Gradle plugin

The Contrast Gradle plugin is used to integrate the Contrast.jar with your build. It's capable of authenticating to Contrast, downloading the latest Java agent and verifying your build.

Note

Gradle is a build tool that utilizes build.gradle files to configure your applications. It's used to build, package, and test various types of applications.

Clone a sample web application

The easiest way to set up a project is to clone our sample Gradle-based web application. This application has been migrated from Maven to Gradle and relies on MongoDB.

  1. Install MongoDB and create its data directory.

    git clone https://github.com/Contrast-Security-OSS/Contrast-Sample-Gradle-Application
    brew install mongodb
    sudo mkdir -p /data/db
    brew services start mongodb
  2. The application is now ready to run. Open the Contrast-Sample-Gradle-Application/build.gradle file and scroll to the contrastConfiguration extension. All of these values except appName and serverName can be found in your personal keys in Contrast.

    contrastConfiguration {
        username = "username"
        apiKey = "apiKey"
        serviceKey = "serviceKey"
        apiUrl = "apiUrl"
        orgUuid = "orgUuid"
        appName = "editLATER"
        serverName = "editLATER"
    }
  3. Install the Contrast JAR file by calling the contrastInstall task. This installs the Contrast JAR in the project's build directory.

    cd path/to/Contrast-Sample-Gradle-Application
    gradle build -x test contrastInstall
  4. Run the application with the Java agent. The server starts.

    cd path/to/Contrast-Sample-Gradle-Application/build
    java -Dcontrast.agent.java.standalone_app_name=mytestapp -Dcontrast.server=mytestserver -jar libs/Contrast-Sample-Gradle-Application-0.0.1-SNAPSHOT.jar
  5. Check that the application is running at localhost:8080 and that the application shows up in Contrast.

  6. In Contrast, verify that an application with the app name you passed on the command line above is listed.

  7. In the Contrast-Sample-Gradle-Application project's build.gradle, edit the contrastConfiguration so that appName and serverName match the values you passed to the Java agent in the previous step.

    contrastConfiguration {
        username = "alreadySetup"
        apiKey = "alreadySetup"
        serviceKey = "alreadySetup"
        apiUrl = "alreadySetup"
        orgUuid = "alreadySetup"
        appName = "mytestapp"
        serverName = "mytestserver"
    }
  8. Run the verification task at any time to check for vulnerabilities.

    gradle build contrastVerify -x test

Configure the plugin

Use these parameters for the Gradle plugin to connect to Contrast and filter vulnerabilities. You can find many of them in your personal keys. The property name used in the contrastConfiguration block is given in parentheses where the sample configuration below shows it.

  • Contrast username (username): username/email for your user in Contrast.

  • Contrast service key (serviceKey): service key.

  • Contrast API key (apiKey): API key.

  • Contrast API URL (apiUrl): API URL to Contrast. Use app.contrastsecurity.com/Contrast/api if you are a hosted customer.

  • Contrast organization UUID (orgUuid): organization UUID.

  • Application name (appName): name of the application you set with -Dcontrast.agent.java.standalone_app_name. This is used to filter for your application.

  • Minimum severity level (minSeverity): minimum severity level to filter for (Note, Low, Medium, High, Critical). This property is inclusive.

  • Server name (serverName): name of the server you set with -Dcontrast.server.

  • JAR path: local path to the JAR file if you don't want to download the agent again.

Note

Even if your build succeeds, the plugin will fail the overall build if a vulnerability is found at or above the severity level set in the configuration.

Here is a sample configuration for the Contrast Gradle plugin.

buildscript {
  repositories {
    maven {
      url "https://plugins.gradle.org/m2/"
    }
  }
  dependencies {
    classpath "gradle.plugin.com.contrastsecurity:ContrastGradlePlugin:1.1.1"
  }
}

apply plugin: "com.contrastsecurity.contrastplugin"
contrastConfiguration {
    username = "test_user"
    apiKey = "testApiKey"
    serviceKey = "testServiceKey"
    apiUrl = "https://www.app.contrastsecurity.com/Contrast/api"
    orgUuid = "QWER-ASDF-ZXCV-ERTY"
    appName = "Test Application"
    serverName = "jenkins.slave1"
    minSeverity = "Medium"
}
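The walkthrough above and the sample configuration both place the Contrast credentials directly in build.gradle, where they end up in version control. The following build.gradle is an added example (not the plugin's or the sample application's own code) that keeps the same contrastConfiguration block but reads the secrets from Gradle project properties or environment variables. The property names (contrastUsername, CONTRAST_USERNAME and so on) are assumptions chosen for this example; the plugin coordinates, extension name and setting names are the ones shown on this page.

```groovy
buildscript {
  repositories {
    maven { url "https://plugins.gradle.org/m2/" }
  }
  dependencies {
    classpath "gradle.plugin.com.contrastsecurity:ContrastGradlePlugin:1.1.1"
  }
}

apply plugin: "com.contrastsecurity.contrastplugin"

// Resolve a setting from a Gradle project property (-PcontrastApiKey=... on the
// command line, or a line in ~/.gradle/gradle.properties outside the repository),
// falling back to an environment variable. Both names are assumptions for this example.
// The value is only mandatory when a contrast* task was actually requested, so
// "gradle clean" or "gradle build" still work on a machine without credentials.
def contrastSetting(String propName, String envName) {
  def value = project.findProperty(propName) ?: System.getenv(envName)
  def contrastTaskRequested = project.gradle.startParameter.taskNames.any { it.startsWith("contrast") }
  if (!value && contrastTaskRequested) {
    throw new GradleException("Missing Contrast setting: pass -P${propName} or set ${envName}")
  }
  return value ?: "unset"
}

contrastConfiguration {
  username    = contrastSetting("contrastUsername", "CONTRAST_USERNAME")
  apiKey      = contrastSetting("contrastApiKey", "CONTRAST_API_KEY")
  serviceKey  = contrastSetting("contrastServiceKey", "CONTRAST_SERVICE_KEY")
  apiUrl      = contrastSetting("contrastApiUrl", "CONTRAST_API_URL")
  orgUuid     = contrastSetting("contrastOrgUuid", "CONTRAST_ORG_UUID")
  // appName and serverName must match the -Dcontrast.agent.java.standalone_app_name
  // and -Dcontrast.server values the agent was started with.
  appName     = "Test Application"
  serverName  = "jenkins.slave1"
  // Inclusive threshold: Medium, High and Critical findings fail contrastVerify.
  minSeverity = "Medium"
}
```

On a CI runner, supply the CONTRAST_* variables from the job's secret store so they never appear in the checked-in build script.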

Use the plugin

The plugin code can be viewed in our GitHub repository. Here you can review the two tasks added by the plugin, contrastInstall and contrastVerify, and how they work.

The latest version of the plugin can be found on the Gradle plugin webpage.

contrastInstall

    Installs a Contrast Java agent to your local project. The plugin edits the org.gradle.jvmargs property in the gradle.properties file to launch the JVM with the Contrast agent. An application version, by which the vulnerabilities are filtered in the contrastVerify task, is generated during this task. The plugin generates the application version in the following order:

      • If your build is running in TravisCI, Contrast uses appName-$TRAVIS_BUILD_NUMBER.

      • If your build is running in CircleCI, Contrast uses appName-$CIRCLE_BUILD_NUM.

      • If your build is running in neither TravisCI nor CircleCI, Contrast generates one in the format appName-yyyyMMddHHmm.

contrastVerify

    Checks for new vulnerabilities in your web application.