Scanning with the CodeLogic SQL Agent (Docker)
The CodeLogic SQL Agent for Docker provides an easy way to integrate CodeLogic scanning into your build process.
Generate the Docker Image
- Click Admin and then select the Installers tab.
- Locate the SQL Agent Docker Image tile and click Generate.
- Enter your CodeLogic Server IP address or hostname.
- Enter the username and password for accessing the database.
- Enter a connection string. Do not include the username and password with the connection string.
- JDBC string for relational databases such as PostgreSQL, Oracle and MySql
- Mongo string for MongoDB
- Bolt string for Neo4j databases
- Optionally, enter a database name.
- Click Next.
-
Copy your code snippet from the Success! window.
Docker Options Examples
- --pull always - ensures that you will always get the newest image
- --env CODELOGIC_HOST="https://codelogic.com" - passes an environment variable representing the IP address or hostname of the CodeLogic Server
- --env AGENT_UUID="1f5d0bbc-0924-4c6f-828c-532627c33178" - passes an environment variable for the agent UUID
- --env AGENT_PASSWORD="AahlDFNbb0PyU378" - passes an environment variable for the agent password
- codelogic.com/codelogic_sql:latest - tells docker to download the sql agent codelogic_sql:latest from the CodeLogic Server
- See Docker Documentation for more docker options.
Tip
You can copy and paste the code snippet directly into your Jenkins file.
Run the Docker Image
-
Analyze a MongoDB database
Before running the docker image, ensure read permission on the database to be scanned.
Verify that
/etc/mongod.conf
is configured to authenticate:security: authorization: "enabled"
Ensure the credentials have read permissions on the database to be analyzed. For example, to analyze the
sample_mflix
database, thecodelogic_reader
user was created using this command:test> use admin switched to db admin admin> db.createUser({user: "codelogic_reader", pwd: "password1234", roles: [{role: "read", db: "sample_mflix"}]}) { ok: 1 }
This mongodb connection string authenticates with the user
codelogic_reader
, passwordpassword1234
and uses the option of including it in conenction string instead of the CLI. The username and password are authenticated against theadmin
database. It is used with the output above, from Generate the Docker Image, to analyze thesample_mflix
database.--connection-url "mongodb://codelogic_reader:password1234@myServer.myCompany.com:27017/sample_mflix?authSource=admin"
Combined with the output from Generate the Docker Image and including the credentials in the string instead of separately, the entire command line may look similar to this:
docker run --network=host --pull always --rm --interactive --tty \ --env CODELOGIC_HOST="http://myServer.myCompany.com" \ --env AGENT_UUID="6f396f98-9884-4530-ab3e-9a916885dcd0" \ --env AGENT_PASSWORD="qE15EVh4SyU3rfbJ" \ myServer.myCompany.com/codelogic_sql:latest analyze \ --application "sample_mflix_app" \ --scan-space-name "ss-Sample_mflix" \ --connection-url "mongodb://codelogic_reader:password1234@myServer.myCompany.com:27017/sample_mflix?authSource=admin"
-
Analyze a relational database
analyze -a yourApp -c jdbc:postgresql://localhost:5432/sampledb -u postgres_user -pwd postgres_pass
For more information, see Binary Scanning via Command Line (SQL).
View Scan Results
* Select the Search tab.
* Expand the application to view items and their dependencies.
Important
ScanSpaces should be unique to users or processes to avoid the inadvertent removal of previous scan sessions. The --expunge-scan-sessions
option removes all previous scan sessions with the same fingerprint, even if they were created by another user.
The fingerprint is a collection of parameters specified when scanning. In the example below, the Java agent fingerprint is these parameters:
--application
, --method-filter
, --path
, --scan-space-name
, and --type
.
For example, a Continuous Integration (CI) pipeline scan, perhaps in a Jenkinsfile, is initiated as part of a build whenever there is a code merge. These scans are stored by the CodeLogic Server in the Development ScanSpace.
The command in the Jenkinsfile is: analyze --application MyApplication --method-filter com.codelogic. --path /scan --type SCAN --scan-space-name Development
.
A developer runs the same analysis using the CLI using CLI options that result in the same fingerprint but with the --expunge-scan-sessions
option.
The developer's command is: analyze --application MyApplication --method-filter com.codelogic. --path /scan --type SCAN --scan-space-name Development --expunge-scan-sessions
.
Since the fingerprints match, all previous scans in the Development
ScanSpace on the CodeLogic server are removed.
This can be avoided by each user using their own ScanSpaces. A ScanSpace is created when the --scan-space-name
option is used, if it does not already exist.
Although a default ScanSpace is used if none is specified, always specifying a ScanSpace that is unique to a user is recommended.