Merge pull request #29 from fortify/cloud-dso-integration

Updated for AWS and GCP

devops-integrations/aws/buildspec.yml

@@ -0,0 +1,48 @@
+version: 0.2
+env:
+  variables:
+        FOD_RELEASE_ID: "XXXXX"
+  parameter-store:
+        FOD_BASEURL: "/fod/baseurl"
+        FOD_TENANT: "/fod/tenant"
+        FOD_USER: "/fod/user"   #Client ID
+        FOD_PWD: "/fod/pwd"     #Client Secret
+phases:
+  install:
+    runtime-versions:
+      java: corretto11
+    commands:
+      # Upgrade AWS CLI to the latest version
+      - pip install --upgrade awscli
+  pre_build:
+    commands:
+      - mvn clean
+  build:
+    commands:
+      - mvn -Pwar clean package
+      #- mvn package
+  post_build:
+    commands:
+      # Do not remove this statement. This command is required for AWS CodeStar projects.
+      # Update the AWS Partition, AWS Region, account ID and project ID in the project ARN in template-configuration.json file so AWS CloudFormation can tag project resources.
+      - sed -i.bak 's/\$PARTITION\$/'${PARTITION}'/g;s/\$AWS_REGION\$/'${AWS_REGION}'/g;s/\$ACCOUNT_ID\$/'${ACCOUNT_ID}'/g;s/\$PROJECT_ID\$/'${PROJECT_ID}'/g' template-configuration.json
+      ###################################################
+      #             INTEGRATE FORTIFY SAST              #
+      #                                                 #
+      # For FORTIFY ON DEMAND uncomment the next line   #
+      - bash fortify-sast-fod.bash
+      #                                                 #
+      # For FORTIFY SCANCENTRAL uncomment the next line #
+      #- bash fortify_sast_scancentral.bash             
+      #                                                 #
+      # For LOCAL FORTIFY SCA uncomment the next line   #
+      #- bash fortify_sast_local.bash
+      #                                                 #
+      ###################################################      
+artifacts:
+  files:
+    - 'appspec.yml'
+    - 'template.yml'
+    - 'scripts/*'
+    - 'target/iwa.war'
+    - 'template-configuration.json'

devops-integrations/aws/fortify-sast-fod.bash

@@ -0,0 +1,66 @@
+#!/bin/bash
+
+#Parameters Section
+
+#download the required tools installation script
+sha256_FTI='d9ebd439c5b426a5ea207e6c1a17a466f79363ca5735fea1d7a4d8ef5807dc06'
+fortify_tool_installer='https://raw.githubusercontent.com/fortify/FortifyToolsInstaller/v2.14.0/FortifyToolsInstaller.sh'  # BASE UTILITY DO NOT CHANGE
+
+fod_url=$FOD_BASEURL 												# Fortify On Demand URL 
+fod_api_url='https://api.'`echo "$fod_url" | awk -F/ '{print $3}'`	# Fortify On Demand API URL
+fortify_tools_dir='/root/.fortify/tools/FoDUploader/v5.4.0'			# Default installation directory
+fod_util='FoDUpload.jar'											# FoD Utility alias set into FTI Script [[DO NOT CHANGE]]
+
+#FOD Details to Upload Code
+fod_tenant=$FOD_TENANT 			# TENANT ID
+fod_user_key=$FOD_USER			# FOD USER KEY
+fod_pwd_secret=$FOD_PWD			# FOD PAT
+fod_release_id=$FOD_RELEASE_ID	# FOD APPLICATION BASED RELEASE ID
+
+#Parameters to configure installable
+fti_install='FortifyToolsInstaller.sh'
+
+#Download required files, please ensure the URL is available
+wget "$fortify_tool_installer" 
+e=$?        # return code last command
+if [ "${e}" -ne "0" ]; then
+	echo "ERROR: Can;t downloads the requierd files from server, can not continue - exit code ${e}"
+	exit 100
+fi
+# End of Download
+
+#persmission to execute
+chmod +x "$fti_install"
+sha256sum -c <(echo "$sha256_FTI $fti_install")
+e=$?        # return code last command
+if [ "${e}" -ne "0" ]; then
+	echo "ERROR: Hashes could not be matched, can not continue - exit code ${e}"
+	exit 100
+fi
+
+FTI_TOOLS=sc:22.1.2 source $fti_install
+e=$?        # return code last command
+if [ "${e}" -ne "0" ]; then
+	echo "ERROR: Can;t downloads the requierd files from server, can not continue - exit code ${e}"
+	exit 100
+fi
+
+#Execute the shell script to download and install fortify tools
+FTI_TOOLS=fu:v5.4.0 source $fti_install
+e=$?        # return code last command
+if [ "${e}" -ne "0" ]; then
+	echo "ERROR: Can;t downloads the requierd files from server, can not continue - exit code ${e}"
+	exit 100
+fi
+
+#Generate Java Package to upload in FoD
+scancentral package -o sourcecode.zip --build-tool mvn
+
+java -jar $fortify_tools_dir/$fod_util -ac $fod_user_key $fod_pwd_secret -rid $fod_release_id -purl $fod_url -aurl $fod_api_url -tc $fod_tenant -z sourcecode.zip -ep 2 -rp 2 -pp 2 
+e=$?        # return code last command
+if [ "${e}" -ne "0" ]; then
+	echo "ERROR: Fortify On Demand throws error, can not continue - exit code ${e}"
+	exit 100
+fi
+
+echo "INFO: Scan Submitted Successfully..."

devops-integrations/gcp/cloudbuild_fortify_sast_fod.yaml

@@ -0,0 +1,31 @@
+steps:
+- name: maven:3.6.0-jdk-11-slim
+  entrypoint: 'mvn'
+  args: ['clean', 'package', '-DskipTests']
+
+- name: 'gcr.io/cloud-builders/docker'
+  args: ['build', '-t', 'gcr.io/$PROJECT_ID/iwa_java:latest', '-t', 'gcr.io/$PROJECT_ID/iwa_java:$COMMIT_SHA', '-t', 'gcr.io/$PROJECT_ID/iwa_java:$BUILD_ID', '.']
+  id: 'build-image-IWAJava'
+
+- name: 'fortifydocker/fortify-ci-tools:latest'
+  entrypoint: bash
+  args: 
+    - -c
+    - |
+       fod_api_url='https://api.'`echo "$$FOD_BASEURL" | awk -F/ '{print $3}'`
+       scancentral package -o sourcecode.zip --build-tool mvn
+       java -jar /opt/Fortify/FodUpload/FoDUpload.jar -ac $$FOD_USER $$FOD_PWD -rid $$FOD_RELEASE_ID -purl $$FOD_BASEURL -aurl $fod_api_url -tc $$FOD_TENANT -z sourcecode.zip -ep 2 -rp 2 -pp 2 
+  secretEnv: ['FOD_USER', 'FOD_PWD', 'FOD_TENANT'] 
+  env:
+    - 'FOD_BASEURL=${_FOD_URL}' 
+    - 'FOD_RELEASE_ID=${_FOD_RELEASE_ID}' 
+  id: 'fortify-static-scan'
+  waitFor: ['build-image-IWAJava']
+availableSecrets:
+  secretManager:
+  - versionName: projects/$PROJECT_ID/secrets/fod_pwd/versions/1
+    env: 'FOD_PWD'
+  - versionName: projects/$PROJECT_ID/secrets/fod_user/versions/1
+    env: 'FOD_USER'
+  - versionName: projects/$PROJECT_ID/secrets/fod_tenant/versions/1
+    env: 'FOD_TENANT'