jenkinsci / fortify-plugin

Fortify Jenkins plugin
https://plugins.jenkins.io/fortify

Fortify plugin in pipeline job #13

Closed raghanag closed 4 years ago

raghanag commented 4 years ago

Hi, I am trying to use the Fortify plugin in the pipeline syntax. Here is my Jenkinsfile, and I am getting the below error. I have followed the steps mentioned here. Any help would be appreciated. I checked the env variables and my FORTIFY_HOME is pointing to /tools/fortify/bin.

```groovy
pipeline {
  agent {
    kubernetes {
      cloud 'kubernetes'
      label 'k8s-agent'
    }
  }

  tools { nodejs "nodejs-10.15.3" }
  options {
    timeout(time: 30, unit: 'MINUTES')
  }
  stages {
    stage('fortify scan'){
      steps {
        // The single-quoted ${JOB_NAME}-${BUILD_NUMBER} is not interpolated by Groovy;
        // the plugin expands it itself (the log below shows "-b demo-naga-230")
        fortifyClean addJVMOptions: '', buildID: '${JOB_NAME}-${BUILD_NUMBER}', debug: true, logFile: '', maxHeap: '', verbose: true
        fortifyTranslate addJVMOptions: '', buildID: '${JOB_NAME}-${BUILD_NUMBER}', excludeList: '', logFile: './${JOB_NAME}-${BUILD_NUMBER}-translation.log', maxHeap: '', projectScanType: fortifyJava(javaAddOptions: '', javaClasspath: '', javaSrcFiles: '"packages/ui-components/src/**/*"', javaVersion: '1.8')
        fortifyScan addJVMOptions: '-64', addOptions: '', buildID: '${JOB_NAME}-${BUILD_NUMBER}', customRulepacks: '', logFile: './${JOB_NAME}-${BUILD_NUMBER}-scan.log', maxHeap: '8000', resultsFile: '${JOB_NAME}-${BUILD_NUMBER}-results.fpr'
        fortifyUpload appName: 'Demo', appVersion: 'Rel13', failureCriteria: '[fortify priority order]:critical OR high', filterSet: '', pollingInterval: '', resultsFile: ''
        // Generate a PDF report from the FPR report (here the shell expands the variables)
        sh 'pwd'
        sh '/tools/fortify/bin/BIRTReportGenerator -template "Developer Workbook" -source ${JOB_NAME}-${BUILD_NUMBER}-results.fpr -output ${JOB_NAME}-${BUILD_NUMBER}-results.pdf -format PDF -showSuppressed -UseFortifyPriorityOrder'
      }
    }
  }
}
```

```text
Fortify Jenkins plugin v 19.1.29
Launching Fortify SCA scan command
executable not found: sourceanalyzer
    home: /tools/fortify/bin
    path: null
    workspace: /home/jenkins/demo/workspace/demo-naga
[demo-naga] $ sourceanalyzer -Dcom.fortify.sca.ProjectRoot=/home/jenkins/demo/workspace/demo-naga/.fortify -b demo-naga-230 -Xmx8000M -64 -logfile ./demo-naga-230-scan.log -scan -f demo-naga-230-results.fpr
```

young-s-park commented 4 years ago

@raghanag This "error" message can be a little misleading. If the sourceanalyzer executable cannot be found in the FORTIFY_HOME, it will attempt to run as if it were on the system PATH. The command you see on the next line is what gets executed. So if you have the PATH set on your system, and sourceanalyzer is on that PATH, then it should execute properly.

raghanag commented 4 years ago

@young-s-park Does that mean my Fortify commands are executing as expected? How can I verify whether it's executing as expected or not?
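One way to answer the verification question, as an added example that is not part of the thread or of the plugin: a POSIX shell helper that mirrors the lookup order the plugin's log describes (FORTIFY_HOME first, then PATH as the fallback) and reports which sourceanalyzer a step on the agent would actually run. The function names resolve_sca and check_sca and the file name check_sca.sh are my own; run it from an `sh` step so it sees the agent's environment rather than the controller's.

```shell
#!/bin/sh
# Added example (not plugin code): which sourceanalyzer would a step on this
# agent run? Mirrors the order the plugin log shows: FORTIFY_HOME first, then PATH.

# resolve_sca HOME_DIR: print the executable that would be used, fail if none.
resolve_sca() {
    home="$1"
    # The OP pointed FORTIFY_HOME at .../fortify/bin, so accept both layouts.
    if [ -n "$home" ]; then
        for cand in "$home/bin/sourceanalyzer" "$home/sourceanalyzer"; do
            if [ -x "$cand" ]; then
                printf '%s\n' "$cand"
                return 0
            fi
        done
    fi
    # Fallback: the agent's PATH (the "executable not found" case in the log).
    command -v sourceanalyzer 2>/dev/null
}

# check_sca HOME_DIR: human-readable report for an `sh` step placed before fortifyScan.
check_sca() {
    home="$1"
    found=$(resolve_sca "$home") || {
        echo "sourceanalyzer: not under '$home' and not on PATH=$PATH" >&2
        return 1
    }
    if [ -n "$home" ] && [ "${found#"$home"/}" != "$found" ]; then
        echo "sourceanalyzer: FORTIFY_HOME copy $found"
    else
        echo "sourceanalyzer: FORTIFY_HOME miss, PATH fallback $found"
    fi
}

# Typical use from a Jenkinsfile step on the agent (hypothetical file name):
#   sh './check_sca.sh "$FORTIFY_HOME" && sourceanalyzer -version'
case "$0" in */check_sca.sh|check_sca.sh) check_sca "${1:-$FORTIFY_HOME}" ;; esac
```

If the report says "PATH fallback" on the agent but the controller's log still says "executable not found", the two machines simply have different environments, which is the situation the later comments describe.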

ilatypov commented 4 years ago

The PATH+EXTRA system works for Scripted Pipeline. If it does not work for Declarative, please file a separate RFE in pipeline-model-definition-plugin. The workaround would, I guess, be something like (untested):

```groovy
environment {
    STUFF = "${MTI_HOME}/linux:${MTI_HOME}/bin:${QUARTUS_HOME}/bin:${DCP_LOC}/bin"
}
// …
steps {
    withEnv(["PATH+EXTRA=$STUFF"]) {
        sh 'whatever'
    }
}
```

https://issues.jenkins-ci.org/browse/JENKINS-41339?focusedCommentId=357645&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-357645

ilatypov commented 4 years ago

The "does not work for Declarative" part settled in my head only now.

```groovy
pipeline {
    environment {
        EXTRAPATH = "TOOLDIR/fortify/bin"
        PATH = "${env.PATH}:${EXTRAPATH}"
    }
    stages {
        // [..]
        stage('Fortify translate') {
            steps {
                // Parenthesised so the argument map stays on the same statement as the step
                fortifyTranslate(projectScanType: fortifyMaven3(mavenOptions:
                    "package -Dfortify.sca.sourceanalyzer.executable=TOOLDIR/fortify/bin/sourceanalyzer"))
            }
        }
    }
}
```

ilatypov commented 4 years ago

The above stops working if the FORTIFY_HOME variable needs defining separately for each machine or label. I think it's because the following line runs on the server (thanks, declarative pipelines?).

https://github.com/jenkinsci/fortify-plugin/blob/8bc3a30de117a906abe81c52021cc2a5a3941fb8/src/main/java/com/fortify/plugin/jenkins/steps/FortifyClean.java#L72

My current work-around is to define hard-coded default values for the pipeline "parameters", even for the agent "master", which runs on the same machine as the server...

```groovy
    agent {
        label 'master'
    }

    parameters {
        string(name: 'FORTIFY_HOME', defaultValue: "/MYTOOLDIR/fortify",
            description: 'A work-around to the plugin using FORTIFY_HOME of the Jenkins server instead of that of the agent')
        string(name: 'PATH', defaultValue:
            "/MYTOOLDIR/fortify/bin:/usr/local/FOO/bin:/usr/local/openjdk-8/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
            description: 'A work-around to the plugin using PATH of the Jenkins server instead of that of the agent')
    }
```

I wish Jenkins in general and this plugin in particular gave precedence to the agent's environment. I did not try to find the exact API to fetch that in the context of the plugin running on the server but aiming at the given "agent".

ashnazg commented 4 years ago

The OP's description seems to match my suspicion that when using the plugin in a container, the executable search might be running on the master rather than in the container, and thus the executable isn't found... but then in 19.x, the code doesn't bail out at this point, and the "system PATH" option in the container can be allowed to work. Now in 20.x, an exception is thrown by that first executable search, giving no chance for a container to try the "system PATH" way.

See #21 and #23... I'm thinking this plugin's previous ability to work in a container might have been unintentional / coincidental, but now 20.x prevents it.

vrulevskyi commented 4 years ago

Hi @raghanag, this issue has been fixed in a new Fortify Jenkins plugin release, v20.2.34. Please check it out. In case you need further help, please reopen this issue or create another one. Closing the issue for now.