Application Security Automation Part 4
Automated Static Code Analysis
Recap of Part 1-3
- Defined how the system will flow
- Installed components on 4 different virtual machines
- 1 Sensor, 1 SSC (DB on same machine), 1 Controller, 1 Client
- Configured components, so they can communicate with each other
Scanning
Now that the components are configured, it is possible to scan code. I will split this part into two: the first triggers the scan from the command line, the second uses Jenkins as a client.
1-Manual Client
I will use a sample vulnerable single-file Java program called EightBall.java, which is included in Fortify's samples. Also, a token is required for communication between the components. It is possible to create a ScanCentralCtrlToken from the SSC interface or from the command line using fortifyclient.bat. I will use the SSC interface.
As I explained before, I will complete the translation (aka build) stage on the client machine and complete the scan on the Sensor machine.
sourceanalyzer -b <buildid> EightBall.java
Translation is done and my scan is using the build id "bid". Now I will send the request to the controller.
scancentral.bat sends the scan request to the controller, together with the request to upload the result to SSC.
Important!
You need to have an application and a version to upload in SSC.
scancentral.bat -sscurl <sscurl> -ssctoken <token> start -upload --application <appname> --application-version <appversion> -b <buildid> -uptoken <token> -scan
As the output says, the MBS (mobile build session), which is the translated version of the code, is sent to the controller for scanning. The controller will handle the request and forward it to an available sensor.
Recap, what we did
- Translated the source code manually
- Requested a scan from controller manually
- Extracted and sent the MBS to controller
- Sensor completed the scan
- Sensor sent the results to controller
- Controller uploaded the results to SSC
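The manual client steps above (translate locally, then request a remote scan with upload to SSC) wrapped in a POSIX shell script, as an added example that is not part of the original post. It assumes sourceanalyzer and scancentral are on PATH, and that the SSC URL, application name, version, build id, source file and the ScanCentralCtrlToken are supplied through constructed environment variable names (SSC_URL, APP_NAME, APP_VERSION, BUILD_ID, SRC_FILE, SSC_TOKEN). Because scancentral takes the token on the command line, the script masks the token values before echoing the command, so the token does not end up in a console log.

```shell
#!/bin/sh
# Added example (not from the original post): wraps the manual client steps
# in a script. Assumes the Fortify CLI tools (sourceanalyzer, scancentral) are
# on PATH; the environment variable names below are constructed for this example.
set -eu

# Fail early with a clear message if a required setting is missing.
require_var() {
    name="$1"
    eval "val=\${$name:-}"
    if [ -z "$val" ]; then
        echo "missing required setting: $name" >&2
        return 1
    fi
}

# Assemble the scancentral request as in the post: local translation,
# remote scan, upload of the result to SSC.
build_scan_cmd() {
    printf '%s' "scancentral -sscurl $SSC_URL -ssctoken $SSC_TOKEN start -upload --application $APP_NAME --application-version $APP_VERSION -b $BUILD_ID -uptoken $SSC_TOKEN -scan"
}

# Mask the values following -ssctoken / -uptoken so a logged command line
# does not disclose the token.
redact_tokens() {
    printf '%s\n' "$1" | sed -E 's/(-(ssc|up)token[= ])[^ ]+/\1***/g'
}

run_scan() {
    for v in SSC_URL SSC_TOKEN APP_NAME APP_VERSION BUILD_ID SRC_FILE; do
        require_var "$v"
    done
    # Translation (build stage) happens on the client machine.
    sourceanalyzer -b "$BUILD_ID" "$SRC_FILE"
    cmd="$(build_scan_cmd)"
    echo "requesting remote scan: $(redact_tokens "$cmd")"
    # shellcheck disable=SC2086  # word splitting of the assembled command is intended
    $cmd
}

# Only run when invoked with "run"; sourcing the file just defines the functions.
if [ "${1:-}" = "run" ]; then
    run_scan
fi
```

Invoke it as `SSC_URL=... SSC_TOKEN=... APP_NAME=... APP_VERSION=... BUILD_ID=bid SRC_FILE=EightBall.java sh scan.sh run`. The redaction matters most when the same steps are later driven from a CI job, where the console output is kept and often readable by more people than the token should be.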
2-Jenkins as a Client
To request a scan from Jenkins, you need the Jenkins Fortify plugin. After installing the plugin, configure it as explained below. A CI Token is required for the Jenkins to Fortify connection; the token creation process is explained in the "Manual Client" section. The order of the configuration steps is important.
Manage Jenkins > Configure System
Jenkins is ready.
2.1-Freestyle Jenkins Project
Add Fortify Assessment as post build action.
There are three translation and scan combinations. I will use local translation and remote scan, according to our architecture. You need to set a build id, the source code of your application, and the application name and version name from SSC.
Run the Jenkins job.
As the Console Output says, translation completed at the Jenkins client and the MBS is sent to the controller. The controller will select an available sensor and the scan will be completed.
2.2 -Pipeline Jenkins Project
Three basic steps: cleaning the build id, translating locally and scanning with ScanCentral. I won't use optional parameters. Please mind the indentation.
node
{
    stage('Fortify Clean')
    {
        fortifyClean addJVMOptions: '', buildID: 'bid3', logFile: '', maxHeap: ''
    }
    stage('Fortify Translate Local')
    {
        fortifyTranslate addJVMOptions: '', buildID: 'bid3', excludeList: '', logFile: '', maxHeap: '', projectScanType: fortifyJava(javaAddOptions: '', javaClasspath: '', javaSrcFiles: 'C:\\Eightball.java', javaVersion: '8')
    }
    stage('Fortify Scan Remote')
    {
        fortifyRemoteScan buildID: 'bid3', uploadSSC: [appName: 'eightball_j_pipe', appVersion: 'test']
    }
}
As the Console Output says, translation completed at the Jenkins client and the MBS is sent to the controller. The controller will select an available sensor and the scan will be completed.
Recap, what we did
- Jenkins translated the source code using Fortify
- Jenkins requested a scan from controller
- Jenkins extracted and sent the MBS to controller
- Sensor completed the scan
- Sensor sent the results to controller
- Controller uploaded the results to SSC
Organization of series
1- Introduction
2- Installation
4- Scanning (This post)