Click here to Skip to main content
13,764,577 members
Click here to Skip to main content
Add your own
alternative version

Tagged as

Stats

6.4K views
4 bookmarked
Posted 21 Jul 2015
Licenced CPOL

Jenkins Pipeline Step: Node Security Project

, 21 Jul 2015
Rate this:
Please Sign up or sign in to vote.
How to configure Jenkins to automatically check your Node.JS projects dependencies against the Node Security Project

At HP, we make heavy use of Node.JS, and Jenkins for our build pipelines. We are also a security business, so any steps we can take to secure our code we take.

Subsequently I wanted to add a build pipeline step which automatically validated our packages, and their child dependencies against the Node Security Project which is a public list of known vulnerabilities in Node.JS modules. If a vulnerability was found obviously, I wanted to break the build.

Prerequisites

This can all be achieved relatively easily in Jenkins by making use of the Compiler Warnings plugin, so make sure you have this installed in Jenkins before we start.

You will also need to have the NSP module installed on your build server, easily done with npm install -g nsp.

Setting Up the Plugin

First things first, we need to configure the compiler warnings plugin. Basically, all this plugin does is scan your build log and attempts to match on a given RegEx. To configure the plugin, head over to your Jenkins Configuration page and scroll down to the Compiler Warnings section.

You want to create a new type of warning here with the following information:

  • Name: Node Security Project Vulnerabilities
  • Link Name: Node Security Project
  • Trend Report Name: Detected Vulnerabilities
  • Regular Expression: ([\w+-]+)\s+([\w\.-@]+)\s+>= *([\w\.-@]+)\s+(.*)

The mapping script is the part that takes the result from your RegEx and creates a hudson.plugins.warnings.parser.Warning object which Jenkins can recognize. Set it like this:

import hudson.plugins.warnings.parser.Warning  
import hudson.plugins.analysis.util.model.Priority

String msg = "Vulnerability found in '" + matcher.group(1) + "', version '" + 
matcher.group(4) + "', patched in '" + matcher.group(3) + "'"

return new Warning('package.json', 0, "NSP Warning", 'VULN1', msg, Priority.HIGH);  

Example Log Message, to save you some time, here is an example output from the module:

Name     Installed  Patched  Vulnerable Dependency  
connect    2.7.5    >=2.8.1  nodesecurity-jobs > kue > express  
qs      0.6.6     >= 1.x  essis-management@1.0.319 > restler@3.2.2 > qs@0.6.6  

With all those bits in, your page should look like this:

Jenkins Configuration

Adding a Build Step

The next step is to add a build step to the project that you want to check, the screenshot below shows a configuration that will break the build if any vulnerabilities are detected.

The important settings here are:

  • Parser: Node Security Project Vulnerabilities
  • The 0 in the Priority High status threshold box
  • And the tick box in Compute New Warnings

That's It

At this point, if you run your job (and there are any detected vulnerabilities), you will see this in your build log:

10:14:22  => nsp audit-package  
10:14:33 Name  Installed  Patched  Vulnerable Dependency  
10:14:33 qs      0.6.6     >= 1.x  essis-management@1.0.338 > restler@3.2.2 > qs@0.6.6  

And your build will go red.

You will also get a nice little graph of your vulnerabilities over time:

Vuln Graph

 

And also, on the build page, you can view the report:

Vuln Report

 

I hope this article was of use. Please ask if you have any questions.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Share

About the Author

Karl Stoney
Architect Hewlett Packard Enterprise Security Services
United Kingdom United Kingdom
Technical Architect for Hewlett-Packard Enterprise Security Service.

Please take the time to visit my site

You may also be interested in...

Pro

Comments and Discussions

 
-- There are no messages in this forum --
Permalink | Advertise | Privacy | Cookies | Terms of Use | Mobile
Web01-2016 | 2.8.181113.4 | Last Updated 21 Jul 2015
Article Copyright 2015 by Karl Stoney
Everything else Copyright © CodeProject, 1999-2018
Layout: fixed | fluid