The procedure for setting up projects for a SonarCloud scan can be found at the links below:
https://gerrit.akraino.org/r/gitweb?p=ci-management.git;a=blob;f=jjb/camunda_workflow/camunda_workflow.yaml;h=0be9fa76d0b0101402a69fd5b2e394dbb722257e;hb=HEAD
https://docs.releng.linuxfoundation.org/projects/global-jjb/en/latest/jjb/lf-maven-jobs.html#lf-infra-maven-sonarcloud
How to: Set up SonarCloud scans for non-Java projects
SonarQube scan results can be accessed from https://sonarcloud.io/organizations/akraino-edge-stack/projects. You should be able to log in with your LFID credentials, the same as you would use for Gerrit or Jenkins.
Bug Severity in SonarQube and mapping to Akraino security requirements
| SonarQube | Akraino |
|---|---|
| Blocker | Critical |
| Critical | Important |
| Major | Important |
| Minor | Moderate |
| Info | Low |
Vuls will be integrated with Validation Framework (Bluval User Guide)
Below is the list of tasks for the integration.
Install the Vuls containers (https://vuls.io/docs/en/install-with-docker.html). Vuls containers can be found at: https://hub.docker.com/u/vuls/
Detailed instructions can be found at https://vuls.io/docs/en/tutorial-docker.html
```shell
cd /path/to/working/dir
# Log directories for the three vulnerability-database fetchers
mkdir go-cve-dictionary-log goval-dictionary-log gost-log

# Fetch NVD CVE data for every year from 2002 up to the current year
for i in `seq 2002 $(date +"%Y")`; do \
  docker run --rm -it \
    -v $PWD:/vuls \
    -v $PWD/go-cve-dictionary-log:/var/log/vuls \
    vuls/go-cve-dictionary fetchnvd -years $i; \
done

# Fetch Red Hat OVAL definitions for RHEL 5, 6 and 7
docker run --rm -it \
  -v $PWD:/vuls \
  -v $PWD/goval-dictionary-log:/var/log/vuls \
  vuls/goval-dictionary fetch-redhat 5 6 7

# Fetch Red Hat security tracker data with gost
# (the log mount uses the gost-log directory created above)
docker run --rm -i \
  -v $PWD:/vuls \
  -v $PWD/gost-log:/var/log/gost \
  vuls/gost fetch redhat
```
```toml
# config.toml: scan target definition for Vuls
[servers]

[servers.c74]
host = "54.249.93.16"
port = "22"
user = "vuls-user"
keyPath = "/root/.ssh/id_rsa" # path to the SSH private key inside the docker container
```
Lynis must run on the SUT (System Under Test). The overall test framework will be similar to that of Vuls. As for the Lynis installation, there are two options:
Considering the complexity of installing applications on the target system, option 1 is recommended.
For more information about Lynis, please check the link below:
https://cisofy.com/documentation/lynis/get-started/
```shell
# Install Lynis on the SUT and run a full system audit
yum install lynis
lynis audit system
```
After running, detailed test logs are stored in /var/log/lynis.log; the information for each test includes:
In addition to the log file, Lynis also creates a report and stores it in /var/log/lynis-report.dat. The report file contains the following information:
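As an added example (not part of the original page, nor code from Lynis or Bluval), a small Python reader that consumes /var/log/lynis-report.dat and turns the hardening index and warnings into a pass/fail verdict a validation job could consume. It assumes the report's key=value / key[]=value layout with pipe-separated findings; the sample report text and the thresholds are constructed.

```python
from collections import defaultdict

# Constructed sample in the layout of /var/log/lynis-report.dat: plain
# key=value lines, "key[]=" for repeated entries, "#" for comments.
# Warning/suggestion entries are pipe-separated: TEST-ID|text|details|solution|
SAMPLE_REPORT = """\
# Lynis Report
report_version_major=1
hostname=edge-node-01
os=Linux
hardening_index=62
tests_executed=ACCT-9622|AUTH-9228|SSH-7408|
warning[]=AUTH-9228|Found zero-length UID for user account|-|-|
warning[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
suggestion[]=BOOT-5264|Consider hardening system services|Run systemd-analyze security|-|
"""

def parse_lynis_report(text):
    """Parse a lynis-report.dat body into a dict; "key[]" keys become lists."""
    report = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.endswith("[]"):
            report[key[:-2]].append(value)
        else:
            report[key] = value
    return dict(report)

def split_finding(entry):
    """Split 'TEST-ID|text|details|solution|' into a dict (missing fields -> '-')."""
    fields = entry.split("|")
    fields += ["-"] * (4 - len(fields))
    return {"id": fields[0], "text": fields[1], "details": fields[2], "solution": fields[3]}

def evaluate(text, min_index=70, max_warnings=0):
    """Return a verdict dict; thresholds are assumed values, tune them per baseline."""
    report = parse_lynis_report(text)
    index = int(report.get("hardening_index", 0))
    warnings = [split_finding(w) for w in report.get("warning", [])]
    suggestions = [split_finding(s) for s in report.get("suggestion", [])]
    passed = index >= min_index and len(warnings) <= max_warnings
    return {"host": report.get("hostname"), "hardening_index": index,
            "warnings": warnings, "suggestions": suggestions, "passed": passed}

if __name__ == "__main__":
    verdict = evaluate(SAMPLE_REPORT)
    print(f"{verdict['host']}: index={verdict['hardening_index']} passed={verdict['passed']}")
    for w in verdict["warnings"]:
        print(f"  WARNING {w['id']}: {w['text']} ({w['details']})")
```

Replace SAMPLE_REPORT with the contents of /var/log/lynis-report.dat read from the SUT to use it against a real audit.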