[Ramki] Update support for Dependency Track 4.0

Signed-off-by: Ramakrishnan Kandasamy <[email protected]>

Author: rmkanda

DEPENDENCY_TRACK.md

@@ -0,0 +1,56 @@
+# Installation Steps for Dependency Track
+
+- Setup helm repo
+
+  ```s
+  helm repo add evryfs-oss https://evryfs.github.io/helm-charts/
+
+  helm repo update
+  ```
+
+- Create a file with below contents - values.yaml
+
+  ```yaml
+  ingress:
+  enabled: true
+  tls:
+    enabled: false
+    secretName: ""
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    ## allow large bom.xml uploads:
+    nginx.ingress.kubernetes.io/proxy-body-size: 10m
+  host: minikube.local
+  ```
+
+- Install Dependendency Track helm chart with custom values.yaml
+
+  ```s
+  kubectl create ns dependency-track
+
+  helm upgrade dependency-track evryfs-oss/dependency-track --namespace dependency-track -f ./values.yaml
+  ```
+
+- Run command `minikube ip`
+  ```s
+  $ minikube ip
+  192.168.64.40
+  $
+  ```
+- Add a entry for in /etc/hosts file for the ip and ingress host name
+
+  ```s
+  sudo vi /etc/hosts
+  #Add the below line
+  192.168.64.40 minikube.local
+  ```
+
+  Note: Replace the ip with the actual minikube ip from above step.
+
+- Access Dependency track with below name.
+
+```s
+open http://minikube.local
+```
+
+Note: The default password for dependency track is admin/admin

Jenkinsfile

@@ -55,6 +55,7 @@ pipeline {
           post {
             always {
               archiveArtifacts allowEmptyArchive: true, artifacts: 'target/dependency-check-report.html', fingerprint: true, onlyIfSuccessful: true
+              // dependencyCheckPublisher pattern: 'report.xml'
             }
           }
         }
@@ -91,7 +92,7 @@ pipeline {
           }
           post {
             success {
-              dependencyTrackPublisher artifact: 'target/bom.xml', projectId: '9110e2e4-bc2e-47b7-9967-ade239b0edf5', synchronous: false
+              dependencyTrackPublisher projectName: 'sample-spring-app', projectVersion: '0.0.1', artifact: 'target/bom.xml', autoCreateProjects: true, synchronous: true
               archiveArtifacts allowEmptyArchive: true, artifacts: 'target/bom.xml', fingerprint: true, onlyIfSuccessful: true
             }
           }
@@ -100,7 +101,7 @@ pipeline {
     }
     stage('Package') {
       steps {
-        container('docker-cmds') {
+        container('docker-tools') {
           sh 'ls -al'
           sh 'docker build . -t sample-app'
         }
@@ -110,30 +111,22 @@ pipeline {
       parallel {
         stage('Image Scan') {
           steps {
-            container('docker-cmds') {
-              sh '''#!/bin/sh
-                    apk add --update-cache --upgrade curl rpm
-                    export TRIVY_VERSION="0.8.0"
-                    echo $TRIVY_VERSION
-                    wget https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz
-                    tar zxvf trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz
-                    mv trivy /usr/local/bin
-                    trivy --cache-dir /tmp/trivycache/ sample-app:latest
-                  '''
+            container('docker-tools') {
+              sh 'grype sample-app:latest'
               }
           }
         }
         stage('Image Hardening') {
           steps {
-            container('dockle') {
+            container('docker-tools') {
               sh 'dockle sample-app:latest'
             }
           }
         }
         stage('K8s Hardening') {
           steps {
-            container('docker-cmds') {
-              sh 'docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin < pod.yaml'
+            container('docker-tools') {
+              sh 'kubesec scan pod.yaml'
             }
           }
         }
@@ -154,7 +147,7 @@ pipeline {
         }
         stage('DAST') {
           steps {
-            container('docker-cmds') {
+            container('docker-tools') {
               sh 'docker run -t owasp/zap2docker-stable zap-baseline.py -t https://www.zaproxy.org/ || exit 0'
             }
           }

README.md

@@ -4,26 +4,33 @@ Sample spring application with Jenkins pipeline script to demonstrate secure pip
 
 ## Pre Requesites
 
-- minikube v1.13.0 - [Refer here for installation](https://kubernetes.io/docs/tasks/tools/install-minikube/)
-- helm v3.3.1 - [Refer here for installation](https://helm.sh/docs/intro/install/)
+- minikube v1.18.1 - [Refer here for installation](https://kubernetes.io/docs/tasks/tools/install-minikube/)
+- helm v3.5.3 - [Refer here for installation](https://helm.sh/docs/intro/install/)
 
 ## Setup Setps
 
 ### Minikube setup
 
 - Setup minikube
   ```s
-  minikube start --nodes=1 --cpus=4 --memory 8192 --disk-size=35g --embed-certs=true
+  minikube start --nodes=1 --cpus=4 --memory 8192 --disk-size=35g --embed-certs=true --driver=hyperkit
   ```
 
 ### Jenkins setup
 
 - Stup Jenkins server
 
   ```s
-  helm repo add jenkinsci https://charts.jenkins.io
+  helm repo add jenkins https://charts.jenkins.io
   helm repo update
-  helm install jenkins jenkinsci/jenkins
+  helm install jenkins jenkins/jenkins
+  ```
+
+- Wait for the jenkins pod to start
+- Get admin user password of Jenkins
+
+  ```s
+    kubectl exec --namespace default -it svc/jenkins -c jenkins -- /bin/cat /run/secrets/chart-admin-password && echo
   ```
 
   **Note:** Make a note of the password
@@ -43,36 +50,17 @@ Sample spring application with Jenkins pipeline script to demonstrate secure pip
 
 ### Dependency Track setup
 
-- Setup Dependency Track server
-
-  ```s
-  helm repo add evryfs-oss https://evryfs.github.io/helm-charts/
-
-  helm repo update
-
-  kubectl create ns dependency-track
-
-  helm install dependency-track evryfs-oss/dependency-track --namespace dependency-track
-
-  kubectl port-forward svc/dependency-track 8081:80 -n dependency-track
-  open http://localhost:8081
-  ```
+- Refer [Dependency Track v4 Installation Guide](DEPENDENCY_TRACK.md)
 
   **Note:** dependency-track will take some time to start (~1hr on low end Mac)
 
 ### Link Jenkins and Dependency Track
 
-- Login to Dependency track -> Administration -> Access Management -> Teams -> Click on Automation -> Copy the API Keys
-
-- Login to Jenkins -> Manage Jenkins -> Configure System -> Scroll to bottom -> Configure the Dependency-Track URL and API key -> Save
-
-- Login to Dependency track -> Projects -> Create Project -> Fill Name and save -> Copy the UUID of the project from the URL
-
-- Update the UUID in the Jenkinsfile in the Depedency Track upload section
+- Login to Dependency track -> Administration -> Access Management -> Teams -> Click on Automation -> Copy the API Keys -> Also add the Permissions - PROJECT_CREATION_UPLOAD, POLICY_VIOLATION_ANALYSIS, VULNERABILITY_ANALYSIS
 
-Hint: URL (if you have followed the exact steps) http://dependency-track.dependency-track.svc.cluster.local
+- Login to Jenkins -> Manage Jenkins -> Configure System -> Scroll to bottom -> Configure the Dependency-Track URL and API key -> Also enable Auto Create Projects -> Test Connection -> Save
 
-**Note:** This UUID step is not required ideally, Projects will get created automatically - Looks like some open issue
+Hint: URL (if you have followed the exact steps) http://dependency-track-apiserver.dependency-track.svc.cluster.local
 
 ### New Jenkins Pipeline
 

build-agent.yaml

@@ -13,8 +13,8 @@ spec:
       volumeMounts:
         - name: m2
           mountPath: /root/.m2/
-    - name: docker-cmds
-      image: docker:stable-git
+    - name: docker-tools
+      image: rmkanda/docker-tools:latest
       command:
         - cat
       tty: true
@@ -33,14 +33,6 @@ spec:
       command:
         - cat
       tty: true
-    - name: dockle
-      image: rmkanda/dockle
-      command:
-        - cat
-      tty: true
-      volumeMounts:
-        - mountPath: /var/run
-          name: docker-sock
   volumes:
     - name: m2
       hostPath: