I know what you’re thinking…what happened to the 2016 release? Well, 2016 was an interesting year, and unfortunately we weren’t able to get out a mid-year release, and our Q4 release got pushed to Q1 of this year. But, finally, an updated version of SecureCI™ is here! So, what can you expect from this release?
First and foremost, we upgraded a bunch of our tools.
- Trac from 1.0.9 to 1.2
- SonarQube from 5.1.2 to 6.1
- Gitblit from 1.7.1 to 1.8.0
- OWASP ZAP from 2.4.2 to 2.5.0
- OpenSCAP from 1.2.6 to 1.2.11
- Git from 2.6.3 to 2.11.0
- Jenkins from 1.639 to 2.42
- Ant from 1.9.6 to 1.9.7
- Nexus from 2.11.4 to 3.2.0
- Selenium Server from 2.48.2 to 2.53.0
- Selenium Java Client from 2.48.2 to 2.53.1
- TestNG from 6.9.4 to 22.214.171.124
- Checkstyle from 6.13 to 7.2
- PMD from 5.4.0 to 5.5.2
- MySQL from 5.5.40 to 5.7
- Python from 2.7.5 to 2.7.12
- JDK from 1.8.0_40 to 1.8.0_101
- Ubuntu from 14.04 LTS to 16.04 LTS
I want to call out to a few of these upgrades, as many of them were more than just some small fixes.
Finally, we’re happy to integrate in Jenkins 2.X. From Jenkins themselves “Jenkins 2 brings Pipeline as code, a new setup experience and other UI improvements all while maintaining total backwards compatibility with existing Jenkins installations.” If you are looking to upgrade your server with this build, please note that while many plugins will work just fine, many have also become deprecated. Pipeline as code is fantastic, and you’ll soon see some future posts making reference to it.
SonarQube 6.X is much simpler to utilize than previous versions, removing the need to connect directly to a database. While it’s integration is already complete within SecureCI™, it’s interesting to note that SonarQube started using keys to authenticate with systems, overall making connections simpler. Similar to Jenkins, some plugins are no longer supported, but typically, that is because they’ve been integrated in. The UI is also much simpler to use (in my opinion).
We also pulled the trigger and upgraded Nexus to 3.X. This contains some of the biggest underlying changes. Nexus now stores all data in a database as a blob, instead of keeping the data on the file-system. Additionally, their API structure changed, allowing custom APIs to be written. This is more complicated and difficult than previous versions, however, allows much more flexibility and possibilities.
Nothing major changed with the OWASP ZAP upgrade, however, with the new stability of the tools, we decided to remove ratproxy from SecureCI. If you are still looking for this tool, drop a comment, and we can discuss how to integrate ratproxy back in.
Again, no major changes with the Trac upgrade, however, Agilo is no longer supported with the latest stable version. We made the decision to remove Agilo, and keep the latest Trac, due to the increased stability of the tool, it’s continued integration with other tools (even some future git integration), and Agilo’s general lack of use.
Last release delivered all of the tools installed, but there was a decent amount of user configuration required to get each tool to play properly together. This release we decided to simplify that. The Gitblit post-receive hooks are pre-configured to work with Jenkins, and more tools are now integrated into htpasswd, which we are still using to manage our users. Additionally, the firstrun script executed on launch now prompts you to create a CI user. While you can’t login as this user, you can use this user to connect from one tool to another, with the credentials stored in Gitblit, Jenkins and SonarQube.
Getting more into the security realm, YASCA was installed, and integrated into SonarQube, for additional code analysis.
Finally, we’re back to having a VMI available. Instead of just spinning up SecureCI™ in AWS, you can also download a VirtualBox image, to run it locally, or on some other hardware.
Last time we put out a release, there were a few bugs introduced. We were able to get them all fixed this time around. Additionally, we discovered an additional issue with updating the external/internal facing IP, which was also resolved.
For instructions on launching a version of SecureCI in AWS, refer to one of my older blog posts here.
So, as always, take this machine out for a spin, and see what it can do for you. If you already have a SecureCI™ box up, and are looking to upgrade it, reach out to us, and we can discuss options. Leave your thoughts/comments below, and enjoy the new box!