I was delighted to integrate the static analysis, but at the time of writing, I didn’t have the means to process the output. However, I have found a tool to process it.
The Jenkins plugin “Warnings Next Generation” can parse the SARIF file and can also scan the entire console log. Furthermore, it exposes the parsed results from the pipeline, so we can include them in our Slack messages.
Install Jenkins Plugin
- Go to the Manage Jenkins ⇾ Manage Plugins ⇾ ‘Available’ tab.
- Add the Warnings Next Generation Plugin:
Update Scripts
In the “Run Security Scan” stage, add the following at the end of the steps block:
recordIssues aggregatingResults: true, enabledForFailure: true, failOnError: true, skipPublishingChecks: true, tool: sarif(pattern: 'sast-report.sarif')
Then, in the post “always” condition, the entire console log can be scanned with:
always {
    script {
        // No pattern is needed: the MSBuild parser reads the console log of the build.
        recordIssues aggregatingResults: true, skipPublishingChecks: true, tool: msBuild()
    }
}
Note: failOnError makes the step fail the build when it hits an error while recording, so leaving it set to true on the whole-log scan, where a stray warning is likely, can change the build result from pass to fail. “always” runs before the “success”, “failure”, and “unstable” post conditions.
If you want to gather the parsed results for your own message (for example, a Slack notification), use scanForIssues, which parses without publishing to the build page:
String issues = ""
// Parse the SARIF report again; this returns the findings without recording them.
def analysisResults = scanForIssues tool: sarif(pattern: 'sast-report.sarif')
// Each issue is rendered with its own toString(); use the getters (getMessage(), getFileName(), getLineStart()) for a terser line.
analysisResults.getIssues().each { issue ->
    issues = issues + "* ${issue}\n"
}
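Putting the steps above together, here is an added example of a complete declarative Jenkinsfile. It is not the original post’s pipeline: the stage name, the placeholder scanner command (run-sast.sh), the Slack channel “#security-alerts”, and the presence of the Slack Notification plugin (slackSend) are assumptions. It also goes slightly beyond the post by using a quality gate, rather than failOnError, to decide the build verdict from the findings, and by leaving failOnError off for the whole-log scan.

```groovy
// Added example, not from the original post. Assumptions: the scanner command,
// the stage name, the Slack channel and that the Slack Notification plugin is installed.
pipeline {
    agent any

    stages {
        stage('Run Security Scan') {
            steps {
                // Placeholder for whatever produces sast-report.sarif (assumed script name).
                sh './run-sast.sh --output sast-report.sarif'

                // failOnError only fails the build when recording itself errors
                // (e.g. the SARIF file is missing). The quality gate is what turns
                // findings into a verdict: one error-severity finding marks the
                // build UNSTABLE (unstable: false would FAIL it instead).
                recordIssues aggregatingResults: true,
                             enabledForFailure: true,
                             failOnError: true,
                             skipPublishingChecks: true,
                             tool: sarif(pattern: 'sast-report.sarif'),
                             qualityGates: [[threshold: 1, type: 'TOTAL_ERROR', unstable: true]]
            }
        }
    }

    post {
        always {
            script {
                // Scan the whole console log for MSBuild-style warnings (such as NU1803).
                // failOnError is left at its default so a stray log warning cannot
                // flip a passing build to FAILED.
                recordIssues aggregatingResults: true,
                             skipPublishingChecks: true,
                             tool: msBuild()

                // Re-parse the SARIF report for the notification; scanForIssues does
                // not publish, so this does not duplicate anything on the build page.
                def report = scanForIssues tool: sarif(pattern: 'sast-report.sarif')
                def lines = []
                report.getIssues().each { issue ->
                    lines << "* [${issue.getSeverity()}] ${issue.getFileName()}:${issue.getLineStart()} ${issue.getMessage()}"
                }

                // Cap the message so a noisy scan does not produce an unreadable post.
                def shown = lines.take(20)
                def summary = shown ? shown.join('\n') : 'No SAST findings.'
                if (lines.size() > shown.size()) {
                    summary += "\n... and ${lines.size() - shown.size()} more"
                }

                slackSend channel: '#security-alerts',
                          color: currentBuild.currentResult == 'SUCCESS' ? 'good' : 'danger',
                          message: "${env.JOB_NAME} #${env.BUILD_NUMBER} ${currentBuild.currentResult}\n${summary}"
            }
        }
    }
}
```

If the pipeline runs in the Groovy sandbox, the calls to the Issue getters (getSeverity, getFileName, getLineStart, getMessage) may need to be approved once under Manage Jenkins ⇾ In-process Script Approval before the post block succeeds.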
The output of processing now appears with our test results and code coverage:
The MSBuild warning picked up from the log turns out to be the NuGet message:
NU1803: You are running the 'restore' operation with an 'HTTP' source...
NU1803 flags a package source reached over plain HTTP rather than HTTPS, so the right response is to move that feed to HTTPS rather than to suppress the warning.