From 253191c0095f9ca273bb5d447ca31f84b62a3e96 Mon Sep 17 00:00:00 2001 From: Rohit Baryha <72431329+rohitbaryha1@users.noreply.github.com> Date: Wed, 30 Nov 2022 20:00:05 +0530 Subject: [PATCH] Updated for AWS and GCP --- devops-integrations/aws/buildspec.yml | 48 ++++++++++++++ devops-integrations/aws/fortify-sast-fod.bash | 66 +++++++++++++++++++ .../gcp/cloudbuild_fortify_sast_fod.yaml | 31 +++++++++ 3 files changed, 145 insertions(+) create mode 100644 devops-integrations/aws/buildspec.yml create mode 100644 devops-integrations/aws/fortify-sast-fod.bash create mode 100644 devops-integrations/gcp/cloudbuild_fortify_sast_fod.yaml diff --git a/devops-integrations/aws/buildspec.yml b/devops-integrations/aws/buildspec.yml new file mode 100644 index 00000000..286059a1 --- /dev/null +++ b/devops-integrations/aws/buildspec.yml @@ -0,0 +1,48 @@ +version: 0.2 +env: + variables: + FOD_RELEASE_ID: "XXXXX" + parameter-store: + FOD_BASEURL: "/fod/baseurl" + FOD_TENANT: "/fod/tenant" + FOD_USER: "/fod/user" #Client ID + FOD_PWD: "/fod/pwd" #Client Secret +phases: + install: + runtime-versions: + java: corretto11 + commands: + # Upgrade AWS CLI to the latest version + - pip install --upgrade awscli + pre_build: + commands: + - mvn clean + build: + commands: + - mvn -Pwar clean package + #- mvn package + post_build: + commands: + # Do not remove this statement. This command is required for AWS CodeStar projects. + # Update the AWS Partition, AWS Region, account ID and project ID in the project ARN in template-configuration.json file so AWS CloudFormation can tag project resources. + - sed -i.bak 's/\$PARTITION\$/'${PARTITION}'/g;s/\$AWS_REGION\$/'${AWS_REGION}'/g;s/\$ACCOUNT_ID\$/'${ACCOUNT_ID}'/g;s/\$PROJECT_ID\$/'${PROJECT_ID}'/g' template-configuration.json + ################################################### + # INTEGRATE FORTIFY SAST # + # # + # For FORTIFY ON DEMAND uncomment the next line # + - bash fortify-sast-fod.bash + # # + # For FORTIFY SCANCENTRAL uncomment the next line # + #- bash fortify_sast_scancentral.bash + # # + # For LOCAL FORTIFY SCA uncomment the next line # + #- bash fortify_sast_local.bash + # # + ################################################### +artifacts: + files: + - 'appspec.yml' + - 'template.yml' + - 'scripts/*' + - 'target/iwa.war' + - 'template-configuration.json' diff --git a/devops-integrations/aws/fortify-sast-fod.bash b/devops-integrations/aws/fortify-sast-fod.bash new file mode 100644 index 00000000..e8412813 --- /dev/null +++ b/devops-integrations/aws/fortify-sast-fod.bash @@ -0,0 +1,66 @@ +#!/bin/bash + +#Parameters Section + +#download the required tools installation script +sha256_FTI='d9ebd439c5b426a5ea207e6c1a17a466f79363ca5735fea1d7a4d8ef5807dc06' +fortify_tool_installer='https://raw.githubusercontent.com/fortify/FortifyToolsInstaller/v2.14.0/FortifyToolsInstaller.sh' # BASE UTILITY DO NOT CHANGE + +fod_url=$FOD_BASEURL # Fortify On Demand URL +fod_api_url='https://api.'`echo "$fod_url" | awk -F/ '{print $3}'` # Fortify On Demand API URL +fortify_tools_dir='/root/.fortify/tools/FoDUploader/v5.4.0' # Default installation directory +fod_util='FoDUpload.jar' # FoD Utility alias set into FTI Script [[DO NOT CHANGE]] + +#FOD Details to Upload Code +fod_tenant=$FOD_TENANT # TENANT ID +fod_user_key=$FOD_USER # FOD USER KEY +fod_pwd_secret=$FOD_PWD # FOD PAT +fod_release_id=$FOD_RELEASE_ID # FOD APPLICATION BASED RELEASE ID + +#Parameters to configure installable +fti_install='FortifyToolsInstaller.sh' + +#Download required files, please ensure the URL is available +wget "$fortify_tool_installer" +e=$? # return code last command +if [ "${e}" -ne "0" ]; then + echo "ERROR: Can;t downloads the requierd files from server, can not continue - exit code ${e}" + exit 100 +fi +# End of Download + +#persmission to execute +chmod +x "$fti_install" +sha256sum -c <(echo "$sha256_FTI $fti_install") +e=$? # return code last command +if [ "${e}" -ne "0" ]; then + echo "ERROR: Hashes could not be matched, can not continue - exit code ${e}" + exit 100 +fi + +FTI_TOOLS=sc:22.1.2 source $fti_install +e=$? # return code last command +if [ "${e}" -ne "0" ]; then + echo "ERROR: Can;t downloads the requierd files from server, can not continue - exit code ${e}" + exit 100 +fi + +#Execute the shell script to download and install fortify tools +FTI_TOOLS=fu:v5.4.0 source $fti_install +e=$? # return code last command +if [ "${e}" -ne "0" ]; then + echo "ERROR: Can;t downloads the requierd files from server, can not continue - exit code ${e}" + exit 100 +fi + +#Generate Java Package to upload in FoD +scancentral package -o sourcecode.zip --build-tool mvn + +java -jar $fortify_tools_dir/$fod_util -ac $fod_user_key $fod_pwd_secret -rid $fod_release_id -purl $fod_url -aurl $fod_api_url -tc $fod_tenant -z sourcecode.zip -ep 2 -rp 2 -pp 2 +e=$? # return code last command +if [ "${e}" -ne "0" ]; then + echo "ERROR: Fortify On Demand throws error, can not continue - exit code ${e}" + exit 100 +fi + +echo "INFO: Scan Submitted Successfully..." \ No newline at end of file diff --git a/devops-integrations/gcp/cloudbuild_fortify_sast_fod.yaml b/devops-integrations/gcp/cloudbuild_fortify_sast_fod.yaml new file mode 100644 index 00000000..45bce049 --- /dev/null +++ b/devops-integrations/gcp/cloudbuild_fortify_sast_fod.yaml @@ -0,0 +1,31 @@ +steps: +- name: maven:3.6.0-jdk-11-slim + entrypoint: 'mvn' + args: ['clean', 'package', '-DskipTests'] + +- name: 'gcr.io/cloud-builders/docker' + args: ['build', '-t', 'gcr.io/$PROJECT_ID/iwa_java:latest', '-t', 'gcr.io/$PROJECT_ID/iwa_java:$COMMIT_SHA', '-t', 'gcr.io/$PROJECT_ID/iwa_java:$BUILD_ID', '.'] + id: 'build-image-IWAJava' + +- name: 'fortifydocker/fortify-ci-tools:latest' + entrypoint: bash + args: + - -c + - | + fod_api_url='https://api.'`echo "$$FOD_BASEURL" | awk -F/ '{print $3}'` + scancentral package -o sourcecode.zip --build-tool mvn + java -jar /opt/Fortify/FodUpload/FoDUpload.jar -ac $$FOD_USER $$FOD_PWD -rid $$FOD_RELEASE_ID -purl $$FOD_BASEURL -aurl $fod_api_url -tc $$FOD_TENANT -z sourcecode.zip -ep 2 -rp 2 -pp 2 + secretEnv: ['FOD_USER', 'FOD_PWD', 'FOD_TENANT'] + env: + - 'FOD_BASEURL=${_FOD_URL}' + - 'FOD_RELEASE_ID=${_FOD_RELEASE_ID}' + id: 'fortify-static-scan' + waitFor: ['build-image-IWAJava'] +availableSecrets: + secretManager: + - versionName: projects/$PROJECT_ID/secrets/fod_pwd/versions/1 + env: 'FOD_PWD' + - versionName: projects/$PROJECT_ID/secrets/fod_user/versions/1 + env: 'FOD_USER' + - versionName: projects/$PROJECT_ID/secrets/fod_tenant/versions/1 + env: 'FOD_TENANT' \ No newline at end of file