How to verify that the plugin is actually scanning the entire project

Issue #1 new
Massimo Mirabito created an issue

Dear Julius,

I am testing out your plugin on our BAMBOO server 6.5.1. I cannot figure out how to make it work. I added a task on one of our builds and kept the defaults, hoping it would scan the jars for potential vulnerabilities against a DB. The project has a total of 55 jar files, but the scan results are only showing 2 jars. See logs and screenshots.

What am I doing wrong? Any help is greatly appreciated.

Thanks max

Comments (18)

  1. Massimo Mirabito reporter

    Hi Julius, thanks for your reply. I tried that, and the difference now is that it's looking at 2 different jars. The logs show that it found the jar file, but the output on the page does not show that. I must be doing something wrong. Any help is greatly appreciated. I have uploaded some files that might help you spot what I am doing wrong.

    thanks again

    max

  2. Hutuleac Iulius repo owner

    Hi Massimo, as far as I remember the tests are generated only for files which contain some security issues. Not every file becomes a test. I will try to see what flag you could add to make things more verbose and see if files are checked.

  3. Hutuleac Iulius repo owner

    Can you try to set the logging in your Bamboo to debug for this package: org.valens

  4. Hutuleac Iulius repo owner

    Hi Massimo, looks like the files are scanned. Only the files with issues will be reported.

  5. Massimo Mirabito reporter

    Hey Julius,

    Thanks for your quick reply. I guess I was expecting the jar file we are using to have some type of vulnerability so how would I simulate a vulnerability?

    And I am still confused, so please forgive me if I am pestering you, but why would the test result show:

    2 tests in total
    < 1 second taken in total
    The following 2 tests have passed:
    -WebRoot-WEB-INF-lib-commons-digester-2-0-jar No Vulnerability History < 1 sec
    -WebRoot-WEB-INF-lib-xml-apis-ext-1-3-04-jar No Vulnerability History < 1 sec

    thanks again, max

  6. Massimo Mirabito reporter

    As a follow-on, the test results in Bamboo have 2 tabs, "failed tests" and "successful tests", so I guess I was expecting a list of all the jars that were tested, but only 2 show up. Why is that?

    max

  7. Hutuleac Iulius repo owner

    Hi Massimo,

    I actually removed the full list a while ago because it was crashing Bamboo. Especially when scanning NodeJS projects it ends up at 100.000 test cases per build and makes your system very, very slow.

    I can make some sort of flag in a future release to add them for a run and to verify things work, but I really don't advise running with that flag enabled on a permanent basis :)

    Julius

  8. Massimo Mirabito reporter

    Hi Julius,

    I now understand the issue, and yes, 100K test cases would probably crash pretty much anything. The flag would be good just as a sanity check, but if you could also show a total count of jars that were tested, that could give the user feedback and peace of mind, sort of like a consolidated view of what was done. Or maybe provide a max threshold, and a user would be warned to use it responsibly. So if I set it to 100 then all my jars would be displayed, because I only have about 56 jars in my project anyway.

    I am also wondering how the plugin determines which jar file to show in the test result?

    Thanks again for your quick response, max