Quick vs. deep scans
CI/CD jobs configured with Jenkins or Travis can be triggered in many different ways, e.g., on every commit or periodically, and the trigger determines how often scan jobs run.
Quick scans (without reachability analysis): If scan jobs are expected to run very frequently, e.g., after every commit in the application's source code repository, it is preferable to only execute the `app` analysis goal, which typically does not take more than a couple of minutes (at most). Such a quick scan detects the very same vulnerabilities as a deep scan, but does not collect any information about the reachability of vulnerable code:
mvn -Dvulas clean compile vulas:clean vulas:app
Deep scans (with reachability analysis): Scan jobs that run once a day or less often can additionally include the static analysis goals `a2c` and `t2c`. These two goals, in particular, can take a considerable amount of time to complete (up to several hours), depending on the complexity of the application project under analysis (number of modules, number of application constructs, etc.):
mvn -Dvulas clean compile vulas:clean vulas:app vulas:a2c vulas:prepare-vulas-agent package vulas:upload vulas:t2c
See here for more information on Eclipse Steady goals.
A typical Jenkins job configuration using the Eclipse Steady plugin for Maven comprises the following two build steps and one post-build action (see screenshot below):
- A build step for a quick scan or deep scan, depending on the expected run frequency.
- A build step `mvn -Dvulas vulas:report` to create result reports (per default in folder
- A post-build action with the HTML Publisher Plugin to copy the HTML report created by the `report` goal into the Jenkins dashboard. Eclipse Steady results can then be consumed without scrolling through the verbose console output.
- The above assumes that the Eclipse Steady Maven profile is present in the project's `pom.xml`.
- The `report` goal should always be run in a separate Maven invocation. Otherwise, in the case of multi-module Maven projects, `report` may throw a build exception before all of the modules have been analyzed.
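The job configuration described above, expressed as a declarative Jenkinsfile. This is an added example, not part of the Eclipse Steady documentation or project: it runs the quick scan on commit-triggered builds, the deep scan on timer-triggered (nightly) builds, keeps the `report` goal in its own Maven invocation, and publishes the HTML report. The cron schedule, the `reportDir`/`reportFiles` values passed to the HTML Publisher Plugin and the `MAVEN_OPTS` value are assumptions and must be adapted to your project; the Maven commands themselves are the ones shown above.

```groovy
// Jenkinsfile (declarative pipeline) -- added example, not project code.
// Assumes: a Maven installation on the agent, the Eclipse Steady profile
// activated by -Dvulas in pom.xml, and the HTML Publisher Plugin installed.
pipeline {
  agent any

  triggers {
    // Nightly timer trigger for the deep scan (schedule is an assumption).
    // Commit-triggered builds are expected to come from SCM webhooks/polling.
    cron('H 2 * * *')
  }

  environment {
    // Heap for the static analysis goals (value is an assumption).
    MAVEN_OPTS = '-Xmx2g'
  }

  stages {
    stage('Determine scan depth') {
      steps {
        script {
          // A timer-triggered build runs the deep scan; every other cause
          // (commit, manual start) runs the quick scan.
          def timerCauses = currentBuild.getBuildCauses('hudson.triggers.TimerTrigger$TimerTriggerCause')
          env.DEEP_SCAN = timerCauses.isEmpty() ? 'false' : 'true'
        }
      }
    }

    stage('Quick scan') {
      when { environment name: 'DEEP_SCAN', value: 'false' }
      steps {
        // app goal only: same vulnerabilities, no reachability information.
        sh 'mvn -Dvulas clean compile vulas:clean vulas:app'
      }
    }

    stage('Deep scan') {
      when { environment name: 'DEEP_SCAN', value: 'true' }
      steps {
        // a2c (static) and t2c (test-based) reachability analysis; can take hours.
        sh 'mvn -Dvulas clean compile vulas:clean vulas:app vulas:a2c vulas:prepare-vulas-agent package vulas:upload vulas:t2c'
      }
    }

    stage('Report') {
      steps {
        // Separate Maven invocation on purpose: in multi-module projects the
        // report goal may fail if it runs before all modules were analyzed.
        sh 'mvn -Dvulas vulas:report'
      }
    }
  }

  post {
    always {
      // HTML Publisher Plugin; reportDir and reportFiles are assumptions,
      // set them to the folder/file that vulas:report writes in your project.
      publishHTML([
        reportName: 'Eclipse Steady',
        reportDir: 'target/vulas/report',
        reportFiles: 'vulas-report.html',
        keepAll: true,
        alwaysLinkToLastBuild: true,
        allowMissing: false
      ])
    }
  }
}
```

Because each `sh` step is its own Maven process, the `report` stage satisfies the requirement of a separate invocation automatically. Setting `allowMissing: false` makes the job fail if the report was not produced, so a silently skipped scan does not show up as a green build.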