Updating scripts

.github/workflows/debricked.yml

@@ -28,7 +28,7 @@ on:
 
 # Global environment variables
 env:
-  DEFAULT_APP_NAME: "IWA"
+  DEFAULT_APP_NAME: "IWA-Java"
   GRADLE_VERSION: "7.3"
 
 jobs:

.github/workflows/fast.yml

@@ -20,7 +20,7 @@ on:
 
 # Global environment variables
 env:
-  DEFAULT_APP_NAME: "IWA"
+  DEFAULT_APP_NAME: "IWA-Java"
   DEFAULT_APP_URL: "https://iwa.onfortify.com"
   DEFAULT_PYTHON_VERSION: "3.12.3"
   DEFAULT_IMAGE_NAME: "fortifydocker/fortify-fast:24.2.ubuntu.2204"

.github/workflows/fod.yml

@@ -48,7 +48,7 @@ on:
 
 # Global environment variables
 env:
-  DEFAULT_APP_NAME: "IWA-PharmacyDirect"
+  DEFAULT_APP_NAME: "IWA-Java"
   BASE_DIR: "."
 
 jobs:

.github/workflows/scancentral.yml

@@ -44,7 +44,7 @@ on:
 
 # Global environment variables
 env:
-  DEFAULT_APP_NAME: "IWA"
+  DEFAULT_APP_NAME: "IWA-Java"
   GRADLE_VERSION: "7.3"
 
 jobs:

README.md

@@ -1,6 +1,6 @@
-[![DevSecOps with Fortify on Demand](https://github.com/fortify-presales/IWA/actions/workflows/fod.yml/badge.svg)](https://github.com/fortify-presales/IWA/actions/workflows/fod.yml)
+[![DevSecOps with Fortify on Demand](https://github.com/fortify-presales/IWA-Java/actions/workflows/fod.yml/badge.svg)](https://github.com/fortify-presales/-Java/actions/workflows/fod.yml)
 
-# IWA (Insecure Web App) Pharmacy Direct
+# IWA (Insecure Web App) Pharmacy Direct - Java edition
 
 #### Table of Contents
 
@@ -210,7 +210,7 @@ In order to use ScanCentral SAST you will need to have entries in the `.env` sim
 ```
 SSC_URL=http://localhost:8080/ssc
 SSC_AUTH_TOKEN=6b16aa46-35d7-4ea6-98c1-8b780851fb37
-SSC_APP_NAME=IWA
+SSC_APP_NAME=IWA-Java
 SSC_APP_VER_NAME=main
 SCANCENTRAL_CTRL_URL=http://localhost:8080/scancentral-ctrl
 SCANCENTRAL_CTRL_TOKEN=96846342-1349-4e36-b94f-11ed96b9a1e3
@@ -424,7 +424,7 @@ For integrations with other pipeline tools please see [https://github.com/fortif
 
 Please see the [Contribution Guide](CONTRIBUTING.md) for information on how to develop and contribute.
 
-If you have any problems, please consult [GitHub Issues](https://github.com/fortify-presales/IWAPharmacyDirect/issues) to see if it has already been discussed.
+If you have any problems, please consult [GitHub Issues](https://github.com/fortify-presales/IWA-Java/issues) to see if it has already been discussed.
 
 ## Licensing
 

bin/cleanup.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Import local environment specific settings
+ENV_FILE="${PWD}/.env"
+if [ ! -f $ENV_FILE ]; then
+    echo "An '.env' file was not found in ${PWD}"
+    exit 1
+fi
+source .env
+AppName=$SSC_APP_NAME
+ScanSwitches="-Dcom.fortify.sca.ProjectRoot=.fortify"
+
+if [ -z "${AppName}" ]; then
+    echo "Application Name has not been set in '.env'"; exit 1
+fi
+
+echo Removing files...
+sourceanalyzer $ScanSwitches -b "$AppName" -clean
+rm -rf .fortify
+rm -f "${AppName}.fpr"
+rm -f "${AppName}.pdf"
+rm -f "fod.zip"
+rm -f "*Package.zip"
+rm -rf ".debricked"
+rm -rf "instance"
+echo Done.

bin/init-letsencrypt.sh

@@ -5,7 +5,7 @@
 #  exit 1
 #fi
 
-domains=(iwa.onfortify.com)
+domains=(demoapp.onfortify.com)
 rsa_key_size=4096
 data_path="./data/certbot"
 email="" # Adding a valid address is strongly recommended

bin/sast-scan.sh

@@ -0,0 +1,84 @@
+#!/bin/bash
+#
+# Example script to perform Fortify Static Code Analysis
+#
+
+# Retrieve parameters
+SkipPDF=1
+SkipSSC=1
+while [[ "$#" -gt 0 ]]; do
+    case $1 in
+	    -p|--scan-policy) ScanPolicy="$2"; shift ;;
+        --create-pdf) SkipPDF=0 ;;
+	    --upload-to-ssc) SkipSSC=0 ;;
+        *) echo "Unknown parameter passed: $1"; exit 1 ;;
+    esac
+    shift
+done
+if [ -z "$ScanPolicy" ]; then
+    ScanPolicy="classic"
+fi
+echo "Using ScanPolicy: ${ScanPolicy}"
+if [ $SkipPDF -eq 1 ]; then
+    echo "... skipping PDF generation"
+fi
+if [ $SkipSSC -eq 1 ]; then
+    echo "... skipping upload to SSC"
+fi
+
+# Import local environment specific settings
+ENV_FILE="${PWD}/.env"
+if [ ! -f $ENV_FILE ]; then
+    echo "An '.env' file was not found in ${PWD}"
+    exit 1
+fi
+source .env
+AppName=$SSC_APP_NAME
+AppVersion=$SSC_APP_VER_NAME
+SSCUrl=$SSC_URL
+SSCAuthToken=$SSC_AUTH_TOKEN # AnalysisUploadToken
+JVMArgs="-Xss256M"
+ScanSwitches="-Dcom.fortify.sca.ProjectRoot=.fortify"
+
+if [ -z "${AppName}" ]; then
+    echo "Application Name has not been set in '.env'"; exit 1
+fi
+if [ -z "${AppVersion}" ]; then
+    echo "Application Version has not been set in '.env'"; exit 1
+fi
+
+#
+# Build application to create classpath file
+echo Creating Classpath file
+./gradlew clean build writeClasspath -x test
+ClassPath=$(<build/classpath.txt)
+
+# Run the translation and scan
+#
+echo Running translation...
+
+sourceanalyzer $ScanSwitches $JVMArgs -b "$AppName" -jdk 11 -java-build-dir "build/classes" -cp $ClassPath \
+    -exclude "./src/main/resources/static/js/lib" -exclude "./src/main/resources/static/css/lib" \
+    -exclude "./node_modules" -exclude "src/main/resources/schema.sql" -exclude "src/main/resources/data.sql" \
+    "src/iac/**/*" "src/main/java/**/*" "src/main/resources/**/*" "Dockerfile*"
+
+echo Running scan...
+sourceanalyzer $ScanSwitches $JVMArgs -b "$AppName" -debug -verbose \
+    -rules etc/sast-custom-rules/example-custom-rules.xml -filter etc/sast-filters/example-filter.txt \
+    -scan-policy $ScanPolicy -build-project "$AppName" -build-version "$AppVersion" -build-label "SNAPSHOT" \
+    -scan -f "${AppName}.fpr"
+
+# summarise issue count by analyzer
+FPRUtility -information -analyzerIssueCounts -project "${AppName}.fpr"
+
+if [ $SkipPDF -eq 0 ]; then
+    echo Generating PDF report...
+    ReportGenerator $ScanSwitches -user "Demo User" -format pdf -f "${AppName}.pdf" -source "${AppName}.fpr"
+fi
+
+if [ $SkipSSC -eq 0 ]; then
+    echo Uploading results to SSC...
+    fortifyclient uploadFPR -file "${AppName}.fpr" -url $SSCUrl -authtoken $SSCAuthToken -application "$AppName" -applicationVersion "$AppVersion"
+fi
+
+echo Done.