From efed87d81dbad506da8ec9536e3d8872d42b2399 Mon Sep 17 00:00:00 2001
From: Ruud Senden <8635138+rsenden@users.noreply.github.com>
Date: Fri, 21 Jun 2024 14:43:31 +0200
Subject: [PATCH] fix: Fix GitLab instructions (fixes #30)

---
 USAGE.md | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/USAGE.md b/USAGE.md
index 3c3706b..cbde5cf 100644
--- a/USAGE.md
+++ b/USAGE.md
@@ -428,9 +428,13 @@ The following sections describe how to use the `fortifydocker/fortify-vulnerabil
 The following example illustrates how to utilize the `fortify/fortify-vulnerability-exporter` Docker image to integrate FortifyVulnerabilityExporter into a GitLab CI/CD pipeline for exporting vulnerability data from FoD to GitLab.
+Note that to avoid GitLab passing `sh` as an argument to FortifyVulnerabilityExporter (which will fail, as FortifyVulnerabilityExporter will interpret `sh` as the name of a configuration file), we need to override the image entrypoint and manually invoke the utility in the `script` section.
+
 ```
 fortify_scanning:
- image: fortifydocker/fortify-vulnerability-exporter
+ image:
+ name: fortifydocker/fortify-vulnerability-exporter
+ entrypoint: [""]
 variables:
 export_config: /config/FoDToGitLab.yml
 fod_baseUrl: https://ams.fortify.com
@@ -440,7 +444,7 @@ fortify_scanning:
 fod_release_name: MyApp:MyRelease # Or use fod_release_id: 1234
 script:
- - echo Script entry is required but not used
+ - java -DpopulateContainerDirs=true -cp "/app/classpath/*:app/libs/*" com.fortify.vulnexport.FortifyVulnerabilityExporter
 when: manual
 allow_failure: true
 artifacts:
@@ -458,9 +462,13 @@ As described in the [CI/CD Integration](#cicd-integration) section, you can opti
 The following example illustrates how to utilize the `fortify/fortify-vulnerability-exporter` Docker image to integrate FortifyVulnerabilityExporter into a GitLab CI/CD pipeline for exporting vulnerability data from SSC to GitLab.
+Note that to avoid GitLab passing `sh` as an argument to FortifyVulnerabilityExporter (which will fail, as FortifyVulnerabilityExporter will interpret `sh` as the name of a configuration file), we need to override the image entrypoint and manually invoke the utility in the `script` section.
+
 ```
 fortify_scanning:
- image: fortifydocker/fortify-vulnerability-exporter
+ image:
+ name: fortifydocker/fortify-vulnerability-exporter
+ entrypoint: [""]
 variables:
 export_config: /config/SSCToGitLab.yml
 ssc_baseUrl: ${SSC_BASE_URL}
@@ -468,7 +476,7 @@ fortify_scanning:
 ssc_version_name: MyApp:MyVersion # Or use ssc_version_id: 1234
 script:
- - echo Script entry is required but not used
+ - java -DpopulateContainerDirs=true -cp "/app/classpath/*:app/libs/*" com.fortify.vulnexport.FortifyVulnerabilityExporter
 when: manual
 allow_failure: true
 artifacts: