Developer Tools

Deepfactor integrates seamlessly with your existing CI/CD tools and is highly customizable. To help you customize and improve your experience, we’ve completely open sourced these integration capabilities and developer tools.

You can find all of our developer tools and integration points on our GitHub page.

Here are some highlights from our developer tools:

Jenkins Plugin

This Jenkins plugin enables you to instrument Deepfactor into your applications as part of your build/CI pipeline.

Jenkins Pipeline Integration

You can write simple Pipeline files that incorporate the pipeline steps.

step([$class: 'DfJenkinsBuilder',
        dfImageToBeInstrumented: 'DockerImageUrl', 
        dfApp: AppName, 
        dfComponent: ComponentName, 
        dfInstrumentedImageName: '',
        dfSuffix: 'SuffixToDifferentiate'])

 

Jenkins Pipeline Build Status

The build status correctly displays Success/Failure and shows the sub-steps the build takes while running:

Downloading Dockerfile : Success
getDfImageToBeInstrumented = ImageUrl
imageUnSealed = ImageUrl
imageSealed = ImageUrl
imageTag = ImageVersionTag
image id = DockerImageId
Success in Pushing Image

 

Architecture
The code is structured around:

  • Jenkins Configuration Management
FormValidation.error(Messages.DfJenkinsBuilder_DescriptorImpl_errors_missingDfUserName());

 

  • Docker Management
// Build the instrumented (sealed) image from the original (unsealed) one
imageId = dfDockerManager.build(
       imageUnSealed, imageSealed,
       this.getDfApp(),
       this.getDfComponent(),
       sealerToken);

// Create the Docker client using the Jersey-based command executor
DockerCmdExecFactory dockerCmdExecFactory = new JerseyDockerCmdExecFactory();
dockerClient = DockerClientBuilder.getInstance(config)
   .withDockerCmdExecFactory(dockerCmdExecFactory).build();

 

  • JSON Parsing
dfParseManager.parseGetSealerToken(response);
dataSealer = gson.fromJson(jsonString, DfParsingBeans.LoginResponseSealer.class).data;

 

  • Authenticated WebClient
String authToken = dfWebClient.getAuthToken();
sealerToken = dfWebClient.getSealerToken(authToken);

 

We’re also open sourcing two vulnerable applications that we created to test Deepfactor. You can use these applications to test Deepfactor in your own environment, too:


Goaty Finance

Goaty Finance is a stock ticker app written using Node.js, PostgreSQL and Redis. It contains multiple security vulnerabilities including:

  • CVE-2019-18276: A privilege escalation vulnerability with a CVSS score of 7.8 (highly likely to be exploited).
  • CVE-2019-10742: A denial of service vulnerability with a CVSS score of 7.5 (highly likely to be exploited).
  • CVE-2020-10029: A buffer overflow vulnerability with a CVSS score of 5.5 (medium likelihood of being exploited).
  • CVE-2020-1752: An arbitrary code execution vulnerability with a CVSS score of 7.0 (highly likely to be exploited).

Goaty Shop (E-commerce)

Goaty Shop is an e-commerce web site selling Star Wars themed items, written using Django and Python. It contains multiple security vulnerabilities including:

  • CVE-2019-1010022: A buffer overflow vulnerability with a CVSS score of 9.8 (critical – extremely likely to be exploited).
  • CVE-2010-4052: A denial of service vulnerability.
  • CVE-2018-20796: A buffer and heap overflow vulnerability with a CVSS score of 7.5 (highly likely to be exploited).
  • Information Disclosure – Suspicious Comments: Server sends responses that appear to contain suspicious comments which may help an attacker.
  • Timestamp Disclosure – Unix: Server timestamp is disclosed by the application/web server.

We’d love to get your pull requests and comments to improve these capabilities and vulnerable applications moving forward. Stay tuned for more developer tools on our GitHub repository soon!