Skip to content

Commit

Permalink
Merge pull request #44 from fortify/fcli-upgrade
Browse files Browse the repository at this point in the history
Fcli upgrade to 2.4.0
  • Loading branch information
dylanbthomas authored Jun 28, 2024
2 parents aca4563 + 97925c5 commit f968ab6
Show file tree
Hide file tree
Showing 23 changed files with 628 additions and 408 deletions.
24 changes: 15 additions & 9 deletions build_spec.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -6,14 +6,16 @@ shell: bash
env:
# these are local variables to the build config
variables:
"JAVA_HOME" : "/usr/lib64/graalvm/graalvm-java17"
# the value of a vaultVariable is the secret-id (in OCI ID format) stored in the OCI Vault service
# you can then access the value of that secret in your build_spec.yaml commands
vaultVariables:
# Use below variables for FORTIFY ON DEMAND integration
FOD_TENANT: ocid1.vaultsecret.oc1.XXXXXXX # TENANT ID
FOD_USER: ocid1.vaultsecret.oc1.XXXXXXX # FOD USER KEY
FOD_PWD: ocid1.vaultsecret.oc1.XXXXXXX # FOD PAT
FOD_RELEASE_ID: ocid1.vaultsecret.oc1.XXXXXXX # FOD APPLICATION BASED RELEASE ID
FCLI_DEFAULT_FOD_TENANT: ocid1.vaultsecret.oc1.XXXXXXX # TENANT ID
FCLI_DEFAULT_FOD_USER: ocid1.vaultsecret.oc1.XXXXXXX # FOD USER KEY
FCLI_DEFAULT_FOD_PASSWORD: ocid1.vaultsecret.oc1.XXXXXXX # FOD PAT
FCLI_DEFAULT_FOD_URL: ocid.vaultsecret.oc1.XXXXXXX # FOD URL
FOD_RELEASE_ID: ocid1.vaultsecret.oc1.XXXXXXX # FOD APPLICATION BASED RELEASE ID
# Use below variables for FORTIFY SCANCENTRAL integration
FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN: ocid1.vaultsecret.oc1.XXXXXXX # SCANCENTRAL CLIENT AUTH TOKEN FOR HANDSHAKE
FCLI_DEFAULT_SSC_USER: ocid1.vaultsecret.oc1.XXXXXXX # SSC USERNAME
Expand All @@ -28,14 +30,18 @@ steps:
name: "Install Prereqs"
command: |
java -version
yum install -y java-11-openjdk-devel
alternatives --display java
alternatives --set java /usr/lib/jvm/java-11-openjdk-11.0.18.0.10-1.el7_9.x86_64/bin/java
java -version
yum -y install graalvm-17-native-image
export PATH=$JAVA_HOME/bin:$PATH
#yum install -y java-11-openjdk-devel
#alternatives --display java
#alternatives --set java /usr/lib/jvm/java-11-openjdk-11.0.18.0.10-1.el7_9.x86_64/bin/java
java -version
# install Maven
yum install maven
#yum install maven
mvn --version
onFailure:
- type: Command
timeoutInSeconds: 40
Expand Down
24 changes: 10 additions & 14 deletions buildspec.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,11 @@ env:
parameter-store:
###############################################################
# INTEGRATE FORTIFY ON DEMAND #
FOD_RELEASE_ID: "/fod/releaseid"
FOD_TENANT: "/fod/tenant"
FOD_USER: "/fod/user"
FOD_PAT: "/fod/pat"
# FOD_RELEASE_ID_LOCAL: "/fod/releaseid"
# FCLI_DEFAULT_FOD_TENANT_LOCAL: "/fod/tenant"
# FCLI_DEFAULT_FOD_URL_LOCAL: "/fod/url"
# FCLI_DEFAULT_FOD_CLIENT_ID_LOCAL: "/fod/client_id"
# FCLI_DEFAULT_FOD_CLIENT_SECRET_LOCAL: "/fod/client_secret"
###############################################################
# INTEGRATE FORTIFY SCANCENTRAL #
FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN: "/fortify/client_auth_token"
Expand All @@ -15,13 +16,14 @@ env:
FCLI_DEFAULT_SSC_CI_TOKEN: "/fortify/ci_token"
FCLI_DEFAULT_SSC_URL: "/fortify/ssc_url"
SSC_APP_VERSION_ID: "/fortify/ssc_app_versionid"
SSC_IP_LOCAL: "/fortify/ssc_ip"
phases:
install:
runtime-versions:
java: corretto11
java: corretto17
commands:
# Upgrade AWS CLI to the latest version
- pip install --upgrade awscli
#- pip install --upgrade awscli
pre_build:
commands:
- mvn clean
Expand All @@ -30,25 +32,19 @@ phases:
- mvn -Pwar clean package
post_build:
commands:
# Do not remove this statement. This command is required for AWS CodeStar projects.
# Update the AWS Partition, AWS Region, account ID and project ID in the project ARN in template-configuration.json file so AWS CloudFormation can tag project resources.
- sed -i.bak 's/\$PARTITION\$/'${PARTITION}'/g;s/\$AWS_REGION\$/'${AWS_REGION}'/g;s/\$ACCOUNT_ID\$/'${ACCOUNT_ID}'/g;s/\$PROJECT_ID\$/'${PROJECT_ID}'/g' template-configuration.json
###############################################################
# INTEGRATE FORTIFY SAST #
# #
# For FORTIFY ON DEMAND uncomment the next line #
#- bash devops-integrations/aws/fortify-sast-fod.bash
#- bash devops-integrations/aws/fortify_sast_local_java_template.bash
# #
# For FORTIFY SCANCENTRAL uncomment the next line #
- bash devops-integrations/aws/fortify_sast_scancentral.bash
# #
# #
###############################################################
###############################################################
artifacts:
files:
- 'appspec.yml'
- 'template.yml'
- 'scripts/*'
- 'devops-integrations/aws/*'
- 'target/iwa.war'
- 'template-configuration.json'
16 changes: 8 additions & 8 deletions cloudbuild.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -9,15 +9,15 @@
# - $$SSC_APP_VERSION_ID

steps:
- name: maven:3.6.0-jdk-11-slim
- name: maven:3.9.7
entrypoint: 'mvn'
args: ['-q', 'clean', 'package', '-DskipTests']

- name: 'gcr.io/cloud-builders/docker'
args: ['build', '-t', 'gcr.io/$PROJECT_ID/iwa_java:latest', '-t', 'gcr.io/$PROJECT_ID/iwa_java:$COMMIT_SHA', '-t', 'gcr.io/$PROJECT_ID/iwa_java:$BUILD_ID', '.']
id: 'build-image-IWAJava'

- name: 'fortifydocker/fortify-ci-tools:3.14.0-jdk-11'
- name: 'fortifydocker/fortify-ci-tools:5.4.1-jdk-17'
entrypoint: bash
args:
- -c
Expand All @@ -27,10 +27,10 @@ steps:
fcli sc-sast session login
scancentral package -bt mvn -o package.zip
fcli sc-sast scan start --appversion=$$SSC_APP_VERSION_ID --upload --sensor-version=$$SC_SAST_SENSOR_VERSION --package-file=package.zip --store='?'
fcli sc-sast scan start --publish-to=$$SSC_APP_VERSION_ID --sensor-version=$$SC_SAST_SENSOR_VERSION --package-file=package.zip --store=Id
fcli sc-sast scan wait-for '?' --interval=30s
fcli ssc appversion-vuln count --appversion=$$SSC_APP_VERSION_ID
fcli sc-sast scan wait-for ::Id:: --interval=30s
fcli ssc issue count --appversion=$$SSC_APP_VERSION_ID
echo Terminating connection with Fortify Platform
fcli sc-sast session logout
Expand All @@ -39,7 +39,7 @@ steps:
env:
- 'FORTIFY_IP=${_PUBLIC_IP}'
- 'SSC_APP_VERSION_ID=${_SSC_APP_VERSION_ID}'
- 'SC_SAST_SENSOR_VERSION=22.2'
- 'SC_SAST_SENSOR_VERSION=24.2'
id: 'fortify-static-scan'
waitFor: ['build-image-IWAJava']

Expand All @@ -61,7 +61,7 @@ steps:
- '--allow-unauthenticated'
id: 'deploy-to-cloud-run'

- name: 'fortifydocker/fortify-ci-tools:3.14.0-jdk-11'
- name: 'fortifydocker/fortify-ci-tools:5.4.1-jdk-17'
entrypoint: "bash"
args:
- "-c"
Expand All @@ -70,7 +70,7 @@ steps:
fcli ssc session login
fcli sc-dast session login
fcli sc-dast scan start $$SC_DAST_SCAN_NAME --settings $$SC_DAST_CICD_IDENTIFIER
fcli sc-dast scan start --name=$$SC_DAST_SCAN_NAME --settings=$$SC_DAST_CICD_IDENTIFIER
echo Terminating connection with Fortify Platform
fcli sc-dast session logout
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
# - $FCLI_DEFAULT_SSC_PASSWORD
# - $FCLI_DEFAULT_SSC_CI_TOKEN
# - $FCLI_DEFAULT_SSC_URL
# - $SSC_APP_VERSION_ID
# - $SC_DAST_CICD_IDENTIFIER
version: '2.1'
jobs:
deploy:
Expand All @@ -15,6 +15,7 @@ jobs:
- checkout
- run:
command: |
echo Deploying artifacts
jf config add --url=$ARTIFACTORY_URL --user=$ARTIFACTORY_USER --password=$ARTIFACTORY_API_KEY --interactive=false
jf rt u "(*).jar" example-repo-local/circleci/ --recursive=false
Expand All @@ -24,7 +25,7 @@ jobs:
SC_DAST_CICD_IDENTIFIER: "<<NNNNNNNNNNNNNNNN>>"
working_directory: ~/circleci-iwajava-scancentral
docker:
- image: fortifydocker/fortify-ci-tools:3.14.0-jdk-11
- image: fortifydocker/fortify-ci-tools:5.4.1-jdk-17

steps:
- checkout
Expand All @@ -35,8 +36,8 @@ jobs:
#Use --insecure switch when SSL certificates are self-generated
fcli ssc session login
fcli sc-dast session login
fcli sc-dast scan start $SC_DAST_SCAN_NAME --settings $SC_DAST_CICD_IDENTIFIER
fcli sc-dast scan start --name=$SC_DAST_SCAN_NAME --settings=$SC_DAST_CICD_IDENTIFIER
echo Terminating connection with Fortify Platform
fcli sc-dast session logout
Expand Down
27 changes: 17 additions & 10 deletions devops-integrations/.circleci/config-fortify-sast-fod.yml
Original file line number Diff line number Diff line change
@@ -1,16 +1,16 @@
# Integrate Fortify on Demand Static AppSec Testing (SAST) into your Circle CI pipeline
# Renaming this file to config.yml for leveraging the file directly otherwise copy scan job content
# The following environment variables must be defined in CircleCI context before using this job
# - $FOD_RELEASE_ID
# - $FOD_USER
# - $FOD_PAT
# - $FOD_TENANT
# - $FCLI_DEFAULT_FOD_TENANT
# - $FCLI_DEFAULT_FOD_CLIENT_ID
# - $FCLI_DEFAULT_FOD_CLIENT_SECRET
# - $FCLI_DEFAULT_FOD_URL
version: '2.1'
jobs:
build:
working_directory: ~/circleci-iwajava
docker:
- image: maven:3.8.6-openjdk-11
- image: maven:3.8.7-openjdk-18

steps:
- checkout
Expand All @@ -33,21 +33,28 @@ jobs:

scan:
environment:
FOD_URL: "https://ams.fortify.com"
FOD_API_URL: "https://api.ams.fortify.com"
FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf"
FOD_NOTES: "Triggered by CircleCI Pipeline"
FOD_RELEASE_ID: <NNNNNNNN>
working_directory: ~/circleci-iwajava
docker:
- image: fortifydocker/fortify-ci-tools:latest
- image: fortifydocker/fortify-ci-tools:5.4.1-jdk-17

steps:
- checkout

- run:
command: |
echo Setting connection with Fortify Platform
#Use --insecure switch if the SSL certificate is self generated.
fcli fod session login
scancentral package -bt mvn -oss -o package.zip
FoDUpload -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid $FOD_RELEASE_ID -tc $FOD_TENANT -uc $FOD_USER $FOD_PAT $FOD_UPLOADER_OPTS -n "$FOD_NOTES"
fcli fod sast start --release=$FOD_RELEASE_ID --file=package.zip --remediation=NonRemediationScanOnly --notes=$FOD_NOTES --store=Id
fcli fod sast wait-for ::Id:: --interval=30s
fcli fod issue list --release=$FOD_RELEASE_ID
fcli fod session logout
# Orchestrate job run sequence
workflows:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ jobs:
build:
working_directory: ~/circleci-iwajava-scancentral
docker:
- image: maven:3.8.6-openjdk-11
- image: maven:3.8.7-openjdk-18

steps:
- checkout
Expand All @@ -36,10 +36,10 @@ jobs:
sast:
environment:
SSC_APP_VERSION_ID: "<<$$$$>>"
SC_SAST_SENSOR_VERSION: "22.2"
SC_SAST_SENSOR_VERSION: "24.2"
working_directory: ~/circleci-iwajava-scancentral
docker:
- image: fortifydocker/fortify-ci-tools:3.14.0-jdk-11
- image: fortifydocker/fortify-ci-tools:5.4.1-jdk-17

steps:
- checkout
Expand All @@ -52,10 +52,10 @@ jobs:
fcli sc-sast session login
scancentral package -bt mvn -o package.zip
fcli sc-sast scan start --appversion=$SSC_APP_VERSION_ID --upload --sensor-version=$SC_SAST_SENSOR_VERSION --package-file=package.zip --store='?'
fcli sc-sast scan start --publish-to=$SSC_APP_VERSION_ID --sensor-version=$SC_SAST_SENSOR_VERSION --package-file=package.zip --store=Id
fcli sc-sast scan wait-for '?' --interval=30s
fcli ssc appversion-vuln count --appversion=$SSC_APP_VERSION_ID
fcli sc-sast scan wait-for ::Id:: --interval=30s
fcli ssc issue count --appversion=$SSC_APP_VERSION_ID
echo Terminating connection with Fortify Platform
fcli sc-sast session logout
Expand Down
Loading

0 comments on commit f968ab6

Please sign in to comment.