Merge remote-tracking branch 'origin/rel-3.44.0'

h2oai · Nov 28, 2023 · 53fa57c · 53fa57c
2 parents a730ec8 + 1de99be
commit 53fa57c
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 17 deletions.
diff --git a/docker/prisma/Dockerfile b/docker/prisma/Dockerfile
@@ -6,6 +6,8 @@ ENV DIRECTORIES=".config .npm .cache .local"
 RUN for dir in $DIRECTORIES; do \
       mkdir -p /$dir; \
       chown -R 2117:2117 /$dir; \
-    done
+    done 
+
+RUN npm install snyk -g
 
 CMD ["/bin/bash"]
diff --git a/h2o-r/scripts/h2o-r-test-setup.R b/h2o-r/scripts/h2o-r-test-setup.R
@@ -198,7 +198,7 @@ function() {
             ".getExpanded", ".str.list", "is.H2OFrame", ".get.session.property", ".set.session.property",
             ".h2o.maximizing_metrics", ".h2o.doSafeGET", ".parse.h2oconfig", ".h2o.check_java_version",
             "cut.H2OFrame", "as.data.frame.H2OFrame", ".h2o.perfect_auc", ".newExpr", ".h2o.doSafeREST",
-            ".h2o.fromJSON"
+            ".h2o.fromJSON", ".shorten_model_ids", ".calculate_pareto_front", ".h2o.__IMPORT"
          )
 
         for (fn in additional_imports)

diff --git a/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan b/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan
@@ -4,15 +4,25 @@
 
 def dockerImage
 
-def setScanningStages(assemblyType, stageIndex) {
-    def assemblyImage
-    stage("${stageIndex}.A. Scan ${assemblyType} jar using Prisma") {
+def setPrismaScanningStages(assemblyType, stageIndex) {
+    branchName = "${env.BRANCH_NAME}".replace('/', '-')
+    assemblyImage = "h2o-assemblies/${assemblyType}:${BUILD_NUMBER}-${branchName}"
+
+    stage("${stageIndex}.A. Build image for ${assemblyType}") {
         script {
-            branchName = "${env.BRANCH_NAME}".replace('/', '-')
-            assemblyImage = "h2o-assemblies/${assemblyType}:${BUILD_NUMBER}-${branchName}"
-
             sh "docker build . -t ${assemblyImage} -f ./docker/prisma/Dockerfile.${assemblyType}jars"
-
+        }
+    }
+    stage ("${stageIndex}.B. Scan ${assemblyType} jar using Snyk") {
+        withCredentials([string(credentialsId: 'H2O_3_SNYK_TOKEN_JENKINS_TEXT', variable: 'SNYK_TOKEN')]) {
+            script {
+                sh "./snyk container test ${assemblyImage} --file=./docker/prisma/Dockerfile.${assemblyType}jars --severity-threshold=medium --app-vulns --nested-jars-depth=4 | tee ${assemblyImage}-snyk.out || true"
+            }
+            archiveArtifacts artifacts: "${assemblyImage}-snyk.out"
+        }
+    }
+    stage("${stageIndex}.C. Scan ${assemblyType} jar using Prisma") {
+        script {
             // scan the image
             prismaCloudScanImage ca: '',
                     cert: '',
@@ -26,13 +36,13 @@ def setScanningStages(assemblyType, stageIndex) {
                     ignoreImageBuildTime: true
         }
     }
-    stage("${stageIndex}.B. Export results for ${assemblyType} jar to CSV") {
+    stage("${stageIndex}.D. Export results for ${assemblyType} jar to CSV") {
         withCredentials([usernamePassword(credentialsId: 'twistlock_credentials', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
-            sh "curl -k -u \$USERNAME:\$PASSWORD https://mr-0xz1:8083/api/v1/scans/download?search=${assemblyImage} > ${assemblyImage}.csv"
+            sh "curl -k -u \$USERNAME:\$PASSWORD https://mr-0xz1:8083/api/v1/scans/download?search=${assemblyImage} > ${assemblyImage}-prisma.csv"
         }
-        archiveArtifacts artifacts: "${assemblyImage}.csv"
+        archiveArtifacts artifacts: "${assemblyImage}-prisma.csv"
     }
-    stage("${stageIndex}.C. Publish report for ${assemblyType} jar") {
+    stage("${stageIndex}.E. Publish report for ${assemblyType} jar") {
         prismaCloudPublish resultsFilePattern: "prisma-${assemblyType}-scan-results.json"
     }
 }
@@ -52,6 +62,8 @@ pipeline {
                     dir("docker/prisma"){
                         dockerImage = docker.build("node-java","-f Dockerfile .")
                     }
+                    sh "curl --compressed https://static.snyk.io/cli/latest/snyk-linux -o snyk"
+                    sh "chmod +x ./snyk"
                 }
 
             }
@@ -68,14 +80,14 @@ pipeline {
                 }
             }
         }
-        stage('2. Steam assembly jar') {
+        stage('2. Steam assembly jar (Prisma)') {
             steps {
-                setScanningStages("steam", 2)
+                setPrismaScanningStages("steam", 2)
             }
         }
-        stage('3. Main assembly jar') {
+        stage('3. Main assembly jar (Prisma)') {
             steps {
-                setScanningStages("main", 3)
+                setPrismaScanningStages("main", 3)
             }
         }
     }