Changes for page Jenkins Shared Library

Last modified by Boris Folgmann on 2026/03/30 10:13

Manage
- Copy
Actions
- Export
- Print Preview
Viewers
- Source
- Children
- Content
- Comments
- Likes

From 2.3 to 2.2 From 11.5 to 11.4

From version 11.4

edited by Boris Folgmann
on 2026/03/30 10:09

Change comment: There is no comment for this version

To version 2.3

edited by Boris Folgmann
on 2025/07/09 16:13

Change comment: There is no comment for this version

Raw
Rendered

Summary

Page properties (1 modified, 0 added, 0 removed)
Attachments (0 modified, 0 added, 2 removed)
- 1762161476370-318.png
- 1762161531690-966.png

Details

Page properties

Content

@@ -6,7 +6,7 @@
  == Getting Started ==
--Since the Shared Library is globally configured on all Jenkins instances managed by DevOps-as-a-Service you just need to place the following very short Jenkinsfile in the root folder of your git repository to automatically build your maven, node or go project or simply build a container using a Dockerfile.
++Since the Shared Library is globally configured on all Jenkins instances managed by DevOps-as-a-Service you just need to place the following very short Jenkinsfile in the root folder of your git repository to automatically build your maven or node project or simply build a container using a Dockerfile.
  {{code}}
  @Library('sdcloud') _
@@ -21,35 +21,28 @@
  What the pipeline currently does is visualised in the following image which shows an example for a maven-based Java project.
--[[image:1762161531690-966.png||data-xwiki-image-style-border="true" height="247" width="1654"]]
++[[image:attach:image2022-5-17_17-51-43.png||height="250"]]
--1. **sdcPipeline **prints some valuable information about this shared Jenkinslib. Allocates a node (Jenkins Agent) to start executing the pipeline.
--1. **Checkout**: checking out the source code from git.
--1. **JDK**: If a pom.xml is found, your favorite JDK or the current default is selected .
--1. **Maven Build**: If a pom.xml is found, a maven build is done.
--1. If there's no pom.xml, but a package.json is found a nodejs build is done.
--1. If there is no pom.xml or package.json but a go.mod file, a go build is done.
++1. Checking out the source code from git.
++1. If a pom.xml is found your favorite JDK is selected, by default jdk11. Then a maven build is done.
++1. If there's no pom.xml but a package.json is found a nodejs build is done.
 . Then the following stages are executed in parallel
--11. **Analysis**: For maven projects the Java source code is checked by checkstyle, pmd and spotbugs. Furthermore the job output will be checked for any warnings generated by maven, javac or javadoc.
--If Python modules (.py files) exist in the git repository they will be analyzed using pylint and flake8. If pylint or flake8 are not available on the Jenkins agent the steps will be skipped. Python files that are generated or downloaded into the workspace will not be checked. The results will be displayed on the classical Jenkins build page after the build. For Go projects, the Go test tool is used to run all tests and produce a coverage output file for SonarQube. Additionally, the gotestsum tool is used to produce a report which is picked up by Jenkins.
--If SonarQube is configured fore this Jenkins instance, a **Sonar Scan** is performed on the agent and the result is pushed to SonarQube for further processing.
--11. **Security**:
--111. If it's not a feature or bugfix branch, a dependency check is done which checks if e.g. libraries are used which have known vulnerabilities. The results will be displayed in Jenkins after the build.
--111. If Dependency Track is enabled for the current project, an SBOM file is created and archived in the build. In addition it's pushed to Dependency Track. Jenkins will wait for DepTrack to process the SBOM and display information about found potential vulnerabilities in the build.
--11. **Docker**: this will also work for projects which are neither maven, nodejs or go. A Dockerfile is enough to trigger this part of the pipeline.
--111. **Build Container Image**: If a Dockerfile is found a docker image is built.
--111. **Test Container Image**: The image is started as an isolated container on the Jenkins agent. Any loglines written to stdout or stderr by the container will be displayed.A smoke test is performed which is a simple query for a valid answer on the exposed port of the container.
--111. **Push Container Image**: If the smoke test was successful the container image will be pushed to the image registry.
--For easy identification of the image 3 image tags are defined:
++11. Analysis: For maven projects the Java source code is checked by checkstyle, pmd and spotbugs. Furthermore the job output will be checked for any warnings generated by maven, javac or javadoc. If Python modules (.py files) exist in the git repository they will be analyzed using pylint and flake8. If pylint or flake8 are not available on the Jenkins agent the steps will be skipped. Python files that are generated or downloaded into the workspace will not be checked. The results will be displayed on the classical Jenkins build page after the build.
++11. Security: If it's not a feature or bugfix branch a dependency check is done which checks if e.g. libraries are used which have known vulnerabilities. The results will be displayed in Jenkins after the build.
++11. Docker: this will also work for projects which are neither maven or nodejs. A Dockerfile is enough to trigger this part of the pipeline.
++111. If a Dockerfile is found a docker image is built.
++111. The image is started as an isolated container on the Jenkins agent.
++111. Any loglines written to stdout or stderr by the container will be displayed.
++111. A smoke test is performed which is a simple query for a valid answer on the exposed port of the container.
++111. If the smoke test was successful and the build was not done for a pull request the docker image will be pushed to the docker registry.
++111. For easy identification of the image 3 image tags are defined:
 . BRANCH_NAME-BUILD_NUMBER (e.g. 'production-1014')
 . BRANCH_NAME-GIT_HASH (e.g. 'develop-8a7c4f2')
 . BRANCH_NAME-latest (e.g. 'feature-PKEY-42-latest')
 . (If BRANCH_NAME is defaultBranch the prefix 'BRANCH_NAME-' will not be included.)
--111. **Create Helm Chart**: When a chart/Chart.yaml is found and it's not a pull-request, a Helm Chart will be created and pushed to the Helm Chart repository.
--1. **Yamllint **will check all YAML files in the workspace for errors and warnings. This is done at this place since the Create Helm Chart stage modifies or creates YAML files which should be also checked before the pipeline proceeds.
--1. **Deploy application**: when depolyHelmChart is set to true the Helm chart will be deployed to the Kubernestes cluster and namespace of your choice. Not done in the example diagram.
--1. **Trivy Results**: if a container image was pushed to Harbor as the container registry, the results of the Trivy security scan are fetched from Harbor
--1. **Sonar Results**: finally the pipeline waits for the result of the Sonar Quality Gate to decide on the success of the build.
++111. When a chart/Chart.yaml is found and  it's not a pull request a Helm Chart will be created and pushed to the Helm Chart repository.
++1. Yamllint will check all YAML files in the workspace for errors and warnings. This is done at this place since the Create Helm Chart stage modifies or creates YAML files which should be also checked before the pipeline proceeds.
++1. When depolyHelmChart is set to true the Helm chart will be deployed to the Kubernestes cluster and namespace of your choice. Not done in the example diagram.
  == {{id name="pipeline_customization"/}}Pipeline Customization ==
@@ -132,16 +132,10 @@
  )))|(((
  'npm install && npm run build ~-~-prod'
  )))|(((
--npm command to execute for building Node.JS projects.
++npm command to execute for building Node.JS projects.
  )))
--|= |go|'go'|Golang version to use.
--Refers to a symbolic name of a go tool configuration in Jenkins.
--|= |goBuildCommand|(((
--'go build -o app cmd/server/main.go'
--)))|go build run. Should be overridden for your project.
--|= |goTestCommand|'gotestsum ~-~-format pkgname ~-~-junitfile report.xml ~-~- -failfast -race -coverprofile=coverage.out -tags=test ./...'|Runs gotestsum tool which in turn calls 'go test' for all packages in the project. Should be overridden for your project. The gotestsum tool is available out-of-the-box and produces a report file which is picked up by Jenkins automatically.
  |=(% rowspan="10" %)(((
--Container build
++Docker build
  )))|(((
  dockerBuildPath
  )))|(((
@@ -215,7 +215,7 @@
  Id of the Jenkins Credentials which have to be used to authenticate to the //pullDockerRegistry//.
  )))
  |=(% rowspan="7" %)(((
--Container test
++Docker container test
  )))|(((
  skipSmokeTest
  )))|(((
@@ -266,7 +266,7 @@
  Total time in seconds after which the container is expected to be up and running even if it's still writing loglines to stdout. After this time has passed the container will be queried for an answer.
  )))
  |=(% rowspan="2" %)(((
--Image push
++Docker push
  )))|(((
  pushDockerRegistry
  )))|(((
@@ -282,7 +282,7 @@
  Id of the Jenkins Credentials which have to be used to authenticate to the //pullDockerRegistry//.
  )))
  |=(% rowspan="6" %)(((
--Helm Chart
++Helm chart
  )))|(((
  helmChartPath
  )))|(((
@@ -318,11 +318,9 @@
  |(((
  helmRegistry
  )))|(((
--Helm registry of your DOaaS instance, which is usally 'https:~/~/registry-CUSTOMER.devops.t-systems.net/chartrepo/PROJECTKEY'
++Nexus registry of your DOaaS instance
  )))|(((
--Helm registry to which the packaged Helm chart is uploaded.
--
--
++Name of registry to which the packaged Helm chart is uploaded.
  )))
  |(((
  helmRegistryCredentialsId
@@ -329,12 +329,8 @@
  )))|(((
   'doaas-PROJECTKEY+jenkins-push-harbor' or 'PROJECTKEY-jenkins' (which were added to the credentials of your project folder in Jenkins when the project was set up by the DevOps Portal. While the first is added for Harbor, the second is added for Nexus OSS. That means that the library will automatically choose the best default for you. Please note that Harbor will be prefered, if both tools are used in the project.)
  )))|(((
--Id of the Jenkins Credentials which have to be used to authenticate to the Helm registry for accessing Helm charts.
++Id of the Jenkins Credentials which have to be used to authenticate to the Helm registry for acccessing Helm charts.
  )))
--|= |pullHelmRegistry|Helm registry of your DevOps-as-a-Service instance which is usually 'oci:~/~/registry-CUSTOMER.devops.t-systems.net/'|Helm registry from which dependencies referenced in your chart are pulled.
--|= |pullHelmRegistryCredentialsId|the value set by helmRegistryCredentialsId|Id of the Jenkins Credentials which have to be used to authenticate to the pull Helm registry for pulling Helm charts.
--|= |pushHelmRegistry|Defaults to the Helm registry of your DevOps-as-a-Service instance which is usally 'oci:~/~/registry-CUSTOMER.devops.t-systems.net/'|Helm registry to which your chart is pushed.
--|= |pushHelmRegistryCredentialsId|the value set by helmRegistryCredentialsId|Id of the Jenkins Credentials which have to be used to authenticate to the push Helm registry for pushing Helm charts.
  |=(% rowspan="4" %)(((
  Container image signature
  )))|(((
@@ -365,7 +365,7 @@
  )))|(((
  Id of the Jenkins Credentials for signers private keyfile.
  )))
--|=(% colspan="1" rowspan="8" %)(((
++|=(% colspan="1" rowspan="12" %)(((
  Static Source Code Analysis
  )))|(((
  checkstyleConfig
@@ -390,16 +390,42 @@
  )))|(((
   Name of a config file to use for yamllint. If not set a best-practice[[ relaxed configuration >>url:https://prd.sdc.t-systems.net/bitbucket/projects/DEVOPSAAS/repos/sdcloud-caas-jenkins-libs/browse/resources/com/tsystems/sdc/jenkinslib/yamllint.yml||shape="rect"]]is used which is different from the original yamllint[[ config>>url:https://yamllint.readthedocs.io/en/stable/configuration.html#default-configuration||shape="rect"]].
  )))
++|skipDependencyCheck|false|Set to true to skip the dependency-check.
  |(((
++dependencyCheckTool
++)))|(((
++'dependency-check'
++)))|(((
++Defines which named dependency-check tool should be used.
++)))
++|(((
++dependencyCheckArgs
++)))|(((
++'~-~-disableAssembly ~-~-nvdValidForHours 720'
++)))|(((
++Addtional arguments which are be passed to dependency-check. See [[Dependency>>url:https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html||shape="rect"]][[ Check CLI Arguments>>url:https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html||shape="rect"]] for more information.
++)))
++|(((
++dependencyCheckNvdApiKeyCredentialsId
++)))|(((
++'dependency-check-nvdapikey'
++)))|(((
++If you have your own NVD API Key, set it as a credential of type text in Jenkins. Then specify the credential id using this argument. It will be automatically passed to dependency-check. There will be no error if no credential is found. Just the NVD download will be slower. Please note, on DevOps-as-a-Service a shared NVD API Key is automatically supplied for the default credential id.
++)))
++|(((
  sonarQube
  )))|(((
--true for the defaultBranch and for pull-requests, if a SonarQube version is detected which supports scanning multiple branches
++true for the defaultBranch
--false for all other branches
++false for all other branches and pull-requests
  )))|(((
--Set this to true to force a SonarQube scan for the current branch. Usually this makes only sense if you explicitly want to scan feature and bugfix branches.
++Boolean which determines if SonarQube should be used if an installation is found.
--If not set or set to false, the default branch will be scanned automatically as well as pull-requests, if a SonarQube version is detected which supports scanning multiple branches. This is currently the case for SonarQube Developer and Enterprise editions. The free SonarQube Community edition supports just one branch.
++The default is the best choice for the free community edition of SonarQube, which supports just one branch.
++
++If you have the Developer or Enterprise edition consider setting sonarQube to true to cover all branches. For more information see [[SonarQube>>SonarQube.WebHome]].
++
++Set this to true to force a SonarQube scan for the current branch. Usually this makes only sense if you explicitly want to scan feature and bugfix branches. If not set or set to false, the default branch will be scanned automatically as well as pull-requests if a SonarQube version is detected which supports scanning multiple branches. This is currently the case for SonarQube Developer and Enterprise editions. The free SonarQube Community edition supports just one branch.
  )))
  |(((
  sonarScanMavenOpts
@@ -441,23 +441,6 @@
  |sonarQualityGate| |Sets the desired quality gate to use for the scan result in SonarQube.
  If not specified, the quality gate is not changed.
  As a default, SonarQube will use the quality gate "Sonar way" for new scan results.
--|=(% colspan="1" rowspan="5" %)Dependency Check|skipDependencyCheck|false|Set to true to skip the dependency-check.
--|dependencyCheckTool|'dependency-check'|Defines which named dependency-check tool should be used.
--|dependencyCheckMvnArgs|'-DassemblyAnalyzerEnabled=false'|Additional arguments which are be passed to dependency-check for maven projects.(((
--See [[Dependency Check Maven Configuration>>https://jeremylong.github.io/DependencyCheck/dependency-check-maven/configuration.html]] for more information.
--)))
--|dependencyCheckArgs|'~-~-disableAssembly'|Addtional arguments which are be passed to dependency-check. See [[Dependency>>url:https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html||shape="rect"]][[ Check CLI Arguments>>url:https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html||shape="rect"]] for more information.
--|dependencyCheckNvdApiKeyCredentialsId|'dependency-check-nvdapikey'|If you have your own NVD API Key, set it as a credential of type text in Jenkins. Then specify the credential id using this argument. It will be automatically passed to dependency-check. There will be no error if no credential is found. Just the NVD download will be slower. Please note, on DevOps-as-a-Service a shared NVD API Key is automatically supplied for the default credential id.
--|=(% colspan="1" rowspan="2" %)Dependency Track|depTrackCredentialsId|'PROJECTKEY-deptrack-projectcreator'|(((
--Id of the Jenkins Credential which has to be used to authenticate to Dependency Track for publishing the SBOM.
--)))
--|depTrackClassifier|'application'|The component type (e.g. application, library, firmware, ...) that should be set in the SBOM file.
--Will be later shown as classifier for the project in Dependency Track.
--See [[CycloneDX Metadata Component Type>>https://cyclonedx.org/docs/1.6/json/#metadata_component_type]] for supported values.
--|=(% colspan="1" rowspan="2" %)Trivy|trivySeverity|'High'|String which sets the minimum severity of Trivy findings that has to be reached to mark the Trivy Results stage as unstable.
--Possible values are: "None", "Unknown", "Negligible", "Low", "Medium", "High", "Critical".
--|trivyBuildResult|'SUCCESS'|String which sets the overall build result when the result of the Trivy scan reaches trivyServerity.
--Possible values are: "SUCCESS", "UNSTABLE" or "FAILURE"
  |=(% rowspan="7" %)(((
  Deployment
  )))|(((

1762161476370-318.png

Author

...	...	@@ -1,1 +1,0 @@
1		-xwiki:XWiki.borisfolgmannt-systemscom

Size

...	...	@@ -1,1 +1,0 @@
1		-79.4 KB

Content

1762161531690-966.png

Author

...	...	@@ -1,1 +1,0 @@
1		-xwiki:XWiki.borisfolgmannt-systemscom

Size

...	...	@@ -1,1 +1,0 @@
1		-82.3 KB

Content