Scanning Java Binaries in STO
This topic describes the recommended workflow for scanning Java binary (.jar, .class) files. For some scanners, such as SonarQube and Checkmarx, you need to add one or more Run steps to build your Java binaries before you run the scanner. You also need to set up the security step to specify the Java binaries you want to scan.
This workflow requires a Continuous Integration license in addition to an STO license.
The following steps describe the high-level workflow.
-
Set up your CI Build stage with the following:
-
The codebase with the Java code to compile.
-
A Run step with the commands to compile the .java source files to the binaries that you want to scan.
-
If your codebase is large, you might want to increase the memory and CPU resources reserved for your Run step.
-
To configure your Java runtime environment, go to Environment Attributes in the Run step and add a
JAVA_TOOL_ARGUMENTSsetting.Suppose you want to specify the heap size of your environment. You can add an attribute like this:
- Key =
JAVA_TOOL_OPTIONS - Value =
-Xmx2g -Xms1g
- Key =
-
-
If you want to store your binaries outside the local repo, go to the Build stage > Overview tab > Shared Paths and specify the folder -- for example,
java-binaries.The step should compile or copy the binaries to a folder that does not contain any source files.
-
-
Add these settings to the Security step that scans the binaries:
-
workspace= The folder with the Java binaries to scan.When a Harness pipeline clones a repo, the root folder is at
/harnesson the local container for the Run step. Thus if you compiled your binaries to<repo_root>/bin, then setworkspaceto/harness/bin. -
product_java_binaries(SonarQube scans only) = The Java binary or binaries to scan. To scan multiple binaries, use a comma-separated list such asmyservice.jar, subservice1.class, subservice2.class. -
JAVA_TOOL_OPTIONSYou can run the step with specific Java tool options. For example, you can add a setting to access an external Checkmarx server through a proxy.
-