diff --git a/.azure/cd.yml b/.azure/cd.yml
new file mode 100644
index 0000000..c6776ff
--- /dev/null
+++ b/.azure/cd.yml
@@ -0,0 +1,18 @@
+trigger:
+ tags:
+ include:
+ - '*'
+
+variables:
+ - group: secure-vars
+
+pool:
+ name: 'Shared-EU-VM-Linux-Legacy-M-Prod'
+
+stages:
+ - template: /.azure/templates/build.yml
+ parameters:
+ checkmarxEnabled: true
+ deployEnabled: true
+ secretScannerEnabled: true
+ sonarqubeEnabled: true
diff --git a/.azure/ci.yml b/.azure/ci.yml
index 06b85a8..83515ce 100644
--- a/.azure/ci.yml
+++ b/.azure/ci.yml
@@ -1,3 +1,11 @@
+trigger:
+ branches:
+ include:
+ - '*'
+ exclude:
+ - main
+ - release/*
+
 pr:
 branches:
 include:
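Review bot: The tag trigger `include:` / `- '*'` starts this pipeline, with `deployEnabled: true` and the `secure-vars` variable group, for every tag pushed to the repository, so anyone who can push a tag can run the template's Maven deploy step and publish a release. Narrowing the pattern to the project's release tag convention, and adding `pr: none` unless pull-request validation is already disabled for this pipeline elsewhere, keeps the deploy path to intentional releases. Both this file and the ci.yml template call leave `nexusIQEnabled` to the template default while spelling out the other four parameters; passing it explicitly in both makes each pipeline's scan set readable without opening the template. A comment above `trigger:` naming the expected tag format would help the next reader.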
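Review bot: With `exclude:` listing `main` and `release/*`, and the new cd.yml pipeline starting only on tags, a commit that lands directly on `main` or a release branch runs neither pipeline, so the Checkmarx, secret-scanner and Nexus IQ jobs never execute on the integration branch itself. If those branches are guarded by a pull-request policy the pre-merge run covers them, but post-merge results on `main` (and any hotfix pushed straight to it) stay invisible; consider leaving `main` in the CI trigger, or documenting above `trigger:` that merge validation is the only scan of those branches. The `pr:` settings on the following lines are existing context and are not changed by this hunk.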
@@ -13,100 +21,9 @@
 pool:
 name: 'Shared-EU-VM-Linux-Legacy-M-Prod'
 stages:
- - stage: Build
- jobs:
- - job: BuildJob
- steps:
- - task: DownloadSecureFile@1
- name: mvnsettings
- inputs:
- secureFile: mvn-settings.xml
-
- - script: |
- echo "Commenting out the Maven Central Release plugin"
- awk 'BEGIN{p=0}//{p=1;buf=$0;next}/<\/plugin>/{buf=buf"\n"$0;if(p&&buf~/org\.sonatype\.central<\/groupId>/&&buf~/central-publishing-maven-plugin<\/artifactId>/){print ""}else{print buf};p=0;next}{if(p){buf=buf"\n"$0}else{print}}' pom.xml > pom.tmp && mv pom.tmp pom.xml
- displayName: 'Comment Out Maven Central Release Plugin'
-
- - script: |
- echo "adding distribution management to POM"
- awk '/<\/project>/ { print " \n \n Release\n $(NEXUS_DIST_MANAGEMENT_RELEASES)\n \n \n Snapshot\n $(NEXUS_DIST_MANAGEMENT_SNAPSHOTS)\n \n "; } 1' pom.xml > pom.tmp && mv pom.tmp pom.xml
- displayName: 'Add Distribution Management'
-
- - script: |
- echo "ECHO POM"
- cat pom.xml
- displayName: 'Show updated POM'
-
- - task: Maven@4
- displayName: Maven Build
- inputs:
- mavenOptions: '-Xmx3072m'
- mavenPomFile: 'pom.xml'
- goals: 'clean verify'
- jdkVersionOption: '1.17'
-
- - task: RabobankCQSTask@1
- inputs:
- sqServiceConnection: 'Rabobank CQS Service Connection - TEST'
- scannerMode: 'maven'
- jdkVersion: '1.17'
- sqGateName: 'Name of your Quality Gate'
- debugMode: 'DEBUG'
- qualityGateBreak: false
- qualityGateTimeout: '600'
- mavenPomFile: 'pom.xml'
- extraProperties: |
- sonar.verbose=true
- sonar.exclusions=**/maven/**
-
- - task: Maven@4
- inputs:
- mavenPomFile: 'pom.xml'
- goals: 'clean deploy'
- options: '-B -gs $(mvnsettings.secureFilePath) -DrepositoryId=Snapshot'
- publishJUnitResults: true
- testResultsFiles: '**/surefire-reports/TEST-*.xml'
- javaHomeOption: 'JDKVersion'
- jdkVersionOption: '1.17'
- mavenOptions: '-Xmx3072m -Daether.dependencyCollector.impl=bf -Daether.dependencyCollector.bf.threads=10 -Daether.dependencyCollector.pool.artifact=hard -Daether.dependencyCollector.pool.dependency=hard '
- mavenAuthenticateFeed: false
- effectivePomSkip: false
- sonarQubeRunAnalysis: false
-
- - job: Checkmarx
- displayName: Rabobank Checkmarx Scan
- pool: Shared-EU-Container-Linux-Compliancy-S-Prod
- steps:
- - task: Rabobank Checkmarx@2
- inputs:
- CheckmarxService: 'Checkmarx-MSC'
-
- - job:
- displayName: Rabobank Secret Scanner
- pool: Shared-EU-Container-Linux-Compliancy-S-Prod
- steps:
- - task: secret-scanning-task@0
-
- - job: NexusIQ
- displayName: Nexus IQ Scan
- steps:
- - task: JavaToolInstaller@0
- displayName: "Use Java 17"
- inputs:
- versionSpec: 17
- jdkArchitectureOption: x64
- jdkSourceOption: PreInstalled
-
- - task: Maven@4
- displayName: 'MavenNexusIQ'
- inputs:
- goals: 'com.sonatype.clm:clm-maven-plugin:index'
- jdkVersion: '17'
-
- - task: NexusIqPipelineTask@1
- displayName: 'SonatypeEvaluate'
- inputs:
- nexusIqService: 'Rabobank SCA NexusIQ' # Name of default service connection
- applicationId: 'CF-Metrics-Exporter' # REPLACE with applicationId Name of the application in NexusIQ, by default same name as pipeline
- stage: 'Build'
- scanTargets: "**/module.xml"
+ - template: /.azure/templates/build.yml
+ parameters:
+ checkmarxEnabled: true
+ deployEnabled: false
+ secretScannerEnabled: true
+ sonarqubeEnabled: true
diff --git a/.azure/templates/build.yml b/.azure/templates/build.yml
new file mode 100644
index 0000000..26e8328
--- /dev/null
+++ b/.azure/templates/build.yml
@@ -0,0 +1,132 @@
+parameters:
+ - name: checkmarxEnabled
+ type: boolean
+ default: true
+ - name: deployEnabled
+ type: boolean
+ default: false
+ - name: nexusIQEnabled
+ type: boolean
+ default: true
+ - name: secretScannerEnabled
+ type: boolean
+ default: true
+ - name: sonarqubeEnabled
+ type: boolean
+ default: true
+
+stages:
+ - stage: Build
+ jobs:
+ - job: BuildJob
+ displayName: 'Build'
+ steps:
+ - task: DownloadSecureFile@1
+ displayName: 'Download Maven Settings'
+ name: mvnsettings
+ inputs:
+ secureFile: mvn-settings.xml
+
+ - script: |
+ echo "Commenting out the Maven Central Related plugins"
+ awk 'BEGIN{p=0}//{p=1;buf=$0;next}/<\/plugin>/{buf=buf"\n"$0;if(p&&buf~/org\.sonatype\.central<\/groupId>/&&buf~/central-publishing-maven-plugin<\/artifactId>/){print ""}else{print buf};p=0;next}{if(p){buf=buf"\n"$0}else{print}}' pom.xml > pom.tmp && mv pom.tmp pom.xml
+ awk 'BEGIN{p=0}//{p=1;buf=$0;next}/<\/plugin>/{buf=buf"\n"$0;if(p&&buf~/org\.apache\.maven\.plugins<\/groupId>/&&buf~/maven-gpg-plugin<\/artifactId>/){print ""}else{print buf};p=0;next}{if(p){buf=buf"\n"$0}else{print}}' pom.xml > pom.tmp && mv pom.tmp pom.xml
+ displayName: 'Comment Out Maven Central Related plugins'
+
+ - script: |
+ echo "Replacing distributionManagement block"
+ awk '
+ BEGIN {inblock=0}
+ // {inblock=1; print " \n \n releases\n IP Releases\n $(NEXUS_DIST_MANAGEMENT_RELEASES)\n \n \n snapshot\n IP Snapshots\n $(NEXUS_DIST_MANAGEMENT_SNAPSHOTS)\n \n "; next}
+ /<\/distributionManagement>/ {inblock=0; next}
+ {if(!inblock) print}
+ ' pom.xml > pom.tmp && mv pom.tmp pom.xml
+ displayName: 'Replace Distribution Management'
+
+ - task: Maven@4
+ displayName: Maven Build
+ inputs:
+ mavenPomFile: 'pom.xml'
+ goals: 'clean verify'
+ publishJUnitResults: true
+ testResultsFiles: '**/surefire-reports/TEST-*.xml'
+ javaHomeOption: 'JDKVersion'
+ jdkVersionOption: '1.17'
+ mavenVersionOption: 'Default'
+ mavenOptions: '-Xmx3072m'
+ mavenAuthenticateFeed: false
+ effectivePomSkip: false
+ sonarQubeRunAnalysis: false
+
+ - ${{ if parameters.sonarqubeEnabled }}:
+ - task: RabobankCQSTask@1
+ displayName: SonarQube Analysis
+ inputs:
+ sqServiceConnection: 'Rabobank CQS Service Connection - TEST'
+ scannerMode: 'maven'
+ qualityGateBreak: false
+
+ - ${{ if parameters.deployEnabled }}:
+ - task: Maven@4
+ displayName: Deploy
+ inputs:
+ mavenPomFile: 'pom.xml'
+ goals: 'clean deploy'
+ options: '-B -s $(mvnsettings.secureFilePath) -ntp'
+ publishJUnitResults: false
+ javaHomeOption: 'JDKVersion'
+ jdkVersionOption: '1.17'
+ mavenVersionOption: 'Default'
+ mavenOptions: '-Xmx3072m -Daether.dependencyCollector.impl=bf -Daether.dependencyCollector.bf.threads=10 -Daether.dependencyCollector.pool.artifact=hard -Daether.dependencyCollector.pool.dependency=hard'
+ mavenAuthenticateFeed: false
+ effectivePomSkip: false
+ sonarQubeRunAnalysis: false
+
+ - job: Checkmarx
+ condition: and(succeeded(), eq('${{ parameters.checkmarxEnabled }}', true))
+ displayName: Rabobank Checkmarx Scan
+ pool: Shared-EU-Container-Linux-Compliancy-S-Prod
+ steps:
+ - task: Rabobank Checkmarx@2
+ inputs:
+ CheckmarxService: 'Checkmarx-MSC'
+ mainCheckmarxProject: 'rabobank.shadow-tool-92651-rw'
+
+ - job:
+ condition: and(succeeded(), eq('${{ parameters.secretScannerEnabled }}', true))
+ displayName: Rabobank Secret Scanner
+ pool: Shared-EU-Container-Linux-Compliancy-S-Prod
+ steps:
+ - task: secret-scanning-task@0
+
+ - job: NexusIQ
+ condition: and(succeeded(), eq('${{ parameters.nexusIQEnabled }}', true))
+ displayName: Nexus IQ Scan
+ steps:
+ - task: JavaToolInstaller@0
+ displayName: "Use Java 17"
+ inputs:
+ versionSpec: 17
+ jdkArchitectureOption: x64
+ jdkSourceOption: PreInstalled
+
+ - task: Maven@4
+ displayName: 'MavenNexusIQ'
+ inputs:
+ mavenPomFile: 'pom.xml'
+ goals: 'com.sonatype.clm:clm-maven-plugin:index'
+ publishJUnitResults: false
+ javaHomeOption: 'JDKVersion'
+ jdkVersionOption: '17'
+ mavenVersionOption: 'Default'
+ mavenAuthenticateFeed: false
+ effectivePomSkip: false
+ sonarQubeRunAnalysis: false
+
+ - task: NexusIqPipelineTask@1
+ displayName: 'SonatypeEvaluate'
+ inputs:
+ nexusIqService: 'Rabobank SCA NexusIQ'
+ applicationId: 'shadow-tool'
+ stage: 'Build'
+ scanTargets: "**/module.xml"
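Review bot: Nothing in this template lets a scan result block a release: the `Deploy` step runs inside `BuildJob` straight after the SonarQube task, which is configured with `qualityGateBreak: false`, and the `Checkmarx`, secret-scanner and `NexusIQ` jobs declare no `dependsOn` on `BuildJob`, so they run alongside it and their outcome never gates `clean deploy`. The smallest change is `qualityGateBreak: true` on the RabobankCQSTask input so a failed quality gate fails the job before the deploy step runs; gating on the other scan jobs would mean moving the deploy step into its own job that depends on them (and carrying the rewritten pom.xml across jobs), which is a larger restructuring than this note proposes. The secret-scanner job is declared as a bare `- job:` with no name, so it cannot be referenced from any `dependsOn`; giving it a name such as `- job: SecretScanner` (constructed example) costs nothing and keeps that option open. A short comment above `stages:` stating that the scan jobs are advisory and only the build itself gates deployment would at least make the current behaviour explicit to whoever enables `deployEnabled`.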