Automating the boring stuff in development using ZAP and Jenkins : continuous Integration

The best part of programming is the always getting rid of some boring stuff. Building the application, Testing for the vulnerabilities manually using some tools and entering those finding in Jira one by one are some of the boring stuff all the developers like to avoid. Wouldn’t it be better if someone else can do this for us ? well, let’s try to automate these stuff using some mechanism.

Step 1 : Automatically triggering a build in Jenkins on a Git commit

It is possible to setup a Build Trigger in Jenkins, whenever there is a change in Git repository. We can do this in 2 ways.

Option 1 :Enabling Poll SCM and entering a cron expression

By using we can get Jenkins to poll the repository for changes every minute. It will poll the repository only if there is a change.

Using a cron environment to check the repository every minute is really an inefficient method. It is much better instead to do push-notification from the repository.

Option 2 :Triggering Jenkins builds from a git hook

When we install the Git Plugin for Jenkins we get an HTTP endpoint that can be used to trigger Jenkins to check a Git repository for changes and to schedule a build if it finds any, we can manually check it by entering the following URL, but we must enable Poll SCM in Jenkins build configuration to initiate the build.

curl http://yourserver/git/notifyCommit?url=<URL of the Git repository>[&branches=branch1[,branch2]*][&sha1=<commit ID>]

We can automatically trigger Jenkins build by setting up post-commit hook in the repository to poke Jenkins when a new push occurs.

  • Enable Poll SCM
  • Conf post-commit git hook

1 Go to the projectFolder/.git/hooks
2 Add a File called “post-commit”
3. Add the following script to that file

#!/bin/sh
curl http://yourserver/git/notifyCommit?url=<URL of the Git repository>[&branches=branch1[,branch2]*][&sha1=<commit ID>]

Note : If you don’t want to invoke the build for every commit, you can do it by customizing above script

where <URL of the Git repository>is the fully qualified URL you use when cloning this repository.

This will scan all the jobs that’s configured to check out the specified URL, and if they are also configured with polling, it’ll immediately trigger the polling

Step 2 : Building the job and automating the security tests using owasp Zed Attack Proxy(ZAP)

PS : If you haven’t already configured or used ZAP in Jenkins you can follow my previous post for a quick start on Automating Security Testing of web applications using OWASP Zed Attack Proxy in Jenkins

  1. Configure the build options

Here I’m using a maven web project for my testing purposes, so to deploy the web application, I should build the application and deploy it in a server.

2. Configure ZAProxy

3. Setting up the ZAProxy for the job

Do a manual build and check, If the building process execution succeeded, you will find the generated report in the workspace

Step 4 : Configuring Jira issue creator

Jenkins plugin for Jira issue creating is available with zaproxy. Since we have already installed zaproxy for the test automation, we don’t need to install any additional plugins inside Jenkins for this use.

1. Download the jiraIssueCreator plugin from here and add the file to path “/home/name/.ZAP/plugin/”

2. Configuring the jira credentials and the location

Manage jenkins -> Global tool Configuration -> zaproxy

3. Check and report Jira issues in the build configuration

Job-> configure ->Build -> Setup ->Click on Create Jira issues below the save session

The create Jira issues should be checked along with the priorities to be considered when exporting the issues.The filter issues URLs by resource type is optional.

References

[1] http://www.andyfrench.info/2015/03/automatically-triggering-jenkins-build.html
[2] https://wiki.jenkins-ci.org/display/JENKINS/Git+Plugin
[3] http://kohsuke.org/2011/12/01/polling-must-die-triggering-jenkins-builds-from-a-git-hook/
[4] https://medium.com/@PrakhashS/automating-security-testing-of-web-applications-using-owasp-zed-attack-proxy-in-jenkins-aa0f9eafdcba#.oysiaj8fm

Like what you read? Give Prakhash Sivakumar a round of applause.

From a quick cheer to a standing ovation, clap to show how much you enjoyed this story.