From 46b2e6df5bd33ab0dd66817e7523ea43354cfac0 Mon Sep 17 00:00:00 2001
From: Denis Ungureanu
Date: Thu, 19 Mar 2020 18:26:55 +0200
Subject: [PATCH] ATS-468 : Add Veracode (SAST & SCA) scans to Transform Service Travis builds (#188)

- add SCA & SAST
- use wildcards to reference jars' locations
- a single static scan will be triggered
- use sandbox based on git branch
- use maven plugin for source clear scans
- filter logs
---
 .travis.yml | 15 +++++++++++++++
 _ci/sourceclear.sh | 22 ++++++++++++++++++++++
 _ci/static_analysis.sh | 25 +++++++++++++++++++++++++
 _ci/static_analysis_init.sh | 13 +++++++++++++
 4 files changed, 75 insertions(+)
 create mode 100644 _ci/sourceclear.sh
 create mode 100644 _ci/static_analysis.sh
 create mode 100644 _ci/static_analysis_init.sh

diff --git a/.travis.yml b/.travis.yml
index 86f29f4e..abe4fb2e 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -43,6 +43,21 @@ jobs:
 before_install: bash _ci/init.sh
 script: bash _ci/whitesource.sh
+ - name: "Source Clear Scan (SCA)"
+ stage: build
+ if: branch NOT IN (company_release)
+ before_install: bash _ci/init.sh
+ install: skip
+ script: travis_wait 30 bash _ci/sourceclear.sh
+ - name: "Static Analysis (SAST)"
+ stage: build
+ if: branch NOT IN (company_release) AND type != pull_request
+ before_install:
+ - bash _ci/static_analysis_init.sh
+ - bash _ci/init.sh
+ script: bash _ci/static_analysis.sh
+
 - name: "Release"
 stage: release
 if: commit_message ~= /\[trigger release\]/ AND branch ~= /^(master|SP\/.+|HF\/.+)$/
diff --git a/_ci/sourceclear.sh b/_ci/sourceclear.sh
new file mode 100644
index 00000000..5ad4a376
--- /dev/null
+++ b/_ci/sourceclear.sh
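Review bot: The "Source Clear Scan (SCA)" job's condition `if: branch NOT IN (company_release)` has no `type != pull_request` clause, unlike the "Static Analysis (SAST)" job directly below it, so it is also scheduled for pull-request builds. Travis does not expose encrypted variables to builds of pull requests coming from forks, so `_ci/sourceclear.sh` would then run without `SRCCLR_API_TOKEN` and fail on authentication rather than being skipped. If scanning pull requests is not intended, mirror the SAST condition: `if: branch NOT IN (company_release) AND type != pull_request`. If it is intended, a short comment above the job stating that fork pull requests are expected to be unauthenticated would spare the next reader the same question.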
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+echo "=========================== Starting SourceClear Script ==========================="
+PS4="\[\e[35m\]+ \[\e[m\]"
+set +e -v -x
+pushd "$(dirname "${BASH_SOURCE[0]}")/../"
+
+mvn -B -q clean install \
+ -DskipTests \
+ -Dmaven.javadoc.skip=true \
+ com.srcclr:srcclr-maven-plugin:scan \
+ -Dcom.srcclr.apiToken=$SRCCLR_API_TOKEN > scan.log
+
+SUCCESS=$? # this will read exit code of the previous command
+
+cat scan.log | grep -e 'Full Report Details' -e 'Failed'
+
+popd
+set +vex
+echo "=========================== Finishing SourceClear Script =========================="
+
+exit ${SUCCESS}
\ No newline at end of file
diff --git a/_ci/static_analysis.sh b/_ci/static_analysis.sh
new file mode 100644
index 00000000..aaedddb2
--- /dev/null
+++ b/_ci/static_analysis.sh
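Review bot: The API token is passed on the command line as `-Dcom.srcclr.apiToken=$SRCCLR_API_TOKEN` while `set -v -x` is active, so xtrace echoes the expanded token into the job log and it is also visible in the process list for the lifetime of the Maven run; Travis's secure-variable masking only helps as long as the value is printed verbatim. Disable tracing around the invocation (`set +x` before `mvn`, `set -x` after) or hand the token over through the environment if the plugin supports that, and quote the expansion as `"$SRCCLR_API_TOKEN"` in either case. Separately, `cat scan.log | grep -e 'Full Report Details' -e 'Failed'` surfaces only matching lines, so a build that fails for any other reason leaves no diagnostics in the log; printing the tail of `scan.log` when `SUCCESS` is non-zero, e.g. `[ "$SUCCESS" -eq 0 ] || tail -n 50 scan.log`, keeps the failure debuggable without undoing the intended log filtering.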
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+echo "=========================== Starting Static Analysis Script ==========================="
+PS4="\[\e[35m\]+ \[\e[m\]"
+set -vex
+pushd "$(dirname "${BASH_SOURCE[0]}")/../"
+
+# Run in a sandbox for every branch, run normally on master
+[ "${TRAVIS_BRANCH}" != "master" ] && RUN_IN_SANDBOX="-sandboxname Transformers" || RUN_IN_SANDBOX=""
+
+java -jar vosp-api-wrappers-java-$VERACODE_WRAPPER_VERSION.jar -vid $VERACODE_API_ID \
+ -vkey $VERACODE_API_KEY -action uploadandscan -appname "Transform Service" \
+ ${RUN_IN_SANDBOX} -createprofile false \
+ -filepath \
+ alfresco-transformer-base/target/alfresco-transformer-base-*.jar \
+ alfresco-docker-alfresco-pdf-renderer/target/alfresco-docker-alfresco-pdf-renderer-*.jar \
+ alfresco-docker-imagemagick/target/alfresco-docker-imagemagick-*.jar \
+ alfresco-docker-libreoffice/target/alfresco-docker-libreoffice-*.jar \
+ alfresco-docker-tika/target/alfresco-docker-tika-*.jar \
+ alfresco-docker-transform-misc/target/alfresco-docker-transform-misc-*.jar \
+ -version "$TRAVIS_JOB_ID - $TRAVIS_JOB_NUMBER" -scantimeout 3600
+
+popd
+set +vex
+echo "=========================== Finishing Static Analysis Script =========================="
\ No newline at end of file
diff --git a/_ci/static_analysis_init.sh b/_ci/static_analysis_init.sh
new file mode 100644
index 00000000..6f649ca2
--- /dev/null
+++ b/_ci/static_analysis_init.sh
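Review bot: `-vid $VERACODE_API_ID -vkey $VERACODE_API_KEY` places both halves of the Veracode credential on the `java` command line while `set -vex` is in force, so xtrace writes the expanded key into the Travis log and it is exposed in the process list for the whole upload. Wrap the call in `set +x` / `set -x`, and prefer the wrapper's credential-file or environment-variable authentication if the version pinned by `VERACODE_WRAPPER_VERSION` supports it, so the secret never appears in argv; quote the expansions as well. The unquoted `${RUN_IN_SANDBOX}` relies on word splitting to turn `-sandboxname Transformers` into two arguments; a bash array (`RUN_IN_SANDBOX=(-sandboxname Transformers)` and `"${RUN_IN_SANDBOX[@]}"`) states that intent without depending on `IFS`. Since every non-master branch lands in the same sandbox, a comment on the `RUN_IN_SANDBOX` line noting that concurrent branch builds share it would document the trade-off.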
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+echo "=========================== Starting Static Analysis Init Script ==========================="
+PS4="\[\e[35m\]+ \[\e[m\]"
+set -vex
+pushd "$(dirname "${BASH_SOURCE[0]}")/../"
+
+wget https://repo1.maven.org/maven2/com/veracode/vosp/api/wrappers/vosp-api-wrappers-java/$VERACODE_WRAPPER_VERSION/vosp-api-wrappers-java-$VERACODE_WRAPPER_VERSION.jar
+sha1sum -c <<< "$VERACODE_WRAPPER_SHA1 vosp-api-wrappers-java-$VERACODE_WRAPPER_VERSION.jar"
+
+popd
+set +vex
+echo "=========================== Finishing Static Analysis Init Script =========================="
\ No newline at end of file
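Review bot: `wget` is called without `-O`, so in a reused or cached workspace where `vosp-api-wrappers-java-$VERACODE_WRAPPER_VERSION.jar` already exists in the repository root wget writes a `.jar.1` file and the following `sha1sum -c` verifies the stale jar rather than the one just downloaded. Pin the output name, `wget -O "vosp-api-wrappers-java-$VERACODE_WRAPPER_VERSION.jar" "https://repo1.maven.org/maven2/com/veracode/vosp/api/wrappers/vosp-api-wrappers-java/$VERACODE_WRAPPER_VERSION/vosp-api-wrappers-java-$VERACODE_WRAPPER_VERSION.jar"`, and quote both expansions. Asserting the inputs first with `: "${VERACODE_WRAPPER_VERSION:?}" "${VERACODE_WRAPPER_SHA1:?}"` turns an unset variable into a clear error instead of a 404 or a malformed checksum line. The pinned-hash check is the right control for a downloaded executable; a one-line comment above it saying where the expected SHA-1 comes from and that it must be updated together with the version would document why it is there.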