Scanning Tools
Ruby Gems
A few of the scanning tools used by Codeburner are installed automatically as gem dependencies of pipeline. Those tools are:
The rest of the tools need to be installed manually...
NodeSecurityProject
NodeSecurityProject is distributed as a node package. You'll need npm available to install it. Once you have npm, you can install NodeSecurityProject with:
npm install -g nsp
Make sure that the installed 'nsp' command is in the $PATH for Codeburner.
Retire.js
Retire.js is another node package. It can be installed just like nsp:
npm install -g retire
Make sure that the installed 'retire' command is in the $PATH for Codeburner.
FindSecurityBugs
Java
The find-sec-bugs CLI requires a working installation of Java, and the compilation step from pipeline to generate bytecode requires maven. Please make sure that both the 'mvn' and 'java' commands are available in the $PATH for Codeburner.
Install
You can download the latest release of findsecbugs-cli here: https://github.com/find-sec-bugs/find-sec-bugs/releases/latest
Once you've unpacked the release tarball, set the variable 'findsecbugs_path' to the location you unpacked it in config/app.yml:
findsecbugs_path: /path/to/findsecbugs/install
Note
Due to the requirement of having compiled bytecode available, pipeline currently supports scanning via find-sec-bugs only on maven projects with a valid pom.xml.
PMD
Java
As with FindSecurityBugs, PMD requires a working installation of Java and the 'java' command available in the Codeburner $PATH. Unlike FindSecurityBugs, PMD doesn't require compiled bytecode, so it should work on almost any Java project.
Install
PMD can be downloaded here: https://github.com/pmd/pmd/releases/latest
Once you've unpacked the release tarball, set the variable 'pmd_path' to the location you unpacked it in config/app.yml:
pmd_path: /path/to/pmd/install
Checkmarx
Checkmarx is a commercial static analysis tool. Since it requires a commercial license, the tasks for Checkmarx are not enabled by default in Codeburner. If you'd like to use Checkmarx with Codeburner, in addition to a commercial license, you'll need to download the CLI plugin here: https://www.checkmarx.com/plugins/.
Make sure the command 'runCxConsole.sh' from that download is in the $PATH available to Codeburner, and then set the checkmarx_* variables in config/app.yml:
checkmarx_server: my_checkmarx_server
checkmarx_user: my_checkmarx_user
checkmarx_password: my_checkmarx_password
checkmarx_log: my_checkmarx_logfile
Also, add '- Checkmarx' to the list of tasks under pipeline_options/tasks_for/:
tasks_for:
  Ruby:
    - BundleAudit
    - Brakeman
    - Dawnscanner
    - Checkmarx
  JavaScript:
    - RetireJS
    - NodeSecurityProject
    - Checkmarx
  CoffeeScript:
    - RetireJS
    - NodeSecurityProject
  Java:
    - PMD
    - FindSecurityBugs
    - Checkmarx
Since Checkmarx supports a few languages not covered by the default open source tools, you can add those languages (using the names reported by the GitHub API) to this list with a '- Checkmarx' item, and they will be scanned with Checkmarx as well.
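The sections above spread the prerequisites for each scanner across several places: commands that must be in Codeburner's $PATH, install paths and checkmarx_* values in config/app.yml, and the tasks_for lists that decide which scanners actually run. The following preflight script is an added example (not part of Codeburner) that reads a config/app.yml hash and reports every enabled task whose prerequisites are missing; it assumes the *_path and checkmarx_* keys are top-level and uses a constructed sample config.

```ruby
require 'yaml'
# Per-task prerequisites as documented above: commands that must be in Codeburner's $PATH
# and keys that must be set in config/app.yml (this mapping is the example's own assumption).
TASK_REQUIREMENTS = {
  'NodeSecurityProject' => { commands: %w[nsp],      keys: [] },
  'RetireJS'            => { commands: %w[retire],   keys: [] },
  'FindSecurityBugs'    => { commands: %w[java mvn], keys: %w[findsecbugs_path] },
  'PMD'                 => { commands: %w[java],     keys: %w[pmd_path] },
  'Checkmarx'           => { commands: %w[runCxConsole.sh],
                             keys: %w[checkmarx_server checkmarx_user checkmarx_password checkmarx_log] }
}.freeze

# True if `cmd` is an executable file in one of the directories listed in `path`.
def command_on_path?(cmd, path = ENV.fetch('PATH', ''))
  path.split(File::PATH_SEPARATOR).any? { |dir| File.executable?(File.join(dir, cmd)) }
end

# Checks a parsed config/app.yml hash; returns a list of problems (empty means ready to scan).
# Assumes the *_path and checkmarx_* keys are top-level and task lists live under
# pipeline_options/tasks_for. `on_path`/`dir_exists` are injectable for testing against a fake host.
def preflight(config, on_path: method(:command_on_path?), dir_exists: File.method(:directory?))
  problems = []
  tasks_for = config.fetch('pipeline_options', {}).fetch('tasks_for', {})
  tasks_for.values.flatten.uniq.each do |task|
    req = TASK_REQUIREMENTS[task]
    next unless req # BundleAudit, Brakeman and Dawnscanner ship as gems: nothing to verify
    req[:commands].each { |c| problems << "#{task}: '#{c}' not found in $PATH" unless on_path.call(c) }
    req[:keys].each do |k|
      problems << "#{task}: '#{k}' is not set in config/app.yml" if config[k].to_s.empty?
    end
  end
  # A configured install path must point at the unpacked release directory.
  %w[findsecbugs_path pmd_path].each do |k|
    next if config[k].to_s.empty? || dir_exists.call(config[k])
    problems << "'#{k}' (#{config[k]}) is not a directory"
  end
  problems
end

# Constructed sample config (not a real deployment): Checkmarx enabled but only half configured.
SAMPLE_CONFIG = YAML.safe_load(<<~YML)
  findsecbugs_path: /opt/findsecbugs
  pmd_path: /opt/pmd
  checkmarx_server: cx.example.internal
  checkmarx_user: cxuser
  pipeline_options:
    tasks_for:
      Ruby: [BundleAudit, Brakeman, Dawnscanner, Checkmarx]
      Java: [PMD, FindSecurityBugs, Checkmarx]
YML
```

Run `preflight(YAML.safe_load(File.read('config/app.yml')))` on the Codeburner host before enabling a scanner in tasks_for; a task with a missing command or key fails silently at scan time otherwise.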