Define vulnerability security controls for pipelines in Jenkins

You can use the contrastAgent pipeline step to download the Contrast agent, then instrument and exercise your application. You can use the contrastVerification pipeline step to verify your application and set parameters for a security control.

Download with contrastAgent

A pipeline step with the name contrastAgent downloads the latest Contrast agent.

Parameter: profile
Required: Required
Description: Contrast connection profile used to communicate with Contrast.
Example: MyConnection

Parameter: outputDirectory
Required: Required
Description: Defines where to put the downloaded agent.
Example: env.WORKSPACE

Parameter: agentType
Required: Required if applicationId is not defined.
Description: Type of agent used to instrument the application (not case sensitive). Options are: Java, .NET, .NET_Core, Node, Ruby, Python.
Example: Java

Here is an example of how to add a pipeline step with the name contrastAgent:

    node {
      stage('Download Latest Contrast Agent') {
        contrastAgent profile: 'MyConnection', outputDirectory: env.WORKSPACE, agentType: 'Java'
      }
    }

Verify application with contrastVerification

You can use a pipeline step with the name contrastVerification to verify whether an application is vulnerable.

Parameter: profile
Required: Required
Description: Use profile to specify the connection used to communicate with Contrast.
Example: Contrast Connection

Parameter: queryBy
Required: Required
Description: Use queryBy to filter build-related vulnerabilities. Enter the option number for how you want to query vulnerabilities (defaults to 1). For options 1, 2 and 4, this value must match the contrast.override.appversion parameter that was passed to the Contrast agent when running your application.

  1. appVersionTag, format: applicationId-${BUILD_NUMBER}

  2. appVersionTag, format: applicationId-${JOB_NAME}-${BUILD_NUMBER}

  3. startDate (the build timestamp; only vulnerabilities discovered after the build starts are considered)

  4. APPVERSIONTAG (a job parameter or environment variable; select this option if you want to specify your own text, then export APPVERSIONTAG as an environment property within your Jenkins job; JOB_NAME and BUILD_NUMBER are already available as Jenkins environment properties)

Example: 1

Parameter: applicationId
Required: Required if applicationName and agentType are not defined.
Description: The ID of the application or application module you are trying to verify.
Example: cb3ea678-38c8-4487-ba94-692a117e7966

Parameter: applicationName
Required: Required if applicationId is not defined.
Description: The name of the application you are trying to verify (not case sensitive).
Example: MyApp

Parameter: count
Required: Optional
Description: The total number of allowed vulnerabilities (defaults to 0).
Example: 10

Parameter: rule
Required: Optional
Description: Defaults to All.
Example: xss

Parameter: severity
Required: Optional
Description: Defaults to All. Other options are Critical, High, Medium and Low.
Example: High

Parameter: appVersionTag
Required: Optional
Description: The value that was passed to the contrast.override.appversion parameter of the Contrast agent.
Example: v1.2.3

Here are some examples of how to add a pipeline step with the name contrastVerification:

  • Use queryBy startDate:

    contrastVerification applicationId: '1e6ad9c6-89d4-4f06-bdf6-92c569ec89de', count: 1, profile: 'new-profile', queryBy: 3, rule: 'cache-controls-missing', severity: 'High'

  • Use queryBy with a custom appVersionTag parameter:

    contrastVerification applicationId: '1e6ad9c6-89d4-4f06-bdf6-92c569ec89de', count: 1, profile: 'new-profile', queryBy: 4, appVersionTag: 'v1.2.3', rule: 'cache-controls-missing', severity: 'High'

  • Use applicationName and agentType to define the application:

    contrastVerification applicationName: 'MyApp', agentType: 'Java', count: 1, profile: 'new-profile', queryBy: 3, rule: 'cache-controls-missing', severity: 'High'

  • Verify an application with a preset or overridden vulnerability security control.

    If you know that the vulnerability security control has been preset in Contrast, you only need to define the profile and either the applicationId or (applicationName and agentType):

    contrastVerification applicationId: '35ae7b89-1c76-414b-b317-c444ce27608b', profile: 'ContrastConnection'
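The following scripted pipeline is an added example, not code from the Contrast documentation, showing the two steps working together: the tag passed to the agent via contrast.override.appversion is the same value contrastVerification queries with queryBy 4, so only findings from this build are counted. It assumes the downloaded agent jar is named contrast.jar, that the application is started from target/myapp.jar, and that a script ./exercise.sh drives the application's routes.

```groovy
// Added example (not from the Contrast docs). Assumed names: contrast.jar,
// target/myapp.jar and ./exercise.sh; replace them with your own.
node {
    // One build-specific tag shared by the agent run and the verification query.
    env.APPVERSIONTAG = "myapp-${env.JOB_NAME}-${env.BUILD_NUMBER}"

    stage('Download Latest Contrast Agent') {
        contrastAgent profile: 'MyConnection', outputDirectory: env.WORKSPACE, agentType: 'Java'
    }

    stage('Instrument and exercise') {
        // Start the app under the agent with contrast.override.appversion set to
        // the build tag, exercise it so the agent can observe its routes, then stop it.
        sh """
            java -javaagent:${env.WORKSPACE}/contrast.jar \\
                 -Dcontrast.override.appversion=${env.APPVERSIONTAG} \\
                 -jar target/myapp.jar &
            echo \$! > app.pid
            sleep 30                # assumed start-up time; adjust for your app
            ./exercise.sh           # constructed smoke test that hits the app's routes
            kill \$(cat app.pid)
        """
    }

    stage('Verify with Contrast') {
        // queryBy 4 filters on APPVERSIONTAG, so findings from earlier builds of
        // the same application do not fail this build. count defaults to 0, so a
        // single High-severity finding under this tag fails the stage.
        contrastVerification applicationName: 'MyApp', agentType: 'Java',
            profile: 'MyConnection', queryBy: 4, appVersionTag: env.APPVERSIONTAG,
            count: 0, severity: 'High'
    }
}
```

If the vulnerability security control is already preset in Contrast, the last stage can be reduced to the profile plus applicationId (or applicationName and agentType), as in the final example above.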