From dc790950794c976c5242fc44fffd2ad5c0f1c081 Mon Sep 17 00:00:00 2001
From: Rohit Baryha <72431329+rohitbaryha1@users.noreply.github.com>
Date: Thu, 19 Sep 2024 19:09:22 +0530
Subject: [PATCH] feat: FoD & SSC: Add aws-sast-report actions to enable
 integrating Fortify results with AWS Security Hub (#559)

---
 .../cli/fod/actions/zip/aws-sast-report.yaml  | 111 +++++++++++++++
 .../cli/ssc/actions/zip/aws-sast-report.yaml  | 129 ++++++++++++++++++
 2 files changed, 240 insertions(+)
 create mode 100644 fcli-core/fcli-fod/src/main/resources/com/fortify/cli/fod/actions/zip/aws-sast-report.yaml
 create mode 100644 fcli-core/fcli-ssc/src/main/resources/com/fortify/cli/ssc/actions/zip/aws-sast-report.yaml

diff --git a/fcli-core/fcli-fod/src/main/resources/com/fortify/cli/fod/actions/zip/aws-sast-report.yaml b/fcli-core/fcli-fod/src/main/resources/com/fortify/cli/fod/actions/zip/aws-sast-report.yaml
new file mode 100644
index 0000000000..81cdb1640d
--- /dev/null
+++ b/fcli-core/fcli-fod/src/main/resources/com/fortify/cli/fod/actions/zip/aws-sast-report.yaml
@@ -0,0 +1,111 @@
+# yaml-language-server: $schema=https://fortify.github.io/fcli/schemas/action/fcli-action-schema-dev.json
+
+author: Fortify
+usage:
+  header: Generate a AWS Security Hub SAST report listing FoD SAST vulnerabilities. 
+  description: |
+    This action generate a ASFF report to integrate AWS Security Hub, generated reports 
+    then parsed by the lambda function, see: https://github.com/fortify/CloudDevSecOpsTemplates/
+    For information on how to create or update findings into AWS Security Hub, see 
+    https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-update-types.html
+
+parameters:
+  - name: file
+    cliAliases: f
+    description: "Optional report output file name (or 'stdout' / 'stderr'). Default value: aws-fortify-report.json"
+    required: false
+    defaultValue: aws-fortify-report.json
+  - name: release
+    cliAliases: rel
+    description: "Required release id or <appName>:[<microserviceName>:]<releaseName>"
+    type: release_single
+  - name: aws-region
+    description: 'Required AWS region. Default value: AWS_REGION environment variable.'
+    required: true
+    defaultValue: ${#env('AWS_REGION')}    
+  - name: aws-account
+    description: 'Required AWS account id. Default value: AWS_ACCOUNT_ID environment variable.'
+    required: true
+    defaultValue: ${#env('AWS_ACCOUNT_ID')}
+
+defaults:
+  requestTarget: fod
+
+steps:
+  - progress: Loading static scan summary
+  - requests:
+      - name: staticScanSummary
+        uri:  /api/v3/scans/${parameters.release.currentStaticScanId}/summary
+        if:   ${parameters.release.currentStaticScanId!=null}
+  - progress: Processing issue data
+  - requests:
+    - name: issues
+      uri: /api/v3/releases/${parameters.release.releaseId}/vulnerabilities?limit=50
+      query:
+        filters: scantype:Static
+      pagingProgress:
+        postPageProcess: Processed ${totalIssueCount?:0} of ${issues_raw.totalCount} issues
+      forEach:
+        name: issue
+        embed:
+          - name: details
+            uri: /api/v3/releases/${parameters.release.releaseId}/vulnerabilities/${issue.vulnId}/details
+          - name: recommendations
+            uri: /api/v3/releases/${parameters.release.releaseId}/vulnerabilities/${issue.vulnId}/recommendations
+        do:
+          - append:
+            - name: vulnerabilities
+              valueTemplate: issues
+  - write:
+    - to: ${parameters['file']}
+      valueTemplate: report
+    - if: ${parameters.file!='stdout'}
+      to: stdout
+      value: |
+        Report written to ${parameters['report-file']}
+
+valueTemplates:
+  - name: report
+    contents:
+      issues: ${vulnerabilities?:{}} 
+     
+  - name: issues
+    contents:
+      SchemaVersion: 2018-10-08
+      Id: ${parameters.release.releaseId}-${issue.id}
+      ProductArn: "arn:aws:securityhub:${parameters['aws-region']}:${parameters['aws-account']}:product/${parameters['aws-account']}/default"
+      GeneratorId: "arn:aws:securityhub:${parameters['aws-region']}:${parameters['aws-account']}:product/${parameters['aws-account']}/default"
+      ProductName: 'Fortify SAST'
+      CompanyName: OpenText
+      Types: 
+        - Software and Configuration Checks/Vulnerabilities/CVE
+      CreatedAt: ${#formatDateTimewithZoneIdAsUTC("yyyy-MM-dd'T'HH:mm:ss'Z'",parameters.release.staticScanDate?:'1970-01-01T00:00:00Z',parameters.release.serverZoneId)}
+      UpdatedAt: ${#formatDateTimewithZoneIdAsUTC("yyyy-MM-dd'T'HH:mm:ss'Z'",parameters.release.staticScanSummary?.completedDateTime?:'1970-01-01T00:00:00Z',parameters.release.serverZoneId)}
+      Severity: 
+        Label: ${(issue.severityString matches "(Critical|High|Medium|Low)") ? issue.severityString.toUpperCase():"LOW"}
+        Original: ${issue.severityString}
+      Title: ${issue.category}
+      Description: ${#abbreviate(#htmlToText(issue.details?.summary), 510)}
+      Remediation:
+        Recommendation:
+          Text: ${#abbreviate(#htmlToText(issue.recommendations?.recommendations), 510)}
+          Url: ${#fod.issueBrowserUrl(issue)}
+      ProductFields:
+        Product Name: 'Fortify SAST'
+        'aws/securityhub/CompanyName': OpenText
+        'aws/securityhub/ProductName': 'Fortify SAST'
+      Resources:
+        - Type: Application
+          Id: ${parameters.release.releaseId}-${issue.id}
+          Partition: aws
+          Region: ${parameters['aws-region']}
+          Details:
+            Other:
+                APPLICATION ID: ${parameters.release.applicationId+''}
+                APPLICATION NAME: ${parameters.release.applicationName}
+                RELEASE ID: ${parameters.release.releaseId+''}
+                RELEASE NAME: ${parameters.release.releaseName}
+                PRIMARY LOCATION: ${issue.primaryLocationFull}
+                LINE NUMBER: ${issue.lineNumber+''}
+                INSTANCE ID: ${issue.instanceId}
+      RecordState: ACTIVE
\ No newline at end of file
diff --git a/fcli-core/fcli-ssc/src/main/resources/com/fortify/cli/ssc/actions/zip/aws-sast-report.yaml b/fcli-core/fcli-ssc/src/main/resources/com/fortify/cli/ssc/actions/zip/aws-sast-report.yaml
new file mode 100644
index 0000000000..cc917311c3
--- /dev/null
+++ b/fcli-core/fcli-ssc/src/main/resources/com/fortify/cli/ssc/actions/zip/aws-sast-report.yaml
@@ -0,0 +1,129 @@
+# yaml-language-server: $schema=https://fortify.github.io/fcli/schemas/action/fcli-action-schema-dev.json
+
+author: Fortify
+usage:
+  header: Generate a AWS Security Hub SAST report listing Fortify SSC SAST vulnerabilities. 
+  description: |
+    This action generate a ASFF report to integrate AWS Security Hub, generated reports 
+    then parsed by the lambda function, see: https://github.com/fortify/CloudDevSecOpsTemplates/
+    For information on how to create or update findings into AWS Security Hub, see 
+    https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-update-types.html
+
+defaults:
+  requestTarget: ssc
+  
+parameters:
+  - name: file
+    cliAliases: f
+    description: "Optional report output file name (or 'stdout' / 'stderr'). Default value: aws-fortify-report.json"
+    required: false
+    defaultValue: aws-fortify-report.json
+  - name: appversion
+    cliAliases: av
+    description: "Required application version id or <appName>:<versionName>"
+    type: appversion_single
+  - name: filterset
+    cliAliases: fs
+    description: "Filter set name or guid from which to load issue data. Default value: Default filter set for given application version"
+    required: false
+    type: filterset    
+  - name: page-size
+    description: "Number of vulnerabilities to retrieve at a time. Higher numbers may reduce time required to build the report, at the cost of increased memory usage (on both fcli and SSC), and could potentially negatively affect overall SSC performance or result in read time-outs (see --socket-timeout option on fcli ssc session login command). Default value: 100"
+    required: false
+    defaultValue: "100"    
+  - name: aws-region
+    description: 'Required AWS region. Default value: AWS_REGION environment variable.'
+    required: true
+    defaultValue: ${#env('AWS_REGION')}    
+  - name: aws-account
+    description: 'Required AWS account id. Default value: AWS_ACCOUNT_ID environment variable.'
+    required: true
+    defaultValue: ${#env('AWS_ACCOUNT_ID')}
+
+steps:
+  - progress: Loading latest static scan
+  - requests:
+    - name: artifacts
+      uri:  /api/v1/projectVersions/${parameters.appversion.id}/artifacts
+      type: paged
+      query:
+        embed: scans
+      forEach:
+        name: artifact
+        breakIf: ${lastStaticScan!=null}
+        do:
+          - set:
+            - name: lastStaticScan
+              value: ${artifact._embed.scans?.^[type=='SCA']}
+  - progress: Processing issue data
+  - requests:
+    - name: issues
+      uri: /api/v1/projectVersions/${parameters.appversion.id}/issues
+      query:
+        filter: ISSUE[11111111-1111-1111-1111-111111111151]:SCA
+        filterset: ${parameters.filterset.guid}
+        limit: ${parameters['page-size']}
+      pagingProgress:
+        postPageProcess: Processed ${totalIssueCount?:0} of ${issues_raw.count} issues
+      forEach:
+        name: issue
+        embed:
+          - name: details
+            uri: /api/v1/issueDetails/${issue.id}
+        do:
+          - append:
+            - name: vulnerabilities
+              valueTemplate: issues
+  - write:
+    - to: ${parameters.file}
+      valueTemplate: aws-sast-report
+    - if: ${parameters.file!='stdout'}
+      to: stdout
+      value: |
+        Output written to ${parameters.file}
+
+valueTemplates:
+  - name: aws-sast-report
+    contents:
+      issues: ${vulnerabilities?:{}}
+      
+  - name: issues
+    contents:
+      SchemaVersion: 2018-10-08
+      id: ${parameters.appversion.id}-${issue.id}
+      ProductArn: "arn:aws:securityhub:${parameters['aws-region']}:${parameters['aws-account']}:product/${parameters['aws-account']}/default"
+      GeneratorId: "arn:aws:securityhub:${parameters['aws-region']}:${parameters['aws-account']}:product/${parameters['aws-account']}/default"
+      ProductName: 'Fortify SAST'
+      CompanyName: OpenText
+      Types: 
+        - Software and Configuration Checks/Vulnerabilities/CVE
+      CreatedAt: ${#formatDateTime("yyyy-MM-dd'T'HH:mm:ss'Z'", lastStaticScan?.uploadDate?:'1970-01-01T00:00:00Z')}
+      UpdatedAt: ${#formatDateTime("yyyy-MM-dd'T'HH:mm:ss'Z'", lastStaticScan?.uploadDate?:'1970-01-01T00:00:00Z')}
+      Severity: 
+        Label: ${(issue.friority matches "(Critical|High|Medium|Low)") ? issue.friority.toUpperCase():"LOW"}
+        Original: ${issue.friority}
+      Title: ${issue.issueName}
+      Description: ${#abbreviate(#htmlToText(issue.details?.brief), 510)}
+      Remediation:
+        Recommendation:
+          Text: ${#abbreviate(#htmlToText(issue.details?.recommendation), 510)}
+          Url: ${#ssc.appversionBrowserUrl(parameters.appversion)}
+      ProductFields:
+        Product Name: 'Fortify SAST'
+        'aws/securityhub/CompanyName': OpenText
+        'aws/securityhub/ProductName': 'Fortify SAST'
+      Resources:
+        - Type: Application
+          Id: ${parameters.appversion.id}-${issue.id}
+          Partition: aws
+          Region: ${parameters['aws-region']}
+          Details:
+            Other:
+                APPLICATION ID: ${parameters.appversion.project.id+''}
+                APPLICATION NAME: ${parameters.appversion.project.name}
+                APPLICATION VERSION ID: ${parameters.appversion.id+''}
+                APPLICATION VERSION NAME: ${parameters.appversion.name}
+                PRIMARY LOCATION:  ${issue.fullFileName}
+                LINE NUMBER: ${issue.lineNumber+''}
+                INSTANCE ID: ${issue.issueInstanceId}
+      RecordState: ACTIVE
\ No newline at end of file