feat: Add Debricked support for GitLab SCA Import (implements fortify#52

for GitLab)
kadraman · Jan 31, 2023 · c9565e3 · c9565e3
1 parent a2bfd34
commit c9565e3
Show file tree

Hide file tree

Showing 6 changed files with 19 additions and 12 deletions.
diff --git a/...lityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-debricked.yml b/...lityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-debricked.yml
@@ -53,8 +53,8 @@ json.gitlab.debricked.format:
       file:           $[vuln.fullFileName]
       dependency:
         package:
-          name:  $[vuln.details?.customAttributes?.componentName]
-        version: $[vuln.details?.customAttributes?.componentVersion]
+          name:  $[vuln.details?.customAttributes?.componentName > '' ? vuln.details?.customAttributes?.componentName :'Not Set']
+        version: $[vuln.details?.customAttributes?.componentVersion > '' ? vuln.details?.customAttributes?.componentVersion :'Not Set' ]
 
 
 

diff --git a/...ilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-sonatype.yml b/...ilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-sonatype.yml
@@ -52,8 +52,8 @@ json.gitlab.sonatype.format:
     location:
       file:           $[vuln.fullFileName]
       dependency:
-        package.name: $[vuln.details?.customAttributes?.artifact]
-        version:      $[vuln.details?.customAttributes?.version]    
+        package.name: $[vuln.details?.customAttributes?.artifact > '' ? vuln.details?.customAttributes?.artifact :'Not Set']
+        version:      $[vuln.details?.customAttributes?.version > '' ? vuln.details?.customAttributes?.version :'Not Set']
 
 
 

diff --git a/README.md b/README.md
@@ -484,7 +484,7 @@ fortify_scanning:
       dast: gl-fortify-dast.json
 ```
 
-The configuration file `/config/FoDToGitLab.yml` used in this example outputs all available GitLab reports. Alternatively, you can use `/config/FoDToGitLabSAST.yml` or `/config/FoDToGitLabDAST.yml` to output only a SAST or DAST report respectively. Note that contrary to the [SSC implementation](#ssc-to-gitlab), outputting Sonatype/dependency scanning 
+The configuration file `/config/FoDToGitLab.yml` used in this example outputs all available GitLab reports. Alternatively, you can use `/config/FoDToGitLabSAST.yml` or `/config/FoDToGitLabDAST.yml` to output only a SAST or DAST report respectively. Note that contrary to the [SSC implementation](#ssc-to-gitlab), outputting Debricked or Sonatype dependency scanning 
 results from FoD is not yet supported.
 
 As described in the [CI/CD Integration](#cicd-integration) section, you can optionally combine this with other Fortify tools to create a full workflow that scans your code and makes the results available on GitLab.
@@ -510,10 +510,12 @@ fortify_scanning:
     reports:
       sast: gl-fortify-sast.json
       dast: gl-fortify-dast.json
-      dependency_scanning: gl-fortify-depscan.json
+      dependency_scanning: gl-fortify-debricked-depscan.json
+      # Or for Sonatype Nexus IQ use: gl-fortify-sonatype-depscan.json
 ```
 
-The configuration file `/config/SSCToGitLab.yml` used in this example outputs all available GitLab reports. Alternatively, you can use `/config/SSCToGitLabSAST.yml`, `/config/SSCToGitLabDAST.yml`, or `/config/SSCToGitLabSonatype.yml` to output only a SAST, DAST or Sonatype report respectively.
+The configuration file `/config/SSCToGitLab.yml` used in this example outputs all available GitLab reports. Alternatively, you can use `/config/SSCToGitLabSAST.yml`, `/config/SSCToGitLabDAST.yml`, `/config/SSCToGitLabDebricked.yml` or `/config/SSCToGitLabSonatype.yml` 
+to output only a SAST, DAST, Debricked SCA or Sonatype SCA report respectively.
 
 As described in the [CI/CD Integration](#cicd-integration) section, you can optionally combine this with other Fortify tools to create a full workflow that scans your code and makes the results available on GitLab.
 
@@ -596,6 +598,7 @@ At the moment of writing, DefectDojo supports GitLab SAST and GitLab Dependency
 
 * [Export FoD SAST results to a GitLab SAST report](#fod-to-gitlab) and import this report into DefectDojo
 * [Export SSC SAST results to a GitLab SAST report](#ssc-to-gitlab) and import this report into DefectDojo
+* [Export SSC Debricked results to a GitLab Dependency Scanning report](#ssc-to-gitlab) and import this report into DefectDojo
 * [Export SSC Sonatype results to a GitLab Dependency Scanning report](#ssc-to-gitlab) and import this report into DefectDojo
 * [Export other FoD or SSC results to CSV format](#csv-export) and import the CSV file into DefectDojo
 

diff --git a/config/SSCToGitLab.yml b/config/SSCToGitLab.yml
@@ -2,7 +2,7 @@
 
 export:
   from: ssc
-  to: json.gitlab.sast, json.gitlab.dast, json.gitlab.sonatype
+  to: json.gitlab.sast, json.gitlab.dast, json.gitlab.sonatype, json.gitlab.debricked
 
 ssc:
   version:
@@ -31,5 +31,9 @@ json.gitlab.dast.output:
 json.gitlab.sonatype.output:
   stdout: false                                        # Disabled by default to avoid vulnerability data being exposed through log files
   pretty: true                                         # Useful for debugging, disable for optimal performance
-  file:   ${export.dir}/gl-fortify-depscan.json        # Output file
-
+  file:   ${export.dir}/gl-fortify-sonatype-depscan.json  # Output file
+
+json.gitlab.debricked.output:
+  stdout: false                                        # Disabled by default to avoid vulnerability data being exposed through log files
+  pretty: true                                         # Useful for debugging, disable for optimal performance
+  file:   ${export.dir}/gl-fortify-debricked-depscan.json # Output file
diff --git a/config/SSCToGitLabDebricked.yml b/config/SSCToGitLabDebricked.yml
@@ -18,5 +18,5 @@ export.dir: ${CI_PROJECT_DIR:${export.default.dir}}    # Unless overridden, use
 json.gitlab.debricked.output:
   stdout: false                                        # Disabled by default to avoid vulnerability data being exposed through log files
   pretty: true                                         # Useful for debugging, disable for optimal performance
-  file:   ${export.dir}/gl-fortify-depscan.json        # Output file
+  file:   ${export.dir}/gl-fortify-debricked-depscan.json        # Output file
 
diff --git a/config/SSCToGitLabSonatype.yml b/config/SSCToGitLabSonatype.yml
@@ -18,5 +18,5 @@ export.dir: ${CI_PROJECT_DIR:${export.default.dir}}    # Unless overridden, use
 json.gitlab.sonatype.output:
   stdout: false                                        # Disabled by default to avoid vulnerability data being exposed through log files
   pretty: true                                         # Useful for debugging, disable for optimal performance
-  file:   ${export.dir}/gl-fortify-depscan.json        # Output file
+  file:   ${export.dir}/gl-fortify-sonatype-depscan.json  # Output file