From 3400c31a83e844e5033f66f0c2db31c58877bcca Mon Sep 17 00:00:00 2001 From: Aaron Ogata Date: Wed, 9 Jun 2021 15:10:16 -0700 Subject: [PATCH] convert dependency check stage to using npm MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit refs DE-706 The snykSecurity() plugin doesn’t seem to work on EKS, fortunately we can convert it to using the npm package instead which also reduces complexity. Test Plan 1. Dependency check runs and reports results to snyk on EC2 2. Dependency check runs and reports results to snyk on EKS Change-Id: I317ffe8c90cda6754a2ad5df7227224450b86546 Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/266779 Tested-by: Service Cloud Jenkins Reviewed-by: Andrea Cirulli QA-Review: Aaron Ogata Product-Review: Aaron Ogata --- Jenkinsfile | 2 +- .../library/vars/dependencyCheckStage.groovy | 29 +++++++++++++++++++ .../library/vars/lintersStage.groovy | 15 ---------- build/new-jenkins/linters/run-snyk.sh | 24 +++++++++++++++ 4 files changed, 54 insertions(+), 16 deletions(-) create mode 100644 build/new-jenkins/library/vars/dependencyCheckStage.groovy create mode 100755 build/new-jenkins/linters/run-snyk.sh
diff --git a/Jenkinsfile b/Jenkinsfile
index 6a5913df8e9..bd44157f757 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -462,7 +462,7 @@ pipeline {
 .hooks([onNodeAcquired: lintersStage.&setupNode])
 .nodeRequirements(label: 'canvas-docker', podTemplate: libraryResource('/pod_templates/docker_base.yml'), container: 'docker')
 .required(configuration.isChangeMerged())
- .execute(lintersStage.&dependencyCheckStage)
+ .execute(dependencyCheckStage.&call)
 extendedStage('Linters')
 .hooks([onNodeAcquired: lintersStage.&setupNode, onNodeReleasing: lintersStage.&tearDownNode])
diff --git a/build/new-jenkins/library/vars/dependencyCheckStage.groovy b/build/new-jenkins/library/vars/dependencyCheckStage.groovy
new file mode 100644
index 00000000000..6875d860a4e
--- /dev/null
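Review bot: The `.hooks([onNodeAcquired: lintersStage.&setupNode])` context line just above the changed `.execute(...)` still wires this stage to the linters setup, while the commit adds a `setupNode()` to the new `dependencyCheckStage` var that none of the visible hunks reference. If the new helper is meant to own this stage's setup, the hook should become `.hooks([onNodeAcquired: dependencyCheckStage.&setupNode])`; otherwise it is dead code and can be left out of the new file. The stage's opening line is outside the hunk, so I am assuming the hook belongs to the same builder chain.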
+++ b/build/new-jenkins/library/vars/dependencyCheckStage.groovy
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2021 - present Instructure, Inc.
+ *
+ * This file is part of Canvas.
+ *
+ * Canvas is free software: you can redistribute it and/or modify it under
+ * the terms of the GNU Affero General Public License as published by the Free
+ * Software Foundation, version 3 of the License.
+ *
+ * Canvas is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+ * A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU Affero General Public License along
+ * with this program. If not, see .
+ */
+
+def setupNode() {
+ distribution.unstashBuildScripts()
+
+ sh './build/new-jenkins/docker-with-flakey-network-protection.sh pull $LINTERS_RUNNER_IMAGE'
+}
+
+def call() {
+ credentials.withSnykCredentials {
+ sh './build/new-jenkins/linters/run-snyk.sh'
+ }
+}
diff --git a/build/new-jenkins/library/vars/lintersStage.groovy b/build/new-jenkins/library/vars/lintersStage.groovy
index de0dad17de4..fd447bd680d 100644
--- a/build/new-jenkins/library/vars/lintersStage.groovy
+++ b/build/new-jenkins/library/vars/lintersStage.groovy
@@ -75,21 +75,6 @@ def codeStage() {
 }
 }
-def dependencyCheckStage() {
- catchError (buildResult: 'SUCCESS', stageResult: 'UNSTABLE') {
- try {
- snyk('canvas-lms:ruby', 'Gemfile.lock', "$LINTERS_RUNNER_IMAGE")
- }
- catch (err) {
- if (err.toString().contains('Gemfile.lock does not exist')) {
- snyk('canvas-lms:ruby', 'Gemfile.lock.next', "$LINTERS_RUNNER_IMAGE")
- } else {
- throw err
- }
- }
- }
-}
-
 def masterBouncerStage() {
 credentials.withMasterBouncerCredentials {
 sh 'build/new-jenkins/linters/run-master-bouncer.sh'
diff --git a/build/new-jenkins/linters/run-snyk.sh b/build/new-jenkins/linters/run-snyk.sh
new file mode 100755
index 00000000000..8276cb91573
--- /dev/null
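Review bot: `call()` in the new `dependencyCheckStage.groovy` runs `run-snyk.sh` inside `credentials.withSnykCredentials`, and that script turns on `xtrace`, so any command line that expands the Snyk token would be written to the build log; Jenkins' secret masking only catches the exact bound value. The script body is cut off on this page, so this is unconfirmed, but I would drop `-o xtrace` from its `set` line or bracket the token-using command with `set +o xtrace`, and hand the token over through the environment rather than as an argument. Separately, the removed `lintersStage.dependencyCheckStage` wrapped the scan in `catchError (buildResult: 'SUCCESS', stageResult: 'UNSTABLE')` and `call()` has no equivalent, so with `errexit` a scanner or network failure would presumably now fail the post-merge build. If that is intended, a one-line comment on `call()` saying so would help the next maintainer.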
+++ b/build/new-jenkins/linters/run-snyk.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -o errexit -o errtrace -o nounset -o pipefail -o xtrace
+
+cat <