chore: Add fod-sast-scan action

fortify · Sep 25, 2023 · 4fe5630 · 4fe5630
1 parent 63ad4ea
commit 4fe5630
Show file tree

Hide file tree

Showing 20 changed files with 7,805 additions and 9 deletions.
diff --git a/.husky/pre-commit b/.husky/pre-commit
@@ -0,0 +1,5 @@
+#!/bin/sh
+. "$(dirname "$0")/_/husky.sh"
+
+(cd run && NODE_OPTIONS=--openssl-legacy-provider npm run build && git add dist/)
+(cd setup && NODE_OPTIONS=--openssl-legacy-provider npm run build && git add dist/)
diff --git a/action.yml b/action.yml
@@ -0,0 +1,20 @@
+name: 'TODO'
+description: 'TODO'
+author: 'Fortify'
+inputs:
+  test:
+    description: 'Test'
+    default: 'none'
+    required: false
+runs:
+  using: composite
+  steps:
+    - uses: fortify-ps/github-action/setup@main
+      with:
+        test: |
+          ${{inputs.test}}
+        
+branding:
+  icon: 'shield'
+  color: 'blue'
+
diff --git a/configure.sh b/configure.sh
@@ -0,0 +1,4 @@
+#! /bin/bash
+(cd run && npm install)
+(cd setup && npm install)
+git config --local core.hooksPath=.husky
diff --git a/developers.md b/developers.md
@@ -0,0 +1,4 @@
+# Information for developers
+
+## Husky
+After cloning this repository, please run ./configure.sh to install npm modules and configure git hooks.
diff --git a/fod-export/action.yml b/fod-export/action.yml
@@ -0,0 +1,37 @@
+name: 'Perform SAST scan'
+description: 'Perform a SAST scan on Fortify on Demand'
+author: 'Fortify'
+runs:
+  using: composite
+  steps:
+    - uses: fortify-ps/github-action/setup@main
+      with:
+        export-path: false
+        vuln-exporter: 2.0.3
+    - run: |
+        if [[ ${FOD_RELEASE} == ?(-)+([0-9]) ]]; then
+          RELEASE_OPT="--fod.release.id=${FOD_RELEASE}"
+        else
+          RELEASE_OPT="--fod.release.name=${FOD_RELEASE}"
+        fi
+        "${VULN_EXPORTER_CMD}" FoDToGitHub "--fod.baseUrl=${FOD_URL}" \
+          "--fod.tenant=${FOD_TENANT}" "--fod.user=${FOD_USER}" "--fod.password=${FOD_PASSWORD}" \
+          "--fod.clientID=${FOD_CLIENT_ID}" "--fod.clientSecret=${FOD_CLIENT_SECRET}"
+          "${RELEASE_OPT}"
+      shell: bash
+    # Uploaded the generated file containing Fortify vulnerabilities to GitHub.
+    - uses: github/codeql-action/upload-sarif@v1
+      with:
+        sarif_file: ./gh-fortify-sast.sarif
+
+    # Optionally store the generated file for troubleshooting purposes.
+    - uses: actions/upload-artifact@v2
+      if: always()
+      with:
+        name: sarif-files
+        path: ./gh-fortify-sast.sarif  
+
+branding:
+  icon: 'shield'
+  color: 'blue'
+
diff --git a/fod-login/action.yml b/fod-login/action.yml
@@ -0,0 +1,29 @@
+name: 'Run "fcli fod session login" command'
+description: 'Run "fcli fod session login" command based on environment variables'
+author: 'Fortify'
+runs:
+  using: composite
+  steps:
+    - uses: fortify-ps/github-action/setup@main
+      with:
+        export-path: false
+        fcli: dev_develop
+    - run: |
+        if [ -z "$FOD_URL" ]; then
+          echo "ERROR: FOD_URL environment variable must be set"; exit 1;
+        fi
+        if [ -n "${FOD_CLIENT_ID}" -a -n "${FOD_CLIENT_SECRET}" ]; then
+          echo '_FOD_LOGIN_OPTS=--url "${FOD_URL}" --client-id "${FOD_CLIENT_ID}" --client-secret "${FOD_CLIENT_SECRET}" ${EXTRA_FOD_LOGIN_OPTS}' >> $GITHUB_ENV
+        elif [ -n "${FOD_USER}" -a -n "${FOD_PASSWORD}" -a -n "${FOD_TENANT}" ]; then
+          echo '_FOD_LOGIN_OPTS=--url "${FOD_URL}" -t "${FOD_TENANT}" -u "${FOD_USER}" -p "${FOD_PASSWORD}" ${EXTRA_FOD_LOGIN_OPTS}' >> $GITHUB_ENV
+        else
+          echo "ERROR: Either FOD_CLIENT_ID and FOD_CLIENT_SECRET, or FOD_TENANT, FOD_USER and FOD_PASSWORD environment variables must be set"; exit 1;
+        fi
+      shell: bash
+    - uses: fortify-ps/github-action/run@main
+      with:
+        cmd: '"${FCLI_CMD}" fod session login ${_FOD_LOGIN_OPTS}'         
+branding:
+  icon: 'shield'
+  color: 'blue'
+
diff --git a/fod-sast-scan/action.yml b/fod-sast-scan/action.yml
@@ -0,0 +1,29 @@
+name: 'Perform SAST scan'
+description: 'Perform a SAST scan on Fortify on Demand'
+author: 'Fortify'
+runs:
+  using: composite
+  steps:
+    - uses: fortify-ps/github-action/setup@main
+      with:
+        export-path: false
+        fcli: dev_develop
+    - uses: fortify-ps/github-action/package@main
+    - uses: fortify-ps/github-action/fod-login@main
+    - uses: fortify-ps/github-action/run@main
+      with:
+        cmd: '"${FCLI_CMD}" fod scan start-sast "${FOD_RELEASE}" -f package.zip --store fod_scan ${EXTRA_FOD_SAST_OPTS}'
+    - uses: fortify-ps/github-action/run@main
+      if: env.DO_WAIT == 'true' || env.DO_EXPORT == 'true'
+      with:
+        cmd: '"${FCLI_CMD}" fod scan wait-for ::fod_scan::'
+    - uses: fortify-ps/github-action/run@main
+      with:
+        cmd: '"${FCLI_CMD}" fod session logout'       
+    - if: env.DO_EXPORT == 'true'
+      uses: fortify-ps/github-action/fod-export@main
+
+branding:
+  icon: 'shield'
+  color: 'blue'
+
diff --git a/run/.eslintrc.js b/run/.eslintrc.js
@@ -0,0 +1,33 @@
+module.exports = {
+    "env": {
+        "browser": true,
+        "es2021": true
+    },
+    "extends": [
+        "eslint:recommended",
+        "plugin:@typescript-eslint/recommended"
+    ],
+    "overrides": [
+        {
+            "env": {
+                "node": true
+            },
+            "files": [
+                ".eslintrc.{js,cjs}"
+            ],
+            "parserOptions": {
+                "sourceType": "script"
+            }
+        }
+    ],
+    "parser": "@typescript-eslint/parser",
+    "parserOptions": {
+        "ecmaVersion": "latest",
+        "sourceType": "module"
+    },
+    "plugins": [
+        "@typescript-eslint"
+    ],
+    "rules": {
+    }
+}
diff --git a/run/LICENSE b/run/LICENSE
@@ -0,0 +1,23 @@
+The MIT License (MIT)
+(c) Copyright 2020 Micro Focus or one of its affiliates
+
+Permission is hereby granted, free of charge, to any person obtaining a 
+copy of this software and associated documentation files (the 
+"Software"), to deal in the Software without restriction, including without 
+limitation the rights to use, copy, modify, merge, publish, distribute, 
+sublicense, and/or sell copies of the Software, and to permit persons to 
+whom the Software is furnished to do so, subject to the following 
+conditions:
+
+The above copyright notice and this permission notice shall be included 
+in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 
+KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 
+WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 
+PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 
+DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 
+CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 
+IN THE SOFTWARE.
diff --git a/run/action.yml b/run/action.yml
@@ -0,0 +1,14 @@
+name: 'Setup Fortify Tools'
+description: 'Run arbitrary commands; any ${<var>} references will be resolved as environment variables'
+author: 'Fortify'
+inputs:
+  cmd:
+    description: 'Command to run'
+    required: true
+runs:
+  using: node20
+  main: 'dist/index.js'
+branding:
+  icon: 'shield'
+  color: 'blue'
+