
Plugin Information

View Contrast Continuous Application Security on the plugin site for more information.

About

This plugin verifies vulnerability conditions by checking the vulnerabilities found in a build against configured filters (threshold conditions). It also graphs the history of vulnerabilities detected in each project's builds.

The plugin supports both a post-build action and a step in the Pipeline build process.

Use the Plugin

You can view the plugin code in Jenkins' GitHub repository. In the Jenkins dashboard, go to Manage Jenkins in the left sidebar and select the Configure System page; you will find a new Contrast TeamServer profiles section there.

Contrast API Settings

Contrast API settings enable the plugin to connect to Contrast and query for results. The plugin uses these settings to authenticate to Contrast and make API calls in post-build actions. In addition to the parameters below, you need a unique profile name to identify your configuration so that you can select it in a specific job.

Parameters (the version in parentheses is the plugin release that introduced the parameter, where applicable):

  • Contrast Username: Username/email for your account in Contrast.
  • Contrast API Key: Log in to your TeamServer account and go to Your Account. Look under YOUR KEYS.
  • Contrast Service Key: Log in to your TeamServer account and go to Your Account. Look under YOUR KEYS.
  • Contrast URL: API URL of your Contrast instance. Use https://app.contrastsecurity.com/Contrast/api if you're a SaaS customer; all others use the URL of your Contrast UI (e.g., https://contrastserver/Contrast/api).
  • Organization UUID: Organization UUID of the configured user, found in Organization Settings.
  • ignoreContrastFindings (since 2.3): Jenkins boolean build parameter. If set to true, builds are not failed when Vulnerability Threshold Conditions are not met.
  • Result of a vulnerable build (since 2.3): Contrast TeamServer profile configuration parameter that lets you choose the result of a build that does not meet the Vulnerability Threshold Conditions.

Test the connection

When you add a Contrast profile, use the validation button to test your connection and make sure that all the fields are accurate. Contrast confirms a successful test or shows an error message if the test fails.

Threshold conditions in a post-build action

  • Select a profile from the dropdown.
  • Add a count. The count is exclusive: if you set a count of five, the build fails on six or more vulnerabilities. This field is required.
  • Add a severity (Note, Low, Medium, High, or Critical). The plugin filters the API call to vulnerabilities with a severity greater than or equal to this value.
  • Add a vulnerability type (rule name). If you specify a single rule to filter on, the plugin counts the vulnerabilities of that rule type and compares the result to the count.

Severity and vulnerability type aren't required, but they are suggested to narrow down your results.

You can add as many rules as you like. The plugin fails on the first bad condition and tells you on which condition it failed.

Note

Even if your build otherwise succeeds, the plugin fails the overall build if the check finds a bad condition.
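To make the threshold semantics described above concrete (exclusive count, severity matched at or above the chosen level, optional rule filter, first failing condition reported), here is a stand-alone Groovy model of that evaluation. It is an added example written for this page, not the plugin's own code: the finding field names rule and severity, the rule identifiers, and the build identifiers are constructed sample values; appVersionTags is the attribute the page names as the one the plugin filters on.

```groovy
// Added example: a stand-alone model of the threshold evaluation this page describes.
// Not the plugin's code; field names other than appVersionTags are assumptions.
class ThresholdModel {
    // Severity order from the page, lowest to highest. A condition with a severity
    // matches findings at that severity or above.
    static final List<String> SEVERITIES = ['Note', 'Low', 'Medium', 'High', 'Critical']

    // Evaluate one condition against the findings tagged with this build's identifier.
    // The count is exclusive: a count of 5 fails only on 6 or more matching findings.
    static Map evaluate(List<Map> findings, String buildId, Map condition) {
        int minRank = condition.severity ? SEVERITIES.indexOf(condition.severity) : 0
        List<Map> matched = findings.findAll { Map f ->
            buildId in f.appVersionTags &&
            SEVERITIES.indexOf(f.severity) >= minRank &&
            (condition.rule == null || f.rule == condition.rule)
        }
        [condition: condition, matched: matched.size(), failed: matched.size() > condition.count]
    }

    // Conditions are checked in order; the first one that fails decides the result
    // and is the one reported.
    static Map firstFailure(List<Map> findings, String buildId, List<Map> conditions) {
        conditions.collect { evaluate(findings, buildId, it) }.find { it.failed }
    }
}

// Constructed sample findings for two builds (41 and 42) of a job named "webapp".
List<Map> findings = [
    [rule: 'xss',                   severity: 'High',     appVersionTags: ['webapp-41']],
    [rule: 'xss',                   severity: 'Medium',   appVersionTags: ['webapp-42']],
    [rule: 'sql-injection',         severity: 'Critical', appVersionTags: ['webapp-42']],
    [rule: 'cache-controls-missing', severity: 'Note',    appVersionTags: ['webapp-42']],
]

// Two conditions, as they would be listed in the post-build action.
List<Map> conditions = [
    [count: 0, severity: 'Critical'],            // any Critical finding fails the build
    [count: 5, severity: 'Medium', rule: 'xss'], // more than five Medium-or-higher XSS findings fail it
]

Map failure = ThresholdModel.firstFailure(findings, 'webapp-42', conditions)
if (failure) {
    println "Build webapp-42 failed on condition ${failure.condition}: " +
            "${failure.matched} finding(s) exceed count ${failure.condition.count}"
} else {
    println "Build webapp-42 passed all ${conditions.size()} threshold conditions"
}
```

Only findings tagged with the current build's identifier are counted, which is why the agent property described under "Test for Vulnerabilities" has to match exactly: a finding tagged webapp-41 is ignored when build 42 is checked.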

Threshold conditions in a Pipeline step

When you add a Pipeline step named contrastVerification, it follows the same principles as the post-build action, in the Pipeline format introduced with Jenkins 2.0.

Pipeline configuration:

contrastVerification profile: 'Localhost', count: 10, rule: 'xss', severity: 'High'

Test for Vulnerabilities

For the Jenkins plugin to get accurate information, you must pass a unique identifier built from the Jenkins CI configuration to the agent as a property. The corresponding property for the Java agent is contrast.override.appversion; for example, when starting an application with the Contrast Java agent, add "-Dcontrast.override.appversion=${version}". The job name must also match your application name, or you must override the application name with another property so that Contrast tests the correct application; for example, add "-Dcontrast.appname=${applicationName}" when starting the Contrast agent.

The plugin uses the unique identifier ${JOB_NAME}-${BUILD_NUMBER} to filter vulnerabilities by the "appVersionTags" vulnerability attribute. JOB_NAME and BUILD_NUMBER are available as Jenkins environment variables.
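The following Jenkinsfile ties the pieces above together: it starts the application under the Contrast Java agent with the appversion override set to the same ${JOB_NAME}-${BUILD_NUMBER} identifier the plugin filters on, exposes the ignoreContrastFindings build parameter, and gates the build with several contrastVerification conditions. It is an added example written for this page, not the plugin's own documentation or code. It assumes a Contrast profile named 'Localhost' exists under Configure System, a Java application packaged as target/app.jar, the agent jar at /opt/contrast/contrast.jar, and a Maven profile integration-tests that exercises the running application; all of these paths and names are constructed.

```groovy
// Added example Jenkinsfile, not taken from the plugin's documentation.
// Constructed assumptions: profile 'Localhost', target/app.jar, /opt/contrast/contrast.jar,
// and a Maven profile 'integration-tests'.
pipeline {
    agent any

    parameters {
        // Read by the plugin (since 2.3): when true, unmet threshold conditions are
        // reported but do not fail the build.
        booleanParam(name: 'ignoreContrastFindings', defaultValue: false,
                     description: 'Report Contrast threshold failures without failing the build')
    }

    environment {
        // The identifier the plugin filters on. It must match the agent's
        // contrast.override.appversion value byte for byte.
        CONTRAST_APP_VERSION = "${env.JOB_NAME}-${env.BUILD_NUMBER}"
    }

    stages {
        stage('Build') {
            steps {
                sh 'mvn -B -DskipTests package'
            }
        }

        stage('Test under Contrast agent') {
            steps {
                // Start the application with the agent attached so every finding is tagged
                // with this build's identifier and attributed to an application named after
                // the Jenkins job. Both values are read from the shell environment.
                sh '''
                    java -javaagent:/opt/contrast/contrast.jar \
                         -Dcontrast.override.appversion=${CONTRAST_APP_VERSION} \
                         -Dcontrast.appname=${JOB_NAME} \
                         -jar target/app.jar &
                    echo $! > app.pid
                '''
                // Exercise the application so the agent can observe it (constructed command).
                sh 'mvn -B verify -Pintegration-tests'
            }
            post {
                always {
                    // Stop the instrumented application whether or not the tests passed.
                    sh 'kill $(cat app.pid) || true'
                }
            }
        }

        stage('Contrast gate') {
            steps {
                // Evaluated in order; the build fails on the first unmet condition.
                // count is exclusive, so count: 0 fails on a single matching finding.
                contrastVerification profile: 'Localhost', count: 0, severity: 'Critical'
                contrastVerification profile: 'Localhost', count: 0, rule: 'xss'
                contrastVerification profile: 'Localhost', count: 10, severity: 'High'
            }
        }
    }
}
```

One check worth doing before relying on the gate: confirm in Contrast that findings from a run carry the exact value of CONTRAST_APP_VERSION in appVersionTags. If the job name contains characters that the shell or the agent treats specially, the tag will not match the plugin's ${JOB_NAME}-${BUILD_NUMBER} identifier, and the gate will see zero findings and pass silently.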
