|
1 | 1 | #!/bin/bash -e |
2 | 2 | # |
3 | | -# Copyright (c) 2020, 2023 Oracle and/or its affiliates. |
| 3 | +# Copyright (c) 2020, 2025 Oracle and/or its affiliates. |
4 | 4 | # |
5 | 5 | # Licensed under the Apache License, Version 2.0 (the "License"); |
6 | 6 | # you may not use this file except in compliance with the License. |
|
15 | 15 | # limitations under the License. |
16 | 16 | # |
17 | 17 |
|
| 18 | +set -o pipefail || true # trace ERR through pipes |
| 19 | +set -o errtrace || true # trace ERR through commands and functions |
| 20 | +set -o errexit || true # exit the script if any statement returns a non-true return value |
| 21 | + |
18 | 22 | # Path to this script |
19 | | -[ -h "${0}" ] && readonly SCRIPT_PATH="$(readlink "${0}")" || readonly SCRIPT_PATH="${0}" |
| 23 | +if [ -h "${0}" ] ; then |
| 24 | + SCRIPT_PATH="$(readlink "${0}")" |
| 25 | +else |
| 26 | + # shellcheck disable=SC155 |
| 27 | + SCRIPT_PATH="${0}" |
| 28 | +fi |
| 29 | +readonly SCRIPT_PATH |
20 | 30 |
|
21 | | -# Load pipeline environment setup and define WS_DIR |
22 | | -. $(dirname -- "${SCRIPT_PATH}")/includes/pipeline-env.sh "${SCRIPT_PATH}" '../..' |
| 31 | +# Path to the root of the workspace |
| 32 | +# shellcheck disable=SC2046 |
| 33 | +WS_DIR=$(cd $(dirname -- "${SCRIPT_PATH}") ; cd ../.. ; pwd -P) |
23 | 34 |
|
24 | | -# Setup error handling using default settings (defined in includes/error_handlers.sh) |
25 | | -error_trap_setup |
| 35 | +on_error(){ |
| 36 | + CODE="${?}" && \ |
| 37 | + set +x && \ |
| 38 | + printf "[ERROR] Error(code=%s) occurred at %s:%s command: %s\n" \ |
| 39 | + "${CODE}" "${BASH_SOURCE[0]}" "${LINENO}" "${BASH_COMMAND}" |
| 40 | +} |
| 41 | +trap on_error ERR |
26 | 42 |
|
27 | | -readonly RESULT_FILE=$(mktemp -t XXXdependency-check-result) |
| 43 | +RESULT_FILE=$(mktemp -t XXXdependency-check-result) |
| 44 | +readonly RESULT_FILE |
28 | 45 |
|
29 | | -die() { cat ${RESULT_FILE} ; echo "Dependency report in ${WS_DIR}/target" ; echo "${1}" ; exit 1 ;} |
| 46 | +die() { cat "${RESULT_FILE}" ; echo "Dependency report in ${WS_DIR}/target" ; echo "${1}" ; exit 1 ;} |
30 | 47 |
|
31 | | -if [ -n "${JENKINS_HOME}" ] || [ "${GITHUB_ACTIONS}" = "true" ]; then |
| 48 | +if [ "${PIPELINE}" = "true" ] ; then |
32 | 49 | # If in pipeline do a priming build before scan |
33 | | - mvn ${MAVEN_ARGS} -f ${WS_DIR}/pom.xml clean install -DskipTests |
| 50 | + # shellcheck disable=SC2086 |
| 51 | + mvn ${MAVEN_ARGS} -f "${WS_DIR}"/pom.xml clean install -DskipTests |
| 52 | +fi |
| 53 | + |
| 54 | +# The Sonatype OSS Index analyzer requires authentication |
| 55 | +# See https://ossindex.sonatype.org/doc/auth-required |
| 56 | +# Set OSS_INDEX_USERNAME and OSS_INDEX_PASSWORD to authenticate. |
| 57 | +# Otherwise OSS Index analyzer will be disabled |
| 58 | +# And yes, this option uses a lower case i while Username and Password has an upper case I |
| 59 | +OSS_INDEX_OPTIONS="-DossindexAnalyzerEnabled=false" |
| 60 | +if [ -n "${OSS_INDEX_PASSWORD}" ] && [ -n "${OSS_INDEX_USERNAME}" ]; then |
| 61 | + OSS_INDEX_OPTIONS="-DossindexAnalyzerEnabled=true -DossIndexUsername=${OSS_INDEX_USERNAME} -DossIndexPassword=${OSS_INDEX_PASSWORD}" |
34 | 62 | fi |
35 | 63 |
|
36 | 64 | # Setting NVD_API_KEY is not required but improves behavior of NVD API throttling |
37 | 65 |
|
| 66 | +# shellcheck disable=SC2086 |
38 | 67 | mvn ${MAVEN_ARGS} -Dorg.slf4j.simpleLogger.defaultLogLevel=WARN org.owasp:dependency-check-maven:aggregate \ |
39 | | - -f ${WS_DIR}/pom.xml \ |
| 68 | + -f "${WS_DIR}"/pom.xml \ |
40 | 69 | -Dtop.parent.basedir="${WS_DIR}" \ |
41 | | - -Dnvd-api-key=${NVD_API_KEY} \ |
42 | | - > ${RESULT_FILE} || die "Error running the Maven command" |
| 70 | + -DnvdApiKey="${NVD_API_KEY}" \ |
| 71 | + ${OSS_INDEX_OPTIONS} \ |
| 72 | + > "${RESULT_FILE}" || die "Error running the Maven command" |
43 | 73 |
|
44 | | -grep -i "One or more dependencies were identified with known vulnerabilities" ${RESULT_FILE} \ |
| 74 | +grep -i "One or more dependencies were identified with known vulnerabilities" "${RESULT_FILE}" \ |
45 | 75 | && die "CVE SCAN ERROR" || echo "CVE SCAN OK" |
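Review bot: The new OSS Index block (new lines 59–61 and 71) puts `OSS_INDEX_PASSWORD` and `NVD_API_KEY` on the mvn command line, where they are visible to every other user via `ps` and will be printed verbatim by any `bash -x` run of this script; the `set +x` in `on_error` only fires after the mvn line has already been traced. If the dependency-check-maven version in use supports it, the credentials should come from a `settings.xml` `<server>` entry referenced with `-DossIndexServerId=…` (and the corresponding NVD server-id option) so nothing secret appears on argv. Independently, `${OSS_INDEX_OPTIONS}` is expanded unquoted on new line 71, so a password containing whitespace or glob characters is split into several arguments and the authentication silently fails; building the options as an array and expanding `"${OSS_INDEX_OPTIONS[@]}"` fixes that without changing behaviour for simple values. The ERR-trap/strict-mode setup at the top of the file also means a non-zero `mktemp` or `cd` now aborts the script, which is fine, but `RESULT_FILE` is never removed — a `trap 'rm -f -- "${RESULT_FILE}"' EXIT` after the `readonly` would keep credentials-bearing Maven output from lingering in the temp dir.

```shell
# Credentials are still passed on argv here; see note about -DossIndexServerId.
OSS_INDEX_OPTIONS=(-DossindexAnalyzerEnabled=false)
if [ -n "${OSS_INDEX_PASSWORD}" ] && [ -n "${OSS_INDEX_USERNAME}" ]; then
  OSS_INDEX_OPTIONS=(-DossindexAnalyzerEnabled=true
    "-DossIndexUsername=${OSS_INDEX_USERNAME}"
    "-DossIndexPassword=${OSS_INDEX_PASSWORD}")
fi

# … unchanged: NVD_API_KEY comment …
# shellcheck disable=SC2086
mvn ${MAVEN_ARGS} -Dorg.slf4j.simpleLogger.defaultLogLevel=WARN org.owasp:dependency-check-maven:aggregate \
  -f "${WS_DIR}"/pom.xml \
  -Dtop.parent.basedir="${WS_DIR}" \
  -DnvdApiKey="${NVD_API_KEY}" \
  "${OSS_INDEX_OPTIONS[@]}" \
  > "${RESULT_FILE}" || die "Error running the Maven command"
```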