Containerizing Find Security Bugs Security Tool

Introduction

FindSecBugs is used for static code analysis. It can be integrated as an IDE plugin, or its Maven plugin can be added to the pom.xml file of a project's source code. Here, a containerized FindSecBugs security scanner is created, so that a user only has to supply a zip file or the GitHub URL of a project's source code. The container then scans the source code and provides access to the generated report through an API.

Note: This container is designed to be managed by the Automation Manager API. Therefore, the “user” of this container is the Automation Manager API.

Docker Image

The containerized FindSecBugs scanner exposes a micro service API to outside applications. A scan is initiated by calling the API with the GitHub URL or a zip file of the project source code. The dependencies required by the Docker image are therefore as follows.

  1. The base image should be Ubuntu, since some Linux commands need to be executed
  2. The jar file of the micro service (executed to start the micro service) is taken from a GitHub repository, so a git clone is needed; hence Git must be installed in the image
  3. Maven is required to execute the jar file; therefore a JDK and Maven must be installed in the image
  4. Maven is downloaded with wget, so wget is required
  5. The JDK is downloaded as an archive file, so unzip is required

Let’s get into more detail.

The Dockerfile of the Static Scanner has the following specifications:

  • Base image: Ubuntu 16.04
  • Install wget, git and unzip
  • Download and install Apache Maven 3.3.9
  • Download JDK 1.8 (accepting the license), install it, and configure symbolic links for the java and javac executables
  • Clone the Micro Service App — Static Scanner — FSB jar file from GitHub
  • Change the working directory to the cloned repository
  • Define the container startup command to execute the jar file

Building the Dockerfile creates a Docker image with the following features:

  • An Ubuntu 16.04 environment with wget, git, unzip, Java and Maven installed
  • The Micro Service App — Static Scanner — FSB jar file, cloned from GitHub

Running the Docker image with a port mapping creates a Docker container with the following features:

  • When the container starts up, the Micro Service App — Static Scanner — FSB jar file is executed and hosted on a predefined port. (The port can also be set manually when the container is run.)
  • Micro Service App — Static Scanner — FSB is a micro service application, so HTTP requests can be sent to extract a zip file or clone the project source from GitHub and run FindSecBugs.
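An added Dockerfile written to the specification above. It is not the post's own Dockerfile: the micro service repository URL, the jar name, its --port argument and the non-root user are assumptions, and OpenJDK 8 from apt stands in for the Oracle JDK 1.8 archive download, whose URL the post does not give. The checksum check on the Maven download and the unprivileged user go beyond the listed specification.

```dockerfile
# Added example Dockerfile following the post's specification (not the post's own).
# Placeholders/assumptions: SCANNER_REPO, the jar name, the --port argument, the user.
FROM ubuntu:16.04

# Tools the post lists (wget for Maven, git for the clone, unzip for the JDK archive),
# plus CA certificates for HTTPS downloads. OpenJDK 8 from apt replaces the Oracle
# JDK 1.8 archive download; the package registers the java and javac symlinks
# through update-alternatives.
RUN apt-get update && \
    apt-get install -y --no-install-recommends wget git unzip ca-certificates openjdk-8-jdk && \
    rm -rf /var/lib/apt/lists/*
ENV JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64

# Apache Maven 3.3.9 from the Apache archive, verified against the published SHA-1
# before extraction (pinning the hash in the Dockerfile itself would be stronger).
ENV MAVEN_VERSION=3.3.9
ENV MAVEN_URL=https://archive.apache.org/dist/maven/maven-3/${MAVEN_VERSION}/binaries
RUN cd /tmp && \
    wget -q ${MAVEN_URL}/apache-maven-${MAVEN_VERSION}-bin.tar.gz && \
    wget -q ${MAVEN_URL}/apache-maven-${MAVEN_VERSION}-bin.tar.gz.sha1 && \
    echo "$(cut -d' ' -f1 apache-maven-${MAVEN_VERSION}-bin.tar.gz.sha1)  apache-maven-${MAVEN_VERSION}-bin.tar.gz" | sha1sum -c - && \
    tar -xzf apache-maven-${MAVEN_VERSION}-bin.tar.gz -C /opt && \
    ln -s /opt/apache-maven-${MAVEN_VERSION}/bin/mvn /usr/local/bin/mvn && \
    rm -f /tmp/apache-maven-*

# Micro Service App - Static Scanner - FSB, cloned from GitHub (placeholder URL).
ARG SCANNER_REPO=https://github.com/example-org/static-scanner-fsb.git
RUN git clone --depth 1 ${SCANNER_REPO} /opt/static-scanner
WORKDIR /opt/static-scanner

# Run the scanner (and the Maven builds it triggers) as an unprivileged user, not root.
RUN useradd --create-home scanner && chown -R scanner:scanner /opt/static-scanner
USER scanner

# Port the micro service listens on; override at run time with -e SCANNER_PORT=<port>.
ENV SCANNER_PORT=8080
EXPOSE 8080
# Startup command: the jar name and its --port argument are placeholders.
CMD ["sh", "-c", "exec java -jar static-scanner-fsb.jar --port=${SCANNER_PORT}"]
```

With this file in the build context, `docker build -t fsb-scanner .` produces the image and `docker run -p 8080:8080 fsb-scanner` starts the container with the port mapping described above; `-e SCANNER_PORT=9090 -p 9090:9090` changes the port at run time.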

FindSecBugs Micro Service

When a container starts up, this micro service is started as well, providing an API that can be called to run a FindSecBugs scan.

Initiating a Scan

Automation Manager uploads a zip file of the project source code or gives the GitHub URL of the project source code. (If a specific branch or tag is to be cloned, the user has to give the URL of that branch or tag.) The micro service then:

  1. Validates the request
  2. If the project source code is given as a zip file, it is uploaded to the container and extracted
  3. If the GitHub URL of the project source code is given, the repository is cloned. To clone a specific branch or tag, the URL of that branch or tag must be given. If it is a private repository, the username and password must also be given
  4. Modifies the pom.xml file of the source code to add the FindSecBugs plugin
  5. Builds the source code using Maven
  6. Because the FindSecBugs plugin is included in the pom.xml file, the source code is built with the FindSecBugs plugin enabled, so scan reports are generated once the build completes successfully
  7. When scanning a project with multiple pom.xml files (a project with separate modules), several reports with the same name are generated inside separate target directories. All the reports are therefore renamed and moved to a new folder
  8. After each task completes, a notification is sent back to AM (e.g. file uploaded, file extracted, cloned). When the report is ready, a notification is therefore sent to AM
  9. This micro service provides an API to fetch the generated report, so Automation Manager can call the API and get the report
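An added Python example of steps 2, 4 and 7 of the procedure above. It is not the post's micro service code (which is a Java jar); it shows how the pom.xml modification, the multi-module report collection, and a path-checked extraction of the uploaded zip can be done. Assumed: the findbugs-maven-plugin configuration is the one the Find Security Bugs project documents, the two plugin versions are illustrative pins, and `findbugsXml.xml` is the report file the plugin writes under each module's target directory. The two-module project, the upload archive and the report files are constructed inside the example.

```python
"""Added example (not the post's micro service code): the pom.xml modification and
report-collection steps described above, plus a path-checked zip extraction."""
import shutil
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

POM_NS = "http://maven.apache.org/POM/4.0.0"
ET.register_namespace("", POM_NS)

# findbugs-maven-plugin carrying the Find Security Bugs detectors, in the form the
# Find Security Bugs project documents; both version numbers are assumptions to pin.
FINDSECBUGS_PLUGIN_XML = f"""<plugin xmlns="{POM_NS}">
  <groupId>org.codehaus.mojo</groupId><artifactId>findbugs-maven-plugin</artifactId>
  <version>3.0.5</version>
  <configuration><effort>Max</effort><threshold>Low</threshold>
    <plugins><plugin><groupId>com.h3xstream.findsecbugs</groupId>
      <artifactId>findsecbugs-plugin</artifactId><version>1.8.0</version>
    </plugin></plugins></configuration></plugin>"""

def safe_extract(zip_path, dest):
    """Step 2: extract an uploaded zip, refusing any entry that would land outside
    dest (../ or absolute names, 'zip slip') before a single file is written."""
    dest = Path(dest).resolve()
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            target = (dest / info.filename).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"unsafe archive entry: {info.filename}")
        zf.extractall(dest)
    return dest

def add_findsecbugs_plugin(pom_path):
    """Step 4: add the plugin under <build><plugins> of one pom.xml. Returns False
    when it is already declared, so re-scanning does not add it twice."""
    tree = ET.parse(pom_path)
    root, ns = tree.getroot(), {"m": POM_NS}
    build = root.find("m:build", ns)
    if build is None:
        build = ET.SubElement(root, f"{{{POM_NS}}}build")
    plugins = build.find("m:plugins", ns)
    if plugins is None:
        plugins = ET.SubElement(build, f"{{{POM_NS}}}plugins")
    for plugin in plugins.findall("m:plugin", ns):
        if plugin.findtext("m:artifactId", "", ns) == "findbugs-maven-plugin":
            return False
    plugins.append(ET.fromstring(FINDSECBUGS_PLUGIN_XML))
    tree.write(pom_path, xml_declaration=True, encoding="UTF-8")
    return True

def add_plugin_to_all_poms(project_root):
    """A multi-module project has several pom.xml files; patch every one."""
    root = Path(project_root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("pom.xml")
                  if add_findsecbugs_plugin(p))

def collect_reports(project_root, out_dir, report_name="findbugsXml.xml"):
    """Step 7: each module writes target/<report_name>; copy them into one folder,
    prefixed with the module path, so same-named reports do not overwrite."""
    root, out_dir = Path(project_root).resolve(), Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    names = []
    for report in sorted(root.rglob(f"target/{report_name}")):
        module = report.parent.parent.relative_to(root)
        label = "root" if str(module) == "." else module.as_posix().replace("/", "_")
        shutil.copy2(report, out_dir / f"{label}-{report_name}")
        names.append(f"{label}-{report_name}")
    return names

# Constructed two-module project (parent pom plus one module), not a real upload.
SAMPLE_ROOT_POM = f"""<project xmlns="{POM_NS}"><modelVersion>4.0.0</modelVersion>
<groupId>example</groupId><artifactId>parent</artifactId><version>1.0</version>
<packaging>pom</packaging><modules><module>core</module></modules>
<build><plugins/></build></project>"""
SAMPLE_MODULE_POM = f"""<project xmlns="{POM_NS}"><modelVersion>4.0.0</modelVersion>
<groupId>example</groupId><artifactId>core</artifactId><version>1.0</version></project>"""

def demo():
    """Run the steps over the constructed project and return what each produced."""
    work = Path(tempfile.mkdtemp())
    with zipfile.ZipFile(work / "upload.zip", "w") as zf:  # what AM would upload
        zf.writestr("proj/pom.xml", SAMPLE_ROOT_POM)
        zf.writestr("proj/core/pom.xml", SAMPLE_MODULE_POM)
    src = safe_extract(work / "upload.zip", work / "src") / "proj"
    patched = add_plugin_to_all_poms(src)
    patched_again = add_plugin_to_all_poms(src)  # second scan: nothing to add
    for module in (src, src / "core"):  # stand-in for the Maven build's output
        (module / "target").mkdir()
        (module / "target" / "findbugsXml.xml").write_text("<BugCollection/>")
    with zipfile.ZipFile(work / "bad.zip", "w") as zf:  # archive with a traversal entry
        zf.writestr("../escape.txt", "x")
    try:
        safe_extract(work / "bad.zip", work / "src2")
        rejected = False
    except ValueError:
        rejected = True
    return {"patched": patched, "patched_again": patched_again,
            "reports": collect_reports(src, work / "reports"), "rejected": rejected}
```

With the plugin declared this way, step 5 is `mvn -B compile findbugs:findbugs` run in the project root; Maven compiles each module and the plugin writes `target/findbugsXml.xml` per module, which `collect_reports` then gathers. The traversal check in `safe_extract` matters because the archive comes from outside the container: an entry such as `../escape.txt` is rejected before extraction starts rather than written next to the scanner's own files.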

Activity Diagram for FindSecBugs Micro Service

[Activity diagram: image not included in the text]

Senior Software Engineer @Sysco LABS | Apache Committer and PMC Member @Apache Allura | Former Software Engineering Intern @WSO2 | CSE | UoM | SL

Deshani Geethika
