Merge pull request #44 from fortify/fcli-upgrade

Fcli upgrade to 2.4.0

Author: dylanbthomas

build_spec.yaml

@@ -6,14 +6,16 @@ shell: bash
 env:
   # these are local variables to the build config
   variables:
+    "JAVA_HOME" : "/usr/lib64/graalvm/graalvm-java17"
   # the value of a vaultVariable is the secret-id (in OCI ID format) stored in the OCI Vault service
   # you can then access the value of that secret in your build_spec.yaml commands
   vaultVariables:
     # Use below variables for FORTIFY ON DEMAND integration
-    FOD_TENANT: ocid1.vaultsecret.oc1.XXXXXXX           # TENANT ID
-    FOD_USER: ocid1.vaultsecret.oc1.XXXXXXX			    # FOD USER KEY
-    FOD_PWD: ocid1.vaultsecret.oc1.XXXXXXX			    # FOD PAT
-    FOD_RELEASE_ID: ocid1.vaultsecret.oc1.XXXXXXX	    # FOD APPLICATION BASED RELEASE ID  
+    FCLI_DEFAULT_FOD_TENANT: ocid1.vaultsecret.oc1.XXXXXXX           # TENANT ID
+    FCLI_DEFAULT_FOD_USER: ocid1.vaultsecret.oc1.XXXXXXX			 # FOD USER KEY
+    FCLI_DEFAULT_FOD_PASSWORD: ocid1.vaultsecret.oc1.XXXXXXX		 # FOD PAT
+    FCLI_DEFAULT_FOD_URL: ocid.vaultsecret.oc1.XXXXXXX		         # FOD URL
+    FOD_RELEASE_ID: ocid1.vaultsecret.oc1.XXXXXXX	                 # FOD APPLICATION BASED RELEASE ID  
     # Use below variables for FORTIFY SCANCENTRAL integration
     FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN: ocid1.vaultsecret.oc1.XXXXXXX       # SCANCENTRAL CLIENT AUTH TOKEN FOR HANDSHAKE
     FCLI_DEFAULT_SSC_USER: ocid1.vaultsecret.oc1.XXXXXXX                        # SSC USERNAME
@@ -28,14 +30,18 @@ steps:
     name: "Install Prereqs"
     command: |
       java -version
-      yum install -y java-11-openjdk-devel
-      alternatives --display java
-      alternatives --set java /usr/lib/jvm/java-11-openjdk-11.0.18.0.10-1.el7_9.x86_64/bin/java
-      java -version
+      yum -y install graalvm-17-native-image
+      export PATH=$JAVA_HOME/bin:$PATH
       
+      #yum install -y java-11-openjdk-devel
+      #alternatives --display java
+      #alternatives --set java /usr/lib/jvm/java-11-openjdk-11.0.18.0.10-1.el7_9.x86_64/bin/java
+      java -version
       # install Maven
-      yum install maven
+      #yum install maven
+
       mvn --version
+      
     onFailure:
       - type: Command
         timeoutInSeconds: 40

buildspec.yml

@@ -3,10 +3,11 @@ env:
   parameter-store:
       ###############################################################
       #          INTEGRATE FORTIFY ON DEMAND                        #
-        FOD_RELEASE_ID: "/fod/releaseid"
-        FOD_TENANT: "/fod/tenant"
-        FOD_USER: "/fod/user"
-        FOD_PAT: "/fod/pat"  
+      #  FOD_RELEASE_ID_LOCAL: "/fod/releaseid"
+      #  FCLI_DEFAULT_FOD_TENANT_LOCAL: "/fod/tenant"
+      #  FCLI_DEFAULT_FOD_URL_LOCAL: "/fod/url"
+      #  FCLI_DEFAULT_FOD_CLIENT_ID_LOCAL: "/fod/client_id"
+      #  FCLI_DEFAULT_FOD_CLIENT_SECRET_LOCAL: "/fod/client_secret"  
       ###############################################################
       #           INTEGRATE FORTIFY SCANCENTRAL                     #
         FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN: "/fortify/client_auth_token"
@@ -15,13 +16,14 @@ env:
         FCLI_DEFAULT_SSC_CI_TOKEN: "/fortify/ci_token"
         FCLI_DEFAULT_SSC_URL: "/fortify/ssc_url"
         SSC_APP_VERSION_ID: "/fortify/ssc_app_versionid"
+        SSC_IP_LOCAL: "/fortify/ssc_ip"
 phases:
   install:
     runtime-versions:
-      java: corretto11
+      java: corretto17
     commands:
       # Upgrade AWS CLI to the latest version
-      - pip install --upgrade awscli
+      #- pip install --upgrade awscli
   pre_build:
     commands:
       - mvn clean
@@ -30,25 +32,19 @@ phases:
       - mvn -Pwar clean package
   post_build:
     commands:
-      # Do not remove this statement. This command is required for AWS CodeStar projects.
-      # Update the AWS Partition, AWS Region, account ID and project ID in the project ARN in template-configuration.json file so AWS CloudFormation can tag project resources.
-      - sed -i.bak 's/\$PARTITION\$/'${PARTITION}'/g;s/\$AWS_REGION\$/'${AWS_REGION}'/g;s/\$ACCOUNT_ID\$/'${ACCOUNT_ID}'/g;s/\$PROJECT_ID\$/'${PROJECT_ID}'/g' template-configuration.json
       ###############################################################
       #                 INTEGRATE FORTIFY SAST                      #
       #                                                             #
       # For FORTIFY ON DEMAND uncomment the next line               #
       #- bash devops-integrations/aws/fortify-sast-fod.bash
+      #- bash devops-integrations/aws/fortify_sast_local_java_template.bash
       #                                                             #
       # For FORTIFY SCANCENTRAL uncomment the next line             #
       - bash devops-integrations/aws/fortify_sast_scancentral.bash             
       #                                                             #
       #                                                             #
-      ###############################################################            
+      ###############################################################             
 artifacts:
   files:
-    - 'appspec.yml'
-    - 'template.yml'
-    - 'scripts/*'
     - 'devops-integrations/aws/*'
     - 'target/iwa.war'
-    - 'template-configuration.json'

cloudbuild.yaml

@@ -9,15 +9,15 @@
 #   - $$SSC_APP_VERSION_ID
 
 steps:
-- name: maven:3.6.0-jdk-11-slim
+- name: maven:3.9.7
   entrypoint: 'mvn'
   args: ['-q', 'clean', 'package', '-DskipTests']
 
 - name: 'gcr.io/cloud-builders/docker'
   args: ['build', '-t', 'gcr.io/$PROJECT_ID/iwa_java:latest', '-t', 'gcr.io/$PROJECT_ID/iwa_java:$COMMIT_SHA', '-t', 'gcr.io/$PROJECT_ID/iwa_java:$BUILD_ID', '.']
   id: 'build-image-IWAJava'
 
-- name: 'fortifydocker/fortify-ci-tools:3.14.0-jdk-11'
+- name: 'fortifydocker/fortify-ci-tools:5.4.1-jdk-17'
   entrypoint: bash
   args: 
     - -c
@@ -27,10 +27,10 @@ steps:
        fcli sc-sast session login
           
        scancentral package -bt mvn -o package.zip
-       fcli sc-sast scan start --appversion=$$SSC_APP_VERSION_ID --upload --sensor-version=$$SC_SAST_SENSOR_VERSION --package-file=package.zip --store='?'
+       fcli sc-sast scan start --publish-to=$$SSC_APP_VERSION_ID --sensor-version=$$SC_SAST_SENSOR_VERSION --package-file=package.zip --store=Id
 
-       fcli sc-sast scan wait-for '?' --interval=30s
-       fcli ssc appversion-vuln count --appversion=$$SSC_APP_VERSION_ID
+       fcli sc-sast scan wait-for ::Id:: --interval=30s
+       fcli ssc issue count --appversion=$$SSC_APP_VERSION_ID
 
        echo Terminating connection with Fortify Platform
        fcli sc-sast session logout
@@ -39,7 +39,7 @@ steps:
   env:
     - 'FORTIFY_IP=${_PUBLIC_IP}'  
     - 'SSC_APP_VERSION_ID=${_SSC_APP_VERSION_ID}'
-    - 'SC_SAST_SENSOR_VERSION=22.2'
+    - 'SC_SAST_SENSOR_VERSION=24.2'
   id: 'fortify-static-scan'
   waitFor: ['build-image-IWAJava']
 
@@ -61,7 +61,7 @@ steps:
   - '--allow-unauthenticated'
   id: 'deploy-to-cloud-run'
 
-- name: 'fortifydocker/fortify-ci-tools:3.14.0-jdk-11'
+- name: 'fortifydocker/fortify-ci-tools:5.4.1-jdk-17'
   entrypoint: "bash"
   args:
           - "-c"
@@ -70,7 +70,7 @@ steps:
               fcli ssc session login
               fcli sc-dast session login
               
-              fcli sc-dast scan start $$SC_DAST_SCAN_NAME --settings $$SC_DAST_CICD_IDENTIFIER
+              fcli sc-dast scan start --name=$$SC_DAST_SCAN_NAME --settings=$$SC_DAST_CICD_IDENTIFIER
               
               echo Terminating connection with Fortify Platform
               fcli sc-dast session logout

devops-integrations/.circleci/config-fortify-dast-scancentral.yml

@@ -5,7 +5,7 @@
 #   - $FCLI_DEFAULT_SSC_PASSWORD
 #   - $FCLI_DEFAULT_SSC_CI_TOKEN
 #   - $FCLI_DEFAULT_SSC_URL
-#   - $SSC_APP_VERSION_ID
+#   - $SC_DAST_CICD_IDENTIFIER
 version: '2.1'
 jobs:
   deploy:
@@ -15,6 +15,7 @@ jobs:
       - checkout
       - run: 
           command: |
+            echo Deploying artifacts
             jf config add --url=$ARTIFACTORY_URL --user=$ARTIFACTORY_USER --password=$ARTIFACTORY_API_KEY --interactive=false
             jf rt u "(*).jar" example-repo-local/circleci/ --recursive=false
 
@@ -24,7 +25,7 @@ jobs:
       SC_DAST_CICD_IDENTIFIER: "<<NNNNNNNNNNNNNNNN>>"
     working_directory: ~/circleci-iwajava-scancentral
     docker:
-      - image: fortifydocker/fortify-ci-tools:3.14.0-jdk-11
+      - image: fortifydocker/fortify-ci-tools:5.4.1-jdk-17
 
     steps:
       - checkout
@@ -35,8 +36,8 @@ jobs:
             #Use --insecure switch when SSL certificates are self-generated
             fcli ssc session login
             fcli sc-dast session login
-          
-            fcli sc-dast scan start $SC_DAST_SCAN_NAME --settings $SC_DAST_CICD_IDENTIFIER
+            
+            fcli sc-dast scan start --name=$SC_DAST_SCAN_NAME --settings=$SC_DAST_CICD_IDENTIFIER
 
             echo Terminating connection with Fortify Platform
             fcli sc-dast session logout

devops-integrations/.circleci/config-fortify-sast-fod.yml

@@ -1,16 +1,16 @@
 # Integrate Fortify on Demand Static AppSec Testing (SAST) into your Circle CI  pipeline
 # Renaming this file to config.yml for leveraging the file directly otherwise copy scan job content
 # The following environment variables must be defined in CircleCI context before using this job
-#   - $FOD_RELEASE_ID
-#   - $FOD_USER
-#   - $FOD_PAT
-#   - $FOD_TENANT
+#   - $FCLI_DEFAULT_FOD_TENANT
+#   - $FCLI_DEFAULT_FOD_CLIENT_ID
+#   - $FCLI_DEFAULT_FOD_CLIENT_SECRET
+#   - $FCLI_DEFAULT_FOD_URL
 version: '2.1'
 jobs:
   build:
     working_directory: ~/circleci-iwajava
     docker:
-      - image: maven:3.8.6-openjdk-11
+      - image: maven:3.8.7-openjdk-18
 
     steps:
       - checkout
@@ -33,21 +33,28 @@ jobs:
 
   scan:
     environment:
-      FOD_URL: "https://ams.fortify.com"
-      FOD_API_URL: "https://api.ams.fortify.com"
-      FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf"
       FOD_NOTES: "Triggered by CircleCI Pipeline"
+      FOD_RELEASE_ID: <NNNNNNNN>
     working_directory: ~/circleci-iwajava
     docker:
-      - image: fortifydocker/fortify-ci-tools:latest
+      - image: fortifydocker/fortify-ci-tools:5.4.1-jdk-17
 
     steps:
       - checkout
 
       - run: 
           command: |
+            echo Setting connection with Fortify Platform
+            #Use --insecure switch if the SSL certificate is self generated.
+            fcli fod session login
+
             scancentral package -bt mvn -oss -o package.zip
-            FoDUpload -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid $FOD_RELEASE_ID -tc $FOD_TENANT -uc $FOD_USER $FOD_PAT $FOD_UPLOADER_OPTS -n "$FOD_NOTES"
+            fcli fod sast start --release=$FOD_RELEASE_ID --file=package.zip --remediation=NonRemediationScanOnly --notes=$FOD_NOTES --store=Id
+
+            fcli fod sast wait-for ::Id:: --interval=30s
+            fcli fod issue list --release=$FOD_RELEASE_ID
+
+            fcli fod session logout
 
 # Orchestrate job run sequence
 workflows:

devops-integrations/.circleci/config-fortify-sast-scancentral.yml

@@ -12,7 +12,7 @@ jobs:
   build:
     working_directory: ~/circleci-iwajava-scancentral
     docker:
-      - image: maven:3.8.6-openjdk-11
+      - image: maven:3.8.7-openjdk-18
 
     steps:
       - checkout
@@ -36,10 +36,10 @@ jobs:
   sast:
     environment:
       SSC_APP_VERSION_ID: "<<$$$$>>"
-      SC_SAST_SENSOR_VERSION: "22.2"
+      SC_SAST_SENSOR_VERSION: "24.2"
     working_directory: ~/circleci-iwajava-scancentral
     docker:
-      - image: fortifydocker/fortify-ci-tools:3.14.0-jdk-11
+      - image: fortifydocker/fortify-ci-tools:5.4.1-jdk-17
 
     steps:
       - checkout
@@ -52,10 +52,10 @@ jobs:
             fcli sc-sast session login
           
             scancentral package -bt mvn -o package.zip
-            fcli sc-sast scan start --appversion=$SSC_APP_VERSION_ID --upload --sensor-version=$SC_SAST_SENSOR_VERSION --package-file=package.zip --store='?'
+            fcli sc-sast scan start --publish-to=$SSC_APP_VERSION_ID --sensor-version=$SC_SAST_SENSOR_VERSION --package-file=package.zip --store=Id
 
-            fcli sc-sast scan wait-for '?' --interval=30s
-            fcli ssc appversion-vuln count --appversion=$SSC_APP_VERSION_ID
+            fcli sc-sast scan wait-for ::Id:: --interval=30s
+            fcli ssc issue count --appversion=$SSC_APP_VERSION_ID
 
             echo Terminating connection with Fortify Platform
             fcli sc-sast session logout