Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Solutions Architecture / 26 Jan 2021
GitLab / Solutions Architecture / 26 Jan 2021
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Breaking down the GitLab SAST Analyzer's Work

Description

Learn how GitLab executes SAST Scans and prepares output for GitLab to consume.

https://gitlab.com/poffey21/java-maven-multimodules/-/blob/f18027159450e20a3377665af4cc3aea70d874ba/.gitlab-ci.yml

A

Hi, my name is tim poffenburger and I am a solutions architect uh with git lab and wanted to talk about our static analysis. Security scanning wrapper that is used and the example that I'm going to talk through specific to java right now, but the the intent of our our static analysis scanning wrapper it. It is used. It works with a lot of different language, specific libraries and security plugins and what it um what it typically does is.

A

It builds the code and that code, that's being built, is usually uh going to be generating a set of binaries or bytecode objects, and then it's going to use that language, specific scanner and scan the actual code and the binaries and link vulnerabilities up between the binaries. What was built with the source code?

A

So that way you can have links within your source code out to the from from the results and then typically, that's going to be some scanner specific output as a security framework that there doesn't seem to be a set standard on what these scans should be producing.

A

So so, for example, the the java output that we're going to have is some xml. Then lastly, gitlab utilizes its analyzer to generate a json file that gitlab the product is allowed to consume, which will then drive our reports and dashboards and the merge request page as well.

A

Sometimes customers are going to come and they're going to want to do pre-compilation, so they're not actually going to want the analyzer to do that. Build process they're going to want the analyzer to just do the scanning and normalizing of that output.

A

The customer that I was working with recently actually didn't even want the analyzer to be in charge of scanning the code. They wanted to kick off the downstream plugin, the language specific scanner manually and then only have gitlab normalize that output.

A

So if you're just looking to to do a pre-compilation, you can actually set it up and you can have a build job and then the spot bugs for java. The sas job happen later and you can specify compile, is equal to false and then wait that way. It won't leverage maven to do that build process.

A

It is important to note that you'll have to make sure that your artifacts are being stored so that downstream spot bug. Sas job can pick those those binaries and um byte code.

A

In looking at the the spot bug sas job um as well as the the sas analyzer that is referenced here and the the sas job. What I was able to put together was this file here, and all this is going to do is this is going to leverage the sas job and it's going to override the spot, bugs sast and with four lines overriding the the original script.

A

I was able to update the path so that it has all the different locations where binaries are at for the executables of maven spot bugs the analyzer I'm going to kick off the maven package process, I'm going to kick off spot bugs, which is running the security plugins. It's going to take in all the necessary xml parameters or the include and exclusion files. It's going to also include the find sec bugs plug-in with a scanning effort of max, and then that's going to port all this stuff out to an xml file.

A

Specifically, what I'm actually doing here is I'm only going to pass in specific class files, so I wanted to only scan class files that were associated with a particular directory in this web folder and lastly, this uh this xml file will then be converted via the analyzer that gitlab owns and supports and has authored it themselves, and it's going to convert this into that json format, and this will then store this json format.

A

So gitlab can pick this up so the spotbox job you can actually see that does the package, it ran the scan and you can see the xml output from that scan and then, lastly, this analyzer conversion process.

A

Hopefully this was helpful. This was a fun exercise for me to go through take care.