Fail the release manager pipeline and create security vulnerability issues or move them to TODO state if already present

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 ## Unreleased
 * Fail builds when aqua scan detects remotely exploitable security vulnerabilities with solutions ([#1147](https://github.com/opendevstack/ods-jenkins-shared-library/pull/1147))
+* Fail the release manager pipeline and create security vulnerability issues or move them to TODO state if already present ([#1151](https://github.com/opendevstack/ods-jenkins-shared-library/pull/1151))
 
 ### Added
 * In the release manager pipeline, use the default integration branch for component ([#1144](https://github.com/opendevstack/ods-jenkins-shared-library/pull/1144)) 

build.gradle

@@ -139,7 +139,7 @@ codenarc {
     toolVersion = '1.6'
     configFile = file('codenarc.groovy')
     maxPriority1Violations = 0
-    maxPriority2Violations = 1
+    maxPriority2Violations = 0
     maxPriority3Violations = 300
     reportFormat = 'html'
 }

src/org/ods/component/ScanWithAquaStage.groovy

@@ -106,6 +106,7 @@ class ScanWithAquaStage extends Stage {
             errorMessages += "<li>Error executing Aqua CLI</li>"
         }
         List actionableVulnerabilities = null
+        String nexusReportLink = null
         // If report exists
         if ([AquaService.AQUA_SUCCESS, AquaService.AQUA_POLICIES_ERROR].contains(returnCode)) {
             try {
@@ -121,7 +122,8 @@ class ScanWithAquaStage extends Stage {
                                   vulnerabilities.malware ?: 0]
 
                 URI reportUriNexus = archiveReportInNexus(reportFile, nexusRepository)
-                createBitbucketCodeInsightReport(url, nexusRepository ? reportUriNexus.toString() : null,
+                nexusReportLink = nexusRepository ? reportUriNexus.toString() : null
+                createBitbucketCodeInsightReport(url, nexusReportLink,
                     registry, imageRef, errorCodes.sum() as int, errorMessages, actionableVulnerabilities)
                 archiveReportInJenkins(!context.triggeredByOrchestrationPipeline, reportFile)
             } catch (err) {
@@ -135,16 +137,86 @@ class ScanWithAquaStage extends Stage {
         notifyAquaProblem(alertEmails, errorMessages)
 
         if (actionableVulnerabilities?.size() > 0) { // We need to mark the pipeline and delete the image
-            context.addArtifactURI('aquaCriticalVulnerability', 'true')
+            addAquaVulnerabilityObjectsToContext(actionableVulnerabilities, nexusReportLink)
             String response = openShift.deleteImage(context.getComponentId() + ":" + context.getShortGitCommit())
             logger.debug("Delete image response: " + response)
-            throw new AquaRemoteCriticalVulnerabilityWithSolutionException("Vulnerabilities found: " +
-                actionableVulnerabilities)
+            throw new AquaRemoteCriticalVulnerabilityWithSolutionException(
+                buildActionableMessageForAquaVulnerabilities(actionableVulnerabilities: actionableVulnerabilities,
+                    nexusReportLink: nexusReportLink, gitUrl: context.getGitUrl(), gitBranch: context.getGitBranch(),
+                    gitCommit: context.getGitCommit(), repoName: context.getRepoName()))
         }
 
         return
     }
 
+    private void addAquaVulnerabilityObjectsToContext(List actionableVulnerabilities, String nexusReportLink) {
+        context.addArtifactURI('aquaCriticalVulnerability', actionableVulnerabilities)
+        context.addArtifactURI('jiraComponentId', context.getComponentId())
+        context.addArtifactURI('gitUrl', context.getGitUrl())
+        context.addArtifactURI('gitBranch', context.getGitBranch())
+        context.addArtifactURI('repoName', context.getRepoName())
+        context.addArtifactURI('nexusReportLink', nexusReportLink)
+    }
+
+    private String buildActionableMessageForAquaVulnerabilities(Map args) {
+        StringBuilder message = new StringBuilder();
+        message.append("We detected remotely exploitable critical vulnerabilities in ${args.gitUrl} " +
+            "in branch \"${args.gitBranch}\". Due to their high severity, we must stop the delivery " +
+            "process until all vulnerabilities have been addressed. ")
+
+        message.append("\n\nThe following vulnerabilities were found:\n");
+        def count= 1;
+        for (def vulnerability : args.actionableVulnerabilities) {
+            message.append("\n${count}.    Vulnerability name: " + (vulnerability as Map).name as String)
+            message.append("\n${count}.1.  Description: " + (vulnerability as Map).description as String)
+            message.append("\n${count}.2.  Solution: " + (vulnerability as Map).solution as String)
+            message.append("\n")
+            count++
+        }
+        def openPRs = getOpenPRsForCommit(args.gitCommit as String, args.repoName as String)
+        if (openPRs.size() > 0) {
+            message.append("\nThis commit exists in the following open pull requests: ")
+            def cnt = 1
+            for (def pr : openPRs) {
+                message.append("\n${cnt}.    Pull request: " + (pr as Map).title as String)
+                message.append("\n${cnt}.1.  Link: " + (pr as Map).link as String)
+                message.append("\n")
+                cnt++
+            }
+        }
+        if (args.nexusReportLink != null) {
+            message.append("\nYou can find the complete security scan report here: ${args.nexusReportLink}.\n")
+        }
+        return message.toString()
+    }
+
+    private List getOpenPRsForCommit(String gitCommit, String repoName) {
+        def apiResponse = bitbucket.getPullRequestsForCommit(repoName, gitCommit)
+        def prs = []
+        try {
+            def js = steps.readJSON(text: apiResponse) as Map
+            prs = js['values']
+            if (prs == null) {
+                throw new RuntimeException('Field "values" of JSON response must not be empty!')
+            }
+        } catch (Exception ex) {
+            logger.warn "Could not understand API response. Error was: ${ex}"
+            return []
+        }
+        def response = []
+        for (def i = 0; i < (prs as List).size(); i++) {
+            Map pr = (prs as List)[i] as Map
+            if (!(pr.open as Boolean)) { // We only consider Open PRs
+                continue
+            }
+            response.add([
+                title: pr.title,
+                link: (((pr.links as Map).self as List)[0] as Map).href
+            ])
+        }
+        response
+    }
+
     private String getImageRef() {
         // take the image ref of the image that is being build in the image build stage
         Map<String, String> buildInfo =

src/org/ods/orchestration/BuildStage.groovy

@@ -16,6 +16,15 @@ class BuildStage extends Stage {
 
     public static final String JIRA_CUSTOM_PART = 'Follow the link below'
 
+    private static final String VULNERABILITY_NAME_PLACEHOLDER = "<CVE>"
+
+    private static final String SECURITY_VULNERABILITY_ISSUE_SUMMARY = "Remotely exploitable security " +
+        "vulnerability with solution detected by Aqua with name " + VULNERABILITY_NAME_PLACEHOLDER
+
+    private static final String SECURITY_VULNERABILITY_ISSUE_PRIORITY = "Highest"
+
+    private static final String JIRA_COMPONENT_TECHNOLOGY_PREFIX = 'Technology-'
+
     public final String STAGE_NAME = 'Build'
 
     BuildStage(def script, Project project, List<Set<Map>> repos, String startMROStageName) {
@@ -103,17 +112,140 @@ class BuildStage extends Stage {
                 logMessage += buildTailorMessage(failedReposCommaSeparated, LOG_CUSTOM_PART)
                 jiraMessage += buildTailorMessage(failedReposCommaSeparated, JIRA_CUSTOM_PART)
             }
+
+            def aquaCriticalVulnerabilityRepos = filterReposWithAquaCriticalVulnerability(repos)
+            if (aquaCriticalVulnerabilityRepos?.size() > 0) {
+                def securityVulnerabilityIssueKeys = createSecurityVulnerabilityIssues(aquaCriticalVulnerabilityRepos)
+                String aquaMessage = buildAquaSecurityVulnerabilityMessage(securityVulnerabilityIssueKeys)
+                logMessage += aquaMessage
+                jiraMessage += aquaMessage
+            }
+
             util.failBuild(logMessage)
-            // If we are not in Developer Preview or we have a Tailor failure raise an exception
-            if (!project.isWorkInProgress || tailorFailedRepos?.size() > 0) {
+            // If we are not in Developer Preview or we have a Tailor failure or a Aqua remotely exploitable
+            // vulnerability with solution found then raise an exception
+            if (!project.isWorkInProgress || tailorFailedRepos?.size() > 0
+                || aquaCriticalVulnerabilityRepos?.size() > 0) {
                 throw new IllegalStateException(jiraMessage)
             }
         }
-        def aquaCriticalVulnerabilityRepos = filterReposWithAquaCriticalVulnerability(repos)
-        if (aquaCriticalVulnerabilityRepos?.size() > 0) {
-            String aquaFiledMessage = "Aqua critical vulnerability with solution detected"
-            util.failBuild(aquaFiledMessage)
-            throw new IllegalStateException(aquaFiledMessage)
+    }
+
+    List createSecurityVulnerabilityIssues(List aquaCriticalVulnerabilityRepos) {
+        def securityVulnerabilityIssueKeys = [];
+        try {
+            for (def repo : aquaCriticalVulnerabilityRepos) {
+                def jiraComponentId = getJiraComponentId(repo)
+                for (def vulnerability : repo.data.openshift.aquaCriticalVulnerability) {
+                    def vulerabilityMap = vulnerability as Map
+                    def issueKey = createOrUpdateSecurityVulnerabilityIssue(
+                        vulerabilityMap.name,
+                        jiraComponentId,
+                        buildSecurityVulnerabilityIssueDescription(
+                            vulerabilityMap,
+                            repo.data.openshift.gitUrl,
+                            repo.data.openshift.gitBranch,
+                            repo.data.openshift.repoName,
+                            repo.data.openshift.nexusReportLink))
+                    securityVulnerabilityIssueKeys.add(issueKey)
+                }
+            }
+        } catch (JiraNotPresentException e) {
+            project.logger.warn(e.getMessage())
+            return []
+        }
+        return securityVulnerabilityIssueKeys
+    }
+
+    String createOrUpdateSecurityVulnerabilityIssue(String vulnerabilityName, String jiraComponentId,
+                                                    String description) {
+        if (!project.jiraUseCase || !project.jiraUseCase.jira) {
+            throw new JiraNotPresentException("JiraUseCase not present, cannot create security vulnerability issue.")
+        }
+
+        def issueSummary =  SECURITY_VULNERABILITY_ISSUE_SUMMARY.replace(VULNERABILITY_NAME_PLACEHOLDER,
+            vulnerabilityName)
+
+        def fixVersion = null
+        if (project.isVersioningEnabled) {
+            fixVersion = project.getVersionName()
+        }
+        def fullJiraComponentName = JIRA_COMPONENT_TECHNOLOGY_PREFIX + jiraComponentId
+
+        List securityVulnerabilityIssues = project?.jiraUseCase?.jira?.loadJiraSecurityVulnerabilityIssues(issueSummary,
+            fixVersion, fullJiraComponentName, project.jiraProjectKey)
+        if (securityVulnerabilityIssues?.size() >= 1) { // Transition the issue to "TO DO" state
+            transitionIssueToToDo(securityVulnerabilityIssues.get(0).id)
+            return (securityVulnerabilityIssues.get(0) as Map)?.key
+        } else { // Create the issue
+            return (createIssueTypeSecurityVulnerability(fixVersion, fullJiraComponentName,
+                SECURITY_VULNERABILITY_ISSUE_PRIORITY, projectKey: project.jiraProjectKey, summary: issueSummary,
+                description: description)
+                as Map)?.key
+        }
+    }
+
+    Map createIssueTypeSecurityVulnerability(Map args, String fixVersion = null, String component = null,
+                                             String priority = null) {
+        return project?.jiraUseCase?.jira?.createIssue(fixVersion, component, priority, summary: args.summary,
+            type: "Security Vulnerability", projectKey: args.projectKey, description: args.description)
+    }
+
+
+    void transitionIssueToToDo(String issueId) {
+        int maxAttemps = 10;
+        while (maxAttemps-- > 0) {
+            def possibleTransitions = project?.jiraUseCase?.jira?.getTransitions(issueId)
+            Map possibleTransitionsByName = possibleTransitions
+                .collectEntries { t -> [t.name.toString().toLowerCase(), t] }
+            if (possibleTransitionsByName.containsKey("confirm dor")) { // Issue is already in TO DO state
+                return
+            } else if (possibleTransitionsByName.containsKey("implement")) { // We need to transiton the issue
+                project?.jiraUseCase?.jira?.doTransition(issueId, possibleTransitionsByName.get("implement"))
+                continue
+            } else if (possibleTransitionsByName.containsKey("confirm dod")) { // We need to transiton the issue
+                project?.jiraUseCase?.jira?.doTransition(issueId, possibleTransitionsByName.get("confirm dod"))
+                continue
+            } else if (possibleTransitionsByName.containsKey("reopen")) { // We need just one transiton
+                project?.jiraUseCase?.jira?.doTransition(issueId, possibleTransitionsByName.get("reopen"))
+                return
+            } else {
+                throw new IllegalStateException("Unexpected issue transition states " +
+                    "found: ${possibleTransitionsByName.keySet()}")
+            }
+        }
+        throw new IllegalStateException("The issue could not be transitioned to TODO state.")
+    }
+
+    String buildSecurityVulnerabilityIssueDescription(Map vulnerability, String gitUrl, String gitBranch,
+                                                    String repoName, String nexusReportLink) {
+        StringBuilder message = new StringBuilder()
+        message.append("\nAqua security scan detected the remotely exploitable critical " +
+            "vulnerability with name *${vulnerability.name as String}* in repository *[${repoName}|${gitUrl}]* " +
+            "in branch *${gitBranch}*." )
+        message.append("\n\n*Description:* " + vulnerability.description as String)
+        message.append("\n\n*Solution:* " + vulnerability.solution as String)
+
+        if (nexusReportLink != null) {
+            message.append("\n\nYou can find the complete security scan report *[here|${nexusReportLink}]*.")
+        }
+
+        return message.toString()
+    }
+
+    String buildAquaSecurityVulnerabilityMessage(List securityVulnerabilityIssueKeys) {
+        if (securityVulnerabilityIssueKeys?.size() == 0) { // No issue created as Jira is not connected
+            return "\n\nRemotely exploitable critical vulnerabilities were detected (see above). " +
+                "Due to their high severity, we must stop the delivery process until all vulnerabilities " +
+                "have been addressed.\n"
+        } else if (securityVulnerabilityIssueKeys?.size() == 1) {
+            return "\n\nA remotely exploitable critical vulnerability was detected and documented in " +
+                "the following Jira issue: ${securityVulnerabilityIssueKeys[0]}. Due to their high " +
+                "severity, we must stop the delivery process until all vulnerabilities have been addressed.\n"
+        } else {
+            return "\n\nRemotely exploitable critical vulnerabilities were detected and documented in " +
+                "the following Jira issues: ${securityVulnerabilityIssueKeys.join(", ")}. Due to their high " +
+                "severity, we must stop the delivery process until all vulnerabilities have been addressed.\n"
         }
     }
 
@@ -153,6 +285,10 @@ class BuildStage extends Stage {
         return repos?.flatten()?.findAll { it -> it.data?.openshift?.aquaCriticalVulnerability }
     }
 
+    String getJiraComponentId(def repo) {
+        return repo.data?.openshift?.jiraComponentId
+    }
+
     String buildReposCommaSeparatedString(def tailorFailedRepos) {
         def reposCommaSeparatedString = tailorFailedRepos
             .collect { it -> "\"" + it.id + "\"" }

src/org/ods/orchestration/JiraNotPresentException.groovy

@@ -0,0 +1,8 @@
+package org.ods.orchestration
+
+class JiraNotPresentException extends Exception {
+
+    JiraNotPresentException(String message) {
+        super(message)
+    }
+}