path: root/jjb/ci_gate_security
Age | Commit message | Author | Files | Lines
2019-05-12 | Remove Functest from security scan list | Cédric Ollivier | 1 | -2/+1
Security scanning always fails due to false rules (e.g. wget in Dockerfile) which have never been updated. It avoids false failures in Functest gate jobs.
Change-Id: Ie7d82c6117733bdd02f0d5bc9dcd6d4974830049
Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
2018-12-17 | Remove Copper and refs to Copper | Aimee Ukasick | 1 | -2/+1
Issue-ID: COPPER-37, COPPER-38, COPPER-40
Copper was terminated, so removing build files and refs to the copper project. A ticket has been submitted to the OPNFV Helpdesk to make the Copper repo read-only.
Change-Id: I9b9ec88abd5c2ade816fc588c5549af0c6b6ee13
Signed-off-by: Aimee Ukasick <aimeeu.opensource@gmail.com>
2018-12-07 | Switch Builder for Weekly CI Security Scanning | Trevor Bramwell | 1 | -1/+1
Instead of running these specifically on ericsson-build3, we target them to run on any of the build servers since the job just runs a docker container.
Change-Id: Ia05adb20bcb84a0a2a187c81ef25b9dcbc99e020
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
2018-10-15 | Ensure jobs don't get queued on offline builders | Trevor Bramwell | 1 | -0/+2
A change to the NodeLabelParameter config in JJB caused any jobs using the plugin to possibly have their jobs triggered on builders which weren't online. This in turn caused the queue to back up, and newer jobs are blocked waiting for older ones to complete, which never happens as they're never queued on an online builder.
The 'all-nodes' parameter ensures jobs that are set to run concurrently don't trigger across all available nodes at once, as this will include offline nodes as well. As this is the default of the plugin, projects which need it can enable it individually.
Change-Id: Ia690eef078209b6b056dad85613dda6868b18271
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
2018-05-17 | Remove reverify for opnfv-lint and gate-security | Aric Gardner | 1 | -2/+0
This is temporary: using reverify does not work in global-jjb, so for now remove surrounding jobs so that users don't think it's working. I've been told we can add reverify into global-jjb; after that is done, I will re-add these.
Change-Id: I533ff7c15d55d2630504ca18416583c167228c0d
Signed-off-by: Aric Gardner <agardner@linuxfoundation.org>
2018-05-16 | Rename files under jjb from 'yml' to 'yaml' | Trevor Bramwell | 1 | -0/+0
global-jjb only supports the .yaml file ending for jjb jobs. Instead of waiting for a release we're going to rename the files.
Change-Id: Icf3339eacd2320c583333e02250998cf6b1881f7
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
2018-04-20 | Cleanup Archived projects | agardner | 1 | -5/+1
Removing archived projects from jjb. These projects don't need any jobs associated with them:
escalator
fastpathmetrics
inspector
lsoapi
movie
multisite
octopus
openretriever
prediction
Change-Id: Ibbe49e54ed326f502157c7892022b7a62173b72d
Signed-off-by: agardner <agardner@linuxfoundation.org>
2018-01-23 | Add GERRIT_REFSPEC to 'project-parameter' Macro | Trevor Bramwell | 1 | -4/+0
GERRIT_REFSPEC is always passed by the gerrit-trigger plugin when a job is triggered by Gerrit. Because it is not explicitly defined, there is no way to manually trigger jobs, as the git clone looks up the list of refs by GERRIT_REFSPEC. Being able to manually trigger jobs (with node parameters so they can be restricted) is very helpful in debugging CI issues.
Change-Id: I8a1d9ea380902fc95f30482e5acb616347709ab1
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
2018-01-12 | Fix 'copper' in Gerrit Trigger for Security Scan | Trevor Bramwell | 1 | -1/+1
'copper' was incorrectly listed as 'cooper' in the gerrit trigger for the security scanning job. Fixing this will ensure patchsets against copper are scanned.
Change-Id: Ie32148647638612b0da2d810c50dd5c0ea078844
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
2017-11-29 | Clean Anteater Weekly Workspace after Emailing PTL | Trevor Bramwell | 1 | -1/+2
The workspace is cleaned immediately after anteater is run. This removes the securityaudit.log which the emails to PTLs should contain.
Change-Id: I0afa4c69035e411aebe7cfea625ebafe5796d236
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
2017-11-29 | Fix Anteater Weekly Reporting Job | Trevor Bramwell | 2 | -1/+4
- Does not output the full scan to the console log
- Updates the email-ext defaults to include any *.log file in the root of the workspace. This should include securityaudit.log
- Adds 'GERRIT_REFSPEC' to the list of job parameters as required by 'git-scm-gerrit'
- Fixes email-ptl macros so projects with extra repos have the proper recipients.
Change-Id: Ibf22bf0683fc1f88de07ef3bb4717769c6ea0174
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
2017-11-27 | Email Weekly Anteater Reports to PTLs | Trevor Bramwell | 3 | -72/+126
Completely replaces the current weekly security scan job. Instead of publishing weekly security scan reports, they will be emailed to individual project PTLs.
Uses a modified copy of 'anteater-security-audit.sh' to ensure the security scan job is not affected in this change. A later change will be made to merge the file back in and update the jobs. This is why 'anteater-parameters' are added to both job-templates.
Change-Id: Ia8ebffbfce7a2d4feb83ef68ff0ab0c7bb4d2104
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
2017-11-13 | Weekly Anteater Project Additions | lukehinds | 1 | -1/+1
https://wiki.opnfv.org/display/INF/Project+Roll+Out+for+Anteater
Week beginning November the 13th. Please wait for merge of https://gerrit.opnfv.org/gerrit/47121 first.
Change-Id: I9629c60c15c264db778400b454fe99acd06fb881
Signed-off-by: lukehinds <lhinds@redhat.com>
2017-10-11 | Fix incorrect comment that security report posted | Trevor Bramwell | 1 | -1/+1
A string is added to the build that a security report is being reported to Gerrit, even when it is not. This moves the string to just before the line when the comment is posted so we aren't lying to developers.
Change-Id: I73840d025e8be86b6ac02772b22b22c4abd29422
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
2017-10-10 | Only Submit Security Scan Results that Exist | Trevor Bramwell | 1 | -5/+8
When anteater runs it generates a shortlog containing any errors that were encountered during its run. If no errors exist it will still create an empty file 'shortlog'. A review containing no content will be attempted to be posted and fail with:
fatal: Argument "{COMMIT | CHANGE,PATCHSET}" is required
Instead of attempting to post nothing, the job should just skip submitting a review.
Change-Id: I3feacb15e47dea204783053b3e67a9aa81ba164d
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
2017-10-03 | Fix Security Scan Shortlog Format | Trevor Bramwell | 1 | -1/+1
The current Anteater shortlog output still contains single and double quotes, causing comments to not be posted to Gerrit. So instead of trying to escape the quotations they should be removed entirely.
JIRA: RELENG-272
Change-Id: I8a2565c85763d7617ced73702a12e28bf634678a
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
2017-09-21 | Run CI Security Gate Check on all OPNFV Builders | Trevor Bramwell | 1 | -1/+1
Enable the security gating check to run on all machines labelled 'opnfv-build'. This will allow the job to run as long as one of these machines is online.
JIRA: RELENG-313
Change-Id: Icc792f7732c6cc3ca49bd8db32027fc146f8b1cd
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
2017-09-21 | Change Anteater Report Directory Permissions | Trevor Bramwell | 1 | -0/+2
Setting this to allow all users to read/write the permissions enables the container to write to the volume mounted reports directory even though it is owned by the Jenkins user.
JIRA: RELENG-313
Change-Id: Ib26e9b98cd17607c98a180888593c42376458f7f
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
2017-09-11 | Fix Yamllint Violations for jjb/ci_gate_security | Trevor Bramwell | 1 | -64/+70
JIRA: RELENG-254
Change-Id: If4bfdc2ddaadb4e17d0bc0dc2948780bcbbb10ae
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
2017-09-05 | fuel: Enable OPNFV CI gate security | Alexandru Avadanii | 1 | -1/+1
Fuel project was left out of the list of projects against which security audit jobs should run, so enable it.
Change-Id: I6d59197f78dfaf381d634c9d1821a7383506276c
Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
2017-08-24 | Remove final ' placed at the end of each line by sed | agardner | 1 | -1/+1
I don't think the ' does anything good, as it ends up in the output. Remove extraneous cat.
Change-Id: I4ca62672aa361d370275bd74864f0fc179da9f0b
Signed-off-by: agardner <agardner@linuxfoundation.org>
2017-08-08 | Merge "export detailed logs for each project" | Serena Feng | 2 | -1/+7
2017-07-16 | export detailed logs for each project | Julien | 2 | -1/+7
1. mapping .reports mapped into docker
2. export ./reports/*
JIRA: RELENG-279
Change-Id: I4eef3b75589a9d8f36801931d1fd31b7e247c07a
Signed-off-by: Julien <zhang.jun3g@zte.com.cn>
2017-07-16 | Fix anteater job failing because of quotation marks | Julien | 1 | -4/+4
When quotation marks exist in the 'gerrit review' comment, it will fail, just like: https://build.opnfv.org/ci/job/opnfv-security-audit-verify-master/877/console
JIRA: RELENG-280
Change-Id: I3536873cb4b31290bae56fd127a00f3b27ba0b9f
Signed-off-by: Julien <zhang.jun3g@zte.com.cn>
2017-07-11 | Update Path to Anteater for Weekly Security Scan | Trevor Bramwell | 1 | -1/+1
This is a port from the patchset verify job and is needed due to changes in the docker container.
Change-Id: I54626e4681ab25f6d947aaa2dcf969e5b2e0bab9
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
2017-07-11 | Weekly Anteater Project Additions | lukehinds | 1 | -1/+1
https://wiki.opnfv.org/display/INF/Project+Roll+Out+for+Anteater
Week beginning July the 10th
Change-Id: Ifc6e59f2298ae8d83679a3817c82a2cc6ec4acd6
Signed-off-by: lukehinds <lhinds@redhat.com>
2017-07-03 | Weekly Anteater Project Additions | lukehinds | 1 | -1/+2
https://wiki.opnfv.org/display/INF/Project+Roll+Out+for+Anteater
Week beginning July the 2nd
Depends-on: I3610868930f0d6033e528548dceb09b3279b6b8d
Change-Id: I541ab95f054e8159f41f16520083f71ea2dc5d1f
Signed-off-by: lukehinds <lhinds@redhat.com>
2017-06-27 | Pass fully qualified anteater path to Docker run | Trevor Bramwell | 1 | -1/+1
With moving anteater into a virtualenv inside the container, it is no longer installed to a location accessible by the default PATH. Using the absolute path to the anteater binary should allow this to run.
Change-Id: I978e96d6de1b6c7bb63ff877b5bc77e1b6ee44df
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
2017-06-23 | Merge "Add octopus|pharos|functest to ci gate security" | Aric Gardner | 1 | -1/+1
2017-06-22 | Merge "Directly Run Anteater Docker Container" | Luke Hinds | 1 | -10/+6
2017-06-21 | Directly Run Anteater Docker Container | Trevor Bramwell | 1 | -10/+6
The current approach is to run /bin/bash in a fully privileged docker container as the root user and exec the anteater command from this. There are a couple of reasons this approach doesn't make sense:
1) anteater is not a long running service
2) anteater doesn't need any privileged access to the host
3) anteater is already a compiled binary and can be run directly
Because the anteater container doesn't need access to all the host devices, nor is it running docker containers inside of docker, the `--privileged=true` flag can be removed.
Note: '--rm' is added as well to ensure volumes do not persist past the container lifecycle and lead to the build server running out of disk space.
JIRA: RELENG-250
Change-Id: I1ec90b3737abf591b6b3373fe2fc8f52cdcfb11a
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
2017-06-21 | Add octopus|pharos|functest to ci gate security | agardner | 1 | -1/+1
JIRA: RELENG-252
Change-Id: I884853cc3faf4cd24832bf5f35078a0913f2a0b3
Signed-off-by: agardner <agardner@linuxfoundation.org>
2017-06-20 | --user nobody did not work on ericsson-build3 | agardner | 2 | -2/+2
Also change job to only run weekly.
Change-Id: I5f0d5f1d7020c02b2f3ec76aa7f5da2196184529
Signed-off-by: agardner <agardner@linuxfoundation.org>
2017-06-19 | Add weekly job for security scan | Aric Gardner | 4 | -14/+115
Added license headers
Remove errexit from report to gerrit
Run as --user nobody
Change-Id: I4b65dbae1f255015877766a0afa44e9b9898651c
Signed-off-by: Aric Gardner <agardner@linuxfoundation.org>
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
2017-06-14 | Add releng repo to security check | Aric Gardner | 2 | -13/+14
Some formatting changes to shell script.
Change-Id: I301cb4b385df81a81de5ba230c5a4709461703a3
Signed-off-by: Aric Gardner <agardner@linuxfoundation.org>
2017-06-14 | Add exit status, remove awk warning | Aric Gardner | 2 | -2/+8
Change-Id: I090e601b45b58fae4235867536553570f2674f9a
Signed-off-by: Aric Gardner <agardner@linuxfoundation.org>
2017-06-14 | Move gerrit comment logic to its own file | Aric Gardner | 3 | -24/+21
This file will become too complicated to escape inside the job definition.
Change-Id: I3e167bee5d315a7ff3b52e7274b68c3146dfbd03
Signed-off-by: Aric Gardner <agardner@linuxfoundation.org>
2017-06-14 | Fix gerrit comment | Aric Gardner | 2 | -3/+1
Change-Id: Id1340090fbf410f9eda5e115f554fee778d26b90
Signed-off-by: Aric Gardner <agardner@linuxfoundation.org>
2017-06-14 | We can't report the results if anteater exits 1 | Aric Gardner | 1 | -1/+3
So I guess we put the voting logic in the report results to gerrit step.
Change-Id: I5a6d8c7986bc317648bbb7512ba4f8357bbb4f3c
Signed-off-by: Aric Gardner <agardner@linuxfoundation.org>
2017-06-14 | Report anteater results to gerrit. | Aric Gardner | 2 | -2/+2
Used tee to create audit log.
Change-Id: I6941e142064cf7c9b4586660be69df2a02807af3
Signed-off-by: Aric Gardner <agardner@linuxfoundation.org>
2017-06-14 | Fix skip vote on anteater job | Aric Gardner | 1 | -5/+5
Looks like the spacing was off.
Change-Id: Ief6d15d122add79b8f9492550ce4ceecafe545bd
Signed-off-by: Aric Gardner <agardner@linuxfoundation.org>
2017-06-13 | anteater: Fix jjb script | Fatih Degirmenci | 1 | -1/+1
Change-Id: Ib42cef840ff8118c32676efdf8c21c315c1f4911
Signed-off-by: Fatih Degirmenci <fatih.degirmenci@ericsson.com>
2017-06-13 | move to a server that docker works on | Aric Gardner | 1 | -1/+1
Change-Id: Ibb3cc5a2425d9f2f79e27c86e22b176fd36cb3dc
Signed-off-by: Aric Gardner <agardner@linuxfoundation.org>
2017-06-13 | Change git base | Aric Gardner | 1 | -0/+4
Change-Id: I988a95141886d53b7b14f3ab5c673f589786ae7a
Signed-off-by: Aric Gardner <agardner@linuxfounation.org>
2017-06-13 | run anteater ci gate on lf-build2 | Aric Gardner | 1 | -0/+4
Change-Id: I21aca84c2ce5526f4a0942b21c50455c3d8aa4bd
Signed-off-by: Aric Gardner <agardner@linuxfounation.org>
2017-06-13 | releng-anteater: Create script to run checks and adjust jjb | Fatih Degirmenci | 2 | -12/+39
Change-Id: I7f161b5f939eaeba019ce882a9977908ee0c01b8
Signed-off-by: Fatih Degirmenci <fatih.degirmenci@ericsson.com>
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
2017-06-01 | Add Job Configuration for Anteater | lukehinds | 1 | -0/+105
Change adds anteater Docker push and renames securityaudit to ci_gate_security.
Change-Id: Ibf7d930003e7d59cb84a3ddb72962a150590418b
Signed-off-by: lukehinds <lhinds@redhat.com>