Merge pull request #53 from kadraman/gitlab-debricked

feat!: Renamed SSC Sonatype -> GitLab output file, requiring users to use the new filename in their pipelines
fortify · Feb 2, 2023 · eadcd8c · eadcd8c
2 parents 6b6a27d + 796d05b
commit eadcd8c
Show file tree

Hide file tree

Showing 11 changed files with 150 additions and 22 deletions.
diff --git a/...in-from-ssc/src/main/java/com/fortify/vulnexport/from/ssc/FromSSCVulnerabilityLoader.java b/...in-from-ssc/src/main/java/com/fortify/vulnexport/from/ssc/FromSSCVulnerabilityLoader.java
@@ -144,6 +144,8 @@ private void embed(SSCApplicationVersionsQueryBuilder qb, SSCEmbedConfig config)
 					embedCurrentScan(qb, config, "currentDynamicScanId", "WEBINSPECT"); return;
 				case "currentSonatypeScan":
 					embedCurrentScan(qb, config, "currentSonatypeScanId", "SONATYPE"); return;
+				case "currentDebrickedScan":
+					embedCurrentScan(qb, config, "currentDebrickedScanId", "DEBRICKED"); return;
 				}
 			}
 			qb.embed(config);

diff --git a/...erabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-fod-dast.yml b/...erabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-fod-dast.yml
@@ -4,13 +4,20 @@ spring.config.activate.on-loader-plugin: fod
 json.gitlab.dast.filter.expr: vuln.scantype=='Dynamic'
 json.gitlab.dast.format:
   fields:
-    schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v14.0.0/dist/dast-report-format.json
-    version: 14.0.0
+    schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v15.0.0/dist/dast-report-format.json
+    version: 15.0.0
     scan:
       start_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", release.dynamicScanSummary?.startedDateTime?:'1970-01-01T00:00:00')]
       end_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", release.dynamicScanSummary?.completedDateTime?:'1970-01-01T00:00:00')]
       status: $[release.dynamicAnalysisStatusTypeId==2?'success':'failure']
       type: dast
+      analyzer:
+        id: FoD-DAST
+        name: Fortify on Demand
+        url: https://www.microfocus.com/en-us/products/application-security-testing/overview
+        version: WebInspect $[release.dynamicScanSummary?.scanToolVersion?:'version unknown']
+        vendor:
+          name: Fortify
       scanner:
         id: FoD-DAST
         name: Fortify on Demand

diff --git a/...erabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-fod-sast.yml b/...erabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-fod-sast.yml
@@ -4,13 +4,20 @@ spring.config.activate.on-loader-plugin: fod
 json.gitlab.sast.filter.expr: vuln.scantype=='Static'
 json.gitlab.sast.format:
   fields:
-    schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v14.0.0/dist/sast-report-format.json
-    version: 14.0.0
+    schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v15.0.0/dist/sast-report-format.json
+    version: 15.0.0
     scan:
       start_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", release.staticScanSummary?.startedDateTime?:'1970-01-01T00:00:00')]
       end_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", release.staticScanSummary?.completedDateTime?:'1970-01-01T00:00:00')]
       status: $[release.staticAnalysisStatusTypeId==2?'success':'failure']
       type: sast
+      analyzer:
+        id: FoD-SAST
+        name: Fortify on Demand
+        url: https://www.microfocus.com/en-us/products/application-security-testing/overview
+        version: SCA $[release.staticScanSummary?.staticScanSummaryDetails?.engineVersion?:'version unknown']; Rulepack $[release.staticScanSummary?.staticScanSummaryDetails?.rulePackVersion?:'version unknown']
+        vendor:
+          name: Fortify
       scanner:
         id: FoD-SAST
         name: Fortify on Demand

diff --git a/...erabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-dast.yml b/...erabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-dast.yml
@@ -4,13 +4,20 @@ spring.config.activate.on-loader-plugin: ssc
 json.gitlab.dast.filter.expr: vuln.engineType=='WEBINSPECT'
 json.gitlab.dast.format:
   fields:
-    schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v14.0.0/dist/dast-report-format.json
-    version: 14.0.0
+    schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v15.0.0/dist/dast-report-format.json
+    version: 15.0.0
     scan:
       start_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentDynamicScan?.uploadDate?:'1970-01-01T00:00:00')]
       end_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentDynamicScan?.uploadDate?:'1970-01-01T00:00:00')]
       status: success
       type: dast
+      analyzer:
+        id: fortify-webinspect
+        name: Fortify WebInspect
+        url: https://www.microfocus.com/en-us/products/application-security-testing/overview
+        version: WebInspect $[applicationVersion.currentDynamicScan?.engineVersion?:'version unknown']
+        vendor:
+          name: Fortify
       scanner:
         id: fortify-webinspect
         name: Fortify WebInspect
@@ -39,7 +46,7 @@ json.gitlab.dast.format:
     cve: 'N/A'
     severity: $[vuln.friority]
     confidence: $[(vuln.friority matches "(Critical|Medium)") ? "High":"Low" ]
-    solution: $[#abbreviate(#htmlToText(vuln.details?.detail)+'\n\n'+#htmlToText(vuln.details?.recommendation), 7000)]
+    solution: $[#abbreviate(#htmlToText(vuln.details?.brief)+'\n\n'+#htmlToText(vuln.details?.recommendation), 7000)]
     scanner:
       id: fortify-webinspect
       name: Fortify WebInspect

diff --git a/...lityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-debricked.yml b/...lityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-debricked.yml
@@ -0,0 +1,63 @@
+---
+spring.config.activate.on-loader-plugin: ssc
+
+json.gitlab.debricked.filter.expr: vuln.engineType=='DEBRICKED'
+json.gitlab.debricked.format:
+  fields:
+    schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v15.0.0/dist/dependency-scanning-report-format.json
+    version: 15.0.0
+    scan:
+      start_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentDebrickedScan?.uploadDate?:'1970-01-01T00:00:00')]
+      end_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentDebrickedScan?.uploadDate?:'1970-01-01T00:00:00')]
+      status: success
+      type: dependency_scanning
+      analyzer:
+        id: fortify-debricked
+        name: Fortify/Debricked
+        url: https://www.microfocus.com/en-us/products/application-security-testing/overview
+        version: Debricked Fortify Parser Plugin $[applicationVersion.currentDebrickedScan?.engineVersion?:'version unknown']
+        vendor:
+          name: Fortify+Debricked
+      scanner:
+        id: fortify-debricked
+        name: Fortify/Debricked
+        url: https://www.microfocus.com/en-us/products/application-security-testing/overview
+        version: Debricked Fortify Parser Plugin $[applicationVersion.currentDebrickedScan?.engineVersion?:'version unknown']
+        vendor: 
+          name: Fortify+Debricked
+    dependency_files: $[{}]
+    vulnerabilities: $[vulnerabilityMappers.vulnerability.get()]
+  vulnerabilityMappers.vulnerability.fields:
+    id: $[vuln.issueInstanceId]
+    category: dependency_scanning
+    name: $[vuln.issueName]
+    message: $[vuln.issueName]
+    description: $[#abbreviate(#htmlToText(vuln.details?.brief), 15000)]
+    cve: $[vuln.details?.customAttributes?.externalId]
+    severity: $[vuln.friority]
+    confidence: $[(vuln.friority matches "(Critical|Medium)") ? "High":"Low" ]
+    scanner:
+      id: fortify-debricked
+      name: Fortify/Debricked
+    identifiers:
+      - name:  "Instance id: $[vuln.issueInstanceId]"
+        type:  issueInstanceId
+        value: $[vuln.issueInstanceId]
+        url:   $[vuln.deepLink]
+    links:
+      - name: Additional issue details, including analysis trace, in Software Security Center
+        url:  $[vuln.deepLink]
+      - name: CWE URL
+        url:  $[vuln.details?.customAttributes?.externalUrl]
+    location:
+      file:           $[vuln.fullFileName]
+      dependency:
+        package:
+          name:  $[vuln.details?.customAttributes?.componentName > '' ? vuln.details?.customAttributes?.componentName :'Not Set']
+        version: $[vuln.details?.customAttributes?.componentVersion > '' ? vuln.details?.customAttributes?.componentVersion :'Not Set' ]
+
+
+
+
+
+
diff --git a/...erabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-sast.yml b/...erabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-sast.yml
@@ -4,20 +4,27 @@ spring.config.activate.on-loader-plugin: ssc
 json.gitlab.sast.filter.expr: vuln.engineType=='SCA'
 json.gitlab.sast.format:
   fields:
-    schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v14.0.0/dist/sast-report-format.json
-    version: 14.0.0
+    schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v15.0.0/dist/sast-report-format.json
+    version: 15.0.0
     scan:
       start_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentStaticScan?.uploadDate?:'1970-01-01T00:00:00')]
       end_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentStaticScan?.uploadDate?:'1970-01-01T00:00:00')]
       status: success
       type: sast
-      scanner:
+      analyzer:
         id: fortify-sca
         name: Fortify SCA
         url: https://www.microfocus.com/en-us/products/application-security-testing/overview
         version: SCA $[applicationVersion.currentStaticScan?.engineVersion?:'version unknown']
         vendor: 
           name: Fortify
+      scanner:
+        id: fortify-sca
+        name: Fortify SCA
+        url: https://www.microfocus.com/en-us/products/application-security-testing/overview
+        version: SCA $[applicationVersion.currentStaticScan?.engineVersion?:'version unknown']
+        vendor:
+          name: Fortify
     vulnerabilities: $[vulnerabilityMappers.vulnerability.get()]
   vulnerabilityMappers.vulnerability.fields:
     id: $[vuln.issueInstanceId]

diff --git a/...ilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-sonatype.yml b/...ilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-sonatype.yml
@@ -4,13 +4,20 @@ spring.config.activate.on-loader-plugin: ssc
 json.gitlab.sonatype.filter.expr: vuln.engineType=='SONATYPE'
 json.gitlab.sonatype.format:
   fields:
-    schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v14.0.0/dist/dependency-scanning-report-format.json
-    version: 14.0.0
+    schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v15.0.0/dist/dependency-scanning-report-format.json
+    version: 15.0.0
     scan:
       start_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentSonatypeScan?.uploadDate?:'1970-01-01T00:00:00')]
       end_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentSonatypeScan?.uploadDate?:'1970-01-01T00:00:00')]
       status: success
       type: dependency_scanning
+      analyzer:
+        id: fortify-sonatype
+        name: Fortify/Sonatype
+        url: https://www.microfocus.com/en-us/products/application-security-testing/overview
+        version: Sonatype Fortify Parser Plugin $[applicationVersion.currentSonatypeScan?.engineVersion?:'version unknown']
+        vendor:
+          name: Fortify+Sonatype
       scanner:
         id: fortify-sonatype
         name: Fortify/Sonatype
@@ -45,8 +52,8 @@ json.gitlab.sonatype.format:
     location:
       file:           $[vuln.fullFileName]
       dependency:
-        package.name: $[vuln.details?.customAttributes?.artifact]
-        version:      $[vuln.details?.customAttributes?.version]    
+        package.name: $[vuln.details?.customAttributes?.artifact > '' ? vuln.details?.customAttributes?.artifact :'Not Set']
+        version:      $[vuln.details?.customAttributes?.version > '' ? vuln.details?.customAttributes?.version :'Not Set']
 
 
 

diff --git a/config/SSCToGitLab.yml b/config/SSCToGitLab.yml
@@ -2,7 +2,7 @@
 
 export:
   from: ssc
-  to: json.gitlab.sast, json.gitlab.dast, json.gitlab.sonatype
+  to: json.gitlab.sast, json.gitlab.dast, json.gitlab.sonatype, json.gitlab.debricked
 
 ssc:
   version:
@@ -31,5 +31,9 @@ json.gitlab.dast.output:
 json.gitlab.sonatype.output:
   stdout: false                                        # Disabled by default to avoid vulnerability data being exposed through log files
   pretty: true                                         # Useful for debugging, disable for optimal performance
-  file:   ${export.dir}/gl-fortify-depscan.json        # Output file
-
+  file:   ${export.dir}/gl-fortify-sonatype-depscan.json  # Output file
+
+json.gitlab.debricked.output:
+  stdout: false                                        # Disabled by default to avoid vulnerability data being exposed through log files
+  pretty: true                                         # Useful for debugging, disable for optimal performance
+  file:   ${export.dir}/gl-fortify-debricked-depscan.json # Output file
diff --git a/config/SSCToGitLabDebricked.yml b/config/SSCToGitLabDebricked.yml
@@ -0,0 +1,22 @@
+# See FortifyVulnerabilityExporter documentation for SSC connection settings and application version selection
+
+export:
+  from: ssc
+  to: json.gitlab.debricked
+
+ssc:
+  version:
+    embed:
+      - subEntity: currentDebrickedScan
+        onError: LOG_INFO
+  vulnerability:
+    filterParam: ISSUE[11111111-1111-1111-1111-111111111151]:DEBRICKED   # Have SSC return only Debricked issues
+    embed:                                                              # Also load details as required for GitLab output
+      - subEntity: details                                                 
+
+export.dir: ${CI_PROJECT_DIR:${export.default.dir}}    # Unless overridden, use CI_PROJECT_DIR if defined, otherwise default export dir
+json.gitlab.debricked.output:
+  stdout: false                                        # Disabled by default to avoid vulnerability data being exposed through log files
+  pretty: true                                         # Useful for debugging, disable for optimal performance
+  file:   ${export.dir}/gl-fortify-debricked-depscan.json        # Output file
+
diff --git a/config/SSCToGitLabSonatype.yml b/config/SSCToGitLabSonatype.yml
@@ -18,5 +18,5 @@ export.dir: ${CI_PROJECT_DIR:${export.default.dir}}    # Unless overridden, use
 json.gitlab.sonatype.output:
   stdout: false                                        # Disabled by default to avoid vulnerability data being exposed through log files
   pretty: true                                         # Useful for debugging, disable for optimal performance
-  file:   ${export.dir}/gl-fortify-depscan.json        # Output file
+  file:   ${export.dir}/gl-fortify-sonatype-depscan.json  # Output file
 
diff --git a/doc-resources/repo-usage.md b/doc-resources/repo-usage.md
@@ -446,7 +446,7 @@ fortify_scanning:
       dast: gl-fortify-dast.json
 ```
 
-The configuration file `/config/FoDToGitLab.yml` used in this example outputs all available GitLab reports. Alternatively, you can use `/config/FoDToGitLabSAST.yml` or `/config/FoDToGitLabDAST.yml` to output only a SAST or DAST report respectively. Note that contrary to the [SSC implementation](#ssc-to-gitlab), outputting Sonatype/dependency scanning 
+The configuration file `/config/FoDToGitLab.yml` used in this example outputs all available GitLab reports. Alternatively, you can use `/config/FoDToGitLabSAST.yml` or `/config/FoDToGitLabDAST.yml` to output only a SAST or DAST report respectively. Note that contrary to the [SSC implementation](#ssc-to-gitlab), outputting Debricked or Sonatype dependency scanning 
 results from FoD is not yet supported.
 
 As described in the [CI/CD Integration](#cicd-integration) section, you can optionally combine this with other Fortify tools to create a full workflow that scans your code and makes the results available on GitLab.
@@ -471,11 +471,12 @@ fortify_scanning:
   artifacts:
     reports:
       sast: gl-fortify-sast.json
-      dast: gl-fortify-dast.json
-      dependency_scanning: gl-fortify-depscan.json
+      dependency_scanning: gl-fortify-debricked-depscan.json
+      # Or for Sonatype Nexus IQ use: gl-fortify-sonatype-depscan.json
 ```
 
-The configuration file `/config/SSCToGitLab.yml` used in this example outputs all available GitLab reports. Alternatively, you can use `/config/SSCToGitLabSAST.yml`, `/config/SSCToGitLabDAST.yml`, or `/config/SSCToGitLabSonatype.yml` to output only a SAST, DAST or Sonatype report respectively.
+The configuration file `/config/SSCToGitLab.yml` used in this example outputs all available GitLab reports. Alternatively, you can use `/config/SSCToGitLabSAST.yml`, `/config/SSCToGitLabDAST.yml`, `/config/SSCToGitLabDebricked.yml` or `/config/SSCToGitLabSonatype.yml`
+to output only a SAST, DAST, Debricked SCA or Sonatype SCA report respectively.
 
 As described in the [CI/CD Integration](#cicd-integration) section, you can optionally combine this with other Fortify tools to create a full workflow that scans your code and makes the results available on GitLab.
 
@@ -558,6 +559,7 @@ At the moment of writing, DefectDojo supports GitLab SAST and GitLab Dependency
 
 * [Export FoD SAST results to a GitLab SAST report](#fod-to-gitlab) and import this report into DefectDojo
 * [Export SSC SAST results to a GitLab SAST report](#ssc-to-gitlab) and import this report into DefectDojo
+* [Export SSC Debricked results to a GitLab Dependency Scanning report](#ssc-to-gitlab) and import this report into DefectDojo
 * [Export SSC Sonatype results to a GitLab Dependency Scanning report](#ssc-to-gitlab) and import this report into DefectDojo
 * [Export other FoD or SSC results to CSV format](#csv-export) and import the CSV file into DefectDojo