boomi/connector-scan
The `connector-scan` image is used to scan Connector code for eligibility for approval on Boomi AtomSphere.
Image includes:
Note: You must be a Boomi Technology Partner or an internal Boomi Developer in order to use this image.

Tags: `development` and `release`.
In order to use the automated scans, there are certain criteria that must be in place:

- The project builds with Gradle (a `gradlew` wrapper script is present) or with Maven (an `mvnw` wrapper script is present). The Maven wrapper can be generated with `mvn wrapper:wrapper`, or pinned to a specific Maven version with `mvn wrapper:wrapper -Dmaven=3.3.9`.
- A `bitbucket-pipelines.yml` file is present in the root directory of your repository.

This image is intended to be used by internal Boomi Connector developers and Boomi Technology Partners developing Connectors. It should be used within your Bitbucket repository in Boomi's Bitbucket workspace, with the Bitbucket Pipelines CI tools, as part of automated CI/CD pipelines.
Add the following step to your `bitbucket-pipelines.yml` file:

```yaml
- step:
    name: Connector Scan
    script:
      - pipe: docker://boomi/connector-scan:release
        variables:
          BOOMI_TOKEN: $BOOMI_TOKEN
    services:
      - docker
```
Note: The values that start with a `$` are replacement variables in Bitbucket. They are used to keep secrets and sensitive information out of the pipeline file.

You can adjust the configuration by passing one or more environment variables on the `docker run` command line, or in the `variables` section of your Bitbucket Pipelines step.
Variable | Requirement | Description
---|---|---
`BOOMI_TOKEN` | Required | Token provided by the Boomi Technology Partner program. Accessible in Bitbucket Pipelines as `$BOOMI_TOKEN`.
`SOURCES` | Optional | Directory of the connector source code. Defaults to the `src/main` directory (following typical conventions).
`TEST_SOURCES` | Optional | Directory of the connector test code. Defaults to the `src/test` directory (following typical conventions).
`DEBUG` | Optional | Set to `true` to print additional DEBUG information during execution.
The generated scan reports are described below.

A failing scan with SonarQube indicates that there are major, critical, or blocker issues. These need to be addressed in order to pass.

The quality report generated by Sonar flags code quality issues (code smells, complexity, test coverage, etc.) as defined by Boomi. The root-level JSON schema is provided below:
```json
{
  "total": { "type": "integer", "description": "Number of quality issues found" },
  "p": { "type": "integer" },
  "ps": { "type": "integer" },
  "paging": {
    "type": "object",
    "pageIndex": { "type": "integer" },
    "pageSize": { "type": "integer" },
    "total": { "type": "integer", "description": "Number of quality issues on this page" }
  },
  "effortTotal": { "type": "integer" },
  "issues": { "type": "array", "description": "List of issues that should be addressed" },
  "components": { "type": "array", "items": {} },
  "facets": {
    "type": "array",
    "description": "List of properties of the scan like severities and statuses of issues",
    "items": {
      "property": { "type": "string" },
      "values": {
        "type": "array",
        "items": {
          "val": { "type": "string" },
          "count": { "type": "integer" }
        }
      }
    }
  }
}
```
The important things to look at are the `issues`. Although the quality metric is not enforced for Technology Partners, we do recommend sticking to a standard of some kind.
The vulnerability report generated by Sonar shows problems that impact the application's security and should be fixed immediately. The root-level JSON schema is provided below:
```json
{
  "total": { "type": "integer", "description": "Number of vulnerabilities found" },
  "p": { "type": "integer" },
  "ps": { "type": "integer" },
  "paging": {
    "type": "object",
    "pageIndex": { "type": "integer" },
    "pageSize": { "type": "integer" },
    "total": { "type": "integer", "description": "Number of vulnerabilities on this page" }
  },
  "effortTotal": { "type": "integer" },
  "issues": { "type": "array", "description": "List of issues that should be addressed" },
  "components": { "type": "array", "items": {} },
  "facets": {
    "type": "array",
    "description": "List of properties of the scan like severities and statuses of issues",
    "items": {
      "property": { "type": "string" },
      "values": {
        "type": "array",
        "items": {
          "val": { "type": "string" },
          "count": { "type": "integer" }
        }
      }
    }
  }
}
```
The important things to look at are the `issues`.
The hotspot report generated by Sonar highlights security-sensitive pieces of code that the developer needs to review. The root-level JSON schema is provided below:
```json
{
  "paging": {
    "pageIndex": { "type": "integer" },
    "pageSize": { "type": "integer" },
    "total": { "type": "integer" }
  },
  "hotspots": { "type": "array", "description": "List of hotspots that were detected in the scan" },
  "components": { "type": "array" }
}
```
The important things to look at are the `hotspots`.
A failing scan with Snyk indicates that there are high or critical issues. These need to be addressed in order to pass.
The security report generated by Snyk is a static code analysis report. The root-level JSON schema is provided below:
```json
{
  "$schema": { "type": "string" },
  "version": { "type": "string" },
  "runs": {
    "type": "array",
    "items": {
      "tool": {
        "driver": {
          "name": { "type": "string" },
          "semanticVersion": { "type": "string" },
          "version": { "type": "string" },
          "rules": { "type": "array", "description": "Rules used in the scan" }
        }
      },
      "results": { "type": "array", "description": "List of evaluations made by the tool" },
      "properties": {
        "coverage": { "type": "array", "description": "Batches of files that were scanned" }
      }
    }
  }
}
```
The exhaustive schema can be found here. The important things to look at are the `results`:

```json
{ "runs": [ { "results": [] } ] }
```
The dependency report generated by Snyk provides detailed information about security issues in your project's dependencies. The root-level JSON schema is provided below:
```json
{
  "ok": { "type": "boolean", "description": "Whether or not the scan passed a vulnerability check" },
  "issues": { "type": "array", "description": "List of vulnerabilities and their severity levels" },
  "issueCountBySeverity": { "type": "object", "description": "Shows number of issues detected for each severity level" },
  "name": { "type": "string", "description": "Name of project in Snyk" },
  "id": { "type": "string", "description": "Project identifier" },
  "created": { "type": "string", "description": "Date/Time of analysis" },
  "origin": { "type": "string" },
  "type": { "type": "string", "description": "Project type (i.e. maven)" },
  "readOnly": { "type": "boolean" },
  "testFrequency": { "type": "string", "description": "How often this project is analyzed by Snyk (i.e. daily)" },
  "totalDependencies": { "type": "integer", "description": "Number of dependencies found" },
  "remoteRepoUrl": { "type": "string" },
  "imageTag": { "type": "string" },
  "hostName": { "type": "string" },
  "lastTestedDate": { "type": "string" },
  "browseUrl": { "type": "string", "description": "Snyk UI link for this project" },
  "owner": { "type": "string" },
  "importingUser": { "type": "object", "description": "Information about how this project was imported into Snyk" },
  "isMonitored": { "type": "boolean", "description": "Whether this project is being continuously monitored by Snyk" },
  "tags": { "type": "array" },
  "attributes": { "type": "object" },
  "remediation": { "type": "object", "description": "Suggested course of action to remedy issues" },
  "branch": { "type": "string" },
  "targetReference": { "type": "string" }
}
```
The important things to look at are the `issues` and the `remediation`.
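As an added example (not code from the connector-scan image or from Boomi), the following Python script applies the pass/fail rules stated above to the Sonar reports and the Snyk dependency report: Sonar fails on major, critical or blocker issues, Snyk on high or critical. The sample reports are constructed; the per-issue `severity` field and the lower-case keys of `issueCountBySeverity` are assumptions, since only the root-level keys are documented here.

```python
"""Added example (not part of the boomi/connector-scan image): applies the
pass/fail rules stated above to the report JSON. Sonar fails on MAJOR, CRITICAL
or BLOCKER issues; the Snyk dependency report fails on high or critical ones."""
import json

SONAR_BLOCKING = {"MAJOR", "CRITICAL", "BLOCKER"}
SNYK_BLOCKING = {"high", "critical"}

def sonar_severity_counts(report):
    """Counts from the 'severities' facet; else count 'issues' (assumed 'severity' field)."""
    for facet in report.get("facets", []):
        if facet.get("property") == "severities":
            return {v["val"].upper(): int(v["count"]) for v in facet.get("values", [])}
    counts = {}
    for issue in report.get("issues", []):
        sev = str(issue.get("severity", "UNKNOWN")).upper()
        counts[sev] = counts.get(sev, 0) + 1
    return counts

def sonar_passes(report):
    """True only when every blocking severity has a zero count."""
    counts = sonar_severity_counts(report)
    return all(counts.get(sev, 0) == 0 for sev in SONAR_BLOCKING)

def snyk_dependency_passes(report):
    """True only when 'ok' is set and no high/critical issues are counted (keys assumed lower-case)."""
    counts = report.get("issueCountBySeverity", {})
    blocking = sum(int(counts.get(sev, 0)) for sev in SNYK_BLOCKING)
    return bool(report.get("ok", False)) and blocking == 0

def snyk_remediation_keys(report):
    """Names of the suggested actions in the 'remediation' object."""
    return sorted(report.get("remediation", {}).keys())

# Constructed sample reports following the documented root-level keys.
SONAR_SAMPLE = json.loads(
    '{"total": 2, "p": 1, "ps": 100, "effortTotal": 20, "components": [],'
    ' "paging": {"pageIndex": 1, "pageSize": 100, "total": 2},'
    ' "issues": [{"severity": "MAJOR"}, {"severity": "MINOR"}],'
    ' "facets": [{"property": "severities", "values":'
    ' [{"val": "MAJOR", "count": 1}, {"val": "MINOR", "count": 1}]}]}')
SNYK_SAMPLE = json.loads(
    '{"ok": false, "issues": [{"severity": "high"}, {"severity": "medium"}],'
    ' "issueCountBySeverity": {"low": 0, "medium": 1, "high": 1, "critical": 0},'
    ' "remediation": {"upgrade": {}, "patch": {}}}')

if __name__ == "__main__":
    print("sonar passes:", sonar_passes(SONAR_SAMPLE))                    # False
    print("snyk dependencies pass:", snyk_dependency_passes(SNYK_SAMPLE))  # False
```

A pipeline step can run the same functions over the real report files and exit non-zero when either gate returns False.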
```shell
docker pull boomi/connector-scan
```