This project is designed to project a simple wrapper around the existing SourceClear command line in order to provide the ability to parse the results and output a configurable JUnit pass/fail test. This can then be used as part of a pipeline in order to verify source repositories and final deliverables.
- glide:
brew install glide
on macOS, check here for installation instructions on other platforms - srcclr:
- Linux: SourceClear should be installed via its rpm (it should check for that). The yum repo for that is:
[SourceClear]
name=SourceClear
baseurl=https://download.sourceclear.com/redhat/noarch/
enabled=1
gpgcheck=1
gpgkey=https://download.sourceclear.com/redhat/SRCCLR-GPG-KEY
- macOS: with homebrew -
brew install srcclr
Currently this project will build a jar-with-dependencies although this is primarily aimed at local testing only. It provides a simplified interface to SourceClear e.g.
Usage: SrcClrWrapper [-dehV] [--email-address=<emailAddress>]
[--email-server=<emailServer>] [-c=<product>]
[--processor=<processor>] [-t=<threshold>] [COMMAND]
Wrap SourceClear and invoke it.
--email-address=<emailAddress>[,<emailAddress>...]
Comma separated list of email addresses to notify. Domain portion of
first will be used as FROM address
--email-server=<emailServer>
SMTP Server to use to send notification email
-p, --product=<product> Product Name
-v, --product-version=<version> Version of the product
--memory Memory allocation for the forked process. If not set will default to the current VM size.
--package=<subpackage> CPE Subpackage Name
--trace Enables trace logging from SourceClear. Disables JSON output.
--log Directory path to output log file containing results. Defaults to 'target'. Set to empty to disable.
--json Directory path to output processed JSON as a file. Defaults to 'target'. Set to empty to disable.
-d, --debug Enable debug.
-e, --exception Throw exception on vulnerabilities found.
-h, --help Show this help message and exit.
--processor=<processor>
Processor to use to analyse SourceClear results. Default is
'cvss'
--profile=<profile> Profile for VeraCode scanning. Defaults to empty
(default profile).
-t, --threshold=<threshold>
Threshold on which exception is thrown. Only used with CVSS
Processor
-V Print version information and exit.
Usage: SrcClrWrapper scm [-dehV] [--ref=REF] --url=URL [-t=<threshold>]
Scan a SCM URL
--ref=REF the SCM reference (e.g. git sha, tag)
--url=URL the SCM url
-d, --debug Enable debug.
-e, --exception Throw exception on vulnerabilities found.
-h, --help Show this help message and exit.
-t, --threshold=<threshold>
Threshold on which exception is thrown.
-V Print version information and exit.
--maven-param Extra Maven parameters
Note : for the SCM --url
parameter both .
and file://
URLs are supported to scan the local filesystem.
Usage: SrcClrWrapper binary [-dehV] --name=NAME --url=URL
[-t=<threshold>]
Scan a remote binary
--url=URL the remote file url
-d, --debug Enable debug.
-e, --exception Throw exception on vulnerabilities found.
-h, --help Show this help message and exit.
-t, --threshold=<threshold>
Threshold on which exception is thrown.
-V Print version information and exit.
Its main use is to be ran inside Jenkins as a JUnit test suite e.g.
mvn -Dmaven.buildNumber.skip=true -Pjenkins clean test '-DargLine=-Dsourceclear="--product-version=1.0.0 -p=koji-build-finder scm --url=https://github.com/release-engineering/koji-build-finder.git --ref=koji-build-finder-1.0.0"'
- It supports reading a configuration from the command or from
$HOME/.srcclr/invoker.properties
. - It can send a notification email to a specified email address with a summary of any problems found.
- It can examine either the CVSS score returned from SourceClear or examine the CVE identifier and then query the results using the CPE (product name) against the Red Hat Security Data API ( https://access.redhat.com/labs/securitydataapi/ )
- Sample Jenkins jobs are provided in the
jenkins
directory.
Currently the code requires the product name and version to be passed in. It will assemble a CPE from that information. While we did consider using the CPE parser library but due to the fact we are not currently parsing or comparing CPEs the extra library isn't required.