
OpenShift 4 - DevSecOps Workshop (6) - Adding SonarQube to the Pipeline for SAST

Series index: OpenShift 4.x HOL Tutorial Collection

Note: the steps in this article were verified on OpenShift 4.8.

This step adds a new Task to the pipeline so that static application security testing (SAST) is performed with SonarQube on every run.

  1. As the figure shows, add a new task named "code-analysis" to "tasks-dev-pipeline" in the OpenShift console. The task type is "simple-maven"; its "GOALS" parameter runs the Sonar Maven goal and points it at the SonarQube service running on OpenShift (the cluster-internal service URL, so the report never leaves the cluster).

    Display name: code-analysis

    GOALS: verify sonar:sonar -Dsonar.projectName=user1-openshift-tasks -Dsonar.projectKey=user1-openshift-tasks -Dsonar.host.url=http://sonarqube.devsecops.svc.cluster.local:9000

    SETTINGS_PATH: configuration/cicd-settings-nexus3.xml

    maven-repo: local-maven-repo

    source: pipeline-source

  2. Alternatively, add the task to "tasks-dev-pipeline" with the following commands. Because a JSON merge patch replaces the whole spec.tasks list, the existing tasks are first read out with yq (the `yq r` / `yq p` calls are yq 3.x syntax) and the new task is appended to them; note that the new task is given a runAfter on build-app so the scan runs on a built tree.
$ export USER=$(oc whoami)
$ export CICD=${USER}-cicd
$ TASKS="$(oc get pipelines tasks-dev-pipeline -n ${CICD} -o yaml | yq r - 'spec.tasks' | yq p - 'spec.tasks')"
$ oc patch pipelines tasks-dev-pipeline -n ${CICD} --type=merge -p "$(cat << EOF
$TASKS
    - name: code-analysis
      taskRef:
        kind: Task
        name: simple-maven
      params:
          - name: GOALS
            value: 'verify sonar:sonar -Dsonar.projectName=${USER}-openshift-tasks -Dsonar.projectKey=${USER}-openshift-tasks -Dsonar.host.url=http://sonarqube.devsecops.svc.cluster.local:9000' 
          - name: SETTINGS_PATH
            value: configuration/cicd-settings-nexus3.xml
      resources:
        inputs:
          - name: source
            resource: pipeline-source
      workspaces:
        - name: maven-repo
          workspace: local-maven-repo
      runAfter:
          - build-app
EOF
)"

  3. Start a run of "tasks-dev-pipeline" with the following command and follow the log:
$ tkn pipeline start tasks-dev-pipeline -n ${CICD} --showlog \
	--resource pipeline-source=tasks-source-code \
	--workspace name=local-maven-repo,claimName=maven-repo-pvc
...
[code-analysis : mvn-goals] [INFO] CPD Executor Calculating CPD for 10 files
[code-analysis : mvn-goals] [INFO] CPD Executor CPD calculation finished (done) | time=101ms
[code-analysis : mvn-goals] [INFO] Analysis report generated in 596ms, dir size=1 MB
[code-analysis : mvn-goals] [INFO] Analysis report compressed in 227ms, zip size=418 KB
[code-analysis : mvn-goals] [INFO] Analysis report uploaded in 118ms
[code-analysis : mvn-goals] [INFO] ANALYSIS SUCCESSFUL, you can browse http://sonarqube.devsecops.svc.cluster.local:9000/dashboard?id=-openshift-tasks
[code-analysis : mvn-goals] [INFO] Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
[code-analysis : mvn-goals] [INFO] More about the report processing at http://sonarqube.devsecops.svc.cluster.local:9000/api/ce/task?id=AXtOh8Xbqim3aGzTbamA
[code-analysis : mvn-goals] [INFO] Analysis total time: 1:09.925 s
[code-analysis : mvn-goals] [INFO] ------------------------------------------------------------------------
[code-analysis : mvn-goals] [INFO] BUILD SUCCESS
[code-analysis : mvn-goals] [INFO] ------------------------------------------------------------------------
[code-analysis : mvn-goals] [INFO] Total time: 02:38 min
[code-analysis : mvn-goals] [INFO] Finished at: 2021-08-16T10:35:27Z
[code-analysis : mvn-goals] [INFO] Final Memory: 56M/1670M
[code-analysis : mvn-goals] [INFO] ------------------------------------------------------------------------

  4. Open the SonarQube console in a browser, log in with the same user you use for the OpenShift console, and review the scan results for the project.
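The patch in step 2 appends to spec.tasks without checking anything: run it twice and the pipeline ends up with two tasks named code-analysis, and if USER is empty the scan is filed under a project nobody owns (the dashboard link in the log above ends in id=-openshift-tasks, which is exactly what an empty USER produces). The script below is an added example, not part of the workshop material: it builds the same merge patch from the Pipeline's JSON form (`oc get ... -o json`, so only the standard library is needed) with those checks, and additionally refuses to put a SonarQube credential into GOALS, where it would be readable by anyone who can get the Pipeline object. The names build_sonar_patch, sonar_task, SAMPLE_PIPELINE and add_sonar_task.py are this example's own; the task, parameter, resource and workspace names are those of tasks-dev-pipeline.

```python
"""Build an idempotent JSON merge patch that appends the workshop's
'code-analysis' SonarQube task to a Tekton Pipeline.

Added example; it is not part of the workshop material. It works on the JSON
form of the Pipeline (oc get pipelines <name> -o json), so only the standard
library is needed. build_sonar_patch(), sonar_task() and SAMPLE_PIPELINE are
names invented for this example; the task, param, resource and workspace
names are the ones used by tasks-dev-pipeline.
"""
import json
import re
import sys

SONAR_URL = "http://sonarqube.devsecops.svc.cluster.local:9000"

# Scanner properties that would embed a credential in the Pipeline object,
# where anyone allowed to 'get pipelines' in the namespace can read it.
CREDENTIAL_PROPS = re.compile(r"-Dsonar\.(login|token|password)=")

# Constructed stand-in for `oc get pipelines tasks-dev-pipeline -o json`;
# only the fields this script touches are present.
SAMPLE_PIPELINE = {
    "apiVersion": "tekton.dev/v1beta1",
    "kind": "Pipeline",
    "metadata": {"name": "tasks-dev-pipeline"},
    "spec": {
        "tasks": [
            {
                "name": "build-app",
                "taskRef": {"kind": "Task", "name": "simple-maven"},
                "params": [{"name": "GOALS", "value": "package"}],
            }
        ]
    },
}


def sonar_task(user, extra_props="", run_after="build-app", sonar_url=SONAR_URL):
    """The code-analysis task as the workshop's patch defines it."""
    goals = (
        f"verify sonar:sonar -Dsonar.projectName={user}-openshift-tasks "
        f"-Dsonar.projectKey={user}-openshift-tasks -Dsonar.host.url={sonar_url} "
        f"{extra_props}"
    ).strip()
    return {
        "name": "code-analysis",
        "taskRef": {"kind": "Task", "name": "simple-maven"},
        "params": [
            {"name": "GOALS", "value": goals},
            {"name": "SETTINGS_PATH", "value": "configuration/cicd-settings-nexus3.xml"},
        ],
        "resources": {"inputs": [{"name": "source", "resource": "pipeline-source"}]},
        "workspaces": [{"name": "maven-repo", "workspace": "local-maven-repo"}],
        "runAfter": [run_after],
    }


def build_sonar_patch(pipeline, user, extra_props=""):
    """Return {"spec": {"tasks": [...]}} ready for `oc patch --type=merge`.

    A JSON merge patch replaces spec.tasks wholesale, so the existing list is
    carried over in full. Rejects an empty user (projectKey would become
    '-openshift-tasks'), a credential embedded in GOALS, and a runAfter that
    names a task the pipeline does not have.
    """
    if not user:
        raise ValueError("user is empty (did 'oc whoami' return nothing?)")
    tasks = list(pipeline["spec"]["tasks"])
    new = sonar_task(user, extra_props)
    for param in new["params"]:
        if CREDENTIAL_PROPS.search(param["value"]):
            raise ValueError("credential in GOALS; inject it from a Secret instead")
    names = {t["name"] for t in tasks}
    missing = [n for n in new["runAfter"] if n not in names]
    if missing:
        raise ValueError(f"runAfter refers to unknown task(s): {missing}")
    # Re-running replaces an earlier code-analysis entry instead of appending
    # a duplicate; Tekton rejects a Pipeline whose task names are not unique.
    tasks = [t for t in tasks if t["name"] != new["name"]] + [new]
    return {"spec": {"tasks": tasks}}


if __name__ == "__main__":
    # Usage:
    #   oc get pipelines tasks-dev-pipeline -n "$CICD" -o json \
    #     | python3 add_sonar_task.py "$(oc whoami)" > patch.json
    #   oc patch pipelines tasks-dev-pipeline -n "$CICD" --type=merge -p "$(cat patch.json)"
    # Without piped input the constructed SAMPLE_PIPELINE is used instead.
    who = sys.argv[1] if len(sys.argv) > 1 else ""
    source = SAMPLE_PIPELINE if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps(build_sonar_patch(source, who), indent=2))
```

If SonarQube is configured to require authentication for analysis, pass the token to the Task through an environment variable sourced from a Secret rather than as `-Dsonar.login=` in GOALS; the credential check above exists to make that mistake fail early instead of silently landing in the Pipeline object.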
