor|cooper|cperf|daisy|doctor|dovetail|dpacc|enfv|escalator|fds|functest|octopus|pharos|releng|sandbox|yardstick' branches: - branch-compare-type: 'ANT' branch-pattern: '**/{branch}' @@ -71,6 +93,10 @@ builders: - anteater-security-audit - report-security-audit-result-to-gerrit + publishers: + - archive-artifacts: + artifacts: ".reports/*" + ######################## # builder macros ######################## @@ -85,3 +111,12 @@ builders: - shell: !include-raw: ./anteater-report-to-gerrit.sh + +- builder: + name: anteater-security-audit-weekly + builders: + - shell: + !include-raw: + - ./anteater-clone-all-repos.sh + - ./anteater-security-audit-weekly.sh + |