[Research] Dependency-Track (DT) settings in a Jenkins job configuration
2022-09-27
Continuous Integration & Delivery | Dependency-Track
https://docs.dependencytrack.org/usage/cicd/
GitHub - jenkinsci/dependency-track-plugin: Master repository for the official Dependency-Track Jenkins plugin
https://github.com/jenkinsci/dependency-track-plugin
OWASP Dependency-Track | Jenkins plugin
https://plugins.jenkins.io/dependency-track/#releases
********************************************************************************
On a git push to the Gitea server, Jenkins runs CycloneDX to generate bom.json and hands it to the Dependency-Track server for analysis.
Note: Fortify SCA => Micro Focus Static Code Analyzer
Dependency-Track related settings
First create a Project.
Contents as follows (some names changed):
D:\BuildTool\nuget.exe restore .\WebApplicationDir\WebApplicationSolution.sln
REM Automatically publish to the test site
REM The connection must be dropped first; otherwise the next connection attempt fails and ends the Jenkins job
REM Map a network share so the code can be published to the other server's web root
net use * /del /yes
net use I: \\192.168.99.166\D$ [password] /USER:[AD domain]\[AD user account]
REM Generate the SBOM for Dependency-Track
dotnet tool install --global CycloneDX
REM Generate bom.xml and have Jenkins upload it to Dependency-Track (failed; there may be another solution)
Note: the share password on the net use line sits in plain text in the job configuration and in every build log that echoes the command; the "Use secret text(s) or file(s)" build-environment option shown in the full configuration below is the usual way to inject it from a Jenkins credential instead. Also note that the comment above says bom.xml while the post-build step below uploads bom.json.
Note on directories:
- The leading dot (.) stands for the directory D:\Jenkins\workspace\[Jenkins job name]\;
- The Jenkins workspace depends on how Jenkins was installed and configured; it is not necessarily D:\Jenkins\workspace\, so adjust accordingly;
- The solution file is at D:\Jenkins\workspace\[Jenkins job name]\WebApplicationDir\WebApplicationSolution.sln
- WebApplicationDir and WebApplicationSolution usually have the same name, but not necessarily.
Contents as follows (some names changed):
MSBuild Version: MSBuild15
MSBuild Build File: .\WebApplicationDir\WebApplicationSolution.sln
Command Line Arguments: /p:DeployOnBuild=true /p:PublishProfile=FolderProfileLab
Contents as follows (some names changed):
REM Automatically publish to the test site
REM The connection must be dropped first; otherwise the next connection attempt fails and ends the Jenkins job
net use * /del /yes
REM net use /delete I:
REM If the file does not exist, create it and write a version that can never exist
echo %GIT_COMMIT%
set FORTIFY_TEMPLATE=D:\FortifyTemplate\MyCompany_All.xml
set SubFolder=WebApplicationFrontSolution
if not exist %WORKSPACE%\%SubFolder%\git_diff.txt (
echo "file does not exist"
echo -1 > %WORKSPACE%\%SubFolder%\git_diff.txt
)
if exist %WORKSPACE%\%SubFolder%\Assessment_diff.pdf (
echo "old pdf file found"
del %WORKSPACE%\%SubFolder%\Assessment_diff.pdf
)
Contents as follows (some names changed):
REM Check whether the version differs; only scan when it does
set FORTIFY_TEMPLATE=D:\FortifyTemplate\MyCompany_All.xml
set SubFolder=WebApplicationFrontSolution
if exist %WORKSPACE%\%SubFolder%\new.fpr (
echo "clear new record"
del %WORKSPACE%\%SubFolder%\new.fpr
)
for /f %%i in (%WORKSPACE%\%SubFolder%\git_diff.txt) do set version=%%i
if "%GIT_COMMIT%" NEQ "%version%" (
sourceanalyzer.exe -b %JOB_NAME% -clean
sourceanalyzer.exe -b %JOB_NAME% msbuild /t:rebuild %WORKSPACE%\%SubFolder%\WebApplicationFrontSolution.sln
sourceanalyzer.exe -b %JOB_NAME% -scan -verbose -Xmx14G -format "fpr" -f "%WORKSPACE%\%SubFolder%\new.fpr"
)
Contents as follows (some names changed):
REM If old.fpr exists, merge it
set SubFolder=WebApplicationFrontSolution
for /f %%i in (%WORKSPACE%\%SubFolder%\git_diff.txt) do set version=%%i
if "%GIT_COMMIT%" NEQ "%version%" (
if exist %WORKSPACE%\%SubFolder%\old.fpr (
echo "merge old record with new record"
FPRUtility.bat -merge -project %WORKSPACE%\%SubFolder%\new.fpr -source %WORKSPACE%\%SubFolder%\old.fpr
)
)
Contents as follows (some names changed):
REM Check whether the version differs; only convert to PDF when it does
set FORTIFY_TEMPLATE=D:\FortifyTemplate\MyCompany_All_New.xml
set SubFolder=WebApplicationFrontSolution
for /f %%i in (%WORKSPACE%\%SubFolder%\git_diff.txt) do set version=%%i
if "%GIT_COMMIT%" NEQ "%version%" (
move /Y %WORKSPACE%\%SubFolder%\new.fpr %WORKSPACE%\%SubFolder%\old.fpr
REM ReportGenerator.bat -template %FORTIFY_TEMPLATE% -format "pdf" -f "%WORKSPACE%\%SubFolder%\Assessment_diff.pdf" -source "%WORKSPACE%\%SubFolder%\old.fpr"
ReportGenerator.bat -template %FORTIFY_TEMPLATE% -format "pdf" -filterSet "Quick View" -f "%WORKSPACE%\%SubFolder%\Assessment_diff.pdf" -source "%WORKSPACE%\%SubFolder%\old.fpr"
)
Contents as follows (some names changed):
REM Generate the full report
set FORTIFY_TEMPLATE=D:\FortifyTemplate\MyCompany_All.xml
set SubFolder=WebApplicationFrontSolution
REM ReportGenerator.bat -template %FORTIFY_TEMPLATE% -format "pdf" -f "%WORKSPACE%\%SubFolder%\Assessment_all.pdf" -source "%WORKSPACE%\%SubFolder%\old.fpr"
ReportGenerator.bat -template %FORTIFY_TEMPLATE% -format "pdf" -filterSet "Quick View" -f "%WORKSPACE%\%SubFolder%\Assessment_all.pdf" -source "%WORKSPACE%\%SubFolder%\old.fpr"
Contents as follows (some names changed):
REM Finally, record the project version that was just scanned
set SubFolder=WebApplicationFrontSolution
echo %GIT_COMMIT% > %WORKSPACE%\%SubFolder%\git_diff.txt
Contents as follows (some names changed):
Dependency-Track project: WebApplicationFrontSolution
Artifact: bom.json
********************************************************************************
The complete configuration is as follows (some names changed):

General
- Description: [plain text]
- Office 365 Connector Notification: webhook URL https://MyCompany.webhook.office.com/webhookb2/123jihj-12ncw/JenkinsCI/324ji23j-17h3, Name: MyCompanyjenkins
- Also listed, with nothing set: This build requires lockable resources, Throttle builds, This project is parameterized, Discard old builds, Execute concurrent builds if necessary, Restrict where this project can be run

Source Code Management
- Git
- Repository URL: http://192.168.199.145:3000/MyCompany/WebApplicationWeb.git
- Credentials: 32kl23l23-2je3-21
- Branches to build, Branch Specifier (blank for 'any'): */master
- Repository browser: Gitea, Repository URL: http://192.168.199.145:3000/MyCompany/WebApplicationWeb.git
- Additional Behaviours: none listed

Build Triggers
- Trigger builds remotely (e.g., from scripts): Authentication Token MyCompany_COMMIT. A build can be triggered via JENKINS_URL/job/Fortify_WebApplicationFrontSolution/build?token=TOKEN_NAME or /buildWithParameters?token=TOKEN_NAME. Optionally append &cause=Cause+Text to provide text that will be included in the recorded build cause. Anyone who knows the token can start a build, so treat it as a secret.
- Build periodically, Schedule: H H * * 6 (Would last have run at Saturday, September 24, 2022 12:34:29 AM [Taipei Standard Time]; would next run at Saturday, October 1, 2022 12:34:29 AM [Taipei Standard Time].)
- Also listed, with nothing set: Generic Webhook Trigger, Build after other projects are built, Poll SCM

Build Environment
- Delete workspace before build starts
- Use secret text(s) or file(s)
- Color ANSI Console Output
- Inspect build log for published Gradle build scans
- Terminate a build if it's stuck
- With Ant
- Add timestamps to the Console Output

Build Steps

Execute Windows batch command:
D:\BuildTool\nuget.exe restore .\WebApplicationDir\WebApplicationSolution.sln

Build a Visual Studio project or solution using MSBuild:
- MSBuild Version: MSBuild15
- MSBuild Build File: .\WebApplicationDir\WebApplicationSolution.sln

Execute Windows batch command:
REM Automatically publish to the test site
REM The connection must be dropped first; otherwise the next connection attempt fails and ends the Jenkins job
net use * /del /yes
REM net use /delete I:
REM If the file does not exist, create it and write a version that can never exist
echo %GIT_COMMIT%
set FORTIFY_TEMPLATE=D:\FortifyTemplate\MyCompany_All.xml
set SubFolder=WebApplicationFrontSolution
if not exist %WORKSPACE%\%SubFolder%\git_diff.txt (
echo "file does not exist"
echo -1 > %WORKSPACE%\%SubFolder%\git_diff.txt
)
if exist %WORKSPACE%\%SubFolder%\Assessment_diff.pdf (
echo "old pdf file found"
del %WORKSPACE%\%SubFolder%\Assessment_diff.pdf
)
Execute Windows batch command:
REM Check whether the version differs; only scan when it does
set FORTIFY_TEMPLATE=D:\FortifyTemplate\MyCompany_All.xml
set SubFolder=WebApplicationFrontSolution
if exist %WORKSPACE%\%SubFolder%\new.fpr (
echo "clear new record"
del %WORKSPACE%\%SubFolder%\new.fpr
)
for /f %%i in (%WORKSPACE%\%SubFolder%\git_diff.txt) do set version=%%i
if "%GIT_COMMIT%" NEQ "%version%" (
sourceanalyzer.exe -b %JOB_NAME% -clean
sourceanalyzer.exe -b %JOB_NAME% msbuild /t:rebuild %WORKSPACE%\%SubFolder%\WebApplicationFrontSolution.sln
sourceanalyzer.exe -b %JOB_NAME% -scan -verbose -Xmx14G -format "fpr" -f "%WORKSPACE%\%SubFolder%\new.fpr"
)
Execute Windows batch command:
REM If old.fpr exists, merge it
set SubFolder=WebApplicationFrontSolution
for /f %%i in (%WORKSPACE%\%SubFolder%\git_diff.txt) do set version=%%i
if "%GIT_COMMIT%" NEQ "%version%" (
if exist %WORKSPACE%\%SubFolder%\old.fpr (
echo "merge old record with new record"
FPRUtility.bat -merge -project %WORKSPACE%\%SubFolder%\new.fpr -source %WORKSPACE%\%SubFolder%\old.fpr
)
)
Execute Windows batch command:
REM Check whether the version differs; only convert to PDF when it does
set FORTIFY_TEMPLATE=D:\FortifyTemplate\MyCompany_All_New.xml
set SubFolder=WebApplicationFrontSolution
for /f %%i in (%WORKSPACE%\%SubFolder%\git_diff.txt) do set version=%%i
if "%GIT_COMMIT%" NEQ "%version%" (
move /Y %WORKSPACE%\%SubFolder%\new.fpr %WORKSPACE%\%SubFolder%\old.fpr
REM ReportGenerator.bat -template %FORTIFY_TEMPLATE% -format "pdf" -f "%WORKSPACE%\%SubFolder%\Assessment_diff.pdf" -source "%WORKSPACE%\%SubFolder%\old.fpr"
ReportGenerator.bat -template %FORTIFY_TEMPLATE% -format "pdf" -filterSet "Quick View" -f "%WORKSPACE%\%SubFolder%\Assessment_diff.pdf" -source "%WORKSPACE%\%SubFolder%\old.fpr"
)
Execute Windows batch command:
REM Generate the full report
set FORTIFY_TEMPLATE=D:\FortifyTemplate\MyCompany_All.xml
set SubFolder=WebApplicationFrontSolution
REM ReportGenerator.bat -template %FORTIFY_TEMPLATE% -format "pdf" -f "%WORKSPACE%\%SubFolder%\Assessment_all.pdf" -source "%WORKSPACE%\%SubFolder%\old.fpr"
ReportGenerator.bat -template %FORTIFY_TEMPLATE% -format "pdf" -filterSet "Quick View" -f "%WORKSPACE%\%SubFolder%\Assessment_all.pdf" -source "%WORKSPACE%\%SubFolder%\old.fpr"
Execute Windows batch command:
REM Finally, record the project version that was just scanned
set SubFolder=WebApplicationFrontSolution
echo %GIT_COMMIT% > %WORKSPACE%\%SubFolder%\git_diff.txt
Invoke Dependency-Check (this is OWASP Dependency-Check, a separate scanner from Dependency-Track; it produces the dependency-check-report.html attached to the e-mail below):
- Dependency-Check installation: 6.1.6
- Arguments: --format ALL
- Also listed: Skip if triggered by SCM changes, Skip if triggered by upstream changes
Post-build Actions

Publish BOM to Dependency-Track:
- Dependency-Track project: WebApplicationFrontSolution
- Artifact: bom.json
- Also listed: Enable synchronous publishing mode, Update project properties, Override global settings
(With synchronous publishing mode the plugin waits for Dependency-Track to finish processing the BOM and can fail or mark the build unstable according to the risk thresholds in the plugin's global settings, or the per-job values when Override global settings is used.)

Editable Email Notification:
- Disable Extended Email Publisher (allows disabling the publisher while keeping its settings)
- Project Recipient List (comma-separated): user1@MyCompany.com.tw,user2@MyCompany.com.tw
- Project Reply-To List (comma-separated): $DEFAULT_REPLYTO
- Content Type: Default Content Type
- Default Subject: $DEFAULT_SUBJECT
- Default Content: $DEFAULT_CONTENT
  Changes: ${CHANGES, showPaths=true, format="%a: %r %p \n--\"%m\"", pathFormat="\n\t- %p"}
- Attachments (Ant fileset patterns such as 'module/dist/**/*.zip', relative to the workspace): WebApplicationFrontSolution/Assessment_all.pdf, WebApplicationFrontSolution/Assessment_diff.pdf, dependency-check-report.html
- Attach Build Log: Do Not Attach Build Log

E-mail Notification:
- Recipients (whitespace-separated; $PARAM references a build parameter; mail is sent when a build fails, becomes unstable, or returns to stable): user1@MyCompany.com.tw user2@MyCompany.com.tw
- Send e-mail for every unstable build
- Send separate e-mails to individuals who broke the build

(Jenkins 2.361.1)
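As an added example (not code from the original post, and not the Jenkins plugin's own implementation), the following Python script does over the Dependency-Track REST API what the "Publish BOM to Dependency-Track" post-build step does in synchronous publishing mode: it uploads bom.json, waits until the server reports the BOM token is no longer processing, then reads the project's current metrics and exits non-zero when critical/high counts or FAIL-state policy violations exceed the gate. DT_URL, DT_API_KEY, the project version "master" and the thresholds are placeholders of this example; the endpoints and field names follow the Dependency-Track REST API (PUT /api/v1/bom, GET /api/v1/bom/token/{token}, GET /api/v1/project/lookup, GET /api/v1/metrics/project/{uuid}/current).

```python
"""Upload a CycloneDX SBOM to Dependency-Track and gate the build on the result.

Added example, not the Jenkins plugin's code. Placeholders (assumptions, not from
the original post): DT_URL, DT_API_KEY, the project version and the thresholds.
The API key needs the BOM_UPLOAD and VIEW_PORTFOLIO permissions.
"""
import base64
import json
import sys
import time
import urllib.parse
import urllib.request

DT_URL = "https://dependency-track.example.invalid"  # placeholder
DT_API_KEY = "REPLACE-WITH-A-BOUND-CREDENTIAL"      # placeholder: bind via "Use secret text(s) or file(s)"


def build_bom_payload(bom_bytes, project_name, project_version, auto_create=False):
    """Body for PUT /api/v1/bom: the BOM is base64-encoded and the project is
    identified by name + version (autoCreate lets the server create it)."""
    return {
        "projectName": project_name,
        "projectVersion": project_version,
        "autoCreate": auto_create,
        "bom": base64.b64encode(bom_bytes).decode("ascii"),
    }


def evaluate_gate(metrics, max_critical=0, max_high=0):
    """Risk gate over a ProjectMetrics object from /api/v1/metrics/project/{uuid}/current.
    Returns (passed, reasons). Any policy violation in FAIL state fails the gate."""
    reasons = []
    critical = metrics.get("critical", 0)
    high = metrics.get("high", 0)
    fail_violations = metrics.get("policyViolationsFail", 0)
    if critical > max_critical:
        reasons.append(f"critical vulnerabilities: {critical} > {max_critical}")
    if high > max_high:
        reasons.append(f"high vulnerabilities: {high} > {max_high}")
    if fail_violations > 0:
        reasons.append(f"policy violations in FAIL state: {fail_violations}")
    return (not reasons, reasons)


def _api(method, path, body=None):
    """Minimal JSON client; the API key travels in the X-Api-Key header."""
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(
        DT_URL + path, data=data, method=method,
        headers={"X-Api-Key": DT_API_KEY, "Content-Type": "application/json",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def upload_bom(bom_path, project_name, project_version):
    """PUT the BOM; the response carries a token for the asynchronous processing job."""
    with open(bom_path, "rb") as fh:
        payload = build_bom_payload(fh.read(), project_name, project_version)
    return _api("PUT", "/api/v1/bom", payload)["token"]


def wait_for_processing(token, poll_seconds=5, timeout_seconds=600):
    """Synchronous mode: poll the token until the server reports processing == false."""
    deadline = time.monotonic() + timeout_seconds
    while time.monotonic() < deadline:
        if not _api("GET", f"/api/v1/bom/token/{token}")["processing"]:
            return True
        time.sleep(poll_seconds)
    return False


def current_metrics(project_name, project_version):
    """Resolve the project UUID by name + version, then fetch its current metrics."""
    query = urllib.parse.urlencode({"name": project_name, "version": project_version})
    project = _api("GET", f"/api/v1/project/lookup?{query}")
    return _api("GET", f"/api/v1/metrics/project/{project['uuid']}/current")


def main(bom_path="bom.json", project_name="WebApplicationFrontSolution", project_version="master"):
    token = upload_bom(bom_path, project_name, project_version)
    if not wait_for_processing(token):
        print("Dependency-Track did not finish processing the BOM in time")
        return 2
    passed, reasons = evaluate_gate(current_metrics(project_name, project_version))
    for reason in reasons:
        print("risk gate:", reason)
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:]))
```

Run it as the last build step, after the SBOM exists in the workspace (with the CycloneDX .NET tool installed in the first build step, `dotnet CycloneDX <solution.sln> -o <dir> --json` writes bom.json; confirm the flags with `dotnet CycloneDX --help` for the installed version). A non-zero exit code fails the Jenkins build, which is the same effect as the plugin's risk-gate thresholds. Keep the API key in a Jenkins credential bound through "Use secret text(s) or file(s)" rather than in the script or the job configuration.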
(End)
Related
[Research] Dependency-Track (DT) settings in a Jenkins job configuration
https://shaurong.blogspot.com/2022/09/jenkinsjobdependency-trackdt.html
[Research] Git push, then Jenkins automatically builds and publishes an ASP.NET WebForms solution/project to the target website root
https://shaurong.blogspot.com/2022/09/gitjenkins-aspnet-webforms.html
[Research][ASP.NET] MSBuild 17.3.1 syntax and parameter reference
https://shaurong.blogspot.com/2022/09/aspnetmsbuild-1731.html
[Research][BAT] Copying Fortify SCA reports from Jenkins
https://shaurong.blogspot.com/2022/03/batjenkins-fortify-sca.html
[Research] Jenkins cannot find .NET SDK 'Microsoft.NET.Sdk.Web'
https://shaurong.blogspot.com/2022/02/jenkins-net-sdk-microsoftnetsdkweb.html
[Research] Jenkins: error MSB4100 condition must evaluate to a Boolean
https://shaurong.blogspot.com/2022/02/jenkins-error-msb4100.html
[Research] Jenkins + Fortify SCA: MSBuild directory changed after upgrading Visual Studio 2019 to 2022
https://shaurong.blogspot.com/2022/01/jenkins-fortify-sca-visual-studio-2019.html
[Research] Leftover files apparently produced by Fortify SCA or Jenkins
https://shaurong.blogspot.com/2021/11/fortify-sca-jenkins.html
[Research][Gitea + Jenkins + Fortify SCA] This project references NuGet package(s) that are missing on this computer. Enable NuGet Package Restore
https://shaurong.blogspot.com/2021/08/gitea-jenkins-fortify-sca-nuget-nuget.html
[Research] OWASP Dependency-Track 4.2.2 third-party component security management installation (Ubuntu 20.04.2 LTS x64)
https://shaurong.blogspot.com/2021/07/owasp-dependency-track-422-ubuntu-20042.html
[Research] Jenkins 2.289.2-1.1 stable installation (CentOS 8.4 x64)
https://shaurong.blogspot.com/2021/07/jenkins-22892-11-stable-centos-84-x64.html
[Research] Jenkins build failure
https://shaurong.blogspot.com/2021/04/jenkins.html
[Research] Jenkins 2.190.3 migration from an old host to a new host (Win2019)
https://shaurong.blogspot.com/2019/12/jenkins-21903-win2019.html
[Research] Jenkins 2.121.1 LTS + JDK 8 + Maven 3.5.3 installation (Windows 2016)
https://shaurong.blogspot.com/2018/06/jenkins-21211-lts-jdk-maven-windows-2016.html
[Research] Jenkins 2.121.1 LTS + JDK installation (Windows 2016)
https://shaurong.blogspot.com/2018/06/jenkins-21211-lts-jdk-windows-2016.html
[Research] Jenkins 2.128 Weekly installation (Windows 2016)
https://shaurong.blogspot.com/2018/06/jekins-2128-weekly-windows-2016.html
[Research] Jenkins 2.121.1 LTS installation (Windows 2016)
https://shaurong.blogspot.com/2018/06/jekins-21211-lts-windows-2016.html
[Research] Jenkins 2.68.1-1 installation (CentOS 7.3 x64)
https://shaurong.blogspot.com/2017/07/jenkins-2681-1-centos-73-x64.html
[Research] Jenkins 1.635 installation (CentOS 7.1 x64)
https://shaurong.blogspot.com/2015/10/jenkins-1635-centos-71-x64.html
[Research] Jenkins 1.635 installation (Windows 2012 R2)
https://shaurong.blogspot.com/2015/10/jenkins-1635-windows-2012-r2.html