Contrast Bamboo plugin

This plugin adds functionality to Bamboo so that you can configure profiles for connecting to Contrast and verify builds against vulnerability thresholds.

Install and configure

To install and configure the Bamboo plugin:

  1. Download the Contrast Bamboo plugin (contrast-bamboo-plugin-#.#.#.jar) from the Bamboo Marketplace.

  2. Select Add-Ons from the top-left settings menu.

  3. Select Upload add-on.

  4. When prompted to upload a file, select contrast-bamboo-plugin-#.#.#-SNAPSHOT.jar.

  5. Verify you see the plugin under User-installed add-ons.

  6. Now that the plugin is installed, configure a profile for Contrast. Select Contrast Profiles under Add-Ons in the side navigation bar.

  7. In the Profile Configuration page, select New Profile and complete the form.

    Note

    If you are a hosted customer, you do not need to enter a Contrast URL.

  8. Select Test Connection to verify that your settings are correct. A success notification will appear when a connection is established.

Configure vulnerability thresholds

The Bamboo plugin can be added as a task to build jobs to check for vulnerability conditions that you configure. The task queries Contrast for the number, severity and type of vulnerabilities found in the application and fails the build when a configured threshold is met.

To add a task to a build job:

  1. Select Create a New Build Plan (you can also use an existing plan).

  2. Enter a project name, a plan name and a link to the repository host. The project key and plan key are auto-generated.

  3. Once you create the plan, add a task to the build process by selecting Add Task.

  4. In the window that appears, find the Contrast CI for Assess task and select it.

    The task configuration page requires a Contrast profile and takes a server name, an application name and a Passive parameter. The server name is optional, but if you enter one it must match a server name in Contrast. The application name must be an application on the designated server.

    If you select the Passive parameter, the plugin queries all vulnerabilities for the application, not just those reported during this build. In that case you don't have to run the application with its integration tests before the Contrast post-build action in the Bamboo build.

  5. Next, define conditions for when to fail a build:

    • Threshold Count: The minimum number of findings required to fail the build.

    • Threshold Severity: The minimum severity at which to count a finding towards the threshold count.

    • Threshold Vulnerability Type: The type of finding required for a finding to count towards the threshold count.

    Note

    Using the Any option means that any severity or vulnerability type is counted towards the maximum threshold count.

  6. Select Add New Threshold Condition to configure multiple conditions for each task.

  7. Select Save.

  8. Enable the build plan by selecting the checkbox in the bottom left.
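The threshold evaluation that steps 5 and 6 describe, worked through on constructed data as an added example. This is not the plugin's own code; it assumes Contrast's severity order is Note < Low < Medium < High < Critical, that "Any" matches every severity or type, and that a build fails when at least one configured condition is met. The rule names and findings are made up for the example.

```python
from dataclasses import dataclass
from typing import List

# Assumed severity ordering, lowest to highest. The plugin's exact
# ordering is not stated on the page; this is an assumption.
SEVERITY_RANK = {"Note": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
ANY = "Any"


@dataclass(frozen=True)
class Finding:
    """One vulnerability reported by Contrast (hypothetical shape)."""
    rule: str       # vulnerability type, e.g. "sql-injection"
    severity: str   # one of the SEVERITY_RANK keys


@dataclass(frozen=True)
class ThresholdCondition:
    """One row added via 'Add New Threshold Condition'."""
    count: int              # Threshold Count: minimum findings to fail
    severity: str = ANY     # Threshold Severity, or "Any"
    vuln_type: str = ANY    # Threshold Vulnerability Type, or "Any"

    def __post_init__(self) -> None:
        if self.count < 1:
            raise ValueError("Threshold Count must be at least 1")
        if self.severity != ANY and self.severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {self.severity!r}")


def matches(cond: ThresholdCondition, finding: Finding) -> bool:
    """A finding counts if it is at or above the condition's minimum severity
    and (unless the type is Any) has exactly the configured type."""
    if finding.severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {finding.severity!r}")
    if cond.severity != ANY and SEVERITY_RANK[finding.severity] < SEVERITY_RANK[cond.severity]:
        return False
    if cond.vuln_type != ANY and finding.rule != cond.vuln_type:
        return False
    return True


def matching_count(cond: ThresholdCondition, findings: List[Finding]) -> int:
    return sum(1 for f in findings if matches(cond, f))


def condition_hit(cond: ThresholdCondition, findings: List[Finding]) -> bool:
    """The condition fails the build once the count reaches the threshold."""
    return matching_count(cond, findings) >= cond.count


def failing_conditions(conds: List[ThresholdCondition], findings: List[Finding]) -> List[ThresholdCondition]:
    return [c for c in conds if condition_hit(c, findings)]


def build_passes(conds: List[ThresholdCondition], findings: List[Finding]) -> bool:
    """Assumption: any single met condition is enough to fail the build."""
    return not failing_conditions(conds, findings)


# Constructed sample findings; not real Contrast output.
SAMPLE_FINDINGS = [
    Finding("sql-injection", "Critical"),
    Finding("xss-reflected", "High"),
    Finding("xss-reflected", "Medium"),
    Finding("cache-controls-missing", "Low"),
    Finding("insecure-cookie", "Note"),
]

# Three conditions as a task might be configured with them.
SAMPLE_CONDITIONS = [
    ThresholdCondition(count=1, severity="Critical"),            # any Critical finding
    ThresholdCondition(count=4, severity="Medium"),              # four or more Medium+ findings
    ThresholdCondition(count=2, vuln_type="xss-reflected"),      # two or more reflected XSS
]

if __name__ == "__main__":
    for c in SAMPLE_CONDITIONS:
        print(c, "->", matching_count(c, SAMPLE_FINDINGS), "match(es), hit:", condition_hit(c, SAMPLE_FINDINGS))
    print("build passes:", build_passes(SAMPLE_CONDITIONS, SAMPLE_FINDINGS))
```

On the sample data the Critical condition and the reflected-XSS condition are met while the Medium-or-higher condition (three matches, threshold four) is not, so the build fails. Raising a condition's count or narrowing its severity is how you keep a noisy application from failing every build while still stopping on the findings you care about.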