Scanning Tools

Ruby Gems

A few of the scanning tools used by Codeburner are installed automatically as gem dependencies of pipeline. Those tools are:

The rest of the tools need to be installed manually...


NodeSecurityProject

NodeSecurityProject is distributed as a node package. You'll need npm available to install it. Once you have npm, you can install NodeSecurityProject with:

npm install -g nsp

Make sure that the installed 'nsp' command is in the $PATH for Codeburner.


Retire.js

Retire.js is another node package. It can be installed just like nsp:

npm install -g retire

Make sure that the installed 'retire' command is in the $PATH for Codeburner.


FindSecurityBugs

Java

The find-sec-bugs CLI requires a working installation of Java, and the compilation step pipeline runs to generate bytecode requires Maven. Please make sure that both the 'mvn' and 'java' commands are available in the $PATH for Codeburner.

Install

You can download the latest release of findsecbugs-cli here: https://github.com/find-sec-bugs/find-sec-bugs/releases/latest

Once you've unpacked the release tarball, set the variable 'findsecbugs_path' in config/app.yml to the location you unpacked it to:

findsecbugs_path: /path/to/findsecbugs/install

Note

Because find-sec-bugs needs compiled bytecode to analyse, pipeline currently supports scanning with it only on Maven projects that have a valid pom.xml.


PMD

Java

As with FindSecurityBugs, PMD requires a working installation of Java and the 'java' command available in the Codeburner $PATH. Unlike FindSecurityBugs, PMD doesn't require compiled bytecode, so it should work on almost any Java project.

Install

PMD can be downloaded here: https://github.com/pmd/pmd/releases/latest

Once you've unpacked the release tarball, set the variable 'pmd_path' in config/app.yml to the location you unpacked it to:

pmd_path: /path/to/pmd/install

Checkmarx

Checkmarx is a commercial static analysis tool. Since it requires a commercial license, the tasks for Checkmarx are not enabled by default in Codeburner. If you'd like to use Checkmarx with Codeburner, in addition to a commercial license, you'll need to download the CLI plugin here: https://www.checkmarx.com/plugins/.

Make sure the command 'runCxConsole.sh' from that download is in the $PATH available to Codeburner, and then set the checkmarx_* variables in config/app.yml:

checkmarx_server: my_checkmarx_server
checkmarx_user: my_checkmarx_user
checkmarx_password: my_checkmarx_password
checkmarx_log: my_checkmarx_logfile

Also, add '- Checkmarx' to the list of tasks under pipeline_options/tasks_for/ in config/app.yml:

  tasks_for:
    Ruby:
      - BundleAudit
      - Brakeman
      - Dawnscanner
      - Checkmarx
    JavaScript:
      - RetireJS
      - NodeSecurityProject
      - Checkmarx
    CoffeeScript:
      - RetireJS
      - NodeSecurityProject
    Java:
      - PMD
      - FindSecurityBugs
      - Checkmarx

Since Checkmarx supports a few languages not covered by the default open source tools, you can add those languages (named as the GitHub API reports them) to this list with a '- Checkmarx' item, and they should then be scanned with Checkmarx as well.
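The sections above all come down to the same two checks: the command a task needs must be on the $PATH Codeburner sees, and the config/app.yml keys it needs must be set (and, for findsecbugs_path and pmd_path, point at a real directory). The script below is an added example, not part of Codeburner or pipeline, that reads the tasks_for list from a config and reports what is missing per enabled task before the first scan is queued. The TASK_REQUIREMENTS mapping is assembled from this page; the function names and the embedded sample config are constructed for the example.

```ruby
require 'yaml'

# What each task named under pipeline_options/tasks_for needs, as described on
# this page. The table itself is an assumption of this example, not something
# Codeburner or pipeline exposes. BundleAudit, Brakeman and Dawnscanner arrive as
# gem dependencies of pipeline and need nothing from $PATH, so they are absent.
TASK_REQUIREMENTS = {
  'RetireJS'            => { commands: ['retire'] },
  'NodeSecurityProject' => { commands: ['nsp'] },
  'PMD'                 => { commands: ['java'], dirs: ['pmd_path'] },
  'FindSecurityBugs'    => { commands: ['java', 'mvn'], dirs: ['findsecbugs_path'] },
  'Checkmarx'           => { commands: ['runCxConsole.sh'],
                             settings: %w[checkmarx_server checkmarx_user
                                          checkmarx_password checkmarx_log] }
}.freeze

# True when an executable file named `cmd` exists in one of `path_dirs`.
def command_on_path?(cmd, path_dirs)
  path_dirs.any? { |dir| File.executable?(File.join(dir, cmd)) }
end

# Returns { task_name => [problem, ...] } for every enabled task that is missing
# a prerequisite; an empty hash means every configured task can run.
# `path_dirs` defaults to the $PATH of the current process, i.e. what Codeburner
# inherits if it is started from this shell.
def preflight(config, path_dirs: ENV.fetch('PATH', '').split(File::PATH_SEPARATOR))
  tasks = config.dig('pipeline_options', 'tasks_for') || {}
  problems = Hash.new { |h, k| h[k] = [] }

  tasks.values.flatten.uniq.each do |task|
    reqs = TASK_REQUIREMENTS[task]
    next unless reqs # gem-installed or unknown task: nothing to check here

    reqs.fetch(:commands, []).each do |cmd|
      next if command_on_path?(cmd, path_dirs)
      problems[task] << "command '#{cmd}' not found on PATH"
    end
    reqs.fetch(:dirs, []).each do |key|
      dir = config[key].to_s
      if dir.empty?
        problems[task] << "#{key} is not set in config/app.yml"
      elsif !File.directory?(dir)
        problems[task] << "#{key} points at '#{dir}', which is not a directory"
      end
    end
    reqs.fetch(:settings, []).each do |key|
      problems[task] << "#{key} is not set in config/app.yml" if config[key].to_s.empty?
    end
  end
  problems
end

# Constructed sample of the relevant parts of config/app.yml; checkmarx_log is
# deliberately left out so the report has something to say.
SAMPLE_APP_YML = <<~YAML
  findsecbugs_path: /opt/findsecbugs
  pmd_path: /opt/pmd
  checkmarx_server: my_checkmarx_server
  checkmarx_user: my_checkmarx_user
  checkmarx_password: my_checkmarx_password
  pipeline_options:
    tasks_for:
      Ruby:
        - BundleAudit
        - Brakeman
      JavaScript:
        - RetireJS
        - NodeSecurityProject
      Java:
        - PMD
        - FindSecurityBugs
        - Checkmarx
YAML

if __FILE__ == $PROGRAM_NAME
  # For the real installation use YAML.load_file('config/app.yml') instead.
  report = preflight(YAML.safe_load(SAMPLE_APP_YML))
  if report.empty?
    puts 'all scanning tools for the configured tasks are available'
  else
    report.each { |task, list| list.each { |problem| puts "#{task}: #{problem}" } }
  end
end
```

Run it from the same environment (same user, same shell profile) that starts Codeburner, otherwise the $PATH it checks is not the one the scans will get.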