RIPS Integration into Jenkins CI with Pipeline Support


RIPS Jenkins Integration

Jenkins CI is one of the leading open source automation server and provides hundreds of plugins to support building, deploying and automating any project. It supports version control tools like Git, Subversion, Mercurial, Perforce, and can execute Apache Ant, Apache Maven and Gradle based projects as well as arbitrary shell scripts and Windows batch commands. RIPS supports the integration of security analysis into Jenkins since 2016 that helps to prevent that new security vulnerabilities are added to your build. Our new major release now also supports the new Pipeline feature and improves existing features.

Pipelines

The Pipeline approach is a more developer friendly method to define the build and test process of a project. It is as easy as placing a file named Jenkinsfile into your project which contains all the configuration. This is well known from other build tools like Docker or make and improves the CI process immensely:

  • Since the configuration is stored in version control, old builds can be recreated without additional work.
  • Changes to the build process can be made per-branch and will not disrupt development.
  • Configuration files can be easily copied and adopted for other projects.

The RIPS Jenkins plugin integrates seamlessly into this new workflow. You only need to insert a statement like shown in line nine into your build script. How to use and get the credentialId is described later in this article.

 1 2 3 4 5 6 7 8 91011
//Jenkinsfile

node {
  stage('Preparation') {
    //getting sources from git repository
    git 'https://github.com/ethicalhack3r/DVWA'
  }
  stage('Security Check') {
    ripsScan appId: 1615, credentialsId: '5d4cb838-3024-4c09-810d-0db62f9ea61d'
  }
}

There are a lot more optional parameters shown in the following listing. One of the most interesting ones is the threshold configuration shown in line ten to fifteen. Here you can trigger a build failure if your software has more issues than the declared number of the single severity levels.

Threshold examples:

  • threshold: [newIssues: 0, critical: 0] Build will fail on every new issue and every existing issue of critical severity.
  • threshold: [critical: 0, high: 10] Every new issue of severity critical or eleven and more issues of high severity will trigger a failure.

 1 2 3 4 5 6 7 8 910111213141516171819
ripsScan analysisDepth: 5, //default 5
         appId: 1615, //required
         credentialsId: '5d4cb838-3024-4c09-810d-0db62f9ea61d', //required
         customProfileId: 29, //default empty
         excludeNegativelyReviewed: true, //default true
         phpVersion: '7', //default 5.6.*
         resultOnError: 'UNSTABLE', //default ABORTED
         scanTimeout: 300, //default 300 (minutes)
         subdir: 'dvwa', //default empty
         threshold: [critical: 1, //default empty
                     high: 1,
                     low: 1,
                     medium: 1,
                     newIssues: 0, //"new" is a reserved keyword
                     resultOnHit: 'NOT_BUILD'], //default FAILURE
         uiUrl: 'https://saas.ripstech.com', //default
         url: 'https://api-2.ripstech.com', //default
         versionNamePattern: '#{number}' //default Build #{number}
 

The configuration file can easily be generated with the Pipeline Syntax Snippet Generator. Please keep in mind that only non default values will be displayed in the generated command. You can find a description of all configuration parameters in our knowledge base.

New Configuration Mask

Further, we added a new configuration mask (Figure 1) that is more intuitive and straight forward. It will be used in Freestyle Projects and for the Pipeline Syntax Snippet Generator. The URLs, the timeout and the result settings are configurable globally in the Jenkins system settings and do not have to be repeated for each Jenkins project.

Figure 1: RIPS Configuration Mask

Secure Password Storage

Passwords will be managed by the Jenkins Credentials Plugin that is a dependency of our plugin. Credentials can be added to your Jenkins instance per user or system wide, with restrictions to a specific domain. Another benefit of this variant is, that you do not have to add cleartext passwords in your Jenkinsfiles. The username password combination is referenced by an unique identifier. You can lookup this identifier on the credentials menu manually or use the RIPS configuration mask and select the right credential by username.

Improved Results

In the code snippet below you can find an example output of our new plugin version. Line two shows the globbing to create the ZIP file which fetches the supported file extensions directly from the API. Thereby newly supported filetypes will be automatically included in the next scan.

 1 2 3 4 5 6 7 8 9101112
Use RIPS API (https://api-2.ripstech.com): 2.14.5
Created zip file rips9169010792219059344.zip with glob: **/*.php,**/*.inc,**/*.phps,**/*.php3,**/*.php4,**/*.php5,**/*.phtml,**/*.tpl,**/*.cgi,**/*.module,**/*.ctp,**/*.twig
Upload ID: 18263
Scan ID: 9189
Scan Status: 0% (Scan in queue. This may take a few minutes)
Scan Status: 14% (Parsing Code)
Scan Status: 32% (Scanning code)
Scan Status: 42% (Scanning code)
Scan Status: 52% (Scanning code)
Scan Status: 100% (Done)
Issues: {CRITICAL=16, LOW=85, MEDIUM=14, NEW=0}
Threshold reached for: CRITICAL

The pipeline project look-and-feel shown in Figure 2 is adopted from the freestyle project. There is an additional stage view available if the required plugins were installed. It allows to quickly review and check all configured stages and can be used, for example, to only view the logs from the RIPS plugin.

Figure 2: Jenkins pipeline project with RIPS

An exceeded threshold is printed to the console log as shown before and additionally it is marked in our results widgets shown in the following figures.

Figure 3: Result widget with an exceeded threshold on the single build page

Figure 4: Result widget with no exceeded threshold on the project page

In addition to the result widgets, the plugin also displays a configuration widget. It shows an overview of the most important configuration options used in the currently viewed scan. This allows developers to properly review old results even when the configuration changed along the way.

Figure 5: Scan settings of a single run

Conclusion

In this post we presented some of the improved features of our RIPS integration for Jenkins CI. Our ready-to-use Jenkins plugin enables many different ways for the seamless integration of automated security analysis into your build process. The plugin can be used with the LTS as well as the latest release of Jenkins. For more information about this plugin please use our knowledge base article. You can also find a quick migration guide in the changelog.


Tags: malena ebert, ci, continuous integration, jenkins, pipeline, open source, plugin, api, user interface, scripting,

Author: Malena Ebert

System Integration Engineer

Malena has a Master's degree in IT security from the Ruhr-University Bochum and is a professional software engineer. She likes to become acquainted with new modern programming language concepts and always keeps the security aspect in mind.

Comments

comments powered by Disqus