From dc377af68932c65dacaee87d2d1020b4f262930c Mon Sep 17 00:00:00 2001
From: donal <donalspring@gmail.com>
Date: Sun, 22 Apr 2018 22:41:53 +0200
Subject: [PATCH] WIP - adding scanners to build pipeline
---
exercises/5-non-functionals-strike-back/README.md | 128 +++++++++++++++++++++++++++++++++++++++++-
1 files changed, 123 insertions(+), 5 deletions(-)
diff --git a/exercises/5-non-functionals-strike-back/README.md b/exercises/5-non-functionals-strike-back/README.md
index d06c8e8..6ca0488 100644
--- a/exercises/5-non-functionals-strike-back/README.md
+++ b/exercises/5-non-functionals-strike-back/README.md
@@ -34,14 +34,131 @@
> This is a well structured guide with references to exact filenames and indications as to what should be done.
### Part 1 - Add Security scanning to the pipeline
-> _In this exercise the first of our non-functional testing is explored in the form of some security scanning_
+> _In this exercise the first of our non-functional testing is explored in the form of some security scanning. We will add the scans to our Jenkinsfile and have them run as new stages_
-2. Do thing using tool X.
-2. Insert blah into `file1.txt`
+2. Open the `todolist-fe` application's `Jenkinsfile` in your favourite editor. The file is stored in the root of the project.
+
+2. The file is layed out with a collection of stages that correspond to each part of our build as seen below. We will create a new stage to execute in parallel.
+
+
+2. Create a new Parallel Stage called `security scanning` underneath the `stage("e2e test") { }` section as shown below. The contents of the `e2e test` has been removed for simplicity.
+```groovy
+ stage("e2e test") {
+ // ... stuff in here ....
+ }
+ stage("security scanning") {
+ parallel {
+ stage('OWASP Scan') {
+
+ }
+ stage('Arachni Scan') {
+
+ }
+ }
+ }
```
-export SOME_THING=biscuits
+
+2. Let's start filling out the configuration for the OWASP Zap scan first. We will set the label to our slave created in previous exercise and a when condition of the mater or develop branch.
+```groovy
+stage('OWASP Scan') {
+ agent {
+ node {
+ label "jenkins-slave-zap"
+ }
+ }
+ when {
+ expression { GIT_BRANCH ==~ /(.*master|.*develop)/ }
+ }
+}
```
-2. Open console and navigate to `New Item` and click it 
+
+2. A command to run the tool by passing in the URL of the app we're going to test.
+```groovy
+stage('OWASP Scan') {
+ agent {
+ node {
+ label "jenkins-slave-zap"
+ }
+ }
+ when {
+ expression { GIT_BRANCH ==~ /(.*master|.*develop)/ }
+ }
+ steps {
+ sh '''
+ /zap/zap-baseline.py -r index.html -t ${E2E_TEST_ROUTE}
+ '''
+ }
+}
+```
+
+2. Finally add the reporting for Jenkins in `post` hook of our Declarative Pipeline. This is to report the findings of the scan in Jenkins as a HTML report.
+```groovy
+stage('OWASP Scan') {
+ agent {
+ node {
+ label "jenkins-slave-zap"
+ }
+ }
+ when {
+ expression { GIT_BRANCH ==~ /(.*master|.*develop)/ }
+ }
+ steps {
+ sh '''
+ /zap/zap-baseline.py -r index.html -t ${E2E_TEST_ROUTE}
+ exit $?
+ '''
+ }
+ post {
+ always {
+ // publish html
+ publishHTML target: [
+ allowMissing: false,
+ alwaysLinkToLastBuild: false,
+ keepAll: true,
+ reportDir: '/zap/wrk',
+ reportFiles: 'index.html',
+ reportName: 'Zap Branniscan'
+ ]
+ }
+ }
+}
+```
+
+2. Let's add our Arachni Scann to the second part of the parallel block. The main difference between these sections is Jenkins will report an XML report too for failing the build accordingly. Below is the snippet for the Arachni scanning.
+```groovy
+ stage('Arachni Scan') {
+ agent {
+ node {
+ label "jenkins-slave-arachni"
+ }
+ }
+ when {
+ expression { GIT_BRANCH ==~ /(.*master|.*develop)/ }
+ }
+ steps {
+ sh '''
+ /arachni/bin/arachni ${E2E_TEST_ROUTE} --report-save-path=arachni-report.afr
+ /arachni/bin/arachni_reporter arachni-report.afr --reporter=xunit:outfile=report.xml --reporter=html:outfile=web-report.zip
+ unzip web-report.zip -d arachni-web-report
+ '''
+ }
+ post {
+ always {
+ junit 'report.xml'
+ publishHTML target: [
+ allowMissing: false,
+ alwaysLinkToLastBuild: false,
+ keepAll: true,
+ reportDir: 'arachni-web-report',
+ reportFiles: 'index.html',
+ reportName: 'Arachni Web Crawl'
+ ]
+ }
+ }
+ }
+```
+
+2. With this config in place run a build on Jenkins. Once the Jobs have completed; navigate to
### Part 2 - Add Code Coverage & Linting to the pipeline
> _prefix of exercise and why we're doing it_
@@ -55,6 +172,7 @@
- Add Black Duck or other package scanning tooling for our NodeJS app
- Add Container Vulnerability scanning tooling to the pipeline
+ - Add security scanning tools to the API
## Additional Reading
> List of links or other reading that might be of use / reference for the exercise
--
Gitblit v1.9.3