
If you use Microsoft TFS or Visual Studio Team Services to build your application you can use this extension to include Kiuwan analyses as part of your build definitions.

How to get it

The extension is published in the Microsoft Visual Studio Marketplace. You can install it in your Visual Studio Team Services account directly from there, or download it to install it in your TFS server.

What you need to know before installing it

This extension works with the Kiuwan Application Security platform in the cloud. So you need a Kiuwan account to use it.

The included build tasks will work on TFS Windows, Linux or MacOS agents and VSTS private or hosted Windows, Linux and MacOS agents.

For private agents, you can download the Kiuwan Local Analyzer (KLA) from your Kiuwan account and pre-install it on the agent machines you want to use. Make sure you define the KIUWAN_HOME environment variable pointing to the directory where you installed the KLA (e.g. C:\KiuwanLocalAnalyzer). If you don't pre-install the KLA, the first time you run a Kiuwan task the KLA is downloaded and installed in the home directory of the agent that ran the Kiuwan build task. The next time the same agent runs a Kiuwan task it will reuse that installation.

For hosted agents (which are spawned dynamically), the KLA is downloaded and installed every time a Kiuwan task runs.
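The following pre-flight script is an added example, not code from the Kiuwan extension, that mirrors the lookup order described above so you can verify a private agent before queuing a build: an explicitly set KIUWAN_HOME wins, otherwise a previous fallback install under the agent home is reused, otherwise the task would have to download the KLA. Two details are assumptions rather than facts stated on this page: that a KLA install is recognisable by a launcher at bin/agent.sh (Linux/macOS) or bin/agent.cmd (Windows), and that the fallback install directory is named KiuwanLocalAnalyzer under the agent home.

```shell
#!/bin/sh
# Added example (not part of the Kiuwan extension): pre-flight check that
# follows the documented KLA lookup order on a private agent.
# Assumptions (not stated on the page): the KLA launcher lives at
# bin/agent.sh or bin/agent.cmd under the install directory, and the
# extension's fallback install lands in <agent home>/KiuwanLocalAnalyzer.

# A directory counts as a KLA install if it holds the launcher script.
kla_installed() {
    [ -f "$1/bin/agent.sh" ] || [ -f "$1/bin/agent.cmd" ]
}

# Print the KLA directory a Kiuwan task would use.
# $1 = agent home directory (the fallback install location).
# Exit status: 0 = found, 1 = nothing installed (task would download),
#              2 = KIUWAN_HOME is set but does not contain a KLA.
resolve_kla_home() {
    agent_home="$1"
    if [ -n "$KIUWAN_HOME" ]; then
        if kla_installed "$KIUWAN_HOME"; then
            printf '%s\n' "$KIUWAN_HOME"
            return 0
        fi
        echo "KIUWAN_HOME=$KIUWAN_HOME is set but no KLA launcher was found there" >&2
        return 2
    fi
    fallback="$agent_home/KiuwanLocalAnalyzer"   # assumed fallback location
    if kla_installed "$fallback"; then
        printf '%s\n' "$fallback"
        return 0
    fi
    echo "no KLA pre-installed; the task would download it into $fallback" >&2
    return 1
}

# Usage on the agent machine, with the agent home passed in:
#   resolve_kla_home "$AGENT_HOMEDIRECTORY"
```

Run it on the agent under the same account the build agent service uses, since that account's environment is what decides whether KIUWAN_HOME is visible to the task.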

What you get with the extension

A service endpoint type and two build tasks: one to run Kiuwan baseline analyses of your releases, and one to run Kiuwan delivery analyses of your change or pull requests.

New Service Endpoint type

To connect to the Kiuwan platform from TFS/VSTS you define a new service endpoint. Select the Kiuwan Platform service connection type from the "New Service Endpoint" pulldown in the TFS/VSTS Services configuration tab.

Then configure a name for the Kiuwan connection and the Kiuwan account credentials to use when connecting to Kiuwan.

Build Tasks

The extension adds two new build tasks to your TFS/VSTS Task Catalogue in the Build category. While editing a build definition, click "Add build step" to open the catalogue and look for the Kiuwan tasks.

Select the one you want to use and configure it.

Kiuwan credentials for your build tasks

In both build tasks, you have to select a Kiuwan connection previously configured in the project service endpoints configuration (see above). The credentials configured in the selected Kiuwan connection will be used to run the analysis.

For backward compatibility, if you don't configure a Kiuwan connection in the task, the build definition variables KiuwanUser and KiuwanPasswd are used as credentials. These variables can also be used to override the credentials of the selected Kiuwan connection, which is useful if you want a particular build definition to run analyses as a different user. If you use them, define KiuwanPasswd as a secret variable in the build definition so that its value is masked in the build logs.


Kiuwan Baseline Analysis Task 

This task runs a Kiuwan baseline analysis as part of your build definition. To make it work you first need to decide whether to use the credentials in the Kiuwan service endpoint or override them with variables as described above. Next you have to decide the name of the Kiuwan application the results will be associated with. There are three options:

Kiuwan application name

  1. Use the TFS/VSTS project name. This is the default: the $(System.TeamProject) variable is used as the Kiuwan application name. If an application with the same name as the project doesn't exist in Kiuwan, it is created automatically.
  2. Pick an existing application from the list of applications in your Kiuwan account (the list only shows the applications the user configured in the Kiuwan connection has permission to see).
  3. Enter a new application name.

The results are automatically uploaded to your Kiuwan account in the cloud where you can see the results and browse through the security vulnerabilities and other relevant defects found in your applications.

Kiuwan Delivery Analysis

To use this task you need to have the Life Cycle module in your Kiuwan account. It allows you to audit the deliveries of your application's change requests. The task runs a Kiuwan delivery analysis as part of your build definition. The results are automatically uploaded to your Kiuwan account and the defined audit is run, comparing the results with the latest existing baseline of the application. The task returns the audit result, OK or Not OK (OK/NOK), which determines whether your build definition execution fails or not.


(Image: Kiuwan audit results, https://www.kiuwan.com/wp-content/uploads/2018/01/kiuwan-audit-results.png)

Kiuwan application selection

By default, the project name is used as the name of the Kiuwan application the results are uploaded to. However, you can override this behaviour in a task, either by picking the application from a list of the existing applications in your Kiuwan account (bear in mind that the application list in the combo depends on the permissions of the Kiuwan user defined in the Kiuwan connection), or by entering a new application name.
