IBM Static Scan on Travis Integration
The Static Scan is performed on ICP-Cert-Manager, and it is automated using Travis. ICP-Cert-Manager scans are performed using the -oso flag since the repository is written in GoLang. The automation makes use of both the SAClientUtil (ASoC's Static Analyzer Client Utility) and the AppScan API. The build is built on top of an Ubuntu 14.04 machine.
When a Travis build is kicked off, the build will:
- Download the SAClientUtil tool
- Download the project repository to be scanned
- Run the SAClientUtil tool on the project repository (generating an .irx file)
- Use the ASoC API to push the .irx file to the AppScan website (link)
- Start the static analysis scan on the file
- You have an account on AppScan already. If you need an account, see instructions here.
- You have obtained an API Key and a Secret from the AppScan website.
- The file types in your project are supported by the ASoC tool. Static analyzer supported types and open source supported types
- Your repository is connected to Travis.
In the Configfile, change
- APP_NAME - The name of your application on the AppScan site.
- PROJECT_NAME - The name of your github repository.
In the Travis Settings, add
- API_KEY - your API Key used to access the AppScan click here to get it
- SECRET - the secret that was generated when you generate the API Key above
- Add your github SSH key to the SSH Key section if your repository requires an ssh key to clone.
If you have an application on the AppScan site, get your Application ID from the UI for the API
- Go to https://appscan.ibmcloud.com/swagger/ui/index#!/Apps/Apps_GetApps and filter for your application.
- Copy the JSON response from the UI into the app.json file.
If you don't already have an application on the AppScan site
- In the .travis.yml file, BEFORE "make run-scan" in the script section, add: - make create-app
- Make sure to change the app name to what you want to name it in the Configfile (see above).
If you also want to do static analysis scanning rather than just open-source scanning
flag="-oso"where it says
make generate-irxfrom the .travis.yml file.
The file used to conduct a Travis build. It calls make scripts from the Makefile in this folder to run the scripts needed to create the scan.
These are all the scripts necessary to perform the static source code scanning. Everything from the prerequisites to the final push of the .irx file can be found here.
The variables/constants used within the Makefile.
A simple python file for obtaining one JSON field from a JSON file. It's limited to JSON objects and will only extract the first object in a JSON array.
- Kicking off the build will only start the static source code scan on AppScan, but will not update you of the results automatically. You must go to the AppScan website to view your scan.
- The automation will not be able to query for an existing application on the AppScan site. Due to this constraint, if you already have an application on the AppScan site, make sure you update the app.json file as specified above in the Adoption section.