I'm working with Azure DevOps and have integrated Mend (formerly WhiteSource) for security and compliance scanning in my pipeline. Currently, if a Mend policy violation is detected, the build fails, and the report is not generated in the Azure DevOps tab. I'm looking to modify this behavior so that the build indicates a policy violation but still generates and displays the Mend report in Azure DevOps.
Here's the relevant section of my pipeline configuration:
```yaml
- task: WhiteSource@21
  displayName: Run Mend Scanning on L&R API
  inputs:
    projectName: "$(Build.Repository.Name)"
    configuration: |
      resolveAllDependencies=false
      nuget.resolveDependencies=true
      nuget.resolvePackagesConfigFiles=false
      nuget.resolveCsProjFiles=true
      nuget.resolveNuspecFiles=true
      nuget.resolveAssetsFiles=false
      nuget.runPreStep=true
      nuget.preferredEnvironment=nuget
      checkPolicies=true
      forceCheckAllDependencies=true
      updateInventory=true
      forceUpdate=true
      forceUpdate.failBuildOnPolicyViolation=true
      scanComment=Azure DevOps pipeline build scan
      includes=**/*.dll **/*.cs **/*.nupkg
```
I have tried setting forceUpdate.failBuildOnPolicyViolation to false, which allows the build to complete and display the report, but then it doesn't indicate the policy violation with a build failure.
Is there a way to configure the pipeline so that it fails when Mend detects a policy violation, yet still ensures the report generation and its availability in the Azure DevOps tab?
Specifically, I'm looking for guidance on:
1. Adjusting the Mend task configuration for this requirement.
2. Implementing a custom script to check Mend scan results and conditionally fail the build.
3. Ensuring the Mend report is generated and accessible irrespective of the build outcome.

Any examples or insights into achieving this in Azure DevOps would be greatly appreciated!
I've developed a workaround after not finding specific documentation for this scenario. I set forceUpdate.failBuildOnPolicyViolation to false to ensure the build completes, thus generating a report accessible in the Azure DevOps tab. Then, I use the policyRejectionSummary.json file generated by Mend to check for any policy violations. If violations are found, the build is failed, maintaining the report's availability.
Here's the modified pipeline script:
```yaml
# Publish the Mend output folder first, so the report survives even if the
# policy check below fails the build.
- task: PublishBuildArtifacts@1
  inputs:
    PathtoPublish: '$(Build.SourcesDirectory)/whitesource'
    ArtifactName: 'WhiteSourceFolder'
- task: PowerShell@2
  displayName: 'Check Policy Rejection Summary'
  inputs:
    targetType: 'inline'
    script: |
      $jsonPath = "$(Build.SourcesDirectory)/whitesource/policyRejectionSummary.json"
      if (Test-Path $jsonPath) {
        $jsonContent = Get-Content $jsonPath | ConvertFrom-Json
        # rejectingPolicies is empty when every policy passed
        $rejectingPoliciesCount = $jsonContent.rejectingPolicies.Count
        if ($rejectingPoliciesCount -ne 0) {
          Write-Host "Rejecting policies found in $jsonPath. Failing build."
          # non-zero exit code marks this task, and therefore the build, as failed
          exit 1
        } else {
          Write-Host "No rejecting policies found. Continuing build."
        }
      } else {
        Write-Host "$jsonPath does not exist. Continuing build."
      }
    failOnStderr: false
    errorActionPreference: stop
```
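The same check as a Python script, as an added example that is not part of the answer above. It is a cross-platform alternative to the PowerShell@2 step (usable from a `PythonScript@0` or `script` step on any agent with Python 3) and goes a little further: it tolerates `rejectingPolicies` being absent, null, a single object or a list, and it surfaces each rejection in the build summary through the Azure Pipelines `##vso[task.logissue]` logging command. The only field name taken from the page is `rejectingPolicies`; `policyName`, `rejectedLibraries`, `name` and `version` are assumed names used in a constructed sample, so adapt them to the real file.

```python
"""Fail the build on Mend policy rejections without losing the report.

Added example, not from the original answer. Only `rejectingPolicies` is a
field name from the page; the nested field names are assumptions.
"""
import json
import os
import sys
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample of a policyRejectionSummary.json. Nested field names
# (policyName, rejectedLibraries, name, version) are assumptions.
SAMPLE_SUMMARY: Dict[str, Any] = {
    "rejectingPolicies": [
        {
            "policyName": "Block GPL-licensed components",
            "rejectedLibraries": [{"name": "example-lib", "version": "1.2.3"}],
        }
    ]
}


def load_summary(path: str) -> Optional[Dict[str, Any]]:
    """Parse the summary file; None means the scan produced no such file."""
    if not os.path.exists(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def rejecting_policies(summary: Optional[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Normalise `rejectingPolicies` to a list (absent, null, one object or list)."""
    if not summary:
        return []
    value = summary.get("rejectingPolicies")
    if value is None:
        return []
    if isinstance(value, dict):
        return [value]
    return list(value)


def describe(policies: List[Dict[str, Any]]) -> List[str]:
    """One line per rejected library, or one per policy when no libraries are listed."""
    lines: List[str] = []
    for policy in policies:
        name = policy.get("policyName", "<unnamed policy>")
        libs = policy.get("rejectedLibraries") or []
        if not libs:
            lines.append(f"{name}: rejected (no library details)")
        for lib in libs:
            lines.append(f"{name}: {lib.get('name', '?')} {lib.get('version', '')}".rstrip())
    return lines


def evaluate_summary(summary: Optional[Dict[str, Any]]) -> Tuple[int, List[str]]:
    """Return (exit_code, messages); exit code 1 only when some policy rejects."""
    if summary is None:
        return 0, ["policyRejectionSummary.json does not exist; continuing build."]
    findings = describe(rejecting_policies(summary))
    if not findings:
        return 0, ["No rejecting policies found. Continuing build."]
    return 1, findings


def evaluate(path: str) -> Tuple[int, List[str]]:
    """File-based entry point: load the summary at `path` and evaluate it."""
    return evaluate_summary(load_summary(path))


def main(argv: List[str]) -> int:
    path = argv[1] if len(argv) > 1 else "whitesource/policyRejectionSummary.json"
    code, messages = evaluate(path)
    for msg in messages:
        # Azure Pipelines logging command: each finding appears as an error in
        # the build summary; a non-zero exit then fails the step.
        print(f"##vso[task.logissue type=error]{msg}" if code else msg)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_mend_policy.py "$(Build.SourcesDirectory)/whitesource/policyRejectionSummary.json"` after the `PublishBuildArtifacts@1` step, so the report is already published when the step fails. Keeping the parsing (`rejecting_policies`) separate from the verdict (`evaluate_summary`) makes the policy logic unit-testable without touching the file system.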