- Author: Pedric Kng
- Updated: 22-Jul-21
This article describes the usage of CxSCA Resolver in a Jenkins declarative pipeline.
CxSCA Resolver is an on-premise package resolver: it captures the open source packages in a project by working in sync with the installed package managers, and sends only the resulting signatures/manifest to the CxSCA cloud for analysis.
Additionally, CxSCA Resolver can correlate with CxSAST to trace the exploitable path from your proprietary source code into the vulnerable functions of open source packages. This speeds up triaging and prioritization of CxSCA results.
Prerequisites:
- Jenkins declarative pipeline
- Installed package managers
- Existing CxSAST scan with imported queries
The sample Jenkinsfile includes 4 stages:
- Cleanup -- Clean-up workspace
- Checkout -- Checkout source from git repository
- Build -- Execute maven build
- CxSCA -- Download CxSCA resolver, and execute scans
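A Jenkinsfile that wires up these four stages, added here as an example rather than the article's own sample. The resolver download URL, the ScaResolver flag names, the credential ids `cxsca-creds` and `cxsca-account`, and the project name are assumptions; credentials are passed through `withCredentials` and expanded by the shell so they never enter a Groovy string.

```groovy
// Added example (not the article's Jenkinsfile). Assumed: download URL,
// ScaResolver flag names, credential ids 'cxsca-creds'/'cxsca-account', project name.
pipeline {
    agent any
    environment {
        // Assumed location of the Linux resolver package; verify against the CxSCA docs.
        SCA_RESOLVER_URL = 'https://sca-downloads.s3.amazonaws.com/cli/latest/ScaResolver-linux64.tar.gz'
        SCA_PROJECT      = 'my-maven-service'   // assumed CxSCA project name
    }
    stages {
        stage('Cleanup') {
            steps { deleteDir() }   // start from an empty workspace
        }
        stage('Checkout') {
            steps { checkout scm }  // source from the job's configured git repository
        }
        stage('Build') {
            steps {
                // Maven build first, so the resolver sees a fully resolved dependency tree
                sh 'mvn -B -DskipTests clean package'
            }
        }
        stage('CxSCA') {
            steps {
                // Download and unpack the resolver into the workspace (curl fails on HTTP errors)
                sh '''
                    mkdir -p resolver
                    curl -fsSL "$SCA_RESOLVER_URL" | tar -xz -C resolver
                '''
                // Secrets stay in the Jenkins credential store and are masked in the log.
                withCredentials([usernamePassword(credentialsId: 'cxsca-creds',
                                                  usernameVariable: 'SCA_USER',
                                                  passwordVariable: 'SCA_PASS'),
                                 string(credentialsId: 'cxsca-account', variable: 'SCA_ACCOUNT')]) {
                    // Flag names (-s source dir, -n project, -a account, -u/-p login) are
                    // assumed; confirm them with ./resolver/ScaResolver --help for your version.
                    // Single-quoted Groovy string: the shell expands the variables, not Groovy.
                    sh './resolver/ScaResolver scan -s "$WORKSPACE" -n "$SCA_PROJECT" ' +
                       '-a "$SCA_ACCOUNT" -u "$SCA_USER" -p "$SCA_PASS"'
                }
            }
        }
    }
}
```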
CxSCA Resolver can also be dockerized as a base image and extended to include the relevant package managers; refer to the Dockerfile.