Quality Gate

The AppSpider integration for Jenkins Continuous Integration can be used to enforce a Quality Gate for your applications. Jenkins can scan an application after the build stage and retrieve the results of the scan by calling the Get Vulnerabilities Summary and Get Findings methods of the AppSpider REST API. The call to Get Vulnerabilities Summary returns an XML file summarizing all the issues found in a scan. In this XML file, each vulnerability detected in the scan is listed along with a score:

<ModuleId>81C9D7ED0E33447899D5CD20B978617B</ModuleId>
<AttackType>CSRF protection is missing</AttackType>
<AttackScore>1-Informational</AttackScore>
<AttackValue>N/A</AttackValue>
<CweId>352</CweId>

The summary also carries mappings to compliance and classification schemes:

<CAPEC>62</CAPEC>
<DISSA_ASC>3585</DISSA_ASC>
<OWASP2007>5</OWASP2007>
<OWASP2010>5</OWASP2010>
<OWASP2013>8</OWASP2013>
<OVAL>0</OVAL>
<WASC>9</WASC>

This information can be parsed and used to enforce a Quality Gate, for example stopping a build or sending a notification if vulnerabilities of a specific type and/or criticality level are found in a scan. You can write custom Jenkins scripts to enforce the quality parameters your organization uses. For example, to ensure that an application susceptible to SQL Injection is never shipped, retrieve the list of vulnerability findings and parse it for SQL Injection issues.
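The following is an added example of such a gate script; it is not part of AppSpider or its Jenkins integration. It parses the per-vulnerability fields shown above (ModuleId, AttackType, AttackScore, CweId) from a constructed sample summary and fails the build when any finding is above a severity threshold or matches a blocked CWE such as CWE-89 (SQL Injection). The enclosing element names `VulnList` and `VulnSummaryItem`, and the assumption that the numeric prefix of `AttackScore` (as in `1-Informational`) increases with severity, are assumptions made for this example; check them against the XML your AppSpider version actually returns. In a pipeline the script would run from a `sh` step after the scan results have been downloaded.

```python
"""Quality-gate check over an AppSpider 'Get Vulnerabilities Summary' XML file.

Added example for illustration; element wrappers and score ordering are assumptions.
"""
from __future__ import annotations

import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the summary fields shown above.
# <VulnList> and <VulnSummaryItem> are assumed wrapper names, not documented ones.
SAMPLE_SUMMARY = """<?xml version="1.0" encoding="utf-8"?>
<VulnList>
  <VulnSummaryItem>
    <ModuleId>81C9D7ED0E33447899D5CD20B978617B</ModuleId>
    <AttackType>CSRF protection is missing</AttackType>
    <AttackScore>1-Informational</AttackScore>
    <AttackValue>N/A</AttackValue>
    <CweId>352</CweId>
  </VulnSummaryItem>
  <VulnSummaryItem>
    <ModuleId>00000000000000000000000000000001</ModuleId>
    <AttackType>SQL Injection</AttackType>
    <AttackScore>4-High</AttackScore>
    <AttackValue>[redacted]</AttackValue>
    <CweId>89</CweId>
  </VulnSummaryItem>
</VulnList>
"""


@dataclass(frozen=True)
class Finding:
    module_id: str
    attack_type: str
    severity: int            # numeric prefix of AttackScore, e.g. 4 for "4-High" (assumed ordering)
    severity_label: str      # text after the prefix, e.g. "High"
    cwe_id: Optional[int]    # None when CweId is missing or not numeric


def parse_summary(xml_text: str) -> list[Finding]:
    """Extract one Finding per <VulnSummaryItem> element."""
    root = ET.fromstring(xml_text)
    findings: list[Finding] = []
    for item in root.iter("VulnSummaryItem"):
        score = (item.findtext("AttackScore") or "").strip()
        prefix, _, label = score.partition("-")
        cwe_text = (item.findtext("CweId") or "").strip()
        findings.append(Finding(
            module_id=(item.findtext("ModuleId") or "").strip(),
            attack_type=(item.findtext("AttackType") or "").strip(),
            severity=int(prefix) if prefix.isdigit() else 0,
            severity_label=label or score,
            cwe_id=int(cwe_text) if cwe_text.isdigit() else None,
        ))
    return findings


@dataclass(frozen=True)
class GatePolicy:
    max_severity: int = 3                                   # anything above this level fails the build
    blocked_cwes: frozenset[int] = frozenset({89})          # CWE-89: SQL Injection is never shipped


def evaluate_gate(findings: list[Finding], policy: GatePolicy) -> list[str]:
    """Return one human-readable violation per finding that breaks the policy (empty list = pass)."""
    violations: list[str] = []
    for f in findings:
        reasons = []
        if f.severity > policy.max_severity:
            reasons.append(f"severity {f.severity_label} exceeds allowed level")
        if f.cwe_id in policy.blocked_cwes:
            reasons.append(f"blocked CWE-{f.cwe_id}")
        if reasons:
            violations.append(f"{f.attack_type} [{f.module_id}]: " + "; ".join(reasons))
    return violations


if __name__ == "__main__":
    # Usage: python gate.py <summary.xml>   (falls back to the constructed sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SUMMARY
    problems = evaluate_gate(parse_summary(text), GatePolicy())
    for line in problems:
        print("QUALITY GATE VIOLATION:", line)
    # Non-zero exit status makes the Jenkins sh step, and therefore the build, fail.
    sys.exit(1 if problems else 0)
```

The gate is expressed as data (`GatePolicy`) rather than hard-coded conditions so the same script can be reused across jobs with different thresholds, and each violation names the ModuleId so the failing build log points straight at the finding in AppSpider.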