Age | Commit message | Author | Files | Lines |
|
Security scanning always fails due to falsy rules (e.g. wget in
Dockerfile) which have never been updated.
It avoids falsy failures in Functest gate jobs.
Change-Id: Ie7d82c6117733bdd02f0d5bc9dcd6d4974830049
Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
|
|
Issue-ID: COPPER-37, COPPER-38, COPPER-40
Copper was terminated so removing build files and refs to the
copper project. A ticket has been submitted to the OPNFV
Helpdesk to make the Copper repo read-only.
Change-Id: I9b9ec88abd5c2ade816fc588c5549af0c6b6ee13
Signed-off-by: Aimee Ukasick <aimeeu.opensource@gmail.com>
|
|
Instead of running these specifically on ericsson-build3, we target them
to run on any of the build servers since the job just runs a docker
container.
Change-Id: Ia05adb20bcb84a0a2a187c81ef25b9dcbc99e020
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
|
|
A change to the NodeLabelParameter config in JJB caused any jobs using
the plugin to possibly have their jobs triggered on builders which
weren't online.
This in turn caused the queue to back up and newer jobs are blocked
waiting for older ones to complete, which never happens as they're never
queued on an online builder.
The 'all-nodes' parameter ensures jobs that are set to run concurrently
don't trigger across all available nodes at once, as this will include
offline nodes as well. As this is the default of the plugin, projects
which need it can enable it individually.
Change-Id: Ia690eef078209b6b056dad85613dda6868b18271
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
|
|
This is temporary, using reverify does not work in global-jjb
for now remove surrounding jobs so that users don't think it's working.
I've been told we can add reverify into global-jjb
after that is done, I will re-add these.
Change-Id: I533ff7c15d55d2630504ca18416583c167228c0d
Signed-off-by: Aric Gardner <agardner@linuxfoundation.org>
|
|
global-jjb only supports the .yaml file ending for jjb jobs. Instead of
waiting for a release we're going to rename the files.
Change-Id: Icf3339eacd2320c583333e02250998cf6b1881f7
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
|
|
Removing archived projects from jjb
These projects don't need any jobs associated with them
escalator
fastpathmetrics
inspector
lsoapi
movie
multisite
octopus
openretriever
prediction
Change-Id: Ibbe49e54ed326f502157c7892022b7a62173b72d
Signed-off-by: agardner <agardner@linuxfoundation.org>
|
|
GERRIT_REFSPEC is always passed by the gerrit-trigger plugin when a job
is triggered by Gerrit. Because it is not explicitly defined, there is no
way to manually trigger jobs, as the git clone looks up the list of refs
by GERRIT_REFSPEC.
Being able to manually trigger jobs (with node parameters so they can be
restricted) is very helpful in debugging CI issues.
Change-Id: I8a1d9ea380902fc95f30482e5acb616347709ab1
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
|
|
'copper' was incorrectly listed as 'cooper' in the gerrit trigger for
the security scanning job. Fixing this will ensure patchsets against
copper are scanned.
Change-Id: Ie32148647638612b0da2d810c50dd5c0ea078844
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
|
|
The workspace is cleaned immediately after anteater is run. This removes
the securityaudit.log which the emails to PTLs should contain.
Change-Id: I0afa4c69035e411aebe7cfea625ebafe5796d236
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
|
|
- Does not output the full scan to the console log
- Updates the email-ext defaults to include any *.log file in the root
of the workspace. This should include securityaudit.log
- Adds 'GERRIT_REFSPEC' to the list of job parameters as required by
'git-scm-gerrit'
- Fixes email-ptl macros so projects with extra repos have the proper
recipients.
Change-Id: Ibf22bf0683fc1f88de07ef3bb4717769c6ea0174
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
|
|
Completely replaces the current weekly security scan job. Instead of
publishing weekly security scan reports they will be emailed to
individual project PTLs.
Uses a modified copy of 'anteater-security-audit.sh' to ensure the
security scan job is not affected in this change. A later change will be
made to merge the file back in and update the jobs. This is why
'anteater-parameters' are added to both jobs-templates.
Change-Id: Ia8ebffbfce7a2d4feb83ef68ff0ab0c7bb4d2104
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
|
|
https://wiki.opnfv.org/display/INF/Project+Roll+Out+for+Anteater
Week beginning November the 13th
Please wait for merge of https://gerrit.opnfv.org/gerrit/47121
first.
Change-Id: I9629c60c15c264db778400b454fe99acd06fb881
Signed-off-by: lukehinds <lhinds@redhat.com>
|
|
A string is added to the build that a security report is being
reported to Gerrit, even when it is not. This moves the string to just
before the line when the comment is posted so we aren't lying to
developers.
Change-Id: I73840d025e8be86b6ac02772b22b22c4abd29422
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
|
|
When anteater runs it generates a shortlog containing any errors that
were encountered during its run.
If no errors exist it will still create an empty file 'shortlog'. A
review containing no content will be attempted to be posted and fail with:
fatal: Argument "{COMMIT | CHANGE,PATCHSET}" is required
Instead of attempting to post nothing, the job should just skip
submitting a review.
Change-Id: I3feacb15e47dea204783053b3e67a9aa81ba164d
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
|
|
The current Anteater shortlog output still contains single and double
quotes, causing comments to not be posted to Gerrit. So instead of
trying to escape the quotations they should be removed entirely.
JIRA: RELENG-272
Change-Id: I8a2565c85763d7617ced73702a12e28bf634678a
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
|
|
Enable the security gating check to run on all machines labeled
'opnfv-build'. This will allow the job to run as long as one of these
machines is online.
JIRA: RELENG-313
Change-Id: Icc792f7732c6cc3ca49bd8db32027fc146f8b1cd
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
|
|
Setting this to allow all users to read/write the permissions enables the
container to write to the volume mounted reports directory even though
it is owned by the Jenkins user.
JIRA: RELENG-313
Change-Id: Ib26e9b98cd17607c98a180888593c42376458f7f
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
|
|
JIRA: RELENG-254
Change-Id: If4bfdc2ddaadb4e17d0bc0dc2948780bcbbb10ae
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
|
|
Fuel project was left out of the list of projects against which
security audit jobs should run, so enable it.
Change-Id: I6d59197f78dfaf381d634c9d1821a7383506276c
Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
|
|
I don't think the ' does anything good, as it ends up in the output
remove extraneous cat
Change-Id: I4ca62672aa361d370275bd74864f0fc179da9f0b
Signed-off-by: agardner <agardner@linuxfoundation.org>
|
|
|
|
1. mapping .reports mapped into docker
2. export ./reports/*
JIRA: RELENG-279
Change-Id: I4eef3b75589a9d8f36801931d1fd31b7e247c07a
Signed-off-by: Julien <zhang.jun3g@zte.com.cn>
|
|
When quotation marks exist in 'gerrit review' comment, it will fail:
just like:
https://build.opnfv.org/ci/job/opnfv-security-audit-verify-master/877/console
JIRA: RELENG-280
Change-Id: I3536873cb4b31290bae56fd127a00f3b27ba0b9f
Signed-off-by: Julien <zhang.jun3g@zte.com.cn>
|
|
This is a port from the patchset verify job and is needed due to changes
in the docker container.
Change-Id: I54626e4681ab25f6d947aaa2dcf969e5b2e0bab9
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
|
|
https://wiki.opnfv.org/display/INF/Project+Roll+Out+for+Anteater
Week beginning July the 10th
Change-Id: Ifc6e59f2298ae8d83679a3817c82a2cc6ec4acd6
Signed-off-by: lukehinds <lhinds@redhat.com>
|
|
https://wiki.opnfv.org/display/INF/Project+Roll+Out+for+Anteater
Week beginning July the 2nd
Depends-on: I3610868930f0d6033e528548dceb09b3279b6b8d
Change-Id: I541ab95f054e8159f41f16520083f71ea2dc5d1f
Signed-off-by: lukehinds <lhinds@redhat.com>
|
|
With moving anteater into a virtualenv inside the container, it is no
longer installed to a location accessible by the default PATH. Using the
absolute path to the anteater binary should allow this to run.
Change-Id: I978e96d6de1b6c7bb63ff877b5bc77e1b6ee44df
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
|
|
|
|
|
|
The current approach is to run /bin/bash in a fully privileged docker
container as the root user and exec the anteater command from this.
There are a couple of reasons this approach doesn't make sense:
1) anteater is not a long running service
2) anteater doesn't need any privileged access to the host
3) anteater is already a compiled binary and can be run directly
Because the anteater container doesn't need access to all the host
devices nor is it running docker containers inside of docker, the
`--privileged=true` flag can be removed.
Note: '--rm' is added as well to ensure volumes do not persist past the
container lifecycle and lead to build server running out of disk space.
JIRA: RELENG-250
Change-Id: I1ec90b3737abf591b6b3373fe2fc8f52cdcfb11a
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
|
|
JIRA: RELENG-252
Change-Id: I884853cc3faf4cd24832bf5f35078a0913f2a0b3
Signed-off-by: agardner <agardner@linuxfoundation.org>
|
|
also change job to only run weekly
Change-Id: I5f0d5f1d7020c02b2f3ec76aa7f5da2196184529
Signed-off-by: agardner <agardner@linuxfoundation.org>
|
|
Added license headers
remove errexit from report to gerrit
run as --user nobody
Change-Id: I4b65dbae1f255015877766a0afa44e9b9898651c
Signed-off-by: Aric Gardner <agardner@linuxfoundation.org>
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
|
|
some formatting changes to shell script
Change-Id: I301cb4b385df81a81de5ba230c5a4709461703a3
Signed-off-by: Aric Gardner <agardner@linuxfoundation.org>
|
|
Change-Id: I090e601b45b58fae4235867536553570f2674f9a
Signed-off-by: Aric Gardner <agardner@linuxfoundation.org>
|
|
this file will become too complicated to escape inside the job
definition.
Change-Id: I3e167bee5d315a7ff3b52e7274b68c3146dfbd03
Signed-off-by: Aric Gardner <agardner@linuxfoundation.org>
|
|
Change-Id: Id1340090fbf410f9eda5e115f554fee778d26b90
Signed-off-by: Aric Gardner <agardner@linuxfoundation.org>
|
|
So I guess we put the voting logic in the report results to
gerrit step
Change-Id: I5a6d8c7986bc317648bbb7512ba4f8357bbb4f3c
Signed-off-by: Aric Gardner <agardner@linuxfoundation.org>
|
|
used tee to create audit log
Change-Id: I6941e142064cf7c9b4586660be69df2a02807af3
Signed-off-by: Aric Gardner <agardner@linuxfoundation.org>
|
|
looks like the spacing was off
Change-Id: Ief6d15d122add79b8f9492550ce4ceecafe545bd
Signed-off-by: Aric Gardner <agardner@linuxfoundation.org>
|
|
Change-Id: Ib42cef840ff8118c32676efdf8c21c315c1f4911
Signed-off-by: Fatih Degirmenci <fatih.degirmenci@ericsson.com>
|
|
Change-Id: Ibb3cc5a2425d9f2f79e27c86e22b176fd36cb3dc
Signed-off-by: Aric Gardner <agardner@linuxfoundation.org>
|
|
Change-Id: I988a95141886d53b7b14f3ab5c673f589786ae7a
Signed-off-by: Aric Gardner <agardner@linuxfounation.org>
|
|
Change-Id: I21aca84c2ce5526f4a0942b21c50455c3d8aa4bd
Signed-off-by: Aric Gardner <agardner@linuxfounation.org>
|
|
Change-Id: I7f161b5f939eaeba019ce882a9977908ee0c01b8
Signed-off-by: Fatih Degirmenci <fatih.degirmenci@ericsson.com>
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
|
|
Change adds anteater Docker push and renames securityaudit
to ci_gate_security
Change-Id: Ibf7d930003e7d59cb84a3ddb72962a150590418b
Signed-off-by: lukehinds <lhinds@redhat.com>
|