Travis CI x Kiuwan Integration



This is an integration between Travis and Kiuwan, there's a lot of moving objects to this - some declarative. What I've done is try to make the .travis.yml as simple as possible as this is the first time I personally know this has been done.

The process

In Travis, I told Travis to fetch the Local Analyzer, then went through Kiuwan's LA's documentation to make a command that checks the project. This project in particular is in TypeScript, below I'll share the .travis.yml file I've created:

language: java
install: skip

  - export APPNAME=$(basename $TRAVIS_BUILD_DIR)
  - export BRANCH=$(if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then echo $TRAVIS_BRANCH; else echo $TRAVIS_PULL_REQUEST_BRANCH; fi)
  - echo "Fetching Kiuwan Local Analyzer"
  - wget -v
  - unzip -d $HOME/.
  - $HOME/KiuwanLocalAnalyzer/bin/ --user $kiuwan_user --pass $kiuwan_password -s $TRAVIS_BUILD_DIR -n $APPNAME -l $TRAVIS_BUILD_ID -c

This then sends this to Kiuwan, and from there I can access more insights about my project. In this project in particular I made this have a few vulnerabilities so Kiuwan would catch them. I also used environment variables from my account I registered from the Jelly service.

Bash Script

Michal Rybinski and I earlier in this day had a conversation about theoretical ways in this could work, where all attempts (at least on GitHub) have failed, so what I did was make a pretty standard .travis.yml make it declarative, I'm now working on a bash script where you can just run the following:

chmod u+x

We are changing the permission using chmod then running which takes all the steps I set the .travis.yml to do, and put that under the Travis script hook.

Invokation of Kiuwan

This is the first time this has been done on GitHub to my knowledge, there was some questions on the conditionals when running the A successful call to Jelly should look like this in the Travis build log:

Screen Shot 2021-12-02 at 1 57 48 PM

You'll then notice output of the Local Analyzer working:

Discovery: STARTED
Technologies discovered: html,javascript
Technologies that will be analyzed: html,javascript
Discovery: FINISHED
Preprocess: STARTED
Preprocess: FINISHED
Model retrieval: STARTED
Model downloaded from Kiuwan
Model retrieval: FINISHED
License check: STARTED
License check: FINISHED
Prepare analysis data: STARTED
Supported technologies in current model: html,javascript
Prepare analysis data: FINISHED
Prepare source code files for upload: STARTED
Prepare source code files for upload: FINISHED

Remember you can select VM size as well - this will affect (in my case) how deep the scan will go, in this particular use case though I just used baseline. Kiuwan will calculate the heap size, and collect the bill of materials (TypeScript, other dependencies):

bill-of-materials format: 
excludes: **/src/test/**,**/__MACOSX/**,**/*.min.js,**/*.Designer.vb,**/*.designer.vb,**/*Reference.vb,**/*Service.vb,**/*Silverlight.vb,**/*.Designer.cs,**/*.designer.cs,**/*Reference.cs,**/*Service.cs,**/*Silverlight.cs,**/.*,**/Pods/BuildHeaders/**/*.h,**/Pods/Headers/**/*.h,**/node_modules/**,**/bower_components/**,**/target/**,**/bin/**,**/obj/**,**/dist/**,**/lib/**
VM version: 11.0.2
VM settings:
    Stack Size: 2.00M
    Min. Heap Size: 128.00M
    Max. Heap Size: 1.00G
    Using VM: OpenJDK 64-Bit Server VM

As you can see my min heap size is 120MB, and my max is 1000MB (or a gigabyte). It also gives me some cursory information about the VM. I'm wondering if there's a way to get more verbose information about that particular VM?


This is a working example/demo of Kiuwan and Travis CI working together, although there's moving parts and I had to make the project more declarative using TypeScript instead of something like vanilla JavaScript I still was able with reading the Travis CI PRD provided by Michal Rybinski & Stan, make a simple integration between Travis and Kiuwan.


