Update Jenkinsfile

2025-10-20 12:32:04 +07:00 · 2025-10-20 12:32:04 +07:00 · 73e087a9f5
commit 73e087a9f5
parent 86f3f26e2a
1 changed files with 43 additions and 9 deletions
--- a/52
+++ b/52
@ -100,7 +100,7 @@ pipeline {
      agent any
      steps {
        sh '''
-          set -e
+          set -euo pipefail
          export PATH="$HOME/.dotnet:$PATH"

          echo "=== NuGet vulnerability audit ==="
@ -108,16 +108,50 @@ pipeline {
          dotnet list package --vulnerable || true

          echo "=== OWASP Dependency-Check (no Docker) ==="
+          rm -f depcheck.zip || true
+          rm -rf dependency-check || true
          mkdir -p depcheck
-          DC_VER=latest
-          # Grab the release (platform-independent zip)
-          curl -Ls -o depcheck.zip \
-            https://github.com/jeremylong/DependencyCheck/releases/${DC_VER}/download/dependency-check-${DC_VER}-release.zip || \
-          curl -Ls -o depcheck.zip \
-            https://github.com/jeremylong/DependencyCheck/releases/latest/download/dependency-check-release.zip
-          rm -rf dependency-check && mkdir dependency-check
+
+          API="https://api.github.com/repos/jeremylong/DependencyCheck/releases/latest"
+
+          # Try to resolve the proper asset download URL (the one that ends with -release.zip)
+          echo "Resolving Dependency-Check latest asset URL from GitHub API..."
+          ASSET_URL="$(curl -fsSL "$API" \
+            | jq -r '.assets[]?.browser_download_url | select(test("release\\.zip$"))' \
+            | head -n1 || true)"
+
+          # Fallback: build URL from tag_name (handles tags like vX.Y.Z)
+          if [ -z "${ASSET_URL:-}" ]; then
+            TAG="$(curl -fsSL "$API" | jq -r '.tag_name' || true)"
+            if [ -n "${TAG:-}" ]; then
+              VER="${TAG#v}"
+              ASSET_URL="https://github.com/jeremylong/DependencyCheck/releases/download/${TAG}/dependency-check-${VER}-release.zip"
+            fi
+          fi
+
+          if [ -z "${ASSET_URL:-}" ]; then
+            echo "ERROR: Could not resolve Dependency-Check release asset URL."
+            exit 9
+          fi
+
+          echo "Downloading: $ASSET_URL"
+          curl -fL --retry 3 --retry-all-errors -o depcheck.zip "$ASSET_URL"
+
+          # sanity check the zip (avoid half-downloaded HTML files)
+          file depcheck.zip || true
+          unzip -tq depcheck.zip || { echo "Downloaded file is not a valid ZIP"; exit 9; }
+
+          mkdir -p dependency-check
          unzip -q depcheck.zip -d dependency-check
-          DC_BIN=$(echo dependency-check/dependency-check*/bin/dependency-check.sh)
+
+          DC_BIN="$(echo dependency-check/dependency-check*/bin/dependency-check.sh)"
+          if [ ! -x "$DC_BIN" ]; then
+            echo "ERROR: dependency-check.sh not found under extracted folder"
+            ls -la dependency-check || true
+            exit 9
+          fi
+
+          # Run scan (no NVD update to keep CI fast)
          bash "$DC_BIN" \
            --format "HTML,XML" \
            --project "AS400_API_DOTNET" \