Below, we explain how to include Kiuwan in your builds if you use Microsoft TFS or Azure DevOps (formerly known as VSTS or Visual Studio Team Services).
If you use Microsoft TFS or Azure DevOps (formerly known as VSTS or Visual Studio Team Services) to build your application, you can use this extension to include Kiuwan analyses as part of your build definitions.
Disclaimer - Support
This section provides information about how to get, install, set up, and use the Kiuwan TFS Extension, and other relevant information.
Before installing the extension, make sure you have a Kiuwan account in our cloud service or an on-premise installation of the Kiuwan platform.
The included build tasks work on TFS Windows, Linux or MacOS agents and Azure DevOps private or hosted Windows, Linux, and MacOS agents.
If there are any issues with the KLA installation or you need to remove it to have a fresh install in the next task run, go to that directory and just delete the KiuwanLocalAnalyzer folder found there. For hosted agents (that are provisioned dynamically), the KLA is downloaded and installed every time a Kiuwan task runs.
Also, please review and keep in mind the Kiuwan Local Analyzer Installation Requirements.
Follow these steps to get the Kiuwan Extension for Azure DevOps:
You get a service endpoint type and two build tasks. Below, find more details:
To connect to the Kiuwan platform from TFS/Azure DevOps, define a new service endpoint to the Kiuwan platform by following these steps:
TFS 2015 Warning
This task runs a Kiuwan baseline analysis as part of your build definition. Choose the name of the application in Kiuwan you want to associate the results to, and select one of the three following options to use as the Kiuwan application name:
Use this option to identify your analysis in Kiuwan; the build number is automatically appended to the label you set here.
Check this option when the Insights product is available for your organization and you want Kiuwan Local Analyzer to run Insights analyses and upload their results.
Uncheck this option if you do not want to upload the lines of code where defects and/or vulnerabilities are found. Note that these lines of code are essential for the proper functioning of certain features, such as the inspection of differences in results between analyses. If you disable it, these features may not work properly.
Check this option if you want to use the functionality of the Kiuwan built-in code viewer, which allows you to see the full source code of your analyses.
To improve performance when running security analyses, you can skip code duplication detection, since it is not relevant to security analysis results.
If your project includes database code such as stored procedures for Oracle, SQL Server, or Informix, you have to select their type to analyze them.
You can set the following advanced settings to control the analysis:
After a successful run of a build definition with a Kiuwan baseline task, the results are immediately available in your Kiuwan account.
The results are automatically uploaded to your Kiuwan account in the cloud, where you can see them and browse through the security vulnerabilities and other relevant defects found in your applications.
You can also check the Kiuwan results directly in the Kiuwan tab of the TFS/Azure Job results:
To use this task you need to have the Life Cycle module in your Kiuwan account. It allows you to audit the deliveries of your application's change requests. The task runs a Kiuwan delivery analysis as part of your build definition. The results are automatically uploaded to your Kiuwan account and the defined audit is run, comparing the results with the latest existing application baseline. The OK or Not OK (OK/NOK) audit result is what the task returns. You can decide whether to fail the build step or not based on the audit result.
The Kiuwan service connection, the Kiuwan application name, the analysis label, the security analysis performance, the database analysis, and the advanced analysis settings behave the same as in the baseline analysis task described in the previous section. Below, you can find more information on the options specific to the delivery analysis:
This Change request name belongs to the change we are analyzing. View the change request as the project management object specifying the change requirements. The CR concept does not belong to the life cycle itself; it is a management concept.
By default, the placeholder is $(Build.SourceBranchName). In many projects, typically those that use Git as SCM, branch names are given according to the changes they contain.
By default, the delivery label is a combination of different Azure DevOps/TFS variables, considering the repository type and the build triggers. Check this option to specify your custom label.
Select if you want a complete delivery (all the code base including the changes) or a partial delivery (just the changes).
When this option is checked, the build task fails if the Kiuwan audit that runs automatically after the analysis fails. Uncheck this option if you want to run the analysis and the audit but do not want to break the build.
The Kiuwan change request status option allows you to tag the analysis as In progress when the changes have not been completed. Select Resolved when you consider that the changes have finished.
Remember that the overall result of the audit is returned by the task and you can conditionally break your build.
Once the task runs, you can immediately see the results in your Kiuwan account, including all the details of the audit and the defects and vulnerabilities that need to be fixed to pass it.
You can also check the Kiuwan results directly in the Kiuwan Audit tab of the TFS/Azure Job:
This section shows you the two options for setting the debug variable in Azure DevOps/TFS pipelines to get the debug information from the execution of the tasks.
To execute the pipelines manually, follow these steps:
To set the variable for every execution, follow these steps:
This section explains how to configure the TFS/Azure plugin when a proxy server is needed. Before this configuration, take into account the following requirements: you are using Azure DevOps in the cloud, the local agent installed to run the pipelines is on premises, and internet access goes through a proxy server.
When you are using a local agent to execute the Azure DevOps pipelines, you can see the agent from the Azure console listed under the Agent Pools screen; click the Default option:
The Default screen displays the Agents tab among others. You can review more information about the selected agent, like the Name, when it was Last run, the Current status, the Agent Version, and the switch to Enable or Disable it. This is a self-hosted agent running on a physical or virtual machine with Linux, Mac or Windows OS.
You can configure the agent by following the Run a self-hosted agent behind a web proxy guide. Download the agent into a local folder and then configure it. If you are using a proxy server, execute the configuration command with the parameters that set the proxy:
.\config.cmd --proxyurl 'http://${proxyhost}:${proxyport}' --proxyusername '${proxyusername}' --proxypassword '${proxypassword}'
Where the different placeholders are:
${proxyhost}: the Proxy host (e.g. proxy.kiuwan.com)
${proxyport}: the Proxy port (e.g. 3128)
${proxyusername}: your Proxy username for authentication
${proxypassword}: your Proxy password for authentication
As an example, here you can see a PowerShell window with the command and all the parameters:
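The following PowerShell script is an added example, not code from the Kiuwan page or from Microsoft's agent documentation. It wraps the same config.cmd invocation shown above so that the proxy password is prompted for at run time instead of being typed on the command line (where it would land in shell history), and it checks that the proxy port is reachable before the agent is configured. The agent folder (C:\agent), the username default, and the proxy host and port are assumptions or the page's own placeholders; replace them with your values.

```powershell
# Added example: configure a self-hosted Windows agent to reach Azure DevOps
# through an authenticating proxy, without hard-coding the proxy password.
# Assumptions: the agent package is already extracted to $AgentRoot, and the
# proxy host/port defaults are the placeholders used on this page.
param(
    [string]$AgentRoot     = 'C:\agent',          # assumed agent folder
    [string]$ProxyHost     = 'proxy.kiuwan.com',  # placeholder from the page
    [int]   $ProxyPort     = 3128,                # placeholder from the page
    [string]$ProxyUsername = $env:USERNAME        # assumed default; override as needed
)

$ErrorActionPreference = 'Stop'

$configCmd = Join-Path $AgentRoot 'config.cmd'
if (-not (Test-Path $configCmd)) {
    throw "config.cmd not found under $AgentRoot; extract the agent package there first."
}

# Check the proxy is reachable before touching the agent configuration.
$probe = Test-NetConnection -ComputerName $ProxyHost -Port $ProxyPort -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "Cannot open a TCP connection to ${ProxyHost}:${ProxyPort}; check firewall rules and the proxy address."
}

# Prompt for the password as a SecureString so it is never a literal in the script
# or in the command history.
$secure = Read-Host -Prompt "Proxy password for $ProxyUsername" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $proxyPassword = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

$proxyUrl = "http://${ProxyHost}:${ProxyPort}"

# Same parameters as the page's config.cmd line. The plain-text password exists
# only for this call; dropping the reference afterwards is best effort, since
# .NET strings are immutable.
& $configCmd --proxyurl $proxyUrl --proxyusername $ProxyUsername --proxypassword $proxyPassword
$exit = $LASTEXITCODE
$proxyPassword = $null

if ($exit -ne 0) { throw "config.cmd exited with code $exit" }

Write-Host "Agent configured to use proxy $proxyUrl as $ProxyUsername."
```

Run it from an elevated PowerShell prompt in the folder where the agent was extracted. config.cmd will still ask interactively for the organization URL, the PAT, the pool (Default, for the setup described on this page) and the agent name; the proxy parameters only replace the part of the configuration shown in the command above.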
When using an agent in any of the pipelines, you must specify the type of agent.
The pipeline executes the Kiuwan analysis tasks on any agent available in the Default private agent pool, which refers to the local agent on Windows. Check the image below.