I stole this example from an internal presentation (Stefan S.) where we were using ANT and Jenkins to run both SCA scans and WebInspect (CLI) scans. If desired, you could use the WebInspect desktop API instead of its CLI.
For WebInspect alone, add an "Execute Windows batch command" with this body:
rem Run WebInspect dynamic scan headless on live demo site
"C:\Program Files\HP\HP WebInspect\wi.exe" -u "http://zero.webappsecurity.com" -ps 1 -s "C:\Programdata\HP\HP WebInspect\Settings\77scansettingsforjenkins.xml" -am "C:\Program Files\HP\HP WebInspect\Samples\WebMacros\zero_login.webmacro" -ep ".\20170315zero.fpr"
rem Upload the resulting FPR file into SSC Server
fortifyclient -url http://FTFYSVR:8280/ssc -authtoken f29b41fd-5a4c-3436-07ea-b6065b81abbd uploadFPR -file "20170315zero.fpr" - application "Zero Demo Site" - applicationVersion "2.0 Zero"
An additional detail you may run into is WebInspect licensing. If running a WebInspect scan from Jenkins, the user account calling the WebInspect scan must be the same as the user who has activated the license in the WebInspect UI. This means that you may need to resort to running Jenkins as that same account, or using PSEXEC or RunAs options in the command to control the user account being used to issue the wi.exe command from Jenkins to the WebInspect workstation.
Sorry for that oversight.
I wanted to do WebInspect automated scans with Jenkins. Can you please help me in sharing detail process document.
When i go through the steps here, I didnt find "77scansettingsforjenkins.xml" installed under "C:\Programdata\HP\HP WebInspect\Settings" folder. Can you please clarify- is it a customized XML file? If so, please share the file to proceed further.
Thanks in adance!
I am following same approach for the Webinspect integration , I am giving the macro file using -macro file.
I want to know how the command take that macro(is just for login purpose), I have generated macro using workflow macros and I want my scan to take only the URLs which I have crawled in macro file.
My Query if we can initiate the workflow-driven scan using the command? means I don't want to scan hole page I want my command to scan only those pages in macro file.
and also one query on settings file, i am new to Webinspect so I want to know how to generate the setting file.
This query is not truly related to the Topic of scanning via Jenkins, but let me direct you tot he answers.
First off, the saved scan settings file refers to an XML file you save on your WebInspect hard drive when you customize the Default Scan Settings and choose to use Save As "custom scan configuration name). Provided you left this new XML file in the default location (or customized location, under the Edit menu > Application Settings > Directories panel), then when you are in the Scan Wizard, the Custom Scan Settings File will be shown and can be selected to overlay the Scan wizard fields with those saved entries. The ability to save/edit these configurations makes it very simple to then rescan or replicate the same scan.
Next, you want to have a limited-scope scan where the scanner only Crawls the pages you are interested in, i.e. the processes you have pre-recorded in your Workflow Macro. This is easily done by selecting the Workflow-Driven Scan option in the Scan wizard, but also switching the mode from Crawl-and-Audit to Audit-Only. Voila!, a small, agile security scan encompassing only what you recorded. You can Import more than one Workflow Macro into the Scan Wizard, so you do not have to re-record your Macro if you overlooked something, just add on more. Also note in the Import dialog that WebInspect can consume Workflow Macros from numerous sources: our own *.WebMacro file format (Web Macro Recorder, or Web Proxy), BURP Proxy captures, Selenium scripts, and most recently, HAR files. Also, if you install the Micro Focus UFT Client on the WebInspect machine, the dialog will also show UFT macros/scripts as an additional import option.
Separate from Workflow Macros, you will need to understand Login Macros. Sadly, both of these macro types use the same *.webmacro file name, but they cannot be used interchangeably. I would suggest adding something in their file name to remind oneself of whether it is a Login Macro ("login") or a Workflow Macro ("wf"). The Login Macro is recorded with the Login Macro Recorder tool ("LMR"), and the macro is used to maintain and regain session state (forms authentication) throughout the scan. The Login Macro recording process requires it identifies select Logout Condition(s), so that it understands what occurs as it is being logged out (302 to the Login page perhaps?) and when it needs to be re-run by the scanner. The Login Macro Recorder offers a bunch of additional useful features, including custom User-Agent settings, Pause-Delay and MFA configuration, Challenge-Response logons, Parameterized Credentials (one Macro, multiple accounts possible), et al.
For your automation needs, you will want to read up on the Auto-Generate feature for Login Macros, found in the Scan Wizard. The Auto-Gen feature permits you to only provide the login URI and the credentials, and WebInspect will do its best to dynamically record and create the Login Macro for you, on-the-fly. This is not always fool proof, but so very useful when it does work. And so you might only need to configure the Auto-Gen entries in your pipeline and not need to pre-record the Login Macro for your CICD jobs. Or perhaps you will have to record the Login Macro, but add it inside of your Saved Scan Setting file for late use.
For most automation needs today, the WebInspect Swagger-based REST API is used more often than its full-featured CLI (wi.exe), if only because the API is easier to utilize across the network. You should read up the Help Guides as well as the Swagger page (http://localhost:8083/webinspect/api - default configuration, see Guide for customizing this). You can script several actions from you pipeline. Below is one use case.
That file, "77scansettingsforjenkins.xml" was a Saved Scan Setting file I happened to have on my WebInspect machine/lab. You will want to generate your own settings file and replace the name in the command accordingly. The Directories panel under the Edit menu > Application Settings will inform you of the expected storage folder for saved scan settings. You can access/edit settings file by opening the Edit Menu > Default Scan Settings > Load Settings File, or from the Edit menu > Manage Scan Settings.
Thanks for the reply,
please confirm me the following
So using wi.exe we can not initiate the Workflow-Driven Scan, if use the login macro file or workflow file it will take it for the login purpose only, please correct me if I am wrong. (I have tried passing wf file with wi.exe and selected audit only mode as wf file has the crawled URLS still I can see difference in results).
And I have also tried with swagger API, I have written python script to initiate my scan which takes one payload file and initiates the scan but with that I was not able to initiate Workflow-Driven Scan . As you suggested in steps 8, 9 and 10 steps I want to achieve it through a script.
As I am very new to this please provide any links to write the script to initiate Workflow-Driven Scan.
My goal is to initiate Webinspect scan using Jenkins and to get the same vulnerability as manual.