Jenkins Demo: SAST/SCA

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Time
4 hours 39 minutes
Difficulty
Beginner
CEU/CPE
5
Video Transcription
00:00
that we've reached less than 4.5 where we're going to another Jenkins demo on static analysis and the software competition analysis. So we're gonna be another fun
00:10
lesson we're gonna add on to our pipeline.
00:15
So we're just gonna demonstrate Jenkins for the objectives and and kind of explain a little bit about sask sc a while I'm in there
00:23
and for the demo again. Here's the link to Dinkins io
00:27
their website on some of links to spot bugs like we've seen before in the AWAS dependency check.
00:34
Here we are back in Jenkins, and we're gonna take a look at this time we're doing that were in the development face. We're gonna look at adding static analysis
00:43
of the code,
00:44
so I already have a couple already built here, so it's going to the development.
00:48
You can see I've run this a couple times and just go and take a look at. So
00:53
we have the same billed as we did before I removed the deployment one. Just simplify it. So
00:59
we're still gonna build.
01:00
There's gonna be a new concept here check style, which I kind of mentioned about coding standards and writing good code so that it's it's easy to review. I'm gonna We're gonna add that we're going to do static analysis with fine bugs and PMD,
01:14
and then we're gonna do software composition analysis with the owasi
01:19
dependency check.
01:23
Just take a look at her the way the pipeline has changed. Now,
01:26
so you'll see had the same build stage like I mentioned, it's gonna be the same as previously.
01:33
What I've had here is this new check called check style, which is Ah, Maven has the ability to run this so again, some of this is a little complicated. It doesn't really matter if you need to understand the concepts.
01:46
You'll see the Czech style is gonna fail with 700 some findings. So the flexibility of Jenkins is you can add some desire on your exit criteria. So I have wrapped this in the catch here because I know it's gonna fail, and I just want to build everything to run just so he can see it.
02:04
You're able to you you're able to do checks like this and say, I know this is gonna fail or but I want to keep going. I want this not to stop the build. So I said
02:14
catch this error and that the bill will continue, but the stage will fail, so you'll see what that looks like.
02:21
And then some. Batou, um, Jenkins has a plug in. Now that's the Jenkins warning. Next generation it's able to take. See all the output coming in coming from the build are sorry for the different stages and format that and understand it.
02:37
It was very nice, so you can take it and it's it's really tuned for all these static analysis tools where you could just give it a things. Say, I want to record my issues and this tools check style, and it'll rapid and are pulled into the building. You'll see what that looks like
02:51
and to next. Is these static analysis
02:53
we can use again. Maven has the ability to run this tool called PMD, which we saw previously and and find bugs. It's actually it was previously called Find Bugs called spot Bugs. Now it doesn't really matter gets the same format, but that's what they still use.
03:07
And again, I know this one's going to fail because I already ran it. So I wrapped in a catch hair just so he could see it that the bill or the all the stages run
03:16
we'll see again. There's there's this method. It's already built him because of that warnings. Next generation plug in where I could to say record issues. I have find bugs. I've PMD and it'll pull it automatically for you. So there's no
03:29
there's no analysis. We have to go out and get a different file or anything told into the build.
03:34
And then last, is this up? The self recover a cup of this analysis. We're going to use the A wasp it dependency check. And I've done a little bit differently, just kind of want to show that you can run the tools manually and pull in the results separately. So it just one of running dependency check.
03:51
I say no update because it takes a really long time update, and I did it separately
03:57
and then I'm gonna scan.
03:59
Here is thief older. I know where the libraries are for this job, a Web app of the vulnerable Web lab.
04:05
So that's why I'm absolutely no check. And then again, you can set Kisum cart eerie here on the the exit and six started six success and except for the extra criteria, so I said, Make it unstable. If you see at least one critical, make it unstable. If you see at least one high, so anything more than that
04:23
and we'll get a build with with a different little icon,
04:28
however you're running a couple times, it's easy. Will just take a look at one of the build, since I don't have to wait for it
04:33
so you can see here would be built and you'll see a lot. Knew a lot of new items. So here's check stout. They saw it has 742 warnings.
04:42
Find bugs to found 32 p. M. D Town found 14.
04:46
And here's all the links over the left side as well,
04:47
and you could see dependency. Check is here as well, so this is nice. We can run all these tools and we can get the links right here, so we'll go through a couple of real quickly. It's there's a lot. It's a lot to look at.
04:59
Um, but you can look at it based on just the raw issues
05:03
I could see per per item what it is so like this one ad page, it's saying you have lines longer than 80 characters. This one has 91. It's it makes it hard to read when you have these long wrapping
05:15
lines,
05:16
they could look at it by type. So if you're interested, what the problems are,
05:20
you you can look at you do it by numbers,
05:25
uh, or by categories. You can see where the issues are and start working on it. That way.
05:30
An excellent to kind of look at real quickly is fine bugs.
05:33
So it looks the same way. That's the nice way by by using this next generation plug in,
05:42
um, I'll follow up just Teoh in the same way. So it's gonna look at it. Remember, from the, um, the idea spot bugs plug in. We found this one issue in the email checks job. So
05:57
if we want to drill down to this file,
05:59
let me take a look at security.
06:01
I see I have an issue here, and it's Thea sequel injection, just like we saw. So we're getting the same type of results, and it's not. And so if it wasn't fixed in there, this is what we would have seen and this is Ah, issue would have fixed so you can see why it's better if they just fix it
06:16
back with the, uh
06:18
during the developments that are waiting to this part.
06:23
PMD is is another static analysis. You'll see it access this similar way. Just has a different findings.
06:30
And last we'll take a look at this software composition analysis so you can see
06:34
Theo Wasp dependency check, which saw a screen capture of it. But you can see here it's embedded into our built, which is nice,
06:44
and so we could actually took you. Take a look at so here, saying we have several different libraries that are being brought in that are old versions that need to be updated. So this Commons collection
06:53
has a C V from 2017. It's a critical finding, so I could open it up
06:59
and actually read about it and get the actual description here. And it's also map to the seat of the EU as well, which is helpful.
07:06
What
07:09
you can see here, we can keep just toe kind of follow up. You can see our pipeline is getting built here. We've now added textile static analysis software competition analysis, and later on we'll start adding more to the pipeline.
07:21
So in the same way of done before, and I just kind of jump in and I have a question for you just so you start thinking about some of these topics,
07:30
so I detect third party libraries risk early. Why should why should we do it instead of, you know, maybe in the analysis portion said a waiting till a pen test or anything like that?
07:44
So part of the issue is that these libraries have interfaces and have methods that are cold,
07:49
and sometimes they get changed in future editions. So if you have an old version, you don't upgrade it, and then all your code is dependent on that. When you go to our at the further long yet the more likely is to change.
08:05
So you may have some major chains that require a lot of coding changes. Uh, maybe even even business impact that that there's a lot needs to be done. So finding these early and finding them in the development phase saves a lot of time and money,
08:20
along with any major changes that are that are required like you mentioned
08:26
so in this.
08:28
So that in this lesson we learned about static analysis on SDA and you saw in process, actually in the pipeline.
08:37
And next I'm gonna introduce the AWAS def sec. Ops maturity model is a good method of again looking at your what? What? You're Def sec ops pipes. Pipeline looks like where you want to be and, you know, kind of mapping out a plan.
Up Next