Integration Guide - WhiteSource/Jenkins (via Docker)

This guide describes the set-up process for integrating Whitesource and Jenkins with the ZeroNorth platform. Integrating with ZeroNorth provides automated, orchestrated scans of Jenkins build artifacts using Whitesource’s software composition analyzer, so that exposure to open-source vulnerabilities is managed continuously.

Prerequisites

The steps described in this document assume that the following are in place:

  • Whitesource account with a valid license and credentials
  • ZeroNorth platform license and credentials
  • Jenkins server with docker pipeline plugin
  • Connectivity from your Jenkins build server to ZeroNorth

Set up Whitesource for automatic scans

Invoking Whitesource scans via your ZeroNorth account is accomplished by using ZeroNorth’s Docker Integration image within a Jenkins CI/CD pipeline. This Docker image contains the utilities and APIs needed to interact with ZeroNorth and has access to all of the scanning tools you would normally reach through ZeroNorth’s web UI.

The procedure is as follows:

  1. A znADM user ensures that the whitesource-agent scenario is activated.
  2. As the Docker administrator, add your ZeroNorth credentials …[explain the rest here]
  3. Edit the Jenkinsfile of the target Jenkins project to invoke ZeroNorth via the ZeroNorth Docker Integration image. You will also add a .cybric.yml file to the matching code repository.
  4. Verify that the ZeroNorth scan is triggered and examine the scan output.

Your new WhiteSource/Jenkins integration auto-generates a Policy in ZeroNorth upon first invocation. The following sections describe the above procedure in detail.

1) Activate the Whitesource Scenario

View Whitesource - Activate Scenario.

2) Add Your ZeroNorth Credentials into Your Jenkins Installation

To allow Jenkins to connect to ZeroNorth and automatically invoke the Whitesource scan, supply your ZeroNorth credentials to your Jenkins project. See the article Integration Guide - Jenkins for details. Be sure to record the ID you used for this credential, as the value of the ID field will be used in the next step.

3) Configure the Target Jenkins Project

Add a .cybric.yml file to the root of your code repository with content similar to the sample file (download link at the bottom of this article).

Edit the Jenkinsfile of your target project by adding the lines that trigger a call to ZeroNorth (download link at the bottom of this article).
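The following declarative Jenkinsfile is an added example of the structure described above, not the downloadable sample from the article: a build stage followed by a stage that runs the zeronorth/integration image against the workspace with the credential bound by the ID recorded in step 2. It assumes the credential is stored as a Jenkins "Secret text" entry with the ID zeronorth-api-key, and the command executed inside the container is a labelled placeholder, because the image’s command-line interface is not documented on this page.

```groovy
pipeline {
  agent any

  stages {
    stage('Build') {
      steps {
        // Your existing build; its output in ${WORKSPACE} is what gets scanned.
        sh 'make'
      }
    }

    stage('ZeroNorth / Whitesource scan') {
      steps {
        // ASSUMPTION: the credential from step 2 is a "Secret text" entry with this ID.
        // withCredentials injects it as an environment variable and masks it in console
        // output, so the ZeroNorth secret never appears in the Jenkinsfile or the build log.
        withCredentials([string(credentialsId: 'zeronorth-api-key', variable: 'ZN_API_KEY')]) {
          script {
            // Docker Pipeline plugin: `docker run` pulls the image if it is not present
            // locally, and inside{} mounts the workspace at the same path in the container,
            // so the build artifacts are visible there as ${WORKSPACE}.
            docker.image('zeronorth/integration').inside {
              // PLACEHOLDER command (hypothetical): replace with the invocation from the
              // downloadable Jenkinsfile sample linked at the bottom of the article.
              sh 'zn-integration-placeholder --workspace "${WORKSPACE}"'
            }
          }
        }
      }
    }
  }

  post {
    always {
      // Keep the Jenkins artifacts regardless of scan outcome for later comparison
      // against the results shown in the ZeroNorth dashboards.
      archiveArtifacts artifacts: '**/*', allowEmptyArchive: true
    }
  }
}
```

Environment variables bound by withCredentials are propagated to sh steps executed within inside{}, so the container receives ZN_API_KEY without it being written to the repository.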

4) Test and Verify

With this new integration, each Jenkins build of your project will be followed immediately by:

  1. Pulling (if necessary) and instantiating the zeronorth/integration docker image.
  2. Uploading the result of the build from the ${WORKSPACE} to ZeroNorth.
  3. ZeroNorth then submits the uploaded build to Whitesource (because Whitesource is a fingerprint-based scanner, no code is actually sent to Whitesource).
  4. Whitesource scan results are then retrieved by ZeroNorth and displayed in the ZeroNorth dashboards.

Viewing Results

Go to znOPS > Policies. This dashboard is an inventory of your Scan Policies and their current states:

  1. Locate the desired Policy in the Policies list pane in the lower right.
  2. Click the icon to see the various Issues reports for a policy.
  3. Click the icon to see more options for a policy.

You can also use the various dashboards in znHUB.

Using ZeroNorth’s security Orchestration and Automation platform:

  • Integrate with security and DevOps tools across the development lifecycle.

  • Achieve continuous security assurance from code to deployment to infrastructure.

  • Maintain full visibility of your application security posture.

  • Optimize your investment in Whitesource solutions.

  • Sample CYBRIC_YML file.txt