Jenkins is a continuous integration (CI) application that can be used to build, deploy and run applications. The Contrast Jenkins Plugin is a tool for integrating Contrast with your Jenkins CI instance. You can use it to test your connection to Contrast and verify your build with threshold conditions.
You can view the plugin code in Jenkins' GitHub repository. In the Jenkins dashboard, go to Manage Jenkins in the left sidebar, and select the Configure System page to find the "Contrast TeamServer" profiles section.
Contrast API settings enable the plugin to connect to Contrast and query for results. The plugin uses these settings to authenticate to Contrast and make API calls in post-build actions. Among the following requirements, you'll need a unique profile name to identify your configuration and use it in a specific job.
When you add a Contrast profile, use the Test TeamServer Connection button to test your connection and make sure that all the fields are accurate. Contrast prompts you if the test is successful, or gives an error message if it fails.
Once a connection is made, complete the following fields for Contrast Vulnerability Threshold Conditions.
You can add as many rules as you like. The plugin fails on the first bad condition and tells you on which condition it failed.
Note: Even if your build succeeds, the plugin fails the overall build if the test finds a bad condition.
Complete the following fields for Post-Build Actions.
When you add a Pipeline step with the name contrastVerification, it follows the same principles as the post-build action but in a newer format for Jenkins 2.0 improvements. Pipeline configuration:
contrastVerification applicationId: '1e6ad9c6-89d4-4f06-bdf6-92c569ec89de', count: 1, profile: 'new-profile', queryBy: 3, rule: 'cache-controls-missing', severity: 'High'
For the Jenkins plugin to get accurate information, you must add a unique identifier built from the Jenkins CI configuration as an agent property. The corresponding property for the Java agent is
The plugin can use either the unique identifier appVersionTag or the startDate to filter vulnerabilities and check conditions. You can change the format used by the plugin to create appVersionTag, or set the plugin to use startDate instead, with the queryBy pipeline parameter. Three options are available:
The queryBy option should match the contrast.override.appversion parameter you pass to the Contrast Java agent when running your application. If you use the third option (startDate), you aren't required to pass the contrast.override.appversion parameter to the Java agent.
BUILD_NUMBER are available as Jenkins environment properties.
This plugin adds functionality to Bamboo so that you can configure profiles for connecting to Contrast and verify builds against vulnerability thresholds.
The first step is to build the plugin. To begin, clone the plugin from our GitHub repository.
git clone https://github.com/Contrast-Security-OSS/contrast-bamboo-plugin.git
cd contrast-bamboo-plugin
mvn package
This builds the contrast-bamboo-plugin-#.#.#-SNAPSHOT.jar and the .obr file. You can find them both within the contrast-bamboo-plugin/target directory of the cloned project.
Once you've built the plugin, complete the following steps to upload it to your Bamboo instance.
When prompted to upload a file, select contrast-bamboo-plugin-#.#.#-SNAPSHOT.obr.
After uploading the plugin, you should see it appear under User-installed add-ons.
To use the plugin, you should configure a Contrast profile. To do this, complete the following steps.
Note: If you're a SaaS customer, you do not need to enter a Contrast URL.
A success notification will appear when a connection is established.
The plugin can be added as a task to build jobs to check for vulnerability conditions that you configure. This checks Contrast for the number of vulnerabilities in the applications as well as types of vulnerabilities.
To add a task to a build job, you must either create a new plan or use an existing build plan. For the purpose of these instructions, we walk through creating a new build plan.
The Tasks configuration screen relies on a Contrast profile, which you configured in the previous steps, as well as a server name, application name and a Passive parameter. The server name isn't required, but should correspond to a server name in Contrast if used. The application name must be on the designated server.
If you select the Passive parameter, the plugin will query all vulnerabilities, not only build-specific vulnerabilities, for the application. In this case, there is no need to run the application with its integration tests before the Contrast post-build action in the Bamboo build.
The next part of the task configuration is defining conditions for when to fail a build. This involves entering three pieces of data:
Note: Using the Any option means that any severity or vulnerability type is counted towards the maximum threshold count.
You can configure multiple conditions for each task by selecting the Add New Threshold Condition button.
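To make the threshold semantics concrete for both the Jenkins conditions (the plugin fails on the first bad condition and names it) and the Bamboo task (Passive scope, the Any wildcard, a maximum threshold count), here is an added Python model of the check; it is not the plugin's own code. The Vuln and Condition types, the sample vulnerabilities, the "<job>-<build>" appVersionTag format and treating count as the maximum number allowed are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

ANY = "Any"  # the "Any" option: matches every severity or vulnerability type

@dataclass(frozen=True)
class Vuln:
    severity: str         # e.g. "High"
    rule: str             # e.g. "cache-controls-missing"
    app_version_tag: str  # value the agent was given via contrast.override.appversion
    first_seen: datetime

@dataclass(frozen=True)
class Condition:
    count: int            # modelled as the maximum number of matching vulnerabilities allowed
    severity: str = ANY
    rule: str = ANY

def select_vulns(vulns, app_version_tag=None, start_date=None, passive=False):
    """Query scope: Passive takes every vulnerability of the application; otherwise only
    those tagged with this build's appVersionTag, or first seen since the build's startDate."""
    if passive:
        return list(vulns)
    if app_version_tag is not None:
        return [v for v in vulns if v.app_version_tag == app_version_tag]
    if start_date is not None:
        return [v for v in vulns if v.first_seen >= start_date]
    raise ValueError("query needs appVersionTag, startDate or passive=True")

def verify(vulns, conditions):
    """Check conditions in order, stopping at the first one exceeded and naming it."""
    for number, cond in enumerate(conditions, start=1):
        found = sum(1 for v in vulns
                    if cond.severity in (ANY, v.severity) and cond.rule in (ANY, v.rule))
        if found > cond.count:
            return False, (f"condition {number} failed: {found} vulnerabilities of severity "
                           f"{cond.severity} and type {cond.rule}, maximum allowed {cond.count}")
    return True, "all threshold conditions passed"

# Constructed sample data; the appVersionTag values follow a hypothetical "<job>-<build>" format.
SAMPLE_VULNS = [
    Vuln("High", "cache-controls-missing", "my-app-41", datetime(2024, 5, 1)),
    Vuln("High", "cache-controls-missing", "my-app-42", datetime(2024, 5, 2)),
    Vuln("Medium", "reflected-xss", "my-app-42", datetime(2024, 5, 2)),
    Vuln("Critical", "sql-injection", "my-app-40", datetime(2024, 4, 30)),
]
SAMPLE_CONDITIONS = [Condition(count=1, severity="High", rule="cache-controls-missing"),
                     Condition(count=2)]  # at most 2 of Any severity and Any type
BUILD_START = datetime(2024, 5, 2)  # constructed startDate for build 42
```

Scoping by appVersionTag or startDate passes the sample conditions, while the Passive scope pulls in the older build's finding and fails on condition 1, which is the difference between build-specific and application-wide checks described above.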
To run your build for the first time, you'll need to select the Run button and then in the dropdown select the Run Plan option.
Once the build is finished, you can see whether it passed or failed. To view the Contrast task details, look at the logs of the job to which the task is attached. In the following example, this is the default job. As you can see in the logs, the task only found two vulnerabilities that met your conditions, so the job passes.
You can also see charts of data from the task by clicking the Contrast Report tab. This presents the past 10 builds, charting both the severities and the vulnerability types by build number.