Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-72575

Failed quality gate does not prevent whole pipeline execution

XMLWordPrintable

    • Icon: Improvement Improvement
    • Resolution: Unresolved
    • Icon: Major Major
    • warnings-ng-plugin
    • Jenkins 2.426.2
      Warnings NG plugin 10.5.3

      While executing the recordIssues step with a defined quality gate to set stage and build results to "failed", it just sets status, but it doesn't prevent execution of the rest of the pipeline and I'm not sure if this is the expected behavior.

      In my case, I'm executing whole security checks before uploading built artifacts, and I would like to prevent this step execution for artifacts that do not meet specific security requirements (defined via quality gate). But even if the "Security scans" stage and even the whole build are set to "failed" due to the quality gate status, the next stages, including "Upload artifacts", are still executed.
       

      pipeline {
    agent {...}

    stages {
        stage("Earlier stages") {...}
        
        stage("Security scans") {
            makeSecurityScans()
            recordIssues tools: [...], qualityGates: [[threshold: 1, type: 'TOTAL_ERROR', unstable: false]]
        }

        stage("Upload artifacts") {
            uploadArtifacts()
        }
    }
}

        1. warnings-ng.PNG
          warnings-ng.PNG
          7 kB
        2. dependency-check-stage-view.PNG
          dependency-check-stage-view.PNG
          18 kB
        3. dependency-check.PNG
          dependency-check.PNG
          7 kB

          [JENKINS-72575] Failed quality gate does not prevent whole pipeline execution

          Łukasz Jackiewicz created issue -
          Ulli Hafner made changes -
          Link New: This issue duplicates JENKINS-72059 [ JENKINS-72059 ]
          Ulli Hafner made changes -
          Resolution New: Duplicate [ 3 ]
          Status Original: Open [ 1 ] New: Closed [ 6 ]
          Ulli Hafner made changes -
          Resolution Original: Duplicate [ 3 ]
          Status Original: Closed [ 6 ] New: Reopened [ 4 ]
          Ulli Hafner made changes -
          Issue Type Original: Bug [ 1 ] New: Improvement [ 4 ]
          Łukasz Jackiewicz made changes -
          Attachment New: dependency-check.PNG [ 61971 ]
          Łukasz Jackiewicz made changes -
          Attachment New: dependency-check-stage-view.PNG [ 61972 ]
          Łukasz Jackiewicz made changes -
          Attachment New: warnings-ng.PNG [ 61973 ]
          Łukasz Jackiewicz made changes -
          Comment [ Although this is still not the best solution, as a workaround it is also possible to add a post failure section and call the error step there:
          {code:java}
          stage("Security scans") {
              steps {
                  makeSecurityScans()
                  recordIssues tools: [...], qualityGates: [[threshold: 1, type: 'TOTAL_ERROR', unstable: false]]
              }
              post {
                  failure {
                      error("The project does not meet security rules.")
                  }
              }
          }
          {code}
          The problem here is, probably due to the design of the post failure section itself, that in addition to our error itself, an error stacktrace is thrown in the log, which may be confusing for end users. So I can't recommend it, but I'm sharing it as an alternative workaround. ]
          Ulli Hafner made changes -
          Assignee Original: Ulli Hafner [ drulli ]
          Ulli Hafner made changes -
          Labels New: help-wanted

            Unassigned Unassigned
            ljackiewicz Łukasz Jackiewicz
            Votes:
            2 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated: