Bamboo

The RIPS Bamboo Plugin adds a new Bamboo task that scans PHP source code through your RIPS installation and shows the results in a new tab on the build results page. Bamboo is continuous integration software developed by Atlassian. Extensive user documentation on installing and setting up Bamboo, as well as third-party plugins, is available here.

Plugin on the Marketplace

You can find out more about our Bamboo plugin in our blog post.

API Compatibility

Plugin      RIPS
1.0 - 1.1   >= 2.8
2.0 - 2.1   >= 2.8
3.0         >= 3.0

Download

Version   Bamboo Compatibility   Link
1.1.1     5.14.0 - 6.2.3         Download
2.2.2     5.15.0 - 6.7.2         Download
3.0.0     5.15.0 - 6.7.2         Download

Configuration

There are various configuration options available that are explained in more detail below. Options annotated with an * are required.

Server Settings

Name         Description
API URL*     URL of the RIPS API that should be used for scanning. Our SaaS API is available at https://api-3.ripstech.com. The connection can be checked with the Check API Connection button.
User Email*  Email of the RIPS account that Bamboo should use for scanning.
Password*    Password of the RIPS account that Bamboo should use for scanning. Changing the settings at a later time requires re-entering the password.
UI URL       URL of the RIPS user interface of your installation or of the SaaS solution (https://saas.ripstech.com). The value is optional, but leaving it blank removes the Open in RIPS button from the results page.

Scan Settings

Name              Description
Application*      Application under which the scans should be performed. The application list can be refreshed with the Refresh Applications button below.
Version pattern*  The version name that will be shown in the RIPS user interface. It is fully customizable through placeholders, which will be replaced.
Scan Timeout*     Duration in minutes after which Bamboo stops tracking the scan. The task then fails and no result information is gathered. This parameter only affects Bamboo; the scan may still be running in the RIPS ecosystem.
Analysis Depth*   A high analysis depth requires more memory and scan time; a low analysis depth gives better performance but can miss deeply nested vulnerabilities.

Threshold Settings

Negatively reviewed issues are not counted in this section. Leaving a field blank skips the test.

Name                        Description
Maximum of new issues       Maximum number of newly detected issues that are allowed in the build.
Maximum of critical issues  Maximum number of critical issues that are allowed in the build.
Maximum of high issues      Maximum number of high issues that are allowed in the build.
Maximum of medium issues    Maximum number of medium issues that are allowed in the build.
Maximum of low issues       Maximum number of low issues that are allowed in the build.
Add thresholds as tests     Add failed tests if the thresholds defined above are exceeded.
Add found issues as tests   Issues from failed thresholds will be added as failed tests.
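The following is an added example, not code from the RIPS plugin, that models how the threshold settings above behave: negatively reviewed issues are excluded before counting, a blank field skips its test, an exceeded threshold fails the build, and the two "as tests" options turn thresholds and the issues behind a failed threshold into test entries. The issue fields, the sample issues and the test naming are constructed assumptions, not the RIPS API schema or the plugin's own output.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of a scan finding, reduced to the fields the threshold check
# needs. Field names are assumptions for this example, not the RIPS API schema.
@dataclass
class Issue:
    id: int
    severity: str                      # one of SEVERITIES
    is_new: bool                       # not present in the previous scan
    negatively_reviewed: bool = False  # reviewed and marked as not a real finding

SEVERITIES = ("critical", "high", "medium", "low")

@dataclass
class Thresholds:
    # None models a field left blank in the task configuration: that test is skipped.
    max_new: Optional[int] = None
    max_critical: Optional[int] = None
    max_high: Optional[int] = None
    max_medium: Optional[int] = None
    max_low: Optional[int] = None

def count_issues(issues):
    """Count issues per severity plus new issues, ignoring negatively reviewed ones."""
    counted = [i for i in issues if not i.negatively_reviewed]
    counts = {sev: sum(1 for i in counted if i.severity == sev) for sev in SEVERITIES}
    counts["new"] = sum(1 for i in counted if i.is_new)
    return counts

def evaluate_thresholds(issues, thresholds):
    """Return {name: (count, limit, exceeded)} for every threshold that is configured."""
    counts = count_issues(issues)
    limits = {
        "new": thresholds.max_new,
        "critical": thresholds.max_critical,
        "high": thresholds.max_high,
        "medium": thresholds.max_medium,
        "low": thresholds.max_low,
    }
    results = {}
    for name, limit in limits.items():
        if limit is None:
            continue  # blank field: test skipped
        results[name] = (counts[name], limit, counts[name] > limit)
    return results

def build_passes(results):
    """The build fails as soon as any configured threshold is exceeded."""
    return not any(exceeded for (_, _, exceeded) in results.values())

def thresholds_as_tests(results):
    """'Add thresholds as tests': one test per configured threshold, failed when exceeded."""
    return [(f"threshold:{name}", "failed" if exceeded else "passed")
            for name, (_, _, exceeded) in results.items()]

def issues_as_tests(issues, results):
    """'Add found issues as tests': every issue counted by an exceeded threshold
    becomes a failed test (assumed interpretation of the option)."""
    failed = {name for name, (_, _, exceeded) in results.items() if exceeded}
    tests = []
    for i in issues:
        if i.negatively_reviewed:
            continue
        if i.severity in failed or ("new" in failed and i.is_new):
            tests.append((f"issue:{i.id}", "failed"))
    return tests

# Constructed sample scan: issue 2 is negatively reviewed and must not count.
SAMPLE_ISSUES = [
    Issue(1, "critical", True),
    Issue(2, "critical", False, negatively_reviewed=True),
    Issue(3, "high", True),
    Issue(4, "high", False),
    Issue(5, "medium", False),
    Issue(6, "low", True),
]
# Constructed configuration: critical, new and high are set; medium and low are blank.
SAMPLE_THRESHOLDS = Thresholds(max_new=2, max_critical=0, max_high=5)

if __name__ == "__main__":
    results = evaluate_thresholds(SAMPLE_ISSUES, SAMPLE_THRESHOLDS)
    for name, (count, limit, exceeded) in results.items():
        print(f"{name:>8}: {count} found, limit {limit}, {'EXCEEDED' if exceeded else 'ok'}")
    print("build passes:", build_passes(results))
    print(thresholds_as_tests(results))
    print(issues_as_tests(SAMPLE_ISSUES, results))
```

With the sample data the critical (1 found, limit 0) and new (3 found, limit 2) thresholds are exceeded, high is within its limit, and medium and low are not tested at all, so the build fails and issues 1, 3 and 6 are reported as failed tests while the negatively reviewed issue 2 never appears.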

Results

There are three kinds of result views that are explained in more detail below: Analysis Results, Aggregated Results, and Summary.

Analysis Results

The results are available from the RIPS tab on the build results page of an individual job. 

Section  Description
1        Scan results including the threshold settings. Breaking values are marked in bold and red.
2        Details about the scan that was performed.
3        Severity distribution of all issues that are not negatively reviewed.
4        Distribution of new / old issues among all issues that are not negatively reviewed.
5        Comparison between the detected issues and the threshold values.

Aggregated Results

Each individual job in Bamboo can use the RIPS plugin to analyze source code. We show all jobs that contain an analysis in the "RIPS Aggregated Results" tab on the summary page of each build.

Summary

The summary shows the analysis results over time for each job of a plan and can be found as a tab on the plan details page.

Bamboo Bug

There is currently a bug in Bamboo that makes it impossible to switch jobs on the summary page (this is only relevant if you have multiple jobs configured with multiple RIPS analyses). To work around this, you can enter the following URL manually, with {jobKey} replaced by the key of the job you want to view:

/build/viewRipsBuildSummary.action?buildKey={jobKey}