
The RIPS Bamboo Plugin adds a new Bamboo task that scans PHP source code through your RIPS installation and shows the results in a new tab on the build results page. Bamboo is continuous integration software developed by Atlassian. Extensive user documentation on how to install and set up Bamboo and third-party plugins is available here.

Plugin on the Marketplace

You can find out more about our Bamboo plugin in our blog post.

API Compatibility

Plugin    | API
----------|-------
1.0 - 1.1 | >= 2.8
2.0 - 2.1 | >= 2.8

Download

Version | Bamboo Compatibility | Link
--------|----------------------|---------
1.1.1   | 5.14.0 - 6.2.3       | Download
2.2.2   | 5.15.0 - 6.6.2       | Download

Configuration

There are various configuration options available that are explained in more detail below. Options annotated with an * are required.

Server Settings

Name      | Description
----------|------------
API URL*  | URL of the RIPS API that should be used for scanning. Our SaaS API is available under https://api-2.ripstech.com. The connection can be checked using the Check API Connection button.
Username* | Username of the RIPS account that Bamboo should use for scanning.
Password* | Password of the RIPS account that Bamboo should use for scanning. Changing the settings at a later time requires re-entering the password.
UI URL    | URL of the RIPS user interface of your installation or of the SaaS solution (https://saas.ripstech.com). The value is optional, but leaving it blank removes the Open in RIPS button from the results page.

Scan Settings

Name            | Description
----------------|------------
Application ID* | ID of the application under which the scans should be performed. The correctness (and existence) of the ID can be checked with the Check Application ID button, which reports whether the application was found and prints its name.
Version Prefix* | Prefix of the resulting version name shown in the RIPS user interface. The current build number and plan branch name are appended to the version prefix.
Scan Timeout*   | Duration in seconds after which Bamboo stops tracking the scan. Reaching the timeout fails the build and no result information is gathered. This parameter only affects Bamboo; the scan may still be running in the RIPS ecosystem.
PHP Version*    | The PHP version that should be used for the analysis. Wildcards are allowed in the version string; for example, "5.*.*" is a valid input.
Analysis Depth* | A high analysis depth requires more memory and scan time, while a low analysis depth gives better performance but can miss deeply nested vulnerabilities.

Code Settings

Name                   | Description
-----------------------|------------
Working Directory      | Sub-directory that should be analyzed. Leave blank to include all files and folders.
Store Archive          | Store the uploaded archive in your RIPS installation.
Remove code after scan | Do not store the full source code, only a limited code summary.

Threshold Settings

Negatively reviewed issues are not counted in this section. Leaving a field blank skips the test.

Name                       | Description
---------------------------|------------
Maximum of new issues      | Maximum number of newly detected issues that are allowed in the build.
Maximum of critical issues | Maximum number of critical issues that are allowed in the build.
Maximum of high issues     | Maximum number of high issues that are allowed in the build.
Maximum of medium issues   | Maximum number of medium issues that are allowed in the build.
Maximum of low issues      | Maximum number of low issues that are allowed in the build.
Add thresholds as tests    | Add failed tests if the thresholds defined above are exceeded.
Add found issues as tests  | Issues from failed thresholds will be added as failed tests.
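The threshold rules above (negatively reviewed issues are never counted, a blank field skips its test, exceeded thresholds become failed tests, and the issues behind a failed threshold can themselves be reported as failed tests) are easy to get wrong when reading a results tab. The following Python is an added illustration of that evaluation logic, not the plugin's own code; the Issue and Thresholds shapes, the status strings and the sample issues are all constructed assumptions rather than the RIPS API format.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

SEVERITIES = ("critical", "high", "medium", "low")


@dataclass(frozen=True)
class Issue:
    """One scan finding (hypothetical shape, not the RIPS API format)."""
    id: int
    severity: str               # one of SEVERITIES
    is_new: bool                # not present in the previous scan of this application
    negatively_reviewed: bool   # reviewed and marked as not a real issue


@dataclass(frozen=True)
class Thresholds:
    """Maximum allowed counts; None means the field was left blank, so its test is skipped."""
    new: Optional[int] = None
    critical: Optional[int] = None
    high: Optional[int] = None
    medium: Optional[int] = None
    low: Optional[int] = None


def relevant_issues(issues: List[Issue]) -> List[Issue]:
    """Negatively reviewed issues are excluded from every threshold count."""
    return [i for i in issues if not i.negatively_reviewed]


def count_issues(issues: List[Issue]) -> Dict[str, int]:
    """Counts per threshold name: 'new' plus one entry per severity."""
    counted = relevant_issues(issues)
    counts = {"new": sum(1 for i in counted if i.is_new)}
    for sev in SEVERITIES:
        counts[sev] = sum(1 for i in counted if i.severity == sev)
    return counts


def evaluate_thresholds(issues: List[Issue], thresholds: Thresholds) -> List[dict]:
    """One result per threshold: skipped (blank), passed (count <= limit) or failed."""
    counts = count_issues(issues)
    results = []
    for name in ("new",) + SEVERITIES:
        limit = getattr(thresholds, name)
        if limit is None:
            status = "skipped"
        elif counts[name] <= limit:
            status = "passed"
        else:
            status = "failed"
        results.append({"test": name, "limit": limit, "actual": counts[name], "status": status})
    return results


def build_fails(results: List[dict]) -> bool:
    """'Add thresholds as tests': any failed threshold fails the build."""
    return any(r["status"] == "failed" for r in results)


def issues_as_failed_tests(issues: List[Issue], results: List[dict]) -> List[int]:
    """'Add found issues as tests': IDs of every counted issue behind a failed threshold."""
    failed = {r["test"] for r in results if r["status"] == "failed"}
    ids = set()
    for i in relevant_issues(issues):
        if "new" in failed and i.is_new:
            ids.add(i.id)
        if i.severity in failed:
            ids.add(i.id)
    return sorted(ids)


# Constructed sample scan: issue 4 is negatively reviewed and must not count anywhere.
SAMPLE_ISSUES = [
    Issue(1, "critical", True, False),
    Issue(2, "high", True, False),
    Issue(3, "high", False, False),
    Issue(4, "high", True, True),
    Issue(5, "medium", False, False),
    Issue(6, "medium", False, False),
    Issue(7, "medium", False, False),
    Issue(8, "low", True, False),
]
# Constructed thresholds: medium and low left blank, so those tests are skipped.
SAMPLE_THRESHOLDS = Thresholds(new=2, critical=0, high=5)

if __name__ == "__main__":
    results = evaluate_thresholds(SAMPLE_ISSUES, SAMPLE_THRESHOLDS)
    for r in results:
        print(r)
    print("build fails:", build_fails(results))
    print("issues reported as failed tests:", issues_as_failed_tests(SAMPLE_ISSUES, results))
```

With the constructed sample, three new issues against a limit of two and one critical issue against a limit of zero fail the build; the high threshold passes and the two blank fields are skipped. Issue 4 is new and high but negatively reviewed, so it neither raises a count nor appears among the issues reported as failed tests.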

Results

There are three kinds of result views that are explained in more detail below: Analysis Results, Aggregated Results, and Summary.

Analysis Results

The results are available from the RIPS tab on the build results page of an individual job.

Section | Description
--------|------------
1       | Scan results including the threshold settings. Breaking values are marked in bold and red.
2       | Details about the scan that was performed.
3       | Severity distribution of all issues that are not negatively reviewed.
4       | Distribution of new / old issues among all issues that are not negatively reviewed.
5       | Comparison between the detected issues and the threshold values.

Aggregated Results

Each individual job in Bamboo can use the RIPS plugin to analyze source code. All jobs that contain an analysis are shown in the "RIPS Aggregated Results" tab on the summary page of each build.

Summary

The summary shows the analysis results over time for each job of a plan and can be found as a tab on the plan details page.

Bamboo Bug

There is currently a bug in Bamboo that makes it impossible to switch jobs on the summary page (this is only relevant if you have multiple jobs configured with multiple RIPS analyses). As a workaround, you can manually open the following URL, replacing {jobKey} with the key of the job:

/build/viewRipsBuildSummary.action?buildKey={jobKey}
