feat: FoD & SSC: Add aws-sast-report actions to enable integrating Fortify results with AWS Security Hub (#559)
rohitbaryha1 authored Sep 19, 2024
1 parent 312323e commit dc79095
Showing 2 changed files with 240 additions and 0 deletions.
@@ -0,0 +1,111 @@
# yaml-language-server: $schema=https://fortify.github.io/fcli/schemas/action/fcli-action-schema-dev.json

author: Fortify
usage:
header: Generate a AWS Security Hub SAST report listing FoD SAST vulnerabilities.
description: |
This action generate a ASFF report to integrate AWS Security Hub, generated reports
then parsed by the lambda function, see: https://github.com/fortify/CloudDevSecOpsTemplates/
For information on how to create or update findings into AWS Security Hub, see
https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-update-types.html
parameters:
- name: file
cliAliases: f
description: "Optional report output file name (or 'stdout' / 'stderr'). Default value: aws-fortify-report.json"
required: false
defaultValue: aws-fortify-report.json
- name: release
cliAliases: rel
description: "Required release id or <appName>:[<microserviceName>:]<releaseName>"
type: release_single
- name: aws-region
description: 'Required AWS region. Default value: AWS_REGION environment variable.'
required: true
defaultValue: ${#env('AWS_REGION')}
- name: aws-account
description: 'Required AWS account id. Default value: AWS_ACCOUNT_ID environment variable.'
required: true
defaultValue: ${#env('AWS_ACCOUNT_ID')}

defaults:
requestTarget: fod

steps:
- progress: Loading static scan summary
- requests:
- name: staticScanSummary
uri: /api/v3/scans/${parameters.release.currentStaticScanId}/summary
if: ${parameters.release.currentStaticScanId!=null}
- progress: Processing issue data
- requests:
- name: issues
uri: /api/v3/releases/${parameters.release.releaseId}/vulnerabilities?limit=50
query:
filters: scantype:Static
pagingProgress:
postPageProcess: Processed ${totalIssueCount?:0} of ${issues_raw.totalCount} issues
forEach:
name: issue
embed:
- name: details
uri: /api/v3/releases/${parameters.release.releaseId}/vulnerabilities/${issue.vulnId}/details
- name: recommendations
uri: /api/v3/releases/${parameters.release.releaseId}/vulnerabilities/${issue.vulnId}/recommendations
do:
- append:
- name: vulnerabilities
valueTemplate: issues
- write:
- to: ${parameters['file']}
valueTemplate: report
- if: ${parameters.file!='stdout'}
to: stdout
value: |
Report written to ${parameters['report-file']}
valueTemplates:
- name: report
contents:
issues: ${vulnerabilities?:{}}

- name: issues
contents:
SchemaVersion: 2018-10-08
Id: ${parameters.release.releaseId}-${issue.id}
ProductArn: "arn:aws:securityhub:${parameters['aws-region']}:${parameters['aws-account']}:product/${parameters['aws-account']}/default"
GeneratorId: "arn:aws:securityhub:${parameters['aws-region']}:${parameters['aws-account']}:product/${parameters['aws-account']}/default"
ProductName: 'Fortify SAST'
CompanyName: OpenText
Types:
- Software and Configuration Checks/Vulnerabilities/CVE
CreatedAt: ${#formatDateTimewithZoneIdAsUTC("yyyy-MM-dd'T'HH:mm:ss'Z'",parameters.release.staticScanDate?:'1970-01-01T00:00:00Z',parameters.release.serverZoneId)}
UpdatedAt: ${#formatDateTimewithZoneIdAsUTC("yyyy-MM-dd'T'HH:mm:ss'Z'",parameters.release.staticScanSummary?.completedDateTime?:'1970-01-01T00:00:00Z',parameters.release.serverZoneId)}
Severity:
Label: ${(issue.severityString matches "(Critical|High|Medium|Low)") ? issue.severityString.toUpperCase():"LOW"}
Original: ${issue.severityString}
Title: ${issue.category}
Description: ${#abbreviate(#htmlToText(issue.details?.summary), 510)}
Remediation:
Recommendation:
Text: ${#abbreviate(#htmlToText(issue.recommendations?.recommendations), 510)}
Url: ${#fod.issueBrowserUrl(issue)}
ProductFields:
Product Name: 'Fortify SAST'
'aws/securityhub/CompanyName': OpenText
'aws/securityhub/ProductName': 'Fortify SAST'
Resources:
- Type: Application
Id: ${parameters.release.releaseId}-${issue.id}
Partition: aws
Region: ${parameters['aws-region']}
Details:
Other:
APPLICATION ID: ${parameters.release.applicationId+''}
APPLICATION NAME: ${parameters.release.applicationName}
RELEASE ID: ${parameters.release.releaseId+''}
RELEASE NAME: ${parameters.release.releaseName}
PRIMARY LOCATION: ${issue.primaryLocationFull}
LINE NUMBER: ${issue.lineNumber+''}
INSTANCE ID: ${issue.instanceId}
RecordState: ACTIVE
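Review bot: The completion message `Report written to ${parameters['report-file']}` names a parameter this action never declares — the only output parameter is `file`, and the write step just above it targets `${parameters['file']}` — so the message would likely evaluate to an empty or failing expression; change it to `Report written to ${parameters['file']}`, matching the SSC action's `Output written to ${parameters.file}`. `UpdatedAt` reads `parameters.release.staticScanSummary?.completedDateTime`, but the scan summary is loaded into a request named `staticScanSummary` rather than a property of the release, so the null-safe chain appears to always fall back to the 1970 epoch; `staticScanSummary?.completedDateTime` looks like the intended reference, to be confirmed against how fcli scopes request results. `SchemaVersion: 2018-10-08` is an unquoted ISO date that a YAML loader may type as a timestamp rather than the literal string ASFF expects; write `SchemaVersion: "2018-10-08"` here and in the SSC action, which has the same line. Any severity string outside Critical/High/Medium/Low is silently mapped to `LOW`, which understates such findings in Security Hub triage; a comment such as `# Severities not matching Critical/High/Medium/Low are downgraded to LOW` would at least make that choice explicit to the next maintainer.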
@@ -0,0 +1,129 @@
# yaml-language-server: $schema=https://fortify.github.io/fcli/schemas/action/fcli-action-schema-dev.json

author: Fortify
usage:
header: Generate a AWS Security Hub SAST report listing Fortify SSC SAST vulnerabilities.
description: |
This action generate a ASFF report to integrate AWS Security Hub, generated reports
then parsed by the lambda function, see: https://github.com/fortify/CloudDevSecOpsTemplates/
For information on how to create or update findings into AWS Security Hub, see
https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-update-types.html
defaults:
requestTarget: ssc

parameters:
- name: file
cliAliases: f
description: "Optional report output file name (or 'stdout' / 'stderr'). Default value: aws-fortify-report.json"
required: false
defaultValue: aws-fortify-report.json
- name: appversion
cliAliases: av
description: "Required application version id or <appName>:<versionName>"
type: appversion_single
- name: filterset
cliAliases: fs
description: "Filter set name or guid from which to load issue data. Default value: Default filter set for given application version"
required: false
type: filterset
- name: page-size
description: "Number of vulnerabilities to retrieve at a time. Higher numbers may reduce time required to build the report, at the cost of increased memory usage (on both fcli and SSC), and could potentially negatively affect overall SSC performance or result in read time-outs (see --socket-timeout option on fcli ssc session login command). Default value: 100"
required: false
defaultValue: "100"
- name: aws-region
description: 'Required AWS region. Default value: AWS_REGION environment variable.'
required: true
defaultValue: ${#env('AWS_REGION')}
- name: aws-account
description: 'Required AWS account id. Default value: AWS_ACCOUNT_ID environment variable.'
required: true
defaultValue: ${#env('AWS_ACCOUNT_ID')}

steps:
- progress: Loading latest static scan
- requests:
- name: artifacts
uri: /api/v1/projectVersions/${parameters.appversion.id}/artifacts
type: paged
query:
embed: scans
forEach:
name: artifact
breakIf: ${lastStaticScan!=null}
do:
- set:
- name: lastStaticScan
value: ${artifact._embed.scans?.^[type=='SCA']}
- progress: Processing issue data
- requests:
- name: issues
uri: /api/v1/projectVersions/${parameters.appversion.id}/issues
query:
filter: ISSUE[11111111-1111-1111-1111-111111111151]:SCA
filterset: ${parameters.filterset.guid}
limit: ${parameters['page-size']}
pagingProgress:
postPageProcess: Processed ${totalIssueCount?:0} of ${issues_raw.count} issues
forEach:
name: issue
embed:
- name: details
uri: /api/v1/issueDetails/${issue.id}
do:
- append:
- name: vulnerabilities
valueTemplate: issues
- write:
- to: ${parameters.file}
valueTemplate: aws-sast-report
- if: ${parameters.file!='stdout'}
to: stdout
value: |
Output written to ${parameters.file}
valueTemplates:
- name: aws-sast-report
contents:
issues: ${vulnerabilities?:{}}

- name: issues
contents:
SchemaVersion: 2018-10-08
id: ${parameters.appversion.id}-${issue.id}
ProductArn: "arn:aws:securityhub:${parameters['aws-region']}:${parameters['aws-account']}:product/${parameters['aws-account']}/default"
GeneratorId: "arn:aws:securityhub:${parameters['aws-region']}:${parameters['aws-account']}:product/${parameters['aws-account']}/default"
ProductName: 'Fortify SAST'
CompanyName: OpenText
Types:
- Software and Configuration Checks/Vulnerabilities/CVE
CreatedAt: ${#formatDateTime("yyyy-MM-dd'T'HH:mm:ss'Z'", lastStaticScan?.uploadDate?:'1970-01-01T00:00:00Z')}
UpdatedAt: ${#formatDateTime("yyyy-MM-dd'T'HH:mm:ss'Z'", lastStaticScan?.uploadDate?:'1970-01-01T00:00:00Z')}
Severity:
Label: ${(issue.friority matches "(Critical|High|Medium|Low)") ? issue.friority.toUpperCase():"LOW"}
Original: ${issue.friority}
Title: ${issue.issueName}
Description: ${#abbreviate(#htmlToText(issue.details?.brief), 510)}
Remediation:
Recommendation:
Text: ${#abbreviate(#htmlToText(issue.details?.recommendation), 510)}
Url: ${#ssc.appversionBrowserUrl(parameters.appversion)}
ProductFields:
Product Name: 'Fortify SAST'
'aws/securityhub/CompanyName': OpenText
'aws/securityhub/ProductName': 'Fortify SAST'
Resources:
- Type: Application
Id: ${parameters.appversion.id}-${issue.id}
Partition: aws
Region: ${parameters['aws-region']}
Details:
Other:
APPLICATION ID: ${parameters.appversion.project.id+''}
APPLICATION NAME: ${parameters.appversion.project.name}
APPLICATION VERSION ID: ${parameters.appversion.id+''}
APPLICATION VERSION NAME: ${parameters.appversion.name}
PRIMARY LOCATION: ${issue.fullFileName}
LINE NUMBER: ${issue.lineNumber+''}
INSTANCE ID: ${issue.issueInstanceId}
RecordState: ACTIVE
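Review bot: The finding identifier is emitted as lowercase `id: ${parameters.appversion.id}-${issue.id}` while the resource entry further down and the FoD action both use `Id:`; ASFF field names are case-sensitive, so Security Hub would most likely reject `id` as an unknown field and the finding would be missing its required `Id`. Change it to `Id: ${parameters.appversion.id}-${issue.id}`. `CreatedAt` and `UpdatedAt` are both taken from `lastStaticScan?.uploadDate`, so every re-import moves both timestamps to the latest artifact upload rather than preserving when the finding was first seen; if that is intentional, a comment such as `# Both timestamps use the latest SCA artifact upload; SSC exposes no per-issue update time here` would document it. `Remediation.Recommendation.Url` points at the application version via `#ssc.appversionBrowserUrl(parameters.appversion)`, whereas the FoD action links each finding to its own issue page; if an equivalent per-issue link exists for SSC, using it would make the two reports consistent for analysts following the link from Security Hub.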
