convert dependency check stage to using npm

refs DE-706 The snykSecurity() plugin doesn’t seem to work on EKS, fortunately we can convert it to using the npm package instead which also reduces complexity. Test Plan 1. Dependency check runs and reports results to snyk on EC2 2. Dependency check runs and reports results to snyk on EKS Change-Id: I317ffe8c90cda6754a2ad5df7227224450b86546 Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/266779 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Reviewed-by: Andrea Cirulli <andrea.cirulli@instructure.com> QA-Review: Aaron Ogata <aogata@instructure.com> Product-Review: Aaron Ogata <aogata@instructure.com>
2021-06-09 15:10:16 -07:00 · 2021-06-09 15:10:16 -07:00 · 3400c31a83
parent 71069b8373
commit 3400c31a83
4 changed files with 54 additions and 16 deletions
--- a/2
+++ b/2
@ -462,7 +462,7 @@ pipeline {
                .hooks([onNodeAcquired: lintersStage.&setupNode])
                .nodeRequirements(label: 'canvas-docker', podTemplate: libraryResource('/pod_templates/docker_base.yml'), container: 'docker')
                .required(configuration.isChangeMerged())
-                .execute(lintersStage.&dependencyCheckStage)
+                .execute(dependencyCheckStage.&call)

              extendedStage('Linters')
                .hooks([onNodeAcquired: lintersStage.&setupNode, onNodeReleasing: lintersStage.&tearDownNode])
--- a/build/new-jenkins/library/vars/dependencyCheckStage.groovy
+++ b/build/new-jenkins/library/vars/dependencyCheckStage.groovy
@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2021 - present Instructure, Inc.
+ *
+ * This file is part of Canvas.
+ *
+ * Canvas is free software: you can redistribute it and/or modify it under
+ * the terms of the GNU Affero General Public License as published by the Free
+ * Software Foundation, version 3 of the License.
+ *
+ * Canvas is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+ * A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU Affero General Public License along
+ * with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+def setupNode() {
+  distribution.unstashBuildScripts()
+
+  sh './build/new-jenkins/docker-with-flakey-network-protection.sh pull $LINTERS_RUNNER_IMAGE'
+}
+
+def call() {
+  credentials.withSnykCredentials {
+    sh './build/new-jenkins/linters/run-snyk.sh'
+  }
+}
--- a/build/new-jenkins/library/vars/lintersStage.groovy
+++ b/build/new-jenkins/library/vars/lintersStage.groovy
@ -75,21 +75,6 @@ def codeStage() {
  }
 }

-def dependencyCheckStage() {
-  catchError (buildResult: 'SUCCESS', stageResult: 'UNSTABLE') {
-    try {
-      snyk('canvas-lms:ruby', 'Gemfile.lock', "$LINTERS_RUNNER_IMAGE")
-    }
-    catch (err) {
-      if (err.toString().contains('Gemfile.lock does not exist')) {
-        snyk('canvas-lms:ruby', 'Gemfile.lock.next', "$LINTERS_RUNNER_IMAGE")
-      } else {
-        throw err
-      }
-    }
-  }
-}
-
 def masterBouncerStage() {
  credentials.withMasterBouncerCredentials {
    sh 'build/new-jenkins/linters/run-master-bouncer.sh'
--- a/build/new-jenkins/linters/run-snyk.sh
+++ b/build/new-jenkins/linters/run-snyk.sh
@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -o errexit -o errtrace -o nounset -o pipefail -o xtrace
+
+cat <<EOF | docker run --interactive $LINTERS_RUNNER_IMAGE /bin/bash -
+set -ex
+
+TEST_FILE=""
+
+if test -f "Gemfile.lock"; then
+  TEST_FILE="Gemfile.lock"
+elif test -f "Gemfile.lock.next"; then
+  TEST_FILE="Gemfile.lock.next"
+else
+  echo "could not find any supported file to check"
+  exit 1
+fi
+
+echo "checking \$TEST_FILE with snyk"
+
+npx snyk auth $SNYK_TOKEN
+npx snyk test --severity-threshold=low --file=\$TEST_FILE --org=instructure --project-name=canvas-lms:ruby --packageManager=rubygems || true
+npx snyk monitor --severity-threshold=low --file=\$TEST_FILE --org=instructure --project-name=canvas-lms:ruby --packageManager=rubygems
+EOF