From 72d18c4bbad6e819b352c9c401d9f390e0540efd Mon Sep 17 00:00:00 2001 From: "Visser, M (Martin)" Date: Thu, 5 Feb 2026 15:07:12 +0100 Subject: [PATCH 1/4] Replace Distribution Management --- .azure/ci.yml | 41 ++++++++++++++++------------------------- 1 file changed, 16 insertions(+), 25 deletions(-) diff --git a/.azure/ci.yml b/.azure/ci.yml index 06b85a8..f724735 100644 --- a/.azure/ci.yml +++ b/.azure/ci.yml 
@@ -16,26 +16,29 @@ stages: - stage: Build jobs: - job: BuildJob + displayName: 'Build and Deploy snapshot' steps: - task: DownloadSecureFile@1 + displayName: 'Download Maven Settings' name: mvnsettings inputs: secureFile: mvn-settings.xml - script: | - echo "Commenting out the Maven Central Release plugin" + echo "Commenting out the Maven Central Related plugins" awk 'BEGIN{p=0}//{p=1;buf=$0;next}/<\/plugin>/{buf=buf"\n"$0;if(p&&buf~/org\.sonatype\.central<\/groupId>/&&buf~/central-publishing-maven-plugin<\/artifactId>/){print ""}else{print buf};p=0;next}{if(p){buf=buf"\n"$0}else{print}}' pom.xml > pom.tmp && mv pom.tmp pom.xml - displayName: 'Comment Out Maven Central Release Plugin' + awk 'BEGIN{p=0}//{p=1;buf=$0;next}/<\/plugin>/{buf=buf"\n"$0;if(p&&buf~/org\.apache\.maven\.plugins/&&buf~/maven-gpg-plugin/){print ""}else{print buf};p=0;next}{if(p){buf=buf"\n"$0}else{print}}' pom.xml > pom.tmp && mv pom.tmp pom.xml + displayName: 'Comment Out Maven Central Related plugins' - script: | - echo "adding distribution management to POM" - awk '/<\/project>/ { print " \n \n Release\n $(NEXUS_DIST_MANAGEMENT_RELEASES)\n \n \n Snapshot\n $(NEXUS_DIST_MANAGEMENT_SNAPSHOTS)\n \n "; } 1' pom.xml > pom.tmp && mv pom.tmp pom.xml - displayName: 'Add Distribution Management' - - - script: | - echo "ECHO POM" - cat pom.xml - displayName: 'Show updated POM' + echo "Replacing distributionManagement block" + awk ' + BEGIN {inblock=0} + // {inblock=1; print " \n \n releases\n IP Releases\n $(NEXUS_DIST_MANAGEMENT_RELEASES)\n \n \n snapshot\n IP Snapshots\n $(NEXUS_DIST_MANAGEMENT_SNAPSHOTS)\n \n "; next} + /<\/distributionManagement>/ {inblock=0; next} + {if(!inblock) print} + ' pom.xml > pom.tmp && mv pom.tmp pom.xml + displayName: 'Replace Distribution Management' - task: Maven@4 displayName: Maven Build 
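Review bot: The two rewrite steps in this hunk ('Comment Out Maven Central Related plugins' and 'Replace Distribution Management') succeed whether or not awk matched anything, so a POM whose layout differs from what the patterns expect would reach `clean deploy` with its original publishing plugins and repository settings. Each script only runs `awk … > pom.tmp && mv pom.tmp pom.xml`, and nothing checks the result. A cheap guard is to end the second script with `grep -qF '$(NEXUS_DIST_MANAGEMENT_SNAPSHOTS)' pom.xml || { echo 'distributionManagement was not replaced' >&2; exit 1; }`. The first script appears to disable `maven-gpg-plugin`, so a comment should state that artifacts deployed from this pipeline are unsigned. The same scripts are copied into .azure/cd.yml (PATCH 3/4) and .azure/templates/build.yml (PATCH 4/4), where the same applies.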
@@ -45,25 +48,12 @@ stages: goals: 'clean verify' jdkVersionOption: '1.17' - - task: RabobankCQSTask@1 - inputs: - sqServiceConnection: 'Rabobank CQS Service Connection - TEST' - scannerMode: 'maven' - jdkVersion: '1.17' - sqGateName: 'Name of your Quality Gate' - debugMode: 'DEBUG' - qualityGateBreak: false - qualityGateTimeout: '600' - mavenPomFile: 'pom.xml' - extraProperties: | - sonar.verbose=true - sonar.exclusions=**/maven/** - - task: Maven@4 + displayName: Deploy Snapshot inputs: mavenPomFile: 'pom.xml' goals: 'clean deploy' - options: '-B -gs $(mvnsettings.secureFilePath) -DrepositoryId=Snapshot' + options: '-B -s $(mvnsettings.secureFilePath) -ntp' publishJUnitResults: true testResultsFiles: '**/surefire-reports/TEST-*.xml' javaHomeOption: 'JDKVersion' @@ -80,6 +70,7 @@ stages: - task: Rabobank Checkmarx@2 inputs: CheckmarxService: 'Checkmarx-MSC' + mainCheckmarxProject: 'rabobank.shadow-tool-92651-rw' - job: displayName: Rabobank Secret Scanner From 0bc83bec8e46db322cda4855ac0049562952be70 Mon Sep 17 00:00:00 2001 From: "Visser, M (Martin)" Date: Thu, 5 Feb 2026 16:09:08 +0100 Subject: [PATCH 2/4] Replace Distribution Management --- .azure/ci.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.azure/ci.yml b/.azure/ci.yml index f724735..1239063 100644 --- a/.azure/ci.yml +++ b/.azure/ci.yml @@ -1,3 +1,11 @@ +trigger: + branches: + include: + - '*' + exclude: + - main + - release/* + pr: branches: include: 
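Review bot: In the `trigger:` block added to .azure/ci.yml by PATCH 2/4, excluding `main` and `release/*` means pushes to those branches never start this pipeline, so the Checkmarx, secret-scanner and Nexus IQ jobs defined further down the file do not run on what actually lands there. If that is deliberate because branch policies force every change through the `pr:` validation, record it next to the exclusion, for example `# main and release/* are only built via PR validation`. Otherwise drop the two `exclude` entries. The `pr:` block continues outside the hunk, so its branch filter cannot be checked from here.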
@@ -27,7 +35,7 @@ stages: - script: | echo "Commenting out the Maven Central Related plugins" awk 'BEGIN{p=0}//{p=1;buf=$0;next}/<\/plugin>/{buf=buf"\n"$0;if(p&&buf~/org\.sonatype\.central<\/groupId>/&&buf~/central-publishing-maven-plugin<\/artifactId>/){print ""}else{print buf};p=0;next}{if(p){buf=buf"\n"$0}else{print}}' pom.xml > pom.tmp && mv pom.tmp pom.xml - awk 'BEGIN{p=0}//{p=1;buf=$0;next}/<\/plugin>/{buf=buf"\n"$0;if(p&&buf~/org\.apache\.maven\.plugins/&&buf~/maven-gpg-plugin/){print ""}else{print buf};p=0;next}{if(p){buf=buf"\n"$0}else{print}}' pom.xml > pom.tmp && mv pom.tmp pom.xml + awk 'BEGIN{p=0}//{p=1;buf=$0;next}/<\/plugin>/{buf=buf"\n"$0;if(p&&buf~/org\.apache\.maven\.plugins<\/groupId>/&&buf~/maven-gpg-plugin<\/artifactId>/){print ""}else{print buf};p=0;next}{if(p){buf=buf"\n"$0}else{print}}' pom.xml > pom.tmp && mv pom.tmp pom.xml displayName: 'Comment Out Maven Central Related plugins' - script: | From d2b447a96d4a6bb32f61a1557291aa894a75f226 Mon Sep 17 00:00:00 2001 From: "Visser, M (Martin)" Date: Thu, 5 Feb 2026 16:36:27 +0100 Subject: [PATCH 3/4] Add CD pipeline with trigger on tags --- .azure/cd.yml | 100 ++++++++++++++++++++++++++++++++++++++++++++++++++ .azure/ci.yml | 4 +- 2 files changed, 102 insertions(+), 2 deletions(-) create mode 100644 .azure/cd.yml diff --git a/.azure/cd.yml b/.azure/cd.yml new file mode 100644 index 0000000..6cd6863 --- /dev/null +++ b/.azure/cd.yml 
@@ -0,0 +1,100 @@ +trigger: + tags: + include: + - '*' + +variables: + - group: secure-vars + +pool: + name: 'Shared-EU-VM-Linux-Legacy-M-Prod' + +stages: + - stage: Build + jobs: + - job: BuildJob + displayName: 'Build and Deploy' + steps: + - task: DownloadSecureFile@1 + displayName: 'Download Maven Settings' + name: mvnsettings + inputs: + secureFile: mvn-settings.xml + + - script: | + echo "Commenting out the Maven Central Related plugins" + awk 'BEGIN{p=0}//{p=1;buf=$0;next}/<\/plugin>/{buf=buf"\n"$0;if(p&&buf~/org\.sonatype\.central<\/groupId>/&&buf~/central-publishing-maven-plugin<\/artifactId>/){print ""}else{print buf};p=0;next}{if(p){buf=buf"\n"$0}else{print}}' pom.xml > pom.tmp && mv pom.tmp pom.xml + awk 'BEGIN{p=0}//{p=1;buf=$0;next}/<\/plugin>/{buf=buf"\n"$0;if(p&&buf~/org\.apache\.maven\.plugins<\/groupId>/&&buf~/maven-gpg-plugin<\/artifactId>/){print ""}else{print buf};p=0;next}{if(p){buf=buf"\n"$0}else{print}}' pom.xml > pom.tmp && mv pom.tmp pom.xml + displayName: 'Comment Out Maven Central Related plugins' + + - script: | + echo "Replacing distributionManagement block" + awk ' + BEGIN {inblock=0} + // {inblock=1; print " \n \n releases\n IP Releases\n $(NEXUS_DIST_MANAGEMENT_RELEASES)\n \n \n snapshot\n IP Snapshots\n $(NEXUS_DIST_MANAGEMENT_SNAPSHOTS)\n \n "; next} + /<\/distributionManagement>/ {inblock=0; next} + {if(!inblock) print} + ' pom.xml > pom.tmp && mv pom.tmp pom.xml + displayName: 'Replace Distribution Management' + + - task: Maven@4 + displayName: Maven Build + inputs: + mavenOptions: '-Xmx3072m' + mavenPomFile: 'pom.xml' + goals: 'clean verify' + jdkVersionOption: '1.17' + + - task: Maven@4 + displayName: Deploy Snapshot + inputs: + mavenPomFile: 'pom.xml' + goals: 'clean deploy' + options: '-B -s $(mvnsettings.secureFilePath) -ntp' + publishJUnitResults: true + testResultsFiles: '**/surefire-reports/TEST-*.xml' + javaHomeOption: 'JDKVersion' + jdkVersionOption: '1.17' + mavenOptions: '-Xmx3072m 
-Daether.dependencyCollector.impl=bf -Daether.dependencyCollector.bf.threads=10 -Daether.dependencyCollector.pool.artifact=hard -Daether.dependencyCollector.pool.dependency=hard ' + mavenAuthenticateFeed: false + effectivePomSkip: false + sonarQubeRunAnalysis: false + + - job: Checkmarx + displayName: Rabobank Checkmarx Scan + pool: Shared-EU-Container-Linux-Compliancy-S-Prod + steps: + - task: Rabobank Checkmarx@2 + inputs: + CheckmarxService: 'Checkmarx-MSC' + mainCheckmarxProject: 'rabobank.shadow-tool-92651-rw' + + - job: + displayName: Rabobank Secret Scanner + pool: Shared-EU-Container-Linux-Compliancy-S-Prod + steps: + - task: secret-scanning-task@0 + + - job: NexusIQ + displayName: Nexus IQ Scan + steps: + - task: JavaToolInstaller@0 + displayName: "Use Java 17" + inputs: + versionSpec: 17 + jdkArchitectureOption: x64 + jdkSourceOption: PreInstalled + + - task: Maven@4 + displayName: 'MavenNexusIQ' + inputs: + goals: 'com.sonatype.clm:clm-maven-plugin:index' + jdkVersion: '17' + + - task: NexusIqPipelineTask@1 + displayName: 'SonatypeEvaluate' + inputs: + nexusIqService: 'Rabobank SCA NexusIQ' + applicationId: 'shadow-tool' + stage: 'Build' + scanTargets: "**/module.xml" diff --git a/.azure/ci.yml b/.azure/ci.yml index 1239063..5e920d6 100644 --- a/.azure/ci.yml +++ b/.azure/ci.yml @@ -105,7 +105,7 @@ stages: - task: NexusIqPipelineTask@1 displayName: 'SonatypeEvaluate' inputs: - nexusIqService: 'Rabobank SCA NexusIQ' # Name of default service connection - applicationId: 'CF-Metrics-Exporter' # REPLACE with applicationId Name of the application in NexusIQ, by default same name as pipeline + nexusIqService: 'Rabobank SCA NexusIQ' + applicationId: 'shadow-tool' stage: 'Build' scanTargets: "**/module.xml" From d478e392380ab2945872c31ee3246e9ccff68111 Mon Sep 17 00:00:00 2001 
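Review bot: The `trigger: tags: include: - '*'` at the top of the new .azure/cd.yml starts a build-and-deploy run for any tag name on any commit, so whoever may push a tag can publish from a commit that may never have gone through review. The run downloads `mvn-settings.xml` and executes `clean deploy` with it, which makes tag creation the effective release permission. Narrow the filter to the project's release-tag convention, e.g. `- 'v*'` (example pattern; the tag scheme is not shown on this page), and restrict who may create tags in the repository settings. The deploy step is still labelled `displayName: Deploy Snapshot` although this is the tag-driven pipeline; `Deploy` would be less misleading.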
From: "Visser, M (Martin)" Date: Fri, 6 Feb 2026 08:50:43 +0100 Subject: [PATCH 4/4] Use template for pipeline --- .azure/cd.yml | 94 ++------------------------ .azure/ci.yml | 94 ++------------------------ .azure/templates/build.yml | 132 +++++++++++++++++++++++++++++++++++++ 3 files changed, 144 insertions(+), 176 deletions(-) create mode 100644 .azure/templates/build.yml diff --git a/.azure/cd.yml b/.azure/cd.yml index 6cd6863..c6776ff 100644 --- a/.azure/cd.yml +++ b/.azure/cd.yml 
@@ -10,91 +10,9 @@ pool: name: 'Shared-EU-VM-Linux-Legacy-M-Prod' stages: - - stage: Build - jobs: - - job: BuildJob - displayName: 'Build and Deploy' - steps: - - task: DownloadSecureFile@1 - displayName: 'Download Maven Settings' - name: mvnsettings - inputs: - secureFile: mvn-settings.xml - - - script: | - echo "Commenting out the Maven Central Related plugins" - awk 'BEGIN{p=0}//{p=1;buf=$0;next}/<\/plugin>/{buf=buf"\n"$0;if(p&&buf~/org\.sonatype\.central<\/groupId>/&&buf~/central-publishing-maven-plugin<\/artifactId>/){print ""}else{print buf};p=0;next}{if(p){buf=buf"\n"$0}else{print}}' pom.xml > pom.tmp && mv pom.tmp pom.xml - awk 'BEGIN{p=0}//{p=1;buf=$0;next}/<\/plugin>/{buf=buf"\n"$0;if(p&&buf~/org\.apache\.maven\.plugins<\/groupId>/&&buf~/maven-gpg-plugin<\/artifactId>/){print ""}else{print buf};p=0;next}{if(p){buf=buf"\n"$0}else{print}}' pom.xml > pom.tmp && mv pom.tmp pom.xml - displayName: 'Comment Out Maven Central Related plugins' - - - script: | - echo "Replacing distributionManagement block" - awk ' - BEGIN {inblock=0} - // {inblock=1; print " \n \n releases\n IP Releases\n $(NEXUS_DIST_MANAGEMENT_RELEASES)\n \n \n snapshot\n IP Snapshots\n $(NEXUS_DIST_MANAGEMENT_SNAPSHOTS)\n \n "; next} - /<\/distributionManagement>/ {inblock=0; next} - {if(!inblock) print} - ' pom.xml > pom.tmp && mv pom.tmp pom.xml - displayName: 'Replace Distribution Management' - - - task: Maven@4 - displayName: Maven Build - inputs: - mavenOptions: '-Xmx3072m' - mavenPomFile: 'pom.xml' - goals: 'clean verify' - jdkVersionOption: '1.17' - - - task: Maven@4 - displayName: Deploy Snapshot - inputs: - mavenPomFile: 'pom.xml' - goals: 'clean deploy' - options: '-B -s $(mvnsettings.secureFilePath) -ntp' - publishJUnitResults: true - testResultsFiles: '**/surefire-reports/TEST-*.xml' - javaHomeOption: 'JDKVersion' - jdkVersionOption: '1.17' - mavenOptions: '-Xmx3072m -Daether.dependencyCollector.impl=bf -Daether.dependencyCollector.bf.threads=10 
-Daether.dependencyCollector.pool.artifact=hard -Daether.dependencyCollector.pool.dependency=hard ' - mavenAuthenticateFeed: false - effectivePomSkip: false - sonarQubeRunAnalysis: false - - - job: Checkmarx - displayName: Rabobank Checkmarx Scan - pool: Shared-EU-Container-Linux-Compliancy-S-Prod - steps: - - task: Rabobank Checkmarx@2 - inputs: - CheckmarxService: 'Checkmarx-MSC' - mainCheckmarxProject: 'rabobank.shadow-tool-92651-rw' - - - job: - displayName: Rabobank Secret Scanner - pool: Shared-EU-Container-Linux-Compliancy-S-Prod - steps: - - task: secret-scanning-task@0 - - - job: NexusIQ - displayName: Nexus IQ Scan - steps: - - task: JavaToolInstaller@0 - displayName: "Use Java 17" - inputs: - versionSpec: 17 - jdkArchitectureOption: x64 - jdkSourceOption: PreInstalled - - - task: Maven@4 - displayName: 'MavenNexusIQ' - inputs: - goals: 'com.sonatype.clm:clm-maven-plugin:index' - jdkVersion: '17' - - - task: NexusIqPipelineTask@1 - displayName: 'SonatypeEvaluate' - inputs: - nexusIqService: 'Rabobank SCA NexusIQ' - applicationId: 'shadow-tool' - stage: 'Build' - scanTargets: "**/module.xml" + - template: /.azure/templates/build.yml + parameters: + checkmarxEnabled: true + deployEnabled: true + secretScannerEnabled: true + sonarqubeEnabled: true diff --git a/.azure/ci.yml b/.azure/ci.yml index 5e920d6..83515ce 100644 --- a/.azure/ci.yml +++ b/.azure/ci.yml 
@@ -21,91 +21,9 @@ pool: name: 'Shared-EU-VM-Linux-Legacy-M-Prod' stages: - - stage: Build - jobs: - - job: BuildJob - displayName: 'Build and Deploy snapshot' - steps: - - task: DownloadSecureFile@1 - displayName: 'Download Maven Settings' - name: mvnsettings - inputs: - secureFile: mvn-settings.xml - - - script: | - echo "Commenting out the Maven Central Related plugins" - awk 'BEGIN{p=0}//{p=1;buf=$0;next}/<\/plugin>/{buf=buf"\n"$0;if(p&&buf~/org\.sonatype\.central<\/groupId>/&&buf~/central-publishing-maven-plugin<\/artifactId>/){print ""}else{print buf};p=0;next}{if(p){buf=buf"\n"$0}else{print}}' pom.xml > pom.tmp && mv pom.tmp pom.xml - awk 'BEGIN{p=0}//{p=1;buf=$0;next}/<\/plugin>/{buf=buf"\n"$0;if(p&&buf~/org\.apache\.maven\.plugins<\/groupId>/&&buf~/maven-gpg-plugin<\/artifactId>/){print ""}else{print buf};p=0;next}{if(p){buf=buf"\n"$0}else{print}}' pom.xml > pom.tmp && mv pom.tmp pom.xml - displayName: 'Comment Out Maven Central Related plugins' - - - script: | - echo "Replacing distributionManagement block" - awk ' - BEGIN {inblock=0} - // {inblock=1; print " \n \n releases\n IP Releases\n $(NEXUS_DIST_MANAGEMENT_RELEASES)\n \n \n snapshot\n IP Snapshots\n $(NEXUS_DIST_MANAGEMENT_SNAPSHOTS)\n \n "; next} - /<\/distributionManagement>/ {inblock=0; next} - {if(!inblock) print} - ' pom.xml > pom.tmp && mv pom.tmp pom.xml - displayName: 'Replace Distribution Management' - - - task: Maven@4 - displayName: Maven Build - inputs: - mavenOptions: '-Xmx3072m' - mavenPomFile: 'pom.xml' - goals: 'clean verify' - jdkVersionOption: '1.17' - - - task: Maven@4 - displayName: Deploy Snapshot - inputs: - mavenPomFile: 'pom.xml' - goals: 'clean deploy' - options: '-B -s $(mvnsettings.secureFilePath) -ntp' - publishJUnitResults: true - testResultsFiles: '**/surefire-reports/TEST-*.xml' - javaHomeOption: 'JDKVersion' - jdkVersionOption: '1.17' - mavenOptions: '-Xmx3072m -Daether.dependencyCollector.impl=bf -Daether.dependencyCollector.bf.threads=10 
-Daether.dependencyCollector.pool.artifact=hard -Daether.dependencyCollector.pool.dependency=hard ' - mavenAuthenticateFeed: false - effectivePomSkip: false - sonarQubeRunAnalysis: false - - - job: Checkmarx - displayName: Rabobank Checkmarx Scan - pool: Shared-EU-Container-Linux-Compliancy-S-Prod - steps: - - task: Rabobank Checkmarx@2 - inputs: - CheckmarxService: 'Checkmarx-MSC' - mainCheckmarxProject: 'rabobank.shadow-tool-92651-rw' - - - job: - displayName: Rabobank Secret Scanner - pool: Shared-EU-Container-Linux-Compliancy-S-Prod - steps: - - task: secret-scanning-task@0 - - - job: NexusIQ - displayName: Nexus IQ Scan - steps: - - task: JavaToolInstaller@0 - displayName: "Use Java 17" - inputs: - versionSpec: 17 - jdkArchitectureOption: x64 - jdkSourceOption: PreInstalled - - - task: Maven@4 - displayName: 'MavenNexusIQ' - inputs: - goals: 'com.sonatype.clm:clm-maven-plugin:index' - jdkVersion: '17' - - - task: NexusIqPipelineTask@1 - displayName: 'SonatypeEvaluate' - inputs: - nexusIqService: 'Rabobank SCA NexusIQ' - applicationId: 'shadow-tool' - stage: 'Build' - scanTargets: "**/module.xml" + - template: /.azure/templates/build.yml + parameters: + checkmarxEnabled: true + deployEnabled: false + secretScannerEnabled: true + sonarqubeEnabled: true diff --git a/.azure/templates/build.yml b/.azure/templates/build.yml new file mode 100644 index 0000000..26e8328 --- /dev/null +++ b/.azure/templates/build.yml 
@@ -0,0 +1,132 @@ +parameters: + - name: checkmarxEnabled + type: boolean + default: true + - name: deployEnabled + type: boolean + default: false + - name: nexusIQEnabled + type: boolean + default: true + - name: secretScannerEnabled + type: boolean + default: true + - name: sonarqubeEnabled + type: boolean + default: true + +stages: + - stage: Build + jobs: + - job: BuildJob + displayName: 'Build' + steps: + - task: DownloadSecureFile@1 + displayName: 'Download Maven Settings' + name: mvnsettings + inputs: + secureFile: mvn-settings.xml + + - script: | + echo "Commenting out the Maven Central Related plugins" + awk 'BEGIN{p=0}//{p=1;buf=$0;next}/<\/plugin>/{buf=buf"\n"$0;if(p&&buf~/org\.sonatype\.central<\/groupId>/&&buf~/central-publishing-maven-plugin<\/artifactId>/){print ""}else{print buf};p=0;next}{if(p){buf=buf"\n"$0}else{print}}' pom.xml > pom.tmp && mv pom.tmp pom.xml + awk 'BEGIN{p=0}//{p=1;buf=$0;next}/<\/plugin>/{buf=buf"\n"$0;if(p&&buf~/org\.apache\.maven\.plugins<\/groupId>/&&buf~/maven-gpg-plugin<\/artifactId>/){print ""}else{print buf};p=0;next}{if(p){buf=buf"\n"$0}else{print}}' pom.xml > pom.tmp && mv pom.tmp pom.xml + displayName: 'Comment Out Maven Central Related plugins' + + - script: | + echo "Replacing distributionManagement block" + awk ' + BEGIN {inblock=0} + // {inblock=1; print " \n \n releases\n IP Releases\n $(NEXUS_DIST_MANAGEMENT_RELEASES)\n \n \n snapshot\n IP Snapshots\n $(NEXUS_DIST_MANAGEMENT_SNAPSHOTS)\n \n "; next} + /<\/distributionManagement>/ {inblock=0; next} + {if(!inblock) print} + ' pom.xml > pom.tmp && mv pom.tmp pom.xml + displayName: 'Replace Distribution Management' + + - task: Maven@4 + displayName: Maven Build + inputs: + mavenPomFile: 'pom.xml' + goals: 'clean verify' + publishJUnitResults: true + testResultsFiles: '**/surefire-reports/TEST-*.xml' + javaHomeOption: 'JDKVersion' + jdkVersionOption: '1.17' + mavenVersionOption: 'Default' + mavenOptions: '-Xmx3072m' + mavenAuthenticateFeed: false + effectivePomSkip: 
false + sonarQubeRunAnalysis: false + + - ${{ if parameters.sonarqubeEnabled }}: + - task: RabobankCQSTask@1 + displayName: SonarQube Analysis + inputs: + sqServiceConnection: 'Rabobank CQS Service Connection - TEST' + scannerMode: 'maven' + qualityGateBreak: false + + - ${{ if parameters.deployEnabled }}: + - task: Maven@4 + displayName: Deploy + inputs: + mavenPomFile: 'pom.xml' + goals: 'clean deploy' + options: '-B -s $(mvnsettings.secureFilePath) -ntp' + publishJUnitResults: false + javaHomeOption: 'JDKVersion' + jdkVersionOption: '1.17' + mavenVersionOption: 'Default' + mavenOptions: '-Xmx3072m -Daether.dependencyCollector.impl=bf -Daether.dependencyCollector.bf.threads=10 -Daether.dependencyCollector.pool.artifact=hard -Daether.dependencyCollector.pool.dependency=hard' + mavenAuthenticateFeed: false + effectivePomSkip: false + sonarQubeRunAnalysis: false + + - job: Checkmarx + condition: and(succeeded(), eq('${{ parameters.checkmarxEnabled }}', true)) + displayName: Rabobank Checkmarx Scan + pool: Shared-EU-Container-Linux-Compliancy-S-Prod + steps: + - task: Rabobank Checkmarx@2 + inputs: + CheckmarxService: 'Checkmarx-MSC' + mainCheckmarxProject: 'rabobank.shadow-tool-92651-rw' + + - job: + condition: and(succeeded(), eq('${{ parameters.secretScannerEnabled }}', true)) + displayName: Rabobank Secret Scanner + pool: Shared-EU-Container-Linux-Compliancy-S-Prod + steps: + - task: secret-scanning-task@0 + + - job: NexusIQ + condition: and(succeeded(), eq('${{ parameters.nexusIQEnabled }}', true)) + displayName: Nexus IQ Scan + steps: + - task: JavaToolInstaller@0 + displayName: "Use Java 17" + inputs: + versionSpec: 17 + jdkArchitectureOption: x64 + jdkSourceOption: PreInstalled + + - task: Maven@4 + displayName: 'MavenNexusIQ' + inputs: + mavenPomFile: 'pom.xml' + goals: 'com.sonatype.clm:clm-maven-plugin:index' + publishJUnitResults: false + javaHomeOption: 'JDKVersion' + jdkVersionOption: '17' + mavenVersionOption: 'Default' + mavenAuthenticateFeed: false + 
effectivePomSkip: false + sonarQubeRunAnalysis: false + + - task: NexusIqPipelineTask@1 + displayName: 'SonatypeEvaluate' + inputs: + nexusIqService: 'Rabobank SCA NexusIQ' + applicationId: 'shadow-tool' + stage: 'Build' + scanTargets: "**/module.xml"
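Review bot: The `Deploy` step sits inside `BuildJob`, while the Checkmarx, secret-scanner and `NexusIQ` jobs are siblings with no `dependsOn`, so with `deployEnabled: true` the artifact is published without waiting for what those scans report. `qualityGateBreak: false` makes the SonarQube step non-blocking as well. Moving the deploy into its own job that depends on the scan jobs closes that gap; the secret-scanner job needs a name for this, since it is declared as a bare `- job:`. A separate job starts from a fresh checkout, so the secure-file download and the two POM rewrite scripts have to run there too. Decide explicitly how a scan that is switched off through its parameter should affect the new job's condition, because a skipped dependency is not the same as a succeeded one.

```yaml
# … unchanged: parameters, BuildJob steps up to the SonarQube task …

      - job: SecretScanner  # named so the Deploy job can depend on it
        # … unchanged: condition, displayName, pool, steps …

      - ${{ if parameters.deployEnabled }}:
        - job: Deploy
          displayName: 'Deploy'
          dependsOn:
            - BuildJob
            - Checkmarx
            - SecretScanner
            - NexusIQ
          steps:
            # … repeated here: DownloadSecureFile@1 and the two POM rewrite scripts …
            # … unchanged: the Maven@4 'Deploy' task, moved out of BuildJob …
```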