SonarCloud

Procedure to set up projects for SonarCloud scan can be found from the links below

Java Code

https://gerrit.akraino.org/r/gitweb?p=ci-management.git;a=blob;f=jjb/camunda_workflow/camunda_workflow.yaml;h=0be9fa76d0b0101402a69fd5b2e394dbb722257e;hb=HEAD

https://docs.releng.linuxfoundation.org/projects/global-jjb/en/latest/jjb/lf-maven-jobs.html#lf-infra-maven-sonarcloud

Non-Java Code

How to: Set up Sonarcloud scans for non-Java projects

Scan Result

SonarQube scan results can be accessed from https://sonarcloud.io/organizations/akraino-edge-stack/projects. You should be able to log in with your LFID credentials, the same as you would use for Gerrit or Jenkins.

Bug Severity in SonarQube and mapping to Akraino security requirements

SonarQube	Akraino
Blocker	Critical
Critical	Important
Major	Important
Minor	Moderate
Info	Low

Vuls

Vuls will be integrated with Validation Framework (Bluval User Guide)

Below are the list of tasks for the integration.

Installation

Install Vuls containers (https://vuls.io/docs/en/install-with-docker.html). Vuls containers can be found at: https://hub.docker.com/u/vuls/

Install go-cve-dictionary, run "docker pull vuls/go-cve-dictionary"
Install goval-dictionary, run "docker pull vuls/goval-dictionary"
Install gost, run "docker pull vuls/gost"
Install vuls, run "docker pull vuls/vuls"

Set up and run

Detailed instruction can be found at https://vuls.io/docs/en/tutorial-docker.html

Prepare log dir

$ cd /path/to/working/dir

$ mkdir go-cve-dictionary-log goval-dictionary-log gost-log

Fetch NVD

$ for i in `seq 2002 $(date +"%Y")`; do \ docker run --rm -it \ -v $PWD:/vuls \ -v $PWD/go-cve-dictionary-log:/var/log/vuls \ vuls/go-cve-dictionary fetchnvd -years $i; \ done

Fetch OVAL

$ docker run --rm -it \ -v $PWD:/vuls \ -v $PWD/goval-dictionary-log:/var/log/vuls \ vuls/goval-dictionary fetch-redhat 5 6 7

Fetch gost

$ docker run --rm -i \ -v $PWD:/vuls \ -v $PWD/goval-log:/var/log/gost \ vuls/gost fetch redhat

Config the SUT, configuration will be stored in config.toml
- SSH key generation & distribution: As Vuls connects to target server through SSH, and Vuls has to use SSH key-based authentication. There needs to be a way to generate SSH key pair, save the private key for Vuls container and dispatch the public key to target server. We probably don’t want to store the private key with the container image if the container image is public accessible.

[servers]

[servers.c74]

host = "54.249.93.16"

port = "22"

user = "vuls-user"

keyPath = "/root/.ssh/id_rsa" # path to ssh private key in docker

Start Vuls container to run tests
- $ docker run --rm -it \ -v ~/.ssh:/root/.ssh:ro \ -v $PWD:/vuls \ -v $PWD/vuls-log:/var/log/vuls \ -v /etc/localtime:/etc/localtime:ro \ -e "TZ=Asia/Tokyo" \ vuls/vuls scan \ -config=./config.toml
Write Bluval configuration file for security tests
Push test results to LF Nexus
- Todo: How to tell test success or fail
- Todo: Sample Test result
Show test results in Bluval UI

Lynis

Lynis requires to run on SUT (System Under Test). The overall test framework will the similar to that of Vuls. As to the Lynis installation, there are two options:

Lynis is pre-installed on SUT by project team.
Lynis is to be installed as part of test flow from Validation Framework.

Considering the complexity of installing application on target system, it is recommended that option 1 is to be used.

For more information about Lynis, please check the link below:

https://cisofy.com/documentation/lynis/get-started/

Install

yum install lynis

Run

lynis audit system

Report

After running, detailed test logs are stored in /var/log/lynis.log, information for each test includes:

Time of an action/event
Reason(s) why a test failed or was skipped
Output of (internal) tests
Suggestions about configuration options or how to fix/improve things
Threat/impact score

In addition to log file, Lynis also creates a report and stores it in /var/log/lynis-report.dat. The report file contains the following information:

Remarks = #<remark>
Section = [<section name>]
Option/value = <option name>=<value of option>

Jira tickets tracking integration with Bluval:

https://jira.akraino.org/secure/RapidBoard.jspa?rapidView=5&projectKey=VAL&view=detail&selectedIssue=VAL-79

https://jira.akraino.org/secure/RapidBoard.jspa?rapidView=5&projectKey=VAL&view=detail&selectedIssue=VAL-80