Dakar's Course 4 updates (#26)

Dakar updates on course 4

.gitignore

@@ -20,3 +20,4 @@ log-rest.log
 
 common/**/.jfrog**
 .DS_Store
+course-1/tf-init/tf-plan

README.md

@@ -28,6 +28,7 @@ export JFROG_ACCESS_TOKEN=<your_access_token>
 
 jf c add jfrog-saas --interactive=false --url=$JFROG_SAAS_URL --access-token=$JFROG_ACCESS_TOKEN
 jf c use jfrog-saas
+jf rt ping
 ```
 
 ### OPTIONAL - IDE

course-4/lab-1/README.md

@@ -10,35 +10,32 @@ Setup a curation process to protect your developers
 
 Repo type | Repo key | Environment | Comment
 ---|---|--- |---
-REMOTE | mavencentral-remote | DEV |
-VIRTUAL | <PROJECT_KEY>-maven  | DEV | include the above repo
-REMOTE | npmjs-remote | DEV |
-VIRTUAL | <PROJECT_KEY>-npm  | DEV | include the above repo
+REMOTE | <YOUR_NAME>-npmjs-remote | DEV |
+VIRTUAL | <YOUR_NAME>-npm  | DEV | include the above repo
 
 Clean your NPM cache by running `npm cache clean --force`
 
 ## Enable curation
 
 1. Ensure that Curation is enabled ("Administration" -> "Curation" -> "General" -> "Curation Service Activation").
-2. Under "Administration" -> "Curation" -> "Curated Repositories", click the "State" toggle next to `npmjs-remote`
+2. Under "Administration" -> "Curation" -> "Curated Repositories", click the "State" toggle next to `<YOUR_NAME>-npmjs-remote`
 
 ## Create a curation policy
 
 1. Switch to the "Application" sidebar, and navigate to "Curation" -> "Policies Management", and click "Create New Policy".
-   1. Policy Name: `malicious_packages`
-   2. Repositories: "Specific", and then select `npmjs-remote`.
+   1. Policy Name: `<YOUR_NAME>_malicious_packages`
+   2. Repositories: "Specific", and then select `<YOUR_NAME>-npmjs-remote`.
    3. Policy Condition: "Malicious package".
    4. Waivers: None (just click "Next").
    5. Actions: "Block". Also select "Notify by Email" and enter your email address.
    6. Click "Next", and then "Save Policy".
 
 ## Test the curation process
 
-1. On your own machine, using the command prompt, navigate to the [common NodeJS module](../../common/js).
-2. Configure your NPM client to download packages from your remote
-    1. Artifactory > virtual repositories > <PROJECT_KEY>-npm
+1. Configure your NPM client to download packages from your remote
+    1. Artifactory > virtual repositories > <YOUR_NAME>-npm
     2. Click on  `Setup Client` & follow the instruction
-    3. Make sure in your ~/.npmrc that the ```_authToken``` is specified and NOT ```_auth```
+    3. Make sure in your `~/.npmrc` that the ```_authToken``` is specified and NOT ```_auth```
 
     ```text
         //yann-sbx.jfrog.io/artifactory/api/npm/test-npm/:_authToken=cmVm*****
@@ -53,4 +50,4 @@ Clean your NPM cache by running `npm cache clean --force`
    npm install cors.js
    ```
 
-4. Navigate to "Curation" -> "Audit". You should see the blocked action there.
+4. Navigate to "Curation" -> "Audit". You should see the blocked action there(Update the time to past 7 days).

course-4/lab-2/README.md

@@ -8,18 +8,16 @@ Setup a security process to continuously scan your artifacts
 
 Repo type | Repo key | Environment | Comment
 ---|---|--- |---
-REMOTE | mavencentral-remote | DEV | enable Xray
-VIRTUAL | <PROJECT_KEY>-maven  | DEV | include the above repo
-REMOTE | npmjs-remote | DEV | enable Xray
+REMOTE | <YOUR_NAME>-npmjs-remote | DEV | enable Xray
 VIRTUAL | <PROJECT_KEY>-npm  | DEV | include the above repo
-LOCAL | green-docker-local  | DEV | 
+LOCAL | <YOUR_NAME>-docker-local  | DEV | 
 
 ## Index Artifactory resources via UI
 
 > Here is the [official documentation for Xray indexing](https://jfrog.com/help/r/jfrog-security-documentation/add-or-remove-resources-from-indexing)
 
 1. Go to Xray > Indexed resources > repositories
-2. Verify **mavencentral-remote** and **npmjs-remote** are indexed
+2. Verify **<YOUR_NAME>-mavencentral-remote** and **<YOUR_NAME>-npmjs-remote** are indexed
 3. Add a docker repository
 
 ## Create JFrog Xray Policies and Watches via UI
@@ -43,28 +41,36 @@ LOCAL | green-docker-local  | DEV |
 Examples
 
 ```bash
+# **UPDATE** the name within policy-api-def.json to prefix <YOUR_NAME>
 curl \
    -XPOST \
    -H "Authorization: Bearer $JFROG_ACCESS_TOKEN" \
    -H "Content-Type: application/json" \
-   -d @"../../demos/basics-security-xray/payload/policy-api-def.json" \
+   -d @"policy-api-def.json" \
 $JFROG_SAAS_URL/xray/api/v2/policies
 
+# **PLEASE UPDATE** within watch-api-def-docker.json **YOUR DATA**
 curl \
    -XPOST \
    -H "Authorization: Bearer $JFROG_ACCESS_TOKEN" \
    -H "Content-Type: application/json" \
-   -d @"../../demos/basics-security-xray/payload/watch-api-def-docker.json" \
+   -d @"watch-api-def-docker.json" \
 $JFROG_SAAS_URL/xray/api/v2/watches
 ```
 
 ## Scan artifacts
 
-1. Upload a docker image to the docker repository(you can build Dockerfile under /common/js)
-2. Enable block download on dependencies
+1. Go to `common/js` folder
+2. Build the Dockerfile
+   -  `docker build -t <IMAGE_ID> .`
+3. Use Set Up A Docker Client for your `<YOUR_NAME>-docker-local` --> Here is the [official documentation](https://jfrog.com/help/r/jfrog-artifactory-documentation/use-kubernetes-with-artifactory-cloud)
+   -  `docker tag <IMAGE_ID> train17187377940.jfrog.io/<YOUR_NAME>-docker-local/<DOCKER_IMAGE>:<DOCKER_TAG>`
+   -  `docker login -u <YOUR JFROG USERNAME> train17187377940.jfrog.io`
+4. Upload a docker image to your docker repository
+   -  `docker push train17187377940.jfrog.io/<YOUR_NAME>-docker-local/<DOCKER_IMAGE>:<DOCKER_TAG>`
 
 ## View scan results on the UI
 
-1. Go to Xray > Scan List
+1. Go to Xray > Scan List (If it does not appear, wait a minute)
 2. Browse the different sections on a artifacts with vulnerabilities
 3. Browse the violation view and ignore violations

course-4/lab-2/policy-api-def.json

@@ -0,0 +1,22 @@
+{
+    "name": "<UPDATE>",
+    "type": "security",
+    "author": "admin",
+    "rules": [
+        {
+            "name": "critical",
+            "priority": 1,
+            "actions": {
+                "block_download": {
+                    "unscanned": true,
+                    "active": true
+                }
+            },
+            "criteria": {
+                "fix_version_dependant": false,
+                "malicious_package": false,
+                "min_severity": "Critical"
+            }
+        }
+    ]
+}

course-4/lab-2/watch-api-def-docker.json

@@ -0,0 +1,23 @@
+{
+    "general_data": {
+        "name": "<UPDATE>",
+        "description": "This is a new watch created using API V2",
+        "active": true
+    },
+    "project_resources": {
+        "resources": [
+            {
+                "type": "repository",
+                "name": "<UPDATE>",
+                "bin_mgr_id": "default",
+                "repo_type": "local"
+            }
+        ]
+    },
+    "assigned_policies": [
+        {
+            "name": "<UPDATE>",
+            "type": "security"
+        }
+    ]
+}

course-4/lab-3/README.md

@@ -7,7 +7,7 @@
 
 ## JFrog Advanced Security capabilities
 
-Enable Contextual analysis on a docker repository
+Enable Contextual analysis on a docker repository (Administration -> Xray Settings -> Indexed Resources -> Configure)
 If you enable it on an already indexed repository, you'll have to enable the contextual analysis on demand per artifact.
 
 ## OPTIONAL - Configure the IDE plugin

course-4/lab-4/README.md

@@ -5,21 +5,21 @@
 * Understand how to use JFrog scans in your CI pipelines
 * Understand when to use JFrog scans in your CI pipelines
 
-## Audit / Dependency scan
+## Prerequisites
+* Create a policy with some criterias (like minimal High severity) - You can use policies that you have already created
+* Create a watch with the "CI" name, and include the policy you've created. Make sure to include repositories with data, like docker, npm from previous labs  
 
-1. In a terminal, run this commands :
+## Audit / Dependency scan
 
+1. In a terminal, go to `common/java`, and run these commands:
    ```bash
-
-   cd ../../common/java
-
    # scan dependencies before the build
    jf audit --watches CI --fail=false
 
    echo $?
    ```
 
-2. Create a shell script which reproduces the main steps of a simple CI pipeline:  
+2. Create a shell script which reproduces the main steps of a simple CI pipeline. You can reference secured-pipeline-example.sh script:
 
    1. pull dependencies
    2. scan dependencies
@@ -29,21 +29,20 @@
 
 ## On Demand scan
 
-1. In a terminal, run this commands :
+1. In a terminal, go to `common/java`, and run these commands:
 
    ```bash
-
-   cd ../../common/java
-
    # scan the result of the maven build
    mvn clean package
    jf scan target/*.war --watches CI --fail=false
 
    echo $?
-   
+   ```
+2. In a terminal, go to `common/js`, and run these commands:
+   ```bash
    # scan a docker image
-   docker build -t java-app:1.0.0
-   jf docker scan  java-app:1.0.0 --watches CI --fail=false
+   docker build -t js-app:1.0.0
+   jf docker scan  js-app:1.0.0 --watches CI --fail=false
    ```
 
-2. Update your shell script by scanning the artifact representing your application
+3. Update your shell script by scanning the artifact representing your application. You can reference secured-pipeline-example.sh script:

course-4/lab-4/secured-pipeline-example.sh

@@ -0,0 +1,49 @@
+#/bin/bash
+
+if [ ! -z "$1" ]; then
+    echo "[ERROR] No JFrog Project key  "    
+fi
+
+
+cd ../../common/java
+
+MY_PROJ_KEY=""
+MY_IMAGE="${JFROG_SAAS_DNS}/${MY_PROJ_KEY}-docker/java-app:1.0.0"
+
+echo "*****************************"
+echo "**** SCAN DEPENDENCIES"  
+echo "*****************************"
+
+# scan dependencies before the build
+jf audit --watches CI --fail=false
+
+echo "*****************************"
+echo "**** BUILD APP"  
+echo "*****************************"
+
+# build app
+mvn clean package deploy
+
+echo "*****************************"
+echo "**** CONTAINERIZE APP"  
+echo "*****************************"
+
+# containerize app
+docker build \
+    -t $MY_IMAGE \
+    --build-arg REGISTRY=${JFROG_SAAS_DNS} \
+    --build-arg DOCKER_REPO=${MY_PROJ_KEY}-docker \
+.
+
+echo "*****************************"
+echo "**** SCAN CONTAINER IMAGE"  
+echo "*****************************"
+
+# scan all the layers of the generated image (including the base image's layers)
+jf docker scan $MY_IMAGE --fail=false
+
+echo "*****************************"
+echo "**** PUSH IMAGE TO ARTIFACTORY"  
+echo "*****************************"
+
+docker push $MY_IMAGE

course-4/lab-5/README.md

@@ -7,16 +7,17 @@
 
 ## Generate and Publish a Build Info
 
-> Here is the [official documentation for generating Build Info per package manager](https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/cli-for-jfrog-artifactory#package-managers-integration)
+> Here is the [official documentation for generating Build Info per package manager](https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/cli-for-jfrog-artifactory/package-managers-integration)
 
 1. Update the script from Lab 4 and inject the JFrog CLI :
-   1. configuration
-   2. during Build and/or Upload (depending on the dev project type) to generate the Build Info
-   3. after the Build phase to collect info on the CI pipeline + publish the Build Info
+   1. Package manager configuration
+   2. During Build and/or Upload to generate the Build Info
+   3. After the Build phase to collect info on the CI pipeline + publish the Build Info
 
 ## Generate and Publish a Release Bundle V2
 
 > Here is the [official documentation for RBv2 API](https://jfrog.com/help/r/jfrog-rest-apis/release-lifecycle-management)
 
 1. Create a RBv2 from the previously pushed Build Info
-2. Create a RBv2 from artifacts path
+   - Do it manually from the UI
+   - (optional) Update the script from Lab 4 and inject the JFrog CLI creation of RBv2

course-4/lab-5/secured-pipeline-with-bom-example.sh

@@ -0,0 +1,70 @@
+#/bin/bash
+
+ cd ../../common/java
+
+MY_PROJ_KEY=""
+MY_IMAGE="${JFROG_SAAS_DNS}/${MY_PROJ_KEY}-docker/java-app:1.0.0"
+export JFROG_CLI_BUILD_NAME=${MY_PROJ_KEY}-app \
+        JFROG_CLI_BUILD_NUMBER=1 \
+        JFROG_CLI_BUILD_URL="https://myCI.com"
+# export JFROG_CLI_BUILD_PROJECT=${MY_PROJ_KEY}
+
+echo "*****************************"
+echo "**** CONFIG JFROG CLI"  
+echo "*****************************"
+
+jf mvnc \
+    --repo-deploy-releases   ${MY_PROJ_KEY}-maven \
+    --repo-deploy-snapshots  ${MY_PROJ_KEY}-maven \
+    --repo-resolve-releases  ${MY_PROJ_KEY}-maven \
+    --repo-resolve-snapshots ${MY_PROJ_KEY}-maven
+
+# result of the mvnc instruction
+#  cat .jfrog/projects/maven.yaml
+
+echo "*****************************"
+echo "**** SCAN DEPENDENCIES"  
+echo "*****************************"
+
+# scan dependencies before the build
+jf audit --watches CI --fail=false
+
+echo "*****************************"
+echo "**** BUILD APP"  
+echo "*****************************"
+
+# build app + deploy + generate Application Build Info
+jf mvn clean package deploy
+
+# publish Application Build Info
+jf bp 
+
+echo "*****************************"
+echo "**** CONTAINERIZE APP"  
+echo "*****************************"
+
+# containerize app
+docker build \
+    -t $MY_IMAGE \
+    --build-arg REGISTRY=${JFROG_SAAS_DNS} \
+    --build-arg DOCKER_REPO=${MY_PROJ_KEY}-docker \
+.
+
+echo "*****************************"
+echo "**** SCAN CONTAINER IMAGE"  
+echo "*****************************"
+
+# scan the layers of the base image
+jf docker scan $MY_IMAGE --fail=false
+
+echo "*****************************"
+echo "**** PUSH IMAGE TO ARTIFACTORY WITH BUILD INFO"  
+echo "*****************************"
+
+docker push $MY_IMAGE --build-name="${JFROG_CLI_BUILD_NAME}-container" --build-number=${JFROG_CLI_BUILD_NUMBER}
+
+# add application as a dependeny of the Container Build Info
+jf bad "./target/*.war" "${JFROG_CLI_BUILD_NAME}-container" ${JFROG_CLI_BUILD_NUMBER}
+
+# publish Container Build Info
+jf bp "${JFROG_CLI_BUILD_NAME}-container" ${JFROG_CLI_BUILD_NUMBER}