indigo-dc / jenkins-pipeline-library

Jenkins pipeline library with common functionalities for CI/CD environments, mainly targeted for the implementation of the SQA baseline requirements from https://indigo-dc.github.io/sqa-baseline/
Apache License 2.0

Support Find Security Bugs #136

Open samuelbernardolip opened 3 years ago

samuelbernardolip commented 3 years ago

Tool for java security testing: https://find-sec-bugs.github.io/

Jenkins plugin: https://plugins.jenkins.io/findbugs

Documentation: https://find-sec-bugs.github.io/tutorials.htm https://github.com/find-sec-bugs/find-sec-bugs/wiki/Jenkins-Tutorial https://github.com/find-sec-bugs/find-sec-bugs/wiki/Maven-configuration

samuelbernardolip commented 3 years ago

Feedback from Amanda:

Tested the FindTheBugs tool (now it's called SpotBugs) during this week. Found several problems installing the plugin because it's not in the official documentation. Managed to install it in the container and also need to update the Maven version. Require help with the targets that need to be run. Modified the pom.xml to add the spotbugs section as explained here (https://spotbugs.github.io/spotbugs-maven-plugin/usage.html).

Tried to run the tests, but the results by now are: i) errors ii) working fine but it seems that spotbugs is not run

Job output in https://github.com/EOSC-synergy/saps-scheduler/tree/sqa

amcaar commented 3 years ago

Hi, this issue is solved by the Brazilian team, we have found the appropriate way to execute the security tests with this command: mvn -f pom.xml -B -DskipTests clean package com.github.spotbugs:spotbugs-maven-plugin:check

We can also add the -fn option to obtain the security report but avoiding the pipeline fails because of the security problems. I think we can close the issue.
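Running the command above with -fn means the build no longer stops on findings, so the pipeline needs its own step to read the report and decide. The following is an added example, not code from this library or from the SpotBugs project: it parses the spotbugsXml.xml that spotbugs-maven-plugin writes under target/, keeps only the findings find-sec-bugs tags with category="SECURITY", and fails only on high-priority ones. The report embedded in it is a constructed sample, not output from the saps-scheduler job.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the shape of target/spotbugsXml.xml as written by
# spotbugs-maven-plugin when the findsecbugs plugin is loaded; not real job output.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<BugCollection version="4.7.3" sequence="0" timestamp="0" analysisTimestamp="0" release="">
  <BugInstance type="SQL_INJECTION_JDBC" priority="1" rank="5" abbrev="SECSQLIJDBC" category="SECURITY">
    <Class classname="org.example.Repo"/>
    <SourceLine classname="org.example.Repo" start="42" end="42" sourcefile="Repo.java"/>
  </BugInstance>
  <BugInstance type="PREDICTABLE_RANDOM" priority="2" rank="12" abbrev="SECPR" category="SECURITY">
    <Class classname="org.example.Token"/>
    <SourceLine classname="org.example.Token" start="17" end="17" sourcefile="Token.java"/>
  </BugInstance>
  <BugInstance type="DM_DEFAULT_ENCODING" priority="2" rank="18" abbrev="Dm" category="I18N">
    <Class classname="org.example.Io"/>
  </BugInstance>
</BugCollection>
"""

def security_findings(report_xml: str) -> list:
    """Extract the find-sec-bugs findings: SpotBugs tags them category="SECURITY"."""
    findings = []
    for bug in ET.fromstring(report_xml).iter("BugInstance"):
        if bug.get("category") != "SECURITY":
            continue  # ordinary SpotBugs correctness/style findings are not gated here
        line = bug.find("SourceLine")
        findings.append({
            "type": bug.get("type"),
            "priority": int(bug.get("priority", "3")),  # 1 = high, 2 = medium, 3 = low
            "location": f"{line.get('sourcefile')}:{line.get('start')}" if line is not None else "?",
        })
    return findings

def gate(findings: list, max_priority: int = 1) -> bool:
    """True when the build may pass: no SECURITY finding at priority <= max_priority."""
    return not any(f["priority"] <= max_priority for f in findings)

if __name__ == "__main__":
    # After `mvn -fn ... spotbugs-maven-plugin:check` the report exists even when check fails.
    path = sys.argv[1] if len(sys.argv) > 1 else "target/spotbugsXml.xml"
    try:
        xml_text = open(path, encoding="utf-8").read()
    except FileNotFoundError:
        xml_text = SAMPLE_REPORT  # fall back to the constructed sample for a dry run
    found = security_findings(xml_text)
    for f in found:
        print(f"P{f['priority']} {f['type']} at {f['location']}")
    sys.exit(0 if gate(found) else 1)
```

The exit code is what a Jenkins sh step would act on, so the security report is always archived while only high-priority findings break the build.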

samuelbernardolip commented 3 years ago

Thank you @amcaar I will leave this issue open to link it with the maven tool development.