RedHatTraining/rht-labs-docs.git

donal

2018-04-23 8c2b86b04efd65b43daa64d8d3a1e1d3a9605837

commit \| author \| age
007b55	1	# The Non Functionals Strike back
5277ca	2	> In this exercise we explore the non-functional side of testing.
43f2f2	3	_____
D	4
	5	## Learning Outcomes
	6	As a learner you will be able to
007b55	7	- Create additional Jenkins stages to scan for security vulnerabilities in the Apps
D	8	- Assess test quiality by producing coveage reports as part of a build
	9	- Improve code readability with linting
	10	- Do some light performance testing to monitor throughput of APIs
43f2f2	11
D	12	## Tools and Frameworks
007b55	13	> Below is a collection of the frameworks that will be used in this lab
43f2f2	14
007b55	15	1. [eslint](https://eslint.org/) - ESLint is an open source JavaScript linting utility originally created by Nicholas C. Zakas in June 2013. Code linting is a type of static analysis that is frequently used to find problematic patterns or code that doesn’t adhere to certain style guidelines. There are code linters for most programming languages, and compilers sometimes incorporate linting into the compilation process.
43f2f2	16
D	17	## Big Picture
	18	This exercise begins cluster containing blah blah
	19
	20	_____
	21
	22	## 10,000 Ft View
007b55	23	> This lesson will use the Exerisise 4's Zap Slave and Arachni scanner to improve the pipeline. Linting will be included in the build and code coverage too.
43f2f2	24
007b55	25	2. Add a parallel stage after the e2e tests on the front end to run OWASP Zap and Arachni against the deployed apps.
43f2f2	26
007b55	27	2. Add Code Coverage reporing to the build for gaining greater insight into test improvements.
D	28
	29	2. Add `npm run lint:ci` to the Frontend and report the result using the Checkstyle Plugin in Jenkins.
	30
	31	2. Create a new Jenkins job to run some light performance testing against the API layer using the perf tests tasks.
43f2f2	32
D	33	## Step by Step Instructions
007b55	34	> This is a well structured guide with references to exact filenames and indications as to what should be done.
43f2f2	35
007b55	36	### Part 1 - Add Security scanning to the pipeline
dc377a	37	> _In this exercise the first of our non-functional testing is explored in the form of some security scanning. We will add the scans to our Jenkinsfile and have them run as new stages_
43f2f2	38
dc377a	39	2. Open the `todolist-fe` application's `Jenkinsfile` in your favourite editor. The file is stored in the root of the project.
D	40
	41	2. The file is layed out with a collection of stages that correspond to each part of our build as seen below. We will create a new stage to execute in parallel.
cd34aa	42	![stages](../images/exercise5/stages.png)
dc377a	43
D	44	2. Create a new Parallel Stage called `security scanning` underneath the `stage("e2e test") { }` section as shown below. The contents of the `e2e test` has been removed for simplicity.
	45	```groovy
	46	stage("e2e test") {
	47	// ... stuff in here ....
	48	}
	49	stage("security scanning") {
	50	parallel {
	51	stage('OWASP Scan') {
	52
	53	}
	54	stage('Arachni Scan') {
	55
	56	}
	57	}
	58	}
43f2f2	59	```
dc377a	60
D	61	2. Let's start filling out the configuration for the OWASP Zap scan first. We will set the label to our slave created in previous exercise and a when condition of the mater or develop branch.
	62	```groovy
	63	stage('OWASP Scan') {
	64	agent {
	65	node {
	66	label "jenkins-slave-zap"
	67	}
	68	}
	69	when {
	70	expression { GIT_BRANCH ==~ /(.master\|.develop)/ }
	71	}
	72	}
43f2f2	73	```
dc377a	74
D	75	2. A command to run the tool by passing in the URL of the app we're going to test.
	76	```groovy
	77	stage('OWASP Scan') {
	78	agent {
	79	node {
	80	label "jenkins-slave-zap"
	81	}
	82	}
	83	when {
	84	expression { GIT_BRANCH ==~ /(.master\|.develop)/ }
	85	}
	86	steps {
	87	sh '''
	88	/zap/zap-baseline.py -r index.html -t ${E2E_TEST_ROUTE}
	89	'''
	90	}
	91	}
	92	```
	93
	94	2. Finally add the reporting for Jenkins in `post` hook of our Declarative Pipeline. This is to report the findings of the scan in Jenkins as a HTML report.
	95	```groovy
	96	stage('OWASP Scan') {
	97	agent {
	98	node {
	99	label "jenkins-slave-zap"
	100	}
	101	}
	102	when {
	103	expression { GIT_BRANCH ==~ /(.master\|.develop)/ }
	104	}
	105	steps {
	106	sh '''
da9923	107	/zap/zap-baseline.py -r index.html -t http://${E2E_TEST_ROUTE}
dc377a	108	exit $?
D	109	'''
	110	}
	111	post {
	112	always {
	113	// publish html
	114	publishHTML target: [
	115	allowMissing: false,
	116	alwaysLinkToLastBuild: false,
	117	keepAll: true,
	118	reportDir: '/zap/wrk',
	119	reportFiles: 'index.html',
	120	reportName: 'Zap Branniscan'
	121	]
	122	}
	123	}
	124	}
	125	```
	126
	127	2. Let's add our Arachni Scann to the second part of the parallel block. The main difference between these sections is Jenkins will report an XML report too for failing the build accordingly. Below is the snippet for the Arachni scanning.
	128	```groovy
	129	stage('Arachni Scan') {
	130	agent {
	131	node {
	132	label "jenkins-slave-arachni"
	133	}
	134	}
	135	when {
	136	expression { GIT_BRANCH ==~ /(.master\|.develop)/ }
	137	}
	138	steps {
	139	sh '''
da9923	140	/arachni/bin/arachni http://${E2E_TEST_ROUTE} --report-save-path=arachni-report.afr
dc377a	141	/arachni/bin/arachni_reporter arachni-report.afr --reporter=xunit:outfile=report.xml --reporter=html:outfile=web-report.zip
D	142	unzip web-report.zip -d arachni-web-report
	143	'''
	144	}
	145	post {
	146	always {
	147	junit 'report.xml'
	148	publishHTML target: [
	149	allowMissing: false,
	150	alwaysLinkToLastBuild: false,
	151	keepAll: true,
	152	reportDir: 'arachni-web-report',
	153	reportFiles: 'index.html',
	154	reportName: 'Arachni Web Crawl'
	155	]
	156	}
	157	}
	158	}
	159	```
	160
7c2c91	161	2. With this config in place run a build on Jenkins. To do this; commit your code (from your terminal):
D	162	```bash
	163	$ git add .
	164	$ git commit -m "ADD - security scanning tools to pipeline"
	165	$ git push
	166	```
	167
	168	2. Once the Jobs have completed; navigate to the Jobs status and see the scores. You can find the graphs and test reports on overview of the Job. Explore the results!
cd34aa	169	![report-arachni](../images/exercise5/report-arachni.png)
D	170	![jenkins-arachni](../images/exercise5/jenkins-arachni.png)
	171
	172	<p class="tip">
	173	NOTE - your build may have failed but the reports should still be generated!
	174	</p>
43f2f2	175
007b55	176	### Part 2 - Add Code Coverage & Linting to the pipeline
dabc6f	177	> _Let's continue to enhance our pipeline with some non-functional testing. Static code analysis and testing coverage reports can provide a useful indicator on code quality and testing distribution_
43f2f2	178
dabc6f	179	3. Coverage reports are already being generated as part of the tests. We can have Jenkins produce a HTML report showing in detail where our testing is lacking. Open the `todolist-fe` in your favourite editor.
D	180
	181	3. Open the `Jenkinsfile` in the root of the project; move to the `stage("node-build"){ ... }` section. In the post section add a block for producing a `HTML` report as part of our builds.
	182	```groovy
	183	// Post can be used both on individual stages and for the entire build.
	184	post {
	185	always {
	186	archive "**"
	187	junit 'test-report.xml'
	188	// publish html
	189	publishHTML target: [
	190	allowMissing: false,
	191	alwaysLinkToLastBuild: false,
	192	keepAll: true,
	193	reportDir: 'reports/coverage',
	194	reportFiles: 'index.html',
	195	reportName: 'Code Coverage'
	196	]
	197	}
	198	```
	199
8c2b86	200	3. We will add a new step to our `stage("node-build"){ }` section to lint the Javascript code. After the `npm install`; add a command to run the linting.
dabc6f	201	```groovy
D	202	echo '### Install deps ###'
	203	sh 'npm install'
	204	echo '### Running linting ###'
	205	sh 'npm run lint:ci'
	206	```
	207
	208	3. Save the `Jenkinsfile` and commit it to trigger a build with some more enhancements.
	209	```bash
	210	$ git add .
	211	$ git commit -m "ADD - linting and coverage to the pipeline"
	212	$ git push
	213	```
	214
5277ca	215	3. To view the resulting graph; go to the job's build page and open the `Code Coverage` report from the nav bar on the side. Open the report to drill down into detail of where testing coverage could be improved!
D	216	![report-coverage](../images/exercise5/report-coverage.png)
	217	<p class="tip">
	218	NOTE - a good practice for teams is to try and increase the code coverage metrics over the life of a project. Teams will often start low and use practices such as retrospective to increase the quality at specific times.
	219	</p>
	220
dabc6f	221	3. (Optional Step) - Install the Checkstyle plugin; and add `checkstyle pattern: 'eslint-report.xml'` below the `publishHTML` block to add reporting to Jenkins!
D	222
5277ca	223	### Part 3 - Nightly light performance testing
D	224	> _In this exercise, we will execute the light performance tasks in our API to collect data about throughtput time in hopes if the API ever has some `Sam` quality code checked in, we will spot it_
dabc6f	225
5277ca	226	4. Create a new Item on Jenkins, `nightly-perf-test`
D	227
	228	4. Set the label for where this job can execute to the `jenkins-slave-npm` one used by the build jobs previously.
	229
	230	4. In the SCM section; set the project to use the `todolist-api` git project. Set the credentials accordingly.
	231
	232	4. Create a step to execute shell and add the following to it, replacting `<YOUR_NAME>` and `somedomain` as expected. We will just test the create and show API for the moment. We are grabbing the response code of the perf-rest to keep Jenkins running both shells steps and then exiting with whichever fails:
	233	```bash
	234	export E2E_TEST_ROUTE=todolist-api-<YOUR_NAME>-dev.apps.somedomain.com
	235	npm install
	236	set +e
	237	npm run perf-test:create
	238	rc1=$?
	239	npm run perf-test:show
	240	rc2=$?
	241	set -e
	242	exit $(($rc1 \| $rc2))
	243	```
	244
	245	4. On the Post Build actions section we will plot the data from the perf tests in Jenkins. Add a `Post-build Action > Plot Build Data`.
	246
	247	4. On the new dialog, name the Plot group eg `benchmark-tests` and add `create-api` as the Plot title. Set the Number of Builds to Include to a large number like `100`. Set the Data Series file to be `reports/server/perf/create-perf-score.csv` and mark the Load data from CSV checkbox. Apply those changes
	248	![jenkins-plot](../images/exercise5/jenkins-plot.png)
	249
	250	4. Hit `Add Plot` to add another. Fill out the information again but this time setting the Plot title to `show-api`. Keep the Plot group the same as before: `bench-tests`. Set the Data Series file to be `reports/server/perf/show-perf-score.csv` and mark the `Load data from CSV checkbox`. Save those changes and run the job (Job could take a while to execute!).
	251
	252	4. Run it a few times to start to generate the data points on the plot. The `bench-tests` plot is available on the job's homepage
	253	![result-plot](../images/exercise5/result-plot.png)
43f2f2	254
D	255	_____
	256
	257	## Extension Tasks
	258	> _Ideas for go-getters. Advanced topic for doers to get on with if they finish early. These will usually not have a solution and are provided for additional scope._
	259
dabc6f	260	- Enhance the `todolist-api` with the security scanning tools as you've done for the `todolist-api`
D	261	- Enhance the `todolist-api` with the coverage reporting as you've done for `todolist-api`
007b55	262	- Add Black Duck or other package scanning tooling for our NodeJS app
D	263	- Add Container Vulnerability scanning tooling to the pipeline
5277ca	264	- Add `Stryker` to create mutants and do additional non functional testing of the App
dabc6f	265	- Add the Checkstyle plugin to Jenkins for reporting scores
43f2f2	266
D	267	## Additional Reading
	268	> List of links or other reading that might be of use / reference for the exercise
	269
	270	## Slide links
	271	> link back to the deck for the supporting material