Thursday, May 30, 2019

Building an automated code-audit and component-audit platform with jenkins + fortify + dependency-check

Preface: https://www.masker.top/2018/01/blog-post_12.html
The previous post, written at the beginning of last year, went through the setup history but left out the concrete details; this post fills in that gap and covers everything that still needs saying, in order.

1. Download the three packages/archives: jenkins, fortify, and dependency-check. What they are, what they do, where to get them, and how to install and use them will not be repeated here; let's get to the point.
fortify can be installed with its defaults; dependency-check is an archive that only needs to be unpacked.

2. fortify displays and exports reports in English by default. To change this, edit the file
C:\Program Files\HP_Fortify\HP_Fortify_SCA_and_Apps_4.40\Core\config\fortify.properties and change "com.fortify.locale=en" to "com.fortify.locale=zh_CN".
On the Generate legacy report page used when exporting a report you can further edit and localize the content. For example, in the default report format's Executive Summary I changed the Issues Overview text to "On $SCAN_DATE$ we reviewed the source code of the $PROJECT_NAME$ project. The $SCAN_SUMMARY$ was scanned and reviewed for defects that could lead to potential security vulnerabilities. The analysis is summarized as follows";
You can also edit the xml files under C:\Program Files\HP_Fortify\HP_Fortify_SCA_and_Apps_4.40\Core\config\report to get the same effect;
To see which parameters fortify supports, open cmd in the \HP_Fortify_SCA_and_Apps_4.40\bin\ directory and run "sourceanalyzer.exe --help" to view the help text.

3. dependency-check is ready to use once unpacked; the first run must download its vulnerability database. The official site has documentation covering the commands and parameters.

4. After a default jenkins install, add plugins as needed; the default recommended set is sufficient. This project mainly needs the git plugin.
Take care of git account permissions, jenkins accounts, and security yourself; the parameters and other data jenkins exposes can be looked up online.

5. The invocation scripts used here are bat files; because of how bat works, the script is split into three parts.
Contents of jenkins-scan-part1.bat:
@echo off
rem WORKSPACE, JOB_BASE_NAME and BUILD_NUMBER are set by jenkins for every build
F:
cd %WORKSPACE%
set rootdir=%WORKSPACE%
set reportdir=F:\scanReport_workspace\%JOB_BASE_NAME%
set logdir=%reportdir%\log
set project=%JOB_BASE_NAME%
rem the substring offsets assume the system short-date format yyyy/MM/dd
set timestamp=%date:~0,4%%date:~5,2%%date:~8,2%
set language=UTF-8
set jdkversion=1.8

if not exist %reportdir% mkdir %reportdir%
if not exist %logdir% mkdir %logdir%
rem hand the timestamp and project name over to part2/part3 (no space before >, or the value gets a trailing blank)
echo %timestamp%>%logdir%\record_this_timestamp.txt
echo %project%>%logdir%\record_this_project.txt

::0 , clean
sourceanalyzer -b %project% -clean

::1 , translate
cd %rootdir%
sourceanalyzer -b %project% . -cp .\**\*.jar -64 -Xmx4G -jdk %jdkversion% --logfile %logdir%\%project%-%BUILD_NUMBER%-%timestamp%_t.log  -encoding %language%

::2 , scan
cd %rootdir%
set ts1=%date:~0,4%%date:~5,2%%date:~8,2%%time:~0,2%%time:~3,2%
echo %ts1% start scan
sourceanalyzer -b %project%  -64 -Xmx4G -scan -f %reportdir%\%project%-%BUILD_NUMBER%-%timestamp%.fpr --logfile %logdir%\%project%-%BUILD_NUMBER%-%timestamp%_scan.log  -encoding %language%
rem if not %BUILD_NUMBER%==1 set /p lastfpr=<%logdir%\record_this_fpr_name.txt
rem remember the previous build's fpr so its audit results can be merged into this one
if exist %logdir%\record_this_fpr_name.txt set /p lastfpr=<%logdir%\record_this_fpr_name.txt
echo %project%-%BUILD_NUMBER%-%timestamp%.fpr>%logdir%\record_this_fpr_name.txt
set ts2=%date:~0,4%%date:~5,2%%date:~8,2%%time:~0,2%%time:~3,2%
echo %ts2% scan finished

::3 , FPRUtility ,mergefpr
cd %reportdir%
rem if not %BUILD_NUMBER%==1 FPRUtility.bat -merge -project %project%-%BUILD_NUMBER%-%timestamp%.fpr -source %lastfpr% -f %project%-%BUILD_NUMBER%-%timestamp%.fpr
rem use call when invoking another .bat, otherwise control never returns to this script
if defined lastfpr (call FPRUtility.bat -merge -project %project%-%BUILD_NUMBER%-%timestamp%.fpr -source %lastfpr% -f %project%-%BUILD_NUMBER%-%timestamp%.fpr)


Contents of jenkins-scan-part2.bat:
@echo off
F:
set reportdir=F:\scanReport_workspace\%JOB_BASE_NAME%
set logdir=%reportdir%\log
cd F:\scanReport_workspace\%JOB_BASE_NAME%
rem read back the values part1 recorded, since each part runs as its own build step
set /p timestamp=<%logdir%\record_this_timestamp.txt
set /p project=<%logdir%\record_this_project.txt
rem report template (see step 2 for the xml templates under Core\config\report)
set xmltemplate=fortify_report.xml

::4 , reportgenerator
rem use call when invoking another .bat, otherwise control never returns to this script
call ReportGenerator.bat -format pdf -f %project%-%BUILD_NUMBER%-%timestamp%.pdf -source %project%-%BUILD_NUMBER%-%timestamp%.fpr -template %xmltemplate%

Contents of jenkins-scan-part3.bat:
@echo off
F:
set reportdir=F:\scanReport_workspace\%JOB_BASE_NAME%
set logdir=%reportdir%\log
cd F:\scanReport_workspace\%JOB_BASE_NAME%
set /p timestamp=<%logdir%\record_this_timestamp.txt
set /p project=<%logdir%\record_this_project.txt

::5 , record
rem append this build's fpr name to the global list, then remove the hand-over files
echo %project%-%BUILD_NUMBER%-%timestamp%.fpr>>F:\log.txt
del %logdir%\record_this_timestamp.txt
del %logdir%\record_this_project.txt

::6 , clean
sourceanalyzer -b %project% -clean

::7 , dependency check
rem --noupdate and --disableCentral use the locally cached database and skip the Maven Central lookup, so the database must be updated separately
rem use call when invoking another .bat, otherwise control never returns to this script
call F:\jenkins_script\dependency-check\bin\dependency-check.bat --project "%JOB_BASE_NAME%" --scan "%WORKSPACE%" --noupdate --out "F:\scanReport_workspace\%JOB_BASE_NAME%\%project%-%BUILD_NUMBER%-%timestamp%.html" --log "F:\scanReport_workspace\%JOB_BASE_NAME%\log\%project%-%BUILD_NUMBER%-%timestamp%-dependencycheck.log" --disableCentral


6. The scripts above define the relative and absolute paths for reading the source and exporting the reports; change the directories to suit your own setup.
To use them, create a new job, choose "Freestyle project", fill in the gitlab address, account, and branch under Source Code Management, add three build steps that execute the contents of jenkins-scan-part1/2/3.bat respectively, and configure the post-build actions (whether to delete the source, send email, and so on) as you see fit.

7. Click "Build Now" on the job's page to start the audit, then wait for the reports to be produced.
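The job as configured above only produces reports; nothing fails the build when the scans find something serious. The following build gate is an added example, not code from the original post or from Fortify or dependency-check. It assumes dependency-check is run with `--format JSON` (a real option) instead of the HTML report used above, and that the FPR is a zip archive containing audit.fvdl whose issues are `<Vulnerability>` elements with `InstanceInfo/InstanceSeverity` (element names as in the FVDL schema as I know it; check them against a real FPR). Both inputs embedded below are constructed samples. Run it as a fourth build step so that a non-zero exit code marks the jenkins build as failed.

```python
"""Build gate for the jenkins job above (added example, not part of the post).

Usage as a fourth build step after jenkins-scan-part3.bat:
    python scan_gate.py <dependency-check report .json> <fortify .fpr>
Assumptions (not from the post): dependency-check was run with --format JSON,
and the FPR zip contains audit.fvdl with <Vulnerability> elements carrying
InstanceInfo/InstanceSeverity.  Sample inputs below are constructed.
"""
import io
import json
import sys
import zipfile
import xml.etree.ElementTree as ET

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def dependency_check_findings(report_text, min_severity="HIGH"):
    """Return (fileName, id, severity) for each finding at or above min_severity."""
    floor = SEVERITY_RANK[min_severity.upper()]
    hits = []
    for dep in json.loads(report_text).get("dependencies", []):
        # dependencies without known issues carry no "vulnerabilities" key
        for vuln in dep.get("vulnerabilities") or []:
            sev = str(vuln.get("severity", "")).upper()
            if SEVERITY_RANK.get(sev, 0) >= floor:
                hits.append((dep.get("fileName"), vuln.get("name"), sev))
    return hits


def fortify_findings(fpr_bytes, min_severity=4.0):
    """Return (type, instance id, severity) for audit.fvdl issues at or above min_severity."""
    with zipfile.ZipFile(io.BytesIO(fpr_bytes)) as fpr:
        root = ET.fromstring(fpr.read("audit.fvdl"))
    # FVDL declares a default namespace; strip it so tag names compare cleanly
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    hits = []
    for vuln in root.iter("Vulnerability"):
        sev = float(vuln.findtext("InstanceInfo/InstanceSeverity", default="0"))
        if sev >= min_severity:
            hits.append((vuln.findtext("ClassInfo/Type"),
                         vuln.findtext("InstanceInfo/InstanceID"), sev))
    return hits


def gate(dc_report_text, fpr_bytes):
    """Exit status for jenkins: 0 lets the build pass, 1 marks it failed."""
    dc = dependency_check_findings(dc_report_text)
    fy = fortify_findings(fpr_bytes)
    for item in dc:
        print("dependency-check: %s %s %s" % item)
    for item in fy:
        print("fortify: %s %s %.1f" % item)
    return 1 if (dc or fy) else 0


# constructed sample inputs (not real scan output; the CVE ids are placeholders)
SAMPLE_DC_JSON = json.dumps({"dependencies": [
    {"fileName": "example-lib-1.0.jar",
     "vulnerabilities": [{"name": "CVE-EXAMPLE-0001", "severity": "HIGH"},
                         {"name": "CVE-EXAMPLE-0002", "severity": "LOW"}]},
    {"fileName": "example-util-2.3.jar"},
]})

SAMPLE_FVDL = """<?xml version="1.0" encoding="UTF-8"?>
<FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl">
 <Vulnerabilities>
  <Vulnerability>
   <ClassInfo><Type>SQL Injection</Type><DefaultSeverity>4.0</DefaultSeverity></ClassInfo>
   <InstanceInfo><InstanceID>AAAA1111</InstanceID><InstanceSeverity>4.0</InstanceSeverity></InstanceInfo>
  </Vulnerability>
  <Vulnerability>
   <ClassInfo><Type>Poor Style: Empty Catch Block</Type><DefaultSeverity>1.0</DefaultSeverity></ClassInfo>
   <InstanceInfo><InstanceID>BBBB2222</InstanceID><InstanceSeverity>1.0</InstanceSeverity></InstanceInfo>
  </Vulnerability>
 </Vulnerabilities>
</FVDL>
"""


def build_sample_fpr(fvdl_text=SAMPLE_FVDL):
    """Pack an FVDL document into an in-memory zip shaped like an FPR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("audit.fvdl", fvdl_text)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as dc_file, open(sys.argv[2], "rb") as fpr_file:
            sys.exit(gate(dc_file.read(), fpr_file.read()))
    # with no arguments, run against the constructed samples (exits 1: one HIGH CVE, one severity-4.0 issue)
    sys.exit(gate(SAMPLE_DC_JSON, build_sample_fpr()))
```

The thresholds are deliberately simple (dependency-check severity label, Fortify instance severity); Fortify's Critical/High priority in the report additionally weighs confidence and likelihood, so tune `min_severity` against what the PDF report shows before relying on it. dependency-check also has a native `--failOnCVSS` option that fails the run directly; the script is still useful for combining both tools' results into one verdict.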
