jenkinsci/fortify-on-demand-uploader-plugin

Excluding files/folders from Jenkins uploader

Closed this issue · 7 comments

I have successfully been able to upload my code base to the Fortify console and begin the static scan. Our code base however has a list of files/folders that we do not include on our regular scans when we upload code manually (using Eclipse plugin).

Is there a way in the Jenkins plugin to exclude certain files/folders from the zip file uploaded into the Fortify console for scanning?

@brocktubre

You'll need to prune your build output in another post-build action before calling the uploader step. There was some discussion about #51, which is essentially a subset of this problem, but it was ultimately decided to not risk messing up a payload so that there would be more code coverage on the scan. There's no way for jenkins to know your project structure and layout (like eclipse does) as it's just building whatever you told it to.

Example Windows Batch Command Action:

rd /s /q %WORKSPACE%\SqlScripts
rd /s /q %WORKSPACE%\ThirdParty
rd /s /q %WORKSPACE%\tools
rd /s /q %WORKSPACE%\Utilities
rd /s /q %WORKSPACE%\node_modules

I suppose we could investigate some exclude glob options that you could configure per build instead of having to actually delete them.
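An added example, not the plugin's or the maintainer's code, of the same prune-before-upload step written as a shell action: it reads a workspace-relative exclude list and refuses any entry that resolves (via `..` or a symlink) outside the workspace, so a typo in the list cannot delete beyond the tree the uploader would zip. The exclude file and the throwaway directory tree are constructed for the demo and stand in for `$WORKSPACE`.

```shell
#!/bin/sh
# prune_workspace WORKSPACE EXCLUDE_FILE
# EXCLUDE_FILE holds one workspace-relative path per line; blank lines and
# lines starting with '#' are ignored. Each path is resolved (symlinks and
# '..') and removed only if it still lies strictly inside the workspace.
# Exit status: the number of entries refused for resolving outside it.
prune_workspace() {
    ws=$(cd "$1" && pwd -P) || return 2
    refused=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        case "$entry" in ''|'#'*) continue ;; esac
        target="$ws/$entry"
        [ -e "$target" ] || continue            # nothing to prune, not an error
        if [ -d "$target" ]; then
            real=$(cd "$target" && pwd -P)
        else
            real=$(cd "$(dirname "$target")" && pwd -P)/$(basename "$target")
        fi
        case "$real" in
            "$ws"/*) rm -rf -- "$target"; printf 'removed %s\n' "$entry" ;;
            *)       printf 'refused %s (resolves to %s)\n' "$entry" "$real" >&2
                     refused=$((refused + 1)) ;;
        esac
    done < "$2"
    return "$refused"
}

# Demo on a constructed throwaway tree that stands in for $WORKSPACE.
demo_ws=$(mktemp -d)
mkdir -p "$demo_ws/src/main/java/com" "$demo_ws/node_modules" "$demo_ws/ThirdParty"
printf '# constructed exclude list\nnode_modules\nThirdParty\n.\n' > "$demo_ws.exclude"
prune_workspace "$demo_ws" "$demo_ws.exclude" || echo "refused $? entries"
ls "$demo_ws"                                   # only src survives
rm -rf "$demo_ws" "$demo_ws.exclude"
```

In a Freestyle job this would run as an "Execute shell" build step placed before the uploader step; the `.` entry in the demo shows that the workspace itself is never a valid target.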

I will try to implement something similar above. Thank you for your fast response and answer.

So I am able to zip up the files/folders I want the uploader to upload. I achieved this by creating a shell script that runs the following.

cd /var/lib/jenkins/jobs/job-name/workspace/project-name/src/main/java
zip -r /tmp/fodupload.zip com -x '*folder/to/exclude/*'
echo "Created HP Fortify target upload ZIP."

My question is, how do you tell the uploader to upload this specific zip file in the /tmp/fodupload.zip location?

@brocktubre

The uploader zips up the current workspace. There's not going to be any support for custom defining zip files, because at that point you've done most of the work the plugin is doing for you in the first place. That's why the suggestion was to delete the things you don't want shipped before it packs it up. If you're going to build your own zip, you can quit using the plugin and use the Uploader Jar. This gives you more granular control at the cost of ease of use. They perform the same actions and call the same upload endpoints.

Different strokes for different folks on which is the right way for you. I prefer to just trim the workspace down to what I know needs to be uploaded. Other people prefer to build their own custom zip. That's too much work for me, I'd rather it all go and I'll just handle it once my scan is complete.

Let me know if this helps, and if you have questions about the uploader, feel free to open issues on its page as well.

This makes sense. What I did was create a new job that gets kicked off once the Java project is finished. It moves the needed files and folders into the current $WORKSPACE. Since that workspace only includes the files and folders needed, the Fortify uploader can do the "zipping" of the workspace and upload it using the plugin as intended. Thanks again for the help and fast responses.

Great. I don't know exactly what you're uploading. But to share how we do it a little bit, we just have a completely separate build that does our build + scan, since you typically get better scan results when you compile in debug mode (at least in .NET due to the inclusion of the .pdb files) than in release mode, as we would for the actual deployment.