Aws content update

AWS/README.md

@@ -1,13 +1,12 @@
 # AWS Templates
-AWS templates will help onboard applications with application security integration. Fortify platform support AWS Codestar services so DevOps teams will be able to directly leverage these templates as part of pipeline automation. AWS CodeStar service supports Continious Delivery using their own defined YML files during build and release. 
-
+AWS templates will help onboard applications with application security integration. Fortify platform support AWS CodeBuild services so DevOps teams will be able to directly leverage these templates as part of pipeline automation. AWS CodeBuild service supports Continious Delivery using their own defined YML files during build and release. 
 
 1.	BuildSpec.yml : This template used to build and generate artifacts using AWS managed services. It depicts the CI process in DevSecOps framework.
 
 2.	AppSpec.yml : This template used to deploy the artifacts generated by the CI process. It depicts the CD process in DevSecOps framework.
 
 
-## Integrating Fortify with AWS CodeStar
+## Integrating Fortify with AWS CodeBuild
 Integrating Fortify with CI process is fairly simple pull and push switch using the templates given in the above folders.  Fortify can be integrated using below steps.
 
 1. Identify your Fortify solution (Fortify on-premises or Fortify on Demand)

AWS/SAST/DotNet_Sample/buildspec.yml

@@ -30,7 +30,7 @@ phases:
 #      - dotnet vstest AspNetCoreWebApplicationTest/bin/release/netcoreapp3.1/AspNetCoreWebApplicationTest.dll
   post_build:
     commands:
-      # Do not remove this statement. This command is required for AWS CodeStar projects.
+      # Do not remove this statement. This command is required for AWS CodeBuild projects.
       # Update the AWS Partition, AWS Region, account ID and project ID in the project ARN in template-configuration.json file so AWS CloudFormation can tag project resources.
       - sed -i.bak 's/\$PARTITION\$/'${PARTITION}'/g;s/\$AWS_REGION\$/'${AWS_REGION}'/g;s/\$ACCOUNT_ID\$/'${ACCOUNT_ID}'/g;s/\$PROJECT_ID\$/'${PROJECT_ID}'/g' template-configuration.json
       ###################################################

AWS/SAST/DotNet_Sample/fortify_sast_fod_template.bash

@@ -2,7 +2,7 @@
 
 # *** Configuration ***
 
-# Integrate Fortify On Demand Static AppSec Testing (SAST) into your AWS Codestar pipeline
+# Integrate Fortify On Demand Static AppSec Testing (SAST) into your AWS CodeBuild pipeline
 # Below Parameters must be defined in buildspec.yml
 	# FOD_TENANT
 	# FOD_USER	
@@ -13,8 +13,8 @@
 fod_url='https://ams.fortify.com'
 fod_api_url='https://api.ams.fortify.com/'
 fod_uploader_opts='-ep 2 -pp 0 -I 1 -apf'
-fod_notes="Triggered by AWS Codestar"
-scancentral_client_version='22.2.0'
+fod_notes="Triggered by AWS CodeBuild"
+scancentral_client_version='23.1.0'
 fod_uploader_version='5.4.0'
 fcli_version='v1.1.0'
 fcli_sha='5553766f0f771abdf27f4c6b6d38a34825a64aaa5d72cfd03c68d7e2f43a49a0'
@@ -52,7 +52,7 @@ fcli tool sc-client install $scancentral_client_version -d $scancentral_home
 fcli tool fodupload install $fod_uploader_version -d $fod_uploader_home
 
 # Generate Package for upload to Fortify on Demand
-zip -r package.zip .
+scancentral package -oss -o package.zip
 
 
 echo "INFO: start submitting scan"

AWS/SAST/DotNet_Sample/fortify_sast_scancentral_template.bash

@@ -1,5 +1,5 @@
 #!/bin/bash
-# Integrate Fortify ScanCentral Static AppSec Testing (SAST) into your AWS Codestar pipeline
+# Integrate Fortify ScanCentral Static AppSec Testing (SAST) into your AWS CodeBuild pipeline
 
 # *** Configuration ***
 
@@ -12,7 +12,7 @@ export FCLI_DEFAULT_SSC_URL=$FCLI_DEFAULT_SSC_URL
 ssc_app_version_id=$SSC_APP_VERSION_ID
 
 # Local variables (modify as needed)
-scancentral_client_version='22.2.0'
+scancentral_client_version='23.1.0'
 fcli_version='v1.1.0'
 fcli_sha='5553766f0f771abdf27f4c6b6d38a34825a64aaa5d72cfd03c68d7e2f43a49a0'
 
@@ -50,7 +50,7 @@ echo Setting connection with Fortify Platform
 fcli ssc session login
 fcli sc-sast session login
 
-scancentral package -bt none -o package.zip
+scancentral package -o package.zip
 
 fcli sc-sast scan start --appversion=$ssc_app_version_id --upload --sensor-version=$scancentral_client_version --package-file=package.zip --store='?'
 echo "INFO: Scan Submitted Successfully..."
@@ -60,4 +60,4 @@ fcli ssc appversion-vuln count --appversion=$SSC_APP_VERSION_ID
 
 echo Terminating connection with Fortify Platform
 fcli sc-sast session logout
-fcli ssc session logout
+fcli ssc session logout

AWS/SAST/Java_Sample/buildspec.yml

@@ -31,7 +31,7 @@ phases:
       - mvn package
   post_build:
     commands:
-      # Do not remove this statement. This command is required for AWS CodeStar projects.
+      # Do not remove this statement. This command is required for AWS CodeBuild projects.
       # Update the AWS Partition, AWS Region, account ID and project ID in the project ARN in template-configuration.json file so AWS CloudFormation can tag project resources.
       - sed -i.bak 's/\$PARTITION\$/'${PARTITION}'/g;s/\$AWS_REGION\$/'${AWS_REGION}'/g;s/\$ACCOUNT_ID\$/'${ACCOUNT_ID}'/g;s/\$PROJECT_ID\$/'${PROJECT_ID}'/g' template-configuration.json
       ###################################################

AWS/SAST/Java_Sample/fortify_sast_fod_template.bash

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 # *** Configuration ***
-# Integrate Fortify On Demand Static AppSec Testing (SAST) into your AWS Codestar pipeline
+# Integrate Fortify On Demand Static AppSec Testing (SAST) into your AWS CodeBuild pipeline
 # Below Parameters must be defined in buildspec.yml
 	# FOD_TENANT
 	# FOD_USER	
@@ -12,8 +12,8 @@
 fod_url='https://ams.fortify.com'
 fod_api_url='https://api.ams.fortify.com/'
 fod_uploader_opts='-ep 2 -pp 0 -I 1 -apf'
-fod_notes="Triggered by OCI DevOps"
-scancentral_client_version='22.2.0'
+fod_notes="Triggered by AWS CodeBuild"
+scancentral_client_version='23.1.0'
 fod_uploader_version='5.4.0'
 fcli_version='v1.1.0'
 fcli_sha='5553766f0f771abdf27f4c6b6d38a34825a64aaa5d72cfd03c68d7e2f43a49a0'
@@ -51,7 +51,7 @@ fcli tool sc-client install $scancentral_client_version -d $scancentral_home
 fcli tool fodupload install $fod_uploader_version -d $fod_uploader_home
 
 # Generate Java Package for upload to Fortify on Demand
-scancentral package -bt mvn -oss -o package.zip
+scancentral package -oss -o package.zip
 
 echo "INFO: start submitting scan"
 FoDUpload -z package.zip -aurl $fod_api_url -purl $fod_url -rid ${FOD_RELEASE_ID} -tc ${FOD_TENANT} -uc ${FOD_USER} ${FOD_PWD} $fod_uploader_opts -n "$fod_notes"

AWS/SAST/Java_Sample/fortify_sast_local_java_template.bash

@@ -12,12 +12,12 @@ app_version_id="<<APP_VERSION_ID>>"					# application version id from SSC
 pull_result_from_ssc=true
 
 #Parameters to configure installable
-fortify_install="Fortify_SCA_and_Apps_21.1.1_linux_x64.run" # installer file name, this may change based on version of installer. 
+fortify_install="Fortify_SCA_and_Apps_23.1.0_linux_x64.run" # installer file name, this may change based on version of installer. 
 fortify_license="fortify.license" 					#SAST license file name
 
 #Parameter for AWS S3 bucket
 s3_storage_required=true
-s3_bucket="<<S3 BUCKET URL>>" 					 #S3 bucket URL i.e. s3://aws-codestar-us-east-1********
+s3_bucket="<<S3 BUCKET URL>>" 					 #S3 bucket URL i.e. s3://aws-codebuild-us-east-1********
 #End of Parameters Section
 
 #Download required files, please ensure the URL is available
@@ -40,7 +40,7 @@ chmod +x "$fortify_install"
 # End of Download
 
 #Installation of SCA
-install_dir="/opt/Fortify/Fortify_SCA_and_Apps_21.1.1"
+install_dir="/opt/Fortify/Fortify_SCA_and_Apps_23.1.0"
 ./$fortify_install --fortify_license_path ./$fortify_license --mode unattended --installdir $install_dir/
 
 e=$?        # return code last command

AWS/SAST/Java_Sample/fortify_sast_scancentral_template.bash

@@ -1,5 +1,5 @@
 #!/bin/bash
-# Integrate Fortify ScanCentral Static AppSec Testing (SAST) into your AWS Codestar pipeline
+# Integrate Fortify ScanCentral Static AppSec Testing (SAST) into your AWS CodeBuild pipeline
 
 # *** Configuration ***
 # The following variables must be defined in buildspect.yml
@@ -11,7 +11,7 @@ export FCLI_DEFAULT_SSC_URL=$FCLI_DEFAULT_SSC_URL
 ssc_app_version_id=$SSC_APP_VERSION_ID
 
 # Local variables (modify as needed)
-scancentral_client_version='22.2.0'
+scancentral_client_version='23.1.0'
 fcli_version='v1.1.0'
 fcli_sha='5553766f0f771abdf27f4c6b6d38a34825a64aaa5d72cfd03c68d7e2f43a49a0'
 
@@ -49,7 +49,7 @@ echo Setting connection with Fortify Platform
 fcli ssc session login
 fcli sc-sast session login
 
-scancentral package -bt mvn -o package.zip
+scancentral package -o package.zip
 
 fcli sc-sast scan start --appversion=$ssc_app_version_id --upload --sensor-version=$scancentral_client_version --package-file=package.zip --store='?'
 echo "INFO: Scan Submitted Successfully..."
@@ -59,4 +59,4 @@ fcli ssc appversion-vuln count --appversion=$SSC_APP_VERSION_ID
 
 echo Terminating connection with Fortify Platform
 fcli sc-sast session logout
-fcli ssc session logout
+fcli ssc session logout

GCP/SAST/Java_Sample_With_FortifyCITools/cloudbuild_fortify_sast_fod.yaml

@@ -10,7 +10,7 @@
   args: 
     - -c
     - |
-       scancentral package -bt mvn -oss -o package.zip
+       scancentral package -oss -o package.zip
        FoDUpload -z package.zip -aurl $$FOD_API_URL -purl $$FOD_URL -rid $$FOD_RELEASE_ID -tc $$FOD_TENANT -uc $$FOD_USER $$FOD_PAT $$FOD_UPLOADER_OPTS -n "$$FOD_NOTES"
   secretEnv: ['FOD_RELEASE_ID', 'FOD_USER', 'FOD_PAT', 'FOD_TENANT'] 
   env:
@@ -28,4 +28,4 @@ availableSecrets:
   - versionName: projects/$PROJECT_ID/secrets/fod_pat/versions/latest
     env: 'FOD_PAT' 
   - versionName: projects/$PROJECT_ID/secrets/fod_tenant/versions/latest
-    env: 'FOD_TENANT' 
+    env: 'FOD_TENANT' 

GCP/SAST/Java_Sample_With_FortifyCITools/cloudbuild_fortify_sast_scancentral.yaml

@@ -32,5 +32,5 @@ steps:
   env:
     - 'FORTIFY_IP=${_PUBLIC_IP}'  
     - 'SSC_APP_VERSION_ID=${_SSC_APP_VERSION_ID}'
-    - 'SC_SAST_SENSOR_VERSION=22.2'
-  id: 'fortify-static-scan'
+    - 'SC_SAST_SENSOR_VERSION=23.1'
+  id: 'fortify-static-scan'

GCP/SAST/Python_Sample/cloudbuild.yaml

@@ -31,9 +31,9 @@ steps:
   secretEnv: ['FOD_RELEASE_ID', 'FOD_USER', 'FOD_PAT', 'FOD_TENANT', 'FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN', 'FCLI_DEFAULT_SSC_USER', 'FCLI_DEFAULT_SSC_PASSWORD', 'FCLI_DEFAULT_SSC_CI_TOKEN', 'FCLI_DEFAULT_SSC_URL'] 
   env:
     - 'SSC_APP_VERSION_ID=${_SSC_APP_VERSION_ID}'
-    - 'SC_SAST_SENSOR_VERSION=22.2'  
+    - 'SC_SAST_SENSOR_VERSION=23.1'  
     - 'FOD_URL=https://ams.fortify.com' 
     - 'FOD_API_URL=https://api.ams.fortify.com' 
     - 'FOD_UPLOADER_OPTS=-ep 2 -pp 0 -I 1 -apf' 
     - 'FOD_NOTES=Triggered by GCP Pipeline'     
-timeout: 2400s
+timeout: 2400s

GCP/SAST/Python_Sample/fortify_sast_fod_template.bash

@@ -13,7 +13,7 @@ fod_url='https://ams.fortify.com'
 fod_api_url='https://api.ams.fortify.com/'
 fod_uploader_opts='-ep 2 -pp 0 -I 1 -apf'
 fod_notes="Triggered by GCP CloudBuild"
-scancentral_client_version='22.2.0'
+scancentral_client_version='23.1.0'
 fod_uploader_version='5.4.0'
 fcli_version='v1.1.0'
 fcli_sha='5553766f0f771abdf27f4c6b6d38a34825a64aaa5d72cfd03c68d7e2f43a49a0'
@@ -49,10 +49,10 @@ fcli tool sc-client install $scancentral_client_version -d $scancentral_home
 fcli tool fodupload install $fod_uploader_version -d $fod_uploader_home
 
 # Generate Java Package for upload to Fortify on Demand
-scancentral package -o package.zip --build-tool none --python-requirements requirements.txt
+scancentral package -o package.zip --python-requirements requirements.txt
 
 echo "INFO: start submitting scan"
 FoDUpload -z package.zip -aurl $fod_api_url -purl $fod_url -rid ${FOD_RELEASE_ID} -tc ${FOD_TENANT} -uc ${FOD_USER} ${FOD_PWD} $fod_uploader_opts -n "$fod_notes"
 
 
-echo "INFO: Scan Submitted Successfully..."
+echo "INFO: Scan Submitted Successfully..."

GCP/SAST/Python_Sample/fortify_sast_scancentral_template.bash

@@ -11,7 +11,7 @@ export FCLI_DEFAULT_SSC_URL=$FCLI_DEFAULT_SSC_URL
 ssc_app_version_id=$SSC_APP_VERSION_ID
 
 # Local variables (modify as needed)
-scancentral_client_version='22.2.0'
+scancentral_client_version='23.1.0'
 fcli_version='v1.1.0'
 fcli_sha='5553766f0f771abdf27f4c6b6d38a34825a64aaa5d72cfd03c68d7e2f43a49a0'
 
@@ -49,7 +49,7 @@ echo Setting connection with Fortify Platform
 fcli ssc session login
 fcli sc-sast session login
 
-scancentral package -bt none -o package.zip --python-requirements requirements.txt
+scancentral package -o package.zip --python-requirements requirements.txt
 
 fcli sc-sast scan start --appversion=$ssc_app_version_id --upload --sensor-version=$scancentral_client_version --package-file=package.zip --store='?'
 echo "INFO: Scan Submitted Successfully..."
@@ -59,4 +59,4 @@ fcli ssc appversion-vuln count --appversion=$SSC_APP_VERSION_ID
 
 echo Terminating connection with Fortify Platform
 fcli sc-sast session logout
-fcli ssc session logout
+fcli ssc session logout

OCI/SAST/Java_App/fortify-sast-fod.bash

@@ -14,7 +14,7 @@ fod_url='https://ams.fortify.com'
 fod_api_url='https://api.ams.fortify.com/'
 fod_uploader_opts='-ep 2 -pp 0 -I 1 -apf'
 fod_notes="Triggered by OCI DevOps"
-scancentral_client_version='22.2.0'
+scancentral_client_version='23.1.0'
 fod_uploader_version='5.4.0'
 fcli_version='v1.1.0'
 fcli_sha='5553766f0f771abdf27f4c6b6d38a34825a64aaa5d72cfd03c68d7e2f43a49a0'
@@ -51,7 +51,7 @@ fcli tool sc-client install $scancentral_client_version -d $scancentral_home
 fcli tool fodupload install $fod_uploader_version -d $fod_uploader_home
 
 # Generate Java Package for upload to Fortify on Demand
-scancentral package -bt mvn -oss -o package.zip
+scancentral package -oss -o package.zip
 
 echo 'start submitting scan'
 FoDUpload -z package.zip -aurl $fod_api_url -purl $fod_url -rid ${FOD_RELEASE_ID} -tc ${FOD_TENANT} -uc ${FOD_USER} ${FOD_PWD} $fod_uploader_opts -n "$fod_notes"

OCI/SAST/Java_App/fortify_sast_scancentral.bash

@@ -12,7 +12,7 @@
 	# SSC_APP_VERSION_ID
 
 # Local variables (modify as needed)
-scancentral_client_version='22.2.0'
+scancentral_client_version='23.1.0'
 fcli_version='v1.1.0'
 fcli_sha='5553766f0f771abdf27f4c6b6d38a34825a64aaa5d72cfd03c68d7e2f43a49a0'
 
@@ -58,4 +58,4 @@ fcli ssc appversion-vuln count --appversion=${SSC_APP_VERSION_ID}
 
 echo Terminating connection with Fortify Platform
 fcli sc-sast session logout
-fcli ssc session logout
+fcli ssc session logout

README.md

@@ -13,7 +13,7 @@
 
 Modern software delivery is synonymous with DevSecOps, meanwhile Software portfolios are in the midst of Cloud Transformation spanning cloud native, to lift-and-shift, and everything in between.  Security must keep pace with the ‘everything-as-code’ era to transition from point of friction to enablement, without sacrificing quality.  Fortify offers end-to-end application security solutions with the flexibility of testing on-premises and on-demand to scale and cover the entire software development lifecycle. Fortify integrates into your existing development toolchain seamlessly, giving you the highest quality findings and remediation advice during every stage, creating more secure software. With Fortify, you don’t need to trade quality of results for speed.
 
-This project provides developers a collection of reference templates and implementations to enable seamless integration of Fortify tools with cloud native development. The entire project consist of pipeline as code and automated scripts to help integrate Foritfy in different public cloud providers such as Azure DevOps, AWS CodeStar, Google Cloud Platform and Oracle Cloud Infrastructure. In order to support developers and application security teams, we have created a templates which could help integrate Fortify static application security testing (SAST) and dynamic application security testing (DAST) into CI/CD pipelines faster and helps applications onboard faster.
+This project provides developers a collection of reference templates and implementations to enable seamless integration of Fortify tools with cloud native development. The entire project consist of pipeline as code and automated scripts to help integrate Foritfy in different public cloud providers such as Azure DevOps, AWS CodeBuild, Google Cloud Platform and Oracle Cloud Infrastructure. In order to support developers and application security teams, we have created a templates which could help integrate Fortify static application security testing (SAST) and dynamic application security testing (DAST) into CI/CD pipelines faster and helps applications onboard faster.
 
 <!-- END-INCLUDE:repo-intro.md -->