Wednesday 29 November 2017

SonarQube et Jenkins

SonarQube was fun while it lasted, while I used the embedded version. When it was time to get my production SonarQube on a separate server, it became a huge problem.

Firstly, Sonar had too many issues working on my AWS-hosted Windows 2016 server. My DB, a SQL Server, got connected to SonarQube, but Sonar expected it to be upgraded. It finally got upgraded, and Sonar had issues with it because the Latin_General_CP1_CS_AS got changed after the update and it was nowhere to be found.

Resolving the DB:
I got another SQL Server on AWS RDS and connected to that. I stopped the upgrade of that DB for the duration of setup.

SonarQube Version:
Sonar 6.3 Works!!! 6.5 - 6.7 had issues with SQL server.

Jenkins:
After all the drama with SonarQube, then came Jenkins. I thought it would be easier but it obviously wasn't. I got the necessary plugins installed, including Sonar Scanner. Now, the configuration is the issue.
With Jenkins, ensure you use the JDK for Ant; otherwise, Jenkins won't see it. Also, you need to reference the Sonar properties in the Sonar Scanner section of the Build configuration.
Important!! Don't forget to get your Sonar token from the Sonar Administration portal. You may choose version 5.2 in the Jenkins configuration to enter a username and password, but if you use anything higher, you require a token!

Tuesday 21 November 2017

Huddle for some weeks

I've been working on installing SonarQube to use for secure code analysis.
Boy! I never knew SonarQube could be this easy and yet complicated. I'm still working on it.

What I've done so far:

  1. Got a Windows server on AWS
  2. Set up an RDS for SQL Server in AWS
  3. Installed Java (JRE; the JDK gave me serious trouble, so I stuck with just the JRE), Ant (needed for the plugin and I need it in Sonar) and SonarQube.
  4. Downloaded sqljdbc_6.0


SonarQube issues:
Firstly, the database is very different for AWS when using RDS. Connecting to the database in sonar.properties doesn't require localhost. You'll need the RDS connection string, which can be obtained from AWS or when you log into SQL Server on the Amazon Windows machine. (If you have questions regarding this, please comment and I'll respond as soon as I can.)

Secondly, ensure your database was created properly! You can google SonarQube SQL Server database and you'll find information on what's required in the "collation" properties.

Ensure you include the Java JRE location in the wrapper properties; it should be at the top of the page. Do not edit the other parts of it; it's strictly prohibited if you expect Sonar to work.
***********************************

I tried all these with SonarQube 6.3, 6.5 and 6.6.

I got kicked out a lot of times with issues regarding IP address, firewall and Java. Now, enable ports 9000, 9001 (if needed) and 1433 through your firewall. Trust me, sometimes this can resolve a bunch of issues; it worked for me.
SonarQube 6.6 worked after installation but it had issues with some upgrade to the database, which I found out is synonymous with "upgrade SonarQube".

Friday 10 November 2017

Hello there... I'm still here

Yes, yes, I know!
It's been so long here. The craziness in this industry isn't funny. Some days are spent researching and configuring, other days are more analytical. Well, I'm still here and I've got this!
I'm installing Oracle on Ubuntu 😧😧😧
It has given me a few sleepless nights because it keeps looking for a zipped directory! Well, I'm working on it and I'll try to share any tips. For now, I've got to run. Please don't quit on me, I'll be right back with more juice :)

Wednesday 13 September 2017

My next adventure

Prior to this post, I've been working on configuring an HSM for generating secure keys that are FIPS compliant, owing to the nature of my job and the calibre of clients the company has.
I'll update the information regarding the HSM. I've lost track of what I've done because I've been extremely busy fixing lots of bugs, from security systems to program code.

Today I'm working on moving files securely when a folder on one of our AWS servers has been updated. I'll need this file moved to another server in a different AWS location and a different machine. Technically, from Linux to Windows.
I got to know of a Python package that could do this job. I'll need to write a script and run a cron job every week to ensure that no file is missed.

So my first and only hassle at present is with the Paramiko package.
It's a bit weird to install on Linux.
If you have similar issues visit: http://www.paramiko.org/installing.html

Afterwards, if you use CentOS, you should do this: yum install python-paramiko

And that's it, your script should run okay. Please comment on any ideas you may have encountered while trying out new things, I want to learn from you!
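
A sketch of the weekly job described above, added here as an example and not the script from the original post: it hashes the watched folder, uploads only new or changed files over SFTP with Paramiko, and refuses to connect if the server's host key is not already in known_hosts. The paths, host, user and manifest file are hypothetical, and it assumes the Windows machine runs an SSH/SFTP server.

```python
import hashlib
import json
from pathlib import Path

# Hypothetical names throughout: directories, host, user and key file are assumptions.

def sha256_of(path):
    """Hash a file in chunks so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def changed_files(watch_dir, manifest_path):
    """Return (files new or modified since the last run, current manifest)."""
    previous = {}
    if manifest_path.exists():
        previous = json.loads(manifest_path.read_text())
    current = {p.name: sha256_of(p)
               for p in sorted(watch_dir.iterdir()) if p.is_file()}
    pending = [watch_dir / name for name, digest in current.items()
               if previous.get(name) != digest]
    return pending, current


def push_changes(watch_dir, manifest_path, host, user, key_file, remote_dir):
    """Upload pending files over SFTP; keep the manifest outside watch_dir."""
    import paramiko  # imported here so change detection runs without it

    pending, current = changed_files(Path(watch_dir), Path(manifest_path))
    if not pending:
        return []
    client = paramiko.SSHClient()
    client.load_system_host_keys()  # trust only keys already in known_hosts
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    client.connect(host, username=user, key_filename=key_file)
    try:
        sftp = client.open_sftp()
        for path in pending:
            sftp.put(str(path), f"{remote_dir}/{path.name}")
        sftp.close()
    finally:
        client.close()
    # Record the new state only after every upload succeeded, so a failed
    # run retries the same files on the next cron execution.
    Path(manifest_path).write_text(json.dumps(current, indent=2))
    return [p.name for p in pending]
```
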

Monday 28 August 2017

Installing Force.com CLI

I have spent the better part of my morning, laying flat on my back, my head propped on my pillow, while I tried resolving the Salesforce logs issue.
The biggest hurdle was installing the force.com CLI on a Fedora machine. There isn't a lot of help around the internet. It was a real struggle!!
I'm grateful to God that my morning can be very meaningful as I found a very useful article to help.

Step 1
Install node js on Fedora
yum install nodejs

Step 2
Install force cli using node js
npm install force-cli
("you may want to create the force directory in /usr/bin before going on with step 2")
 

Monday 14 August 2017

Before I leave work, I've got some progress to share

So, like you all know, I've been in this pond of Salesforce logs pull to S3. It has been an amazing and heartbreaking adventure.
So far, I've been able to get through using curl scripts and finally with python.
I found a helpful git script that I modified to mine, if you can find it, it's called ELF.

I successfully got Salesforce logs onto my VM, the next hurdle was to upload to S3. So far not much is automated (that's for another day).
I successfully got SF logs automated to S3 from my VM. I set up a cron job for this but I'm still working my way out with the Lambda function (I guess because it sounds way too mathematical I have slightly given up on it but I'll work hard to get a victory :) ).

That's my day in brief, after turning up at work way past midday. It's time to finally go home and get ready for tomorrow. A new day, fresh start, fresh tasks and more hurdles to accomplish great things!

Solution 1 - Problems I encountered in my quest 'moving logs to S3'

IMPORTANT!!!
This is a continuation of my previous post.

Installing Heroku in Kali:
This was my biggest hurdle. I couldn't get this installed in Kali Linux (I am still a novice in Cyber security - pen testing and R.E that's why I'm a researcher). I tried to find all the help I could get everywhere to get Heroku working.

Warning:
If you are doing this and you use mv /source /dest/lib.... don't do this!!! It doesn't install this way
You'll need to do this: /usr/local/lib/heroku/install

Tuesday 8 August 2017

Ways to move Salesforce Monitoring logs from Shield to S3

In one of my previous posts, I did mention how I was struggling with the reality of moving logs from Salesforce shield to Amazon S3.
After so many attempts at Googling and random research coupled with disturbing my manager about my findings, I came across something quite useful, I think.

Solution 1:
Shield logs are in Heroku, so I created a Heroku account to move my logs there using a free plugin, then from the plugin to S3 (the plugin integrates nicely with S3). Heroku however has failed to work as it should but we are getting there.

Solution 2 from my Manager:
Use a cURL script, download the logs to the desktop and upload to S3 (I will try it if 1 doesn't work).

Solution 3:
I found that I could use a Python script to pull it through to S3 directly, but the Lambda function on AWS is a bit awry for me (maybe not the right word but that would do).

Friday 4 August 2017

My mistake with Salesforce

I never fully understood the consequences of refreshing your Salesforce sandbox or production.
I learnt that this week and tried everything under the sun to get away with it without affecting customers of my organisation.
Oh well, I learnt well. I found out that it is possible to discard a refresh only when the refresh has gone through (that long wait of panic!). Everything on the staging Sandbox remains the same, thank God!

For you to know:
If you don't already know, when the sandbox refresh is done --> Quickfind --> sandboxes --> discard
The discard option will be next to the activate option after the refresh has gone through. DO NOT ACTIVATE if you don't intend losing data especially if you do not intend copying information from your production to your staging or whatever sandbox.

Wednesday 2 August 2017

Dear dear Readers

I know it can be rather frustrating to return to a blog you read of similar interests, and it hasn't been updated, not a picture or a text.
I understand you dear reader, and I must give my utmost apology for this space of time when I've been unable to click on the "blogger" or bring myself to think of the phrases to explain my next "adventure".

This is my little note of apology and I hope you understand. Since I got my new role that has barely given me space for myself due to the job excitement, I have been incommunicado with you. I sincerely do apologise but I won't be too quick to add that it will never be repeated because I am human and we always make mistakes. Rather, I'll add that I will do my best to keep the experience here more up-to-date and well, exciting (I should hope). Having said that, I've been up to rather new and strange exciting tasks of late.

I am doing something quite different at the moment and I thought to share this because I do not know if I'll be able to keep my head above water. To save you from drowning in this sea of AWS and Salesforce, I had to quickly steal 10 minutes from my regular desk to my news desk.

So here:
I am working on moving Salesforce logs, which are saved in an app termed EM WAVE, to Amazon's S3 bucket.
As you may all have guessed, I'm pretty new to Amazon Web Services (A.K.A AWS). I took a dive in when the AWS Engineer bailed out on the organisation I work for. Well, not exactly but kind of. He wasn't very happy with his job and I could tell on my first week on the job. Anyway, fast-forward to this week, I have to create a lambda function to move the Wave logs to S3, apparently, I need a python script for this. "Where is my Python knowledge stored again?"
What I've done is, I'm trying it out with a test S3. I thought to install an app in my Salesforce Sandbox to try it out, that was so silly because Salesforce logs aren't stored in salesforce.com. I'm getting a little help from Salesforce website and another referred by Salesforce:




That's it so far. I'll update the blog about my big mistake with Salesforce, I promise.

Saturday 4 February 2017

How to know what needs to be known

I have a problem choosing what particular course to take online, or what experiment to do in relation to InfoSec because I studied Computing and Security and I just finished studying Information Systems security (I am not satisfied though because universities choose what to teach you).

I decided to choose what I wish to learn but then the more vulnerabilities and threats I assess, the more I want to know in depth about that area of infosec. I can't!!

Thank you Information Security you are so broad!!!

How to decide what path to take
I asked me, "what excites you about Info Sec"? Managing vulnerabilities, watching threats, helping to block out threats and fix problems. That brought me to ---> Pen testing. (I have only a year of experience in vulnerability management and threat analysis).

Okay, great! There's so much to know in Pen testing, where do I begin? ARM/x86, scripting in Python, learning to use more tools like nmap?

I need help!!!!

Currently I am taking a course in py (I know, this is my second attempt at scripting; first it was js and I got bored, but Python has got me captured).
I am also taking a course in Ethical hacking alongside and I am interested in CompTIA A+ to know more about networking and dodgy requests coming through. Argh!!! Too much at one time, but I need to choose between eth hacking and CompTIA. Please help if you are a pro in this or have overcome this decision making process.
Thank you kindly!

Sunday 29 January 2017

How time flies

It's been a while since I was on here to keep you up-to-date with my experiments in IS security. I can tell you there hasn't been much done since my last post, the reason being that I have been swamped with work and I can't seem to get a breather.

This weekend, I am back on my course. I'm learning ethical hacking and afterwards reverse engineering.
I am also learning Python alongside, but that's taking too long as the course is going through the first phases of programming (boring and I already know it), but I have to do it anyway because I can't skip!
I'll certainly keep you updated if anything new comes up.

The only new thing so far is the BeEF tool. (You can use this to hack a Windows PC; that's how much I know at the moment.)

Have a fun filled week doing what you love doing, hopefully that's something in IS security.