So hello and welcome everyone. Can you all hear me? If someone can confirm in the chat section... Perfect, thank you so much. So hello and welcome, everyone, to the first session of the privacy and data governance track. Today we have Yousuf Zainee to talk about Red Hat, Snyk and Jenkins: a combo for a reliable stack. Our speaker Yousuf is a principal software engineer in Red Hat's developer group, he has 14 years of experience in software development, and he is one of the key contributors to Red Hat's project fabric8-analytics. So I hope you are all as excited as I am to learn about Red Hat, Snyk and Jenkins. All right, so I will share the pre-recorded demo and session by Yousuf, and Hemant will also paste the YouTube link in the chat section in case you face any issues, like if Hopin breaks for you while watching the session, so you can go directly to that link. But do remember to come back here to ask your questions to Yousuf. All right, so I'm going to share my screen.

Hello and welcome everybody. My name is Yousuf Zainee and I'm a principal software engineer at Red Hat India. Today I'll be talking about how Red Hat, Snyk and Jenkins have come together to give users a reliable stack.

These are some of the points that we are going to cover today. The first one is what are the major problems that developers face in day-to-day life; what's the probable solution; why Snyk; and what's up with Jenkins, like why we are talking about Jenkins over here.

So let's take the first thing first. Let's talk about the problems that developers face in day-to-day life, and pick the prime, major ones that they face. The first one is: how do developers choose the right dependency?
If you are following npm or PyPI or Maven, you would know that on a daily basis there are thousands of new packages which are released. Now how does a developer know which of these packages is useful, which one he should be using and which he should not be using? There are so many available in the market. So which one to choose and which one not to choose: this is one of the dilemmas that they come across on a daily basis.

The second one: now that you have a stack, you have a manifest file containing lots of packages or dependencies. Each of those packages or dependencies will have its own licensing terms, and there can be chances where the developer might have included packages which are not compatible with each other, or rather I'll say the licenses of which are not compatible with each other. There might be outliers. There might be restrictions which come because of a package selected in the manifest file having a weird type of license. So how does a user get to know about all these things?

The third, and one of the primary pieces of information that usually goes unnoticed, is the security vulnerability. What if the package or the version that the user has selected has a vulnerability associated with it? How does one know about it?

And the last one: the package that the user or the developer has selected to be a part of his stack, how popular is it, how well maintained is it? How does one get to know about it?

So we have talked about the problems that we have. So what's the solution? Here is the solution that we have: CodeReady Dependency Analytics from Red Hat, partnered with Snyk.
So Snyk provides the vulnerability information over here, and what it does is that all the four problems that I spoke of are addressed in the form of a report. In this platform we scan your manifest file, we get the details of your packages, then do a lot of analysis behind the scenes and come up with a comprehensive report which addresses more or less all the problems that I spoke of earlier. So what is it that we have in the report? Let's have a look.

So CRDA as a platform uses the information that we get from the developer's manifest file, then runs some intelligent business logic behind the scenes and comes up with this comprehensive report that is shown to the user. This namely contains four major tabs, and we'll go into the details of each tab one by one.

The first one here is the security issues. Most of this information is provided by Snyk. Here Red Hat has partnered with Snyk, where they provide us all the vulnerability information. So it's not that Snyk is scanning your repository over here; it's that they are providing the vulnerability information to us, and then we use our own intelligent logic behind the scenes to club that information together with the information from your manifest file and come up with this report in front of you.

So then comes the question: why Snyk? Snyk is the world leader when it comes to vulnerability databases. They have the most vulnerability information and the most accurate. And not only that, they also create their own vulnerabilities from time to time, so what happens is that security vulnerability information which is not even available publicly is available to us via Snyk, which tells us that this is a probable vulnerability which might be coming up, and we can show it to the users. So we categorize into the commonly known vulnerabilities and the vulnerabilities unique to Snyk. Those are the two sections that
you see over here. So you get to see the ones that are publicly available, plus you get to see the information that is not even available publicly. That's where Snyk comes in really handy and really helpful, and comes up with very good information about the security vulnerabilities.

So now let's go into the details of what this whole card has in store for you. First and foremost, it tells us the total number of vulnerabilities that are found, and it tells us not only the details about the direct dependencies but also the transitive dependencies, which the user might not even know are there: these are all the transitive packages which are available, or the vulnerabilities which are attached to these transitive dependencies. The second is the details about the vulnerabilities; obviously it tells the details of the public and the non-public ones, which I already spoke of.

Now here is the information which is really important. It tells us the details of the current version that the user is using in the stack and the recommended non-vulnerable version that he should upgrade to, if he wants to get rid of all the vulnerabilities that are associated with that package. And here you see the details about the severity of the vulnerability, the CVSS score, the exploits; all those details are shown over here.

And that's not all. There is a subsection over here where you can click and get to see all the details about the transitive dependencies. The details are nothing different from what you see over here. It's just that under each direct dependency it has a list of all the transitive dependencies which are vulnerable, and then it has the vulnerability information for them as well.

Going to the second card, this is the dependency details card. Here you get to know about the details of your dependencies. So what all things are in store over here?
Let's go one by one. First and foremost, we tell what's the total number of dependencies that we have analyzed, and how many transitives we analyzed along with your direct dependencies. That's the count that we show over here. This is not saying that 23 are vulnerable; this is just showing the total number of transitives that are present in your package. Then over here we show what is the current version that the user is using and what's the latest version which is available in the market, so if you want you can upgrade to the latest version and use that one. And then over here it tells about all the GitHub statistics, which in a nutshell tell the user how popular this package is or how well maintained this package is by looking at these statistics.

Going to the third card, which is the licensing details card. Here we have all the information related to the licenses. The first one: after scanning all the packages in the manifest file, we come up with the suggested license for your project, and in this case it says that after scanning all the dependencies it understands that the suggested license that we should be declaring for this particular project should be MIT. That's the suggestion that it gives. The second thing it tells about is the licensing conflicts. In case there are two or more packages which have some conflicts in their licenses, then that information will be shown over here. And then there are the unknown licenses, which means that these licenses are not known to our system. We don't know about these licenses because many a time it happens that users come up with their own, some weird names, or there can be new licenses coming up every now and then, so we need some time to have those things up in our system and then reflect them over here.
So for all such licenses we mark them as unknown. That shows that we do not know about these, and then we make sure that over the period of time we include them as well, and then those do not continue to be unknown anymore.

And the last one is the restrictive licenses. Licenses anyway have different categories. Most of the packages are really open and available, free to use, and then there are some packages which are very, very restrictive. Such packages are called outliers or restrictive. So those are again mentioned over here: that there are some licenses which are restrictive, like say you have most of them with Apache 2.0 or MIT, and then you have one or two packages which have AGPL, something like that. So then the one with AGPL obviously is restrictive, and it's going to change the entire license for your project. So that is mentioned over here, that you have a restrictive license; if you want you can use it, if you don't want you can change it.

Now the last information is about the add-ons tab. Here we have our own AI models which run and then come up with a suggestion of the packages that can be added to your dependencies as companions. In this case, you are seeing that it is giving a suggestion of four dependencies which should be added. So let's see what all details it shows. It tells about the confidence score of each of the dependencies. This is again coming from the AI model: how confident it is that this dependency should be included in your manifest file. We mention it by the confidence score; so if the confidence score is very high, it means that many, many people are using it and our engine highly recommends that this should be there as part of your system or your project. And then, along with the confidence score and the package name,
it also gives the latest information which is available in the market, the GitHub statistics about the package, so that you can check how popular this is, which I already spoke of. You can check all these details, which tell you how popular it is among the different developers. And then, obviously, this is just a suggestion that we are giving you, so we expect feedback from you as well. Did you like our suggestion? Did you not like a suggestion? You can always give us an upvote or a downvote.

So this is all that we have in the comprehensive stack report. Wow, that was really detailed and comprehensive. Awesome, isn't it?

So now that we know what all the problems are, and now that we know that we have a solution, the next question that comes to our mind is how do we use it? There are a lot of ways the platform can be used, but as part of this demo or this presentation we will be discussing how it can be used in Jenkins as a Jenkins plugin.

So before I go to the demo, there are a few prerequisites that I would assume people already know, or if you want to work along with this and you're watching this video on YouTube, you can probably pause here, follow these steps and then continue. So the assumption is that the Jenkins admin should have the CRDA CLI installed in his system. The admin should have generated the UUID by using the crda auth command. Jenkins should be installed in your system; that's a basic thing. And then our plugin, which is called the Red Hat CodeReady Dependency Analysis plugin, should be installed in that Jenkins instance. These are some of the prerequisites, and the reason why I'm skipping these steps is because there's a constraint on the duration of this video or the presentation, so I cannot go on doing all these things, which take a little bit of time. In order to save time,
I'm just putting these as steps. Just go through these steps and then you are good to follow along from the next steps that I show. And don't worry about all of this: if you are not aware of where to find the CRDA CLI, if you are not aware of how to install it and all, I'll have all those links in the description, and at the end of these slides I'll have everything in place. So please do not worry about it.

Okay. So assuming that you are done with the initial steps, now it's time to start the actual demo. Once you're logged into the Jenkins portal, the first thing is to create some credentials. For that you have to go to Manage Jenkins, go to Manage Credentials, and here you need to click Add Credentials. Now in the dropdown that you find over here, in the kind, you have to select the CRDA key. Automatically it will give all the details that it requires to create the key. Keep the scope as global, and in the CRDA key field you click on this help icon in order to understand what it is that is required. Here we need the CRDA token, which you would have created as part of the initial step via the CRDA CLI. So let's just give some dummy value over here, just assuming that you have provided the CRDA key over here.

Now comes the part of the ID and the description. For the ID there are two options: you can either give your own ID or allow Jenkins to generate its own ID. For the purpose of the demo, I'll put some ID over here, and the same I'll keep in the description. And if you click OK, that's the credential that is created for you. So that's the first step.

Once the credential setup is done, the next part is to start using this plugin. As part of this demo, I'll show it with a Jenkins pipeline project and a Jenkins freestyle project. Let's take the freestyle project first. Once you click on this configure button, if you scroll down under the build section, you will see an add build
step option, and in that you need to select Invoke CRDA Analysis. As soon as you click on that, it will give you all the fields that are necessary for this plugin to run. The important parts are the file path and the CRDA key. The file path: obviously for the demo purpose I am keeping this file in a temporary location, but in your case, if you're running it in a full-fledged manner, obviously you'll have different steps, like you'll first clone the repo, then build the repo, run some checks and all, and then probably have this step. So obviously you'll have a different location. But yeah, let's keep it as it is, just for simplicity. So this is the location; let's copy and paste it here. And if you remember, just some time back we created this secret. This is the one which I already had earlier, and this is the one that we created some time back. So let's select that. Now it says that all the mandatory fields are provided.

The third part is the CRDA CLI version. Here, if you do not want to use the latest version, then you can actually specify a particular version that you want to use. The format is "v" dot dot dot, so you can give 0.2.2 over here if you wish to use this version. If you do not provide anything over here, it will take the default version.

And the last one is the contribution towards the usage statistics. From here we take some consent from the user to collect some telemetry data. We do not store any user name, email and all that stuff. It's just for us to understand where this call is coming from, how many packages did we scan, how many vulnerabilities did we report, that type of information.
So if you wish to allow us to check that data and keep track of it, then you need to check this button; if you don't want, then don't check this button. That's all that is required as part of this plugin step. Once you click save, after that you can click on build.

Let's go to the console. If you see, it's saying that it has found that 0.2.3 was the version which was already installed, so that is why it is ready to be used. If this version was not present, or if you had wished for a different version to be used, then the installation would have happened first for that CLI and then this analysis would have begun. Once the analysis is done you get this information in text form in the logs, and you get all these details about the vulnerabilities, the packages that we scanned and all that stuff. And along with that we get a link via which the user can see the comprehensive report that I was talking about earlier. In the logs you just see the vulnerability information, because we feel that that is the most important one the user is concerned about, and that's why we provide that first.

Now along with that, if you see here, you see a Red Hat icon which says CRDA stack report, and if the user clicks on that, the same vulnerability information can be seen in a much better view, which is in graphical format. Here you can see the exact details of how many direct dependencies we scanned, how many transitives we scanned, how many were found as vulnerable, how many vulnerabilities did we find, the ones which were publicly available, the ones which were unique to Snyk, and along with that the severity: the low, medium, high and critical. Once you're done with this, you also have an option to see the report from here as well, the same one, the same link that was provided in the logs. The same report can be accessed from here as well.
You just need to click on it, and then you see the entire report over here, which contains not only the security issues but also the dependency details, the licensing details and the add-ons feature. Here under the vulnerabilities you see the ones which are commonly available and the ones which are unique to Snyk.

And yeah, one thing which I forgot to mention earlier: once you start using this platform for the first time, obviously you will not be a registered Snyk user; you'll only be a CRDA user. In such cases, there are some limitations that you will see in the vulnerability information: you won't see the exploits, you won't see the vulnerabilities which are unique to Snyk, but the rest of the things you'll see as they are. If you want to see all the information, then you just need to register yourself with Snyk, which is totally free. Of course, there's no money involved over here; you don't need to pay anything. And once you register yourself with Snyk, you just need to provide the Snyk token over here. It's a very simple step. You just need to click, go to the URL, and follow the steps from there. So if you just click here, it will take you to the registration page. Do follow the steps, get the key, then put it back over here and click submit, and it will show you as registered. As soon as you are registered, you will start seeing all the features, like the unique information and the exploits and the details; everything will come up.

So this is what you see in the CRDA Jenkins plugin and the report when you are trying to view it from the freestyle project. A similar report will come up for the Jenkins pipeline also, but yeah, let's see how that can be done.
So let's now check the pipeline. In the case of pipelines, there's a little bit of difference in how we do the configuration. If you click on configure here, you will see that we usually use the pipeline scripts to do the build. In this, this is the line which we are interested in. This is the one which is going to actually call the CRDA analysis, and these are the four parameters: file, CRDA key ID, CLI version and consent telemetry, along with the values that we need to pass. Now this can be a little tedious, because people might not remember the exact parameters; they might make some typographical errors while writing this. So a better way to add this command here is by using the pipeline syntax. Click on this pipeline syntax generator and go to CRDA analysis, and here you will see the options and what all the fields are that are mandatory. In this you fill out the details, then select the CRDA key, provide the CLI version and the consent telemetry, and then click on generate pipeline script. As soon as you click on this, the command that needs to be passed will be generated, and this can be copied and pasted here, so that the proper value is sent and there is no scope for any manual errors. And then just click on save and click on build.

So let's go to the console, and here also we see that the required version is 0.2.3, and it is doing the analysis. This time I have selected pom.xml to show you the Maven part of it; in the previous example we saw the package.json, and in this I wanted to show you the Java part. Once the analysis in this is completed, it will show you the same type of results, which is the vulnerability information in the logs along with the URL which can be clicked to see the report. And along with that there will be a UI representation of the same, where you can go in, check the details, see the vulnerabilities, and on a click you can see the report as well.

So if you remember, I had
mentioned that Jenkins is not the only place where you can find us. There are a lot of other places, as there are different stages in the development life cycle. Let's start with the first thing, like the developer has just started writing the code. He has just opened an IDE and he's, you know, started with the manifest file, or he's just adding some packages to start his project, maybe starting with the hello world itself. So he has to have some packages, right? As soon as the first package or the first dependency is added in the manifest file, our plugin kicks in, and at that instant it tells the developer if he has any vulnerability associated with that package. And if the user wants, he always has an option to check out the comprehensive report at any point of time during his entire development cycle, and he will get to see the detailed report as I showed earlier. Those plugins are available in VS Code and IntelliJ.

Now let's get to the next stage. The coding is done, we have committed the code. As soon as you commit the code, obviously you will have some sort of build pipeline set up, so there again we have different options. You can either use the Jenkins plugin in the way that I have already explained, or you can use the GitHub Action or Tekton, whichever one you like; you can pick any one and then, according to your requirements, use either of them.

Now coming to the last part, where even the commit is done, now the image is created, and now you're ready to ship the image or you're ready to promote the image. If you are uploading the image to Quay, again we have an option over there: as soon as you upload the image to Quay, our plugin will kick in and it will give you the details about the vulnerabilities and all. And the same goes with the Clair image scanner; if you want to use it, you can use it there as well.

Now, suppose you are sort of a command line hero who doesn't want to use any of these plugins, who doesn't want these UI interfaces and all, and you
know, you are comfortable writing commands and all. For all such people, you also have our command line interface, where after you type some commands you'll get your entire stack scanned, and then you will get a link for the detailed report which you can click on and see. Yeah, obviously the report will remain as a UI component; you cannot have a command line interface for that. But at least the execution part and all you can do via the CLI, and then you do not have to install any plugins and all, if you don't want to do that.

And as I promised earlier, these are all the relevant links where you can find us: the details on the Jenkins plugin, the CLI, the VS Code plugin, the IntelliJ plugin, and if you want to play around I have also pasted this sample report link. You can click on it just to see how the report is and get a firsthand feel. Anybody who is watching this video can just use this link and play around with the report and have a look at it. If you're watching this on YouTube, again I repeat that all these links are available in the description. Just go and check it out. Play around, check out all the features, give some feedback, whether appreciative or if you do not like something; tell us about that, and also let us know what all the other features are that you would be interested in, what all the new things are that you would be interested in. Currently we are supporting Golang, Maven, npm and Python. So if you want any other programming languages to be included in this platform, whichever languages you would like, please come in, please let us know about all those things, and then we'll make sure that we pick up the ones which the developers want the most.

And with that I'll come to the end of the presentation. You guys are great. Thank you.