anupong/AS400_API_DOTNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2c5c9ea7d0
AS400_API_DOTNET/Jenkinsfile
Anupong Hompan 2c5c9ea7d0 JK
2025-10-21 12:32:06 +07:00

208 lines
6.0 KiB
Groovy
Raw Blame History

pipeline {
agent any
options {
ansiColor('xterm')
timestamps()
}
environment {
// ถ้าใช้ local bare repo
GIT_URL = 'file:///repos/AS400API.git'
// Path ติดตั้ง dotnet ชั่วคราวใน pipeline
DOTNET_ROOT = "${WORKSPACE}/.dotnet"
PATH = "${DOTNET_ROOT}:${PATH}"
// Dependency-Check cache
DC_DATA = "${JENKINS_HOME}/.dc-cache"
// SonarQube
SONARQUBE_INSTANCE = 'SonarQube'
SONAR_PROJECT_KEY = 'AS400API'
}
stages {
stage('Checkout') {
steps {
checkout([$class: 'GitSCM',
branches: [[name: '*/main']],
userRemoteConfigs: [[url: "${GIT_URL}"]]
])
}
}
stage('Install prerequisites') {
steps {
sh '''
set -euo pipefail
if command -v apt-get >/dev/null 2>&1; then
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install -y --no-install-recommends \
ca-certificates curl unzip jq git openjdk-21-jre-headless
# --- Install ICU runtime (Debian uses versioned package names) ---
if ! ldconfig -p | grep -qi libicu; then
PKG="$(apt-cache search '^libicu[0-9]+$' | awk '{print $1}' | head -n1 || true)"
if [ -n "$PKG" ]; then
echo "Installing ICU package: ${PKG}"
apt-get install -y --no-install-recommends "${PKG}"
else
echo "Falling back to libicu-dev..."
apt-get install -y --no-install-recommends libicu-dev
fi
fi
fi
# Install .NET SDK locally for the build user
mkdir -p "${WORKSPACE}/.dotnet"
curl -fsSL https://dot.net/v1/dotnet-install.sh -o dotnet-install.sh
bash dotnet-install.sh --channel 9.0 --install-dir "${WORKSPACE}/.dotnet"
export PATH="${WORKSPACE}/.dotnet:${PATH}"
dotnet --info
'''
}
}
stage('SCA (NuGet + OWASP)') {
steps {
sh '''
set -euo pipefail
echo "=== NuGet vulnerability audit ==="
dotnet restore
dotnet list package --vulnerable || true
echo "=== OWASP Dependency-Check ==="
rm -rf depcheck dependency-check
mkdir -p depcheck
API="https://api.github.com/repos/jeremylong/DependencyCheck/releases/latest"
echo "Resolving latest Dependency-Check..."
ASSET_URL=$(curl -fsSL "$API" | jq -r '.assets[]?.browser_download_url | select(test("release\\\\.zip$"))' | head -n1)
echo "Downloading: $ASSET_URL"
curl -fL --retry 3 --retry-all-errors -o depcheck.zip "$ASSET_URL"
unzip -oq depcheck.zip -d dependency-check
DC_BIN="dependency-check/dependency-check/bin/dependency-check.sh"
bash "$DC_BIN" --data "${DC_DATA}" --updateonly || true
bash "$DC_BIN" -f HTML -f XML \
--project "AS400API" \
--scan . \
--out depcheck \
--data "${DC_DATA}" \
--noupdate || true
'''
}
post {
always {
archiveArtifacts artifacts: 'depcheck/**', allowEmptyArchive: true
script {
try {
publishHTML(target: [
reportName: 'OWASP Dependency-Check',
reportDir: 'depcheck',
reportFiles: 'dependency-check-report.html',
keepAll: true,
alwaysLinkToLastBuild: true,
allowMissing: true
])
} catch (Throwable e) {
echo "Skipping HTML report publish: ${e.getClass().getSimpleName()}"
}
}
}
}
}
stage('SAST with SonarQube') {
steps {
withSonarQubeEnv("${SONARQUBE_INSTANCE}") {
sh '''
set -euo pipefail
echo "=== SAST with SonarQube ==="
dotnet tool update --global dotnet-sonarscanner
export PATH="$PATH:/root/.dotnet/tools"
dotnet sonarscanner begin \
/k:"${SONAR_PROJECT_KEY}" \
/d:sonar.host.url="$SONAR_HOST_URL" \
/d:sonar.login="$SONAR_AUTH_TOKEN" \
/d:sonar.exclusions="**/bin/**,**/obj/**" \
/d:sonar.test.exclusions="**/*.Tests/**"
dotnet clean -c Release
# สำคัญ: ปิด warnings-as-errors
dotnet build -c Release \
-p:TreatWarningsAsErrors=false\
-warnaserror
'''
}
}
post {
always {
sh 'dotnet sonarscanner end /d:sonar.login="$SONAR_AUTH_TOKEN" || true'
}
}
}
stage('Test + Coverage') {
steps {
sh '''
set -euo pipefail
dotnet build -c Debug
dotnet test \
--logger "junit;LogFileName=test-results.xml" \
--results-directory "TestResults" \
/p:CollectCoverage=true \
/p:CoverletOutput=coverage/ \
/p:CoverletOutputFormat=cobertura
mkdir -p coverage-report
COB=$(find . -type f -name "coverage.cobertura.xml" | head -n1 || true)
if [ -n "$COB" ]; then
cp "$COB" coverage-report/Cobertura.xml
fi
'''
}
post {
always {
junit allowEmptyResults: false, testResults: '**/TestResults/**/*.xml'
archiveArtifacts artifacts: 'coverage-report/**', allowEmptyArchive: true
}
}
}
stage('Build') {
steps {
sh '''
set -euo pipefail
dotnet publish -c Release -o out
'''
}
post {
success {
archiveArtifacts artifacts: 'out/**', allowEmptyArchive: false
}
}
}
stage('Quality Gate') {
steps {
timeout(time: 30, unit: 'MINUTES') {
waitForQualityGate abortPipeline: true
}
}
}
} // end stages
post {
always {
echo "Pipeline finished (status: ${currentBuild.currentResult})"
}
}
} // end pipeline
Reference in New Issue View Git Blame Copy Permalink