SAP / jenkins-library

Jenkins shared library for Continuous Delivery pipelines.
https://www.project-piper.io
Apache License 2.0

Detect Scan: evaluate oss and ip compliance issues and create report #2968

Closed OliverNocon closed 2 years ago

OliverNocon commented 3 years ago

Detect scan so far relies purely on reports created by BlackDuck.

So far there is no evaluation of custom thresholds for compliance issues.

In order to allow easy evaluation of issues the step should retrieve vulnerabilities / compliance issues from the backend via API and based on that also create a report. This report can then be archived in Jenkins and also used as input for creating a GitHub issue on the team's source code repository.

A good example of how this can be done is the step whitesourceExecuteScan.

olga1981 commented 3 years ago

@OliverNocon one question reg. "custom thresholds for compliance issues": I assume for security you mean the rule CVSS >= 7. What are the thresholds for compliance? How do they correlate with respective tool policies?
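As an added illustration of the evaluation and report step requested above (retrieve findings, apply custom thresholds such as CVSS >= 7, produce a report that can be archived or posted as a GitHub issue), here is a small Go example. It is not code from jenkins-library or the Detect/Black Duck API: the `Vulnerability` and `PolicyViolation` types, the `Thresholds` and `Report` structs, and the sample findings returned by `SampleFindings` are all assumptions constructed for this example, standing in for whatever the backend API would actually return.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Vulnerability is a simplified security finding as the step would retrieve
// it from the scan backend. The field names are assumptions for this example,
// not the schema of the Detect / Black Duck API.
type Vulnerability struct {
	Component string
	Version   string
	ID        string // vulnerability identifier, e.g. a CVE id
	CVSS      float64
}

// PolicyViolation is a simplified compliance finding (for example a license
// policy rule hit). Again an assumed shape, not the backend's own model.
type PolicyViolation struct {
	Component string
	Version   string
	Policy    string
}

// Thresholds holds the custom limits the step evaluates against.
type Thresholds struct {
	MinCVSS             float64 // a vulnerability with CVSS >= MinCVSS fails the check
	MaxPolicyViolations int     // number of compliance violations tolerated
}

// Report is the evaluation result that can be archived and turned into an issue.
type Report struct {
	TotalVulnerabilities int
	AboveThreshold       []Vulnerability
	PolicyViolations     []PolicyViolation
	Passed               bool
}

// Evaluate applies the thresholds to the findings and returns a report.
// Findings at or above the CVSS limit are listed with the highest score first.
func Evaluate(vulns []Vulnerability, policies []PolicyViolation, t Thresholds) Report {
	r := Report{TotalVulnerabilities: len(vulns), PolicyViolations: policies}
	for _, v := range vulns {
		if v.CVSS >= t.MinCVSS {
			r.AboveThreshold = append(r.AboveThreshold, v)
		}
	}
	sort.Slice(r.AboveThreshold, func(i, j int) bool {
		return r.AboveThreshold[i].CVSS > r.AboveThreshold[j].CVSS
	})
	r.Passed = len(r.AboveThreshold) == 0 && len(policies) <= t.MaxPolicyViolations
	return r
}

// Markdown renders the report as a GitHub-flavoured Markdown table that could
// form the body of an issue on the scanned repository.
func (r Report) Markdown(t Thresholds) string {
	var b strings.Builder
	status := "passed"
	if !r.Passed {
		status = "FAILED"
	}
	fmt.Fprintf(&b, "## Detect scan result: %s\n\n", status)
	fmt.Fprintf(&b, "%d vulnerabilities found, %d at or above CVSS %.1f\n\n",
		r.TotalVulnerabilities, len(r.AboveThreshold), t.MinCVSS)
	if len(r.AboveThreshold) > 0 {
		b.WriteString("| Component | Version | ID | CVSS |\n|---|---|---|---|\n")
		for _, v := range r.AboveThreshold {
			fmt.Fprintf(&b, "| %s | %s | %s | %.1f |\n", v.Component, v.Version, v.ID, v.CVSS)
		}
		b.WriteString("\n")
	}
	fmt.Fprintf(&b, "%d policy violations (max allowed %d)\n", len(r.PolicyViolations), t.MaxPolicyViolations)
	for _, p := range r.PolicyViolations {
		fmt.Fprintf(&b, "- %s %s: %s\n", p.Component, p.Version, p.Policy)
	}
	return b.String()
}

// SampleFindings returns constructed findings used to exercise the evaluation;
// the component names, ids and scores are made up for this example.
func SampleFindings() ([]Vulnerability, []PolicyViolation) {
	vulns := []Vulnerability{
		{Component: "libfoo", Version: "1.2.3", ID: "VULN-EXAMPLE-1", CVSS: 5.3},
		{Component: "libbar", Version: "0.9.0", ID: "VULN-EXAMPLE-2", CVSS: 9.8},
		{Component: "libbaz", Version: "2.0.1", ID: "VULN-EXAMPLE-3", CVSS: 7.0},
		{Component: "libqux", Version: "3.1.0", ID: "VULN-EXAMPLE-4", CVSS: 4.0},
	}
	policies := []PolicyViolation{
		{Component: "libbar", Version: "0.9.0", Policy: "license not on allow list"},
	}
	return vulns, policies
}

func main() {
	vulns, policies := SampleFindings()
	t := Thresholds{MinCVSS: 7.0, MaxPolicyViolations: 0}
	fmt.Print(Evaluate(vulns, policies, t).Markdown(t))
}
```

With the constructed sample, two of the four vulnerabilities are at or above CVSS 7.0 and one policy violation exceeds the allowed zero, so the report is marked FAILED; the same `Report` value can be archived as a build artifact and its Markdown used as the issue body. Keeping the threshold check separate from the rendering is what lets the security and compliance limits be configured independently, which is the distinction the question above is asking about.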

github-actions[bot] commented 2 years ago

Thank you for your contribution! This issue is stale because it has been open 60 days with no activity. In order to keep it open, please remove stale label or add a comment within the next 10 days. If you need a Piper team member to remove the stale label make sure to add @SAP/jenkins-library-team to your comment.

github-actions[bot] commented 2 years ago

Issue got stale and no further activity happened. It has automatically been closed. Please re-open in case you still consider it relevant.