Integrating Acunetix with Jenkins

You can download Jenkins from https://jenkins.io/download/. Jenkins runs on Windows, on Linux distributions, and in Docker containers. The rest of this document assumes that Jenkins version 2.401.3 was installed on Debian Linux from the Debian package repository:

https://pkg.jenkins.io/debian-stable binary/

This document will describe how to:

  • Configure Jenkins to Integrate with Acunetix
  • Add an Acunetix Scan as a Build Step in a Jenkins Job

Configure Jenkins to Integrate with Acunetix

Obtain the Jenkins plugin file

Please contact Invicti support to provide access to the HPI file for uploading to your Jenkins installation.

Install the Acunetix Plugin for Jenkins

  • Open Jenkins using an administrator account.
  • From the main menu, select Manage Jenkins -> Manage Plugins.

  • From the Plugin Manager window, select the Advanced Settings option.
  • From the Deploy Plugin section, click the Choose File button.

  • Select the jenkins-plugin.hpi file you obtained previously, then click the Open button.
  • Select Deploy.

  • To use the plugin, restart Jenkins.

Step 2: Find the Certificate Store path for installing the Acunetix SSL Certificate into the Jenkins CA store

🔍 About Multiple JAVA Instances on the Jenkins Machine

Be aware that the JAVA instance that is running your Jenkins service bears no relation to any of the JDK instances defined in "Manage Jenkins => Global Tool Configuration". The JDK instances defined in the Global Tool Configuration are used by Jenkins during build processes.

The Certificate Store path and file will be JAVA_HOME_FOLDER\lib\security\cacerts. The next step, therefore, is to identify the JAVA_HOME_FOLDER for the JAVA binary running your Jenkins service – keep in mind that your machine may have several installations of different versions of JAVA.

Jenkins on Windows

  • First we need to understand which JAVA installation is running the Jenkins service. You can get this by examining the "jenkins.xml" file inside the Jenkins installation directory for the "executable" tag:

<executable>%BASE%\jre\bin\java</executable>

The %BASE% variable refers to the Jenkins installation directory. Typically this would be "C:\Program Files (x86)\Jenkins".

  • To find the "java.home" directory for the JAVA instance running the Jenkins service, run the following command:

"C:\Program Files (x86)\Jenkins\jre\bin\java" -XshowSettings:properties -version 2>&1 | find "java.home"

... replacing the JAVA path with the appropriate value resulting from the "executable" tag in the "jenkins.xml" file. The output will show you the relevant "java.home" directory:

java.home = C:\Program Files (x86)\Jenkins\jre

  • Since the Certificate Store file in use is JAVA_HOME_FOLDER\lib\security\cacerts, we now know that in this example the Certificate Store file in use is C:\Program Files (x86)\Jenkins\jre\lib\security\cacerts.

Jenkins on Linux

  • You first need to understand which JAVA binary is running your Jenkins service. From the command line, run the following:

ps aux | grep jenkins

You should receive output showing all processes including "jenkins" in the name or path; something like this:

jenkins  11044  0.0  0.4  21156  9060 ?        Ss   13:42   0:00 /lib/systemd/systemd --user
jenkins  11045  0.0  0.1 106264  2620 ?        S    13:42   0:00 (sd-pam)
jenkins  11058  0.0  0.0   5712   160 ?        S    13:42   0:00 /usr/bin/daemon --name=jenkins --inherit --env=JENKINS_HOME=/var/lib/jenkins --output=/var/log/jenkins/jenkins.log --pidfile=/var/run/jenkins/jenkins.pid -- /bin/java -Djava.awt.headless=true -jar /usr/share/jenkins/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=8080
jenkins  11059  3.1 14.0 2623256 287656 ?      Sl   13:42   0:22 /bin/java -Djava.awt.headless=true -jar /usr/share/jenkins/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=8080
root     11194  0.0  0.0   6048   888 pts/0    S+   13:54   0:00 grep jenkins

In this case, we can see that the java executable is "/bin/java" (your system may show some different configuration) – but it's almost certainly a symlink to the real binary installed by the JDK or JRE package – or even possibly a chain of symlinks.

  • To find the "java.home" directory for the JAVA instance running the Jenkins service, run the following command:

/bin/java -XshowSettings:properties -version 2>&1 | grep "java.home"

...replacing "/bin/java" with whatever was reported in the commands you ran as explained above. The output will show you the relevant "java.home" directory:

java.home = /usr/lib/jvm/java-11-openjdk-amd64

  • Since the Certificate Store file in use is JAVA_HOME_FOLDER/lib/security/cacerts, we now know that in this example the Certificate Store file in use is /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts.

Step 3: Installing the Certificate into your JAVA keystore

🔍 Notes about installing your Certificate into the JAVA keystore

  • Every installation of JAVA has a default password on the keystore of "changeit". It is typically unnecessary to change this, and this document will assume that you know your JAVA keystore password.
  • In all the examples listed here, you may need to adjust paths for the correct location of your JAVA keystore.

  1. Install the Certificate into your JAVA keystore:
     a. For Windows, run this from the command prompt:

C:\> keytool -import -trustcacerts -alias AcunetixCA -keystore "C:\Program Files (x86)\Jenkins\jre\lib\security\cacerts" -file C:\ProgramData\Acunetix\certs\ca.cer

     b. For Linux, run this from the command prompt:

[john@localhost ~]$ keytool -import -trustcacerts -alias AcunetixCA -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.252.b09-2.el8_1.x86_64/jre/lib/security/cacerts -file /home/acunetix/.acunetix/data/certs/ca.cer

  2. Check that you have successfully installed the certificate, using the same keystore path you imported into:
     a. On Windows:

C:\> keytool -list -keystore "C:\Program Files (x86)\Jenkins\jre\lib\security\cacerts" -alias AcunetixCA

     b. On Linux:

[john@localhost ~]$ keytool -list -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.252.b09-2.el8_1.x86_64/jre/lib/security/cacerts -alias AcunetixCA

If the certificate was successfully installed, you will see the AcunetixCA details, for example:

C:\> keytool -list -keystore "c:\Program Files\Java\jre1.8.0_251\lib\security\cacerts" -alias AcunetixCA

Enter keystore password:

AcunetixCA, 15 May 2020, trustedCertEntry,

Certificate fingerprint (SHA-256): E6:01:86:F3:43:33:97:25:71:B9:4E:BC:D9:08:30:AC:18:75:F6:9A:E6:D0:09:1D:D0:90:DF:2A:1D:8E:97:BA

C:\>
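The Linux path of Steps 2 and 3 can be scripted end to end. The following Python script is an added example, not Acunetix or Jenkins code: it finds the java binary of the jenkins.war process in `ps aux` output, resolves the symlink chain, reads java.home from -XshowSettings:properties, imports the CA with keytool, and then checks the installed entry by comparing keytool's SHA-256 fingerprint with the SHA-256 it computes itself over the CA file's DER bytes. It assumes a Linux host, that keytool sits next to the java binary, that the CA file is at the CA_FILE path (the Linux path from the example above), and that the store password is supplied in the KEYSTORE_PASS environment variable (Java's default changeit if unset), passed with -storepass:env so it does not appear in the process list. The SAMPLE_* strings are constructed test inputs modelled on the output shown above.

```python
"""Find the cacerts file of the JVM that runs Jenkins, import the Acunetix CA
into it and verify the import by comparing fingerprints.

Added example, not Acunetix or Jenkins code. Assumed: Linux, Jenkins started
as "... -jar .../jenkins.war", keytool next to the java binary, and the
Acunetix CA file at CA_FILE. The keystore password is read from the
environment variable KEYSTORE_PASS so it never shows up in `ps` output.
"""
import base64
import hashlib
import os
import re
import shlex
import subprocess
import sys
from typing import Optional

CA_FILE = "/home/acunetix/.acunetix/data/certs/ca.cer"  # assumed path; adjust
ALIAS = "AcunetixCA"

# Constructed sample inputs (modelled on the page's example output) used for testing.
SAMPLE_PS = """\
jenkins  11058  0.0  0.0   5712   160 ?        S    13:42   0:00 /usr/bin/daemon --name=jenkins --inherit --env=JENKINS_HOME=/var/lib/jenkins -- /bin/java -Djava.awt.headless=true -jar /usr/share/jenkins/jenkins.war --httpPort=8080
jenkins  11059  3.1 14.0 2623256 287656 ?      Sl   13:42   0:22 /bin/java -Djava.awt.headless=true -jar /usr/share/jenkins/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=8080
root     11194  0.0  0.0   6048   888 pts/0    S+   13:54   0:00 grep jenkins
"""
SAMPLE_SETTINGS = """\
Property settings:
    java.class.version = 55.0
    java.home = /usr/lib/jvm/java-11-openjdk-amd64
    java.io.tmpdir = /tmp
"""
SAMPLE_KEYTOOL_LIST = """\
AcunetixCA, 15 May 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): E6:01:86:F3:43:33:97:25:71:B9:4E:BC:D9:08:30:AC:18:75:F6:9A:E6:D0:09:1D:D0:90:DF:2A:1D:8E:97:BA
"""


def jenkins_java_binary(ps_output: str) -> Optional[str]:
    """Return argv[0] of the process that runs jenkins.war from `ps aux` output.

    Wrapper processes (daemon, systemd, the grep itself) are skipped because
    their command line does not *start* with a java binary.
    """
    for line in ps_output.splitlines():
        fields = line.split(None, 10)  # ps aux: 10 fixed columns, then COMMAND
        if len(fields) < 11:
            continue
        argv = shlex.split(fields[10])
        if argv and os.path.basename(argv[0]) == "java" \
                and any(a.endswith("jenkins.war") for a in argv):
            return argv[0]
    return None


def cacerts_from_settings(settings_output: str) -> Optional[str]:
    """Derive <java.home>/lib/security/cacerts from `java -XshowSettings:properties`.

    On JDK 8 java.home already ends in /jre; on JDK 9+ it is the JDK root.
    lib/security/cacerts sits directly under java.home in both cases.
    """
    m = re.search(r"^\s*java\.home\s*=\s*(\S.*?)\s*$", settings_output, re.M)
    if not m:
        return None
    return os.path.join(m.group(1), "lib", "security", "cacerts")


def normalize_fingerprint(fp: str) -> str:
    """'E6:01:...' (keytool style) -> 'e601...' so different tools' output compares."""
    return fp.replace(":", "").strip().lower()


def fingerprint_from_keytool_list(output: str) -> Optional[str]:
    """Pull the SHA-256 fingerprint out of `keytool -list -alias ...` output."""
    m = re.search(r"Certificate fingerprint \(SHA-256\):\s*([0-9A-Fa-f:]+)", output)
    return normalize_fingerprint(m.group(1)) if m else None


def cert_sha256(cert_bytes: bytes) -> str:
    """SHA-256 of the DER encoding of a certificate given as PEM or DER.

    keytool fingerprints the DER bytes, so the same value must come out here.
    """
    if cert_bytes.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(line.strip() for line in cert_bytes.splitlines()
                        if not line.startswith(b"-----"))
        cert_bytes = base64.b64decode(body)
    return hashlib.sha256(cert_bytes).hexdigest()


def _run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True)


def main() -> int:
    os.environ.setdefault("KEYSTORE_PASS", "changeit")  # Java default; set your own
    java = jenkins_java_binary(_run(["ps", "aux"]).stdout)
    if not java:
        print("no jenkins.war process found", file=sys.stderr)
        return 1
    java = os.path.realpath(java)  # resolve the symlink chain to the real binary
    settings = _run([java, "-XshowSettings:properties", "-version"])
    cacerts = cacerts_from_settings(settings.stderr + settings.stdout)
    if not cacerts or not os.path.exists(cacerts):
        print(f"could not locate cacerts (got {cacerts})", file=sys.stderr)
        return 1
    keytool = os.path.join(os.path.dirname(java), "keytool")
    common = ["-keystore", cacerts, "-storepass:env", "KEYSTORE_PASS", "-alias", ALIAS]
    imp = _run([keytool, "-importcert", "-noprompt", "-trustcacerts", "-file", CA_FILE] + common)
    if imp.returncode != 0:
        print(imp.stderr, file=sys.stderr)
        return 1
    listed = _run([keytool, "-list"] + common)
    with open(CA_FILE, "rb") as f:
        expected = cert_sha256(f.read())
    got = fingerprint_from_keytool_list(listed.stdout)
    ok = got == expected
    print(f"{cacerts}: alias {ALIAS} {'verified' if ok else 'MISMATCH'} ({got})")
    return 0 if ok else 2


if __name__ == "__main__":
    sys.exit(main())
```

Run it as a user that can write to the cacerts file (typically root). keytool refuses to import over an existing alias, so if the Acunetix CA was regenerated (for example after switching the host name to an IP address, see the troubleshooting section below) remove the old entry with keytool -delete -alias AcunetixCA first; the final fingerprint comparison is what tells you the entry in the store really is the CA file you intended.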

Step 4: Configuring the Jenkins to Acunetix Integration

  • Open Jenkins using an administrator account.
  • From the main menu, select Manage Jenkins -> System Configuration -> System.
  • Scroll to the bottom of the page to get to the Acunetix Plugin configuration section.
  • The default API URL is valid for a setup with Acunetix and Jenkins installed on the same machine. Adjust the API URL value to the correct value if necessary.
  • The Acunetix CA certificate is issued on the host name selected during installation. For that reason, when configuring the Acunetix URL inside Jenkins, it is important to use the host name selected during installation. For more information, see the section entitled "Connection Issues - Notes & Troubleshooting" further on in this document.
  • If your Jenkins instance is deployed on a different host than your Acunetix instance, you need to make Acunetix reachable from hosts other than localhost.
  • If you are using Acunetix Online, you should use https://online.acunetix.com/api/v1
  • Click on the "Add => Jenkins" button.
  • In the Credentials Provider dialog:
      ◦ Select the credentials domain where you wish to store your Acunetix API key
      ◦ Set the Kind field to Secret Text
      ◦ Set the Scope field to Global (Jenkins, nodes, items, all child items, etc)
      ◦ Set the Secret field to the Acunetix API Key. To retrieve the Acunetix API Key, go to the Acunetix UI:
          ▪ Go to your Profile page (you must be the administrator user), and scroll to the bottom
          ▪ If you don't have an API Key yet, click on the "Generate New API Key" button
          ▪ Click the "Copy" button to copy the API key to the clipboard
          ▪ Go back to the Jenkins UI
          ▪ Paste the API Key into the Secret field from the clipboard
      ◦ Optionally, set the ID field to something like ExampleAPIKey
      ◦ Optionally, set the Description to something like Example API Key
      ◦ Click the Add button to complete this step
  • Click the Apply button to save the Acunetix API Key settings; it is important that you click Apply before you use the Test Connection button.
  • Click the Test Connection button; you will see the message Connected Successfully.

Connection Issues - Notes & Troubleshooting

Correct CA Certificate Configuration

The Acunetix CA certificate is issued on the host name selected during installation. For that reason, when configuring the Acunetix URL inside Jenkins, it is important to use the host name selected during installation. If you want to use the IP Address, you will need to generate the Acunetix CA certificate again on the IP address. This can be done by following this document: https://www.acunetix.com/blog/docs/acunetix-security-hardening-guide/

If you use a hostname instead of an IP or the other way around, Jenkins will respond with a "Connection refused" error. To further investigate the encountered issue, follow these instructions for your OS.

Windows

By default, you can find Jenkins logs in %JENKINS_HOME%\jenkins.out and %JENKINS_HOME%\jenkins.err, unless customized in %JENKINS_HOME%\jenkins.xml.

Linux

By default, you can find Jenkins logs in /var/log/jenkins/jenkins.log, unless customized in /etc/default/jenkins (for *.deb) or via /etc/sysconfig/jenkins (for *.rpm).

JAVA Certificate Store Error

If you encounter the following error:

Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

…you may need to recreate the cacerts file which JAVA uses during SSL exchanges (this example assumes Jenkins installed on Debian 11):

  • sudo mv /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.disabled
  • echo -en "\xfe\xed\xfe\xed\x00\x00\x00\x02\x00\x00\x00\x00\xe2\x68\x6e\x45\xfb\x43\xdf\xa4\xd9\x92\xdd\x41\xce\xb6\xb2\x1c\x63\x30\xd7\x92" | sudo tee /etc/ssl/certs/java/cacerts >/dev/null
  • sudo /var/lib/dpkg/info/ca-certificates-java.postinst configure
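The byte string written by the echo command above is a complete JKS keystore with no entries. The Python below is an added example (not part of the Acunetix page or of the ca-certificates-java package) that builds that file from its definition and checks one, so you can verify the bytes rather than paste them blindly, and regenerate them if your store password is not the default. A JKS file consists of the magic 0xFEEDFEED, a version number, an entry count, the entries, and finally a SHA-1 integrity digest over the store password encoded as UTF-16BE, the fixed string "Mighty Aphrodite", and every preceding byte; with zero entries that is exactly 32 bytes. The assumed store password is the Java default changeit.

```python
"""Build and check the minimal (empty) JKS keystore that the recovery commands
above write into /etc/ssl/certs/java/cacerts.

Added example, not part of the Acunetix page or of ca-certificates-java.
Layout: magic 0xFEEDFEED | version | entry count | entries | SHA-1 digest of
(password as UTF-16BE || "Mighty Aphrodite" || all preceding bytes).
Assumed store password: the Java default "changeit".
"""
import hashlib
import hmac
import struct
import sys

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
JKS_DIGEST_SALT = b"Mighty Aphrodite"  # fixed string the JKS format mixes into its digest

# The 32 bytes from the echo command on the page, kept here for comparison.
PAGE_EMPTY_CACERTS = bytes.fromhex(
    "feedfeed" "00000002" "00000000"
    "e2686e45fb43dfa4d992dd41ceb6b21c6330d792"
)


def jks_digest(password: str, body: bytes) -> bytes:
    """Integrity digest that keytool appends to (and checks on) a JKS file."""
    return hashlib.sha1(password.encode("utf-16-be") + JKS_DIGEST_SALT + body).digest()


def build_empty_jks(password: str = "changeit") -> bytes:
    """Header with zero entries plus the digest for `password` (32 bytes in total)."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, 0)
    return body + jks_digest(password, body)


def parse_jks_header(data: bytes):
    """Return (version, entry_count), or None if the magic does not match."""
    if len(data) < 12:
        return None
    magic, version, count = struct.unpack(">III", data[:12])
    if magic != JKS_MAGIC:
        return None
    return version, count


def verify_jks_integrity(data: bytes, password: str) -> bool:
    """True if the trailing digest matches `password`.

    Works for any JKS file, not only the empty one, because the digest always
    covers everything before it.
    """
    if parse_jks_header(data) is None or len(data) < 32:
        return False
    body, digest = data[:-20], data[-20:]
    return hmac.compare_digest(digest, jks_digest(password, body))


if __name__ == "__main__":
    # Usage: python3 empty_jks.py /path/to/cacerts [password]
    # Writes an empty keystore; repopulate it afterwards as described above.
    path = sys.argv[1]
    password = sys.argv[2] if len(sys.argv) > 2 else "changeit"
    with open(path, "wb") as f:
        f.write(build_empty_jks(password))
    print(f"wrote empty JKS keystore to {path}")
```

After writing the empty store, the ca-certificates-java postinst step above refills it from the system CA bundle; the Acunetix CA then still has to be imported with keytool as in Step 3, since it is not part of that bundle. verify_jks_integrity is also a quick way to confirm that the password you believe is set on an existing cacerts file really is the one it was written with.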

Add your Jenkins Integration in Acunetix

You need to set up Acunetix to integrate with your Jenkins setup.

  • Click the Integrations option in the sidebar
  • Click the Create New button in the Jenkins panel
  • In the Basics panel:
      ◦ Set your CI/CD Profile Name; this example uses Example Jenkins Project
      ◦ Select your desired Scan Profile; this example uses SQL Injection
      ◦ Set your desired preferences for:
          ▪ Use incremental scan after first full scan
          ▪ Stop scans on the target before starting a new scan
      ◦ From the Generate Report dropdown, you can optionally select the type of report you wish to generate
      ◦ You can also enable the option Save report in workspace to upload the report into Jenkins when the scan is completed
  • In the Build Fail Options panel:
      ◦ If required, set your Fail build when conditions are met options; this will open up the Build Fail Conditions panel:
          ▪ The Vulnerability Severity Conditions dropdown defines the lowest severity that will fail the build
          ▪ Enable the checkbox labeled Fail the build if any vulnerability has Confidence = 100% if you wish to fail the build if the scan discovers any vulnerability that is considered
          ▪ You can also optionally choose whether to fail the build if the scan rediscovers a vulnerability that has the Ignored or False Positive status
          ▪ You can also choose to Stop the scan when build fails if you do not wish the scan to complete on failed builds
  • Click the Save and Finish button

Option 1 - Add an Acunetix Scan as a Build Step in a Jenkins Job

  • Navigate to the configuration of your project; in this example, the project is of type Freestyle Project
  • In the Build Steps section, select Acunetix from the Add build step drop-down

  • Set the Config Profile dropdown to your desired configuration profile
  • Select your desired Scan Target from the dropdown
  • Click the Save button at the bottom of the page

Build Step Results

When your build step has run:

  • Navigate to the Console Output section of your build

  • Click on the Scan Report Download link to download the report:

  • You can also see the report listed in your Jenkins workspace:

Option 2 - Add an Acunetix Scan as a Pipeline Script in a Jenkins Job

  • Navigate to your Integration Configuration in the Acunetix UI
  • Click the gear icon in the Jenkins panel
  • In the Pipeline Project Scripts tab:
      ◦ Select your Target
      ◦ Select your CI-CD Profile
      ◦ Select any Override options if necessary
      ◦ Click the Generate Script button to populate the Pipeline Script text box
      ◦ Click the Copy button to copy the script to the clipboard
  • Navigate to the configuration of your project; in this example, the project is of type Pipeline
  • In the Pipeline section, select Pipeline script from the Definition drop-down
  • Set the Script to look like this:

node {
  step([$class: 'IEXBuildScanner', iexTargetId: '2270b6c4-59f8-4f01-a2c9-d8a90136c551', iexConfigProfileId: 'b9ba0e9a-ebb3-448e-b6c0-8f27e590c850', iexOverrideConfigProfile: true, iexSeverity: 'Critical,High', iexDoNotFail: false, iexConfirmed: false, iexIgnoreFalsePositive: false, iexIgnoreRiskAccepted: false])
}

  • Note that the step is included inside a node section.

Build Step Results

When your build step has run:

  • Navigate to the Console Output section of your build

  • Click on the Scan Report Download link to download the report:
