Commit b17174b4 authored by Paal Kvamme

Build rules for CSQP - Veracode

Scanning in Veracode takes a significant amount of time, so it is not carried out for all builds due to limited resources.

1. All Python code is scanned.
2. All sources needed for the Windows build (scanning takes less time).
3. The results are not imported because the validation takes over an hour (time limit for job execution).
4. Since the check takes a lot of time, and restarting at a time when the previous scan has not finished will result in an error, I scheduled it for once a week.
5. Vulnerabilities found in the code will not affect the "success" of the job (failBuildOnPolicyFail parameter).
parent ec66dea0
name: 'OpenZGY-Veracode'
schedules:
- cron: "0 0 * * Fri"
displayName: Weekly midnight check
batch: true
branches:
include:
- master
steps:
- checkout: git://Colors/openzgy
- script: |
ls '$(Build.SourcesDirectory)'
displayName: 'list sources'
- bash: 'zip -rv OpenZGY.zip . -x "external/" ".git/"'
displayName: 'Zip Sources'
- task: DownloadPipelineArtifact@2
inputs:
source: specific
project: 'Colors'
pipeline: 'OpenZGY Windows' # 10319
preferTriggeringPipeline: false
runVersion: 'latestFromBranch'
runBranch: 'refs/heads/master'
path: '$(Build.SourcesDirectory)/bin'
displayName: 'Taking the latest Windows build'
- task: ArchiveFiles@2
inputs:
rootFolderOrFile: '$(Build.SourcesDirectory)/bin/OpenZGY-Windows/openzgy/build/deploy/native/x64/Debug/'
includeRootFolder: false
archiveType: 'zip'
archiveFile: '$(Build.SourcesDirectory)/OpenZGY-bin.zip'
replaceExistingArchive: true
verbose: true
displayName: 'Zip binaries'
- script: |
tree '$(Build.SourcesDirectory)'
displayName: 'List Downloaded Artifacts'
- task: Veracode@3
displayName: 'Veracode upload and scan python'
inputs:
AnalysisService: 'Veracode'
veracodeAppProfile: 'DELFI Seismic Interpretation'
version: 'openZGY#$(build.buildNumber)-commit#$(Build.SourceVersion)'
filepath: '$(Build.SourcesDirectory)/OpenZGY.zip'
sandboxName: 'OpenZGY-Python'
createSandBox: false
failTheBuildIfVeracodeScanDidNotInitiate: true
failBuildOnPolicyFail: false
importResults: false
- task: Veracode@3
displayName: 'Veracode upload and scan binaries'
inputs:
AnalysisService: 'Veracode'
veracodeAppProfile: 'DELFI Seismic Interpretation'
version: 'openZGY#$(build.buildNumber)-commit#$(Build.SourceVersion)'
filepath: '$(Build.SourcesDirectory)/OpenZGY-bin.zip'
sandboxName: 'OpenZGY-CPP'
createSandBox: false
failTheBuildIfVeracodeScanDidNotInitiate: true
failBuildOnPolicyFail: false
importResults: false
\ No newline at end of file
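Review bot: The `-x "external/" ".git/"` patterns in the 'Zip Sources' step match only the two directory entries, not the files beneath them, so OpenZGY.zip will most likely still carry the `.git` history and the `external` tree into the Veracode upload. Suggest `-x "external/*" ".git/*"` and checking the archive listing before the upload step, since the extra content lengthens a scan the commit message already describes as slow and sends more to the service than intended. Separately, with `failBuildOnPolicyFail: false` and `importResults: false` on both Veracode@3 tasks, nothing in the job output surfaces findings, so a comment in the file stating where the scan results are reviewed would help.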