代码安全检查
- 需要安装SonarQube(版本6.7,安装了Findbugs插件)
- MySQL >=5.6,笔者安装的是MySQL 5.7版本
- Jenkins需要安装下列插件:
- SonarQube Scanner for Jenkins
- Sonar Quality Gates Plugin
注意点:
- Sonar需要配置"质量阈"
- Sonar需要配置"web回调接口"
- 具体script和declarative类型的pipeline代码请参见本文最后
依赖安全检查
- Jenkins需要安装以下插件
- Static Code Analysis Plug-ins
- OWASP_Dependency_Check
注意点:
- 关于搭建本地NVD镜像,这个是可以做到;如何使用本地镜像是个问题,不知道如何使用
- Doc只提到OWASP_Dependency_Check客户端可以使用本地镜像
查出的结果如下:
安全自动化
此部分目前暂时没有实现
- 目前有现成的security zap for pipeline插件(gradle)
- 且需要有现成的跑web自动化的代码
附件
- pipeline script
node { stage('Build') { echo 'Building....' checkout([$class: 'GitSCM', branches: [[name: '*/master']], doGenerateSubmoduleConfigurations: false, extensions: [], submoduleCfg: [], userRemoteConfigs: [[credentialsId: 'global_credentials', url: 'http://***/Test-myown.git']]]) sh "mvn -DskipTests clean install package sonar:sonar" def mvnHome = tool 'M3' def gitDefault = tool 'gitDefault' def jdkver = tool 'jdk8' def mysonar = tool 'SonarQube Scanner 6.7' echo "---${mvnHome}/bin/mvn---" echo "---${gitDefault}---" echo "---${jdkver}---" echo "---${mysonar}---" } stage('SonarQube analysis') { echo "starting codeAnalyze with SonarQube......" withSonarQubeEnv { sh 'mvn -DskipTests clean install package org.sonarsource.scanner.maven:sonar-maven-plugin:3.2:sonar' } } stage('Quality Gate') { timeout(3) { def qg = waitForQualityGate() echo "---before qg:${qg.status}---" if (qg.status != 'OK') { error "未通过Sonarqube的代码质量阈检查,请及时修改!failure: ${qg.status}" } echo "---after qg:${qg.status}---" } } stage('Dependency Check') { dependencyCheckAnalyzer datadir: '', hintsFile: '', includeCsvReports: false, includeHtmlReports: true, includeJsonReports: false, includeVulnReports: true, isAutoupdateDisabled: false, outdir: '', scanpath: '', skipOnScmChange: false, skipOnUpstreamChange: false, suppressionFile: '', zipExtensions: '' dependencyCheckPublisher canComputeNew: false, defaultEncoding: '', failedTotalHigh: '0', healthy: '', pattern: '', unHealthy: '' dependencyCheckUpdateOnly() // dependencyTrackPublisher()--shibai失败,youchucuo有出错tishi } }
- pipeline declaractive
node { stage('SCM') { git credentialsId: 'global_credentials', url: 'http://***/Test-myown.git' } stage('SonarQube analysis') { echo "starting codeAnalyze with SonarQube......" withSonarQubeEnv { sh 'mvn -DskipTests clean install package org.sonarsource.scanner.maven:sonar-maven-plugin:3.2:sonar' } } stage('Quality Gate') { timeout(3) { def qg = waitForQualityGate() echo "---before qg:${qg.status}---" if (qg.status != 'OK') { error "未通过Sonarqube的代码质量阈检查,请及时修改!failure: ${qg.status}" } echo "---after qg:${qg.status}---" } } }
参考: https://testerhome.com/topics/11326