Black Duck's Integration Manager, Kaj Kandler, gave a talk at the 2015 Jenkins User Conference on the four enterprise-ready plugins for the automotive, banking, and telecommunications/OEM industries that he's helped to create at Black Duck. Learn about how to develop these types of plugins for the enterprise and how you can start using Black Duck's new free vulnerability Jenkins plugin!
#jenkinsconf
4. Black Duck’s First Plugin
• Written by a Sales Engineer
• Replace shell script steps (static analysis)
• Auto generation of projects (corresponding to jobs)
• Soon 10+ users, 4 with issues
• Number one issue, “slave support”
• Integration team improves
  – Slave support
  – Class loading issues
  – Install tools on demand
• Soon 10% of customers
• Number one issue, “credentials saved in clear text”
@black_duck_sw
6. Kaj Kandler
• Integration Manager @ Black Duck Software
• Architected/Co-Developed 5 plugins
• Used by banks, telecom, automotive
• Also responsible for
  – 14 other integrations
  – REST API to our Cloud KnowledgeBase
  – Developed SDK/APIs for three products
7. Black Duck Software
• Discover open source software in source and binaries
  – Including dependencies
• Manage licenses
• Catalog applications – Open source used
• Request and review workflow
• Security risks
  – Vulnerabilities
  – Remediation workflow
8. Why do we care about Jenkins-CI?
• Threshold for code that matters
• Source and binaries are present
• Automation / Continuous
• Governance and control (STOP/GO)
• Our customers request Jenkins
  – For all our products
11. Master / Slave / Job types
• Needs to support Master and Slave
• Needs to support all job types
  – Maven jobs
  – Free style jobs
• Minimal configuration
• Scripts or jobs to create jobs
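"Slave support" was the number one issue with the first plugin (slide 4), and the usual cause is a build step that reaches into the workspace through java.io.File, which always resolves on the master's disk. The following is an added example, not Black Duck's plugin code: a Builder that lists the jar files in the workspace by shipping the work to whichever node owns the workspace through FilePath.act(), so the same step behaves identically in master-only and master/slave setups. The class names are illustrative and the @Extension descriptor that would expose the step in the job configuration UI is omitted.

```java
import hudson.FilePath;
import hudson.Launcher;
import hudson.model.AbstractBuild;
import hudson.model.BuildListener;
import hudson.remoting.VirtualChannel;
import hudson.tasks.Builder;
import jenkins.MasterToSlaveFileCallable;

import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

/**
 * Build step that collects the jar files in the workspace for a later scan.
 * Illustrative class (not Black Duck's code); the descriptor is omitted.
 */
public class ArtifactLister extends Builder {

    @Override
    public boolean perform(AbstractBuild<?, ?> build, Launcher launcher, BuildListener listener)
            throws IOException, InterruptedException {
        FilePath workspace = build.getWorkspace();
        if (workspace == null) {
            listener.error("No workspace: is the node that ran the checkout still online?");
            return false;
        }
        // Wrong for slave builds: new File(workspace.getRemote()) would look on the master's disk.
        // Right: FilePath.act() serializes the callable, runs it in the JVM that owns the
        // workspace (master or slave) and returns the result over the remoting channel.
        List<String> jars = workspace.act(new JarLister());
        for (String jar : jars) {
            listener.getLogger().println("jar to scan: " + jar);
        }
        return true;
    }

    /**
     * Executed on the remote node. Because it is serialized there, it may only reference classes
     * the plugin itself ships or that Jenkins core provides; callables that drag in master-only
     * classes are one source of the class loading issues mentioned on slide 4.
     */
    private static final class JarLister extends MasterToSlaveFileCallable<List<String>> {
        private static final long serialVersionUID = 1L;

        @Override
        public List<String> invoke(File dir, VirtualChannel channel)
                throws IOException, InterruptedException {
            List<String> found = new ArrayList<String>();
            walk(dir, dir, found);
            return found;
        }

        private static void walk(File root, File current, List<String> found) {
            File[] children = current.listFiles();
            if (children == null) {
                return; // not a directory, or unreadable on this node
            }
            for (File child : children) {
                if (child.isDirectory()) {
                    walk(root, child, found);
                } else if (child.getName().endsWith(".jar")) {
                    // Workspace-relative path, so the build log does not expose the node's layout.
                    found.add(root.toURI().relativize(child.toURI()).getPath());
                }
            }
        }
    }
}
```

The same pattern covers the other two items on slide 4: tools are installed on demand with a ToolInstallation whose installer also runs through FilePath on the target node, and any value the callable returns must itself be Serializable and built from classes available on the slave.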
12. Version Migration
• New versions need to support jobs with previous version configuration
• If incompatible, plan a new plugin and offer flexible migration via REST API
13. Scripting and Regression tests
• Write your own job generation scripts
  – With REST support and a little tooling
  – Sets of jobs that can be run in new versions of Jenkins
  – Sets of jobs that can be tested against new versions of integrated systems
16. Credentials plugin
• Part of Jenkins standard, but a plugin
• Manages username/password and ssh keys
• Stores securely
• Define once, use everywhere
• Authorization
• Job creator does not even need to know the password
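Slide 4's "credentials saved in clear text" and slide 12's requirement to keep loading jobs saved by older versions meet in the same piece of code. The following is an added example, not Black Duck's plugin code: a build step whose first version persisted a `password` field as plain text in the job's config.xml, rewritten so the job holds only a `credentialsId` resolved through the Credentials plugin, with `readResolve()` handling jobs saved by the old version. The class names, the `serverUrl` field and the scan server the step would talk to are assumptions made for the illustration; the Credentials plugin calls are its public API.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.Extension;
import hudson.Launcher;
import hudson.model.AbstractBuild;
import hudson.model.AbstractProject;
import hudson.model.BuildListener;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.ListBoxModel;
import hudson.util.Secret;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;

import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;

/** Build step that authenticates to a (hypothetical) scan server with Jenkins-managed credentials. */
public class ScanServerBuilder extends Builder {

    private final String serverUrl;
    /** ID of a username/password credential in the Credentials plugin; the job itself stores no secret. */
    private final String credentialsId;

    /**
     * Field from version 1 of this hypothetical plugin, which wrote the password in clear text into
     * config.xml. Kept (deprecated) so XStream can still load jobs saved by that version;
     * readResolve() clears it and XStream omits null fields on the next save.
     */
    @Deprecated
    private String password;

    @DataBoundConstructor
    public ScanServerBuilder(String serverUrl, String credentialsId) {
        this.serverUrl = serverUrl;
        this.credentialsId = credentialsId;
    }

    public String getServerUrl() { return serverUrl; }
    public String getCredentialsId() { return credentialsId; }

    /** Version migration hook, invoked by XStream after a job configuration has been loaded. */
    protected Object readResolve() {
        if (password != null) {
            // Fail closed: drop the clear-text value rather than carry it forward. Without a
            // credentialsId the build stops in perform() with an actionable message until an
            // administrator selects a credential, and the next save rewrites config.xml without it.
            password = null;
        }
        return this;
    }

    @Override
    public boolean perform(AbstractBuild<?, ?> build, Launcher launcher, BuildListener listener) {
        if (credentialsId == null || credentialsId.isEmpty()) {
            listener.error("No credentials selected for " + serverUrl + "; pick one in the job configuration.");
            return false;
        }
        // Resolve the ID in the job's context. The job creator only ever chose the ID from a list;
        // the password stayed in the credentials store.
        StandardUsernamePasswordCredentials cred = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,
                        build.getProject(), ACL.SYSTEM, Collections.<DomainRequirement>emptyList()),
                CredentialsMatchers.withId(credentialsId));
        if (cred == null) {
            listener.error("Credentials '" + credentialsId + "' not found or not visible to this job.");
            return false;
        }
        String authorization = basicAuth(cred.getUsername(), cred.getPassword());
        // Log who we connect as, never the secret. The scan request that would carry the
        // Authorization header belongs to the hypothetical scan server's client and is omitted.
        listener.getLogger().println("Connecting to " + serverUrl + " as " + cred.getUsername()
                + " (" + authorization.length() + "-byte Authorization header prepared)");
        return true;
    }

    /** Unwraps the Secret only at the moment the header is built. */
    private static String basicAuth(String username, Secret password) {
        byte[] raw = (username + ":" + password.getPlainText()).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    @Extension
    public static class DescriptorImpl extends BuildStepDescriptor<Builder> {
        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }

        @Override
        public String getDisplayName() { return "Scan with server credentials"; }

        /** Fills the dropdown with credential IDs and display names only; no secret reaches the form. */
        public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item context) {
            if (context != null && !context.hasPermission(Item.CONFIGURE)) {
                return new StandardListBoxModel(); // do not enumerate credentials to users who cannot configure the job
            }
            return new StandardListBoxModel().withEmptySelection().withAll(
                    CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,
                            context, ACL.SYSTEM, Collections.<DomainRequirement>emptyList()));
        }
    }
}
```

Jobs written by the old version still contain the clear-text password on disk until they are saved again, so a migration is only complete once every affected job has been re-saved; the REST job scripting described later in this deck is one way to do that in bulk.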
24. REST API
• REST is a convenient way to script jobs
• Use it to:
  – Create new jobs from a list
  – Save a list of jobs as templates
  – Batch update jobs
• Your plugin needs to support it!
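The job generation scripts of slide 13 and the three REST uses listed above, as an added example rather than Black Duck's tooling: a small Java client that authenticates with a user's API token, fetches the CSRF crumb, exports one job's config.xml as a template, creates one job per repository from it and then re-applies the template to every generated job as a batch update. The Jenkins URL and credentials (read from environment variables), the "scan-template" job, the @@REPO_URL@@ marker assumed to be in its configuration and the repository list are assumptions; the endpoints used (crumbIssuer, createItem, job/NAME/config.xml, api/json) are Jenkins' own.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Objects;

/** Job generation script against the Jenkins REST API (illustrative, not Black Duck's tooling). */
public class JenkinsJobScripter {
    private final String baseUrl;
    private final String authHeader;
    private String crumbField;  // CSRF crumb header name, normally "Jenkins-Crumb"
    private String crumbValue;

    public JenkinsJobScripter(String baseUrl, String user, String apiToken) throws IOException {
        this.baseUrl = baseUrl.endsWith("/") ? baseUrl : baseUrl + "/";
        // HTTP basic auth with the user's API token, never the login password.
        this.authHeader = "Basic " + Base64.getEncoder().encodeToString(
                (user + ":" + apiToken).getBytes(StandardCharsets.UTF_8));
        // The xpath form of the crumb issuer answers "Jenkins-Crumb:<value>" as plain text.
        String crumb = send("GET", "crumbIssuer/api/xml?xpath="
                + enc("concat(//crumbRequestField,\":\",//crumb)"), null);
        int colon = crumb.indexOf(':');
        crumbField = crumb.substring(0, colon);
        crumbValue = crumb.substring(colon + 1).trim();
    }

    /** Save an existing job's configuration so it can serve as a template. */
    public String exportConfig(String job) throws IOException {
        return send("GET", "job/" + enc(job) + "/config.xml", null);
    }

    /** Create a job from the same XML document that config.xml shows. */
    public void createJob(String name, String configXml) throws IOException {
        send("POST", "createItem?name=" + enc(name), configXml);
    }

    /** Replace an existing job's configuration in place. */
    public void updateJob(String name, String configXml) throws IOException {
        send("POST", "job/" + enc(name) + "/config.xml", configXml);
    }

    /** All top-level job names as JSON, the input for batch operations. */
    public String listJobs() throws IOException {
        return send("GET", "api/json?tree=jobs[name]", null);
    }

    private String send(String method, String path, String xmlBody) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(baseUrl + path).openConnection();
        conn.setRequestMethod(method);
        conn.setRequestProperty("Authorization", authHeader);
        if (crumbField != null) {
            conn.setRequestProperty(crumbField, crumbValue);
        }
        if (xmlBody != null) {
            conn.setDoOutput(true);
            conn.setRequestProperty("Content-Type", "application/xml; charset=utf-8");
            try (OutputStream out = conn.getOutputStream()) {
                out.write(xmlBody.getBytes(StandardCharsets.UTF_8));
            }
        }
        int status = conn.getResponseCode();
        if (status >= 400) {
            throw new IOException(method + " " + path + " failed with HTTP " + status);
        }
        try (InputStream in = conn.getInputStream()) {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            byte[] chunk = new byte[8192];
            for (int n; (n = in.read(chunk)) != -1; ) {
                buf.write(chunk, 0, n);
            }
            return new String(buf.toByteArray(), StandardCharsets.UTF_8);
        }
    }

    private static String enc(String s) throws IOException {
        return URLEncoder.encode(s, "UTF-8");
    }

    /** Escape a value before splicing it into the XML template. */
    static String xmlEscape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }

    public static void main(String[] args) throws IOException {
        // Connection details come from the environment; nothing is embedded in the script.
        JenkinsJobScripter jenkins = new JenkinsJobScripter(
                Objects.requireNonNull(System.getenv("JENKINS_URL"), "JENKINS_URL"),
                Objects.requireNonNull(System.getenv("JENKINS_USER"), "JENKINS_USER"),
                Objects.requireNonNull(System.getenv("JENKINS_API_TOKEN"), "JENKINS_API_TOKEN"));
        String template = jenkins.exportConfig("scan-template"); // assumed template job
        // Constructed list: one generated job per repository.
        List<String[]> repos = Arrays.asList(
                new String[] {"billing-service", "https://git.example.internal/billing-service.git"},
                new String[] {"auth-gateway", "https://git.example.internal/auth-gateway.git"});
        for (String[] repo : repos) {
            jenkins.createJob("scan-" + repo[0], template.replace("@@REPO_URL@@", xmlEscape(repo[1])));
        }
        // Batch update: re-apply the current template to every generated job.
        for (String[] repo : repos) {
            jenkins.updateJob("scan-" + repo[0], template.replace("@@REPO_URL@@", xmlEscape(repo[1])));
        }
        System.out.println(jenkins.listJobs());
    }
}
```

Run with the three environment variables set; the user needs Job/Create and Job/Configure on the instance. The same four calls are what a regression set of jobs needs: export the set once, create it on a fresh Jenkins or plugin version, and compare each job's config.xml after the new plugin has loaded and re-saved it, which is how the "jobs with previous version configuration" requirement of slide 12 gets tested. Recent Jenkins versions bind crumbs to the HTTP session and exempt API-token-authenticated requests from the crumb check, so if a newer server rejects the crumb, omit the crumb header or keep the session cookie with a java.net.CookieManager.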
29. UpdateSite Manager
• Not our plugin, open source
• Use it to build your internal update site
  – Your plugins distributed in all your Jenkins instances
  – No more install from file
• Fully integrated with “Manage Plugins”
  – Checks for updates in all update sites
  – All in the same list of available, installed, …
33. Private Update Site
• How much work is it?
• Jenkins
  – Deploy to
    • Artifactory (or Nexus) + indexing the repo
    • File system + site generation script
  – DONE!
  – https://github.com/ikedam/backend-update-center2/wiki/How-to-create-your-own-Jenkins-Update-Center
38. Dev: Using Open Source Components
• Does the component do the job?
• Is it well documented?
• Is the API cool?
• Is it the latest version?
• Is it memory efficient?
• Is it fast?
39. Manager: Using Open Source Components
• Does the component do the job?
• Do we like the license?
• Is the component secure?
• I have shipped, is it still secure?
• A vulnerability has been reported, am I affected?
40. Black Duck Vulnerability Report Plugin
• Capture all dependencies used
  – Maven
  – Gradle
• Check against the Black Duck KnowledgeBase
• Report licenses and vulnerability counts
  – From the National Vulnerability Database (NVD)