From a3266bd7ae7fa46d2072553de182d2af2e8ca33c Mon Sep 17 00:00:00 2001 From: Dylan Date: Fri, 22 Sep 2023 08:36:48 -0400 Subject: [PATCH 01/23] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 33529d0..3ca2298 100644 --- a/README.md +++ b/README.md 
@@ -13,7 +13,7 @@ Modern software delivery is synonymous with DevSecOps, meanwhile Software portfolios are in the midst of Cloud Transformation spanning cloud native, to lift-and-shift, and everything in between. Security must keep pace with the ‘everything-as-code’ era to transition from point of friction to enablement, without sacrificing quality. Fortify offers end-to-end application security solutions with the flexibility of testing on-premises and on-demand to scale and cover the entire software development lifecycle. Fortify integrates into your existing development toolchain seamlessly, giving you the highest quality findings and remediation advice during every stage, creating more secure software. With Fortify, you don’t need to trade quality of results for speed. -This project provides developers a collection of reference templates and implementations to enable seamless integration of Fortify tools with cloud native development. The entire project consist of pipeline as code and automated scripts to help integrate Foritfy in different public cloud providers such as Azure DevOps, AWS CodeStar, Google Cloud Platform and Oracle Cloud Infrastructure. In order to support developers and application security teams, we have created a templates which could help integrate Fortify static application security testing (SAST) and dynamic application security testing (DAST) into CI/CD pipelines faster and helps applications onboard faster. +This project provides developers a collection of reference templates and implementations to enable seamless integration of Fortify tools with cloud native development. The entire project consist of pipeline as code and automated scripts to help integrate Foritfy in different public cloud providers such as Azure DevOps, AWS CodeBuild, Google Cloud Platform and Oracle Cloud Infrastructure. 
In order to support developers and application security teams, we have created a templates which could help integrate Fortify static application security testing (SAST) and dynamic application security testing (DAST) into CI/CD pipelines faster and helps applications onboard faster. From ab3101f24c67ef67a1216b7fd0a5748996ab35c6 Mon Sep 17 00:00:00 2001 From: Dylan Date: Fri, 22 Sep 2023 08:39:27 -0400 Subject: [PATCH 02/23] Update README.md --- AWS/README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/AWS/README.md b/AWS/README.md index a3f2531..d20cdc1 100644 --- a/AWS/README.md +++ b/AWS/README.md @@ -1,6 +1,5 @@ # AWS Templates -AWS templates will help onboard applications with application security integration. Fortify platform support AWS Codestar services so DevOps teams will be able to directly leverage these templates as part of pipeline automation. AWS CodeStar service supports Continious Delivery using their own defined YML files during build and release. - +AWS templates will help onboard applications with application security integration. Fortify platform support AWS CodeBuild services so DevOps teams will be able to directly leverage these templates as part of pipeline automation. AWS CodeBuild service supports Continious Delivery using their own defined YML files during build and release. 1. BuildSpec.yml : This template used to build and generate artifacts using AWS managed services. It depicts the CI process in DevSecOps framework. From 0f36c0a73da97090f453983313430dd4e35cefb4 Mon Sep 17 00:00:00 2001 From: Dylan Date: Fri, 22 Sep 2023 08:39:56 -0400 Subject: [PATCH 03/23] Update README.md --- AWS/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/AWS/README.md b/AWS/README.md index d20cdc1..b778bd0 100644 --- a/AWS/README.md +++ b/AWS/README.md 
@@ -6,7 +6,7 @@ AWS templates will help onboard applications with application security integrati 2. AppSpec.yml : This template used to deploy the artifacts generated by the CI process. It depicts the CD process in DevSecOps framework. -## Integrating Fortify with AWS CodeStar +## Integrating Fortify with AWS CodeBuild Integrating Fortify with CI process is fairly simple pull and push switch using the templates given in the above folders. Fortify can be integrated using below steps. 1. Identify your Fortify solution (Fortify on-premises or Fortify on Demand) From c49673b6fe8ce3101674bcce43e9df2d5f45e857 Mon Sep 17 00:00:00 2001 From: Dylan Date: Fri, 22 Sep 2023 08:43:29 -0400 Subject: [PATCH 04/23] Update fortify_sast_local_java_template.bash Update AWS nomenclature, SCA version --- AWS/SAST/Java_Sample/fortify_sast_local_java_template.bash | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/AWS/SAST/Java_Sample/fortify_sast_local_java_template.bash b/AWS/SAST/Java_Sample/fortify_sast_local_java_template.bash index 9777543..1246074 100644 --- a/AWS/SAST/Java_Sample/fortify_sast_local_java_template.bash +++ b/AWS/SAST/Java_Sample/fortify_sast_local_java_template.bash @@ -17,7 +17,7 @@ fortify_license="fortify.license" #SAST license file name #Parameter for AWS S3 bucket s3_storage_required=true -s3_bucket="<>" #S3 bucket URL i.e. s3://aws-codestar-us-east-1******** +s3_bucket="<>" #S3 bucket URL i.e. s3://aws-codebuild-us-east-1******** #End of Parameters Section #Download required files, please ensure the URL is available @@ -40,7 +40,7 @@ chmod +x "$fortify_install" # End of Download #Installation of SCA -install_dir="/opt/Fortify/Fortify_SCA_and_Apps_21.1.1" +install_dir="/opt/Fortify/Fortify_SCA_and_Apps_23.1.0" ./$fortify_install --fortify_license_path ./$fortify_license --mode unattended --installdir $install_dir/ e=$? # return code last command From a019bdfa383ac2af0487b82900efa800cb190cfb Mon Sep 17 00:00:00 2001 
From: Dylan Date: Fri, 22 Sep 2023 08:44:07 -0400 Subject: [PATCH 05/23] Update fortify_sast_local_java_template.bash --- AWS/SAST/Java_Sample/fortify_sast_local_java_template.bash | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/AWS/SAST/Java_Sample/fortify_sast_local_java_template.bash b/AWS/SAST/Java_Sample/fortify_sast_local_java_template.bash index 1246074..e4864a2 100644 --- a/AWS/SAST/Java_Sample/fortify_sast_local_java_template.bash +++ b/AWS/SAST/Java_Sample/fortify_sast_local_java_template.bash @@ -12,7 +12,7 @@ app_version_id="<>" # application version id from SSC pull_result_from_ssc=true #Parameters to configure installable -fortify_install="Fortify_SCA_and_Apps_21.1.1_linux_x64.run" # installer file name, this may change based on version of installer. +fortify_install="Fortify_SCA_and_Apps_23.1.0_linux_x64.run" # installer file name, this may change based on version of installer. fortify_license="fortify.license" #SAST license file name #Parameter for AWS S3 bucket From d0dce0f4c4e3cfdafa3c49b49a1c7009611ce49d Mon Sep 17 00:00:00 2001 From: Dylan Date: Fri, 22 Sep 2023 08:45:08 -0400 Subject: [PATCH 06/23] Update fortify_sast_scancentral_template.bash --- AWS/SAST/Java_Sample/fortify_sast_scancentral_template.bash | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/AWS/SAST/Java_Sample/fortify_sast_scancentral_template.bash b/AWS/SAST/Java_Sample/fortify_sast_scancentral_template.bash index d2475e9..9ab3a4d 100644 --- a/AWS/SAST/Java_Sample/fortify_sast_scancentral_template.bash +++ b/AWS/SAST/Java_Sample/fortify_sast_scancentral_template.bash @@ -11,7 +11,7 @@ export FCLI_DEFAULT_SSC_URL=$FCLI_DEFAULT_SSC_URL ssc_app_version_id=$SSC_APP_VERSION_ID # Local variables (modify as needed) -scancentral_client_version='22.2.0' +scancentral_client_version='23.1.0' fcli_version='v1.1.0' fcli_sha='5553766f0f771abdf27f4c6b6d38a34825a64aaa5d72cfd03c68d7e2f43a49a0' 
@@ -49,7 +49,7 @@ echo Setting connection with Fortify Platform fcli ssc session login fcli sc-sast session login -scancentral package -bt mvn -o package.zip +scancentral package -o package.zip fcli sc-sast scan start --appversion=$ssc_app_version_id --upload --sensor-version=$scancentral_client_version --package-file=package.zip --store='?' echo "INFO: Scan Submitted Successfully..." @@ -59,4 +59,4 @@ fcli ssc appversion-vuln count --appversion=$SSC_APP_VERSION_ID echo Terminating connection with Fortify Platform fcli sc-sast session logout -fcli ssc session logout \ No newline at end of file +fcli ssc session logout From d4889871b528ac75f77310521fc1834c1ad97009 Mon Sep 17 00:00:00 2001 From: Dylan Date: Fri, 22 Sep 2023 08:45:52 -0400 Subject: [PATCH 07/23] Update fortify_sast_fod_template.bash --- AWS/SAST/Java_Sample/fortify_sast_fod_template.bash | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/AWS/SAST/Java_Sample/fortify_sast_fod_template.bash b/AWS/SAST/Java_Sample/fortify_sast_fod_template.bash index 5d095e0..68ba302 100644 --- a/AWS/SAST/Java_Sample/fortify_sast_fod_template.bash +++ b/AWS/SAST/Java_Sample/fortify_sast_fod_template.bash @@ -1,7 +1,7 @@ #!/bin/bash # *** Configuration *** -# Integrate Fortify On Demand Static AppSec Testing (SAST) into your AWS Codestar pipeline +# Integrate Fortify On Demand Static AppSec Testing (SAST) into your AWS CodeBuild pipeline # Below Parameters must be defined in buildspec.yml # FOD_TENANT # FOD_USER @@ -13,7 +13,7 @@ fod_url='https://ams.fortify.com' fod_api_url='https://api.ams.fortify.com/' fod_uploader_opts='-ep 2 -pp 0 -I 1 -apf' fod_notes="Triggered by OCI DevOps" -scancentral_client_version='22.2.0' +scancentral_client_version='23.1.0' fod_uploader_version='5.4.0' fcli_version='v1.1.0' fcli_sha='5553766f0f771abdf27f4c6b6d38a34825a64aaa5d72cfd03c68d7e2f43a49a0' From 315375d2bfd97b7301f118d19fd9b938f0d51ebd Mon Sep 17 00:00:00 2001 
From: Dylan Date: Fri, 22 Sep 2023 08:46:16 -0400 Subject: [PATCH 08/23] Update fortify_sast_scancentral_template.bash --- AWS/SAST/Java_Sample/fortify_sast_scancentral_template.bash | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/AWS/SAST/Java_Sample/fortify_sast_scancentral_template.bash b/AWS/SAST/Java_Sample/fortify_sast_scancentral_template.bash index 9ab3a4d..916df95 100644 --- a/AWS/SAST/Java_Sample/fortify_sast_scancentral_template.bash +++ b/AWS/SAST/Java_Sample/fortify_sast_scancentral_template.bash @@ -1,5 +1,5 @@ #!/bin/bash -# Integrate Fortify ScanCentral Static AppSec Testing (SAST) into your AWS Codestar pipeline +# Integrate Fortify ScanCentral Static AppSec Testing (SAST) into your AWS CodeBuild pipeline # *** Configuration *** # The following variables must be defined in buildspect.yml From d01cf76fe6879d387a30f887f52081cc0e5d6b29 Mon Sep 17 00:00:00 2001 From: Dylan Date: Fri, 22 Sep 2023 08:46:48 -0400 Subject: [PATCH 09/23] Update buildspec.yml --- AWS/SAST/Java_Sample/buildspec.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/AWS/SAST/Java_Sample/buildspec.yml b/AWS/SAST/Java_Sample/buildspec.yml index 0526d6e..a3d2594 100644 --- a/AWS/SAST/Java_Sample/buildspec.yml +++ b/AWS/SAST/Java_Sample/buildspec.yml @@ -31,7 +31,7 @@ phases: - mvn package post_build: commands: - # Do not remove this statement. This command is required for AWS CodeStar projects. + # Do not remove this statement. This command is required for AWS CodeBuild projects. # Update the AWS Partition, AWS Region, account ID and project ID in the project ARN in template-configuration.json file so AWS CloudFormation can tag project resources. - sed -i.bak 's/\$PARTITION\$/'${PARTITION}'/g;s/\$AWS_REGION\$/'${AWS_REGION}'/g;s/\$ACCOUNT_ID\$/'${ACCOUNT_ID}'/g;s/\$PROJECT_ID\$/'${PROJECT_ID}'/g' template-configuration.json ################################################### From ade0b41d6dc60017af8b09342118979e99e6ccda Mon Sep 17 00:00:00 2001 
From: Dylan Date: Fri, 22 Sep 2023 08:47:09 -0400 Subject: [PATCH 10/23] Update buildspec.yml --- AWS/SAST/DotNet_Sample/buildspec.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/AWS/SAST/DotNet_Sample/buildspec.yml b/AWS/SAST/DotNet_Sample/buildspec.yml index e34d558..4d37c33 100644 --- a/AWS/SAST/DotNet_Sample/buildspec.yml +++ b/AWS/SAST/DotNet_Sample/buildspec.yml @@ -30,7 +30,7 @@ phases: # - dotnet vstest AspNetCoreWebApplicationTest/bin/release/netcoreapp3.1/AspNetCoreWebApplicationTest.dll post_build: commands: - # Do not remove this statement. This command is required for AWS CodeStar projects. + # Do not remove this statement. This command is required for AWS CodeBuild projects. # Update the AWS Partition, AWS Region, account ID and project ID in the project ARN in template-configuration.json file so AWS CloudFormation can tag project resources. - sed -i.bak 's/\$PARTITION\$/'${PARTITION}'/g;s/\$AWS_REGION\$/'${AWS_REGION}'/g;s/\$ACCOUNT_ID\$/'${ACCOUNT_ID}'/g;s/\$PROJECT_ID\$/'${PROJECT_ID}'/g' template-configuration.json ################################################### From 6b2e022ea8a68cf54c4f92efe3053131c36c74a1 Mon Sep 17 00:00:00 2001 From: Dylan Date: Fri, 22 Sep 2023 08:49:44 -0400 Subject: [PATCH 11/23] Update fortify_sast_fod_template.bash --- AWS/SAST/DotNet_Sample/fortify_sast_fod_template.bash | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/AWS/SAST/DotNet_Sample/fortify_sast_fod_template.bash b/AWS/SAST/DotNet_Sample/fortify_sast_fod_template.bash index f575bb7..be9a4fb 100644 --- a/AWS/SAST/DotNet_Sample/fortify_sast_fod_template.bash +++ b/AWS/SAST/DotNet_Sample/fortify_sast_fod_template.bash @@ -2,7 +2,7 @@ # *** Configuration *** -# Integrate Fortify On Demand Static AppSec Testing (SAST) into your AWS Codestar pipeline +# Integrate Fortify On Demand Static AppSec Testing (SAST) into your AWS CodeBuild pipeline # Below Parameters must be defined in buildspec.yml # FOD_TENANT # FOD_USER 
@@ -13,8 +13,8 @@ fod_url='https://ams.fortify.com' fod_api_url='https://api.ams.fortify.com/' fod_uploader_opts='-ep 2 -pp 0 -I 1 -apf' -fod_notes="Triggered by AWS Codestar" -scancentral_client_version='22.2.0' +fod_notes="Triggered by AWS CodeBuild" +scancentral_client_version='23.1.0' fod_uploader_version='5.4.0' fcli_version='v1.1.0' fcli_sha='5553766f0f771abdf27f4c6b6d38a34825a64aaa5d72cfd03c68d7e2f43a49a0' @@ -52,7 +52,7 @@ fcli tool sc-client install $scancentral_client_version -d $scancentral_home fcli tool fodupload install $fod_uploader_version -d $fod_uploader_home # Generate Package for upload to Fortify on Demand -zip -r package.zip . +scancentral package -oss-o package.zip echo "INFO: start submitting scan" From ada8aff3ccb974647765a2795f9056fc7e2be40d Mon Sep 17 00:00:00 2001 From: Dylan Date: Fri, 22 Sep 2023 08:50:45 -0400 Subject: [PATCH 12/23] Update fortify_sast_scancentral_template.bash --- .../DotNet_Sample/fortify_sast_scancentral_template.bash | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/AWS/SAST/DotNet_Sample/fortify_sast_scancentral_template.bash b/AWS/SAST/DotNet_Sample/fortify_sast_scancentral_template.bash index 0c60a97..fed4fc0 100644 --- a/AWS/SAST/DotNet_Sample/fortify_sast_scancentral_template.bash +++ b/AWS/SAST/DotNet_Sample/fortify_sast_scancentral_template.bash @@ -1,5 +1,5 @@ #!/bin/bash -# Integrate Fortify ScanCentral Static AppSec Testing (SAST) into your AWS Codestar pipeline +# Integrate Fortify ScanCentral Static AppSec Testing (SAST) into your AWS CodeBuild pipeline # *** Configuration *** @@ -12,7 +12,7 @@ export FCLI_DEFAULT_SSC_URL=$FCLI_DEFAULT_SSC_URL ssc_app_version_id=$SSC_APP_VERSION_ID # Local variables (modify as needed) -scancentral_client_version='22.2.0' +scancentral_client_version='23.1.0' fcli_version='v1.1.0' fcli_sha='5553766f0f771abdf27f4c6b6d38a34825a64aaa5d72cfd03c68d7e2f43a49a0' 
@@ -50,7 +50,7 @@ echo Setting connection with Fortify Platform fcli ssc session login fcli sc-sast session login -scancentral package -bt none -o package.zip +scancentral package -o package.zip fcli sc-sast scan start --appversion=$ssc_app_version_id --upload --sensor-version=$scancentral_client_version --package-file=package.zip --store='?' echo "INFO: Scan Submitted Successfully..." @@ -60,4 +60,4 @@ fcli ssc appversion-vuln count --appversion=$SSC_APP_VERSION_ID echo Terminating connection with Fortify Platform fcli sc-sast session logout -fcli ssc session logout \ No newline at end of file +fcli ssc session logout From 80830af47809828bd6f5f4b39c14f99ff80906bc Mon Sep 17 00:00:00 2001 From: Dylan Date: Fri, 22 Sep 2023 08:51:33 -0400 Subject: [PATCH 13/23] Update fortify_sast_fod_template.bash --- AWS/SAST/Java_Sample/fortify_sast_fod_template.bash | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/AWS/SAST/Java_Sample/fortify_sast_fod_template.bash b/AWS/SAST/Java_Sample/fortify_sast_fod_template.bash index 68ba302..49fe825 100644 --- a/AWS/SAST/Java_Sample/fortify_sast_fod_template.bash +++ b/AWS/SAST/Java_Sample/fortify_sast_fod_template.bash @@ -12,7 +12,7 @@ fod_url='https://ams.fortify.com' fod_api_url='https://api.ams.fortify.com/' fod_uploader_opts='-ep 2 -pp 0 -I 1 -apf' -fod_notes="Triggered by OCI DevOps" +fod_notes="Triggered by AWS CodeBuild" scancentral_client_version='23.1.0' fod_uploader_version='5.4.0' fcli_version='v1.1.0' @@ -51,7 +51,7 @@ fcli tool sc-client install $scancentral_client_version -d $scancentral_home fcli tool fodupload install $fod_uploader_version -d $fod_uploader_home # Generate Java Package for upload to Fortify on Demand -scancentral package -bt mvn -oss -o package.zip +scancentral package -oss -o package.zip echo "INFO: start submitting scan" FoDUpload -z package.zip -aurl $fod_api_url -purl $fod_url -rid ${FOD_RELEASE_ID} -tc ${FOD_TENANT} -uc ${FOD_USER} ${FOD_PWD} $fod_uploader_opts -n "$fod_notes" 
From ebb0f6e6fe6361da4cb9827f181af736f12e9a46 Mon Sep 17 00:00:00 2001 From: Dylan Date: Fri, 22 Sep 2023 08:52:08 -0400 Subject: [PATCH 14/23] Update fortify_sast_fod_template.bash --- AWS/SAST/DotNet_Sample/fortify_sast_fod_template.bash | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/AWS/SAST/DotNet_Sample/fortify_sast_fod_template.bash b/AWS/SAST/DotNet_Sample/fortify_sast_fod_template.bash index be9a4fb..b1e0c85 100644 --- a/AWS/SAST/DotNet_Sample/fortify_sast_fod_template.bash +++ b/AWS/SAST/DotNet_Sample/fortify_sast_fod_template.bash @@ -52,7 +52,7 @@ fcli tool sc-client install $scancentral_client_version -d $scancentral_home fcli tool fodupload install $fod_uploader_version -d $fod_uploader_home # Generate Package for upload to Fortify on Demand -scancentral package -oss-o package.zip +scancentral package -oss -o package.zip echo "INFO: start submitting scan" From 9edbd1628bbd24006e50387b681b9a6566823bc7 Mon Sep 17 00:00:00 2001 From: Dylan Date: Fri, 22 Sep 2023 08:56:43 -0400 Subject: [PATCH 15/23] Update cloudbuild_fortify_sast_fod.yaml --- .../cloudbuild_fortify_sast_fod.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/GCP/SAST/Java_Sample_With_FortifyCITools/cloudbuild_fortify_sast_fod.yaml b/GCP/SAST/Java_Sample_With_FortifyCITools/cloudbuild_fortify_sast_fod.yaml index 7726409..bea6ef1 100644 --- a/GCP/SAST/Java_Sample_With_FortifyCITools/cloudbuild_fortify_sast_fod.yaml +++ b/GCP/SAST/Java_Sample_With_FortifyCITools/cloudbuild_fortify_sast_fod.yaml @@ -10,7 +10,7 @@ args: - -c - | - scancentral package -bt mvn -oss -o package.zip + scancentral package -oss -o package.zip FoDUpload -z package.zip -aurl $$FOD_API_URL -purl $$FOD_URL -rid $$FOD_RELEASE_ID -tc $$FOD_TENANT -uc $$FOD_USER $$FOD_PAT $$FOD_UPLOADER_OPTS -n "$$FOD_NOTES" secretEnv: ['FOD_RELEASE_ID', 'FOD_USER', 'FOD_PAT', 'FOD_TENANT'] env: 
@@ -28,4 +28,4 @@ availableSecrets: - versionName: projects/$PROJECT_ID/secrets/fod_pat/versions/latest env: 'FOD_PAT' - versionName: projects/$PROJECT_ID/secrets/fod_tenant/versions/latest - env: 'FOD_TENANT' \ No newline at end of file + env: 'FOD_TENANT' From c9c624af353a12c869a9925f617e96684a759fbc Mon Sep 17 00:00:00 2001 From: Dylan Date: Fri, 22 Sep 2023 08:57:20 -0400 Subject: [PATCH 16/23] Update cloudbuild_fortify_sast_scancentral.yaml --- .../cloudbuild_fortify_sast_scancentral.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/GCP/SAST/Java_Sample_With_FortifyCITools/cloudbuild_fortify_sast_scancentral.yaml b/GCP/SAST/Java_Sample_With_FortifyCITools/cloudbuild_fortify_sast_scancentral.yaml index d7abd7d..b0c90ff 100644 --- a/GCP/SAST/Java_Sample_With_FortifyCITools/cloudbuild_fortify_sast_scancentral.yaml +++ b/GCP/SAST/Java_Sample_With_FortifyCITools/cloudbuild_fortify_sast_scancentral.yaml @@ -32,5 +32,5 @@ steps: env: - 'FORTIFY_IP=${_PUBLIC_IP}' - 'SSC_APP_VERSION_ID=${_SSC_APP_VERSION_ID}' - - 'SC_SAST_SENSOR_VERSION=22.2' - id: 'fortify-static-scan' \ No newline at end of file + - 'SC_SAST_SENSOR_VERSION=23.1' + id: 'fortify-static-scan' From 61fa3cbb0c86012c20136c91ea049baf26816541 Mon Sep 17 00:00:00 2001 From: Dylan Date: Fri, 22 Sep 2023 08:58:27 -0400 Subject: [PATCH 17/23] Update fortify_sast_fod_template.bash --- GCP/SAST/Python_Sample/fortify_sast_fod_template.bash | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/GCP/SAST/Python_Sample/fortify_sast_fod_template.bash b/GCP/SAST/Python_Sample/fortify_sast_fod_template.bash index 9c39da1..7640e15 100644 --- a/GCP/SAST/Python_Sample/fortify_sast_fod_template.bash +++ b/GCP/SAST/Python_Sample/fortify_sast_fod_template.bash 
@@ -13,7 +13,7 @@ fod_url='https://ams.fortify.com' fod_api_url='https://api.ams.fortify.com/' fod_uploader_opts='-ep 2 -pp 0 -I 1 -apf' fod_notes="Triggered by GCP CloudBuild" -scancentral_client_version='22.2.0' +scancentral_client_version='23.1.0' fod_uploader_version='5.4.0' fcli_version='v1.1.0' fcli_sha='5553766f0f771abdf27f4c6b6d38a34825a64aaa5d72cfd03c68d7e2f43a49a0' @@ -55,4 +55,4 @@ echo "INFO: start submitting scan" FoDUpload -z package.zip -aurl $fod_api_url -purl $fod_url -rid ${FOD_RELEASE_ID} -tc ${FOD_TENANT} -uc ${FOD_USER} ${FOD_PWD} $fod_uploader_opts -n "$fod_notes" -echo "INFO: Scan Submitted Successfully..." \ No newline at end of file +echo "INFO: Scan Submitted Successfully..." From 78850513b4e18fd6abb4483d65b38534f767c2af Mon Sep 17 00:00:00 2001 From: Dylan Date: Fri, 22 Sep 2023 09:00:45 -0400 Subject: [PATCH 18/23] Update fortify_sast_fod_template.bash --- GCP/SAST/Python_Sample/fortify_sast_fod_template.bash | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/GCP/SAST/Python_Sample/fortify_sast_fod_template.bash b/GCP/SAST/Python_Sample/fortify_sast_fod_template.bash index 7640e15..4c8d2e3 100644 --- a/GCP/SAST/Python_Sample/fortify_sast_fod_template.bash +++ b/GCP/SAST/Python_Sample/fortify_sast_fod_template.bash @@ -49,7 +49,7 @@ fcli tool sc-client install $scancentral_client_version -d $scancentral_home fcli tool fodupload install $fod_uploader_version -d $fod_uploader_home # Generate Java Package for upload to Fortify on Demand -scancentral package -o package.zip --build-tool none --python-requirements requirements.txt +scancentral package -o package.zip -oss --python-requirements requirements.txt echo "INFO: start submitting scan" FoDUpload -z package.zip -aurl $fod_api_url -purl $fod_url -rid ${FOD_RELEASE_ID} -tc ${FOD_TENANT} -uc ${FOD_USER} ${FOD_PWD} $fod_uploader_opts -n "$fod_notes" From c90d34443b016b223782842b654380c1bd753b12 Mon Sep 17 00:00:00 2001 
From: Dylan Date: Fri, 22 Sep 2023 09:01:03 -0400 Subject: [PATCH 19/23] Update cloudbuild.yaml --- GCP/SAST/Python_Sample/cloudbuild.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/GCP/SAST/Python_Sample/cloudbuild.yaml b/GCP/SAST/Python_Sample/cloudbuild.yaml index 279d434..60efb0d 100644 --- a/GCP/SAST/Python_Sample/cloudbuild.yaml +++ b/GCP/SAST/Python_Sample/cloudbuild.yaml @@ -31,9 +31,9 @@ steps: secretEnv: ['FOD_RELEASE_ID', 'FOD_USER', 'FOD_PAT', 'FOD_TENANT', 'FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN', 'FCLI_DEFAULT_SSC_USER', 'FCLI_DEFAULT_SSC_PASSWORD', 'FCLI_DEFAULT_SSC_CI_TOKEN', 'FCLI_DEFAULT_SSC_URL'] env: - 'SSC_APP_VERSION_ID=${_SSC_APP_VERSION_ID}' - - 'SC_SAST_SENSOR_VERSION=22.2' + - 'SC_SAST_SENSOR_VERSION=23.1' - 'FOD_URL=https://ams.fortify.com' - 'FOD_API_URL=https://api.ams.fortify.com' - 'FOD_UPLOADER_OPTS=-ep 2 -pp 0 -I 1 -apf' - 'FOD_NOTES=Triggered by GCP Pipeline' -timeout: 2400s \ No newline at end of file +timeout: 2400s From 0baaf03f67a401ffab024b0f6b811346c621f18d Mon Sep 17 00:00:00 2001 From: Dylan Date: Fri, 22 Sep 2023 09:01:53 -0400 Subject: [PATCH 20/23] Update fortify_sast_scancentral_template.bash --- .../Python_Sample/fortify_sast_scancentral_template.bash | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/GCP/SAST/Python_Sample/fortify_sast_scancentral_template.bash b/GCP/SAST/Python_Sample/fortify_sast_scancentral_template.bash index 02b01de..d54f8c3 100644 --- a/GCP/SAST/Python_Sample/fortify_sast_scancentral_template.bash +++ b/GCP/SAST/Python_Sample/fortify_sast_scancentral_template.bash @@ -11,7 +11,7 @@ export FCLI_DEFAULT_SSC_URL=$FCLI_DEFAULT_SSC_URL ssc_app_version_id=$SSC_APP_VERSION_ID # Local variables (modify as needed) -scancentral_client_version='22.2.0' +scancentral_client_version='23.1.0' fcli_version='v1.1.0' fcli_sha='5553766f0f771abdf27f4c6b6d38a34825a64aaa5d72cfd03c68d7e2f43a49a0' 
@@ -49,7 +49,7 @@ echo Setting connection with Fortify Platform fcli ssc session login fcli sc-sast session login -scancentral package -bt none -o package.zip --python-requirements requirements.txt +scancentral package -o package.zip --python-requirements requirements.txt fcli sc-sast scan start --appversion=$ssc_app_version_id --upload --sensor-version=$scancentral_client_version --package-file=package.zip --store='?' echo "INFO: Scan Submitted Successfully..." @@ -59,4 +59,4 @@ fcli ssc appversion-vuln count --appversion=$SSC_APP_VERSION_ID echo Terminating connection with Fortify Platform fcli sc-sast session logout -fcli ssc session logout \ No newline at end of file +fcli ssc session logout From f9854b8ef4b1e9cfe396766d6aa66a5caf8fb8db Mon Sep 17 00:00:00 2001 From: Dylan Date: Fri, 22 Sep 2023 09:02:38 -0400 Subject: [PATCH 21/23] Update fortify_sast_fod_template.bash --- GCP/SAST/Python_Sample/fortify_sast_fod_template.bash | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/GCP/SAST/Python_Sample/fortify_sast_fod_template.bash b/GCP/SAST/Python_Sample/fortify_sast_fod_template.bash index 4c8d2e3..158dc2b 100644 --- a/GCP/SAST/Python_Sample/fortify_sast_fod_template.bash +++ b/GCP/SAST/Python_Sample/fortify_sast_fod_template.bash @@ -49,7 +49,7 @@ fcli tool sc-client install $scancentral_client_version -d $scancentral_home fcli tool fodupload install $fod_uploader_version -d $fod_uploader_home # Generate Java Package for upload to Fortify on Demand -scancentral package -o package.zip -oss --python-requirements requirements.txt +scancentral package -o package.zip --python-requirements requirements.txt echo "INFO: start submitting scan" FoDUpload -z package.zip -aurl $fod_api_url -purl $fod_url -rid ${FOD_RELEASE_ID} -tc ${FOD_TENANT} -uc ${FOD_USER} ${FOD_PWD} $fod_uploader_opts -n "$fod_notes" From ffc8cba7c1aab3a0ec10142e7f2b9e5a0e98d2fd Mon Sep 17 00:00:00 2001 
From: Dylan Date: Fri, 22 Sep 2023 09:03:25 -0400 Subject: [PATCH 22/23] Update fortify-sast-fod.bash --- OCI/SAST/Java_App/fortify-sast-fod.bash | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/OCI/SAST/Java_App/fortify-sast-fod.bash b/OCI/SAST/Java_App/fortify-sast-fod.bash index 0b8bb68..47eb33e 100644 --- a/OCI/SAST/Java_App/fortify-sast-fod.bash +++ b/OCI/SAST/Java_App/fortify-sast-fod.bash @@ -14,7 +14,7 @@ fod_url='https://ams.fortify.com' fod_api_url='https://api.ams.fortify.com/' fod_uploader_opts='-ep 2 -pp 0 -I 1 -apf' fod_notes="Triggered by OCI DevOps" -scancentral_client_version='22.2.0' +scancentral_client_version='23.1.0' fod_uploader_version='5.4.0' fcli_version='v1.1.0' fcli_sha='5553766f0f771abdf27f4c6b6d38a34825a64aaa5d72cfd03c68d7e2f43a49a0' @@ -51,7 +51,7 @@ fcli tool sc-client install $scancentral_client_version -d $scancentral_home fcli tool fodupload install $fod_uploader_version -d $fod_uploader_home # Generate Java Package for upload to Fortify on Demand -scancentral package -bt mvn -oss -o package.zip +scancentral package -oss -o package.zip echo 'start submitting scan' FoDUpload -z package.zip -aurl $fod_api_url -purl $fod_url -rid ${FOD_RELEASE_ID} -tc ${FOD_TENANT} -uc ${FOD_USER} ${FOD_PWD} $fod_uploader_opts -n "$fod_notes" From b358f1d2f953d556aeb2151fabffa94bf11bb585 Mon Sep 17 00:00:00 2001 From: Dylan Date: Fri, 22 Sep 2023 09:03:41 -0400 Subject: [PATCH 23/23] Update fortify_sast_scancentral.bash --- OCI/SAST/Java_App/fortify_sast_scancentral.bash | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/OCI/SAST/Java_App/fortify_sast_scancentral.bash b/OCI/SAST/Java_App/fortify_sast_scancentral.bash index e3899bd..9ebeea9 100644 --- a/OCI/SAST/Java_App/fortify_sast_scancentral.bash +++ b/OCI/SAST/Java_App/fortify_sast_scancentral.bash 
@@ -12,7 +12,7 @@ # SSC_APP_VERSION_ID # Local variables (modify as needed) -scancentral_client_version='22.2.0' +scancentral_client_version='23.1.0' fcli_version='v1.1.0' fcli_sha='5553766f0f771abdf27f4c6b6d38a34825a64aaa5d72cfd03c68d7e2f43a49a0' @@ -58,4 +58,4 @@ fcli ssc appversion-vuln count --appversion=${SSC_APP_VERSION_ID} echo Terminating connection with Fortify Platform fcli sc-sast session logout -fcli ssc session logout \ No newline at end of file +fcli ssc session logout
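Review bot: the replacement line in PATCH 01 (README.md) carries over the typos of the line it replaces: "The entire project consist of" should read "consists of", "Foritfy" should be "Fortify", and the trailing context "we have created a templates which could help" should be "we have created templates that help". The list "public cloud providers such as Azure DevOps, AWS CodeBuild, Google Cloud Platform and Oracle Cloud Infrastructure" also mixes two kinds of thing, since Azure DevOps and AWS CodeBuild are CI/CD services rather than cloud providers; something like "CI/CD services on Azure, AWS, Google Cloud and Oracle Cloud" would be accurate. Collapsing the duplicated "In order to support developers..." sentence to a single copy is a good fix.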
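Review bot: in PATCH 02 (AWS/README.md) the blanket CodeStar to CodeBuild rename makes the paragraph claim more than CodeBuild does: "AWS CodeBuild service supports Continious Delivery using their own defined YML files during build and release" described the CodeStar bundle, where CodeBuild runs buildspec.yml, CodeDeploy consumes appspec.yml and CodePipeline chains them; CodeBuild alone only runs the buildspec. Suggest naming the service per file (buildspec.yml for CodeBuild, appspec.yml for CodeDeploy). Smaller points in the same hunk: "Fortify platform support" should be "supports", "Continious" should be "Continuous", and the list item "1. BuildSpec.yml" should use the lowercase "buildspec.yml", which is the filename CodeBuild looks for by default and the one the repository actually ships (see the PATCH 09 and PATCH 10 paths). The blank line removed between the paragraph and the list was harmless; keep it for readability.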
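Review bot: in PATCH 03 (AWS/README.md) the heading rename is fine, but the context sentence under it, "Integrating Fortify with CI process is fairly simple pull and push switch using the templates given in the above folders", does not parse; since the hunk touches this section anyway, rewrite it to say what the reader actually does, for example that the Fortify step is added to the buildspec by copying the template script from the matching sample folder and setting the variables listed at the top of that script.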
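Review bot: in PATCH 04 (fortify_sast_local_java_template.bash) the bumped install_dir="/opt/Fortify/Fortify_SCA_and_Apps_23.1.0" is the second place the SCA version is spelled out, the first being fortify_install in PATCH 05, and the two edits land in separate commits, so the tree after PATCH 04 alone runs a 21.1.1 installer into a 23.1.0 directory. Derive both from one variable (for example sca_version='23.1.0', with the file name and install dir built from it) and squash the two commits. Please also confirm the 23.1.0 download really is named Fortify_SCA_and_Apps_23.1.0_linux_x64.run; a name bumped by search-and-replace only fails at download time in the pipeline. Finally, the surrounding script does chmod +x "$fortify_install" and executes it with --mode unattended straight after the download, guarded by nothing but the comment "please ensure the URL is available"; the other templates in this series pin fcli_sha for fcli, so pin and verify a SHA-256 for the SCA installer before running it. The changed comment "s3://aws-codebuild-us-east-1********" is cosmetic, but CodeBuild does not create a bucket of that name the way CodeStar created its aws-codestar-* buckets; "your artifact bucket" wording avoids sending readers looking for one.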
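Review bot: in PATCH 06 (Java fortify_sast_scancentral_template.bash) dropping -bt mvn from "scancentral package -o package.zip" only works because the same patch bumps scancentral_client_version to 23.1.0, which, if I recall correctly, is the release where the client started detecting the build tool itself; the 22.2.0 client this script used before required the option. That coupling is not stated anywhere in the series and the READMEs are not updated, so please say so in the commit message and make sure every -bt removal in the series (PATCH 10, 12, 13, 15, 18, 20, 22) travels in the same commit as the matching client bump. Dropping the missing trailing newline after "fcli ssc session logout" is fine.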
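Review bot: in PATCH 09 (and the identical hunk in PATCH 10) the renamed comment "This command is required for AWS CodeBuild projects" is not accurate: the sed that rewrites $PARTITION$, $AWS_REGION$, $ACCOUNT_ID$ and $PROJECT_ID$ in template-configuration.json is CodeStar project scaffolding, and PARTITION, ACCOUNT_ID and PROJECT_ID are not variables CodeBuild defines. A plain CodeBuild project neither has nor needs a template-configuration.json, so either keep "CodeStar" in the comment or, now that the templates target CodeBuild, remove the step together with its "Do not remove this statement" warning.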
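Review bot: PATCH 11 (DotNet fortify_sast_fod_template.bash) commits a broken command, "scancentral package -oss-o package.zip" (no space before -o), which PATCH 14 then repairs; squash the fix into this commit so the series builds at every point. Replacing "zip -r package.zip ." with the ScanCentral packager is the right direction, since the raw zip shipped the whole checkout including whatever the build left behind; the packager is installed a few lines earlier by "fcli tool sc-client install", so the ordering works.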
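Review bot: in PATCH 12 (DotNet fortify_sast_scancentral_template.bash) the removed "-bt none" is not the same kind of edit as the removed "-bt mvn" in the Java scripts: -bt mvn named a build, -bt none told the client not to drive one and just package the sources. Without the flag the 23.1.0 client will decide for itself what this .NET project is, so please verify on the CodeBuild image what it does (which build tool it picks, whether it needs the .NET SDK or msbuild present) before merging, and note the result in the commit message.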
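Review bot: in the second hunk of PATCH 13 (Java fortify_sast_fod_template.bash) the context line "FoDUpload -z package.zip -aurl $fod_api_url -purl $fod_url -rid ${FOD_RELEASE_ID} -tc ${FOD_TENANT} -uc ${FOD_USER} ${FOD_PWD} ..." hands the Fortify on Demand credential to the uploader as a command-line argument, where it is visible in the process list and ends up in the build log if the shell ever runs with set -x. Since this series touches every copy of that line, it is the moment to check whether the uploader version pinned here (fod_uploader_version='5.4.0') can take the secret from the environment or a file instead, and failing that to make sure no template enables tracing. The first hunk's change of fod_notes from "Triggered by OCI DevOps" to "Triggered by AWS CodeBuild" fixes a copy-paste leftover that PATCH 07 had left in place; fold it into PATCH 07.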
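Review bot: in PATCH 16 (cloudbuild_fortify_sast_scancentral.yaml) "SC_SAST_SENSOR_VERSION=23.1" selects which sensors on the controller may take the job, so bumping it in the pipeline only helps if 23.1 sensors are actually registered there; otherwise the scan sits queued with no eligible sensor. The same holds for --sensor-version=$scancentral_client_version in the bash templates (PATCH 06, 10, 20) and for PATCH 19. One sentence in the READMEs that the client and sensor version in these templates must track the deployed sensor version would save the first user of this bump a confusing afternoon.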
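Review bot: PATCH 18 adds -oss to the Python package command ("scancentral package -o package.zip -oss --python-requirements requirements.txt") and PATCH 21 removes it again; drop both so the series does not record a change that never ships, leaving only the removal of "--build-tool none", which has the same dependency on the 23.1.0 client as PATCH 06. While these lines are open: the comment "# Generate Java Package for upload to Fortify on Demand" sits in GCP/SAST/Python_Sample and should say Python.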
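Review bot: PATCH 22 and PATCH 23 (OCI/SAST/Java_App) are the ninth and tenth copies of the same two edits, scancentral_client_version='23.1.0' and the removal of -bt, applied one file per commit, and the series itself shows the cost of that layout: the .NET FoD script picked up a typo (PATCH 11), the Python FoD script had a flag added and removed (PATCH 18, 21), and the AWS Java FoD script kept "Triggered by OCI DevOps" until PATCH 13. Suggest one commit per logical change ("bump ScanCentral client to 23.1.0 in all templates", "drop -bt now that the client detects the build tool") so a reviewer can see at a glance that the edit is uniform, and, longer term, a single versions file that each template sources so the next bump is one line.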