Kiuwan Integration with Travis CI

[Screenshot: Kiuwan integration with Travis CI, 2021-12-10]

It’s finally here! The integration between Travis and Kiuwan. In this post I’ll give you all the details you need to try it yourself!

Usage

Be sure to create a Kiuwan account. Then make your Kiuwan credentials available to the build as environment variables, either through the repository settings in the Travis GUI or with the Travis CLI. With the CLI, run:

travis encrypt kiuwan_user=""
travis encrypt kiuwan_password=""

and add the resulting secure values to the env section of your .travis.yml. If you go the Travis GUI route, just name the env vars the following:

kiuwan_user
kiuwan_password

Either way, never commit the password to the repository in plaintext, and leave the GUI's "Display value in build log" option off. Note that Travis does not expose encrypted or secure variables to pull requests coming from forks, so the analyzer will have no credentials in those builds.

In the .travis.yml I tell Travis to fetch the Kiuwan Local Analyzer (LA), then run it with a command assembled from the Local Analyzer's documentation. This particular project is in TypeScript. Here is the .travis.yml file I created:

language: java   # the Local Analyzer runs on the JVM
install: skip

script:
  - echo $TRAVIS_BUILD_DIR
  # Application name in Kiuwan: the repository directory name
  - export APPNAME=$(basename "$TRAVIS_BUILD_DIR")
  # Branch of the commit under analysis: on PR builds TRAVIS_BRANCH is the target branch, so use the source branch.
  # Computed here for reference; it is not passed to the analyzer in this example.
  - export BRANCH=$(if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then echo $TRAVIS_BRANCH; else echo $TRAVIS_PULL_REQUEST_BRANCH; fi)
  - echo "Fetching Kiuwan Local Analyzer"
  - wget -v https://www.kiuwan.com/pub/analyzer/KiuwanLocalAnalyzer.zip
  - unzip KiuwanLocalAnalyzer.zip -d $HOME/.
  # -s source dir, -n application name, -l label (the Travis build id), -c create the application in Kiuwan if it does not exist
  - $HOME/KiuwanLocalAnalyzer/bin/agent.sh --user "$kiuwan_user" --pass "$kiuwan_password" -s "$TRAVIS_BUILD_DIR" -n "$APPNAME" -l "$TRAVIS_BUILD_ID" -c

This runs the analysis and uploads the results to Kiuwan, where I can dig into more insights about the project. In this particular project I deliberately left a few vulnerabilities in so Kiuwan would catch them. I also used environment variables from the account I registered with the Jelly service.
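The script below is an added example, not code from the post or from Kiuwan. It wraps the steps of the .travis.yml above into one script that the build can call from its script section, so that a failed download, unzip or analysis fails the build, every variable is quoted, and the scan is skipped with a clear message when Travis withholds the credentials (pull requests from forks). It assumes the same inputs the post uses (the kiuwan_user and kiuwan_password variables and Travis's TRAVIS_* variables) and passes only the analyzer flags the post already uses; the script name and the "run" argument are this example's own choices.

```shell
#!/usr/bin/env bash
# kiuwan-scan.sh: added example, not from the original post or from Kiuwan.
# Wraps the .travis.yml steps above in one script: the build fails when any
# step fails, variables are quoted, and the scan is skipped cleanly when the
# credentials are absent (Travis withholds secure variables from fork PRs).
# Assumes kiuwan_user / kiuwan_password and the TRAVIS_* variables, as in the
# post. Only the analyzer flags the post uses (--user, --pass, -s, -n, -l, -c)
# are passed; nothing else about the analyzer's CLI is assumed.
set -eu

KIUWAN_ZIP_URL="https://www.kiuwan.com/pub/analyzer/KiuwanLocalAnalyzer.zip"

# Branch under analysis. On a pull request build TRAVIS_BRANCH holds the
# target branch, so use TRAVIS_PULL_REQUEST_BRANCH (the source) instead.
kiuwan_branch() {
  if [ "${TRAVIS_PULL_REQUEST:-false}" = "false" ]; then
    printf '%s\n' "${TRAVIS_BRANCH:-}"
  else
    printf '%s\n' "${TRAVIS_PULL_REQUEST_BRANCH:-}"
  fi
}

# Returns 0 only when both credentials are non-empty. Without this check a
# fork pull request would run the analyzer with empty credentials and fail late.
kiuwan_creds_present() {
  [ -n "${kiuwan_user:-}" ] && [ -n "${kiuwan_password:-}" ]
}

# Application name in Kiuwan: the repository directory name, as in the post.
kiuwan_app_name() {
  basename "${TRAVIS_BUILD_DIR:?TRAVIS_BUILD_DIR is not set}"
}

run_kiuwan_scan() {
  if ! kiuwan_creds_present; then
    echo "Kiuwan credentials not available (fork pull request?); skipping scan." >&2
    return 0
  fi
  echo "Fetching Kiuwan Local Analyzer"
  # The post fetches the current analyzer zip on every build; keep that, but
  # with set -e a failed download or unzip now stops the build.
  wget -q -O "$HOME/KiuwanLocalAnalyzer.zip" "$KIUWAN_ZIP_URL"
  unzip -q -o "$HOME/KiuwanLocalAnalyzer.zip" -d "$HOME"
  echo "Analyzing $(kiuwan_app_name) (branch: $(kiuwan_branch), build: ${TRAVIS_BUILD_ID:-local})"
  # The password is passed here only, quoted, and never echoed (no set -x).
  "$HOME/KiuwanLocalAnalyzer/bin/agent.sh" \
    --user "$kiuwan_user" --pass "$kiuwan_password" \
    -s "$TRAVIS_BUILD_DIR" -n "$(kiuwan_app_name)" \
    -l "${TRAVIS_BUILD_ID:-local}" -c
}

# Only run the scan when invoked as `kiuwan-scan.sh run`, so the functions
# above can be sourced and checked without touching the network.
if [ "${1:-}" = "run" ]; then
  run_kiuwan_scan
fi
```

With this file committed to the repository, the script section of .travis.yml reduces to a single `bash kiuwan-scan.sh run` line, and the individual commands no longer appear in the build log.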

Invocation of Kiuwan

You can pass whichever options fit your scanning needs; I recommend reading Kiuwan Local Analyzer CLI - Command Line Interface for a frame of reference. The options used in the .travis.yml above, plus one more you may want, are as follows:

-s, --sourcePath
Directory with code to analyze

-n, --softwareName
Name of the target application

-c, --create
Create software at kiuwan service if not exists

-l, --label
Label for the analysis

-m, --model-name
Name of the model to use for the analysis (when omitted, the analyzer downloads the application's model from Kiuwan, as in the output below)

Kiuwan Local Analyzer

You'll then see the output of the Local Analyzer. Remember that Travis lets you select a larger VM as well; that matters here because the analyzer sizes its Java heap from the memory available (see the VM settings at the end of the output), which in turn bounds how large a codebase it can analyze in one run. For this project I just ran a baseline analysis on the default VM. The analyzer discovers the technologies in the repository, downloads the model, checks the license, and reports the bill-of-materials and include/exclude settings before uploading:

Discovery: STARTED
Technologies discovered: html,javascript
Technologies that will be analyzed: html,javascript
Discovery: FINISHED
Preprocess: STARTED
Preprocess: FINISHED
Model retrieval: STARTED
Model downloaded from Kiuwan
Model retrieval: FINISHED
License check: STARTED
License check: FINISHED
Prepare analysis data: STARTED
Supported technologies in current model: html,javascript
Prepare analysis data: FINISHED
Prepare source code files for upload: STARTED
Prepare source code files for upload: FINISHED

bill-of-materials: 
bill-of-materials format: 
includes: 
excludes: **/src/test/**,**/__MACOSX/**,**/*.min.js,**/*.Designer.vb,**/*.designer.vb,**/*Reference.vb,**/*Service.vb,**/*Silverlight.vb,**/*.Designer.cs,**/*.designer.cs,**/*Reference.cs,**/*Service.cs,**/*Silverlight.cs,**/.*,**/Pods/BuildHeaders/**/*.h,**/Pods/Headers/**/*.h,**/node_modules/**,**/bower_components/**,**/target/**,**/bin/**,**/obj/**,**/dist/**,**/lib/**
configuration: 
VM version: 11.0.2
VM settings:
    Stack Size: 2.00M
    Min. Heap Size: 128.00M
    Max. Heap Size: 1.00G
    Using VM: OpenJDK 64-Bit Server VM  

You should then get an email from the Jelly service, and from there you can look at the project on a more granular level. Here's the test project I created. Below is a screenshot of the Jelly service email I received after a successful scan:

[Screenshot: Jelly service email after a successful scan, 2021-12-10]

Click the link in the email and you can explore the results in the Kiuwan GUI:

[Screenshot: Kiuwan GUI, 2021-12-10]

There you can review the project's security findings in detail. With Kiuwan in the pipeline, every push is analyzed before Travis deploys it.

Happy building!

As always, if you have any questions please email me at montana@travis-ci.org.