So here we are at lesson 3.2, where I'm going to do a demo of Jenkins. This is the standard DevOps one; I'm just going to call it that. It's just a very simple two-step process.
So the objectives again: just going to demo it and then kind of explain some of the stages.
Here's what the pipeline's going to look like. It doesn't really matter what it's running on, but in this case it's running on Ubuntu Linux, and Jenkins is the app running there. It doesn't really make that much difference. So within Jenkins, we're going to create a pipeline that takes the Java source, runs Maven, which is the build program,
creates a WAR file, and just copies it to Tomcat. That's just
the most basic it could be. Again, this is just to start off so we can see what Jenkins looks like, the basics, before you start adding some of the complexities to it.
And if you want to take a look, here is the Jenkins website. I'm using the Java Vulnerable Lab, just a vulnerable app, so when we do the static analysis and dynamic analysis and all that,
we can get some good vulnerabilities.
Okay, let's start the demo here of Jenkins. I've got a couple of pipelines already created that we're going to use through the class; you can ignore those.
This is not going to be a full demo of everything in Jenkins. I just want to kind of get you an understanding, so as we're going through, you can understand what's going on.
So you can start off very easy with Jenkins. Create a pipeline called Test right now.
Create a pipeline.
Okay, it's running like that. There are lots of options, but we're just going to do a very basic pipeline. It gives you the option here for
Hello World, which is the standard.
You can see, if you're used to programming, C, Java, things like that, that it uses the same format, because it uses Groovy.
So it's an open curly bracket, close curly bracket; that's what defines the object. And then it's all hierarchy based here. So
you have to define stages: say I want to do stages. There's only one stage here; it's called Hello.
And then here are the steps within the stage, and all that's going to do is echo Hello World.
So let's save that.
And it's ready to run. So we do Build Now, and all it's going to do is run that; you'll see this is running right here.
And then this is the column for each one of the stages. There's only one defined, called Hello. So we can click on here to see the results.
Check out the console output: you see all this, and then right here, Hello World. All done. Very easy.
You can keep builds; you can delete them.
Just delete this one for now.
Actually, I won't delete it. Let's just configure it.
So what's nice about Jenkins is you can actually tell it to use a directory.
I'm going to give the wrong one, just so you can see the errors
when you do something wrong. So this is a hierarchy within the steps: I'm saying
I want to execute everything within this directory, just so it's easier as we're typing.
And since this is running on a Linux machine, what's nice is you can say I want to run this command. So if you're familiar with Linux, this says list files.
Let's save this
and build it. And this one should fail, just because, as you know, I put in the wrong directory. So you can see here it's red, which means that it failed.
So if I go in here to check the output:
access denied. It says this directory does not exist.
I just want to show you what it looks like when a build fails.
Let's go back in here, and I'll fix that.
Let's build it again.
It ran successfully; let's look at the console output this time.
So you see ls ran and it listed all the files within that folder.
So you can see it's very easy. You can set up a pipeline in about a minute.
So there's the DevOps one that I've set up. It's almost exactly the same, just slightly more complicated, but not much.
You'll see the same thing here: stages. The one thing new you'll see here is I have a stage just like the other one, called Build, but I've defined a second stage. So this is how you set up multiple stages, and each stage must complete for the next one to execute.
So you see here, same way as before: steps on this Build one.
Same directory.
I did a UNIX command here called print working directory, just so you can see where it's running, in its standard output.
Again, you don't have to understand this, but there's a program called Maven, and this is what's used to build the Java program.
You can ignore this; it's just a
flag I'm putting in there so there won't be any errors. So it says Maven clean everything first, which means get rid of all the bytecode, everything built, so we have a pristine copy of just the source code, and then run package, which means build it. So what it's going to do is run Maven against this Java Vulnerable Lab that we've been using all along
and create the WAR file, and the WAR file is the
So if this Build stage completes correctly, it will move on to the next stage, called Deliver.
You see, the format looks exactly the same: steps, print working directory. The only thing different here now is I'm doing a UNIX copy.
I know this is where the WAR file is built, so I'm going to say copy this to my Tomcat folder.
Again, you don't have to understand exactly how it works, but within Tomcat, if you have a WAR file and you put it in the webapps folder, it'll automatically deploy, assuming you have it configured that way. So what it's doing is building the Java program and then putting it into Tomcat.
It's a pretty easy build. You've seen this; I have one that ran previously. I just want to keep this,
so I'll let this run.
Now, if I go into the output, there will be a lot of junk on the screen just because it's Java,
so we can scroll down here. It says it's building the WAR file; here's the WAR.
Looks like it was successful,
so that stage was successful. So now we see it comes down all the way down here: print working directory, that's just so I know where I'm running, and then copied the target vulnerable WAR into the webapps folder. So that was successful,
so I can see my pipeline was successful: the Build was successful, the Deliver was successful. So that's just the basics that we're going to use throughout the course, and I just wanted a standard build to show you what it looks like. There's no security in here, but later on we'll start adding the static analysis and all the other components.
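The two-stage Build and Deliver pipeline walked through above, written out as a declarative Jenkinsfile. This is an added reconstruction, not the instructor's own file: the source directory, the Tomcat webapps path, and the unnamed extra Maven flag (left out here) are assumptions.

```groovy
// Added example Jenkinsfile (declarative pipeline syntax), not the course's own file.
// Assumptions: the Java Vulnerable Lab checkout lives at /path/to/JavaVulnerableLab
// and Tomcat's auto-deploy folder is /path/to/tomcat/webapps (both placeholders).
pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                dir('/path/to/JavaVulnerableLab') {   // run every step in this directory
                    sh 'pwd'                           // print working directory, just to see where we are
                    sh 'mvn clean package'             // clean wipes old bytecode, package builds the .war
                }
            }
        }
        stage('Deliver') {                              // only runs if Build succeeded
            steps {
                dir('/path/to/JavaVulnerableLab') {
                    sh 'pwd'
                    // Tomcat auto-deploys a WAR dropped into webapps/ when autoDeploy is enabled
                    sh 'cp target/*.war /path/to/tomcat/webapps/'
                }
            }
        }
    }
}
```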
So I have another one of these questions for you.
Can you divide up DevSecOps into stages? Think about it: if you had to test all the different components, how would you break it up into individual steps, where you would say, I want this security test run, and if it passes I want it to move on, and if it doesn't pass I want it to stop?
So think about it: for the source code analysis, you probably want it to stop there, and you can set certain factors, say I only want X number of highs, zero criticals, anything like that. You can set it and say it can pass, but I want it to be flagged, and maybe you can move on;
but if there's
anything else within that stage, I want it to fail. And then later on for the web app scan, you may say the same thing: this is the pass criteria, this is the fail criteria. You may have something very strict and say I don't want any vulnerabilities at all.
And then you might want to do the third-party analysis as well, and again set some criteria for that on how many vulnerabilities, and at what level, are acceptable to pass a build.
And then what order should we evaluate them in?
Probably source code analysis is going to find the most, so you probably want to hit those first, and then lighten the load as you go on, and also make sure you're not missing anything as well. And then you do the third-party libraries at the same time as the source code analysis.
You can do third-party again when the web app is built, because the actual libraries may not be available;
they may be part of the web app, or they may be on the
server itself, and they may not be in for analysis. So it gets into later stages as well. So just kind of start thinking about these topics before I start explaining them to you, so you have an idea in your head, and maybe questions that come up.
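One way to express the pass/flag/fail criteria and stage order discussed above in a Jenkinsfile, as an added example rather than anything from the course. The finding counts are constructed placeholders; in a real pipeline each stage would parse them from its scanner's report, and the scanner invocations themselves are not shown.

```groovy
// Added example, not the course's own pipeline. The gate() helper encodes the
// criteria discussed above: zero criticals allowed, highs up to a limit, and a
// build that exceeds the high limit is flagged UNSTABLE but allowed to continue.
def gate(String scan, Map counts, int maxHigh) {
    if (counts.critical > 0) {
        // Fail the stage; later stages (Deliver, web app scan) will not run.
        error("${scan}: ${counts.critical} critical finding(s), stopping the pipeline")
    }
    if (counts.high > maxHigh) {
        echo "${scan}: ${counts.high} high findings exceed limit ${maxHigh}, flagging build"
        currentBuild.result = 'UNSTABLE'   // pass, but flagged for review
    } else {
        echo "${scan}: passed (critical=${counts.critical}, high=${counts.high})"
    }
}

pipeline {
    agent any
    stages {
        stage('Build') {
            steps { sh 'mvn clean package' }
        }
        stage('Source and dependency analysis') {   // run first: finds the most
            steps {
                script {
                    // Constructed counts standing in for the SAST and dependency reports.
                    gate('Source code analysis', [critical: 0, high: 2], 5)
                    gate('Third-party libraries',  [critical: 0, high: 0], 0)
                }
            }
        }
        stage('Deliver') {
            steps { sh 'cp target/*.war /path/to/tomcat/webapps/' }   // placeholder path
        }
        stage('Web app scan') {   // runs against the deployed app, strictest criteria
            steps {
                script {
                    gate('Web application scan', [critical: 0, high: 0], 0)
                }
            }
        }
    }
}
```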
So this is our first real demo of Jenkins, and you got to see what it looks like. It's going to be an important concept because we'll be using it throughout the entire course.
In the next module we'll take a look at metrics for evaluating DevSecOps.