Adding a Code Base
Click on "Add New Code Base" in the Application Overview screen, and the Codebase entry screen will open. (Please note that an application is currently limited to twenty (20) code bases; to add more code bases, please contact support@whitehatsec.com.)
Enter your code base name and URI type.
If your project resides in version control and Sentinel will support your version control type, we can check out your code directly from your version control; in that case, please select "Repository" as your URI type, and see "Adding a Repository Code Base" below for more information.
If your project does not reside in version control or Sentinel does not support your version control type, or if you are building a custom process through CI/CD to deliver assets to be scanned, please select "Archive" as your URI type and see "Adding a Source Code Archive Code Base" for more information.
(You can also use a Source Code Archive to provide code or assets directly to resolve dependencies or provide necessary configuration files.)
If you have enabled binary analysis and want to associate this application with a binary file, please see "Adding a Binary File" for more information.
Adding a Repository Code Base
If you are adding a repository URI, you will see the Repository URI entry screen.
Enter the path, management system, authentication type, and authentication information, and click on Submit.
Management systems currently supported in Sentinel and their appropriate syntaxes include:
- Subversion
- CVS
- Perforce
- Git
- TFS
Each of these systems uses a different syntax (or syntaxes) for the URI path:
Management System | Example |
---|---|
SVN | svn://some.domain.net[:port]/path/to/project |
SVN | svn+ssh://some.domain.net/path/to/application |
SVN | http[s]://some.domain.net[:port]/path/to/project |
CVS | pserver://some.domain.net/path/[path]/project |
Perforce | p4://some.domain.net:1666://path/to/project |
GIT | git://some.domain.net:user-or-group/path/project.git:branch (read only; port 9418 must be open) |
GIT | Username and password authentication: http[s]://some.domain.net/project.git:branch (no path, common with "raw" git) |
GIT | Certificate authentication: git@some.domain.net:user-or-group/path/project.git:branch |
TFS | http[s]://server:port/tfs/collection/$/path/[path]/project (port required) |
TFS | http[s]://server:port/collection/$/path/[path]/project (port required) |
SFTP | |
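The syntaxes in the table overlap (plain http[s] is valid for SVN, Git and TFS), so a script that registers code bases in bulk needs to decide which form a URI is before it fills in the management system. The classifier below is an added example written for this page, not Sentinel's own validation; the host names and paths in its comments are constructed, and it encodes the table's rules that a Git URI ends in `.git:branch` and a TFS path (`/$/`) must carry an explicit port.

```python
import re
from typing import Optional

HOST = r"(?P<host>[A-Za-z0-9.-]+)"

# Ordered most-specific first: the ".git:branch" and "/$/" shapes are tried before
# the generic http[s] SVN form, which would otherwise swallow every http(s) URI.
RULES = [
    ("GIT", re.compile(rf"^git://{HOST}:(?P<path>[^:]+\.git):(?P<branch>[^:/]+)$")),
    ("GIT", re.compile(rf"^git@{HOST}:(?P<path>[^:]+\.git):(?P<branch>[^:/]+)$")),
    ("GIT", re.compile(rf"^https?://{HOST}/(?P<path>[^:]+\.git):(?P<branch>[^:/]+)$")),
    ("TFS", re.compile(rf"^https?://{HOST}:(?P<port>\d+)/(?P<path>(?:tfs/)?[^$]+/\$/.+)$")),
    ("CVS", re.compile(rf"^pserver://{HOST}/(?P<path>.+)$")),
    ("Perforce", re.compile(rf"^p4://{HOST}:(?P<port>\d+)://(?P<path>.+)$")),
    ("SVN", re.compile(rf"^svn://{HOST}(?::(?P<port>\d+))?/(?P<path>.+)$")),
    ("SVN", re.compile(rf"^svn\+ssh://{HOST}/(?P<path>.+)$")),
    ("SVN", re.compile(rf"^https?://{HOST}(?::(?P<port>\d+))?/(?P<path>.+)$")),
]


def classify_uri(uri: str) -> Optional[dict]:
    """Return {"system": ..., "host": ..., "path": ..., ["port"], ["branch"]} for a
    repository URI in one of the table's forms, or None if it matches none of them.
    Raises ValueError for a TFS-style ($/) path that omits the required port."""
    for system, pattern in RULES:
        m = pattern.match(uri)
        if not m:
            continue
        result = {"system": system}
        result.update({k: v for k, v in m.groupdict().items() if v is not None})
        if system != "TFS" and "/$/" in uri:
            # "$/" is a TFS server path; only the port-less form falls through to here.
            raise ValueError("TFS URIs must include the port: http[s]://server:port/...")
        return result
    return None


if __name__ == "__main__":
    # Constructed sample URIs, one per row shape of the table.
    for sample in (
        "git@some.domain.net:team/app.git:main",
        "https://tfs.example.net:8080/tfs/DefaultCollection/$/Apps/app",
        "p4://p4.example.net:1666://depot/app",
        "svn://svn.example.net:3690/trunk/app",
    ):
        print(sample, "->", classify_uri(sample))
```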
Note: If your version control technology is not supported or if your application’s build requires dependencies that are not available from a repository accessible to your Sentinel appliance, you may use a source code archive codebase to provide additional code to be used in the scan. Please see Providing Additional Code for more information. For examples of adding an Archive code base, please see File Store Code Base Examples.
Adding a Source Code Archive Code Base
If you are entering a source code archive URI, you will see the Source Code Archive URI entry screen.
You will need to archive your code as, for example, rNNN.APPNAME.tar.gz, where NNN is your version number and APPNAME is your application name, and place the file(s) in a directory that can be accessed via a web server. The server must allow us to fetch a listing of the files in the directory (for example, https://customer.com/arbitrarypath/).
Enter the path, authentication type, and authentication information; click on "Validate" to confirm that the repository connection is valid. When you are done, click on Submit.
Note that the path you need to enter may vary depending on exactly how you have set up the archive in question. If your application should be assessed from more than one URI, you will need to enter each code base separately.
Providing Additional Code
If your version control technology is not supported or if your application’s build requires dependencies that are not available from a repository accessible to your Sentinel appliance, you may use a source code archive codebase to provide additional code to be used in the scan. Gather all code and package it into a gzipped tarball or zip file. When naming your tarball, use the following naming convention:
r0.myappname.tar.gz
Place this file in an indexable folder on a web server the Sentinel appliance will be able to download from. If you need to update the contents of the tarball simply increment the initial number:
r1.myappname.tar.gz
Sentinel will download the tarball that has the highest release number (r0, r1, r2…). This makes it possible to automate the delivery of any code, whether or not it resides in a supported repository.
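The naming convention above ("Adding a Source Code Archive Code Base" and "Providing Additional Code") is what a CI/CD job has to produce, and the "highest release number" rule has an edge case worth automating correctly: r10 sorts before r9 as a string but must win as a number. The helper below is an added example, not Sentinel's delivery tooling; it assumes the web directory is on the local filesystem of the build host (`web_dir`) and uses a constructed application name `myapp`.

```python
import re
import tarfile
from pathlib import Path
from typing import List, Optional

# rNNN.APPNAME.tar.gz (or .zip), as described in the naming convention above.
RELEASE_RE = re.compile(r"^r(?P<num>\d+)\.(?P<app>[^/]+)\.(?P<ext>tar\.gz|zip)$")


def release_number(filename: str, app: str) -> Optional[int]:
    """Return the numeric release of filename if it follows the convention for app."""
    m = RELEASE_RE.match(filename)
    if m and m.group("app") == app:
        return int(m.group("num"))
    return None


def latest_release(listing: List[str], app: str) -> Optional[str]:
    """The file Sentinel is described as fetching: the highest release NUMBER.
    A plain string sort would wrongly rank r9 above r10, so compare as integers."""
    candidates = [(n, f) for f in listing if (n := release_number(f, app)) is not None]
    return max(candidates)[1] if candidates else None


def next_release_name(listing: List[str], app: str, ext: str = "tar.gz") -> str:
    """Name for the next upload: one past the highest existing release, or r0."""
    nums = [n for f in listing if (n := release_number(f, app)) is not None]
    return f"r{max(nums) + 1 if nums else 0}.{app}.{ext}"


def package_release(src_dir: Path, web_dir: Path, app: str) -> Path:
    """Gzip-tar src_dir into web_dir under the next rNNN.app.tar.gz name.
    Only files already in web_dir are consulted, so repeated runs increment NNN."""
    name = next_release_name([p.name for p in web_dir.iterdir()], app)
    out = web_dir / name
    with tarfile.open(out, "w:gz") as tar:
        tar.add(src_dir, arcname=app)  # archive rooted at the app name
    return out


if __name__ == "__main__":
    # Constructed directory listing standing in for the web server's index page.
    listing = ["index.html", "r0.myapp.tar.gz", "r9.myapp.tar.gz", "r10.myapp.tar.gz"]
    print("Sentinel would fetch:", latest_release(listing, "myapp"))
    print("Next upload name:   ", next_release_name(listing, "myapp"))
```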
Note: If you cannot place the tarball in an indexable folder on a web server accessible to your Sentinel appliance, you have two options:
- Provide a URI for direct download, e.g. http://some.domain.net/path/r0.myapp.tar.gz
- Contact your customer service agent to discuss alternate methods of tarball delivery.
Adding a Binary File
Sentinel will allow you to enable binary analysis for a Source application, if desired. (See "Enabling Binary Analysis".) If binary analysis has been enabled, you will see an option for a "Source code archive file" under "URI type" when you add a Source Code Archive. Select "Source code archive file" and upload your file. The file must be no more than 2GB in size, and supported file types include .jar, .ear, .war, .exe, and .dll.
You may rename the file on upload, but the file extension must be included in the name.
Validating the Codebase Connection
Once you have added a codebase, you can validate the codebase connection by clicking on "Validate Now" under "Codebase Connection Status" in the list of Codebases, or by clicking "Validate Codebase Connection" in the codebase dropdown. When you are creating an asset, you must validate the codebase connection or a pre-scan cannot be done; the asset itself, however, can still be created.