CI 14674 - resubmit

.gitignore

@@ -0,0 +1,6 @@
+.env
+release/
+drone-nunit
+NOTES*
+output.json
+.vscode/

README.md

@@ -1 +1,222 @@
-# drone-veracode
+# drone-Veracode
+
+# Overview
+This plugin performs a Veracode Upload and Scan operation using the official Veracode Java API Wrapper. It supports file filtering, scanning options, policy evaluations, proxy support, and job failure handling logic.
+
+## Building
+
+Build the plugin binary:
+
+```text
+scripts/build.sh
+```
+
+Build the plugin image:
+
+```text
+docker build -t plugins/veracode -f docker/Dockerfile .
+```
+
+🚀 Testing
+You can run the plugin locally using:
+
+```
+docker run --rm \
+  -e PLUGIN_APPLICATION_NAME="My App" \
+  -e PLUGIN_CRITICALITY="VeryHigh" \
+  -e PLUGIN_SANDBOX_NAME="Integration" \
+  -e PLUGIN_TIMEOUT=10 \
+  -e PLUGIN_CREATE_PROFILE=true \
+  -e PLUGIN_TEAMS="SecurityTeam" \
+  -e PLUGIN_CREATE_SANDBOX=true \
+  -e PLUGIN_DEBUG=true \
+  -e PLUGIN_UPLOAD_INCLUDES_PATTERN="**/*.jar" \
+  -e PLUGIN_UPLOAD_EXCLUDES_PATTERN="**/test/**" \
+  -e PLUGIN_SCAN_INCLUDES_PATTERN="**/*.jar" \
+  -e PLUGIN_SCAN_EXCLUDES_PATTERN="**/test/**" \
+  -e PLUGIN_FILE_NAME_PATTERN="*.jar" \
+  -e PLUGIN_REPLACEMENT_PATTERN="*.zip" \
+  -e PLUGIN_SCAN_ALL_NON_FATAL_TOP_LEVEL_MODULES=true \
+  -e PLUGIN_INCLUDE_NEW_MODULES=true \
+  -e PLUGIN_P_HOST="proxy.example.com" \
+  -e PLUGIN_P_PORT="8080" \
+  -e PLUGIN_P_USER="proxyuser" \
+  -e PLUGIN_P_PASSWORD="proxypass" \
+  -e PLUGIN_VID="veracode_api_id" \
+  -e PLUGIN_VKEY="veracode_api_key" \
+  -e PLUGIN_DELETE_INCOMPLETE_SCAN=true \
+  -e PLUGIN_WAIT_FOR_SCAN=true \
+  -e PLUGIN_TIMEOUT_FAILS_JOB=true \
+  -e PLUGIN_UNSTABLE_BUILD=true \
+  -e PLUGIN_CAN_FAIL_JOB=true \
+  -e PLUGIN_USE_PROXY=true \
+  -e PLUGIN_VERSION="build-123" \
+  -e PLUGIN_LEVEL="info" \
+  -v $(pwd):/drone/src \
+  plugins/veracode
+```
+
+📦 Example Harness Step
+
+```
+- step:
+    identifier: veracode-scan
+    name: Veracode Static Scan
+    spec:
+      image: plugins/veracode
+      settings:
+        application_name: "My App"
+        criticality: "VeryHigh"
+        sandbox_name: "Integration"
+        timeout: 15
+        create_profile: true
+        create_sandbox: true
+        teams: "SecurityTeam"
+        debug: true
+        upload_includes_pattern: "**/*.jar"
+        upload_excludes_pattern: "**/test/**"
+        scan_includes_pattern: "**/*.jar"
+        scan_excludes_pattern: "**/test/**"
+        file_name_pattern: "*.jar"
+        replacement_pattern: "*.zip"
+        scan_all_non_fatal_top_level_modules: true
+        include_new_modules: true
+        p_host: "proxy.example.com"
+        p_port: "8080"
+        p_user: "proxyuser"
+        p_password: "proxypass"
+        vid: "veracode_api_id"
+        vkey: "veracode_api_key"
+        delete_incomplete_scan: true
+        wait_for_scan: true
+        timeout_fails_job: true
+        unstable_build: true
+        can_fail_job: true
+        use_proxy: true
+        version: "build-123"
+        level: "info"
+    timeout: '20m'
+    type: Plugin
+```
+
+# Plugin Settings
+
+- `PLUGIN_APPLICATION_NAME`
+Description: Name of the Veracode application to scan.
+Example: My Application
+
+- `PLUGIN_CRITICALITY`
+Description: Criticality of the application (VeryHigh, High, Medium, Low, etc.).
+Example: High
+
+- `PLUGIN_SANDBOX_NAME`
+Description: Optional sandbox name to use during the scan.
+Example: Integration Sandbox
+
+- `PLUGIN_TIMEOUT`
+Description: Maximum timeout in minutes for the scan to complete.
+Example: 15
+
+- `PLUGIN_CREATE_PROFILE`
+Description: If true, creates the application profile if it doesn't exist.
+Example: true
+
+- `PLUGIN_TEAMS`
+Description: Comma-separated list of teams to associate with the scan.
+Example: DevSecOps,QA
+
+- `PLUGIN_CREATE_SANDBOX`
+Description: If true, creates a sandbox if it does not exist.
+Example: true
+
+- `PLUGIN_DEBUG`
+Description: Enable debug-level logs.
+Example: true
+
+- `PLUGIN_UPLOAD_INCLUDES_PATTERN`
+Description: Comma-separated Ant-style file patterns to include for upload.
+Example: **/*.jar,**/*.war
+
+- `PLUGIN_UPLOAD_EXCLUDES_PATTERN`
+Description: Comma-separated Ant-style file patterns to exclude from upload.
+Example: **/test/**,**/docs/**
+
+- `PLUGIN_SCAN_INCLUDES_PATTERN`
+Description: Pattern to include specific modules during scan.
+Example: *.jar
+
+- `PLUGIN_SCAN_EXCLUDES_PATTERN`
+Description: Pattern to exclude specific modules from scan.
+Example: *-test.jar
+
+- `PLUGIN_FILE_NAME_PATTERN`
+Description: Pattern used for renaming files during upload.
+Example: *.jar
+
+- `PLUGIN_REPLACEMENT_PATTERN`
+Description: Pattern to replace file name strings (used with PLUGIN_FILE_NAME_PATTERN).
+Example: *.zip
+
+- `PLUGIN_SCAN_ALL_NON_FATAL_TOP_LEVEL_MODULES`
+Description: If true, scan all non-fatal top-level modules.
+Example: true
+
+- `PLUGIN_INCLUDE_NEW_MODULES`
+Description: If true, includes new modules found during the scan.
+Example: true
+
+- `PLUGIN_P_HOST`
+Description: Proxy host to use for outbound Veracode traffic.
+Example: proxy.example.com
+
+- `PLUGIN_P_PORT`
+Description: Proxy port to use.
+Example: 8080
+
+- `PLUGIN_P_USER`
+Description: Username for authenticating with the proxy.
+Example: proxyuser
+
+- `PLUGIN_P_PASSWORD`
+Description: Password for the proxy user.
+Example: proxypassword
+
+- `PLUGIN_VID`
+Description: Veracode API ID used for authentication.
+Example: abc123xyz
+
+- `PLUGIN_VKEY`
+Description: Veracode API Key used for authentication.
+Example: secret-api-key
+
+- `PLUGIN_DELETE_INCOMPLETE_SCAN`
+Description: If true, deletes any existing incomplete scan before starting a new one.
+Example: true
+
+- `PLUGIN_WAIT_FOR_SCAN`
+Description: If true, the plugin will wait until the scan finishes and retrieves the result.
+Example: true
+
+- `PLUGIN_TIMEOUT_FAILS_JOB`
+Description: If true, the job will fail if the scan times out.
+Example: true
+
+- `PLUGIN_UNSTABLE_BUILD`
+Description: If true, policy failures mark the build as unstable (exit code 2).
+Example: true
+
+- `PLUGIN_CAN_FAIL_JOB`
+Description: If true, scan failure will fail the job; if false, it only logs warnings.
+Example: true
+
+- `PLUGIN_USE_PROXY`
+Description: If true, enables proxy settings for the scan.
+Example: true
+
+- `PLUGIN_VERSION`
+Description: Version name to associate with the scan.
+Example: v1.0.0-build123
+
+- `PLUGIN_LEVEL`
+Description: Defines the plugin log level (debug, info, warn, etc.).
+Example: info

docker/Dockerfile

@@ -0,0 +1,28 @@
+# Step 1: Extract Veracode Java Wrapper from official image
+FROM veracode/api-wrapper-java:cmd as veracode-wrapper
+
+# Step 2: Base image for the plugin
+FROM alpine:3.20
+
+ENV GODEBUG netdns=go
+
+# Install Java and SSL certs
+RUN apk add --no-cache openjdk17 ca-certificates
+
+# Set working directory to match Veracode wrapper usage
+WORKDIR /home/luser
+
+# Create required .veracode folder
+RUN mkdir -p /home/luser/.veracode
+
+# Copy plugin binary from your release
+ADD release/linux/amd64/plugin /bin/plugin
+
+# Copy Veracode API Wrapper .jar from the first stage
+COPY --from=veracode-wrapper /opt/veracode/api-wrapper.jar /opt/veracode/api-wrapper.jar
+
+# Make plugin executable
+RUN chmod +x /bin/plugin
+
+# Entry point
+ENTRYPOINT ["/bin/plugin"]

docker/Dockerfile.linux.arm64

@@ -0,0 +1,28 @@
+# Step 1: Extract Veracode Java Wrapper from official image
+FROM veracode/api-wrapper-java:cmd as veracode-wrapper
+
+# Step 2: Base image for the plugin (ARM64 compatible)
+FROM alpine:3.20
+
+ENV GODEBUG netdns=go
+
+# Install Java and SSL certs
+RUN apk add --no-cache openjdk17 ca-certificates
+
+# Set working directory
+WORKDIR /home/luser
+
+# Create required .veracode folder
+RUN mkdir -p /home/luser/.veracode
+
+# Copy ARM64 plugin binary from release
+ADD release/linux/arm64/plugin /bin/plugin
+
+# Copy Veracode API Wrapper .jar
+COPY --from=veracode-wrapper /opt/veracode/api-wrapper.jar /opt/veracode/api-wrapper.jar
+
+# Make plugin executable
+RUN chmod +x /bin/plugin
+
+# Set entry point
+ENTRYPOINT ["/bin/plugin"]

docker/Dockerfile.windows

@@ -0,0 +1,31 @@
+# Use OpenJDK 17 on Windows Server Core
+FROM openjdk:17-jdk-windowsservercore-ltsc2022
+
+# Switch to ContainerAdministrator user (needed for setup)
+USER ContainerAdministrator
+
+# Set Go to use Go's own DNS resolver
+ENV GODEBUG=netdns=go
+
+# Create necessary folders
+RUN powershell -Command "New-Item -ItemType Directory -Path 'C:\\veracode' -Force"
+RUN powershell -Command "New-Item -ItemType Directory -Path 'C:\\opt\\veracode' -Force"
+RUN powershell -Command "New-Item -ItemType Directory -Path 'C:\\Users\\ContainerUser\\.veracode' -Force"
+
+# Download Veracode Java API Wrapper (from correct Maven Central URL) with forced TLS 1.2
+RUN powershell -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://repo1.maven.org/maven2/com/veracode/vosp/api/wrappers/vosp-api-wrappers-java/24.10.15.0/vosp-api-wrappers-java-24.10.15.0-dist.zip' -OutFile 'C:\\veracode\\api-wrapper.zip'"
+
+# Expand the downloaded Veracode zip
+RUN powershell -Command "Expand-Archive -Path 'C:\\veracode\\api-wrapper.zip' -DestinationPath 'C:\\veracode'"
+
+# Move VeracodeJavaAPI.jar to target /opt/veracode/api-wrapper.jar
+RUN powershell -Command "Copy-Item -Path (Get-ChildItem -Path 'C:\\veracode' -Recurse -Filter 'VeracodeJavaAPI.jar').FullName -Destination 'C:\\opt\\veracode\\api-wrapper.jar'"
+
+# Copy your Go plugin Windows executable
+ADD release/windows/amd64/plugin.exe C:/plugin.exe
+
+# Set working directory
+WORKDIR C:/
+
+# Set plugin executable as entrypoint
+ENTRYPOINT ["C:\\plugin.exe"]

docker/manifest.tmpl

@@ -0,0 +1,24 @@
+image: plugins/veracode:{{- if build.tag }}{{ trimPrefix "v" build.tag }}{{ else }}latest{{ end }}
+{{- if build.tags }}
+tags:
+{{- range build.tags }}
+  - {{ . }}
+{{- end }}
+{{- end }}
+manifests:
+  -
+    image: plugins/veracode:{{- if build.tag }}{{ trimPrefix "v" build.tag }}-{{ end }}linux-amd64
+    platform:
+      architecture: amd64
+      os: linux
+  -
+    image: plugins/veracode:{{- if build.tag }}{{ trimPrefix "v" build.tag }}-{{ end }}linux-arm64
+    platform:
+      variant: v8
+      architecture: arm64
+      os: linux
+  -
+    image: plugins/veracode:{{- if build.tag }}{{ trimPrefix "v" build.tag }}-{{ end }}windows-amd64
+    platform:
+      architecture: amd64
+      os: windows

go.mod

@@ -0,0 +1,21 @@
+module github.com/drone/drone-veracode
+
+go 1.23.1
+
+require (
+	github.com/google/go-cmp v0.6.0
+	github.com/kelseyhightower/envconfig v1.4.0
+	github.com/sirupsen/logrus v1.9.3
+)
+
+require (
+	github.com/georgeJobs/go-antpathmatcher v0.0.0-20231023102852-19d9ea929586 // indirect
+	gopkg.in/guregu/null.v3 v3.5.0 // indirect
+)
+
+require (
+	github.com/antfie/veracode-go-hmac-authentication v1.0.0
+	github.com/bmatcuk/doublestar/v4 v4.8.1
+	github.com/joho/godotenv v1.5.1
+	golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect
+)