Usage of external static code analysis tools

Overview

In this article we show one of the available code analysis tools, ShiftLeft, which provides a comprehensive security analysis and gives recommendations on how to fix the vulnerabilities it finds. You can integrate this analysis into your pipeline or run it manually; both protect the final product from being hacked and are very helpful to developers who are not so familiar with the security side of an application.

ShiftLeft consumes .jar files containing the compiled binaries. So first we need to build the application, and second we need to merge the generated .class files and package them into a .jar file. To do this we need to extend the default build logic; a custom Ant target is the solution.

We provide an example of a custom Ant target, which is helpful for extending the OOTB Ant task logic and supports shell-script-like steps in XML form. After defining your custom target, it is available as an ant command to execute.

Tools

Defining an Ant target

Add a custom Ant target in ${your_ext_folder}/buildcallbacks.xml, where it will be available globally. Our target, for example:

<?xml version="1.0"?>
<project name="${ext_name}_buildcallbacks">
  <!-- target and name which is used with ant command -->
  <target name="mergeclasses">

    <!-- local target variable -->
    <property name="new.class" value="${path_to_dest_folder}"/>

    <delete dir="${new.class}"/>
    <mkdir dir="${new.class}"/>
    <copy todir="${new.class}">
        <fileset dir="../custom">
            <!-- pattern to include required files -->
            <include name="**/classes/**/*"/>
        </fileset>
    </copy>

    <!-- destination path and name of the jar, and the directory to package
         (a bare & is not valid inside an XML attribute value) -->
    <jar destfile="${place_and_name_for_jarfile}" basedir="${new.class}"/>

  </target>
</project>

In the above configuration we created a custom Ant target that copies all existing class files to a new location and generates a .jar file from them. Then you will be able to run this target from ${platformhome}:

ant ${custom_target_name}

For the target defined above, that is: ant mergeclasses

Refer to the Apache Ant manual for the list of tasks and types available in targets.

ShiftLeft code analysis tool setup

  1. Download the CLI and make it executable:
    curl https://cdn.shiftleft.io/download/sl > $HOME/sl && chmod a+rx $HOME/sl

  2. Move it to a directory that is in your $PATH:
    sudo mv $HOME/sl /usr/local/bin/

  3. Register an account in ShiftLeft; the token shown after registration is used in the next step.

  4. Authenticate with that token (it is passed on the command line, so it ends up in your shell history; in a pipeline, inject it from a secret variable instead of pasting it):
    sl auth --org "your-org" --token "your-token"

  5. Build the application with ant and use our custom target to collect the classes into a jar file:
    cd $HYBRIS_PLATFORM && ant clean all && ant mergeclasses

  6. Run the analysis:
    sl analyze --java --wait --app yourAppName path_to.jar

  7. Review the results of the analysis.
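Before uploading the merged jar (between steps 5 and 6) it is worth confirming that the `**/classes/**/*` pattern matched what you intended: an empty jar analyses "clean", and anything other than .class files under a classes directory is uploaded along with the code. The following check is an added example, not part of the original article or of ShiftLeft's tooling; `make_sample_jar` builds a constructed stand-in for the Ant output, and its entry names and contents are invented.

```python
"""Sanity-check the jar produced by the mergeclasses Ant target before it is
uploaded to an external analysis service."""
import tempfile
import zipfile
from collections import Counter


def summarize_jar(jar_path):
    """Return (class_count, classes per package, non-class entries) for a jar."""
    per_package = Counter()
    non_class = []
    with zipfile.ZipFile(jar_path) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if name.endswith(".class"):
                # com/example/core/Foo.class -> package com.example.core
                per_package[name.rpartition("/")[0].replace("/", ".")] += 1
            elif name != "META-INF/MANIFEST.MF":  # the manifest is written by <jar>
                non_class.append(name)
    return sum(per_package.values()), per_package, non_class


def check_jar(jar_path):
    """Return a list of problems; an empty list means the jar is ready for sl analyze."""
    count, _, non_class = summarize_jar(jar_path)
    problems = []
    if count == 0:
        problems.append("no .class entries: the fileset include pattern matched nothing")
    problems.extend(f"non-class entry will be uploaded: {name}" for name in non_class)
    return problems


def make_sample_jar():
    """Constructed stand-in for the Ant output (entry names and contents are invented)."""
    with tempfile.NamedTemporaryFile(suffix=".jar", delete=False) as tmp:
        path = tmp.name
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("com/example/core/Foo.class", b"\xca\xfe\xba\xbe")  # class-file magic only
        jar.writestr("com/example/core/Bar.class", b"\xca\xfe\xba\xbe")
        jar.writestr("com/example/core/local.properties", "db.password=constructed-sample\n")
    return path


if __name__ == "__main__":
    sample = make_sample_jar()
    print(summarize_jar(sample))
    for problem in check_jar(sample):
        print("PROBLEM:", problem)
```

Run it against the real output of `ant mergeclasses` by passing that jar's path to `check_jar`; a non-empty result is a reason to tighten the fileset before step 6.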