I tried multiple ways to do this but none worked for me. In the end, I ended up with the following step:
script:
  - gradle build -x check
  - wget https://github.com/snyk/snyk/releases/download/v1.464.0/snyk-linux
  - chmod +x snyk-linux
  - ./snyk-linux auth $SNYK_TOKEN
  - ./snyk-linux test -d --all-projects --json-file-output=snyk-test-output.json
  - cat snyk-test-output.json
  - pipe: snyk/snyk-scan:0.4.6
    variables:
      SNYK_TOKEN: $SNYK_TOKEN
      SNYK_TEST_JSON_INPUT: "snyk-test-output.json"
This, however, results in an error:
===== DEBUG INFORMATION START =====
gradle command: '/opt/atlassian/pipelines/agent/build/gradlew' snykResolvedDepsJson -q --build-file build.gradle --no-daemon -Dorg.gradle.parallel= -Dorg.gradle.console=plain -I /tmp/tmp-202-8XBM7uGB0V1d--init.gradle
[COULD NOT RUN gradle -v]
>>> command: '/opt/atlassian/pipelines/agent/build/gradlew' snykResolvedDepsJson -q --build-file build.gradle --no-daemon -Dorg.gradle.parallel= -Dorg.gradle.console=plain -I /tmp/tmp-202-8XBM7uGB0V1d--init.gradle
>>> exit code: 126
>>> stdout:
>>> stderr:
/bin/sh: 1: /opt/atlassian/pipelines/agent/build/gradlew: Permission denied
===== DEBUG INFORMATION END =====
When I run the same sequence of commands, all works fine:
- ./snyk-linux auth $SNYK_TOKEN
- ./snyk-linux test -d --all-projects --json-file-output=snyk-test-output.json
This is the link to my project: https://bitbucket.org/ig0rski/spring-boot-example/src/master/
Solved it. There were two problems. The first was that the wrapper was not executable. The second was that the wrapper was not set up properly (more info here: https://support.snyk.io/hc/en-us/articles/360007745957-Snyk-test-Could-not-find-or-load-main-class-org-gradle-wrapper-GradleWrapperMain).
The step configuration in the end is:
- step:
    name: Snyk
    script:
      - wget https://github.com/snyk/snyk/releases/download/v1.466.0/snyk-linux
      - chmod +x snyk-linux
      - chmod +x gradlew
      - gradle wrapper --gradle-version 6.8.3 --distribution-type all
      - ./snyk-linux auth $SNYK_TOKEN
      - ./snyk-linux test -d --all-projects --json-file-output=snyk-test-output.json
      - pipe: snyk/snyk-scan:0.4.6
        variables:
          SNYK_TOKEN: $SNYK_TOKEN
          SNYK_TEST_JSON_INPUT: "snyk-test-output.json"
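The two failures in the answer above (a non-executable `gradlew`, exit code 126, and a wrapper that was not set up, the `GradleWrapperMain` error) are both cheap to check before `snyk test` runs. The following pre-flight script is an added example, not code from the thread or from Snyk; it uses Gradle's standard wrapper file layout, and the function names and the checksum helper are my own. The checksum helper is there because the step downloads the `snyk-linux` binary with `wget` and runs it without verifying it; the expected digest is an operator-pinned constant that you supply.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for the two problems
# reported above, plus integrity verification of a downloaded CLI binary.
# Paths follow Gradle's standard wrapper layout; everything else is illustrative.

# ensure_gradle_wrapper DIR : make gradlew executable and confirm the wrapper
# files Gradle needs are present. Returns 0 when usable, 1 otherwise.
# A missing gradle-wrapper.jar is what produces "Could not find or load main
# class org.gradle.wrapper.GradleWrapperMain"; `gradle wrapper` regenerates it.
ensure_gradle_wrapper() {
    dir="$1"
    ok=0
    if [ ! -f "$dir/gradlew" ]; then
        echo "gradlew missing in $dir" >&2
        return 1
    fi
    # The "Permission denied" / exit code 126 case from the debug output.
    [ -x "$dir/gradlew" ] || chmod +x "$dir/gradlew"
    for f in gradle/wrapper/gradle-wrapper.jar gradle/wrapper/gradle-wrapper.properties; do
        if [ ! -f "$dir/$f" ]; then
            echo "wrapper file missing: $f (run: gradle wrapper --gradle-version <ver>)" >&2
            ok=1
        fi
    done
    # The properties file must name a distribution or the wrapper cannot bootstrap.
    if [ -f "$dir/gradle/wrapper/gradle-wrapper.properties" ] &&
       ! grep -q '^distributionUrl=' "$dir/gradle/wrapper/gradle-wrapper.properties"; then
        echo "gradle-wrapper.properties has no distributionUrl" >&2
        ok=1
    fi
    return $ok
}

# sha256_of FILE : print the hex digest with whichever tool the image provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED : refuse to use a downloaded binary (for example
# the snyk-linux release asset fetched with wget) unless it matches a digest
# pinned in the pipeline configuration. Returns 1 on mismatch.
verify_sha256() {
    actual=$(sha256_of "$1")
    if [ "$actual" != "$2" ]; then
        echo "checksum mismatch for $1: got $actual, want $2" >&2
        return 1
    fi
    return 0
}
```

In the pipeline the calls would sit before the `snyk` commands, e.g. `ensure_gradle_wrapper . && verify_sha256 snyk-linux "$SNYK_LINUX_SHA256"`, where `SNYK_LINUX_SHA256` is a repository variable you set from the release you pinned; a mismatch stops the step before the unverified binary is ever executed.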
Hi @Igorski,
I've tried a similar solution as the one you've posted, for a Gradle project, but with some variations:
- step:
    name: 'Deployment to Staging'
    deployment: staging
    script:
      - ./gradlew build -x check
      - nvm install 10.24.1
      - npm -g config set user root
      - npm install -g snyk
      - snyk auth $SNYK_TOKEN
      - snyk test --all-sub-projects --severity-threshold=high --json-file-output=snyk-test-output.json
    after-script:
      - pipe: snyk/snyk-scan:0.4.6
        variables:
          SNYK_TOKEN: $SNYK_TOKEN
          SNYK_TEST_JSON_INPUT: "snyk-test-output.json"
In this case, the installation of the Snyk CLI has been done via npm. The other variation is that the Snyk pipe is in the "after-script" section. When I tried the Snyk pipe after the last snyk command, if the test found a vulnerability, the build stopped and the Snyk pipe was not executed, so the report was not shown. But if the test had not found a vulnerability, the report was shown.
It was only when the Snyk pipe was configured in the "after-script" that the report was shown in both scenarios, when the test passes without vulnerabilities and when a vulnerability is found.
Have you seen this behaviour too? If not, what do you think is wrong in my approach?
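The behaviour described in the post above follows from two facts: the Snyk CLI exits with a non-zero status when `snyk test` finds issues (1 for findings, 2 for an error), and Bitbucket Pipelines stops a `script:` block at the first command that fails, while `after-script:` runs whether or not the step succeeded. Moving the pipe into `after-script` works, but it also runs when the scan itself crashed or never produced a file. The script below is an added example, not code from the thread or from Snyk: it shows the alternative of keeping everything in `script:`, recording the scanner's exit status instead of letting it abort the step, handing the JSON to the report step, and only then failing the build with the original status. `fake_snyk_test` is a constructed stand-in for the real CLI so the example runs offline; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Shows why a failing `snyk test` stops a
# Bitbucket Pipelines `script:` block before a later pipe runs, and how to keep
# the report step reachable without hiding the failure.

# run_scan CMD... : run the scanner and record its exit status in SCAN_STATUS
# instead of letting the shell abort, so a later step can consume the report.
run_scan() {
    SCAN_STATUS=0
    "$@" || SCAN_STATUS=$?
    return 0
}

# report_then_fail JSON_FILE : require the report file (the pipe needs it),
# publish it, then re-raise the scanner's status so findings still fail the
# build. A missing or empty file is a scan error and returns 2.
report_then_fail() {
    json="$1"
    if [ ! -s "$json" ]; then
        echo "missing or empty report: $json" >&2
        return 2
    fi
    # Stand-in for the snyk/snyk-scan pipe consuming SNYK_TEST_JSON_INPUT.
    echo "report: $(wc -c < "$json") bytes"
    return "$SCAN_STATUS"
}

# fake_snyk_test OUT CLEAN : constructed stand-in for `snyk test
# --json-file-output=OUT`. Writes a JSON file and exits 1 when CLEAN is
# "false", mimicking the CLI's exit code when it finds issues. Not the real CLI.
fake_snyk_test() {
    out="$1"
    clean="$2"
    printf '{"ok": %s, "vulnerabilities": []}\n' "$clean" > "$out"
    [ "$clean" = "true" ]
}

# demo : the vulnerable-project case. Prints the report line and returns 1,
# which is what the pipeline step should end with.
demo() {
    tmp=$(mktemp)
    run_scan fake_snyk_test "$tmp" false
    report_then_fail "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

In a real step the sequence is `run_scan snyk test --all-sub-projects --json-file-output=snyk-test-output.json` followed by the pipe and then a final `exit $SCAN_STATUS` (the pipe cannot be called from inside a shell function, so the last command reproduces what `report_then_fail` does here). Compared with `after-script`, this keeps the report step from running on a scan that crashed without producing a file, and it preserves the distinction between "findings" and "scanner error" in the step result.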