Gradle plugin

The Contrast Gradle plugin integrates the Contrast JAR with your build. It can authenticate to Contrast, download the latest Java agent and verify your build.

Note

Gradle is a build tool that uses build.gradle files to configure your applications. It's used to build, package, and test various types of applications.

Clone a sample web application

The easiest way to set up a project is to clone our sample Gradle-based web application. This application has been migrated from Maven to Gradle and relies on MongoDB.

  1. Clone the application, install MongoDB and create the database path.

    git clone https://github.com/Contrast-Security-OSS/Contrast-Sample-Gradle-Application
    brew install mongodb
    sudo mkdir -p /data/db
    brew services start mongodb
  2. The application is now ready to run. Open the Contrast-Sample-Gradle-Application/build.gradle file and scroll to the contrastConfiguration extension. All of the values except appName and serverName can be found under your personal keys in Contrast.

    contrastConfiguration {
        username = "username"
        apiKey = "apiKey"
        serviceKey = "serviceKey"
        apiUrl = "apiUrl"
        orgUuid = "orgUuid"
        appName = "editLATER"
        serverName = "editLATER"
    }
  3. Install the Contrast JAR file by calling the contrastInstall task. This installs the Contrast JAR in the project's build directory.

    cd path/to/Contrast-Sample-Gradle-Application
    gradle build -x test contrastInstall
  4. Run the application with the Java agent. The server starts.

    cd path/to/Contrast-Sample-Gradle-Application/build
    java -Dcontrast.agent.java.standalone_app_name=mytestapp -Dcontrast.server=mytestserver -jar libs/Contrast-Sample-Gradle-Application-0.0.1-SNAPSHOT.jar
  5. Check that the application is running at localhost:8080 and that the application shows up in Contrast.

  6. In Contrast, verify that the application with the application name specified in the command above shows up.

  7. In the Contrast-Sample-Gradle-Application project's build.gradle, edit the contrastConfiguration so that appName and serverName match the values passed as options to the Java agent in step 4.

    contrastConfiguration {
        username = "alreadySetup"
        apiKey = "alreadySetup"
        serviceKey = "alreadySetup"
        apiUrl = "alreadySetup"
        orgUuid = "alreadySetup"
        appName = "mytestapp"
        serverName = "mytestserver"
    }
  8. Run the verification task at any time to check for vulnerabilities.

    gradle build contrastVerify -x test

Use the plugin

The plugin code can be viewed in our GitHub repository. Here you can review the two tasks added by the plugin, contrastInstall and contrastVerify, and how they work.

The latest version of the plugin can be found on the Gradle plugin webpage.

Task: contrastInstall

Installs a Contrast Java agent into your local project. The plugin edits the org.gradle.jvmargs property in the gradle.properties file so that the JVM launches with the Contrast agent. This task also generates an application version, which the contrastVerify task uses to filter vulnerabilities. The plugin generates the application version in the following order:

  • If your build is running in TravisCI, Contrast uses appName-$TRAVIS_BUILD_NUMBER.

  • If your build is running in CircleCI, Contrast uses appName-$CIRCLE_BUILD_NUM.

  • If your build is running in neither TravisCI nor CircleCI, Contrast generates one in the format appName-yyyyMMddHHmm.
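The following POSIX shell script is an added example, not code from the Contrast plugin, that reproduces the version-naming order listed above and the kind of edit contrastInstall makes to gradle.properties, so you can see what the task will leave behind before running it in CI. It assumes CI detection is done through the TRAVIS_BUILD_NUMBER and CIRCLE_BUILD_NUM environment variables, that the agent is wired in with -javaagent, and that the version is passed as -Dcontrast.override.appversion; the agent path and property names are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not the plugin's own code). Assumptions: CI is detected via
# the TRAVIS_BUILD_NUMBER / CIRCLE_BUILD_NUM environment variables, the agent
# is attached with -javaagent, and the version property name is an assumption.

# contrast_app_version APP_NAME [NOW]
#   Applies the documented order: Travis CI, then CircleCI, then a
#   yyyyMMddHHmm timestamp. NOW overrides the timestamp (useful for tests).
contrast_app_version() {
    app="$1"
    now="${2:-$(date +%Y%m%d%H%M)}"
    if [ -n "${TRAVIS_BUILD_NUMBER:-}" ]; then
        printf '%s-%s\n' "$app" "$TRAVIS_BUILD_NUMBER"
    elif [ -n "${CIRCLE_BUILD_NUM:-}" ]; then
        printf '%s-%s\n' "$app" "$CIRCLE_BUILD_NUM"
    else
        printf '%s-%s\n' "$app" "$now"
    fi
}

# contrast_jvmargs AGENT_JAR APP_NAME SERVER_NAME APP_VERSION
#   Builds the JVM argument string. standalone_app_name and contrast.server
#   are the options used on this page; contrast.override.appversion is assumed.
contrast_jvmargs() {
    printf '%s %s %s %s\n' \
        "-javaagent:$1" \
        "-Dcontrast.agent.java.standalone_app_name=$2" \
        "-Dcontrast.server=$3" \
        "-Dcontrast.override.appversion=$4"
}

# set_gradle_jvmargs FILE VALUE
#   Replaces an existing org.gradle.jvmargs line or appends one, so running
#   the install twice does not accumulate duplicate -javaagent flags.
set_gradle_jvmargs() {
    file="$1"
    value="$2"
    [ -f "$file" ] || : > "$file"
    grep -v '^org.gradle.jvmargs=' "$file" > "$file.tmp" || true
    printf 'org.gradle.jvmargs=%s\n' "$value" >> "$file.tmp"
    mv "$file.tmp" "$file"
}

# Demo on a scratch gradle.properties (constructed input, not a real project).
demo_dir=$(mktemp -d)
demo_props="$demo_dir/gradle.properties"
printf 'org.gradle.daemon=true\norg.gradle.jvmargs=-Xmx1g\n' > "$demo_props"
demo_version=$(contrast_app_version mytestapp 202001011200)
set_gradle_jvmargs "$demo_props" \
    "$(contrast_jvmargs build/contrast.jar mytestapp mytestserver "$demo_version")"
cat "$demo_props"
```

Because org.gradle.jvmargs is read by every Gradle JVM the project starts, treat the rewritten gradle.properties like any other build change and review the diff before committing it; the same review should keep the apiKey and serviceKey from the contrastConfiguration block out of version control.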

Task: contrastVerify

Checks for new vulnerabilities in your web application.