fix: Update GitLab schema version to 15.0.0 (fixes fortify#51)

feat: Add Debricked support for GitLab SCA Import (implements fortify#52 for GitLab)

FortifyVulnerabilityExporter-plugin-from-ssc/src/main/java/com/fortify/vulnexport/from/ssc/FromSSCVulnerabilityLoader.java

@@ -144,6 +144,8 @@ private void embed(SSCApplicationVersionsQueryBuilder qb, SSCEmbedConfig config)
 					embedCurrentScan(qb, config, "currentDynamicScanId", "WEBINSPECT"); return;
 				case "currentSonatypeScan":
 					embedCurrentScan(qb, config, "currentSonatypeScanId", "SONATYPE"); return;
+				case "currentDebrickedScan":
+					embedCurrentScan(qb, config, "currentDebrickedScanId", "DEBRICKED"); return;
 				}
 			}
 			qb.embed(config);

FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-fod-dast.yml

@@ -4,13 +4,20 @@ spring.config.activate.on-loader-plugin: fod
 json.gitlab.dast.filter.expr: vuln.scantype=='Dynamic'
 json.gitlab.dast.format:
   fields:
-    schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v14.0.0/dist/dast-report-format.json
-    version: 14.0.0
+    schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v15.0.0/dist/dast-report-format.json
+    version: 15.0.0
     scan:
       start_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", release.dynamicScanSummary?.startedDateTime?:'1970-01-01T00:00:00')]
       end_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", release.dynamicScanSummary?.completedDateTime?:'1970-01-01T00:00:00')]
       status: $[release.dynamicAnalysisStatusTypeId==2?'success':'failure']
       type: dast
+      analyzer:
+        id: FoD-DAST
+        name: Fortify on Demand
+        url: https://www.microfocus.com/en-us/products/application-security-testing/overview
+        version: WebInspect $[release.dynamicScanSummary?.scanToolVersion?:'version unknown']
+        vendor:
+          name: Fortify
       scanner:
         id: FoD-DAST
         name: Fortify on Demand

FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-fod-sast.yml

@@ -4,13 +4,20 @@ spring.config.activate.on-loader-plugin: fod
 json.gitlab.sast.filter.expr: vuln.scantype=='Static'
 json.gitlab.sast.format:
   fields:
-    schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v14.0.0/dist/sast-report-format.json
-    version: 14.0.0
+    schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v15.0.0/dist/sast-report-format.json
+    version: 15.0.0
     scan:
       start_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", release.staticScanSummary?.startedDateTime?:'1970-01-01T00:00:00')]
       end_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", release.staticScanSummary?.completedDateTime?:'1970-01-01T00:00:00')]
       status: $[release.staticAnalysisStatusTypeId==2?'success':'failure']
       type: sast
+      analyzer:
+        id: FoD-SAST
+        name: Fortify on Demand
+        url: https://www.microfocus.com/en-us/products/application-security-testing/overview
+        version: SCA $[release.staticScanSummary?.staticScanSummaryDetails?.engineVersion?:'version unknown']; Rulepack $[release.staticScanSummary?.staticScanSummaryDetails?.rulePackVersion?:'version unknown']
+        vendor:
+          name: Fortify
       scanner:
         id: FoD-SAST
         name: Fortify on Demand

FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-dast.yml

@@ -4,13 +4,20 @@ spring.config.activate.on-loader-plugin: ssc
 json.gitlab.dast.filter.expr: vuln.engineType=='WEBINSPECT'
 json.gitlab.dast.format:
   fields:
-    schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v14.0.0/dist/dast-report-format.json
-    version: 14.0.0
+    schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v15.0.0/dist/dast-report-format.json
+    version: 15.0.0
     scan:
       start_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentDynamicScan?.uploadDate?:'1970-01-01T00:00:00')]
       end_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentDynamicScan?.uploadDate?:'1970-01-01T00:00:00')]
       status: success
       type: dast
+      analyzer:
+        id: fortify-webinspect
+        name: Fortify WebInspect
+        url: https://www.microfocus.com/en-us/products/application-security-testing/overview
+        version: WebInspect $[applicationVersion.currentDynamicScan?.engineVersion?:'version unknown']
+        vendor:
+          name: Fortify
       scanner:
         id: fortify-webinspect
         name: Fortify WebInspect
@@ -39,7 +46,7 @@ json.gitlab.dast.format:
     cve: 'N/A'
     severity: $[vuln.friority]
     confidence: $[(vuln.friority matches "(Critical|Medium)") ? "High":"Low" ]
-    solution: $[#abbreviate(#htmlToText(vuln.details?.detail)+'\n\n'+#htmlToText(vuln.details?.recommendation), 7000)]
+    solution: $[#abbreviate(#htmlToText(vuln.details?.brief)+'\n\n'+#htmlToText(vuln.details?.recommendation), 7000)]
     scanner:
       id: fortify-webinspect
       name: Fortify WebInspect

FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-debricked.yml

@@ -0,0 +1,63 @@
+---
+spring.config.activate.on-loader-plugin: ssc
+
+json.gitlab.debricked.filter.expr: vuln.engineType=='DEBRICKED'
+json.gitlab.debricked.format:
+  fields:
+    schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v15.0.0/dist/dependency-scanning-report-format.json
+    version: 15.0.0
+    scan:
+      start_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentDebrickedScan?.uploadDate?:'1970-01-01T00:00:00')]
+      end_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentDebrickedScan?.uploadDate?:'1970-01-01T00:00:00')]
+      status: success
+      type: dependency_scanning
+      analyzer:
+        id: fortify-debricked
+        name: Fortify/Debricked
+        url: https://www.microfocus.com/en-us/products/application-security-testing/overview
+        version: Debricked Fortify Parser Plugin $[applicationVersion.currentDebrickedScan?.engineVersion?:'version unknown']
+        vendor:
+          name: Fortify+Debricked
+      scanner:
+        id: fortify-debricked
+        name: Fortify/Debricked
+        url: https://www.microfocus.com/en-us/products/application-security-testing/overview
+        version: Debricked Fortify Parser Plugin $[applicationVersion.currentDebrickedScan?.engineVersion?:'version unknown']
+        vendor: 
+          name: Fortify+Debricked
+    dependency_files: $[{}]
+    vulnerabilities: $[vulnerabilityMappers.vulnerability.get()]
+  vulnerabilityMappers.vulnerability.fields:
+    id: $[vuln.issueInstanceId]
+    category: dependency_scanning
+    name: $[vuln.issueName]
+    message: $[vuln.issueName]
+    description: $[#abbreviate(#htmlToText(vuln.details?.brief), 15000)]
+    cve: $[vuln.details?.customAttributes?.externalId]
+    severity: $[vuln.friority]
+    confidence: $[(vuln.friority matches "(Critical|Medium)") ? "High":"Low" ]
+    scanner:
+      id: fortify-debricked
+      name: Fortify/Debricked
+    identifiers:
+      - name:  "Instance id: $[vuln.issueInstanceId]"
+        type:  issueInstanceId
+        value: $[vuln.issueInstanceId]
+        url:   $[vuln.deepLink]
+    links:
+      - name: Additional issue details, including analysis trace, in Software Security Center
+        url:  $[vuln.deepLink]
+      - name: CWE URL
+        url:  $[vuln.details?.customAttributes?.externalUrl]
+    location:
+      file:           $[vuln.fullFileName]
+      dependency:
+        package:
+          name:  $[vuln.details?.customAttributes?.componentName]
+        version: $[vuln.details?.customAttributes?.componentVersion]
+
+
+
+
+
+

FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-sast.yml

@@ -4,20 +4,27 @@ spring.config.activate.on-loader-plugin: ssc
 json.gitlab.sast.filter.expr: vuln.engineType=='SCA'
 json.gitlab.sast.format:
   fields:
-    schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v14.0.0/dist/sast-report-format.json
-    version: 14.0.0
+    schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v15.0.0/dist/sast-report-format.json
+    version: 15.0.0
     scan:
       start_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentStaticScan?.uploadDate?:'1970-01-01T00:00:00')]
       end_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentStaticScan?.uploadDate?:'1970-01-01T00:00:00')]
       status: success
       type: sast
-      scanner:
+      analyzer:
         id: fortify-sca
         name: Fortify SCA
         url: https://www.microfocus.com/en-us/products/application-security-testing/overview
         version: SCA $[applicationVersion.currentStaticScan?.engineVersion?:'version unknown']
         vendor: 
           name: Fortify
+      scanner:
+        id: fortify-sca
+        name: Fortify SCA
+        url: https://www.microfocus.com/en-us/products/application-security-testing/overview
+        version: SCA $[applicationVersion.currentStaticScan?.engineVersion?:'version unknown']
+        vendor:
+          name: Fortify
     vulnerabilities: $[vulnerabilityMappers.vulnerability.get()]
   vulnerabilityMappers.vulnerability.fields:
     id: $[vuln.issueInstanceId]

FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-sonatype.yml

@@ -4,13 +4,20 @@ spring.config.activate.on-loader-plugin: ssc
 json.gitlab.sonatype.filter.expr: vuln.engineType=='SONATYPE'
 json.gitlab.sonatype.format:
   fields:
-    schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v14.0.0/dist/dependency-scanning-report-format.json
-    version: 14.0.0
+    schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v15.0.0/dist/dependency-scanning-report-format.json
+    version: 15.0.0
     scan:
       start_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentSonatypeScan?.uploadDate?:'1970-01-01T00:00:00')]
       end_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentSonatypeScan?.uploadDate?:'1970-01-01T00:00:00')]
       status: success
       type: dependency_scanning
+      analyzer:
+        id: fortify-sonatype
+        name: Fortify/Sonatype
+        url: https://www.microfocus.com/en-us/products/application-security-testing/overview
+        version: Sonatype Fortify Parser Plugin $[applicationVersion.currentSonatypeScan?.engineVersion?:'version unknown']
+        vendor:
+          name: Fortify+Sonatype
       scanner:
         id: fortify-sonatype
         name: Fortify/Sonatype

config/SSCToGitLabDebricked.yml

@@ -0,0 +1,22 @@
+# See FortifyVulnerabilityExporter documentation for SSC connection settings and application version selection
+
+export:
+  from: ssc
+  to: json.gitlab.debricked
+
+ssc:
+  version:
+    embed:
+      - subEntity: currentDebrickedScan
+        onError: LOG_INFO
+  vulnerability:
+    filterParam: ISSUE[11111111-1111-1111-1111-111111111151]:DEBRICKED   # Have SSC return only Debricked issues
+    embed:                                                              # Also load details as required for GitLab output
+      - subEntity: details                                                 
+
+export.dir: ${CI_PROJECT_DIR:${export.default.dir}}    # Unless overridden, use CI_PROJECT_DIR if defined, otherwise default export dir
+json.gitlab.debricked.output:
+  stdout: false                                        # Disabled by default to avoid vulnerability data being exposed through log files
+  pretty: true                                         # Useful for debugging, disable for optimal performance
+  file:   ${export.dir}/gl-fortify-depscan.json        # Output file
+