diff --git a/build_spec.yaml b/build_spec.yaml index cd93d304..d784fe81 100644 --- a/build_spec.yaml +++ b/build_spec.yaml @@ -6,14 +6,16 @@ shell: bash env: # these are local variables to the build config variables: + "JAVA_HOME" : "/usr/lib64/graalvm/graalvm-java17" # the value of a vaultVariable is the secret-id (in OCI ID format) stored in the OCI Vault service # you can then access the value of that secret in your build_spec.yaml commands vaultVariables: # Use below variables for FORTIFY ON DEMAND integration - FOD_TENANT: ocid1.vaultsecret.oc1.XXXXXXX # TENANT ID - FOD_USER: ocid1.vaultsecret.oc1.XXXXXXX # FOD USER KEY - FOD_PWD: ocid1.vaultsecret.oc1.XXXXXXX # FOD PAT - FOD_RELEASE_ID: ocid1.vaultsecret.oc1.XXXXXXX # FOD APPLICATION BASED RELEASE ID + FCLI_DEFAULT_FOD_TENANT: ocid1.vaultsecret.oc1.XXXXXXX # TENANT ID + FCLI_DEFAULT_FOD_USER: ocid1.vaultsecret.oc1.XXXXXXX # FOD USER KEY + FCLI_DEFAULT_FOD_PASSWORD: ocid1.vaultsecret.oc1.XXXXXXX # FOD PAT + FCLI_DEFAULT_FOD_URL: ocid.vaultsecret.oc1.XXXXXXX # FOD URL + FOD_RELEASE_ID: ocid1.vaultsecret.oc1.XXXXXXX # FOD APPLICATION BASED RELEASE ID # Use below variables for FORTIFY SCANCENTRAL integration FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN: ocid1.vaultsecret.oc1.XXXXXXX # SCANCENTRAL CLIENT AUTH TOKEN FOR HANDSHAKE FCLI_DEFAULT_SSC_USER: ocid1.vaultsecret.oc1.XXXXXXX # SSC USERNAME @@ -28,14 +30,18 @@ steps: name: "Install Prereqs" command: | java -version - yum install -y java-11-openjdk-devel - alternatives --display java - alternatives --set java /usr/lib/jvm/java-11-openjdk-11.0.18.0.10-1.el7_9.x86_64/bin/java - java -version + yum -y install graalvm-17-native-image + export PATH=$JAVA_HOME/bin:$PATH + #yum install -y java-11-openjdk-devel + #alternatives --display java + #alternatives --set java /usr/lib/jvm/java-11-openjdk-11.0.18.0.10-1.el7_9.x86_64/bin/java + java -version # install Maven - yum install maven + #yum install maven + mvn --version + onFailure: - type: Command timeoutInSeconds: 40 
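Review bot: `FCLI_DEFAULT_FOD_URL: ocid.vaultsecret.oc1.XXXXXXX` drops the `1` that every other placeholder in this block carries (`ocid1.vaultsecret.oc1.XXXXXXX`), so anyone copying the placeholder shape when filling in real OCIDs gets a malformed secret id; write `FCLI_DEFAULT_FOD_URL: ocid1.vaultsecret.oc1.XXXXXXX  # FOD URL`. The added `"JAVA_HOME" : "/usr/lib64/graalvm/graalvm-java17"` is the only quoted key with a space before the colon in the file; `JAVA_HOME: "/usr/lib64/graalvm/graalvm-java17"` matches the surrounding keys. This file keeps `FCLI_DEFAULT_FOD_USER`/`FCLI_DEFAULT_FOD_PASSWORD` while the AWS and CircleCI configs in the same commit move to `FCLI_DEFAULT_FOD_CLIENT_ID`/`FCLI_DEFAULT_FOD_CLIENT_SECRET`; worth confirming that the OCI pipeline is meant to stay on user/password credentials rather than having been missed.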
diff --git a/buildspec.yml b/buildspec.yml index 86cdab39..44353c3f 100644 --- a/buildspec.yml +++ b/buildspec.yml @@ -3,10 +3,11 @@ env: parameter-store: ############################################################### # INTEGRATE FORTIFY ON DEMAND # - FOD_RELEASE_ID: "/fod/releaseid" - FOD_TENANT: "/fod/tenant" - FOD_USER: "/fod/user" - FOD_PAT: "/fod/pat" + # FOD_RELEASE_ID_LOCAL: "/fod/releaseid" + # FCLI_DEFAULT_FOD_TENANT_LOCAL: "/fod/tenant" + # FCLI_DEFAULT_FOD_URL_LOCAL: "/fod/url" + # FCLI_DEFAULT_FOD_CLIENT_ID_LOCAL: "/fod/client_id" + # FCLI_DEFAULT_FOD_CLIENT_SECRET_LOCAL: "/fod/client_secret" ############################################################### # INTEGRATE FORTIFY SCANCENTRAL # FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN: "/fortify/client_auth_token" @@ -15,13 +16,14 @@ env: FCLI_DEFAULT_SSC_CI_TOKEN: "/fortify/ci_token" FCLI_DEFAULT_SSC_URL: "/fortify/ssc_url" SSC_APP_VERSION_ID: "/fortify/ssc_app_versionid" + SSC_IP_LOCAL: "/fortify/ssc_ip" phases: install: runtime-versions: - java: corretto11 + java: corretto17 commands: # Upgrade AWS CLI to the latest version - - pip install --upgrade awscli + #- pip install --upgrade awscli pre_build: commands: - mvn clean 
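Review bot: The FoD parameter-store mappings are added only as comments (`# FOD_RELEASE_ID_LOCAL: "/fod/releaseid"` through `# FCLI_DEFAULT_FOD_CLIENT_SECRET_LOCAL: "/fod/client_secret"`), yet `devops-integrations/aws/fortify-sast-fod.bash` in this same commit reads exactly those `*_LOCAL` names (`export FCLI_DEFAULT_FOD_URL=$FCLI_DEFAULT_FOD_URL_LOCAL` and so on). As committed, uncommenting `#- bash devops-integrations/aws/fortify-sast-fod.bash` in post_build runs a login with empty URL, tenant and client credentials. Either leave the five entries active or add a comment beside them stating they must be uncommented together with the FoD scan line. Separately, `#- pip install --upgrade awscli` leaves the `# Upgrade AWS CLI to the latest version` comment describing a command that no longer runs; drop or rephrase the comment.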
@@ -30,25 +32,19 @@ phases: - mvn -Pwar clean package post_build: commands: - # Do not remove this statement. This command is required for AWS CodeStar projects. - # Update the AWS Partition, AWS Region, account ID and project ID in the project ARN in template-configuration.json file so AWS CloudFormation can tag project resources. - - sed -i.bak 's/\$PARTITION\$/'${PARTITION}'/g;s/\$AWS_REGION\$/'${AWS_REGION}'/g;s/\$ACCOUNT_ID\$/'${ACCOUNT_ID}'/g;s/\$PROJECT_ID\$/'${PROJECT_ID}'/g' template-configuration.json ############################################################### # INTEGRATE FORTIFY SAST # # # # For FORTIFY ON DEMAND uncomment the next line # #- bash devops-integrations/aws/fortify-sast-fod.bash + #- bash devops-integrations/aws/fortify_sast_local_java_template.bash # # # For FORTIFY SCANCENTRAL uncomment the next line # - bash devops-integrations/aws/fortify_sast_scancentral.bash # # # # - ############################################################### + ############################################################### artifacts: files: - - 'appspec.yml' - - 'template.yml' - - 'scripts/*' - 'devops-integrations/aws/*' - 'target/iwa.war' - - 'template-configuration.json' diff --git a/cloudbuild.yaml b/cloudbuild.yaml index d8bbb194..5c5425e8 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml @@ -9,7 +9,7 @@ # - $$SSC_APP_VERSION_ID steps: -- name: maven:3.6.0-jdk-11-slim +- name: maven:3.9.7 entrypoint: 'mvn' args: ['-q', 'clean', 'package', '-DskipTests'] @@ -17,7 +17,7 @@ steps: args: ['build', '-t', 'gcr.io/$PROJECT_ID/iwa_java:latest', '-t', 'gcr.io/$PROJECT_ID/iwa_java:$COMMIT_SHA', '-t', 'gcr.io/$PROJECT_ID/iwa_java:$BUILD_ID', '.'] id: 'build-image-IWAJava' -- name: 'fortifydocker/fortify-ci-tools:3.14.0-jdk-11' +- name: 'fortifydocker/fortify-ci-tools:5.4.1-jdk-17' entrypoint: bash args: - -c 
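Review bot: Under `# For FORTIFY ON DEMAND uncomment the next line #` there are now two commented candidates, `#- bash devops-integrations/aws/fortify-sast-fod.bash` and the added `#- bash devops-integrations/aws/fortify_sast_local_java_template.bash`, so "the next line" no longer identifies one command. State which script is the FoD integration and what the template script is for, or remove the one that is not meant to be used; the template script is not part of this diff, so whether it exists cannot be confirmed from here.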
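Review bot: `- name: maven:3.9.7` names a Maven version but no JDK, whereas the replaced `maven:3.6.0-jdk-11-slim` did, so the compiler the build runs on is whatever that tag carries at pull time while the scan steps in the same file are pinned to `fortify-ci-tools:5.4.1-jdk-17`. Prefer a JDK-qualified tag (for example `maven:3.9.7-eclipse-temurin-17`, if 17 is the intended target) or pin the image by digest so the toolchain cannot change underneath the build.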
@@ -27,10 +27,10 @@ steps: fcli sc-sast session login scancentral package -bt mvn -o package.zip - fcli sc-sast scan start --appversion=$$SSC_APP_VERSION_ID --upload --sensor-version=$$SC_SAST_SENSOR_VERSION --package-file=package.zip --store='?' + fcli sc-sast scan start --publish-to=$$SSC_APP_VERSION_ID --sensor-version=$$SC_SAST_SENSOR_VERSION --package-file=package.zip --store=Id - fcli sc-sast scan wait-for '?' --interval=30s - fcli ssc appversion-vuln count --appversion=$$SSC_APP_VERSION_ID + fcli sc-sast scan wait-for ::Id:: --interval=30s + fcli ssc issue count --appversion=$$SSC_APP_VERSION_ID echo Terminating connection with Fortify Platform fcli sc-sast session logout @@ -39,7 +39,7 @@ steps: env: - 'FORTIFY_IP=${_PUBLIC_IP}' - 'SSC_APP_VERSION_ID=${_SSC_APP_VERSION_ID}' - - 'SC_SAST_SENSOR_VERSION=22.2' + - 'SC_SAST_SENSOR_VERSION=24.2' id: 'fortify-static-scan' waitFor: ['build-image-IWAJava'] @@ -61,7 +61,7 @@ steps: - '--allow-unauthenticated' id: 'deploy-to-cloud-run' -- name: 'fortifydocker/fortify-ci-tools:3.14.0-jdk-11' +- name: 'fortifydocker/fortify-ci-tools:5.4.1-jdk-17' entrypoint: "bash" args: - "-c" @@ -70,7 +70,7 @@ steps: fcli ssc session login fcli sc-dast session login - fcli sc-dast scan start $$SC_DAST_SCAN_NAME --settings $$SC_DAST_CICD_IDENTIFIER + fcli sc-dast scan start --name=$$SC_DAST_SCAN_NAME --settings=$$SC_DAST_CICD_IDENTIFIER echo Terminating connection with Fortify Platform fcli sc-dast session logout diff --git a/devops-integrations/.circleci/config-fortify-dast-scancentral.yml b/devops-integrations/.circleci/config-fortify-dast-scancentral.yml index a82bba6b..afffdb2f 100644 --- a/devops-integrations/.circleci/config-fortify-dast-scancentral.yml +++ b/devops-integrations/.circleci/config-fortify-dast-scancentral.yml @@ -5,7 +5,7 @@ # - $FCLI_DEFAULT_SSC_PASSWORD # - $FCLI_DEFAULT_SSC_CI_TOKEN # - $FCLI_DEFAULT_SSC_URL -# - $SSC_APP_VERSION_ID +# - $SC_DAST_CICD_IDENTIFIER version: '2.1' jobs: deploy: 
@@ -15,6 +15,7 @@ jobs: - checkout - run: command: | + echo Deploying artifacts jf config add --url=$ARTIFACTORY_URL --user=$ARTIFACTORY_USER --password=$ARTIFACTORY_API_KEY --interactive=false jf rt u "(*).jar" example-repo-local/circleci/ --recursive=false @@ -24,7 +25,7 @@ jobs: SC_DAST_CICD_IDENTIFIER: "<>" working_directory: ~/circleci-iwajava-scancentral docker: - - image: fortifydocker/fortify-ci-tools:3.14.0-jdk-11 + - image: fortifydocker/fortify-ci-tools:5.4.1-jdk-17 steps: - checkout @@ -35,8 +36,8 @@ jobs: #Use --insecure switch when SSL certificates are self-generated fcli ssc session login fcli sc-dast session login - - fcli sc-dast scan start $SC_DAST_SCAN_NAME --settings $SC_DAST_CICD_IDENTIFIER + + fcli sc-dast scan start --name=$SC_DAST_SCAN_NAME --settings=$SC_DAST_CICD_IDENTIFIER echo Terminating connection with Fortify Platform fcli sc-dast session logout diff --git a/devops-integrations/.circleci/config-fortify-sast-fod.yml b/devops-integrations/.circleci/config-fortify-sast-fod.yml index 8efc0002..75371fa3 100644 --- a/devops-integrations/.circleci/config-fortify-sast-fod.yml +++ b/devops-integrations/.circleci/config-fortify-sast-fod.yml @@ -1,16 +1,16 @@ # Integrate Fortify on Demand Static AppSec Testing (SAST) into your Circle CI pipeline # Renaming this file to config.yml for leveraging the file directly otherwise copy scan job content # The following environment variables must be defined in CircleCI context before using this job -# - $FOD_RELEASE_ID -# - $FOD_USER -# - $FOD_PAT -# - $FOD_TENANT +# - $FCLI_DEFAULT_FOD_TENANT +# - $FCLI_DEFAULT_FOD_CLIENT_ID +# - $FCLI_DEFAULT_FOD_CLIENT_SECRET +# - $FCLI_DEFAULT_FOD_URL version: '2.1' jobs: build: working_directory: ~/circleci-iwajava docker: - - image: maven:3.8.6-openjdk-11 + - image: maven:3.8.7-openjdk-18 steps: - checkout 
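Review bot: `- image: maven:3.8.7-openjdk-18` (and the same line in `config-fortify-sast-scancentral.yml`) builds on JDK 18, a short-support release that no longer receives updates, from the `openjdk` image family that Docker Hub marks deprecated; the scan jobs in these same files are pinned to `fortify-ci-tools:5.4.1-jdk-17`, so building and scanning on different JDKs looks unintended. Use a maintained 17-based Maven image such as `maven:3.9.7-eclipse-temurin-17` in both CircleCI configs. The required-variable header now lists `$FCLI_DEFAULT_FOD_CLIENT_ID`/`$FCLI_DEFAULT_FOD_CLIENT_SECRET`, but `$FOD_RELEASE_ID` was removed from it even though the scan job still passes `--release=$FOD_RELEASE_ID`; either list it again or note that the job's `FOD_RELEASE_ID:` environment entry must be filled in.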
@@ -33,21 +33,28 @@ jobs: scan: environment: - FOD_URL: "https://ams.fortify.com" - FOD_API_URL: "https://api.ams.fortify.com" - FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf" FOD_NOTES: "Triggered by CircleCI Pipeline" + FOD_RELEASE_ID: working_directory: ~/circleci-iwajava docker: - - image: fortifydocker/fortify-ci-tools:latest + - image: fortifydocker/fortify-ci-tools:5.4.1-jdk-17 steps: - checkout - run: command: | + echo Setting connection with Fortify Platform + #Use --insecure switch if the SSL certificate is self generated. + fcli fod session login + scancentral package -bt mvn -oss -o package.zip - FoDUpload -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid $FOD_RELEASE_ID -tc $FOD_TENANT -uc $FOD_USER $FOD_PAT $FOD_UPLOADER_OPTS -n "$FOD_NOTES" + fcli fod sast start --release=$FOD_RELEASE_ID --file=package.zip --remediation=NonRemediationScanOnly --notes=$FOD_NOTES --store=Id + + fcli fod sast wait-for ::Id:: --interval=30s + fcli fod issue list --release=$FOD_RELEASE_ID + + fcli fod session logout # Orchestrate job run sequence workflows: diff --git a/devops-integrations/.circleci/config-fortify-sast-scancentral.yml b/devops-integrations/.circleci/config-fortify-sast-scancentral.yml index b12ec08b..2b6e794e 100644 --- a/devops-integrations/.circleci/config-fortify-sast-scancentral.yml +++ b/devops-integrations/.circleci/config-fortify-sast-scancentral.yml @@ -12,7 +12,7 @@ jobs: build: working_directory: ~/circleci-iwajava-scancentral docker: - - image: maven:3.8.6-openjdk-11 + - image: maven:3.8.7-openjdk-18 steps: - checkout @@ -36,10 +36,10 @@ jobs: sast: environment: SSC_APP_VERSION_ID: "<<$$$$>>" - SC_SAST_SENSOR_VERSION: "22.2" + SC_SAST_SENSOR_VERSION: "24.2" working_directory: ~/circleci-iwajava-scancentral docker: - - image: fortifydocker/fortify-ci-tools:3.14.0-jdk-11 + - image: fortifydocker/fortify-ci-tools:5.4.1-jdk-17 steps: - checkout 
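Review bot: `--notes=$FOD_NOTES` is unquoted and `FOD_NOTES` is `"Triggered by CircleCI Pipeline"`, so the shell word-splits it and `fcli fod sast start` receives `--notes=Triggered` plus three stray positional arguments `by`, `CircleCI` and `Pipeline`; write `--notes="$FOD_NOTES"`. The same unquoted form appears in `fortify-sast-fod.sh` and `fortify-sast-fod.bash` in this commit, where there is an additional problem: those scripts define `fod_notes=` in lowercase but expand `$FOD_NOTES`, so their notes are always empty. `FOD_RELEASE_ID:` with no value is YAML null rather than an empty string, and how CircleCI renders a null environment value is not something this file shows; give it an explicit placeholder such as `FOD_RELEASE_ID: "<<release-id>>"`, matching the `"<<$$$$>>"` style used for `SSC_APP_VERSION_ID` in the sibling config, so a missing value is visible in the job output instead of being passed silently as `--release=`.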
@@ -52,10 +52,10 @@ jobs: fcli sc-sast session login scancentral package -bt mvn -o package.zip - fcli sc-sast scan start --appversion=$SSC_APP_VERSION_ID --upload --sensor-version=$SC_SAST_SENSOR_VERSION --package-file=package.zip --store='?' + fcli sc-sast scan start --publish-to=$SSC_APP_VERSION_ID --sensor-version=$SC_SAST_SENSOR_VERSION --package-file=package.zip --store=Id - fcli sc-sast scan wait-for '?' --interval=30s - fcli ssc appversion-vuln count --appversion=$SSC_APP_VERSION_ID + fcli sc-sast scan wait-for ::Id:: --interval=30s + fcli ssc issue count --appversion=$SSC_APP_VERSION_ID echo Terminating connection with Fortify Platform fcli sc-sast session logout diff --git a/devops-integrations/.travisci/fortify-sast-fod.sh b/devops-integrations/.travisci/fortify-sast-fod.sh index e02fc241..97c01a33 100644 --- a/devops-integrations/.travisci/fortify-sast-fod.sh +++ b/devops-integrations/.travisci/fortify-sast-fod.sh 
@@ -4,63 +4,81 @@ # *** Configuration *** # The following environment variables must be defined in Repository settings -fod_tenant=$FOD_TENANT # TENANT ID -fod_user=$FOD_USER # FOD USER KEY -fod_pat=$FOD_PAT # FOD PAT -fod_release_id=$FOD_RELEASE_ID # FOD APPLICATION BASED RELEASE ID +export FCLI_DEFAULT_FOD_URL=$FCLI_DEFAULT_FOD_URL_LOCAL +export FCLI_DEFAULT_FOD_TENANT=$FCLI_DEFAULT_FOD_TENANT_LOCAL +export FCLI_DEFAULT_FOD_CLIENT_ID=$FCLI_DEFAULT_FOD_CLIENT_ID_LOCAL +export FCLI_DEFAULT_FOD_CLIENT_SECRET=$FCLI_DEFAULT_FOD_CLIENT_SECRET_LOCAL +FOD_RELEASE_ID=$FOD_RELEASE_ID_LOCAL # FOD APPLICATION BASED RELEASE ID # Local variables (modify as needed) -fod_url='https://ams.fortify.com' -fod_api_url='https://api.ams.fortify.com/' -fod_uploader_opts='-ep 2 -pp 0 -I 1 -apf' +FCLI_VERSION=v2.4.0 +FODUPLOAD_VERSION=5.4.1 +SCANCENTRAL_VERSION=24.2.0 +FCLI_URL=https://github.com/fortify-ps/fcli/releases/download/${FCLI_VERSION}/fcli-linux.tgz +FCLI_SIG_URL=${FCLI_URL}.rsa_sha256 +FORTIFY_TOOLS_DIR="/opt/fortify/tools" +FCLI_HOME=$FORTIFY_TOOLS_DIR/fcli +FODUPLOAD_HOME=$FORTIFY_TOOLS_DIR/FodUpload +SCANCENTRAL_HOME=$FORTIFY_TOOLS_DIR/ScanCentral fod_notes="Triggered by Travis CI" -fod_uploader_version='v5.4.0' -scancentral_client_version='22.1.2' -fti_version='v2.14.0' -fti_sha='d9ebd439c5b426a5ea207e6c1a17a466f79363ca5735fea1d7a4d8ef5807dc06' -# Local variables (DO NOT MODIFY) -fortify_tools_dir="/home/travis/.fortify/tools/FoDUploader/$fod_uploader_version" -fti_install='FortifyToolsInstaller.sh' -fod_util='FoDUpload.jar' +# *** Supported Functions *** +verifySig() { + local src sig + src="$1"; sig="$2" + openssl dgst -sha256 -verify <(echo "-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArij9U9yJVNc53oEMFWYp +NrXUG1UoRZseDh/p34q1uywD70RGKKWZvXIcUAZZwbZtCu4i0UzsrKRJeUwqanbc +woJvYanp6lc3DccXUN1w1Y0WOHOaBxiiK3B1TtEIH1cK/X+ZzazPG5nX7TSGh8Tp +/uxQzUFli2mDVLqaP62/fB9uJ2joX9Gtw8sZfuPGNMRoc8IdhjagbFkhFT7WCZnk 
+FH/4Co007lmXLAe12lQQqR/pOTeHJv1sfda1xaHtj4/Tcrq04Kx0ZmGAd5D9lA92 +8pdBbzoe/mI5/Sk+nIY3AHkLXB9YAaKJf//Wb1yiP1/hchtVkfXyIaGM+cVyn7AN +VQIDAQAB +-----END PUBLIC KEY-----") -signature "${sig}" "${src}" +} + +installFcli() { + local src sigSrc tgt tmpRoot tmpFile tmpDir + src="$1"; sigSrc="$2"; tgt="$3"; + tmpRoot=$(mktemp -d); tmpFile="$tmpRoot/archive.tmp"; tmpDir="$tmpRoot/extracted" + echo "Downloading file" + wget -O $tmpFile $src + echo "Verifying Signature..." + verifySig "$tmpFile" <(curl -fsSL -o - "$sigSrc") + echo "Unzipping: tar -zxf " + $tmpFile + " -C " + $tmpDir + mkdir $tmpDir + mkdir -p $tgt + + tar -zxf $tmpFile -C $tmpDir + mv $tmpDir/* $tgt + rm -rf $tmpRoot + find $tgt -type f +} # *** Execution *** -# Download Fortify Tools Installer -wget "https://raw.githubusercontent.com/fortify/FortifyToolsInstaller/$fti_version/FortifyToolsInstaller.sh" -e=$? # return code last command -if [ "${e}" -ne "0" ]; then - echo "ERROR: Failed to download Fortify Tools Installer - exit code ${e}" - exit 100 -fi +echo "Installing FCLI" +# Install FCLI +installFcli ${FCLI_URL} ${FCLI_SIG_URL} ${FCLI_HOME}/bin -# Set permission to execute Fortify Tools Installer and verify integrity -chmod +x "$fti_install" -sha256sum -c <(echo "$fti_sha $fti_install") -e=$? # return code last command -if [ "${e}" -ne "0" ]; then - echo "ERROR: Fortify Tool Installer hash does not match - exit code ${e}" - exit 100 -fi +export PATH=$FCLI_HOME/bin:$SCANCENTRAL_HOME/bin:${PATH} -# Download and install Fortify ScanCentral Client -FTI_TOOLS=sc:$scancentral_client_version source $fti_install -e=$? 
# return code last command -if [ "${e}" -ne "0" ]; then - echo "ERROR: Failed to download and install Fortify ScanCentral Client - exit code ${e}" - exit 100 -fi +fcli tool definitions update +fcli tool fod-uploader install -v ${FODUPLOAD_VERSION} -d ${FODUPLOAD_HOME} +fcli tool sc-client install -v ${SCANCENTRAL_VERSION} -d ${SCANCENTRAL_HOME} -# Download and install Fortify on Demand Uploader -FTI_TOOLS=fu:$fod_uploader_version source $fti_install -e=$? # return code last command -if [ "${e}" -ne "0" ]; then - echo "ERROR: Failed to download and install Fortify on Demand Uploader - exit code ${e}" - exit 100 -fi +echo Setting connection with Fortify Platform +#Use --insecure switch if the SSL certificate is self generated. +fcli fod session login -# Generate Java Package for upload to Fortify on Demand +echo "Scan starting.." scancentral package -bt mvn -oss -o package.zip +fcli fod sast start --release=$FOD_RELEASE_ID --file=package.zip --remediation=NonRemediationScanOnly --notes=$FOD_NOTES --store=Id + +fcli fod sast wait-for ::Id:: --interval=30s +fcli fod issue list --release=$FOD_RELEASE_ID + +fcli fod session logout +# *** Execution Completes *** -# Execute Fortify on Demand SAST scan -java -jar $fortify_tools_dir/$fod_util -z package.zip -aurl $fod_api_url -purl $fod_url -rid $fod_release_id -tc $fod_tenant -uc $fod_user $fod_pat $fod_uploader_opts -n "$fod_notes" +# *** EoF *** \ No newline at end of file diff --git a/devops-integrations/.travisci/fortify_sast_scancentral.sh b/devops-integrations/.travisci/fortify_sast_scancentral.sh index cad21a4a..c2a4f107 100644 --- a/devops-integrations/.travisci/fortify_sast_scancentral.sh +++ b/devops-integrations/.travisci/fortify_sast_scancentral.sh 
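Review bot: `verifySig "$tmpFile" <(curl -fsSL -o - "$sigSrc")` in `installFcli` never checks the result of `openssl dgst -verify`, and the script has no `set -e`, so a bad or missing signature is merely printed and the archive is extracted and executed anyway; the code this replaces aborted with `exit 100` when `sha256sum -c` failed, so the commit removes the integrity gate it appears to add. Make the check fatal, `verifySig "$tmpFile" <(curl -fsSL -o - "$sigSrc") || { echo "ERROR: fcli signature verification failed"; exit 100; }` (or `set -euo pipefail` at the top of the script), and apply the same to the identical `installFcli` copies in `fortify_sast_scancentral.sh`, `fortify-sast-fod.bash`, `fortify_dast_scancentral.bash` and `fortify_sast_scancentral.bash`. Separately, the scan line expands `$FOD_NOTES` but this file only defines `fod_notes="Triggered by Travis CI"`, so the notes are always empty; rename it to `FOD_NOTES="Triggered by Travis CI"` and quote it as `--notes="$FOD_NOTES"`. The line `echo "Unzipping: tar -zxf " + $tmpFile + " -C " + $tmpDir` prints literal `+` signs, since shell has no concatenation operator; `echo "Unzipping: tar -zxf $tmpFile -C $tmpDir"` is what was meant.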
@@ -2,60 +2,91 @@ # Integrate Fortify ScanCentral Static AppSec Testing (SAST) into your Travis CI pipeline # *** Configuration *** - # The following environment variables must be defined in Repository settings export FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN=$FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN # SCANCENTRAL CLIENT AUTH TOKEN -export FCLI_DEFAULT_SSC_USER=$FCLI_DEFAULT_SSC_USER # SSC USER NAME -export FCLI_DEFAULT_SSC_PASSWORD=$FCLI_DEFAULT_SSC_PASSWORD # SSC PASSWORD -export FCLI_DEFAULT_SSC_CI_TOKEN=$FCLI_DEFAULT_SSC_CI_TOKEN # SSC CI TOKEN -export FCLI_DEFAULT_SSC_URL=$FCLI_DEFAULT_SSC_URL # SSC URL -ssc_app_version_id=$SSC_APP_VERSION_ID # SSC APPLICATION VERSION ID - -# Local variables (modify as needed) -scancentral_client_version='22.2.0' -fcli_version='v1.1.0' -fcli_sha='5553766f0f771abdf27f4c6b6d38a34825a64aaa5d72cfd03c68d7e2f43a49a0' - -# Local variables (DO NOT MODIFY) -fortify_tools_dir="/root/.fortify/tools" -scancentral_home=$fortify_tools_dir/ScanCentral -fcli_home=$fortify_tools_dir/fcli -fcli_install='fcli-linux.tgz' +export FCLI_DEFAULT_SSC_USER=$FCLI_DEFAULT_SSC_USER # SSC USER NAME +export FCLI_DEFAULT_SSC_PASSWORD=$FCLI_DEFAULT_SSC_PASSWORD # SSC PASSWORD +export FCLI_DEFAULT_SSC_CI_TOKEN=$FCLI_DEFAULT_SSC_CI_TOKEN # SSC CI TOKEN +export FCLI_DEFAULT_SSC_URL=$FCLI_DEFAULT_SSC_URL # SSC URL +ssc_app_version_id=$SSC_APP_VERSION_ID # SSC APPLICATION VERSION ID +ssc_ip=$SSC_IP_LOCAL + + +# Local variables +FCLI_VERSION=v2.4.0 +SCANCENTRAL_VERSION=24.2.0 +FCLI_URL=https://github.com/fortify-ps/fcli/releases/download/${FCLI_VERSION}/fcli-linux.tgz +FCLI_SIG_URL=${FCLI_URL}.rsa_sha256 +FORTIFY_TOOLS_DIR="/opt/fortify/tools" +FCLI_HOME=$FORTIFY_TOOLS_DIR/fcli +SCANCENTRAL_HOME=$FORTIFY_TOOLS_DIR/ScanCentral + +# *** Supported Functions *** +verifySig() { + local src sig + src="$1"; sig="$2" + openssl dgst -sha256 -verify <(echo "-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArij9U9yJVNc53oEMFWYp 
+NrXUG1UoRZseDh/p34q1uywD70RGKKWZvXIcUAZZwbZtCu4i0UzsrKRJeUwqanbc +woJvYanp6lc3DccXUN1w1Y0WOHOaBxiiK3B1TtEIH1cK/X+ZzazPG5nX7TSGh8Tp +/uxQzUFli2mDVLqaP62/fB9uJ2joX9Gtw8sZfuPGNMRoc8IdhjagbFkhFT7WCZnk +FH/4Co007lmXLAe12lQQqR/pOTeHJv1sfda1xaHtj4/Tcrq04Kx0ZmGAd5D9lA92 +8pdBbzoe/mI5/Sk+nIY3AHkLXB9YAaKJf//Wb1yiP1/hchtVkfXyIaGM+cVyn7AN +VQIDAQAB +-----END PUBLIC KEY-----") -signature "${sig}" "${src}" +} + +installFcli() { + local src sigSrc tgt tmpRoot tmpFile tmpDir + src="$1"; sigSrc="$2"; tgt="$3"; + tmpRoot=$(mktemp -d); tmpFile="$tmpRoot/archive.tmp"; tmpDir="$tmpRoot/extracted" + echo "Downloading file" + wget -O $tmpFile $src + echo "Verifying Signature..." + verifySig "$tmpFile" <(curl -fsSL -o - "$sigSrc") + echo "Unzipping: tar -zxf " + $tmpFile + " -C " + $tmpDir + mkdir $tmpDir + mkdir -p $tgt + + tar -zxf $tmpFile -C $tmpDir + mv $tmpDir/* $tgt + rm -rf $tmpRoot + find $tgt -type f +} # *** Execution *** -# Download Fortify CLI -wget "https://github.com/fortify-ps/fcli/releases/download/$fcli_version/fcli-linux.tgz" -e=$? # return code last command -if [ "${e}" -ne "0" ]; then - echo "ERROR: Failed to download Fortify CLI - exit code ${e}" - exit 100 -fi -# Verify integrity -sha256sum -c <(echo "$fcli_sha $fcli_install") -e=$? # return code last command -if [ "${e}" -ne "0" ]; then - echo "ERROR: Fortify CLI hash does not match - exit code ${e}" - exit 100 -fi - -mkdir -p $fcli_home/bin -tar -xvzf "$fcli_install" -C $fcli_home/bin -export PATH=$fcli_home/bin:$scancentral_home/bin:${PATH} - -fcli tool sc-client install $scancentral_client_version -d $scancentral_home +# Install FCLI +installFcli ${FCLI_URL} ${FCLI_SIG_URL} ${FCLI_HOME}/bin + +# Use when domain name not available in the public registry +#echo "setting domain..." 
+#echo ${ssc_ip} + " fortify.cyberxdemo.com" | tee -a /etc/hosts +#cat /etc/hosts + +#mkdir -p $fcli_home/bin +#tar -xvzf "$fcli_install" -C $fcli_home/bin +export PATH=$FCLI_HOME/bin:$SCANCENTRAL_HOME/bin:${PATH} + + +fcli tool definitions update +fcli tool sc-client install -v ${SCANCENTRAL_VERSION} -d ${SCANCENTRAL_HOME} echo Setting connection with Fortify Platform -# USE --INSECURE WHEN YOUR SSL CERTIFICATES ARE SELF GENERATED/UNTRUSTED +#Use --insecure switch if the SSL certificate is self generated. fcli ssc session login fcli sc-sast session login scancentral package -bt mvn -o package.zip -fcli sc-sast scan start --appversion=$ssc_app_version_id --upload --sensor-version=$scancentral_client_version --package-file=package.zip --store='?' -fcli sc-sast scan wait-for '?' --interval=30s -fcli ssc appversion-vuln count --appversion=$ssc_app_version_id +fcli sc-sast scan start --publish-to=$SSC_APP_VERSION_ID --sensor-version=$SCANCENTRAL_VERSION --package-file=package.zip --store=Id + +fcli sc-sast scan wait-for ::Id:: --interval=30s +fcli ssc issue count --appversion=$SSC_APP_VERSION_ID echo Terminating connection with Fortify Platform fcli sc-sast session logout -fcli ssc session logout \ No newline at end of file +fcli ssc session logout +# *** Execution Completes *** + +# *** EoF *** \ No newline at end of file diff --git a/devops-integrations/aws/fortify-sast-fod.bash b/devops-integrations/aws/fortify-sast-fod.bash index 7f37ce1e..f8a03a45 100644 --- a/devops-integrations/aws/fortify-sast-fod.bash +++ b/devops-integrations/aws/fortify-sast-fod.bash 
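Review bot: `ssc_app_version_id=$SSC_APP_VERSION_ID` is kept, but the scan now reads the uppercase name directly (`--publish-to=$SSC_APP_VERSION_ID`, `--appversion=$SSC_APP_VERSION_ID`), so the lowercase variable is dead; drop it or use it consistently. `ssc_ip=$SSC_IP_LOCAL` likewise only feeds the commented-out `/etc/hosts` lines, so it is unused as committed. `--sensor-version=$SCANCENTRAL_VERSION` passes `24.2.0`, the client package version, whereas the YAML pipelines in this commit pass `24.2` as `SC_SAST_SENSOR_VERSION`; if the sensor version must match what SSC reports, the three-component form may not be accepted, so a separate `SC_SAST_SENSOR_VERSION=24.2` variable as the other files use would be safer.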
@@ -1,66 +1,81 @@ #!/bin/bash -# Integrate Fortify on Demand Static AppSec Testing (SAST) into your AWS Codestar pipeline - -# *** Configuration *** +# Integrate Fortify on Demand Static AppSec Testing (SAST) into your AWS Codebuild pipeline # The following environment variables must be defined -fod_tenant=$FOD_TENANT # TENANT ID -fod_user=$FOD_USER # FOD USER KEY -fod_pat=$FOD_PAT # FOD PAT -fod_release_id=$FOD_RELEASE_ID # FOD APPLICATION BASED RELEASE ID +export FCLI_DEFAULT_FOD_URL=$FCLI_DEFAULT_FOD_URL_LOCAL +export FCLI_DEFAULT_FOD_TENANT=$FCLI_DEFAULT_FOD_TENANT_LOCAL +export FCLI_DEFAULT_FOD_CLIENT_ID=$FCLI_DEFAULT_FOD_CLIENT_ID_LOCAL +export FCLI_DEFAULT_FOD_CLIENT_SECRET=$FCLI_DEFAULT_FOD_CLIENT_SECRET_LOCAL +FOD_RELEASE_ID=$FOD_RELEASE_ID_LOCAL # FOD APPLICATION BASED RELEASE ID # Local variables (modify as needed) -fod_url='https://ams.fortify.com' -fod_api_url='https://api.ams.fortify.com/' -fod_uploader_opts='-ep 2 -pp 0 -I 1 -apf' -fod_notes="Triggered by AWS Codestar" -fod_uploader_version='v5.4.0' -scancentral_client_version='22.1.2' -fti_version='v2.14.0' -fti_sha='d9ebd439c5b426a5ea207e6c1a17a466f79363ca5735fea1d7a4d8ef5807dc06' +FCLI_VERSION=v2.4.0 +FODUPLOAD_VERSION=5.4.1 +SCANCENTRAL_VERSION=24.2.0 +FCLI_URL=https://github.com/fortify-ps/fcli/releases/download/${FCLI_VERSION}/fcli-linux.tgz +FCLI_SIG_URL=${FCLI_URL}.rsa_sha256 +FORTIFY_TOOLS_DIR="/opt/fortify/tools" +FCLI_HOME=$FORTIFY_TOOLS_DIR/fcli +FODUPLOAD_HOME=$FORTIFY_TOOLS_DIR/FodUpload +SCANCENTRAL_HOME=$FORTIFY_TOOLS_DIR/ScanCentral +fod_notes="Triggered by AWS CodeBuild" -# Local variables (DO NOT MODIFY) -fortify_tools_dir="/root/.fortify/tools/FoDUploader/$fod_uploader_version" -fti_install='FortifyToolsInstaller.sh' -fod_util='FoDUpload.jar' +# *** Supported Functions *** +verifySig() { + local src sig + src="$1"; sig="$2" + openssl dgst -sha256 -verify <(echo "-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArij9U9yJVNc53oEMFWYp 
+NrXUG1UoRZseDh/p34q1uywD70RGKKWZvXIcUAZZwbZtCu4i0UzsrKRJeUwqanbc +woJvYanp6lc3DccXUN1w1Y0WOHOaBxiiK3B1TtEIH1cK/X+ZzazPG5nX7TSGh8Tp +/uxQzUFli2mDVLqaP62/fB9uJ2joX9Gtw8sZfuPGNMRoc8IdhjagbFkhFT7WCZnk +FH/4Co007lmXLAe12lQQqR/pOTeHJv1sfda1xaHtj4/Tcrq04Kx0ZmGAd5D9lA92 +8pdBbzoe/mI5/Sk+nIY3AHkLXB9YAaKJf//Wb1yiP1/hchtVkfXyIaGM+cVyn7AN +VQIDAQAB +-----END PUBLIC KEY-----") -signature "${sig}" "${src}" +} -# *** Execution *** +installFcli() { + local src sigSrc tgt tmpRoot tmpFile tmpDir + src="$1"; sigSrc="$2"; tgt="$3"; + tmpRoot=$(mktemp -d); tmpFile="$tmpRoot/archive.tmp"; tmpDir="$tmpRoot/extracted" + echo "Downloading file" + wget -O $tmpFile $src + echo "Verifying Signature..." + verifySig "$tmpFile" <(curl -fsSL -o - "$sigSrc") + echo "Unzipping: tar -zxf " + $tmpFile + " -C " + $tmpDir + mkdir $tmpDir + mkdir -p $tgt + + tar -zxf $tmpFile -C $tmpDir + mv $tmpDir/* $tgt + rm -rf $tmpRoot + find $tgt -type f +} -# Download Fortify Tools Installer -wget "https://raw.githubusercontent.com/fortify/FortifyToolsInstaller/$fti_version/FortifyToolsInstaller.sh" -e=$? # return code last command -if [ "${e}" -ne "0" ]; then - echo "ERROR: Failed to download Fortify Tools Installer - exit code ${e}" - exit 100 -fi +# *** Execution *** +echo "Installing FCLI" +# Install FCLI +installFcli ${FCLI_URL} ${FCLI_SIG_URL} ${FCLI_HOME}/bin -# Set permission to execute Fortify Tools Installer and verify integrity -chmod +x "$fti_install" -sha256sum -c <(echo "$fti_sha $fti_install") -e=$? # return code last command -if [ "${e}" -ne "0" ]; then - echo "ERROR: Fortify Tool Installer hash does not match - exit code ${e}" - exit 100 -fi +export PATH=$FCLI_HOME/bin:$SCANCENTRAL_HOME/bin:${PATH} -# Download and install Fortify ScanCentral Client -FTI_TOOLS=sc:$scancentral_client_version source $fti_install -e=$? 
# return code last command -if [ "${e}" -ne "0" ]; then - echo "ERROR: Failed to download and install Fortify ScanCentral Client - exit code ${e}" - exit 100 -fi +fcli tool definitions update +fcli tool fod-uploader install -v ${FODUPLOAD_VERSION} -d ${FODUPLOAD_HOME} +fcli tool sc-client install -v ${SCANCENTRAL_VERSION} -d ${SCANCENTRAL_HOME} -# Download and install Fortify on Demand Uploader -FTI_TOOLS=fu:$fod_uploader_version source $fti_install -e=$? # return code last command -if [ "${e}" -ne "0" ]; then - echo "ERROR: Failed to download and install Fortify on Demand Uploader - exit code ${e}" - exit 100 -fi +echo Setting connection with Fortify Platform +#Use --insecure switch if the SSL certificate is self generated. +fcli fod session login -# Generate Java Package for upload to Fortify on Demand +echo "Scan starting.." scancentral package -bt mvn -oss -o package.zip +fcli fod sast start --release=$FOD_RELEASE_ID --file=package.zip --remediation=NonRemediationScanOnly --notes=$FOD_NOTES --store=Id + +fcli fod sast wait-for ::Id:: --interval=30s +fcli fod issue list --release=$FOD_RELEASE_ID + +fcli fod session logout +# *** Execution Completes *** -# Execute Fortify on Demand SAST scan -java -jar $fortify_tools_dir/$fod_util -z package.zip -aurl $fod_api_url -purl $fod_url -rid $fod_release_id -tc $fod_tenant -uc $fod_user $fod_pat $fod_uploader_opts -n "$fod_notes" +# *** EoF *** \ No newline at end of file diff --git a/devops-integrations/aws/fortify_dast_scancentral.bash b/devops-integrations/aws/fortify_dast_scancentral.bash index 898ea3a9..282fa835 100644 --- a/devops-integrations/aws/fortify_dast_scancentral.bash +++ b/devops-integrations/aws/fortify_dast_scancentral.bash 
@@ -1,46 +1,74 @@ #!/bin/bash # Integrate Fortify ScanCentral Dynamic AppSec Testing (DAST) into your AWS Codestar pipeline +# The following environment variables must be defined in AWS Parameter Store before using this script +# - /fortify/ssc_user +# - /fortify/ssc_password +# - /fortify/ci_token +# - /fortify/ssc_url +# - $SC_DAST_CICD_IDENTIFIER FCLI_DEFAULT_SSC_USER=$(aws ssm get-parameters --region us-east-1 --names /fortify/ssc_user --query Parameters[0].Value) FCLI_DEFAULT_SSC_PASSWORD=$(aws ssm get-parameters --region us-east-1 --names /fortify/ssc_password --query Parameters[0].Value) FCLI_DEFAULT_SSC_CI_TOKEN=$(aws ssm get-parameters --region us-east-1 --names /fortify/ci_token --query Parameters[0].Value) FCLI_DEFAULT_SSC_URL=$(aws ssm get-parameters --region us-east-1 --names /fortify/ssc_url --query Parameters[0].Value) -SSC_APP_VERSION_ID=$(aws ssm get-parameters --region us-east-1 --names /fortify/ssc_app_versionid --query Parameters[0].Value) export FCLI_DEFAULT_SSC_USER=$FCLI_DEFAULT_SSC_USER export FCLI_DEFAULT_SSC_PASSWORD=$FCLI_DEFAULT_SSC_PASSWORD export FCLI_DEFAULT_SSC_CI_TOKEN=$FCLI_DEFAULT_SSC_CI_TOKEN export FCLI_DEFAULT_SSC_URL=$FCLI_DEFAULT_SSC_URL -export SSC_APP_VERSION_ID=$SSC_APP_VERSION_ID # Local variables (modify as needed) -SC_DAST_CICD_IDENTIFIER='1545cd48-20d2-494b-b0c6-77c26933a814' +FCLI_VERSION=v2.4.0 +SCANCENTRAL_VERSION=24.2.0 +FCLI_URL=https://github.com/fortify-ps/fcli/releases/download/${FCLI_VERSION}/fcli-linux.tgz +FCLI_SIG_URL=${FCLI_URL}.rsa_sha256 +FORTIFY_TOOLS_DIR="/opt/fortify/tools" +FCLI_HOME=$FORTIFY_TOOLS_DIR/fcli +SCANCENTRAL_HOME=$FORTIFY_TOOLS_DIR/ScanCentral +SC_DAST_CICD_IDENTIFIER='<<15xxxxx-2xxx-4xxx-xxxx-77xxxxxxx814>>' SC_DAST_SCAN_NAME='AWS_SCAN' -fcli_version='v1.1.0' -fcli_sha='5553766f0f771abdf27f4c6b6d38a34825a64aaa5d72cfd03c68d7e2f43a49a0' -# Local variables (DO NOT MODIFY) -fortify_tools_dir="/root/.fortify/tools" -fcli_home=$fortify_tools_dir/fcli -fcli_install='fcli-linux.tgz' +# *** 
Supported Functions *** +verifySig() { + local src sig + src="$1"; sig="$2" + openssl dgst -sha256 -verify <(echo "-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArij9U9yJVNc53oEMFWYp +NrXUG1UoRZseDh/p34q1uywD70RGKKWZvXIcUAZZwbZtCu4i0UzsrKRJeUwqanbc +woJvYanp6lc3DccXUN1w1Y0WOHOaBxiiK3B1TtEIH1cK/X+ZzazPG5nX7TSGh8Tp +/uxQzUFli2mDVLqaP62/fB9uJ2joX9Gtw8sZfuPGNMRoc8IdhjagbFkhFT7WCZnk +FH/4Co007lmXLAe12lQQqR/pOTeHJv1sfda1xaHtj4/Tcrq04Kx0ZmGAd5D9lA92 +8pdBbzoe/mI5/Sk+nIY3AHkLXB9YAaKJf//Wb1yiP1/hchtVkfXyIaGM+cVyn7AN +VQIDAQAB +-----END PUBLIC KEY-----") -signature "${sig}" "${src}" +} + +installFcli() { + local src sigSrc tgt tmpRoot tmpFile tmpDir + src="$1"; sigSrc="$2"; tgt="$3"; + tmpRoot=$(mktemp -d); tmpFile="$tmpRoot/archive.tmp"; tmpDir="$tmpRoot/extracted" + echo "Downloading file" + wget -O $tmpFile $src + echo "Verifying Signature..." + verifySig "$tmpFile" <(curl -fsSL -o - "$sigSrc") + echo "Unzipping: tar -zxf " + $tmpFile + " -C " + $tmpDir + mkdir $tmpDir + mkdir -p $tgt + + tar -zxf $tmpFile -C $tmpDir + mv $tmpDir/* $tgt + rm -rf $tmpRoot + find $tgt -type f +} # *** Execution *** +# Install FCLI +installFcli ${FCLI_URL} ${FCLI_SIG_URL} ${FCLI_HOME}/bin + +# Use when domain name not available in the public registry +#echo "setting domain..." +#echo ${ssc_ip} + " fortify.cyberxdemo.com" | tee -a /etc/hosts +#cat /etc/hosts -# Download Fortify CLI -wget "https://github.com/fortify-ps/fcli/releases/download/$fcli_version/fcli-linux.tgz" -e=$? # return code last command -if [ "${e}" -ne "0" ]; then - echo "ERROR: Failed to download Fortify CLI - exit code ${e}" - exit 100 -fi -# Verify integrity -sha256sum -c <(echo "$fcli_sha $fcli_install") -e=$? # return code last command -if [ "${e}" -ne "0" ]; then - echo "ERROR: Fortify CLI hash does not match - exit code ${e}" - exit 100 -fi -mkdir -p $fcli_home/bin -tar -xvzf "$fcli_install" -C $fcli_home/bin export PATH=$fcli_home/bin:${PATH} echo Setting connection with Fortify Platform 
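Review bot: The unchanged line `export PATH=$fcli_home/bin:${PATH}` at the end of this hunk still references `$fcli_home`, but the hunk deletes `fcli_home=$fortify_tools_dir/fcli` and installs fcli into `${FCLI_HOME}/bin`, so PATH gains `/bin` and the freshly installed `fcli` is never on it; every `fcli` call that follows fails unless an fcli already exists on the image. Change it to `export PATH=$FCLI_HOME/bin:${PATH}`, as the SAST scripts in this commit do. The new header lists `$SC_DAST_CICD_IDENTIFIER` among the Parameter Store entries, but it is assigned as a local placeholder (`SC_DAST_CICD_IDENTIFIER='<<15xxxxx-2xxx-4xxx-xxxx-77xxxxxxx814>>'`) rather than fetched with `aws ssm get-parameters`; either move it under the "Local variables" comment or read it from SSM like the other values. The `fcli sc-dast scan start $SC_DAST_SCAN_NAME --settings $SC_DAST_CICD_IDENTIFIER` call visible in the next hunk's header keeps the positional form that the CircleCI and Cloud Build configs in this commit change to `--name=... --settings=...`; it lies outside the hunk but looks like it was missed.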
@@ -52,4 +80,7 @@ fcli sc-dast scan start $SC_DAST_SCAN_NAME --settings $SC_DAST_CICD_IDENTIFIER echo Terminating connection with Fortify Platform fcli sc-dast session logout -fcli ssc session logout \ No newline at end of file +fcli ssc session logout +# *** Execution Completes *** + +# *** EoF *** \ No newline at end of file diff --git a/devops-integrations/aws/fortify_sast_scancentral.bash b/devops-integrations/aws/fortify_sast_scancentral.bash index 80eb7c47..daa69ebf 100644 --- a/devops-integrations/aws/fortify_sast_scancentral.bash +++ b/devops-integrations/aws/fortify_sast_scancentral.bash 
@@ -10,52 +10,82 @@ export FCLI_DEFAULT_SSC_PASSWORD=$FCLI_DEFAULT_SSC_PASSWORD export FCLI_DEFAULT_SSC_CI_TOKEN=$FCLI_DEFAULT_SSC_CI_TOKEN export FCLI_DEFAULT_SSC_URL=$FCLI_DEFAULT_SSC_URL ssc_app_version_id=$SSC_APP_VERSION_ID +ssc_ip=$SSC_IP_LOCAL # Local variables (modify as needed) -scancentral_client_version='22.2.0' -fcli_version='v1.1.0' -fcli_sha='5553766f0f771abdf27f4c6b6d38a34825a64aaa5d72cfd03c68d7e2f43a49a0' +FCLI_VERSION=v2.4.0 +SCANCENTRAL_VERSION=24.2.0 +FCLI_URL=https://github.com/fortify-ps/fcli/releases/download/${FCLI_VERSION}/fcli-linux.tgz +FCLI_SIG_URL=${FCLI_URL}.rsa_sha256 +FORTIFY_TOOLS_DIR="/opt/fortify/tools" +FCLI_HOME=$FORTIFY_TOOLS_DIR/fcli +SCANCENTRAL_HOME=$FORTIFY_TOOLS_DIR/ScanCentral -# Local variables (DO NOT MODIFY) -fortify_tools_dir="/root/.fortify/tools" -scancentral_home=$fortify_tools_dir/ScanCentral -fcli_home=$fortify_tools_dir/fcli -fcli_install='fcli-linux.tgz' +# *** Supported Functions *** +verifySig() { + local src sig + src="$1"; sig="$2" + openssl dgst -sha256 -verify <(echo "-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArij9U9yJVNc53oEMFWYp +NrXUG1UoRZseDh/p34q1uywD70RGKKWZvXIcUAZZwbZtCu4i0UzsrKRJeUwqanbc +woJvYanp6lc3DccXUN1w1Y0WOHOaBxiiK3B1TtEIH1cK/X+ZzazPG5nX7TSGh8Tp +/uxQzUFli2mDVLqaP62/fB9uJ2joX9Gtw8sZfuPGNMRoc8IdhjagbFkhFT7WCZnk +FH/4Co007lmXLAe12lQQqR/pOTeHJv1sfda1xaHtj4/Tcrq04Kx0ZmGAd5D9lA92 +8pdBbzoe/mI5/Sk+nIY3AHkLXB9YAaKJf//Wb1yiP1/hchtVkfXyIaGM+cVyn7AN +VQIDAQAB +-----END PUBLIC KEY-----") -signature "${sig}" "${src}" +} + +installFcli() { + local src sigSrc tgt tmpRoot tmpFile tmpDir + src="$1"; sigSrc="$2"; tgt="$3"; + tmpRoot=$(mktemp -d); tmpFile="$tmpRoot/archive.tmp"; tmpDir="$tmpRoot/extracted" + echo "Downloading file" + wget -O $tmpFile $src + echo "Verifying Signature..." 
+ verifySig "$tmpFile" <(curl -fsSL -o - "$sigSrc") + echo "Unzipping: tar -zxf " + $tmpFile + " -C " + $tmpDir + mkdir $tmpDir + mkdir -p $tgt + + tar -zxf $tmpFile -C $tmpDir + mv $tmpDir/* $tgt + rm -rf $tmpRoot + find $tgt -type f +} # *** Execution *** +# Install FCLI +installFcli ${FCLI_URL} ${FCLI_SIG_URL} ${FCLI_HOME}/bin + +# Use when domain name not available in the public registry +#echo "setting domain..." +#echo ${ssc_ip} + " fortify.cyberxdemo.com" | tee -a /etc/hosts +#cat /etc/hosts + +#mkdir -p $fcli_home/bin +#tar -xvzf "$fcli_install" -C $fcli_home/bin +export PATH=$FCLI_HOME/bin:$SCANCENTRAL_HOME/bin:${PATH} -# Download Fortify CLI -wget "https://github.com/fortify-ps/fcli/releases/download/$fcli_version/fcli-linux.tgz" -e=$? # return code last command -if [ "${e}" -ne "0" ]; then - echo "ERROR: Failed to download Fortify CLI - exit code ${e}" - exit 100 -fi -# Verify integrity -sha256sum -c <(echo "$fcli_sha $fcli_install") -e=$? # return code last command -if [ "${e}" -ne "0" ]; then - echo "ERROR: Fortify CLI hash does not match - exit code ${e}" - exit 100 -fi - -mkdir -p $fcli_home/bin -tar -xvzf "$fcli_install" -C $fcli_home/bin -export PATH=$fcli_home/bin:$scancentral_home/bin:${PATH} - -fcli tool sc-client install $scancentral_client_version -d $scancentral_home + +fcli tool definitions update +fcli tool sc-client install -v ${SCANCENTRAL_VERSION} -d ${SCANCENTRAL_HOME} echo Setting connection with Fortify Platform -# USE --INSECURE WHEN YOUR SSL CERTIFICATES ARE SELF GENERATED/UNTRUSTED +#Use --insecure switch if the SSL certificate is self generated. fcli ssc session login fcli sc-sast session login scancentral package -bt mvn -o package.zip -fcli sc-sast scan start --appversion=$ssc_app_version_id --upload --sensor-version=$scancentral_client_version --package-file=package.zip --store='?' -fcli sc-sast scan wait-for '?' 
--interval=30s -fcli ssc appversion-vuln count --appversion=$SSC_APP_VERSION_ID +fcli sc-sast scan start --publish-to=$SSC_APP_VERSION_ID --sensor-version=$SCANCENTRAL_VERSION --package-file=package.zip --store=Id + +fcli sc-sast scan wait-for ::Id:: --interval=30s +fcli ssc issue count --appversion=$SSC_APP_VERSION_ID echo Terminating connection with Fortify Platform fcli sc-sast session logout -fcli ssc session logout \ No newline at end of file +fcli ssc session logout +# *** Execution Completes *** + +# *** EoF *** \ No newline at end of file diff --git a/devops-integrations/azure/azure-pipelines-fortify-dast-scancentral.yml b/devops-integrations/azure/azure-pipelines-fortify-dast-scancentral.yml index 0a458a5b..dd073552 100644 --- a/devops-integrations/azure/azure-pipelines-fortify-dast-scancentral.yml +++ b/devops-integrations/azure/azure-pipelines-fortify-dast-scancentral.yml @@ -6,7 +6,7 @@ # - $_FCLI_DEFAULT_SSC_USER # - $_FCLI_DEFAULT_SSC_PASSWORD # - $_FCLI_DEFAULT_SSC_URL -# - $_SSC_APP_VERSION_ID +# - $_FCLI_DEFAULT_SSC_CI_TOKEN # - $_SC_DAST_CICD_IDENTIFIER trigger: 
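Review bot: The result of `verifySig` in `installFcli` is never checked, so a failed or missing signature (including an empty `<(curl -fsSL ...)` when the download of `${FCLI_SIG_URL}` fails) is only printed and the archive is still extracted and moved into `$tgt`; the removed code exited with 100 when `sha256sum -c` failed, and this hunk drops that guarantee. Make the verification fatal, e.g. `verifySig "$tmpFile" <(curl -fsSL -o - "$sigSrc") || { echo "ERROR: fcli signature verification failed"; rm -rf "$tmpRoot"; exit 100; }`, and give `wget -O "$tmpFile" "$src"` the same `|| exit 100` treatment (quoting the expansions as well). The same `installFcli` body is added in the oci fortify-sast-fod.bash and oci fortify_sast_scancentral.bash hunks below and in the aws fod hunk above, which starts outside this view. In that aws fod hunk `export PATH=$fcli_home/bin:${PATH}` survives as context while the install now targets `${FCLI_HOME}/bin`, so it looks like `fcli_home` may no longer be defined there — worth confirming. Separately, `echo "Unzipping: tar -zxf " + $tmpFile + " -C " + $tmpDir` prints literal plus signs; in bash this is simply `echo "Unzipping: tar -zxf $tmpFile -C $tmpDir"`.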
@@ -44,25 +44,22 @@ stages: pool: vmImage: 'ubuntu-latest' container: - image: fortifydocker/fortify-ci-tools:latest + image: fortifydocker/fortify-ci-tools:5.4.1-jdk-17 env: FCLI_DEFAULT_SSC_USER: $(_FCLI_DEFAULT_SSC_USER) FCLI_DEFAULT_SSC_PASSWORD: $(_FCLI_DEFAULT_SSC_PASSWORD) FCLI_DEFAULT_SSC_URL: $(_FCLI_DEFAULT_SSC_URL) - SSC_APP_VERSION_ID: $(_SSC_APP_VERSION_ID) SC_DAST_CICD_IDENTIFIER: $(_SC_DAST_CICD_IDENTIFIER) SC_DAST_SCAN_NAME: IWA_DAST_AZURE steps: - script: | echo Setting connection with Fortify Platform - fcli ssc session login --insecure - fcli sc-dast session login --insecure - fcli sc-dast scan start $SC_DAST_SCAN_NAME --settings $SC_DAST_CICD_IDENTIFIER --store '?' - - #DAST Scans usually takes longer, please uncomment accordingly - #fcli sc-dast scan wait-for '?' --interval=30s - #fcli ssc appversion-vuln count --appversion=$SSC_APP_VERSION_ID + #Use --insecure switch when SSL certificates are self-generated + fcli ssc session login + fcli sc-dast session login + + fcli sc-dast scan start --name=$SC_DAST_SCAN_NAME --settings=$SC_DAST_CICD_IDENTIFIER echo Terminating connection with Fortify Platform fcli sc-dast session logout diff --git a/devops-integrations/azure/azure-pipelines-fortify-sast-scancentral.yml b/devops-integrations/azure/azure-pipelines-fortify-sast-scancentral.yml index dcdb1880..5ede654e 100644 --- a/devops-integrations/azure/azure-pipelines-fortify-sast-scancentral.yml +++ b/devops-integrations/azure/azure-pipelines-fortify-sast-scancentral.yml @@ -22,7 +22,7 @@ stages: mavenPomFile: 'pom.xml' mavenOptions: '-Xmx3072m' javaHomeOption: 'JDKVersion' - jdkVersionOption: '1.11' + jdkVersionOption: '1.17' jdkArchitectureOption: 'x64' publishJUnitResults: true testResultsFiles: '**/surefire-reports/TEST-*.xml' 
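Review bot: The header hunk above now lists `$_FCLI_DEFAULT_SSC_CI_TOKEN` as a required pipeline variable, but the `env:` block in this hunk does not map it (only `FCLI_DEFAULT_SSC_USER`, `FCLI_DEFAULT_SSC_PASSWORD`, `FCLI_DEFAULT_SSC_URL`, `SC_DAST_CICD_IDENTIFIER` and `SC_DAST_SCAN_NAME` are set), so either add `FCLI_DEFAULT_SSC_CI_TOKEN: $(_FCLI_DEFAULT_SSC_CI_TOKEN)` under `env:` or drop it from the header list. With the `wait-for` and `--store` lines removed the step now returns as soon as the scan is queued, so a scan that later fails will not fail the pipeline; if that is intended, a comment such as `# scan is queued only; results are not awaited here` would make it explicit.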
@@ -34,7 +34,8 @@ stages: pool: vmImage: 'ubuntu-latest' container: - image: fortifydocker/fortify-ci-tools:latest + image: fortifydocker/fortify-ci-tools:5.4.1-jdk-17 + options: "--add-host=<>:x.x.x.x" env: FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN: $(_FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN) FCLI_DEFAULT_SSC_USER: $(_FCLI_DEFAULT_SSC_USER) @@ -42,20 +43,20 @@ stages: FCLI_DEFAULT_SSC_CI_TOKEN: $(_FCLI_DEFAULT_SSC_CI_TOKEN) FCLI_DEFAULT_SSC_URL: $(_FCLI_DEFAULT_SSC_URL) SSC_APP_VERSION_ID: $(_SSC_APP_VERSION_ID) - SC_SAST_SENSOR_VERSION: 22.2 + SC_SAST_SENSOR_VERSION: 24.2 steps: - script: | echo Setting connection with Fortify Platform - - fcli ssc session login --insecure - fcli sc-sast session login --insecure + echo $FORTIFY_SSC_IP fortify.cyberxdemo.com >> /etc/hosts + #Use --insecure switch if the SSL certificate is self generated. + fcli ssc session login + fcli sc-sast session login scancentral package -bt mvn -o package.zip - - fcli sc-sast scan start --appversion=$SSC_APP_VERSION_ID --upload --sensor-version=$SC_SAST_SENSOR_VERSION --package-file=package.zip --store='?' - fcli sc-sast scan wait-for '?' --interval=30s + fcli sc-sast scan start --publish-to=$SSC_APP_VERSION_ID --sensor-version=$SC_SAST_SENSOR_VERSION --package-file=package.zip --store=Id - fcli ssc appversion-vuln count --appversion=$SSC_APP_VERSION_ID + fcli sc-sast scan wait-for ::Id:: --interval=30s + fcli ssc issue count --appversion=$SSC_APP_VERSION_ID echo Terminating connection with Fortify Platform fcli sc-sast session logout diff --git a/devops-integrations/bitbucket/bitbucket-pipelines.yml b/devops-integrations/bitbucket/bitbucket-pipelines.yml index 49943767..37204c48 100644 --- a/devops-integrations/bitbucket/bitbucket-pipelines.yml +++ b/devops-integrations/bitbucket/bitbucket-pipelines.yml @@ -8,7 +8,7 @@ # - $FOD_PAT # - $FOD_TENANT -image: maven:3.6.3 +image: maven:3.9.7 pipelines: default: 
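Review bot: `options: "--add-host=<>:x.x.x.x"` commits a literal placeholder into the container options; Docker will reject `<>` as a hostname, so the job cannot start until someone edits the template. Either remove the line or take the values from pipeline variables (names illustrative), e.g. `options: "--add-host=$(_FORTIFY_SSC_HOST):$(_FORTIFY_SSC_IP)"`, and note in the header that these are only needed when the SSC host is not resolvable from the agent.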
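Review bot: `echo $FORTIFY_SSC_IP fortify.cyberxdemo.com >> /etc/hosts` references `FORTIFY_SSC_IP`, which does not appear in the `env:` block of this job as far as the hunk shows; if it is unset the step appends the malformed entry ` fortify.cyberxdemo.com` to `/etc/hosts`, and the demo hostname is hard-coded. Guard it and take both values from env, e.g. `[ -n "$FORTIFY_SSC_IP" ] && echo "$FORTIFY_SSC_IP $FORTIFY_SSC_HOST" >> /etc/hosts` (names illustrative), or drop it in favour of the container `--add-host` option added in the hunk above. `SC_SAST_SENSOR_VERSION: 24.2` remains an unquoted float; `'24.2'` is the safer spelling so a future `24.10` does not silently become `24.1`.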
@@ -25,7 +25,7 @@ pipelines: - step: name: Fortify On Demand Scan script: - - pipe: fortifysoftware/fortify-scan:3.2.9-jdk-11 + - pipe: fortifysoftware/fortify-scan:5.4.1-jdk-17 variables: PACKAGE_OPTS: -bt mvn FOD_URL: https://ams.fortify.com diff --git a/devops-integrations/gcp/cloudbuild_fortify_dast_scancentral.yaml b/devops-integrations/gcp/cloudbuild_fortify_dast_scancentral.yaml index 0e8dcb25..880e27e8 100644 --- a/devops-integrations/gcp/cloudbuild_fortify_dast_scancentral.yaml +++ b/devops-integrations/gcp/cloudbuild_fortify_dast_scancentral.yaml @@ -27,7 +27,7 @@ steps: - '--allow-unauthenticated' id: 'deploy-to-cloud-run' -- name: 'fortifydocker/fortify-ci-tools:3.14.0-jdk-11' +- name: 'fortifydocker/fortify-ci-tools:5.4.1-jdk-17' entrypoint: "bash" args: - "-c" @@ -36,7 +36,7 @@ steps: fcli ssc session login fcli sc-dast session login - fcli sc-dast scan start $$SC_DAST_SCAN_NAME --settings $$SC_DAST_CICD_IDENTIFIER + fcli sc-dast scan start --name=$$SC_DAST_SCAN_NAME --settings=$$SC_DAST_CICD_IDENTIFIER echo Terminating connection with Fortify Platform fcli sc-dast session logout diff --git a/devops-integrations/gcp/cloudbuild_fortify_sast_fod.yaml b/devops-integrations/gcp/cloudbuild_fortify_sast_fod.yaml index e241f3be..834493ba 100644 --- a/devops-integrations/gcp/cloudbuild_fortify_sast_fod.yaml +++ b/devops-integrations/gcp/cloudbuild_fortify_sast_fod.yaml @@ -1,12 +1,13 @@ # Integrate Fortify on Demand Static AppSec Testing (SAST) into your Google Cloud Build pipeline # The following Google Cloud Build Secrets must be defined before using this job +# - $$FCLI_DEFAULT_FOD_URL +# - $$FCLI_DEFAULT_FOD_USER +# - $$FCLI_DEFAULT_FOD_PASSWORD +# - $$FCLI_DEFAULT_FOD_TENANT # - $$FOD_RELEASE_ID -# - $$FOD_USER -# - $$FOD_PAT -# - $$FOD_TENANT steps: -- name: maven:3.6.0-jdk-11-slim +- name: maven:3.9.7 entrypoint: 'mvn' args: ['clean', 'package', '-DskipTests'] 
@@ -14,28 +15,33 @@ steps: args: ['build', '-t', 'gcr.io/$PROJECT_ID/iwa_java:latest', '-t', 'gcr.io/$PROJECT_ID/iwa_java:$COMMIT_SHA', '-t', 'gcr.io/$PROJECT_ID/iwa_java:$BUILD_ID', '.'] id: 'build-image-IWAJava' -- name: 'fortifydocker/fortify-ci-tools:latest' +- name: 'fortifydocker/fortify-ci-tools:5.4.1-jdk-17' entrypoint: bash args: - -c - | + fcli fod session login + scancentral package -bt mvn -oss -o package.zip - FoDUpload -z package.zip -aurl $$FOD_API_URL -purl $$FOD_URL -rid $$FOD_RELEASE_ID -tc $$FOD_TENANT -uc $$FOD_USER $$FOD_PAT $$FOD_UPLOADER_OPTS -n "$$FOD_NOTES" - secretEnv: ['FOD_RELEASE_ID', 'FOD_USER', 'FOD_PAT', 'FOD_TENANT'] + + fcli fod sast start --release=$$FOD_RELEASE_ID --file=package.zip --remediation=NonRemediationScanOnly --notes="$$FOD_NOTES" --store=Id + fcli fod sast wait-for ::Id:: --interval=30s + + fcli fod issue list --release=$$FOD_RELEASE_ID + fcli fod session logout + secretEnv: ['FCLI_DEFAULT_FOD_URL', 'FCLI_DEFAULT_FOD_USER', 'FCLI_DEFAULT_FOD_PASSWORD', 'FCLI_DEFAULT_FOD_TENANT'] env: - - 'FOD_URL=https://ams.fortify.com' - - 'FOD_API_URL=https://api.ams.fortify.com' - - 'FOD_UPLOADER_OPTS=-ep 2 -pp 0 -I 1 -apf' + - 'FOD_RELEASE_ID=${_FOD_RELEASE_ID}' - 'FOD_NOTES=Triggered by GCP Pipeline' id: 'fortify-static-scan' waitFor: ['build-image-IWAJava'] availableSecrets: secretManager: - - versionName: projects/$PROJECT_ID/secrets/fod_release_id/versions/latest - env: 'FOD_RELEASE_ID' - - versionName: projects/$PROJECT_ID/secrets/fod_user/versions/latest - env: 'FOD_USER' - - versionName: projects/$PROJECT_ID/secrets/fod_pat/versions/latest - env: 'FOD_PAT' - - versionName: projects/$PROJECT_ID/secrets/fod_tenant/versions/latest - env: 'FOD_TENANT' \ No newline at end of file + - versionName: projects/$PROJECT_ID/secrets/FCLI_DEFAULT_FOD_URL/versions/latest + env: 'FCLI_DEFAULT_FOD_URL' + - versionName: projects/$PROJECT_ID/secrets/FCLI_DEFAULT_FOD_USER/versions/latest + env: 'FCLI_DEFAULT_FOD_USER' + - versionName: 
projects/$PROJECT_ID/secrets/FCLI_DEFAULT_FOD_PASSWORD/versions/latest + env: 'FCLI_DEFAULT_FOD_PASSWORD' + - versionName: projects/$PROJECT_ID/secrets/FCLI_DEFAULT_FOD_TENANT/versions/latest + env: 'FCLI_DEFAULT_FOD_TENANT' \ No newline at end of file diff --git a/devops-integrations/gcp/cloudbuild_fortify_sast_scancentral.yaml b/devops-integrations/gcp/cloudbuild_fortify_sast_scancentral.yaml index 809616c5..4acd2a1c 100644 --- a/devops-integrations/gcp/cloudbuild_fortify_sast_scancentral.yaml +++ b/devops-integrations/gcp/cloudbuild_fortify_sast_scancentral.yaml @@ -9,7 +9,7 @@ steps: -- name: maven:3.6.0-jdk-11-slim +- name: maven:3.9.7 entrypoint: 'mvn' args: ['-q', 'clean', 'package', '-DskipTests'] @@ -17,7 +17,7 @@ steps: args: ['build', '-t', 'gcr.io/$PROJECT_ID/iwa_java:latest', '-t', 'gcr.io/$PROJECT_ID/iwa_java:$COMMIT_SHA', '-t', 'gcr.io/$PROJECT_ID/iwa_java:$BUILD_ID', '.'] id: 'build-image-IWAJava' -- name: 'fortifydocker/fortify-ci-tools:3.14.0-jdk-11' +- name: 'fortifydocker/fortify-ci-tools:5.4.1-jdk-17' entrypoint: bash args: - -c @@ -27,10 +27,10 @@ steps: fcli sc-sast session login scancentral package -bt mvn -o package.zip - fcli sc-sast scan start --appversion=$$SSC_APP_VERSION_ID --upload --sensor-version=$$SC_SAST_SENSOR_VERSION --package-file=package.zip --store='?' - - fcli sc-sast scan wait-for '?' --interval=30s - fcli ssc appversion-vuln count --appversion=$$SSC_APP_VERSION_ID + fcli sc-sast scan start --publish-to=$$SSC_APP_VERSION_ID --sensor-version=$$SC_SAST_SENSOR_VERSION --package-file=package.zip --store=Id + + fcli sc-sast scan wait-for ::Id:: --interval=30s + fcli ssc issue count --appversion=$$SSC_APP_VERSION_ID echo Terminating connection with Fortify Platform fcli sc-sast session logout 
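Review bot: `FOD_RELEASE_ID` is now supplied through `env: - 'FOD_RELEASE_ID=${_FOD_RELEASE_ID}'` (a build substitution) and is no longer in `secretEnv`, yet the header hunk above still lists `# - $$FOD_RELEASE_ID` under the secrets that must be defined; update that comment to name the `_FOD_RELEASE_ID` substitution, or keep the value in Secret Manager like the other four. Because the step runs this block with `bash -c` and no `set -e`, its exit status is that of the last command (`fcli fod session logout`), so a failed `fcli fod sast start` or `wait-for` would not fail the build, whereas the removed `FoDUpload` line was the last command and did propagate; add `set -e` as the first line of the block. The secret names are also inconsistent across this commit: here they are `FCLI_DEFAULT_FOD_URL` etc., while the scancentral job in the next file uses lowercase `fcli_default_ssc_user`; one convention would spare operators creating the wrong secrets.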
@@ -39,6 +39,18 @@ steps: env: - 'FORTIFY_IP=${_PUBLIC_IP}' - 'SSC_APP_VERSION_ID=${_SSC_APP_VERSION_ID}' - - 'SC_SAST_SENSOR_VERSION=22.2' + - 'SC_SAST_SENSOR_VERSION=24.2' +availableSecrets: + secretManager: + - versionName: projects/$PROJECT_ID/secrets/fcli_default_sc_sast_client_auth_token/versions/latest + env: 'FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN' + - versionName: projects/$PROJECT_ID/secrets/fcli_default_ssc_user/versions/latest + env: 'FCLI_DEFAULT_SSC_USER' + - versionName: projects/$PROJECT_ID/secrets/fcli_default_ssc_password/versions/latest + env: 'FCLI_DEFAULT_SSC_PASSWORD' + - versionName: projects/$PROJECT_ID/secrets/fcli_default_ssc_ci_token/versions/latest + env: 'FCLI_DEFAULT_SSC_CI_TOKEN' + - versionName: projects/$PROJECT_ID/secrets/fcli_default_ssc_url/versions/latest + env: 'FCLI_DEFAULT_SSC_URL' id: 'fortify-static-scan' waitFor: ['build-image-IWAJava'] diff --git a/devops-integrations/gitlab/debricked-sca.yml b/devops-integrations/gitlab/debricked-sca.yml index a1278366..98eb1ff1 100644 --- a/devops-integrations/gitlab/debricked-sca.yml +++ b/devops-integrations/gitlab/debricked-sca.yml @@ -4,10 +4,9 @@ debricked-sca: stage: test - image: - name: debricked/debricked-scan - entrypoint: ["/gitlab-ci.sh"] - script: echo "Debricked scan complete." + script: + - curl -L https://github.com/debricked/cli/releases/download/release-v2/cli_linux_x86_64.tar.gz | tar -xz debricked + - ./debricked scan needs: [build] variables: DEBRICKED_TOKEN: $DEBRICKED_TOKEN diff --git a/devops-integrations/gitlab/fortify-dast-scancentral.yml b/devops-integrations/gitlab/fortify-dast-scancentral.yml index fd1e58d6..a2df8d8a 100644 --- a/devops-integrations/gitlab/fortify-dast-scancentral.yml +++ b/devops-integrations/gitlab/fortify-dast-scancentral.yml 
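Review bot: The new `availableSecrets` block only makes these five secrets available to the build; the `fortify-static-scan` step also needs a matching `secretEnv:` list for them to be injected as environment variables, and no such list is visible in this hunk or the earlier ones for this file, so `fcli ssc session login` would find the `FCLI_DEFAULT_SSC_*` variables unset. If `secretEnv` already exists above line 39, ignore this; otherwise add `secretEnv: ['FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN', 'FCLI_DEFAULT_SSC_USER', 'FCLI_DEFAULT_SSC_PASSWORD', 'FCLI_DEFAULT_SSC_CI_TOKEN', 'FCLI_DEFAULT_SSC_URL']` to the step, as the FoD job in the previous file does.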
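Review bot: `curl -L .../release-v2/cli_linux_x86_64.tar.gz | tar -xz debricked` fetches a moving `release-v2` tag with no `-f`/`-sS`, no pinned version and no checksum or signature check, then executes the extracted binary; an HTTP error page or a tampered asset would be piped straight into `tar`, while the same commit takes care to verify fcli's signature before installing it. Pin an exact release and verify its published checksum before running it, e.g. `curl -fsSL -o debricked.tgz <pinned release URL>` followed by `echo '<expected sha256>  debricked.tgz' | sha256sum -c -` and only then `tar -xzf debricked.tgz debricked` (placeholders to be filled from the vendor's release page).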
@@ -7,20 +7,23 @@ # - $SC_DAST_SETTINGS fortify-dast: - image: fortifydocker/fortify-ci-tools:latest + image: fortifydocker/fortify-ci-tools:5.4.1-jdk-17 stage: test needs: [deploy] variables: SC_DAST_SCAN_NAME: "IWA-Java" + FCLI_DEFAULT_SSC_USER: $_FCLI_DEFAULT_SSC_USER + FCLI_DEFAULT_SSC_PASSWORD: $_FCLI_DEFAULT_SSC_PASSWORD + FCLI_DEFAULT_SSC_URL: $_FCLI_DEFAULT_SSC_URL + SC_DAST_CICD_IDENTIFIER: $_SC_DAST_CICD_IDENTIFIER + SSC_APP_VERSION_ID: $_SSC_APP_VERSION_ID script: - - fcli ssc session login - - fcli sc-dast session login - - - fcli sc-dast scan start $SC_DAST_SCAN_NAME --settings $SC_DAST_SETTINGS --store '?' - - fcli sc-dast scan wait-for '?' -i 30s - - - FortifyVulnerabilityExporter SSCToGitLabDAST --ssc.baseUrl=$FCLI_DEFAULT_SSC_URL --ssc.user="$FCLI_DEFAULT_SSC_USER" --ssc.password="$FCLI_DEFAULT_SSC_PASSWORD" --ssc.version.id=$SSC_AV_ID + - fcli ssc session login --insecure + - fcli sc-dast session login --insecure + - fcli sc-dast scan start --name=$SC_DAST_SCAN_NAME --settings=$SC_DAST_CICD_IDENTIFIER + - fcli ssc action run gitlab-dast-report --appversion=$SSC_APP_VERSION_ID --page-size=1000 + - fcli sc-dast session logout - fcli ssc session logout artifacts: diff --git a/devops-integrations/gitlab/fortify-sast-fod.yml b/devops-integrations/gitlab/fortify-sast-fod.yml index 6b710d5e..f72fd019 100644 --- a/devops-integrations/gitlab/fortify-sast-fod.yml +++ b/devops-integrations/gitlab/fortify-sast-fod.yml 
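Review bot: `--insecure` is added to both `fcli ssc session login` and `fcli sc-dast session login`, disabling TLS certificate verification for the SSC and ScanCentral DAST connections in the committed template, while the other jobs in this commit go the other way and leave the switch as a comment. Drop the flag from the template and keep the hint as a comment, e.g. `# add --insecure only when the SSC certificate is self-signed`, or gate it behind a variable so the default stays verified. The header still lists `# - $SC_DAST_SETTINGS` as a required variable while the job now reads `$_SC_DAST_CICD_IDENTIFIER` and the new `$_FCLI_DEFAULT_SSC_*`/`$_SSC_APP_VERSION_ID` variables; update that list to match.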
@@ -6,17 +6,23 @@ # - $FOD_TENANT fortify-sast: - image: fortifydocker/fortify-ci-tools:3-jdk-11 + image: fortifydocker/fortify-ci-tools:5.4.1-jdk-17 stage: test variables: - FOD_URL: "https://ams.fortify.com" - FOD_API_URL: "https://api.ams.fortify.com/" - FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf" + FCLI_DEFAULT_FOD_USER: $_FCLI_DEFAULT_FOD_USER + FCLI_DEFAULT_FOD_PASSWORD: $_FCLI_DEFAULT_FOD_PASSWORD + FCLI_DEFAULT_FOD_TENANT: $_FCLI_DEFAULT_FOD_TENANT + FCLI_DEFAULT_FOD_URL: $_FCLI_DEFAULT_FOD_URL + FOD_RELEASE_ID: $_FOD_RELEASE_ID FOD_NOTES: "Triggered by Gitlab Pipeline IID $CI_PIPELINE_IID: $CI_PIPELINE_URL" script: + - fcli fod session login - scancentral package -bt mvn -oss -o package.zip - - FoDUpload -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_NOTES" - - FortifyVulnerabilityExporter FoDToGitLabSAST --fod.baseUrl=$FOD_URL --fod.tenant="$FOD_TENANT" --fod.userName="$FOD_USER" --fod.password="$FOD_PAT" --fod.release.id=$FOD_RELEASE_ID + - fcli fod sast start --release=$FOD_RELEASE_ID --file=package.zip --remediation=NonRemediationScanOnly --notes="$FOD_NOTES" --store=Id + - 'fcli fod sast wait-for ::Id:: --interval=30s' + - fcli fod issue list --release=$FOD_RELEASE_ID + - fcli fod action run gitlab-sast-report --release=$FOD_RELEASE_ID + - fcli fod session logout allow_failure: true artifacts: reports: diff --git a/devops-integrations/gitlab/fortify-sast-scancentral.yml b/devops-integrations/gitlab/fortify-sast-scancentral.yml index 1e651fee..bad60dfa 100644 --- a/devops-integrations/gitlab/fortify-sast-scancentral.yml +++ b/devops-integrations/gitlab/fortify-sast-scancentral.yml 
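Review bot: The header comment kept as context (`# - $FOD_TENANT`) still documents the old variable names, but the job now reads `$_FCLI_DEFAULT_FOD_USER`, `$_FCLI_DEFAULT_FOD_PASSWORD`, `$_FCLI_DEFAULT_FOD_TENANT`, `$_FCLI_DEFAULT_FOD_URL` and `$_FOD_RELEASE_ID`; the rest of that list is outside the hunk but presumably stale in the same way. Replace the list with the five `$_…` names so operators define the variables the job actually uses. Only the `wait-for` line is single-quoted while the `fcli fod sast start ... --notes="$FOD_NOTES" --store=Id` line is a plain scalar; quoting both the same way keeps the style uniform and protects against a future `: ` or ` #` inside the notes text.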
@@ -1,28 +1,36 @@ # Integrate Fortify ScanCentral Static AppSec Testing (SAST) into your Gitlab CICD pipeline # The following Gitlab environment variables must be defined before using this job -# - $FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN -# - $FCLI_DEFAULT_SSC_CI_TOKEN -# - $FCLI_DEFAULT_SSC_URL -# - $FCLI_DEFAULT_SSC_USER -# - $FCLI_DEFAULT_SSC_PASSWORD -# - $SSC_AV_ID +# - $_FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN +# - $_FCLI_DEFAULT_SSC_CI_TOKEN +# - $_FCLI_DEFAULT_SSC_URL +# - $_FCLI_DEFAULT_SSC_USER +# - $_FCLI_DEFAULT_SSC_PASSWORD +# - $_SSC_APP_VERSION_ID fortify-sast: stage: test - image: fortifydocker/fortify-ci-tools:latest + image: fortifydocker/fortify-ci-tools:5.4.1-jdk-17 needs: [build] variables: - SC_SAST_SENSOR_VERSION: '22.2' + SC_SAST_SENSOR_VERSION: 24.2 + FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN: $_FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN + FCLI_DEFAULT_SSC_USER: $_FCLI_DEFAULT_SSC_USER + FCLI_DEFAULT_SSC_PASSWORD: $_FCLI_DEFAULT_SSC_PASSWORD + FCLI_DEFAULT_SSC_CI_TOKEN: $_FCLI_DEFAULT_SSC_CI_TOKEN + FCLI_DEFAULT_SSC_URL: $_FCLI_DEFAULT_SSC_URL + SSC_APP_VERSION_ID: $_SSC_APP_VERSION_ID script: - fcli ssc session login - fcli sc-sast session login - scancentral package -bt mvn -o package.zip - - fcli sc-sast scan start --package-file=package.zip --upload --sensor-version=$SC_SAST_SENSOR_VERSION --appversion=$SSC_AV_ID --store '?' + - fcli sc-sast scan start --publish-to=$SSC_APP_VERSION_ID --sensor-version=$SC_SAST_SENSOR_VERSION --package-file=package.zip --store=Id + + - 'fcli sc-sast scan wait-for ::Id:: --interval=30s' - - fcli sc-sast scan wait-for '?' 
--interval=30s - - - FortifyVulnerabilityExporter SSCToGitLabSAST --ssc.baseUrl=$FCLI_DEFAULT_SSC_URL --ssc.user="$FCLI_DEFAULT_SSC_USER" --ssc.password="$FCLI_DEFAULT_SSC_PASSWORD" --ssc.version.id=$SSC_AV_ID + - fcli ssc issue count --appversion=$SSC_APP_VERSION_ID + + - fcli ssc action run gitlab-sast-report --appversion=$SSC_APP_VERSION_ID --page-size=1000 - fcli sc-sast session logout - fcli ssc session logout diff --git a/devops-integrations/oci/fortify-sast-fod.bash b/devops-integrations/oci/fortify-sast-fod.bash index f6194dd8..889f2c2d 100644 --- a/devops-integrations/oci/fortify-sast-fod.bash +++ b/devops-integrations/oci/fortify-sast-fod.bash 
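Review bot: `SC_SAST_SENSOR_VERSION: 24.2` drops the quotes the old line `'22.2'` had, so the value is now a YAML float; GitLab stringifies it back to `24.2` today, but a version such as `24.10` would silently become `24.1`, and the file now mixes quoted and unquoted scalars. Keep it a string, `SC_SAST_SENSOR_VERSION: '24.2'`, matching the quoted `'fcli sc-sast scan wait-for ::Id:: --interval=30s'` line a few lines below.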
@@ -1,57 +1,84 @@ #!/bin/bash -# Integrate Fortify ScanCentral Static AppSec Testing (SAST) into your AWS Codestar pipeline +# Integrate Fortify ScanCentral Static AppSec Testing (SAST) into your OCI DevOps Project pipeline # *** Configuration *** # The following vault secrets must be defined - # FOD_TENANT - # FOD_USER - # FOD_PWD + # FCLI_DEFAULT_FOD_URL + # FCLI_DEFAULT_FOD_TENANT + # FCLI_DEFAULT_FOD_USER + # FCLI_DEFAULT_FOD_PASSWORD (PAT) # FOD_RELEASE_ID - + # Local variables (modify as needed) -fod_url='https://ams.fortify.com' -fod_api_url='https://api.ams.fortify.com/' -fod_uploader_opts='-ep 2 -pp 0 -I 1 -apf' -fod_notes="Triggered by OCI DevOps" -scancentral_client_version='22.2.0' -fod_uploader_version='5.4.0' -fcli_version='v1.1.0' -fcli_sha='5553766f0f771abdf27f4c6b6d38a34825a64aaa5d72cfd03c68d7e2f43a49a0' - -# Local variables (DO NOT MODIFY) -fortify_tools_dir="/root/.fortify/tools" -scancentral_home=$fortify_tools_dir/ScanCentral -fod_uploader_home=$fortify_tools_dir/foduploader -fcli_home=$fortify_tools_dir/fcli -fcli_install='fcli-linux.tgz' +FCLI_VERSION=v2.4.0 +FODUPLOAD_VERSION=5.4.1 +SCANCENTRAL_VERSION=24.2.0 +FCLI_URL=https://github.com/fortify-ps/fcli/releases/download/${FCLI_VERSION}/fcli-linux.tgz +FCLI_SIG_URL=${FCLI_URL}.rsa_sha256 +FORTIFY_TOOLS_DIR="/root/.fortify/tools" +FCLI_HOME=$FORTIFY_TOOLS_DIR/fcli +FODUPLOAD_HOME=$FORTIFY_TOOLS_DIR/FodUpload +SCANCENTRAL_HOME=$FORTIFY_TOOLS_DIR/ScanCentral +fod_notes="Triggered by OCI DevOps Projects" + +# *** Supported Functions *** +verifySig() { + local src sig + src="$1"; sig="$2" + openssl dgst -sha256 -verify <(echo "-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArij9U9yJVNc53oEMFWYp +NrXUG1UoRZseDh/p34q1uywD70RGKKWZvXIcUAZZwbZtCu4i0UzsrKRJeUwqanbc +woJvYanp6lc3DccXUN1w1Y0WOHOaBxiiK3B1TtEIH1cK/X+ZzazPG5nX7TSGh8Tp +/uxQzUFli2mDVLqaP62/fB9uJ2joX9Gtw8sZfuPGNMRoc8IdhjagbFkhFT7WCZnk +FH/4Co007lmXLAe12lQQqR/pOTeHJv1sfda1xaHtj4/Tcrq04Kx0ZmGAd5D9lA92 
+8pdBbzoe/mI5/Sk+nIY3AHkLXB9YAaKJf//Wb1yiP1/hchtVkfXyIaGM+cVyn7AN +VQIDAQAB +-----END PUBLIC KEY-----") -signature "${sig}" "${src}" +} + +installFcli() { + local src sigSrc tgt tmpRoot tmpFile tmpDir + src="$1"; sigSrc="$2"; tgt="$3"; + tmpRoot=$(mktemp -d); tmpFile="$tmpRoot/archive.tmp"; tmpDir="$tmpRoot/extracted" + echo "Downloading file" + wget -O $tmpFile $src + echo "Verifying Signature..." + verifySig "$tmpFile" <(curl -fsSL -o - "$sigSrc") + echo "Unzipping: tar -zxf " + $tmpFile + " -C " + $tmpDir + mkdir $tmpDir + mkdir -p $tgt + + tar -zxf $tmpFile -C $tmpDir + mv $tmpDir/* $tgt + rm -rf $tmpRoot + find $tgt -type f +} + # *** Execution *** +echo "Installing FCLI" +# Install FCLI +installFcli ${FCLI_URL} ${FCLI_SIG_URL} ${FCLI_HOME}/bin + +fcli tool fod-uploader install -v ${FODUPLOAD_VERSION} -d ${FODUPLOAD_HOME} +fcli tool sc-client install -v ${SCANCENTRAL_VERSION} -d ${SCANCENTRAL_HOME} -# Download Fortify CLI -wget "https://github.com/fortify-ps/fcli/releases/download/$fcli_version/fcli-linux.tgz" -e=$? # return code last command -if [ "${e}" -ne "0" ]; then - echo "ERROR: Failed to download Fortify CLI - exit code ${e}" - exit 100 -fi -# Verify integrity -sha256sum -c <(echo "$fcli_sha $fcli_install") -e=$? # return code last command -if [ "${e}" -ne "0" ]; then - echo "ERROR: Fortify CLI hash does not match - exit code ${e}" - exit 100 -fi - -mkdir -p $fcli_home/bin -tar -xvzf "$fcli_install" -C $fcli_home/bin -export PATH=$fcli_home/bin:$fod_uploader_home/bin:$scancentral_home/bin:${PATH} - -fcli tool sc-client install $scancentral_client_version -d $scancentral_home -fcli tool fodupload install $fod_uploader_version -d $fod_uploader_home - -# Generate Java Package for upload to Fortify on Demand +export PATH=$FCLI_HOME/bin:$FODUPLOAD_HOME/bin:$SCANCENTRAL_HOME/bin:${PATH} + +echo Setting connection with Fortify Platform +#Use --insecure switch if the SSL certificate is self generated. +fcli fod session login + +echo "Scan starting.." 
scancentral package -bt mvn -oss -o package.zip +fcli fod sast start --release=$FOD_RELEASE_ID --file=package.zip --remediation=NonRemediationScanOnly --notes="$FOD_NOTES" --store=Id + +fcli fod sast wait-for ::Id:: --interval=30s + +fcli fod issue list --release=$FOD_RELEASE_ID + +fcli fod session logout +# *** Execution Completes *** -echo 'start submitting scan' -FoDUpload -z package.zip -aurl $fod_api_url -purl $fod_url -rid ${FOD_RELEASE_ID} -tc ${FOD_TENANT} -uc ${FOD_USER} ${FOD_PWD} $fod_uploader_opts -n "$fod_notes" +# *** EoF *** \ No newline at end of file diff --git a/devops-integrations/oci/fortify_sast_scancentral.bash b/devops-integrations/oci/fortify_sast_scancentral.bash index 31fe340c..556cdb21 100644 --- a/devops-integrations/oci/fortify_sast_scancentral.bash +++ b/devops-integrations/oci/fortify_sast_scancentral.bash @@ -1,5 +1,5 @@ #!/bin/bash -# Integrate Fortify ScanCentral Static AppSec Testing (SAST) into your AWS Codestar pipeline +# Integrate Fortify ScanCentral Static AppSec Testing (SAST) into your OCI DevOps Project pipeline # *** Configuration *** 
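Review bot: `fod_notes="Triggered by OCI DevOps Projects"` is assigned in lower case but the scan is started with `--notes="$FOD_NOTES"`, so unless `FOD_NOTES` happens to be exported by the build environment the notes sent to FoD are empty; use one name, e.g. `FOD_NOTES="Triggered by OCI DevOps Projects"`. `fcli tool fod-uploader install -v ${FODUPLOAD_VERSION} -d ${FODUPLOAD_HOME}` and the `FODUPLOAD_HOME` entry on `PATH` install a tool the script no longer calls now that the `FoDUpload` line is removed; dropping both shortens the build. The unchecked `verifySig`/`wget` results in `installFcli` are the same issue noted on the aws scancentral hunk above.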
@@ -12,38 +12,61 @@ # SSC_APP_VERSION_ID # Local variables (modify as needed) -scancentral_client_version='22.2.0' -fcli_version='v1.1.0' -fcli_sha='5553766f0f771abdf27f4c6b6d38a34825a64aaa5d72cfd03c68d7e2f43a49a0' +FCLI_VERSION=v2.4.0 +SCANCENTRAL_VERSION=24.2.0 +FCLI_URL=https://github.com/fortify-ps/fcli/releases/download/${FCLI_VERSION}/fcli-linux.tgz +FCLI_SIG_URL=${FCLI_URL}.rsa_sha256 +FORTIFY_TOOLS_DIR="/root/.fortify/tools" +FCLI_HOME=$FORTIFY_TOOLS_DIR/fcli +SCANCENTRAL_HOME=$FORTIFY_TOOLS_DIR/ScanCentral +ssc_ip=x.x.x.x -# Local variables (DO NOT MODIFY) -fortify_tools_dir="/root/.fortify/tools" -scancentral_home=$fortify_tools_dir/ScanCentral -fcli_home=$fortify_tools_dir/fcli -fcli_install='fcli-linux.tgz' +# *** Supported Functions *** +verifySig() { + local src sig + src="$1"; sig="$2" + openssl dgst -sha256 -verify <(echo "-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArij9U9yJVNc53oEMFWYp +NrXUG1UoRZseDh/p34q1uywD70RGKKWZvXIcUAZZwbZtCu4i0UzsrKRJeUwqanbc +woJvYanp6lc3DccXUN1w1Y0WOHOaBxiiK3B1TtEIH1cK/X+ZzazPG5nX7TSGh8Tp +/uxQzUFli2mDVLqaP62/fB9uJ2joX9Gtw8sZfuPGNMRoc8IdhjagbFkhFT7WCZnk +FH/4Co007lmXLAe12lQQqR/pOTeHJv1sfda1xaHtj4/Tcrq04Kx0ZmGAd5D9lA92 +8pdBbzoe/mI5/Sk+nIY3AHkLXB9YAaKJf//Wb1yiP1/hchtVkfXyIaGM+cVyn7AN +VQIDAQAB +-----END PUBLIC KEY-----") -signature "${sig}" "${src}" +} + +installFcli() { + local src sigSrc tgt tmpRoot tmpFile tmpDir + src="$1"; sigSrc="$2"; tgt="$3"; + tmpRoot=$(mktemp -d); tmpFile="$tmpRoot/archive.tmp"; tmpDir="$tmpRoot/extracted" + echo "Downloading file" + wget -O $tmpFile $src + echo "Verifying Signature..." 
+ verifySig "$tmpFile" <(curl -fsSL -o - "$sigSrc") + echo "Unzipping: tar -zxf " + $tmpFile + " -C " + $tmpDir + mkdir $tmpDir + mkdir -p $tgt + + tar -zxf $tmpFile -C $tmpDir + mv $tmpDir/* $tgt + rm -rf $tmpRoot + find $tgt -type f +} # *** Execution *** +# Install FCLI +installFcli ${FCLI_URL} ${FCLI_SIG_URL} ${FCLI_HOME}/bin + +# Use when ssc IP is not static +#echo "adding host entry..." +#echo ${ssc_ip} fortify.cyberxdemo.com >> /etc/hosts +#cat /etc/hosts + +fcli tool sc-client install -v ${SCANCENTRAL_VERSION} -d ${SCANCENTRAL_HOME} -# Download Fortify CLI -wget "https://github.com/fortify-ps/fcli/releases/download/$fcli_version/fcli-linux.tgz" -e=$? # return code last command -if [ "${e}" -ne "0" ]; then - echo "ERROR: Failed to download Fortify CLI - exit code ${e}" - exit 100 -fi -# Verify integrity -sha256sum -c <(echo "$fcli_sha $fcli_install") -e=$? # return code last command -if [ "${e}" -ne "0" ]; then - echo "ERROR: Fortify CLI hash does not match - exit code ${e}" - exit 100 -fi - -mkdir -p $fcli_home/bin -tar -xvzf "$fcli_install" -C $fcli_home/bin -export PATH=$fcli_home/bin:$scancentral_home/bin:${PATH} - -fcli tool sc-client install $scancentral_client_version -d $scancentral_home + +export PATH=$FCLI_HOME/bin:$SCANCENTRAL_HOME/bin:${PATH} echo Setting connection with Fortify Platform # USE --INSECURE WHEN YOUR SSL CERTIFICATES ARE SELF GENERATED/UNTRUSTED 
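Review bot: `ssc_ip=x.x.x.x` commits a placeholder as a live assignment whose only consumer is the commented-out `/etc/hosts` block below it; either read it from the build environment, e.g. `ssc_ip=${SSC_IP:-}` (name illustrative), or remove it together with the commented lines so the template does not ship a bogus value. The `installFcli` body here has the same unchecked `verifySig`/`wget` results as the aws scancentral hunk above. The context line `# USE --INSECURE WHEN YOUR SSL CERTIFICATES ARE SELF GENERATED/UNTRUSTED` in this file differs from the `#Use --insecure switch if the SSL certificate is self generated.` wording added elsewhere in this commit; one phrasing across the scripts would be tidier.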
@@ -52,10 +75,13 @@ fcli sc-sast session login scancentral package -bt mvn -o package.zip -fcli sc-sast scan start --appversion=${SSC_APP_VERSION_ID} --upload --sensor-version=$scancentral_client_version --package-file=package.zip --store='?' -fcli sc-sast scan wait-for '?' --interval=30s -fcli ssc appversion-vuln count --appversion=${SSC_APP_VERSION_ID} +fcli sc-sast scan start --publish-to=$SSC_APP_VERSION_ID --sensor-version=$SCANCENTRAL_VERSION --package-file=package.zip --store=Id +fcli sc-sast scan wait-for ::Id:: --interval=30s +fcli ssc issue count --appversion=$SSC_APP_VERSION_ID echo Terminating connection with Fortify Platform fcli sc-sast session logout -fcli ssc session logout \ No newline at end of file +fcli ssc session logout +# *** Execution Completes *** + +# *** EoF *** \ No newline at end of file