A lot of customers ask about running SourceClear from within a Docker container on their build node. Here is how to do it. Customize this to suit your exact needs. Throughout the blog I assume that you've got a project named myproject.
The steps are:
- Build an Ubuntu-based Docker image that contains your project's source code
- Run that image; the container downloads and installs the latest SourceClear agent
- Let the agent scan the project folder inside the container
Required Files
Add the following two files to the root of your project:
Dockerfile
# Latest Ubuntu (unpinned; pin a tag such as ubuntu:22.04 if you want reproducible scans)
FROM ubuntu
# curl is required for grabbing the latest SourceClear agent. Update and install
# in one layer so the package index is never stale relative to the install.
RUN apt-get update && apt-get install -y curl
# Copy the build context (the whole project folder, .git and any local config
# files included) into /src. ADD copies at build time; nothing is mounted.
ADD . /src
srcclr.sh
This is just a simple script that keeps the command line tidy when you run the container. Note that it pipes a script fetched over HTTPS straight into sh, running as root inside the container: you are trusting the download host and the TLS connection, so run it on a build node you would trust with that anyway.
#!/bin/bash
set -e
cd /src && curl -sSL https://download.sourceclear.com/ci.sh | sh
Make sure it's executable:
chmod 755 srcclr.sh
Setting up the environment
The Agent API Token
Create a new agent (the Jenkins type works) in your SourceClear organization, generate its API token and export it as an environment variable:
export SRCCLR_API_TOKEN=<insert token here>
This is passed to the Docker container at run time. Do not put it in the Dockerfile with ENV or ARG: it would be baked into the image layers and readable by anyone who can pull the image.
Build the image
Building the Docker image does several things:
- Downloads the base Docker image (Ubuntu)
- Installs curl
- Copies the project folder into /src in the image
Now build the container (from the root of the project):
docker build . -t srcclr_scan_myproject
Execute the containerized scan
docker run -e SRCCLR_API_TOKEN srcclr_scan_myproject /src/srcclr.sh
This does several things:
- -e SRCCLR_API_TOKEN injects the environment variable, along with its value from your shell, into the running container. This supplies the SourceClear agent with the required API token.
- srcclr_scan_myproject tells Docker to use the image we just built (which contains the latest source of myproject).
- /src/srcclr.sh runs the scan script we created locally, which now resides in /src along with the project's source.
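Putting the pieces together with the hardening a practitioner would want: the script below is an added example, not part of the original post and not SourceClear's own tooling. It writes a pinned, non-root Dockerfile and the scan script, builds the image once, and bind-mounts the checkout read-only at scan time, passing the token only at run time, so the image carries neither source nor secret. The image name, the ubuntu:22.04 tag, the scanner user and the srcclr-docker directory are my choices, and it assumes the agent installer runs as a non-root user.

```shell
#!/bin/sh
# bootstrap_scan.sh: a hardened variant of the Dockerfile / srcclr.sh /
# docker run sequence above. This is an added example, not SourceClear's own
# tooling. Assumptions (mine): the agent installer runs fine as a non-root
# user, and the image name, tag and directory names are illustrative.
set -eu

IMAGE="${IMAGE:-srcclr_scan_myproject}"
BUILD_DIR="${BUILD_DIR:-$PWD/srcclr-docker}"

# Fail fast with a clear message instead of letting the agent fail late.
require_token() {
  if [ -z "${SRCCLR_API_TOKEN:-}" ]; then
    echo "SRCCLR_API_TOKEN is not set; export it before running the scan" >&2
    return 1
  fi
}

# Write the build context into $1. Differences from the post's Dockerfile:
# pinned base image, a single apt layer, a non-root user, and no ADD of the
# project tree (the source is bind-mounted at scan time instead). The token
# is never put in ENV or ARG, which would persist it in the image layers.
write_build_files() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/Dockerfile" <<'EOF'
FROM ubuntu:22.04
RUN apt-get update \
    && apt-get install -y --no-install-recommends curl ca-certificates \
    && rm -rf /var/lib/apt/lists/*
RUN useradd --create-home --shell /bin/bash scanner
COPY srcclr.sh /usr/local/bin/srcclr.sh
USER scanner
WORKDIR /src
ENTRYPOINT ["/usr/local/bin/srcclr.sh"]
EOF
  # Download the installer to a file, then run it, so the script can be
  # inspected or archived with the build log instead of going curl | sh.
  cat > "$dir/srcclr.sh" <<'EOF'
#!/bin/sh
set -eu
cd /src
curl -fsSL https://download.sourceclear.com/ci.sh -o /tmp/ci.sh
sh /tmp/ci.sh
EOF
  chmod 755 "$dir/srcclr.sh"
}

# Build the image once, then scan the current checkout. The source is mounted
# read-only and the token is passed only at run time, so the image carries
# neither; --rm discards the container (and the downloaded agent) afterwards.
main() {
  require_token
  write_build_files "$BUILD_DIR"
  docker build -t "$IMAGE" "$BUILD_DIR"
  docker run --rm -e SRCCLR_API_TOKEN -v "$PWD:/src:ro" "$IMAGE"
}

# Only build and scan when invoked as: ./bootstrap_scan.sh run
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it as `./bootstrap_scan.sh run` from the project root. Drop `:ro` on the mount if a package-manager scanner needs to write build artifacts into the tree, and rebuild the image only when the Dockerfile or scan script changes; the source no longer needs to be baked in for every scan.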
If you've set everything up correctly, you should see output like:
$ docker run -e SRCCLR_API_TOKEN srcclr_scan_myproject /src/srcclr.sh
SourceClear scanning engine ready
Running the Gem scanner
Scanning completed
Found 0 lines of code
Matching libraries against the SourceClear Registry...
Matching complete
Summary Report
Scan ID 7295d188-2073-449a-9068-90ac6c08f44f
Scan Date & Time Oct 04 2017 08:49PM UTC
Account type ENTERPRISE
Scan engine 2.10.37 (latest 2.10.37)
Analysis time 5 seconds
User root
Project /src
Package Manager(s) Gem
Open-Source Libraries
Total Libraries 168
Direct Libraries 57
Transitive Libraries 120
Vulnerable Libraries 2
Third Party Code 100%
Security
With Vulnerable Methods 0
High Risk Vulnerabilities 1
Medium Risk Vulnerabilities 5
Low Risk Vulnerabilities 0
Vulnerabilities - Public Data
CVE-2015-5147 High Risk Denial Of Service (DoS) And Stack-based Buffer Overflow redcarpet 3.2.3
Vulnerabilities - Premium Data
NO-CVE Medium Risk Heap-based Buffer Overflow Through Embedded C Dependency nokogiri 1.8.0
NO-CVE Medium Risk Denial Of Service (DoS) Through Memory Consumption nokogiri 1.8.0
NO-CVE Medium Risk Copy-Paste Vulnerability (CPV) Through Libxml2 nokogiri 1.8.0
NO-CVE Medium Risk Copy-Paste Vulnerability (CPV) Through Libxml2 nokogiri 1.8.0
NO-CVE Medium Risk Multiple Stack Overflows Through Embedded C Dependency nokogiri 1.8.0
Licenses
Unique Library Licenses 8
Libraries Using GPL 2
Libraries With No License 14
Full Report Details https://myorg.sourceclear.io/teams/855C9Z5/scans/2489804