ACS-2352: Added Veracode agent-based scanning integration.

.travis.yml

@@ -26,6 +26,8 @@ branches:
     - /^ACS-.*$/
 
 stages:
+  - name: Veracode Scan
+    if: branch = master
   - build and test
   - release
   - company_release
@@ -34,6 +36,11 @@ before_install: bash _ci/init.sh
 
 jobs:
   include:
+    - stage: Veracode Scan
+      name: "Veracode - Source Clear Scan (SCA)"
+      install: skip
+      script: travis_wait 30 bash _ci/source_clear.sh
+
     - stage: Build and Test
       name: "Core & Base Snapshot deployment" # This is to separate the snapshot deployment from the following jobs, to prevent duplication on nexus
       if: branch = master AND type != pull_request

_ci/source_clear.sh

@@ -9,10 +9,14 @@ mvn -B -q clean install \
     -DskipTests \
     -Dmaven.javadoc.skip=true \
     com.srcclr:srcclr-maven-plugin:scan \
-    -Dcom.srcclr.apiToken=$SRCCLR_API_TOKEN > scan.log
+    -Dcom.srcclr.apiToken=${SRCCLR_API_TOKEN} > scan.log
 
 SUCCESS=$?   # this will read exit code of the previous command
 
+if [ -z "$VERACODE_FAILS_BUILD" ] || [ "$VERACODE_FAILS_BUILD" = false ] ; then
+    SUCCESS=0
+fi
+
 cat scan.log | grep -e 'Full Report Details' -e 'Failed'
 
 popd

srcclr.yml

@@ -0,0 +1,3 @@
+# To avoid the provided dependencies we set the scope to runtime. See: https://docs.veracode.com/r/c_sc_scan_directives
+# runtime: to restrict the scan to compile and runtime dependencies.
+scope: runtime