Workshop for the JFrog FreeTier - JVM - Vaadin
This module is the follow-up of the Basic - Module you will find here. In this Module here we will create a web-app based on Vaadin - Flow to demonstrate the security scan over different technologies.
You need an IDE that supports Java and maven. I am personally using IntelliJ and the screencasts are based on this IDE. The free version is perfect for this workshop. But you can use whatever IDE fits your needs.
To have IDE Support based on the Xray Plugin from JFrog, you need one of listed IDEs. The actual list is under the following URL https://www.jfrog.com/confluence/display/JFROG/IDE+Integration
You need Docker on your machine for some parts of this tutorial. It is possible to skip this element during the workshop.
This tutorial is based on Java version 11 or higher and maven. All JDK´s should fit, there are no special requirements that I am aware of. Maven is used in a version higher 3.3. Please make sure you have access to it. You can use the bundled maven version. The archive is inside the folder _data/maven and contains the maven version 3.6.3 as tar.gz file.
You can install the JDK for example with the OpenSource tool called Jabba
For the installtion of maven you can use brew on Linux/OSX with the command brew install maven
.
We are working with npm in the background to generate the UI based on Vaadin flow. For this, install the tools NPM / PNPM on your machine. For Linux and OSX you can do it for example with the command brew To delete the local npm cache, use the following command npm cache clean --force
brew install npm
brew install pnpm
The tutorial is planned to be done in approx 2h in total.
The BirdEyeView:
- Intro into the JFrog Platform
- Maven and the Webapp
- Vulnerabilities and how to visualize them
- Create the Docker Repositories
- using Artifactory as Docker Image Proxy
- Build the Docker Images for the WebApp (optional) * Bonus work - choose an OpenSource Project and bring it into a fresh new FreeTier
Short intro into the basic concepts of DevSecOps and how JFrog will provide support for it. If you want to get more informations checkout my Youtube channel
For example the Video about the Low Hanging Fruits Of DevSecOps
Lets start with the tutorial now! The plan is, to finish all steps in approx 2h. I will give you from time to time some additional links to videos to provide additional informations.
For this tutorial you can use the JFrog Platform based on the FreeTier offer. This you will find under the URL http://bit.ly/SvenYouTube. You do not need credit card informations for this and the FreeTier itself is not limited in time. If you want to see how to activate the FreeTier from JFrog, have a look at the following video on Youtube.
Short overview of the Platform
Clone the repository from Githb or download the sources if you don´t use git.
git clone https://github.com/Java-Workshops/JFrog-FreeTier-JVM-Vaadin.git
For this workshop we need some maven repositories. Start creating them and use the same names, please.
Create a local Maven Repos called maven-local-release and maven-local-snapshot The docu is here JFrog website
- add local repo maven-local-snapshots
- add local repo maven-local-release
Create the needed remote Maven Repositories:
- add remote repo maven-remote-mavencentral / https://repo1.maven.org/maven2/
- add remote repo maven-remote-apache / https://repo.maven.apache.org/maven2/
- add remote repo maven-remote-vaadin / https://maven.vaadin.com/vaadin-addons
Create virtual Maven Repos to aggregate the created repositories.
- add virtual repo maven-release
- add virtual repo maven-snapshots
Go to the file pom.xml and change it in the way that you are using your new created virtual maven repositories. Rename your local .m2/repository folder to a name like repository_backup and test your config with a mvn clean verify. Maven should load all dependencies from your new repository now.
To have access to these repositories you have two different solutions. a) you can give the right to consume all remote repositories to the user anonymous b) you cann add the credentials to your settings.xml inside the folder .m2
Create a generic repo called generic-local-maven. In this repo you will find the file inside the folder _data/maven/ called apache-maven-3.6.3-bin.tar.gz
Upload the file from your folder _data/_maven https://github.com/Java-Workshops/JFrog-FreeTier-JVM/blob/master/_data/_maven/apache-maven-3.6.3-bin.tar.gz Try to download one file with curl and verify that it is a valid archive.
We need NPM repositories for the webb app as well. Please, create the following repositories
- add remote repo npm-remote-npmjs https://registry.npmjs.org
- add virtual repo npm
- npm config set registry http://## your server name ##.jfrog.io/artifactory/api/npm/npm
- npm config set @vaadin:registry http://## your server name ##.jfrog.io/artifactory/api/npm/npm/
- npm config set @polymer:registry http://## your server name ##.jfrog.io/artifactory/api/npm/npm/
- npm config set @babel:registry http://## your server name ##.jfrog.io/artifactory/api/npm/npm/
- npm config set @webcomponents:registry http://## your server name ##.jfrog.io/artifactory/api/npm/npm/
- npm config set @types:registry http://## your server name ##.jfrog.io/artifactory/api/npm/npm/
- npm cache clean --force
- got to the set me up button and generate the following lines incl your credentials
- add this to the file ~/.npmrc -
_auth="## your hashed password"
email=## your email ##
always-auth=true
//## your server name ##.jfrog.io/artifactory/api/npm/npm/:_password="## your hashed password ##"
//## your server name ##.jfrog.io/artifactory/api/npm/npm/:username=## your username ##
//## your server name ##.jfrog.io/artifactory/api/npm/npm/:email=## your email ##
//## your server name ##.jfrog.io/artifactory/api/npm/npm/:always-auth=true
mvn clean verify
npm install
npm ls
This project can be used as a starting point to create your own Vaadin application. It has the necessary dependencies and files to help you get started. It requires Java 11 or newer and node.js 10.16 or newer.
To run the project, run mvn jetty:run
and open http://localhost:8080 in browser.
To update to the latest available Vaadin release, issue
mvn versions:update-properties
To maintain your Platform instance it is good to know that you have the functionality of a TrashCan. This is good to un-delete a file. On the other side it is good to clear the caches from time to time and make sure you are not hitting your limits soon.
For this, check inside the Administration Menu your current Storage usage. Delete the TrashCan and find out how to clear the cached content from a remote Repository.
In this section wwe want to scan our dependencies to learn more about vulnerabilities. The tool that we are using is Xray and integrated into the JFrog Platform. It is able to scan all elements that are in Artifactory. Binaries, Buildinfos and so on. Your task now: Install the JFrog IDE Plugin and connect to your FreeTier installation.
If you want to see it in action scanning a Vaadin webapp check out the following video.
Inside the JFrog Platform you can analyse your binaries as well. For this you need to create Rules, Policies and Watches. Your next task is:
- create a Rule called rule-catch-everything that will scan for all Vulnerabilities.
- based on this Rule, create a Policy called policy-overview that consumes the Rule called rule-catch-everything
- Now it is time to combine the Policy with your repositories. Call the Watch panic-watch The last step is to trigger the watch to see the results. For this start the re-calculation of the watch manually.
the official docu is here: Policies and Rules https://www.jfrog.com/confluence/display/JFROG/Creating+Xray+Policies+and+Rules Watches https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches of check out my short video:
Rules and Policies
Watches
Inside the JFrog Platform you can create AdHoc Vulnerabilities Reports. Create a Report called ad-hoc-panic-report, select the scope Repositories and choose all maven and docker repositories we created today. After this press the button Generate Report Select the report and export it as pdf. The official docu is here: https://www.jfrog.com/confluence/display/JFROG/Vulnerabilities+Report If you are to lazy to read, try my JFrog HowTo.
You have now all steps in your hand to build repositories, build your projects and scann for known vulnerabilities. You are able to run your project inside a DevSecOps environment.
Your next task is to choose a small OpenSource project and try to get it running inside a fresh new FreeTier instance. If your are done with this, share it with the OpenSource project owner. ;-)
Sven Ruppert has been coding Java since 1996 in industrial projects and is working as Developer Advocate for JFrog. He is Oracle Developer Champion, regularly speaking at Conferences worldwide and contributes to IT periodicals, as well as tech portals.
Over 15 years he was working as a consultant worldwide in industries like Automotive, Space, Insurance, Banking, UN and WorldBank he still enjoying his main topic DevSecOps, Mutation Testing of Web apps and Distributed UnitTesting besides his evergreen topics Core Java and Kotlin.
Since we are all a bit more home, I started with my Youtube channels and combined my hobby bushcrafting with my work. The result are Outdoor-style IT Videos ;-) I really would appreciate to have YOU as my new subscriber!
Youtube Channel - Sven Ruppert - English