Use Lucent Sky AVM with Azure Classic Pipelines

2024/1/18

This article describes how to integrate Lucent Sky AVM with Azure Classic Pipelines. By integrating Lucent Sky AVM with an application's continuous integration pipelines, developers can ensure that only code changes meeting the security standards are committed or deployed.

The Lucent Sky AVM CLI commands used in this article favor simplicity over scalability. For example, asynchronous methods such as BeginAnalyze might be more suitable than their synchronous counterparts when working with a large application. To learn about more advanced functionalities of the CLI, view the following article in the Lucent Sky Knowledge Base:
Lucent Sky AVM CLI reference

In this article, you will learn how to:

  • Prepare Lucent Sky AVM CLI for use in Azure Classic Pipelines.
  • Start a scan in Azure Classic Pipelines.
  • Download and evaluate a scan report in Azure Classic Pipelines.
  • Download the remediated source code and merge it to the repository.

At the end, you will be able to use Lucent Sky AVM in Azure Pipelines to start a scan, download and evaluate reports, and work with remediated source code.

Prepare Lucent Sky AVM CLI for use in Azure Pipelines

Lucent Sky AVM CLI needs to be present on the Azure Pipelines agent before it can be used. How the CLI gets there depends on each organization's requirements: on a Microsoft-hosted agent it must be downloaded in every run, while on a self-hosted agent it might already be installed. The steps below download it in the pipeline.

  1. Navigate to the Pipelines > Pipelines section of the Azure DevOps project and edit the pipeline with Azure Pipeline designer. Create a secret variable named ApiKey with the value of an API key to the Lucent Sky AVM server.

  2. In Azure Pipeline designer, add a new variable named ApplicationId with the value of the project's application ID in the variables section.

  3. In Azure Pipeline designer, navigate to the Tasks tab and locate an appropriate location to download the CLI, such as after the application build is completed.

  4. Add a PowerShell task to the pipeline to download the CLI setup file to $(System.DefaultWorkingDirectory)/tools/clear-cli.zip and extract its content to $(System.DefaultWorkingDirectory)/tools/clear-cli. Configure the task as follows:

    • Display name: Download CLI
    • Type: Inline
    • Script:

      New-Item -ItemType Directory -Path '$(System.DefaultWorkingDirectory)/tools' -Force | Out-Null
      Invoke-WebRequest -Uri 'https://lsky.co/clearcli' -OutFile '$(System.DefaultWorkingDirectory)/tools/clear-cli.zip'
      Expand-Archive -Path '$(System.DefaultWorkingDirectory)/tools/clear-cli.zip' -DestinationPath '$(System.DefaultWorkingDirectory)/tools/clear-cli'
      Remove-Item '$(System.DefaultWorkingDirectory)/tools/clear-cli.zip'

    The URL https://lsky.co/clearcli always points to the latest Lucent Sky AVM CLI. To pin the CLI to a specific version, append a hyphen and the version number to the URL, for example https://lsky.co/clearcli-2309. Pinning is recommended for a pipeline, so that a CLI release does not change the behavior of the security gate without a deliberate update.

  5. Add a PowerShell task after the previous task to configure the CLI to use a remote CLEAR Engine host at clear.contoso.com. Configure the task as follows:

    • Display name: Configure CLI
    • Type: Inline
    • Advanced > Working Directory: $(System.DefaultWorkingDirectory)/tools/clear-cli
    • Script:

        ./SkyAnalyzer.Interface.Console.exe --Interface config --Method set --Value "endpoint = clear.contoso.com:5759"
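
The Download CLI and Configure CLI tasks above fetch whatever https://lsky.co/clearcli currently resolves to and run it without any integrity check. The following script is an added example, not code from this article or from Lucent Sky: it combines the two tasks into one, pins the CLI to a version and refuses to extract an archive whose SHA-256 does not match the approved release. CliVersion and CliSha256 are assumed pipeline variables that you define when you approve a CLI release; CliSha256 should be a regular (non-secret) variable so a mismatch is readable in the log.

```powershell
# Added example, not code from the article or from Lucent Sky: the Download CLI and
# Configure CLI tasks as one task that pins the CLI version and verifies the archive.
# Assumptions: CliVersion (e.g. 2309) and CliSha256 (the SHA-256 of that release's
# zip, recorded when the release was approved) are pipeline variables you define.
$toolsDir = "$(System.DefaultWorkingDirectory)/tools"
$zipPath  = "$toolsDir/clear-cli.zip"
$cliDir   = "$toolsDir/clear-cli"
New-Item -ItemType Directory -Path $toolsDir -Force | Out-Null

# Pinned download, as described above: https://lsky.co/clearcli-<version>.
Invoke-WebRequest -Uri "https://lsky.co/clearcli-$(CliVersion)" -OutFile $zipPath

# Refuse to extract an archive whose hash differs from the approved release.
# Get-FileHash returns upper-case hex; -ne compares case-insensitively.
$actual = (Get-FileHash -Path $zipPath -Algorithm SHA256).Hash
if ($actual -ne '$(CliSha256)') {
    Remove-Item $zipPath
    throw "CLI archive hash mismatch: expected $(CliSha256), got $actual"
}

Expand-Archive -Path $zipPath -DestinationPath $cliDir -Force
Remove-Item $zipPath

# Same endpoint configuration as the Configure CLI task.
Push-Location $cliDir
try {
    ./SkyAnalyzer.Interface.Console.exe --Interface config --Method set --Value "endpoint = clear.contoso.com:5759"
} finally {
    Pop-Location
}
```

Use this script as the inline script of a single PowerShell task in place of the Download CLI and Configure CLI tasks. When you move to a newer CLI release, update CliVersion and CliSha256 together; a build that runs with a stale hash fails at the download step instead of silently running an unverified binary.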
      

Start a scan in Azure Pipelines

  1. In Azure Pipeline designer, navigate to the Tasks tab and locate an appropriate location to start the scan, such as after the build artifacts are available.

  2. Add a PowerShell task to generate a random scan ID. Configure the task as follows:

    • Display name: Generate scan ID
    • Type: Inline
    • Script:

        $scanId = New-Guid
        echo "##vso[task.setvariable variable=ScanId]$scanId"
      
  3. Add a PowerShell task after the previous task to create a scan under the application on Lucent Sky AVM server, and upload the build artifact for analysis. Configure the task as follows:

    • Display name: Create and start scan
    • Type: Inline
    • Advanced > Working Directory: $(System.DefaultWorkingDirectory)/tools/clear-cli
    • Script:

        ./SkyAnalyzer.Interface.Console.exe --Key $(ApiKey) --Interface Scan --Method Create --ApplicationId $(ApplicationId) --ScanId $(ScanId)
        ./SkyAnalyzer.Interface.Console.exe --Key $(ApiKey) --Interface Scan --Method Analyze --ScanId $(ScanId) --SourceCodePath '$(Build.SourcesDirectory)/target/ContosoWeb.war'
      
  4. Add a PowerShell task after the previous task to check the scan result code and fail the task if the scan did not complete successfully. The CLI prints the result code as text, so cast it to an integer before comparing it; otherwise PowerShell performs a string comparison. Writing to standard error only fails the task when Fail on Standard Error is enabled. Configure the task as follows:

    • Display name: Get scan result
    • Type: Inline
    • Advanced > Working Directory: $(System.DefaultWorkingDirectory)/tools/clear-cli
    • Advanced > Fail on Standard Error: true
    • Script:

        $scanResult = [int](./SkyAnalyzer.Interface.Console.exe --Key $(ApiKey) --Interface Scan --Method GetResult --ScanId $(ScanId))
        if ($scanResult -lt 0) { [Console]::Error.WriteLine("Scan failed ($scanResult)") }
      

Download and evaluate a scan report in Azure Pipelines

  1. In Azure Pipeline designer, navigate to the Tasks tab and locate an appropriate location to evaluate the scan report, such as after the scan is completed.

  2. Add a PowerShell task to generate and download the XML report of the scan. Configure the task as follows:

    • Display name: Download XML report
    • Type: Inline
    • Advanced > Working Directory: $(System.DefaultWorkingDirectory)/tools/clear-cli
    • Script:

        ./SkyAnalyzer.Interface.Console.exe --Key $(ApiKey) --Interface Scan --Method Report --ScanId $(ScanId) --ReportPath "$(System.DefaultWorkingDirectory)/ScanResults/Xml-Report.zip" --ReportFormat xml
      
  3. Add an Extract files task after the previous task to extract the XML report. Configure the task as follows:

    • Display name: Extract XML report
    • Archive file patterns: $(System.DefaultWorkingDirectory)/ScanResults/Xml-Report.zip
    • Destination folder: $(System.DefaultWorkingDirectory)/ScanResults
    • Clean destination folder before extracting: false
  4. Add a PowerShell task after the previous task to query the XML report and count the vulnerabilities with a priority score of 2 or higher (a PRIORITY value of 2 or less in the report; the query treats lower values as more urgent). The count is stored in the ResultCount pipeline variable, which the conditions on the remaining tasks use. Configure the task as follows:

    • Display name: Query XML report
    • Type: Inline
    • Advanced > Working Directory: $(System.DefaultWorkingDirectory)/tools/clear-cli
    • Script:

        $resultCount = ./SkyAnalyzer.Interface.Console.exe --Interface Query --Method Execute --QueryDataSource "$(System.DefaultWorkingDirectory)/ScanResults/Report.xml" --QueryStatement "SELECT COUNT(ID) FROM Results WHERE PRIORITY <= 2"
        echo "##vso[task.setvariable variable=ResultCount]$resultCount"
      
  5. Add a Publish Pipeline Artifacts task after the previous task to publish the build artifact as a pipeline artifact named war when no vulnerability with a priority score of 2 or higher was found. Configure the task as follows:

    • Display name: Publish build artifact as pipeline artifact
    • File or directory path: $(Build.SourcesDirectory)/target/ContosoWeb.war
    • Artifact name: war
    • Artifact publish location: Azure Pipelines
    • Control Options > Run this task: Custom conditions
    • Control Options > Custom condition: eq(variables['ResultCount'], '0')
  6. Add a PowerShell task after the previous task to generate and download the HTML report when at least one vulnerability with a priority score of 2 or higher was found. Configure the task as follows:

    • Display name: Download HTML report
    • Type: Inline
    • Advanced > Working Directory: $(System.DefaultWorkingDirectory)/tools/clear-cli
    • Control Options > Run this task: Custom conditions
    • Control Options > Custom condition: ne(variables['ResultCount'], '0')
    • Script:

        ./SkyAnalyzer.Interface.Console.exe --Key $(ApiKey) --Interface Scan --Method Report --ScanId $(ScanId) --ReportPath "$(System.DefaultWorkingDirectory)/ScanResults/Html-Report.zip" --ReportFormat html
      
  7. Add an Extract files task after the previous task to extract the HTML report. Configure the task as follows:

    • Display name: Extract HTML report
    • Archive file patterns: $(System.DefaultWorkingDirectory)/ScanResults/Html-Report.zip
    • Destination folder: $(System.DefaultWorkingDirectory)/ScanResults
    • Clean destination folder before extracting: false
    • Control Options > Run this task: Custom conditions
    • Control Options > Custom condition: ne(variables['ResultCount'], '0')
  8. Add a Publish Pipeline Artifacts task after the previous task to publish the HTML report as a pipeline artifact named report when at least one vulnerability with a priority score of 2 or higher was found. Configure the task as follows:

    • Display name: Publish HTML report as pipeline artifact
    • File or directory path: $(System.DefaultWorkingDirectory)/ScanResults/Report.html
    • Artifact name: report
    • Artifact publish location: Azure Pipelines
    • Control Options > Run this task: Custom conditions
    • Control Options > Custom condition: ne(variables['ResultCount'], '0')
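
The scan and report-evaluation steps above, from Generate scan ID through Query XML report, can also run as one PowerShell task. The script below is an added example and is not code from this article or from Lucent Sky. It assumes the CLI is already in tools/clear-cli as set up by the Download CLI task, that the ApiKey and ApplicationId variables exist, and that the CLI returns a non-zero exit code when a command fails (if it does not, the exit-code check is never triggered and the result-code and count checks still apply). The $maxPriority variable is a hypothetical addition standing in for the fixed value 2 the article uses. Unlike the separate tasks, this version fails closed: a failed CLI call, a scan with a negative result code, or a query result that is not an integer stops the job instead of leaving ResultCount empty.

```powershell
# Added example, not code from the article or from Lucent Sky: the Generate scan ID,
# Create and start scan, Get scan result, Download XML report, Extract XML report and
# Query XML report steps as one task that fails closed.
# Assumptions: the CLI is in tools/clear-cli (Download CLI task), ApiKey and
# ApplicationId are pipeline variables, and a non-zero CLI exit code means failure.
Set-Location "$(System.DefaultWorkingDirectory)/tools/clear-cli"
$resultsDir = "$(System.DefaultWorkingDirectory)/ScanResults"
New-Item -ItemType Directory -Path $resultsDir -Force | Out-Null

# Run the CLI and return its trimmed standard output; stop on a non-zero exit code.
function Invoke-Cli {
    param([string[]]$CliArgs)
    $out = & ./SkyAnalyzer.Interface.Console.exe @CliArgs
    if ($LASTEXITCODE -ne 0) { throw "CLI exited with code $LASTEXITCODE for: $($CliArgs -join ' ')" }
    return ($out | Out-String).Trim()
}

# Parse CLI output as an integer, or stop: an unparseable value must not pass the gate.
function ConvertTo-IntOrFail {
    param([string]$Text, [string]$What)
    $value = 0
    if (-not [int]::TryParse($Text, [ref]$value)) { throw "$What returned '$Text', expected an integer" }
    return $value
}

$scanId = [guid]::NewGuid().ToString()
Write-Host "##vso[task.setvariable variable=ScanId]$scanId"

$auth = @('--Key', '$(ApiKey)')
Invoke-Cli ($auth + @('--Interface', 'Scan', '--Method', 'Create', '--ApplicationId', '$(ApplicationId)', '--ScanId', $scanId)) | Out-Null
Invoke-Cli ($auth + @('--Interface', 'Scan', '--Method', 'Analyze', '--ScanId', $scanId,
                     '--SourceCodePath', '$(Build.SourcesDirectory)/target/ContosoWeb.war')) | Out-Null

# GetResult prints the scan result code; a negative code means the scan failed.
$scanResult = ConvertTo-IntOrFail (Invoke-Cli ($auth + @('--Interface', 'Scan', '--Method', 'GetResult', '--ScanId', $scanId))) 'GetResult'
if ($scanResult -lt 0) { throw "Scan $scanId failed with result code $scanResult" }

# Download and extract the XML report, then count findings at or above the threshold.
# The article's query uses PRIORITY <= 2; $maxPriority is a hypothetical variable for that value.
Invoke-Cli ($auth + @('--Interface', 'Scan', '--Method', 'Report', '--ScanId', $scanId,
                     '--ReportPath', "$resultsDir/Xml-Report.zip", '--ReportFormat', 'xml')) | Out-Null
Expand-Archive -Path "$resultsDir/Xml-Report.zip" -DestinationPath $resultsDir -Force

$maxPriority = 2
$countText = Invoke-Cli @('--Interface', 'Query', '--Method', 'Execute',
                          '--QueryDataSource', "$resultsDir/Report.xml",
                          '--QueryStatement', "SELECT COUNT(ID) FROM Results WHERE PRIORITY <= $maxPriority")
$resultCount = ConvertTo-IntOrFail $countText 'Query'

# ResultCount drives the conditions on the publish and HTML report tasks that follow.
Write-Host "##vso[task.setvariable variable=ResultCount]$resultCount"
if ($resultCount -gt 0) {
    Write-Host "##vso[task.logissue type=warning]$resultCount finding(s) with priority $maxPriority or higher; see the HTML report artifact."
}
```

The tasks that publish the build artifact, download the HTML report and fail the pipeline keep their ResultCount conditions unchanged; only the tasks this script replaces are removed. Because ScanId is still set with ##vso, the Download HTML report and Download remediated source code tasks that reference $(ScanId) continue to work.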

Download the remediated source code and merge it back to the repository

  1. In Azure Pipeline designer, navigate to the Tasks tab and locate an appropriate location to work with the remediated source code, such as after the pipeline failed security policy evaluation.

  2. Add a PowerShell task to the pipeline to generate and download the remediated source code when at least one vulnerability with a priority score of 2 or higher was found. Configure the task as follows:

    • Display name: Download remediated source code
    • Type: Inline
    • Advanced > Working Directory: $(System.DefaultWorkingDirectory)/tools/clear-cli
    • Control Options > Run this task: Custom conditions
    • Control Options > Custom condition: ne(variables['ResultCount'], '0')
    • Script:

        ./SkyAnalyzer.Interface.Console.exe --Key $(ApiKey) --Interface Scan --Method Remediate --ScanId $(ScanId) --RemediatedSourceCodePath "$(System.DefaultWorkingDirectory)/ScanResults/RemediatedSource.zip" --RemediationOption 0
      
  3. Add an Extract files task after the previous task to extract the remediated source code over the original source code when at least one vulnerability with a priority score of 2 or higher was found. Configure the task as follows:

    • Display name: Extract remediated source code
    • Archive file patterns $(System.DefaultWorkingDirectory)/ScanResults/RemediatedSource.zip
    • Destination folder $(Build.SourcesDirectory)
    • Clean destination folder before extracting: false
    • Control Options > Run this task: Custom conditions
    • Control Options > Custom condition: ne(variables['ResultCount'], '0')
  4. Add the tasks your team uses to merge the remediated source code into the repository when at least one vulnerability with a priority score of 2 or higher was found. Committing the remediated files to a separate branch and opening a pull request is preferable to pushing them directly to the branch that was built, so that the automated changes are reviewed before they reach the mainline.

  5. Add a PowerShell task to the pipeline to fail the pipeline when at least one vulnerability with a priority score of 2 or higher was found. Configure the task as follows:

    • Display name: Fail pipeline
    • Type: Inline
    • Advanced > Fail on Standard Error: true
    • Control Options > Run this task: Custom conditions
    • Control Options > Custom condition: ne(variables['ResultCount'], '0')
    • Script:

        [Console]::Error.WriteLine('This build did not pass the scan criteria.')
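
One way to carry out step 4 above, committing the extracted remediated source to a new branch and pushing it for review. This is an added example, not code from this article or from Lucent Sky. It assumes an Azure Repos Git repository, that "Allow scripts to access the OAuth token" is enabled on the agent job so $(System.AccessToken) is available to the script, that the project's build service identity has Contribute permission on the repository, and that build outputs such as target/ are covered by .gitignore so they are not committed along with the remediated files. The branch naming scheme and the committer identity are hypothetical choices. The task should carry the same ne(variables['ResultCount'], '0') condition as the other tasks in this section and run before the Fail pipeline task.

```powershell
# Added example, not code from the article or from Lucent Sky, for step 4 above:
# commit the extracted remediated source to a new branch and push it for review,
# rather than merging automated changes straight into the branch that was built.
# Assumptions: Azure Repos Git; "Allow scripts to access the OAuth token" is enabled
# on the agent job so $(System.AccessToken) is available; the build service identity
# has Contribute permission on the repository; build outputs such as target/ are
# covered by .gitignore. The branch name format and committer identity are hypothetical.
Set-Location '$(Build.SourcesDirectory)'

$branch = "avm-remediation/$(Build.SourceBranchName)/$(Build.BuildId)"

git config user.email 'avm-pipeline@contoso.com'
git config user.name  'Lucent Sky AVM pipeline'
git checkout -b $branch
if ($LASTEXITCODE -ne 0) { throw "git checkout -b $branch failed" }

# Stage the remediated files; if the archive left the tree unchanged there is nothing to push.
git add --all
if (-not (git status --porcelain)) {
    Write-Host 'Remediated source is identical to the checked-out source; nothing to commit.'
    return
}

git commit -m "Apply Lucent Sky AVM remediation for scan $(ScanId)"
if ($LASTEXITCODE -ne 0) { throw 'git commit failed' }

# Authenticate the push with the job's access token instead of a stored credential;
# the token is scoped to this job and expires when the job ends.
git -c http.extraheader="AUTHORIZATION: bearer $(System.AccessToken)" push origin $branch
if ($LASTEXITCODE -ne 0) { throw "git push to $branch failed" }

Write-Host "Pushed remediated source to $branch. Open a pull request to review and merge it."
```

If the repository has branch policies, the pull request is where they apply; the pipeline itself never writes to the protected branch. The Fail pipeline task that follows still fails the build, so the original commit is not deployed while the remediation is under review.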