1.1.7 • Published 3 years ago

h2pcli v1.1.7


H2PCLI

  1. Why H2P cli
  2. Installation
  3. Encrypt and decrypt using h2pcli
  4. Initiate scan using h2pcli
  5. Get Scan Results

h2pcli is a command-line tool for interacting with the H2P backend. It is written mainly in Node.js and is installed with npm.

This tool is still being enhanced. As of today (01/June/2021) it can be used for the following:

  1. Encryption: encrypt secrets such as usernames, passwords and tokens
  2. Decryption: decrypt secrets that were encrypted with h2pcli; currently used only internally by the H2P team to decrypt secrets at runtime during execution
  3. Trigger scan: start a scan
  4. Get scan results: fetch scan results and status

Why H2P cli

H2P cli makes interacting with the H2P backend (initiating scans, fetching scan results, and so on) simple for end users.

Once installed, h2pcli can be run from a CI tool such as Jenkins or from a laptop/desktop (currently tested on Linux and macOS).

Dependencies and Installation

  • Install Node.js if not already installed
  • Clone the h2pcli repository from Bitbucket
  • git clone https://gitserver.fairisaac.com:8443/scm/pf/h2pcli.git
  • cd h2pcli/h2pcli/ # cd into the subdirectory named h2pcli within the main repo
  • sudo npm install -g . # install h2pcli globally using npm
  • h2pcli help # test the h2pcli installation (optional)
  • h2pcli encrypt # test h2pcli encryption (optional)

Note on the global install: `sudo npm install -g .` resolves the package's dependencies and runs their npm lifecycle scripts as root. On a shared CI agent, prefer a user-writable npm prefix (for example `npm config set prefix ~/.npm-global`, then `npm install -g .` without sudo) so that a compromised dependency cannot execute with root privileges.

An example of installing h2pcli as a stage in a Jenkins pipeline is here: https://gitserver.fairisaac.com:8443/projects/PF/repos/h2p-cli-testing/browse/Jenkinsfile?at=feature/HTP-624-cli-test#17

Note: the plan is to make h2pcli installable directly from npm in the near future, for example: npm install h2pcli

Encrypt secret using h2pcli

Usage: h2pcli encrypt <secret>

Example:

```
h2pcli encrypt secretpassword
Input Arguments: 'encrypt', 'secretpassword'
j5hjbUw3ghZ6lCeFW5y3jGwq8UTF1raxC8ftvISnE6dAYxnYFtgvFy+PH3qwrD8SFOro3DaE7GHh+YcO+x0hM5/y279Ag0WvwDTTxbI4TZXzIOmnBaDFAmty59eIS7p9jVqzgrk/ymO1K0b2qfnF2K9TkyPHPLjihIQazc9k0cBJFAH2qJarsyB8Wxt0UXW9EZkUMqqdUude/WW4dMX/BqWjQFi4OgTKZq1c9LtsPtogCHY0KF12Z7SLDKglmBQYlLzqO5Ou9xZGO51ijkNSB4/Tv2jjBXEmN4KQyxmu9X8uItDeX6oOrzqeoWF18Ws+bBgoMgbmIJmBffNY6++lAg==
```

The last line is the ciphertext, base64-encoded. It decodes to 256 bytes, which is consistent with a single 2048-bit RSA block, and it is decrypted with the H2P private key in the next section, so the ciphertext itself can be kept in pipeline configuration while the secret stays with whoever holds the private key. Copy the whole string, including the trailing "==" padding, when you use it later.
Decrypt using h2pcli

(this is currently used only within the H2P team)

Download the H2P private key for decryption from AWS SSM and save it under /root on the filesystem:

  • Download the private key
  • aws ssm get-parameter --name "/path/to/private/key/in/awsssm" --output text --query Parameter.Value --region=us-west-2 --with-decryption | base64 -d - > /root/H2P-privatekey.pem
  • Decrypt using h2pcli
  • h2pcli decrypt j5hjbUw3ghZ6lCeFW5y3jGwq8UTF1raxC8ftvISnE6dAYxnYFtgvFy+PH3qwrD8SFOro3DaE7GHh+YcO+x0hM5/y279Ag0WvwDTTxbI4TSLDKglmBQYlL=

Because the command pipes through base64 -d, the SSM parameter is expected to hold the base64-encoded PEM, and --with-decryption returns it in the clear; the file written to /root is therefore the private key itself. Restrict it (chmod 600 /root/H2P-privatekey.pem) and delete it when the job finishes so it does not linger in a CI workspace or image layer. The ciphertext shown in the decrypt command above is abridged; pass the complete string printed by h2pcli encrypt, otherwise decryption fails.
Initiate scan using h2pcli

  • scan requires its input parameters as a JSON file (absolute or relative path to the JSON file as the argument)

Example for a Black Duck scan. Create the JSON file to be passed as the argument for scan:

```
cat /home/ec2-user/scan.json
{
  "repository": "h2pcli",
  "commit": "b0cca2f0ee6",
  "phase": "develop",
  "project": "pf",
  "blackduck": {
    "detect_project_name": "h2pcli",
    "detect_gradle_path": "./gradlew",
    "detect_yarn_prod_only": "true",
    "detect_npm_include_dev_dependencies": "false",
    "logging_level_com_synopsys_integration": "DEBUG",
    "detect_detector_search_continue": "true"
  },
  "checkmarx": {
    "projectID": "H2P",
    "username": "checkmarx",
    "password": "password"
  }
}
```

The checkmarx block carries a username and password in plaintext, so treat scan.json as a secret: generate it in the pipeline from a credentials store rather than committing it, and do not cat it into build logs as in the illustration above. Passwords like this are the use case the encrypt command above is meant for.

  • Execute the scan

Run the scan from h2pcli:

```
h2pcli scan /home/ec2-user/scan.json
Input Arguments: 'scan', '/home/ec2-user/scan.json'
Token: EdwmBQHj1dB8WerrgFLI6e42w3usq72V
trigger blackduck scan
{ data: { createBlackduck: { result: '"Scan started"', result_tl: 'Scan started', __typename: 'Blackduck' } } }
```

The token is generated and passed to the scan automatically; it is also printed in the output (the Token: line, line 3 in the block above). Keep it: together with the commit it identifies the scan when fetching results.

Get Scan Results

result requires the token and the commit as arguments. Example for "h2pcli result":

```
h2pcli result EdwmBQHj1dB8WerrgFLI6e42w3usq72V 7daa327bb54
Input Arguments: 'result', 'EdwmBQHj1dB8WerrgFLI6e42w3usq72V', '7daa327bb54'
{
  data: {
    getBlackduck: {
      result: '"{\\"operationalRiskProfile\\": {\\"counts\\": [{\\"countType\\": \\"HIGH\\", \\"count\\": 3}, {\\"countType\\": \\"MEDIUM\\", \\"count\\": 0}, {\\"countType\\": \\"LOW\\", \\"count\\": 3}, {\\"countType\\": \\"OK\\", \\"count\\": 1}, {\\"countType\\": \\"UNKNOWN\\", \\"count\\": 0}]}, \\"securityRiskProfile\\": {\\"counts\\": [{\\"countType\\": \\"CRITICAL\\", \\"count\\": 0}, {\\"countType\\": \\"HIGH\\", \\"count\\": 0}, {\\"countType\\": \\"MEDIUM\\", \\"count\\": 0}, {\\"countType\\": \\"LOW\\", \\"count\\": 0}, {\\"countType\\": \\"OK\\", \\"count\\": 7}, {\\"countType\\": \\"UNKNOWN\\", \\"count\\": 0}]}, \\"licenseRiskProfile\\": {\\"counts\\": [{\\"countType\\": \\"HIGH\\", \\"count\\": 0}, {\\"countType\\": \\"MEDIUM\\", \\"count\\": 0}, {\\"countType\\": \\"LOW\\", \\"count\\": 0}, {\\"countType\\": \\"OK\\", \\"count\\": 7}, {\\"countType\\": \\"UNKNOWN\\", \\"count\\": 0}]}}"',
      result_tl: 'RED',
      __typename: 'Blackduck'
    }
  },
  loading: false,
  networkStatus: 7,
  stale: false
}
```

result_tl is the overall verdict for the scan ('RED' here). result is a JSON string (note the escaped quotes) holding the Black Duck risk profiles: operationalRiskProfile, securityRiskProfile and licenseRiskProfile, each a list of countType/count pairs. In this run the security and license profiles are all OK while the operational profile has 3 HIGH and 3 LOW entries. A pipeline gate should read result_tl and these counts as data rather than grep the raw string.
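Wiring the scan and result steps above into a CI gate, as an added example written for this page rather than code from h2pcli or the H2P project. It assumes that the scan output keeps the "Token: <value>" line on its own line as shown, and that the result field arrives as a JSON-encoded string (which is what the escaped quotes in the printed output suggest). The gate policy itself (fail on RED or on any CRITICAL/HIGH security finding, and fail closed when no verdict is present) is an assumption, not H2P's documented rule; both samples are constructed from the values printed on this page.

```javascript
// Added example (not h2pcli's own code): parse "h2pcli scan" output for the
// token and turn a getBlackduck response into a pass/fail decision.
// Assumptions: the Token: line format shown above, and a JSON-encoded
// "result" string; the gate policy below is ours, not H2P's.
'use strict';

// Constructed sample of the text "h2pcli scan" prints (values from the page).
const SAMPLE_SCAN_STDOUT = [
  "Input Arguments: 'scan', '/home/ec2-user/scan.json'",
  'Token: EdwmBQHj1dB8WerrgFLI6e42w3usq72V',
  'trigger blackduck scan',
  "{ data: { createBlackduck: { result: '\"Scan started\"', result_tl: 'Scan started', __typename: 'Blackduck' } } }",
].join('\n');

// Constructed sample of the getBlackduck response as a client would receive
// it (the page shows the console rendering of the same data).
const SAMPLE_RESULT = {
  data: {
    getBlackduck: {
      result: JSON.stringify({
        operationalRiskProfile: { counts: [
          { countType: 'HIGH', count: 3 }, { countType: 'MEDIUM', count: 0 },
          { countType: 'LOW', count: 3 }, { countType: 'OK', count: 1 },
          { countType: 'UNKNOWN', count: 0 } ] },
        securityRiskProfile: { counts: [
          { countType: 'CRITICAL', count: 0 }, { countType: 'HIGH', count: 0 },
          { countType: 'MEDIUM', count: 0 }, { countType: 'LOW', count: 0 },
          { countType: 'OK', count: 7 }, { countType: 'UNKNOWN', count: 0 } ] },
        licenseRiskProfile: { counts: [
          { countType: 'HIGH', count: 0 }, { countType: 'MEDIUM', count: 0 },
          { countType: 'LOW', count: 0 }, { countType: 'OK', count: 7 },
          { countType: 'UNKNOWN', count: 0 } ] },
      }),
      result_tl: 'RED',
      __typename: 'Blackduck',
    },
  },
};

// Pull the scan token out of the scan output. Throw rather than continue
// with an empty token, which would make the later result lookup wrong.
function extractToken(scanStdout) {
  const m = /^Token:\s*([A-Za-z0-9]+)\s*$/m.exec(scanStdout);
  if (!m) throw new Error('no Token: line in h2pcli scan output');
  return m[1];
}

// Decode the JSON-encoded result string into {profile: {countType: count}}.
function parseRiskProfiles(resultString) {
  const profiles = JSON.parse(resultString);
  const out = {};
  for (const [name, profile] of Object.entries(profiles)) {
    out[name] = Object.fromEntries(profile.counts.map((c) => [c.countType, c.count]));
  }
  return out;
}

// Gate policy (assumption): fail on a RED verdict or on any CRITICAL/HIGH
// security finding; fail closed when the verdict is missing.
function evaluate(response) {
  const node = response && response.data && response.data.getBlackduck;
  if (!node || !node.result_tl) return { pass: false, reason: 'no verdict in response' };
  const profiles = node.result ? parseRiskProfiles(node.result) : {};
  const sec = profiles.securityRiskProfile || {};
  const severe = (sec.CRITICAL || 0) + (sec.HIGH || 0);
  if (node.result_tl === 'RED') return { pass: false, reason: 'result_tl is RED', profiles };
  if (severe > 0) return { pass: false, reason: `${severe} critical/high security findings`, profiles };
  return { pass: true, reason: 'no blocking findings', profiles };
}

// Stand-alone demo on the constructed samples.
console.log('token:', extractToken(SAMPLE_SCAN_STDOUT));
const verdict = evaluate(SAMPLE_RESULT);
console.log(verdict.pass ? 'PASS' : 'FAIL', '-', verdict.reason);
```

In a pipeline step the caller would set the process exit status from `verdict.pass`; keeping the policy in one function means the thresholds can be tightened (for example failing on MEDIUM license risk) without touching the parsing.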