Updating scripts

.gitignore

@@ -49,10 +49,11 @@ build
 # Fortify
 .fortify
 /vulnerabilities.txt
-/FortifyDemoApp.fpr
-/FortifyDemoApp.
-/FortifyDemoApp.mbs
+*.fpr
+*.mbs
+*.pdf
 package.zip
 
 # Misc
-bin
+debricked
+

README.md

@@ -36,16 +36,16 @@ to create a `.env` file in the root directory with contents similar to the follo
 
 ```
 AZURE_SUBSCRIPTION_ID=17d2722b-256e-47e5-84b8-5b01f509a42c
-AZURE_RESOURCE_GROUP=fortify-demo-rg
-AZURE_APP_NAME=fortify-demo-app
+AZURE_RESOURCE_GROUP=fortifydemorg
+AZURE_APP_NAME=fortifydemoapp
 AZURE_REGION=eastus
 ```
 
 Then you can run the following commands:
 
 ```
 az login [--tenant XXXX]
-az group create --name [YOUR_INITIALS]-fortify-demo-rg --location eastus
+az group create --name [YOUR_INITIALS]-fortifydemorg --location eastus
 gradlew azureWebAppDeploy
 ```
 
@@ -61,7 +61,42 @@ Remove Application and Infrastructure
 To clean up all the resources you can execute the following (from a Windows command prompt):
 
 ```
-az group delete --name [YOUR_INITIALS]-fortifydemo-rg
+az group delete --name [YOUR_INITIALS]-fortifydemorg
+```
+
+Run a Fortify scan:
+
+First clean up any existing data from a previous build and scan:
+
+```
+sourceanalyzer -b fortifydemoapp -clean
+```
+
+Next, translate the source files by prepending the sourceanalyzer command:
+
+```
+sourceanalyzer -b fortifydemoapp gradle build
+```
+
+Then, execute the scan on the translated files:
+
+```
+sourceanalyzer -b fortifydemoapp -scan -verbose -f fortifydemoapp.fpr
+```
+
+Finally, view the results in AuditWorkbench:
+
+```
+auditworkbench fortifydemoapp.fpr
+```
+
+You can also use ScanCentral by first creating a mobile build solution (mbs) and then uploading it:
+
+```
+sourceanalyzer -b fortifydemoapp.fpr -export-build-session fortifydemoapp.mbs
+scancentral -url $ScanCentralCtrlUrl start -upload -uptoken $SSCAuthToken `
+    -b fortifydemoapp.fpr -application FortifyDemoApp -version 1.0 -mbs fortifydemoapp.mbs `
+    -email $ScanCentralEmail -block -o -f fortifydemoapp.fpr
 ```
 
 ---

fcli-commands.txt

@@ -4,4 +4,13 @@ fcli fod release list
 # sourceanalyzer –debug –verbose –logfile translate.log -b fortifydemoapp 
 scancentral package -o package.zip
 fcli fod sast-scan start -f package.zip --store curScan
-fcli fod sast-scan wait-for ::curScan::
+fcli fod sast-scan wait-for ::curScan::
+
+
+fcli ssc session login
+dir env:
+fcli ssc appversion list
+fcli sc-sast session login
+scancentral package -o package.zip
+fcli sc-sast scan start -p .\package.zip --sensor-version 23.2 --store curScan
+fcli sc-sast scan wait-for ::curScan::

fortify-sast.ps1

@@ -8,22 +8,22 @@ param (
     [ValidateSet('classic','security','devops')]
     [string]$ScanPolicy = "classic",
     [Parameter(Mandatory=$false)]
-    [switch]$SkipPDF
+    [switch]$SkipPDF,
+    [Parameter(Mandatory=$false)]
+    [switch]$SkipSSC
 )
 
 # Import local environment specific settings
 $EnvSettings = $(ConvertFrom-StringData -StringData (Get-Content ".\.env" | Where-Object {-not ($_.StartsWith('#'))} | Out-String))
 $AppName = $EnvSettings['APP_NAME']
-$AppVersion = $EnvSettings['APP_VER_NAME']
-
-$JVMArgs = ""
-#$JVMArgs = "-Xss256M"
-$ScanSwitches = ""
-#$ScanSwitches = "-Dcom.fortify.sca.rules.enable_wi_correlation=true -Dcom.fortify.sca.Phase0HigherOrder.Languages=javascript,typescript -Dcom.fortify.sca.EnableDOMModeling=true -Dcom.fortify.sca.follow.imports=true -Dcom.fortify.sca.exclude.unimported.node.modules=true"
+$AppVersion = $EnvSettings['APP_RELEASE_NAME']
+$SSCUrl = $EnvSettings['SSC_URL']
+$SSCAuthToken = $EnvSettings['SSC_AUTH_TOKEN'] # AnalysisUploadToken
+$JVMArgs = "-Xss256M"
+#$ScanSwitches = "-Dcom.fortify.sca.rules.enable_wi_correlation=true"
+$ScanSwitches = "-Dcom.fortify.sca.rules.enable_wi_correlation=true -Dcom.fortify.sca.Phase0HigherOrder.Languages=javascript,typescript -Dcom.fortify.sca.EnableDOMModeling=true -Dcom.fortify.sca.follow.imports=true -Dcom.fortify.sca.exclude.unimported.node.modules=true"
 
-# Test we have Fortify installed successfully
 if ([string]::IsNullOrEmpty($AppName)) { throw "Application Name has not been set" }
-if ([string]::IsNullOrEmpty($AppVersion)) { throw "Application Version Name has not been set" }
 
 # Run the translation and scan
 
@@ -39,18 +39,29 @@ $ClassPath = Get-Content -Path $DependenciesFile
 
 Write-Host Running translation...
 & sourceanalyzer '-Dcom.fortify.sca.ProjectRoot=.fortify' $JVMArgs $ScanSwitches -b "$AppName" `
-    -jdk 11 -java-build-dir "build" -cp $ClassPath -debug -verbose `
+    -jdk 11 -java-build-dir "target/classes" -cp $ClassPath -debug -verbose `
     -exclude ".\src\main\resources\static\js\lib" -exclude ".\src\main\resources\static\css\lib" `
     -exclude ".\node_modules" -exclude "src/main/resources/schema.sql" -exclude "src/main/resources/data.sql" `
-    "src" "Dockerfile*" "*.bicep"
+    "src/main/java/**/*" "src/main/resources/**/*" "Dockerfile*"
 
 Write-Host Running scan...
 & sourceanalyzer '-Dcom.fortify.sca.ProjectRoot=.fortify' $JVMArgs $ScanSwitches -b "$AppName" `
-    -cp $ClassPath  -java-build-dir "build" -debug -verbose `
+    -cp $ClassPath  -java-build-dir "target/classes" -debug -verbose `
     -scan-policy $ScanPolicy `
     -build-project "$AppName" -build-version "$AppVersion" -build-label "SNAPSHOT" `
-    -scan 
-#    -f "$($AppName).fpr"
+    -scan -f "$($AppName).fpr"
+
+# summarise issue count by analyzer
+& fprutility -information -analyzerIssueCounts -project "$($AppName).fpr"
 
+if (-not $SkipPDF) {
+    Write-Host Generating PDF report...
+    & ReportGenerator '-Dcom.fortify.sca.ProjectRoot=.fortify' -user "Demo User" -format pdf -f "$($AppName).pdf" -source "$($AppName).fpr"
+}
+
+if (-not $SkipSSC) {
+    Write-Host Uploading results to SSC...
+    & fortifyclient uploadFPR -file "$($AppName).fpr" -url $SSCUrl -authtoken $SSCAuthToken -application "$AppName" -applicationVersion "$AppVersion"
+}
 
 Write-Host Done.

fortify-scancentral-sast.ps1

@@ -6,7 +6,7 @@
 $EnvSettings = $(ConvertFrom-StringData -StringData (Get-Content (Join-Path "." -ChildPath ".env") | Where-Object {-not ($_.StartsWith('#'))} | Out-String))
 $AppName = $EnvSettings['APP_NAME']
 $AppVersion = $EnvSettings['APP_RELEASE_NAME']
-$SSCAuthToken = $EnvSettings['SSC_AUTH_TOKEN'] # CIToken
+$SSCAuthToken = $EnvSettings['SSC_AUTH_TOKEN'] # AnalysisUploadToken
 $ScanCentralCtrlUrl = $EnvSettings['SCANCENTRAL_CTRL_URL']
 $ScanCentralPoolId = $EnvSettings['SCANCENTRAL_POOL_ID'] # Not yet used
 $ScanCentralEmail = $EnvSettings['SCANCENTRAL_EMAIL']