The official Meterian plugin for Jenkins.
This has not been published yet, but you can have a look at the code and snoop around. This plugin is expected to work in classic jobs and pipelines (Jenkinsfile) with the ability to include the analysis as part of your build process, as it should be.
The integration that we are building first, also in light that nobody did that before, is with Gerrit Code Review, where we with the help of Robot Comments we can leverage the automatic fixing ability of Meterian with the smooth review flow of Gerrit.
More to be written here after the plugin is launched :)
Build the project with the below command from inside the project root folder:
./bin/build.sh
Note: this runs the unit/integration tests which is part of the project and can take a bit of time.
Tests it runs:
Running InjectedTest:
Look in the target
folder for all the generate artifacts, you will find meterian-plugin.jar
among others.
Run the project with the below command from inside the project root folder:
./bin/run.sh
This kicks off a full-fledged Jenkins instance and can be access via http://0.0.0.0:8080/jenkins/ or http://localhost:8080/jenkins/ or http://127.0.0.1:8080/jenkins/.
One or more jobs can be executed via this console. When these jobs are executed, and depending on the type of job, the Meterian Jenkins plugin configured with each of the jobs is triggered and the respective actions are executed.
These are the two artifacts are created in the target
folder:
target/meterian-plugin.hpi
target/meterian-plugin.jar
The meterian-plugin.hpi
is the artifact that will be installed as a Jenkins plugin, via the Jenkins, see https://jenkins.io/doc/book/managing/plugins/.
In order to run the tests locally we would need the following two environment variables populated with valid values or else the tests will fail:
METERIAN_API_TOKEN
- this is generated via the Meterian dashboard (via https://www.meterian.com, you will need an account)METERIAN_GITHUB_USER
- this is the machine user account created by yourself (learn more about machine user creation at GitHub: developer guides | machine-users), follow the steps mentioned in the link (default: meterian-bot)METERIAN_GITHUB_EMAIL
- this is the email address associated with the machine user account created in the previous step (default: [email protected])METERIAN_GITHUB_TOKEN
- this is the personal token generated from the machine user account created by yourself (learn more about machine user creation at GitHub: developer guides | machine-users), follow the steps mentioned in the linkEnsure the above two environment variables are set via https://circleci.com/gh/[Your GitHub Org]/jenkins-plugin/edit#env-vars.
In addition you would also need to add the SSH key associated with the Machine User created above to the CircleCI SSH keychain, see how that is done via https://circleci.com/docs/2.0/gh-bb-integration/#creating-a-machine-user.
Note: in general the above might not be needed if your CI/CD environment contains the necessary permission to perform git push
related actions on the target repo you are analysing.
mvn test
mvn test -Dtest=MeterianClientTest
Builds a single branch using the Pipeline facility via the jenkinsfile
script.
Technical detail: flows through the MeterianPlugin
class and is handled by SimpleOrFreeStyleExecutor
.
Builds multiple branches concurrently, using the Pipeline facility via the jenkinsfile
script.
Technical detail: flows through the MeterianStep
class and is handled by StandardExecutor
.
Builds a single branch but does not give the facility to specific Jenkins config via the jenkinsfile
.
Technical detail: flows through the MeterianPlugin
class and is handled by SimpleOrFreeStyleExecutor
.
The below features can be used across the above Jenkins job types.
Default behaviour no client args required.
This option does the default task of scanning the project and reporting the vulnerabilities, if present, and recommended fixes but does not apply them.
Using the --autofix
client arg option (Go to Jenkins > Configure > Meterian for the field Client JVM args).
This option does the task of scanning the project and reporting the vulnerabilities, if present, and also applying the fix to the respective branch and creating a pull request to the repository.
Ensure your GitHub OAuth token to your Organisation and Repo has been added to the Meterian configuration settings under Jenkins > Configure > Meterian. Enter your GitHub OAuth meterianAPIToken in the field GitHub OAUTH token. If this field is empty or incorrect appropriate error messages are displayed in the Jenkins logger (console).
The below command should do it, provided the plugin has already downloaded the client:
java -jar ${HOME}/.meterian/meterian-cli.jar [meterian args]
[meterian args] - one or more args for additional features i.e. --interactive=false
or --autofix
On the first run, it will authorise you, so please ensure you have an account on https://www.meterian.com.
Note: the Meterian client is automatically downloaded by the plugin when it detects the absence of it and is saved in the ${HOME}/.meterian
folder.
See https://stackoverflow.com/questions/43690435/failure-to-find-org-jenkins-ci-pluginspluginpom2-11-in-https-repo-maven-apa on how to avoid the below warning message:
[WARNING] The POM for org.jenkins-ci.tools:maven-hpi-plugin:jar:2.7 is missing, no dependency information available
[WARNING] Failed to build parent project for io.jenkins.plugins:meterian-plugin:hpi:0.1-SNAPSHOT