Newbie here. My Angular project got 0 violations

It’s quite surprising that I received zero violations.
While having zero violations is a positive outcome, it hasn’t convinced my boss :(.

There is no ‘package-lock.json’ in my repository.
What did I miss in my CI process?

The following are my ‘ng build’ and ‘sca’ stages and scan output.

NgBuild:
  only:
    - master
  image: xxx.com/base_image/ng-cli-karma
  stage: NgBuild
  script:
    - npm cache clean --force
    - npm install --save --save-exact
    - ls -ltra
    - ng build --configuration development
  tags:
    - k8s-runners
  artifacts:
    paths:
      - ./package-lock.json
      - ./package.json
      - ./dist
    when: always
    expire_in: 1 days

sca:
  only:
    - master
  image: xxxx.com/base_image/gitlab-nexus-iq-pipeline:latest
  stage: sca
  tags:
    - k8s-runners
  script:
    - /sonatype/evaluate -i $CI_PROJECT_TITLE ./
  allow_failure: true
  artifacts:
    paths:
      - ./package-lock.json
      - ./dist
    when: always
    expire_in: 1 days

$ /sonatype/evaluate -i $CI_PROJECT_TITLE ./
Commencing Nexus IQ policy evaluation...
[INFO] Validating IQ Server version https://sca.xxx.com...
Nov 13, 2023 2:50:00 AM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
[INFO] Validating application ID angular-ui with the IQ Server https://sca.xxx.com...
[INFO] Discovered commit hash 'b5c97517b9cf366bbb7f66f47a5296a5443da549' via environment variable CI_COMMIT_SHA
[INFO] Starting scan...
[INFO] Scan target: /builds/angular-ui/.
[INFO] Scan configuration properties:
[INFO]    dirExcludes=**/.*, **/CVS
[INFO]    dirIncludes=
[INFO]    fileExcludes=
[INFO]    fileIncludes=
[INFO] 2023-11-13T02:50:01.602Z Starting scanning target: /builds/angular-ui/.
[INFO] 2023-11-13T02:50:06.729Z Scanned 2767 files so far
ANTLR Tool version 4.5.2 used for code generation does not match the current runtime version 4.7.2
ANTLR Runtime version 4.5.2 used for parser compilation does not match the current runtime version 4.7.2
ANTLR Tool version 4.5.2 used for code generation does not match the current runtime version 4.7.2
ANTLR Runtime version 4.5.2 used for parser compilation does not match the current runtime version 4.7.2
ANTLR Tool version 4.5.2 used for code generation does not match the current runtime version 4.7.2
ANTLR Runtime version 4.5.2 used for parser compilation does not match the current runtime version 4.7.2
ANTLR Tool version 4.5.2 used for code generation does not match the current runtime version 4.7.2
ANTLR Runtime version 4.5.2 used for parser compilation does not match the current runtime version 4.7.2
[INFO] 2023-11-13T02:50:06.919Z Scanned 2768 total files
[INFO] Fingerprinting completed in 5 seconds for 0 archives, 2532 total files
[INFO] Discovered repository url 'https://gitlab.xxx.com/angular-ui' via environment variable CI_PROJECT_URL
[INFO] Waiting for policy evaluation to complete...
[INFO] Assigned scan ID xxxyyy
[INFO] Policy evaluation completed in 16 seconds.
[INFO] 
[INFO] 
[INFO] 
[INFO] 
[INFO] *********************************************************************************************
[INFO] Policy Action: None
[INFO] Stage: build
[INFO] Number of components affected: 0 critical, 0 severe, 0 moderate
[INFO] Number of open policy violations: 0 critical, 0 severe, 0 moderate
[INFO] Number of grandfathered policy violations: 0
[INFO] Number of components: 61
[INFO] The detailed report can be viewed online at https://sca.xxxyyy.com/angular-ui/report/xxxyyy
[INFO] *********************************************************************************************
[INFO] Processing policy evaluation results...
...Nexus IQ policy evaluation complete
Uploading artifacts for successful job
Uploading artifacts...
./package-lock.json: found 1 matching files and directories
./dist: found 1652 matching files and directories
Uploading artifacts as "archive" to coordinator... 201 Created  id=000000 responseStatus=201 Created token=123456
Cleaning up project directory and file based variables
Job succeeded

Since the package-lock.json is not in the source control, running ‘npm install’ should install the latest versions of the packages.
However, I have a gut feeling that the SCA server doesn’t have data on the latest versions for those packages.

Hi, I believe you’d want to post this in the Sonatype Lifecycle & Repository Firewall section of the forums; I’m afraid I don’t have the ability to move the post for you.

(This section is for the Repository Manager)

I’ve moved this post to the Lifecycle/Firewall section.


Thank you guys.
Just an update on some progress.

I use “cache” instead of the “artifact” to retain the node_modules/.
That made a slight difference.

The major reason should be that our project always installs the latest version.
But I am not sure the reason is the same as in the following article.