From f39b3310ed00c93b409bf95ce81dad7c6cd3ba9a Mon Sep 17 00:00:00 2001
From: Christian Sagel
Date: Fri, 29 Apr 2022 10:47:31 +0200
Subject: [PATCH] Add snyk integration (#56)

## Decription
This patch adds snyk monitoring to the build pipeline. It will hook itself into the check and publish stages. The patch also sets a dependency helper plugin net.wooga.cve-dependency-resolution which applies overrides for dependencies with know fixes for security issues.
## Changes
* ![ADD] `snyk` monitoring
* ![ADD] `net.wooga.snyk-wdk-java` snyk convention plugin
* ![ADD] `net.wogoa.cve-dependency-resolution` plugin
---
 Jenkinsfile     | 3 ++-
 build.gradle    | 24 ++++++++++++++++--------
 settings.gradle | 6 ++++++
 3 files changed, 24 insertions(+), 9 deletions(-)

diff --git a/Jenkinsfile b/Jenkinsfile
index 92c299d..3c5e124 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -23,7 +23,8 @@
     usernamePassword(credentialsId: 'github_integration', passwordVariable: 'githubPassword', usernameVariable: 'githubUser'),
     usernamePassword(credentialsId: 'github_integration_2', passwordVariable: 'githubPassword2', usernameVariable: 'githubUser2'),
     usernamePassword(credentialsId: 'npm_test_credentials', passwordVariable: 'npm_test_credentials_pass', usernameVariable: 'npm_test_credentials_user'),
-    string(credentialsId: 'atlas_node_release_coveralls_token', variable: 'coveralls_token')]) {
+    string(credentialsId: 'atlas_node_release_coveralls_token', variable: 'coveralls_token'),
+    string(credentialsId: 'atlas_plugins_snyk_token', variable: 'SNYK_TOKEN')]) {
 
     def testEnvironment = [
         'macos' : [
diff --git a/build.gradle b/build.gradle
index 2052e01..71844b9 100644
--- a/build.gradle
+++ b/build.gradle
@@ -16,7 +16,10 @@
  */
 
 plugins {
-    id 'net.wooga.plugins' version '3.0.0-rc.2'
+    id 'net.wooga.plugins' version '3.1.0'
+    id 'net.wooga.snyk' version '0.10.0'
+    id "net.wooga.snyk-gradle-plugin" version "0.2.0"
+    id "net.wooga.cve-dependency-resolution" version "0.4.0"
 }
 
 group 'net.wooga.gradle'
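Review bot: The new binding names its variable `SNYK_TOKEN` while every neighbouring binding in the hunk uses a lowercase name, and nothing says why; if the name is dictated by the snyk tooling reading that variable from the environment, record it: `// SNYK_TOKEN: name is fixed by the snyk tooling, which reads it from the environment`. The credential is bound for the whole withCredentials block, so it is presumably visible to every stage inside it, including the ones that execute project and dependency code during tests, not only the check and publish stages the description mentions; if the block can be narrowed to the stages that actually call snyk, a compromised test dependency gets less to read. The withCredentials block opens and closes outside this hunk.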
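Review bot: The description lists `net.wooga.snyk-wdk-java` as the convention plugin, but the plugins block applies `net.wooga.snyk-gradle-plugin` 0.2.0, so one of the two should be corrected before merge to keep the commit record and the build in agreement. The two new ids also switch from the single quotes used on the `net.wooga.plugins` and `net.wooga.snyk` lines to double quotes; keep one style in the block, e.g. `id 'net.wooga.snyk-gradle-plugin' version '0.2.0'` and `id 'net.wooga.cve-dependency-resolution' version '0.4.0'`. Pinning exact versions for plugins that rewrite dependency resolution is the right call and worth a short comment, `// exact versions on purpose: these plugins alter dependency resolution`.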
@@ -31,7 +34,7 @@ repositories {
 
 dependencies {
     // TODO: Figure out how to address this once the below rejected versions finally work, they don't work when resolved to
-    testImplementation('org.jfrog.artifactory.client:artifactory-java-client-services:(2.9, 3]') {
+    testImplementation('org.jfrog.artifactory.client:artifactory-java-client-services:[2.9, 3[') {
         exclude module: 'logback-classic'
         version {
             reject("2.11.1", "2.11.0")
@@ -39,16 +42,16 @@ dependencies {
         }
     }
     testImplementation 'org.kohsuke:github-api:1.3+'
-    testImplementation 'com.wooga.gradle:gradle-commons-test:(1,2]'
+    testImplementation 'com.wooga.gradle:gradle-commons-test:[1,2['
 
-    implementation 'org.ajoberstar.grgit:grgit-core:(4.1,5]'
-    implementation 'org.ajoberstar.grgit:grgit-gradle:(4.1,5]'
+    implementation 'org.ajoberstar.grgit:grgit-core:[4.1.1,5['
+    implementation 'org.ajoberstar.grgit:grgit-gradle:[4.1.1,5['
     implementation "com.github.node-gradle:gradle-node-plugin:3.2.1"
 
     // Internal wooga plugins
-    implementation 'com.wooga.gradle:gradle-commons:(1,2]'
-    implementation 'gradle.plugin.net.wooga.gradle:atlas-version:1+'
-    implementation 'gradle.plugin.net.wooga.gradle:atlas-github:(2, 3]'
+    implementation 'com.wooga.gradle:gradle-commons:[1,2['
+    implementation 'gradle.plugin.net.wooga.gradle:atlas-version:[1,2['
+    implementation 'gradle.plugin.net.wooga.gradle:atlas-github:[2, 3['
 }
 
 pluginBundle {
@@ -71,3 +74,8 @@ gradlePlugin {
 github {
     repositoryName = "wooga/atlas-node-release"
 }
+
+cveHandler {
+    configurations("compileClasspath", "runtimeClasspath", "testCompileClasspath", "testRuntimeClasspath", "integrationTestCompileClasspath", "integrationTestRuntimeClasspath")
+}
+
diff --git a/settings.gradle b/settings.gradle
index 1e31479..f801ff8 100644
--- a/settings.gradle
+++ b/settings.gradle
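Review bot: Every range in this hunk and in the following hunk at `@@ -39,16 +42,16 @@` stays open within its major (`[2.9, 3[`, `[1,2[`, `[4.1.1,5[`, `[2, 3[`), so together with the overrides applied by the new cve-dependency-resolution plugin the resolved graph can change between two builds of the same commit, which makes a build hard to reproduce or to audit after a vulnerability report. Consider adding `dependencyLocking { lockAllConfigurations() }` and committing the lock state, so upgrades, including those forced by the CVE overrides, show up as reviewable diffs. The rewrite also changes bound semantics rather than only notation, the lower version is now accepted and the next major is now excluded on most lines, which the description does not mention; a comment above the block, `// ranges are [inclusive, exclusive[ on purpose: stay within the current major`, would make that intent explicit. The dependencies block opened here closes in the next hunk.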
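Review bot: The cveHandler block at `@@ -71,3 +74,8 @@` hard-codes six configuration names, so any configuration introduced later (another source set, or `annotationProcessor`) silently stays outside the CVE overrides, and the `integrationTest*` names only resolve if that source set is declared somewhere this hunk cannot show. A comment stating the intent helps keep the list in sync, `// all resolvable classpaths of main, test and integrationTest; extend when a source set is added`, and if the plugin offers a way to target every resolvable configuration that is preferable to an explicit list.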
@@ -31,5 +31,11 @@ include 'shared'
 include 'api'
 include 'services:webservice'
 */
 
+pluginManagement {
+    repositories {
+        mavenCentral()
+        gradlePluginPortal()
+    }
+}
 rootProject.name = 'atlas-node-release'
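Review bot: Gradle only accepts `pluginManagement {}` as the first statement of settings.gradle, and this hunk inserts it around line 31; the visible context (`include ...` lines followed by `*/`) suggests everything above is a block comment, but confirm nothing executable precedes it, otherwise the build fails at configuration time. Listing `mavenCentral()` ahead of `gradlePluginPortal()` means plugin marker artifacts are looked up in Maven Central first; either put `gradlePluginPortal()` first or record the reason, `// mavenCentral first: <reason>`, and consider repository content filtering (`content { includeGroup '...' }`) so that each plugin group is served only by the repository it is expected to come from.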