Oct 4, 2017

Running SourceClear in a Docker Container

By Jason Nichols

A lot of customers ask about running SourceClear from within a Docker container on their build node. Here is how to do it. Customize this to suit your exact needs. Throughout the blog I assume that you've got a project named myproject.

The steps to follow are:

  • Build an Ubuntu based Docker image containing your project's source code
  • Run the Docker image, which downloads and installs the latest SourceClear agent
  • Start a SourceClear scan on the project folder

Required Files

Add the following two files to the root of your project:

Dockerfile

# Latest Ubuntu
FROM ubuntu

# curl is required for grabbing the latest SourceClear Agent.
# Install in a single layer and drop the apt cache to keep the image small.
RUN apt-get update && apt-get install -y curl && rm -rf /var/lib/apt/lists/*

# Copy the local project folder (including scan.sh) into the image so it can be scanned.
# Note: ADD copies the files into the image at build time; it does not mount the host folder.
ADD . /src

scan.sh

This is just a simple script file to keep the command line looking neat and tidy when you execute the Docker container.

#!/bin/bash

cd /src && curl -sSL https://download.sourceclear.com/ci.sh | sh

Make sure it's executable (the file mode is preserved when ADD copies it into the image):

$ chmod 755 scan.sh

Setting up the environment

The Agent API Key

In your SourceClear organization, create a new Jenkins agent, generate its API key, and export it as an environment variable on the build node:

export SRCCLR_API_TOKEN=<insert token here>

This will get passed to the Docker container at runtime.

Build the container

Building the Docker image does several things:

  • Downloads the base Docker image (Ubuntu)
  • Installs curl
  • Copies the root project folder into /src in the image

Now build the image (from the root of the project):

docker build -t srcclr_scan_myproject .

Execute the containerized scan

docker run -e SRCCLR_API_TOKEN srcclr_scan_myproject /src/scan.sh

This will do several things:

-e SRCCLR_API_TOKEN (given without a value) copies that environment variable, with its current value, from your shell into the running container. This supplies the SourceClear Agent with the required API key without writing the token into the image or onto the command line.

srcclr_scan_myproject tells Docker to use the image we just built (which contains the latest source from myproject).

/src/scan.sh runs the scan script we created locally, which now resides in /src/ along with the project's source.

If everything is set up correctly, you should see output like:

$ docker run -e SRCCLR_API_TOKEN srcclr_scan_myproject /src/scan.sh

SourceClear scanning engine ready
Running the Gem scanner
Scanning completed
Found 0 lines of code
Matching libraries against the SourceClear Registry...
Matching complete

Summary Report
Scan ID                              7295d188-2073-449a-9068-90ac6c08f44f
Scan Date & Time                     Oct 04 2017 08:49PM UTC
Account type                         ENTERPRISE
Scan engine                          2.10.37 (latest 2.10.37)
Analysis time                        5 seconds
User                                 root
Project                              /src
Package Manager(s)                   Gem

Open-Source Libraries
Total Libraries                      168
Direct Libraries                     57
Transitive Libraries                 120
Vulnerable Libraries                 2
Third Party Code                     100%

Security
With Vulnerable Methods              0
High Risk Vulnerabilities            1
Medium Risk Vulnerabilities          5
Low Risk Vulnerabilities             0

Vulnerabilities - Public Data
CVE-2015-5147                        High Risk       Denial Of Service (DoS) And Stack-based Buffer Overflow      redcarpet 3.2.3

Vulnerabilities - Premium Data
NO-CVE                               Medium Risk     Heap-based Buffer Overflow Through Embedded C Dependency     nokogiri 1.8.0
NO-CVE                               Medium Risk     Denial Of Service (DoS) Through Memory Consumption           nokogiri 1.8.0
NO-CVE                               Medium Risk     Copy-Paste Vulnerability (CPV) Through Libxml2               nokogiri 1.8.0
NO-CVE                               Medium Risk     Copy-Paste Vulnerability (CPV) Through Libxml2               nokogiri 1.8.0
NO-CVE                               Medium Risk     Multiple Stack Overflows Through Embedded C Dependency       nokogiri 1.8.0

Licenses
Unique Library Licenses              8
Libraries Using GPL                  2
Libraries With No License            14

Full Report Details                  https://myorg.sourceclear.io/teams/855C9Z5/scans/2489804
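In CI you usually want the job to fail when the summary report above shows High Risk findings rather than just printing them. The following wrapper is an added example, not part of the post or of SourceClear's tooling; it assumes the image name (srcclr_scan_myproject) and script path (/src/scan.sh) used above and parses the "<label>   <number>" lines of the summary report.

```shell
#!/bin/bash
# Added example: gate a CI job on the SourceClear summary report.
# Assumes the image and script names from the post (srcclr_scan_myproject, /src/scan.sh).
set -u

# Print the numeric value of the report line that starts with <label> (report on stdin).
# Prints -1 when no such line carries a number, so a truncated report cannot pass the gate.
report_value() {
    local label="$1"
    awk -v label="$label" '
        index($0, label) == 1 {
            n = $NF
            if (n ~ /^[0-9]+$/) { print n; found = 1; exit }
        }
        END { if (!found) print -1 }
    '
}

# Return 0 when the report has zero High Risk vulnerabilities, 1 otherwise.
gate_report() {
    local report="$1"
    local high
    high=$(printf '%s\n' "$report" | report_value "High Risk Vulnerabilities")
    [ "$high" -eq 0 ]
}

# Run the containerized scan from the post, show its output, and gate the job on it.
run_gated_scan() {
    # Refuse to run without the token rather than letting the agent fail later.
    : "${SRCCLR_API_TOKEN:?set SRCCLR_API_TOKEN before running the scan}"
    local out
    out=$(docker run -e SRCCLR_API_TOKEN srcclr_scan_myproject /src/scan.sh) || return 1
    printf '%s\n' "$out"
    gate_report "$out"
}

# Constructed sample, abbreviated from the post's output, for trying the gate offline.
SAMPLE_REPORT='Summary Report
Scan engine                          2.10.37 (latest 2.10.37)
Security
With Vulnerable Methods              0
High Risk Vulnerabilities            1
Medium Risk Vulnerabilities          5
Low Risk Vulnerabilities             0'
```

Call run_gated_scan from the build step; its exit status is non-zero when the scan fails to run or reports any High Risk vulnerability.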
