Do a Maven OWASP Library Scan from a Restricted Network

When we talk about DevSecOps, we are talking about continuous integration and delivery with security scanning embedded along the way. One of the best tools for scanning your application's libraries is OWASP dependency-check, and thankfully we can embed it in our application and run it through the pipeline by using its Maven plugin.

There is a downside though: the OWASP Maven plugin needs to refresh its vulnerability database regularly from the online NVD feeds, which is not convenient for most enterprise environments where outbound network access is very limited.

But there is a workaround: we can use a repository manager such as Nexus or JFrog to proxy and host the NVD vulnerability database for us. The concept is shown in the diagram below,

Two repositories are needed to satisfy the Maven OWASP plugin: one for the NVD feeds used when scanning Java libraries, and another for the RetireJS data used for JavaScript.

Once both are in place, we can run the Maven OWASP scan against them with this command,

mvn org.owasp:dependency-check-maven:check -DfailBuildOnCVSS=8 \
 -DcveUrlModified=http://nexus.example.com/repository/nvd/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz \
 -DcveUrlBase=http://nexus.example.com/repository/nvd/feeds/json/cve/1.1/nvdcve-1.1-%d.json.gz \
 -DretireJsUrl=http://nexus.example.com/repository/retireJsUrl/jsrepository.json -DretireJsAnalyzerEnabled=false \
 -DossindexAnalyzerEnabled=false

If the build succeeds, we can see that both of our newly created repositories now contain multiple files (the feeds cached by the proxy),

And if it fails, we see this error:

If you want the build to pass regardless of the scan result, set the failBuildOnCVSS parameter to 11: the CVSS scale tops out at 10, so no finding can ever reach that threshold.
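A mirror that is reachable is not the same as a mirror that is current and intact: if the proxy serves stale or truncated feeds, the scan quietly runs against old data. The Python script below is an added example, not code from the original post or from dependency-check. It expands the plugin's %d year pattern into the list of feed URLs the plugin will request, and checks one mirrored feed against its NVD .meta file. It assumes the Nexus layout of the command above (nexus.example.com is a placeholder host) and that NVD's .meta files are key:value lines in which size and sha256 describe the uncompressed JSON. The feed and .meta it verifies are constructed inside the script so it runs offline.

```python
"""Integrity and freshness checks for an NVD feed mirror, as consumed by the
dependency-check Maven plugin through -DcveUrlBase / -DcveUrlModified.
Added example for this post; not code from the original text or from dependency-check."""
import gzip
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Mirror layout copied from the post's command; nexus.example.com is a placeholder host.
CVE_URL_BASE = "http://nexus.example.com/repository/nvd/feeds/json/cve/1.1/nvdcve-1.1-%d.json.gz"
CVE_URL_MODIFIED = "http://nexus.example.com/repository/nvd/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz"

# Fixed "current time" so the constructed sample below is reproducible.
SAMPLE_NOW = datetime(2021, 1, 11, 3, 0, tzinfo=timezone.utc)


def feed_urls(base, modified, first_year=2002, last_year=None):
    """Expand the plugin's %d year pattern into every feed URL it will request:
    one file per year from 2002 up to last_year, plus the 'modified' feed."""
    if last_year is None:
        last_year = datetime.now(timezone.utc).year
    return [base % year for year in range(first_year, last_year + 1)] + [modified]


def meta_url(feed_url):
    """The .meta file NVD publishes next to each feed (same name, .meta extension)."""
    return feed_url.replace(".json.gz", ".meta")


def parse_meta(text):
    """Parse an NVD .meta file: one key:value per line
    (lastModifiedDate, size, zipSize, gzSize, sha256)."""
    meta = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            meta[key.strip()] = value.strip()
    return meta


def verify_feed(gz_bytes, meta, now, max_age_days=7):
    """Return (ok, problems) for one mirrored feed.
    Assumption: size and sha256 in .meta describe the *uncompressed* JSON."""
    problems = []
    try:
        raw = gzip.decompress(gz_bytes)
    except (OSError, EOFError) as exc:
        return False, [f"not a valid gzip file: {exc}"]
    if hashlib.sha256(raw).hexdigest().upper() != meta.get("sha256", "").upper():
        problems.append("sha256 mismatch between feed and .meta")
    if str(len(raw)) != meta.get("size"):
        problems.append("size mismatch between feed and .meta")
    try:
        json.loads(raw)
    except ValueError:
        problems.append("feed is not valid JSON")
    last_modified = datetime.fromisoformat(meta["lastModifiedDate"])
    if now - last_modified > timedelta(days=max_age_days):
        problems.append(f"mirror is stale: last modified {last_modified.isoformat()}")
    return not problems, problems


def make_sample_mirror(now, age_days=0, items=()):
    """Constructed feed + .meta pair (not real NVD data) so the check runs offline.
    age_days backdates lastModifiedDate; items become the CVE_Items array."""
    payload = json.dumps({"CVE_data_type": "CVE", "CVE_Items": list(items)}).encode()
    modified = now - timedelta(days=age_days)
    meta_text = "\n".join([
        f"lastModifiedDate:{modified.isoformat()}",
        f"size:{len(payload)}",
        f"sha256:{hashlib.sha256(payload).hexdigest().upper()}",
    ])
    return gzip.compress(payload), meta_text


if __name__ == "__main__":
    for url in feed_urls(CVE_URL_BASE, CVE_URL_MODIFIED, last_year=SAMPLE_NOW.year)[-3:]:
        print(url, "->", meta_url(url))
    gz, meta_text = make_sample_mirror(SAMPLE_NOW)
    print("fresh, intact feed:", verify_feed(gz, parse_meta(meta_text), SAMPLE_NOW))
    gz_old, meta_old = make_sample_mirror(SAMPLE_NOW, age_days=30)
    print("stale feed:", verify_feed(gz_old, parse_meta(meta_old), SAMPLE_NOW))
```

To use it against a real mirror, fetch each URL from feed_urls() together with its meta_url() and pass the bytes and the parsed .meta to verify_feed(); a stale lastModifiedDate means the proxy is no longer pulling from NVD, which is the condition worth alerting on in the pipeline.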


[Openshift] Adding a NodeSelector on the Fly

This is a snippet for adding a specific nodeSelector to an rc (ReplicationController)

oc patch rc simple-helloworld -p '{"spec": {"template": {"spec": {"nodeSelector": {"infra": "my-infra-node"}}}}}' -n dev

The same patch should work for other types, such as Deployment or DeploymentConfig.


[Openshift] Changing revisionHistoryLimit on DeploymentConfig using OC Command

A DeploymentConfig on OpenShift, like a Deployment on Kubernetes, has a revisionHistoryLimit field that says how many old revisions it should keep. By default it stores the last 10 versions of the application deployment, but sometimes we have to keep fewer revisions to save storage space. Therefore we need to set a hard limit on the number of revisions allowed.

We can change it directly in the DeploymentConfig's YAML file, but for those who are allergic to YAML (such as me), the oc command is much more convenient. This is how I change an existing DeploymentConfig's configuration using the oc patch command

oc patch dc starter-v0 -p '{"spec":{"revisionHistoryLimit":2}}'

This reduces the number of retained revisions to the two previous versions,

And this is what happens when it is changed to a single version,

oc patch dc starter-v0 -p '{"spec":{"revisionHistoryLimit":1}}'


How to Display How Many Images are Available on Our Openshift Image Registry

OpenShift is a very convenient platform: not only does it provide an enterprise Kubernetes cluster, it also bundles its own image registry. So we can push images and deploy them to a namespace within our cluster in a timely manner. But there are times when I need to count how many images reside in my existing OpenShift cluster. After googling for quite some time, I found the solution and am writing it down here.

First we need to find our OpenShift image registry URL,

C:\>oc project default
Already on project "default" on server "https://console.example.com:8443".

C:\>oc get route
NAME               HOST/PORT                                                PATH      SERVICES           PORT       TERMINATION   WILDCARD
docker-registry    docker-registry-default.apps.example.com              docker-registry    5000-tcp   reencrypt     None
registry-console   registry-console-default.apps.example.com             registry-console   <all>      passthrough   None

Next, log in to the cluster with this command and enter the right username and password.

oc login https://console.example.com:8443 

Then get the login token,

oc whoami -t

Use both the username and the token to do a simple curl against your registry URL,

C:\>curl -X GET https://docker-registry-default.apps.example.com/v2/_catalog -k -u <my-username>:<my-token>

The response from that API lists the repositories available in your OpenShift image registry.
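The /v2/_catalog endpoint is paginated, so on a registry with many repositories a single curl returns only the first page and undercounts. The Python script below is an added example, not code from the original post or from OpenShift: it walks /v2/_catalog and each repository's tags/list by following the Link: rel="next" headers of the Registry v2 API, authenticates with the username and the oc whoami -t token as Basic auth just like the curl above, and verifies TLS against a CA file rather than switching verification off as -k does. The registry it counts offline is a constructed stand-in; the hostname is the one from the post.

```python
"""Count repositories and tags in a Docker Registry v2 API such as the
OpenShift integrated registry, following /v2/_catalog pagination.
Added example for this post; not part of OpenShift or the original text."""
import base64
import json
import re
import ssl
import urllib.request
from urllib.parse import parse_qs, urljoin, urlparse

LINK_NEXT = re.compile(r'<([^>]+)>\s*;\s*rel="?next"?')


def next_link(link_header):
    """Return the rel="next" URL from a registry Link header, or None."""
    if not link_header:
        return None
    match = LINK_NEXT.search(link_header)
    return match.group(1) if match else None


def list_all(fetch, url, key):
    """Walk a paginated registry endpoint, collecting the JSON array under key."""
    items, seen = [], set()
    while url and url not in seen:  # seen guards against a registry that loops on itself
        seen.add(url)
        body, link = fetch(url)
        items.extend(body.get(key) or [])
        nxt = next_link(link)
        url = urljoin(url, nxt) if nxt else None
    return items


def count_images(fetch, registry, page_size=100):
    """Return (repository names, {repository: [tags]}) for the whole registry."""
    repos = list_all(fetch, f"{registry}/v2/_catalog?n={page_size}", "repositories")
    tags = {r: list_all(fetch, f"{registry}/v2/{r}/tags/list?n={page_size}", "tags")
            for r in repos}
    return repos, tags


def http_fetcher(username, token, cafile=None):
    """Real fetcher: Basic auth with the oc whoami -t token, TLS verified
    against cafile (or the system trust store) instead of curl's -k."""
    ctx = ssl.create_default_context(cafile=cafile)
    auth = base64.b64encode(f"{username}:{token}".encode()).decode()

    def fetch(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {auth}"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp), resp.headers.get("Link")

    return fetch


# Constructed stand-in registry (not real data): five repositories, paged two at a time.
FAKE_REPOS = ["prod/app-a", "dev/app-a", "tools/ci", "dev/app-b", "prod/app-c"]
FAKE_TAGS = {"dev/app-a": ["latest", "1.0"], "dev/app-b": ["latest"],
             "prod/app-a": ["1.0", "1.1", "1.2"], "prod/app-c": [], "tools/ci": ["latest"]}


def fake_fetch(url):
    """Offline fetch() with the same (body, Link header) contract as http_fetcher."""
    parts = urlparse(url)
    query = parse_qs(parts.query)
    n = int(query.get("n", ["100"])[0])
    last = query.get("last", [None])[0]
    if parts.path == "/v2/_catalog":
        names = sorted(FAKE_REPOS)  # registries return the catalog lexically sorted
        start = names.index(last) + 1 if last else 0
        page = names[start:start + n]
        link = None
        if start + n < len(names):
            link = f'</v2/_catalog?n={n}&last={page[-1]}>; rel="next"'
        return {"repositories": page}, link
    match = re.fullmatch(r"/v2/(.+)/tags/list", parts.path)
    if match:
        return {"name": match.group(1), "tags": FAKE_TAGS[match.group(1)]}, None
    raise ValueError(f"unexpected registry path: {parts.path}")


if __name__ == "__main__":
    # Swap fake_fetch for http_fetcher("<my-username>", "<my-token>", cafile="ca.crt")
    # to count a real registry.
    repositories, tag_map = count_images(
        fake_fetch, "https://docker-registry-default.apps.example.com", page_size=2)
    print(f"{len(repositories)} repositories, {sum(map(len, tag_map.values()))} tags")
    for name in repositories:
        print(f"  {name}: {tag_map[name]}")
```

The count of repositories answers the "how many images" question at the level the catalog reports; tags/list is what tells you how many distinct image versions sit behind each name, which is usually the number that matters for storage and for tracking down which images are actually deployed.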


Creating a Simple Jenkinsfile Pipeline Script which Calls Another Jenkinsfile from Git

Sometimes we want to update some part of our Jenkins job, but if I have something like 50 jobs, does that mean I have to change fifty pipeline scripts one by one?

The solution is actually pretty straightforward: I can extract most of the Jenkinsfile script and put it on Git so that I can change it in one place. Here is the simple script that I put on my GitHub page

// simple.jenkinsfile: shared build and deploy stages, loaded by the calling pipeline.
stage('Build') {
	// The caller clones the application source next to this repository, under ../source
	dir("../source") {
		sh "mvn -v"
		sh "mvn clean package -f pom.xml"

		// -p so a re-run on the same agent does not fail when /tmp/app already exists
		sh "mkdir -p /tmp/app"

		// pick the first .jar or .war produced by the build
		def jarFile = sh(returnStdout: true, script: 'find target -maxdepth 1 -regextype posix-extended -regex ".+\\.(jar|war)\$" | head -n 1').trim()
		sh "cp ${jarFile} /tmp/app/app.jar"

		// The Dockerfile is stored as a Jenkins file credential; single quotes let the shell
		// expand $Dockerfile so the secret path is not interpolated into the Groovy string
		withCredentials([file(credentialsId: 'Dockerfile', variable: 'Dockerfile')]) {
			sh 'cp "$Dockerfile" /tmp/app/Dockerfile'
		}
	}
}
stage('Deploy') {
	// create the binary build once; "|| true" keeps the stage going when it already exists
	sh "oc new-build --name hello-world-3 --binary -n fuse-on-ocp-c8b3 || true"
	sh "oc start-build hello-world-3 --from-dir=/tmp/app/ -n fuse-on-ocp-c8b3 --follow --wait"
}

I put that Jenkins script on GitHub, https://github.com/edwin/jenkinsfile-example, and I call it on the fly from my existing project's pipeline script,

node('maven') {
	stage('Clone Pipeline') {
		sh "git config --global http.sslVerify false"
		sh "git clone https://github.com/edwin/jenkinsfile-example.git"
	}
	stage('Clone Code') {
		sh "git config --global http.sslVerify false"
		sh "git clone https://github.com/edwin/hello-world.git source"
	}
	stage('Start Run from Jenkinsfile on SCM') {
		// load runs the stages defined in the shared file inside this node
		dir("jenkinsfile-example") {
			load 'simple.jenkinsfile'
		}
	}
}

And this is the output,
