Coveros StaffContinuous Integration, Development, Open Source, Project Management, SecureCI, Security, Software Tools, Testing1 comment

It’s that time of year, new year, new SecureCI release! 2015 ended well, with Coveros releasing a much more robust version of SecureCI. Not too many new features, but lots of bug fixes and some major upgrades of the application. This release focused on updating core components to latest release versions, correcting critical defects, and deprecating older unsupported components. A tighter focus was also spent on integrating tooling, including single sign-on between the tools, and certificate management.
We upgraded several tools

  • Trac to 1.0.9
  • GitBlit to 1.7.1
  • SonarQube to 5.1.2
  • Subversion to 1.9.2
  • Git to 2.6.3
  • OWASP Zap to 2.4.2
  • OpenSCAP to 1.2.6
  • Apache Maven to 3.3.9
  • Jenkins to 1.639
  • TestNG to 6.9.4
  • Selenium Server and Java Client to 2.48.2
  • Checkstyle to 6.13
  • PMD to 5.4.0
  • Oracle JDK to 1.8.0_40

Additionally, we fixed a prior bug with FindBugs’s installation and so were able to add the tool back in, now at version 3.0.1. Due to some additional installation issues with Tomcat, it was removed from this release, but know that it is at the top priority of getting fixed, and back into the next release, hopefully with a hotfix within the next two months.
There we also several bug fixes addressed, making SecureCI ultimately more user friendly.

  • User created on first-run now has password properly set
  • TOC Nav was hard to read in Agilo – Fixed the CSS
  • Initial git user is now an admin
  • Fixed incorrect Java version in Jenkins
  • GitBlit URL now updates on machine reboot
  • Jenkins now has user tied to htpasswd
  • Cleaned up the rogue /${dir} directory exists on the filesystem

And of course, we have our dreaded additional bugs still in the application. Luckily, we have workarounds or local fixes everyone can do for these, so we didn’t deem it critical to halt our release. Just as we plan to get Tomcat back into SecureCI as soon as possible, we plan on getting these bugs fixed with top priority.

  • Unable to connect to SonarQube via Jenkins due to httpd authentication
    • Workaround: Disable httpd authentication for SonarQube, or for certain urls in ssl.conf
    • Workaround: create jenkins user in htpasswd, have jenkins pass credentials with sonar url
  • Unable to push artifacts to Nexus through UI
    • Workaround: Use curl/maven instead of the UI
  • Ratproxy cannot be run by default user
    • Workaround: run with sudo
  • Cert not stored in Java keystore
    • Workaround: add it using the below steps
      keytool -list -v -keystore /usr/lib/jvm/java-8-oracle-amd64/jre/lib/security/cacerts -alias secureci
      sudo keytool -import -alias secureci -file /etc/apache2/ssl/secureci.crt -keystore /usr/lib/jvm/java-8-oracle-amd64/jre/lib/security/cacerts
      keytool -list -v -keystore /usr/lib/jvm/java-8-oracle-amd64/jre/lib/security/cacerts -alias secureci
  • JAVA_HOME not set for new users
    • Workaround: set it using the below steps
      echo "export JAVA_HOME=\"/usr/lib/jvm/java-8-oracle-amd64\"" >> /etc/profile
      echo "export PATH=$JAVA_HOME/bin:$PATH" >> /etc/profile
  • SVN commit fails due to improper file ownership
  • Workaround: Use the SVN user created in first-run instead of your user
  • Workaround: Add your user to the SVN user’s group
  • Workaround: All files and directories should be changed immediately after repository creation to be owned by the same user that is running apache (and the svn group)
    sudo chown -R www-data:svn /var/lib/svn/repos/[REPO]
  • SVN post-commit hook fails on commit
    • Workaround: Fix the broken link in the post-commit hook in /var/lib/svn/repos/secureci/hooks/post-commit. The argument to python at the bottom of the file needs to be changed to /var/lib/trac/contrib/trac-post-commit-hook
  • Jenkins unable to connect to Gitblit
    • Workaround: create jenkins user in htpasswd, have jenkins connect as user

    • Hopefully all of those workarounds won’t be necessary for you, as not all tools may even be used, especially SVN (who wants to use it when you have git?). Additionally, make sure that you run an update on the system once first spinning it up. The Java version is quickly dating itself, and more frequently security exploits are being found with non-up-to-date versions.
    sudo apt-get update
    sudo apt-get upgrade

    And remember, for running your own instance of SecureCI, just like the previous release, 3 options exist for hosting an instance. Coveros can provide suite support for hosting and managing SecureCI™ instances, including rolling updates and bug fixes into a production instance. If you don’t want to go with the new managed SecureCI™, this application is also conveniently packaged and available as an Amazon EC2 Machine Image (AMI) or as a downloadable virtual machine image (VMI) for a free turn-key solution that allows you to immediately begin leveraging the benefits of continuous integration.
    For instructions on launching a version of SecureCI in AWS, refer to one of my older blog posts here

    Coveros Staff

    Related Articles
    Don’t overlook insider threats—and more cybersecurity lessons
    New Coveros secure software supply chain management service powered by the Tidelift subscription
    The key to AppSec is early detection. Are you ready for a security checkup?

    One thought to “New SecureCI Release”

    Leave a comment

    Your email address will not be published. Required fields are marked *

    Theme: Illdy. Copyright Coveros © 2021. All Rights Reserved.

    X