jenkinsci / nexus-platform-plugin

Nexus Platform Plugin for Jenkins

Optionally do not set pipeline result as UNSTABLE/FAILED

yunduz opened this issue · comments

Dependencies

N/A

Feature Request

Currently, when risks/vulnerabilities are found by Nexus IQ, the Jenkins pipeline result is set to UNSTABLE/FAILED and there is no way to override the result of the pipeline with a better value (SUCCESS). For our case, we don't treat found risks as something needing immediate attention; thus, we would like to keep our pipeline green even if Nexus IQ finds risks.

Note: the documentation says that "The build result can also be overridden in a Pipeline."; however, that's not the case (it can only be overridden to a worse state, not a better one).

Is there any update on this? I've tested with the latest version and the build status is set to FAILED even when I'm using:

options {
    catchError(buildResult: 'UNSTABLE')
}

or when I wrap the plugin invocation with either a catchError closure or try/catch as below:

try {
    nexusPolicyEvaluation failBuildOnNetworkError: false, iqApplication: "<appId>", iqStage: 'build', iqScanPatterns: [[scanPattern: '**/requirements.txt']]
} catch (err) {
    echo err.message
}

The only way to have some control over the build status is to use the CLI jar instead of the plugin.

Could you either:

  1. add an option to the plugin to set the build status in case of failure, or
  2. check why it doesn't quite work with built-in error handling mechanisms in Jenkins such as catchError?

We're having the same dilemma/issue and it's preventing us from being able to use the nexus jenkins plugin step vs the cli when running our pipelines.

The plugin is intended to work like this. I'll try to explain why it works the way it does.

In Nexus IQ, admins create policies for different security and legal risks. Those policies have, among other things, actions associated with them, which define what the system should do when a policy check fails. Those actions are: 'fail', 'warn', and 'no action'. The people setting up those policies are usually considered the authority on what risks your organization wants to avoid, or is willing to accept.

The plugin evaluates all applicable policies for a project/application and potentially detects some policy violations. The policy violations determine the build result as follows:

  • If any of those violations are for policies for which the action is equal to 'fail', the build result is set to FAILURE;
  • otherwise, if any of those violations are for policies for which the action is equal to 'warn', the build result is set to UNSTABLE;
  • otherwise the build result is set to SUCCESS.

The plugin is designed to enforce those constraints. If you want to change the build result for certain policy violations, the only way to do it is to change the policy actions in Nexus IQ.

If you have a business use case for altering the existing behaviour, then please file a product idea so our product managers will be informed.

Sonatype registered support account contacts can go here to file an idea: https://ideas.sonatype.com
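A model of the behaviour discussed in this thread, added here as an illustration; it is not code from nexus-platform-plugin or from Jenkins core. It reproduces two things: the policy-action to build-result mapping the maintainer describes (any 'fail' gives FAILURE, else any 'warn' gives UNSTABLE, else SUCCESS), and the Jenkins core rule that `Run.setResult` only ever keeps the worse of the old and new result, which is why the `catchError(buildResult: 'UNSTABLE')` and try/catch attempts above cannot turn a FAILURE back into UNSTABLE or SUCCESS. The assumption that the plugin step sets the run result directly (whether or not it also throws) is mine, as are the names `Violation`, `result_for_violations`, `nexus_policy_evaluation`, `pipeline_with_catch_error` and the constructed violation list.

```python
"""Model of how a Nexus IQ policy evaluation maps to a Jenkins build result,
and why a later attempt to "improve" that result is ignored.

Added illustration, not code from nexus-platform-plugin or Jenkins core.
Assumptions (labelled): the plugin step sets the run result directly
(optionally also throwing), and, as in Jenkins core, setResult keeps the
worse of the existing and the requested result.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Iterable, List, Optional


class Result(IntEnum):
    """Jenkins result ordering: a larger ordinal is a worse result."""
    SUCCESS = 0
    UNSTABLE = 1
    FAILURE = 2


def combine(current: Optional[Result], requested: Result) -> Result:
    """Mirror of Jenkins Result.combine(): the worse of the two always wins."""
    if current is None:
        return requested
    return current if current > requested else requested


@dataclass
class Run:
    """Minimal stand-in for a Jenkins build while it is still BUILDING."""
    result: Optional[Result] = None
    log: List[str] = field(default_factory=list)

    def set_result(self, requested: Result) -> Result:
        # Jenkins core rule: "result can only get worse".
        new = combine(self.result, requested)
        if new != self.result:
            self.log.append(f"result {self.result} -> {new.name}")
        else:
            self.log.append(f"ignored attempt to set {requested.name}; stays {new.name}")
        self.result = new
        return new


@dataclass
class Violation:
    policy: str
    action: str  # 'fail', 'warn' or 'no action' (constructed, per the thread)


def result_for_violations(violations: Iterable[Violation]) -> Result:
    """Mapping described by the maintainer: any 'fail' -> FAILURE,
    otherwise any 'warn' -> UNSTABLE, otherwise SUCCESS."""
    actions = {v.action for v in violations}
    if "fail" in actions:
        return Result.FAILURE
    if "warn" in actions:
        return Result.UNSTABLE
    return Result.SUCCESS


class PolicyEvaluationError(Exception):
    """Stand-in for an exception a failing step might raise (assumption)."""


def nexus_policy_evaluation(run: Run, violations: Iterable[Violation],
                            step_throws: bool = False) -> Result:
    """Assumed plugin behaviour: evaluate policies, then set the run result.
    With step_throws=True it also raises on FAILURE, so that both paths
    through catchError can be exercised."""
    result = run.set_result(result_for_violations(violations))
    if step_throws and result is Result.FAILURE:
        raise PolicyEvaluationError("policy evaluation failed")
    return result


def pipeline_with_catch_error(violations: Iterable[Violation], override: Result,
                              step_throws: bool = False) -> Result:
    """Pipeline wrapping the step in catchError(buildResult: override).
    catchError only calls setResult(override) when the body throws, and even
    then setResult never raises the result to a better value."""
    run = Run()
    try:
        nexus_policy_evaluation(run, violations, step_throws)
    except PolicyEvaluationError:
        run.set_result(override)
    return run.result


# Constructed sample: one violation per action type.
CONSTRUCTED_VIOLATIONS = [
    Violation("Security-Critical", "fail"),
    Violation("License-Copyleft", "warn"),
    Violation("Architecture-Quality", "no action"),
]

if __name__ == "__main__":
    for throws in (False, True):
        run = Run()
        try:
            nexus_policy_evaluation(run, CONSTRUCTED_VIOLATIONS, throws)
        except PolicyEvaluationError:
            run.set_result(Result.UNSTABLE)
        print(f"step_throws={throws}: final={run.result.name}; log={run.log}")
```

The only input that changes the outcome in this model is the violation list itself: drop the 'fail' violation (i.e. change the policy action in Nexus IQ) and the same pipeline ends UNSTABLE; drop the 'warn' one too and it ends SUCCESS. That matches the maintainer's position that the policy actions, not pipeline error handling, decide the build result.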