Scanning in an Azure DevOps Pipeline - Prioritize
This article describes how to run a Prioritize scan in an Azure DevOps Pipeline.
What is a Prioritize Scan?
Mend Prioritize scans assess whether the security vulnerabilities reported for open source components are effective, that is, actually reachable from your code. A Prioritize scan analyzes how your code interacts with the open source components it uses, indicating whether the vulnerable code is effectively referenced by your code and, if so, identifying where that happens.
Prioritize scans require extra steps beyond those of a standard Unified Agent scan. This article describes how to implement these steps within an Azure DevOps pipeline.
Getting Started - Prerequisites
Before adding a Prioritize scan to your Azure DevOps pipeline, make sure that you have the following required information:
Your Mend organization’s API key
Your Mend user key
The parameters required for running a Prioritize scan on your type of project. These parameters can be found in ‘Scanning Projects with Mend Prioritize’
In addition, confirm that the project you wish to scan can successfully be built in your pipeline prior to adding the Prioritize scanning steps.
Creating Your Pipeline
Complete steps 1-3 under ‘Creating a Pipeline Using YAML’ in the article ‘Microsoft Azure DevOps Services UA Integration’.
Modify the Mend configuration to enable Prioritize scanning. You will need to set all of the parameters to match the requirements described in ‘Scanning Projects with Mend Prioritize’.
If you have a Unified Agent configuration file in the repository that you are scanning, modify the parameters within that file.
If you do not have a configuration file in the repository that you are scanning, add the parameters to your YAML file as environment variables. For example:
env:
  WS_APIKEY: $(APIKEY)
  WS_USERKEY: $(USERKEY)
  WS_PRODUCTNAME: AZDO_$(System.TeamProject)
  WS_PROJECTNAME: $(Build.Repository.Name)_$(Build.SourceBranchName)_Prioritize
  WS_ENABLEIMPACTANALYSIS: true
  WS_REQUIREKNOWNSHA1: false
  WS_RESOLVEALLDEPENDENCIES: false
  WS_NUGET_RESOLVEDEPENDENCIES: true
  WS_NUGET_RUNPRESTEP: true
  WS_FILESYSTEMSCAN: false
  WS_GENERATEPROJECTDETAILSJSON: true
  WS_EXCLUDES: '**/build/** **/tests/**'
Add a CLI task in order to download the latest version of the Unified Agent to your local environment.
- script: 'curl -LJO https://github.com/whitesource/unified-agent-distribution/releases/latest/download/wss-unified-agent.jar'
  displayName: 'Download the latest Unified Agent'
Add a CLI task in order to run the Prioritize scan.
If you are using a configuration file to supply your parameters, use the following command:
java -jar wss-unified-agent.jar -c wss-unified-agent.config -appPath /projectFolder/<binary target> -d /projectFolder
If you are using environment variables to supply your parameters, use the following command:
java -jar wss-unified-agent.jar -appPath <path to binary target> -d /projectFolder
Note that you can use shell variables to set the location of your binary target within your pipeline instead of hard-coding it. Below is an example for a Nuget project using a Linux pipeline:
# Derive the project name from the .csproj file under ./src
CSPROJ=$(basename $(find ./src -type f -wholename "*.csproj") .csproj)
# Locate the Release build output for that project
DLL=$(find ./ -type f -wholename "*/bin/Release/*/$CSPROJ.dll")
# Pass the located DLL as the binary target for the Prioritize scan
java -jar wss-unified-agent.jar -appPath $DLL -d /projectFolder
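The find-based lookup above silently produces an empty or ambiguous -appPath when the repository holds zero or several .csproj files or Release DLLs, and the agent then scans the wrong target. The following POSIX sh function, an added example rather than code from the Mend documentation, resolves the path fail-closed so the pipeline step stops before the scan runs; the src/ layout, bin/Release output directory and the fixture tree are assumptions.

```shell
#!/usr/bin/env sh
# Added example (not from the Mend page): resolve the -appPath for a Prioritize scan
# of a single-project .NET build, refusing to continue on 0 or more than 1 candidates.
# Assumptions: the project's .csproj lives under SRC_DIR and the build output is
# under some */bin/Release/<framework>/ directory below BUILD_ROOT.

# count_lines: number of non-empty lines on stdin (0 for empty input; grep's
# exit status 1 on "no match" is tolerated so the caller can use set -e)
count_lines() { grep -c . || true; }

# resolve_app_path SRC_DIR BUILD_ROOT
# Prints the DLL path on stdout; returns 1 with a message on stderr otherwise.
resolve_app_path() {
    src_dir=$1
    build_root=$2

    csprojs=$(find "$src_dir" -type f -name '*.csproj')
    n=$(printf '%s' "$csprojs" | count_lines)
    if [ "$n" -ne 1 ]; then
        echo "resolve_app_path: expected exactly one .csproj under $src_dir, found $n" >&2
        return 1
    fi
    project=$(basename "$csprojs" .csproj)

    # -path is the POSIX spelling of GNU find's -wholename used on the page
    dlls=$(find "$build_root" -type f -path "*/bin/Release/*/$project.dll")
    n=$(printf '%s' "$dlls" | count_lines)
    if [ "$n" -ne 1 ]; then
        echo "resolve_app_path: expected exactly one $project.dll under bin/Release, found $n" >&2
        return 1
    fi
    printf '%s\n' "$dlls"
}

# make_fixture DIR: constructed sample tree (not a real build) to exercise the function
make_fixture() {
    mkdir -p "$1/src/bin/Release/net6.0"
    : > "$1/src/App.csproj"
    : > "$1/src/bin/Release/net6.0/App.dll"
}

# In the pipeline step the call would be:
#   DLL=$(resolve_app_path ./src ./) || exit 1
#   java -jar wss-unified-agent.jar -appPath "$DLL" -d ./src
```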
Example YAML File for Windows Pipeline
Below is an example YAML file for a Prioritize Scan used to scan a Nuget project on a Windows pipeline.
trigger:
- release*
pool:
  vmImage: 'windows-latest'
variables:
  solution: '**/*.sln'
  buildPlatform: 'Any CPU'
  buildConfiguration: 'Release'
steps:
- task: NuGetToolInstaller@1
- task: NuGetCommand@2
  inputs:
    restoreSolution: '$(solution)'
- task: VSBuild@1
  inputs:
    solution: '$(solution)'
    msbuildArgs: '/p:DeployOnBuild=true /p:WebPublishMethod=Package /p:PackageAsSingleFile=true /p:SkipInvalidConfigurations=true /p:DesktopBuildPackageLocation="$(build.artifactStagingDirectory)\WebApp.zip" /p:DeployIisAppPath="Default Web Site"'
    platform: '$(buildPlatform)'
    configuration: '$(buildConfiguration)'
- script: |
    curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
    echo Unified Agent downloaded successfully
    java -jar wss-unified-agent.jar -appPath <path to publish dll> -d ./
  env:
    WS_APIKEY: $(APIKEY)
    WS_USERKEY: $(USERKEY)
    WS_PRODUCTNAME: AZDO_$(System.TeamProject)
    WS_PROJECTNAME: $(Build.Repository.Name)_$(Build.SourceBranchName)_Prioritize
    WS_ENABLEIMPACTANALYSIS: true
    WS_REQUIREKNOWNSHA1: false
    WS_RESOLVEALLDEPENDENCIES: false
    WS_NUGET_RESOLVEDEPENDENCIES: true
    WS_NUGET_RUNPRESTEP: true
    WS_FILESYSTEMSCAN: false
    WS_GENERATEPROJECTDETAILSJSON: true
    WS_EXCLUDES: '**/build/** **/tests/**'
  displayName: 'Unified Agent Prioritize Scan'
Example YAML File for Linux Pipeline
Below is an example YAML file for a Prioritize Scan used to scan a Nuget project on a Linux pipeline.
trigger:
- release*
pool:
  vmImage: 'ubuntu-latest'
steps:
- task: DotNetCoreCLI@2
  inputs:
    command: 'run'
    projects: 'build/build.csproj'
- script: |
    curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
    echo Unified Agent downloaded successfully
    CSPROJ=$(basename $(find ./src -type f -wholename "*.csproj") .csproj)
    DLL=$(find ./ -type f -wholename "*/bin/Release/*/$CSPROJ.dll")
    java -jar wss-unified-agent.jar -appPath $DLL -d ./src
  env:
    WS_APIKEY: $(APIKEY)
    WS_USERKEY: $(USERKEY)
    WS_PRODUCTNAME: AZDO_$(System.TeamProject)
    WS_PROJECTNAME: $(Build.Repository.Name)_$(Build.SourceBranchName)_Prioritize
    WS_ENABLEIMPACTANALYSIS: true
    WS_REQUIREKNOWNSHA1: false
    WS_RESOLVEALLDEPENDENCIES: false
    WS_NUGET_RESOLVEDEPENDENCIES: true
    WS_NUGET_RUNPRESTEP: true
    WS_FILESYSTEMSCAN: false
    WS_GENERATEPROJECTDETAILSJSON: true
    WS_EXCLUDES: '**/build/** **/tests/**'
  displayName: 'Unified Agent Prioritize Scan'