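// Declarative Jenkins pipeline: installs the Mayhem CLI, builds and pushes the
// lighttpd image to the Mayhem Docker registry, then runs one Mayhem for Code
// job per matrix target and publishes the JUnit/SARIF results.
//
// Shell-variable convention inside the sh steps:
//   \${NAME}  -> expanded by the shell at run time (credentials, env vars)
//   ${NAME}   -> expanded by Groovy when the script text is built
// Credentials must only ever use the first form: Groovy interpolation writes the
// secret into the generated script file, outside Jenkins' log masking.
pipeline {
    agent any
    stages {
        stage('Setup') {
            steps {
                echo 'Setting up..'
                withCredentials([usernamePassword(credentialsId: 'MAYHEM_CREDENTIALS', usernameVariable: 'MAYHEM_USERNAME', passwordVariable: 'MAYHEM_TOKEN')]) {
                    // MAYHEM_URL is assumed to be a binding defined outside this file
                    // (folder/global environment) — it is not a secret, so Groovy
                    // interpolation is kept; the token and username are not.
                    sh """
                        # Setup aarch64 (preinstalled) and x86_64 (download to install)
                        mkdir -p ~/bin
                        export PATH=\${PATH}:~/bin
                        # -f: fail on an HTTP error instead of saving the error page as the binary.
                        # NOTE(review): the download is not checksum- or signature-verified;
                        # confirm whether a digest is published to pin against.
                        curl -fLo ~/bin/mayhem-x86_64 "${MAYHEM_URL}/cli/Linux/mayhem" && chmod +x ~/bin/mayhem-x86_64
                        # Login to mayhem and docker (secrets read from the withCredentials environment)
                        mayhem-\$(arch) login --url "${MAYHEM_URL}" --token "\${MAYHEM_TOKEN}"
                        REGISTRY=\$(mayhem-\$(arch) docker-registry)
                        echo "\${MAYHEM_TOKEN}" | docker login -u "\${MAYHEM_USERNAME}" --password-stdin "\${REGISTRY}"
                    """
                }
            }
        }
        stage('Build') {
            steps {
                echo 'Building..'
                // BRANCH_NAME is read as a shell variable so a branch name is never
                // spliced into the script text by Groovy; it is quoted to keep it one word.
                sh """
                    echo "Compiling the code..."
                    export PATH=\${PATH}:~/bin
                    REGISTRY=\$(mayhem-\$(arch) docker-registry)
                    docker build --platform=linux/amd64 -t "\${REGISTRY}/lighttpd:\${BRANCH_NAME}" .
                    docker push "\${REGISTRY}/lighttpd:\${BRANCH_NAME}"
                    echo "Compile complete."
                """
            }
        }
        stage('Mayhem for Code') {
            matrix {
                agent any
                axes {
                    axis {
                        name 'TARGET'
                        // Fixed literals, so Groovy interpolation of ${TARGET} below is safe.
                        values 'lighttpd', 'mayhemit'
                    }
                }
                stages {
                    stage('Mayhem for Code') {
                        steps {
                            echo 'Scanning..'
                            sh """#!/bin/bash
                                # With an explicit shebang Jenkins does not add its default -e, so
                                # without this the non-zero exit of 'wait --fail-on-defects' (not the
                                # last command) would be discarded and the stage could pass.
                                set -eo pipefail
                                export PATH=\${PATH}:~/bin
                                REGISTRY=\$(mayhem-\$(arch) docker-registry)
                                # Run Mayhem; stderr is suppressed so only the run identifier is captured
                                run=\$(mayhem-\$(arch) --verbosity info run . --project "forallsecure-demo/mcode-action-examples/${TARGET}" --owner forallsecure-demo --image "\${REGISTRY}/lighttpd:\${BRANCH_NAME}" --file "mayhem/Mayhemfile.${TARGET}" --duration 60 --branch-name "\${BRANCH_NAME}" --revision "\${GIT_COMMIT}" 2>/dev/null)
                                # Fail if no output was given
                                if [ -z "\${run}" ]; then exit 1; fi
                                # Determine run name: second-to-last '/'-separated component of the identifier
                                runName=\$(echo "\${run}" | awk -F / '{ print \$(NF-1) }')
                                # Wait for job to complete and artifacts to be ready
                                mayhem-\$(arch) --verbosity info wait "\${run}" --owner forallsecure-demo --fail-on-defects --sarif "sarif-\${runName}.sarif" --junit "junit-\${runName}.xml"
                                status=\$(mayhem-\$(arch) --verbosity info show --owner forallsecure-demo --format json "\${run}" | jq '.[0].status')
                                if [[ \${status} == *"stopped"* || \${status} == *"failed"* ]]; then exit 2; fi
                            """
                        }
                    }
                }
                post {
                    always {
                        echo 'Archive....'
                        // Archive and publish whatever was produced, even for a failed cell,
                        // so defect reports from --fail-on-defects are not lost.
                        archiveArtifacts artifacts: 'junit-*.xml, sarif-*.sarif',
                                         allowEmptyArchive: true,
                                         fingerprint: true,
                                         onlyIfSuccessful: false
                        junit 'junit-*.xml'
                        recordIssues(
                            enabledForFailure: true,
                            tool: sarif(id: "sarif-${TARGET}", pattern: 'sarif-*.sarif')
                        )
                    }
                }
            }
        }
    }
}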