- Updated the Jenkins Freestyle UI form to add checkboxes for scan tests (SAST, SBOM, CVE), and also added a method to retrieve those details for the Pipeline method, so users can choose which tests to run from the plugin.

Susenthiran28 · Susenthiran28 · commit 9c06b6532661 · 2025-12-03T15:45:35.000+05:30
diff --git a/src/main/java/io/jenkins/plugins/ApiService.java b/src/main/java/io/jenkins/plugins/ApiService.java
@@ -9,12 +9,13 @@
 import java.io.OutputStream;
 import java.net.HttpURLConnection;
 import java.net.URL;
+import java.util.List;
 
 public class ApiService {
 
-    public static boolean triggerScan(String token, String targetFile, EnvVars env, TaskListener listener) {
+    public static boolean triggerScan(String token, String targetFile, List<String> scanTypes, EnvVars env, TaskListener listener) {
         try {
-            URL url = new URL("https://devmiddleware.vigilnz.com/scan-targets/create");
+            URL url = new URL("http://localhost:8000/scan-targets/multi-scan");
 
             String branch = env.get("GIT_BRANCH");
             String repoUrl = env.get("GIT_URL");
@@ -27,28 +28,27 @@ public static boolean triggerScan(String token, String targetFile, EnvVars env,
             HttpURLConnection conn = (HttpURLConnection) url.openConnection();
 
             conn.setRequestMethod("POST");
-            conn.setRequestProperty("Cookie", "__stripe_mid=8049620b-fc23-4fa0-bef6-2f457e454c507c1186; express.sid=s%3ASI1hdS10BJDFcC8Uh56X2kAS_5s_DyCA.Wrv4dKq4xj9ANv4B0EcTVtlCD96CRCK42XjjrAT2FqQ; cf_clearance=UnXvGmt.bZ52lZ.FJ78KsgODIH4Rq6f2_ocM0R8dEnw-1764075148-1.2.1.1-N.oIfJmGZpOHjfT23xgSNnJOOrCttLWtkNAC.Zth32AjfpBCn4RfCKLlRBINS3ES1AfmTiK3Mj8JK8FD8D5z9cC.1hQQJSUYrLBEJ.502c6SCnQPcui_le_Q2cFvlONWOaUdXnQje.RJceuOu1jXk7cNTd272Uc7hlbI5j6mYFaiBqPlrXfi3NJwnrsNWWZnvMNZvTV9Eo2q4LfKVW2RMKp8L3L5b5A.bw.4JID7DjM");
+            conn.setRequestProperty("Cookie", token);
             conn.setRequestProperty("Content-Type", "application/json");
             conn.setDoOutput(true);
 
+            // Validate scan types
+            if (scanTypes == null || scanTypes.isEmpty()) {
+                listener.error("No scan types selected. At least one scan type is required.");
+                return false;
+            }
+
             JSONObject json = new JSONObject();
-            json.put("repositoryId", "69148c059c852f7dbff13d0c");
-            json.put("scanType", "cve");
-            json.put("repoName", "awesome-go");
-            json.put("gitRepoUrl", "https://github.com/avelino/awesome-go.git");
-            json.put("organization", "Go Projects");
-            json.put("language", "unknown");
-            json.put("status", "active");
+            // Send scan types as array
+            json.put("scanTypes", scanTypes);
+            json.put("project", repoUrl);
+            json.put("gitRepoUrl", repoUrl);
+            if (targetFile != null) json.put("targetFile", targetFile);
 
             String body = json.toString();
 
-            listener.getLogger().println("API URL: " + conn.getURL());
-            listener.getLogger().println("Method: " + conn.getRequestMethod());
-            listener.getLogger().println("Headers: Content-Type=" + conn.getRequestProperty("Content-Type"));
-            listener.getLogger().println("Cookies: " + conn.getRequestProperty("Cookie"));
             listener.getLogger().println("Request Body: " + body);
 
-            listener.getLogger().println("API Run : " + conn);
             try (OutputStream os = conn.getOutputStream()) {
                 os.write(body.getBytes());
             }
@@ -64,7 +64,7 @@ public static boolean triggerScan(String token, String targetFile, EnvVars env,
                 while ((line = reader.readLine()) != null) {
                     response.append(line);
                 }
-                listener.getLogger().println("API Response Body: " + response.toString());
+                listener.getLogger().println("API Response Body: " + response);
             }
 
             return responseCode == 200;
diff --git a/src/main/java/io/jenkins/plugins/PipelineStep.java b/src/main/java/io/jenkins/plugins/PipelineStep.java
@@ -9,17 +9,20 @@
 import org.jenkinsci.plugins.workflow.steps.StepExecution;
 import org.kohsuke.stapler.DataBoundConstructor;
 
+import java.util.List;
 import java.util.Set;
 
 public class PipelineStep extends Step {
 
     private final String token;
     private final String targetFile;
+    private final List<String> scanTypes;
 
     @DataBoundConstructor
-    public PipelineStep(String token, String targetFile) {
+    public PipelineStep(String token, String targetFile, List<String> scanTypes) {
         this.token = token;
         this.targetFile = targetFile;
+        this.scanTypes = scanTypes != null ? scanTypes : List.of();
     }
 
     public String getToken() {
@@ -30,6 +33,10 @@ public String getTargetFile() {
         return targetFile;
     }
 
+    public List<String> getScanTypes() {
+        return scanTypes != null ? scanTypes : List.of();
+    }
+
     @Override
     public StepExecution start(StepContext context) throws Exception {
         return new PipelineStepExecution(this, context);
diff --git a/src/main/java/io/jenkins/plugins/PipelineStepExecution.java b/src/main/java/io/jenkins/plugins/PipelineStepExecution.java
@@ -14,6 +14,7 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
+import java.util.List;
 
 public class PipelineStepExecution extends StepExecution {
     private final transient PipelineStep step;
@@ -93,7 +94,17 @@ public boolean start() throws Exception {
             }
 
             String token = creds.getToken().getPlainText();
-            boolean result = ApiService.triggerScan(token, step.getTargetFile(), env, listener);
+            List<String> scanTypes = step.getScanTypes();
+            
+            // Validate at least one scan type is selected
+            if (scanTypes == null || scanTypes.isEmpty()) {
+                listener.error("Error: At least one scan type must be selected.");
+                getContext().onFailure(new AbortException("At least one scan type must be selected"));
+                return false;
+            }
+            
+            listener.getLogger().println("Selected Scan Types: " + String.join(", ", scanTypes));
+            boolean result = ApiService.triggerScan(token, step.getTargetFile(), scanTypes, env, listener);
 
             if (!result) {
                 listener.error("Scan failed");
diff --git a/src/main/java/io/jenkins/plugins/SecurityCheckBuilder.java b/src/main/java/io/jenkins/plugins/SecurityCheckBuilder.java
@@ -15,16 +15,21 @@
 import hudson.util.Secret;
 import org.kohsuke.stapler.AncestorInPath;
 import org.kohsuke.stapler.DataBoundConstructor;
+import org.kohsuke.stapler.DataBoundSetter;
 import org.kohsuke.stapler.QueryParameter;
 
 import java.io.IOException;
 import java.util.Collections;
+import java.util.List;
 
 // This file for Jenkins FreeStyle Job Method
 public class SecurityCheckBuilder extends Builder {
 
     private final Secret token;
     private final String targetFile;
+    private boolean cveScan;
+    private boolean sastScan;
+    private boolean sbomScan;
 
     @DataBoundConstructor
     public SecurityCheckBuilder(Secret token, String targetFile) {
@@ -40,17 +45,81 @@ public String getTargetFile() {
         return targetFile;
     }
 
+    public boolean isCveScan() {
+        return cveScan;
+    }
+
+    @DataBoundSetter
+    public void setCveScan(boolean cveScan) {
+        this.cveScan = cveScan;
+    }
+
+    public boolean isSastScan() {
+        return sastScan;
+    }
+
+    @DataBoundSetter
+    public void setSastScan(boolean sastScan) {
+        this.sastScan = sastScan;
+    }
+
+    public boolean isSbomScan() {
+        return sbomScan;
+    }
+
+    @DataBoundSetter
+    public void setSbomScan(boolean sbomScan) {
+        this.sbomScan = sbomScan;
+    }
+
+    public List<String> getScanTypes() {
+        List<String> types = new java.util.ArrayList<>();
+        if (cveScan) types.add("cve");
+        if (sastScan) types.add("sast");
+        if (sbomScan) types.add("sbom");
+        return types;
+    }
+
     // this function trigger when user click the build button
     @Override
     public boolean perform(AbstractBuild build, Launcher launcher, BuildListener listener) throws InterruptedException, IOException {
 
         EnvVars env = build.getEnvironment(listener);
         listener.getLogger().println("------ Freestyle Method ------");
 
-        String tokenText = token.getPlainText(); // actual value
+        // Build scan types list from checkboxes
+        List<String> scanTypes = getScanTypes();
+
+        // Validate at least one scan type is selected
+        if (scanTypes.isEmpty()) {
+            listener.error("Error: At least one scan type must be selected.");
+            return false;
+        }
+
+        // Get the credential ID from the Secret
+        String credentialId = token.getPlainText();
+        
+        // Look up the actual TokenCredentials object
+        TokenCredentials creds = CredentialsProvider.findCredentialById(
+            credentialId,
+            TokenCredentials.class,
+            build
+        );
+
+        if (creds == null) {
+            listener.error("Error: Vigilnz Token credential not found with ID: " + credentialId);
+            return false;
+        }
+
+        // Get the actual token value from the credential
+        String tokenText = creds.getToken().getPlainText();
+        
+        listener.getLogger().println("Credential ID: " + credentialId);
         listener.getLogger().println("Your Token from Plugin: " + tokenText);
         listener.getLogger().println("Your Target File : " + targetFile);
-        boolean result = ApiService.triggerScan(tokenText, targetFile, env, listener);
+        listener.getLogger().println("Selected Scan Types: " + String.join(", ", scanTypes));
+
+        boolean result = ApiService.triggerScan(tokenText, targetFile, scanTypes, env, listener);
 
         if (!result) {
             listener.error("Scan failed");
@@ -72,7 +141,7 @@ public ListBoxModel doFillTokenItems(@AncestorInPath Item project) {
             ListBoxModel items = new ListBoxModel();
 
             for (TokenCredentials c : CredentialsProvider.lookupCredentials(TokenCredentials.class, project, ACL.SYSTEM, Collections.emptyList())) {
-                String label = c.getTokenDescription();
+                String label = c.getTokenId().isEmpty() ? c.getTokenDescription() : c.getTokenId();
                 if (label == null || label.isEmpty()) {
                     label = c.getId();
                 }
@@ -93,6 +162,15 @@ public FormValidation doCheckToken(@QueryParameter Secret token) {
             }
             return FormValidation.ok();
         }
+
+        public FormValidation doCheckScanTypes(@QueryParameter boolean cveScan,
+                                               @QueryParameter boolean sastScan,
+                                               @QueryParameter boolean sbomScan) {
+            if (!cveScan && !sastScan && !sbomScan) {
+                return FormValidation.error("You must select at least one scan type.");
+            }
+            return FormValidation.ok();
+        }
     }
 
 }
diff --git a/src/main/java/io/jenkins/plugins/TokenCredentials.java b/src/main/java/io/jenkins/plugins/TokenCredentials.java
@@ -24,8 +24,11 @@ public TokenCredentials(
             Secret token
     ) {
         super(scope, tokenId, tokenDescription);
+        // If tokenId is null or empty, use empty string (Jenkins will handle ID generation)
+        // This prevents errors when updating credentials that were created without an ID
+        String idToUse = (tokenId == null || tokenId.trim().isEmpty()) ? "" : tokenId;
         this.token = token;
-        this.tokenId = tokenId;
+        this.tokenId = idToUse;
         this.tokenDescription = tokenDescription;
     }
 
@@ -34,6 +37,10 @@ public Secret getToken() {
     }
 
     public String getTokenId() {
+        // If tokenId was never set by user, return the actual Jenkins-generated ID
+        if (tokenId == null || tokenId.trim().isEmpty()) {
+            return getId();
+        }
         return tokenId;
     }
 
diff --git a/src/main/resources/io/jenkins/plugins/SecurityCheckBuilder/config.jelly b/src/main/resources/io/jenkins/plugins/SecurityCheckBuilder/config.jelly
@@ -5,21 +5,17 @@
         <c:select/>
     </f:entry>
 
-    <!-- Hidden area -->
-    <div id="tokenOptions" style="display:none; margin-top:10px;">
-        <f:entry title="Organisation">
-            <f:textbox name="organisation"/>
-        </f:entry>
-    </div>
-
+    <f:entry field="scanTypes" title="Scan Types" description="Select at least one scan type (required)">
+        <div style="display:flex;gap:20px;">
+            <f:checkbox field="cveScan" title="CVE Scan"/>
+            <f:checkbox field="sastScan" title="SAST Scan"/>
+            <f:checkbox field="sbomScan" title="SBOM Scan"/>
+        </div>
+    </f:entry>
+<!--    <f:entry title="Project" field="projectName">-->
+<!--        <f:textbox/>-->
+<!--    </f:entry>-->
     <f:entry title="Target File" field="targetFile">
         <f:textbox/>
     </f:entry>
-
-    <script>
-        function showTokenOptions() {
-        document.getElementById("tokenOptions").style.display = "block";
-        }
-    </script>
-
 </j:jelly>
diff --git a/src/main/resources/io/jenkins/plugins/SecurityCheckBuilder/help-scanTypes.html b/src/main/resources/io/jenkins/plugins/SecurityCheckBuilder/help-scanTypes.html
@@ -0,0 +1,17 @@
+<div>
+    Choose at least one scan type to analyze your project:
+    <br><br>
+    <li style="list-style:none;margin-left:10px;margin-bottom:5px;">
+        <b>CVE Scan</b> : Checks for known vulnerabilities in dependencies and libraries.
+    </li>
+    <li style="list-style:none;margin-left:10px;margin-bottom:5px;">
+        <b>SAST Scan</b> : Performs Static Application Security Testing to detect insecure code patterns.
+    </li>
+    <li style="list-style:none;margin-left:10px;">
+        <b>SBOM Scan</b> : Generates a Software Bill of Materials to identify components and track potential risks.
+    </li>
+    <br>
+    <li style="list-style:none;">
+        Selecting multiple scan types provides broader coverage and stronger security insights.
+    </li>
+</div>
diff --git a/src/main/resources/io/jenkins/plugins/TokenCredentials/config.jelly b/src/main/resources/io/jenkins/plugins/TokenCredentials/config.jelly
@@ -4,13 +4,21 @@
     <f:entry title="Token" field="token">
         <f:password/>
     </f:entry>
-    <f:entry title="ID" field="tokenId">
+    
+    <f:entry title="ID">
         <j:choose>
-            <j:when test="${instance != null and instance.tokenId != null}">
-                <f:readOnlyTextbox/>
+            <!-- Existing credential: show read-only with actual Jenkins ID -->
+            <j:when test="${instance != null}">
+                <!-- Get the actual ID to display and submit -->
+                <j:set var="idValue" value="${instance.tokenId != null and instance.tokenId != '' ? instance.tokenId : instance.id}"/>
+                <!-- Display as read-only -->
+                <f:readOnlyTextbox value="${idValue}"/>
+                <!-- Submit the actual ID as hidden field (not using field="tokenId" to avoid conflict) -->
+                <input type="hidden" name="tokenId" value="${idValue}"/>
             </j:when>
+            <!-- New credential: allow user to enter ID (optional) -->
             <j:otherwise>
-                <f:textbox/>
+                <f:textbox field="tokenId"/>
             </j:otherwise>
         </j:choose>
     </f:entry>
