
Integrating Netsparker Enterprise with the Jenkins Plugin

Jenkins is an automation server that enables software developers to build automation into their projects by supplying plugins. Jenkins functionality can be extended by using our new Netsparker Enterprise Scan Jenkins plugin.

This topic explains how to install and configure the new Netsparker Enterprise Scan Jenkins Plugin with Jenkins Freestyle Projects to enable our advanced integration functionality so that you can launch automated scans and view reports of vulnerabilities in Jenkins. You can also use our plugin with Jenkins Pipeline Projects, by adding the plugin script to your pipeline which is generated by the Integration Script Generator in the Jenkins Integration window.

For further information, see What Systems Does Netsparker Integrate With?.

Downloading and Installing the Netsparker Enterprise Scan Jenkins Plugin

The plugin is packaged into an .hpi file called netsparker-cloud-scan.hpi. This package has been tested and approved for Jenkins version 2.33+.

There are two ways to install the plugin:

  • From the Plugin Manager in Jenkins
  • From Netsparker Enterprise

The first method is preferred, as it is simply easier to complete.

How to Install the Jenkins Plugin from the Plugin Manager
  1. Open Jenkins.
  2. From the main menu, click Manage Jenkins. The Manage Jenkins window is displayed.
  3. Click Manage Plugins. The Plugin Manager window is displayed.
  4. Click the Available tab.
  5. Update the Available plugins list by clicking Check Now.
  6. In the Filter box, enter 'netsparker'. From the filtered results, select the checkbox next to the Netsparker Enterprise Scan plugin and click Download now and install after restart.
  7. In order to use the plugin, restart Jenkins. To restart, from a browser, navigate to:
  • [jenkins_url]/safeRestart (restarts Jenkins after the current builds have completed)
  • [jenkins_url]/restart (forces a restart; running builds are not allowed to complete)

How to Download and Install the Jenkins Plugin from Netsparker Enterprise
  1. Log in to Netsparker Enterprise.
  2. From the main menu, click Integrations, then New Integrations.
  3. From the Continuous Integration Systems section, click Jenkins. The Jenkins Integration window is displayed.
  4. Click Download the plugin, and save the file to a location of your choice.
  5. Open Jenkins.
  6. From the main menu, click Manage Jenkins. The Manage Jenkins window is displayed.
  7. Click Manage Plugins. The Plugin Manager window is displayed.
  8. Click the Advanced tab.
  9. From the Upload Plugin section, click Choose File. The Open dialog box is displayed.
  10. Select the netsparker-cloud-scan.hpi file you downloaded previously, and click Open. The file is uploaded, and the focus of the window returns to the Advanced tab.
  11. In order to use the plugin, restart Jenkins. To restart, from a browser, navigate to:
  • [jenkins_url]/safeRestart (restarts Jenkins after the current builds have completed)
  • [jenkins_url]/restart (forces a restart; running builds are not allowed to complete)

Configuring the Jenkins Project

Each Jenkins project has its own build configuration. Each build configuration has its own build steps. The Netsparker Enterprise Scan must be added to a Jenkins project as a build step.

How to Configure the Jenkins Project
  1. Open Jenkins.
  2. From the main menu, click Manage Jenkins. The Manage Jenkins window is displayed.
  3. Click Configure System. The Configure System window is displayed.
  4. In the Netsparker Enterprise section, enter your Netsparker Enterprise Server URL and API Token, and click Test Connection to verify access to Netsparker Enterprise. Then, click Save.
  5. Navigate to the Jenkins Home page.
  6. Click the project to which you want to add the Netsparker Enterprise Scan build step. The Project window is displayed.
  7. From the menu, click Configure. The Configure window is displayed.
  8. Click the Build tab.
  9. From the Build section, click the Add build step dropdown, and select Netsparker Enterprise Scan. The Scan Settings panel is displayed.
  10. Complete the Scan Type, Website Deploy URL and Profile Name settings.
  11. Click Save.

Using Pipeline Script in the Pipeline Project

If you use Pipeline projects in Jenkins, use this method.

  1. Log in to Netsparker Enterprise.
  2. From the main menu, click Integrations, then New Integration.
  3. From the Continuous Integration Systems section, click Jenkins. The Jenkins Integration window is displayed.
  4. Click Use Integration Script.
  5. Select the Scan Type and Website.
  6. If a Scan Profile is needed, select it, then click Copy to clipboard in the Pipeline Script field.

If you select the Override API Token for Jenkins Pipeline Script checkbox, make sure you add 'NETSPARKERAPITOKEN' into the Jenkins Pipeline project as a parameter.

Here is a sample Pipeline Script with Override API Token selected:

node {
    step([$class: 'NCScanBuilder', ncApiToken: '$NETSPARKERAPITOKEN', ncScanType: 'FullWithPrimaryProfile', ncWebsiteId: 'ed9f04a4-d530-43b5-f837-a88f03f0b886'])
}

  7. Navigate to your Pipeline project settings in Jenkins and paste your script in the script area. The Server URL and API Token are taken from the global settings.

Here is some sample code, wrapping your script with 'node':

node {
    step([$class: 'NCScanBuilder', ncScanType: 'FullWithPrimaryProfile', ncWebsiteId: 'ed9f04a4-d530-43b5-f837-a88f03f0b886'])
}

Using Build Fail in Pipeline Project

For pipeline projects, you can configure the Jenkins build to fail when a vulnerability of a chosen severity is detected, and optionally stop the scan when the build fails.

This is configured using the ncSeverity and ncStopScan parameters.

  1. 'ncSeverity': With this option, you choose which severity will fail the Jenkins build when found in the related scan. If you choose "DoNotFail", detected vulnerabilities do not affect your Jenkins build. The options for ncSeverity are:
  • DoNotFail
  • Critical
  • Critical,High
  • Critical,High,Medium
  • Critical,High,Medium,Low
  2. 'ncStopScan': If you set this option to true and the Jenkins build fails because of the ncSeverity choice, the related Netsparker scan is cancelled. The options for ncStopScan are:
  • true
  • false
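The following scripted Pipeline combines the two parameters above with the Override API Token option. It is an added example, not a script produced by the Integration Script Generator; it assumes that ncSeverity and ncStopScan are passed in the same step map as the other NCScanBuilder parameters shown on this page, and that the job defines a NETSPARKERAPITOKEN parameter.

```groovy
// Added example, not generated by Netsparker's Integration Script Generator.
// Assumptions: ncSeverity and ncStopScan go in the same step map as the other
// NCScanBuilder parameters, and the Pipeline job has a NETSPARKERAPITOKEN
// parameter (Override API Token for Jenkins Pipeline Script was selected).
node {
    stage('Check scan prerequisites') {
        // Fail early with a clear message instead of sending an empty token.
        if (!params.NETSPARKERAPITOKEN) {
            error 'NETSPARKERAPITOKEN job parameter is not set'
        }
    }

    stage('Netsparker Enterprise scan') {
        step([
            $class:      'NCScanBuilder',
            ncApiToken:  '$NETSPARKERAPITOKEN',                   // expanded from the job parameter
            ncScanType:  'FullWithPrimaryProfile',
            ncWebsiteId: 'ed9f04a4-d530-43b5-f837-a88f03f0b886', // website ID reused from this page's sample
            ncSeverity:  'Critical,High',  // any Critical or High finding fails this build
            ncStopScan:  true              // and the Netsparker scan is cancelled when the build fails
        ])
    }
}
```

Choosing 'DoNotFail' for ncSeverity makes the scan purely informational: the build passes regardless of findings, and ncStopScan then has no effect.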

Viewing Netsparker Scan Results in Jenkins

When the build has been triggered, you can view the scan results in both Jenkins and Netsparker Enterprise.

For further information, see Scan Results Report.

How to View Netsparker Enterprise Reports in Jenkins
  1. Open Jenkins.
  2. From your project page, select a build from the Build History section. The Build Detail window is displayed.
  3. From the menu, click Netsparker Enterprise Report. The scan may take a while.
  4. When the scan has been completed, the scan results are displayed as illustrated.

Using Credentials

  1. Open Jenkins.
  2. From the main menu, click Credentials.
  3. Choose your configurations, then click Add Credentials.
  4. Complete the fields as follows:
  • Kind: Username with password
  • Username: https://www.netsparkercloud.com/ (Server URL)
  • Password: Netsparker Enterprise API Token
  • Description: This description is shown in the Credentials dropdown when configuring the job. Entering something meaningful here helps to distinguish this credential from the others there.

Configuring the Jenkins Plugin to Support Multiple Netsparker Enterprise Users and Creating Folder Admin Permissions

Role-Based Strategy authorization is used to give different users access to different folders.

This section follows closely the steps described in Cloudbees' Role-Based Authorization Strategy: Limit folder access article, explaining how to create folder-based admin roles. The end goal is that User1 will have access to Folder1 and User2 will have access to Folder2. Each user will be able to access only their projects in their folders using Netsparker Enterprise tokens.

  • The Netsparker Enterprise Jenkins Plugin handles the installation of the required plugins, so no extra steps are needed there.
  • Here is an example to show how user access can be restricted to specific jobs at both the folder and subfolder level.
  • We created a main folder (Folder1) that contains two different subfolders Folder1/FolderA and Folder1/FolderB.
  • We also created two Freestyle projects, 'job1' and 'job2' in the folders Folder1/FolderA/job1 and Folder1/FolderB/job2 respectively.
  • The main folder name is 'Folder1'.
  • The sub-folder names are 'Folder1/FolderA' and 'Folder1/FolderB'.

After completing the configuration steps, it is good practice to ensure that users have the correct access to the correct folders as described above.

This table lists the role settings used in this example.

  User                  Role            Pattern
  admin                 admin
  Folder1               Folder1View     Folder1
  Folder1_FolderA_user  Folder1FolderA  Folder1/FolderA.*
  Folder1_FolderB_user  Folder1FolderB  Folder1/FolderB.*

There are three steps involved in completing the configuration:

  • Configuring Authorization and Managing Roles
  • Assigning Roles
  • Creating Credentials for Users

Configuring Authorization and Managing Roles

First, you need to configure authorization and roles in Jenkins.

How to Configure Authorization and Manage Roles
  1. Open Jenkins.
  2. Navigate to Configure Global Security.
  3. From Authorization Strategy, select Role-Based Strategy. Click Save.
  4. Navigate to Manage Jenkins, then Manage and Assign Roles. Click Manage Roles.
  5. Create the roles you need, and save them.

Assigning Roles

Next, you need to assign the correct roles in Jenkins.

How to Assign Roles in Jenkins
  1. To assign roles, navigate to Manage Jenkins, then Manage and Assign Roles, then Assign Roles.
  2. Set the roles as follows:
  • Global roles:
    • Folder1_user should have GlobalRead
    • Folder1FolderA_user should have GlobalRead
    • Folder1FolderB_user should have GlobalRead
  • Item roles:
    • Folder1_user should have Folder1
    • Folder1FolderA_user should have Folder1FolderA
    • Folder1FolderB_user should have Folder1FolderB

Creating Credentials for User1 and User2

Finally, you need to create credentials for each user.

How to Create Credentials for Users
  1. Open Jenkins.
  2. Navigate to Jenkins > Folder1 > FolderA.
  3. From the main menu, click Credentials.
  4. In the Credentials section, click Folder1 > FolderA.
  5. Click Global credentials (unrestricted), then Add Credentials.
  6. Complete the following fields:
  • Kind: Username with password
  • Username: https://www.netsparkercloud.com (Server URL)
  • Password: User1's Netsparker Enterprise API Token
  • Description: This description is shown in the Credentials dropdown when configuring the job. Entering something meaningful here helps to distinguish this credential from the others there.
  7. Click OK.
  8. Navigate to Jenkins > Folder1 > FolderB and repeat the steps for User2.

Configuring the Jenkins Plugin to Build Fail

The Jenkins plugin build step offers two options:

  • Fail the build if scan contains: With this option, you choose which severity will fail the Jenkins build. If you choose "Do not fail the build", detected vulnerabilities do not affect your Jenkins build.
  • Stop the scan when build fails: With this option, if the build fails because of your selection, the scan is cancelled.
