{"id":491,"date":"2016-06-28T17:20:05","date_gmt":"2016-06-28T17:20:05","guid":{"rendered":"http:\/\/blog.mozilla.org\/webqa\/?p=491"},"modified":"2016-06-28T17:20:05","modified_gmt":"2016-06-28T17:20:05","slug":"dockerized-owasp-zap-security-scanning-in-jenkins-part-two","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/fxtesteng\/2016\/06\/28\/dockerized-owasp-zap-security-scanning-in-jenkins-part-two\/","title":{"rendered":"Dockerized, OWASP-ZAP security scanning, in Jenkins, part two"},"content":{"rendered":"

Following up from my earlier blog post<\/a>, I was able to get a Dockerized ZAP-CLI up and running in a Jenkins instance!<\/p>\n

I\u2019ll break this down into five main parts, as follows:<\/p>\n

    \n
  1. \n
    Installing Jenkins<\/h5>\n<\/li>\n
  2. \n
    Installing Docker<\/h5>\n<\/li>\n
  3. \n
    Configuring and running ZAP-CLI within Jenkins<\/h5>\n<\/li>\n
  4. \n
    Configuring Docker further<\/h5>\n<\/li>\n
  5. \n
    Running the build<\/h5>\n<\/li>\n<\/ol>\n

    Installing Jenkins<\/strong><\/h1>\n

    I followed the directions from this page: https:\/\/wiki.jenkins-ci.org\/display\/JENKINS\/Installing+Jenkins+on+Red+Hat+distributions<\/a><\/p>\n

    Before I could use wget to grab the Jenkins install script, I had to get wget itself, like so:<\/p>\n

    $ sudo dnf install wget<\/code><\/pre>\n
    Next, it was just a matter of:<\/p>\n
    $ sudo wget -O \/etc\/yum.repos.d\/jenkins.repo http:\/\/pkg.jenkins-ci.org\/redhat-stable\/jenkins.repo<\/code><\/pre>\n
    Then:<\/p>\n
    $ sudo rpm --import https:\/\/jenkins-ci.org\/redhat\/jenkins-ci.org.key<\/code>\n$ sudo dnf install jenkins<\/code><\/pre>\n
    And now, even though Jenkins is installed, I also needed to install Java, which I did:<\/p>\n
    $ sudo dnf install java<\/code><\/pre>\n
    And, finally<\/p>\n
    $ sudo service jenkins start<\/code>\n$ sudo chkconfig jenkins on<\/code><\/pre>\n
    Installing Docker<\/strong><\/h1>\n
    From the official instructions on Docker’s Installation on Fedora page<\/a>, I chose the \u201cInstall with the script\u201d option.<\/p>\n
    $ sudo dnf update<\/code>\n\n$ curl -fsSl https:\/\/get.docker.com\/ | sh<\/code>\n\n$ sudo systemctl start docker<\/code>\n\n$ sudo docker run hello-world<\/code>\n\n$ sudo groupadd docker<\/code>\n$ sudo usermod -aG docker jenkins<\/code><\/pre>\n
    The following command enables Docker on system startup:<\/p>\n
    $ sudo systemctl enable docker<\/code><\/pre>\n
    Separately, now, both Jenkins and Docker (in that order) should be set up and ready. However, a few more installations of binaries and plugins are needed to make the two work together.<\/p>\n
    Configuring and running ZAP-CLI within Jenkins<\/strong><\/h1>\n
    To configure Jenkins to pull and run the docker-zap shell script<\/a>, let\u2019s do the following.<\/p>\n
      \n
    1. Load our Jenkins URL (with default :8080 port)<\/li>\n
    2. Click on New Item<\/li>\n
    3. In the \u201cItem name\u201d field, I\u2019ll choose \u201cdocker-zap-cli\u201d and choose \u201cFreestyle project\u201d<\/li>\n
    4. Oops! We know that we\u2019ll be using a GitHub (and thus, Git) project, so we\u2019ll need a Git\/GitHub binary\/executable, as well as its Jenkins plugins<\/li>\n
    5. OK, so from the command-line, let\u2019s do (from How to Install and Configure Git on Fedora 23<\/a>)\n
      $ dnf -y install git<\/code><\/pre>\n<\/li>\n
    6. Type\n
      which git<\/code><\/pre>\n
      to let us know where it installed to, successfully.\u00a0 That should be:<\/p>\n
      \/usr\/bin\/git<\/code><\/pre>\n<\/li>\n
    7. Now, let\u2019s go to \u201cManage Jenkins\u201d<\/li>\n
    8. Click on \u201cManage Plugins\u201d<\/li>\n
    9. Click on the \u201cAvailable\u201d tab<\/li>\n
    10. In the top-right\u2019s \u201cFilter\u201d textfield, let\u2019s type \u201cgit\u201d and see what it offers us<\/li>\n
    11. We need: Git client plugin, Git plugin, GitHub API Plugin, and the GitHub Authentication Plugin<\/li>\n
    12. Let\u2019s choose those, and then choose \u201cDownload now and install after restart,\u201d just to be safe<\/li>\n
    13. (There will be a full list of other dependencies which will also be installed, and that\u2019s expected.)<\/li>\n
    14. Let\u2019s make sure our Git binary installation works.\u00a0 Under the \/configure URL, in \u201cGit\u201d let\u2019s provide the \u201cPath to Git executable\u201d which, as we\u2019ve seen above, should be\n
      usr\/bin\/git<\/code><\/pre>\n<\/li>\n
    15. Now, let\u2019s go back to our \u201cdocker-zap-cli\u201d job in Jenkins, and choose \u201cConfigure\u201d<\/li>\n
    16. Under Source Code Management, now, we should see a \u201cGit\u201d option.\u00a0 Click on that and enter https:\/\/github.com\/stephendonner\/docker-zap.git<\/li>\n
    17. Scroll down to the \u201cBuild\u201d option, choose \u201cAdd build step\u201d and pick \u201cExecute shell\u201d<\/li>\n
    18. In the \u201cCommand\u201d textfield, let\u2019s put\n
      .\/run-docker.sh<\/code><\/pre>\n<\/li>\n
    19. Click \u201cSave\u201d<\/li>\n
    20. Now, let\u2019s click \u201cBuild Now\u201d<\/li>\n
    21. If you see any \u201cpermission denied\u201d errors, particularly with\n
      \/bin\/docker<\/code><\/pre>\n
      and can confirm with the SELinux audit log<\/a>, then try the following:<\/li>\n<\/ol>\n
      Disabling SELinux support<\/h5>\n
      I should note that, once I identified the SELinux-related issues with Docker in Fedora, I didn’t spend much time trying to fully understand how to make them work.  I do plan on returning to this in future work, as disabling SELinux is *NOT* recommended.<\/strong>  There’s an official FAQ here: https:\/\/fedoraproject.org\/wiki\/SELinux_FAQ<\/a>. (In fact, the Docker Daemon docs<\/a> reference the –selinux-enabled<\/strong> option.) However, to go about disabling SELinux on a test system, per RedHat’s docs<\/a>, we need to change<\/p>\n
      SELINUX=enforcing<\/code><\/pre>\n
      to read<\/p>\n
      SELINUX=disabled<\/code><\/pre>\n
      in<\/p>\n
      \/etc\/selinux\/config<\/code><\/pre>\n
      So do:<\/p>\n
      $ sudo vi \/etc\/selinux\/config<\/code><\/pre>\n
      and make the edit.<\/p>\n
      We need a logout\/restart, here, so let’s do:<\/p>\n
      $ systemctl stop jenkins.service<\/code>\n$ systemctl stop docker.service<\/code>\n$ shutdown -r now<\/code><\/pre>\n
      Configuring Docker further<\/strong><\/h1>\n
      Now, because we’re using a Fedora version which has systemd, we want to configure Docker using systemd<\/a>.<\/p>\n
      We want to put in the following:<\/p>\n
      $ sudo mkdir \/etc\/systemd\/system\/docker.service.d<\/code>\n$ sudo vi \/etc\/systemd\/system\/docker.service.d\/docker.conf<\/code><\/pre>\n
      EnvironmentFile=-\/etc\/sysconfig\/docker\nEnvironmentFile=-\/etc\/sysconfig\/docker-storage\nEnvironmentFile=-\/etc\/sysconfig\/docker-network\n$DOCKER_STORAGE_OPTIONS \\\n$DOCKER_NETWORK_OPTIONS \\\n$BLOCK_REGISTRY \\\n$INSECURE_REGISTRY\nExecStart=\nExecStart=\/usr\/bin\/dockerd -D -H tcp:\/\/127.0.0.1:2375<\/code><\/pre>\n
      Now we also want to make Docker available via that TCP port<\/a> we specified, 2375:<\/p>\n
      $ sudo vi \/etc\/systemd\/system\/docker-tcp.socket<\/code><\/pre>\n
      Put in the following:<\/p>\n
      [Unit]\nDescription=Docker Socket for the API\n\n[Socket]\nListenStream=2375\nBindIPv6Only=both\nService=docker.service\n\n[Install]\nWantedBy=sockets.target<\/code><\/pre>\n
      Now, let’s enable and start Docker’s binding to TCP:2375:<\/p>\n
      $ systemctl stop docker.service<\/code>\n$ systemctl enable docker-tcp.socket<\/code>\n$ systemctl start docker-tcp.socket<\/code>\n$ systemctl start docker.service<\/code><\/pre>\n
      (Here’s also a nice article<\/a> for more in-depth info on the above.)<\/p>\n
      Running the build<\/strong><\/h1>\n
      Now that we’ve installed and configured Jenkins, Docker, and Git and other necessary plugins, it’s time to build!<\/p>\n
        \n
      1. In Jenkins, for the docker-zap-cli job view, click on “Build” in the left<\/li>\n
      2. If all goes well, you should see something very close to the following:<\/li>\n<\/ol>\n
        GitHub-repo pulling...\n<\/code><\/pre>\n
        20:47:20 [INFO]            Accessing URL https:\/\/www.allizom.org\/en-US\/firefox\/\n20:47:34 [INFO]            Running spider...\n20:49:15 [INFO]            Running an active scan...\n<\/code><\/pre>\n
        6310 [ZAP-daemon] INFO org.zaproxy.zap.DaemonBootstrap  - ZAP is now listening on 127.0.0.1:2375\n43023 [Thread-9] INFO org.zaproxy.zap.extension.spider.SpiderThread  - Starting spidering scan on SpiderApi-0 at Tue Jun 28 20:47:34 UTC 2016\n43028 [Thread-9] INFO org.zaproxy.zap.spider.Spider  - Spider initializing...\n43055 [Thread-9] INFO org.zaproxy.zap.spider.Spider  - Starting spider...\n<\/pre>\n
        <\/code><\/p>\n
        105166 [pool-1-thread-2] INFO org.zaproxy.zap.spider.Spider  - Spidering process is complete. Shutting down...\n105174 [Thread-10] INFO org.zaproxy.zap.extension.spider.SpiderThread  - Spider scanning complete: true\n<\/pre>\n
        <\/code><\/p>\n
        20:49:35 155113 [Thread-12] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host https:\/\/www.allizom.org in 11.491s\n20:49:35 155115 [Thread-11] INFO org.parosproxy.paros.core.scanner.Scanner  - scanner completed in 11.532s\n20:49:35 c7017c8e9ca40054acf9e1a88dc36c14d1866419da6ca974efd61298b423c43f\n20:49:35 Finished: SUCCESS<\/code><\/pre>\n
        Here's a Pastebin entry<\/a> with the full output.<\/p>\n
        In fact, the output should very nearly match that in https:\/\/blog.mozilla.org\/webqa\/2016\/05\/11\/docker-owasp-zap-part-one\/<\/a> , since Docker is just executing the commands we've already set up.<\/p>\n
        I plan on continuing to work further in my GitHub repository<\/a>, so keep an eye on and\/or add to Issues<\/a>\/Pull Requests<\/a>!<\/p>\n
        I'd absolutely love more help and feedback on how to make this more useful; thanks!<\/p>\n","protected":false},"excerpt":{"rendered":"
        Following up from my earlier blog post, I was able to get a Dockerized ZAP-CLI up and running in a Jenkins instance! I\u2019ll break this down into five main parts, … Read more<\/a><\/p>\n","protected":false},"author":512,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[228,69],"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/fxtesteng\/wp-json\/wp\/v2\/posts\/491"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/fxtesteng\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/fxtesteng\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/fxtesteng\/wp-json\/wp\/v2\/users\/512"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/fxtesteng\/wp-json\/wp\/v2\/comments?post=491"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/fxtesteng\/wp-json\/wp\/v2\/posts\/491\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/fxtesteng\/wp-json\/wp\/v2\/media?parent=491"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/fxtesteng\/wp-json\/wp\/v2\/categories?post=491"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/fxtesteng\/wp-json\/wp\/v2\/tags?post=491"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}