Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 17 Next »


The Data Theorem Mobile App Security Plugin can be used to upload PreProd mobile binaries directly to Data Theorem for scanning during your CI/CD Jenkins pipeline.

Overview

The current version of Data Theorem's Jenkins plugin is available on the Jenkins Index at https://plugins.jenkins.io/datatheorem-mobile-app-security.

The plugin is a post-build action that :

  1. Retrieves the mobile app binary generated during the building steps.
  2. Calls the Data Theorem Upload API to upload the mobile app binary directly to Data Theorem for scanning.

Step By Step Guide


Add the plugin to your Jenkins

  • Open your Jenkins home page

  • Click on Manage Jenkins

  • Access to Manage Plugins

  • On the Available list, look for Send build to Data Theorem

  • Then click on Install

Update the plugin

  • Open your jenkins home page
  • Click on Manage Jenkins
  • Access to Manage Plugins
  • On the Updates list, look for Send build to Data Theorem
  • Then click on Download now and install after restart
  • Restart jenkins

Add your Upload API key to the Jenkins global configuration

Retrieve your Upload API key using the  Data Theorem portal at https://www.securetheorem.com/sdlc.

The Upload API Key will be in the “API Key” section.

Then, on the home page of your Jenkins instance, click on Credentials in the sidebar, and then navigate to System and click on Add credentials

You will be able to create a Secret text credentials:

  • Add your Upload API key to the secret field.

  • Add an ID to identify this key. For example: Data_Theorem_ApiKey

  • Add a description to explain the purpose of this key. This can be for example: "API Key to authenticate to the Data Theorem Upload API"


Add or update a Jenkins job

Go back to the home page of your Jenkins instance and open the configuration page of the job that is used as the CI/CD pipeline of your iOS or Android application:

From the configuration page you will have to modify multiple sections:

  • Build Environment: Unlock the "Binding" section to access the API Key from the credentials

  • Build: Add your building steps

  • Post-build action : Add your post-builds action including the Data Theorem plugin

Get access to your API Key

Use the Credential Binding Plugin to bind the API Key added in the previous step to an environment variable.

The environment variable must be called: DATA_THEOREM_UPLOAD_API_KEY.

Add your building steps

Build your sources using the Build section. You need to generate a valid .apk/.ipa package during this step.


Add your Data Theorem plugin to the job

The Data Theorem plugin can be added from the Add post-build action list

Configure the plugin by indicating the file name that will be generated on the Build To Upload field.This allows the plugin to retrieve the package and to upload it.

You can use a glob pattern to indicate variable parts of the build's file name (for example if the app's version number or build date is in the file name). The previously build file names will be automatically found from your archive folder or in the current workspace.

Examples of Glob Pattern:

app-*.apk : search for any apk starting with app- in workspace root directory
**/app-*.ipa : search for any ipa starting with app- in any sub directory of the workspace
{,**/}app-debug*.* : search for any file containing app-debug in root directory or in any sub directory of the workspace

Advanced section:

You can simulate what file would be sent without actually uploading it to Data Theorem, by checking Don't Upload Build in the advanced options. Only builds that needed be analyzed by Data Theorem's mobile app security services should be sent.

You can upload a mapping file using the Android Mapping File to have scan results deobfuscated.

  • This is not required for scans to be completed. However, once a mapping file has been uploaded once, all subsequent uploads will require the corresponding mapping file unless the requirement is disabled via the Results API v2.

Proxy Configuration section:

If needed you can configure the plugin to hit your company proxy on the advanced option of Post-Build Actions.
You will have to specify the hostname and the port of the targeted proxy. You can also add your authentication credentials and bypass the certificate validation if needed

Advanced section:

Proxy Configuration section:



Start a new build to test the plugin

You can test that the plugin is correctly configured by starting a new build and then access the last build result. If the plugin works you should get the following console output:



Alternative way: use the Data Theorem plugin inside a DSL pipeline

Since version 1.3.0, the jenkins plugin is compatible with DSL pipelines.
To send build using DSL pipelines, create a new job and then select Pipeline.

After the different builds stages add a new stage: Upload Build To Data Theorem. You will have to set an environment variable with your secret upload api key using the command withCredentials() from the credential binding plugin

Inside withCredentials() scope you should use the command sendBuildToDataTheorem with the parameters:

  • buildToUpload: Glob Pattern identifying the build you want to send to Data Theorem

  • mappingFileToUploadIf your Android application is obfuscated using Proguard, you can upload a mapping file to have scan results deobfuscated. This is not required for scans to be completed. However, once a mapping file has been uploaded once, all subsequent uploads will require the corresponding mapping file unless the requirement is disabled via the Results API v2.

  • dontUpload : If true, this will simulate what file would be sent without uploading it to Data Theorem
  • dataTheoremUploadApiKey: The upload api key environment variable
  • proxyHostname: If needed, the proxy hostname you need to hit when sending the application
  • proxyPort: If needed, the proxy port you need to hit when sending the application
  • proxyUsernameIf needed, the username you use to authenticate to the proxy
  • proxyPasswordIf needed, the password you use to authenticate to the proxy
  • proxyUnsecuredConnectionIf true, the plugin will bypass any SSL certificate validation

The plugin also support scripted pipeline integration, you will need to replace the DSL command with the following command:

[$class :'SendBuildToDataTheoremPublisher', buildToUpload: '**/*.apk', mappingFileToUpload: null, dontUpload: false, dataTheoremUploadApiKey: env.DATA_THEOREM_UPLOAD_API_KEY, proxyHostname: '', proxyPort: 0, proxyUsername: '', proxyPassword: '', proxyUnsecuredConnection: false]

Data Theorem DSL Pipeline example stage
stage('Upload Build To Data Theorem') {
   steps{
      withCredentials([string(credentialsId: 'dt_upload_key', variable: 'DATA_THEOREM_UPLOAD_API_KEY')]) 
          {
            sendBuildToDataTheorem buildToUpload: 'android*.apk',
            mappingFileToUpload: null,
            dontUpload: false, 
            dataTheoremUploadApiKey: env.DATA_THEOREM_UPLOAD_API_KEY, 
            proxyHostname: null,
            proxyPort: 0,
            proxyUsername: null,
            proxyPassword: null, 
            proxyUnsecuredConnection: true
           }
   		}
}
  • No labels