A Simple CI Need

Published Jul 28, 2017

I received a request from a client with the need to find MVN dependencies change on every code commit (and when a build gets triggered in Jenkins). And then zip those dependencies, be it jar/war, and copy them to a specific directory in a secure operational environment

The client already has a shell script, which did part of the job (which essentially was parsing the output of the MVN dependencies:list command), and using shell commands such as sed/awk was parsing out the delta (addtions as well deletions) and passing them as a list of distinct file names, which can be used to zip them all together and push to a specific directory in a secure operational environment.

The client apparently is working in a FinTech industry in the Big Apple and was appalled at the complete lack of systems/security perspective. When I broached the subject of secure repositories, static/dynamic code scanning, and other steps for providing a secure facility in the whole CI process from a dev/test/build env to a secure pre-prod and prod environments, the client was simply ignorant of the whole process and facilities available to them (most of them available as OSS).

The ideal solution would have been a secure repository that is used in a secure operational environment and a process through which all artifacts need to be passed before being allowed to be pushed to the 'secure' repository. That way, it removes the need to do scripted ways to push changes in dependencies. This process can easily introduce security vulnerabilities. If only relevant dependencies had to be maintained across all repositories, that could be easily done as a hook script to be run with Jenkins.

Add to that, I could not easily comprehend the non usage of code scanning tools and other allied facilities to create an easier and more robust way to maintain a secure operations CI process. These are the low hanging fruits that give the biggest bang for the buck.

What I ended up doing for that client was a hack job to say the least, using a scripting language. The satisfaction of the client and his complete lack of understanding of the value I was trying to provide (for free) still befuddles me.

Well, we all get slapped back to reality once in a while...don't we?

Discover and read more posts from Senthil M
get started