diff --git a/AWS/README.md b/AWS/README.md
index a3f2531..b778bd0 100644
--- a/AWS/README.md
+++ b/AWS/README.md
@@ -1,13 +1,12 @@
 # AWS Templates
-AWS templates will help onboard applications with application security integration. Fortify platform support AWS Codestar services so DevOps teams will be able to directly leverage these templates as part of pipeline automation. AWS CodeStar service supports Continious Delivery using their own defined YML files during build and release.
-
+AWS templates will help onboard applications with application security integration. Fortify platform support AWS CodeBuild services so DevOps teams will be able to directly leverage these templates as part of pipeline automation. AWS CodeBuild service supports Continious Delivery using their own defined YML files during build and release.
 1. BuildSpec.yml : This template used to build and generate artifacts using AWS managed services. It depicts the CI process in DevSecOps framework.
 2. AppSpec.yml : This template used to deploy the artifacts generated by the CI process. It depicts the CD process in DevSecOps framework.
-## Integrating Fortify with AWS CodeStar
+## Integrating Fortify with AWS CodeBuild
 Integrating Fortify with CI process is fairly simple pull and push switch using the templates given in the above folders. Fortify can be integrated using below steps.
 1. Identify your Fortify solution (Fortify on-premises or Fortify on Demand)
diff --git a/AWS/SAST/DotNet_Sample/buildspec.yml b/AWS/SAST/DotNet_Sample/buildspec.yml
index e34d558..4d37c33 100644
--- a/AWS/SAST/DotNet_Sample/buildspec.yml
+++ b/AWS/SAST/DotNet_Sample/buildspec.yml
@@ -30,7 +30,7 @@ phases:
 # - dotnet vstest AspNetCoreWebApplicationTest/bin/release/netcoreapp3.1/AspNetCoreWebApplicationTest.dll
 post_build:
 commands:
- # Do not remove this statement. This command is required for AWS CodeStar projects.
+ # Do not remove this statement. This command is required for AWS CodeBuild projects.
 # Update the AWS Partition, AWS Region, account ID and project ID in the project ARN in template-configuration.json file so AWS CloudFormation can tag project resources.
 - sed -i.bak 's/\$PARTITION\$/'${PARTITION}'/g;s/\$AWS_REGION\$/'${AWS_REGION}'/g;s/\$ACCOUNT_ID\$/'${ACCOUNT_ID}'/g;s/\$PROJECT_ID\$/'${PROJECT_ID}'/g' template-configuration.json
 ###################################################
diff --git a/AWS/SAST/DotNet_Sample/fortify_sast_fod_template.bash b/AWS/SAST/DotNet_Sample/fortify_sast_fod_template.bash
index f575bb7..b1e0c85 100644
--- a/AWS/SAST/DotNet_Sample/fortify_sast_fod_template.bash
+++ b/AWS/SAST/DotNet_Sample/fortify_sast_fod_template.bash
@@ -2,7 +2,7 @@
 # *** Configuration ***
-# Integrate Fortify On Demand Static AppSec Testing (SAST) into your AWS Codestar pipeline
+# Integrate Fortify On Demand Static AppSec Testing (SAST) into your AWS CodeBuild pipeline
 # Below Parameters must be defined in buildspec.yml
 # FOD_TENANT
 # FOD_USER
@@ -13,8 +13,8 @@ fod_url='https://ams.fortify.com'
 fod_api_url='https://api.ams.fortify.com/'
 fod_uploader_opts='-ep 2 -pp 0 -I 1 -apf'
-fod_notes="Triggered by AWS Codestar"
-scancentral_client_version='22.2.0'
+fod_notes="Triggered by AWS CodeBuild"
+scancentral_client_version='23.1.0'
 fod_uploader_version='5.4.0'
 fcli_version='v1.1.0'
 fcli_sha='5553766f0f771abdf27f4c6b6d38a34825a64aaa5d72cfd03c68d7e2f43a49a0'
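Review bot: `scancentral_client_version='23.1.0'` is raised while `fcli_version='v1.1.0'` and its `fcli_sha` stay pinned, yet it is that fcli binary which later runs `fcli tool sc-client install $scancentral_client_version`; if the pinned fcli release's built-in tool catalogue predates ScanCentral 23.1.0 the install may reject the version and the packaging step further down runs without a client. I cannot confirm the catalogue contents from the hunk, so verify that v1.1.0 can install 23.1.0, or bump `fcli_version` and recompute `fcli_sha` in the same change. The same pairing of a bumped client with an unchanged fcli pin appears in the Java, GCP Python and OCI templates later in this diff.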
@@ -52,7 +52,7 @@ fcli tool sc-client install $scancentral_client_version -d $scancentral_home
 fcli tool fodupload install $fod_uploader_version -d $fod_uploader_home
 # Generate Package for upload to Fortify on Demand
-zip -r package.zip .
+scancentral package -oss -o package.zip
 echo "INFO: start submitting scan"
diff --git a/AWS/SAST/DotNet_Sample/fortify_sast_scancentral_template.bash b/AWS/SAST/DotNet_Sample/fortify_sast_scancentral_template.bash
index 0c60a97..fed4fc0 100644
--- a/AWS/SAST/DotNet_Sample/fortify_sast_scancentral_template.bash
+++ b/AWS/SAST/DotNet_Sample/fortify_sast_scancentral_template.bash
@@ -1,5 +1,5 @@
 #!/bin/bash
-# Integrate Fortify ScanCentral Static AppSec Testing (SAST) into your AWS Codestar pipeline
+# Integrate Fortify ScanCentral Static AppSec Testing (SAST) into your AWS CodeBuild pipeline
 # *** Configuration ***
@@ -12,7 +12,7 @@ export FCLI_DEFAULT_SSC_URL=$FCLI_DEFAULT_SSC_URL
 ssc_app_version_id=$SSC_APP_VERSION_ID
 # Local variables (modify as needed)
-scancentral_client_version='22.2.0'
+scancentral_client_version='23.1.0'
 fcli_version='v1.1.0'
 fcli_sha='5553766f0f771abdf27f4c6b6d38a34825a64aaa5d72cfd03c68d7e2f43a49a0'
@@ -50,7 +50,7 @@ echo Setting connection with Fortify Platform
 fcli ssc session login
 fcli sc-sast session login
-scancentral package -bt none -o package.zip
+scancentral package -o package.zip
 fcli sc-sast scan start --appversion=$ssc_app_version_id --upload --sensor-version=$scancentral_client_version --package-file=package.zip --store='?'
 echo "INFO: Scan Submitted Successfully..."
@@ -60,4 +60,4 @@ fcli ssc appversion-vuln count --appversion=$SSC_APP_VERSION_ID
 echo Terminating connection with Fortify Platform
 fcli sc-sast session logout
-fcli ssc session logout
\ No newline at end of file
+fcli ssc session logout
diff --git a/AWS/SAST/Java_Sample/buildspec.yml b/AWS/SAST/Java_Sample/buildspec.yml
index 0526d6e..a3d2594 100644
--- a/AWS/SAST/Java_Sample/buildspec.yml
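Review bot: The new `scancentral package -oss -o package.zip` line in the DotNet FoD hunk at -52 has no exit-status check and no `set -e` is visible, so the script goes on to `echo "INFO: start submitting scan"` and the upload that follows the hunk even when packaging failed, submitting a missing or stale package.zip instead of failing the build. Guard it explicitly: `scancentral package -oss -o package.zip || { echo "ERROR: scancentral package failed" >&2; exit 1; }`. Two things can make that failure likely here: the client is installed into `$scancentral_home` on the context line above but invoked as bare `scancentral`, which presumably relies on PATH being set before this hunk, and dropping `-bt` leaves build-tool detection to the 23.1.0 client, which I cannot confirm handles this .NET project. The same unguarded packaging line appears in the DotNet sc-sast hunk at -50 and in the Java, GCP and OCI templates later in this diff.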
+++ b/AWS/SAST/Java_Sample/buildspec.yml
@@ -31,7 +31,7 @@ phases:
 - mvn package
 post_build:
 commands:
- # Do not remove this statement. This command is required for AWS CodeStar projects.
+ # Do not remove this statement. This command is required for AWS CodeBuild projects.
 # Update the AWS Partition, AWS Region, account ID and project ID in the project ARN in template-configuration.json file so AWS CloudFormation can tag project resources.
 - sed -i.bak 's/\$PARTITION\$/'${PARTITION}'/g;s/\$AWS_REGION\$/'${AWS_REGION}'/g;s/\$ACCOUNT_ID\$/'${ACCOUNT_ID}'/g;s/\$PROJECT_ID\$/'${PROJECT_ID}'/g' template-configuration.json
 ###################################################
diff --git a/AWS/SAST/Java_Sample/fortify_sast_fod_template.bash b/AWS/SAST/Java_Sample/fortify_sast_fod_template.bash
index 5d095e0..49fe825 100644
--- a/AWS/SAST/Java_Sample/fortify_sast_fod_template.bash
+++ b/AWS/SAST/Java_Sample/fortify_sast_fod_template.bash
@@ -1,7 +1,7 @@
 #!/bin/bash
 # *** Configuration ***
-# Integrate Fortify On Demand Static AppSec Testing (SAST) into your AWS Codestar pipeline
+# Integrate Fortify On Demand Static AppSec Testing (SAST) into your AWS CodeBuild pipeline
 # Below Parameters must be defined in buildspec.yml
 # FOD_TENANT
 # FOD_USER
@@ -12,8 +12,8 @@ fod_url='https://ams.fortify.com'
 fod_api_url='https://api.ams.fortify.com/'
 fod_uploader_opts='-ep 2 -pp 0 -I 1 -apf'
-fod_notes="Triggered by OCI DevOps"
-scancentral_client_version='22.2.0'
+fod_notes="Triggered by AWS CodeBuild"
+scancentral_client_version='23.1.0'
 fod_uploader_version='5.4.0'
 fcli_version='v1.1.0'
 fcli_sha='5553766f0f771abdf27f4c6b6d38a34825a64aaa5d72cfd03c68d7e2f43a49a0'
@@ -51,7 +51,7 @@ fcli tool sc-client install $scancentral_client_version -d $scancentral_home
 fcli tool fodupload install $fod_uploader_version -d $fod_uploader_home
 # Generate Java Package for upload to Fortify on Demand
-scancentral package -bt mvn -oss -o package.zip
+scancentral package -oss -o package.zip
 echo "INFO: start submitting scan"
 FoDUpload -z package.zip -aurl $fod_api_url -purl $fod_url -rid ${FOD_RELEASE_ID} -tc ${FOD_TENANT} -uc ${FOD_USER} ${FOD_PWD} $fod_uploader_opts -n "$fod_notes"
diff --git a/AWS/SAST/Java_Sample/fortify_sast_local_java_template.bash b/AWS/SAST/Java_Sample/fortify_sast_local_java_template.bash
index 9777543..e4864a2 100644
--- a/AWS/SAST/Java_Sample/fortify_sast_local_java_template.bash
+++ b/AWS/SAST/Java_Sample/fortify_sast_local_java_template.bash
@@ -12,12 +12,12 @@ app_version_id="<>" # application version id from SSC
 pull_result_from_ssc=true
 #Parameters to configure installable
-fortify_install="Fortify_SCA_and_Apps_21.1.1_linux_x64.run" # installer file name, this may change based on version of installer.
+fortify_install="Fortify_SCA_and_Apps_23.1.0_linux_x64.run" # installer file name, this may change based on version of installer.
 fortify_license="fortify.license" #SAST license file name
 #Parameter for AWS S3 bucket
 s3_storage_required=true
-s3_bucket="<>" #S3 bucket URL i.e. s3://aws-codestar-us-east-1********
+s3_bucket="<>" #S3 bucket URL i.e. s3://aws-codebuild-us-east-1********
 #End of Parameters Section
 #Download required files, please ensure the URL is available
@@ -40,7 +40,7 @@ chmod +x "$fortify_install"
 # End of Download
 #Installation of SCA
-install_dir="/opt/Fortify/Fortify_SCA_and_Apps_21.1.1"
+install_dir="/opt/Fortify/Fortify_SCA_and_Apps_23.1.0"
 ./$fortify_install --fortify_license_path ./$fortify_license --mode unattended --installdir $install_dir/
 e=$? # return code last command
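Review bot: `install_dir="/opt/Fortify/Fortify_SCA_and_Apps_23.1.0"` in the local Java template hunk at -40 repeats the version already encoded in `fortify_install` from the hunk at -12, so the two strings must be bumped in lockstep and silently drift apart if one is missed; derive it instead, e.g. `install_dir="/opt/Fortify/${fortify_install%_linux_x64.run}"`. The installer named by `fortify_install` is then executed unattended via `./$fortify_install` with no integrity check visible in the hunk, in contrast to fcli, which this same change set keeps pinned by `fcli_sha`; if the download step before `chmod +x "$fortify_install"` does not already verify a digest, add a `sha256sum -c` against a known-good checksum before running it. The download and install sequence starts before this hunk, so I cannot see whether such a check exists.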
diff --git a/AWS/SAST/Java_Sample/fortify_sast_scancentral_template.bash b/AWS/SAST/Java_Sample/fortify_sast_scancentral_template.bash
index d2475e9..916df95 100644
--- a/AWS/SAST/Java_Sample/fortify_sast_scancentral_template.bash
+++ b/AWS/SAST/Java_Sample/fortify_sast_scancentral_template.bash
@@ -1,5 +1,5 @@
 #!/bin/bash
-# Integrate Fortify ScanCentral Static AppSec Testing (SAST) into your AWS Codestar pipeline
+# Integrate Fortify ScanCentral Static AppSec Testing (SAST) into your AWS CodeBuild pipeline
 # *** Configuration ***
 # The following variables must be defined in buildspect.yml
@@ -11,7 +11,7 @@ export FCLI_DEFAULT_SSC_URL=$FCLI_DEFAULT_SSC_URL
 ssc_app_version_id=$SSC_APP_VERSION_ID
 # Local variables (modify as needed)
-scancentral_client_version='22.2.0'
+scancentral_client_version='23.1.0'
 fcli_version='v1.1.0'
 fcli_sha='5553766f0f771abdf27f4c6b6d38a34825a64aaa5d72cfd03c68d7e2f43a49a0'
@@ -49,7 +49,7 @@ echo Setting connection with Fortify Platform
 fcli ssc session login
 fcli sc-sast session login
-scancentral package -bt mvn -o package.zip
+scancentral package -o package.zip
 fcli sc-sast scan start --appversion=$ssc_app_version_id --upload --sensor-version=$scancentral_client_version --package-file=package.zip --store='?'
 echo "INFO: Scan Submitted Successfully..."
@@ -59,4 +59,4 @@ fcli ssc appversion-vuln count --appversion=$SSC_APP_VERSION_ID
 echo Terminating connection with Fortify Platform
 fcli sc-sast session logout
-fcli ssc session logout
\ No newline at end of file
+fcli ssc session logout
diff --git a/GCP/SAST/Java_Sample_With_FortifyCITools/cloudbuild_fortify_sast_fod.yaml b/GCP/SAST/Java_Sample_With_FortifyCITools/cloudbuild_fortify_sast_fod.yaml
index 7726409..bea6ef1 100644
--- a/GCP/SAST/Java_Sample_With_FortifyCITools/cloudbuild_fortify_sast_fod.yaml
+++ b/GCP/SAST/Java_Sample_With_FortifyCITools/cloudbuild_fortify_sast_fod.yaml
@@ -10,7 +10,7 @@
 args:
 - -c
 - |
- scancentral package -bt mvn -oss -o package.zip
+ scancentral package -oss -o package.zip
 FoDUpload -z package.zip -aurl $$FOD_API_URL -purl $$FOD_URL -rid $$FOD_RELEASE_ID -tc $$FOD_TENANT -uc $$FOD_USER $$FOD_PAT $$FOD_UPLOADER_OPTS -n "$$FOD_NOTES"
 secretEnv: ['FOD_RELEASE_ID', 'FOD_USER', 'FOD_PAT', 'FOD_TENANT']
 env:
@@ -28,4 +28,4 @@ availableSecrets:
 - versionName: projects/$PROJECT_ID/secrets/fod_pat/versions/latest
 env: 'FOD_PAT'
 - versionName: projects/$PROJECT_ID/secrets/fod_tenant/versions/latest
- env: 'FOD_TENANT'
\ No newline at end of file
+ env: 'FOD_TENANT'
diff --git a/GCP/SAST/Java_Sample_With_FortifyCITools/cloudbuild_fortify_sast_scancentral.yaml b/GCP/SAST/Java_Sample_With_FortifyCITools/cloudbuild_fortify_sast_scancentral.yaml
index d7abd7d..b0c90ff 100644
--- a/GCP/SAST/Java_Sample_With_FortifyCITools/cloudbuild_fortify_sast_scancentral.yaml
+++ b/GCP/SAST/Java_Sample_With_FortifyCITools/cloudbuild_fortify_sast_scancentral.yaml
@@ -32,5 +32,5 @@ steps:
 env:
 - 'FORTIFY_IP=${_PUBLIC_IP}'
 - 'SSC_APP_VERSION_ID=${_SSC_APP_VERSION_ID}'
- - 'SC_SAST_SENSOR_VERSION=22.2'
- id: 'fortify-static-scan'
\ No newline at end of file
+ - 'SC_SAST_SENSOR_VERSION=23.1'
+ id: 'fortify-static-scan'
diff --git a/GCP/SAST/Python_Sample/cloudbuild.yaml b/GCP/SAST/Python_Sample/cloudbuild.yaml
index 279d434..60efb0d 100644
--- a/GCP/SAST/Python_Sample/cloudbuild.yaml
+++ b/GCP/SAST/Python_Sample/cloudbuild.yaml
@@ -31,9 +31,9 @@ steps:
 secretEnv: ['FOD_RELEASE_ID', 'FOD_USER', 'FOD_PAT', 'FOD_TENANT', 'FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN', 'FCLI_DEFAULT_SSC_USER', 'FCLI_DEFAULT_SSC_PASSWORD', 'FCLI_DEFAULT_SSC_CI_TOKEN', 'FCLI_DEFAULT_SSC_URL']
 env:
 - 'SSC_APP_VERSION_ID=${_SSC_APP_VERSION_ID}'
- - 'SC_SAST_SENSOR_VERSION=22.2'
+ - 'SC_SAST_SENSOR_VERSION=23.1'
 - 'FOD_URL=https://ams.fortify.com'
 - 'FOD_API_URL=https://api.ams.fortify.com'
 - 'FOD_UPLOADER_OPTS=-ep 2 -pp 0 -I 1 -apf'
 - 'FOD_NOTES=Triggered by GCP Pipeline'
-timeout: 2400s
\ No newline at end of file
+timeout: 2400s
diff --git a/GCP/SAST/Python_Sample/fortify_sast_fod_template.bash b/GCP/SAST/Python_Sample/fortify_sast_fod_template.bash
index 9c39da1..158dc2b 100644
--- a/GCP/SAST/Python_Sample/fortify_sast_fod_template.bash
+++ b/GCP/SAST/Python_Sample/fortify_sast_fod_template.bash
@@ -13,7 +13,7 @@ fod_url='https://ams.fortify.com'
 fod_api_url='https://api.ams.fortify.com/'
 fod_uploader_opts='-ep 2 -pp 0 -I 1 -apf'
 fod_notes="Triggered by GCP CloudBuild"
-scancentral_client_version='22.2.0'
+scancentral_client_version='23.1.0'
 fod_uploader_version='5.4.0'
 fcli_version='v1.1.0'
 fcli_sha='5553766f0f771abdf27f4c6b6d38a34825a64aaa5d72cfd03c68d7e2f43a49a0'
@@ -49,10 +49,10 @@ fcli tool sc-client install $scancentral_client_version -d $scancentral_home
 fcli tool fodupload install $fod_uploader_version -d $fod_uploader_home
 # Generate Java Package for upload to Fortify on Demand
-scancentral package -o package.zip --build-tool none --python-requirements requirements.txt
+scancentral package -o package.zip --python-requirements requirements.txt
 echo "INFO: start submitting scan"
 FoDUpload -z package.zip -aurl $fod_api_url -purl $fod_url -rid ${FOD_RELEASE_ID} -tc ${FOD_TENANT} -uc ${FOD_USER} ${FOD_PWD} $fod_uploader_opts -n "$fod_notes"
-echo "INFO: Scan Submitted Successfully..."
\ No newline at end of file
+echo "INFO: Scan Submitted Successfully..."
diff --git a/GCP/SAST/Python_Sample/fortify_sast_scancentral_template.bash b/GCP/SAST/Python_Sample/fortify_sast_scancentral_template.bash
index 02b01de..d54f8c3 100644
--- a/GCP/SAST/Python_Sample/fortify_sast_scancentral_template.bash
+++ b/GCP/SAST/Python_Sample/fortify_sast_scancentral_template.bash
@@ -11,7 +11,7 @@ export FCLI_DEFAULT_SSC_URL=$FCLI_DEFAULT_SSC_URL
 ssc_app_version_id=$SSC_APP_VERSION_ID
 # Local variables (modify as needed)
-scancentral_client_version='22.2.0'
+scancentral_client_version='23.1.0'
 fcli_version='v1.1.0'
 fcli_sha='5553766f0f771abdf27f4c6b6d38a34825a64aaa5d72cfd03c68d7e2f43a49a0'
@@ -49,7 +49,7 @@ echo Setting connection with Fortify Platform
 fcli ssc session login
 fcli sc-sast session login
-scancentral package -bt none -o package.zip --python-requirements requirements.txt
+scancentral package -o package.zip --python-requirements requirements.txt
 fcli sc-sast scan start --appversion=$ssc_app_version_id --upload --sensor-version=$scancentral_client_version --package-file=package.zip --store='?'
 echo "INFO: Scan Submitted Successfully..."
@@ -59,4 +59,4 @@ fcli ssc appversion-vuln count --appversion=$SSC_APP_VERSION_ID
 echo Terminating connection with Fortify Platform
 fcli sc-sast session logout
-fcli ssc session logout
\ No newline at end of file
+fcli ssc session logout
diff --git a/OCI/SAST/Java_App/fortify-sast-fod.bash b/OCI/SAST/Java_App/fortify-sast-fod.bash
index 0b8bb68..47eb33e 100644
--- a/OCI/SAST/Java_App/fortify-sast-fod.bash
+++ b/OCI/SAST/Java_App/fortify-sast-fod.bash
@@ -14,7 +14,7 @@ fod_url='https://ams.fortify.com'
 fod_api_url='https://api.ams.fortify.com/'
 fod_uploader_opts='-ep 2 -pp 0 -I 1 -apf'
 fod_notes="Triggered by OCI DevOps"
-scancentral_client_version='22.2.0'
+scancentral_client_version='23.1.0'
 fod_uploader_version='5.4.0'
 fcli_version='v1.1.0'
 fcli_sha='5553766f0f771abdf27f4c6b6d38a34825a64aaa5d72cfd03c68d7e2f43a49a0'
@@ -51,7 +51,7 @@ fcli tool sc-client install $scancentral_client_version -d $scancentral_home
 fcli tool fodupload install $fod_uploader_version -d $fod_uploader_home
 # Generate Java Package for upload to Fortify on Demand
-scancentral package -bt mvn -oss -o package.zip
+scancentral package -oss -o package.zip
 echo 'start submitting scan'
 FoDUpload -z package.zip -aurl $fod_api_url -purl $fod_url -rid ${FOD_RELEASE_ID} -tc ${FOD_TENANT} -uc ${FOD_USER} ${FOD_PWD} $fod_uploader_opts -n "$fod_notes"
diff --git a/OCI/SAST/Java_App/fortify_sast_scancentral.bash b/OCI/SAST/Java_App/fortify_sast_scancentral.bash
index e3899bd..9ebeea9 100644
--- a/OCI/SAST/Java_App/fortify_sast_scancentral.bash
+++ b/OCI/SAST/Java_App/fortify_sast_scancentral.bash
@@ -12,7 +12,7 @@
 # SSC_APP_VERSION_ID
 # Local variables (modify as needed)
-scancentral_client_version='22.2.0'
+scancentral_client_version='23.1.0'
 fcli_version='v1.1.0'
 fcli_sha='5553766f0f771abdf27f4c6b6d38a34825a64aaa5d72cfd03c68d7e2f43a49a0'
@@ -58,4 +58,4 @@ fcli ssc appversion-vuln count --appversion=${SSC_APP_VERSION_ID}
 echo Terminating connection with Fortify Platform
 fcli sc-sast session logout
-fcli ssc session logout
\ No newline at end of file
+fcli ssc session logout
diff --git a/README.md b/README.md
index 33529d0..3ca2298 100644
--- a/README.md
+++ b/README.md
@@ -13,7 +13,7 @@ Modern software delivery is synonymous with DevSecOps, meanwhile Software portfolios are in the midst of Cloud Transformation spanning cloud native, to lift-and-shift, and everything in between. Security must keep pace with the ‘everything-as-code’ era to transition from point of friction to enablement, without sacrificing quality. Fortify offers end-to-end application security solutions with the flexibility of testing on-premises and on-demand to scale and cover the entire software development lifecycle. Fortify integrates into your existing development toolchain seamlessly, giving you the highest quality findings and remediation advice during every stage, creating more secure software. With Fortify, you don’t need to trade quality of results for speed.
-This project provides developers a collection of reference templates and implementations to enable seamless integration of Fortify tools with cloud native development. The entire project consist of pipeline as code and automated scripts to help integrate Foritfy in different public cloud providers such as Azure DevOps, AWS CodeStar, Google Cloud Platform and Oracle Cloud Infrastructure. In order to support developers and application security teams, we have created a templates which could help integrate Fortify static application security testing (SAST) and dynamic application security testing (DAST) into CI/CD pipelines faster and helps applications onboard faster.
+This project provides developers a collection of reference templates and implementations to enable seamless integration of Fortify tools with cloud native development. The entire project consist of pipeline as code and automated scripts to help integrate Foritfy in different public cloud providers such as Azure DevOps, AWS CodeBuild, Google Cloud Platform and Oracle Cloud Infrastructure.
In order to support developers and application security teams, we have created a templates which could help integrate Fortify static application security testing (SAST) and dynamic application security testing (DAST) into CI/CD pipelines faster and helps applications onboard faster.