veracode-gradle-plugin's People

Contributors: davidgamba, kctang, yaoyangt

veracode-gradle-plugin's Issues

Add gradle wrapper

@nishtahir suggested adding the gradle wrapper to the plugin.

Need to take a quick look at the documentation to see if they recommend adding it to plugins.
If yes, we should add the wrapper for gradle 4.4 once it comes out.

Plugin Should Not Force Globally-scoped Properties

VeracodeGetSandboxListTask constructor:
app_id = project.findProperty('app_id')

It is bad practice to force users of the plugin to use pre-defined globally-scoped properties. The defaults should only come from veracodeSetup {}, then it should be left up to the users how to get those values into their build.

The tasks should be getting their defaults from the veracodeSetup extension as well.

The plugin could get defaults from properties, but they should be scoped along the lines of:

com.calgaryscientific.veracode.appId
com.calgaryscientific.veracode.buildId
com.calgaryscientific.veracode.username
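
A sketch of the lookup order this issue proposes, added here as an illustration; it is not the plugin's own code. The class names, the extension fields and the `veracodeCheckSettings` task are hypothetical, and only the `veracodeSetup` extension name and the `com.calgaryscientific.veracode.` prefix come from the issue.

```groovy
import org.gradle.api.GradleException
import org.gradle.api.Plugin
import org.gradle.api.Project

// Hypothetical extension; field names mirror the scoped property names above.
class VeracodeSetup {
    String appId
    String buildId
    String username
}

// Hypothetical plugin class showing extension-first, namespaced-fallback lookup.
class ScopedVeracodePlugin implements Plugin<Project> {
    static final String PREFIX = 'com.calgaryscientific.veracode.'

    void apply(Project project) {
        def ext = project.extensions.create('veracodeSetup', VeracodeSetup)
        // Hypothetical task: resolves settings at execution time, after the
        // build script has had the chance to configure veracodeSetup {}.
        project.tasks.register('veracodeCheckSettings') {
            doLast {
                ['appId', 'buildId', 'username'].each { key ->
                    resolve(project, ext, key)
                    // Log the key only, so values never end up in build logs.
                    project.logger.lifecycle("veracode: ${key} resolved")
                }
            }
        }
    }

    // A value set in veracodeSetup {} wins; the namespaced property is only
    // a fallback. Bare globals such as 'app_id' are never consulted, so the
    // plugin cannot collide with unrelated properties in the user's build.
    static String resolve(Project project, VeracodeSetup ext, String key) {
        def explicit = ext."${key}"
        if (explicit) {
            return explicit.toString()
        }
        def scoped = project.findProperty(PREFIX + key)
        if (scoped == null) {
            throw new GradleException(
                "Set veracodeSetup.${key} or the ${PREFIX}${key} property")
        }
        return scoped.toString()
    }
}
```

With this shape, a value such as `-Pcom.calgaryscientific.veracode.appId=...` or a `gradle.properties` entry is only a fallback, and how values reach `veracodeSetup {}` stays the build author's choice.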

Workflow task fails with new Sandbox (initial build required)

I added project properties, as shown, in gradle.properties:

app_id=******
sandbox_id=******
build_version=0.0.0-0-SNAPSHOT

Then, I added the dependencies to my classpath:

buildscript {
  dependencies {
    classpath 'com.veracode.vosp.api.wrappers:vosp-api-wrappers-java:17.11.4.9'
    classpath 'gradle.plugin.com.calgaryscientific.gradle:veracodePlugin:0.4.0'
  }
}

(Side note: Is it better to use Maven Central rather than manually downloading the Veracode jar?)

Then, I applied the plugin:

apply plugin: 'com.calgaryscientific.gradle.veracode'

Finally, I tried to execute the Sandbox Workflow task:

macdaddy123:phatproject nsaunders$ ./gradlew veracodeSandboxWorkflow
:veracodeSandboxWorkflow FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':veracodeSandboxWorkflow'.
> ERROR: Could not find a build for application=****** and sandbox=******
  See /Users/nsaunders/Projects/hg/projects/41st/phatproject/build/veracode/buildinfo-******-******-latest.xml for details!

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output.

BUILD FAILED

Total time: 9.764 secs
macdaddy123:phatproject nsaunders$ 

buildinfo---latest.xml:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<error>Could not find a build for application=****** and sandbox=******</error>

What am I missing here?

It seems to me that a workflow task should take care of all of the details of creating/updating/deleting a build as needed, uploading artifacts, and triggering a scan. Is this assumption incorrect?

Your help and insight would be greatly appreciated. Thanks in advance!

Run the gradle workflow task in foreground

Hi,

Firstly, this Gradle plugin is awesome. We are able to achieve almost everything by using this plugin. Cheers for that.
I need a small bit of help from you guys. Actually, we are using the Gradle task "veracodeBuildWorkflow". I am getting the below output:

[root@ip-10-12-168-81 sonar-testing]# gradle veracodeBuildWorkflow -Papp_id=XXXXXX -Pbuild_version=V5

Task :veracodeBuildWorkflow
Processing customerfacinguser.zip
customerfacinguser.zip=Uploaded

BUILD SUCCESSFUL in 11s
1 actionable task: 1 executed

So, as per the logs, the gradle command is executed successfully; however, the Veracode scanning is still running in the background.
Is there any option with which we can run this Veracode scanning in the foreground, so that the gradle command does not exit successfully until the Veracode scan is completed or the whole workflow is completed?

Plus, do we have any parameter or flag provided by Veracode which tells us the status of the Veracode scan, so that we can take the necessary action using that flag value?

Thanks

veracodeBuildWorkflow task fails if veracode application does not have any previous scan available

Hi there,

I have been using this awesome plugin to perform the Veracode scan for our project in an automated way within our pipelines. Until now it was working fine as expected, but it suddenly stopped working for a new Veracode application which does not have any previous Veracode scan build available. After debugging, I found that the veracodeBuildWorkflow task gets the info about the last executed build within the defined Veracode application, to check if any scan is already running/incomplete etc., and then acts accordingly. Is my understanding correct?

After that, I started one scan within that new Veracode application manually and, once that completed, I again started a Veracode scan using the veracodeBuildWorkflow task and it works like a charm.

To address this issue, in case it does not find any previous build information, it assumes that this is a new Veracode application under which the scan will get executed and starts the scan.

Please help us to address this issue, let me know if any further information is required in this.

Thx
