Vulnerability Management Rust repositories with cifiro and Jenkins

Summary

This guide uses our open-source tool cifiro together with our API to search
for vulnerabilities in the programming libraries a project imports.
With the help of Jenkins we can easily integrate the power of our open (free) API
into the development workflow.

Jenkins

Jenkins Vulnerability Management with firo
  • Step one

Head on over to watchers.firosolutions.com sign up and go to profile and grab your API key.

  • Step two

Head on over to your instance of Jenkins and log in to the web interface.
Once logged in, install the Text Finder plugin, which makes it easy to
tell Jenkins to stop the build once a nasty dependency is found:
Manage Jenkins > Manage plugins > Available > Text Finder plugin

Jenkins Text Finder plugin
  • Step three

Now when that is done, let's add a new project: New project > Freestyle project

Jenkins FreeStyle Project

Specify which repository you want to use.

  • Step four
Jenkins execute shell

For the configuration part we want to add:

Build > execute shell

export PATH="$HOME/.cargo/bin:$PATH"
wget https://raw.githubusercontent.com/firosolutions/cifiro/master/cifiro.py
# capture stdout and stderr into the file; Jenkins runs this step with /bin/sh, where the bash-only "&>" would background the command and leave the file empty
python3.6 cifiro.py apikey=myapikeyhere > out.meh 2>&1
cat out.meh
cargo +nightly build --release

Note: in this example we build a test project with the unstable (+nightly) toolchain; remove +nightly unless you actually build with nightly.

First we extend PATH so we can call cargo from the regular shell.
Then we fetch the cifiro script.
We execute cifiro.py with python3.6 and our API key, write the result
to a text file, and then cat it to view it.
And then a regular cargo build.

  • Step five

Let's tell the Text Finder plugin to search through the result.

Add a Post-build Action and select Jenkins Text Finder.

Jenkins Post-build Actions Text Finder
Files:  out.meh
[X] Also search the console output
Regular expression: "description":\s"
[ ] Succeed if found
[X] Unstable if found
[X] Not build if found
  • Final step

Done!

Give yourself a pat on the shoulder!
If it finds a security vulnerability in one of your libraries, it will fail the build.
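The build step and the Text Finder check above, combined into one POSIX-sh script as an added example (this is not code from the original post or from the cifiro project). It captures the scanner output portably, applies the same regex the post configures in Text Finder, and returns a non-zero status so the build fails even if the plugin is missing; the scanner command and the sample output line are constructed stand-ins.

```shell
#!/bin/sh
# Added example, not part of the original post or of cifiro.
# Jenkins runs "Execute shell" with /bin/sh -xe unless a shebang says otherwise,
# so everything here is plain POSIX sh.
set -u

# Same pattern the post configures in Text Finder ("description":\s"),
# written with a POSIX character class instead of the GNU-only \s.
FINDING_REGEX='"description":[[:space:]]"'

# Run a command and capture stdout AND stderr into a file.
# `cmd &> file` is bash-only: under /bin/sh it backgrounds cmd and leaves
# an empty file, so a later check would silently pass.
run_scan() {
    out_file="$1"; shift
    "$@" > "$out_file" 2>&1
}

# Return 0 (true) if the captured output contains a finding, 1 otherwise.
scan_has_findings() {
    grep -Eq "$FINDING_REGEX" "$1"
}

# Exit status for the build step: non-zero when findings exist, so Jenkins
# marks the build failed without relying on the Text Finder post-build action.
build_status() {
    if scan_has_findings "$1"; then
        echo "scanner reported at least one vulnerable dependency:" >&2
        grep -E "$FINDING_REGEX" "$1" >&2
        return 1
    fi
    return 0
}

# Dry run on a constructed sample line (not real cifiro output). In the real
# step, replace the printf with: python3.6 cifiro.py apikey=myapikeyhere
demo() {
    tmp=$(mktemp)
    run_scan "$tmp" printf '%s\n' \
        '{"package": "example-crate", "description": "constructed sample finding"}'
    if build_status "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

demo
```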

Jenkins failed build

And if it doesn't find anything, the build succeeds:

Jenkins successful build

Extra notes: This can also be done with Node JS libraries.
Some people claim that it does not work without outputting to a file, but if you have the latest version of Jenkins it should be enough just to tick the box for "Also search the console output".

For more ideas, head over to our API documentation.