Merge pull request #29 from fortify/cloud-dso-integration
Updated for AWS and GCP
Showing
3 changed files
with
145 additions
and
0 deletions.
@@ -0,0 +1,48 @@ | ||
version: 0.2 | ||
env: | ||
variables: | ||
FOD_RELEASE_ID: "XXXXX" | ||
parameter-store: | ||
FOD_BASEURL: "/fod/baseurl" | ||
FOD_TENANT: "/fod/tenant" | ||
FOD_USER: "/fod/user" #Client ID | ||
FOD_PWD: "/fod/pwd" #Client Secret | ||
phases: | ||
install: | ||
runtime-versions: | ||
java: corretto11 | ||
commands: | ||
# Upgrade AWS CLI to the latest version | ||
- pip install --upgrade awscli | ||
pre_build: | ||
commands: | ||
- mvn clean | ||
build: | ||
commands: | ||
- mvn -Pwar clean package | ||
#- mvn package | ||
post_build: | ||
commands: | ||
# Do not remove this statement. This command is required for AWS CodeStar projects. | ||
# Update the AWS Partition, AWS Region, account ID and project ID in the project ARN in template-configuration.json file so AWS CloudFormation can tag project resources. | ||
- sed -i.bak 's/\$PARTITION\$/'${PARTITION}'/g;s/\$AWS_REGION\$/'${AWS_REGION}'/g;s/\$ACCOUNT_ID\$/'${ACCOUNT_ID}'/g;s/\$PROJECT_ID\$/'${PROJECT_ID}'/g' template-configuration.json | ||
################################################### | ||
# INTEGRATE FORTIFY SAST # | ||
# # | ||
# For FORTIFY ON DEMAND uncomment the next line # | ||
- bash fortify-sast-fod.bash | ||
# # | ||
# For FORTIFY SCANCENTRAL uncomment the next line # | ||
#- bash fortify_sast_scancentral.bash | ||
# # | ||
# For LOCAL FORTIFY SCA uncomment the next line # | ||
#- bash fortify_sast_local.bash | ||
# # | ||
################################################### | ||
artifacts: | ||
files: | ||
- 'appspec.yml' | ||
- 'template.yml' | ||
- 'scripts/*' | ||
- 'target/iwa.war' | ||
- 'template-configuration.json' |
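Review bot: `pip install --upgrade awscli` on the install phase is unpinned, so each build pulls whatever PyPI currently serves as "latest" into the build container; nothing else in this buildspec invokes the AWS CLI (the scan is driven entirely by `bash fortify-sast-fod.bash`), so either pin it (`pip install awscli==<version>`) or drop the line so the toolchain is reproducible. The FoD client ID and secret come from Parameter Store as ordinary env vars (`FOD_USER`, `FOD_PWD`); confirm those parameters are stored as SecureString (or move them to `secrets-manager:`) so CodeBuild masks them in the build log, and replace the `"XXXXX"` placeholder for `FOD_RELEASE_ID` before this is used. A one-line comment above `parameter-store:` such as `# FOD_USER/FOD_PWD must be SecureString parameters; never echo them` would make the intent clear to the next maintainer.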
@@ -0,0 +1,66 @@ | ||
#!/bin/bash | ||
|
||
#Parameters Section | ||
|
||
#download the required tools installation script | ||
sha256_FTI='d9ebd439c5b426a5ea207e6c1a17a466f79363ca5735fea1d7a4d8ef5807dc06' | ||
fortify_tool_installer='https://raw.githubusercontent.com/fortify/FortifyToolsInstaller/v2.14.0/FortifyToolsInstaller.sh' # BASE UTILITY DO NOT CHANGE | ||
|
||
fod_url=$FOD_BASEURL # Fortify On Demand URL | ||
fod_api_url='https://api.'`echo "$fod_url" | awk -F/ '{print $3}'` # Fortify On Demand API URL | ||
fortify_tools_dir='/root/.fortify/tools/FoDUploader/v5.4.0' # Default installation directory | ||
fod_util='FoDUpload.jar' # FoD Utility alias set into FTI Script [[DO NOT CHANGE]] | ||
|
||
#FOD Details to Upload Code | ||
fod_tenant=$FOD_TENANT # TENANT ID | ||
fod_user_key=$FOD_USER # FOD USER KEY | ||
fod_pwd_secret=$FOD_PWD # FOD PAT | ||
fod_release_id=$FOD_RELEASE_ID # FOD APPLICATION BASED RELEASE ID | ||
|
||
#Parameters to configure installable | ||
fti_install='FortifyToolsInstaller.sh' | ||
|
||
#Download required files, please ensure the URL is available | ||
wget "$fortify_tool_installer" | ||
e=$? # return code last command | ||
if [ "${e}" -ne "0" ]; then | ||
echo "ERROR: Can;t downloads the requierd files from server, can not continue - exit code ${e}" | ||
exit 100 | ||
fi | ||
# End of Download | ||
|
||
#persmission to execute | ||
chmod +x "$fti_install" | ||
sha256sum -c <(echo "$sha256_FTI $fti_install") | ||
e=$? # return code last command | ||
if [ "${e}" -ne "0" ]; then | ||
echo "ERROR: Hashes could not be matched, can not continue - exit code ${e}" | ||
exit 100 | ||
fi | ||
|
||
FTI_TOOLS=sc:22.1.2 source $fti_install | ||
e=$? # return code last command | ||
if [ "${e}" -ne "0" ]; then | ||
echo "ERROR: Can;t downloads the requierd files from server, can not continue - exit code ${e}" | ||
exit 100 | ||
fi | ||
|
||
#Execute the shell script to download and install fortify tools | ||
FTI_TOOLS=fu:v5.4.0 source $fti_install | ||
e=$? # return code last command | ||
if [ "${e}" -ne "0" ]; then | ||
echo "ERROR: Can;t downloads the requierd files from server, can not continue - exit code ${e}" | ||
exit 100 | ||
fi | ||
|
||
#Generate Java Package to upload in FoD | ||
scancentral package -o sourcecode.zip --build-tool mvn | ||
|
||
java -jar $fortify_tools_dir/$fod_util -ac $fod_user_key $fod_pwd_secret -rid $fod_release_id -purl $fod_url -aurl $fod_api_url -tc $fod_tenant -z sourcecode.zip -ep 2 -rp 2 -pp 2 | ||
e=$? # return code last command | ||
if [ "${e}" -ne "0" ]; then | ||
echo "ERROR: Fortify On Demand throws error, can not continue - exit code ${e}" | ||
exit 100 | ||
fi | ||
|
||
echo "INFO: Scan Submitted Successfully..." |
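Review bot: The download uses `wget "$fortify_tool_installer"` without `-O`, so if `FortifyToolsInstaller.sh` already exists in the workspace (a retried or cached build) wget writes `FortifyToolsInstaller.sh.1` and the SHA-256 check and both `source` calls operate on the stale file; use `wget -O "$fti_install" "$fortify_tool_installer"` so the verified file is the one just fetched. `scancentral package -o sourcecode.zip --build-tool mvn` has no exit-code check, unlike every other step, so a failed packaging step falls through to the upload; add `|| exit 100` there (or `set -euo pipefail` at the top) and also check `$fti_install` is quoted in the `source` lines. The client secret is passed on the command line to `FoDUpload.jar` (`-ac $fod_user_key $fod_pwd_secret`), which exposes it in the process list and in any command tracing; if the uploader supports reading credentials from the environment or a file, prefer that. Note that the pinned hash only covers the installer script itself, not the ScanCentral and FoDUploader binaries it fetches when sourced — a comment like `# sha256 pins only FortifyToolsInstaller.sh; the tools it downloads are verified by that script` would document the trust boundary.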
@@ -0,0 +1,31 @@ | ||
steps: | ||
- name: maven:3.6.0-jdk-11-slim | ||
entrypoint: 'mvn' | ||
args: ['clean', 'package', '-DskipTests'] | ||
|
||
- name: 'gcr.io/cloud-builders/docker' | ||
args: ['build', '-t', 'gcr.io/$PROJECT_ID/iwa_java:latest', '-t', 'gcr.io/$PROJECT_ID/iwa_java:$COMMIT_SHA', '-t', 'gcr.io/$PROJECT_ID/iwa_java:$BUILD_ID', '.'] | ||
id: 'build-image-IWAJava' | ||
|
||
- name: 'fortifydocker/fortify-ci-tools:latest' | ||
entrypoint: bash | ||
args: | ||
- -c | ||
- | | ||
fod_api_url='https://api.'`echo "$$FOD_BASEURL" | awk -F/ '{print $3}'` | ||
scancentral package -o sourcecode.zip --build-tool mvn | ||
java -jar /opt/Fortify/FodUpload/FoDUpload.jar -ac $$FOD_USER $$FOD_PWD -rid $$FOD_RELEASE_ID -purl $$FOD_BASEURL -aurl $fod_api_url -tc $$FOD_TENANT -z sourcecode.zip -ep 2 -rp 2 -pp 2 | ||
secretEnv: ['FOD_USER', 'FOD_PWD', 'FOD_TENANT'] | ||
env: | ||
- 'FOD_BASEURL=${_FOD_URL}' | ||
- 'FOD_RELEASE_ID=${_FOD_RELEASE_ID}' | ||
id: 'fortify-static-scan' | ||
waitFor: ['build-image-IWAJava'] | ||
availableSecrets: | ||
secretManager: | ||
- versionName: projects/$PROJECT_ID/secrets/fod_pwd/versions/1 | ||
env: 'FOD_PWD' | ||
- versionName: projects/$PROJECT_ID/secrets/fod_user/versions/1 | ||
env: 'FOD_USER' | ||
- versionName: projects/$PROJECT_ID/secrets/fod_tenant/versions/1 | ||
env: 'FOD_TENANT' |
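Review bot: The scan step runs `fortifydocker/fortify-ci-tools:latest`, a mutable tag, with the FoD client ID, secret and tenant injected via `secretEnv`; whoever can push that tag can read those secrets on the next build, so pin it to a version tag and ideally a digest (`fortifydocker/fortify-ci-tools:<version>@sha256:...`), and do the same for `maven:3.6.0-jdk-11-slim`. In the inline script, `'{print $3}'` uses a single `$`; Cloud Build interprets `$` as a substitution marker and the surrounding script already escapes the others as `$$`, so this should likely be `$$3` too — verify on a dry run. Neither `scancentral package` nor the `java -jar` upload has an explicit failure check beyond bash's default, so consider `set -euo pipefail` as the first line of the `-c` script; the credentials are also passed as argv to `FoDUpload.jar`, which any process in the step's container can read, so prefer an env- or file-based option if the uploader offers one.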