Adding a Code Base

For information on editing an existing Code Base

Click on "Add New Code Base" in the Application Overview screen, and the Codebase entry screen will open. (Please note that an application is currently limited to twenty (20) code bases; to add more code bases, please contact support@whitehatsec.com.)

add a codebase screen

Enter your code base name and URI type.

If your project resides in version control and Sentinel supports your version control type, we can check out your code directly from your version control system; in that case, please select "Repository" as your URI type, and see "Adding a Repository Code Base" below for more information.

If your project does not reside in version control or Sentinel does not support your version control type, or if you are building a custom process through CI/CD to deliver assets to be scanned, please select "Archive" as your URI type and see "Adding a Source Code Archive Code Base" for more information.

(You can also use a Source Code Archive to provide code or assets directly to resolve dependencies or provide necessary configuration files.)

If you have enabled binary analysis and want to associate this application with a binary file, please see "Adding a Binary File" for more information.

Adding a Repository Code Base

If you are adding a repository URI, you will see the Repository URI entry screen.

adding a repository code base screen

Enter the path, management system, authentication type, and authentication information, and click on Submit. Sentinel will use these credentials to check out your code, so use a dedicated read-only account or deploy key for Sentinel rather than a developer's personal credentials, and enter them in the authentication fields rather than embedding them in the URI path.

Management systems currently supported in Sentinel:

  • Subversion

  • CVS

  • Perforce

  • Git

  • TFS

Each of these systems uses a different syntax (or syntaxes) for the URI path:

SVN
  svn://some.domain.net[:port]/path/to/project
  svn+ssh://some.domain.net/path/to/application
  http[s]://some.domain.net[:port]/path/to/project

CVS
  pserver://some.domain.net/path/[path]/project

Perforce
  p4://some.domain.net:1666://path/to/project

Git
  Read only (port 9418 must be open):
    git://some.domain.net:user-or-group/path/project.git:branch

  Username and password authentication:
    http[s]://some.domain.net/project.git:branch (no path, common with "raw" git)
    http[s]://some.domain.net:[port]/user-or-group/path/project.git:branch (common with git management systems such as GitLab, GitHub, etc.)

  Certificate (SSH key) authentication:
    git@some.domain.net:user-or-group/path/project.git:branch
    ssh://some.domain.net/user-or-group/path/project.git:branch

TFS (port required)
  http[s]://server:port/tfs/collection/$/path/[path]/project
  http[s]://server:port/collection/$/path/[path]/project

Adding a Source Code Archive Code Base

Note: If your version control technology is not supported, or if your application's build requires dependencies that are not available from a repository accessible to your Sentinel appliance, a source code archive code base can supply the additional code to be used in the scan; see Providing Additional Code below. For examples of adding an Archive code base, please see File Store Code Base Examples.

If you are entering a source code archive URI, you will see the Source Code Archive URI entry screen.

source code archive code base entry

Archive your code as, for example, rNNN.APPNAME.tar.gz, where NNN is your release number and APPNAME is your application name, and place the file(s) in a directory served by a web server. The server must allow Sentinel to fetch a listing of the files in that directory (for example, https://customer.com/arbitrarypath/ with directory indexing enabled). Because that listing exposes every archive in the directory to anyone who can reach the server, serve it over HTTPS and require authentication (supplied through the authentication fields described below) rather than leaving the directory anonymously readable.

Enter the path, authentication type, and authentication information, and click on "Validate" to confirm that Sentinel can reach the archive location. When you are done, click on Submit.

Note that the path you need to enter may vary depending on exactly how you have set up the archive in question. If your application should be assessed from more than one URI, you will need to enter each code base separately.

Providing Additional Code

If your version control technology is not supported or if your application’s build requires dependencies that are not available from a repository accessible to your Sentinel appliance, you may use a source code archive codebase to provide additional code to be used in the scan. Gather all code and package it into a gzipped tarball or zip file. When naming your tarball, use the following naming convention:

r0.myappname.tar.gz

Place this file in an indexable folder on a web server that the Sentinel appliance will be able to download from. If you need to update the contents of the tarball, simply increment the leading release number:

r1.myappname.tar.gz

Sentinel will download the tarball that has the highest release number (r0, r1, r2, ...). This makes it possible to automate the delivery of any code, whether or not it resides in a supported repository.

Note: If you cannot place the tarball in an indexable folder on a web server accessible to your Sentinel appliance, you have two options:

  1. Provide a URI for direct download - e.g. http://some.domain.net/path/r0.myapp.tar.gz

  2. Contact your customer service agent to discuss alternate methods of tarball delivery.
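As an added example (not part of Sentinel or this documentation), the following picks the archive Sentinel would fetch from such an indexable directory and computes the name a CI/CD job should publish next. It parses a constructed auto-index page; the function names and the sample listing are this example's assumptions, while the rN.APPNAME.tar.gz / .zip convention is the page's. It compares release numbers numerically, so r10 is newer than r9 (a plain string sort would get that wrong), and it ignores look-alike names such as r10.myappname.tar.gz.bak or another application's archives.

```python
"""Added example, not Sentinel's code: select the highest-numbered release
archive from a directory listing and derive the next name to publish."""
import re
from typing import List, Optional, Tuple


def archive_pattern(app: str):
    # Anchor on the whole name so 'r1.myapp.tar.gz.bak' or 'r1.myapp2.tar.gz'
    # never count as a release of 'myapp'.  Formats per the page: .tar.gz or .zip.
    return re.compile(r"^r(\d+)\." + re.escape(app) + r"\.(?:tar\.gz|zip)$")


def archives_in_listing(listing_html: str, app: str) -> List[Tuple[int, str]]:
    """(release_number, filename) for every archive of `app` linked from an
    auto-index page, sorted by release number (numerically)."""
    pat = archive_pattern(app)
    found = []
    for href in re.findall(r'href="([^"]+)"', listing_html):
        name = href.rsplit("/", 1)[-1]          # tolerate absolute hrefs
        m = pat.match(name)
        if m:
            found.append((int(m.group(1)), name))
    return sorted(found)


def latest_archive(listing_html: str, app: str) -> Optional[str]:
    """The file Sentinel would download: the highest release number."""
    found = archives_in_listing(listing_html, app)
    return found[-1][1] if found else None


def next_archive_name(listing_html: str, app: str, ext: str = "tar.gz") -> str:
    """Name for the next CI/CD publish: increment the highest existing rN,
    starting at r0 when nothing has been published yet."""
    found = archives_in_listing(listing_html, app)
    n = found[-1][0] + 1 if found else 0
    return f"r{n}.{app}.{ext}"


# Constructed sample of an auto-index page (not a real server response).
SAMPLE_LISTING = """<html><body><h1>Index of /sentinel/</h1><pre>
<a href="../">../</a>
<a href="r0.myappname.tar.gz">r0.myappname.tar.gz</a>
<a href="r1.myappname.tar.gz">r1.myappname.tar.gz</a>
<a href="r9.myappname.tar.gz">r9.myappname.tar.gz</a>
<a href="r10.myappname.tar.gz">r10.myappname.tar.gz</a>
<a href="r10.myappname.tar.gz.bak">r10.myappname.tar.gz.bak</a>
<a href="r3.otherapp.zip">r3.otherapp.zip</a>
</pre></body></html>"""

if __name__ == "__main__":
    print(latest_archive(SAMPLE_LISTING, "myappname"))     # r10.myappname.tar.gz
    print(next_archive_name(SAMPLE_LISTING, "myappname"))  # r11.myappname.tar.gz
```

In a pipeline, fetch the listing with the same credentials you gave Sentinel, call `next_archive_name` to name the new tarball, and upload it; the old releases can stay in place because only the highest number is used.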

Adding a Binary File

Sentinel will allow you to enable binary analysis for a Source application, if desired. (See "Enabling Binary Analysis") If binary analysis has been enabled, you will see an option for a "Source code archive file" under "URI type" when you add a Source Code Archive. Select "Source code archive file" and upload your file. The file must be no more than 2GB in size, and supported file types include .jar, .ear, .war, .exe, and .dll.

You may rename the file on upload, but the file extension must be included in the name.

Validating the Codebase Connection

Once you have added a codebase, you can validate the codebase connection by clicking on "Validate Now" under "Codebase Connection Status" in the list of Codebases, or by clicking "Validate Codebase Connection" in the codebase dropdown. When you are creating an asset, the asset can be created without a validated codebase connection, but a pre-scan cannot run until the connection has been validated.