Jenkins/vars/audit.groovy

// Pipeline de construction des images Docker des services Zéphir
def call() {
    pipeline {

        agent {
            label 'common'
        }

        parameters {
            string(
                name: 'targetUrl', 
                description: 'URL cible pour l\'audit'
            )
            string(
                name: 'basicAuthUsername', 
                description: "Nom d'utilisateur pour l'authentication 'Basic Auth' (si besoin)",
                defaultValue: ''
            )
            password(
                name: 'basicAuthPassword', 
                description: "Mot de passe pour l'authentication 'Basic Auth' (si besoin)",
                defaultValue: ''
            )
            string(
                name: 'basicAuthDomain', 
                description: "Nom de domaine pour l'authentication 'Basic Auth' (si besoin)",
                defaultValue: ''
            )
            string(
                name: 'authFormUrl', 
                description: "URL du formulaire d'authentication (si besoin)",
                defaultValue: ''
            )
            string(
                name: 'authFormUsername', 
                description: "Nom d'utilisateur du formulaire d'authentication (si besoin)",
                defaultValue: ''
            )
            password(
                name: 'authFormPassword', 
                description: "Mot de passe du formulaire d'authentication (si besoin)",
                defaultValue: ''
            )
            string(
                name: 'authFormCheckUrl', 
                description: "URL de vérification de la réussite de l'authentication (si besoin)",
                defaultValue: ''
            )
            string(
                name: 'authFormCheckString', 
                description: "Chaine de caractères à rechercher pour vérifier la réussite de l'authentication (si besoin)",
                defaultValue: ''
            )
            string(
                name: 'authFormUsernameField', 
                description: "Nom du champ 'nom utilisateur' du formulaire d'authentication (si besoin)",
                defaultValue: ''
            )
            string(
                name: 'authFormPasswordField', 
                description: "Nom du champ 'mot de passe' du formulaire d'authentication (si besoin)",
                defaultValue: ''
            )
            string(
                name: 'authFormDataFormat', 
                description: "Patron de formatage des données POST du formulaire d'authentification (si besoin). Exemple: username=%U&password=%P",
                defaultValue: ''
            )
            string(
                name: 'verbose', 
                description: "Mode verbeux",
                defaultValue: 'False'
            )
            string(
                name: 'auditTimeout', 
                description: "Délai maximum pour la réalisation de l'audit (en minutes)",
                defaultValue: '60'
            )
        }

        stages {

            stage("Check parameters") {
                steps {
                    script {
                        if (!params.targetUrl?.trim()) {
                            error("L'URL cible n'est pas définie !")
                        }
                    }
                }
            }

            stage("Run W3AF audit") {
                steps {
                    script {
                        def w3afImage = buildDockerImage()
                        def dockerArgs = """
                        -e W3AF_TARGET_URL='${params.targetUrl}'
                        -e W3AF_BASIC_AUTH_USERNAME='${params.basicAuthUsername}'
                        -e W3AF_BASIC_AUTH_PASSWORD='${params.basicAuthPassword}'
                        -e W3AF_BASIC_AUTH_DOMAIN='${params.basicAuthDomain}'
                        -e W3AF_AUTH_FORM_URL='${params.authFormUrl}'
                        -e W3AF_AUTH_FORM_USERNAME='${params.authFormUsername}'
                        -e W3AF_AUTH_FORM_PASSWORD='${params.authFormPassword}'
                        -e W3AF_AUTH_FORM_DATA_FORMAT='${params.authFormDataFormat}'
                        -e W3AF_AUTH_FORM_CHECK_URL='${params.authFormCheckUrl}'
                        -e W3AF_AUTH_FORM_CHECK_STRING='${params.authFormCheckString}'
                        -e W3AF_AUTH_FORM_USERNAME_FIELD='${params.authFormUsernameField}'
                        -e W3AF_AUTH_FORM_PASSWORD_FIELD='${params.authFormPasswordField}'
                        -e W3AF_VERBOSE='${params.verbose}'
                        """
                        timeout(params.auditTimeout.toInteger()) {
                            w3afImage.inside(dockerArgs) {
                                sh 'mkdir -p reports'
                                sh 'rm -f reports/*'
                                sh 'envtpl -o audit.w3af /home/w3af/w3af/audit.w3af.tmpl'
                                sh '/home/w3af/w3af/w3af_console -y -n -s audit.w3af'
                            }
                        }
                    }
                }
            }

            stage("Check discovered vulnerabilities") {
                steps {
                    script {
                        
                        def totalMediumVulnerabilities = sh(
                            script: "grep 'MEDIUM' reports/report.html | wc -l", 
                            returnStdout: true
                        ).toInteger()

                        def totalHighVulnerabilities = sh(
                            script: "grep 'HIGH' reports/report.html | wc -l", 
                            returnStdout: true
                        ).toInteger()

                        if (totalHighVulnerabilities == 0 && totalMediumVulnerabilities == 0) {
                            return
                        }

                        wrap([$class: 'BuildUser']) {
                            rocketSend (
                                avatar: 'https://jenkins.cadol.es/static/b5f67753/images/headshot.png',
                                message: """
                                Des vulnérabilités ont été trouvées lors de l'audit de l'URL `${params.targetUrl}`:
                                
                                - Criticité HAUTE: ${totalHighVulnerabilities} vulnérabilité(s) trouvée(s)
                                - Criticité MOYENNNE: ${totalMediumVulnerabilities} vulnérabilité(s) trouvée(s)

                                [Voir le job](${env.RUN_DISPLAY_URL})
                                
                                @${env.BUILD_USER_ID ? env.BUILD_USER_ID : 'here'}
                                """.stripIndent(),
                                rawMessage: true
                            )
                        }
                    }
                }
            }
        }

        post {
            always {
                publishHTML target: [
                    allowMissing: true,
                    alwaysLinkToLastBuild: false,
                    keepAll: true,
                    reportDir: 'reports',
                    reportFiles: 'report.html',
                    reportName: "Rapport d'audit"
                ]
            }
            failure {
                wrap([$class: 'BuildUser']) {
                    rocketSend (
                        avatar: 'https://jenkins.cadol.es/static/b5f67753/images/headshot.png',
                        message: """
                        Le test de sécurité pour `${params.targetUrl}` a échoué:
                        
                        [Voir le job](${env.RUN_DISPLAY_URL})
                        
                        @${env.BUILD_USER_ID ? env.BUILD_USER_ID : 'here'}
                        """.stripIndent(),
                        rawMessage: true
                    )
                }
            }
        }

    }
}

def buildDockerImage() {
    dir ('.w3af') {

        def resourceFiles = [
            'com/cadoles/w3af/audit.w3af.tmpl',
            'com/cadoles/w3af/Dockerfile',
            'com/cadoles/w3af/run-audit.sh'
        ];

        for (res in resourceFiles) {
            def fileContent = libraryResource res
            def fileName = res.substring(res.lastIndexOf("/")+1)
            writeFile file:fileName, text:fileContent
        }
        
        def safeJobName = URLDecoder.decode(env.JOB_NAME).toLowerCase().replace('/', '-').replace(' ', '-')
        def imageTag = "${safeJobName}-${env.BUILD_ID}"
        return docker.build("w3af:${imageTag}", ".")
    }
}
Web security audit base pipeline 2019-04-15 18:35:34 +02:00			`// Pipeline de construction des images Docker des services Zéphir`
			`def call() {`
			`pipeline {`

			`agent {`
			`label 'common'`
			`}`

			`parameters {`
			`string(`
w3af: fix targetUrl parameter 2019-12-26 13:47:24 +01:00			`name: 'targetUrl',`
fixup! Web security audit base pipeline 2019-04-15 20:50:20 +02:00			`description: 'URL cible pour l\'audit'`
			`)`
			`string(`
			`name: 'basicAuthUsername',`
fixup! Web security audit base pipeline 2019-04-29 17:41:07 +02:00			`description: "Nom d'utilisateur pour l'authentication 'Basic Auth' (si besoin)",`
			`defaultValue: ''`
fixup! Web security audit base pipeline 2019-04-15 20:50:20 +02:00			`)`
			`password(`
			`name: 'basicAuthPassword',`
fixup! Web security audit base pipeline 2019-04-29 17:41:07 +02:00			`description: "Mot de passe pour l'authentication 'Basic Auth' (si besoin)",`
			`defaultValue: ''`
fixup! Web security audit base pipeline 2019-04-15 20:50:20 +02:00			`)`
			`string(`
			`name: 'basicAuthDomain',`
fixup! Web security audit base pipeline 2019-04-29 17:41:07 +02:00			`description: "Nom de domaine pour l'authentication 'Basic Auth' (si besoin)",`
			`defaultValue: ''`
fixup! Web security audit base pipeline 2019-04-15 20:50:20 +02:00			`)`
			`string(`
			`name: 'authFormUrl',`
fixup! Web security audit base pipeline 2019-04-29 17:41:07 +02:00			`description: "URL du formulaire d'authentication (si besoin)",`
			`defaultValue: ''`
fixup! Web security audit base pipeline 2019-04-15 20:50:20 +02:00			`)`
			`string(`
			`name: 'authFormUsername',`
fixup! Web security audit base pipeline 2019-04-29 17:41:07 +02:00			`description: "Nom d'utilisateur du formulaire d'authentication (si besoin)",`
			`defaultValue: ''`
fixup! Web security audit base pipeline 2019-04-15 20:50:20 +02:00			`)`
			`password(`
			`name: 'authFormPassword',`
fixup! Web security audit base pipeline 2019-04-29 17:41:07 +02:00			`description: "Mot de passe du formulaire d'authentication (si besoin)",`
			`defaultValue: ''`
fixup! Web security audit base pipeline 2019-04-15 20:50:20 +02:00			`)`
			`string(`
			`name: 'authFormCheckUrl',`
fixup! Web security audit base pipeline 2019-04-29 17:41:07 +02:00			`description: "URL de vérification de la réussite de l'authentication (si besoin)",`
			`defaultValue: ''`
fixup! Web security audit base pipeline 2019-04-15 20:50:20 +02:00			`)`
			`string(`
			`name: 'authFormCheckString',`
fixup! Web security audit base pipeline 2019-04-29 17:41:07 +02:00			`description: "Chaine de caractères à rechercher pour vérifier la réussite de l'authentication (si besoin)",`
			`defaultValue: ''`
fixup! Web security audit base pipeline 2019-04-15 20:50:20 +02:00			`)`
fixup! Web security audit base pipeline 2019-04-15 21:02:07 +02:00			`string(`
			`name: 'authFormUsernameField',`
fixup! Web security audit base pipeline 2019-04-29 17:41:07 +02:00			`description: "Nom du champ 'nom utilisateur' du formulaire d'authentication (si besoin)",`
			`defaultValue: ''`
fixup! Web security audit base pipeline 2019-04-15 21:02:07 +02:00			`)`
			`string(`
			`name: 'authFormPasswordField',`
fixup! Web security audit base pipeline 2019-04-29 17:41:07 +02:00			`description: "Nom du champ 'mot de passe' du formulaire d'authentication (si besoin)",`
			`defaultValue: ''`
fixup! Web security audit base pipeline 2019-04-15 21:02:07 +02:00			`)`
fixup! Web security audit base pipeline 2019-04-15 20:50:20 +02:00			`string(`
			`name: 'authFormDataFormat',`
fixup! Web security audit base pipeline 2019-04-29 17:41:07 +02:00			`description: "Patron de formatage des données POST du formulaire d'authentification (si besoin). Exemple: username=%U&password=%P",`
			`defaultValue: ''`
Web security audit base pipeline 2019-04-15 18:35:34 +02:00			`)`
w3af: mode non verbeux par défaut 2019-12-26 14:47:58 +01:00			`string(`
			`name: 'verbose',`
			`description: "Mode verbeux",`
			`defaultValue: 'False'`
			`)`
Add timeout to web audit pipeline 2019-07-24 09:46:00 +02:00			`string(`
			`name: 'auditTimeout',`
			`description: "Délai maximum pour la réalisation de l'audit (en minutes)",`
			`defaultValue: '60'`
			`)`
Web security audit base pipeline 2019-04-15 18:35:34 +02:00			`}`

			`stages {`

			`stage("Check parameters") {`
			`steps {`
			`script {`
fixup! Web security audit base pipeline 2019-04-15 21:02:07 +02:00			`if (!params.targetUrl?.trim()) {`
fixup! Web security audit base pipeline 2019-04-15 20:50:20 +02:00			`error("L'URL cible n'est pas définie !")`
Web security audit base pipeline 2019-04-15 18:35:34 +02:00			`}`
			`}`
			`}`
			`}`

fixup! Web security audit base pipeline 2019-04-15 21:02:07 +02:00			`stage("Run W3AF audit") {`
Web security audit base pipeline 2019-04-15 18:35:34 +02:00			`steps {`
			`script {`
			`def w3afImage = buildDockerImage()`
			`def dockerArgs = """`
fixup! Web security audit base pipeline 2019-04-15 21:33:26 +02:00			`-e W3AF_TARGET_URL='${params.targetUrl}'`
fixup! Web security audit base pipeline 2019-04-15 20:50:20 +02:00			`-e W3AF_BASIC_AUTH_USERNAME='${params.basicAuthUsername}'`
			`-e W3AF_BASIC_AUTH_PASSWORD='${params.basicAuthPassword}'`
			`-e W3AF_BASIC_AUTH_DOMAIN='${params.basicAuthDomain}'`
			`-e W3AF_AUTH_FORM_URL='${params.authFormUrl}'`
			`-e W3AF_AUTH_FORM_USERNAME='${params.authFormUsername}'`
			`-e W3AF_AUTH_FORM_PASSWORD='${params.authFormPassword}'`
Ajout d'un pipeline Lighthouse + améliorations/corrections sur le pipeline d'audit W3AF 2019-12-24 12:54:32 +01:00			`-e W3AF_AUTH_FORM_DATA_FORMAT='${params.authFormDataFormat}'`
fixup! Web security audit base pipeline 2019-04-15 20:50:20 +02:00			`-e W3AF_AUTH_FORM_CHECK_URL='${params.authFormCheckUrl}'`
			`-e W3AF_AUTH_FORM_CHECK_STRING='${params.authFormCheckString}'`
fixup! Web security audit base pipeline 2019-04-15 21:02:07 +02:00			`-e W3AF_AUTH_FORM_USERNAME_FIELD='${params.authFormUsernameField}'`
			`-e W3AF_AUTH_FORM_PASSWORD_FIELD='${params.authFormPasswordField}'`
w3af: mode non verbeux par défaut 2019-12-26 14:47:58 +01:00			`-e W3AF_VERBOSE='${params.verbose}'`
Web security audit base pipeline 2019-04-15 18:35:34 +02:00			`"""`
Add timeout to web audit pipeline 2019-07-24 09:46:00 +02:00			`timeout(params.auditTimeout.toInteger()) {`
			`w3afImage.inside(dockerArgs) {`
			`sh 'mkdir -p reports'`
			`sh 'rm -f reports/*'`
			`sh 'envtpl -o audit.w3af /home/w3af/w3af/audit.w3af.tmpl'`
			`sh '/home/w3af/w3af/w3af_console -y -n -s audit.w3af'`
			`}`
Web security audit base pipeline 2019-04-15 18:35:34 +02:00			`}`
			`}`
			`}`
			`}`
fixup! Web security audit base pipeline 2019-04-29 16:46:17 +02:00
			`stage("Check discovered vulnerabilities") {`
			`steps {`
			`script {`

			`def totalMediumVulnerabilities = sh(`
fixup! Web security audit base pipeline 2019-04-29 16:58:53 +02:00			`script: "grep 'MEDIUM' reports/report.html \| wc -l",`
fixup! Web security audit base pipeline 2019-04-29 16:46:17 +02:00			`returnStdout: true`
			`).toInteger()`

			`def totalHighVulnerabilities = sh(`
fixup! Web security audit base pipeline 2019-04-29 16:58:53 +02:00			`script: "grep 'HIGH' reports/report.html \| wc -l",`
fixup! Web security audit base pipeline 2019-04-29 16:46:17 +02:00			`returnStdout: true`
			`).toInteger()`

			`if (totalHighVulnerabilities == 0 && totalMediumVulnerabilities == 0) {`
			`return`
			`}`

			`wrap([$class: 'BuildUser']) {`
			`rocketSend (`
			`avatar: 'https://jenkins.cadol.es/static/b5f67753/images/headshot.png',`
			`message: """`
			Des vulnérabilités ont été trouvées lors de l'audit de l'URL `${params.targetUrl}`:

			`- Criticité HAUTE: ${totalHighVulnerabilities} vulnérabilité(s) trouvée(s)`
			`- Criticité MOYENNNE: ${totalMediumVulnerabilities} vulnérabilité(s) trouvée(s)`

			`[Voir le job](${env.RUN_DISPLAY_URL})`

			`@${env.BUILD_USER_ID ? env.BUILD_USER_ID : 'here'}`
			`""".stripIndent(),`
			`rawMessage: true`
			`)`
			`}`
			`}`
			`}`
			`}`
Web security audit base pipeline 2019-04-15 18:35:34 +02:00			`}`

fixup! Web security audit base pipeline 2019-04-15 20:50:20 +02:00			`post {`
			`always {`
			`publishHTML target: [`
			`allowMissing: true,`
			`alwaysLinkToLastBuild: false,`
			`keepAll: true,`
			`reportDir: 'reports',`
			`reportFiles: 'report.html',`
			`reportName: "Rapport d'audit"`
			`]`
			`}`
fixup! Web security audit base pipeline 2019-04-29 16:46:17 +02:00			`failure {`
w3af: injection de BUILD_USER_ID en cas d'échec du pipeline 2019-12-26 13:50:00 +01:00			`wrap([$class: 'BuildUser']) {`
			`rocketSend (`
			`avatar: 'https://jenkins.cadol.es/static/b5f67753/images/headshot.png',`
			`message: """`
			Le test de sécurité pour `${params.targetUrl}` a échoué:

			`[Voir le job](${env.RUN_DISPLAY_URL})`

			`@${env.BUILD_USER_ID ? env.BUILD_USER_ID : 'here'}`
			`""".stripIndent(),`
			`rawMessage: true`
			`)`
			`}`
fixup! Web security audit base pipeline 2019-04-29 16:46:17 +02:00			`}`
fixup! Web security audit base pipeline 2019-04-15 20:50:20 +02:00			`}`
Web security audit base pipeline 2019-04-15 18:35:34 +02:00
			`}`
			`}`

			`def buildDockerImage() {`
			`dir ('.w3af') {`

Fix W3AF pipeline docker image build 2019-12-26 13:42:51 +01:00			`def resourceFiles = [`
			`'com/cadoles/w3af/audit.w3af.tmpl',`
			`'com/cadoles/w3af/Dockerfile',`
			`'com/cadoles/w3af/run-audit.sh'`
			`];`

			`for (res in resourceFiles) {`
			`def fileContent = libraryResource res`
			`def fileName = res.substring(res.lastIndexOf("/")+1)`
			`writeFile file:fileName, text:fileContent`
			`}`
Web security audit base pipeline 2019-04-15 18:35:34 +02:00
			`def safeJobName = URLDecoder.decode(env.JOB_NAME).toLowerCase().replace('/', '-').replace(' ', '-')`
			`def imageTag = "${safeJobName}-${env.BUILD_ID}"`
			`return docker.build("w3af:${imageTag}", ".")`
			`}`
			`}`