├── .github
    ├── CODEOWNERS
    ├── dependabot.yml
    └── workflows
    │   └── jenkins-security-scan.yml
├── docs
    └── images
    │   ├── workflow.png
    │   ├── build_options.png
    │   ├── build_report.png
    │   ├── build_summary.png
    │   └── freestyle_build_step.png
├── src
    └── main
    │   ├── webapp
    │       ├── images
    │       │   └── anchore.png
    │       ├── help
    │       │   ├── help-Annotations.html
    │       │   ├── help-OverrideAEURL.html
    │       │   ├── help-OverrideAEAccount.html
    │       │   └── help-OverrideAECredentials.html
    │       ├── css
    │       │   └── anchore.css
    │       └── js
    │       │   └── renderOutput.js
    │   ├── resources
    │       ├── com
    │       │   └── anchore
    │       │   │   └── jenkins
    │       │   │       └── plugins
    │       │   │           └── anchore
    │       │   │               ├── AnchoreBuilder
    │       │   │                   ├── help-engineurl.html
    │       │   │                   ├── help-engineaccount.html
    │       │   │                   ├── help-enginepass.html
    │       │   │                   ├── help-engineuser.html
    │       │   │                   ├── help-anchoreioPass.html
    │       │   │                   ├── help-debug.html
    │       │   │                   ├── help-engineRetryInterval.html
    │       │   │                   ├── help-anchoreioUser.html
    │       │   │                   ├── help-engineRetries.html
    │       │   │                   ├── help-forceAnalyze.html
    │       │   │                   ├── help-bailOnFail.html
    │       │   │                   ├── help-bailOnPluginFail.html
    │       │   │                   ├── help-policyBundleId.html
    │       │   │                   ├── help-anchoreui.html
    │       │   │                   ├── help-autoSubscribeTagUpdates.html
    │       │   │                   ├── help-name.html
    │       │   │                   ├── help-excludeFromBaseImage.html
    │       │   │                   ├── global.jelly
    │       │   │                   └── config.jelly
    │       │   │               ├── Annotation
    │       │   │                   └── config.jelly
    │       │   │               ├── AnchoreAction
    │       │   │                   ├── summary.jelly
    │       │   │                   └── index.jelly
    │       │   │               └── AnchoreProjectAction
    │       │   │                   ├── detailGraph.jelly
    │       │   │                   ├── jobMain.jelly
    │       │   │                   └── floatingBox.jelly
    │       └── index.jelly
    │   └── java
    │       └── com
    │           └── anchore
    │               └── jenkins
    │                   └── plugins
    │                       └── anchore
    │                           ├── Util.java
    │                           ├── Annotation.java
    │                           ├── ConsoleLog.java
    │                           ├── BuildConfig.java
    │                           ├── AnchoreAction.java
    │                           ├── AnchoreProjectAction.java
    │                           ├── AnchoreBuilder.java
    │                           └── BuildWorker.java
├── .gitignore
├── Makefile
├── TESTING.md
├── pom.xml
├── README.md
└── LICENSE


/.github/CODEOWNERS:
--------------------------------------------------------------------------------
1 | * @bradleyjones
2 | 


--------------------------------------------------------------------------------
/docs/images/workflow.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jenkinsci/anchore-container-scanner-plugin/master/docs/images/workflow.png


--------------------------------------------------------------------------------
/docs/images/build_options.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jenkinsci/anchore-container-scanner-plugin/master/docs/images/build_options.png


--------------------------------------------------------------------------------
/docs/images/build_report.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jenkinsci/anchore-container-scanner-plugin/master/docs/images/build_report.png


--------------------------------------------------------------------------------
/docs/images/build_summary.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jenkinsci/anchore-container-scanner-plugin/master/docs/images/build_summary.png


--------------------------------------------------------------------------------
/src/main/webapp/images/anchore.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jenkinsci/anchore-container-scanner-plugin/master/src/main/webapp/images/anchore.png


--------------------------------------------------------------------------------
/docs/images/freestyle_build_step.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jenkinsci/anchore-container-scanner-plugin/master/docs/images/freestyle_build_step.png


--------------------------------------------------------------------------------
/src/main/resources/com/anchore/jenkins/plugins/anchore/AnchoreBuilder/help-engineurl.html:
--------------------------------------------------------------------------------
1 | <div>
2 | 
3 |   Anchore Enterprise URL
4 | 
5 | </div>
6 | 


--------------------------------------------------------------------------------
/src/main/resources/com/anchore/jenkins/plugins/anchore/AnchoreBuilder/help-engineaccount.html:
--------------------------------------------------------------------------------
1 | <div>
2 | 
3 |   Anchore Enterprise account
4 | 
5 | </div>
6 | 


--------------------------------------------------------------------------------
/src/main/resources/com/anchore/jenkins/plugins/anchore/AnchoreBuilder/help-enginepass.html:
--------------------------------------------------------------------------------
1 | <div>
2 | 
3 |   Password of the Anchore Enterprise user
4 | 
5 | </div>
6 | 


--------------------------------------------------------------------------------
/src/main/resources/com/anchore/jenkins/plugins/anchore/AnchoreBuilder/help-engineuser.html:
--------------------------------------------------------------------------------
1 | <div>
2 | 
3 |   Username of the Anchore Enterprise user
4 | 
5 | </div>
6 | 


--------------------------------------------------------------------------------
/src/main/webapp/help/help-Annotations.html:
--------------------------------------------------------------------------------
1 | <div>
2 | 
3 |   Annotations in key-value form to be associated with the image added to Anchore Enterprise
4 | 
5 | </div>
6 | 


--------------------------------------------------------------------------------
/src/main/resources/com/anchore/jenkins/plugins/anchore/AnchoreBuilder/help-anchoreioPass.html:
--------------------------------------------------------------------------------
1 | <div>
2 | 
3 |   Your password for the associated username on https://anchore.io
4 | 
5 | </div>
6 | 


--------------------------------------------------------------------------------
/src/main/resources/com/anchore/jenkins/plugins/anchore/AnchoreBuilder/help-debug.html:
--------------------------------------------------------------------------------
1 | <div>
2 | 
3 |   If selected, the plugin will output DEBUG level messages to console log.
4 | 
5 | </div>
6 | 


--------------------------------------------------------------------------------
/src/main/resources/com/anchore/jenkins/plugins/anchore/AnchoreBuilder/help-engineRetryInterval.html:
--------------------------------------------------------------------------------
1 | <div>
2 | 
3 |   Interval between polling attempts (in seconds) for the Anchore Enterprise.
4 | 
5 | </div>
6 | 


--------------------------------------------------------------------------------
/.github/dependabot.yml:
--------------------------------------------------------------------------------
 1 | version: 2
 2 | updates:
 3 |   - package-ecosystem: maven
 4 |     directory: "/"
 5 |     schedule:
 6 |       interval: "daily"
 7 |     open-pull-requests-limit: 10
 8 |     commit-message:
 9 |       prefix: "feat"
10 | 


--------------------------------------------------------------------------------
/src/main/resources/index.jelly:
--------------------------------------------------------------------------------
1 | <?jelly escape-by-default='true'?>
2 | <!--
3 |   This view is used to render the installed plugins page.
4 | -->
5 | <div>
6 |   This plugin provides container image scanning using Anchore Enterprise
7 | </div>
8 | 


--------------------------------------------------------------------------------
/src/main/resources/com/anchore/jenkins/plugins/anchore/AnchoreBuilder/help-anchoreioUser.html:
--------------------------------------------------------------------------------
1 | <div>
2 | 
3 |   Your username on https://anchore.io that has access to a custom policy bundle to sync with your local anchore installation
4 | 
5 | </div>
6 | 


--------------------------------------------------------------------------------
/src/main/webapp/help/help-OverrideAEURL.html:
--------------------------------------------------------------------------------
1 | <div>
2 | 
3 |   Override plugin's global settings for Anchore Enterprise URL. The override is applicable only to builds in this job and does not change
4 |   the plugin wide global settings.
5 | 
6 | </div>
7 | 


--------------------------------------------------------------------------------
/src/main/webapp/help/help-OverrideAEAccount.html:
--------------------------------------------------------------------------------
1 | <div>
2 | 
3 |   Override plugin's global settings for Anchore Enterprise account. The override is applicable only to builds in this job and does not change
4 |   the plugin wide global settings.
5 | 
6 | </div>
7 | 


--------------------------------------------------------------------------------
/src/main/webapp/help/help-OverrideAECredentials.html:
--------------------------------------------------------------------------------
1 | <div>
2 | 
3 |   Override plugin's global settings for Anchore Enterprise username and password. The override is applicable only to builds in this job and
4 |   does not change the global settings.
5 | 
6 | </div>
7 | 


--------------------------------------------------------------------------------
/src/main/resources/com/anchore/jenkins/plugins/anchore/AnchoreBuilder/help-engineRetries.html:
--------------------------------------------------------------------------------
1 | <div>
2 | 
3 |   Number of polling attempts to wait for the Anchore Enterprise operation to complete. Time between attempts is determined by the Retry Interval setting.
4 | 
5 | </div>
6 | 


--------------------------------------------------------------------------------
/src/main/resources/com/anchore/jenkins/plugins/anchore/AnchoreBuilder/help-forceAnalyze.html:
--------------------------------------------------------------------------------
1 | <div>
2 | 
3 |   If selected or set to 'true', the Anchore Container Image Scanner step will instruct Anchore Enterprise to force analyze the image.
4 |   Default value: 'false'
5 | 
6 | </div>
7 | 


--------------------------------------------------------------------------------
/src/main/resources/com/anchore/jenkins/plugins/anchore/AnchoreBuilder/help-bailOnFail.html:
--------------------------------------------------------------------------------
1 | <div>
2 | 
3 |   If selected or set to 'true', the Anchore Container Image Scanner step will cause the build to fail if the policy evaluation result
4 |   is FAIL. Default value: 'true'
5 | 
6 | </div>
7 | 


--------------------------------------------------------------------------------
/src/main/resources/com/anchore/jenkins/plugins/anchore/AnchoreBuilder/help-bailOnPluginFail.html:
--------------------------------------------------------------------------------
1 | <div>
2 | 
3 |   If selected or set to 'true', the Anchore Container Image Scanner step will cause the build to fail if the plugin encounters an
4 |   error. Default value: 'true'
5 | 
6 | </div>
7 | 


--------------------------------------------------------------------------------
/src/main/resources/com/anchore/jenkins/plugins/anchore/AnchoreBuilder/help-policyBundleId.html:
--------------------------------------------------------------------------------
1 | <div>
2 | 
3 |   ID of the policy bundle on Anchore Enterprise to be used for policy evaluations. If empty, the policy bundle marked active on
4 |   Anchore Enterprise will be used by default.
5 | 
6 | </div>
7 | 


--------------------------------------------------------------------------------
/src/main/resources/com/anchore/jenkins/plugins/anchore/AnchoreBuilder/help-anchoreui.html:
--------------------------------------------------------------------------------
1 | <div>
2 | 
3 |   Anchore Enterprise UI URL: The URL of the Anchore Enterprise dashboard. If this is set then links to the Anchore Enterprise UI will be displayed in the Anchore report seen within Jenkins.
4 | 
5 | </div>
6 | 


--------------------------------------------------------------------------------
/src/main/resources/com/anchore/jenkins/plugins/anchore/AnchoreBuilder/help-autoSubscribeTagUpdates.html:
--------------------------------------------------------------------------------
1 | <div>
2 | 
3 |   If selected or set to 'true', the Anchore Container Image Scanner step will instruct Anchore Enterprise to automatically begin watching
4 |   the added tag for updates from registry. Default value: 'true'
5 | 
6 | </div>
7 | 


--------------------------------------------------------------------------------
/src/main/resources/com/anchore/jenkins/plugins/anchore/Annotation/config.jelly:
--------------------------------------------------------------------------------
 1 | <?jelly escape-by-default='true'?>
 2 | <j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">
 3 | 
 4 |   <f:entry title="Key" field="key">
 5 |     <f:textbox/>
 6 |   </f:entry>
 7 | 
 8 |   <f:entry title="Value" field="value">
 9 |     <f:textbox/>
10 |   </f:entry>
11 | 
12 | </j:jelly>
13 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | *.class
 2 | 
 3 | # Mobile Tools for Java (J2ME)
 4 | .mtj.tmp/
 5 | 
 6 | # Package Files #
 7 | *.jar
 8 | *.war
 9 | *.ear
10 | 
11 | # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
12 | hs_err_pid*
13 | 
14 | # build stuff
15 | target/
16 | 
17 | # IDE
18 | .idea
19 | *.iml
20 | 
21 | # hpi:run data
22 | /work/
23 | 
24 | # OS
25 | .DS_Store
26 | 


--------------------------------------------------------------------------------
/src/main/webapp/css/anchore.css:
--------------------------------------------------------------------------------
 1 | table {
 2 |   border-collapse: collapse;
 3 |   width: 100%;
 4 | }
 5 | 
 6 | th, td {
 7 |   text-align: left;
 8 |   padding: 8px;
 9 |   transition: all 0.3s;
10 | }
11 | 
12 | tr:nth-child(even) {
13 |   background-color: #eaf2f3
14 | }
15 | 
16 | th {
17 |   background-color: #3c7fe2;;
18 |   color: #EEDC00;
19 | }
20 | 
21 | tr td:hover {
22 |   background: #5BC2E7;
23 |   color: #FFFFFF;
24 | }


--------------------------------------------------------------------------------
/src/main/resources/com/anchore/jenkins/plugins/anchore/AnchoreBuilder/help-name.html:
--------------------------------------------------------------------------------
1 | <div>
2 | 
3 |   Name of the file that contains a list of container images for anchore to analyze, evaluate policy, and run queries against. The
4 |   format for each line is "imageId /path/to/Dockerfile", where the Dockerfile is optional. This file must be made available (created by
5 |   a prior step) to Anchore Container Image Scanner plugin.
6 | 
7 | </div>
8 | 


--------------------------------------------------------------------------------
/src/main/resources/com/anchore/jenkins/plugins/anchore/AnchoreAction/summary.jelly:
--------------------------------------------------------------------------------
 1 | <?jelly escape-by-default='true'?>
 2 | <j:jelly xmlns:j="jelly:core" xmlns:d="jelly:define" xmlns:l="/lib/layout"
 3 |          xmlns:t="/lib/hudson" xmlns:f="/lib/form" xmlns:i="jelly:fmt">
 4 | 
 5 |     <t:summary href="anchore-results" icon="/plugin/anchore-container-scanner/images/anchore.png">
 6 |       <a href="anchore-results">Anchore Report (${it.gateStatus})</a>
 7 |     </t:summary>
 8 | 
 9 | </j:jelly>
10 | 


--------------------------------------------------------------------------------
/src/main/resources/com/anchore/jenkins/plugins/anchore/AnchoreProjectAction/detailGraph.jelly:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <?jelly escape-by-default='true'?>
 3 | <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form" xmlns:i="jelly:fmt">
 4 |   <l:layout title="Anchore trend chart">
 5 |     <st:include page="sidepanel.jelly" it="${it.job}" />
 6 |     <l:main-panel>
 7 |       <div>
 8 |         <img src="trendGraph/png?${request.queryString}" lazymap="trendGraph/map?rel=../&amp;${request.queryString}" alt="[Anchore trend chart]"/>
 9 |       </div>
10 |     </l:main-panel>
11 |   </l:layout>
12 | </j:jelly>
13 | 


--------------------------------------------------------------------------------
/.github/workflows/jenkins-security-scan.yml:
--------------------------------------------------------------------------------
 1 | name: Jenkins Security Scan
 2 | 
 3 | on:
 4 |   push:
 5 |     branches:
 6 |       - master
 7 |   pull_request:
 8 |     types: [ opened, synchronize, reopened ]
 9 |   workflow_dispatch:
10 | 
11 | permissions:
12 |   security-events: write
13 |   contents: read
14 |   actions: read
15 | 
16 | jobs:
17 |   security-scan:
18 |     uses: jenkins-infra/jenkins-security-scan/.github/workflows/jenkins-security-scan.yaml@v2
19 |     with:
20 |       java-cache: 'maven' # Optionally enable use of a build dependency cache. Specify 'maven' or 'gradle' as appropriate.
21 |       # java-version: 21 # Optionally specify what version of Java to set up for the build, or remove to use a recent default.
22 | 


--------------------------------------------------------------------------------
/src/main/resources/com/anchore/jenkins/plugins/anchore/AnchoreBuilder/help-excludeFromBaseImage.html:
--------------------------------------------------------------------------------
 1 | <div>
 2 | 
 3 |   If selected or set to 'true', any match in the Policy or Vulnerability results where Inherited From Base == true will be excluded from the final results tables. This will NOT affect the final policy evaluation status, but will remove inherited vulnerabilities from the final results.
 4 | 
 5 |   This is useful for filtering out inherited vulnerabilities from the final results, as they are not actionable for the image being scanned. However, it is important to note that inherited vulnerabilities are still important to understand the full risk profile of the image. 
 6 | 
 7 |   Default value: 'false'
 8 | 
 9 | </div>
10 | 


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
 1 | .PHONY: build
 2 | build:  # Should be run in project root	- results go in `target/`
 3 | 	docker volume create --name maven-repo && \
 4 | 	docker run --rm -it \
 5 | 		-v maven-repo:/root/.m2 \
 6 | 		-v "${shell pwd}":/usr/src/mymaven \
 7 | 		-w /usr/src/mymaven \
 8 | 		maven:3.9.6-eclipse-temurin-17-focal \
 9 | 		mvn clean install
10 | 
11 | 
12 | .PHONY: run-jenkins
13 | run-jenkins:
14 | 	docker run -p 8080:8080 -p 50000:50000 --restart=on-failure -v jenkins_home:/var/jenkins_home jenkins/jenkins:lts-jdk17
15 | 
16 | 
17 | .PHONY: run-jenkins-oldest  # The minimum version supported by the project
18 | run-jenkins-oldest:
19 | 	docker run -p 8080:8080 -p 50000:50000 --restart=on-failure -v jenkins_home:/var/jenkins_home jenkins/jenkins:2.426.3-lts-jdk11
20 | 


--------------------------------------------------------------------------------
/src/main/resources/com/anchore/jenkins/plugins/anchore/AnchoreProjectAction/jobMain.jelly:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <?jelly escape-by-default='true'?>
 3 | <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:t="/lib/hudson">
 4 |     <table style="margin-top: 1em; margin-left: 1em;">
 5 |         <j:set var="ar" value="${it.job.lastCompletedBuild.getAction(it.class.classLoader.loadClass('com.anchore.jenkins.plugins.anchore.AnchoreAction'))}"/>
 6 |         <j:if test="${ar != null}">
 7 |         	<t:summary href="lastCompletedBuild/${ar.urlName}/" icon="/plugin/anchore-container-scanner/images/anchore.png">
 8 | 		    	<j:out value="Latest Anchore Report (${ar.gateStatus})" />
 9 | 		    </t:summary>
10 |         </j:if>
11 |     </table>
12 | </j:jelly>
13 | 


--------------------------------------------------------------------------------
/src/main/resources/com/anchore/jenkins/plugins/anchore/AnchoreProjectAction/floatingBox.jelly:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <?jelly escape-by-default='true'?>
 3 | <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form" xmlns:i="jelly:fmt">
 4 |   <j:set var="ar" value="${action.lastAnchoreAction}" />
 5 |   <j:if test="${ar.previousResult!=null}">
 6 |     <!-- at least two data points are required for a trend report -->
 7 |     <div align="right" style="position:relative; z-index:1;">
 8 |       <div class="test-trend-caption">
 9 |         Anchore Trend
10 |       </div>
11 |       <div>
12 |         <img src="anchore/trendGraph/png" lazymap="anchore/trendGraph/map" alt="[Anchore trend chart]"/>
13 |       </div>
14 |       <div style="text-align:right">
15 |         <a href="anchore/detailGraph?width=800&amp;height=600">Enlarge</a>
16 |       </div>
17 |     </div>
18 |   </j:if>
19 | </j:jelly>


--------------------------------------------------------------------------------
/src/main/java/com/anchore/jenkins/plugins/anchore/Util.java:
--------------------------------------------------------------------------------
 1 | package com.anchore.jenkins.plugins.anchore;
 2 | 
 3 | import com.google.common.base.Splitter;
 4 | import java.util.regex.Pattern;
 5 | 
 6 | public class Util {
 7 | 
 8 |   // This is probably the slowest way of formatting strings, should do for now but please figure out a better way
 9 |   public static final Splitter IMAGE_LIST_SPLITTER = Splitter.on(Pattern.compile("\\s+")).trimResults().omitEmptyStrings();
10 | 
11 |   public enum GATE_ACTION {STOP, WARN, GO, PASS, FAIL}
12 | 
13 |   public enum LOG_LEVEL {DEBUG, WARN, INFO, ERROR}
14 | 
15 |   public enum GATE_SUMMARY_COLUMN {Repo_Tag, Stop_Actions, Warn_Actions, Go_Actions, Final_Action, Stop_Action_Details}
16 | 
17 |   public enum API_VERSION {v1, v2}
18 | 
19 |   public static final API_VERSION GET_API_VERSION_FROM_URL(String engineUrl) {
20 |     if (engineUrl.endsWith("v2") || engineUrl.endsWith("v2/")){
21 |       return API_VERSION.v2;
22 |     }
23 |     return API_VERSION.v1;
24 |   }
25 | }
26 | 


--------------------------------------------------------------------------------
/src/main/java/com/anchore/jenkins/plugins/anchore/Annotation.java:
--------------------------------------------------------------------------------
 1 | package com.anchore.jenkins.plugins.anchore;
 2 | 
 3 | import hudson.Extension;
 4 | import hudson.model.AbstractDescribableImpl;
 5 | import hudson.model.Descriptor;
 6 | import java.io.Serializable;
 7 | import org.kohsuke.stapler.DataBoundConstructor;
 8 | 
 9 | /**
10 |  * Wrapper class for Anchore query
11 |  */
12 | public class Annotation extends AbstractDescribableImpl<Annotation> implements Serializable {
13 | 
14 |   private static final long serialVersionUID = 1L;
15 | 
16 |   private String key;
17 |   private String value;
18 | 
19 |   public String getKey() {
20 |     return key;
21 |   }
22 | 
23 |   public String getValue() {
24 |     return value;
25 |   }
26 | 
27 |   @DataBoundConstructor
28 |   public Annotation(String key, String value) {
29 |     this.key = key;
30 |     this.value = value;
31 |   }
32 | 
33 |   @Extension
34 |   public static class DescriptorImpl extends Descriptor<Annotation> {
35 | 
36 |     @Override
37 |     public String getDisplayName() {
38 |       return "Anchore Enterprise Image Annotation";
39 |     }
40 |   }
41 | }
42 | 


--------------------------------------------------------------------------------
/src/main/resources/com/anchore/jenkins/plugins/anchore/AnchoreBuilder/global.jelly:
--------------------------------------------------------------------------------
 1 | <?jelly escape-by-default='true'?>
 2 | <j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">
 3 | 
 4 |   <f:section title="Anchore Container Image Scanner">
 5 | 
 6 |     <f:entry title="Anchore Enterprise URL" field="engineurl">
 7 |       <f:textbox name="engineurl" default="http://your_anchore_enterprise_host_ip:your_anchore_enterprise_port/v2"/>
 8 |     </f:entry>
 9 | 
10 |     <f:entry title="Anchore Enterprise UI URL" field="anchoreui">
11 |       <f:textbox name="anchoreui" default=""/>
12 |     </f:entry>
13 | 
14 |     <f:entry title="Anchore Enterprise Username" field="engineuser">
15 |       <f:textbox name="engineuser" default=""/>
16 |     </f:entry>
17 | 
18 |     <f:entry title="Anchore Enterprise Password" field="enginepass">
19 |       <f:password name="enginepass"/>
20 |     </f:entry>
21 | 
22 |     <f:entry title="Anchore Enterprise Account" field="engineaccount">
23 |       <f:textbox name="engineaccount" default=""/>
24 |     </f:entry>
25 | 
26 |     <f:entry title="Verify SSL" field="engineverify">
27 |       <f:checkbox name="engineverify" checked="${descriptor.engineverify}" default="${true}"/>
28 |     </f:entry>
29 | 
30 |     <f:entry title="Enable DEBUG logging" field="debug">
31 |       <f:checkbox name="debug" checked="${descriptor.debug}" default="${false}"/>
32 |     </f:entry>
33 | 
34 |   </f:section>
35 | 
36 | </j:jelly>
37 | 


--------------------------------------------------------------------------------
/src/main/java/com/anchore/jenkins/plugins/anchore/ConsoleLog.java:
--------------------------------------------------------------------------------
 1 | package com.anchore.jenkins.plugins.anchore;
 2 | 
 3 | import hudson.AbortException;
 4 | import java.io.PrintStream;
 5 | import java.util.Date;
 6 | import java.util.logging.Logger;
 7 | 
 8 | /**
 9 |  * Logging mechanism for outputting messages to Jenkins build console
10 |  */
11 | public class ConsoleLog {
12 | 
13 |   private static final Logger LOG = Logger.getLogger(ConsoleLog.class.getName());
14 |   private static final String LOG_FORMAT = "%1$tY-%1$tm-%1$tdT%1$tH:%1$tM:%1$tS.%1$tL %2$-6s %3$-15s %4$s";
15 | 
16 |   private String name;
17 |   private PrintStream logger;
18 |   private boolean enableDebug;
19 | 
20 |   public PrintStream getLogger() {
21 |     return logger;
22 |   }
23 | 
24 |   public boolean isEnableDebug() {
25 |     return enableDebug;
26 |   }
27 | 
28 |   public ConsoleLog(String name, PrintStream logger, boolean enableDebug) throws AbortException {
29 |     if (null != logger) {
30 |       this.name = name;
31 |       this.logger = logger;
32 |       this.enableDebug = enableDebug;
33 |     } else {
34 |       LOG.warning("Cannot instantiate console logger");
35 |       throw new AbortException("Cannot instantiate console logger");
36 |     }
37 |   }
38 | 
39 |   public void logDebug(String msg) {
40 |     if (enableDebug) {
41 |       logger.println(String.format(LOG_FORMAT, new Date(), "DEBUG", name, msg));
42 |     }
43 |   }
44 | 
45 |   public void logDebug(String msg, Throwable t) {
46 |     logDebug(msg);
47 |     if (null != t) {
48 |       t.printStackTrace(logger);
49 |     }
50 |   }
51 | 
52 |   public void logInfo(String msg) {
53 |     logger.println(String.format(LOG_FORMAT, new Date(), "INFO", name, msg));
54 |   }
55 | 
56 |   public void logWarn(String msg) {
57 |     logger.println(String.format(LOG_FORMAT, new Date(), "WARN", name, msg));
58 |   }
59 | 
60 |   public void logWarn(String msg, Throwable t) {
61 |     logWarn(msg);
62 |     if (null != t) {
63 |       t.printStackTrace(logger);
64 |     }
65 |   }
66 | 
67 |   public void logError(String msg) {
68 |     logger.println(String.format(LOG_FORMAT, new Date(), "ERROR", name, msg));
69 |   }
70 | 
71 |   public void logError(String msg, Throwable t) {
72 |     logError(msg);
73 |     if (null != t) {
74 |       t.printStackTrace(logger);
75 |     }
76 |   }
77 | }
78 | 


--------------------------------------------------------------------------------
/TESTING.md:
--------------------------------------------------------------------------------
 1 | # Local development testing
 2 | ## Deploying a test build
 3 | 
 4 | A build can be executed using the Makefile command `make build`
 5 | 
 6 | It is important you bump the version in `pom.xml` prior to starting a build.
 7 | 
 8 | The build will run some tests, linting and if all compliant will produce a `.hpi` file in `anchore-container-scanner-plugin/target/anchore-container-scanner.hpi`
 9 | 
10 | You can upload this .hpi file into Jenkins using the `Deploy Plugin` section in `Dashboard > Manage Jenkins > Plugins > Advanced settings`.
11 | 
12 | > ** You *must* restart Jenkins for the new plugin to take effect, every time any plugin is changed**
13 | 
14 | You should check that the Anchore Container Scanner plugin settings pane appears in the `Manage Jenkins > System` page. 
15 | Sometimes the plugin install borks and you need to uninstall it within Jenkins (restart Jenkins), rebuild it (`make build`) and re-install it (restart Jenkins).
16 | 
17 | ## Configuring the plugin within Jenkins
18 | 
19 | Run Anchore Enterprise locally so it is available on your machines localhost.
20 | 
21 | Within Jenkins go to `Manage Jenkins > System` and find the Anchore settings section.
22 | 
23 | For `Anchore Enterprise URL` enter `http://host.docker.internal:8228/v2`
24 | 
25 | Tick `Enable DEBUG logging` for testing as it helps troubleshooting.
26 | 
27 | 
28 | ## Setting up a test job
29 | 
30 | Each job can have its own Enterprise override configuration. This can be useful if A/B testing APIs or other systems within Enterprise.
31 | 
32 | From the Jenkins Dashboard click `New Item`, enter a name, then select `Freestyle project`.
33 | 
34 | The way the Anchore plugin works, is by reading a line of image tags from a file, and sending those to Enterprise for analysis. By default this file is called `anchore_images`.
35 | 
36 | This is usually populated by a real test workload, but we can mock it by adding a `Build step` of type `Execute Shell`. Then enter something like the following:
37 | 
38 | ```
39 | echo 'alpine:latest' > anchore_images
40 | echo 'node:5.5-slim' >> anchore_images
41 | ```
42 | 
43 | > These images must be pullable by Enterprise, so if they're private ensure you have registry credentials within Enterprise. Registry credentials within Enterprise will also help bypass the Docker pull rate limit.
44 | 
45 | Then add a `Build Step` of `Anchore Container Image Scanner`, here you can override any of the default settings, but usually the default config will be enough.
46 | 
47 | Save the new `Freestyle Job` and it will appear in the Dashboard. From here you can execute it by clicking `Build Now`
48 | 
49 | Anchore will gate the Job based on if the images passed the specified/default policy. Once a build is complete a new tab called `Anchore Report` will appear in the left hand menu.
50 | 


--------------------------------------------------------------------------------
/src/main/resources/com/anchore/jenkins/plugins/anchore/AnchoreBuilder/config.jelly:
--------------------------------------------------------------------------------
 1 | <?jelly escape-by-default='true'?>
 2 | <j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form" xmlns:c="/lib/credentials">
 3 | 
 4 |   <f:section title="Anchore Build Options">
 5 | 
 6 |     <f:entry title="Image list file" field="name">
 7 |       <f:textbox default="${descriptor.DEFAULT_NAME}"/>
 8 |     </f:entry>
 9 | 
10 |     <f:entry title="Fail build on policy evaluation FAIL result" field="bailOnFail">
11 |       <f:checkbox name="bailOnFail" checked="${instance.bailOnFail}" default="${descriptor.DEFAULT_BAIL_ON_FAIL}"/>
12 |     </f:entry>
13 | 
14 |     <f:entry title="Fail build on critical plugin error" field="bailOnPluginFail">
15 |       <f:checkbox name="bailOnPluginFail" checked="${instance.bailOnPluginFail}" default="${descriptor.DEFAULT_BAIL_ON_PLUGIN_FAIL}"/>
16 |     </f:entry>
17 | 
18 |     <f:entry title="Anchore Enterprise operation retries" field="engineRetries">
19 |       <f:textbox default="${descriptor.DEFAULT_ENGINE_RETRIES}"/>
20 |     </f:entry>
21 | 
22 |     <f:entry title="Anchore Enterprise operation retry interval" field="engineRetryInterval">
23 |       <f:textbox default="${descriptor.DEFAULT_ENGINE_RETRY_INTERVAL}"/>
24 |     </f:entry>
25 | 
26 |     <f:entry title="Anchore Enterprise policy bundle ID" field="policyBundleId">
27 |       <f:textbox default="${descriptor.DEFAULT_POLICY_BUNDLE_ID}"/>
28 |     </f:entry>
29 | 
30 |     <f:entry title="Anchore Enterprise image annotations" help="/plugin/anchore-container-scanner/help/help-Annotations.html">
31 |       <f:repeatableProperty field="annotations" noAddButton="false" add="Add annotation" default="${null}">
32 |         <f:entry>
33 |           <div align="right">
34 |             <f:repeatableDeleteButton/>
35 |           </div>
36 |         </f:entry>
37 |       </f:repeatableProperty>
38 |     </f:entry>
39 | 
40 |     <f:entry title="Anchore Enterprise auto-subscribe tag updates" field="autoSubscribeTagUpdates">
41 |       <f:checkbox name="autoSubscribeTagUpdates" checked="${instance.autoSubscribeTagUpdates}" default="${descriptor.DEFAULT_AUTOSUBSCRIBE_TAG_UPDATES}"/>
42 |     </f:entry>
43 | 
44 |     <f:entry title="Anchore Enterprise force image analysis" field="forceAnalyze">
45 |       <f:checkbox name="forceAnalyze" checked="${instance.forceAnalyze}" default="${descriptor.DEFAULT_FORCE_ANALYZE}"/>
46 |     </f:entry>
47 | 
48 |     <f:entry title="Exclude 'Inherited From Base' from results" field="excludeFromBaseImage">
49 |       <f:checkbox name="excludeFromBaseImage" checked="${instance.excludeFromBaseImage}" default="${descriptor.DEFAULT_EXCLUDE_FROM_BASE_IMAGE}"/>
50 |     </f:entry>
51 | 
52 |     <f:section title="Override Global Configuration">
53 |       <f:entry title="Anchore Enterprise URL" field="engineurl" help="/plugin/anchore-container-scanner/help/help-OverrideAEURL.html">
54 |         <f:textbox name="engineurl" default=""/>
55 |       </f:entry>
56 | 
57 |       <f:entry field="engineCredentialsId" title="Anchore Enterprise credentials"
58 |         help="/plugin/anchore-container-scanner/help/help-OverrideAECredentials.html">
59 |         <c:select/>
60 |       </f:entry>
61 | 
62 |       <f:entry title="Anchore Enterprise account" field="engineaccount" help="/plugin/anchore-container-scanner/help/help-OverrideAEAccount.html">
63 |         <f:textbox name="engineaccount" default=""/>
64 |       </f:entry>
65 | 
66 |       <f:entry title="Anchore Enterprise verify SSL" field="engineverify">
67 |         <f:checkbox name="engineverify" checked="${instance.engineverify}" default="${false}"/>
68 |       </f:entry>
69 |     </f:section>
70 | 
71 |   </f:section>
72 | </j:jelly>
73 | 


--------------------------------------------------------------------------------
/src/main/java/com/anchore/jenkins/plugins/anchore/BuildConfig.java:
--------------------------------------------------------------------------------
  1 | package com.anchore.jenkins.plugins.anchore;
  2 | 
  3 | 
  4 | import com.anchore.jenkins.plugins.anchore.Util.API_VERSION;
  5 | import java.util.List;
  6 | 
  7 | /**
  8 |  * Holder for all Anchore configuration - includes global and project level attributes. A convenience class for capturing a snapshot of
  9 |  * the config at the beginning of plugin execution and caching it for use during that specific execution
 10 |  */
 11 | public class BuildConfig {
 12 | 
 13 |   // Build configuration
 14 |   private String name;
 15 |   private String engineRetries;
 16 |   private String engineRetryInterval;
 17 |   private boolean bailOnFail;
 18 |   private boolean bailOnPluginFail;
 19 |   private String policyBundleId;
 20 |   private List<Annotation> annotations;
 21 |   private boolean autoSubscribeTagUpdates;
 22 |   private boolean forceAnalyze;
 23 |   private boolean excludeFromBaseImage;
 24 | 
 25 |   // Global configuration
 26 |   private boolean debug;
 27 |   private String anchoreui;
 28 |   private String engineurl;
 29 |   private String engineuser;
 30 |   private String enginepass;
 31 |   private String engineaccount;
 32 |   private boolean engineverify;
 33 |   private API_VERSION engineApiVersion;
 34 | 
 35 |   public BuildConfig(String name, String engineRetries, String engineRetryInterval, boolean bailOnFail, boolean bailOnPluginFail,
 36 |       String policyBundleId, List<Annotation> annotations, boolean autoSubscribeTagUpdates, boolean forceAnalyze, boolean excludeFromBaseImage,
 37 |       boolean debug, String anchoreui, String engineurl, String engineuser, String enginepass, String engineaccount, boolean engineverify) {
 38 |     this.name = name;
 39 |     this.engineRetries = engineRetries;
 40 |     this.engineRetryInterval = engineRetryInterval;
 41 |     this.bailOnFail = bailOnFail;
 42 |     this.bailOnPluginFail = bailOnPluginFail;
 43 |     this.policyBundleId = policyBundleId;
 44 |     this.annotations = annotations;
 45 |     this.autoSubscribeTagUpdates = autoSubscribeTagUpdates;
 46 |     this.forceAnalyze = forceAnalyze;
 47 |     this.excludeFromBaseImage = excludeFromBaseImage;
 48 |     this.debug = debug;
 49 |     this.anchoreui = anchoreui;
 50 |     this.engineurl = engineurl;
 51 |     this.engineuser = engineuser;
 52 |     this.enginepass = enginepass;
 53 |     this.engineaccount = engineaccount;
 54 |     this.engineverify = engineverify;
 55 |     this.engineApiVersion = Util.GET_API_VERSION_FROM_URL(engineurl);
 56 |   }
 57 | 
 58 |   public String getName() {
 59 |     return name;
 60 |   }
 61 | 
 62 |   public String getEngineRetries() {
 63 |     return engineRetries;
 64 |   }
 65 | 
 66 |   public String getEngineRetryInterval() {
 67 |     return engineRetryInterval;
 68 |   }
 69 | 
 70 |   public boolean getBailOnFail() {
 71 |     return bailOnFail;
 72 |   }
 73 | 
 74 |   public boolean getBailOnPluginFail() {
 75 |     return bailOnPluginFail;
 76 |   }
 77 | 
 78 |   public String getPolicyBundleId() {
 79 |     return policyBundleId;
 80 |   }
 81 | 
 82 |   public List<Annotation> getAnnotations() {
 83 |     return annotations;
 84 |   }
 85 | 
 86 |   public boolean getAutoSubscribeTagUpdates() {
 87 |     return autoSubscribeTagUpdates;
 88 |   }
 89 | 
 90 |   public boolean getForceAnalyze() {
 91 |     return forceAnalyze;
 92 |   }
 93 | 
 94 |   public boolean getExcludeFromBaseImage() {
 95 |     return excludeFromBaseImage;
 96 |   }
 97 | 
 98 |   public boolean getDebug() {
 99 |     return debug;
100 |   }
101 | 
102 |   public String getAnchoreui() {
103 |     return anchoreui;
104 |   }
105 | 
106 |   public String getEngineurl() {
107 |     return engineurl;
108 |   }
109 | 
110 |   public String getEngineuser() {
111 |     return engineuser;
112 |   }
113 | 
114 |   public String getEnginepass() {
115 |     return enginepass;
116 |   }
117 | 
118 |   public String getEngineaccount() {
119 |     return engineaccount;
120 |   }
121 | 
122 |   public boolean getEngineverify() {
123 |     return engineverify;
124 |   }
125 | 
126 |   public API_VERSION getEngineApiVersion() {
127 |     return engineApiVersion;
128 |   }
129 | 
130 |   public void print(ConsoleLog consoleLog) {
131 |     consoleLog.logInfo("[global] debug: " + String.valueOf(debug));
132 | 
133 |     // Global or build properties
134 |     consoleLog.logInfo("[build] engineurl: " + engineurl);
135 |     consoleLog.logInfo("[build] engineuser: " + engineuser);
136 |     consoleLog.logInfo("[build] enginepass: " + "****");
137 |     consoleLog.logInfo("[build] engineaccount: " + engineaccount);
138 |     consoleLog.logInfo("[build] engineverify: " + String.valueOf(engineverify));
139 | 
140 |     // Build properties
141 |     consoleLog.logInfo("[build] name: " + name);
142 |     consoleLog.logInfo("[build] engineRetries: " + engineRetries);
143 |     consoleLog.logInfo("[build] engineRetryInterval: " + engineRetryInterval);
144 |     consoleLog.logInfo("[build] policyBundleId: " + policyBundleId);
145 |     if (null != annotations && !annotations.isEmpty()) {
146 |       for (Annotation a : annotations) {
147 |         consoleLog.logInfo("[build] annotation: " + a.getKey() + "=" + a.getValue());
148 |       }
149 |     }
150 |     consoleLog.logInfo("[build] bailOnFail: " + bailOnFail);
151 |     consoleLog.logInfo("[build] bailOnPluginFail: " + bailOnPluginFail);
152 |   }
153 | }
154 | 


--------------------------------------------------------------------------------
/src/main/resources/com/anchore/jenkins/plugins/anchore/AnchoreAction/index.jelly:
--------------------------------------------------------------------------------
  1 | <?jelly escape-by-default='true'?>
  2 | <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
  3 |   <l:layout title="${it.pageTitle}" norefresh="true">
  4 |     <st:include it="${it.build}" page="sidepanel.jelly" />
  5 | 
  6 |     <l:main-panel>
  7 |       <j:choose>
  8 |         <j:when test="${!empty(it.gateOutputUrl)}">
  9 | 
 10 |           <link rel="stylesheet" type="text/css" href="${resURL}/plugin/anchore-container-scanner/css/bootstrap.min.css"/>
 11 |           <style type="text/css">
 12 |             .page-header {
 13 |               margin: 0;
 14 |               padding-bottom: 0;
 15 |               border-bottom: 0;
 16 |             }
 17 |             html {
 18 |               font-size: 16px;
 19 |             }
 20 |           </style>
 21 |           <link rel="stylesheet" type="text/css" href="${resURL}/plugin/anchore-container-scanner/css/dataTables.bootstrap.min.css"/>
 22 | 
 23 |           <script type="text/javascript" src="${resURL}/plugin/anchore-container-scanner/js/jquery.min.js"></script>
 24 |           <!-- To prevent conflicts with Jenkins prototype.js. Otherwise tabs go missing after moving to the next tab -->
 25 |           <script>
 26 |             jQuery.noConflict(); <!-- To prevent overwriting $ function -->
 27 |             var disablePrototypeJS = function (method, pluginsToDisable) {
 28 |               var handler = function (event) {
 29 |                 event.target[method] = undefined;
 30 |                 setTimeout(function () {
 31 |                   delete event.target[method];
 32 |                 }, 0);
 33 |               };
 34 |               pluginsToDisable.each(function (plugin) {
 35 |                 jQuery(window).on(method + '.bs.' + plugin, handler);
 36 |               });
 37 |             },
 38 |             pluginsToDisable = ['collapse', 'dropdown', 'modal', 'tooltip', 'popover', 'tab'];
 39 |             disablePrototypeJS('show', pluginsToDisable);
 40 |             disablePrototypeJS('hide', pluginsToDisable);
 41 |           </script>
 42 |           <script type="text/javascript" src="${resURL}/plugin/anchore-container-scanner/js/bootstrap.min.js"></script>
 43 |           <script type="text/javascript" src="${resURL}/plugin/anchore-container-scanner/js/jquery.dataTables.min.js"></script>
 44 |           <script type="text/javascript" src="${resURL}/plugin/anchore-container-scanner/js/dataTables.bootstrap.min.js"></script>
 45 |           <script type="text/javascript" src="${resURL}/plugin/anchore-container-scanner/js/renderOutput.js"></script>
 46 | 
 47 |           <div>
 48 | 
 49 |             <!-- Nav tabs -->
 50 |             <ul class="nav nav-pills" role="tablist" style="height: 50px;">
 51 |               <li role="presentation" class="active"><a href="#gates" aria-controls="gates" role="tab" data-toggle="tab">Policy</a></li>
 52 |               <j:set var="counter" value="0"/>
 53 |               <j:forEach var="e" items="${it.queryOutputUrls}">
 54 |                 <j:set var="counter" value="${counter + 1}"/>
 55 |                 <li role="presentation"><a href="#query${counter}" aria-controls="query${counter}" role="tab" data-toggle="tab">${e.key}</a></li>
 56 |               </j:forEach>
 57 |               <j:if test="${!empty(it.cveListingUrl)}">
 58 |                 <li role="presentation"><a href="#security" aria-controls="security" role="tab" data-toggle="tab">Security</a></li>
 59 |               </j:if>
 60 |             </ul>
 61 | 
 62 |             <!-- Tab panes -->
 63 |             <div class="tab-content">
 64 |               <div role="tabpanel" class="tab-pane active fade in" id="gates">
 65 |                 <j:if test="${!empty(it.gateSummary)}">
 66 |                   <h3 style="margin-bottom: 30px;">Anchore Policy Evaluation Summary</h3>
 67 |                   <style>#gates_summary_table_wrapper {float: left; width: 100%; margin-bottom: 50px;}</style>
 68 |                   <table id="gates_summary_table" class="table table-striped table-bordered dataTable no-footer" style="width: 100%;"></table>
 69 |                   <script type="text/javascript">
 70 |                     buildPolicyEvalSummaryTable("#gates_summary_table", ${it.gateSummary});
 71 |                   </script>
 72 |                 </j:if>
 73 | 
 74 |                 <h3 style="margin-bottom: 30px;">Anchore Policy Evaluation Report</h3>
 75 |                 <!-- <style>#gates_table_wrapper {width: 100%;}</style> -->
 76 |                 <style>#gates_table_wrapper {float: left; width: 100%; margin-bottom: 50px;}</style>
 77 |                 <table id="gates_table" class="table table-striped table-bordered dataTable no-footer" style="width: 100%;"></table>
 78 |                 <script type="text/javascript">
 79 |                   buildPolicyEvalTable("#gates_table", "${it.gateOutputUrl}");
 80 |                 </script>
 81 |               </div>
 82 |               <j:set var="counter" value="0"/>
 83 |               <j:forEach var="e" items="${it.queryOutputUrls}">
 84 |                 <j:set var="counter" value="${counter + 1}"/>
 85 |                 <div role="tabpanel" class="tab-pane fade" id="query${counter}">
 86 |                   <h3 style="margin-bottom: 30px;">Anchore Image Query Report (${e.key})</h3>
 87 |                   <style>#query${counter}_table_wrapper {float: left; width: 100%; margin-bottom: 50px;}</style>
 88 |                   <table id="query${counter}_table" class="table table-striped table-bordered dataTable no-footer" style="width: 100%;"></table>
 89 |                   <script type="text/javascript">
 90 |                     buildTableFromAnchoreOutput("#query${counter}_table", "${e.value}");
 91 |                   </script>
 92 |                 </div>
 93 |               </j:forEach>
 94 | 
 95 |               <j:if test="${!empty(it.cveListingUrl)}">
 96 |                 <div role="tabpanel" class="tab-pane fade" id="security">
 97 |                   <h3 style="margin-bottom: 30px;">Common Vulnerabilities and Exposures (CVE) List</h3>
 98 |                   <style>#security_table_wrapper {float: left; width: 100%; margin-bottom: 50px;}</style>
 99 |                   <table id="security_table" class="table table-striped table-bordered dataTable no-footer" style="width: 100%;"></table>
100 |                   <script type="text/javascript">
101 |                     buildSecurityTable("#security_table", "${it.cveListingUrl}");
102 |                   </script>
103 |                 </div>
104 |               </j:if>
105 |             </div>
106 |           </div>
107 |         </j:when>
108 | 
109 |         <j:otherwise>
110 |           <h3>Anchore Policy Evaluation Report</h3>
111 |           <iframe width="100%" height="300" frameborder="1" src="${it.gateReportUrl}"/>
112 |           <br></br>
113 | 
114 |           <j:forEach var="e" items="${it.queries}">
115 |             <h3>Anchore Image Query Report (${e.value})</h3>
116 |             <iframe width="100%" height="300" frameborder="1" src="${e.key}"/>
117 |             <br></br>
118 |           </j:forEach>
119 |         </j:otherwise>
120 | 
121 |       </j:choose>
122 |     </l:main-panel>
123 |   </l:layout>
124 | </j:jelly>
125 | 


--------------------------------------------------------------------------------
/src/main/java/com/anchore/jenkins/plugins/anchore/AnchoreAction.java:
--------------------------------------------------------------------------------
  1 | package com.anchore.jenkins.plugins.anchore;
  2 | 
  3 | import hudson.model.Action;
  4 | import hudson.model.Job;
  5 | import hudson.model.Run;
  6 | import java.util.Collection;
  7 | import java.util.Collections;
  8 | import java.util.HashMap;
  9 | import java.util.Map;
 10 | import java.util.Set;
 11 | import jenkins.model.Jenkins;
 12 | import jenkins.model.lazy.LazyBuildMixIn;
 13 | import jenkins.tasks.SimpleBuildStep;
 14 | import net.sf.json.JSONObject;
 15 | 
 16 | /**
 17 |  * Anchore plugin results for a given build are stored and subsequently retrieved from an instance of this class. Rendering/display of
 18 |  * the results is defined in the appropriate index and summary jelly files. This Jenkins Action is associated with a build (and not the
 19 |  * project which is one level up)
 20 |  */
 21 | public class AnchoreAction implements SimpleBuildStep.LastBuildAction {
 22 | 
 23 |   private Run<?, ?> build;
 24 |   private String gateStatus;
 25 |   private String gateOutputUrl;
 26 |   private Map<String, String> queryOutputUrls;
 27 |   private String gateSummary;
 28 |   private String cveListingUrl;
 29 |   private int stopActionCount;
 30 |   private int warnActionCount;
 31 |   private int goActionCount;
 32 | 
 33 |   // For backwards compatibility
 34 |   @Deprecated
 35 |   private String gateReportUrl;
 36 |   @Deprecated
 37 |   private Map<String, String> queries;
 38 | 
 39 | 
 40 |   public AnchoreAction(Run<?, ?> build, String gateStatus, final String jenkinsOutputDirName, String gateReport,
 41 |       Map<String, String> queryReports, String gateSummary, String cveListingFileName,
 42 |       int stopActionCount, int warnActionCount, int goActionCount) {
 43 |     this.build = build;
 44 |     this.gateStatus = gateStatus;
 45 |     this.stopActionCount = stopActionCount;
 46 |     this.warnActionCount = warnActionCount;
 47 |     this.goActionCount = goActionCount;
 48 |     this.gateOutputUrl = "../artifact/" + jenkinsOutputDirName + "/" + gateReport;
 49 | 
 50 |     this.queryOutputUrls = new HashMap<String, String>();
 51 |     for (Map.Entry<String, String> entry : queryReports.entrySet()) {
 52 |       String k = entry.getKey();
 53 |       String v = entry.getValue();
 54 |       String newv = "../artifact/" + jenkinsOutputDirName + "/" + v;
 55 |       this.queryOutputUrls.put(k, newv);
 56 |     }
 57 | 
 58 |     // original maps conversion method
 59 |     /*
 60 |     this.queryOutputUrls = Maps.transformValues(queryReports, new Function<String, String>() {
 61 | 
 62 |       @Override
 63 |       public String apply(@Nullable String queryOutput) {
 64 |         return "../artifact/" + jenkinsOutputDirName + "/" + queryOutput;
 65 |       }
 66 |     });
 67 |     */
 68 |     this.gateSummary = gateSummary;
 69 |     if (null != cveListingFileName && cveListingFileName.trim().length() > 0) {
 70 |       this.cveListingUrl = "../artifact/" + jenkinsOutputDirName + "/" + cveListingFileName;
 71 |     }
 72 |   }
 73 | 
 74 |   @Override
 75 |   public String getIconFileName() {
 76 |     return Jenkins.RESOURCE_PATH + "/plugin/anchore-container-scanner/images/anchore.png";
 77 |   }
 78 | 
 79 |   @Override
 80 |   public String getDisplayName() {
 81 |     return "Anchore Report (" + gateStatus + ")";
 82 |   }
 83 | 
 84 |   @Override
 85 |   public String getUrlName() {
 86 |     return "anchore-results";
 87 |   }
 88 | 
 89 |   public Run<?, ?> getBuild() {
 90 |     return this.build;
 91 |   }
 92 | 
 93 |   public String getGateStatus() {
 94 |     return gateStatus;
 95 |   }
 96 | 
 97 |   public String getGateOutputUrl() {
 98 |     return encodeURL(this.gateOutputUrl);
 99 |   }
100 | 
101 |   public Map<String, String> getQueryOutputUrls() {
102 |     // queryOutputUrls was a guava TransformedEntriesMap object in plugin version < 1.0.13 and is loaded as such. Plugin versions >=
103 |     // 1.0.13 changed the type definition and lose the transformer function required for reading the  map contents. This results in
104 |     // a failure to load the member. Transfer the contents from the underlying guava map to a native java map using the keys and
105 |     // some hacky guess work
106 | 
107 |     /* Find bugs does not like the instanceof check, falling back to try-catch approach
108 |     if (!(this.queryOutputUrls instanceof HashMap)) {
109 |       String base_path = this.gateOutputUrl.substring(0, this.gateOutputUrl.lastIndexOf('/'));
110 |       int query_num = 0;
111 |       Map<String, String> fixedQueryOutputUrls = new HashMap<>();
112 |       for (String key : this.queryOutputUrls.keySet()) {
113 |         fixedQueryOutputUrls.put(key, base_path + "/anchore_query_" + String.valueOf(++query_num) + ".json");
114 |       }
115 |       return fixedQueryOutputUrls;
116 |     }*/
117 | 
118 |     Map<String, String> fixedQueryOutputUrls = new HashMap<>();
119 |     try {
120 |       // Fetch values in the map to verify the underlying map is functional
121 |       if (null != this.queryOutputUrls) {
122 |         for (Map.Entry<String, String> entry : this.queryOutputUrls.entrySet()) {
123 |           fixedQueryOutputUrls.put(entry.getKey(), encodeURL(entry.getValue()));
124 |         }
125 |       }
126 |     } catch (Exception e) {
127 |       String base_path = encodeURL(this.gateOutputUrl.substring(0, this.gateOutputUrl.lastIndexOf('/')));
128 |       int query_num = 0;
129 |       for (String key : this.queryOutputUrls.keySet()) {
130 |         fixedQueryOutputUrls.put(key, base_path + "/anchore_query_" + String.valueOf(++query_num) + ".json");
131 |       }
132 |     }
133 |     return fixedQueryOutputUrls;
134 |   }
135 | 
136 |   public JSONObject getGateSummary() {
137 |     // gateSummary was a JSON object in plugin version <= 1.0.12. Jenkins does not handle this type change correctly post upgrade.
138 |     // Summary data from the previous versions is lost during deserialization due to the type change and plugin versions > 1.0.12
139 |     // won't be able to render the summary table only for builds that were executed using older versions of the plugin. This check
140 |     // is necessary to ensure plugin doesn't exception out in the process
141 |     if (null != this.gateSummary && this.gateSummary.trim().length() > 0) {
142 |       return JSONObject.fromObject(this.gateSummary);
143 |     } else {
144 |       return null;
145 |     }
146 |   }
147 | 
148 |   public String getCveListingUrl() {
149 |     return encodeURL(cveListingUrl);
150 |   }
151 | 
152 |   public String getGateReportUrl() {
153 |     return this.gateReportUrl;
154 |   }
155 | 
156 |   public Map<String, String> getQueries() {
157 |     return this.queries;
158 |   }
159 |   
160 |   public int getGoActionCount(){
161 |     return this.goActionCount;
162 |   }
163 |   
164 |   public int getStopActionCount(){
165 |     return this.stopActionCount;
166 |   }
167 |   
168 |   public int getWarnActionCount(){
169 |     return this.warnActionCount;
170 |   }
171 | 
172 |   @Override
173 |   public Collection<? extends Action> getProjectActions() {
174 |     Job<?,?> job = this.build.getParent();
175 |     return Collections.singleton(new AnchoreProjectAction(job));
176 |   }
177 | 
178 |   /**
179 |    * Gets the Anchore result of the previous build, if it's recorded, or null.
180 |    * @return the previous AnchoreAction
181 |    */
182 |   public AnchoreAction getPreviousResult() {
183 |     Run<?,?> b = this.build;
184 |     while(true) {
185 |       b = b.getPreviousBuild();
186 |       if (b == null) {
187 |         return null;
188 |       }
189 |       AnchoreAction r = b.getAction(AnchoreAction.class);
190 |       if (r != null) {
191 |         if (r == this) {
192 |           throw new IllegalStateException(this + " was attached to both " + b + " and " + this.build);
193 |         }
194 |         if (r.build.number != b.number) {
195 |           throw new IllegalStateException(r + " was attached to both " + b + " and " + r.build);
196 |         }
197 |         return r;
198 |       }
199 |     }
200 |   }
201 | 
202 |   private static String encodeURL(String s) {
203 |     if (s == null) {
204 |       return s;
205 |     }
206 |     return s.replaceAll("\"", "%22")
207 |             .replaceAll("\n", "%0A")
208 |             .replaceAll("\r", "");
209 |   }
210 | }
211 | 


--------------------------------------------------------------------------------
/pom.xml:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="UTF-8"?>
  2 | <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  3 |   <modelVersion>4.0.0</modelVersion>
  4 | 
  5 |   <parent>
  6 |     <groupId>org.jenkins-ci.plugins</groupId>
  7 |     <artifactId>plugin</artifactId>
  8 |     <version>4.88</version>
  9 |     <relativePath />
 10 |   </parent>
 11 | 
 12 |   <artifactId>anchore-container-scanner</artifactId>
 13 |   <version>3.3.1-SNAPSHOT</version>
 14 |   <packaging>hpi</packaging>
 15 |   <name>Anchore Container Image Scanner Plugin</name>
 16 |   <description>Integrates Jenkins with the Anchore Image Scanner</description>
 17 | 
 18 |   <url>https://github.com/jenkinsci/anchore-container-scanner-plugin</url>
 19 | 
 20 |   <licenses>
 21 |     <license>
 22 |       <name>Apache 2 License</name>
 23 |       <url>http://opensource.org/licenses/Apache-2.0</url>
 24 |     </license>
 25 |   </licenses>
 26 | 
 27 |   <properties>
 28 |     <!-- Baseline Jenkins version you use to build the plugin. Users must have this version or newer to run. -->
 29 |     <jenkins.version>2.462.3</jenkins.version>
 30 |     <!-- Java Level to use. Java 8 required when using core >= 1.612 -->
 31 |     <java.level>8</java.level>
 32 |     <!-- Jenkins Test Harness version you use to test the plugin. -->
 33 |     <!-- For Jenkins version >= 1.580.1 use JTH 2.x or higher. -->
 34 |     <!-- Other properties you may want to use:
 35 |          ~ hpi-plugin.version: The HPI Maven Plugin version used by the plugin..
 36 |          ~ stapler-plugin.version: The Stapler Maven plugin version required by the plugin.
 37 |     -->
 38 |   </properties>
 39 | 
 40 |   <developers>
 41 |     <developer>
 42 |       <id>nurmi</id>
 43 |       <name>Daniel Nurmi</name>
 44 |       <email>nurmi@anchore.com</email>
 45 |     </developer>
 46 |     <developer>
 47 |       <id>swathigangisetty</id>
 48 |       <name>Swathi Gangisetty</name>
 49 |       <email>swathi@anchore.com</email>
 50 |     </developer>
 51 |   </developers>
 52 | 
 53 |   <scm>
 54 |     <connection>scm:git:git://github.com/jenkinsci/${project.artifactId}-plugin.git</connection>
 55 |     <developerConnection>scm:git:git@github.com:jenkinsci/${project.artifactId}-plugin.git</developerConnection>
 56 |     <url>http://github.com/jenkinsci/${project.artifactId}-plugin</url>
 57 |     <tag>anchore-container-scanner-3.1.1</tag>
 58 |   </scm>
 59 |   <!--
 60 |     <scm>
 61 |       <connection>scm:git:https://github.com/jenkinsci/${project.artifactId}-plugin.git</connection>
 62 |       <developerConnection>scm:git:https://git@github.com/jenkinsci/${project.artifactId}-plugin.git</developerConnection>
 63 |       <url>http://github.com/jenkinsci/${project.artifactId}-plugin</url>
 64 |       <tag>HEAD</tag>
 65 |     </scm>
 66 |   -->
 67 |   <repositories>
 68 |     <repository>
 69 |       <id>repo.jenkins-ci.org</id>
 70 |       <url>https://repo.jenkins-ci.org/public/</url>
 71 |     </repository>
 72 |   </repositories>
 73 |   <pluginRepositories>
 74 |     <pluginRepository>
 75 |       <id>repo.jenkins-ci.org</id>
 76 |       <url>https://repo.jenkins-ci.org/public/</url>
 77 |     </pluginRepository>
 78 |   </pluginRepositories>
 79 |   <!-- If you want to depend on other plugins -->
 80 |   <dependencies>
 81 |     <!--
 82 |     <dependency>
 83 |       <groupId>org.jenkins-ci.plugins</groupId>
 84 |       <artifactId>credentials</artifactId>
 85 |       <version>1.9.4</version>
 86 |     </dependency>
 87 |     -->
 88 |     <dependency>
 89 |       <groupId>org.jenkins-ci.plugins</groupId>
 90 |       <artifactId>structs</artifactId>
 91 |       <version>338.v848422169819</version>
 92 |     </dependency>
 93 |     <dependency>
 94 |       <groupId>org.apache.httpcomponents</groupId>
 95 |       <artifactId>httpclient</artifactId>
 96 |       <version>4.5.14</version>
 97 |     </dependency>
 98 |     <dependency>
 99 |       <groupId>org.jenkins-ci.plugins</groupId>
100 |       <artifactId>credentials</artifactId>
101 |       <version>1381.v2c3a_12074da_b_</version>
102 |     </dependency>
103 |   </dependencies>
104 | 
105 |   <!--
106 |                   <artifactItem>
107 |                     <groupId>org.apache.httpcomponents</groupId>
108 |                     <artifactId>httpclient</artifactId>
109 |                     <version>4.5.3</version>
110 |                   </artifactItem>
111 |                   <artifactItem>
112 |                     <groupId>org.apache.httpcomponents</groupId>
113 |                     <artifactId>httpcore</artifactId>
114 |                     <version>4.4.6</version>
115 |                   </artifactItem>
116 |   -->
117 | 
118 |   <build>
119 |     <plugins>
120 | 
121 |       <!-- download external resources like jQuery, jQuery UI, datatable etc. via webjars -->
122 |       <plugin>
123 |         <groupId>org.apache.maven.plugins</groupId>
124 |         <artifactId>maven-dependency-plugin</artifactId>
125 |         <executions>
126 |           <execution>
127 |             <id>download-webresources</id>
128 |             <phase>generate-resources</phase>
129 |             <goals>
130 |               <goal>unpack</goal>
131 |             </goals>
132 |             <configuration>
133 |               <artifactItems>
134 |                 <artifactItem>
135 |                   <groupId>org.webjars</groupId>
136 |                   <artifactId>jquery</artifactId>
137 |                   <version>1.12.4</version>
138 |                   <includes>**/jquery*.min.js</includes>
139 |                 </artifactItem>
140 |                 <artifactItem>
141 |                   <groupId>org.webjars</groupId>
142 |                   <artifactId>datatables</artifactId>
143 |                   <version>1.10.25</version>
144 |                   <includes>
145 |                     **/jquery.dataTables.min.js,**/dataTables.bootstrap.min.js,**/dataTables.bootstrap.min.css
146 |                   </includes>
147 |                 </artifactItem>
148 |                 <artifactItem>
149 |                   <groupId>org.webjars</groupId>
150 |                   <artifactId>bootstrap</artifactId>
151 |                   <version>3.4.1</version>
152 |                   <includes>**/bootstrap.min.css,**/bootstrap.min.js,**/fonts/*</includes>
153 |                 </artifactItem>
154 |               </artifactItems>
155 |               <outputDirectory>${project.build.directory}/webjars</outputDirectory>
156 |             </configuration>
157 |           </execution>
158 |         </executions>
159 |       </plugin>
160 | 
161 |       <!-- copy downloaded resources to target/external-resources -->
162 |       <plugin>
163 |         <groupId>org.apache.maven.plugins</groupId>
164 |         <artifactId>maven-resources-plugin</artifactId>
165 |         <executions>
166 |           <execution>
167 |             <id>copy-downloaded-resources</id>
168 |             <phase>generate-resources</phase>
169 |             <goals>
170 |               <goal>copy-resources</goal>
171 |             </goals>
172 |             <configuration>
173 |               <outputDirectory>${project.build.directory}/external-resources</outputDirectory>
174 |               <resources>
175 |                 <resource>
176 |                   <targetPath>js</targetPath>
177 |                   <directory>${project.build.directory}/webjars/META-INF/resources/webjars/jquery/1.12.4</directory>
178 |                 </resource>
179 |                 <resource>
180 |                   <directory>${project.build.directory}/webjars/META-INF/resources/webjars/datatables/1.10.25</directory>
181 |                 </resource>
182 |                 <resource>
183 |                   <directory>${project.build.directory}/webjars/META-INF/resources/webjars/bootstrap/3.4.1</directory>
184 |                 </resource>
185 |                 <!-- also copy existing resources to use them in the HPL for testing -->
186 |                 <resource>
187 |                   <directory>src/main/webapp</directory>
188 |                 </resource>
189 |               </resources>
190 |             </configuration>
191 |           </execution>
192 |         </executions>
193 |       </plugin>
194 | 
195 |       <!-- include downloaded resources in HPI -->
196 |       <plugin>
197 |         <groupId>org.jenkins-ci.tools</groupId>
198 |         <artifactId>maven-hpi-plugin</artifactId>
199 |         <configuration>
200 |           <minimumJavaVersion>8</minimumJavaVersion>
201 |           <webResources>
202 |             <webResource>
203 |               <directory>${project.build.directory}/external-resources</directory>
204 |               <filtering>false</filtering>
205 |             </webResource>
206 |           </webResources>
207 |           <!-- for testing -->
208 |           <warSourceDirectory>${project.build.directory}/external-resources</warSourceDirectory>
209 |         </configuration>
210 |       </plugin>
211 |     </plugins>
212 | 
213 |   </build>
214 | 
215 | </project>
216 | 


--------------------------------------------------------------------------------
/src/main/java/com/anchore/jenkins/plugins/anchore/AnchoreProjectAction.java:
--------------------------------------------------------------------------------
  1 | package com.anchore.jenkins.plugins.anchore;
  2 | 
  3 | import hudson.Functions;
  4 | import hudson.model.Action;
  5 | import hudson.model.Job;
  6 | import hudson.model.Run;
  7 | import hudson.util.Area;
  8 | import hudson.util.ColorPalette;
  9 | import hudson.util.DataSetBuilder;
 10 | import hudson.util.Graph;
 11 | import hudson.util.ShiftedCategoryAxis;
 12 | import hudson.util.StackedAreaRenderer2;
 13 | import hudson.util.ChartUtil.NumberOnlyBuildLabel;
 14 | import jenkins.model.Jenkins;
 15 | 
 16 | import org.jfree.chart.ChartFactory;
 17 | import org.jfree.chart.JFreeChart;
 18 | import org.jfree.chart.axis.CategoryAxis;
 19 | import org.jfree.chart.axis.CategoryLabelPositions;
 20 | import org.jfree.chart.axis.NumberAxis;
 21 | import org.jfree.chart.plot.CategoryPlot;
 22 | import org.jfree.chart.plot.PlotOrientation;
 23 | import org.jfree.chart.renderer.category.StackedAreaRenderer;
 24 | import org.jfree.data.category.CategoryDataset;
 25 | import org.jfree.ui.RectangleInsets;
 26 | import org.kohsuke.stapler.Stapler;
 27 | import org.kohsuke.stapler.StaplerRequest;
 28 | import org.kohsuke.stapler.StaplerResponse;
 29 | 
 30 | import javax.servlet.http.HttpServletResponse;
 31 | 
 32 | import java.awt.Color;
 33 | import java.io.IOException;
 34 | 
 35 | /**
 36 |  * Project action object which displays the trend report on the project top page.
 37 |  */
 38 | public class AnchoreProjectAction implements Action {
 39 |   private final static class AnchoreTrendGraph extends Graph {
 40 |     private static final int MAX_HISTORY_DEFAULT = 100;
 41 |     private AnchoreAction base;
 42 |     private String relPath;
 43 | 
 44 |     private static Area calcDefaultSize() {
 45 |       Area res = Functions.getScreenResolution();
 46 |       if(res!=null && res.width<=800)
 47 |         return new Area(250,100);
 48 |       else
 49 |         return new Area(500,200);
 50 |     }
 51 |     
 52 |     /**
 53 |      * Initialize the trend graph from a base AnchoreAction using a calculated default size.
 54 |      *
 55 |      * @param base the most recent AnchoreAction up to which the trend is shown
 56 |      * @param relPath URL rel path for tooltip URLs
 57 |      */
 58 |     protected AnchoreTrendGraph(AnchoreAction base, String relPath){
 59 |       this(base, calcDefaultSize(), relPath);
 60 |     }
 61 | 
 62 |     /**
 63 |      * Initialize the trend graph from a base AnchoreAction using a given default size.
 64 |      *
 65 |      * @param base the most recent AnchoreAction up to which the trend is shown
 66 |      * @param defaultSize graph's default size
 67 |      * @param relPath URL rel path for tooltip URLs
 68 |      */
 69 |     private AnchoreTrendGraph(AnchoreAction base, Area defaultSize, String relPath){
 70 |       super(base.getBuild().getTimestamp(), defaultSize.width, defaultSize.height);
 71 |       this.base = base;
 72 |       this.relPath = relPath;
 73 |     }
 74 | 
 75 |     private CategoryDataset buildDataSet() {
 76 |       DataSetBuilder<String, NumberOnlyBuildLabel> dsb = new DataSetBuilder<>();
 77 | 
 78 |       int cap = Integer.getInteger(AnchoreAction.class.getName() + ".anchore.trend.max", AnchoreTrendGraph.MAX_HISTORY_DEFAULT);
 79 |       int count = 0;
 80 |       for (AnchoreAction a = this.base; a != null; a = a.getPreviousResult()) {
 81 |         if (++count > cap) {
 82 |           break;
 83 |         }
 84 |         dsb.add(a.getGoActionCount(), "0_go", new NumberOnlyBuildLabel(a.getBuild()));
 85 |         dsb.add(a.getWarnActionCount(), "1_warn", new NumberOnlyBuildLabel(a.getBuild()));
 86 |         dsb.add(a.getStopActionCount(), "2_stop", new NumberOnlyBuildLabel(a.getBuild()));
 87 |       }
 88 |       return dsb.build();
 89 |     }
 90 |     
 91 |     @Override
 92 |     protected JFreeChart createGraph(){
 93 |       CategoryDataset dataset = buildDataSet();
 94 |       final JFreeChart chart = ChartFactory.createStackedAreaChart(
 95 |         null, // chart title
 96 |         null, // category axis label
 97 |         "count", // range axis label
 98 |         dataset,
 99 |         PlotOrientation.VERTICAL,
100 |         false, // include legend
101 |         true, // generate tooltips
102 |         false // generate urls
103 |       );
104 | 
105 |       chart.setBackgroundPaint(Color.white);
106 | 
107 |       final CategoryPlot plot = chart.getCategoryPlot();
108 | 
109 |       plot.setBackgroundPaint(Color.WHITE);
110 |       plot.setOutlinePaint(null);
111 |       plot.setForegroundAlpha(0.8f);
112 |       plot.setRangeGridlinesVisible(true);
113 |       plot.setRangeGridlinePaint(Color.BLACK);
114 | 
115 |       CategoryAxis domainAxis = new ShiftedCategoryAxis(null);
116 |       plot.setDomainAxis(domainAxis);
117 |       domainAxis.setCategoryLabelPositions(CategoryLabelPositions.UP_90);
118 |       domainAxis.setLowerMargin(0.0);
119 |       domainAxis.setUpperMargin(0.0);
120 |       domainAxis.setCategoryMargin(0.0);
121 | 
122 |       final NumberAxis rangeAxis = (NumberAxis) plot.getRangeAxis();
123 |       rangeAxis.setStandardTickUnits(NumberAxis.createIntegerTickUnits());
124 | 
125 |       StackedAreaRenderer ar = new StackedAreaRenderer2() {
126 |         @Override
127 |         public String generateURL(CategoryDataset data, int row, int column) {
128 |           NumberOnlyBuildLabel label = (NumberOnlyBuildLabel) data.getColumnKey(column);
129 |           return relPath + label.getRun().getNumber() + "/anchore-results/";
130 |         }
131 |     
132 |         @Override
133 |         public String generateToolTip(CategoryDataset data, int row, int column) {
134 |           NumberOnlyBuildLabel label = (NumberOnlyBuildLabel) data.getColumnKey(column);
135 |           AnchoreAction a = label.getRun().getAction(AnchoreAction.class);
136 |           switch (row) {
137 |             case 0:
138 |               return label.getRun().getDisplayName() + ": " + a.getGoActionCount() + " Go Actions";
139 |             case 1:
140 |               return label.getRun().getDisplayName() + ": " + a.getWarnActionCount() + " Warn Actions";
141 |             default:
142 |               return label.getRun().getDisplayName() + ": " + a.getStopActionCount() + " Stop Actions";
143 |           }
144 |         }
145 |       };
146 |       ar.setSeriesPaint(0, ColorPalette.BLUE); // Go
147 |       ar.setSeriesPaint(1, ColorPalette.YELLOW); // Warn
148 |       ar.setSeriesPaint(2, ColorPalette.RED); // Stop
149 |       plot.setRenderer(ar);
150 | 
151 |       plot.setInsets(new RectangleInsets(0, 0, 0, 5.0));
152 | 
153 |       return chart;
154 |     }
155 |   }
156 |   
157 |   /**
158 |    * Parent that owns this action.
159 |    */
160 |   public final Job<?,?> job;
161 | 
162 |   /**
163 |    * Create new AnchoreProjectAction instance.
164 |    *
165 |    * @param job instance of Jenkins Job
166 |    */
167 |   public AnchoreProjectAction(Job<?,?> job) {
168 |     this.job = job;
169 |   }
170 | 
171 |   @Override
172 |   public String getIconFileName() {
173 |     return Jenkins.RESOURCE_PATH + "/plugin/anchore-container-scanner/images/anchore.png";
174 |   }
175 | 
176 |   @Override
177 |   public String getDisplayName() {
178 |     return "Anchore Report";
179 |   }
180 | 
181 |   @Override
182 |   public String getUrlName() {
183 |     return "anchore";
184 |   }
185 |   
186 |   /**
187 |    * Redirects the index page to the last report.
188 |    *
189 |    * @param request Stapler request
190 |    * @param response Stapler response
191 |    * @throws IOException in case of an error
192 |    */
193 |   public void doIndex(final StaplerRequest request, final StaplerResponse response) throws IOException {
194 |     Run<?, ?> lastRun = this.job.getLastCompletedBuild();
195 |     if (lastRun != null) {
196 |       AnchoreAction a = lastRun.getAction(AnchoreAction.class);
197 |       if (a != null)
198 |         response.sendRedirect2(String.format("../%d/%s", lastRun.getNumber(), a.getUrlName()));
199 |     }
200 |   }
201 | 
202 |   /**
203 |    * @return the most current AnchoreAction of the associated job
204 |    */
205 |   public AnchoreAction getLastAnchoreAction() {
206 |     final Run<?,?> tb = this.job.getLastSuccessfulBuild();
207 | 
208 |     Run<?,?> b = this.job.getLastBuild();
209 |     while (b != null) {
210 |       AnchoreAction a = b.getAction(AnchoreAction.class);
211 |       if (a != null && (!b.isBuilding())) {
212 |         return a;
213 |       }
214 |       if (b == tb) {
215 |         // no Anchore result available
216 |         return null;
217 |       }
218 |       b = b.getPreviousBuild();
219 |     }
220 |     return null;
221 |   }
222 |   
223 |   private String getRelPath(StaplerRequest req) {
224 |       String relPath = req.getParameter("rel");
225 |       if (relPath == null) {
226 |         return "";
227 |       }
228 |       return relPath;
229 |   }
230 |   
231 |   /**
232 |    * Generates the Anchore trend graph
233 |    * @return graph object
234 |    */
235 |   public Graph getTrendGraph() {
236 |     final AnchoreAction a = getLastAnchoreAction();
237 |     if (a != null) {
238 |       return new AnchoreTrendGraph(a, getRelPath(Stapler.getCurrentRequest()));
239 |     }else{
240 |       Stapler.getCurrentResponse().setStatus(HttpServletResponse.SC_NOT_FOUND);
241 |       return null;
242 |     }
243 |   }
244 | }
245 | 


--------------------------------------------------------------------------------
/src/main/webapp/js/renderOutput.js:
--------------------------------------------------------------------------------
  1 | const actionLookup = {
  2 |   stop: 0,
  3 |   warn: 1,
  4 |   go: 2,
  5 | };
  6 | 
  7 | const severityLookup = {
  8 |   critical: 0,
  9 |   high: 1,
 10 |   medium: 2,
 11 |   low: 3,
 12 |   negligible: 4,
 13 |   unknown: 5
 14 | }
 15 | 
 16 | function gateAction(source, type, val) {
 17 |   source = escapeHtml(source);
 18 |   var classes = "";
 19 |   switch (source.toLowerCase()) {
 20 |     case 'stop': {
 21 |       classes = 'label-danger';
 22 |       break;
 23 |     }
 24 |     case 'go': {
 25 |       classes = 'label-success';
 26 |       break;
 27 |     }
 28 |     case 'warn': {
 29 |       classes = 'label-warning';
 30 |       break;
 31 |     }
 32 |   }
 33 |   return '<span class="label ' + classes + '">' + source.toUpperCase() + '</span>';
 34 | }
 35 | 
 36 | function severity(source, type, val) {
 37 |   source = escapeHtml(source);
 38 |   var classes = "label-default";
 39 |   switch (source.toLowerCase()) {
 40 |     case 'critical': {
 41 |       classes = 'label-danger';
 42 |       break;
 43 |     }
 44 |     case 'high': {
 45 |       classes = 'label-warning';
 46 |       break;
 47 |     }
 48 |     case 'medium': {
 49 |       classes = 'label-info';
 50 |       break;
 51 |     }
 52 |     case 'low': {
 53 |       classes = 'label-success';
 54 |       break;
 55 |     }
 56 |   }
 57 |   return '<span class="label ' + classes + '">' + source + '</span>';
 58 | }
 59 | 
 60 | function buildPolicyEvalTable(tableId, outputFile) {
 61 |   // This is the table that details all the specific vulnerabilities found
 62 |   jQuery.getJSON(outputFile, function (data) {
 63 |     var headers = [];
 64 |     var rows = [];
 65 | 
 66 |     jQuery.each(data, function (imageId, imageIdObj) {
 67 |       // Assume API v2 data
 68 |       var image_digest = imageIdObj.image_digest;
 69 |       var gate_results = imageIdObj.gate_results;
 70 |       var repo_tag =imageIdObj.repo_tag;
 71 | 
 72 |       headers = [
 73 |         {
 74 |           "title": "Image ID",
 75 |           "sTitle": "Image ID"
 76 |         },
 77 |         {
 78 |           "title": "Repo Tag",
 79 |           "sTitle": "Repo Tag"
 80 |         },
 81 |         {
 82 |           "title": "Trigger ID",
 83 |           "sTitle": "Trigger ID"
 84 |         },
 85 |         {
 86 |           "title": "Gate",
 87 |           "sTitle": "Gate"
 88 |         },
 89 |         {
 90 |           "title": "Trigger",
 91 |           "sTitle": "Trigger"
 92 |         },
 93 |         {
 94 |           "title": "Check Output",
 95 |           "sTitle": "Check Output"
 96 |         },
 97 |         {
 98 |           "title": "Gate Action",
 99 |           "sTitle": "Gate Action"
100 |         },
101 |         {
102 |           "title": "Allowlisted",
103 |           "sTitle": "Allowlisted"
104 |         },
105 |         {
106 |           "title": "Inherited From Base",
107 |           "sTitle": "Inherited From Base"
108 |         },
109 |         {
110 |           "title": "Policy ID",
111 |           "sTitle": "Policy ID"
112 |         },
113 |         {
114 |           "title": "Recommendation",
115 |           "sTitle": "Recommendation"
116 |         },
117 |         {
118 |           "title": "Rule ID",
119 |           "sTitle": "Rule ID"
120 |         }
121 |       ]
122 | 
123 |       gate_results.forEach((result) => {
124 |         rows.push([
125 |           image_digest.replace('sha256:', ''), 
126 |           repo_tag,
127 |           result.trigger_id,
128 |           result.gate,
129 |           result.trigger,
130 |           result.message,
131 |           result.action,
132 |           result.allowlisted,
133 |           result.inherited_from_base,
134 |           result.policy_id,
135 |           result.recommendation,
136 |           result.rule_id,
137 |           ]);
138 |       });
139 |     }
140 |   , function (error) {
141 |     console.log(error);
142 |   });
143 | 
144 |     jQuery(document).ready(function () {
145 |       jQuery(tableId).DataTable({
146 |         retrieve: true,
147 |         data: rows,
148 |         columns: headers,
149 |         order: [[6, 'asc']],
150 |         columnDefs: [
151 |           {
152 |             targets: [0, 2],
153 |             render: function (source, type, val) {
154 |               return '<span style="word-break: break-all;">' + renderCell(source) + '</span>';
155 |             }
156 |           },
157 |           {
158 |             targets: 1,
159 |             render: function (source, type, val) {
160 |               return '<span style="word-break: break-all;">' + renderAnchoreLink(source) + '</span>';
161 |             }
162 |           },
163 |           {
164 |             targets: [3, 4, 5, 7, 8],
165 |             render: renderCell
166 |           },
167 |           {
168 |             targets: 6,
169 |             render: gateAction
170 |           }
171 |         ]
172 |       });
173 |     });
174 |   });
175 | }
176 | 
177 | function buildTableFromAnchoreOutput(tableId, outputFile) {
178 |   jQuery.getJSON(outputFile, function (data) {
179 |     var headers = [];
180 |     var rows = [];
181 |     jQuery.each(data, function (imageId, imageIdObj) {
182 |       if (headers.length === 0) {
183 |         jQuery.each(imageIdObj.result.header, function (i, header) {
184 |           var headerObj = new Object();
185 |           headerObj.title = header.replace('_', ' ');
186 |           headers.push(headerObj);
187 |         });
188 |       }
189 |       jQuery.merge(rows, imageIdObj.result.rows);
190 |     });
191 | 
192 |     jQuery(document).ready(function () {
193 |       jQuery(tableId).DataTable({
194 |         retrieve: true,
195 |         data: rows,
196 |         columns: headers,
197 |         columnDefs: [
198 |           {
199 |             targets: [0, 1, 2, 3, 4, 5],
200 |             render: renderCell
201 |           },
202 |         ]
203 |       });
204 |     });
205 |   });
206 | }
207 | 
208 | function buildPolicyEvalSummaryTable(tableId, tableObj) {
209 |   // This is the first table shownn on the policy eval page
210 |   jQuery(document).ready(function () {
211 |     jQuery(tableId).DataTable({
212 |       retrieve: true,
213 |       data: tableObj.rows,
214 |       columns: tableObj.header,
215 |       order: [[4, 'asc']],
216 |       columnDefs: [
217 |         {
218 |           targets: 0,
219 |           render: renderAnchoreLink
220 |         },
221 |         {
222 |           targets: 1,
223 |           render: function (source, type, val) {
224 |             return '<span class="label label-danger">' + escapeHtml(source) + '</span>';
225 |           }
226 |         },
227 |         {
228 |           targets: 2,
229 |           render: function (source, type, val) {
230 |             return '<span class="label label-warning">' + escapeHtml(source) + '</span>';
231 |           }
232 |         },
233 |         {
234 |           targets: 3,
235 |           render: function (source, type, val) {
236 |             return '<span class="label label-success">' + escapeHtml(source) + '</span>';
237 |           }
238 |         },
239 |         {
240 |           targets: 4,
241 |           render: gateAction
242 |         },
243 | 		{
244 | 		  targets: 5,
245 | 		  render: renderCell
246 | 		}
247 |       ]
248 |     });
249 |   });
250 | }
251 | 
252 | function buildSecurityTable(tableId, outputFile) {
253 |   jQuery.getJSON(outputFile, function (tableObj) {
254 |     jQuery(document).ready(function () {
255 |       jQuery(tableId).DataTable({
256 |         retrieve: true,
257 |         data: tableObj.data,
258 |         columns: tableObj.columns,
259 |         order: [[2, 'asc'], [0, 'asc']],
260 |         columnDefs: [
261 |           {
262 |             targets: [0, 1, 3, 4],
263 |             render: renderCell
264 |           },
265 |           {
266 |             targets: 2,
267 |             render: severity
268 |           },
269 |           {
270 |             targets: 5,
271 |             render: renderLinkCell
272 |           }
273 |         ]
274 |       });
275 |     });
276 |   });
277 | }
278 | 
279 | const LINK_REGEX = /.*>(https?:\/\/)([^<]+)<.*/g;
280 | const URL_REGEX = /(https?:\/\/[^\s)'"<]+)/g;
281 | 
282 | function renderLinkCell(data) {
283 |   // originally links were embedded in some data, just extract the URL
284 |   if (LINK_REGEX.test(data)) {
285 |     data = data.replace(LINK_REGEX, "$1$2");
286 |   }
287 |   return renderCell(data);
288 | }
289 | 
290 | function renderAnchoreLink(data) {
291 |   if (typeof data == "string") {
292 |     data = escapeHtml(data)
293 | 	if (URL_REGEX.test(data)) {
294 | 		return data.replace(URL_REGEX, '<a href="$1">') + '</a>';
295 | 	} else {
296 | 		return data;
297 | 	}
298 |   }
299 |   else if (typeof data == "object") {
300 |     return !!data
301 |   }
302 |   return data;
303 | }
304 | 
305 | function renderCell(data) {
306 |   if (typeof data == "string") {
307 |     data = escapeHtml(data)
308 |     return data.replace(URL_REGEX, '<a href="$1">$1</a>');
309 |   }
310 |   else if (typeof data == "object") {
311 |     return !!data
312 |   }
313 |   return data;
314 | }
315 | 
316 | function escapeHtml(text) {
317 |   if (text === undefined || text === null) {
318 |     return "";
319 |   }
320 |   if (typeof text !== "string") {
321 |     return "" + text;
322 |   }
323 |   return text
324 |       .trim()
325 |       .replace(/&/g, "&amp;")
326 |       .replace(/</g, "&lt;")
327 |       .replace(/>/g, "&gt;")
328 |       .replace(/"/g, "&quot;")
329 |       .replace(/'/g, "&#039;");
330 | }
331 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Anchore Container Image Scanner Plugin
  2 | 
  3 | > Older versions of this plugin may not be safe to use. Please review the following warnings before using an older version:
  4 | >- [Password stored in plaintext](https://jenkins.io/security/advisory/2018-07-30/#SECURITY-1039)
  5 | >- [Credentials stored in plaintext](https://jenkins.io/security/advisory/2019-11-21/#SECURITY-1539)
  6 | 
  7 | > ANCHORE ENGINE USERS NOTICE
  8 | >- As of 2023, [Anchore Engine](https://github.com/anchore/anchore-engine) is no longer maintained. There will be no future versions released. Users are advised to use Syft and Grype.
  9 | >- Future versions of this Jenkins plugin _may_ break support for existing anchore-engine installations. No timeframe is scheduled.
 10 | 
 11 | ## Description
 12 | 
 13 | Anchore is a container inspection and analytics platform that enables operators to analyze, inspect, perform security scans, and evaluate custom policies against container images. The Anchore plugin can be used in a Pipeline job or added as a build step to a Freestyle job to automate the process of running an anchore analysis, evaluating custom anchore policies against images, and performing image anchore security scans. 
 14 | 
 15 | ## Anchore Jenkins Plugin
 16 | 
 17 | Anchore has been designed to plug seamlessly into the CI/CD workflow. A developer commits code into the source code management system. This change triggers Jenkins to start a build which creates a container image.
 18 | 
 19 | In the typical workflow this container image is then run through automated testing. If an image does not meet your organization’s requirements for security or compliance then it makes little sense to invest the time required to perform automated tests on the image, it would be better to “learn fast” by failing the build and returning the appropriate reports back to the developer to allow the issue to be addressed.
 20 | 
 21 | 
 22 | ![](docs/images/workflow.png)
 23 | 
 24 | ## Plugin Usage
 25 | 
 26 | The plugin uses Anchore to scan a container image. It interacts with your Anchore deployment via its API. The usage model generally conforms to the following flow:
 27 | 
 28 | 1. A Jenkins job will build a container image, and push the image to a registry that is pre-configured in your Anchore deployment (see pre-requisites below)
 29 | 2. The anchore build step will interact with your Anchore deployment by 'adding' the image (which instructs your Anchore deployment to pull the image from the registry), and then performing a policy evaluation check on the image. The build step can optionally be configured to fail the build if the policy evaluation results in a 'STOP' action.
 30 | 3. The plugin will store the resulting policy evaluation results with the job, for later inspection/review
 31 | 
 32 | The plugin can be used in Freestyle and Pipeline jobs.
 33 | 
 34 | ### Pre-Requisites
 35 | 
 36 | Before getting started
 37 | 
 38 | 1. Anchore must be installed within your environment, with its service API being accessible from all Jenkins workers. [Click here](https://docs.anchore.com/current/docs/deployment/) to get started with Anchore 
 39 | 2. A docker registry must exist and be configured within Anchore, as the plugin will be instructing your Anchore deployment to pull images from a registry.
 40 | 3. All authentication credentials/Anchore API endpoint information must be available as input to the plugin at configuration time.
 41 | 
 42 | Once the plugin is installed, configure the plugin to interact with 
 43 | Anchore in Jenkins global settings or at build time.
 44 | 
 45 | ## Installation
 46 | 
 47 | Anchore plugin is published in the Jenkins plugin registry. Follow [this guide](https://jenkins.io/doc/book/managing/plugins/#from-the-web-ui) and install *__Anchore Container Image Scanner Plugin__*
 48 | 
 49 | ## Configuration
 50 | 
 51 | Configuring the plugin in Jenkins global settings makes it available to any Jenkins build using the plugin. The plugin can also be configured at the build time which overrides the global settings if any. The build time overrides are applicable only to the specific build
 52 | 
 53 | For global settings, go to the __Manage Jenkins > Configure System__ view and look for _Anchore Container Image Scanner_ section
 54 | 
 55 | - Input _Anchore Enterprise URL_ to point to your Anchore installation  
 56 |   >Note: Ensure that the /v2 route is included in the URL *or* /v1 if using a pre v4.9 version of Enteprise.
 57 | - Input Anchore account username and password for _Anchore Enterprise Username_ and _Anchore Enterprise Password_ respectively 
 58 | - (Optional) If your Anchore deployment uses a user created certificate that is not signed by a standard certificate authority then select uncheck _Verify SSL_
 59 | - (Optional) For a verbose log of plugin execution check _Enable DEBUG logging_  
 60 | 
 61 | ## Adding Anchore Scanning to Jenkins Build
 62 | 
 63 | The Anchore plugin can be added a build step for a Freestyle or Pipeline
 64 | build. Typically the flow is as follows.
 65 | 
 66 | A Jenkins job will:
 67 | 
 68 | 1. Build a container image
 69 | 2. Push the image to a Docker Registry, typically a staging registry for QA
 70 | 3. Use Anchore plugin in a Pipeline job or add Anchore Container Image Scanner build step to a Freestyle job to instruct your Anchore deployment to analyze the image
 71 |     1. Anchore downloads (pulls) the image layers from the staging registry
 72 |     2. Anchore performs analysis on the image
 73 |     3. Anchore performs a policy evaluation on the image.
 74 | 4. The Anchore plugin polls the Anchore API for a user defined period until the analysis and policy evaluation is complete
 75 | 5. Based on user configuration, the Anchore plugin may fail the build in the case of a Policy violation or allow the built to continue with warnings.
 76 | 
 77 | When run, the Anchore plugin will look for a file named _anchore\_images_ in the project workspace. This file should contain the name(s) of containers to be scanned and optionally include the Dockerfile. 
 78 | 
 79 | ### Pipeline Reference
 80 | See [here](https://www.jenkins.io/doc/pipeline/steps/anchore-container-scanner/) for documentation on the plugin pipeline command.
 81 | 
 82 | ### Pipeline Examples
 83 |   >Note: These examples use scripted pipeline snippets, but the specific commands can also be used in declarative pipeline scripts.
 84 |   >
 85 |   >These examples take a single, publicly-available image tag ('debian:latest'), put it into a file, and send that file to Anchore for analysis with various analysis options specified.
 86 | 
 87 | This first example imagines a scenario where your team is just getting started with Anchore, and anticipates that the tool will find some issues that will need to be fixed. In order to not block the CI build until those issues have been fixed, the `bailOnFail` parameter has been temporarily set to `false`.
 88 | ```
 89 | node {
 90 |   def imageLine = 'debian:latest'
 91 |   writeFile file: 'anchore_images', text: imageLine
 92 |   anchore name: 'anchore_images', engineCredentialsId: 'my_credentials_id', bailOnFail: false
 93 | }
 94 | ```
 95 | 
 96 | Once the issues identified by the scan have been fixed that parameter should be set (or removed so it can default) to `true`. This will help prevent new security issues from being introduced.
 97 | ```
 98 | node {
 99 |   def imageLine = 'debian:latest'
100 |   writeFile file: 'anchore_images', text: imageLine
101 |   anchore name: 'anchore_images', engineCredentialsId: 'my_credentials_id'
102 | }
103 | ```
104 | 
105 | However, other teams within your organization are now starting to use anchore to analyze the images they are building. This has the potential to introduce many more images into the system, but you may want to be able to easily generate reports that only highlight the results of scans on your team's images. Annotations are a great way to do that! Using annotations, you can easily filter Anchore search results to only return data about the images you are concerned with.
106 | 
107 | To update your pipeline to include annotations on images your team is building, do the following.
108 | ```
109 | node {
110 |   def imageLine = 'debian:latest'
111 |   writeFile file: 'anchore_images', text: imageLine
112 |   anchore name: 'anchore_images', engineCredentialsId: 'my_credentials_id', annotations: [[key: 'image_owner', value: 'my_team']]
113 | }
114 | ```
115 | 
116 | As your organization's DevOps maturity progresses, you may find that you not only want to report on image scan data from different teams differently, you may also want to customize those scans to more closely control how the images you are developing are being scanned.
117 | 
118 | Information about how to customize policy bundles is available [here](https://docs.anchore.com/current/docs/overview/concepts/policy/bundles). To apply a specific policy bundle to your image scans, not the unique UUID of your policy and update your pipeline script as shown below.
119 | ```
120 | node {
121 |   def imageLine = 'debian:latest'
122 |   writeFile file: 'anchore_images', text: imageLine
123 |   anchore 'anchore_images', engineCredentialsId: 'my_credentials_id', annotations: [[key: 'my_key', value: 'my_value']], policyBundleId: 'myUUID'
124 | }
125 | ```
126 | 
127 | ### Freestyle 
128 | 
129 | In the example below an _Execute Shell_ build step is used to build and push a container image to a local registry.
130 | ```
131 | TAG=$(date "+%H%M%S%d%m%Y")
132 | IMAGENAME=build.example.com/myapp
133 | docker build -t $IMAGENAME:$TAG .
134 | docker push $IMAGENAME:$TAG
135 | ```
136 | 
137 | We will add a single line to create the _anchore\_images_ file that is read by the Anchore plugin
138 | 
139 | >Note: Multiple lines can be added if the build produces more than a single container image.
140 | 
141 | ```
142 | TAG=$(date "+%H%M%S%d%m%Y")
143 | IMAGENAME=build.example.com/myapp
144 | docker build -t $IMAGENAME:$TAG .
145 | docker push $IMAGENAME:$TAG
146 | 
147 | # Line added to create anchore_images file
148 | echo "$IMAGENAME:$TAG ${WORKSPACE}/Dockerfile " > anchore_images
149 | ```
150 | 
151 | After the image has been built and pushed to the staging registry the Anchore plugin should be invoked. 
152 | 
153 | Dropdown _Add build step_ and select the _Anchore Container Image Scanner_
154 | 
155 | ![](docs/images/freestyle_build_step.png)
156 | 
157 | A new build step labeled **Anchore Build Options** will appear in your job
158 | 
159 | ![](docs/images/build_options.png)
160 | 
161 | The plugin creates an Anchore Report directory that includes a JSON file with the results of the policy evaluation.
162 | 
163 | The status of the scan status is indicated in the build summary (GO = Pass, STOP = Fail, WARN=Warning)
164 | 
165 | ![](docs/images/build_summary.png)
166 | 
167 | Clicking on the Anchore Report link will render the vulnerabilities and policy evaluation in the Jenkins web UI
168 | 
169 | ![](docs/images/build_report.png)
170 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 | 
  2 |                                  Apache License
  3 |                            Version 2.0, January 2004
  4 |                         http://www.apache.org/licenses/
  5 | 
  6 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  7 | 
  8 |    1. Definitions.
  9 | 
 10 |       "License" shall mean the terms and conditions for use, reproduction,
 11 |       and distribution as defined by Sections 1 through 9 of this document.
 12 | 
 13 |       "Licensor" shall mean the copyright owner or entity authorized by
 14 |       the copyright owner that is granting the License.
 15 | 
 16 |       "Legal Entity" shall mean the union of the acting entity and all
 17 |       other entities that control, are controlled by, or are under common
 18 |       control with that entity. For the purposes of this definition,
 19 |       "control" means (i) the power, direct or indirect, to cause the
 20 |       direction or management of such entity, whether by contract or
 21 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 22 |       outstanding shares, or (iii) beneficial ownership of such entity.
 23 | 
 24 |       "You" (or "Your") shall mean an individual or Legal Entity
 25 |       exercising permissions granted by this License.
 26 | 
 27 |       "Source" form shall mean the preferred form for making modifications,
 28 |       including but not limited to software source code, documentation
 29 |       source, and configuration files.
 30 | 
 31 |       "Object" form shall mean any form resulting from mechanical
 32 |       transformation or translation of a Source form, including but
 33 |       not limited to compiled object code, generated documentation,
 34 |       and conversions to other media types.
 35 | 
 36 |       "Work" shall mean the work of authorship, whether in Source or
 37 |       Object form, made available under the License, as indicated by a
 38 |       copyright notice that is included in or attached to the work
 39 |       (an example is provided in the Appendix below).
 40 | 
 41 |       "Derivative Works" shall mean any work, whether in Source or Object
 42 |       form, that is based on (or derived from) the Work and for which the
 43 |       editorial revisions, annotations, elaborations, or other modifications
 44 |       represent, as a whole, an original work of authorship. For the purposes
 45 |       of this License, Derivative Works shall not include works that remain
 46 |       separable from, or merely link (or bind by name) to the interfaces of,
 47 |       the Work and Derivative Works thereof.
 48 | 
 49 |       "Contribution" shall mean any work of authorship, including
 50 |       the original version of the Work and any modifications or additions
 51 |       to that Work or Derivative Works thereof, that is intentionally
 52 |       submitted to Licensor for inclusion in the Work by the copyright owner
 53 |       or by an individual or Legal Entity authorized to submit on behalf of
 54 |       the copyright owner. For the purposes of this definition, "submitted"
 55 |       means any form of electronic, verbal, or written communication sent
 56 |       to the Licensor or its representatives, including but not limited to
 57 |       communication on electronic mailing lists, source code control systems,
 58 |       and issue tracking systems that are managed by, or on behalf of, the
 59 |       Licensor for the purpose of discussing and improving the Work, but
 60 |       excluding communication that is conspicuously marked or otherwise
 61 |       designated in writing by the copyright owner as "Not a Contribution."
 62 | 
 63 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 64 |       on behalf of whom a Contribution has been received by Licensor and
 65 |       subsequently incorporated within the Work.
 66 | 
 67 |    2. Grant of Copyright License. Subject to the terms and conditions of
 68 |       this License, each Contributor hereby grants to You a perpetual,
 69 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 70 |       copyright license to reproduce, prepare Derivative Works of,
 71 |       publicly display, publicly perform, sublicense, and distribute the
 72 |       Work and such Derivative Works in Source or Object form.
 73 | 
 74 |    3. Grant of Patent License. Subject to the terms and conditions of
 75 |       this License, each Contributor hereby grants to You a perpetual,
 76 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 77 |       (except as stated in this section) patent license to make, have made,
 78 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 79 |       where such license applies only to those patent claims licensable
 80 |       by such Contributor that are necessarily infringed by their
 81 |       Contribution(s) alone or by combination of their Contribution(s)
 82 |       with the Work to which such Contribution(s) was submitted. If You
 83 |       institute patent litigation against any entity (including a
 84 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 85 |       or a Contribution incorporated within the Work constitutes direct
 86 |       or contributory patent infringement, then any patent licenses
 87 |       granted to You under this License for that Work shall terminate
 88 |       as of the date such litigation is filed.
 89 | 
 90 |    4. Redistribution. You may reproduce and distribute copies of the
 91 |       Work or Derivative Works thereof in any medium, with or without
 92 |       modifications, and in Source or Object form, provided that You
 93 |       meet the following conditions:
 94 | 
 95 |       (a) You must give any other recipients of the Work or
 96 |           Derivative Works a copy of this License; and
 97 | 
 98 |       (b) You must cause any modified files to carry prominent notices
 99 |           stating that You changed the files; and
100 | 
101 |       (c) You must retain, in the Source form of any Derivative Works
102 |           that You distribute, all copyright, patent, trademark, and
103 |           attribution notices from the Source form of the Work,
104 |           excluding those notices that do not pertain to any part of
105 |           the Derivative Works; and
106 | 
107 |       (d) If the Work includes a "NOTICE" text file as part of its
108 |           distribution, then any Derivative Works that You distribute must
109 |           include a readable copy of the attribution notices contained
110 |           within such NOTICE file, excluding those notices that do not
111 |           pertain to any part of the Derivative Works, in at least one
112 |           of the following places: within a NOTICE text file distributed
113 |           as part of the Derivative Works; within the Source form or
114 |           documentation, if provided along with the Derivative Works; or,
115 |           within a display generated by the Derivative Works, if and
116 |           wherever such third-party notices normally appear. The contents
117 |           of the NOTICE file are for informational purposes only and
118 |           do not modify the License. You may add Your own attribution
119 |           notices within Derivative Works that You distribute, alongside
120 |           or as an addendum to the NOTICE text from the Work, provided
121 |           that such additional attribution notices cannot be construed
122 |           as modifying the License.
123 | 
124 |       You may add Your own copyright statement to Your modifications and
125 |       may provide additional or different license terms and conditions
126 |       for use, reproduction, or distribution of Your modifications, or
127 |       for any such Derivative Works as a whole, provided Your use,
128 |       reproduction, and distribution of the Work otherwise complies with
129 |       the conditions stated in this License.
130 | 
131 |    5. Submission of Contributions. Unless You explicitly state otherwise,
132 |       any Contribution intentionally submitted for inclusion in the Work
133 |       by You to the Licensor shall be under the terms and conditions of
134 |       this License, without any additional terms or conditions.
135 |       Notwithstanding the above, nothing herein shall supersede or modify
136 |       the terms of any separate license agreement you may have executed
137 |       with Licensor regarding such Contributions.
138 | 
139 |    6. Trademarks. This License does not grant permission to use the trade
140 |       names, trademarks, service marks, or product names of the Licensor,
141 |       except as required for reasonable and customary use in describing the
142 |       origin of the Work and reproducing the content of the NOTICE file.
143 | 
144 |    7. Disclaimer of Warranty. Unless required by applicable law or
145 |       agreed to in writing, Licensor provides the Work (and each
146 |       Contributor provides its Contributions) on an "AS IS" BASIS,
147 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
148 |       implied, including, without limitation, any warranties or conditions
149 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
150 |       PARTICULAR PURPOSE. You are solely responsible for determining the
151 |       appropriateness of using or redistributing the Work and assume any
152 |       risks associated with Your exercise of permissions under this License.
153 | 
154 |    8. Limitation of Liability. In no event and under no legal theory,
155 |       whether in tort (including negligence), contract, or otherwise,
156 |       unless required by applicable law (such as deliberate and grossly
157 |       negligent acts) or agreed to in writing, shall any Contributor be
158 |       liable to You for damages, including any direct, indirect, special,
159 |       incidental, or consequential damages of any character arising as a
160 |       result of this License or out of the use or inability to use the
161 |       Work (including but not limited to damages for loss of goodwill,
162 |       work stoppage, computer failure or malfunction, or any and all
163 |       other commercial damages or losses), even if such Contributor
164 |       has been advised of the possibility of such damages.
165 | 
166 |    9. Accepting Warranty or Additional Liability. While redistributing
167 |       the Work or Derivative Works thereof, You may choose to offer,
168 |       and charge a fee for, acceptance of support, warranty, indemnity,
169 |       or other liability obligations and/or rights consistent with this
170 |       License. However, in accepting such obligations, You may act only
171 |       on Your own behalf and on Your sole responsibility, not on behalf
172 |       of any other Contributor, and only if You agree to indemnify,
173 |       defend, and hold each Contributor harmless for any liability
174 |       incurred by, or claims asserted against, such Contributor by reason
175 |       of your accepting any such warranty or additional liability.
176 | 
177 |    END OF TERMS AND CONDITIONS
178 | 
179 |    Copyright 2015-2016 Anchore, Inc.
180 | 
181 |    Licensed under the Apache License, Version 2.0 (the "License");
182 |    you may not use this file except in compliance with the License.
183 |    You may obtain a copy of the License at
184 | 
185 |        http://www.apache.org/licenses/LICENSE-2.0
186 | 
187 |    Unless required by applicable law or agreed to in writing, software
188 |    distributed under the License is distributed on an "AS IS" BASIS,
189 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
190 |    See the License for the specific language governing permissions and
191 |    limitations under the License.
192 | 


--------------------------------------------------------------------------------
/src/main/java/com/anchore/jenkins/plugins/anchore/AnchoreBuilder.java:
--------------------------------------------------------------------------------
  1 | package com.anchore.jenkins.plugins.anchore;
  2 | 
  3 | 
  4 | import com.anchore.jenkins.plugins.anchore.Util.GATE_ACTION;
  5 | import com.cloudbees.plugins.credentials.CredentialsMatchers;
  6 | import com.cloudbees.plugins.credentials.CredentialsProvider;
  7 | import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
  8 | import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
  9 | import com.cloudbees.plugins.credentials.domains.DomainRequirement;
 10 | import com.google.common.base.Strings;
 11 | import hudson.AbortException;
 12 | import hudson.Extension;
 13 | import hudson.FilePath;
 14 | import hudson.Launcher;
 15 | import hudson.model.AbstractProject;
 16 | import hudson.model.Run;
 17 | import hudson.model.TaskListener;
 18 | import hudson.security.ACL;
 19 | import hudson.tasks.BuildStepDescriptor;
 20 | import hudson.tasks.Builder;
 21 | import hudson.util.FormValidation;
 22 | import hudson.util.ListBoxModel;
 23 | import hudson.util.Secret;
 24 | import java.io.IOException;
 25 | import java.util.Collections;
 26 | import java.util.List;
 27 | import java.util.logging.Logger;
 28 | import javax.annotation.Nonnull;
 29 | import jenkins.model.Jenkins;
 30 | import jenkins.tasks.SimpleBuildStep;
 31 | import net.sf.json.JSONObject;
 32 | import org.jenkinsci.Symbol;
 33 | import org.kohsuke.stapler.DataBoundConstructor;
 34 | import org.kohsuke.stapler.DataBoundSetter;
 35 | import org.kohsuke.stapler.QueryParameter;
 36 | import org.kohsuke.stapler.StaplerRequest;
 37 | 
 38 | /**
 39 |  * <p>Anchore Plugin enables Jenkins users to scan container images, generate analysis, evaluate gate policy, and execute customizable
 40 |  * queries. The plugin can be used in a freestyle project as a step or invoked from a pipeline script</p>
 41 |  *
 42 |  * <p>Requirements:</p>
 43 |  *
 44 |  * <ol> <li>Jenkins installed and configured either as a single system, or with multiple configured jenkins worker nodes</li>
 45 |  *
 46 |  * <li>Each host on which jenkins jobs will run must have docker installed and the jenkins user (or whichever user you have configured
 47 |  * jenkins to run jobs as) must be allowed to interact with docker (either directly or via sudo)</li>
 48 |  *
 49 |  * <li>Each host on which jenkins jobs will run must have the latest anchore container image installed in the local docker host. To
 50 |  * install, run 'docker pull anchore/jenkins:latest' on each jenkins host to make the image available to the plugin. The plugin will
 51 |  * start an instance of the anchore/jenkins:latest docker container named 'jenkins_anchore' by default, on each host that runs a
 52 |  * jenkins job that includes an Anchore Container Image Scanner step.</li> </ol>
 53 |  */
 54 | public class AnchoreBuilder extends Builder implements SimpleBuildStep {
 55 | 
 56 |   //  Log handler for logging above INFO level events to jenkins log
 57 |   private static final Logger LOG = Logger.getLogger(AnchoreBuilder.class.getName());
 58 | 
 59 |   // Assigning the defaults here for pipeline builds
 60 |   private String name;
 61 |   private String engineRetries = DescriptorImpl.DEFAULT_ENGINE_RETRIES;
 62 |   private String engineRetryInterval = DescriptorImpl.DEFAULT_ENGINE_RETRY_INTERVAL;
 63 |   private boolean bailOnFail = DescriptorImpl.DEFAULT_BAIL_ON_FAIL;
 64 |   private boolean bailOnPluginFail = DescriptorImpl.DEFAULT_BAIL_ON_PLUGIN_FAIL;
 65 |   private String policyBundleId = DescriptorImpl.DEFAULT_POLICY_BUNDLE_ID;
 66 |   private List<Annotation> annotations;
 67 |   private boolean autoSubscribeTagUpdates = DescriptorImpl.DEFAULT_AUTOSUBSCRIBE_TAG_UPDATES;
 68 |   private boolean forceAnalyze = DescriptorImpl.DEFAULT_FORCE_ANALYZE;
 69 |   private boolean excludeFromBaseImage = DescriptorImpl.DEFAULT_EXCLUDE_FROM_BASE_IMAGE;
 70 | 
 71 |   // Override global config. Supported for anchore-enterprise mode config only
 72 |   private String anchoreui = DescriptorImpl.EMPTY_STRING;
 73 |   private String engineurl = DescriptorImpl.EMPTY_STRING;
 74 |   private String engineCredentialsId = DescriptorImpl.EMPTY_STRING;
 75 |   private String engineaccount = DescriptorImpl.EMPTY_STRING;
 76 |   private boolean engineverify = false;
 77 |   // More flags to indicate boolean override, ugh!
 78 |   private boolean isEngineverifyOverrride = false;
 79 | 
 80 |   // Getters are used by config.jelly
 81 |   public String getName() {
 82 |     return name;
 83 |   }
 84 | 
 85 |   public String getEngineRetries() {
 86 |     return engineRetries;
 87 |   }
 88 | 
 89 |   public String getEngineRetryInterval() {
 90 |     return engineRetryInterval;
 91 |   }
 92 | 
 93 |   public boolean getBailOnFail() {
 94 |     return bailOnFail;
 95 |   }
 96 | 
 97 |   public boolean getBailOnPluginFail() {
 98 |     return bailOnPluginFail;
 99 |   }
100 | 
101 |   public String getPolicyBundleId() {
102 |     return policyBundleId;
103 |   }
104 | 
105 |   public List<Annotation> getAnnotations() {
106 |     return annotations;
107 |   }
108 | 
109 |   public boolean getAutoSubscribeTagUpdates() {
110 |     return autoSubscribeTagUpdates;
111 |   }
112 | 
113 |   public boolean getForceAnalyze() {
114 |     return forceAnalyze;
115 |   }
116 | 
117 |   public boolean getExcludeFromBaseImage() {
118 |     return excludeFromBaseImage;
119 |   }
120 | 
121 |   public String getAnchoreui() {
122 |     return anchoreui;
123 |   }
124 | 
125 |   public String getEngineurl() {
126 |     return engineurl;
127 |   }
128 | 
129 |   public String getEngineCredentialsId() {
130 |     return engineCredentialsId;
131 |   }
132 | 
133 |   public String getEngineaccount() {
134 |     return engineaccount;
135 |   }
136 | 
137 |   public boolean getEngineverify() {
138 |     return engineverify;
139 |   }
140 | 
141 | 
142 |   @DataBoundSetter
143 |   public void setEngineRetries(String engineRetries) {
144 |     this.engineRetries = engineRetries;
145 |   }
146 | 
147 |   @DataBoundSetter
148 |   public void setEngineRetryInterval(String engineRetryInterval) {
149 |     this.engineRetryInterval = engineRetryInterval;
150 |   }
151 | 
152 |   @DataBoundSetter
153 |   public void setBailOnFail(boolean bailOnFail) {
154 |     this.bailOnFail = bailOnFail;
155 |   }
156 | 
157 |   @DataBoundSetter
158 |   public void setBailOnPluginFail(boolean bailOnPluginFail) {
159 |     this.bailOnPluginFail = bailOnPluginFail;
160 |   }
161 | 
162 |   @DataBoundSetter
163 |   public void setPolicyBundleId(String policyBundleId) {
164 |     this.policyBundleId = policyBundleId;
165 |   }
166 | 
167 |   @DataBoundSetter
168 |   public void setAnnotations(List<Annotation> annotations) {
169 |     this.annotations = annotations;
170 |   }
171 | 
172 |   @DataBoundSetter
173 |   public void setAutoSubscribeTagUpdates(boolean autoSubscribeTagUpdates) {
174 |     this.autoSubscribeTagUpdates = autoSubscribeTagUpdates;
175 |   }
176 | 
177 |   @DataBoundSetter
178 |   public void setForceAnalyze(boolean forceAnalyze) {
179 |     this.forceAnalyze = forceAnalyze;
180 |   }
181 | 
182 |   @DataBoundSetter
183 |   public void setExcludeFromBaseImage(boolean excludeFromBaseImage) {
184 |     this.excludeFromBaseImage = excludeFromBaseImage;
185 |   }
186 | 
187 |   @DataBoundSetter
188 |   public void setAnchoreui(String anchoreui) {
189 |     this.anchoreui = anchoreui;
190 |   }
191 | 
192 |   @DataBoundSetter
193 |   public void setEngineurl(String engineurl) {
194 |     this.engineurl = engineurl;
195 |   }
196 | 
197 |   @DataBoundSetter
198 |   public void setEngineCredentialsId(String engineCredentialsId) {
199 |     this.engineCredentialsId = engineCredentialsId;
200 |   }
201 | 
202 |   @DataBoundSetter
203 |   public void setEngineaccount(String engineaccount) {
204 |     this.engineaccount = engineaccount;
205 |   }
206 | 
207 |   @DataBoundSetter
208 |   public void setEngineverify(boolean engineverify) {
209 |     this.engineverify = engineverify;
210 |     this.isEngineverifyOverrride = true;
211 |   }
212 | 
213 |   // Fields in config.jelly must match the parameter names in the "DataBoundConstructor" or "DataBoundSetter"
214 |   @DataBoundConstructor
215 |   public AnchoreBuilder(String name) {
216 |     this.name = name;
217 |   }
218 | 
219 |   @Override
220 |   public void perform(@Nonnull Run<?, ?> run, @Nonnull FilePath workspace, @Nonnull Launcher launcher, @Nonnull TaskListener listener)
221 |       throws InterruptedException, IOException {
222 | 
223 |     LOG.warning(
224 |         "Starting Anchore Container Image Scanner step, project: " + run.getParent().getDisplayName() + ", job: " + run.getNumber());
225 | 
226 |     boolean failedByGate = false;
227 |     BuildConfig config = null;
228 |     BuildWorker worker = null;
229 |     DescriptorImpl globalConfig = getDescriptor();
230 |     ConsoleLog console = new ConsoleLog("AnchorePlugin", listener.getLogger(), globalConfig.getDebug());
231 | 
232 |     GATE_ACTION finalAction;
233 | 
234 |     try {
235 | 
236 |       /* Fetch Jenkins creds first, can't push this lower down the chain since it requires Jenkins instance object */
237 |       String engineuser = null;
238 |       String enginepass = null;
239 |       if (!Strings.isNullOrEmpty(engineCredentialsId)) {
240 |         console.logDebug("Found build override for anchore-enterprise credentials. Processing Jenkins credential ID ");
241 |         try {
242 |           StandardUsernamePasswordCredentials creds = CredentialsProvider
243 |               .findCredentialById(engineCredentialsId, StandardUsernamePasswordCredentials.class, run,
244 |                   Collections.<DomainRequirement>emptyList());
245 |           if (null != creds) {
246 |             engineuser = creds.getUsername();
247 |             enginepass = creds.getPassword().getPlainText();
248 |           } else {
249 |             throw new AbortException("Cannot find Jenkins credentials by ID: \'" + engineCredentialsId
250 |                 + "\'. Ensure credentials are defined in Jenkins before using them");
251 |           }
252 |         } catch (AbortException e) {
253 |           throw e;
254 |         } catch (Exception e) {
255 |           console.logError("Error looking up Jenkins credentials by ID: \'" + engineCredentialsId + "\'", e);
256 |           throw new AbortException("Error looking up Jenkins credentials by ID: \'" + engineCredentialsId);
257 |         }
258 |       }
259 | 
260 |       String anchoreui = globalConfig.getAnchoreui();
261 | 
262 |       /* Instantiate config and a new build worker */
263 |       config = new BuildConfig(name, engineRetries, engineRetryInterval, bailOnFail,
264 |           bailOnPluginFail, policyBundleId, annotations, autoSubscribeTagUpdates, forceAnalyze, excludeFromBaseImage, globalConfig.getDebug(), anchoreui,
265 |           // messy build time overrides, ugh!
266 |           !Strings.isNullOrEmpty(engineurl) ? engineurl : globalConfig.getEngineurl(),
267 |           !Strings.isNullOrEmpty(engineuser) ? engineuser : globalConfig.getEngineuser(),
268 |           !Strings.isNullOrEmpty(enginepass) ? enginepass : globalConfig.getEnginepass().getPlainText(),
269 |           !Strings.isNullOrEmpty(engineaccount) ? engineaccount : globalConfig.getEngineaccount(),
270 |           isEngineverifyOverrride ? engineverify : globalConfig.getEngineverify());
271 |       worker = new BuildWorker(run, workspace, launcher, listener, config);
272 | 
273 |       if (Strings.isNullOrEmpty(anchoreui)) {
274 |         console.logInfo("Anchore UI URL is not set. Links to Anchore UI will not be available");
275 |       }
276 |       
277 |       /* Log any build time overrides are at play */
278 |       if (!Strings.isNullOrEmpty(engineurl)) {
279 |         console.logInfo("Build override set for Anchore Engine URL");
280 |       }
281 |       if (!Strings.isNullOrEmpty(engineuser) && !Strings.isNullOrEmpty(enginepass)) {
282 |         console.logInfo("Build override set for Anchore Engine credentials");
283 |       }
284 |       if (!Strings.isNullOrEmpty(engineaccount)) {
285 |         console.logInfo("Build override set for Anchore Engine account");
286 |       }
287 |       if (isEngineverifyOverrride) {
288 |         console.logInfo("Build override set for Anchore Engine verify SSL");
289 |       }
290 | 
291 |       /* Run analysis */
292 |       worker.runAnalyzer();
293 | 
294 |       /* Run gates */
295 |       finalAction = worker.runGates();
296 | 
297 |       /* Run queries and continue even if it fails */
298 |       try {
299 |         worker.runQueries();
300 |       } catch (Exception e) {
301 |         console.logWarn("Recording failure to execute Anchore queries and moving on with plugin operation", e);
302 |       }
303 | 
304 |       /* Setup reports */
305 |       worker.setupBuildReports();
306 | 
307 |       /* Evaluate result of step based on gate action */
308 |       if (null != finalAction) {
309 |         if (config.getBailOnFail() && (GATE_ACTION.STOP.equals(finalAction) || GATE_ACTION.FAIL.equals(finalAction))) {
310 |           console.logWarn("Failing Anchore Container Image Scanner Plugin step due to final result " + finalAction);
311 |           failedByGate = true;
312 |           throw new AbortException("Failing Anchore Container Image Scanner Plugin step due to final result " + finalAction);
313 |         } else {
314 |           console.logInfo("Marking Anchore Container Image Scanner step as successful, final result " + finalAction);
315 |         }
316 |       } else {
317 |         console.logInfo("Marking Anchore Container Image Scanner step as successful, no final result");
318 |       }
319 | 
320 |     } catch (Exception e) {
321 |       if (failedByGate) {
322 |         throw e;
323 |       } else if ((null != config && config.getBailOnPluginFail()) || bailOnPluginFail) {
324 |         console.logError("Failing Anchore Container Image Scanner Plugin step due to errors in plugin execution", e);
325 |         if (e instanceof AbortException) {
326 |           throw e;
327 |         } else {
328 |           throw new AbortException("Failing Anchore Container Image Scanner Plugin step due to errors in plugin execution");
329 |         }
330 |       } else {
331 |         console.logWarn("Marking Anchore Container Image Scanner step as successful despite errors in plugin execution");
332 |       }
333 |     } finally {
334 |       // Wrap cleanup in try catch block to ensure this finally block does not throw an exception
335 |       if (null != worker) {
336 |         try {
337 |           worker.cleanup();
338 |         } catch (Exception e) {
339 |           console.logDebug("Failed to cleanup after the plugin, ignoring the errors", e);
340 |         }
341 |       }
342 |       console.logInfo("Completed Anchore Container Image Scanner step");
343 |       LOG.warning("Completed Anchore Container Image Scanner step, project: " + run.getParent().getDisplayName() + ", job: " + run
344 |           .getNumber());
345 |     }
346 |   }
347 | 
348 |   @Override
349 |   public DescriptorImpl getDescriptor() {
350 |     return (DescriptorImpl) super.getDescriptor();
351 |   }
352 | 
353 |   @Symbol("anchore") // For Jenkins pipeline workflow. This lets pipeline refer to step using the defined identifier
354 |   @Extension // This indicates to Jenkins that this is an implementation of an extension point.
355 |   public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {
356 | 
357 |     // Default job level config that may be used both by config.jelly and an instance of AnchoreBuilder
358 |     public static final String DEFAULT_NAME = "anchore_images";
359 |     public static final String DEFAULT_ENGINE_RETRIES = "300";
360 |     public static final String DEFAULT_ENGINE_RETRY_INTERVAL = "5";
361 |     public static final boolean DEFAULT_BAIL_ON_FAIL = true;
362 |     public static final boolean DEFAULT_BAIL_ON_PLUGIN_FAIL = true;
363 |     public static final String DEFAULT_PLUGIN_MODE = "anchoreengine";
364 |     public static final String DEFAULT_POLICY_BUNDLE_ID = "";
365 |     public static final String EMPTY_STRING = "";
366 |     public static final boolean DEFAULT_AUTOSUBSCRIBE_TAG_UPDATES = true;
367 |     public static final boolean DEFAULT_FORCE_ANALYZE = false;
368 |     public static final boolean DEFAULT_EXCLUDE_FROM_BASE_IMAGE = false;
369 | 
370 |     // Global configuration
371 |     private boolean debug;
372 |     private String anchoreui;
373 |     private String engineurl;
374 |     private String engineuser;
375 |     private Secret enginepass;
376 |     private String engineaccount;
377 |     private boolean engineverify;
378 | 
379 |     // Upgrade case, you can never really remove these variables once they are introduced
380 |     @Deprecated
381 |     private boolean enabled;
382 | 
383 |     public void setDebug(boolean debug) {
384 |       this.debug = debug;
385 |     }
386 | 
387 |     @Deprecated
388 |     public void setEnabled(boolean enabled) {
389 |       this.enabled = enabled;
390 |     }
391 | 
392 |     public void setAnchoreui(String anchoreui) {
393 |       this.anchoreui = anchoreui;
394 |     }
395 | 
396 |     public void setEngineurl(String engineurl) {
397 |       this.engineurl = engineurl;
398 |     }
399 | 
400 |     public void setEngineuser(String engineuser) {
401 |       this.engineuser = engineuser;
402 |     }
403 | 
404 |     public void setEnginepass(Secret enginepass) {
405 |       this.enginepass = enginepass;
406 |     }
407 | 
408 |     public void setEngineaccount(String engineaccount) {
409 |       this.engineaccount = engineaccount;
410 |     }
411 | 
412 |     public void setEngineverify(boolean engineverify) {
413 |       this.engineverify = engineverify;
414 |     }
415 | 
416 |     public boolean getDebug() {
417 |       return debug;
418 |     }
419 | 
420 |     @Deprecated
421 |     public boolean getEnabled() {
422 |       return enabled;
423 |     }
424 | 
425 |     public String getAnchoreui() {
426 |       return anchoreui;
427 |     }
428 | 
429 |     public String getEngineurl() {
430 |       return engineurl;
431 |     }
432 | 
433 |     public String getEngineuser() {
434 |       return engineuser;
435 |     }
436 | 
437 |     public Secret getEnginepass() {
438 |       return enginepass;
439 |     }
440 | 
441 |     public String getEngineaccount() {
442 |       return engineaccount;
443 |     }
444 | 
445 |     public boolean getEngineverify() {
446 |       return engineverify;
447 |     }
448 | 
449 |     public DescriptorImpl() {
450 |       load();
451 |     }
452 | 
453 |     @Override
454 |     public boolean isApplicable(Class<? extends AbstractProject> aClass) {
455 |       return true;
456 |     }
457 | 
458 |     @Override
459 |     public String getDisplayName() {
460 |       return "Anchore Container Image Scanner";
461 |     }
462 | 
463 |     @Override
464 |     public boolean configure(StaplerRequest req, JSONObject formData) throws FormException {
465 |       req.bindJSON(this, formData); // Use stapler request to bind
466 |       save();
467 |       return true;
468 |     }
469 | 
470 |     /**
471 |      * Performs on-the-fly validation of the form field 'name' (Image list file)
472 |      *
473 |      * @param value This parameter receives the value that the user has typed in the 'Image list file' box
474 |      * @return Indicates the outcome of the validation. This is sent to the browser. <p> Note that returning {@link
475 |      * FormValidation#error(String)} does not prevent the form from being saved. It just means that a message will be displayed to the
476 |      * user
477 |      */
478 |     @SuppressWarnings("unused")
479 |     public FormValidation doCheckName(@QueryParameter String value) {
480 |       if (!Strings.isNullOrEmpty(value)) {
481 |         return FormValidation.ok();
482 |       } else {
483 |         return FormValidation.error("Please enter a valid file name");
484 |       }
485 |     }
486 | 
487 |     @SuppressWarnings("unused")
488 |     public ListBoxModel doFillEngineCredentialsIdItems(@QueryParameter String credentialsId) {
489 |       StandardListBoxModel result = new StandardListBoxModel();
490 | 
491 |       if (!Jenkins.getActiveInstance().hasPermission(Jenkins.ADMINISTER)) {
492 |         return result.includeCurrentValue(credentialsId);
493 |       }
494 | 
495 |       return result.includeEmptyValue()
496 |           .includeMatchingAs(ACL.SYSTEM, Jenkins.getActiveInstance(), StandardUsernamePasswordCredentials.class,
497 |               Collections.<DomainRequirement>emptyList(), CredentialsMatchers.always());
498 |     }
499 |   }
500 | }
501 | 
502 | 


--------------------------------------------------------------------------------
/src/main/java/com/anchore/jenkins/plugins/anchore/BuildWorker.java:
--------------------------------------------------------------------------------
   1 | package com.anchore.jenkins.plugins.anchore;
   2 | 
   3 | import com.anchore.jenkins.plugins.anchore.Util.API_VERSION;
   4 | import com.anchore.jenkins.plugins.anchore.Util.GATE_ACTION;
   5 | import com.anchore.jenkins.plugins.anchore.Util.GATE_SUMMARY_COLUMN;
   6 | import com.google.common.base.Strings;
   7 | import com.google.common.base.Joiner;
   8 | import hudson.AbortException;
   9 | import hudson.FilePath;
  10 | import hudson.Launcher;
  11 | import hudson.PluginWrapper;
  12 | import hudson.model.Run;
  13 | import hudson.model.TaskListener;
  14 | import hudson.tasks.ArtifactArchiver;
  15 | import java.io.BufferedReader;
  16 | import java.io.BufferedWriter;
  17 | import java.io.IOException;
  18 | import java.io.InputStreamReader;
  19 | import java.io.OutputStreamWriter;
  20 | import java.net.URLEncoder;
  21 | import java.nio.charset.StandardCharsets;
  22 | import java.util.ArrayList;
  23 | import java.util.Arrays;
  24 | import java.util.Iterator;
  25 | import java.util.LinkedHashMap;
  26 | import java.util.List;
  27 | import java.util.Map;
  28 | import java.util.logging.Logger;
  29 | import jenkins.model.Jenkins;
  30 | import net.sf.json.JSONArray;
  31 | import net.sf.json.JSONObject;
  32 | import net.sf.json.JSONSerializer;
  33 | 
  34 | import org.apache.commons.codec.binary.Base64;
  35 | import org.apache.http.Header;
  36 | import org.apache.http.auth.AuthScope;
  37 | import org.apache.http.auth.UsernamePasswordCredentials;
  38 | import org.apache.http.client.CredentialsProvider;
  39 | import org.apache.http.client.methods.CloseableHttpResponse;
  40 | import org.apache.http.client.methods.HttpGet;
  41 | import org.apache.http.client.methods.HttpPost;
  42 | import org.apache.http.client.protocol.HttpClientContext;
  43 | import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
  44 | import org.apache.http.conn.ssl.SSLContextBuilder;
  45 | import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
  46 | import org.apache.http.entity.StringEntity;
  47 | import org.apache.http.impl.client.BasicCredentialsProvider;
  48 | import org.apache.http.impl.client.CloseableHttpClient;
  49 | import org.apache.http.impl.client.HttpClients;
  50 | import org.apache.http.message.BasicHeader;
  51 | import org.apache.http.util.EntityUtils;
  52 | 
  53 | /**
  54 |  * A helper class to ensure concurrent jobs don't step on each other's toes. Anchore plugin instantiates a new instance of this class
  55 |  * for each individual job i.e. invocation of perform(). Global and project configuration at the time of execution is loaded into
  56 |  * worker instance via its constructor. That specific worker instance is responsible for the bulk of the plugin operations for a given
  57 |  * job.
  58 |  */
  59 | public class BuildWorker {
  60 | 
  61 |   private static final Logger LOG = Logger.getLogger(BuildWorker.class.getName());
  62 | 
  63 |   // TODO refactor
  64 |   private static final String GATES_OUTPUT_PREFIX = "anchore_gates";
  65 |   private static final String CVE_LISTING_PREFIX = "anchore_security";
  66 |   private static final String JENKINS_DIR_NAME= "AnchoreReport";
  67 |   private static final String JSON_FILE_EXTENSION = ".json";
  68 |   private static final String AE_VULNS_PREFIX = "anchoreengine-api-response-vulnerabilities-";
  69 |   private static final String AE_EVAL_PREFIX = "anchoreengine-api-response-evaluation-";
  70 | 
  71 |   // Private members
  72 |   Run<?, ?> build;
  73 |   FilePath workspace;
  74 |   Launcher launcher;
  75 |   TaskListener listener;
  76 |   BuildConfig config;
  77 | 
  78 | 
  79 |   /* Initialized by the constructor */
  80 |   private ConsoleLog console; // Log handler for logging to build console
  81 |   private boolean analyzed;
  82 | 
  83 |   // Initialized by Jenkins workspace prep
  84 |   private String buildId;
  85 |   private String jenkinsOutputDirName;
  86 |   private Map<String, String> queryOutputMap; // TODO rename
  87 |   private Map<String, String> input_image_dfile = new LinkedHashMap<>();
  88 |   private Map<String, String> input_image_imageDigest = new LinkedHashMap<>();
  89 |   private String gateOutputFileName;
  90 |   private GATE_ACTION finalAction;
  91 |   private JSONObject gateSummary;
  92 |   private int totalStopActionCount = 0;
  93 |   private int totalWarnActionCount = 0;
  94 |   private int totalGoActionCount = 0;
  95 |   private String cveListingFileName;
  96 | 
  97 |   public BuildWorker(Run<?, ?> build, FilePath workspace, Launcher launcher, TaskListener listener, BuildConfig config)
  98 |       throws AbortException {
  99 |     try {
 100 |       // Initialize build
 101 |       this.build = build;
 102 | 
 103 |       // Initialize workspace reference
 104 |       this.workspace = workspace;
 105 | 
 106 |       // Verify and initialize build listener
 107 |       if (null != listener) {
 108 |         this.listener = listener;
 109 |       } else {
 110 |         LOG.warning("Anchore Container Image Scanner plugin cannot initialize Jenkins task listener");
 111 |         throw new AbortException("Cannot initialize Jenkins task listener. Aborting step");
 112 |       }
 113 | 
 114 |       // Verify and initialize configuration
 115 |       if (null != config) {
 116 |         this.config = config;
 117 |       } else {
 118 |         LOG.warning("Anchore Container Image Scanner cannot find the required configuration");
 119 |         throw new AbortException(
 120 |             "Configuration for the plugin is invalid. Configure the plugin under Manage Jenkins->Configure System->Anchore "
 121 |                 + "Configuration first. Add the Anchore Container Image Scanner step in your project and retry");
 122 |       }
 123 | 
 124 |       // Initialize build logger to log output to consoleLog, use local logging methods only after this initializer completes
 125 |       console = new ConsoleLog("AnchoreWorker", this.listener.getLogger(), this.config.getDebug());
 126 | 
 127 |       console.logDebug("Initializing build worker");
 128 | 
 129 |       // Verify and initialize Jenkins launcher for executing processes
 130 |       // TODO is this necessary? Can't we use the launcher reference that was passed in
 131 |       this.launcher = workspace.createLauncher(listener);
 132 |       //      Node jenkinsNode = build.getBuiltOn();
 133 |       //      if (null != jenkinsNode) {
 134 |       //        this.launcher = jenkinsNode.createLauncher(listener);
 135 |       //        if (null == this.launcher) {
 136 |       //          console.logError("Cannot initialize Jenkins process executor");
 137 |       //          throw new AbortException("Cannot initialize Jenkins process executor. Aborting step");
 138 |       //        }
 139 |       //      } else {
 140 |       //        console.logError("Cannot access Jenkins node running the build");
 141 |       //        throw new AbortException("Cannot access Jenkins node running the build. Aborting step");
 142 |       //      }
 143 | 
 144 |       // Initialize analyzed flag to false to indicate that analysis step has not run
 145 |       this.analyzed = false;
 146 | 
 147 |       // Print versions and build configuration
 148 |       printConfig();
 149 | 
 150 |       // Check config
 151 |       checkConfig();
 152 | 
 153 |       // Initialize Jenkins workspace
 154 |       initializeJenkinsWorkspace();
 155 | 
 156 |       // Initialize Anchore workspace
 157 |       initializeAnchoreWorkspace();
 158 | 
 159 |       console.logDebug("Build worker initialized");
 160 |     } catch (Exception e) {
 161 |       try {
 162 |         if (console != null) {
 163 |           console.logError("Failed to initialize worker for plugin execution", e);
 164 |         }
 165 |         cleanJenkinsWorkspaceQuietly();
 166 |       } catch (Exception innere) {
 167 | 
 168 |       } finally {
 169 |         throw new AbortException("Failed to initialize worker for plugin execution, check logs for corrective action");
 170 |       }
 171 |     }
 172 |   }
 173 | 
 174 |   public void runAnalyzer() throws AbortException {
 175 |     runAnalyzerEngine();
 176 |   }
 177 | 
 178 |   private static CloseableHttpClient makeHttpClient(boolean verify, String account) {
 179 |     CloseableHttpClient httpclient = null;
 180 |     List<Header> headers = new ArrayList<>();
 181 |     if (!Strings.isNullOrEmpty(account)) {
 182 |       Header header = new BasicHeader("x-anchore-account", account);
 183 |       headers.add(header);
 184 |     }
 185 | 
 186 |     if (verify) {
 187 |       httpclient = HttpClients.custom().setDefaultHeaders(headers).build();
 188 |     } else {
 189 |       //SSLContextBuilder builder;
 190 | 
 191 |       //SSLConnectionSocketFactory sslsf=null;
 192 | 
 193 |       try {
 194 |         SSLContextBuilder builder = new SSLContextBuilder();
 195 |         builder.loadTrustMaterial(null, new TrustSelfSignedStrategy());
 196 |         SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(builder.build(),
 197 |             SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
 198 |         httpclient = HttpClients.custom().setSSLSocketFactory(sslsf).setDefaultHeaders(headers).build();
 199 |       } catch (Exception e) {
 200 |         System.out.println(e);
 201 |       }
 202 |     }
 203 |     return (httpclient);
 204 |   }
 205 | 
 206 |   private void runAnalyzerEngine() throws AbortException {
 207 |     String imageDigest = null;
 208 |     String username = config.getEngineuser();
 209 |     String password = config.getEnginepass();
 210 |     String account = config.getEngineaccount();
 211 |     boolean sslverify = config.getEngineverify();
 212 | 
 213 |     CredentialsProvider credsProvider = new BasicCredentialsProvider();
 214 |     credsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(username, password));
 215 |     HttpClientContext context = HttpClientContext.create();
 216 |     context.setCredentialsProvider(credsProvider);
 217 | 
 218 |     try {
 219 |       for (Map.Entry<String, String> entry : input_image_dfile.entrySet()) {
 220 |         String tag = entry.getKey();
 221 |         String dfile = entry.getValue();
 222 |         List<String> queryList = new ArrayList<>();
 223 |         String queryStr = null;
 224 | 
 225 |         console.logInfo("Submitting " + tag + " for analysis");
 226 | 
 227 |         try (CloseableHttpClient httpclient = makeHttpClient(sslverify, account)) {
 228 |           // Prep POST request
 229 |           String theurl = config.getEngineurl().replaceAll("/+$", "") + "/images";
 230 | 
 231 | 
 232 |           String should_auto_subscribe = config.getAutoSubscribeTagUpdates() ? "true" : "false";
 233 |           queryList.add("auto_subscribe=" + should_auto_subscribe);
 234 | 
 235 |           String should_force_image_add = config.getForceAnalyze() ? "true" : "false";
 236 |           queryList.add("force=" + should_force_image_add);
 237 | 
 238 |           if (!queryList.isEmpty()){
 239 |             queryStr = Joiner.on('&').skipNulls().join(queryList);
 240 |           }
 241 | 
 242 |           if (!Strings.isNullOrEmpty(queryStr)) {
 243 |             theurl += "?" + queryStr;
 244 |           }
 245 |           console.logDebug("Adding image using Enterprise API " + config.getEngineApiVersion());
 246 |           JSONObject jsonBody = new JSONObject();
 247 | 
 248 |           // Prep request body
 249 |           if (config.getEngineApiVersion() == API_VERSION.v1) {
 250 |             throw new AbortException("Requires Anchore Enterprise v2 API that can be found in Anchore Enterprise >= 4.9");
 251 |           } else {
 252 |             JSONObject jTag = new JSONObject();
 253 | 
 254 |             jTag.put("pull_string", tag);
 255 |             if (null != dfile) {
 256 |               jTag.put("dockerfile", dfile);
 257 |             }
 258 |         
 259 |             if (null != config.getAnnotations() && !config.getAnnotations().isEmpty()) {
 260 |               JSONObject annotations = new JSONObject();
 261 |               for (Annotation a : config.getAnnotations()) {
 262 |                 annotations.put(a.getKey(), a.getValue());
 263 |               }
 264 |               jsonBody.put("annotations", annotations);
 265 |             }
 266 | 
 267 |             JSONObject tagSource = new JSONObject();
 268 | 
 269 |             tagSource.put("tag", jTag);
 270 | 
 271 |             jsonBody.put("source", tagSource);
 272 |           }
 273 | 
 274 |           String body = jsonBody.toString();
 275 | 
 276 |           HttpPost httppost = new HttpPost(theurl);
 277 |           httppost.addHeader("Content-Type", "application/json");
 278 |           httppost.setEntity(new StringEntity(body));
 279 | 
 280 |           console.logDebug("anchore-enterprise add image URL: " + theurl);
 281 |           console.logDebug("anchore-enterprise add image payload: " + body);
 282 | 
 283 |           try (CloseableHttpResponse response = httpclient.execute(httppost, context)) {
 284 |             int statusCode = response.getStatusLine().getStatusCode();
 285 |             if (statusCode != 200) {
 286 |               String serverMessage = EntityUtils.toString(response.getEntity());
 287 |               console.logError(
 288 |                   "anchore-enterprise add image failed. URL: " + theurl + ", status: " + response.getStatusLine() + ", error: "
 289 |                       + serverMessage);
 290 |               throw new AbortException("Failed to analyze " + tag
 291 |                   + " due to error adding image to anchore-enterprise. Check above logs for errors from anchore-enterprise");
 292 |             } else {
 293 |               // Read the response body.
 294 |               String responseBody = EntityUtils.toString(response.getEntity());
 295 |               // TODO EntityUtils.consume(entity2);
 296 | 
 297 |               JSONObject respJson = JSONObject.fromObject(responseBody);
 298 |               imageDigest = JSONObject.fromObject(respJson).getString("image_digest");
 299 | 
 300 |               console.logInfo("Analysis request accepted, received image digest " + imageDigest);
 301 |               input_image_imageDigest.put(tag, imageDigest);
 302 |             }
 303 |           } catch (Throwable e) {
 304 |             throw e;
 305 |           }
 306 |         } catch (Throwable e) {
 307 |           throw e;
 308 |         }
 309 |       }
 310 |       analyzed = true;
 311 |     } catch (AbortException e) { // probably caught one of the thrown exceptions, let it pass through
 312 |       throw e;
 313 |     } catch (Exception e) { // caught unknown exception, log it and wrap its
 314 |       console.logError("Failed to add image(s) to anchore-enterprise due to an unexpected error", e);
 315 |       throw new AbortException(
 316 |           "Failed to add image(s) to anchore-enterprise due to an unexpected error. Please refer to above logs for more information");
 317 |     }
 318 |   }
 319 | 
 320 |   private void writeResponseToFile(Integer counter, FilePath jenkinsOutputDirFP, String responseBody) throws AbortException {
 321 |     // Write api response to a file as it is
 322 |     String jenkinsAEResponseFileName = AE_EVAL_PREFIX + (counter) + JSON_FILE_EXTENSION;
 323 |     FilePath jenkinsAEResponseFP = new FilePath(jenkinsOutputDirFP, jenkinsAEResponseFileName);
 324 | 
 325 |     try {
 326 |       console.logDebug("Writing anchore-enterprise policy evaluation response to " + jenkinsAEResponseFP.getRemote());
 327 |       try (BufferedWriter bw = new BufferedWriter(new OutputStreamWriter(jenkinsAEResponseFP.write(), StandardCharsets.UTF_8))) {
 328 |         bw.write(responseBody);
 329 |       }
 330 |     } catch (IOException | InterruptedException e) {
 331 |       console.logWarn("Failed to write anchore-enterprise policy evaluation response to " + jenkinsAEResponseFP.getRemote(), e);
 332 |       throw new AbortException("Failed to write anchore-enterprise policy evaluation response to " + jenkinsAEResponseFP.getRemote());
 333 |     }
 334 | 
 335 |   }
 336 | 
 337 |   public GATE_ACTION runGates() throws AbortException {
 338 |     if (config.getEngineApiVersion() == API_VERSION.v1) {
 339 | 	  throw new AbortException("Requires Anchore Enterprise v2 API that can be found in Anchore Enterprise >= 4.9");
 340 |     }
 341 |     console.logDebug("Using Enterprise API " + config.getEngineApiVersion());
 342 |     return runGatesEngineV2();
 343 |   }
 344 | 
 345 |   private GATE_ACTION runGatesEngineV2() throws AbortException {
 346 |     String username = config.getEngineuser();
 347 |     String password = config.getEnginepass();
 348 |     String account = config.getEngineaccount();
 349 |     String anchoreui = config.getAnchoreui();
 350 |     boolean sslverify = config.getEngineverify();
 351 | 
 352 |     CredentialsProvider credsProvider = new BasicCredentialsProvider();
 353 |     credsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(username, password));
 354 |     HttpClientContext context = HttpClientContext.create();
 355 |     context.setCredentialsProvider(credsProvider);
 356 | 
 357 |     //Credentials defaultcreds = new UsernamePasswordCredentials(username, password);
 358 |     FilePath jenkinsOutputDirFP = new FilePath(workspace, jenkinsOutputDirName);
 359 |     FilePath jenkinsGatesOutputFP = new FilePath(jenkinsOutputDirFP, gateOutputFileName);
 360 |     int counter = 0;
 361 | 
 362 |     finalAction = GATE_ACTION.PASS;
 363 |     if (analyzed) {
 364 |       try {
 365 |         JSONArray gate_results = new JSONArray();
 366 | 
 367 |         for (Map.Entry<String, String> entry : input_image_imageDigest.entrySet()) {
 368 |           String tag = entry.getKey();
 369 |           String imageDigest = entry.getValue();
 370 | 
 371 |           console.logInfo("Waiting for analysis of " + tag + ", polling status periodically");
 372 | 
 373 |           Boolean anchore_eval_status = false;
 374 |           String imageURL =
 375 |               config.getEngineurl().replaceAll("/+$", "") + "/images/" + imageDigest;
 376 | 
 377 |           int tryCount = 0;
 378 |           int maxCount = Integer.parseInt(config.getEngineRetries());
 379 |           int retryInterval = Integer.parseInt(config.getEngineRetryInterval());
 380 |           Boolean done = false;
 381 |           HttpGet httpgetCheckAnalysis = new HttpGet(imageURL);
 382 |           httpgetCheckAnalysis.addHeader("Content-Type", "application/json");
 383 |           int statusCode;
 384 |           String serverMessage = null;
 385 |           boolean sleep = false;
 386 |           JSONArray evaluations = null;
 387 | 
 388 |           do { // try this at least once regardless what the retry count is
 389 |             if (sleep) {
 390 |               console.logDebug("Snoozing before retrying anchore-enterprise get policy evaluation");
 391 |               Thread.sleep(1000 * retryInterval);
 392 |               sleep = false;
 393 |             }
 394 | 
 395 |             tryCount++;
 396 |             try (CloseableHttpClient httpclient = makeHttpClient(sslverify, account)) {
 397 |               console.logDebug("Attempting anchore-enterprise check for image analysis (" + tryCount + "/" + maxCount + ")");
 398 | 
 399 |               try (CloseableHttpResponse responseCheckAnalysis = httpclient.execute(httpgetCheckAnalysis, context)) {
 400 |                 statusCode = responseCheckAnalysis.getStatusLine().getStatusCode();
 401 | 
 402 |                 if (statusCode != 200) {
 403 |                   serverMessage = EntityUtils.toString(responseCheckAnalysis.getEntity());
 404 |                   console.logDebug(
 405 |                       "anchore-enterprise get analysis status failed. URL: " + imageURL + ", status: " + responseCheckAnalysis.getStatusLine()
 406 |                           + ", error: " + serverMessage);
 407 |                   sleep = true;
 408 |                 } else {
 409 |                   // Look for analyzed image before proceeding
 410 |                   String responseBodyCheckAnalysis = EntityUtils.toString(responseCheckAnalysis.getEntity());
 411 |                   JSONObject imageResponse = (JSONObject) JSONSerializer.toJSON(responseBodyCheckAnalysis);
 412 |                   String imageAnalysisStatus = imageResponse.getString("analysis_status");
 413 | 
 414 |                   if (imageAnalysisStatus.equals("analysis_failed")) {
 415 |                     console.logWarn("anchore-enterprise reporting analysis failed for " + imageDigest);
 416 |                     throw new AbortException("Analysis failed for " + imageDigest);
 417 |                   } else if (!imageAnalysisStatus.equals("analyzed")) {
 418 |                     console.logDebug("anchore-enterprise get analysis status: " + imageAnalysisStatus);
 419 |                     sleep = true;
 420 |                   } else {
 421 |                     String imageRegistry = imageResponse.getJSONArray("image_detail").getJSONObject(0).getString("registry");
 422 |                     String imageRepo = imageResponse.getJSONArray("image_detail").getJSONObject(0).getString("repo");
 423 |                     String imageTag = imageResponse.getJSONArray("image_detail").getJSONObject(0).getString("tag");
 424 | 
 425 |                     // Get the list of ancestors to determine base image
 426 |                     String ancestorsURL = imageURL + "/ancestors";
 427 |                     HttpGet httpgetAncestors = new HttpGet(ancestorsURL);
 428 |                     httpgetAncestors.addHeader("Content-Type", "application/json");
 429 |                     
 430 |                     try (CloseableHttpResponse responseAncestors = httpclient.execute(httpgetAncestors, context)) {
 431 |                       statusCode = responseAncestors.getStatusLine().getStatusCode();
 432 |                       if (statusCode != 200) {
 433 |                         serverMessage = EntityUtils.toString(responseAncestors.getEntity());
 434 |                         console.logDebug(
 435 |                             "anchore-enterprise get ancestors failed. URL: " + ancestorsURL + ", status: " + responseAncestors.getStatusLine()
 436 |                                 + ", error: " + serverMessage);
 437 |                         sleep = true;
 438 |                       } else {
 439 |                         // Get the base image from ancestors
 440 |                         String responseBodyAncestors = EntityUtils.toString(responseAncestors.getEntity());
 441 | 
 442 |                         String policyCheckURL = null;
 443 | 
 444 |                         JSONArray ancestors = (JSONArray) JSONSerializer.toJSON(responseBodyAncestors);
 445 |                         if (ancestors.size() < 1) {
 446 |                           console.logDebug("anchore-enterprise get ancestors response contains no records for image: " + ancestorsURL);
 447 |                           policyCheckURL =
 448 |                               config.getEngineurl().replaceAll("/+$", "") + "/images/" + imageDigest + "/check?tag=" + tag
 449 |                                   + "&detail=true";
 450 |                         } else {
 451 |                           String baseImageDigest = null;
 452 | 
 453 |                           // Get the chosen_base image from API
 454 |                           for (int i = 0; i < ancestors.size(); i++) {
 455 |                             JSONObject ancestor = ancestors.getJSONObject(i);
 456 |                             // If chosen_base_image key exists in the response, use it.
 457 |                             // This is required for compatibility with < Anchore Enterprise 5.7
 458 |                             if (ancestor.has("chosen_base_image")) {
 459 |                               if (ancestor.getBoolean("chosen_base_image")) {
 460 |                                 console.logDebug("found base image from API");
 461 |                                 baseImageDigest = ancestor.getString("image_digest");
 462 |                                 break;
 463 |                               }
 464 |                             }
 465 |                           }
 466 | 
 467 |                           // Get the last ancestor to determine the base image if no chosen_base image from API
 468 |                           // This is required for compatibility with < Anchore Enterprise 5.7
 469 |                           if (baseImageDigest == null) {
 470 |                             JSONObject lastAncestor = ancestors.getJSONObject(ancestors.size() - 1);
 471 |                             baseImageDigest = lastAncestor.getString("image_digest");
 472 |                           }
 473 | 
 474 |                           policyCheckURL =
 475 |                               config.getEngineurl().replaceAll("/+$", "") + "/images/" + imageDigest + "/check?tag=" + tag
 476 |                                   + "&detail=true&base_digest=" + baseImageDigest;
 477 |                         }
 478 | 
 479 |                         if (!Strings.isNullOrEmpty(config.getPolicyBundleId())) {
 480 |                           policyCheckURL += "&policy_id=" + config.getPolicyBundleId();
 481 |                         }
 482 |                         console.logDebug("anchore-enterprise get policy evaluation URL: " + policyCheckURL);
 483 | 
 484 |                         HttpGet httpgetPolicyCheck = new HttpGet(policyCheckURL);
 485 |                         httpgetPolicyCheck.addHeader("Content-Type", "application/json");
 486 | 
 487 |                         try (CloseableHttpResponse responsePolicyCheck = httpclient.execute(httpgetPolicyCheck, context)) {
 488 |                           statusCode = responsePolicyCheck.getStatusLine().getStatusCode();
 489 | 
 490 |                           if (statusCode != 200) {
 491 |                             serverMessage = EntityUtils.toString(responsePolicyCheck.getEntity());
 492 |                             console.logDebug(
 493 |                                 "anchore-enterprise get policy evaluation failed. URL: " + policyCheckURL + ", status: " + statusCode
 494 |                                     + ", error: " + serverMessage);
 495 |                             sleep = true;
 496 |                           } else {
 497 |                             // Read the response body.
 498 |                             String responseBodyPolicyCheck = EntityUtils.toString(responsePolicyCheck.getEntity());
 499 |                             
 500 |                             JSONObject topDocument = (JSONObject) JSONSerializer.toJSON(responseBodyPolicyCheck);
 501 |                             evaluations = topDocument.getJSONArray("evaluations");                  
 502 |                             JSONObject policyJsonObject = evaluations.getJSONObject(0);
 503 |                             JSONObject evaluationDetails = policyJsonObject.getJSONObject("details");
 504 |                             JSONArray evaluationFindings = evaluationDetails.getJSONArray("findings");
 505 |                             String gate_resulting_action = policyJsonObject.getString("final_action");
 506 |                             String gate_resulting_reason = policyJsonObject.getString("final_action_reason");
 507 |                             String gate_result_details = "";
 508 | 
 509 |                             if (evaluations.size() < 1) {
 510 |                               // try again until we get an eval
 511 |                               console
 512 |                                   .logDebug("anchore-enterprise get policy evaluation response contains no evaluations records. May snooze and retry");
 513 |                               sleep = true;
 514 |                             } else {
 515 |                               counter = counter + 1;
 516 | 
 517 |                               if (gate_resulting_action.equals("stop")) {
 518 |                                 if (gate_resulting_reason.equals("policy_evaluation")) {
 519 |                                   gate_result_details = "Policy evaluation failed";
 520 |                                 } else {
 521 |                                   // Catch all for other stop actions
 522 |                                   gate_result_details = "Failed due to " + gate_resulting_reason;
 523 |                                 }
 524 |                               }
 525 |   
 526 |                               // remove records where inherited_from_base is true
 527 |                               if (config.getExcludeFromBaseImage()) {
 528 |                                 for (Iterator<Object> it = evaluationFindings.iterator(); it.hasNext();) {
 529 |                                   JSONObject finding = (JSONObject) it.next();
 530 |                                   if (finding.getString("inherited_from_base").equals("true")) {
 531 |                                     it.remove();
 532 |                                   }
 533 |                                 }
 534 | 
 535 |                                 // Check for case where all findings are inherited from base image
 536 |                                 if ((evaluationFindings.size() == 0) && gate_resulting_action.equals("stop") && gate_resulting_reason.equals("policy_evaluation")) {
 537 |                                     console.logInfo("No findings to evaluate after excluding inherited_from_base. Failure is in base image.");
 538 |                                     gate_result_details = "Failure inherited from base image";
 539 |                                 }
 540 | 
 541 |                                 // convert back to a string of the whole response with the changes
 542 |                                 evaluationDetails.put("findings", evaluationFindings);
 543 |                                 policyJsonObject.put("details", evaluationDetails);
 544 |                                 evaluations.set(0, policyJsonObject);
 545 |                                 topDocument.put("evaluations", evaluations);
 546 |                                 responseBodyPolicyCheck = topDocument.toString();
 547 |                               }
 548 | 
 549 |                               writeResponseToFile(counter, jenkinsOutputDirFP, responseBodyPolicyCheck);
 550 | 
 551 |                               JSONObject gate_result = new JSONObject();
 552 | 
 553 |                               gate_result.put("image_digest", imageDigest);
 554 |                               if (!Strings.isNullOrEmpty(anchoreui)) {
 555 |                                 String encodedImageRegistry = URLEncoder.encode(imageRegistry, StandardCharsets.UTF_8.toString());
 556 |                                 String encodedImageRepo = URLEncoder.encode(imageRepo, StandardCharsets.UTF_8.toString());
 557 |                                 if (!Strings.isNullOrEmpty(account)) {
 558 |                                   gate_result.put("repo_tag", anchoreui.replaceAll("/+$", "")+"/"+account+"/artifacts/image/"+encodedImageRegistry+"/"+encodedImageRepo+"/"+imageTag+"/"+imageDigest+" "+topDocument.getString("evaluated_tag"));
 559 |                                 }
 560 |                                 else {
 561 |                                   gate_result.put("repo_tag", anchoreui.replaceAll("/+$", "")+"/artifacts/image/"+encodedImageRegistry+"/"+encodedImageRepo+"/"+imageTag+"/"+imageDigest+" "+topDocument.getString("evaluated_tag"));
 562 |                                 }
 563 |                               } else {
 564 |                                 gate_result.put("repo_tag", topDocument.getString("evaluated_tag"));
 565 |                               }
 566 |                               gate_result.put("final_action", gate_resulting_action);
 567 |                               gate_result.put("failure_details", gate_result_details);
 568 |                               gate_result.put("gate_results", evaluationFindings);
 569 | 
 570 |                               gate_results.add(gate_result);
 571 |                             
 572 |                               console.logDebug("anchore-enterprise get policy evaluation result: " + gate_resulting_action.toString());
 573 | 
 574 |                               // we actually got a real result
 575 |                               // this is the only way this gets flipped to true
 576 |                               anchore_eval_status = policyJsonObject.getString("status").equals("pass");
 577 |                               console.logDebug("anchore-enterprise get policy evaluation status: " + anchore_eval_status);
 578 | 
 579 |                               done = true;
 580 |                               console.logInfo("Completed analysis and processed policy evaluation result");
 581 |                             }
 582 |                           }
 583 |                         }
 584 |                       }
 585 |                     }
 586 |                   }
 587 |                 }
 588 |               } catch (Throwable e) {
 589 |                 throw e;
 590 |               }
 591 |             } catch (Throwable e) {
 592 |               throw e;
 593 |             }
 594 |           } while (!done && tryCount < maxCount);
 595 | 
 596 |           if (!done) {
 597 |             if (statusCode != 200) {
 598 |               console.logWarn(
 599 |                   "anchore-enterprise get policy evaluation failed. HTTP method: GET, URL: " + imageURL + ", status: " + statusCode
 600 |                       + ", error: " + serverMessage);
 601 |             }
 602 |             console.logWarn("Exhausted all attempts polling anchore-enterprise. Analysis is incomplete for " + imageDigest);
 603 |             throw new AbortException(
 604 |                 "Timed out waiting for anchore-enterprise analysis to complete (increasing engineRetries might help). Check above logs "
 605 |                     + "for errors from anchore-enterprise");
 606 |           } else {
 607 |             // only set to stop if an eval is successful and is reporting fail
 608 |             if (!anchore_eval_status) {
 609 |               finalAction = GATE_ACTION.FAIL;
 610 |             }
 611 |           }
 612 |         }
 613 | 
 614 |         try {
 615 |           console.logDebug("Writing policy evaluation result to " + jenkinsGatesOutputFP.getRemote());
 616 |           try (BufferedWriter bw = new BufferedWriter(new OutputStreamWriter(jenkinsGatesOutputFP.write(), StandardCharsets.UTF_8))) {
 617 |             bw.write(gate_results.toString());
 618 |           }
 619 |         } catch (IOException | InterruptedException e) {
 620 |           console.logWarn("Failed to write policy evaluation output to " + jenkinsGatesOutputFP.getRemote(), e);
 621 |           throw new AbortException("Failed to write policy evaluation output to " + jenkinsGatesOutputFP.getRemote());
 622 |         }
 623 | 
 624 |         generateGatesSummaryV2(gate_results);
 625 | 
 626 |         console.logInfo("Anchore Container Image Scanner Plugin step result - " + finalAction);
 627 |         return finalAction;
 628 |       } catch (AbortException e) { // probably caught one of the thrown exceptions, let it pass through
 629 |         throw e;
 630 |       } catch (Exception e) { // caught unknown exception, log it and wrap it
 631 |         console.logError("Failed to execute anchore-enterprise policy evaluation due to an unexpected error", e);
 632 |         throw new AbortException(
 633 |             "Failed to execute anchore-enterprise policy evaluation due to an unexpected error. Please refer to above logs for more "
 634 |                 + "information");
 635 |       }
 636 |     } else {
 637 |       console.logError(
 638 |           "Image(s) were not added to anchore-enterprise (or a prior attempt to add images may have failed). Re-submit image(s) to "
 639 |               + "anchore-enterprise before attempting policy evaluation");
 640 |       throw new AbortException("Submit image(s) to anchore-enterprise for analysis before attempting policy evaluation");
 641 |     }
 642 | 
 643 |   }
 644 | 
 645 |   private void runVulnerabilityListing() throws AbortException {
 646 |     if (analyzed) {
 647 |       String username = config.getEngineuser();
 648 |       String password = config.getEnginepass();
 649 |       String account = config.getEngineaccount();
 650 |       boolean sslverify = config.getEngineverify();
 651 | 
 652 |       FilePath jenkinsOutputDirFP = new FilePath(workspace, jenkinsOutputDirName);
 653 |       int counter = 0;
 654 | 
 655 |       CredentialsProvider credsProvider = new BasicCredentialsProvider();
 656 |       credsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(username, password));
 657 |       HttpClientContext context = HttpClientContext.create();
 658 |       context.setCredentialsProvider(credsProvider);
 659 | 
 660 |       try {
 661 |         JSONObject securityJson = new JSONObject();
 662 |         JSONArray columnsJson = new JSONArray();
 663 |         for (String column : Arrays.asList("Tag", "CVE ID", "Severity", "Vulnerability Package", "Fix Available", "Inherited From Base", "URL")) {
 664 |           JSONObject columnJson = new JSONObject();
 665 |           columnJson.put("title", column);
 666 |           columnsJson.add(columnJson);
 667 |         }
 668 |         JSONArray dataJson = new JSONArray();
 669 | 
 670 |         for (Map.Entry<String, String> entry : input_image_imageDigest.entrySet()) {
 671 |           String input = entry.getKey();
 672 |           String digest = entry.getValue();
 673 | 
 674 |           try (CloseableHttpClient httpclient = makeHttpClient(sslverify, account)) {
 675 |             String ancestorsURL = config.getEngineurl().replaceAll("/+$", "") + "/images/" + digest + "/ancestors";
 676 |             HttpGet httpgetAncestors = new HttpGet(ancestorsURL);
 677 |             httpgetAncestors.addHeader("Content-Type", "application/json");
 678 |             
 679 |             try (CloseableHttpResponse responseAncestors = httpclient.execute(httpgetAncestors, context)) {
 680 |               int statusCode = responseAncestors.getStatusLine().getStatusCode();
 681 |               if (statusCode != 200) {
 682 |                 String serverMessage = EntityUtils.toString(responseAncestors.getEntity());
 683 |                 console.logDebug(
 684 |                     "anchore-enterprise get ancestors failed. URL: " + ancestorsURL + ", status: " + responseAncestors.getStatusLine()
 685 |                         + ", error: " + serverMessage);
 686 |                 throw new AbortException("Failed to fetch vulnerability listing from anchore-enterprise");
 687 |               } else {
 688 |                 // Get the last ancestor to determine the base image
 689 |                 String responseBodyAncestors = EntityUtils.toString(responseAncestors.getEntity());
 690 | 
 691 |                 String vulnListURL = null;
 692 | 
 693 |                 JSONArray ancestors = (JSONArray) JSONSerializer.toJSON(responseBodyAncestors);
 694 |                 if (ancestors.size() < 1) {
 695 |                   console.logDebug("anchore-enterprise get ancestors response contains no records for image: " + ancestorsURL);
 696 |                   vulnListURL = config.getEngineurl().replaceAll("/+$", "") + "/images/" + digest + "/vuln/all";
 697 |                 } else {
 698 |                   String baseImageDigest = null;
 699 | 
 700 |                   // Get the chosen_base image from API
 701 |                   for (int i = 0; i < ancestors.size(); i++) {
 702 |                     JSONObject ancestor = ancestors.getJSONObject(i);
 703 |                     // If chosen_base_image key exists in the response, use it.
 704 |                     // This is required for compatibility with < Anchore Enterprise 5.7
 705 |                     if (ancestor.has("chosen_base_image")) {
 706 |                       if (ancestor.getBoolean("chosen_base_image")) {
 707 |                         console.logDebug("found base image from API");
 708 |                         baseImageDigest = ancestor.getString("image_digest");
 709 |                         break;
 710 |                       }
 711 |                     }
 712 |                   }
 713 | 
 714 |                   // Get the last ancestor to determine the base image if no chosen_base image from API
 715 |                   // This is required for compatibility with < Anchore Enterprise 5.7
 716 |                   if (baseImageDigest == null) {
 717 |                     JSONObject lastAncestor = ancestors.getJSONObject(ancestors.size() - 1);
 718 |                     baseImageDigest = lastAncestor.getString("image_digest");
 719 |                   }
 720 | 
 721 |                   vulnListURL = config.getEngineurl().replaceAll("/+$", "") + "/images/" + digest + "/vuln/all"
 722 |                           + "?base_digest=" + baseImageDigest;
 723 |                 }
 724 | 
 725 |                 console.logInfo("Querying vulnerability listing for " + input);
 726 |                 HttpGet httpget = new HttpGet(vulnListURL);
 727 |                 httpget.addHeader("Content-Type", "application/json");
 728 | 
 729 |                 console.logDebug("anchore-enterprise get vulnerability listing URL: " + vulnListURL);
 730 |                 try (CloseableHttpResponse response = httpclient.execute(httpget, context)) {
 731 |                   statusCode = response.getStatusLine().getStatusCode();
 732 |                   if (statusCode != 200) {
 733 |                     String serverMessage = EntityUtils.toString(response.getEntity());
 734 |                     console.logWarn(
 735 |                         "anchore-enterprise get vulnerability listing failed. URL: " + vulnListURL + ", status: " + response.getStatusLine()
 736 |                             + ", error: " + serverMessage);
 737 |                     throw new AbortException("Failed to fetch vulnerability listing from anchore-enterprise");
 738 |                   } else {
 739 |                     String responseBody = EntityUtils.toString(response.getEntity());
 740 |                     // Write api response to a file as it is
 741 |                     String jenkinsAEResponseFileName = AE_VULNS_PREFIX + (++counter) + JSON_FILE_EXTENSION;
 742 |                     FilePath jenkinsAEResponseFP = new FilePath(jenkinsOutputDirFP, jenkinsAEResponseFileName);
 743 |                     try {
 744 |                       console.logDebug("Writing anchore-enterprise vulnerabilities listing response to " + jenkinsAEResponseFP.getRemote());
 745 |                       try (BufferedWriter bw = new BufferedWriter(new OutputStreamWriter(jenkinsAEResponseFP.write(), StandardCharsets.UTF_8))) {
 746 |                         bw.write(responseBody);
 747 |                       }
 748 |                     } catch (IOException | InterruptedException e) {
 749 |                       console.logWarn("Failed to write anchore-enterprise vulnerabilities listing response to " + jenkinsAEResponseFP.getRemote(), e);
 750 |                       throw new AbortException("Failed to write anchore-enterprise vulnerabilities listing response to " + jenkinsAEResponseFP.getRemote());
 751 |                     }
 752 | 
 753 |                     JSONObject responseJson = JSONObject.fromObject(responseBody);
 754 |                     JSONArray vulList = responseJson.getJSONArray("vulnerabilities");
 755 |                     for (int i = 0; i < vulList.size(); i++) {
 756 |                       JSONObject vulnJson = vulList.getJSONObject(i);
 757 |                       JSONArray vulnArray = new JSONArray();
 758 |                       if (ancestors.size() < 1) {
 759 |                         vulnArray.addAll(Arrays
 760 |                             .asList(input, vulnJson.getString("vuln"), vulnJson.getString("severity"), vulnJson.getString("package"),
 761 |                                 vulnJson.getString("fix"), "false", vulnJson.getString("url")));
 762 |                       } else {
 763 |                         if (config.getExcludeFromBaseImage()) {
 764 |                           if (vulnJson.getString("inherited_from_base").equals("true")) {
 765 |                             continue;
 766 |                           } else {
 767 |                             vulnArray.addAll(Arrays
 768 |                                 .asList(input, vulnJson.getString("vuln"), vulnJson.getString("severity"), vulnJson.getString("package"),
 769 |                                     vulnJson.getString("fix"), vulnJson.getString("inherited_from_base"), vulnJson.getString("url")));
 770 |                           }
 771 |                           
 772 |                         } else {
 773 |                           vulnArray.addAll(Arrays
 774 |                               .asList(input, vulnJson.getString("vuln"), vulnJson.getString("severity"), vulnJson.getString("package"),
 775 |                                   vulnJson.getString("fix"), vulnJson.getString("inherited_from_base"), vulnJson.getString("url")));
 776 |                         }
 777 |                       }
 778 |                       dataJson.add(vulnArray);
 779 |                     }
 780 |                   }
 781 |                 } catch (Throwable t) {
 782 |                   throw t;
 783 |                 }
 784 |               }
 785 |             } catch (Throwable t) {
 786 |               throw t;
 787 |             }
 788 |           } catch (Throwable t) {
 789 |             throw t;
 790 |           }
 791 |         }
 792 |         securityJson.put("columns", columnsJson);
 793 |         securityJson.put("data", dataJson);
 794 | 
 795 |         cveListingFileName = CVE_LISTING_PREFIX + JSON_FILE_EXTENSION;
 796 |         FilePath jenkinsQueryOutputFP = new FilePath(jenkinsOutputDirFP, cveListingFileName);
 797 |         try {
 798 |           console.logDebug("Writing vulnerability listing result to " + jenkinsQueryOutputFP.getRemote());
 799 |           try (BufferedWriter bw = new BufferedWriter(new OutputStreamWriter(jenkinsQueryOutputFP.write(), StandardCharsets.UTF_8))) {
 800 |             bw.write(securityJson.toString());
 801 |           }
 802 |         } catch (IOException | InterruptedException e) {
 803 |           console.logWarn("Failed to write vulnerability listing to " + jenkinsQueryOutputFP.getRemote(), e);
 804 |           throw new AbortException("Failed to write vulnerability listing to " + jenkinsQueryOutputFP.getRemote());
 805 |         }
 806 |       } catch (AbortException e) { // probably caught one of the thrown exceptions, let it pass through
 807 |         throw e;
 808 |       } catch (Exception e) { // caught unknown exception, log it and wrap it
 809 |         console.logError("Failed to fetch vulnerability listing from anchore-enterprise due to an unexpected error", e);
 810 |         throw new AbortException(
 811 |             "Failed to fetch vulnerability listing from anchore-enterprise due to an unexpected error. Please refer to above logs for "
 812 |                 + "more information");
 813 |       }
 814 |     } else {
 815 |       console.logError(
 816 |           "Image(s) were not added to anchore-enterprise (or a prior attempt to add images may have failed). Re-submit image(s) to "
 817 |               + "anchore-enterprise before attempting vulnerability listing");
 818 |       throw new AbortException("Submit image(s) to anchore-enterprise for analysis before attempting vulnerability listing");
 819 |     }
 820 |   }
 821 | 
 822 |   private void generateGatesSummaryV2(JSONArray gatesJson) {
 823 |     console.logDebug("Summarizing policy evaluation results");
 824 | 
 825 |     if (gatesJson != null) {
 826 |       JSONArray summaryRows = new JSONArray();
 827 | 
 828 |       for (Object gateResult : gatesJson) {
 829 |         JSONArray evaluationFindingContent = JSONObject.fromObject(gateResult).getJSONArray("gate_results");
 830 |         String repoTag = JSONObject.fromObject(gateResult).getString("repo_tag");
 831 |         String imageDigest = JSONObject.fromObject(gateResult).getString("image_digest");
 832 |         String final_action = JSONObject.fromObject(gateResult).getString("final_action");
 833 |         String failure_details = JSONObject.fromObject(gateResult).getString("failure_details");
 834 |         int stop = 0, warn = 0, go = 0, stop_wl = 0, warn_wl = 0, go_wl = 0;
 835 | 
 836 |         for (Object finding : evaluationFindingContent) {
 837 |           if (null != finding) {
 838 | 
 839 |             JSONObject currentFinding = JSONObject.fromObject(finding);
 840 |             
 841 |             Boolean isAllowlisted = currentFinding.getBoolean("allowlisted");
 842 | 
 843 |             switch (currentFinding.getString("action").toLowerCase()) {
 844 |               case "stop":
 845 |                 stop++;
 846 |                 stop_wl = isAllowlisted ? ++stop_wl : stop_wl;
 847 |                 break;
 848 |               case "warn":
 849 |                 warn++;
 850 |                 warn_wl = isAllowlisted ? ++warn_wl : warn_wl;
 851 |                 break;
 852 |               case "go":
 853 |                 go++;
 854 |                 go_wl = isAllowlisted ? ++go_wl : go_wl;
 855 |                 break;
 856 |               default:
 857 |                 break;
 858 |             }
 859 |           }
 860 |         }
 861 | 
 862 |         totalStopActionCount += (stop - stop_wl);
 863 |         totalWarnActionCount += (warn - warn_wl);
 864 |         totalGoActionCount += (go - go_wl);
 865 |         
 866 |         if (!Strings.isNullOrEmpty(repoTag)) {
 867 |           console.logInfo("Policy evaluation summary for " + repoTag + " - stop: " + (stop - stop_wl) + " (+" + stop_wl
 868 |               + " allowlisted), warn: " + (warn - warn_wl) + " (+" + warn_wl + " allowlisted), go: " + (go - go_wl) + " (+"
 869 |               + go_wl + " allowlisted), final: " + final_action);
 870 | 
 871 |           JSONObject summaryRow = new JSONObject();
 872 |           summaryRow.put(GATE_SUMMARY_COLUMN.Repo_Tag.toString(), repoTag);
 873 |           summaryRow.put(GATE_SUMMARY_COLUMN.Stop_Actions.toString(), (stop - stop_wl));
 874 |           summaryRow.put(GATE_SUMMARY_COLUMN.Warn_Actions.toString(), (warn - warn_wl));
 875 |           summaryRow.put(GATE_SUMMARY_COLUMN.Go_Actions.toString(), (go - go_wl));
 876 |           summaryRow.put(GATE_SUMMARY_COLUMN.Final_Action.toString(), final_action);
 877 |           summaryRow.put(GATE_SUMMARY_COLUMN.Stop_Action_Details.toString(), failure_details);
 878 |           summaryRows.add(summaryRow);
 879 |         } else {
 880 |           console.logInfo("Policy evaluation summary for " + imageDigest + " - stop: " + (stop - stop_wl) + " (+" + stop_wl
 881 |               + " allowlisted), warn: " + (warn - warn_wl) + " (+" + warn_wl + " allowlisted), go: " + (go - go_wl) + " (+"
 882 |               + go_wl + " allowlisted), final: " + final_action);
 883 |           JSONObject summaryRow = new JSONObject();
 884 |           summaryRow.put(GATE_SUMMARY_COLUMN.Repo_Tag.toString(), repoTag.toString());
 885 |           summaryRow.put(GATE_SUMMARY_COLUMN.Stop_Actions.toString(), (stop - stop_wl));
 886 |           summaryRow.put(GATE_SUMMARY_COLUMN.Warn_Actions.toString(), (warn - warn_wl));
 887 |           summaryRow.put(GATE_SUMMARY_COLUMN.Go_Actions.toString(), (go - go_wl));
 888 |           summaryRow.put(GATE_SUMMARY_COLUMN.Final_Action.toString(), final_action);
 889 |           summaryRow.put(GATE_SUMMARY_COLUMN.Stop_Action_Details.toString(), failure_details);
 890 |           summaryRows.add(summaryRow);
 891 | 
 892 |           //console.logWarn("Repo_Tag element not found in gate output, skipping summary computation for " + imageKey);
 893 |           console.logWarn("Repo_Tag element not found in gate output, using imageDigest: " + imageDigest);
 894 |         }
 895 |       }
 896 |       gateSummary = new JSONObject();
 897 |       gateSummary.put("header", generateDataTablesColumnsForGateSummary());
 898 |       gateSummary.put("rows", summaryRows);
 899 |     } else { // could not load gates output to json object
 900 |       console.logWarn("Invalid input to generate gates summary");
 901 |     }
 902 |   }
 903 | 
 904 |   public void runQueries() throws AbortException {
 905 |     runVulnerabilityListing();
 906 |   }
 907 | 
 908 |   public void setupBuildReports() throws AbortException {
 909 |     try {
 910 |       // store anchore output json files using jenkins archiver (for remote storage as well)
 911 |       console.logDebug("Archiving results");
 912 |       //      FilePath buildWorkspaceFP = build.getWorkspace();
 913 |       //      if (null != buildWorkspaceFP) {
 914 |       ArtifactArchiver artifactArchiver = new ArtifactArchiver(jenkinsOutputDirName + "/");
 915 |       artifactArchiver.perform(build, workspace, launcher, listener);
 916 |       //      } else {
 917 |       //        console.logError("Unable to archive results due to an invalid reference to Jenkins build workspace");
 918 |       //        throw new AbortException("Unable to archive results due to an invalid reference to Jenkins build workspace");
 919 |       //      }
 920 | 
 921 |       // add the link in jenkins UI for anchore results
 922 |       console.logDebug("Setting up build results");
 923 | 
 924 |       
 925 |       if (finalAction != null) {
 926 |         build.addAction(new AnchoreAction(build, finalAction.toString(), jenkinsOutputDirName, gateOutputFileName, queryOutputMap,
 927 |             gateSummary.toString(), cveListingFileName, totalStopActionCount, totalWarnActionCount, totalGoActionCount));
 928 |       } else {
 929 |         build.addAction(new AnchoreAction(build, "", jenkinsOutputDirName, gateOutputFileName, queryOutputMap, gateSummary.toString(),
 930 |             cveListingFileName, totalStopActionCount, totalWarnActionCount, totalGoActionCount));
 931 |       }
 932 |       //    } catch (AbortException e) { // probably caught one of the thrown exceptions, let it pass through
 933 |       //      throw e;
 934 |     } catch (Exception e) { // caught unknown exception, log it and wrap it
 935 |       console.logError("Failed to setup build results due to an unexpected error", e);
 936 |       throw new AbortException(
 937 |           "Failed to setup build results due to an unexpected error. Please refer to above logs for more information");
 938 |     }
 939 |   }
 940 | 
 941 |   public void cleanup() {
 942 |     try {
 943 |       console.logDebug("Cleaning up build artifacts");
 944 |       int rc;
 945 | 
 946 |       // Clear Jenkins workspace
 947 |       if (!Strings.isNullOrEmpty(jenkinsOutputDirName)) {
 948 |         try {
 949 |           console.logDebug("Deleting Jenkins workspace " + jenkinsOutputDirName);
 950 |           cleanJenkinsWorkspaceQuietly();
 951 |           // FilePath jenkinsOutputDirFP = new FilePath(build.getWorkspace(), jenkinsOutputDirName);
 952 |           // jenkinsOutputDirFP.deleteRecursive();
 953 |         } catch (IOException | InterruptedException e) {
 954 |           console.logDebug("Unable to delete Jenkins workspace " + jenkinsOutputDirName, e);
 955 |         }
 956 |       }
 957 |     } catch (RuntimeException e) { // caught unknown exception, log it
 958 |       console.logDebug("Failed to clean up build artifacts due to an unexpected error", e);
 959 |     }
 960 |   }
 961 | 
 962 |   /**
 963 |    * Print versions info and configuration
 964 |    */
 965 |   private void printConfig() {
 966 |     console.logInfo("Jenkins version: " + Jenkins.VERSION);
 967 |     List<PluginWrapper> plugins;
 968 |     if (Jenkins.getActiveInstance() != null && Jenkins.getActiveInstance().getPluginManager() != null
 969 |         && (plugins = Jenkins.getActiveInstance().getPluginManager().getPlugins()) != null) {
 970 |       for (PluginWrapper plugin : plugins) {
 971 |         if (plugin.getShortName()
 972 |             .equals("anchore-container-scanner")) { // artifact ID of the plugin, TODO is there a better way to get this
 973 |           console.logInfo(plugin.getDisplayName() + " version: " + plugin.getVersion());
 974 |           break;
 975 |         }
 976 |       }
 977 |     }
 978 |     config.print(console);
 979 |   }
 980 | 
 981 |   /**
 982 |    * Checks for minimum required config for executing step
 983 |    */
 984 |   private void checkConfig() throws AbortException {
 985 |     if (Strings.isNullOrEmpty(config.getName())) {
 986 |       console.logError("Image list file not found");
 987 |       throw new AbortException(
 988 |           "Image list file not specified. Please provide a valid image list file name in the Anchore Container Image Scanner step "
 989 |               + "and try again");
 990 |     }
 991 | 
 992 |     try {
 993 |       if (!new FilePath(workspace, config.getName()).exists()) {
 994 |         console.logError("Cannot find image list file \"" + config.getName() + "\" under " + workspace);
 995 |         throw new AbortException("Cannot find image list file \'" + config.getName()
 996 |             + "\'. Please ensure that image list file is created prior to Anchore Container Image Scanner step");
 997 |       }
 998 |     } catch (AbortException e) {
 999 |       throw e;
1000 |     } catch (Exception e) {
1001 |       console.logWarn("Unable to access image list file \"" + config.getName() + "\" under " + workspace, e);
1002 |       throw new AbortException("Unable to access image list file " + config.getName()
1003 |           + ". Please ensure that image list file is created prior to Anchore Container Image Scanner step");
1004 |     }
1005 |   }
1006 | 
1007 |   private void initializeJenkinsWorkspace() throws AbortException {
1008 |     try {
1009 |       console.logDebug("Initializing Jenkins workspace");
1010 | 
1011 |       if (Strings.isNullOrEmpty(buildId = build.getParent().getDisplayName() + "_" + build.getNumber())) {
1012 |         console.logWarn("Unable to generate a unique identifier for this build due to invalid configuration");
1013 |         throw new AbortException("Unable to generate a unique identifier for this build due to invalid configuration");
1014 |       }
1015 | 
1016 |       // ArtifactArchiver.perform() cannot parse file paths with commas, which buildId will have in some cases, for
1017 |       // example if this is a matrix job. So replace any commas in it with underscores to separate the matrix values.
1018 |       jenkinsOutputDirName = JENKINS_DIR_NAME;
1019 |       FilePath jenkinsReportDir = new FilePath(workspace, jenkinsOutputDirName);
1020 | 
1021 |       // Create output directories
1022 |       if (!jenkinsReportDir.exists()) {
1023 |         console.logDebug("Creating workspace directory " + jenkinsOutputDirName);
1024 |         jenkinsReportDir.mkdirs();
1025 |       }
1026 | 
1027 |       queryOutputMap = new LinkedHashMap<>(); // maintain the ordering of queries
1028 |       gateOutputFileName = GATES_OUTPUT_PREFIX + JSON_FILE_EXTENSION;
1029 | 
1030 |     } catch (AbortException e) { // probably caught one of the thrown exceptions, let it pass through
1031 |       throw e;
1032 |     } catch (Exception e) { // caught unknown exception, log it and wrap it
1033 |       console.logWarn("Failed to initialize Jenkins workspace", e);
1034 |       throw new AbortException("Failed to initialize Jenkins workspace due to to an unexpected error");
1035 |     }
1036 |   }
1037 | 
1038 |   private void initializeAnchoreWorkspace() throws AbortException {
1039 |     initializeAnchoreWorkspaceEngine();
1040 |   }
1041 | 
1042 |   private void initializeAnchoreWorkspaceEngine() throws AbortException {
1043 |     try {
1044 |       console.logDebug("Initializing Anchore workspace (enginemode)");
1045 | 
1046 |       // get the input and store it in tag/dockerfile map
1047 |       FilePath inputImageFP = new FilePath(workspace, config.getName()); // Already checked in checkConfig()
1048 |       try (BufferedReader br = new BufferedReader(new InputStreamReader(inputImageFP.read(), StandardCharsets.UTF_8))) {
1049 |         String line;
1050 |         int count = 0;
1051 |         while ((line = br.readLine()) != null) {
1052 |           String imgId = null;
1053 |           String jenkinsDFile = null;
1054 |           String dfilecontents = null;
1055 |           Iterable<String> iterable = Util.IMAGE_LIST_SPLITTER.split(line);
1056 |           Iterator<String> partIterator;
1057 | 
1058 |           if (null != iterable && null != (partIterator = iterable.iterator()) && partIterator.hasNext()) {
1059 |             imgId = partIterator.next();
1060 | 
1061 |             if (partIterator.hasNext()) {
1062 |               jenkinsDFile = partIterator.next();
1063 | 
1064 |               StringBuilder b = new StringBuilder();
1065 |               FilePath myfp = new FilePath(workspace, jenkinsDFile);
1066 |               try (BufferedReader mybr = new BufferedReader(new InputStreamReader(myfp.read(), StandardCharsets.UTF_8))) {
1067 |                 String myline;
1068 |                 while ((myline = mybr.readLine()) != null) {
1069 |                   b.append(myline + '\n');
1070 |                 }
1071 |               }
1072 |               console.logDebug("Dockerfile contents: " + b.toString());
1073 |               byte[] encodedBytes = Base64.encodeBase64(b.toString().getBytes(StandardCharsets.UTF_8));
1074 |               dfilecontents = new String(encodedBytes, StandardCharsets.UTF_8);
1075 | 
1076 |             }
1077 |           }
1078 |           if (null != imgId) {
1079 |             console.logDebug("Image tag/digest: " + imgId);
1080 |             console.logDebug("Base64 encoded Dockerfile contents: " + dfilecontents);
1081 |             input_image_dfile.put(imgId, dfilecontents);
1082 |           }
1083 |         }
1084 |       }
1085 |     } catch (AbortException e) { // probably caught one of the thrown exceptions, let it pass through
1086 |       throw e;
1087 |     } catch (Exception e) { // caught unknown exception, console.log it and wrap it
1088 |       console.logError("Failed to initialize Anchore workspace due to an unexpected error", e);
1089 |       throw new AbortException(
1090 |           "Failed to initialize Anchore workspace due to an unexpected error. Please refer to above logs for more information");
1091 |     }
1092 |   }
1093 | 
1094 |   private JSONArray generateDataTablesColumnsForGateSummary() {
1095 |     JSONArray headers = new JSONArray();
1096 |     for (GATE_SUMMARY_COLUMN column : GATE_SUMMARY_COLUMN.values()) {
1097 |       JSONObject header = new JSONObject();
1098 |       header.put("data", column.toString());
1099 |       header.put("title", column.toString().replaceAll("_", " "));
1100 |       headers.add(header);
1101 |     }
1102 |     return headers;
1103 |   }
1104 | 
1105 |   private void cleanJenkinsWorkspaceQuietly() throws IOException, InterruptedException {
1106 |     FilePath jenkinsOutputDirFP = new FilePath(workspace, jenkinsOutputDirName);
1107 |     jenkinsOutputDirFP.deleteRecursive();
1108 |   }
1109 | }
1110 | 


--------------------------------------------------------------------------------