//[Instructions] Documentation Secure Code Warrior Plugin for SCM-Manager

  • avatar

    [Instructions] Documentation Secure Code Warrior Plugin for SCM-Manager

    timo.hoppenheidt@cloudogu.com – 06. May 2021, 07:57 h

    The Secure Code Warrior plugin finds security related keywords (e.g. XSS) in pull requests and automatically adds learning resources (videos and links). With these resources, developers can learn how to fix the security issue right away and by themselves. The installation only requires a few manual steps, which are described in the first part of this guide. The second part shows you the use cases for the plugin.

    Prerequisites

    • You have a running instance of the SCM-Manager (Download SCM-Manager)
    • You have the latest version of scm-review-plugin installed on your SCM-Manager.


    Download Secure Code Warrior Plugin

    You can download the Secure Code Warrior plugin with your myCloudogu account for free.

    Register and download the plugin

    Installation

    To install the plugin for all installation sources you only have to copy the plugin into the plugin folder of your SCM-Manager. Depending on how you operate it (Linux / Windows / Docker) the path is slightly different.

    Docker

    1. Download the file from (files.cloudogu.com)
    2. Extract the contents of the downloaded file (scm-scw-plugin.smp)
    3. Copy the extracted folder into the plugins sources directory of your SCM-Manager:
      • docker cp /${DOWNLOAD_PATH}/scm-scw-plugin ${DOCKER_CONTAINER_NAME}:/var/lib/scm/plugins/scm-scw-plugin
    4. Restart SCM-Manager

    Linux / Unix or Windows

    1. Download the file from (files.cloudogu.com)
    2. Copy the file into the plugin directory of your SCM-Manager
      • ${SCM_ROOT}/work/scm/webapp/WEB-INF/plugins/scm-scw-plugin.smp
    3. Restart SCM-Manager

    And you are all done! If you have any questions or encounter any problems feel free to use this thread or contact us directly

    How to use the Secure Code Warrior Plugin

    After your SCM-Manager is running again, the plugin is ready to show you videos and additional information about security topics. There are two different ways you can use it:

    • mention security issue related keywords in the description of pull requests or
    • mention security issues as a reviewer of a pull request.

    Use in pull request descriptions

    If you know that your application is vulnerable to a certain security issue, you can create a pull request to address the issue. In the description you only have to mention the name of the vulnerability. As soon as the PR is created, it also contains a video, some details and a link to additional information about the issue.


    With all this information, every developer has everything they need to work on the issue.

    Use in pull request comments

    Another scenario is that a reviewer of a pull request finds or suspects a vulnerability and posts a comment in the pull request. Then the plugin provides the details in an additional comment.


    This way the developer gets all the information that is needed to address the issue so that the pull request can be accepted.

    Challenges

    To get a better understanding of the issue at hand, there is always a link to challenges right under the video and description for the security topic. It leads to challenges on the Secure Code Warrior website. They provide a hands-on example for a sample application.


    Available topics

    To determine which security issues are displayed, the plugin uses a list of keywords. Whenever a PR description or content of a comment matches one of the words, the corresponding information is shown. If keywords for more than one topic matches, several videos, details and links are displayed.

    Just to show you how many topics are covered, take a look at this:

    • Insecure Data Storage
    • Sensitive Data Storage
    • Server-side Request Forgery
    • Extraneous Functionality
    • Code Tampering
    • Client Code Quality
    • Improper Platform Usage
    • Lack of Binary Protections
    • Insufficient Transport Layer Protection
    • Client Side Injection
    • Broken Cryptography
    • Vulnerable Components
    • Insufficient Logging & Monitoring
    • Side Channel Vulnerability
    • Information Exposure
    • Unintended Data Leakage
    • Unvalidated Redirects & Forwards
    • Memory Corruption
    • Injection Flaws
    • File Upload Vulnerability
    • Denial of Service (DoS)
    • Insecure Authorization
    • Insecure Authentication
    • Improper Session Handling
    • Session Handling
    • Cross-site Request Forgery
    • Authentication
    • Security Misconfiguration
    • Insecure Cryptography
    • Business Logic
    • Cross-Site Scripting (XSS)
    • Access Control
  • Last change: 02. June 2021, 16:32 h