├── src
    ├── main
    │   ├── webapp
    │   │   └── .keep
    │   ├── resources
    │   │   ├── org
    │   │   │   └── jenkinsci
    │   │   │   │   └── plugins
    │   │   │   │       └── burpscan
    │   │   │   │           ├── Messages.properties
    │   │   │   │           └── BurpScanRecorder
    │   │   │   │               ├── config.properties
    │   │   │   │               └── config.jelly
    │   │   └── index.jelly
    │   └── java
    │   │   └── org
    │   │       └── jenkinsci
    │   │           └── plugins
    │   │               └── burpscan
    │   │                   └── BurpScanRecorder.java
    └── test
    │   └── java
    │       └── org
    │           └── jenkinsci
    │               └── plugins
    │                   └── burpscan
    │                       └── BurpScanRecorderTest.java
├── .gitignore
├── README.md
└── pom.xml


/src/main/webapp/.keep:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | target/
2 | .idea/
3 | work/
4 | *.iml
5 | .DS_Store
6 | **/.DS_Store
7 | 


--------------------------------------------------------------------------------
/src/main/resources/org/jenkinsci/plugins/burpscan/Messages.properties:
--------------------------------------------------------------------------------
1 | BurpScanRecorder.description=Burp Scan
2 | 


--------------------------------------------------------------------------------
/src/main/resources/index.jelly:
--------------------------------------------------------------------------------
1 | <?jelly escape-by-default='true'?>
2 | <div>
3 |   Use Burp to scan a website and fail the build depending on issue severity/confidence.
4 | </div>
5 | 


--------------------------------------------------------------------------------
/src/test/java/org/jenkinsci/plugins/burpscan/BurpScanRecorderTest.java:
--------------------------------------------------------------------------------
 1 | package org.jenkinsci.plugins.burpscan;
 2 | 
 3 | import org.junit.Test;
 4 | 
 5 | public class BurpScanRecorderTest
 6 | {
 7 |     @Test
 8 |     public void name()
 9 |     {
10 |         // TODO: test
11 |     }
12 | }
13 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Burp Jenkins Scan Plugin
 2 | 
 3 | Jenkins plugin to scan websites using Burp and fail builds if issues are found.
 4 | 
 5 | * Easy configuration to use Burp API to scan fixed or ephemeral websites as part of a Jenkins project
 6 | * Configurable thresholds to filter issues to pass/fail builds
 7 | 
 8 | ### Building
 9 | ```bash
10 | $ mvn clean package
11 | ```
12 | Then the plugin file will be in `target/burp-scan.hpi`.


--------------------------------------------------------------------------------
/src/main/resources/org/jenkinsci/plugins/burpscan/BurpScanRecorder/config.properties:
--------------------------------------------------------------------------------
1 | ApiUrl=URL of Burp API
2 | ScanDefinitionJson=Scan definition in JSON format
3 | ScanDefinitionJsonDescription=Optional, in the format generated by the web service running on the Burp API endpoint
4 | SeverityThreshold=Lowest severity issue required to fail the build
5 | ConfidenceThreshold=Lowest confidence issue required to fail the build
6 | Timeout=Length of time in seconds to wait before giving up
7 | OutputJsonIssues=Output issues in JSON form (verbose)
8 | SelfSignedCertX509=Self-signed TLS certificate (public part)
9 | SelfSignedCertX509Description=Optional, in X509 base64-encoded format (often a .pem file)


--------------------------------------------------------------------------------
/pom.xml:
--------------------------------------------------------------------------------
 1 | <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
 2 |   <modelVersion>4.0.0</modelVersion>
 3 |   <parent>
 4 |     <groupId>org.jenkins-ci.plugins</groupId>
 5 |     <artifactId>plugin</artifactId>
 6 |     <version>3.8</version><!-- which version of Jenkins is this plugin built against? -->
 7 |   </parent>
 8 | 
 9 |   <groupId>net.portswigger.burp.jenkins.plugins</groupId>
10 |   <artifactId>burp-jenkins-integration</artifactId>
11 |   <version>1.0.7beta</version>
12 |   <packaging>hpi</packaging>
13 |   <name>Burp Scan</name>
14 |   <description>Fail the build if Burp finds issues in a website</description>
15 |   
16 |   <!-- get every artifact through repo.jenkins-ci.org, which proxies all the artifacts that we need -->
17 |   <repositories>
18 |     <repository>
19 |       <id>repo.jenkins-ci.org</id>
20 |       <url>https://repo.jenkins-ci.org/public/</url>
21 |     </repository>
22 |   </repositories>
23 | 
24 |   <pluginRepositories>
25 |     <pluginRepository>
26 |       <id>repo.jenkins-ci.org</id>
27 |       <url>https://repo.jenkins-ci.org/public/</url>
28 |     </pluginRepository>
29 |   </pluginRepositories>
30 | 
31 |   <dependencies>
32 |     <dependency>
33 |       <groupId>net.portswigger.burp.api.driver</groupId>
34 |       <artifactId>burp-ci-driver</artifactId>
35 |       <version>1.0.7beta</version>
36 |     </dependency>
37 |   </dependencies>
38 | 
39 |   <build>
40 |     <plugins>
41 |       <plugin>
42 |         <groupId>org.apache.maven.plugins</groupId>
43 |         <artifactId>maven-compiler-plugin</artifactId>
44 |         <version>3.7.0</version>
45 |         <configuration>
46 |           <source>1.8</source>
47 |           <target>1.8</target>
48 |         </configuration>
49 |       </plugin>
50 |     </plugins>
51 |   </build>
52 | 
53 |   <developers>
54 |     <developer>
55 |       <id>support</id>
56 |       <name>PortSwigger Support</name>
57 |       <email>support@portswigger.net</email>
58 |     </developer>
59 |   </developers>
60 | 
61 |     <properties>
62 |         <jenkins.version>2.7.3</jenkins.version>
63 |         <java.level>8</java.level>
64 |         <no-test-jar>false</no-test-jar>
65 |         <workflow.version>1.14.2</workflow.version>
66 |         <findbugs.failOnError>true</findbugs.failOnError>
67 |         <scm-api-plugin.version>2.0.8</scm-api-plugin.version>
68 |     </properties>
69 | 
70 | </project>
71 | 


--------------------------------------------------------------------------------
/src/main/resources/org/jenkinsci/plugins/burpscan/BurpScanRecorder/config.jelly:
--------------------------------------------------------------------------------
 1 | <?jelly escape-by-default='true'?>
 2 | <j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">
 3 |     <f:entry title="${%ApiUrl}" field="apiUrl">
 4 |       <f:textbox default="http://burp-api-url:1337/api_key/"/>
 5 |     </f:entry>
 6 | 
 7 |     <f:entry title="${%ScanDefinitionJson}" field="scanDefinitionJson" description="${%ScanDefinitionJsonDescription}">
 8 |       <f:textarea />
 9 |     </f:entry>
10 | 
11 |     <f:entry name="severityThreshold" title="${%SeverityThreshold}" field="severityThreshold">
12 |         <select name="severityThreshold">
13 |             <option value="high" selected="${instance.severityThreshold.equals('high') ? 'true' : null}">High</option>
14 |             <option value="medium" selected="${(instance.severityThreshold == null || instance.severityThreshold.equals('medium')) ? 'true' : null}">Medium</option>
15 |             <option value="low" selected="${instance.severityThreshold.equals('low') ? 'true' : null}">Low</option>
16 |             <option value="info" selected="${instance.severityThreshold.equals('info') ? 'true' : null}">Information</option>
17 |             <option value="undefined" selected="${instance.severityThreshold.equals('undefined') ? 'true' : null}">Undefined</option>
18 |             <option value="false_positive" selected="${instance.severityThreshold.equals('false_positive') ? 'true' : null}">False Positive</option>
19 |         </select>
20 |     </f:entry>
21 | 
22 |     <f:entry name="confidenceThreshold" title="${%ConfidenceThreshold}" field="confidenceThreshold">
23 |         <select name="confidenceThreshold">
24 |             <option value="certain" selected="${instance.confidenceThreshold.equals('certain') ? 'true' : null}">Certain</option>
25 |             <option value="firm" selected="${instance.confidenceThreshold.equals('firm') ? 'true' : null}">Firm</option>
26 |             <option value="tentative" selected="${(instance.confidenceThreshold == null || instance.confidenceThreshold.equals('tentative')) ? 'true' : null}">Tentative</option>
27 |             <option value="undefined" selected="${instance.confidenceThreshold.equals('undefined') ? 'true' : null}">Undefined</option>
28 |         </select>
29 |     </f:entry>
30 | 
31 |     <f:entry title="${%Timeout}" field="timeout">
32 |       <f:textbox default="120"/>
33 |     </f:entry>
34 | 
35 |     <f:entry title="${%OutputJsonIssues}" field="outputJsonIssues">
36 |       <f:checkbox />
37 |     </f:entry>
38 | 
39 |     <f:entry title="${%SelfSignedCertX509}" field="selfSignedCertX509" description="${%SelfSignedCertX509Description}">
40 |       <f:textarea />
41 |     </f:entry>
42 | 
43 |     <i>Note that the dynamic input for this plugin is the content of the previous step's build output, specifically lines of the form "BURP_SCAN_URL = &lt;URL to scan&gt;"</i>
44 | </j:jelly>
45 | 


--------------------------------------------------------------------------------
/src/main/java/org/jenkinsci/plugins/burpscan/BurpScanRecorder.java:
--------------------------------------------------------------------------------
  1 | package org.jenkinsci.plugins.burpscan;
  2 | 
  3 | import com.google.common.base.Strings;
  4 | import hudson.Extension;
  5 | import hudson.Launcher;
  6 | import hudson.model.AbstractBuild;
  7 | import hudson.model.AbstractProject;
  8 | import hudson.model.BuildListener;
  9 | import hudson.tasks.BuildStepDescriptor;
 10 | import hudson.tasks.BuildStepMonitor;
 11 | import hudson.tasks.Builder;
 12 | import net.portswigger.burp.api.driver.BurpCiDriver;
 13 | import net.portswigger.burp.api.driver.BurpCiSourceConsumer;
 14 | import org.kohsuke.stapler.DataBoundConstructor;
 15 | 
 16 | import java.io.BufferedReader;
 17 | import java.io.FileReader;
 18 | import java.io.IOException;
 19 | import java.io.UncheckedIOException;
 20 | 
 21 | public class BurpScanRecorder extends Builder
 22 | {
 23 |     @Extension
 24 |     public static final BuildStepDescriptor<Builder> DESCRIPTOR = new BuildStepDescriptor<Builder>()
 25 |     {
 26 |         @Override
 27 |         public boolean isApplicable(Class<? extends AbstractProject> jobType)
 28 |         {
 29 |             return true;
 30 |         }
 31 | 
 32 |         @Override
 33 |         public String getDisplayName() {
 34 |             return "Burp scan";
 35 |         }
 36 |     };
 37 | 
 38 |     private final String apiUrl;
 39 |     private final String scanDefinitionJson;
 40 |     private final String severityThreshold;
 41 |     private final String confidenceThreshold;
 42 |     private final String timeout;
 43 |     private boolean outputJsonIssues;
 44 |     private final String selfSignedCertX509;
 45 | 
 46 |     @DataBoundConstructor
 47 |     public BurpScanRecorder(
 48 |             String apiUrl,
 49 |             String scanDefinitionJson,
 50 |             String severityThreshold,
 51 |             String confidenceThreshold,
 52 |             String timeout,
 53 |             boolean outputJsonIssues,
 54 |             String selfSignedCertX509
 55 |     ) {
 56 |         this.apiUrl = apiUrl;
 57 |         this.scanDefinitionJson = scanDefinitionJson;
 58 |         this.severityThreshold = severityThreshold;
 59 |         this.confidenceThreshold = confidenceThreshold;
 60 |         this.timeout = timeout;
 61 |         this.outputJsonIssues = outputJsonIssues;
 62 |         this.selfSignedCertX509 = selfSignedCertX509;
 63 |     }
 64 | 
 65 |     // getters for data-binding
 66 | 
 67 |     @SuppressWarnings("unused")
 68 |     public String getApiUrl()
 69 |     {
 70 |         return apiUrl;
 71 |     }
 72 | 
 73 |     @SuppressWarnings("unused")
 74 |     public String getScanDefinitionJson()
 75 |     {
 76 |         return scanDefinitionJson;
 77 |     }
 78 | 
 79 |     @SuppressWarnings("unused")
 80 |     public String getSeverityThreshold()
 81 |     {
 82 |         return severityThreshold;
 83 |     }
 84 | 
 85 |     @SuppressWarnings("unused")
 86 |     public String getConfidenceThreshold()
 87 |     {
 88 |         return confidenceThreshold;
 89 |     }
 90 | 
 91 |     @SuppressWarnings("unused")
 92 |     public String getTimeout()
 93 |     {
 94 |         return timeout;
 95 |     }
 96 | 
 97 |     @SuppressWarnings("unused")
 98 |     public boolean getOutputJsonIssues()
 99 |     {
100 |         return outputJsonIssues;
101 |     }
102 | 
103 |     @SuppressWarnings("unused")
104 |     public String getSelfSignedCertX509()
105 |     {
106 |         return selfSignedCertX509;
107 |     }
108 | 
109 |     @Override
110 |     public boolean perform(AbstractBuild<?, ?> build, Launcher launcher, BuildListener listener)
111 |     {
112 | //        listener.getLogger().println("DEBUG: apiUrl = " + apiUrl);
113 | //        listener.getLogger().println("DEBUG: scanDefinitionJson = " + scanDefinitionJson);
114 | //        listener.getLogger().println("DEBUG: severityThreshold = " + severityThreshold);
115 | //        listener.getLogger().println("DEBUG: confidenceThreshold = " + confidenceThreshold);
116 | //        listener.getLogger().println("DEBUG: timeout = " + timeout);
117 | //        listener.getLogger().println("DEBUG: outputJsonIssues = " + outputJsonIssues);
118 | 
119 |         BurpCiSourceConsumer burpCiSourceConsumer = BurpCiSourceConsumer.fromReader(logReader(build));
120 | 
121 |         try {
122 |             return new BurpCiDriver(
123 |                         apiUrl,
124 |                         scanDefinitionJson,
125 |                         burpCiSourceConsumer.getUrls(),
126 |                         severityThreshold,
127 |                         confidenceThreshold,
128 |                         timeout,
129 |                         burpCiSourceConsumer.getIgnores(),
130 |                         null,
131 |                         null,
132 |                         outputJsonIssues ? listener.getLogger()::println : null,
133 |                         selfSignedCertX509 == null || selfSignedCertX509.isEmpty() ? null : selfSignedCertX509) // TODO: in 1.0.7 nullOrEmpty is done in the driver
134 |                     .scan(listener.getLogger()::println)
135 |                     .success;
136 |         }
137 |         catch (IOException e)
138 |         {
139 |             throw new UncheckedIOException(e);
140 |         }
141 |         catch (InterruptedException e)
142 |         {
143 |             throw new RuntimeException(e);
144 |         }
145 |     }
146 | 
147 |     private static BufferedReader logReader(AbstractBuild<?, ?> build)
148 |     {
149 |         try
150 |         {
151 |             return new BufferedReader(new FileReader(build.getLogFile()));
152 |         }
153 |         catch (IOException e)
154 |         {
155 |             throw new UncheckedIOException(e);
156 |         }
157 |     }
158 | 
159 |     @Override
160 |     public BuildStepMonitor getRequiredMonitorService()
161 |     {
162 |         return BuildStepMonitor.NONE;
163 |     }
164 | 
165 |     @Override
166 |     public BuildStepDescriptor getDescriptor()
167 |     {
168 |         return DESCRIPTOR;
169 |     }
170 | }
171 | 


--------------------------------------------------------------------------------