From c9565e3500b9c2498a525ef95f6ff9aeb5229ac3 Mon Sep 17 00:00:00 2001
From: kadraman
Date: Tue, 31 Jan 2023 13:43:00 +0000
Subject: [PATCH] feat: Add Debricked support for GitLab SCA Import (implements #52 for GitLab)
---
 .../pluginConfig/json-gitlab-ssc-debricked.yml | 4 ++--
 .../pluginConfig/json-gitlab-ssc-sonatype.yml | 4 ++--
 README.md | 9 ++++++---
 config/SSCToGitLab.yml | 10 +++++++---
 config/SSCToGitLabDebricked.yml | 2 +-
 config/SSCToGitLabSonatype.yml | 2 +-
 6 files changed, 19 insertions(+), 12 deletions(-)
diff --git a/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-debricked.yml b/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-debricked.yml
index eac3ae1..471018c 100644
--- a/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-debricked.yml
+++ b/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-debricked.yml
@@ -53,8 +53,8 @@ json.gitlab.debricked.format:
 file: $[vuln.fullFileName]
 dependency:
 package:
- name: $[vuln.details?.customAttributes?.componentName]
- version: $[vuln.details?.customAttributes?.componentVersion]
+ name: $[vuln.details?.customAttributes?.componentName > '' ? vuln.details?.customAttributes?.componentName :'Not Set']
+ version: $[vuln.details?.customAttributes?.componentVersion > '' ? vuln.details?.customAttributes?.componentVersion :'Not Set' ]
diff --git a/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-sonatype.yml b/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-sonatype.yml
index 10d8dd7..f62bf47 100644
--- a/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-sonatype.yml
+++ b/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-sonatype.yml
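Review bot: The new `version:` line closes its expression with `:'Not Set' ]` while the `name:` line directly above uses `:'Not Set']`; the stray space is harmless but the two lines should match — `version: $[vuln.details?.customAttributes?.componentVersion > '' ? vuln.details?.customAttributes?.componentVersion :'Not Set']`. Each line also walks the same `vuln.details?.customAttributes?.…` path twice, and `> ''` reads like a numeric check although it is really a "not null and not empty" test (assuming the `$[…]` placeholders are SpEL, it works because the type comparator orders null and '' below any non-empty string — confirm against the exporter's expression engine), so a one-line comment would stop a future reader from "simplifying" it to a null-only Elvis `?:` that lets empty strings through: `# fall back to 'Not Set' when the SSC attribute is null or empty; presumably required because GitLab expects a package name/version`. Findings that fall back to 'Not Set' for both fields become indistinguishable by package, which may affect de-duplication in GitLab or DefectDojo — probably acceptable, but worth stating in that comment. The enclosing `json.gitlab.debricked.format` mapping starts before this hunk, and its trailing context lines appear to have been lost in the collapsed listing.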
@@ -52,8 +52,8 @@ json.gitlab.sonatype.format:
 location:
 file: $[vuln.fullFileName]
 dependency:
- package.name: $[vuln.details?.customAttributes?.artifact]
- version: $[vuln.details?.customAttributes?.version]
+ package.name: $[vuln.details?.customAttributes?.artifact > '' ? vuln.details?.customAttributes?.artifact :'Not Set']
+ version: $[vuln.details?.customAttributes?.version > '' ? vuln.details?.customAttributes?.version :'Not Set']
diff --git a/README.md b/README.md
index 22c4447..4ab7aa4 100644
--- a/README.md
+++ b/README.md
@@ -484,7 +484,7 @@ fortify_scanning:
 dast: gl-fortify-dast.json
 ```
-The configuration file `/config/FoDToGitLab.yml` used in this example outputs all available GitLab reports. Alternatively, you can use `/config/FoDToGitLabSAST.yml` or `/config/FoDToGitLabDAST.yml` to output only a SAST or DAST report respectively. Note that contrary to the [SSC implementation](#ssc-to-gitlab), outputting Sonatype/dependency scanning
+The configuration file `/config/FoDToGitLab.yml` used in this example outputs all available GitLab reports. Alternatively, you can use `/config/FoDToGitLabSAST.yml` or `/config/FoDToGitLabDAST.yml` to output only a SAST or DAST report respectively. Note that contrary to the [SSC implementation](#ssc-to-gitlab), outputting Debricked or Sonatype dependency scanning
 results from FoD is not yet supported.
 As described in the [CI/CD Integration](#cicd-integration) section, you can optionally combine this with other Fortify tools to create a full workflow that scans your code and makes the results available on GitLab.
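Review bot: The rewritten `package.name:` line keeps the dotted-key spelling, while the Debricked format added in this same commit spells the same field as a nested `package:` / `name:` pair; if the exporter expands dotted keys to the same JSON (cannot be confirmed from here) the two SCA formats should still agree on one shape so that a later schema change is made in one place. As in the Debricked file, each value evaluates the `vuln.details?.customAttributes?.…` path twice and uses `> ''` as a non-blank test, which deserves a short comment because it reads like a magnitude comparison: `# artifact/version fall back to 'Not Set' when the SSC attribute is null or empty`. A whitespace-only attribute value would still pass `> ''` and be emitted verbatim, so if SSC ever supplies such values a trim is needed upstream. The enclosing `json.gitlab.sonatype.format` mapping starts before this hunk, and its trailing context lines appear to have been lost in the collapsed listing.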
@@ -510,10 +510,12 @@ fortify_scanning:
 reports:
 sast: gl-fortify-sast.json
 dast: gl-fortify-dast.json
- dependency_scanning: gl-fortify-depscan.json
+ dependency_scanning: gl-fortify-debricked-depscan.json
+ # Or for Sonatype Nexus IQ use: gl-fortify-sonatype-depscan.json
 ```
-The configuration file `/config/SSCToGitLab.yml` used in this example outputs all available GitLab reports. Alternatively, you can use `/config/SSCToGitLabSAST.yml`, `/config/SSCToGitLabDAST.yml`, or `/config/SSCToGitLabSonatype.yml` to output only a SAST, DAST or Sonatype report respectively.
+The configuration file `/config/SSCToGitLab.yml` used in this example outputs all available GitLab reports. Alternatively, you can use `/config/SSCToGitLabSAST.yml`, `/config/SSCToGitLabDAST.yml`, `/config/SSCToGitLabDebricked.yml` or `/config/SSCToGitLabSonatype.yml`
+to output only a SAST, DAST, Debricked SCA or Sonatype SCA report respectively.
 As described in the [CI/CD Integration](#cicd-integration) section, you can optionally combine this with other Fortify tools to create a full workflow that scans your code and makes the results available on GitLab.
@@ -596,6 +598,7 @@ At the moment of writing, DefectDojo supports GitLab SAST and GitLab Dependency
 * [Export FoD SAST results to a GitLab SAST report](#fod-to-gitlab) and import this report into DefectDojo
 * [Export SSC SAST results to a GitLab SAST report](#ssc-to-gitlab) and import this report into DefectDojo
+* [Export SSC Debricked results to a GitLab Dependency Scanning report](#ssc-to-gitlab) and import this report into DefectDojo
 * [Export SSC Sonatype results to a GitLab Dependency Scanning report](#ssc-to-gitlab) and import this report into DefectDojo
 * [Export other FoD or SSC results to CSV format](#csv-export) and import the CSV file into DefectDojo
diff --git a/config/SSCToGitLab.yml b/config/SSCToGitLab.yml
index 5cfbc8e..e249d80 100644
--- a/config/SSCToGitLab.yml
+++ b/config/SSCToGitLab.yml
@@ -2,7 +2,7 @@ export:
 from: ssc
- to: json.gitlab.sast, json.gitlab.dast, json.gitlab.sonatype
+ to: json.gitlab.sast, json.gitlab.dast, json.gitlab.sonatype, json.gitlab.debricked
 ssc:
 version:
@@ -31,5 +31,9 @@ json.gitlab.dast.output:
 json.gitlab.sonatype.output:
 stdout: false # Disabled by default to avoid vulnerability data being exposed through log files
 pretty: true # Useful for debugging, disable for optimal performance
- file: ${export.dir}/gl-fortify-depscan.json # Output file
- 
\ No newline at end of file
+ file: ${export.dir}/gl-fortify-sonatype-depscan.json # Output file
+
+json.gitlab.debricked.output:
+ stdout: false # Disabled by default to avoid vulnerability data being exposed through log files
+ pretty: true # Useful for debugging, disable for optimal performance
+ file: ${export.dir}/gl-fortify-debricked-depscan.json # Output file
\ No newline at end of file
diff --git a/config/SSCToGitLabDebricked.yml b/config/SSCToGitLabDebricked.yml
index fb2649b..db7c2c6 100644
--- a/config/SSCToGitLabDebricked.yml
+++ b/config/SSCToGitLabDebricked.yml
@@ -18,5 +18,5 @@ export.dir: ${CI_PROJECT_DIR:${export.default.dir}} # Unless overridden, use
 json.gitlab.debricked.output:
 stdout: false # Disabled by default to avoid vulnerability data being exposed through log files
 pretty: true # Useful for debugging, disable for optimal performance
- file: ${export.dir}/gl-fortify-depscan.json # Output file
+ file: ${export.dir}/gl-fortify-debricked-depscan.json # Output file
\ No newline at end of file
diff --git a/config/SSCToGitLabSonatype.yml b/config/SSCToGitLabSonatype.yml
index 830299d..93cefd8 100644
--- a/config/SSCToGitLabSonatype.yml
+++ b/config/SSCToGitLabSonatype.yml
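Review bot: The new `to:` line runs both `json.gitlab.sonatype` and `json.gitlab.debricked` on every export, so an SSC application version that integrates with only one of the two still gets a second dependency-scanning file written into `${export.dir}`, which the sibling configs in this patch default to `CI_PROJECT_DIR`. Given that `stdout: false` exists specifically to keep vulnerability data out of job logs, a report file that no `artifacts:reports:` entry declares is the same kind of stray copy of vulnerability data left in the job workspace, and whether GitLab accepts two dependency-scanning report paths is not something this hunk establishes. A comment on the line would make the trade-off explicit: `# Runs both SCA exporters; remove the one your SSC instance does not integrate with, or use SSCToGitLabDebricked.yml / SSCToGitLabSonatype.yml`. The `export:` mapping this line belongs to starts before the hunk.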
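Review bot: Renaming the Sonatype output from `gl-fortify-depscan.json` to `gl-fortify-sonatype-depscan.json` breaks any existing `.gitlab-ci.yml` that declares the old path under `artifacts:reports:dependency_scanning`; GitLab most likely just warns about a missing artifact rather than failing the job, so SCA findings would silently stop reaching the pipeline. The README in this commit documents the new names, but the config line users copy from should carry the hint as well: `file: ${export.dir}/gl-fortify-sonatype-depscan.json # Output file (renamed from gl-fortify-depscan.json; update artifacts:reports accordingly)`. The added `json.gitlab.debricked.output` block also ends without a trailing newline (`\ No newline at end of file`), which the old file had too — worth fixing while the block is being rewritten. The removed whitespace-only last line shows the same issue existed before, so this is a style point rather than a regression.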
@@ -18,5 +18,5 @@ export.dir: ${CI_PROJECT_DIR:${export.default.dir}} # Unless overridden, use
 json.gitlab.sonatype.output:
 stdout: false # Disabled by default to avoid vulnerability data being exposed through log files
 pretty: true # Useful for debugging, disable for optimal performance
- file: ${export.dir}/gl-fortify-depscan.json # Output file
+ file: ${export.dir}/gl-fortify-sonatype-depscan.json # Output file
\ No newline at end of file