Chapter 2: DevSecOps
DevSecOps is an extension of DevOps that integrates security into the entire software development process, specifically into the CI/CD pipeline.
DevSecOps Tools
For Backend - Java Spring Boot
Code Coverage - Jacoco
- Please refer to Code Coverage - Jacoco
SonarScanner - SonarQube
SonarQube SonarScanner analysis is used to assess code quality; it analyzes the code, including:
- Static Code Analysis
- Security Analysis
- Covered earlier
- Please refer to SonarScanner - SonarQube
Maven Dependency Analysis
- Please refer to Maven Dependency Analysis
OWASP dependency check Maven
Note: the first run takes more than 20 minutes.
- Please see the Jenkins pipeline OWASP dependency check stage in
emapi\Jenkinsfile
Sonatype Lifecycle
- Please refer to: EasyManage: Backend Templates
- Located in the generated code folder:
...\resources\templates\backend\spring-java
- Readme DevSecOps:
backend\spring-java\DevSecOps\README-DevSecOps.md
- Readme Sonatype Lifecycle:
backend\spring-java\DevSecOps\sonatype\README-sonatype.md
Please see the next section for a brief overview of Sonatype Nexus Scan.
Sonatype Nexus Scan
Run Sonatype Nexus Scan with Nexus IQ Server in Docker
Install/set up and run Nexus IQ Server in Docker:
docker run -d -p 8070:8070 -p 8071:8071 --name nexus-iq-server sonatype/nexus-iq-server
- Log in at http://localhost:8070/
- Login: admin / admin123
- Once running, the IQ Server product license must be installed.
Run Sonatype Nexus Scan
- Run the Maven goal `evaluate`:
mvn package com.sonatype.clm:clm-maven-plugin:evaluate -Dclm.additionalScopes=test,provided -Dclm.applicationId=emapi -Dclm.serverUrl=http://localhost:8070 -Dclm.username=admin -Dclm.password=admin123
Sample output of mvn `evaluate`, e.g.:
[INFO] --- clm-maven-plugin::evaluate (default-cli) @ line-comm-03 ---
[INFO] Starting scan...
...
[INFO] Evaluating policies on http://localhost:8070 ...
[ERROR] Sonatype IQ reports policy 'Security-Critical' failing for
component 'org.apache.logging.log4j:log4j-core:2.9.0' with hash '052f6548ae1688e126c2' due to
constraint 'Critical risk CVSS score':
Security Vulnerability Severity >= 9 because: Found security vulnerability CVE-2021-44228 with severity >= 9 (severity = 10.0)
[INFO] ------------------------------------------------------------------------
[INFO] Policy Action: Failure
[INFO] Number of components affected: 1 critical, 0 severe, 0 moderate
[INFO] Number of open policy violations: 2 critical, 0 severe, 1 moderate
[INFO] Number of grandfathered policy violations: 0
[INFO] Number of components evaluated: 5
[INFO] The detailed report can be viewed at: http://localhost:8070/ui/links/application/local-iq-app/report/755d19e970fd491ca2e23f21bea35d58
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
------------------------------------------------------------------------
View Result of Sonatype Nexus Scan
- Please see the details in the output log:
- Policy Action: None | Warn | Failure
- The detailed report can be viewed at: the link given in the log
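The two lines the section above tells you to look for (the Policy Action and the report link) are what a pipeline stage actually needs to act on. The following gate script is an added example, not part of the EasyManage docs or the Sonatype plugin: it parses the console output of the `evaluate` goal as shown above, extracts the Policy Action (None | Warn | Failure), the affected-component counts and the report URL, and returns a non-zero status when the action is Failure. The function names (`iq_policy_action`, `iq_report_url`, `iq_affected`, `iq_gate`) are ours, the log lines are constructed from the sample output in this section, and the report id in the clean log is a labelled placeholder.

```shell
#!/bin/sh
# Added example (not from the EasyManage docs): parse `mvn ... clm-maven-plugin:evaluate`
# console output and turn the "Policy Action" line into a pipeline exit status.
# Log format is assumed from the sample output in this section; function names are ours.

# Constructed sample logs, modelled on the output shown above.
FAILING_LOG=$(mktemp)
CLEAN_LOG=$(mktemp)
trap 'rm -f "$FAILING_LOG" "$CLEAN_LOG"' EXIT

cat > "$FAILING_LOG" <<'EOF'
[INFO] --- clm-maven-plugin::evaluate (default-cli) @ emapi ---
[INFO] Starting scan...
[INFO] Evaluating policies on http://localhost:8070 ...
[ERROR] Sonatype IQ reports policy 'Security-Critical' failing for
component 'org.apache.logging.log4j:log4j-core:2.9.0' with hash '052f6548ae1688e126c2' due to
constraint 'Critical risk CVSS score':
[INFO] Policy Action: Failure
[INFO] Number of components affected: 1 critical, 0 severe, 0 moderate
[INFO] Number of open policy violations: 2 critical, 0 severe, 1 moderate
[INFO] The detailed report can be viewed at: http://localhost:8070/ui/links/application/local-iq-app/report/755d19e970fd491ca2e23f21bea35d58
[INFO] BUILD FAILURE
EOF

# Constructed "clean" run; REPORT-ID-PLACEHOLDER stands in for a real report id.
cat > "$CLEAN_LOG" <<'EOF'
[INFO] --- clm-maven-plugin::evaluate (default-cli) @ emapi ---
[INFO] Evaluating policies on http://localhost:8070 ...
[INFO] Policy Action: None
[INFO] Number of components affected: 0 critical, 0 severe, 0 moderate
[INFO] The detailed report can be viewed at: http://localhost:8070/ui/links/application/emapi/report/REPORT-ID-PLACEHOLDER
[INFO] BUILD SUCCESS
EOF

# Print the policy action recorded in an evaluate log (None, Warn or Failure).
iq_policy_action() {
    sed -n 's/^\[INFO\] Policy Action: *\([A-Za-z]*\).*/\1/p' "$1" | head -n 1
}

# Print the URL of the detailed IQ report.
iq_report_url() {
    sed -n 's/^\[INFO\] The detailed report can be viewed at: *\(http[^ ]*\).*/\1/p' "$1" | head -n 1
}

# Print the number of affected components at one severity: critical, severe or moderate.
# The [^0-9] before the capture keeps multi-digit counts whole.
iq_affected() {
    sed -n "s/^\[INFO\] Number of components affected:.*[^0-9]\([0-9][0-9]*\) $2.*/\1/p" "$1" | head -n 1
}

# Pipeline gate: status 0 for None or Warn, 1 for Failure,
# 2 when no Policy Action line is present (an unparsable log must not pass silently).
iq_gate() {
    action=$(iq_policy_action "$1")
    case "$action" in
        None)    echo "IQ policy action: None"; return 0 ;;
        Warn)    echo "IQ policy action: Warn (build continues); report: $(iq_report_url "$1")"; return 0 ;;
        Failure) echo "IQ policy action: Failure; $(iq_affected "$1" critical) critical component(s); report: $(iq_report_url "$1")"; return 1 ;;
        *)       echo "no Policy Action line found in $1"; return 2 ;;
    esac
}

# Usage on the constructed samples: the clean log passes, the failing log does not.
iq_gate "$CLEAN_LOG"
iq_gate "$FAILING_LOG" || echo "build would be failed here (exit status $?)"
```

In a Jenkins stage the same gate would be fed the saved `mvn` console log (e.g. `mvn ... evaluate | tee evaluate.log; iq_gate evaluate.log`), so the stage fails on Failure, passes with a visible message on Warn, and fails loudly if the plugin never reached the policy evaluation at all.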