# Security configuration

Here we show how to set up and configure all features in order to get the most out of the security tool.

# Enable pull request support

For Debricked to generate pull requests on your behalf, you need to do some configuration based on the platform.

# Enable Vulnerable Functionality for your repository

Note: Vulnerable Functionality is currently in beta. Results may be less accurate than expected, and not all types of projects are yet supported.

To enable vulnerable functionality (currently only supported for Java), you must set up an integration using GitHub Actions. Once you have set up GitHub Actions, you simply include the Vulnerable Functionality action before the scan action to generate the files needed for analysis. Vulnerable Functionality and source code-less scans go well together: if you are going to set up vulnerable functionality analysis, we strongly recommend you also set up source code-less scans at the same time.

Vulnerable functionality supports all Java projects, regardless of which dependency management system you use. All we need is the compiled code for your project and the libraries it uses. You must generate these files yourself and then pass them to the action. We walk you through how to do this below.

If you are using Maven we are able to do some of this for you. Here is how to set up vulnerable functionality for a Maven project.

# Setting it up

```yaml
name: Vulnerability scan

on: [push, pull_request]

jobs:
  vulnerabilities-scan:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v2
    - uses: debricked/vulnerable-functionality/java@v0
      with:
        path-to-compiled-files: 'path/to/my/compiled/files'
        path-to-library-files: 'path/to/my/library/files'
    - uses: debricked/actions/scan@v1
      env:
        DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }}
```

'path/to/my/compiled/files' and 'path/to/my/library/files' need to be replaced with the respective paths, specific to your project. Also note that the vulnerable functionality action needs to be placed after the checkout step, but before the scan step.

A complete example could look like this:

```yaml
name: Vulnerability scan

on: [push, pull_request]

jobs:
  vulnerabilities-scan:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v2
    - uses: actions/setup-java@v1
      with:
        java-version: '11'
    - run: mvn -B package dependency:copy-dependencies -DoutputDirectory=dependencies -DskipTests
    - uses: debricked/vulnerable-functionality/java@v0
      with:
        path-to-compiled-files: 'target/classes'
        path-to-library-files: 'dependencies'
    - uses: debricked/actions/scan@v1
      env:
        DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }}
```

This configuration uses Maven to compile the project and copy the dependencies to a folder named dependencies. The path to the compiled files and the folder containing the dependencies is then passed to the vulnerable functionality action. Since you most likely already compile your project as part of your pipeline, you can simply pass the path to those files to the vulnerable functionality action.

If you use several modules, your compiled files or dependencies might be spread over several folders. In this case, include all folders, separated by commas, as below:

```yaml
path-to-compiled-files: 'frontend/target/classes,backend/target/classes'
path-to-library-files: 'frontend/dependencies,backend/dependencies'
```
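A common failure mode with the generic Java action is a path that is mistyped or a module that was not built before the action runs, in which case there is nothing for the analysis to inspect. The following POSIX shell function is an added example (not part of Debricked's action or documentation) that checks a comma-separated directory list, in the same format the action accepts, before it is handed to the action: every directory must exist and contain at least one file matching a glob such as `*.class` or `*.jar`. The function name and the idea of running it as a `run:` step between the build and the action are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Debricked's own code: validate the directory lists that
# will be passed as path-to-compiled-files / path-to-library-files.
#
# check_dirs LIST PATTERN
#   LIST     comma-separated directories, e.g. 'a/target/classes,b/target/classes'
#   PATTERN  glob each directory must contain at least one file for,
#            e.g. '*.class' for compiled output or '*.jar' for libraries
# Returns 0 when every directory exists and is non-empty for PATTERN,
# otherwise reports the first problem on stderr and returns 1.
check_dirs() {
  list=$1
  pattern=$2
  old_ifs=$IFS
  IFS=','
  for dir in $list; do
    if [ ! -d "$dir" ]; then
      IFS=$old_ifs
      echo "missing directory: $dir" >&2
      return 1
    fi
    # First matching file, or empty output if there is none.
    first=$(find "$dir" -type f -name "$pattern" | head -n 1)
    if [ -z "$first" ]; then
      IFS=$old_ifs
      echo "no files matching $pattern under: $dir" >&2
      return 1
    fi
  done
  IFS=$old_ifs
  return 0
}

# Assumed CI usage, as a `run:` step placed after the build step and before
# the vulnerable-functionality action (paths are the multi-module example above):
#   check_dirs 'frontend/target/classes,backend/target/classes' '*.class' || exit 1
#   check_dirs 'frontend/dependencies,backend/dependencies' '*.jar' || exit 1
```

Failing the job at this point gives a clear message about which module or path is wrong, instead of an analysis that silently covers only part of the code base.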

# Projects using Maven

If your project uses Maven, we can reduce the amount of configuration you have to do by compiling the project and moving the dependencies to the correct place ourselves. If you already compile your project in your pipelines and want to avoid doing it an additional time, or if our Maven scripts don't understand your setup, you can use the generic Java action instead. Otherwise, using the Maven action is easy.

```yaml
name: Vulnerability scan

on: [push, pull_request]

jobs:
  vulnerabilities-scan:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v2
    - uses: debricked/vulnerable-functionality/java/maven@v0
    - uses: debricked/actions/scan@v1
      env:
        DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }}
        UPLOAD_ALL_FILES: "true"
```

Please note that you need to add the Vulnerable Functionality step after the checkout step, but before the scan step.

By default, Vulnerable Functionality will assume your root pom.xml file is in the base repository directory, and that your compiled files wind up in the default directory, target/classes. If this is not the case you need to specify the paths you use, as shown below.

```yaml
name: Vulnerability scan

on: [push, pull_request]

jobs:
  vulnerabilities-scan:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v2
    - uses: debricked/vulnerable-functionality/java/maven@v0
      with:
        root-pom-directory: 'path/to/directory/with/root/pom'
        path-to-compiled-files: 'path/where/compiled/files/wind/up'
    - uses: debricked/actions/scan@v1
      env:
        DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }}
        UPLOAD_ALL_FILES: "true"
```

path-to-compiled-files can be one folder, or a comma-separated list of folders.