ATS-468 : Add Veracode (SAST & SCA) scans to Transform Service Travis builds (#188)

- add SCA & SAST
   - use wildcards to reference jars' locations - a single static scan will be triggered
   - use sandbox based on git branch
   - use maven plugin for source clear scans
   - filter logs

.travis.yml

@@ -43,6 +43,21 @@ jobs:
       before_install: bash _ci/init.sh
       script: bash _ci/whitesource.sh
 
+    - name: "Source Clear Scan (SCA)"
+      stage: build
+      if: branch NOT IN (company_release)
+      before_install: bash _ci/init.sh
+      install: skip
+      script: travis_wait 30 bash _ci/sourceclear.sh
+
+    - name: "Static Analysis (SAST)"
+      stage: build
+      if: branch NOT IN (company_release) AND type != pull_request
+      before_install:
+      - bash _ci/static_analysis_init.sh
+      - bash _ci/init.sh
+      script: bash _ci/static_analysis.sh
+
     - name: "Release"
       stage: release
       if: commit_message ~= /\[trigger release\]/ AND branch ~= /^(master|SP\/.+|HF\/.+)$/

_ci/sourceclear.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+echo "=========================== Starting SourceClear Script ==========================="
+PS4="\[\e[35m\]+ \[\e[m\]"
+set +e -v -x
+pushd "$(dirname "${BASH_SOURCE[0]}")/../"
+
+mvn -B -q clean install \
+    -DskipTests \
+    -Dmaven.javadoc.skip=true \
+    com.srcclr:srcclr-maven-plugin:scan \
+    -Dcom.srcclr.apiToken=$SRCCLR_API_TOKEN > scan.log
+
+SUCCESS=$?   # this will read exit code of the previous command
+
+cat scan.log | grep -e 'Full Report Details' -e 'Failed'
+
+popd
+set +vex
+echo "=========================== Finishing SourceClear Script =========================="
+
+exit ${SUCCESS}

_ci/static_analysis.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+echo "=========================== Starting Static Analysis Script ==========================="
+PS4="\[\e[35m\]+ \[\e[m\]"
+set -vex
+pushd "$(dirname "${BASH_SOURCE[0]}")/../"
+
+# Run in a sandbox for every branch, run normally on master
+[ "${TRAVIS_BRANCH}" != "master" ] && RUN_IN_SANDBOX="-sandboxname Transformers" || RUN_IN_SANDBOX=""
+
+java -jar vosp-api-wrappers-java-$VERACODE_WRAPPER_VERSION.jar -vid $VERACODE_API_ID \
+     -vkey $VERACODE_API_KEY -action uploadandscan -appname "Transform Service" \
+     ${RUN_IN_SANDBOX} -createprofile false \
+     -filepath \
+     alfresco-transformer-base/target/alfresco-transformer-base-*.jar \
+     alfresco-docker-alfresco-pdf-renderer/target/alfresco-docker-alfresco-pdf-renderer-*.jar \
+     alfresco-docker-imagemagick/target/alfresco-docker-imagemagick-*.jar \
+     alfresco-docker-libreoffice/target/alfresco-docker-libreoffice-*.jar \
+     alfresco-docker-tika/target/alfresco-docker-tika-*.jar \
+     alfresco-docker-transform-misc/target/alfresco-docker-transform-misc-*.jar \
+     -version "$TRAVIS_JOB_ID - $TRAVIS_JOB_NUMBER" -scantimeout 3600
+
+popd
+set +vex
+echo "=========================== Finishing Static Analysis Script =========================="

_ci/static_analysis_init.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+echo "=========================== Starting Static Analysis Init Script ==========================="
+PS4="\[\e[35m\]+ \[\e[m\]"
+set -vex
+pushd "$(dirname "${BASH_SOURCE[0]}")/../"
+
+wget https://repo1.maven.org/maven2/com/veracode/vosp/api/wrappers/vosp-api-wrappers-java/$VERACODE_WRAPPER_VERSION/vosp-api-wrappers-java-$VERACODE_WRAPPER_VERSION.jar
+sha1sum -c <<< "$VERACODE_WRAPPER_SHA1 vosp-api-wrappers-java-$VERACODE_WRAPPER_VERSION.jar"
+
+popd
+set +vex
+echo "=========================== Finishing Static Analysis Init Script =========================="