Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Current »


This section is focused on describing how CI is connected to our different scanning tools and how the code scan generates the

resulting reports. 


Currently, we have 3 code scan tools linked in our Jenkins CI:



NexusIQWhiteSourceSonarcloud
URLhttps://nexus-iq.wl.linuxfoundation.org/assets/index.html#/management/view/organization/a044ccf18614413dbe45464a5524f784https://saas.whitesourcesoftware.com/https://sonarcloud.io/organizations/onap/projects
PurposeLicense and vulnerabilityLicense and vulnerabilityCode coverage from testing
Access

Automatic for all committer groups.

Not in a group? Contact support.linuxfoundation.org

On case basis. 

Contact support.linuxfoundation.org

Automatic if part of the ONAP GitHub org

Contact support.linuxfoundation.org for GitHub invite (Include GitHub ID)

Jenkins

https://jenkins.onap.org/view/CLM/

All projects must have Nexus IQ scans:

https://docs.releng.linuxfoundation.org/projects/global-jjb/en/latest/jjb/lf-maven-jobs.html#maven-clm

https://jenkins.onap.org/view/WhiteSource/

Only few projects are implemented. Rest of the projects is still under discussion.

https://docs.releng.linuxfoundation.org/projects/global-jjb/en/latest/jjb/lf-whitesource-jobs.html

https://jenkins.onap.org/view/All-Sonar/

All projects must have Sonar scans:

https://docs.releng.linuxfoundation.org/projects/global-jjb/en/latest/jjb/lf-maven-jobs.html#lf-infra-maven-sonarcloud

Frequency and triggers

Once per week (Saturdays)

Via Gerrit comments: run-clm

Once per week (Saturdays)

Via Gerrit comments: run-whitesource

Via Gerrit comments: run-sonar

Overall process 


Example job: https://jenkins.onap.org/view/CLM/job/aai-aai-common-maven-clm-master/

  • The job triggers a "clean install dependency:tree com.sonatype.clm:clm-maven-plugin:index"
  • A separate step invokes the Nexus IQ scanner using a Jenkins plugi

Example job: https://jenkins.onap.org/view/WhiteSource/job/aai-aai-common-whitesource-scan-master/

  • The job runs a "clean install" of the code
  • A separate step downloads and runs White Source's Unified Agent to scan the code

Example job: https://jenkins.onap.org/view/All-Sonar/job/aai-aai-common-sonar/

  • The job runs a "clean install" of the code
  • A separate step runs "org.sonarsource.scanner.maven:sonar-maven-plugin:3.7.0.1746:sonar" to process the sca
Example report

https://nexus-iq.wl.linuxfoundation.org/ui/links/application/onap-aai-aai-common/report/356ad44fd6724db292a4daa53e50a1c2

https://saas.whitesourcesoftware.com/Wss/WSS.html#!project;id=1387312

https://sonarcloud.io/dashboard?id=onap_aai-aai-common

  • No labels