Black Duck's Integration Manager, Kaj Kandler, gave a talk at the 2015 Jenkins User Conference on the four enterprise-ready plugins for the automotive, banking, and telecommunications/OEM industries that he's helped to create at Black Duck. Learn about how to develop these types of plugins for the enterprise and how you can start using Black Duck's new free vulnerability Jenkins plugin!

1. Jenkins World Tour 2015
San Jose, CA

2. Developing Enterprise Ready Plugins
By Kaj Kandler, Black Duck Software, Inc.

3. Footer
#jenkinsconf
Enterprise Ready

4. Footer
#jenkinsconf
Black Duck’s First Plugin
• Written by a Sales Engineer
• Replace shell script steps (static analysis)
• Auto generation of projects (corresponding to jobs)
• Soon 10+ users, 4 with issues
• Number one issue, “slave support”
• Integration team improves
• Slave support
• Class loading issues
• Install tools on demand
• Soon 10% of customers
• Number one issue, “credentials saved in clear text”
@black_duck_sw

5. Footer
#jenkinsconf
Agenda
• Enterprise Ready
• Credentials plugin
• Support REST API
• UpdateSites Manager Plugin
• Black Duck Free Security Vulnerability Plugin
@black_duck_sw

6. Footer
#jenkinsconf
Kaj Kandler
• Integration Manager @ Black Duck Software
• Architected/Co-Developed 5 plugins
• Used by banks, telecom, automotive
• Also responsible for
• 14 other integrations
• REST API to our Cloud KnowledgeBase
• Developed SDK/APIs for three products
@black_duck_sw

7. Footer
#jenkinsconf
Black Duck Software
• Discover open source software in source and
binaries
– Including dependencies
• Manage licenses
• Catalog applications – Open source used
• Request and review workflow
• Security risks
– Vulnerabilities
– Remediation workflow
@black_duck_sw

8. Footer
#jenkinsconf
Why do we care about Jenkins-CI?
• Threshold for code that matters
• Source and binaries are present
• Automation / Continuous
• Governance and control (STOP/GO)
• Our customers request Jenkins
– For all our products
@black_duck_sw

9. #jenkinsconf
Lessons learned

10. Footer
#jenkinsconf
It’s a big ship

11. Footer
#jenkinsconf
Master / Slave / Job types
• Needs to support Master and Slave
• Needs to support all job types
– Maven jobs
– Free style jobs
• Minimal configuration
• Scripts or jobs to create jobs
@black_duck_sw

12. Footer
#jenkinsconf
Version Migration
• New versions need to support jobs with previous
version configuration
• If incompatible, plan a new plugin and offer flexible
migration via REST API
@black_duck_sw

13. Footer
#jenkinsconf
Scripting and Regression tests
• Write your own job generation scripts
– With REST support and a little tooling
– Sets of jobs that can be run in new versions of
Jenkins
– Sets of jobs that can be tested against new versions
of integrated systems
@black_duck_sw

14. #jenkinsconf
Credentials plugin?
Why does it matter?

15. Footer
#jenkinsconf
Logically

16. Footer
#jenkinsconf
Credentials plugin
• Part of Jenkins standard, but a plugin
• Manages username/password and ssh keys
• Stores secure
• Define once use everywhere
• Authorization
• Job creator does not even need to know the
password
@black_duck_sw

17. Footer
#jenkinsconf
Good
@black_duck_sw

18. Footer
#jenkinsconf
Better
@black_duck_sw

19. Footer
#jenkinsconf
Better

20. Footer
#jenkinsconf
UI requirements
<j:jelly xmlns:j="jelly:core" xmlns:c="/lib/credentials” >
…
<f:entry title="${%Protex_Server}" field="protexServerId" >
<f:select />
</f:entry>
<f:entry title="${%Protex_Credentials}" field="protexPostCredentials" >
<c:select />
</f:entry>
…
@black_duck_sw

21. Footer
#jenkinsconf
Code requirements
protected UsernamePasswordCredentialsImpl getProtexUsernamePassword() {
UsernamePasswordCredentialsImpl credential = null;
AbstractProject<?, ?> nullProject = null;
List<StandardUsernamePasswordCredentials> credentials = CredentialsProvider.lookupCredentials(
StandardUsernamePasswordCredentials.class,
nullProject, ACL.SYSTEM,
Collections.<DomainRequirement> emptyList());
IdMatcher matcher = new IdMatcher(getProtexPostCredentials());
for (StandardCredentials c : credentials) {
if (matcher.matches(c)) {
if (c instanceof UsernamePasswordCredentialsImpl) {
credential = (UsernamePasswordCredentialsImpl) c;
}
}
}
return credential;
}
@black_duck_sw

22. #jenkinsconf
Support REST API
Why, and how to do it?

23. Footer
#jenkinsconf
Oh schit!!!

24. Footer
#jenkinsconf
REST API
• REST is a convenient way to script jobs
• Use it to:
• Create new jobs from a list
• Cave a list of jobs as templates
• Batch update jobs
• Your plugin needs to support it!
@black_duck_sw

25. Footer
#jenkinsconf
REST API - Code
@WebMethod(name = "config.xml")
public void doConfigDotXml(StaplerRequest req, StaplerResponse rsp)
throws IOException, TransformerException, hudson.model.Descriptor.FormException,
ParserConfigurationException, SAXException {
if (req.getMethod().equals("GET")) {
rsp.setContentType("application/xml");
IOUtils.copy(getConfigFile().getFile(), rsp.getOutputStream());
return;
}
if (req.getMethod().equals("POST")) {
updateByXml(new StreamSource(req.getReader()));
return;
}
rsp.sendError(javax.servlet.http.HttpServletResponse.SC_BAD_REQUEST);
}
public void updateByXml(Source source)
throws IOException, TransformerException, ParserConfigurationException, SAXException {
...
save();
}
@black_duck_sw

26. Footer
#jenkinsconf
Example Update
URL :
Example:
<com.example.CustomBuildWrapperDescriptor>
<com.example.ServerInfo>
<ServerName>Protex Test Url</ServerName>
<ServerUrl>http://qa-px-integration.blackducksoftware.com</ServerUrl>
<ServerTimeOut>300</ServerTimeOut>
<CredentialId>1675357d-3426-4960-8bf6-41a2ea877d52</CredentialId>
</com.example.ServerInfo>
</com.example.CustomBuildWrapperDescriptor>
@black_duck_sw

27. #jenkinsconf
UpdateSite Manager Plugin
Your private plugin market place

28. Footer
#jenkinsconf
This is what we are - warriors

29. Footer
#jenkinsconf
UpdateSite Manager
• Not our plugin, open source
• Use it to build your internal update site
– Your plugins distributed in all your Jenkins instances
– No more install from file
• Fully integrated with “Manage Plugins”
– Checks for updates in all update sites
– All in the same list of available, installed, …
@black_duck_sw

30. Footer
#jenkinsconf
UpdateSite Manager – Hands On
@black_duck_sw

31. Footer
#jenkinsconf
UpdateSite Manager – Hands On
@black_duck_sw

32. Footer
#jenkinsconf
UpdateSite Manager – Hands On
@black_duck_sw

33. Footer
#jenkinsconf
Private Update Site
• How much work is it?
• Jenkins
– Deploy to
– Artifactory (or Nexus)
•+ Indexing the repo
– File system
– Site generation script
– DONE!
– https://github.com/ikedam/backend-update-center2/wiki/How-to-create-
your-own-Jenkins-Update-Center
@black_duck_sw

34. Footer
#jenkinsconf
Update Site - Wiki
• Confluence (3.4.1)
• Macro to populate the download graph
–Info box
@black_duck_sw

35. Footer
#jenkinsconf
Thank You!
• Shout out to IKEDA Yasuyuki
• Thank you for a great plugin!
@black_duck_sw

36. #jenkinsconf
Free Security Offering
Heartbleed, Poodle, Bash Bug, Venom, …

37. Footer
#jenkinsconf
Do you mind a little advice?

38. Footer
#jenkinsconf
Dev: Using Open Source Components
• Does the component do the job?
• Is it well documented?
• Is the API cool?
• Is it the latest version?
• Is it memory efficient?
• Is it fast?
@black_duck_sw

39. Footer
#jenkinsconf
Manager: Using Open Source Components
• Does the component do the job?
• Do we like the license?
• Is the component secure?
• I have shipped, is it still secure?
• A vulnerability has been reported, am I affected?
@black_duck_sw

40. Footer
#jenkinsconf
Black Duck Vulnerability Report Plugin
• Capture all dependencies used
– Maven
– Gradle
• Check against the Black Duck KnowledgeBase
• Report licenses and vulnerability counts
– From the National Vulnerability Database (NVD)
@black_duck_sw

41. Footer
#jenkinsconf
Black Duck Free Security Plugin
Live Demo
@black_duck_sw

42. #jenkinsconf
Offline Demo
Backup

43. Footer
#jenkinsconf
Demo – Black Duck Vulnerability Report
@black_duck_sw

44. Footer
#jenkinsconf
Demo – Vulnerability Report

45. Footer
#jenkinsconf
Demo – Filter High
@black_duck_sw

46. Footer
#jenkinsconf
Demo – Export as CSV
@black_duck_sw

47. Footer
#jenkinsconf
Demo - Maven Job Type
@black_duck_sw

48. Footer
#jenkinsconf
Demo - Freestyle + Maven
@black_duck_sw

49. Footer
#jenkinsconf
Demo - Freestyle + Gradle
@black_duck_sw

50. Footer
#jenkinsconf
Demo – Console Maven
@black_duck_sw

51. Footer
#jenkinsconf
Demo – Console Gradle
@black_duck_sw

52. Footer
#jenkinsconf
Automate Vulnerability Report
• With every build !!
• Automatically
• Detect early  mitigate @ low cost
• FREE
http://www.blackducksoftware.com/vulnerability-plugin
@black_duck_sw

53. Footer
#jenkinsconf
Support Vulnerability Report
• With every build !!
• Automatically
• Detect early  mitigate @ low cost
• FREE
http://www.blackducksoftware.com/vulnerability-plugin
@black_duck_sw

54. Footer
#jenkinsconf
Be A Good Friend
Friends don’t let friends
ship software
with known security
vulnerabilities
@black_duck_sw

55. Footer
#jenkinsconf
Questions?

56. Footer
#jenkinsconf
BDS & Kaj Kandler
Twitter: @kajkandler @black_duck_sw
Google+
LinkedIn
kkandler@blackducksoftware.com
http://www.blackducksoftware.com/vulnerability-plugin
@black_duck_sw