I have SQ setup on Jenkins, and the project I’d like to scan now has two separate repositories, and I essentially need the dependencies from both pom.xml’s to successfully scan one API.
How can I add a Jenkins step to scan one pom.xml in repo A, then scan pom.xml from repo B, all before it fails.
So in your case, you need repo A to be available since repo B has dependencies generated from repo A?
I guess that if you want two generate two separate scans, you can add a step in your Jenkins Job to clone and scan then the repo. But it's not really clean as you're mixing 2 CI/CD.
Maybe an idea would be to install the POM modules in a shared .m2 repository or something like a Nexus repo, so that all dependencies are shared among projects.
Sorry if this is not clear.
Related
I implemented an OWASP Dependency Checker like https://github.com/dependency-check/Dependency-Check_Action. But I do not use the CLI, I use the maven plugin. Every night a docker image is build via the GitHub Actions to get the latest vulnerabilities database, which is stored in the .m2 directory.
So, now I want to use this action in a GitHub Workflow. Everything works fine apart from one use case: To build and install a maven project to the local .m2 repository and enable my action to access these artifacts.
Extract from workflow file
- uses: actions/setup-java#v3
with:
distribution: temurin
java-version: '17'
cache: maven <- local maven repo
- mvn install ...
- uses: mycoolaction#main <- create another intern maven repo in the docker image. this want the artifacts from the prev mvn install
Can I pass the maven repo from the runner to my action? Or copy the artifacts?
Things I have tried:
Docker Image is built at start up. Artifacts do not exists at this point. I cannot copy the files from the action - and maybe here are some security gates?
Actions like https://github.com/addnab/docker-run-action and mounting the .m2 als volume. Did not work out. But probably worth to investigate further.
Do you think it is possible to achieve the merge of the two .m2 repos (runner and action)? Am I missing something?
P.S. I want to maintain the OWASP check via gloabl workflows and not maintaining every single pom in the organization.
While I am writing this, I think of a solution via parent pom. But on a new version I would also have to update each pom to the new version...
I would be very grateful if someone could share his or her experience and opinion with me to achieve the best maintainable solution in this case.
Thanks in advance!
I am working with a project that consists of several (3 or 4) git repositories. Each repository uses maven to build it.
I need to run fortify against all the repositories, but I want just a single fpr report containing the results for all the repositories not one per repository.
Is there a recommended way to do this?
Note: there is no overarching pom.xml that builds the entire application just individual pom.xml files for each repository.
Any tips would be appreciated.
We are using Fortify 16.11 on a Linux server.
Translate all the repositories into the same build id (-b <build_id>).
Once they are all translated, run the -scan command on that <build_id>
I have setup a CI Workflow in Jenkins to build project from bitbucket server.
I followed this Excluded Regions in Jenkins with Git
I made configuration such that ,when ever any changes are pushed into the repository, Jenkins will trigger a build.
I felt Repository is having too many checkins and each project is having separate workflows in Jenkins. So I used the "Polling ignores commits in certain places" option
But it seems not working.
I think this may be a bug as well.
Please see screenshot attached.
Scenario
I have 3 projects named Project1,Project2 and Project3
I want to look only changes in Project1 and then build.
For that i gave "Project1/.*" in the Included Regions. But even when changes are done to Project2 / Project 3, Jenkins triggers a build.
Doubt:
The Repository structure is as below
Project : TestForJenkins
Repository : JenkinsRepo
Project1,Project2,Project3,Packages,.gitignore
Since Project1 is at toplevel in repository, please let me know if i am giving wrong lookup path by providing "Project1/.*" in included region section.
I have an Build agent on a server with two builds definitions. Unfortunately if I queue the two builds, each one will create a folder and get the repository from TFS. What settings should I make in order to configure the two builds to use the same local repository?
You don't. Each build definition has a unique clone of the repository for, at a minimum, one very good reason (although there are others): Builds can run in parallel. What if you had two build definitions pointing to the same repository folder running at the same time? That's right, you'd hit all sorts of problems with locked file access/concurrency.
I'm trying to setup master/slave on two osx machines, while using only slave for build.
Have one main git repo for the project but few additional files are kept in separate git repository. After adding two git repositories noticed after checkout it's creating two project directories under workspace and one has "#2" in the name.
That makes a problem with copying/accessing files between two repositories using $WORKSPACE variable as directory "project_name#2" is not logically part or $WORKSPACE (getting file not found error). And also cannot know which repo will be in which directory with every new build.
And more confusing sometimes it even pulls one repo to the master machine even though I've set that the build executes only on slave.
I'd appreciate any advice or suggestion?
If you're using the GIT plugin you can use advance cloning settings and specify a sub folder to clone to. make sure to clone to different folders under your workspace and then you can access both. I'm doing that in some of my projects and it works like a charm.
Use : https://wiki.jenkins-ci.org/display/JENKINS/Multiple+SCMs+Plugin
Good luck!