Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
1 parent dee92ad, commit cc42767. Showing 9 changed files with 73 additions and 522 deletions.
@@ -0,0 +1,19 @@ | ||
[package] | ||
name = "soos-sample-project" | ||
authors = ["SOOS <[email protected]>"] | ||
version = "1.0.1" | ||
edition = "2021" | ||
license = "MIT" | ||
license-file = "LICENSE" | ||
description = "SOOS ( https://soos.io ) is an independent software security company, located in Winooski, VT USA, building security software for your team. Used for testing purposes, this package is an example of a vulnerable package on a public registry." | ||
homepage = "https://soos.io/" | ||
repository = "https://github.com/soos-io/sample-project-rust" | ||
readme = "README.md" | ||
keywords = ["sample", "testing"] | ||
|
||
[dependencies] | ||
aac = "0.0.0" | ||
acc_reader = "2.0.0" | ||
pbkdf2 = { version = "0.13.0-pre.1" } | ||
core-nightly = "2015.1.7" | ||
protobuf = "2.5.0" |
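Review bot: `license = "MIT"` and `license-file = "LICENSE"` are both set in the `[package]` table of this manifest; Cargo treats the two as alternatives and warns that only one is necessary, so drop the `license-file` line since the SPDX identifier already covers it. Separately, the `[dependencies]` requirements are caret ranges, not exact pins: `acc_reader = "2.0.0"` and `protobuf = "2.5.0"` mean `^2.0.0` and `^2.5.0`, so a fresh checkout resolves to whatever 2.x is newest at build time, and `pbkdf2 = "0.13.0-pre.1"` likewise admits later 0.13.x releases. Only `aac = "0.0.0"` is effectively exact (`^0.0.0` allows nothing above 0.0.0). Since the description says this package exists to be a reproducible vulnerable example for scanner testing, either commit a Cargo.lock alongside the manifest or use exact requirements (`protobuf = "=2.5.0"`) so that the resolved versions, and therefore the expected findings, do not drift.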
This file was deleted.
@@ -0,0 +1,21 @@ | ||
MIT License | ||
|
||
Copyright (c) 2023 SOOS LLC | ||
|
||
Permission is hereby granted, free of charge, to any person obtaining a copy | ||
of this software and associated documentation files (the "Software"), to deal | ||
in the Software without restriction, including without limitation the rights | ||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | ||
copies of the Software, and to permit persons to whom the Software is | ||
furnished to do so, subject to the following conditions: | ||
|
||
The above copyright notice and this permission notice shall be included in all | ||
copies or substantial portions of the Software. | ||
|
||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | ||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | ||
SOFTWARE. |
@@ -1,117 +1,13 @@ | ||
# Sonatype Lifecycle CI Examples | ||
CI example builds and Sonatype Lifecycle analysis for different languages. | ||
# About SOOS | ||
|
||
Each of the examples are split into separate Git branches, so they can easily automatically be pulled into a CI multibranch build job, as explained below for Jenkins CI. | ||
SOOS is an independent software security company, located in Winooski, VT USA, building security software for your team. [SOOS, Software security, simplified](https://soos.io). | ||
|
||
|Language |Build System |Lifecycle Integration |Git Branch| | ||
|----------|---------------------|----------------------------------|:-----| | ||
|C++ |cmake |[Sonatype CLI][CLI] |[c++-cmake-opencv](../../tree/c++-cmake-opencv)| | ||
|Java |Gradle/Android Studio|[Sonatype CLI][CLI] |[java-android-gradle-LeafPic](../../tree/java-android-gradle-LeafPic)| | ||
|Java |Gradle/Android Studio|[Sonatype CLI][CLI] |[java-android-gradle-nextcloud](../../tree/java-android-gradle-nextcloud)| | ||
|Java |Maven |[Sonatype Jenkins Plugin][Jenkins]|[java-maven-struts2-rce](../../tree/java-maven-struts2-rce)| | ||
|Java |Maven |[Sonatype Jenkins Plugin][Jenkins]|[java-maven-webgoat](../../tree/java-maven-webgoat)| | ||
|Javascript|NPM |AuditJS |[javascript-auditjs-juiceshop](../../tree/javascript-auditjs-juiceshop)| | ||
|Javascript|NPM |[Sonatype Jenkins Plugin][Jenkins]|[javascript-npm-juiceshop](../../tree/javascript-npm-juiceshop)| | ||
|Javascript|NPM |[Sonatype Jenkins Plugin][Jenkins]|[javascript-npm-nodegoat](../../tree/javascript-npm-nodegoat)| | ||
|PHP |Composer |[Sonatype CLI][CLI] |[php-composer-symfony](../../tree/php-composer-symfony)| | ||
|Python |PIP |Jake |[python-jake-homeassistant](../../tree/python-jake-homeassistant)| | ||
|Python |PIP |[Sonatype Jenkins Plugin][Jenkins]|[python-pip-homeassistant](../../tree/python-pip-homeassistant)| | ||
|Rust |Rust |[Sonatype Jenkins Plugin][Jenkins]|[rust-rust-story](../../tree/rust-rust-story)| | ||
Use SOOS to scan your software for [vulnerabilities](https://app.soos.io/research/vulnerabilities) and [open source license](https://app.soos.io/research/licenses) issues with [SOOS Core SCA](https://soos.io/products/sca). [Generate and ingest SBOMs](https://soos.io/products/sbom-manager). [Export reports](https://kb.soos.io/help/soos-reports-for-export) to industry standards. Govern your open source dependencies. Run the [SOOS DAST vulnerability scanner](https://soos.io/products/dast) against your web apps or APIs. [Scan your Docker containers](https://soos.io/products/containers) for vulnerabilities. Check your source code for issues with [SAST Analysis](https://soos.io/products/sast). | ||
|
||
To make the builds repeatable and simple, this project include Jenkins Docker build nodes provided as Docker containers with a preconfigured build environment for each ecosystem; for example for Maven build example, the container [preconfigures Maven and Java](https://github.com/sonatype-nexus-community/nexus-ci-examples/blob/java-maven-struts2-rce/jenkins-node-maven/Dockerfile). The Dockerfile and supporting content are provided with each build example branch. | ||
[Demo SOOS](https://app.soos.io/demo) or [Register for a Free Trial](https://app.soos.io/register). | ||
|
||
## Usage instructions for Jenkins | ||
### Jenkins setup | ||
If you maintain an Open Source project, sign up for the Free as in Beer [SOOS Community Edition](https://soos.io/products/community-edition). | ||
|
||
You will need the Jenkins "Docker" and “Nexus Platform” plugins | ||
## sample-project-rust | ||
|
||
Jenkins -> Manage Jenkins -> Manage Plugins -> Available | ||
Type: “Nexus Platform” in the search box | ||
Select the Nexus Platform plugin, then “Install without restart” | ||
|
||
### Configure the Nexus Plugin | ||
Jenkins -> Manage Jenkins -> Configure System | ||
|
||
Scroll down to the Sonatype Nexus section | ||
|
||
“Add IQ Server” | ||
|
||
and add the IQ server configuration and cridentials, you can check the connection on this page. | ||
|
||
### Install the Docker Plugin | ||
Jenkins -> Manage Jenkins -> Manage Plugins -> Available | ||
Type: “Docker” in the search box | ||
Select the “Docker” plugin (not the Docker API plugin) | ||
|
||
Select “Download now and install after restart” | ||
Select the “Restart after download when no jobs are running” | ||
|
||
### Configure the Docker Cloud | ||
The groovy scipt on the project can automate the setup of the Docker plugin. | ||
Click on the set-up-cloud.groovy file | ||
Click the “raw” button near the top | ||
Copy the entire file | ||
|
||
Login to Jenkins: | ||
Jenkins -> Manage Jenkins -> Script Console (it’s under Tools and Actions) | ||
|
||
Paste the text/copy buffer into the window | ||
|
||
Search for 'IQserver' and change the IQ URL to match you system configuration (bear in mind that this is from within a docker build node, not from the Jenkins machine itself) | ||
For example if you use Docker Desktop and your IQ server is running on the same host as docker you would use: http://host.docker.internal:8070 | ||
You will also need to configure the location the system can use to reach your docker host. For a local Jenkins and Docker install the unix socket in the default config will work, for other systems, such as Jenkins within docker you will need to mount the socket as a volume or expose the API to http. | ||
|
||
|
||
### Jenkins Job Configuration | ||
Before configuring this, you need to create a GitHub token for Jenkins to access the GitHub repository with. Failure to do this will result in errors caused by hitting the GitHub API limits. | ||
|
||
### Create a GitHub “Token” | ||
Open http://www.github.com and “Signin”. You may need to provide your 2FA token using Google Authenticator. | ||
|
||
Click on your user icon in the upper right corner -> Settings | ||
|
||
At the bottom left -> Developer settings -> Personal access tokens | ||
|
||
[Generate new token] | ||
|
||
|
||
### Create the Jenkins job | ||
|
||
Jenkins -> Create a job | ||
|
||
Enter an item name: Nexus Example Builds | ||
|
||
Scroll to the bottom and select: Multibranch Pipeline. -> OK | ||
|
||
|
||
|
||
Display Name: Nexus Example Builds | ||
|
||
Branch Sources -> Add source -> GitHub | ||
|
||
Credentials: Add -> Jenkins | ||
|
||
Username: <username>@sonatype.com | ||
|
||
Password: Paste your token password | ||
|
||
ID: NexusExampleBuilds-GitHub | ||
|
||
Description: NexusExampleBuilds-GitHub | ||
|
||
[Add] | ||
|
||
Credentials: Select NexusExampleBuilds-GitHub | ||
|
||
Repository HTTPS URL: https://github.com/sonatype-nexus-community/nexus-ci-examples.git | ||
|
||
[Validate] | ||
|
||
Scroll to the bottom and select “Save” | ||
|
||
|
||
|
||
At this point – Builds for all the platforms/eco-systems will automatically kick off. | ||
|
||
[CLI]: https://help.sonatype.com/en/sonatype-iq-cli.html | ||
[Jenkins]: https://help.sonatype.com/en/sonatype-platform-plugin-for-jenkins.html | ||
This repository is an example of a vulnerable package on a public registry. It is used for testing purposes. |
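Review bot: the new `## sample-project-rust` section is a single sentence, while the manifest in this commit describes the package as a deliberately vulnerable example used for testing. The README should list which dependencies carry the intended findings and show how to run the project against a scanner, otherwise a reader has no way to distinguish expected results from noise; the project section should also come before the product overview, since it is what the repository is for. The hunk removes the whole 117-line Sonatype Jenkins guide together with its `[CLI]` and `[Jenkins]` reference definitions, so no dangling link references remain in the new text.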
This file was deleted.