From a2bfd3434813da60ddf7f9466696a3afaf5f6b2a Mon Sep 17 00:00:00 2001
From: kadraman
Date: Fri, 27 Jan 2023 13:05:40 +0000
Subject: [PATCH 1/3] fix: Update GitLab schema version to 15.0.0 (fixes #51) feat: Add Debricked support for GitLab SCA Import (implements #52 for GitLab)
---
 .../from/ssc/FromSSCVulnerabilityLoader.java | 2 +
 .../pluginConfig/json-gitlab-fod-dast.yml | 11 +++-
 .../pluginConfig/json-gitlab-fod-sast.yml | 11 +++-
 .../pluginConfig/json-gitlab-ssc-dast.yml | 13 +++-
 .../json-gitlab-ssc-debricked.yml | 63 +++++++++++++++++++
 .../pluginConfig/json-gitlab-ssc-sast.yml | 13 +++-
 .../pluginConfig/json-gitlab-ssc-sonatype.yml | 11 +++-
 config/SSCToGitLabDebricked.yml | 22 +++++++
 8 files changed, 134 insertions(+), 12 deletions(-)
 create mode 100644 FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-debricked.yml
 create mode 100644 config/SSCToGitLabDebricked.yml
diff --git a/FortifyVulnerabilityExporter-plugin-from-ssc/src/main/java/com/fortify/vulnexport/from/ssc/FromSSCVulnerabilityLoader.java b/FortifyVulnerabilityExporter-plugin-from-ssc/src/main/java/com/fortify/vulnexport/from/ssc/FromSSCVulnerabilityLoader.java
index d870374..6e86500 100644
--- a/FortifyVulnerabilityExporter-plugin-from-ssc/src/main/java/com/fortify/vulnexport/from/ssc/FromSSCVulnerabilityLoader.java
+++ b/FortifyVulnerabilityExporter-plugin-from-ssc/src/main/java/com/fortify/vulnexport/from/ssc/FromSSCVulnerabilityLoader.java
@@ -144,6 +144,8 @@ private void embed(SSCApplicationVersionsQueryBuilder qb, SSCEmbedConfig config)
 embedCurrentScan(qb, config, "currentDynamicScanId", "WEBINSPECT"); return; case "currentSonatypeScan": embedCurrentScan(qb, config, "currentSonatypeScanId", "SONATYPE"); return;
+ case "currentDebrickedScan":
+ embedCurrentScan(qb, config, "currentDebrickedScanId", "DEBRICKED"); return;
 } } qb.embed(config);
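Review bot: The new `case "currentDebrickedScan"` follows the existing pattern, but the engine-type literal `"DEBRICKED"` it passes to embedCurrentScan has to agree with the `vuln.engineType=='DEBRICKED'` filter expression in json-gitlab-ssc-debricked.yml and with the `:DEBRICKED` suffix of the SSC `filterParam` in config/SSCToGitLabDebricked.yml, and nothing in the code records that coupling. A comment above the switch such as `// engine type strings must match the engineType filter in the corresponding pluginConfig/*.yml` would make the dependency visible to the next person adding a scan type. The enclosing `embed` method begins before this hunk.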
diff --git a/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-fod-dast.yml b/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-fod-dast.yml
index 3785348..3d56064 100644
--- a/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-fod-dast.yml
+++ b/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-fod-dast.yml
@@ -4,13 +4,20 @@ spring.config.activate.on-loader-plugin: fod
 json.gitlab.dast.filter.expr: vuln.scantype=='Dynamic'
 json.gitlab.dast.format:
 fields:
- schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v14.0.0/dist/dast-report-format.json
- version: 14.0.0
+ schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v15.0.0/dist/dast-report-format.json
+ version: 15.0.0
 scan:
 start_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", release.dynamicScanSummary?.startedDateTime?:'1970-01-01T00:00:00')]
 end_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", release.dynamicScanSummary?.completedDateTime?:'1970-01-01T00:00:00')]
 status: $[release.dynamicAnalysisStatusTypeId==2?'success':'failure']
 type: dast
+ analyzer:
+ id: FoD-DAST
+ name: Fortify on Demand
+ url: https://www.microfocus.com/en-us/products/application-security-testing/overview
+ version: WebInspect $[release.dynamicScanSummary?.scanToolVersion?:'version unknown']
+ vendor:
+ name: Fortify
 scanner:
 id: FoD-DAST
 name: Fortify on Demand
diff --git a/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-fod-sast.yml b/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-fod-sast.yml
index 5a2d812..7599d58 100644
--- a/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-fod-sast.yml
+++ b/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-fod-sast.yml
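Review bot: The added `analyzer:` block is a field-for-field copy of the existing `scanner:` block (id, name, url, version, vendor), and the same duplication is introduced in json-gitlab-fod-sast.yml, json-gitlab-ssc-dast.yml, json-gitlab-ssc-sast.yml, json-gitlab-ssc-sonatype.yml and the new json-gitlab-ssc-debricked.yml. The two blocks will drift silently the next time one of the `version:` expressions is touched, and nothing says why the values are repeated rather than shared. Presumably the move to report schema 15.0.0 is what makes `scan.analyzer` necessary; a one-line comment above each `analyzer:` such as `# scan.analyzer is needed by report schema 15.0.0; keep in sync with scan.scanner below` would record that and point the maintainer at the second copy.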
@@ -4,13 +4,20 @@ spring.config.activate.on-loader-plugin: fod
 json.gitlab.sast.filter.expr: vuln.scantype=='Static'
 json.gitlab.sast.format:
 fields:
- schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v14.0.0/dist/sast-report-format.json
- version: 14.0.0
+ schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v15.0.0/dist/sast-report-format.json
+ version: 15.0.0
 scan:
 start_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", release.staticScanSummary?.startedDateTime?:'1970-01-01T00:00:00')]
 end_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", release.staticScanSummary?.completedDateTime?:'1970-01-01T00:00:00')]
 status: $[release.staticAnalysisStatusTypeId==2?'success':'failure']
 type: sast
+ analyzer:
+ id: FoD-SAST
+ name: Fortify on Demand
+ url: https://www.microfocus.com/en-us/products/application-security-testing/overview
+ version: SCA $[release.staticScanSummary?.staticScanSummaryDetails?.engineVersion?:'version unknown']; Rulepack $[release.staticScanSummary?.staticScanSummaryDetails?.rulePackVersion?:'version unknown']
+ vendor:
+ name: Fortify
 scanner:
 id: FoD-SAST
 name: Fortify on Demand
diff --git a/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-dast.yml b/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-dast.yml
index 23742e7..f6b712d 100644
--- a/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-dast.yml
+++ b/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-dast.yml
@@ -4,13 +4,20 @@ spring.config.activate.on-loader-plugin: ssc
 json.gitlab.dast.filter.expr: vuln.engineType=='WEBINSPECT'
 json.gitlab.dast.format:
 fields:
- schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v14.0.0/dist/dast-report-format.json
- version: 14.0.0
+ schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v15.0.0/dist/dast-report-format.json
+ version: 15.0.0
 scan:
 start_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentDynamicScan?.uploadDate?:'1970-01-01T00:00:00')]
 end_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentDynamicScan?.uploadDate?:'1970-01-01T00:00:00')]
 status: success
 type: dast
+ analyzer:
+ id: fortify-webinspect
+ name: Fortify WebInspect
+ url: https://www.microfocus.com/en-us/products/application-security-testing/overview
+ version: WebInspect $[applicationVersion.currentDynamicScan?.engineVersion?:'version unknown']
+ vendor:
+ name: Fortify
 scanner:
 id: fortify-webinspect
 name: Fortify WebInspect
@@ -39,7 +46,7 @@ json.gitlab.dast.format:
 cve: 'N/A'
 severity: $[vuln.friority]
 confidence: $[(vuln.friority matches "(Critical|Medium)") ? "High":"Low" ]
- solution: $[#abbreviate(#htmlToText(vuln.details?.detail)+'\n\n'+#htmlToText(vuln.details?.recommendation), 7000)]
+ solution: $[#abbreviate(#htmlToText(vuln.details?.brief)+'\n\n'+#htmlToText(vuln.details?.recommendation), 7000)]
 scanner:
 id: fortify-webinspect
 name: Fortify WebInspect
diff --git a/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-debricked.yml b/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-debricked.yml
new file mode 100644
index 0000000..eac3ae1
--- /dev/null
+++ b/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-debricked.yml
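Review bot: In the second hunk the DAST `solution:` text now comes from `vuln.details?.brief` instead of `vuln.details?.detail`, which changes the exported content of every WebInspect finding, yet neither the subject line nor the rest of the commit mentions it. If the intent is that `brief` is the short summary and `detail` the full HTML body (verify against the SSC details entity), the commit message should say so, and the SAST counterpart in json-gitlab-ssc-sast.yml, whose `solution:` line is outside the hunks shown, may still read `detail` and so diverge from this file.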
@@ -0,0 +1,63 @@
+---
+spring.config.activate.on-loader-plugin: ssc
+
+json.gitlab.debricked.filter.expr: vuln.engineType=='DEBRICKED'
+json.gitlab.debricked.format:
+ fields:
+ schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v15.0.0/dist/dependency-scanning-report-format.json
+ version: 15.0.0
+ scan:
+ start_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentDebrickedScan?.uploadDate?:'1970-01-01T00:00:00')]
+ end_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentDebrickedScan?.uploadDate?:'1970-01-01T00:00:00')]
+ status: success
+ type: dependency_scanning
+ analyzer:
+ id: fortify-debricked
+ name: Fortify/Debricked
+ url: https://www.microfocus.com/en-us/products/application-security-testing/overview
+ version: Debricked Fortify Parser Plugin $[applicationVersion.currentDebrickedScan?.engineVersion?:'version unknown']
+ vendor:
+ name: Fortify+Debricked
+ scanner:
+ id: fortify-debricked
+ name: Fortify/Debricked
+ url: https://www.microfocus.com/en-us/products/application-security-testing/overview
+ version: Debricked Fortify Parser Plugin $[applicationVersion.currentDebrickedScan?.engineVersion?:'version unknown']
+ vendor:
+ name: Fortify+Debricked
+ dependency_files: $[{}]
+ vulnerabilities: $[vulnerabilityMappers.vulnerability.get()]
+ vulnerabilityMappers.vulnerability.fields:
+ id: $[vuln.issueInstanceId]
+ category: dependency_scanning
+ name: $[vuln.issueName]
+ message: $[vuln.issueName]
+ description: $[#abbreviate(#htmlToText(vuln.details?.brief), 15000)]
+ cve: $[vuln.details?.customAttributes?.externalId]
+ severity: $[vuln.friority]
+ confidence: $[(vuln.friority matches "(Critical|Medium)") ? 
"High":"Low" ] + scanner: + id: fortify-debricked + name: Fortify/Debricked + identifiers: + - name: "Instance id: $[vuln.issueInstanceId]" + type: issueInstanceId + value: $[vuln.issueInstanceId] + url: $[vuln.deepLink] + links: + - name: Additional issue details, including analysis trace, in Software Security Center + url: $[vuln.deepLink] + - name: CWE URL + url: $[vuln.details?.customAttributes?.externalUrl] + location: + file: $[vuln.fullFileName] + dependency: + package: + name: $[vuln.details?.customAttributes?.componentName] + version: $[vuln.details?.customAttributes?.componentVersion] + + + + + + \ No newline at end of file diff --git a/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-sast.yml b/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-sast.yml index c995300..c217644 100644 --- a/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-sast.yml +++ b/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-sast.yml 
@@ -4,20 +4,27 @@ spring.config.activate.on-loader-plugin: ssc
 json.gitlab.sast.filter.expr: vuln.engineType=='SCA'
 json.gitlab.sast.format:
 fields:
- schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v14.0.0/dist/sast-report-format.json
- version: 14.0.0
+ schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v15.0.0/dist/sast-report-format.json
+ version: 15.0.0
 scan:
 start_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentStaticScan?.uploadDate?:'1970-01-01T00:00:00')]
 end_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentStaticScan?.uploadDate?:'1970-01-01T00:00:00')]
 status: success
 type: sast
- scanner:
+ analyzer:
 id: fortify-sca
 name: Fortify SCA
 url: https://www.microfocus.com/en-us/products/application-security-testing/overview
 version: SCA $[applicationVersion.currentStaticScan?.engineVersion?:'version unknown']
 vendor:
 name: Fortify
+ scanner:
+ id: fortify-sca
+ name: Fortify SCA
+ url: https://www.microfocus.com/en-us/products/application-security-testing/overview
+ version: SCA $[applicationVersion.currentStaticScan?.engineVersion?:'version unknown']
+ vendor:
+ name: Fortify
 vulnerabilities: $[vulnerabilityMappers.vulnerability.get()]
 vulnerabilityMappers.vulnerability.fields:
 id: $[vuln.issueInstanceId]
diff --git a/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-sonatype.yml b/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-sonatype.yml
index 8aaca5e..10d8dd7 100644
--- a/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-sonatype.yml
+++ b/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-sonatype.yml
@@ -4,13 +4,20 @@ spring.config.activate.on-loader-plugin: ssc
 json.gitlab.sonatype.filter.expr: vuln.engineType=='SONATYPE'
 json.gitlab.sonatype.format:
 fields:
- schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v14.0.0/dist/dependency-scanning-report-format.json
- version: 14.0.0
+ schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v15.0.0/dist/dependency-scanning-report-format.json
+ version: 15.0.0
 scan:
 start_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentSonatypeScan?.uploadDate?:'1970-01-01T00:00:00')]
 end_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentSonatypeScan?.uploadDate?:'1970-01-01T00:00:00')]
 status: success
 type: dependency_scanning
+ analyzer:
+ id: fortify-sonatype
+ name: Fortify/Sonatype
+ url: https://www.microfocus.com/en-us/products/application-security-testing/overview
+ version: Sonatype Fortify Parser Plugin $[applicationVersion.currentSonatypeScan?.engineVersion?:'version unknown']
+ vendor:
+ name: Fortify+Sonatype
 scanner:
 id: fortify-sonatype
 name: Fortify/Sonatype
diff --git a/config/SSCToGitLabDebricked.yml b/config/SSCToGitLabDebricked.yml
new file mode 100644
index 0000000..fb2649b
--- /dev/null
+++ b/config/SSCToGitLabDebricked.yml
@@ -0,0 +1,22 @@
+# See FortifyVulnerabilityExporter documentation for SSC connection settings and application version selection
+
+export:
+ from: ssc
+ to: json.gitlab.debricked
+
+ssc:
+ version:
+ embed:
+ - subEntity: currentDebrickedScan
+ onError: LOG_INFO
+ vulnerability:
+ filterParam: ISSUE[11111111-1111-1111-1111-111111111151]:DEBRICKED # Have SSC return only Debricked issues
+ embed: # Also load details as required for GitLab output
+ - subEntity: details
+
+export.dir: ${CI_PROJECT_DIR:${export.default.dir}} # Unless overridden, use CI_PROJECT_DIR if defined, otherwise default export dir
+json.gitlab.debricked.output:
+ stdout: false # Disabled by default to avoid vulnerability data being exposed through log files
+ pretty: true # Useful for debugging, disable for optimal performance
+ file: ${export.dir}/gl-fortify-depscan.json # Output file
+
\ No newline at end of file
From c9565e3500b9c2498a525ef95f6ff9aeb5229ac3 Mon Sep 17 00:00:00 2001
From: kadraman
Date: Tue, 31 Jan 2023 13:43:00 +0000
Subject: [PATCH 2/3] feat: Add Debricked support for GitLab SCA Import (implements #52 for GitLab)
---
 .../pluginConfig/json-gitlab-ssc-debricked.yml | 4 ++--
 .../pluginConfig/json-gitlab-ssc-sonatype.yml | 4 ++--
 README.md | 9 ++++++---
 config/SSCToGitLab.yml | 10 +++++++---
 config/SSCToGitLabDebricked.yml | 2 +-
 config/SSCToGitLabSonatype.yml | 2 +-
 6 files changed, 19 insertions(+), 12 deletions(-)
diff --git a/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-debricked.yml b/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-debricked.yml
index eac3ae1..471018c 100644
--- a/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-debricked.yml
+++ b/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-debricked.yml
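Review bot: `filterParam: ISSUE[11111111-1111-1111-1111-111111111151]:DEBRICKED` hard-codes an SSC filter-attribute GUID, and the trailing comment says what the filter achieves but not what the GUID denotes or whether it is stable across SSC releases, so an operator cannot check it against their instance. A comment such as `# GUID of the <attribute-name> issue filter attribute (same as in SSCToGitLabSonatype.yml); confirm against your SSC` — with the real attribute name filled in — would make it verifiable. Separately, `onError: LOG_INFO` on the `currentDebrickedScan` embed means an application version without a Debricked scan still exports a report whose `scan.start_time`/`end_time` are the `1970-01-01T00:00:00` fallback from json-gitlab-ssc-debricked.yml; a comment stating that this degraded output is intended would stop it being read as a bug.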
@@ -53,8 +53,8 @@ json.gitlab.debricked.format:
 file: $[vuln.fullFileName]
 dependency:
 package:
- name: $[vuln.details?.customAttributes?.componentName]
- version: $[vuln.details?.customAttributes?.componentVersion]
+ name: $[vuln.details?.customAttributes?.componentName > '' ? vuln.details?.customAttributes?.componentName :'Not Set']
+ version: $[vuln.details?.customAttributes?.componentVersion > '' ? vuln.details?.customAttributes?.componentVersion :'Not Set' ]
diff --git a/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-sonatype.yml b/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-sonatype.yml
index 10d8dd7..f62bf47 100644
--- a/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-sonatype.yml
+++ b/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-sonatype.yml
@@ -52,8 +52,8 @@ json.gitlab.sonatype.format:
 location:
 file: $[vuln.fullFileName]
 dependency:
- package.name: $[vuln.details?.customAttributes?.artifact]
- version: $[vuln.details?.customAttributes?.version]
+ package.name: $[vuln.details?.customAttributes?.artifact > '' ? vuln.details?.customAttributes?.artifact :'Not Set']
+ version: $[vuln.details?.customAttributes?.version > '' ? vuln.details?.customAttributes?.version :'Not Set']
diff --git a/README.md b/README.md
index 22c4447..4ab7aa4 100644
--- a/README.md
+++ b/README.md
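Review bot: The new `name:`/`version:` expressions spell the full `vuln.details?.customAttributes?.componentName` path twice and detect "unset" with a relational `> ''` against a possibly-null string, which only works because SpEL's standard comparator orders null below any string; the same construction appears in the json-gitlab-ssc-sonatype.yml hunk below. The rest of this file already expresses defaults with the Elvis operator (`?:'version unknown'`), and SpEL's Elvis also treats an empty string as absent (worth confirming for the Spring version in use), so `name: $[vuln.details?.customAttributes?.componentName ?: 'Not Set']` reads the same and is half the length; if `> ''` is kept, a comment saying why would help. There is also a stray space before the closing bracket on the debricked `version:` line (`'Not Set' ]`).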
@@ -484,7 +484,7 @@ fortify_scanning:
 dast: gl-fortify-dast.json
 ```
-The configuration file `/config/FoDToGitLab.yml` used in this example outputs all available GitLab reports. Alternatively, you can use `/config/FoDToGitLabSAST.yml` or `/config/FoDToGitLabDAST.yml` to output only a SAST or DAST report respectively. Note that contrary to the [SSC implementation](#ssc-to-gitlab), outputting Sonatype/dependency scanning
+The configuration file `/config/FoDToGitLab.yml` used in this example outputs all available GitLab reports. Alternatively, you can use `/config/FoDToGitLabSAST.yml` or `/config/FoDToGitLabDAST.yml` to output only a SAST or DAST report respectively. Note that contrary to the [SSC implementation](#ssc-to-gitlab), outputting Debricked or Sonatype dependency scanning
 results from FoD is not yet supported.
 As described in the [CI/CD Integration](#cicd-integration) section, you can optionally combine this with other Fortify tools to create a full workflow that scans your code and makes the results available on GitLab.
@@ -510,10 +510,12 @@ fortify_scanning:
 reports:
 sast: gl-fortify-sast.json
 dast: gl-fortify-dast.json
- dependency_scanning: gl-fortify-depscan.json
+ dependency_scanning: gl-fortify-debricked-depscan.json
+ # Or for Sonatype Nexus IQ use: gl-fortify-sonatype-depscan.json
 ```
-The configuration file `/config/SSCToGitLab.yml` used in this example outputs all available GitLab reports. Alternatively, you can use `/config/SSCToGitLabSAST.yml`, `/config/SSCToGitLabDAST.yml`, or `/config/SSCToGitLabSonatype.yml` to output only a SAST, DAST or Sonatype report respectively.
+The configuration file `/config/SSCToGitLab.yml` used in this example outputs all available GitLab reports. Alternatively, you can use `/config/SSCToGitLabSAST.yml`, `/config/SSCToGitLabDAST.yml`, `/config/SSCToGitLabDebricked.yml` or `/config/SSCToGitLabSonatype.yml`
+to output only a SAST, DAST, Debricked SCA or Sonatype SCA report respectively.
 As described in the [CI/CD Integration](#cicd-integration) section, you can optionally combine this with other Fortify tools to create a full workflow that scans your code and makes the results available on GitLab.
@@ -596,6 +598,7 @@ At the moment of writing, DefectDojo supports GitLab SAST and GitLab Dependency
 * [Export FoD SAST results to a GitLab SAST report](#fod-to-gitlab) and import this report into DefectDojo
 * [Export SSC SAST results to a GitLab SAST report](#ssc-to-gitlab) and import this report into DefectDojo
+* [Export SSC Debricked results to a GitLab Dependency Scanning report](#ssc-to-gitlab) and import this report into DefectDojo
 * [Export SSC Sonatype results to a GitLab Dependency Scanning report](#ssc-to-gitlab) and import this report into DefectDojo
 * [Export other FoD or SSC results to CSV format](#csv-export) and import the CSV file into DefectDojo
diff --git a/config/SSCToGitLab.yml b/config/SSCToGitLab.yml
index 5cfbc8e..e249d80 100644
--- a/config/SSCToGitLab.yml
+++ b/config/SSCToGitLab.yml
@@ -2,7 +2,7 @@
 export:
 from: ssc
- to: json.gitlab.sast, json.gitlab.dast, json.gitlab.sonatype
+ to: json.gitlab.sast, json.gitlab.dast, json.gitlab.sonatype, json.gitlab.debricked
 ssc:
 version:
@@ -31,5 +31,9 @@ json.gitlab.dast.output:
 json.gitlab.sonatype.output:
 stdout: false # Disabled by default to avoid vulnerability data being exposed through log files
 pretty: true # Useful for debugging, disable for optimal performance
- file: ${export.dir}/gl-fortify-depscan.json # Output file
-
\ No newline at end of file
+ file: ${export.dir}/gl-fortify-sonatype-depscan.json # Output file
+
+json.gitlab.debricked.output:
+ stdout: false # Disabled by default to avoid vulnerability data being exposed through log files
+ pretty: true # Useful for debugging, disable for optimal performance
+ file: ${export.dir}/gl-fortify-debricked-depscan.json # Output file
\ No newline at end of file
diff --git a/config/SSCToGitLabDebricked.yml b/config/SSCToGitLabDebricked.yml
index fb2649b..db7c2c6 100644
--- a/config/SSCToGitLabDebricked.yml
+++ b/config/SSCToGitLabDebricked.yml
@@ -18,5 +18,5 @@ export.dir: ${CI_PROJECT_DIR:${export.default.dir}} # Unless overridden, use
 json.gitlab.debricked.output:
 stdout: false # Disabled by default to avoid vulnerability data being exposed through log files
 pretty: true # Useful for debugging, disable for optimal performance
- file: ${export.dir}/gl-fortify-depscan.json # Output file
+ file: ${export.dir}/gl-fortify-debricked-depscan.json # Output file
\ No newline at end of file
diff --git a/config/SSCToGitLabSonatype.yml b/config/SSCToGitLabSonatype.yml
index 830299d..93cefd8 100644
--- a/config/SSCToGitLabSonatype.yml
+++ b/config/SSCToGitLabSonatype.yml
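Review bot: `to:` now also lists `json.gitlab.debricked`, but the `ssc.version.embed` list of this file lies outside the hunk, and unless it embeds `currentDebrickedScan` the way config/SSCToGitLabDebricked.yml does, the Debricked report's `scan.start_time`/`end_time` will always be the `1970-01-01T00:00:00` fallback from json-gitlab-ssc-debricked.yml; likewise the `ssc.vulnerability` filter and `details` embed in this file need to cover Debricked issues for the description and package fields to be populated. Worth confirming, and if it is missing, adding `- subEntity: currentDebrickedScan` with `onError: LOG_INFO` beside the existing version embeds. The sonatype output file is renamed here in the same commit that adds the debricked output, which fixes the collision the two previously had on gl-fortify-depscan.json; a short comment on each `file:` noting that the two reports must not share a name would keep it that way.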
@@ -18,5 +18,5 @@ export.dir: ${CI_PROJECT_DIR:${export.default.dir}} # Unless overridden, use
 json.gitlab.sonatype.output:
 stdout: false # Disabled by default to avoid vulnerability data being exposed through log files
 pretty: true # Useful for debugging, disable for optimal performance
- file: ${export.dir}/gl-fortify-depscan.json # Output file
+ file: ${export.dir}/gl-fortify-sonatype-depscan.json # Output file
\ No newline at end of file
From 796d05bf698967413ca2f7002e9a0ac20d12b688 Mon Sep 17 00:00:00 2001
From: kadraman
Date: Tue, 31 Jan 2023 18:01:56 +0000
Subject: [PATCH 3/3] feat: Add Debricked support for GitLab SCA Import (implements #52 for GitLab)
---
 doc-resources/repo-usage.md | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/doc-resources/repo-usage.md b/doc-resources/repo-usage.md
index 7ce731c..e6e32b9 100644
--- a/doc-resources/repo-usage.md
+++ b/doc-resources/repo-usage.md
@@ -446,7 +446,7 @@ fortify_scanning:
 dast: gl-fortify-dast.json
 ```
-The configuration file `/config/FoDToGitLab.yml` used in this example outputs all available GitLab reports. Alternatively, you can use `/config/FoDToGitLabSAST.yml` or `/config/FoDToGitLabDAST.yml` to output only a SAST or DAST report respectively. Note that contrary to the [SSC implementation](#ssc-to-gitlab), outputting Sonatype/dependency scanning
+The configuration file `/config/FoDToGitLab.yml` used in this example outputs all available GitLab reports. Alternatively, you can use `/config/FoDToGitLabSAST.yml` or `/config/FoDToGitLabDAST.yml` to output only a SAST or DAST report respectively. Note that contrary to the [SSC implementation](#ssc-to-gitlab), outputting Debricked or Sonatype dependency scanning
 results from FoD is not yet supported.
 As described in the [CI/CD Integration](#cicd-integration) section, you can optionally combine this with other Fortify tools to create a full workflow that scans your code and makes the results available on GitLab.
@@ -471,11 +471,12 @@ fortify_scanning:
 artifacts:
 reports:
 sast: gl-fortify-sast.json
- dast: gl-fortify-dast.json
- dependency_scanning: gl-fortify-depscan.json
+ dependency_scanning: gl-fortify-debricked-depscan.json
+ # Or for Sonatype Nexus IQ use: gl-fortify-sonatype-depscan.json
 ```
-The configuration file `/config/SSCToGitLab.yml` used in this example outputs all available GitLab reports. Alternatively, you can use `/config/SSCToGitLabSAST.yml`, `/config/SSCToGitLabDAST.yml`, or `/config/SSCToGitLabSonatype.yml` to output only a SAST, DAST or Sonatype report respectively.
+The configuration file `/config/SSCToGitLab.yml` used in this example outputs all available GitLab reports. Alternatively, you can use `/config/SSCToGitLabSAST.yml`, `/config/SSCToGitLabDAST.yml`, `/config/SSCToGitLabDebricked.yml` or `/config/SSCToGitLabSonatype.yml`
+to output only a SAST, DAST, Debricked SCA or Sonatype SCA report respectively.
 As described in the [CI/CD Integration](#cicd-integration) section, you can optionally combine this with other Fortify tools to create a full workflow that scans your code and makes the results available on GitLab.
@@ -558,6 +559,7 @@ At the moment of writing, DefectDojo supports GitLab SAST and GitLab Dependency
 * [Export FoD SAST results to a GitLab SAST report](#fod-to-gitlab) and import this report into DefectDojo
 * [Export SSC SAST results to a GitLab SAST report](#ssc-to-gitlab) and import this report into DefectDojo
+* [Export SSC Debricked results to a GitLab Dependency Scanning report](#ssc-to-gitlab) and import this report into DefectDojo
 * [Export SSC Sonatype results to a GitLab Dependency Scanning report](#ssc-to-gitlab) and import this report into DefectDojo
 * [Export other FoD or SSC results to CSV format](#csv-export) and import the CSV file into DefectDojo
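Review bot: The `reports:` example in the first hunk loses its `dast: gl-fortify-dast.json` entry — the line is removed and nothing replaces it — whereas the same edit to README.md in the previous commit keeps `dast:` and only swaps the `dependency_scanning:` entry, and config/SSCToGitLab.yml still writes the DAST report. This looks like an accidental deletion; the line should be restored unchanged between `sast:` and `dependency_scanning:`: `dast: gl-fortify-dast.json`.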