RedHatTraining/rht-labs-docs.git

Merge pull request #195 from rht-labs/exercise5/linting-coverage

acammies

2018-04-23 4db502bc5bfa7a5f3fdbcf9a34ea72cde5bbffcb

commit \| author \| age
916556	1
064b38	2	# The Non-Functionals Strike back
5277ca	3	> In this exercise we explore the non-functional side of testing.
43f2f2	4	_____
D	5
	6	## Learning Outcomes
	7	As a learner you will be able to
007b55	8	- Create additional Jenkins stages to scan for security vulnerabilities in the Apps
064b38	9	- Assess test quality by producing coverage reports as part of a build
007b55	10	- Improve code readability with linting
D	11	- Do some light performance testing to monitor throughput of APIs
43f2f2	12
D	13	## Tools and Frameworks
007b55	14	> Below is a collection of the frameworks that will be used in this lab
43f2f2	15
007b55	16	1. [eslint](https://eslint.org/) - ESLint is an open source JavaScript linting utility originally created by Nicholas C. Zakas in June 2013. Code linting is a type of static analysis that is frequently used to find problematic patterns or code that doesn’t adhere to certain style guidelines. There are code linters for most programming languages, and compilers sometimes incorporate linting into the compilation process.
43f2f2	17
D	18	## Big Picture
	19	This exercise begins cluster containing blah blah
	20
	21	_____
	22
	23	## 10,000 Ft View
064b38	24	> This lesson will use the Exercise 4's Zap Slave and Arachni scanner to improve the pipeline. Linting will be included in the build and code coverage too.
43f2f2	25
007b55	26	2. Add a parallel stage after the e2e tests on the front end to run OWASP Zap and Arachni against the deployed apps.
43f2f2	27
007b55	28	2. Add Code Coverage reporing to the build for gaining greater insight into test improvements.
D	29
	30	2. Add `npm run lint:ci` to the Frontend and report the result using the Checkstyle Plugin in Jenkins.
	31
	32	2. Create a new Jenkins job to run some light performance testing against the API layer using the perf tests tasks.
43f2f2	33
D	34	## Step by Step Instructions
007b55	35	> This is a well structured guide with references to exact filenames and indications as to what should be done.
43f2f2	36
007b55	37	### Part 1 - Add Security scanning to the pipeline
dc377a	38	> _In this exercise the first of our non-functional testing is explored in the form of some security scanning. We will add the scans to our Jenkinsfile and have them run as new stages_
43f2f2	39
dc377a	40	2. Open the `todolist-fe` application's `Jenkinsfile` in your favourite editor. The file is stored in the root of the project.
D	41
	42	2. The file is layed out with a collection of stages that correspond to each part of our build as seen below. We will create a new stage to execute in parallel.
cd34aa	43	![stages](../images/exercise5/stages.png)
dc377a	44
064b38	45	2. Create a new Parallel Stage called `security scanning` underneath the `stage("e2e test") { }` section as shown below. The contents of the `e2e test` have been removed for simplicity.
dc377a	46	```groovy
D	47	stage("e2e test") {
	48	// ... stuff in here ....
	49	}
	50	stage("security scanning") {
	51	parallel {
	52	stage('OWASP Scan') {
	53
	54	}
	55	stage('Arachni Scan') {
	56
	57	}
	58	}
	59	}
43f2f2	60	```
dc377a	61
064b38	62	2. Let's start filling out the configuration for the OWASP Zap scan first. We will set the label to our slave created in previous exercise and a `when` condition of the master or develop branch.
dc377a	63	```groovy
D	64	stage('OWASP Scan') {
	65	agent {
	66	node {
	67	label "jenkins-slave-zap"
	68	}
	69	}
	70	when {
	71	expression { GIT_BRANCH ==~ /(.master\|.develop)/ }
	72	}
	73	}
43f2f2	74	```
dc377a	75
D	76	2. A command to run the tool by passing in the URL of the app we're going to test.
	77	```groovy
	78	stage('OWASP Scan') {
	79	agent {
	80	node {
	81	label "jenkins-slave-zap"
	82	}
	83	}
	84	when {
	85	expression { GIT_BRANCH ==~ /(.master\|.develop)/ }
	86	}
	87	steps {
	88	sh '''
	89	/zap/zap-baseline.py -r index.html -t ${E2E_TEST_ROUTE}
	90	'''
	91	}
	92	}
	93	```
	94
	95	2. Finally add the reporting for Jenkins in `post` hook of our Declarative Pipeline. This is to report the findings of the scan in Jenkins as a HTML report.
	96	```groovy
	97	stage('OWASP Scan') {
	98	agent {
	99	node {
	100	label "jenkins-slave-zap"
	101	}
	102	}
	103	when {
	104	expression { GIT_BRANCH ==~ /(.master\|.develop)/ }
	105	}
	106	steps {
	107	sh '''
da9923	108	/zap/zap-baseline.py -r index.html -t http://${E2E_TEST_ROUTE}
dc377a	109	exit $?
D	110	'''
	111	}
	112	post {
	113	always {
	114	// publish html
	115	publishHTML target: [
	116	allowMissing: false,
	117	alwaysLinkToLastBuild: false,
	118	keepAll: true,
	119	reportDir: '/zap/wrk',
	120	reportFiles: 'index.html',
	121	reportName: 'Zap Branniscan'
	122	]
	123	}
	124	}
	125	}
	126	```
	127
064b38	128	2. Let's add our Arachni Scan to the second part of the parallel block. The main difference between these sections is Jenkins will report an XML report too for failing the build accordingly. Below is the snippet for the Arachni scanning.
dc377a	129	```groovy
D	130	stage('Arachni Scan') {
	131	agent {
	132	node {
	133	label "jenkins-slave-arachni"
	134	}
	135	}
	136	when {
	137	expression { GIT_BRANCH ==~ /(.master\|.develop)/ }
	138	}
	139	steps {
	140	sh '''
da9923	141	/arachni/bin/arachni http://${E2E_TEST_ROUTE} --report-save-path=arachni-report.afr
dc377a	142	/arachni/bin/arachni_reporter arachni-report.afr --reporter=xunit:outfile=report.xml --reporter=html:outfile=web-report.zip
D	143	unzip web-report.zip -d arachni-web-report
	144	'''
	145	}
	146	post {
	147	always {
	148	junit 'report.xml'
	149	publishHTML target: [
	150	allowMissing: false,
	151	alwaysLinkToLastBuild: false,
	152	keepAll: true,
	153	reportDir: 'arachni-web-report',
	154	reportFiles: 'index.html',
	155	reportName: 'Arachni Web Crawl'
	156	]
	157	}
	158	}
	159	}
	160	```
	161
7c2c91	162	2. With this config in place run a build on Jenkins. To do this; commit your code (from your terminal):
D	163	```bash
	164	$ git add .
	165	$ git commit -m "ADD - security scanning tools to pipeline"
	166	$ git push
	167	```
	168
	169	2. Once the Jobs have completed; navigate to the Jobs status and see the scores. You can find the graphs and test reports on overview of the Job. Explore the results!
cd34aa	170	![report-arachni](../images/exercise5/report-arachni.png)
D	171	![jenkins-arachni](../images/exercise5/jenkins-arachni.png)
	172
	173	<p class="tip">
	174	NOTE - your build may have failed but the reports should still be generated!
	175	</p>
43f2f2	176
007b55	177	### Part 2 - Add Code Coverage & Linting to the pipeline
dabc6f	178	> _Let's continue to enhance our pipeline with some non-functional testing. Static code analysis and testing coverage reports can provide a useful indicator on code quality and testing distribution_
43f2f2	179
dabc6f	180	3. Coverage reports are already being generated as part of the tests. We can have Jenkins produce a HTML report showing in detail where our testing is lacking. Open the `todolist-fe` in your favourite editor.
D	181
	182	3. Open the `Jenkinsfile` in the root of the project; move to the `stage("node-build"){ ... }` section. In the post section add a block for producing a `HTML` report as part of our builds.
	183	```groovy
	184	// Post can be used both on individual stages and for the entire build.
	185	post {
	186	always {
	187	archive "**"
	188	junit 'test-report.xml'
	189	// publish html
	190	publishHTML target: [
	191	allowMissing: false,
	192	alwaysLinkToLastBuild: false,
	193	keepAll: true,
	194	reportDir: 'reports/coverage',
	195	reportFiles: 'index.html',
	196	reportName: 'Code Coverage'
	197	]
	198	}
	199	```
	200
8c2b86	201	3. We will add a new step to our `stage("node-build"){ }` section to lint the Javascript code. After the `npm install`; add a command to run the linting.
dabc6f	202	```groovy
D	203	echo '### Install deps ###'
	204	sh 'npm install'
	205	echo '### Running linting ###'
	206	sh 'npm run lint:ci'
	207	```
	208
	209	3. Save the `Jenkinsfile` and commit it to trigger a build with some more enhancements.
	210	```bash
	211	$ git add .
	212	$ git commit -m "ADD - linting and coverage to the pipeline"
	213	$ git push
	214	```
	215
5277ca	216	3. To view the resulting graph; go to the job's build page and open the `Code Coverage` report from the nav bar on the side. Open the report to drill down into detail of where testing coverage could be improved!
D	217	![report-coverage](../images/exercise5/report-coverage.png)
	218	<p class="tip">
	219	NOTE - a good practice for teams is to try and increase the code coverage metrics over the life of a project. Teams will often start low and use practices such as retrospective to increase the quality at specific times.
	220	</p>
	221
dabc6f	222	3. (Optional Step) - Install the Checkstyle plugin; and add `checkstyle pattern: 'eslint-report.xml'` below the `publishHTML` block to add reporting to Jenkins!
D	223
5277ca	224	### Part 3 - Nightly light performance testing
D	225	> _In this exercise, we will execute the light performance tasks in our API to collect data about throughtput time in hopes if the API ever has some `Sam` quality code checked in, we will spot it_
dabc6f	226
5277ca	227	4. Create a new Item on Jenkins, `nightly-perf-test`
D	228
	229	4. Set the label for where this job can execute to the `jenkins-slave-npm` one used by the build jobs previously.
	230
	231	4. In the SCM section; set the project to use the `todolist-api` git project. Set the credentials accordingly.
	232
964d34	233	4. Create a step to execute shell and add the following to it, replacing `<YOUR_NAME>` and `somedomain` as expected. We will just test the `create` and `show` API for the moment. We are grabbing the response code of the perf-test to keep Jenkins running both shells steps and then exiting with whichever fails:
5277ca	234	```bash
D	235	export E2E_TEST_ROUTE=todolist-api-<YOUR_NAME>-dev.apps.somedomain.com
	236	npm install
	237	set +e
	238	npm run perf-test:create
	239	rc1=$?
	240	npm run perf-test:show
	241	rc2=$?
	242	set -e
	243	exit $(($rc1 \| $rc2))
	244	```
	245
	246	4. On the Post Build actions section we will plot the data from the perf tests in Jenkins. Add a `Post-build Action > Plot Build Data`.
	247
964d34	248	4. On the new dialog, name the Plot group eg `benchmark-tests` and add `create-api` as the Plot title. Set the `Number of Builds to Include` to a large number like `100`. Set the Data Series file to be `reports/server/perf/create-perf-score.csv` and mark the Load data from CSV checkbox. Apply those changes
5277ca	249	![jenkins-plot](../images/exercise5/jenkins-plot.png)
D	250
	251	4. Hit `Add Plot` to add another. Fill out the information again but this time setting the Plot title to `show-api`. Keep the Plot group the same as before: `bench-tests`. Set the Data Series file to be `reports/server/perf/show-perf-score.csv` and mark the `Load data from CSV checkbox`. Save those changes and run the job (Job could take a while to execute!).
	252
	253	4. Run it a few times to start to generate the data points on the plot. The `bench-tests` plot is available on the job's homepage
	254	![result-plot](../images/exercise5/result-plot.png)
43f2f2	255
D	256	_____
	257
	258	## Extension Tasks
	259	> _Ideas for go-getters. Advanced topic for doers to get on with if they finish early. These will usually not have a solution and are provided for additional scope._
	260
dabc6f	261	- Enhance the `todolist-api` with the security scanning tools as you've done for the `todolist-api`
D	262	- Enhance the `todolist-api` with the coverage reporting as you've done for `todolist-api`
007b55	263	- Add Black Duck or other package scanning tooling for our NodeJS app
D	264	- Add Container Vulnerability scanning tooling to the pipeline
5277ca	265	- Add `Stryker` to create mutants and do additional non functional testing of the App
dabc6f	266	- Add the Checkstyle plugin to Jenkins for reporting scores
43f2f2	267
D	268	## Additional Reading
	269	> List of links or other reading that might be of use / reference for the exercise
	270
	271	## Slide links
	272	> link back to the deck for the supporting material