|
| 1 | +--- |
| 2 | +lab: |
| 3 | + title: 'Lab 19: Implement Security and Compliance in an Azure DevOps pipeline' |
| 4 | + module: 'Module 19: Implementing Security in DevOps Projects' |
| 5 | +--- |
| 6 | + |
| 7 | +# Lab 19: Implement Security and Compliance in an Azure DevOps pipeline |
| 8 | +# Student lab manual |
| 9 | + |
| 10 | +## Lab overview |
| 11 | + |
| 12 | +In this lab, you will use **Mend Bolt (formerly WhiteSource)** to automatically detect vulnerable open source components, outdated libraries, and license compliance issues in your code. You will leverage WebGoat, an intentionally insecure web application, maintained by OWASP designed to illustrate common web application security issues. |
| 13 | + |
| 14 | +[Mend](https://www.mend.io/) is the leader in continuous open source software security and compliance management. WhiteSource integrates into your build process, irrespective of your programming languages, build tools, or development environments. It works automatically, continuously, and silently in the background, checking the security, licensing, and quality of your open source components against WhiteSource constantly-updated definitive database of open source repositories. |
| 15 | + |
| 16 | +Mend provides Mend Bolt, a lightweight open source security and management solution developed specifically for integration with Azure DevOps and Azure DevOps Server. Note that Mend Bolt works per project and does not offer real-time alert capabilities, which requires **Full platform**, generally recommended for larger development teams that want to automate their open source management throughout the entire software development lifecycle (from the repositories to post-deployment stages) and across all projects and products. |
| 17 | + |
| 18 | +Azure DevOps integration with Mend Bolt will enable you to: |
| 19 | + |
| 20 | +- Detect and remedy vulnerable open source components. |
| 21 | +- Generate comprehensive open source inventory reports per project or build. |
| 22 | +- Enforce open source license compliance, including dependencies’ licenses. |
| 23 | +- Identify outdated open source libraries with recommendations to update. |
| 24 | + |
| 25 | +## Objectives |
| 26 | + |
| 27 | +After you complete this lab, you will be able to: |
| 28 | + |
| 29 | +- Activate Mend Bolt |
| 30 | +- Run a build pipeline and review Mend security and compliance report |
| 31 | + |
| 32 | +## Lab duration |
| 33 | + |
| 34 | +- Estimated time: **45 minutes** |
| 35 | + |
| 36 | +## Instructions |
| 37 | + |
| 38 | +### Exercise 0: Configure the lab prerequisites |
| 39 | + |
| 40 | +In this exercise, you will set up the prerequisites for the lab, which consist of a new Azure DevOps project with a repository based on the [eShopOnWeb](https://dev.azure.com/unhueteb/_git/eshopweb-az400). |
| 41 | + |
| 42 | +#### Task 1: (skip if done) Create and configure the team project |
| 43 | + |
| 44 | +In this task, you will create an **eShopOnWeb** Azure DevOps project to be used by several labs. |
| 45 | + |
| 46 | +1. On your lab computer, in a browser window open your Azure DevOps organization. Click on **New Project**. Give your project the name **eShopOnWeb** and leave the other fields with defaults. Click on **Create**. |
| 47 | + |
| 48 | +  |
| 49 | + |
| 50 | +#### Task 2: (skip if done) Import eShopOnWeb Git Repository |
| 51 | + |
| 52 | +In this task you will import the eShopOnWeb Git repository that will be used by several labs. |
| 53 | + |
| 54 | +1. On your lab computer, in a browser window open your Azure DevOps organization and the previoulsy created **eShopOnWeb** project. Click on **Repos>Files** , **Import**. On the **Import a Git Repository** window, paste the following URL https://github.com/MicrosoftLearning/eShopOnWeb.git and click **Import**: |
| 55 | + |
| 56 | +  |
| 57 | + |
| 58 | +1. The repository is organized the following way: |
| 59 | + - **.ado** folder contains Azure DevOps YAML pipelines |
| 60 | + - **.devcontainer** folder container setup to develop using containers (either locally in VS Code or GitHub Codespaces) |
| 61 | + - **.azure** folder contains Bicep&ARM infrastructure as code templates used in some lab scenarios. |
| 62 | + - **.github** folder container YAML GitHub workflow definitions. |
| 63 | + - **src** folder contains the .NET 6 website used on the lab scenarios. |
| 64 | + |
| 65 | +### Exercise 1: Implement Security and Compliance in an Azure DevOps pipeline by using Mend Bolt |
| 66 | + |
| 67 | +In this exercise, leverage Mend Bolt to scan the project code for security vulnerabilities and licensing compliance issues, and view the resulting report. |
| 68 | + |
| 69 | +#### Task 1: Activate Mend Bolt extension |
| 70 | + |
| 71 | +In this task, you will activate WhiteSource Bolt in the newly generated Azure Devops project. |
| 72 | + |
| 73 | +1. On your lab computer, in the web browser window displaying the Azure DevOps portal with the **eShopOnWeb** project open, clikc on the marketplace icon > **Browse Marketplace**. |
| 74 | + |
| 75 | +  |
| 76 | + |
| 77 | +1. On the MarketPlace, search for **Mend Bolt (formerly WhiteSource)** and open it. Mend Bolt is the free version of the previously known Whitesource tool, which scans all your projects and detects open source components, their license and known vulnerabilities. |
| 78 | + |
| 79 | + > Warning: make sure you select the Mend **Bolt** option (the **free** one)! |
| 80 | +
|
| 81 | +1. On the **Mend Bolt (formerly WhiteSource)** page, clikc on **Get it for free**. |
| 82 | + |
| 83 | +  |
| 84 | + |
| 85 | +1. On the next page, select the desired Azure DevOps organization and **Install**. **Proceed to organization** once installed. |
| 86 | + |
| 87 | +1. In your Azure DevOps navigate to **Organization Settings** and select **Mend** under **Extensions**. Provide your Work Email (**your lab personal account**, e.g. using AZ400learner@outlook.com instead of student@microsoft.com ), Company Name and other details and click **Create Account** button to start using the Free version. |
| 88 | + |
| 89 | +  |
| 90 | + |
| 91 | + |
| 92 | +#### Task 2: Create and Trigger a build |
| 93 | + |
| 94 | +In this task, you will create and trigger a CI build pipeline within Azure DevOps project. You will use **Mend Bolt** extension to identify vulnerable OSS components present in this code. |
| 95 | + |
| 96 | +1. On your lab computer, from the **eShopOnWeb** Azure DevOps project, in the vertical menu bar on the left side, navigate to the **Pipelines>Pipelines** section, click **Create Pipeline** (or **New Pipeline**). |
| 97 | + |
| 98 | +1. On the **Where is your code?** window, select **Azure Repos Git (YAML)** and select the **eShopOnWeb** repository. |
| 99 | + |
| 100 | +1. On the **Configure** section, choose **Existing Azure Pipelines YAML file**. Provide the following path **/.ado/eshoponweb-ci-mend.yml** and click **Continue**. |
| 101 | + |
| 102 | +  |
| 103 | + |
| 104 | +1. Review the pipeline and click on **Run**. It will take a few minutes to run succesfully. |
| 105 | + > **Note**: The build may take a few minutes to complete. The build definition consists of the following tasks: |
| 106 | + - **DotnetCLI** task for restoring, building, testing and publishing the dotnet project. |
| 107 | + - **Whitesource** task (still keeps the old name), to run the Mend tool analysis of OSS libraries. |
| 108 | + - **Publish Artifacts** the agents running this pipeline will upload the published web project. |
| 109 | + |
| 110 | +1. While the pipeline is executing, lets **rename** it to identify it easier (as the project may be used for multiple labs). Go to **Pipelines/Pipelines** section in Azure DevOps project, click on the executing Pipeline name (it will get a default name), and look for **Rename/move** option on the elipsis icon. Rename it to **eshoponweb-ci-mend** and click **Save**. |
| 111 | + |
| 112 | +  |
| 113 | + |
| 114 | +1. Once the pipeline execution has finished, you can review the results. Open the latest execution for **eshoponweb-ci-mend** pipeline. The summary tab will show the logs of the execution, together with related details such as the repository version(commit) used, trigger type, published artifacts, test coverage, etc. |
| 115 | + |
| 116 | +1. On the **Mend Bolt** tab, you can review the OSS security analysis. It will show you details around the inventory used, vulnerabilities found (and how to solve them), and an interesting report around library related Licenses. Take some time to review the report. |
| 117 | + |
| 118 | +  |
| 119 | + |
| 120 | +## Review |
| 121 | + |
| 122 | +In this lab, you will use **Mend Bolt with Azure DevOps** to automatically detect vulnerable open source components, outdated libraries, and license compliance issues in your code. |
0 commit comments