Merge pull request #2 from fortify-presales/python-migration

Python migration

README.md

@@ -15,8 +15,9 @@ You can the run the application locally using the following:
 python -m venv .venv
 .venv\Scripts\Activate.ps1      [Windows]
 .venv/Scripts/activate          [Linux/UNIX]
-pip install -r app\requirements.txt
-flask run
+pip install -r requirements.txt
+run.bat                         [Windows]
+ruh.sh                          [Linux/UNIX]
 ```
 
 The application should then be available at the URL `http://localhost:5000`. If it fails to start,
@@ -32,6 +33,39 @@ functional in this version of the app:
 
 These have been "enabled" because they all have potential security issues that can be found by Fortify.
 
+Deploy Application (Azure)
+--------------------------
+
+If you want to run the application in the cloud you can deploy it to Microsoft Azure along with its required
+infrastructure by using the Azure DevOps CLI.
+
+To create the required infrastructure and deploy the application you can execute the following (from a Windows command prompt):
+
+```
+az login
+az webapp up --runtime PYTHON:3.12 --location eastus --name _YOUR_APP_NAME__ --sku B1 --logs
+```
+
+Replace `eastus` with your own desired region and `B1` with desired app service plan.
+
+You will need to create a custom startup script for the application using the resource_group and app_name from above:
+
+```
+az webapp config set --resource-group _YOUR_RESOURCE_GROUP_ --name _YOUR_APP_NAME_ --startup-file startup.txt
+```
+
+You should now be able to navigate to the website and use the URL `http://your_website_name.azurewebsites.net/init-db`
+to populate the database.
+
+Remove Application and Infrastructure
+-------------------------------------
+
+To clean up all the resources you can execute the following (from a Windows command prompt):
+
+```
+az group delete --name [resource_group_created_from_above] --no-wait
+```
+
 ---
 
 Kevin A. Lee (kadraman) - [email protected]

app/__init__.py

@@ -1,6 +1,6 @@
 import os
 import random
-from flask import Flask, json, render_template, request, Response
+from flask import Flask, json, redirect, render_template, request, Response, url_for
 from docx import Document
 from werkzeug.utils import secure_filename
 
@@ -30,8 +30,10 @@ def create_app(test_config=None):
     except OSError:
         pass
 
+    # initial route
     @app.route('/')
     def index():
+        print("[index] Rendering home page.")
         return render_template('index.html')
 
     # register the database commands
@@ -51,10 +53,11 @@ def index():
     app.register_blueprint(products.bp)
     app.register_blueprint(insecure.bp)
 
-    # make url_for('index') == url_for('shop.index')
-    # in another app, you might define a separate main index here with
-    # app.route, while giving the blog blueprint a url_prefix, but for
-    # the tutorial the blog will be the main index
-    #app.add_url_rule("/", endpoint="index")
+    # initialize/reset all the product and user data
+    @app.route("/init-db")
+    def init_db():
+        print("[init_db] Initializing database.")
+        db.init_db()
+        return redirect(url_for("products.index"))
 
     return app

app/products.py

@@ -1,5 +1,5 @@
 import os
-from flask import Blueprint, send_file, send_from_directory
+from flask import Blueprint, Response, send_file, send_from_directory
 from flask import flash
 from flask import g
 from flask import redirect
@@ -9,11 +9,10 @@
 from werkzeug.exceptions import abort
 
 from .auth import login_required
-from .db import get_db
+from .db import get_db, init_db
 
 bp = Blueprint("products", __name__, url_prefix="/products")
 
-
 def get_product(id):
     """Get a product by id.
 

fortify/fod-scan.ps1

@@ -15,8 +15,8 @@ param (
 
 # Import local environment specific settings
 $EnvSettings = $(ConvertFrom-StringData -StringData (Get-Content ".\.env" | Where-Object {-not ($_.StartsWith('#'))} | Out-String))
-$AppName = $EnvSettings['APP_NAME']
-$AppVersion = $EnvSettings['APP_RELEASE_NAME']
+$AppName = $EnvSettings['FOD_APP_NAME']
+$AppVersion = $EnvSettings['FOD_APP_REL_NAME']
 $FoDApiUri = $EnvSettings['FOD_API_URI']
 $FoDClientId = $EnvSettings['FOD_CLIENT_ID']
 $FoDClientSecret = $EnvSettings['FOD_CLIENT_SECRET']

fortify/sample-commands.md

@@ -3,29 +3,16 @@ Fortify Local Scan
 
 ```
 sourceanalyzer -b fortifydemoapp -clean
-sourceanalyzer -b fortifydemoapp .\gradlew clean build
-sourceanalyzer -b fortifydemoapp -scan --scan-policy devops
+sourceanalyzer -b fortifydemoapp -python-path ".venv/Lib/site-packages/" -exclude ".venv" "app"
+sourceanalyzer -b fortifydemoapp -scan
 ```
 
-or
-
-```
-.\fortify-sast.ps1
-```
-
-
 Fortify ScanCentral SAST Scan
 ==============================
 
 ```
-scancentral package -o package.zip
-scancentral ...
-```
-
-or
-
-```
-.\fortify-scancentral-sast-ps1
+scancentral -url _YOUR_SCANCENTRAL_CTRL_UTL start -upload -uptoken _YOUR_SSC_AUTH_TOKEN_ -bt none --python-virtual-env .venv
+    -sp package.zip -application "FortifyDemoApp" -version "main" -email _YOUR_EMAIL_ -block -o -f "FortifyDemoApp.fpr"
 ```
 
 Fortify Command Line (fcli)
@@ -34,21 +21,21 @@ Fortify Command Line (fcli)
 FoD:
 
 ```
-fcli fod session login
 env | grep FCLI (Unix)
 dir env: (PowerShell)
-scancentral package
-fcli fod sast-scan start --release "APP:RELEASE" -f fortifypackage.zip --store curScan
+fcli fod session login
+scancentral package -o package.zip -bt none --python-virtual-env .venv
+fcli fod sast-scan start --release "FortifyDemoApp:main" -f package.zip --store curScan
 fcli fod sast-scan wait-for ::curScan::
 ```
 
 ScanCentral SAST:
 
 ```
-fcli sc-sast session login
 env | grep FCLI (Unix)
 dir env: (PowerShell)
-scancentral package
-fcli sc-sast scan start -p fortifypackage.zip --sensor-version 23.3 --store curScan
+fcli sc-sast session login
+scancentral package -o package.zip -bt none --python-virtual-env .venv
+fcli sc-sast scan start -p package.zip --sensor-version 23.3 --store curScan
 fcli sc-sast scan wait-for ::curScan::
 ```

fortify/sast-scan.ps1

@@ -15,8 +15,8 @@ param (
 
 # Import local environment specific settings
 $EnvSettings = $(ConvertFrom-StringData -StringData (Get-Content ".\.env" | Where-Object {-not ($_.StartsWith('#'))} | Out-String))
-$AppName = $EnvSettings['APP_NAME']
-$AppVersion = $EnvSettings['APP_RELEASE_NAME']
+$AppName = $EnvSettings['SSC_APP_NAME']
+$AppVersion = $EnvSettings['SSC_APP_VER_NAME']
 $SSCUrl = $EnvSettings['SSC_URL']
 $SSCAuthToken = $EnvSettings['SSC_AUTH_TOKEN'] # AnalysisUploadToken
 $JVMArgs = "-Xss256M"

fortify/scancentral-sast-scan.ps1

@@ -4,14 +4,13 @@
 
 # Import local environment specific settings
 $EnvSettings = $(ConvertFrom-StringData -StringData (Get-Content (Join-Path "." -ChildPath ".env") | Where-Object {-not ($_.StartsWith('#'))} | Out-String))
-$AppName = $EnvSettings['APP_NAME']
-$AppVersion = $EnvSettings['APP_RELEASE_NAME']
+$AppName = $EnvSettings['SSC_APP_NAME']
+$AppVersion = $EnvSettings['SSC_APP_VER_NAME']
 $SSCAuthToken = $EnvSettings['SSC_AUTH_TOKEN'] # AnalysisUploadToken
 $ScanCentralCtrlUrl = $EnvSettings['SCANCENTRAL_CTRL_URL']
 $ScanCentralPoolId = $EnvSettings['SCANCENTRAL_POOL_ID'] # Not yet used
 $ScanCentralEmail = $EnvSettings['SCANCENTRAL_EMAIL']
 
-$ScanSwitches = ""
 $BuildVersion = $(git log --format="%H" -n 1)
 $BuildLabel = "fortifydemoapp-cli"
 $ScanArgs = @(
@@ -38,7 +37,7 @@ if (Test-Path $PackageName) {
 
 # Package, upload and run the scan and import results into SSC
 Write-Host Invoking ScanCentral SAST ...
-& scancentral -url $ScanCentralCtrlUrl start -upload -uptoken $SSCAuthToken -bt gradle -bc "clean build -x test" -sp $PackageName `
+& scancentral -url $ScanCentralCtrlUrl start -upload -uptoken $SSCAuthToken -bt none --python-virtual-env .venv  -sp $PackageName `
     -application "$AppName" -version $AppVersion -email $ScanCentralEmail -block -o -f "$($AppName).fpr"  `
     -sargs "$($ScanArgs)"
 

startup.txt

@@ -0,0 +1 @@
+gunicorn --bind=0.0.0.0 --timeout 600 'app:create_app()'