Jenkins plugin [enhancement]

[ericwb]

Hi

This is not a bug itself, its a enhancement on the tool. Im sorry if this is not the right place to raise this, but its the only point of contact i have with you

Im building a tool in python, and im using Jenkins to automate all the testing etc... It would be a great addition to have a bandit plugin that you can use in jenkins to run this scan automatically, and also, have the ability to set a quality gate, as, for example, break the build if you have any critical vulnerability

Thanks

[IvanAnishchuk]

I think (short-term) it should be simple enough to generate output in some format that warnings plugin can understand and (longer term) a custom parser should be added there. Would there be any advantages to having yet another plugin vs having support in warnings or some other universal one?

[IvanAnishchuk]

Also there's this: https://github.com/mewz/bandit-plugin- although I haven't tried it yet

[Plazmaz]

On a very basic level, bandit should output a non-zero status code on finding a rule. I'm sure you could write up a simple script to parse some of this out, but a system for a clearer display/status tracking in jenkins would be nice from a plugin perspective.

[cojoco]

With regards to this issue, just wanted to point out that the Warnings-NG plugin is out of beta, and they appear to be accepting pull requests to support new tools based on the README.

[tomasbjerre]

The Warnings plugin is using Violations Lib which means you can do:

bandit -r examples/ -f custom -o bandit.out --msg-template "{abspath}:{line}: {severity}: {test_id}: {msg}"

And use the CLANG parser in the Jenkins plugin.

There are more related tools (like commenting pull requests), also referenced from the README in Violations Lib.

[john-pastore]

The Warnings plugin is using Violations Lib which means you can do:

bandit -r examples/ -f custom -o bandit.out --msg-template "{abspath}:{line}: {severity}: {test_id}: {msg}"

And use the CLANG parser in the Jenkins plugin.

There are more related tools (like commenting pull requests), also referenced from the README in Violations Lib.

Your suggestion didn't work for me. It would log fine but the Warnings plugin wouldn't find any errors. What worked for me was to use the format you posted to log, and then use a custom groovy parser.

I used the regex:

(.+):(\d+): (\w+): (\D\d*): (.*)

And this was the mapping script I used.

import edu.hm.hafner.analysis.Severity

String message = matcher.group(5)
String category = matcher.group(3)
String type = matcher.group(4)

Severity severity
if (category.contains("M")) {
  severity = Severity.WARNING_NORMAL
} else if (category.contains("L"))  {
  severity = Severity.WARNING_LOW
} else {
  severity = Severity.WARNING_HIGH
}

return builder.setFileName(matcher.group(1))
         .setLineStart(Integer.parseInt(matcher.group(2)))
         .setCategory(category)
         .setMessage(message)
         .setSeverity(severity)
         .setType(type)
         .buildOptional()

[tomasbjerre]

If you open an issue in violations-lib and attach your log-file, I can have a look.