Cadet 1st Class

Does anyone know how to automate WebInspect workflow scans?

Hi,

Can anyone help me with how to automate WebInspect workflow scans?

Requirements are:

Step 1: Start the scan by providing the required workflow

Step 2: Display the running status

Step 3: Generate a PDF report

Can we write a single script with all 3 steps included and run it through a Jenkins job?

If yes, how do we do it?

Please help me find a solution for this requirement.

Thank you.

2 Replies
Micro Focus Expert

nareshe2011;

You did not specify whether you wanted to use the WebInspect CLI or WebInspect API for this automation.  The API lends itself better to remote calls by Jenkins than the CLI, if only because of network security rules.  Below I have tried to describe how to do both of these in Jenkins, but these are merely samples for you to build upon.  You may also wish to review our automation site at https://software.microfocus.com/en-us/products/webinspect-dynamic-analysis-dast/features?utm_campaign=00164298

Due to time, I am going to have to respond in two parts, this being the first...

For scanning via the WebInspect CLI, I merely put in a Build step "Execute Windows Batch Command". To help the Jenkins job pause while the scan completed, I tried monitoring the status of the process. You might find better ways to do this. Also, this only worked because Jenkins was co-installed on my demo machine with WebInspect.

+++++++++++++++++++++++++++++++

:DATEASFILENAME
rem Build a yyyyMMdd stamp for the output file name (the substring offsets depend on the locale's %date% layout)
set filenamevar=%date:~-4,4%%date:~-10,2%%date:~-7,2%
rem One variable for the FPR path so the export and the upload cannot drift apart
set "fprfile=C:\Jenkins\webinspectscandumps\zero%filenamevar%.fpr"

:WISCAN
rem Run WebInspect dynamic scan headless on live demo site - Standard scan Policy
"C:\Program Files\HP\HP WebInspect\wi.exe" -u "http://zero.webappsecurity.com" -ps 1 -s "C:\ProgramData\HP\HP WebInspect\Settings\zeroscansettingsforjenkins.xml" -am "C:\Program Files\HP\HP WebInspect\Samples\WebMacros\zero_login.webmacro" -ep "%fprfile%"

:WAITLOOP
rem Wait on scan to complete by polling the process list (sleep between polls instead of spinning)
set "MyProcess=wi.exe"
echo Waiting for "%MyProcess%" to exit
tasklist /NH /FI "imagename eq %MyProcess%" 2>nul |find /i "%MyProcess%" >nul
IF NOT errorlevel 1 (echo The scan is still running...) ELSE (GOTO UPLOADSCAN)
rem timeout.exe needs console input, which a Jenkins batch step does not provide, so sleep via PowerShell
powershell -NoProfile -Command "Start-Sleep -Seconds 60"
GOTO WAITLOOP

:UPLOADSCAN
rem Upload the resulting FPR file into SSC Server (same path the scan exported to)
IF EXIST "%fprfile%" (
fortifyclient -url http://FTFYSVR:8280/ssc -authtoken {I removed the token value shown here} uploadFPR -file "%fprfile%" -application "Zero Demo Site" -applicationVersion "2.0 Zero"
)

:END

+++++++++++++++++++++++++++++++

-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify

For the second part of my response, I will discuss how to use the WebInspect API in a Jenkins job.  The API is better for use across a network (easier to secure), unless you are deploying Jenkins Agents on the remote workstations to help facilitate using the WI CLI.

From my particular demo system, I was advised to break the steps into discrete Build Steps, so that if the Job fails I can more easily locate the failure point. Also, I had to add Jenkins plugins for using PowerShell, for HTTP Request, and for Fortify SSC connection. There are probably dozens of ways to do this better than what I have here.

1. Sanity check: made an HTTP Request (GET) to http://zero.webappsecurity.com. Verifies the target is ready to be tested.

2. Check API access by listing the current scans - HTTP Request (GET) to http://ftfyclntw:8083/webinspect/scanner/scans  Accept Headers set to TEXT_HTML.

3. Run the scan - HTTP Request (POST) to http://ftfyclntw:8083/webinspect/scanner/scans  Accept Headers set to APPLICATION_JSON

           Request Body set to:

{
    "settingsName": "Default",
    "overrides": {
        "scanName": "zero$BUILD_TAG",
        "startUrls": [
            "http://zero.webappsecurity.com"
        ],
        "crawlAuditMode": "CrawlAndAudit",
        "startOption": "Url"
    }
}

4. Wait for scan to begin - Windows PowerShell command = Start-Sleep -sec 120

5A. Grab the Scan_ID to use later - Windows PowerShell command = $json = Get-Content 'webinspect-scanid.json' | Out-String | ConvertFrom-Json
echo wi_scanid=$($json.ScanId) | Set-Content -Encoding ASCII -Path ".\webinspect-scanid.properties"

5B. Inject Environment Variables step = webinspect-scanid.properties

5C. Windows PowerShell = echo $env:wi_scanid

6. Wait for scan to complete - HTTP Request (GET) to http://ftfyclntw:8083/webinspect/scanner/scans/$wi_scanid?action=waitForStatusChange   Accept Headers set to APPLICATION_JSON.

7. Export the scan to the FPR format - HTTP Request (GET) to http://ftfyclntw:8083/webinspect/scanner/scans/$wi_scanid.fpr

8. Post-Build Step to upload scan to SSC Server - action type is the "Fortify Assessment"

           FPR Filename = $wi_scanid.fpr

           Fail Condition = left blank since this target will have vulns, or for a normal app perhaps "[fortify priority order]:critical [fortify priority order]:high"

           Application Name = Zero Demo App

           Application Version = 2.0 Zero

{Done}

-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
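The API steps 3 through 7 above can also be collapsed into one PowerShell build step, which is what the original question asked for. This is an added example, not code from either reply: it reuses the base URL, request body and ScanId field from the post, while the ScanStatus field name and the terminal status values it checks are assumptions about the WebInspect API response.

```powershell
# Added example: start a WebInspect scan, block until it finishes, export the FPR.
param(
    [string]$ApiBase    = "http://ftfyclntw:8083/webinspect",   # API host from the post
    [string]$StartUrl   = "http://zero.webappsecurity.com",
    [string]$ScanName   = "zero$env:BUILD_TAG",                 # Jenkins sets BUILD_TAG
    [int]   $TimeoutMin = 120                                   # hard stop so the job cannot hang forever
)
$ErrorActionPreference = "Stop"

# Step 3: start the scan with the same request body the post uses.
$body = @{
    settingsName = "Default"
    overrides    = @{
        scanName       = $ScanName
        startUrls      = @($StartUrl)
        crawlAuditMode = "CrawlAndAudit"
        startOption    = "Url"
    }
} | ConvertTo-Json -Depth 4

$start  = Invoke-RestMethod -Method Post -Uri "$ApiBase/scanner/scans" -ContentType "application/json" -Body $body
$scanId = $start.ScanId                      # field name as used in step 5A of the post
if (-not $scanId) { throw "WebInspect did not return a ScanId" }

# Step 5: keep the id for later build steps (Inject Environment Variables reads this file).
"wi_scanid=$scanId" | Set-Content -Encoding ASCII -Path ".\webinspect-scanid.properties"

# Step 6: waitForStatusChange returns when the status changes, so loop until a terminal state.
# ASSUMPTION: the response carries a ScanStatus field with the values checked below.
$deadline = (Get-Date).AddMinutes($TimeoutMin)
do {
    $state  = Invoke-RestMethod -Method Get -Uri "$ApiBase/scanner/scans/$scanId?action=waitForStatusChange"
    $status = $state.ScanStatus
    Write-Host "$(Get-Date -Format u) scan $scanId status: $status"
    if ((Get-Date) -gt $deadline) { throw "Scan $scanId exceeded $TimeoutMin minutes" }
} while ($status -notin @("Complete", "NotRunning", "Interrupted"))
if ($status -ne "Complete") { throw "Scan $scanId ended with status $status" }

# Step 7: export the FPR into the workspace for the Fortify Assessment post-build step.
Invoke-WebRequest -Uri "$ApiBase/scanner/scans/$scanId.fpr" -OutFile ".\$scanId.fpr"
Write-Host "Exported $scanId.fpr"
```

The calls match the post's plain-http, unauthenticated API setup; if the WebInspect API is configured to require authentication, add -Credential (or -UseDefaultCredentials) to each Invoke-* call.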