The The Data Theorem Mobile App Security Plugin can can be used to upload upload PreProd mobile mobile binaries directly to Data Theorem for scanning during your CI/CD Jenkins pipeline.
...
The current version of Data Theorem's Jenkins plugin is available on the Jenkins Index at below:
https://plugins.jenkins.io/datatheorem-mobile-app-security.
The plugin is a post-build action that performs the following actions:
Retrieves the mobile app binary generated during the building steps.
Calls the Data Theorem Upload API to upload
the mobile app binary directly the mobile app binary directly to Data Theorem for scanning.
Step By Step Guide
Add the plugin to your Jenkins |
look Then click jenkins Jenkins home page Click on Manage Jenkins Access to Manage Plugins On the Updates list,
|
look Then click jenkinsImage RemovedImage Added |
Add your Upload API key to the Jenkins global configurationRetrieve your Upload API |
key using key from the Data Theorem portal |
at sdlc.The Upload API Key will be in the “API Key” section.
Then, on the , click in , and then navigate and click able provided with the option to create a Secret text credentials: |
For example: . This can be for example: ""Image Removed
| Image Added |
Add or update a Jenkins job |
and open :From the configuration page, you will |
have be required to modify multiple sections: Build Environment: Unlock the "Binding" section to access the API Key from the credentials Build: Add your building steps Post-build action : Add your post-
|
builds action Image Removed
Image RemovedImage AddedImage Added |
Get access to your API Key (Credentials Binding)Use the Credential Binding Plugin to bind the API Key added in the previous step to an environment variable |
.The environment variable called: named as DATA_THEOREM_UPLOAD_API_KEY. |
Image RemovedImage Added |
Add your building stepsBuild your sources using the Build section. You will need to generate a valid .apk |
/or .ipa package during this step. |
Image Removed
| Image Added |
Add |
your Data the Data Theorem plugin to the jobThe Data Theorem plugin can be added from the Add post-build action list Configure the plugin by indicating the file name that will be generated on the Build To Upload field. This allows the plugin to discover and retrieve the package |
and to it.
You can use a glob pattern to indicate variable parts of the build's file name (for example, if the app's version number or build date is in the file name). The previously |
build file names generated artifacts will be automatically |
found discovered from your archive folder or in the current workspace. Examples of glob patterns: app-*.apk : search for any apk starting with app- in workspace root directory **/app-*.ipa : search for any ipa starting with app- in any sub directory of the workspace {,**/}app-debug*.* : search for any file containing app-debug in root directory or in any sub directory of the workspace
If the file is located at /Users/jenkins/project-workspace/dir1/dir2/app.apk, you should only specify the relative part i.e dir1/dir2/app.apk. This is because the plugin has access to the current Jenkins workspace only. Advanced SectionSimulating Uploads You can simulate what file would be sent without actually uploading it to Data Theorem |
, by checking the Don't Upload Build in the advanced options. |
Only builds that needed be analyzed Builds should be restricted to those that need analysis by Data Theorem's mobile app security services |
should be sent.If needed . The external id field can be set as a custom identifier for this app. Android Mapping Files You can upload a mapping file using the Android Mapping File option to have scan results deobfuscated. This is not required for scans to be completed. However, once a mapping file has been uploaded once, all subsequent uploads will require the corresponding mapping file unless the requirement is disabled via the Results API v2.
Proxy Configuration If needed, you can configure the plugin to |
hit go through your company proxy on the advanced option of Post-Build Actions. |
You will have to specify the hostname and the port of the targeted proxy. You can also add your authentication credentials and bypass the certificate validation if needed |
Image RemovedImage Removed | Image Added Advanced section: Image AddedProxy Configuration section: Image Added
|
Start a new build to test the pluginYou can test that the plugin is correctly configured by starting a new build and then access the last build result. If the plugin works you should get the following console output:
|
Image Removed
Image Added |
Image RemovedImage Added |
---|
Use
|
---|
Using the Data Theorem plugin inside a DSL |
pipeline (alternative way)Since pipelineAs an alternative since version 1.3.0, the |
jenkins Jenkins plugin is compatible with DSL pipelines. |
build builds using DSL pipelines |
,create and select "" differents stage : named as Upload Build To Data Theorem. You will |
have be required to set an environment variable with your secret upload api key using the |
command command withCredentials() from the |
credential binding pluginCredentials Binding Plugin
Inside the withCredentials() |
block you can scope, use the command sendBuildToDataTheorem with the following parameters: |
Pattern usto Data Theorem mappingFileToUpload: If your Android application is obfuscated using Proguard, you can upload a mapping file to have scan results deobfuscated. This is not required for scans to be completed. However, once a mapping file has been uploaded once, all subsequent uploads will require the corresponding mapping file unless the requirement is disabled via the Results API v2. dontUpload : If set to true, this will simulate what file would be sent without
|
actually uploading it to Data Theorem dataTheoremUploadApiKey: The upload api key environment variable proxyHostname: If needed, the proxy hostname you need to
|
hit sending application 0: hit If If the password If If true, the plugin will bypass any SSL certificate validation externalId: If set, the externalId field represents your organization's custom identifier for the app. releaseType: (optional, but strongly encouraged): This should be set to PRE_PROD or ENTERPRISE , depending on whether the app being uploaded is a pre-production app (or a "test" app) or an enteprise (internal) app (an internal-only production app that will not be published to one of the app stores). If the argument is omitted, then our backend will first try to match the build to any existing ENTERPRISE or PRE_PROD apps. If there is no matching app, then it will default to PRE_PROD .
Scripted Pipeline Integration The plugin |
also support supports scripted pipeline integration. To use this option, you |
will would need to replace the DSL command with the following command: [$class :'SendBuildToDataTheoremPublisher', buildToUpload: '**/*.apk', mappingFileToUpload: null, dontUpload: false, dataTheoremUploadApiKey: env.DATA_THEOREM_UPLOAD_API_KEY, proxyHostname: '', proxyPort: 0, proxyUsername: '', proxyPassword: '', proxyUnsecuredConnection: false] |
Code Block |
languagegroovy | theme | Confluence |
---|
title | Data Theorem DSL Pipeline example stage Code Block |
---|
| stage('Upload Build To Data Theorem') {
steps{
|
|
steps { withCredentials([string(credentialsId: 'dt_upload_key', variable: 'DATA_THEOREM_UPLOAD_API_KEY')]) |
|
{
{
sendBuildToDataTheorem buildToUpload: ' |
|
{,**/}**', apk',
mappingFileToUpload: null,
dontUpload: false,
dataTheoremUploadApiKey: env.DATA_THEOREM_UPLOAD_API_KEY, |
|
proxyHostname:'',
proxyHostname: null,
proxyPort: 0,
proxyUsername: |
|
'', '', proxyUnsecuredConnection: falsenull,
proxyUnsecuredConnection: true,
externalId: 'test_app'
}
}
|
|
}
}
|
Send Application Credentials to Data Theorem
As an optional step, credentials for your application can be supplied to Data Theorem using the plugin for better analysis coverage. If your application has a login page, Data Theorem can use specified credentials to analyze your application.
To send your applications credentials, fill the application credentials section provided by the plugin as follows: Username - the name to use to login to your application Password - the password to use to login to your application. This field is required if a username is provided. Comment - an optional comment indicating the purpose for the credentials.
| Image Added For DSL pipeline you should add the following parameters to sendBuildToDataTheorem Code Block |
---|
applicationCredentialUsername: "username",
applicationCredentialPassword: "password",
applicationCredentialComments: "comments" |
|
| |