Updating FoD GitHub Actions

.github/workflows/debricked.yml

@@ -20,7 +20,7 @@ env:
   PYTHON_VERSION: "3.12.4"
 
 jobs:
-  vulnerabilities-scan:
+  Debricked-SCA:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
@@ -42,6 +42,6 @@ jobs:
     - name: Run debricked scan
       shell: bash
       run: |
-        ./debricked scan -r "${DEFAULT_APP_NAME}" --access-token="${DEBRICKED_TOKEN}" -e "lib/**" --verbose .
+        ./debricked scan -r "${DEFAULT_APP_NAME}" --access-token="${DEBRICKED_TOKEN}" -e "lib/**" -e ".venv/**" --verbose .
       env:
         DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }}

.github/workflows/fod.yml

@@ -0,0 +1,144 @@
+
+# Create GitHub Action Repository Variables for your version of the application:
+#   FOD_BASE_URL should be FoD BASE URL for your tenant (e.g. https://ams.fortify.com)
+#   FOD_API_URL should be FoD API URL for your tenant (e.g. https://api.ams,fortify.com)
+#   FOD_PARENT_RELEASE_NAME is the FoD release name corresponding to the parent branch of any newly created branch, this is typically "main" or "develop"
+# Create GitHub Action Secrets for your version of the application:
+#   FOD_CLIENT_ID should be an API Key obtained from your FoD tenant.
+#   FOD_CLIENT_SECRET should be the secret for the API Key obtained for your FoD tenant.
+# Helpful hints:
+#   API Key credentials can be obtained from your FoD tenant, under Administration -> Settings -> API
+#   It is recommended to create credentials with 'Security Lead' Role selected.
+#   "Automated Audit preference" should be configured for the release's Static Scan Settings.
+
+name: DevSecOps with Fortify on Demand
+
+on:
+  # Triggers the workflow on push or pull request events but only for the main or develop branches
+  push:
+    paths-ignore:
+      - '.github/**/**'
+      - 'bin/**'
+      - 'data/**'
+      - 'etc/**'
+      - 'tests/**'
+      - 'README.md'
+      - 'LICENSE'
+    branches:
+      - '**'        # matches every branch
+  pull_request:
+    branches: [ main, develop ]
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:       
+
+# Global environment variables
+env:
+  BUILD_TYPE: "Release"
+  DEFAULT_APP_NAME: "EightBallCpp"
+  PYTHON_VERSION: "3.12.4"
+
+jobs:
+
+  Build-And-Unit-Test:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          # Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
+          fetch-depth: 2
+      - name: Get Conan
+        uses: turtlebrowser/get-conan@main
+      - name: Create default profile
+        run: conan profile new default --detect
+      - name: Update profile
+        run: conan profile update settings.compiler.libcxx=libstdc++11 default
+      - name: Install dependencies
+        run: conan install . --output-folder=build --build=missing --settings=build_type=${{env.BUILD_TYPE}} -c tools.cmake.cmaketoolchain:generator=Ninja
+      - name: Configure CMake
+        run: cmake --preset conan-release
+      - name: Build
+        run: |
+          cd build
+          ls
+          cmake --build . --clean-first --config ${{env.BUILD_TYPE}} --verbose
+          ls
+
+  Quality-Gate:
+    runs-on: ubuntu-latest
+    if: ${{ always() }}
+    needs: [ Build-And-Unit-Test ]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          # Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
+          fetch-depth: 2
+      # TBD
+
+  FoD-SAST-Scan:
+    runs-on: ubuntu-latest
+    if: ${{ (github.event_name == 'push') || (github.event_name == 'pull_request') || (github.event.inputs.runFoDSASTScan == 'true') }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          # Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
+          fetch-depth: 2
+      - name: Fortify App and Release Name
+        id: fortify-app-and-rel-name
+        uses: fortify-presales/github-actions/fortify-app-and-release-name@main
+        with:
+          default_fortify_app_name: ${{ env.DEFAULT_APP_NAME }}
+          default_fortify_release_name: ${{ github.ref_name }}
+          app_name_postfix: ${{ vars.FORTIFY_APP_NAME_POSTFIX }}
+      # Uncomment below to debug FoD App/Release names   
+      #- name: Print App and Release Name
+      #  shell: bash
+      #  run: |
+      #    echo "FoD App Name: ${FOD_APP_NAME}"
+      #    echo "FoD Release Name: ${FOD_RELEASE_NAME}"
+      #  env:
+      #    FOD_APP_NAME: ${{ steps.fortify-app-and-rel-name.outputs.app_name }}
+      #    FOD_RELEASE_NAME: ${{ steps.fortify-app-and-rel-name.outputs.release_name }}          
+
+      # TBD 
+
+  Security-Gate:
+    runs-on: ubuntu-latest
+    if: ${{ always() }}
+    needs: [ FoD-SAST-Scan ]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          # Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
+          fetch-depth: 2
+      - name: Fortify App and Release Name
+        id: fortify-app-and-rel-name
+        uses: fortify-presales/github-actions/fortify-app-and-release-name@main
+        with:
+          default_fortify_app_name: ${{ env.DEFAULT_APP_NAME }}
+          default_fortify_release_name: ${{ github.ref_name }}
+          app_name_postfix: ${{ vars.FORTIFY_APP_NAME_POSTFIX }}
+      - name: Verify FoD Security Policy
+        uses: fortify-presales/github-actions/verify-fod-security-policy@main
+        with:
+          fod_api_url: ${{ vars.FOD_API_URL }}
+          fod_client_id: ${{ secrets.FOD_CLIENT_ID }}
+          fod_client_secret: ${{ secrets.FOD_CLIENT_SECRET }}
+          fod_app_name: ${{ steps.fortify-app-and-rel-name.outputs.app_name }}
+          fod_release_name: ${{ steps.fortify-app-and-rel-name.outputs.release_name }}
+
+  Release-To-Prod:
+    runs-on: ubuntu-latest
+    needs: [ Quality-Gate, Security-Gate ]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          # Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
+          fetch-depth: 2
+      # TBD

CMakeLists.txt

@@ -6,6 +6,8 @@ set(CMAKE_EXPORT_COMPILE_COMMANDS ON)
 find_package(ZLIB REQUIRED)
 find_package(pugixml REQUIRED)
 find_package(SQLite3 REQUIRED)
+find_package(http_parser REQUIRED)
+find_package(json-c REQUIRED)
 
 add_executable(${PROJECT_NAME} src/main.cpp
     src/Answer.h
@@ -16,3 +18,5 @@ target_include_directories(${PROJECT_NAME} PRIVATE ${EIGHTBALL_INCLUDE_DIRS})
 target_link_libraries(${PROJECT_NAME} ZLIB::ZLIB)
 target_link_libraries(${PROJECT_NAME} pugixml::pugixml)
 target_link_libraries(${PROJECT_NAME} SQLite::SQLite3)
+target_link_libraries(${PROJECT_NAME} http_parser::http_parser)
+target_link_libraries(${PROJECT_NAME} json-c::json-c)

README.md

@@ -9,7 +9,7 @@ Pre-requisites:
 The following software is required to be installed for this project.
 
  - Fortify Static Code Analyzer 24.2 or later
- - Debricked CLI (and Debricked Enterprise account)
+ - Debricked CLI (with Debricked Enterprise account)
  - Visual Studio Professional 2022 or later (for Windows build)
  - CMake >= 3.29.6
  - Ninja >= 1.12.1
@@ -27,7 +27,7 @@ Install Conan
 ```
 python -m venv .
 .\Scripts\Activate.ps1
-pip install conan
+pip install conan [--upgrade]
 conan profile detect --force
 ```
 
@@ -128,22 +128,15 @@ upload it to Fortify on Demand and start the scan as in the following:
 ```
 Compress-Archive -Path .\EightBallCpp.mbs -DestinationPath FoDPackage.zip -Force
 fcli fod session login [--url YOUR_FOD_URL --client-id YOUR_CLIENT_ID --client-secret YOUR_CLIENT_SECRET]
-fcli fod sast-scan start --release="EightBallCpp [KAL]:main" -f FoDPackage.zip --store curScan
+fcli fod sast-scan start --release="EightBallCpp:main" -f FoDPackage.zip --store curScan
 fcli fod sast-scan wait-for ::curScan::
 ```
 
 Debricked SCA Scan
 ==================
 
-Currently Debricked does not have any native support for Conan, however Conan can create CycloneDX SBOMs as in the following:
-
-Conan 2.x
-
-```
-conan config install https://github.com/conan-io/conan-extensions.git
-conan sbom:cyclonedx --format 1.4_json . > sbom.json
-debricked scan -r EightBallCpp -t $Env:DEBRICKED_TOKEN
-```
+Currently Debricked does not have any native support for Conan, however Conan can create CycloneDX SBOMs and these files
+can be scanned. To generate an SBOM and upload it to debricked you can carry out the following:
 
 Conan 1.4.x
 
@@ -154,6 +147,22 @@ pip install cyclonedx-conan
 cyclonedx-conan .\conanfile.txt > sbom.json
 debricked scan -r EightBallCpp -e "Lib\**" -t $Env:DEBRICKED_TOKEN
 ```
+
+Conan 2.x
+
+TBD
+
+The SBOM can also be scanned with Fortify on Demand (Debricked Integration) using the following:
+
+```
+Compress-Archive -Path .\sbom.json -DestinationPath FoDPackage.zip -Force
+fcli fod session login [--url YOUR_FOD_URL --client-id YOUR_CLIENT_ID --client-secret YOUR_CLIENT_SECRET]
+fcli fod oss-scan start --release="EightBallCpp:main" -f FoDPackage.zip --store curScan
+fcli fod oss-scan wait-for ::curScan::
+```
+
+There is also a GitHub Action [debricked.yml](.github/workflows/debricked.yml) included to carry this out automatically.
+
 ---
 
 Kevin Lee - [email protected]

conanfile.txt

@@ -2,6 +2,8 @@
 zlib/1.2.11
 pugixml/1.14
 sqlite3/3.42.0
+http_parser/2.9.2
+json-c/0.14
 
 [generators]
 CMakeDeps