### Note

Gradle is a build tool that uses build.gradle files to configure your applications. It's used to build, package, and test various types of applications.

## Clone a sample web application

The easiest way to set up a project is to clone our sample Gradle-based web application. This application has been migrated from Maven to Gradle and relies on MongoDB.

1. Install and set up the database path.

```shell
git clone https://github.com/Contrast-Security-OSS/Contrast-Sample-Gradle-Application
brew install mongodb
sudo mkdir -p /data/db
brew services start mongodb
```

2. The application is ready to run. Open the Contrast-Sample-Gradle-Application/build.gradle file and scroll to the contrastConfiguration extension. All of the values except appName and serverName can be found in your personal keys.

```groovy
contrastConfiguration {
    apiKey = "apiKey"
    serviceKey = "serviceKey"
    apiUrl = "apiUrl"
    orgUuid = "orgUuid"
    appName = "editLATER"
    serverName = "editLATER"
}
```

3. Install the Contrast JAR file by running the contrastInstall task. This installs the Contrast JAR in the project's build directory.

```shell
cd path/to/Contrast-Sample-Gradle-Application
gradle build -x test contrastInstall
```

4. Run the application with the Java agent. The server starts.

```shell
cd path/to/Contrast-Sample-Gradle-Application/build
```

5. Check that the application is running at localhost:8080 and that the application shows up in Contrast.

6. In Contrast, verify that the application with the appname specified in the command above shows up.

7. In the Contrast-Sample-Gradle-Application project's build.gradle, edit contrastConfiguration so that appName and serverName match the values you passed as options to the Java agent in the previous step.

```groovy
contrastConfiguration {
    appName = "mytestapp"
    serverName = "mytestserver"
}
```

8. Run the verification task at any time to check for vulnerabilities.

```shell
gradle build contrastVerify -x test
```

## Configure the plugin

Use these parameters for the Gradle plugin to connect to Contrast and filter vulnerabilities. You can find many of them in your personal keys.

| Parameter | Description |
| --- | --- |
| Contrast service key | Service Key |
| Contrast API key | API Key |
| Contrast API URL | API URL to Contrast. Use app.contrastsecurity.com/Contrast/api if you are a hosted customer. |
| Contrast organization UUID | Organization UUID |
| Application name | Name of application you set with -Djava.standalone_app_name. This is used to filter for your application. |
| Minimum severity level | Minimum severity level to filter for (Note, Low, Medium, High, Critical). This property is inclusive. |
| Server name | Name of server you set with -Dcontrast.server |
| JAR path | Local path to the JAR file if you don't want to download the agent again |

### Note

Even if your build succeeds, the plugin will fail the overall build if a vulnerability is found at or above the severity level set in the configuration.

Here is a sample configuration for the Contrast Gradle plugin.

```groovy
buildscript {
    repositories {
        maven {
            // repository that hosts the Contrast Gradle plugin
        }
    }
    dependencies {
        // classpath dependency on the Contrast Gradle plugin
    }
}

apply plugin: "com.contrastsecurity.contrastplugin"

contrastConfiguration {
    apiKey = "testApiKey"
    serviceKey = "testServiceKey"
    apiUrl = "https://www.app.contrastsecurity.com/Contrast/api"
    orgUuid = "QWER-ASDF-ZXCV-ERTY"
    appName = "Test Application"
    serverName = "jenkins.slave1"
    minSeverity = "Medium"
}
```
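The sample above hard-codes the API and service keys in build.gradle, which means they end up in version control. As an added example, not taken from the plugin's documentation or repository, the same extension configured from environment variables or Gradle properties instead; it assumes the buildscript block and apply plugin line from the sample are already present, and the CONTRAST_* variable names and contrast* property names are assumptions, while the contrastConfiguration keys are the plugin's own.

```groovy
// Added example: keep Contrast credentials out of build.gradle by resolving
// them from the environment or from Gradle properties (for example
// ~/.gradle/gradle.properties, which is outside the repository).
// CONTRAST_* and contrast* names are assumptions, not plugin conventions.

// Resolve one setting: environment variable first, then -P / gradle.properties.
// Fail the build early with a clear message rather than sending empty keys.
def contrastSetting(String envName, String propName) {
    def value = System.getenv(envName) ?: project.findProperty(propName)
    if (!value) {
        throw new GradleException("Missing Contrast setting: set ${envName} or -P${propName}")
    }
    return value.toString()
}

contrastConfiguration {
    apiKey      = contrastSetting('CONTRAST_API_KEY', 'contrastApiKey')
    serviceKey  = contrastSetting('CONTRAST_SERVICE_KEY', 'contrastServiceKey')
    apiUrl      = contrastSetting('CONTRAST_API_URL', 'contrastApiUrl')
    orgUuid     = contrastSetting('CONTRAST_ORG_UUID', 'contrastOrgUuid')
    // appName and serverName must match the values given to the Java agent;
    // they are not secrets, so plain defaults are acceptable here.
    appName     = project.findProperty('contrastAppName') ?: project.name
    serverName  = project.findProperty('contrastServerName') ?: 'local'
    minSeverity = 'Medium'
}
```

A CI system can then supply the four CONTRAST_* values as masked environment variables, and a developer can keep them in ~/.gradle/gradle.properties, with neither copy committed.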

## Use the plugin

The plugin code can be viewed in our GitHub repository. Here you can review the two tasks added by the plugin, contrastInstall and contrastVerify, and how they work.

### contrastInstall

Installs a Contrast Java agent to your local project. The plugin edits the org.gradle.jvmargs property in the gradle.properties file to launch the JVM with the Contrast agent. An application version, by which the vulnerabilities are filtered in the contrastVerify task, is generated during this task. The plugin generates the application version in the following order:

- If your build is running in TravisCI, Contrast uses appName-$TRAVIS_BUILD_NUMBER.
- If your build is running in CircleCI, Contrast uses appName-$CIRCLE_BUILD_NUM.
- If your build is running in neither TravisCI nor CircleCI, Contrast generates one in the format appName-yyyyMMddHHmm.

### contrastVerify

Checks for new vulnerabilities in your web application.