├── .github └── workflows │ ├── ci.yml │ ├── fod_scan.yml │ └── update-repo-docs.yml ├── .gitignore ├── CHANGELOG.md ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── FortifyVulnerabilityExporter-api ├── build.gradle └── src │ └── main │ └── java │ └── com │ └── fortify │ ├── util │ ├── config │ │ └── loader │ │ │ ├── IConfigLoader.java │ │ │ ├── IEnvironmentSupplier.java │ │ │ ├── IValidatorSupplier.java │ │ │ └── StandardConfigLoader.java │ ├── grouping │ │ └── Grouping.java │ └── spring │ │ ├── environment │ │ └── FortifyEnvironment.java │ │ └── expression │ │ ├── AbstractExpressionMap.java │ │ ├── AbstractExpressionMapEvaluator.java │ │ ├── ExpressionMapToJSONMapEvaluator.java │ │ ├── ExpressionMapToMapEvaluator.java │ │ ├── IExpressionMap.java │ │ ├── SimpleExpressionMap.java │ │ └── TemplateExpressionMap.java │ └── vulnexport │ └── api │ ├── config │ ├── ExportFromConfig.java │ └── ExportToConfig.java │ ├── filter │ ├── FilterConfig.java │ ├── FilterPredicate.java │ ├── IConfigWithFilter.java │ └── QueryBuilderFilterHelper.java │ └── vuln │ ├── IVulnerabilityAccessor.java │ ├── StandardVulnerabilityAccessor.java │ ├── consumer │ ├── CompositeVulnerabilityConsumer.java │ ├── IVulnerabilityConsumer.java │ ├── IVulnerabilityConsumerContext.java │ ├── IVulnerabilityConsumerFactory.java │ ├── StandardVulnerabilityConsumerContext.java │ └── active │ │ └── ActiveVulnerabilityConsumerFactory.java │ └── loader │ ├── CompositeVulnerabilityLoader.java │ ├── IVulnerabilityLoader.java │ ├── IVulnerabilityLoaderContext.java │ ├── IVulnerabilityLoaderFactory.java │ ├── StandardVulnerabilityLoaderContext.java │ └── active │ └── ActiveVulnerabilityLoaderFactory.java ├── FortifyVulnerabilityExporter-plugin-from-fod ├── build.gradle └── src │ └── main │ └── java │ └── com │ └── fortify │ └── vulnexport │ └── from │ └── fod │ ├── FromFoDVulnerabilityLoader.java │ ├── FromFoDVulnerabilityLoaderConfig.java │ └── FromFoDVulnerabilityLoaderFactory.java ├── 
FortifyVulnerabilityExporter-plugin-from-ssc ├── build.gradle └── src │ └── main │ └── java │ └── com │ └── fortify │ └── vulnexport │ └── from │ └── ssc │ ├── FromSSCVulnerabilityLoader.java │ ├── FromSSCVulnerabilityLoaderConfig.java │ └── FromSSCVulnerabilityLoaderFactory.java ├── FortifyVulnerabilityExporter-plugin-raw ├── build.gradle └── src │ └── main │ └── java │ └── com │ └── fortify │ └── vulnexport │ ├── from │ └── raw │ │ ├── FromRawVulnerabilityLoader.java │ │ ├── FromRawVulnerabilityLoaderConfig.java │ │ └── FromRawVulnerabilityLoaderFactory.java │ └── to │ └── raw │ ├── ToRawVulnerabilityConsumer.java │ ├── ToRawVulnerabilityConsumerConfig.java │ └── ToRawVulnerabilityConsumerFactory.java ├── FortifyVulnerabilityExporter-plugin-to-csv ├── build.gradle └── src │ └── main │ └── java │ └── com │ └── fortify │ └── vulnexport │ └── to │ └── csv │ ├── ToCsvVulnerabilityConsumer.java │ ├── ToCsvVulnerabilityConsumerConfig.java │ └── ToCsvVulnerabilityConsumerFactory.java ├── FortifyVulnerabilityExporter-plugin-to-json ├── build.gradle └── src │ └── main │ ├── java │ └── com │ │ └── fortify │ │ └── vulnexport │ │ └── to │ │ └── json │ │ ├── ToJsonVulnerabilityConsumer.java │ │ ├── ToJsonVulnerabilityConsumerConfig.java │ │ ├── ToJsonVulnerabilityConsumerFactory.java │ │ └── vuln │ │ ├── formatter │ │ ├── JsonFormatter.java │ │ └── JsonFormatterConfig.java │ │ └── mapper │ │ ├── VulnerabilityMapper.java │ │ └── VulnerabilityMapperConfig.java │ └── resources │ └── pluginConfig │ ├── json-aws-fod-sast.yml │ ├── json-aws-ssc-sast.yml │ ├── json-bitbucket-fod-sast.yml │ ├── json-bitbucket-ssc-sast.yml │ ├── json-github-fod-sast.yml │ ├── json-github-ssc-sast.yml │ ├── json-gitlab-fod-dast.yml │ ├── json-gitlab-fod-sast.yml │ ├── json-gitlab-ssc-dast.yml │ ├── json-gitlab-ssc-debricked.yml │ ├── json-gitlab-ssc-sast.yml │ ├── json-gitlab-ssc-sonatype.yml │ ├── json-raw-fod.yml │ ├── json-raw-ssc.yml │ ├── json-sonarqube-fod-sast.yml │ └── 
json-sonarqube-ssc-sast.yml ├── FortifyVulnerabilityExporter-spi-from ├── build.gradle └── src │ └── main │ └── java │ └── com │ └── fortify │ └── vulnexport │ └── spi │ └── source │ └── vuln │ └── loader │ ├── AbstractVulnerabilityLoader.java │ └── AbstractVulnerabilityLoaderFactory.java ├── FortifyVulnerabilityExporter-spi-to ├── build.gradle └── src │ └── main │ └── java │ └── com │ └── fortify │ └── vulnexport │ └── spi │ └── target │ └── vuln │ └── consumer │ ├── AbstractVulnerabilityConsumer.java │ ├── AbstractVulnerabilityConsumerFactory.java │ ├── FilteringConsumer.java │ └── to │ ├── file │ ├── AbstractToFileVulnerabilityConsumer.java │ ├── FileOutputConfig.java │ └── stream │ │ ├── AbstractToFileStreamVulnerabilityConsumer.java │ │ └── MultiOutputStreamFactory.java │ ├── json │ ├── AbstractToJsonVulnerabilityConsumer.java │ └── JsonOutputConfig.java │ └── output │ └── AbstractToOutputVulnerabilityConsumer.java ├── LICENSE.txt ├── README.md ├── USAGE.md ├── build.gradle ├── config ├── FoDToAWS.yml ├── FoDToBitBucket.yml ├── FoDToCSV.yml ├── FoDToGitHub.yml ├── FoDToGitLab.yml ├── FoDToGitLabDAST.yml ├── FoDToGitLabSAST.yml ├── FoDToJsonCustom.yml ├── FoDToJsonRaw.yml ├── FoDToSonarQube.yml ├── SSCToAWS.yml ├── SSCToBitBucket.yml ├── SSCToCSV.yml ├── SSCToGitHub.yml ├── SSCToGitLab.yml ├── SSCToGitLabDAST.yml ├── SSCToGitLabDebricked.yml ├── SSCToGitLabSAST.yml ├── SSCToGitLabSonatype.yml ├── SSCToJsonCustom.yml ├── SSCToJsonRaw.yml └── SSCToSonarQube.yml ├── doc-resources ├── repo-devinfo.md ├── repo-intro.md ├── repo-resources.md ├── repo-usage.md ├── template-values.md └── update-repo-docs.sh ├── fortify-scan.sh ├── gradle └── wrapper │ ├── gradle-wrapper.jar │ └── gradle-wrapper.properties ├── gradlew ├── gradlew.bat ├── settings.gradle ├── src └── main │ ├── java │ └── com │ │ └── fortify │ │ ├── util │ │ └── spring │ │ │ └── boot │ │ │ ├── container │ │ │ └── PopulateContainerDirs.java │ │ │ ├── env │ │ │ └── plugin │ │ │ │ └── 
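PluginConfigEnvironmentPostProcessor.java │ │ │ └── scheduler │ │ │ ├── BasicSchedulableRunnerFactory.java │ │ │ ├── ISchedulableRunner.java │ │ │ ├── ISchedulableRunnerFactory.java │ │ │ └── RunOrSchedule.java │ │ └── vulnexport │ │ ├── FortifyVulnerabilityExporter.java │ │ ├── FortifyVulnerabilityExporterExpressionHelper.java │ │ ├── FortifyVulnerabilityExporterRunnerConfig.java │ │ └── FortifyVulnerabilityExporterRunnerFactory.java │ ├── jib │ ├── config │ │ └── .empty │ └── export │ │ └── .empty │ └── resources │ ├── META-INF │ └── spring.factories │ ├── application.yml │ ├── banner.txt │ └── loader.properties └── version.txt /.github/workflows/fod_scan.yml: --------------------------------------------------------------------------------
# Runs a Fortify on Demand SAST scan of this repository and imports the results
# into GitHub Code Scanning. Triggered manually or on every push to main; it is
# deliberately not run on pull_request, so the OSS_FOD_* secrets are never
# exposed to workflows started from forks.
on:
  workflow_dispatch:
  push:
    branches: [main]

name: FoD scan

# Least-privilege GITHUB_TOKEN for this job. Without an explicit block the
# token may carry repository-wide write access (depends on the repo/org
# default). checkout only needs contents: read; upload-sarif needs
# security-events: write (private repositories additionally need actions: read).
permissions:
  contents: read
  security-events: write

jobs:
  FoD-SAST-Scan-And-Import:
    runs-on: ubuntu-latest

    steps:
      # NOTE(review): every third-party action below is referenced by a mutable
      # major-version tag (@v1/@v2). Pinning each `uses:` to a full commit SHA
      # (with the tag in a trailing comment) protects against a moved or
      # compromised tag; no SHAs are given here because they must be taken
      # from the respective upstream repositories.
      - name: Check Out Source Code
        uses: actions/checkout@v2

      - name: Setup Java
        uses: actions/setup-java@v1
        with:
          java-version: 11

      - name: Download Fortify ScanCentral Client
        uses: fortify/gha-setup-scancentral-client@v1
        with:
          version: 21.2.0
      - name: Package Code + Dependencies
        run: scancentral package -bt gradle -o package.zip

      - name: Download Fortify on Demand Universal CI Tool
        uses: fortify/gha-setup-fod-uploader@v1
      - name: Perform SAST Scan
        # FOD_PAT is passed to the uploader as a positional command-line argument
        # (the uploader's -uc syntax). GitHub masks the secret in the job log, but
        # command-line arguments are visible to any process on the runner via the
        # process list. That is acceptable on an ephemeral hosted runner; revisit
        # before moving this job to a shared self-hosted runner.
        run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_AURL -purl $FOD_PURL -rid $FOD_RELEASE_ID -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS
        env:
          FOD_AURL: ${{ secrets.OSS_FOD_API_URL }}
          FOD_PURL: ${{ secrets.OSS_FOD_BASE_URL }}
          FOD_TENANT: ${{ secrets.OSS_FOD_TENANT }}
          FOD_USER: ${{ secrets.OSS_FOD_USER }}
          FOD_PAT: ${{ secrets.OSS_FOD_PAT }}
          FOD_RELEASE_ID: ${{ secrets.OSS_FOD_RELEASE_ID }}
          # -ep 2 / -pp 0 / -I 1 / -apf: uploader options; meaning not documented
          # here — see the FoD uploader help before changing them.
          FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf"

      - name: Export results to GitHub-optimized SARIF
        uses: fortify/gha-export-vulnerabilities@v1
        with:
          fod_base_url: ${{ secrets.OSS_FOD_BASE_URL }}
          fod_tenant: ${{ secrets.OSS_FOD_TENANT }}
          fod_user: ${{ secrets.OSS_FOD_USER }}
          # The PAT is accepted in the password slot by the export action.
          fod_password: ${{ secrets.OSS_FOD_PAT }}
          fod_release_id: ${{ secrets.OSS_FOD_RELEASE_ID }}

      - name: Import results to GitHub Security Code Scanning
        uses: github/codeql-action/upload-sarif@v1
        with:
          # File name produced by the export step above; .sarif is git-ignored.
          sarif_file: ./gh-fortify-sast.sarif
 -------------------------------------------------------------------------------- /.github/workflows/update-repo-docs.yml: --------------------------------------------------------------------------------
# Regenerates the repository documentation from the shared Fortify doc
# templates: manually, nightly, and on every push to main.
name: update-repo-docs

on:
  workflow_dispatch:
  schedule:
    - cron: '5 4 * * *'
  push:
    branches:
      - main

jobs:
  update-repo-docs:
    # NOTE(review): reusable workflow pulled from a mutable branch ref (@main)
    # on a daily schedule, so whatever lands on that branch runs here unreviewed.
    # Pinning to a commit SHA (or at least a release tag) of
    # fortify/shared-doc-resources keeps this job reproducible. No secrets are
    # passed (no `secrets: inherit`), which limits the blast radius.
    uses: fortify/shared-doc-resources/.github/workflows/update-repo-docs.yml@main
 -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.csv 2 | *.json 3 | *.sarif 4 | 5 | HELP.md 6 | .gradle 7 | build/ 8 | !gradle/wrapper/gradle-wrapper.jar 9 | !**/src/main/** 10 | !**/src/test/** 11 | 12 | ### STS ### 13 | .apt_generated 14 | .classpath 15 | .factorypath 16 | .project 17 | .settings 18 | .springBeans 19 | .sts4-cache 20 | 21 | ### IntelliJ IDEA ### 22 | .idea 23 | *.iws 24 | *.iml 25 | *.ipr 26 | out/ 27 | 28 | ### NetBeans ### 29 | /nbproject/private/ 30 | /nbbuild/ 31 | /dist/ 32 | /nbdist/ 33 | /.nb-gradle/ 34 | 35 | ### VS Code ### 36 | .vscode/ 37 | bin/ 38 | 39 | ### Sample scans & logs ### 40 | samples/**/scans/** 41 | samples/**/logs/** 42 | 43 | *.fpr 44 | FortifyImportExportUtility-common/lombok.config FortifyImportExportUtility-common-from/lombok.config FortifyImportExportUtility-common-to/lombok.config FortifyImportExportUtility-from-fod-plugin/lombok.config 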
FortifyImportExportUtility-from-mock-plugin/lombok.config FortifyImportExportUtility-from-ssc-plugin/lombok.config FortifyImportExportUtility-to-file-plugin/lombok.config FortifyImportExportUtility-to-mock-plugin/lombok.config 45 | lombok.config 46 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Contributor Covenant Code of Conduct 2 | 3 | ## Our Pledge 4 | We as contributors and maintainers pledge to make participation in our project and community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity 5 | and orientation. We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive, and healthy community. 
6 | 7 | ## Our Standards 8 | Examples of behavior that contributes to a positive environment for our community include: 9 | 10 | * Demonstrating empathy and kindness toward other people 11 | * Being respectful of differing opinions, viewpoints, and experiences 12 | * Giving and gracefully accepting constructive feedback 13 | * Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience 14 | * Focusing on what is best not just for us as individuals, but for the overall community 15 | 16 | Examples of unacceptable behavior include: 17 | 18 | * The use of sexualized language or imagery, and sexual attention or advances of any kind 19 | * Trolling, insulting or derogatory comments, and personal or political attacks 20 | * Public or private harassment 21 | * Publishing others’ private information, such as a physical or email address, without their explicit permission 22 | * Other conduct which could reasonably be considered inappropriate in a professional setting 23 | 24 | ## Enforcement Responsibilities 25 | Project maintainers are responsible for clarifying and enforcing our standards of acceptable behavior and will take appropriate and fair corrective action in response to any behavior that they deem inappropriate, threatening, offensive, 26 | or harmful. Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful. 27 | 28 | ## Scope 29 | This Code of Conduct applies within all community spaces, and also applies when an individual is officially representing the community in public spaces. 
Examples of representing our community include using an official e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. 30 | 31 | ## Enforcement 32 | Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the project maintainers. All complaints will be reviewed and investigated promptly and fairly. The project maintainers are obligated to respect the privacy and security of the reporter of any incident. 33 | 34 | ## Attribution 35 | This Code of Conduct is adapted from the Contributor Covenant, version 2.0, available at https://www.contributor-covenant.org/version/2/0/code_of_conduct.html. Community Impact Guidelines were inspired by Mozilla’s code of conduct enforcement ladder. For answers to common questions about this code of conduct, see the FAQ at https://www.contributor-covenant.org/faq. Translations are available at https://www.contributor-covenant.org/translations. 36 | 37 | --- 38 | 39 | *[This document was auto-generated from CODE_OF_CONDUCT.template.md; do not edit by hand](https://github.com/fortify/shared-doc-resources/blob/main/USAGE.md)* 40 | -------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-api/build.gradle: -------------------------------------------------------------------------------- 1 | /* Build script for the FortifyVulnerabilityExporter API module: a plain java-library with Lombok; all dependencies are compileOnly, i.e. they are expected on the classpath of the consuming application/plugin at runtime. */ plugins { 2 | id 'java-library' 3 | id "io.freefair.lombok" 4 | } 5 | 6 | description = 'FortifyVulnerabilityExporter API' 7 | 8 | dependencies { /* NOTE(review): no versions are declared here, so they presumably come from dependency management in the root build.gradle (not shown) — confirm. The two com.fortify.client.api artifacts are marked changing = true, which makes Gradle re-resolve them on every build (snapshot-style). That trades reproducibility for freshness and means an upstream republish silently changes what this module compiles against; prefer a fixed release version, or at least a dependency lock, unless the artifacts are served from a repository you control. */ 9 | compileOnly('com.fortify.client.api:common-spring') { changing = true } 10 | compileOnly('com.fortify.client.api:common-rest') { changing = true } 11 | compileOnly 'org.springframework.boot:spring-boot' 12 | compileOnly 'commons-lang:commons-lang' 13 | compileOnly 'com.google.code.findbugs:jsr305' 14 | compileOnly 'javax.validation:validation-api' 15 | } 16 | -------------------------------------------------------------------------------- 
/FortifyVulnerabilityExporter-api/src/main/java/com/fortify/util/config/loader/IConfigLoader.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 24 | ******************************************************************************/ 25 | package com.fortify.util.config.loader; 26 | 27 | import org.springframework.core.env.ConfigurableEnvironment; 28 | 29 | /** 30 | * The {@link #loadConfig(String, Class)} method defined by this interface allows for 31 | * loading configuration data from a configured {@link ConfigurableEnvironment} instance. 
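32 | * 33 | * @author Ruud Senden 34 | * 35 | */
public interface IConfigLoader {

    /**
     * Load a configuration object of the given type from the given property.
     * Per the class-level Javadoc, the data is read from the
     * {@link ConfigurableEnvironment} the implementation is configured with.
     * (The type parameter had been lost from this declaration; restored here.)
     *
     * @param <C> Configuration object type
     * @param propertyName from which to load configuration data
     * @param returnType specifies the configuration object class
     * @return Configuration object
     */
    public <C> C loadConfig(String propertyName, Class<C> returnType);
} -------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-api/src/main/java/com/fortify/util/config/loader/IEnvironmentSupplier.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. 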
IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 24 | ******************************************************************************/ 25 | package com.fortify.util.config.loader; 26 | 27 | import org.springframework.core.env.ConfigurableEnvironment; 28 |
/**
 * Gives access to a Spring {@link ConfigurableEnvironment} through
 * {@link #getEnvironment()}; implementations simply expose the environment
 * instance they hold.
 *
 * @author Ruud Senden
 */
public interface IEnvironmentSupplier {
    /**
     * @return the {@link ConfigurableEnvironment} held by this supplier
     */
    ConfigurableEnvironment getEnvironment();
} -------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-api/src/main/java/com/fortify/util/config/loader/IValidatorSupplier.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 
14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 24 | ******************************************************************************/ 25 | package com.fortify.util.config.loader; 26 | 27 | import javax.validation.Validator; 28 |
/**
 * Gives access to a Bean Validation {@link Validator} through
 * {@link #getValidator()}; implementations simply expose the validator
 * instance they hold. Presumably used to validate loaded configuration
 * objects (see IConfigLoader) — confirm against the implementation.
 *
 * @author Ruud Senden
 */
public interface IValidatorSupplier {
    /**
     * @return the {@link Validator} held by this supplier
     */
    Validator getValidator();
} -------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-api/src/main/java/com/fortify/util/spring/expression/AbstractExpressionMapEvaluator.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and 
this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 24 | ******************************************************************************/ 25 | package com.fortify.util.spring.expression; 26 | 27 | import java.util.Map; 28 | import java.util.function.Function; 29 | 30 | import lombok.RequiredArgsConstructor; 31 | 32 | /** 33 | * This abstract class provides functionality for mapping some input object to some output object by 34 | * evaluating expressions contained in the configured {@link IExpressionMap} instance. 
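35 | * 36 | * @author Ruud Senden 37 | * 38 | * @param <T> Target type 39 | * @param <V> Value type 40 | */
@RequiredArgsConstructor
public abstract class AbstractExpressionMapEvaluator<T, V> {
    /** Property name -> expression pairs to evaluate; injected via the Lombok-generated constructor. */
    private final IExpressionMap expressionMap;

    /**
     * Evaluate every included expression of the configured map against {@code input}
     * and collect the results into a fresh result object.
     * (The class type parameters had been lost from this listing; restored here.)
     * <p>
     * Security note: the expression strings come from {@code expressionMap}, i.e. from
     * this tool's own configuration, while {@code input} is only the evaluation root.
     * Keep untrusted data (vulnerability contents fetched from FoD/SSC) on the input
     * side; it must never be used to build the expression string itself, because the
     * engine behind {@link IExpressionMap#evaluateExpression} — presumably Spring SpEL,
     * given this package — would execute it.
     *
     * @param input object the expressions are evaluated on
     * @return result created by {@link #createEmptyResult()} and filled through
     *         {@link #addToResult(Object, String, Object)}
     */
    public final T evaluate(Object input) {
        T result = createEmptyResult();
        Function<String, V> valueMapper = expression ->
            expressionMap.evaluateExpression(input, expression, getEvaluatedValueType());
        for (Map.Entry<String, String> entry : expressionMap.entrySet()) {
            String key = entry.getKey();
            // Surrounding whitespace in a configured expression is not significant.
            String expression = entry.getValue().trim();
            // The map may suppress individual properties for a particular input.
            if (expressionMap.isIncluded(key, input)) {
                addToResult(result, key, valueMapper.apply(expression));
            }
        }
        return result;
    }

    /**
     * Subclasses must implement this method to create a new (empty) result object
     * @return New result instance
     */
    protected abstract T createEmptyResult();

    /**
     * Subclasses must implement this method to return the value type to which expressions will be evaluated
     * @return Value type
     */
    protected abstract Class<V> getEvaluatedValueType();

    /**
     * Subclasses must implement this method to add the evaluated value to the given result under the given property name
     * @param result to which the evaluated value is to be added
     * @param propertyName under which the evaluated value should be added
     * @param evaluatedValue to be added to the result
     */
    protected abstract void addToResult(T result, String propertyName, V evaluatedValue);
}
 -------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-api/src/main/java/com/fortify/util/spring/expression/ExpressionMapToJSONMapEvaluator.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its 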
affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 24 | ******************************************************************************/ 25 | package com.fortify.util.spring.expression; 26 | 27 | import java.util.regex.Pattern; 28 | 29 | import com.fortify.util.rest.json.JSONMap; 30 | 31 | /** 32 | * {@link AbstractExpressionMapEvaluator} implementation that adds evaluated properties to 33 | * a {@link JSONMap}. 
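34 | * 35 | * @author Ruud Senden 36 | * 37 | */
public class ExpressionMapToJSONMapEvaluator extends AbstractExpressionMapEvaluator<JSONMap, Object> {
    // Matches a numeric path segment enclosed by dots, e.g. the ".0." in "a.b.0.c".
    private final Pattern arrayProperty = Pattern.compile("\\.(\\d+)\\.");
    // Rewrites that segment to index notation, keeping the trailing dot: "[0]."
    private final String arrayPropertyReplacement = "[$1].";

    /**
     * @param expressionMap property name -> expression pairs to evaluate
     *        (type arguments had been lost from this listing; restored here)
     */
    public ExpressionMapToJSONMapEvaluator(IExpressionMap expressionMap) {
        super(expressionMap);
    }

    /** @return a new, empty {@link JSONMap} */
    @Override
    protected JSONMap createEmptyResult() {
        return new JSONMap();
    }

    /** @return {@code Object.class}: values are stored as whatever the expression yields */
    @Override
    protected Class<Object> getEvaluatedValueType() {
        return Object.class;
    }

    /**
     * Store the evaluated value under a nested path in the result.
     * <p>
     * NOTE(review): only an index that has a dot on both sides is rewritten. A trailing
     * index ({@code a.b.0}) and the second of two consecutive indices ({@code a.0.1.b}:
     * the regex consumes the dot shared with the first match) are passed to
     * {@code putPath} unchanged. Presumably acceptable for how JSONMap.putPath treats
     * such paths — confirm if nested arrays or trailing indices are ever configured.
     *
     * @param result {@link JSONMap} to add to
     * @param propertyName dotted property name from the expression map
     * @param evaluatedValue value to store
     */
    @Override
    protected void addToResult(JSONMap result, String propertyName, Object evaluatedValue) {
        // Convert properties of the form a.b.0.c.d to property path a.b[0].c.d
        String propertyPath = arrayProperty.matcher(propertyName).replaceAll(arrayPropertyReplacement);
        result.putPath(propertyPath, evaluatedValue);
    }
}
 -------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-api/src/main/java/com/fortify/util/spring/expression/ExpressionMapToMapEvaluator.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the 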
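Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 24 | ******************************************************************************/ 25 | package com.fortify.util.spring.expression; 26 | 27 | import java.util.LinkedHashMap; 28 | import java.util.Map; 29 |
/**
 * {@link AbstractExpressionMapEvaluator} implementation that adds evaluated properties to
 * a {@link Map}, keyed by the (dotted) property name exactly as configured; unlike the
 * JSONMap variant no path conversion is applied. Type arguments had been lost from this
 * listing and are restored here.
 *
 * @author Ruud Senden
 */
public class ExpressionMapToMapEvaluator extends AbstractExpressionMapEvaluator<Map<String, Object>, Object> {
    /** @param expressionMap property name -> expression pairs to evaluate */
    public ExpressionMapToMapEvaluator(IExpressionMap expressionMap) {
        super(expressionMap);
    }

    /** @return a new, empty map that preserves insertion (i.e. configuration) order */
    @Override
    protected Map<String, Object> createEmptyResult() {
        return new LinkedHashMap<>();
    }

    /** @return {@code Object.class}: values are stored as whatever the expression yields */
    @Override
    protected Class<Object> getEvaluatedValueType() {
        return Object.class;
    }

    /**
     * @param result map to add to
     * @param propertyName key under which the value is stored, unchanged
     * @param evaluatedValue value to store
     */
    @Override
    protected void addToResult(Map<String, Object> result, String propertyName, Object evaluatedValue) {
        result.put(propertyName, evaluatedValue);
    }
}
 -------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-api/src/main/java/com/fortify/util/spring/expression/IExpressionMap.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining 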
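a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 24 | ******************************************************************************/ 25 | package com.fortify.util.spring.expression; 26 | 27 | import java.util.Map; 28 |
/**
 * This interface represents a {@link Map} containing property names and expressions,
 * adding methods for evaluating the expressions contained in this map, and for determining
 * whether a given property should be included in any evaluation results.
 *
 * Concrete implementations of this interface are commonly used for transforming data,
 * for example by evaluating a set of expressions on some JSON input object.
 *
 * Security note: map values are expression source that the implementation executes;
 * they are meant to come from configuration, never from the data being transformed.
 * (Type arguments had been lost from this listing; restored here.)
 *
 * @author Ruud Senden
 */
public interface IExpressionMap extends Map<String, String> {
    /**
     * Evaluate the given expression on the given input, returning the given return type.
     * @param <V> Return type
     * @param input for evaluating the given expression
     * @param expression to be evaluated on the given input
     * @param returnType of the expression; conversion will be applied if needed
     * @return expression evaluation result
     */
    public <V> V evaluateExpression(Object input, String expression, Class<V> returnType);

    /**
     * Based on the given input, determine whether the given propertyName should be included
     * in the results.
     * @param propertyName to be checked
     * @param input for which to check whether the key should be included
     * @return true if the key should be included, false otherwise
     */
    public boolean isIncluded(String propertyName, Object input);
}
 -------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-api/src/main/java/com/fortify/util/spring/expression/SimpleExpressionMap.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 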
*
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.util.spring.expression;

import com.fortify.util.spring.expression.helper.DefaultExpressionHelper;

/**
 * This {@link AbstractExpressionMap} implementation maps property names to
 * simple SpEL expressions. For each property name, a corresponding
 * [propertyName]__includeIf__ key may be present to specify a condition for
 * including the property name in any evaluation results.
 *
 * @author Ruud Senden
 *
 */
public class SimpleExpressionMap extends AbstractExpressionMap {
    private static final long serialVersionUID = 1L;

    /**
     * Evaluate the given simple (non-template) SpEL expression on the given input,
     * delegating to the shared {@link DefaultExpressionHelper} instance.
     * @param <V> Return type
     * @param input object to evaluate the expression on
     * @param expression simple SpEL expression
     * @param returnType type to convert the evaluation result to
     * @return evaluation result, converted to the requested type
     */
    @Override
    public <V> V evaluateExpression(Object input, String expression, Class<V> returnType) {
        final V evaluated = DefaultExpressionHelper.get()
                .evaluateSimpleExpression(input, expression, returnType);
        return evaluated;
    }
}
--------------------------------------------------------------------------------
/FortifyVulnerabilityExporter-api/src/main/java/com/fortify/util/spring/expression/TemplateExpressionMap.java:
--------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
******************************************************************************/
package com.fortify.util.spring.expression;

import com.fortify.util.spring.expression.helper.DefaultExpressionHelper;

/**
 * This {@link AbstractExpressionMap} implementation maps property names to
 * SpEL template expressions. For each property name, a corresponding
 * [propertyName]__includeIf__ key may be present to specify a condition for
 * including the property name in any evaluation results. Note that these [propertyName]__includeIf__
 * keys should use simple SpEL expressions, rather than template expressions.
 *
 * @author Ruud Senden
 *
 */
public class TemplateExpressionMap extends AbstractExpressionMap {
    private static final long serialVersionUID = 1L;

    /**
     * Evaluate the given SpEL template expression on the given input, delegating to
     * the shared {@link DefaultExpressionHelper} instance.
     * @param <V> Return type
     * @param input object to evaluate the template expression on
     * @param expression SpEL template expression
     * @param returnType type to convert the evaluation result to
     * @return evaluation result, converted to the requested type
     */
    @Override
    public <V> V evaluateExpression(Object input, String expression, Class<V> returnType) {
        final V evaluated = DefaultExpressionHelper.get()
                .evaluateTemplateExpression(input, expression, returnType);
        return evaluated;
    }
}
--------------------------------------------------------------------------------
/FortifyVulnerabilityExporter-api/src/main/java/com/fortify/vulnexport/api/config/ExportFromConfig.java:
--------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
******************************************************************************/
package com.fortify.vulnexport.api.config;

import lombok.Data;

/**
 * This configuration class defines the {@link #from} property used to specify which plugin
 * should be used to load vulnerability data from. Getters, setters, equals/hashCode and
 * toString are generated by Lombok's {@link Data}.
 *
 * @author Ruud Senden
 *
 */
@Data
public class ExportFromConfig {
    /**
     * Specify which plugin to use to load vulnerability data from the source system,
     * for example 'fod' or 'ssc'. The value is matched against the plugin name; see
     * {@code IVulnerabilityConsumerContext#getVulnerabilityLoaderPluginName()} for
     * where the selected name is exposed to consumers.
     */
    private String from;
}
--------------------------------------------------------------------------------
/FortifyVulnerabilityExporter-api/src/main/java/com/fortify/vulnexport/api/config/ExportToConfig.java:
--------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.vulnexport.api.config;

import java.util.List;

import lombok.Data;

/**
 * This configuration class defines the {@link #to} property used to specify which plugins
 * should be used to consume vulnerability data. Getters, setters, equals/hashCode and
 * toString are generated by Lombok's {@link Data}.
 *
 * @author Ruud Senden
 *
 */
@Data
public class ExportToConfig {
    /**
     * Specify which plugins to use to consume vulnerability data from the source system,
     * together with an optional configuration name, for example `csv` or `json.raw`.
     * Each entry is a plugin name, optionally followed by a dot and a configuration name;
     * the list may be null when no consumers are configured.
     */
    private List<String> to;
}
--------------------------------------------------------------------------------
/FortifyVulnerabilityExporter-api/src/main/java/com/fortify/vulnexport/api/filter/FilterConfig.java:
--------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of
the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.vulnexport.api.filter;

import java.util.List;

import com.fortify.util.spring.expression.SimpleExpression;

import lombok.Data;

/**
 * This configuration class defines generic filtering criteria. The expressions are
 * evaluated by {@link FilterPredicate}; an input object passes the filter only if every
 * expression evaluates to true for it.
 *
 * Filter expressions are SpEL expressions and run with the capabilities of code, so this
 * configuration is part of the exporter's trusted input; it must not be populated from
 * the vulnerability data being exported or from other untrusted sources.
 *
 * @author Ruud Senden
 *
 */
@Data
public class FilterConfig {
    /**
     * Configure a list of SpEL expressions to be used for filtering. Each expression
     * is evaluated with a {@link Boolean} result type; may be null when no filter
     * expressions have been configured.
     */
    private List<SimpleExpression> expressions;

    /**
     * Alias for {@link #setExpressions(List)}; presumably present so that configuration
     * files can use the shorter 'expr' key (the binding mechanism is not visible here).
     * @param expressions used for filtering
     */
    public void setExpr(List<SimpleExpression> expressions) {
        setExpressions(expressions);
    }
}
--------------------------------------------------------------------------------
/FortifyVulnerabilityExporter-api/src/main/java/com/fortify/vulnexport/api/filter/FilterPredicate.java:
--------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use,
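copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.vulnexport.api.filter;

import java.util.function.Predicate;

import com.fortify.util.spring.expression.helper.DefaultExpressionHelper;

import lombok.RequiredArgsConstructor;

/**
 * This {@link Predicate} evaluates the filters defined in {@link FilterConfig}.
 * The filter expressions come from configuration and are evaluated by the SpEL-based
 * {@link DefaultExpressionHelper}, so the configuration supplying them is trusted input.
 *
 * @author Ruud Senden
 *
 */
@RequiredArgsConstructor
public class FilterPredicate implements Predicate<Object> {
    private final FilterConfig config;

    /**
     * @param t input object (for example a vulnerability) to evaluate the filter expressions on
     * @return true if the configured {@link FilterConfig} is null, if it defines no expressions,
     *         or if all expressions defined in the {@link FilterConfig} instance evaluate to true
     *         for the given input; false if any expression evaluates to false
     */
    @Override
    public boolean test(Object t) {
        // No filter configuration, or a FilterConfig whose expression list was never set,
        // means nothing is filtered out. The original code dereferenced getExpressions()
        // unconditionally and threw a NullPointerException for the latter case.
        if ( config==null || config.getExpressions()==null ) {
            return true;
        }
        // Evaluate sequentially: allMatch short-circuits on the first false result, the
        // per-input expression list is small, and a sequential stream does not depend on
        // the expression helper being safe to call from fork-join worker threads.
        return config.getExpressions().stream()
                .allMatch(e->DefaultExpressionHelper.get().evaluateExpression(t, e, Boolean.class));
    }

}
--------------------------------------------------------------------------------
/FortifyVulnerabilityExporter-api/src/main/java/com/fortify/vulnexport/api/filter/IConfigWithFilter.java:
--------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.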
******************************************************************************/
package com.fortify.vulnexport.api.filter;

/**
 * Interface used for configuration classes to contain a {@link FilterConfig} instance,
 * so that generic code (for example {@link QueryBuilderFilterHelper}) can obtain the
 * filter settings without knowing the concrete configuration class.
 *
 * @author Ruud Senden
 *
 */
public interface IConfigWithFilter {
    /**
     * @return The {@link FilterConfig} instance; may be null when no filter has been
     *         configured, which callers such as {@link QueryBuilderFilterHelper#addFilter}
     *         treat as "no filtering"
     */
    public FilterConfig getFilter();
}
--------------------------------------------------------------------------------
/FortifyVulnerabilityExporter-api/src/main/java/com/fortify/vulnexport/api/filter/QueryBuilderFilterHelper.java:
--------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.vulnexport.api.filter;

import com.fortify.util.rest.query.AbstractRestConnectionQueryBuilder;

/**
 * This helper class allows for configuring a given {@link AbstractRestConnectionQueryBuilder} instance
 * based on a given {@link FilterConfig} instance. The filter is applied client-side, as a
 * pre-processor on the query results, via {@link FilterPredicate}.
 * @author Ruud Senden
 *
 */
public class QueryBuilderFilterHelper {
    /**
     * Configure the given {@link AbstractRestConnectionQueryBuilder} to filter query results based on the
     * given {@link FilterConfig}. A null {@link FilterConfig} leaves the query builder untouched.
     *
     * @param qb {@link AbstractRestConnectionQueryBuilder} to configure
     * @param filterConfig {@link FilterConfig} instance, or null if no filter is configured
     */
    public static final void addFilter(AbstractRestConnectionQueryBuilder qb, FilterConfig filterConfig) {
        if ( filterConfig==null ) {
            return;
        }
        FilterPredicate filterPredicate = new FilterPredicate(filterConfig);
        qb.preProcessor(filterPredicate::test);
    }
}
--------------------------------------------------------------------------------
/FortifyVulnerabilityExporter-api/src/main/java/com/fortify/vulnexport/api/vuln/IVulnerabilityAccessor.java:
--------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify,
merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.vulnexport.api.vuln;

import java.util.Map;

import com.fortify.util.rest.json.JSONMap;
import com.fortify.vulnexport.api.vuln.consumer.IVulnerabilityConsumerContext;

/**
 * Interface for accessing the current {@link IVulnerabilityConsumerContext}
 * and current vulnerability being processed. Apart from dedicated getters,
 * the current vulnerability and context objects can also be accessed through
 * the {@link Map} interface that {@link IVulnerabilityAccessor} extends from.
 * The key names available through the {@link Map} view are defined by the
 * implementation, not by this interface.
 *
 * @author Ruud Senden
 *
 */
public interface IVulnerabilityAccessor extends Map<String, Object> {
    /**
     * @return the vulnerability currently being processed, as loaded from the source system
     */
    public JSONMap getVuln();

    /**
     * @return the context the current {@code IVulnerabilityConsumer} is running in
     */
    public IVulnerabilityConsumerContext getConsumerContext();
}
--------------------------------------------------------------------------------
/FortifyVulnerabilityExporter-api/src/main/java/com/fortify/vulnexport/api/vuln/consumer/CompositeVulnerabilityConsumer.java:
--------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
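******************************************************************************/
package com.fortify.vulnexport.api.vuln.consumer;

import java.util.Collection;

import com.fortify.vulnexport.api.vuln.IVulnerabilityAccessor;

/**
 * This {@link IVulnerabilityConsumer} implementation delegates all {@link IVulnerabilityConsumer}
 * method calls to each of the {@link IVulnerabilityConsumer} instances contained in the
 * {@link IVulnerabilityConsumer} collection passed to the constructor of this {@link CompositeVulnerabilityConsumer}
 * instance. Delegates are invoked in the iteration order of that collection.
 *
 * @author Ruud Senden
 *
 */
public final class CompositeVulnerabilityConsumer implements IVulnerabilityConsumer {
    private final Collection<IVulnerabilityConsumer> vulnerabilityConsumers;

    /**
     * @param vulnerabilityConsumers consumers to delegate to; the collection is used as-is, not copied
     */
    public CompositeVulnerabilityConsumer(Collection<IVulnerabilityConsumer> vulnerabilityConsumers) {
        this.vulnerabilityConsumers = vulnerabilityConsumers;
    }

    /**
     * Pass the given vulnerability to every delegate. An exception thrown by a delegate
     * propagates immediately, so later delegates do not see this vulnerability.
     * @param input accessor for the vulnerability currently being processed
     */
    @Override
    public void accept(IVulnerabilityAccessor input) {
        for ( IVulnerabilityConsumer consumer : vulnerabilityConsumers ) {
            consumer.accept(input);
        }
    }

    /**
     * Close every delegate. A delegate whose {@link #close()} throws no longer prevents
     * the remaining delegates from being closed: the first exception is remembered, any
     * later ones are attached to it as suppressed exceptions, and it is re-thrown once all
     * delegates have been given the chance to close. Only {@link RuntimeException}s are
     * handled this way, since {@link IVulnerabilityConsumer#close()} declares no checked
     * exceptions; {@link Error}s propagate immediately.
     */
    @Override
    public void close() {
        RuntimeException firstFailure = null;
        for ( IVulnerabilityConsumer consumer : vulnerabilityConsumers ) {
            try {
                consumer.close();
            } catch ( RuntimeException e ) {
                if ( firstFailure==null ) {
                    firstFailure = e;
                } else {
                    firstFailure.addSuppressed(e);
                }
            }
        }
        if ( firstFailure!=null ) {
            throw firstFailure;
        }
    }
}
--------------------------------------------------------------------------------
/FortifyVulnerabilityExporter-api/src/main/java/com/fortify/vulnexport/api/vuln/consumer/IVulnerabilityConsumer.java:
--------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.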
******************************************************************************/
package com.fortify.vulnexport.api.vuln.consumer;

import java.util.function.Consumer;

import com.fortify.vulnexport.api.vuln.IVulnerabilityAccessor;

/**
 * This interface allows for consuming vulnerabilities from some source system.
 * Instances of this interface are created by {@link IVulnerabilityConsumerFactory}
 * instances. The factory will usually pass the {@link IVulnerabilityConsumerContext}
 * provided by the source system to the constructor of the {@link IVulnerabilityConsumer}
 * implementation. The source system implementation will call the {@link #accept(IVulnerabilityAccessor)}
 * method for each individual vulnerability in a given context. Once all vulnerabilities in a
 * given context have been processed, the {@link #close()} method will be called by the source
 * system implementation.
 *
 * @author Ruud Senden
 *
 */
public interface IVulnerabilityConsumer extends Consumer<IVulnerabilityAccessor>, AutoCloseable {
    /**
     * Called once all vulnerabilities in the current context have been passed to
     * {@link #accept(IVulnerabilityAccessor)}. This override narrows the
     * {@link AutoCloseable#close()} contract by dropping its throws clause.
     */
    @Override
    public void close(); // Instances are not allowed to throw checked exceptions
}
--------------------------------------------------------------------------------
/FortifyVulnerabilityExporter-api/src/main/java/com/fortify/vulnexport/api/vuln/consumer/IVulnerabilityConsumerContext.java:
--------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the
Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.vulnexport.api.vuln.consumer;

import java.util.Map;

import com.fortify.util.config.loader.IConfigLoader;
import com.fortify.util.config.loader.IEnvironmentSupplier;
import com.fortify.util.config.loader.IValidatorSupplier;
import com.fortify.util.rest.json.JSONMap;
import com.fortify.vulnexport.api.config.ExportToConfig;

/**
 * This interface provides information about the context that a given
 * {@link IVulnerabilityConsumer} instance is running in. It provides
 * information and callback methods related to the current source system
 * implementation, together with configuration settings. Configuration loading,
 * environment access and validation are inherited from the {@link IConfigLoader},
 * {@link IEnvironmentSupplier} and {@link IValidatorSupplier} super-interfaces.
 *
 * @author Ruud Senden
 *
 */
public interface IVulnerabilityConsumerContext extends IConfigLoader, IEnvironmentSupplier, IValidatorSupplier {
    /**
     * This method returns the name of the plugin that is loading the vulnerabilities.
     * @return Vulnerability loader plugin name
     */
    public String getVulnerabilityLoaderPluginName();

    /**
     * Get the {@link ExportToConfig} instance describing which plugins and configuration names are configured to be active
     * @return {@link ExportToConfig} instance
     */
    public ExportToConfig getExportToConfig();

    /**
     * Get any context objects provided by the plugin that is loading the vulnerabilities.
     * The set of keys is defined by the loader plugin; consumers should not assume a
     * particular key is present.
     * @return {@link Map} containing context objects
     */
    public Map<String, Object> getContextObjects();
}
--------------------------------------------------------------------------------
/FortifyVulnerabilityExporter-api/src/main/java/com/fortify/vulnexport/api/vuln/consumer/IVulnerabilityConsumerFactory.java:
--------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.vulnexport.api.vuln.consumer;

/**
 * Factory contract for target plugins. Every plugin that can consume vulnerability
 * data registers one implementation; the exporter asks each registered factory for an
 * {@link IVulnerabilityConsumer} and keeps only the non-null results.
 *
 * @author Ruud Senden
 */
public interface IVulnerabilityConsumerFactory {
	/**
	 * Decide, from the given context and the plugin's own configuration settings, whether
	 * this consumer is active, and if so build it.
	 *
	 * @param vulnerabilityConsumerContext context the consumer will run in
	 * @return a consumer when this plugin is active for the given context, otherwise
	 *         {@code null}
	 */
	IVulnerabilityConsumer createVulnerabilityConsumer(IVulnerabilityConsumerContext vulnerabilityConsumerContext);
}
-------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-api/src/main/java/com/fortify/vulnexport/api/vuln/consumer/active/ActiveVulnerabilityConsumerFactory.java: --------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
24 | ******************************************************************************/ 25 | package com.fortify.vulnexport.api.vuln.consumer.active; 26 | 27 | import java.util.Collection; 28 | import java.util.List; 29 | import java.util.Objects; 30 | import java.util.stream.Collectors; 31 | 32 | import org.springframework.beans.factory.annotation.Autowired; 33 | import org.springframework.stereotype.Component; 34 | 35 | import com.fortify.vulnexport.api.vuln.consumer.CompositeVulnerabilityConsumer; 36 | import com.fortify.vulnexport.api.vuln.consumer.IVulnerabilityConsumer; 37 | import com.fortify.vulnexport.api.vuln.consumer.IVulnerabilityConsumerContext; 38 | import com.fortify.vulnexport.api.vuln.consumer.IVulnerabilityConsumerFactory; 39 | 40 | /** 41 | * Based on the auto-wired collection of available {@link IVulnerabilityConsumerFactory}, the 42 | * {@link #createVulnerabilityConsumer(IVulnerabilityConsumerContext)} method provides access 43 | * to all active {@link IVulnerabilityConsumer} instances for a given {@link IVulnerabilityConsumerContext}, 44 | * embedded in a {@link CompositeVulnerabilityConsumer} instance. 45 | * 46 | * Note that this class itself doesn't implement the {@link IVulnerabilityConsumerFactory} interface, 47 | * otherwise the injection framework could potentially try to auto-wire this instance to its own collection 48 | * of available factories. 
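*
 * @author Ruud Senden
 *
 */
@Component
public final class ActiveVulnerabilityConsumerFactory {
	// Element type restored: the lambda in createVulnerabilityConsumer calls
	// createVulnerabilityConsumer on each element, which a raw Collection cannot express.
	@Autowired private Collection<IVulnerabilityConsumerFactory> availableVulnerabilityConsumerFactories;

	/**
	 * Asks every available factory for a consumer and bundles the active ones.
	 *
	 * @param vulnerabilityConsumerContext context passed on to each factory
	 * @return a {@link CompositeVulnerabilityConsumer} wrapping every non-null consumer,
	 *         or {@code null} when no factory produced one
	 */
	public IVulnerabilityConsumer createVulnerabilityConsumer(IVulnerabilityConsumerContext vulnerabilityConsumerContext) {
		// A factory signals "not active for this context" by returning null.
		List<IVulnerabilityConsumer> activeVulnerabilityConsumers = availableVulnerabilityConsumerFactories.stream()
				.map(f -> f.createVulnerabilityConsumer(vulnerabilityConsumerContext))
				.filter(Objects::nonNull)
				.collect(Collectors.toList());
		return activeVulnerabilityConsumers.isEmpty() ? null : new CompositeVulnerabilityConsumer(activeVulnerabilityConsumers);
	}
}
-------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-api/src/main/java/com/fortify/vulnexport/api/vuln/loader/CompositeVulnerabilityLoader.java: --------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT.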
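IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.vulnexport.api.vuln.loader;

import java.util.Collection;

/**
 * {@link IVulnerabilityLoader} that fans {@link #run()} out to every loader in the
 * collection supplied at construction, in that collection's iteration order.
 *
 * @author Ruud Senden
 */
public final class CompositeVulnerabilityLoader implements IVulnerabilityLoader {
	// Element type restored (run() relies on each element being an IVulnerabilityLoader);
	// the reference is never reassigned, so the field is final.
	private final Collection<IVulnerabilityLoader> vulnerabilityLoaders;

	/**
	 * @param vulnerabilityLoaders loaders to delegate to; the collection is held by
	 *        reference rather than copied, so changes made by the caller afterwards are
	 *        visible to {@link #run()}
	 */
	public CompositeVulnerabilityLoader(Collection<IVulnerabilityLoader> vulnerabilityLoaders) {
		this.vulnerabilityLoaders = vulnerabilityLoaders;
	}

	/**
	 * Runs each delegate in turn. An exception thrown by one delegate propagates and the
	 * remaining delegates are not run.
	 */
	@Override
	public void run() {
		vulnerabilityLoaders.forEach(IVulnerabilityLoader::run);
	}
}
-------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-api/src/main/java/com/fortify/vulnexport/api/vuln/loader/IVulnerabilityLoaderContext.java: --------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish,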
distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 24 | ******************************************************************************/ 25 | package com.fortify.vulnexport.api.vuln.loader; 26 | 27 | import com.fortify.util.config.loader.IConfigLoader; 28 | import com.fortify.util.config.loader.IEnvironmentSupplier; 29 | import com.fortify.util.config.loader.IValidatorSupplier; 30 | import com.fortify.vulnexport.api.config.ExportFromConfig; 31 | import com.fortify.vulnexport.api.vuln.consumer.IVulnerabilityConsumer; 32 | import com.fortify.vulnexport.api.vuln.consumer.IVulnerabilityConsumerContext; 33 | 34 | /** 35 | * This interface provides information about the context that a given 36 | * {@link IVulnerabilityLoader} instance is running in. It provides 37 | * access to configuration settings and the {@link #createVulnerabilityConsumer(IVulnerabilityConsumerContext)} 38 | * method to create an {@link IVulnerabilityConsumer} instance used to process 39 | * the vulnerabilities. 
*
 * @author Ruud Senden
 *
 */
public interface IVulnerabilityLoaderContext extends IConfigLoader, IEnvironmentSupplier, IValidatorSupplier {
	/**
	 * @return the {@link ExportFromConfig} describing which plugin and configuration
	 *         name is configured to be active
	 */
	ExportFromConfig getExportFromConfig();

	/**
	 * Builds the {@link IVulnerabilityConsumer} that will process the vulnerabilities
	 * produced by the loader running in this context.
	 *
	 * @param vulnerabilityConsumerContext context to create the consumer for
	 * @return {@link IVulnerabilityConsumer} instance
	 */
	IVulnerabilityConsumer createVulnerabilityConsumer(IVulnerabilityConsumerContext vulnerabilityConsumerContext);
}
-------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-api/src/main/java/com/fortify/vulnexport/api/vuln/loader/IVulnerabilityLoaderFactory.java: --------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
*
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.vulnexport.api.vuln.loader;

import org.springframework.lang.Nullable;

/**
 * Factory contract for source plugins. Every plugin that can load vulnerability data
 * from some source system registers one implementation, which decides per context
 * whether it is active and, if so, creates the matching {@link IVulnerabilityLoader}.
 *
 * @author Ruud Senden
 */
public interface IVulnerabilityLoaderFactory {
	/**
	 * Decide, from the given context and the plugin's own configuration settings, whether
	 * this loader is active, and if so build it.
	 *
	 * @param vulnerabilityLoaderContext context the loader will run in
	 * @return a loader when this plugin is active for the given context, otherwise
	 *         {@code null}
	 */
	@Nullable
	IVulnerabilityLoader createVulnerabilityLoader(IVulnerabilityLoaderContext vulnerabilityLoaderContext);
}
-------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-api/src/main/java/com/fortify/vulnexport/api/vuln/loader/active/ActiveVulnerabilityLoaderFactory.java: --------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
24 | ******************************************************************************/ 25 | package com.fortify.vulnexport.api.vuln.loader.active; 26 | 27 | import java.util.Collection; 28 | import java.util.List; 29 | import java.util.Objects; 30 | import java.util.stream.Collectors; 31 | 32 | import org.springframework.beans.factory.annotation.Autowired; 33 | import org.springframework.stereotype.Component; 34 | 35 | import com.fortify.vulnexport.api.vuln.loader.CompositeVulnerabilityLoader; 36 | import com.fortify.vulnexport.api.vuln.loader.IVulnerabilityLoader; 37 | import com.fortify.vulnexport.api.vuln.loader.IVulnerabilityLoaderContext; 38 | import com.fortify.vulnexport.api.vuln.loader.IVulnerabilityLoaderFactory; 39 | 40 | /** 41 | * Based on the auto-wired collection of available {@link IVulnerabilityLoaderFactory}, the 42 | * {@link #createVulnerabilityLoader(IVulnerabilityLoaderContext)} method provides access 43 | * to all active {@link IVulnerabilityLoader} instances for a given {@link IVulnerabilityLoaderContext}, 44 | * embedded in a {@link CompositeVulnerabilityLoader} instance. 45 | * 46 | * Note that this class itself doesn't implement the {@link IVulnerabilityLoaderFactory} interface, 47 | * otherwise the injection framework could potentially try to auto-wire this instance to its own collection 48 | * of available factories. 
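*
 * @author Ruud Senden
 *
 */
@Component
public final class ActiveVulnerabilityLoaderFactory {
	// Element type restored: the lambda in createVulnerabilityLoader calls
	// createVulnerabilityLoader on each element, which a raw Collection cannot express.
	@Autowired private Collection<IVulnerabilityLoaderFactory> availableVulnerabilityLoaderFactories;

	/**
	 * Asks every available factory for a loader and returns the single active one.
	 * <p>
	 * NOTE(review): the class-level javadoc above describes wrapping all active loaders in a
	 * {@link CompositeVulnerabilityLoader}, but this method enforces exactly one active loader
	 * and returns it directly; the CompositeVulnerabilityLoader import is otherwise unused.
	 *
	 * @param vulnerabilityLoaderContext context passed on to each factory
	 * @return the one active {@link IVulnerabilityLoader}
	 * @throws IllegalStateException if no factory, or more than one factory, returned a loader
	 */
	public IVulnerabilityLoader createVulnerabilityLoader(IVulnerabilityLoaderContext vulnerabilityLoaderContext) {
		// A factory signals "not active for this context" by returning null.
		List<IVulnerabilityLoader> activeVulnerabilityLoaders = availableVulnerabilityLoaderFactories.stream()
				.map(f -> f.createVulnerabilityLoader(vulnerabilityLoaderContext))
				.filter(Objects::nonNull)
				.collect(Collectors.toList());
		if (activeVulnerabilityLoaders.size() > 1) {
			// NOTE(review): the message embeds each loader's toString(); if a loader's toString
			// exposes its configuration (e.g. credentials), that text ends up in logs — confirm.
			throw new IllegalStateException("Only one vulnerability loader may be active (currently active loaders: "+activeVulnerabilityLoaders+")");
		}
		if (activeVulnerabilityLoaders.isEmpty()) {
			throw new IllegalStateException("No active vulnerability loaders configured");
		}
		return activeVulnerabilityLoaders.get(0);
	}
}
-------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-plugin-from-fod/build.gradle: --------------------------------------------------------------------------------
plugins {
	id 'java-library'
	id "io.freefair.lombok"
}

description = 'FortifyVulnerabilityExporter source implementation for FoD'

dependencies {
	compileOnly project(':FortifyVulnerabilityExporter-api')
	compileOnly project(':FortifyVulnerabilityExporter-spi-from')
	compileOnly 'com.fortify.client.api:common-spring'
	compileOnly 'com.fortify.client.api:common-rest'
	compileOnly 'commons-lang:commons-lang'
	compileOnly 'org.slf4j:slf4j-api'
	compileOnly 'javax.validation:validation-api'
	compileOnly 'org.hibernate:hibernate-validator'
	implementation('com.fortify.client.api:client-api-fod') { changing = true; transitive = false }
}
--------------------------------------------------------------------------------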
/FortifyVulnerabilityExporter-plugin-from-fod/src/main/java/com/fortify/vulnexport/from/fod/FromFoDVulnerabilityLoaderFactory.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 
******************************************************************************/
package com.fortify.vulnexport.from.fod;

import org.springframework.stereotype.Component;

import com.fortify.vulnexport.api.vuln.loader.IVulnerabilityLoader;
import com.fortify.vulnexport.api.vuln.loader.IVulnerabilityLoaderContext;
import com.fortify.vulnexport.api.vuln.loader.IVulnerabilityLoaderFactory;
import com.fortify.vulnexport.spi.source.vuln.loader.AbstractVulnerabilityLoaderFactory;

/**
 * {@link IVulnerabilityLoaderFactory} for the FoD source plugin: registers itself with the
 * {@link AbstractVulnerabilityLoaderFactory} base class under the FoD plugin name and
 * builds {@link FromFoDVulnerabilityLoader} instances from a
 * {@link FromFoDVulnerabilityLoaderConfig}.
 *
 * @author Ruud Senden
 */
@Component
public final class FromFoDVulnerabilityLoaderFactory extends AbstractVulnerabilityLoaderFactory {
	public static final String PLUGINNAME = "fod";

	/**
	 * Registers the plugin name and configuration class with the base factory.
	 * <p>
	 * NOTE(review): this class declares its own {@link #PLUGINNAME} but registers under
	 * {@code FromFoDVulnerabilityLoader.PLUGINNAME}, whereas FromRawVulnerabilityLoaderFactory
	 * registers under its own constant. Confirm the two FoD constants are equal, or keep one.
	 */
	public FromFoDVulnerabilityLoaderFactory() {
		super(FromFoDVulnerabilityLoader.PLUGINNAME, FromFoDVulnerabilityLoaderConfig.class);
	}

	/**
	 * Builds the loader once the base class has decided this plugin is active and has bound
	 * its configuration.
	 *
	 * @param vulnerabilityLoaderContext context the loader will run in
	 * @param config bound FoD plugin configuration
	 * @return a new {@link FromFoDVulnerabilityLoader}
	 */
	protected final IVulnerabilityLoader createVulnerabilityLoader(IVulnerabilityLoaderContext vulnerabilityLoaderContext, FromFoDVulnerabilityLoaderConfig config) {
		return new FromFoDVulnerabilityLoader(config, vulnerabilityLoaderContext);
	}
}
-------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-plugin-from-ssc/build.gradle: --------------------------------------------------------------------------------
plugins {
	id 'java-library'
	id "io.freefair.lombok"
}

description = 'FortifyVulnerabilityExporter source implementation for SSC'

dependencies {
	compileOnly project(':FortifyVulnerabilityExporter-api')
	compileOnly project(':FortifyVulnerabilityExporter-spi-from')
	compileOnly 'com.fortify.client.api:common-spring'
	compileOnly 'com.fortify.client.api:common-rest'
	compileOnly 'commons-lang:commons-lang'
	compileOnly 'org.slf4j:slf4j-api'
15 | compileOnly 'javax.validation:validation-api' 16 | compileOnly 'org.hibernate:hibernate-validator' 17 | implementation('com.fortify.client.api:client-api-ssc') { changing = true; transitive = false } 18 | } 19 | -------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-plugin-from-ssc/src/main/java/com/fortify/vulnexport/from/ssc/FromSSCVulnerabilityLoaderFactory.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 
******************************************************************************/
package com.fortify.vulnexport.from.ssc;

import org.springframework.stereotype.Component;

import com.fortify.vulnexport.api.vuln.loader.IVulnerabilityLoader;
import com.fortify.vulnexport.api.vuln.loader.IVulnerabilityLoaderContext;
import com.fortify.vulnexport.api.vuln.loader.IVulnerabilityLoaderFactory;
import com.fortify.vulnexport.spi.source.vuln.loader.AbstractVulnerabilityLoaderFactory;

/**
 * {@link IVulnerabilityLoaderFactory} for the SSC source plugin: registers itself with the
 * {@link AbstractVulnerabilityLoaderFactory} base class under the SSC plugin name and
 * builds {@link FromSSCVulnerabilityLoader} instances from a
 * {@link FromSSCVulnerabilityLoaderConfig}.
 *
 * @author Ruud Senden
 */
@Component
public final class FromSSCVulnerabilityLoaderFactory extends AbstractVulnerabilityLoaderFactory {
	public static final String PLUGINNAME = "ssc";

	/**
	 * Registers the plugin name and configuration class with the base factory.
	 * <p>
	 * NOTE(review): this class declares its own {@link #PLUGINNAME} but registers under
	 * {@code FromSSCVulnerabilityLoader.PLUGINNAME}, whereas FromRawVulnerabilityLoaderFactory
	 * registers under its own constant. Confirm the two SSC constants are equal, or keep one.
	 */
	public FromSSCVulnerabilityLoaderFactory() {
		super(FromSSCVulnerabilityLoader.PLUGINNAME, FromSSCVulnerabilityLoaderConfig.class);
	}

	/**
	 * Builds the loader once the base class has decided this plugin is active and has bound
	 * its configuration.
	 *
	 * @param vulnerabilityLoaderContext context the loader will run in
	 * @param config bound SSC plugin configuration
	 * @return a new {@link FromSSCVulnerabilityLoader}
	 */
	protected final IVulnerabilityLoader createVulnerabilityLoader(IVulnerabilityLoaderContext vulnerabilityLoaderContext, FromSSCVulnerabilityLoaderConfig config) {
		return new FromSSCVulnerabilityLoader(config, vulnerabilityLoaderContext);
	}
}
-------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-plugin-raw/build.gradle: --------------------------------------------------------------------------------
plugins {
	id 'java-library'
	id "io.freefair.lombok"
}

description = 'FortifyVulnerabilityExporter source implementation for raw data'

dependencies {
	compileOnly project(':FortifyVulnerabilityExporter-api')
	compileOnly project(':FortifyVulnerabilityExporter-spi-from')
	compileOnly project(':FortifyVulnerabilityExporter-spi-to')
	compileOnly('com.fortify.client.api:common-rest') { changing = true }
	compileOnly 'org.slf4j:slf4j-api'
compileOnly 'com.fasterxml.jackson.core:jackson-databind' 15 | } 16 | -------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-plugin-raw/src/main/java/com/fortify/vulnexport/from/raw/FromRawVulnerabilityLoaderConfig.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 
******************************************************************************/
package com.fortify.vulnexport.from.raw;

import java.io.File;

import lombok.Data;

/**
 * Configuration class for {@link FromRawVulnerabilityLoader}.
 * <p>
 * Lombok {@code @Data} generates the getter/setter for {@code input} as well as
 * {@code equals}, {@code hashCode} and {@code toString}; the binder populates the field
 * from the plugin configuration.
 *
 * @author Ruud Senden
 *
 */
@Data
public class FromRawVulnerabilityLoaderConfig {
	// Raw data file to load. Supplied through plugin configuration, i.e. trusted operator
	// input rather than end-user input — NOTE(review): confirm how the loader resolves and
	// validates this path before reading it.
	private File input;
}
-------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-plugin-raw/src/main/java/com/fortify/vulnexport/from/raw/FromRawVulnerabilityLoaderFactory.java: --------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.vulnexport.from.raw;

import org.springframework.stereotype.Component;

import com.fortify.vulnexport.api.vuln.loader.IVulnerabilityLoader;
import com.fortify.vulnexport.api.vuln.loader.IVulnerabilityLoaderContext;
import com.fortify.vulnexport.spi.source.vuln.loader.AbstractVulnerabilityLoaderFactory;

/**
 * {@link AbstractVulnerabilityLoaderFactory} for the raw-data source plugin: registers
 * itself under {@link #PLUGINNAME} and builds {@link FromRawVulnerabilityLoader} instances
 * from a {@link FromRawVulnerabilityLoaderConfig}.
 *
 * @author Ruud Senden
 */
@Component
public final class FromRawVulnerabilityLoaderFactory extends AbstractVulnerabilityLoaderFactory {
	public static final String PLUGINNAME = "raw";

	/**
	 * Registers the plugin name and configuration class with the base factory. Unlike the
	 * FoD and SSC factories, this one registers under its own {@link #PLUGINNAME} constant.
	 */
	public FromRawVulnerabilityLoaderFactory() {
		super(PLUGINNAME, FromRawVulnerabilityLoaderConfig.class);
	}

	/**
	 * Builds the loader once the base class has decided this plugin is active and has bound
	 * its configuration. Note the argument order differs from the FoD/SSC loaders
	 * (context first, then config).
	 *
	 * @param vulnerabilityLoaderContext context the loader will run in
	 * @param config bound raw plugin configuration
	 * @return a new {@link FromRawVulnerabilityLoader}
	 */
	protected final IVulnerabilityLoader createVulnerabilityLoader(IVulnerabilityLoaderContext vulnerabilityLoaderContext, FromRawVulnerabilityLoaderConfig config) {
		return new FromRawVulnerabilityLoader(vulnerabilityLoaderContext, config);
	}
}
-------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-plugin-raw/src/main/java/com/fortify/vulnexport/to/raw/ToRawVulnerabilityConsumer.java: --------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of
this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.vulnexport.to.raw;

import com.fortify.vulnexport.api.vuln.IVulnerabilityAccessor;
import com.fortify.vulnexport.spi.target.vuln.consumer.to.file.stream.AbstractToFileStreamVulnerabilityConsumer;

/**
 * {@link AbstractToFileStreamVulnerabilityConsumer} implementation that simply writes
 * each accepted {@link IVulnerabilityAccessor} to the output stream.
 * <p>
 * Every vulnerability becomes one line holding the accessor's {@code toString()}
 * representation. No field selection, escaping or redaction happens here, so the
 * resulting file contains whatever the accessor renders (presumably the complete
 * vulnerability record) and should be handled as sensitive scan data.
 *
 * @author Ruud Senden
 */
public class ToRawVulnerabilityConsumer extends AbstractToFileStreamVulnerabilityConsumer {
	/**
	 * @param config configuration supplying the file/stream output settings
	 */
	public ToRawVulnerabilityConsumer(ToRawVulnerabilityConsumerConfig config) {
		super(config.getOutput());
	}

	/**
	 * Render the accessor with {@link String#valueOf(Object)} (the same conversion
	 * {@code println(Object)} applies, so a {@code null} accessor prints "null") and
	 * write it as a single line to the output stream.
	 *
	 * @param vulnAccessor accessor for the vulnerability being exported
	 * @throws Exception if writing to the output fails
	 */
	@Override
	protected void _accept(IVulnerabilityAccessor vulnAccessor) throws Exception {
		final String rendered = String.valueOf(vulnAccessor);
		out().println(rendered);
	}
}
--------------------------------------------------------------------------------
/FortifyVulnerabilityExporter-plugin-raw/src/main/java/com/fortify/vulnexport/to/raw/ToRawVulnerabilityConsumerConfig.java:
--------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.vulnexport.to.raw;

import com.fortify.vulnexport.api.filter.FilterConfig;
import com.fortify.vulnexport.api.filter.IConfigWithFilter;
import com.fortify.vulnexport.spi.target.vuln.consumer.to.json.JsonOutputConfig;

import lombok.Data;

/**
 * Configuration class for {@link ToRawVulnerabilityConsumer}
 * <p>
 * Lombok {@code @Data} generates the accessors. {@link #filter} gets a getter and a
 * setter; {@link #output} is {@code final} and pre-instantiated, so Lombok generates
 * only a getter and the configuration binder presumably populates the nested output
 * properties on that existing instance rather than replacing it.
 *
 * @author Ruud Senden
 */
@Data
public class ToRawVulnerabilityConsumerConfig implements IConfigWithFilter {
	// Optional filter deciding which vulnerabilities reach the consumer (see IConfigWithFilter).
	private FilterConfig filter;
	// Output settings; reuses JsonOutputConfig although the raw consumer writes plain toString() lines.
	private final JsonOutputConfig output = new JsonOutputConfig();
}
--------------------------------------------------------------------------------
/FortifyVulnerabilityExporter-plugin-raw/src/main/java/com/fortify/vulnexport/to/raw/ToRawVulnerabilityConsumerFactory.java:
--------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be
included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.vulnexport.to.raw;

import org.springframework.stereotype.Component;

import com.fortify.vulnexport.api.vuln.consumer.IVulnerabilityConsumerContext;
import com.fortify.vulnexport.spi.target.vuln.consumer.AbstractVulnerabilityConsumerFactory;

/**
 * {@link AbstractVulnerabilityConsumerFactory} implementation for creating {@link ToRawVulnerabilityConsumer} instances.
 * <p>
 * Registered under the plugin name {@value #PLUGINNAME}; configuration is bound to
 * {@link ToRawVulnerabilityConsumerConfig}.
 *
 * @author Ruud Senden
 */
@Component
public class ToRawVulnerabilityConsumerFactory extends AbstractVulnerabilityConsumerFactory {
	/** Plugin name under which this consumer is selected in the exporter configuration. */
	public static final String PLUGINNAME = "raw";

	public ToRawVulnerabilityConsumerFactory() {
		super(PLUGINNAME, ToRawVulnerabilityConsumerConfig.class);
	}

	/**
	 * Build a {@link ToRawVulnerabilityConsumer} from the bound configuration. The
	 * consumer context is not needed by the raw consumer and is ignored.
	 *
	 * @param context consumer context supplied by the framework (unused)
	 * @param config bound {@link ToRawVulnerabilityConsumerConfig}
	 * @return a new consumer instance
	 */
	@Override
	protected final ToRawVulnerabilityConsumer createVulnerabilityConsumer(IVulnerabilityConsumerContext context, ToRawVulnerabilityConsumerConfig config) {
		final ToRawVulnerabilityConsumer consumer = new ToRawVulnerabilityConsumer(config);
		return consumer;
	}
}
--------------------------------------------------------------------------------
/FortifyVulnerabilityExporter-plugin-to-csv/build.gradle:
--------------------------------------------------------------------------------
plugins {
    id 'java-library'
    id "io.freefair.lombok"
}

description = 'FortifyVulnerabilityExporter target implementation for CSV export'

dependencies {
    compileOnly project(':FortifyVulnerabilityExporter-api')
    compileOnly project(':FortifyVulnerabilityExporter-spi-to')
    // No version is declared in this file and 'changing = true' tells Gradle to
    // re-check these artifacts instead of caching them indefinitely, so the build is
    // only as reproducible as whatever currently resolves for the client-api modules.
    compileOnly('com.fortify.client.api:common-rest') { changing = true }
    compileOnly('com.fortify.client.api:common-spring') { changing = true }
    compileOnly 'org.slf4j:slf4j-api'
    compileOnly 'com.fasterxml.jackson.core:jackson-databind'
    // Pinned explicitly with transitive resolution disabled: jackson-core/databind are
    // supplied by the application at runtime, so keep this version aligned with them.
    implementation('com.fasterxml.jackson.dataformat:jackson-dataformat-csv:2.14.2') { transitive = false; }
}
--------------------------------------------------------------------------------
/FortifyVulnerabilityExporter-plugin-to-csv/src/main/java/com/fortify/vulnexport/to/csv/ToCsvVulnerabilityConsumerConfig.java:
--------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.vulnexport.to.csv;

import com.fortify.util.spring.expression.TemplateExpressionMap;
import com.fortify.vulnexport.api.filter.FilterConfig;
import com.fortify.vulnexport.api.filter.IConfigWithFilter;
import com.fortify.vulnexport.spi.target.vuln.consumer.to.file.FileOutputConfig;

import lombok.Data;
import lombok.EqualsAndHashCode;
import lombok.ToString;

/**
 * Configuration data for {@link ToCsvVulnerabilityConsumer}, defining
 * configuration properties like filtering criteria, file output options
 * and the fields to be written to the CSV file.
 *
 * @author Ruud Senden
 */
@Data
public class ToCsvVulnerabilityConsumerConfig implements IConfigWithFilter {
	// Optional filter deciding which vulnerabilities are written (see IConfigWithFilter).
	private FilterConfig filter;
	// Where the CSV goes, plus the CSV-specific header switch below.
	private CsvOutputConfig output;
	// Column name -> template expression evaluated per vulnerability. The values come
	// from scanner data (issue names, file paths, descriptions), i.e. content that is not
	// under the exporter's control.
	// NOTE(review): the consumer is not visible here; confirm it neutralises cells that
	// start with '=', '+', '-' or '@', otherwise a spreadsheet opening the export may
	// evaluate them as formulas.
	private TemplateExpressionMap fields;

	/**
	 * This class extends {@link FileOutputConfig} to add CSV-specific
	 * properties like whether to write the CSV header or not.
	 */
	@Data @EqualsAndHashCode(callSuper=true) @ToString(callSuper=true)
	public static final class CsvOutputConfig extends FileOutputConfig {
		// true to emit a header row (presumably the configured field names) before the data.
		private boolean header;
	}
}
--------------------------------------------------------------------------------
/FortifyVulnerabilityExporter-plugin-to-csv/src/main/java/com/fortify/vulnexport/to/csv/ToCsvVulnerabilityConsumerFactory.java:
--------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.vulnexport.to.csv;

import org.springframework.stereotype.Component;

import com.fortify.vulnexport.api.vuln.consumer.IVulnerabilityConsumerContext;
import com.fortify.vulnexport.spi.target.vuln.consumer.AbstractVulnerabilityConsumerFactory;

/**
 * {@link AbstractVulnerabilityConsumerFactory} implementation for creating {@link ToCsvVulnerabilityConsumer} instances.
 * <p>
 * Registered under the plugin name {@value #PLUGINNAME}; configuration is bound to
 * {@link ToCsvVulnerabilityConsumerConfig}.
 *
 * @author Ruud Senden
 */
@Component
public class ToCsvVulnerabilityConsumerFactory extends AbstractVulnerabilityConsumerFactory {
	/** Plugin name under which this consumer is selected in the exporter configuration. */
	public static final String PLUGINNAME = "csv";

	public ToCsvVulnerabilityConsumerFactory() {
		super(PLUGINNAME, ToCsvVulnerabilityConsumerConfig.class);
	}

	/**
	 * Build a {@link ToCsvVulnerabilityConsumer} from the bound configuration. The
	 * consumer context is not needed by the CSV consumer and is ignored.
	 *
	 * @param context consumer context supplied by the framework (unused)
	 * @param config bound {@link ToCsvVulnerabilityConsumerConfig}
	 * @return a new consumer instance
	 */
	@Override
	protected final ToCsvVulnerabilityConsumer createVulnerabilityConsumer(IVulnerabilityConsumerContext context, ToCsvVulnerabilityConsumerConfig config) {
		final ToCsvVulnerabilityConsumer consumer = new ToCsvVulnerabilityConsumer(config);
		return consumer;
	}
}
--------------------------------------------------------------------------------
/FortifyVulnerabilityExporter-plugin-to-json/build.gradle:
--------------------------------------------------------------------------------
plugins {
    id 'java-library'
    id "io.freefair.lombok"
}

description = 'FortifyVulnerabilityExporter target implementation for configurable JSON export'

dependencies {
    compileOnly project(':FortifyVulnerabilityExporter-api')
    compileOnly project(':FortifyVulnerabilityExporter-spi-to')
    // No version declared here; 'changing = true' makes Gradle re-check the artifacts
    // rather than cache them, so resolution is not pinned by this file.
    compileOnly('com.fortify.client.api:common-rest') { changing = true }
    compileOnly('com.fortify.client.api:common-spring') { changing = true }
    compileOnly 'org.slf4j:slf4j-api'
    compileOnly 'com.fasterxml.jackson.core:jackson-core'
    compileOnly 'com.fasterxml.jackson.core:jackson-databind'
    // NOTE(review): these coordinates are the legacy Commons Collections 3.x line; the
    // runtime version comes from the application (compileOnly). Consider
    // org.apache.commons:commons-collections4 if the API used here allows it.
    compileOnly 'commons-collections:commons-collections'
    // Required for Java 8 date/time handling
    compileOnly 'com.fasterxml.jackson.datatype:jackson-datatype-jsr310'
}
--------------------------------------------------------------------------------
/FortifyVulnerabilityExporter-plugin-to-json/src/main/java/com/fortify/vulnexport/to/json/ToJsonVulnerabilityConsumer.java:
--------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT.
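IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.vulnexport.to.json;

import com.fortify.vulnexport.api.vuln.IVulnerabilityAccessor;
import com.fortify.vulnexport.api.vuln.consumer.IVulnerabilityConsumerContext;
import com.fortify.vulnexport.spi.target.vuln.consumer.to.json.AbstractToJsonVulnerabilityConsumer;
import com.fortify.vulnexport.to.json.vuln.formatter.JsonFormatter;

/**
 * This {@link AbstractToJsonVulnerabilityConsumer} implementation allows for exporting vulnerability data to JSON files.
 * <p>
 * Output is not streamed: each accepted accessor is handed to the {@link JsonFormatter},
 * which holds the formatted data until {@link #beforeClose()} writes the complete
 * document in one go. Memory use therefore grows with the number of accepted
 * vulnerabilities, and nothing reaches the output stream if the export aborts early.
 *
 * @author Ruud Senden
 */
public class ToJsonVulnerabilityConsumer extends AbstractToJsonVulnerabilityConsumer {
	private final JsonFormatter jsonFormatter;

	/**
	 * @param context {@link IVulnerabilityConsumerContext} instance
	 * @param config {@link ToJsonVulnerabilityConsumerConfig} instance specifying configuration options for this consumer
	 */
	public ToJsonVulnerabilityConsumer(IVulnerabilityConsumerContext context, ToJsonVulnerabilityConsumerConfig config) {
		super(config.getOutput());
		this.jsonFormatter = new JsonFormatter(context, config.getFormat());
	}

	/**
	 * Pass the given {@link IVulnerabilityAccessor} to the configured {@link JsonFormatter}
	 * to have it format vulnerability data as JSON. This will not yet write any output; output
	 * is written in the {@link #beforeClose()} method.
	 * <p>
	 * Declared {@code protected} like the other consumer implementations in this project:
	 * it is a template-method hook invoked by the base class, not part of the consumer's
	 * public API.
	 *
	 * @param vulnAccessor accessor for the vulnerability to format
	 */
	@Override
	protected void _accept(IVulnerabilityAccessor vulnAccessor) {
		jsonFormatter.accept(vulnAccessor);
	}

	/**
	 * Once all vulnerabilities have been processed, we write the formatted JSON output
	 * to the output stream.
	 *
	 * @throws Exception if writing the JSON document fails
	 */
	@Override
	protected void beforeClose() throws Exception {
		jsonFormatter.write(out());
	}
}
--------------------------------------------------------------------------------
/FortifyVulnerabilityExporter-plugin-to-json/src/main/java/com/fortify/vulnexport/to/json/ToJsonVulnerabilityConsumerConfig.java:
--------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.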
 ******************************************************************************/
package com.fortify.vulnexport.to.json;

import com.fortify.vulnexport.api.filter.FilterConfig;
import com.fortify.vulnexport.api.filter.IConfigWithFilter;
import com.fortify.vulnexport.spi.target.vuln.consumer.to.json.JsonOutputConfig;
import com.fortify.vulnexport.to.json.vuln.formatter.JsonFormatterConfig;

import lombok.Data;

/**
 * Configuration data for {@link ToJsonVulnerabilityConsumer}, defining
 * configuration properties like filtering criteria, file output options
 * and JSON output format.
 * <p>
 * Unlike the raw consumer's configuration, {@link #output} and {@link #format} are not
 * pre-instantiated here; {@link ToJsonVulnerabilityConsumer} passes both straight to its
 * base class and to {@code JsonFormatter}, so an unconfigured section arrives there as
 * {@code null}. NOTE(review): confirm those constructors tolerate that, or initialise the
 * fields like ToRawVulnerabilityConsumerConfig does.
 *
 * @author Ruud Senden
 */
@Data
public class ToJsonVulnerabilityConsumerConfig implements IConfigWithFilter {
	// Optional filter deciding which vulnerabilities are exported (see IConfigWithFilter).
	private FilterConfig filter;
	// Where and how the JSON document is written.
	private JsonOutputConfig output;
	// Top-level fields and vulnerability mappers that shape the JSON document.
	private JsonFormatterConfig format;
}
--------------------------------------------------------------------------------
/FortifyVulnerabilityExporter-plugin-to-json/src/main/java/com/fortify/vulnexport/to/json/ToJsonVulnerabilityConsumerFactory.java:
--------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.vulnexport.to.json;

import org.springframework.stereotype.Component;

import com.fortify.vulnexport.api.vuln.consumer.IVulnerabilityConsumer;
import com.fortify.vulnexport.api.vuln.consumer.IVulnerabilityConsumerContext;
import com.fortify.vulnexport.spi.target.vuln.consumer.AbstractVulnerabilityConsumerFactory;

/**
 * {@link AbstractVulnerabilityConsumerFactory} implementation for creating {@link ToJsonVulnerabilityConsumer} instances.
 * <p>
 * Registered under the plugin name {@value #PLUGINNAME}; configuration is bound to
 * {@link ToJsonVulnerabilityConsumerConfig}. Unlike the raw and CSV factories, the
 * consumer context is forwarded because the JSON formatter evaluates expressions
 * against it.
 *
 * @author Ruud Senden
 */
@Component
public class ToJsonVulnerabilityConsumerFactory extends AbstractVulnerabilityConsumerFactory {
	/** Plugin name under which this consumer is selected in the exporter configuration. */
	public static final String PLUGINNAME = "json";

	public ToJsonVulnerabilityConsumerFactory() {
		super(PLUGINNAME, ToJsonVulnerabilityConsumerConfig.class);
	}

	/**
	 * Build a {@link ToJsonVulnerabilityConsumer} for the given context and configuration.
	 *
	 * @param context consumer context handed to the JSON formatter
	 * @param config bound {@link ToJsonVulnerabilityConsumerConfig}
	 * @return a new consumer instance
	 */
	@Override
	protected final IVulnerabilityConsumer createVulnerabilityConsumer(IVulnerabilityConsumerContext context, ToJsonVulnerabilityConsumerConfig config) {
		final IVulnerabilityConsumer consumer = new ToJsonVulnerabilityConsumer(context, config);
		return consumer;
	}
}
--------------------------------------------------------------------------------
/FortifyVulnerabilityExporter-plugin-to-json/src/main/java/com/fortify/vulnexport/to/json/vuln/formatter/JsonFormatterConfig.java:
--------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.vulnexport.to.json.vuln.formatter;

import java.util.Map;

import com.fortify.util.spring.expression.TemplateExpressionMap;
import com.fortify.vulnexport.to.json.vuln.mapper.VulnerabilityMapper;
import com.fortify.vulnexport.to.json.vuln.mapper.VulnerabilityMapperConfig;

import lombok.Data;

/**
 * Configuration class for {@link JsonFormatter}, specifying JSON output format.
 *
 * @author Ruud Senden
 */
@Data
public class JsonFormatterConfig {
	/**
	 * Configure top-level JSON property names and corresponding value template expressions.
	 * These expressions can reference context objects from the source system (like
	 * FoD release or SSC application version), and vulnerability mappers as configured
	 * through the {@link #vulnerabilityMappers} field. These expressions cannot reference
	 * vulnerability data.
	 */
	private TemplateExpressionMap fields;

	/**
	 * Configure {@link VulnerabilityMapperConfig} instances used to configure {@link VulnerabilityMapper}
	 * instances. These instances can collect and format data from individual vulnerabilities.
	 * The formatted data can then be used to build the top-level JSON document by referring
	 * to these vulnerability mappers in the {@link #fields} property.
	 * <p>
	 * NOTE(review): declared as a raw {@code Map}, so the compiler knows nothing about the
	 * key or value types. The sample configurations key this map by mapper name (e.g.
	 * {@code vulnerabilityMappers.issue}) and this Javadoc describes the values as
	 * {@link VulnerabilityMapperConfig}; declaring it as
	 * {@code Map<String, VulnerabilityMapperConfig>} would let the binder and
	 * {@link JsonFormatter} rely on that — confirm how JsonFormatter currently consumes
	 * the entries before changing the type.
	 */
	private Map vulnerabilityMappers;
}
--------------------------------------------------------------------------------
/FortifyVulnerabilityExporter-plugin-to-json/src/main/java/com/fortify/vulnexport/to/json/vuln/mapper/VulnerabilityMapperConfig.java:
--------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
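 ******************************************************************************/
package com.fortify.vulnexport.to.json.vuln.mapper;

import com.fortify.util.spring.expression.TemplateExpression;
import com.fortify.util.spring.expression.TemplateExpressionMap;
import com.fortify.vulnexport.api.vuln.IVulnerabilityAccessor;

import lombok.Data;

/**
 * Configuration class for {@link VulnerabilityMapper}, specifying how
 * individual vulnerabilities should be transformed into output JSON
 * format based on the following rules:
 * <ul>
 *   <li>The {@link #value} and {@link #fields} properties are mutually exclusive</li>
 *   <li>The {@link #value} expression is evaluated on each {@link IVulnerabilityAccessor} to generate plain values</li>
 *   <li>The {@link #fields} map generates a JSON object for each {@link IVulnerabilityAccessor}</li>
 *   <li>If {@link #propertyName} is specified, the value generated by {@link #value} or {@link #fields}
 *       will be added to the output JSON object, using the {@link #propertyName} expression evaluation
 *       result as the JSON property name</li>
 *   <li>If {@link #propertyName} is not specified, the value generated by {@link #value} or {@link #fields}
 *       will be added to the output JSON array</li>
 * </ul>
 *
 * Please refer to the FoDToJsonCustom.yml and SSCToJsonCustom.yml sample configuration files
 * to get a better understanding of how these configuration properties work.
 * <p>
 * NOTE(review): the mutual exclusion of {@link #value} and {@link #fields} is documented
 * only; nothing in this class rejects a configuration that sets both, so which one wins
 * is decided by {@link VulnerabilityMapper}. Keep sample configurations to one of the two.
 *
 * @author Ruud Senden
 */
@Data
public final class VulnerabilityMapperConfig {
	// Optional; when set, its evaluation result names the JSON property the mapped value is stored under.
	private TemplateExpression propertyName;
	// Expression producing a plain value per vulnerability; exclusive with 'fields'.
	private TemplateExpression value;
	// Property name -> expression map producing a JSON object per vulnerability; exclusive with 'value'.
	private TemplateExpressionMap fields;
}
--------------------------------------------------------------------------------
/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-aws-fod-sast.yml:
--------------------------------------------------------------------------------
---
spring.config.activate.on-loader-plugin: fod

json.awshub.sast.filter.expr: vuln.scantype=='Static'
json.awshub.sast.format:
  fields:
    issues: $[vulnerabilityMappers.issue.get()]
  vulnerabilityMappers.issue.fields:
    # Quoted on purpose: an unquoted 2018-10-08 is a YAML timestamp and, depending on
    # the YAML loader, may be bound as a date instead of the literal ASFF schema version.
    SchemaVersion: '2018-10-08'
    Id: $[vuln.releaseId]-$[vuln.id]
    ProductArn: '--'
    GeneratorId: '--'
    ProductName: 'Fortify SAST'
    CompanyName: OpenText
    Types: "[ 'Software and Configuration Checks/Vulnerabilities/CVE' ]"
    CreatedAt: $[#formatDateTimewithZoneIdAsUTC("yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z'", release.staticScanDate?:'1970-01-01T00:00:00', release.serverZoneId)]
    UpdatedAt: $[#formatDateTimewithZoneIdAsUTC("yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z'", release.staticScanSummary?.completedDateTime?:'1970-01-01T00:00:00', release.serverZoneId)]
    Severity:
      Original: $[vuln.severityString]
      # Any severity string not in this map makes get() return null, so the concatenation
      # emits the literal string "null" — confirm Security Hub accepts that or add a default.
      Normalized: $[{Critical:10.0,High:8.9,Medium:6.9,Low:3.9}.get(vuln.severityString)+'']
    Title: $[vuln.category]
    # NOTE(review): both replaceAll() arguments render as a plain space here; presumably the
    # first is a non-breaking space (U+00A0) left by #htmlToText — confirm, otherwise the call is a no-op.
    Description: $[#abbreviate(#htmlToText(vuln.all_data.details.summary).replaceAll(" ", " "),510)]
    Remediation:
      Recommendation:
        Text: $[#abbreviate(#htmlToText(vuln.all_data.recommendations?.recommendations).replaceAll(" ", " "),510)]
        Url: $[vuln.deepLink]
    ProductFields:
      Product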
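Name: 'Fortify SAST'
    Resources:
      Type: Application
      Id: $[vuln.releaseId]-$[vuln.id]
      Partition: aws
      Region: '--'
      details:
        Other:
          APPLICATION: '$[vuln.releaseId]'
          APPLICATION NAME: $[vuln.release.applicationName]
          APPLICATION VERSION: $[vuln.release.releaseName]
          PRIMARY LOCATION: $[vuln.primaryLocationFull]
          LINE NUMBER: '$[vuln.lineNumber==0?1:vuln.lineNumber]'
          INSTANCE ID: "$[vuln.instanceId]"
    RecordState: ACTIVE
--------------------------------------------------------------------------------
/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-aws-ssc-sast.yml:
--------------------------------------------------------------------------------
---
spring.config.activate.on-loader-plugin: ssc

json.awshub.sast.filter.expr: vuln.engineType=='SCA'
json.awshub.sast.format:
  fields:
    issues: $[vulnerabilityMappers.vulnerability.get()]
  vulnerabilityMappers.vulnerability.fields:
    # Quoted on purpose: an unquoted 2018-10-08 is a YAML timestamp and, depending on
    # the YAML loader, may be bound as a date instead of the literal ASFF schema version.
    SchemaVersion: '2018-10-08'
    Id: $[vuln.projectVersionId]-$[vuln.id]
    ProductArn: '--'
    GeneratorId: '--'
    ProductName: 'Fortify SAST'
    CompanyName: OpenText
    Types: "[ 'Software and Configuration Checks/Vulnerabilities/CVE' ]"
    # NOTE(review): unlike the FoD variant, no UTC conversion or 'Z' designator is emitted
    # here — confirm Security Hub accepts a timestamp without a zone.
    CreatedAt: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentStaticScan?.uploadDate?:'1970-01-01T00:00:00')]
    UpdatedAt: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentStaticScan?.uploadDate?:'1970-01-01T00:00:00')]
    Severity:
      Original: $[vuln.friority]
      # Any priority not in this map makes get() return null, so the concatenation
      # emits the literal string "null" — confirm Security Hub accepts that or add a default.
      Normalized: $[{Critical:10.0,High:8.9,Medium:6.9,Low:3.9}.get(vuln.friority)+'']
    Title: $[vuln.issueName]
    # NOTE(review): both replaceAll() arguments render as a plain space here; presumably the
    # first is a non-breaking space (U+00A0) left by #htmlToText — confirm, otherwise the call is a no-op.
    Description: $[#abbreviate(#htmlToText(vuln.details?.brief).replaceAll(" ", " "),510)]
    Remediation:
      Recommendation:
        Text: $[#abbreviate(#htmlToText(vuln.details?.recommendation).replaceAll(" ", " "),510)]
        Url: $[vuln.deepLink]
    ProductFields:
      Product Name: 'Fortify SAST'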
| Resources: 30 | Type: Application 31 | Id: $[vuln.projectVersionId]-$[vuln.id] 32 | Partition: aws 33 | Region: '--' 34 | details: 35 | Other: 36 | APPLICATION: '$[vuln.projectVersionId]' 37 | APPLICATION NAME: $[vuln.applicationVersion.project.name] 38 | APPLICATION VERSION: $[vuln.applicationVersion.name] 39 | PRIMARY LOCATION: $[vuln.fullFileName] 40 | LINE NUMBER: '$[vuln.lineNumber==0?1:vuln.lineNumber]' 41 | INSTANCE ID: "$[vuln.instanceId]" 42 | RecordState: ACTIVE 43 | vulnerabilityMappers.vulnerability.value: $[vuln] -------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-bitbucket-fod-sast.yml: -------------------------------------------------------------------------------- 1 | --- 2 | spring.config.activate.on-loader-plugin: fod 3 | 4 | #json.bitbucket.sast.report.filter.expr: # Not needed as we don't process any vulnerabilities for the top-level report 5 | json.bitbucket.sast.report.format: 6 | fields: 7 | # uuid: 8 | title: Fortify Scan Report 9 | details: Fortify on Demand detected $[release.issueCount] $[release.issueCount==1 ? 'vulnerability':'vulnerabilities'] 10 | #external_id: 11 | reporter: Fortify on Demand 12 | link: $[release.deepLink] 13 | # remote_link_enabled: 14 | logo_url: https://bitbucket.org/workspaces/fortifysoftware/avatar 15 | report_type: SECURITY 16 | result: $[release.isPassed ? 
'PASSED':'FAILED'] 17 | data: 18 | - type: DATE 19 | title: Last Static Scan # Apparently Bitbucket is very strict on how the time zone is presented, so we always provide the date/time in UTC 20 | value: $[#formatDateTimewithZoneIdAsUTC("yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z'", release.staticScanDate?:'1970-01-01T00:00:00', release.serverZoneId)] 21 | - type: NUMBER 22 | title: Rating 23 | value: $[release.rating] 24 | - type: NUMBER 25 | title: Critical (SAST) 26 | value: $[release.staticCritical] 27 | - type: NUMBER 28 | title: Critical (Overall) 29 | value: $[release.critical] 30 | - type: NUMBER 31 | title: High (SAST) 32 | value: $[release.staticHigh] 33 | - type: NUMBER 34 | title: High (Overall) 35 | value: $[release.high] 36 | - type: NUMBER 37 | title: Medium (SAST) 38 | value: $[release.staticMedium] 39 | - type: NUMBER 40 | title: Medium (Overall) 41 | value: $[release.medium] 42 | - type: NUMBER 43 | title: Low (SAST) 44 | value: $[release.staticLow] 45 | - type: NUMBER 46 | title: Low (Overall) 47 | value: $[release.low] 48 | 49 | json.bitbucket.sast.annotations.filter.expr: vuln.scantype=='Static' 50 | json.bitbucket.sast.annotations.format: 51 | vulnerabilityMappers: 52 | annotations.fields: 53 | external_id: FTFY-$[vuln.id] 54 | # uuid: 55 | annotation_type: VULNERABILITY 56 | path: $[vuln.primaryLocationFull] 57 | line: $[vuln.lineNumber==0?1:vuln.lineNumber] 58 | summary: $[vuln.category] 59 | details: $[#htmlToText(vuln.details?.summary)] 60 | # result: PASSED|FAILED|SKIPPED|IGNORED 61 | severity: $[(vuln.severityString matches "(Critical|High|Medium|Low)") ? 
vuln.severityString.toUpperCase():"LOW"] 62 | link: $[vuln.deepLink] 63 | # created_on: 64 | # updated_on: -------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-bitbucket-ssc-sast.yml: -------------------------------------------------------------------------------- 1 | --- 2 | spring.config.activate.on-loader-plugin: ssc 3 | 4 | #json.bitbucket.sast.report.filter.expr: # Not needed as we don't process any vulnerabilities for the top-level report 5 | json.bitbucket.sast.report.format: 6 | fields: 7 | # uuid: 8 | title: Fortify Scan Report 9 | details: Fortify detected $[vulnerabilityMappers.friority.get().size()] $[vulnerabilityMappers.friority.get().size()==1 ? 'vulnerability':'vulnerabilities'] 10 | #external_id: 11 | reporter: Fortify Static Code Analyzer $[applicationVersion.currentStaticScan?.engineVersion?:''] 12 | link: $[applicationVersion.deepLink] 13 | # remote_link_enabled: 14 | logo_url: https://bitbucket.org/workspaces/fortifysoftware/avatar 15 | report_type: SECURITY 16 | result: 'PASSED' 17 | data: 18 | - type: TEXT 19 | title: Application Version 20 | value: $[applicationVersion.project.name] - $[applicationVersion.name] 21 | - type: DATE 22 | title: Last Static Scan 23 | value: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z'", applicationVersion.currentStaticScan?.uploadDate?:'1970-01-01T00:00:00')] 24 | - type: NUMBER 25 | title: Critical (SAST) 26 | value: $[applicationVersion.issueCountsSCA.^[id=='Critical']?.visibleCount?:0] 27 | - type: NUMBER 28 | title: Critical (Overall) 29 | value: $[applicationVersion.issueCounts.^[id=='Critical']?.visibleCount?:0] 30 | - type: NUMBER 31 | title: High (SAST) 32 | value: $[applicationVersion.issueCountsSCA.^[id=='High']?.visibleCount?:0] 33 | - type: NUMBER 34 | title: High (Overall) 35 | value: $[applicationVersion.issueCounts.^[id=='High']?.visibleCount?:0] 36 | - type: NUMBER 37 | title: Medium 
(SAST) 38 | value: $[applicationVersion.issueCountsSCA.^[id=='Medium']?.visibleCount?:0] 39 | - type: NUMBER 40 | title: Medium (Overall) 41 | value: $[applicationVersion.issueCounts.^[id=='Medium']?.visibleCount?:0] 42 | - type: NUMBER 43 | title: Low (SAST) 44 | value: $[applicationVersion.issueCountsSCA.^[id=='Low']?.visibleCount?:0] 45 | - type: NUMBER 46 | title: Low (Overall) 47 | value: $[applicationVersion.issueCounts.^[id=='Low']?.visibleCount?:0] 48 | vulnerabilityMappers: 49 | friority.value: $[vuln.friority] 50 | 51 | json.bitbucket.sast.annotations.filter.expr: vuln.engineType=='SCA' 52 | json.bitbucket.sast.annotations.format: 53 | vulnerabilityMappers: 54 | annotations.fields: 55 | external_id: FTFY-$[vuln.id] 56 | # uuid: 57 | annotation_type: VULNERABILITY 58 | path: $[vuln.fullFileName] 59 | line: $[vuln.lineNumber==0?1:vuln.lineNumber] 60 | summary: $[vuln.issueName] 61 | details: $[vuln.details?.brief] 62 | # result: PASSED|FAILED|SKIPPED|IGNORED 63 | severity: $[vuln.friority.toUpperCase()] 64 | link: $[vuln.deepLink] 65 | # created_on: 66 | # updated_on: -------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-github-fod-sast.yml: -------------------------------------------------------------------------------- 1 | --- 2 | spring.config.activate.on-loader-plugin: fod 3 | 4 | json.github.sast.filter.expr: vuln.scantype=='Static' 5 | json.github.sast.format: 6 | fields: 7 | "[$schema]": https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json 8 | version: '2.1.0' 9 | runs: 10 | - tool: 11 | driver: 12 | name: 'Fortify on Demand' 13 | version: SCA $[release.staticScanSummary?.staticScanSummaryDetails?.engineVersion?:'version unknown']; Rulepack $[release.staticScanSummary?.staticScanSummaryDetails?.rulePackVersion?:'version unknown'] 14 | rules: $[vulnerabilityMappers.rules.get()] 15 | results: 
$[#check(vulnerabilityMappers.result.get().size()>1000, "GitHub does not support importing more than 1000 vulnerabilities. Please clean the scan results or update vulnerability search criteria.")?vulnerabilityMappers.result.get():{}] 16 | vulnerabilityMappers: 17 | rules.fields: 18 | id: $[vuln.id+''] 19 | shortDescription.text: $[vuln.category] 20 | fullDescription.text: $[#htmlToText(vuln.details?.summary)] 21 | help: 22 | text: $[#htmlToText(vuln.details?.explanation)+'\n\n'+#htmlToText(vuln.recommendations?.recommendations)+"\n\nFor more information, see "+vuln.deepLink] 23 | properties: 24 | tags: $[{vuln.severityString}] 25 | precision: $[(vuln.severityString matches "(Critical|Medium)") ? "high":"low" ] 26 | security-severity: $[{Critical:10.0,High:8.9,Medium:6.9,Low:3.9}.get(vuln.severityString)+''] 27 | result.fields: 28 | ruleId: $[vuln.id+''] 29 | message: 30 | text: $[#htmlToText(vuln.details?.summary)] 31 | level: $[(vuln.severityString matches "(Critical|High)") ? "warning":"note" ] 32 | partialFingerprints: 33 | issueInstanceId: $[vuln.instanceId] 34 | locations: 35 | - physicalLocation: 36 | artifactLocation: 37 | uri: $[vuln.primaryLocationFull] 38 | region: 39 | startLine: $[vuln.lineNumber==0?1:vuln.lineNumber] 40 | endLine: $[vuln.lineNumber==0?1:vuln.lineNumber] 41 | startColumn: $[1] # Needs to be specified as an expression in order to end up as integer instead of string in JSON 42 | endColumn: $[80] 43 | codeFlows: |- 44 | $[ 45 | vuln.traces==null ? 
{} 46 | : 47 | {{ 48 | threadFlows: vuln.traces.![{ 49 | locations: traceEntries?.![{ 50 | location: { 51 | message: { 52 | text: #htmlToText(displayText).replaceAll(" ", " ") 53 | }, 54 | physicalLocation: { 55 | artifactLocation: { 56 | uri: location 57 | }, 58 | region: { 59 | startLine: lineNumber==0?1:lineNumber 60 | } 61 | } 62 | } 63 | }] 64 | }] 65 | }} 66 | ] 67 | -------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-github-ssc-sast.yml: -------------------------------------------------------------------------------- 1 | # TODO: 2 | # - Add tool.driver.version 3 | 4 | --- 5 | spring.config.activate.on-loader-plugin: ssc 6 | 7 | json.github.sast.filter.expr: vuln.engineType=='SCA' 8 | json.github.sast.format: 9 | fields: 10 | "[$schema]": https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json 11 | version: '2.1.0' 12 | runs: 13 | - tool: 14 | driver: 15 | name: 'Fortify SCA' 16 | version: $[applicationVersion.currentStaticScan?.engineVersion?:'unknown'] 17 | rules: $[vulnerabilityMappers.rules.get()] 18 | results: $[#check(vulnerabilityMappers.result.get().size()>1000, "GitHub does not support importing more than 1000 vulnerabilities. Please clean the scan results or update vulnerability search criteria.")?vulnerabilityMappers.result.get():{}] 19 | vulnerabilityMappers: 20 | rules.fields: 21 | id: $[vuln.id+''] 22 | shortDescription.text: $[vuln.issueName] 23 | fullDescription.text: $[vuln.details?.brief] 24 | help: 25 | text: $[#htmlToText(vuln.details?.detail)+'\n\n'+#htmlToText(vuln.details?.recommendation)+"\n\nFor more information, see "+vuln.deepLink] 26 | properties: 27 | tags: $[{vuln.friority}] 28 | precision: $[(vuln.friority matches "(Critical|Medium)") ? 
"high":"low" ] 29 | security-severity: $[{Critical:10.0,High:8.9,Medium:6.9,Low:3.9}.get(vuln.friority)+''] 30 | result.fields: 31 | ruleId: $[vuln.id+''] 32 | message: 33 | text: $[vuln.details?.brief] 34 | level: $[(vuln.friority matches "(Critical|High)") ? "warning":"note" ] 35 | partialFingerprints: 36 | issueInstanceId: $[vuln.issueInstanceId] 37 | locations: 38 | - physicalLocation: 39 | artifactLocation: 40 | uri: $[vuln.fullFileName] 41 | region: 42 | startLine: $[vuln.lineNumber==0?1:vuln.lineNumber] 43 | endLine: $[vuln.lineNumber==0?1:vuln.lineNumber] 44 | startColumn: $[1] # Needs to be specified as an expression in order to end up as integer instead of string in JSON 45 | endColumn: $[80] 46 | codeFlows: |- 47 | $[ 48 | vuln.details?.traceNodes==null ? {} 49 | : 50 | {{ 51 | threadFlows: vuln.details?.traceNodes.![{ 52 | locations: #this.![{ 53 | location: { 54 | message: { 55 | text: text 56 | }, 57 | physicalLocation: { 58 | artifactLocation: { 59 | uri: fullPath 60 | }, 61 | region: { 62 | startLine: line==0?1:line 63 | } 64 | } 65 | } 66 | }] 67 | }] 68 | }} 69 | ] 70 | -------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-fod-sast.yml: -------------------------------------------------------------------------------- 1 | --- 2 | spring.config.activate.on-loader-plugin: fod 3 | 4 | json.gitlab.sast.filter.expr: vuln.scantype=='Static' 5 | json.gitlab.sast.format: 6 | fields: 7 | schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v15.0.0/dist/sast-report-format.json 8 | version: 15.0.0 9 | scan: 10 | start_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", release.staticScanSummary?.startedDateTime?:'1970-01-01T00:00:00')] 11 | end_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", release.staticScanSummary?.completedDateTime?:'1970-01-01T00:00:00')] 12 | status: 
$[release.staticAnalysisStatusTypeId==2?'success':'failure'] 13 | type: sast 14 | analyzer: 15 | id: FoD-SAST 16 | name: Fortify on Demand 17 | url: https://www.microfocus.com/en-us/products/application-security-testing/overview 18 | version: SCA $[release.staticScanSummary?.staticScanSummaryDetails?.engineVersion?:'version unknown']; Rulepack $[release.staticScanSummary?.staticScanSummaryDetails?.rulePackVersion?:'version unknown'] 19 | vendor: 20 | name: Fortify 21 | scanner: 22 | id: FoD-SAST 23 | name: Fortify on Demand 24 | url: https://www.microfocus.com/en-us/products/application-security-testing/overview 25 | version: SCA $[release.staticScanSummary?.staticScanSummaryDetails?.engineVersion?:'version unknown']; Rulepack $[release.staticScanSummary?.staticScanSummaryDetails?.rulePackVersion?:'version unknown'] 26 | vendor: 27 | name: Fortify 28 | vulnerabilities: $[vulnerabilityMappers.vulnerability.get()] 29 | vulnerabilityMappers.vulnerability.fields: 30 | category: sast 31 | confidence: $[(vuln.severityString matches "(Critical|Medium)") ? 
"High":"Low" ] 32 | description: $[#abbreviate(#htmlToText(vuln.details?.summary), 15000)] 33 | id: $[vuln.vulnId] 34 | cve: 'N/A' 35 | identifiers: |- 36 | $[{ 37 | { 38 | name: "Instance id: "+vuln.instanceId, 39 | url: vuln.deepLink, 40 | type: "issueInstanceId", 41 | value: vuln.instanceId 42 | } 43 | }] 44 | location: 45 | file: $[vuln.primaryLocationFull] 46 | start_line: $[vuln.lineNumber] 47 | links: 48 | - name: Additional issue details, including analysis trace, in Fortify on Demand 49 | url: $[vuln.deepLink] 50 | message: $[vuln.category] 51 | name: $[vuln.category] 52 | scanner: 53 | id: FoD-SAST 54 | name: Fortify on Demand 55 | severity: $[vuln.severityString] 56 | solution: $[#abbreviate(#htmlToText(vuln.details?.explanation)+'\n\n'+#htmlToText(vuln.recommendations?.recommendations), 7000)] -------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-dast.yml: -------------------------------------------------------------------------------- 1 | --- 2 | spring.config.activate.on-loader-plugin: ssc 3 | 4 | json.gitlab.dast.filter.expr: vuln.engineType=='WEBINSPECT' 5 | json.gitlab.dast.format: 6 | fields: 7 | schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v15.0.0/dist/dast-report-format.json 8 | version: 15.0.0 9 | scan: 10 | start_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentDynamicScan?.uploadDate?:'1970-01-01T00:00:00')] 11 | end_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentDynamicScan?.uploadDate?:'1970-01-01T00:00:00')] 12 | status: success 13 | type: dast 14 | analyzer: 15 | id: fortify-webinspect 16 | name: Fortify WebInspect 17 | url: https://www.microfocus.com/en-us/products/application-security-testing/overview 18 | version: WebInspect $[applicationVersion.currentDynamicScan?.engineVersion?:'version unknown'] 19 | vendor: 20 | name: 
Fortify 21 | scanner: 22 | id: fortify-webinspect 23 | name: Fortify WebInspect 24 | url: https://www.microfocus.com/en-us/products/application-security-testing/overview 25 | version: WebInspect $[applicationVersion.currentDynamicScan?.engineVersion?:'version unknown'] 26 | vendor: 27 | name: Fortify 28 | scanned_resources: $[{}] 29 | # scanned_resources: |- 30 | # $[ 31 | # release.siteTree==null ? {} 32 | # : release.siteTree.![{ 33 | # method: method, 34 | # url: scheme+'://'+host+':'+port+path, 35 | # type: 'url' 36 | # }] 37 | # ] 38 | vulnerabilities: $[vulnerabilityMappers.vulnerability.get()] 39 | # remediations: ... 40 | vulnerabilityMappers.vulnerability.fields: 41 | id: $[vuln.issueInstanceId] 42 | category: sast 43 | name: $[vuln.issueName] 44 | message: $[vuln.issueName] 45 | description: $[#abbreviate(#htmlToText(vuln.details?.brief), 15000)] 46 | cve: 'N/A' 47 | severity: $[vuln.friority] 48 | confidence: $[(vuln.friority matches "(Critical|Medium)") ? "High":"Low" ] 49 | solution: $[#abbreviate(#htmlToText(vuln.details?.brief)+'\n\n'+#htmlToText(vuln.details?.recommendation), 7000)] 50 | scanner: 51 | id: fortify-webinspect 52 | name: Fortify WebInspect 53 | identifiers: 54 | - name: "Instance id: $[vuln.issueInstanceId]" 55 | type: issueInstanceId 56 | value: $[vuln.issueInstanceId] 57 | url: $[vuln.deepLink] 58 | links: 59 | - name: Additional issue details, including analysis trace, in Software Security Center 60 | url: $[vuln.deepLink] 61 | - name: SecureCodeWarrior Training 62 | url: $[vuln.details?.appSecTrainingUrl] 63 | # evidence: # TODO 64 | # source: 65 | # id: 66 | # name: 67 | # url: 68 | # summary: 69 | # request: 70 | # headers: 71 | # - name: 72 | # value: 73 | # method: 74 | # url: 75 | # body: 76 | # response: 77 | # headers: 78 | # - name: 79 | # value: 80 | # reason_phrase: OK|Internal Server Error|... 81 | # status_code: 200|500|... 82 | # body: 83 | # supporting_messages: 84 | # - name: 85 | # request: ... 86 | # response: ... 
87 | location: 88 | hostname: $[#uriPart(vuln.details.url, 'serverUrl')?:''] 89 | method: $[vuln.details.method?:''] 90 | param: $[vuln.details.attackPayload?:''] 91 | path: $[#uriPart(vuln.details.url, 'path')?:''] 92 | # assets: 93 | # - type: http_session|postman 94 | # name: 95 | # url: link to asset in build artifacts 96 | # discovered_at: 2020-01-28T03:26:02.956 97 | 98 | 99 | -------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-debricked.yml: -------------------------------------------------------------------------------- 1 | --- 2 | spring.config.activate.on-loader-plugin: ssc 3 | 4 | json.gitlab.debricked.filter.expr: vuln.engineType=='DEBRICKED' 5 | json.gitlab.debricked.format: 6 | fields: 7 | schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v15.0.0/dist/dependency-scanning-report-format.json 8 | version: 15.0.0 9 | scan: 10 | start_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentDebrickedScan?.uploadDate?:'1970-01-01T00:00:00')] 11 | end_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentDebrickedScan?.uploadDate?:'1970-01-01T00:00:00')] 12 | status: success 13 | type: dependency_scanning 14 | analyzer: 15 | id: fortify-debricked 16 | name: Fortify/Debricked 17 | url: https://www.microfocus.com/en-us/products/application-security-testing/overview 18 | version: Debricked Fortify Parser Plugin $[applicationVersion.currentDebrickedScan?.engineVersion?:'version unknown'] 19 | vendor: 20 | name: Fortify+Debricked 21 | scanner: 22 | id: fortify-debricked 23 | name: Fortify/Debricked 24 | url: https://www.microfocus.com/en-us/products/application-security-testing/overview 25 | version: Debricked Fortify Parser Plugin $[applicationVersion.currentDebrickedScan?.engineVersion?:'version unknown'] 26 | vendor: 27 | name: Fortify+Debricked 28 | 
dependency_files: $[{}] 29 | vulnerabilities: $[vulnerabilityMappers.vulnerability.get()] 30 | vulnerabilityMappers.vulnerability.fields: 31 | id: $[vuln.issueInstanceId] 32 | category: dependency_scanning 33 | name: $[vuln.issueName] 34 | message: $[vuln.issueName] 35 | description: $[#abbreviate(#htmlToText(vuln.details?.brief), 15000)] 36 | cve: $[vuln.details?.customAttributes?.externalId] 37 | severity: $[vuln.friority] 38 | confidence: $[(vuln.friority matches "(Critical|Medium)") ? "High":"Low" ] 39 | scanner: 40 | id: fortify-debricked 41 | name: Fortify/Debricked 42 | identifiers: 43 | - name: "Instance id: $[vuln.issueInstanceId]" 44 | type: issueInstanceId 45 | value: $[vuln.issueInstanceId] 46 | url: $[vuln.deepLink] 47 | links: 48 | - name: Additional issue details, including analysis trace, in Software Security Center 49 | url: $[vuln.deepLink] 50 | - name: CWE URL 51 | url: $[vuln.details?.customAttributes?.externalUrl] 52 | location: 53 | file: $[vuln.fullFileName] 54 | dependency: 55 | package: 56 | name: $[vuln.details?.customAttributes?.componentName > '' ? vuln.details?.customAttributes?.componentName :'Not Set'] 57 | version: $[vuln.details?.customAttributes?.componentVersion > '' ? 
vuln.details?.customAttributes?.componentVersion :'Not Set' ] 58 | 59 | 60 | 61 | 62 | 63 | -------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-sast.yml: -------------------------------------------------------------------------------- 1 | --- 2 | spring.config.activate.on-loader-plugin: ssc 3 | 4 | json.gitlab.sast.filter.expr: vuln.engineType=='SCA' 5 | json.gitlab.sast.format: 6 | fields: 7 | schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v15.0.0/dist/sast-report-format.json 8 | version: 15.0.0 9 | scan: 10 | start_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentStaticScan?.uploadDate?:'1970-01-01T00:00:00')] 11 | end_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentStaticScan?.uploadDate?:'1970-01-01T00:00:00')] 12 | status: success 13 | type: sast 14 | analyzer: 15 | id: fortify-sca 16 | name: Fortify SCA 17 | url: https://www.microfocus.com/en-us/products/application-security-testing/overview 18 | version: SCA $[applicationVersion.currentStaticScan?.engineVersion?:'version unknown'] 19 | vendor: 20 | name: Fortify 21 | scanner: 22 | id: fortify-sca 23 | name: Fortify SCA 24 | url: https://www.microfocus.com/en-us/products/application-security-testing/overview 25 | version: SCA $[applicationVersion.currentStaticScan?.engineVersion?:'version unknown'] 26 | vendor: 27 | name: Fortify 28 | vulnerabilities: $[vulnerabilityMappers.vulnerability.get()] 29 | vulnerabilityMappers.vulnerability.fields: 30 | id: $[vuln.issueInstanceId] 31 | category: sast 32 | name: $[vuln.issueName] 33 | message: $[vuln.issueName] 34 | description: $[#abbreviate(#htmlToText(vuln.details?.brief), 15000)] 35 | cve: 'N/A' 36 | severity: $[vuln.friority] 37 | confidence: $[(vuln.friority matches "(Critical|Medium)") ? 
"High":"Low" ] 38 | solution: $[#abbreviate(#htmlToText(vuln.details?.detail)+'\n\n'+#htmlToText(vuln.details?.recommendation), 7000)] 39 | scanner: 40 | id: fortify-sca 41 | name: Fortify SCA 42 | identifiers: 43 | - name: "Instance id: $[vuln.issueInstanceId]" 44 | type: issueInstanceId 45 | value: $[vuln.issueInstanceId] 46 | url: $[vuln.deepLink] 47 | links: 48 | - name: Additional issue details, including analysis trace, in Software Security Center 49 | url: $[vuln.deepLink] 50 | - name: SecureCodeWarrior Training 51 | url: $[vuln.details?.appSecTrainingUrl] 52 | location: 53 | file: $[vuln.fullFileName] 54 | start_line: $[vuln.lineNumber] 55 | 56 | 57 | 58 | 59 | -------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-gitlab-ssc-sonatype.yml: -------------------------------------------------------------------------------- 1 | --- 2 | spring.config.activate.on-loader-plugin: ssc 3 | 4 | json.gitlab.sonatype.filter.expr: vuln.engineType=='SONATYPE' 5 | json.gitlab.sonatype.format: 6 | fields: 7 | schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v15.0.0/dist/dependency-scanning-report-format.json 8 | version: 15.0.0 9 | scan: 10 | start_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentSonatypeScan?.uploadDate?:'1970-01-01T00:00:00')] 11 | end_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentSonatypeScan?.uploadDate?:'1970-01-01T00:00:00')] 12 | status: success 13 | type: dependency_scanning 14 | analyzer: 15 | id: fortify-sonatype 16 | name: Fortify/Sonatype 17 | url: https://www.microfocus.com/en-us/products/application-security-testing/overview 18 | version: Sonatype Fortify Parser Plugin $[applicationVersion.currentSonatypeScan?.engineVersion?:'version unknown'] 19 | vendor: 20 | name: Fortify+Sonatype 21 | scanner: 22 | id: fortify-sonatype 23 | name: 
Fortify/Sonatype 24 | url: https://www.microfocus.com/en-us/products/application-security-testing/overview 25 | version: Sonatype Fortify Parser Plugin $[applicationVersion.currentSonatypeScan?.engineVersion?:'version unknown'] 26 | vendor: 27 | name: Fortify+Sonatype 28 | dependency_files: $[{}] 29 | vulnerabilities: $[vulnerabilityMappers.vulnerability.get()] 30 | vulnerabilityMappers.vulnerability.fields: 31 | id: $[vuln.issueInstanceId] 32 | category: dependency_scanning 33 | name: $[vuln.issueName] 34 | message: $[vuln.issueName] 35 | description: $[#abbreviate(#htmlToText(vuln.details?.brief), 15000)] 36 | cve: 'N/A' 37 | severity: $[vuln.friority] 38 | confidence: $[(vuln.friority matches "(Critical|Medium)") ? "High":"Low" ] 39 | scanner: 40 | id: fortify-sonatype 41 | name: Fortify/Sonatype 42 | identifiers: 43 | - name: "Instance id: $[vuln.issueInstanceId]" 44 | type: issueInstanceId 45 | value: $[vuln.issueInstanceId] 46 | url: $[vuln.deepLink] 47 | links: 48 | - name: Additional issue details, including analysis trace, in Software Security Center 49 | url: $[vuln.deepLink] 50 | - name: CWE URL 51 | url: $[vuln.details?.customAttributes?.cweurl] 52 | location: 53 | file: $[vuln.fullFileName] 54 | dependency: 55 | package.name: $[vuln.details?.customAttributes?.artifact > '' ? vuln.details?.customAttributes?.artifact :'Not Set'] 56 | version: $[vuln.details?.customAttributes?.version > '' ? 
vuln.details?.customAttributes?.version :'Not Set'] 57 | 58 | 59 | 60 | 61 | 62 | -------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-raw-fod.yml: -------------------------------------------------------------------------------- 1 | --- 2 | spring.config.activate.on-loader-plugin: fod 3 | 4 | json.raw.format: 5 | fields: 6 | release: $[release] 7 | vulnerabilities: $[vulnerabilityMappers.vulnerability.get()] 8 | vulnerabilityMappers.vulnerability.value: $[vuln] 9 | -------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-raw-ssc.yml: -------------------------------------------------------------------------------- 1 | --- 2 | spring.config.activate.on-loader-plugin: ssc 3 | 4 | json.raw.format: 5 | fields: 6 | applicationVersion: $[applicationVersion] 7 | vulnerabilities: $[vulnerabilityMappers.vulnerability.get()] 8 | vulnerabilityMappers.vulnerability.value: $[vuln] 9 | -------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-sonarqube-fod-sast.yml: -------------------------------------------------------------------------------- 1 | --- 2 | spring.config.activate.on-loader-plugin: fod 3 | 4 | json.sonarqube.sast.filter.expr: vuln.scantype=='Static' 5 | json.sonarqube.sast.format: 6 | fields: 7 | issues: $[vulnerabilityMappers.issue.get()] 8 | vulnerabilityMappers.issue.fields: 9 | engineId: FortifyOnDemand 10 | ruleId: $[vuln.category] 11 | severity: $[{'Critical':'CRITICAL','High':'MAJOR','Medium':'MINOR','Low':'INFO'}.get(vuln.severityString)] 12 | type: VULNERABILITY 13 | primaryLocation: 14 | message: $[vuln.category] - $[vuln.deepLink] 15 | filePath: ${json.sonarqube.sast.filePathPrefix}$[vuln.primaryLocationFull] 16 | textRange: 17 | 
startLine: $[vuln.lineNumber==0?1:vuln.lineNumber] 18 | # effortMinutes: 19 | # secondaryLocations: -------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig/json-sonarqube-ssc-sast.yml: -------------------------------------------------------------------------------- 1 | --- 2 | spring.config.activate.on-loader-plugin: ssc 3 | 4 | json.sonarqube.sast.filter.expr: vuln.engineType=='SCA' 5 | json.sonarqube.sast.format: 6 | fields: 7 | issues: $[vulnerabilityMappers.issue.get()] 8 | vulnerabilityMappers.issue.fields: 9 | engineId: FortifySCA 10 | ruleId: $[vuln.issueName] 11 | severity: $[{'Critical':'CRITICAL','High':'MAJOR','Medium':'MINOR','Low':'INFO'}.get(vuln.friority)] 12 | type: VULNERABILITY 13 | primaryLocation: 14 | message: $[vuln.issueName] - $[vuln.deepLink] 15 | filePath: ${json.sonarqube.sast.filePathPrefix}$[vuln.fullFileName] 16 | textRange: 17 | startLine: $[vuln.lineNumber==0?1:vuln.lineNumber] 18 | # effortMinutes: 19 | # secondaryLocations: -------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-spi-from/build.gradle: -------------------------------------------------------------------------------- 1 | plugins { 2 | id 'java-library' 3 | id "io.freefair.lombok" 4 | } 5 | 6 | description = 'FortifyVulnerabilityExporter SPI for source system implementations' 7 | 8 | dependencies { 9 | compileOnly project(':FortifyVulnerabilityExporter-api') 10 | compileOnly('com.fortify.client.api:common-spring') { changing = true } 11 | compileOnly('com.fortify.client.api:common-rest') { changing = true } 12 | } 13 | -------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-spi-from/src/main/java/com/fortify/vulnexport/spi/source/vuln/loader/AbstractVulnerabilityLoader.java: -------------------------------------------------------------------------------- 1 | 
/******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 24 | ******************************************************************************/ 25 | package com.fortify.vulnexport.spi.source.vuln.loader; 26 | 27 | import com.fortify.vulnexport.api.vuln.loader.IVulnerabilityLoader; 28 | 29 | /** 30 | * Abstract base class for {@link IVulnerabilityLoader} implementations. At the moment 31 | * this class doesn't provide any functionality; it just exists to have a common hierarchy 32 | * for {@link IVulnerabilityLoader} implementations. 
33 | * 34 | * @author Ruud Senden 35 | */ 36 | public abstract class AbstractVulnerabilityLoader implements IVulnerabilityLoader {} 37 | -------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-spi-to/build.gradle: -------------------------------------------------------------------------------- 1 | plugins { 2 | id 'java-library' 3 | id "io.freefair.lombok" 4 | } 5 | 6 | description = 'FortifyVulnerabilityExporter SPI for target system implementations' 7 | 8 | dependencies { 9 | compileOnly project(':FortifyVulnerabilityExporter-api') 10 | compileOnly('com.fortify.client.api:common-spring') { changing = true } 11 | compileOnly('com.fortify.client.api:common-rest') { changing = true } 12 | compileOnly 'commons-lang:commons-lang' 13 | compileOnly 'org.slf4j:slf4j-api' 14 | compileOnly 'com.fasterxml.jackson.core:jackson-core' 15 | } 16 | -------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-spi-to/src/main/java/com/fortify/vulnexport/spi/target/vuln/consumer/FilteringConsumer.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 
14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 24 | ******************************************************************************/ 25 | package com.fortify.vulnexport.spi.target.vuln.consumer; 26 | 27 | import java.util.function.Predicate; 28 | 29 | import com.fortify.vulnexport.api.filter.FilterConfig; 30 | import com.fortify.vulnexport.api.filter.FilterPredicate; 31 | import com.fortify.vulnexport.api.vuln.IVulnerabilityAccessor; 32 | import com.fortify.vulnexport.api.vuln.consumer.IVulnerabilityConsumer; 33 | 34 | /** 35 | * This {@link AbstractVulnerabilityConsumer} implementation wraps another {@link IVulnerabilityConsumer}, 36 | * pre-filtering its input based on the configured {@link FilterConfig}. 
37 | * 38 | * @author Ruud Senden 39 | */ 40 | class FilteringConsumer extends AbstractVulnerabilityConsumer { 41 | private final Predicate predicate; 42 | private final IVulnerabilityConsumer target; 43 | 44 | /** 45 | * @param config {@link FilterConfig} instance defining filtering criteria 46 | * @param target {@link IVulnerabilityConsumer} to be wrapped and for which the input data should be filtered 47 | */ 48 | public FilteringConsumer(FilterConfig config, IVulnerabilityConsumer target) { 49 | this.predicate = new FilterPredicate(config); 50 | this.target = target; 51 | } 52 | 53 | /** 54 | * This method calls the {@link IVulnerabilityConsumer#accept(IVulnerabilityAccessor)} on the target 55 | * {@link IVulnerabilityConsumer} instance if the given {@link IVulnerabilityAccessor} matches the 56 | * filtering criteria in the {@link FilterConfig} configured through the constructor. 57 | */ 58 | @Override 59 | public void _accept(IVulnerabilityAccessor vulnAccessor) { 60 | if ( predicate.test(vulnAccessor) ) { 61 | target.accept(vulnAccessor); 62 | } 63 | } 64 | 65 | /** 66 | * This method calls the {@link IVulnerabilityConsumer#close()} method on the target 67 | * {@link IVulnerabilityConsumer} instance. 
68 | */ 69 | @Override 70 | protected void _close() throws Exception { 71 | target.close(); 72 | } 73 | 74 | } 75 | -------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-spi-to/src/main/java/com/fortify/vulnexport/spi/target/vuln/consumer/to/file/AbstractToFileVulnerabilityConsumer.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 
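24 | ******************************************************************************/
package com.fortify.vulnexport.spi.target.vuln.consumer.to.file;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.fortify.vulnexport.api.vuln.consumer.IVulnerabilityConsumer;
import com.fortify.vulnexport.spi.target.vuln.consumer.to.output.AbstractToOutputVulnerabilityConsumer;

import lombok.AccessLevel;
import lombok.Getter;
import lombok.RequiredArgsConstructor;

/**
 * Abstract base implementation for {@link IVulnerabilityConsumer} implementations that write
 * vulnerability data to a file.
 *
 * The configuration object (type parameter C) is supplied through the Lombok-generated
 * constructor and exposed to subclasses through the generated protected getOutputConfig().
 * This class itself only adds logging around the beforeOpen()/afterClose() hooks it
 * overrides from its super-class hierarchy; creating the actual output is left to subclasses.
 *
 * @author Ruud Senden
 *
 * @param Output type
 * @param Configuration type
 */
@RequiredArgsConstructor
public abstract class AbstractToFileVulnerabilityConsumer extends AbstractToOutputVulnerabilityConsumer {
	// Logger is keyed on this class rather than on the AbstractToFileStreamVulnerabilityConsumer
	// subclass: log output is then attributed to the class that emits it, and this base package
	// no longer needs a (cyclic) import of the to.file.stream sub-package.
	private static final Logger LOG = LoggerFactory.getLogger(AbstractToFileVulnerabilityConsumer.class);
	// Output configuration injected by the subclass constructor; Lombok generates a protected getter
	@Getter(AccessLevel.PROTECTED) private final C outputConfig;

	/**
	 * Log an informational message before opening the output.
	 *
	 * @throws Exception declared to match the overridden hook; this implementation does not throw
	 */
	@Override
	protected void beforeOpen() throws Exception {
		LOG.info("Opening output: {}", outputConfig);
	}

	/**
	 * Log an informational message after closing the output.
	 *
	 * @throws Exception declared to match the overridden hook; this implementation does not throw
	 */
	@Override
	protected void afterClose() throws Exception {
		LOG.info("Finished writing output: {}", outputConfig);
	}

}
-------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-spi-to/src/main/java/com/fortify/vulnexport/spi/target/vuln/consumer/to/file/FileOutputConfig.java: -------------------------------------------------------------------------------- 1 | 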
/******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 24 | ******************************************************************************/ 25 | package com.fortify.vulnexport.spi.target.vuln.consumer.to.file; 26 | 27 | import java.io.File; 28 | 29 | import lombok.Data; 30 | 31 | /** 32 | * Configuration for exporting vulnerability data to a file. 33 | * This includes properties like file name, whether intermediate 34 | * directories should be created, and whether output should 35 | * (also) be written to standard out or standard error. 
36 | * 37 | * @author Ruud Senden 38 | */ 39 | @Data 40 | public class FileOutputConfig { 41 | private boolean mkdir = true; 42 | private boolean stdout = false; 43 | private boolean stderr = false; 44 | private File file; 45 | // TODO Add property to specify how to handle existing file; append, overwrite or fail 46 | 47 | // Work-around for https://github.com/spring-projects/spring-boot/issues/25566 48 | public void setFile(String file) { 49 | this.file = new File(file); 50 | } 51 | } -------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-spi-to/src/main/java/com/fortify/vulnexport/spi/target/vuln/consumer/to/file/stream/AbstractToFileStreamVulnerabilityConsumer.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 24 | ******************************************************************************/ 25 | package com.fortify.vulnexport.spi.target.vuln.consumer.to.file.stream; 26 | 27 | import java.io.PrintStream; 28 | 29 | import com.fortify.vulnexport.spi.target.vuln.consumer.to.file.AbstractToFileVulnerabilityConsumer; 30 | import com.fortify.vulnexport.spi.target.vuln.consumer.to.file.FileOutputConfig; 31 | 32 | /** 33 | * This abstract class extends {@link AbstractToFileVulnerabilityConsumer}, using a 34 | * {@link PrintStream} created by {@link MultiOutputStreamFactory} as the output object. 35 | * 36 | * @author Ruud Senden 37 | */ 38 | public abstract class AbstractToFileStreamVulnerabilityConsumer extends AbstractToFileVulnerabilityConsumer { 39 | /** 40 | * @param outputConfig used to configure this {@link AbstractToFileStreamVulnerabilityConsumer} 41 | */ 42 | public AbstractToFileStreamVulnerabilityConsumer(FileOutputConfig outputConfig) { 43 | super(outputConfig); 44 | } 45 | 46 | /** 47 | * Create a {@link PrintStream} based on the configured {@link FileOutputConfig} 48 | */ 49 | @Override 50 | protected PrintStream createOut() throws Exception { 51 | return MultiOutputStreamFactory.createPrintStream(getOutputConfig()); 52 | } 53 | } 54 | -------------------------------------------------------------------------------- /FortifyVulnerabilityExporter-spi-to/src/main/java/com/fortify/vulnexport/spi/target/vuln/consumer/to/json/JsonOutputConfig.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates 3 | * 4 
| * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 24 | ******************************************************************************/ 25 | package com.fortify.vulnexport.spi.target.vuln.consumer.to.json; 26 | 27 | import com.fasterxml.jackson.core.JsonEncoding; 28 | import com.fortify.vulnexport.spi.target.vuln.consumer.to.file.FileOutputConfig; 29 | 30 | import lombok.Data; 31 | import lombok.EqualsAndHashCode; 32 | import lombok.ToString; 33 | 34 | /** 35 | * This configuration class extends {@link FileOutputConfig} to add 36 | * some JSON-specific configuration properties, like the JSON output 37 | * encoding and whether to pretty-print the JSON output. 
38 | * 39 | * @author Ruud Senden 40 | * 41 | */ 42 | @Data @EqualsAndHashCode(callSuper=true) @ToString(callSuper=true) 43 | public class JsonOutputConfig extends FileOutputConfig { 44 | private JsonEncoding encoding = JsonEncoding.UTF8; 45 | private boolean pretty = false; 46 | } 47 | -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright 2024 Open Text or one of its affiliates 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is furnished 10 | to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | 23 | --- 24 | 25 | This document was auto-generated from LICENSE.MIT.template.txt; do not edit by hand. 26 | See https://github.com/fortify/shared-doc-resources/blob/main/USAGE.md for details. 
27 | -------------------------------------------------------------------------------- /config/FoDToAWS.yml: -------------------------------------------------------------------------------- 1 | # See FortifyVulnerabilityExporter documentation for FoD connection settings and release selection 2 | 3 | export: 4 | from: fod 5 | to: json.awshub.sast 6 | 7 | fod: 8 | release: 9 | embed: # Load static and dynamic scan summaries if available 10 | - propertyName: staticScanSummary 11 | uri: /api/v3/scans/{currentStaticScanId}/summary 12 | embedIf: currentStaticScanId!=null 13 | vulnerability: 14 | filterParam: scantype:Static # Have FoD return only static issues 15 | embed: # Load extra data, depending on what data you want to include in output 16 | - subEntity: all-data 17 | 18 | export.dir: ${CI_PROJECT_DIR:${export.default.dir}} # Unless overridden, use CI_PROJECT_DIR if defined, otherwise default export dir 19 | json.awshub.sast.output: 20 | stdout: false # Useful for debugging, disabled for optimal performance 21 | pretty: true # Useful for debugging, disable for optimal performance 22 | file: ${export.dir}/awshub-fortify-sast.json 23 | -------------------------------------------------------------------------------- /config/FoDToBitBucket.yml: -------------------------------------------------------------------------------- 1 | # See FortifyVulnerabilityExporter documentation for FoD connection settings and release selection 2 | 3 | export: 4 | from: fod 5 | to: json.bitbucket.sast.report, json.bitbucket.sast.annotations 6 | 7 | fod: 8 | vuln: 9 | filterParam: scantype:Static # Have FoD return only static issues 10 | embed: # Also load details as required for BitBucket output 11 | - subEntity: details 12 | 13 | export.dir: ${BITBUCKET_CLONE_DIR:${export.default.dir}} # Unless overridden, use BITBUCKET_CLONE_DIR if defined, otherwise default export dir 14 | bitbucket.report.output: ${export.dir}/bb-fortify-report.json # Define default report output file location and name 
15 | bitbucket.annotations.output: ${export.dir}/bb-fortify-annotations.json # Define default annotations output file location and name 16 | 17 | json.bitbucket.sast.report.output: 18 | stdout: false # Disabled by default to avoid vulnerability data being exposed through log files 19 | pretty: true # Useful for debugging, disable for optimal performance 20 | file: ${bitbucket.report.output} # Output file 21 | json.bitbucket.sast.annotations.output: 22 | stdout: false # Disabled by default to avoid vulnerability data being exposed through log files 23 | pretty: true # Useful for debugging, disable for optimal performance 24 | file: ${bitbucket.annotations.output} # Output file -------------------------------------------------------------------------------- /config/FoDToCSV.yml: -------------------------------------------------------------------------------- 1 | # See FortifyVulnerabilityExporter documentation for FoD connection settings and release selection 2 | 3 | export: 4 | from: fod 5 | to: csv 6 | 7 | #fod: 8 | # vulnerability: 9 | # embed: # Load extra data, depending on what data you want to include in output 10 | # - subEntity: details 11 | 12 | export.dir: ${export.default.dir} # Use default export directory (unless overridden) 13 | csv: 14 | output: 15 | stdout: false # Disabled by default to avoid vulnerability data being exposed through log files 16 | file: ${export.dir}/${release.applicationName}-${release.releaseName}.csv 17 | fields: 18 | source: Fortify on Demand 19 | scanType: $[vuln.scantype] 20 | id: $[vuln.id] 21 | issueInstanceId: $[vuln.instanceId] 22 | category: $[vuln.category] 23 | file: $[vuln.primaryLocationFull] 24 | line: $[vuln.lineNumber] -------------------------------------------------------------------------------- /config/FoDToGitHub.yml: -------------------------------------------------------------------------------- 1 | # See FortifyVulnerabilityExporter documentation for FoD connection settings and release selection 2 | 3 | 
export: 4 | from: fod 5 | to: json.github.sast 6 | 7 | fod: 8 | release: 9 | embed: # Load static scan summary as required for GitHub output 10 | - propertyName: staticScanSummary 11 | uri: /api/v3/scans/{currentStaticScanId}/summary 12 | vuln: 13 | filterParam: scantype:Static # Have FoD return only static issues 14 | embed: # Also load details as required for GitHub output 15 | - subEntity: details 16 | - subEntity: recommendations 17 | - subEntity: traces 18 | 19 | export.dir: ${GITHUB_WORKSPACE:${export.default.dir}} # Unless overridden, use GITHUB_WORKSPACE if defined, otherwise default export dir 20 | sarif.output: ${export.dir}/gh-fortify-sast.sarif # Define default output file location and name 21 | json.github.sast.output: 22 | stdout: false # Disabled by default to avoid vulnerability data being exposed through log files 23 | pretty: true # Useful for debugging, disable for optimal performance 24 | file: ${sarif.output} # Output file -------------------------------------------------------------------------------- /config/FoDToGitLab.yml: -------------------------------------------------------------------------------- 1 | export: 2 | from: fod 3 | to: json.gitlab.sast, json.gitlab.dast 4 | 5 | fod: 6 | scopes: view-apps, view-issues, view-reports 7 | release: 8 | embed: # Load static and dynamic scan details if available 9 | - propertyName: dynamicScanSummary 10 | uri: /api/v3/scans/{currentDynamicScanId}/summary 11 | embedIf: currentDynamicScanId!=null 12 | - propertyName: siteTree 13 | uri: /api/v3/scans/{currentDynamicScanId}/site-tree 14 | embedIf: currentDynamicScanId!=null 15 | onError: LOG_WARN # Site tree may not be available, so we just log a warning 16 | - propertyName: staticScanSummary 17 | uri: /api/v3/scans/{currentStaticScanId}/summary 18 | embedIf: currentStaticScanId!=null 19 | vulnerability: 20 | filterParam: scantype:Static|Dynamic # Have FoD return only static and dynamic issues 21 | embed: # Also load details, recommendations and 
request-response data as required for GitLab output 22 | - subEntity: details 23 | - subEntity: recommendations 24 | - subEntity: request-response 25 | embedIf: scantype=='Dynamic' 26 | 27 | export.dir: ${CI_PROJECT_DIR:${export.default.dir}} # Unless overridden, use CI_PROJECT_DIR if defined, otherwise default export dir 28 | json.gitlab.sast.output: 29 | stdout: false # Disabled by default to avoid vulnerability data being exposed through log files 30 | pretty: true # Useful for debugging, disable for optimal performance 31 | file: ${export.dir}/gl-fortify-sast.json # Output file 32 | 33 | json.gitlab.dast.output: 34 | stdout: false # Disabled by default to avoid vulnerability data being exposed through log files 35 | pretty: true # Useful for debugging, disable for optimal performance 36 | file: ${export.dir}/gl-fortify-dast.json # Output file 37 | -------------------------------------------------------------------------------- /config/FoDToGitLabDAST.yml: -------------------------------------------------------------------------------- 1 | export: 2 | from: fod 3 | to: json.gitlab.dast 4 | 5 | fod: 6 | scopes: view-apps, view-issues, view-reports 7 | release: 8 | embed: # Load dynamic scan summary as required for GitLab output 9 | - propertyName: dynamicScanSummary 10 | uri: /api/v3/scans/{currentDynamicScanId}/summary 11 | embedIf: currentDynamicScanId!=null 12 | - propertyName: siteTree 13 | uri: /api/v3/scans/{currentDynamicScanId}/site-tree 14 | embedIf: currentDynamicScanId!=null 15 | onError: LOG_WARN # Site tree may not be available, so we just log a warning 16 | 17 | vulnerability: 18 | filterParam: scantype:Dynamic # Have FoD return only dynamic issues 19 | embed: # Also load details and recommendations as required for GitLab output 20 | - subEntity: details 21 | - subEntity: recommendations 22 | - subEntity: request-response 23 | 24 | export.dir: ${CI_PROJECT_DIR:${export.default.dir}} # Unless overridden, use CI_PROJECT_DIR if defined, otherwise 
default export dir 25 | json.gitlab.dast.output: 26 | stdout: false # Disabled by default to avoid vulnerability data being exposed through log files 27 | pretty: true # Useful for debugging, disable for optimal performance 28 | file: ${export.dir}/gl-fortify-dast.json # Output file 29 | -------------------------------------------------------------------------------- /config/FoDToGitLabSAST.yml: -------------------------------------------------------------------------------- 1 | # See FortifyVulnerabilityExporter documentation for FoD connection settings and release selection 2 | 3 | export: 4 | from: fod 5 | to: json.gitlab.sast 6 | 7 | fod: 8 | release: 9 | embed: # Load static scan summary as required for GitLab output 10 | - propertyName: staticScanSummary 11 | uri: /api/v3/scans/{currentStaticScanId}/summary 12 | embedIf: currentStaticScanId!=null 13 | vulnerability: 14 | filterParam: scantype:Static # Have FoD return only static issues 15 | embed: # Also load details and recommendations as required for GitLab output 16 | - subEntity: details 17 | - subEntity: recommendations 18 | 19 | export.dir: ${CI_PROJECT_DIR:${export.default.dir}} # Unless overridden, use CI_PROJECT_DIR if defined, otherwise default export dir 20 | json.gitlab.sast.output: 21 | stdout: false # Disabled by default to avoid vulnerability data being exposed through log files 22 | pretty: true # Useful for debugging, disable for optimal performance 23 | file: ${export.dir}/gl-fortify-sast.json # Output file -------------------------------------------------------------------------------- /config/FoDToJsonCustom.yml: -------------------------------------------------------------------------------- 1 | # See FortifyVulnerabilityExporter documentation for FoD connection settings and release selection 2 | 3 | export: 4 | from: fod 5 | to: json.custom # You can use any name, as long as it starts with 'json' and there is a corresponding configuration entry 6 | 7 | fod: 8 | vulnerability: 9 | 
filterParam: severityString:Critical # Example to have FoD return only Critical issues 10 | embed: # Load extra data, depending on what data you want to include in output 11 | - subEntity: details 12 | 13 | export.dir: ${export.default.dir} # Use default export directory (unless overridden) 14 | json.custom: 15 | output: 16 | stdout: true # Useful for debugging, disable for optimal performance 17 | pretty: true # Useful for debugging, disable for optimal performance 18 | file: ${export.dir}/${release.applicationName}-${release.releaseName}.json # Output file 19 | format: 20 | fields: 21 | hello: there 22 | vulnerabilitiesArray: $[vulnerabilityMappers.vulnerability.get()] # Reference to vulnerabilityMapper defined below 23 | vulnerabilitiesById: $[vulnerabilityMappers.vulnerabilityById.get()] # Reference to vulnerabilityMapper defined below 24 | explanationsById: $[vulnerabilityMappers.explanationById.get()] # Reference to vulnerabilityMapper defined below 25 | vulnerabilityMappers: 26 | vulnerability: 27 | fields: 28 | id: $[vuln.instanceId] 29 | description: $[#htmlToText(vuln.details?.explanation)] 30 | release: $[release.applicationAndReleaseName] 31 | vulnerabilityById: 32 | propertyName: $[vuln.instanceId] 33 | fields: 34 | id: $[vuln.instanceId] 35 | description: $[#htmlToText(vuln.details?.explanation)] 36 | release: $[release.applicationAndReleaseName] 37 | explanationById: 38 | propertyName: $[vuln.instanceId] 39 | value: $[#htmlToText(vuln.details?.explanation)] 40 | 41 | -------------------------------------------------------------------------------- /config/FoDToJsonRaw.yml: -------------------------------------------------------------------------------- 1 | # See FortifyVulnerabilityExporter documentation for FoD connection settings and release selection 2 | 3 | export: 4 | from: fod 5 | to: json.raw 6 | 7 | fod: 8 | release: 9 | embed: # Load static and dynamic scan summaries if available 10 | - propertyName: dynamicScanSummary 11 | uri: 
/api/v3/scans/{currentDynamicScanId}/summary 12 | embedIf: currentDynamicScanId!=null 13 | - propertyName: staticScanSummary 14 | uri: /api/v3/scans/{currentStaticScanId}/summary 15 | embedIf: currentStaticScanId!=null 16 | vulnerability: 17 | embed: # Load extra data, depending on what data you want to include in output 18 | - subEntity: all-data 19 | 20 | json.raw.output: 21 | stdout: true # Useful for debugging, disable for optimal performance 22 | pretty: true # Useful for debugging, disable for optimal performance -------------------------------------------------------------------------------- /config/FoDToSonarQube.yml: -------------------------------------------------------------------------------- 1 | # See FortifyVulnerabilityExporter documentation for FoD connection settings and release selection 2 | 3 | export: 4 | from: fod 5 | to: json.sonarqube.sast 6 | 7 | fod: 8 | vulnerability: 9 | filterParam: scantype:Static # Have FoD return only static issues 10 | 11 | json.sonarqube.sast.filePathPrefix: # By default don't add any prefix to the path (used in json-sonarqube-fod-sast.yml) 12 | export.dir: ${export.default.dir} # Use default export directory (unless overridden) 13 | json.sonarqube.sast.output: 14 | stdout: false # Disabled by default to avoid vulnerability data being exposed through log files 15 | pretty: true # Useful for debugging, disable for optimal performance 16 | file: ${export.dir}/sq-fortify-sast.json # Output file -------------------------------------------------------------------------------- /config/SSCToAWS.yml: -------------------------------------------------------------------------------- 1 | # See FortifyVulnerabilityExporter documentation for SSC connection settings and application version selection 2 | 3 | export: 4 | from: ssc 5 | to: json.awshub.sast 6 | 7 | ssc: 8 | version: 9 | embed: # Load static and dynamic scan summaries if available 10 | - subEntity: currentStaticScan 11 | onError: LOG_INFO 12 | - propertyName: 
issueCountsSCA 13 | subEntity: issueGroups 14 | params: 15 | filter: ISSUE[11111111-1111-1111-1111-111111111151]:SCA 16 | groupingtype: 11111111-1111-1111-1111-111111111150 17 | - propertyName: issueCounts 18 | subEntity: issueGroups 19 | params: 20 | groupingtype: 11111111-1111-1111-1111-111111111150 21 | vulnerability: 22 | filterParam: ISSUE[11111111-1111-1111-1111-111111111151]:SCA # Have SSC return only SCA issues 23 | embed: # Also load details as required for AWS output 24 | - subEntity: details 25 | 26 | export.dir: ${CI_PROJECT_DIR:${export.default.dir}} # Unless overridden, use CI_PROJECT_DIR if defined, otherwise default export dir 27 | json.awshub.sast.output: 28 | stdout: false # Useful for debugging, disabled for optimal performance 29 | pretty: true # Useful for debugging, disable for optimal performance 30 | file: ${export.dir}/awshub-fortify-sast.json 31 | -------------------------------------------------------------------------------- /config/SSCToBitBucket.yml: -------------------------------------------------------------------------------- 1 | # See FortifyVulnerabilityExporter documentation for SSC connection settings and application version selection 2 | 3 | export: 4 | from: ssc 5 | to: json.bitbucket.sast.report, json.bitbucket.sast.annotations 6 | 7 | ssc: 8 | version: 9 | embed: 10 | - subEntity: currentStaticScan 11 | onError: LOG_INFO 12 | - propertyName: issueCountsSCA 13 | subEntity: issueGroups 14 | params: 15 | filter: ISSUE[11111111-1111-1111-1111-111111111151]:SCA 16 | groupingtype: 11111111-1111-1111-1111-111111111150 17 | - propertyName: issueCounts 18 | subEntity: issueGroups 19 | params: 20 | groupingtype: 11111111-1111-1111-1111-111111111150 21 | vuln: 22 | filterParam: ISSUE[11111111-1111-1111-1111-111111111151]:SCA # Have SSC return only SCA issues 23 | embed: # Also load details as required for BitBucket output 24 | - subEntity: details 25 | 26 | export.dir: ${BITBUCKET_WORKSPACE:${export.default.dir}} # Unless overridden, 
use BITBUCKET_WORKSPACE if defined, otherwise default export dir 27 | bitbucket.report.output: ${export.dir}/bb-fortify-report.json # Define default report output file location and name 28 | bitbucket.annotations.output: ${export.dir}/bb-fortify-annotations.json # Define default annotations output file location and name 29 | 30 | json.bitbucket.sast.report.output: 31 | stdout: false # Disabled by default to avoid vulnerability data being exposed through log files 32 | pretty: true # Useful for debugging, disable for optimal performance 33 | file: ${bitbucket.report.output} # Output file 34 | json.bitbucket.sast.annotations.output: 35 | stdout: false # Disabled by default to avoid vulnerability data being exposed through log files 36 | pretty: true # Useful for debugging, disable for optimal performance 37 | file: ${bitbucket.annotations.output} # Output file -------------------------------------------------------------------------------- /config/SSCToCSV.yml: -------------------------------------------------------------------------------- 1 | # See FortifyVulnerabilityExporter documentation for SSC connection settings and application version selection 2 | 3 | export: 4 | from: ssc 5 | to: csv 6 | 7 | # ssc: 8 | # vulnerability: 9 | # embed: # Load extra data, depending on what data you want to include in output 10 | # - subEntity: details 11 | 12 | export.dir: ${export.default.dir} # Use default export directory (unless overridden) 13 | csv: 14 | output: 15 | stdout: false # Disabled by default to avoid vulnerability data being exposed through log files 16 | file: ${export.dir}/${applicationVersion.project.name}-${applicationVersion.name}.csv # Output file. NOTE(review): the name is derived from the SSC application and version names, which are free-form user input in SSC and may contain path separators or characters that are invalid in file names; sanitize them or use a fixed name when running in shared pipelines 17 | fields: # NOTE(review): values are written verbatim from SSC; cells starting with =, +, - or @ may be interpreted as formulas when the CSV is opened in a spreadsheet (CSV injection), so confirm the csv plugin escapes such cells or avoid opening exports in spreadsheet tools 18 | source: Fortify SSC 19 | engineType: $[vuln.engineType] 20 | id: $[vuln.id] 21 | issueInstanceId: $[vuln.issueInstanceId] 22 | category: $[vuln.issueName] 23 | file: $[vuln.fullFileName] 24 | line: $[vuln.lineNumber] 
-------------------------------------------------------------------------------- /config/SSCToGitHub.yml: -------------------------------------------------------------------------------- 1 | # See FortifyVulnerabilityExporter documentation for SSC connection settings and application version selection 2 | 3 | export: 4 | from: ssc 5 | to: json.github.sast 6 | 7 | ssc: 8 | version: 9 | embed: 10 | - subEntity: currentStaticScan 11 | onError: LOG_INFO 12 | vuln: 13 | filterParam: ISSUE[11111111-1111-1111-1111-111111111151]:SCA # Have SSC return only SCA issues 14 | embed: # Also load details as required for GitHub output 15 | - subEntity: details 16 | 17 | export.dir: ${GITHUB_WORKSPACE:${export.default.dir}} # Unless overridden, use GITHUB_WORKSPACE if defined, otherwise default export dir 18 | sarif.output: ${export.dir}/gh-fortify-sast.sarif # Define default output file location and name 19 | json.github.sast.output: 20 | stdout: false # Disabled by default to avoid vulnerability data being exposed through log files 21 | pretty: true # Useful for debugging, disable for optimal performance 22 | file: ${sarif.output} # Output file 23 | -------------------------------------------------------------------------------- /config/SSCToGitLab.yml: -------------------------------------------------------------------------------- 1 | # See FortifyVulnerabilityExporter documentation for SSC connection settings and application version selection 2 | 3 | export: 4 | from: ssc 5 | to: json.gitlab.sast, json.gitlab.dast, json.gitlab.sonatype, json.gitlab.debricked 6 | 7 | ssc: 8 | version: 9 | embed: 10 | - subEntity: currentStaticScan 11 | onError: LOG_INFO 12 | - subEntity: currentDynamicScan 13 | onError: LOG_INFO 14 | - subEntity: currentSonatypeScan 15 | onError: LOG_INFO 16 | vulnerability: 17 | embed: # Also load details as required for GitLab output 18 | - subEntity: details 19 | 20 | export.dir: ${CI_PROJECT_DIR:${export.default.dir}} # Unless overridden, use CI_PROJECT_DIR 
if defined, otherwise default export dir 21 | json.gitlab.sast.output: 22 | stdout: false # Disabled by default to avoid vulnerability data being exposed through log files 23 | pretty: true # Useful for debugging, disable for optimal performance 24 | file: ${export.dir}/gl-fortify-sast.json # Output file 25 | 26 | json.gitlab.dast.output: 27 | stdout: false # Disabled by default to avoid vulnerability data being exposed through log files 28 | pretty: true # Useful for debugging, disable for optimal performance 29 | file: ${export.dir}/gl-fortify-dast.json # Output file 30 | 31 | json.gitlab.sonatype.output: 32 | stdout: false # Disabled by default to avoid vulnerability data being exposed through log files 33 | pretty: true # Useful for debugging, disable for optimal performance 34 | file: ${export.dir}/gl-fortify-sonatype-depscan.json # Output file 35 | 36 | json.gitlab.debricked.output: 37 | stdout: false # Disabled by default to avoid vulnerability data being exposed through log files 38 | pretty: true # Useful for debugging, disable for optimal performance 39 | file: ${export.dir}/gl-fortify-debricked-depscan.json # Output file -------------------------------------------------------------------------------- /config/SSCToGitLabDAST.yml: -------------------------------------------------------------------------------- 1 | # See FortifyVulnerabilityExporter documentation for SSC connection settings and application version selection 2 | 3 | export: 4 | from: ssc 5 | to: json.gitlab.dast 6 | 7 | ssc: 8 | version: 9 | embed: 10 | - subEntity: currentDynamicScan 11 | onError: LOG_INFO 12 | vulnerability: 13 | filterParam: ISSUE[11111111-1111-1111-1111-111111111151]:WEBINSPECT # Have SSC return only WebInspect (DAST) issues 14 | embed: # Also load details as required for GitLab output 15 | - subEntity: details 16 | 17 | export.dir: ${CI_PROJECT_DIR:${export.default.dir}} # Unless overridden, use CI_PROJECT_DIR if defined, otherwise default export dir 18 | json.gitlab.dast.output: 19 
| stdout: false # Disabled by default to avoid vulnerability data being exposed through log files 20 | pretty: true # Useful for debugging, disable for optimal performance 21 | file: ${export.dir}/gl-fortify-dast.json # Output file -------------------------------------------------------------------------------- /config/SSCToGitLabDebricked.yml: -------------------------------------------------------------------------------- 1 | # See FortifyVulnerabilityExporter documentation for SSC connection settings and application version selection 2 | 3 | export: 4 | from: ssc 5 | to: json.gitlab.debricked 6 | 7 | ssc: 8 | version: 9 | embed: 10 | - subEntity: currentDebrickedScan 11 | onError: LOG_INFO 12 | vulnerability: 13 | filterParam: ISSUE[11111111-1111-1111-1111-111111111151]:DEBRICKED # Have SSC return only Debricked issues 14 | embed: # Also load details as required for GitLab output 15 | - subEntity: details 16 | 17 | export.dir: ${CI_PROJECT_DIR:${export.default.dir}} # Unless overridden, use CI_PROJECT_DIR if defined, otherwise default export dir 18 | json.gitlab.debricked.output: 19 | stdout: false # Disabled by default to avoid vulnerability data being exposed through log files 20 | pretty: true # Useful for debugging, disable for optimal performance 21 | file: ${export.dir}/gl-fortify-debricked-depscan.json # Output file 22 | -------------------------------------------------------------------------------- /config/SSCToGitLabSAST.yml: -------------------------------------------------------------------------------- 1 | # See FortifyVulnerabilityExporter documentation for SSC connection settings and application version selection 2 | 3 | export: 4 | from: ssc 5 | to: json.gitlab.sast 6 | 7 | ssc: 8 | version: 9 | embed: 10 | - subEntity: currentStaticScan 11 | onError: LOG_INFO 12 | vulnerability: 13 | filterParam: ISSUE[11111111-1111-1111-1111-111111111151]:SCA # Have SSC return only SCA issues 14 | embed: # Also load details as required for GitLab output 15 | - 
subEntity: details 16 | 17 | export.dir: ${CI_PROJECT_DIR:${export.default.dir}} # Unless overridden, use CI_PROJECT_DIR if defined, otherwise default export dir 18 | json.gitlab.sast.output: 19 | stdout: false # Disabled by default to avoid vulnerability data being exposed through log files 20 | pretty: true # Useful for debugging, disable for optimal performance 21 | file: ${export.dir}/gl-fortify-sast.json # Output file 22 | -------------------------------------------------------------------------------- /config/SSCToGitLabSonatype.yml: -------------------------------------------------------------------------------- 1 | # See FortifyVulnerabilityExporter documentation for SSC connection settings and application version selection 2 | 3 | export: 4 | from: ssc 5 | to: json.gitlab.sonatype 6 | 7 | ssc: 8 | version: 9 | embed: 10 | - subEntity: currentSonatypeScan 11 | onError: LOG_INFO 12 | vulnerability: 13 | filterParam: ISSUE[11111111-1111-1111-1111-111111111151]:SONATYPE # Have SSC return only Sonatype issues 14 | embed: # Also load details as required for GitLab output 15 | - subEntity: details 16 | 17 | export.dir: ${CI_PROJECT_DIR:${export.default.dir}} # Unless overridden, use CI_PROJECT_DIR if defined, otherwise default export dir 18 | json.gitlab.sonatype.output: 19 | stdout: false # Disabled by default to avoid vulnerability data being exposed through log files 20 | pretty: true # Useful for debugging, disable for optimal performance 21 | file: ${export.dir}/gl-fortify-sonatype-depscan.json # Output file 22 | -------------------------------------------------------------------------------- /config/SSCToJsonCustom.yml: -------------------------------------------------------------------------------- 1 | # See FortifyVulnerabilityExporter documentation for SSC connection settings and application version selection 2 | 3 | export: 4 | from: ssc 5 | to: json.custom # You can use any name, as long as it starts with 'json' and there is a corresponding 
configuration entry 6 | 7 | ssc: 8 | vulnerability: 9 | queryParam: analysis:exploitable # Example to have SSC only return issues marked as Exploitable 10 | embed: # Load extra data, depending on what data you want to include in output 11 | - subEntity: details 12 | 13 | export.dir: ${export.default.dir} # Use default export directory (unless overridden) 14 | json.custom: 15 | output: 16 | stdout: true # Enabled in this sample so results are visible on the console; set to false in CI/CD, where console output is captured in build logs and would expose vulnerability details (disabling it is also faster) 17 | pretty: true # Useful for debugging, disable for optimal performance 18 | file: ${export.dir}/${applicationVersion.project.name}-${applicationVersion.name}.json # Output file. NOTE(review): the name is derived from the SSC application and version names, which are free-form user input in SSC and may contain path separators or characters that are invalid in file names; sanitize them or use a fixed name when running in shared pipelines 19 | format: 20 | fields: 21 | hello: there 22 | vulnerabilitiesArray: $[vulnerabilityMappers.vulnerability.get()] # Reference to vulnerabilityMapper defined below 23 | vulnerabilitiesById: $[vulnerabilityMappers.vulnerabilityById.get()] # Reference to vulnerabilityMapper defined below 24 | explanationsById: $[vulnerabilityMappers.explanationById.get()] # Reference to vulnerabilityMapper defined below 25 | vulnerabilityMappers: 26 | vulnerability: 27 | fields: 28 | id: $[vuln.issueInstanceId] 29 | description: $[vuln.details?.detail] 30 | applicationVersion: $[applicationVersion.applicationAndVersionName] 31 | vulnerabilityById: 32 | propertyName: $[vuln.issueInstanceId] 33 | fields: 34 | id: $[vuln.instanceId] # NOTE(review): the 'vulnerability' mapper above uses $[vuln.issueInstanceId] for the same field; confirm 'instanceId' exists on the SSC issue object, otherwise this expression may fail or yield no value 35 | description: $[vuln.details?.detail] 36 | applicationVersion: $[applicationVersion.applicationAndVersionName] 37 | explanationById: 38 | propertyName: $[vuln.issueInstanceId] 39 | value: $[vuln.details?.detail] 40 | 41 | -------------------------------------------------------------------------------- /config/SSCToJsonRaw.yml: -------------------------------------------------------------------------------- 1 | # See FortifyVulnerabilityExporter documentation for SSC connection settings and application version selection 2 | 3 | export: 4 | from: ssc 5 | to: json.raw 6 | 7 | ssc: 8 | version: 9 | embed: # Load extra data, 
depending on what data you want to include in output 10 | - subEntity: currentStaticScan 11 | onError: LOG_INFO 12 | - subEntity: currentDynamicScan 13 | onError: LOG_INFO 14 | vulnerability: 15 | embed: # Load extra data, depending on what data you want to include in output 16 | - subEntity: details 17 | 18 | json.raw.output: 19 | stdout: true # This sample defines no 'file' output, so the complete raw export (including embedded issue details) is written to the console; in CI/CD that ends up in build logs, so prefer a 'file' output there and set stdout to false 20 | pretty: true # Useful for debugging, disable for optimal performance -------------------------------------------------------------------------------- /config/SSCToSonarQube.yml: -------------------------------------------------------------------------------- 1 | # See FortifyVulnerabilityExporter documentation for SSC connection settings and application version selection 2 | 3 | export: 4 | from: ssc 5 | to: json.sonarqube.sast 6 | 7 | ssc: 8 | vulnerability: 9 | filterParam: ISSUE[11111111-1111-1111-1111-111111111151]:SCA # Have SSC return only SCA issues 10 | 11 | json.sonarqube.sast.filePathPrefix: # By default don't add any prefix to the path (used in json-sonarqube-ssc-sast.yml) 12 | export.dir: ${export.default.dir} # Use default export directory (unless overridden) 13 | json.sonarqube.sast.output: 14 | stdout: false # Disabled by default to avoid vulnerability data being exposed through log files 15 | pretty: true # Useful for debugging, disable for optimal performance 16 | file: ${export.dir}/sq-fortify-sast.json # Output file 17 | -------------------------------------------------------------------------------- /doc-resources/repo-intro.md: -------------------------------------------------------------------------------- 1 | **Deprecation Notice:** With most of the FortifyVulnerabilityExporter functionality now having been integrated into [fcli 2.4.0 and above](https://github.com/fortify/fcli) (see the `fcli ssc action` and `fcli fod action` commands), FortifyVulnerabilityExporter will be deprecated by the end of 2024. 
Please start migrating any FortifyVulnerabilityExporter-based functionality like pipeline integrations to use fcli instead. If you encounter any fcli limitations that prevent you from migrating, please raise an issue on the [fcli issue tracker](https://github.com/fortify/fcli/issues). 2 | 3 | FortifyVulnerabilityExporter allows for exporting vulnerabilities from Fortify on Demand and Fortify Software Security Center to the following third-party products and output formats: 4 | 5 | * [GitHub Integration](USAGE.md#github-integration) 6 | * [GitLab Integration](USAGE.md#gitlab-integration) 7 | * [BitBucket Integration](USAGE.md#bitbucket-integration) 8 | * [DefectDojo Integration](USAGE.md#defectdojo-integration) 9 | * [SonarQube Integration](USAGE.md#sonarqube-integration) 10 | * [CSV Export](USAGE.md#csv-export) 11 | * [JSON Export](USAGE.md#json-export) 12 | 13 | Please review the information in the following sections before integrating FortifyVulnerabilityExporter into your SDLC: 14 | 15 | * [Raw or Audited Results](USAGE.md#raw-or-audited-results) 16 | * [Generic Usage](USAGE.md#generic-usage) 17 | * [CI/CD Integration](USAGE.md#cicd-integration) -------------------------------------------------------------------------------- /doc-resources/repo-resources.md: -------------------------------------------------------------------------------- 1 | * **Usage**: [USAGE.md](USAGE.md) 2 | * **Downloads**: https://github.com/fortify/FortifyVulnerabilityExporter/releases 3 | * _Development releases may be unstable or non-functional. 
The `*-thirdparty.zip` file is for informational purposes only and does not need to be downloaded._ 4 | * **Docker images**: https://hub.docker.com/repository/docker/fortifydocker/fortify-vulnerability-exporter 5 | * `latest` and `stable` tags point to the latest production release 6 | * `vX.Y.Z` and `X.Y.Z` tags point to the given patch release 7 | * `vX.Y` and `X.Y` tags point to the latest patch release of the given minor release 8 | * `vX` and `X` tags point to the latest minor and patch release of the given major release 9 | * `dev_` tags point to the latest development release for a given branch 10 | * `latest_rc` tag points to the latest development release on the main branch 11 | * All tags other than `vX.Y.Z`/`X.Y.Z` are moving tags whose content changes with each release; for reproducible and auditable pipelines, pin to a specific patch-release tag or, better, to the image digest (`@sha256:...`) 12 | * **Source code**: https://github.com/fortify/FortifyVulnerabilityExporter 13 | * **Automated builds**: https://github.com/fortify/FortifyVulnerabilityExporter/actions 14 | {{include:resources/nocomments.li.contrib-conduct-licence.md}} 15 | -------------------------------------------------------------------------------- /doc-resources/template-values.md: -------------------------------------------------------------------------------- 1 | # repo-title 2 | FortifyVulnerabilityExporter 3 | 4 | # repo-url 5 | https://github.com/fortify/FortifyVulnerabilityExporter -------------------------------------------------------------------------------- /doc-resources/update-repo-docs.sh: -------------------------------------------------------------------------------- 1 | #! 
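/bin/bash 2 | # NOTE(review): this sources and executes whatever is currently on the 'main' branch of fortify/shared-doc-resources; pin to a full commit SHA (or vendor the script and verify a checksum) so the code executed here cannot change underneath this repository 3 | source <(curl -sSf --proto '=https' --tlsv1.2 https://raw.githubusercontent.com/fortify/shared-doc-resources/main/scripts/update-doc-resources.sh) 4 | -------------------------------------------------------------------------------- /fortify-scan.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -euo pipefail # Fail fast; pipefail makes a failed download fail the curl | bash pipeline below instead of silently running nothing 3 | 4 | # Set scan options 5 | # Modular scan doesn't work properly yet, so for now we just add the fortify-client-api build model 6 | # Note that either approach requires fortify-client-api to be translated/scanned on the same machine 7 | # before running this script. 8 | # Options are held in an array and expanded with "${scanOpts[@]}" so each option is passed as a separate argument without relying on word splitting 9 | #scanOpts=(-include-modules fortify-client-api -scan) 10 | scanOpts=(-b fortify-client-api -scan) 11 | 12 | # Load and execute actual scan script from GitHub 13 | # NOTE(review): '1.0' is a git ref (tag/branch) and can be moved or force-pushed; pin to a full commit SHA, or vendor the script and verify its checksum, so the code executed here is fixed 14 | # -f/--fail makes curl exit non-zero on HTTP errors instead of piping an error page into bash; --proto '=https' and --tlsv1.2 refuse redirects to plain http or downgraded TLS 15 | curl -sSf --proto '=https' --tlsv1.2 https://raw.githubusercontent.com/fortify-ps/gradle-helpers/1.0/fortify-scan.sh | bash -s - "${scanOpts[@]}" -------------------------------------------------------------------------------- /gradle/wrapper/gradle-wrapper.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fortify/FortifyVulnerabilityExporter/c5e56109ff6a799e5ee7ab9336c35c921cd779cb/gradle/wrapper/gradle-wrapper.jar -------------------------------------------------------------------------------- /gradle/wrapper/gradle-wrapper.properties: -------------------------------------------------------------------------------- 1 | distributionBase=GRADLE_USER_HOME 2 | distributionPath=wrapper/dists 3 | distributionUrl=https\://services.gradle.org/distributions/gradle-8.0.2-bin.zip 4 | # NOTE(review): no distributionSha256Sum is set, so the wrapper does not verify the downloaded Gradle distribution; add the published checksum for gradle-8.0.2-bin.zip to enable verification 5 | networkTimeout=10000 6 | zipStoreBase=GRADLE_USER_HOME 7 | zipStorePath=wrapper/dists 8 | -------------------------------------------------------------------------------- /gradlew.bat: -------------------------------------------------------------------------------- 1 | @rem 2 | @rem Copyright 2015 the original author or authors. 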
3 | @rem 4 | @rem Licensed under the Apache License, Version 2.0 (the "License"); 5 | @rem you may not use this file except in compliance with the License. 6 | @rem You may obtain a copy of the License at 7 | @rem 8 | @rem https://www.apache.org/licenses/LICENSE-2.0 9 | @rem 10 | @rem Unless required by applicable law or agreed to in writing, software 11 | @rem distributed under the License is distributed on an "AS IS" BASIS, 12 | @rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | @rem See the License for the specific language governing permissions and 14 | @rem limitations under the License. 15 | @rem 16 | 17 | @if "%DEBUG%"=="" @echo off 18 | @rem ########################################################################## 19 | @rem 20 | @rem Gradle startup script for Windows 21 | @rem 22 | @rem ########################################################################## 23 | 24 | @rem Set local scope for the variables with windows NT shell 25 | if "%OS%"=="Windows_NT" setlocal 26 | 27 | set DIRNAME=%~dp0 28 | if "%DIRNAME%"=="" set DIRNAME=. 29 | @rem This is normally unused 30 | set APP_BASE_NAME=%~n0 31 | set APP_HOME=%DIRNAME% 32 | 33 | @rem Resolve any "." and ".." in APP_HOME to make it shorter. 34 | for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi 35 | 36 | @rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. 37 | set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" 38 | 39 | @rem Find java.exe 40 | if defined JAVA_HOME goto findJavaFromJavaHome 41 | 42 | set JAVA_EXE=java.exe 43 | %JAVA_EXE% -version >NUL 2>&1 44 | if %ERRORLEVEL% equ 0 goto execute 45 | 46 | echo. 47 | echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 48 | echo. 49 | echo Please set the JAVA_HOME variable in your environment to match the 50 | echo location of your Java installation. 
51 | 52 | goto fail 53 | 54 | :findJavaFromJavaHome 55 | set JAVA_HOME=%JAVA_HOME:"=% 56 | set JAVA_EXE=%JAVA_HOME%/bin/java.exe 57 | 58 | if exist "%JAVA_EXE%" goto execute 59 | 60 | echo. 61 | echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 62 | echo. 63 | echo Please set the JAVA_HOME variable in your environment to match the 64 | echo location of your Java installation. 65 | 66 | goto fail 67 | 68 | :execute 69 | @rem Setup the command line 70 | 71 | set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar 72 | 73 | 74 | @rem Execute Gradle 75 | "%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* 76 | 77 | :end 78 | @rem End local scope for the variables with windows NT shell 79 | if %ERRORLEVEL% equ 0 goto mainEnd 80 | 81 | :fail 82 | rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of 83 | rem the _cmd.exe /c_ return code! 
84 | set EXIT_CODE=%ERRORLEVEL% 85 | if %EXIT_CODE% equ 0 set EXIT_CODE=1 86 | if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% 87 | exit /b %EXIT_CODE% 88 | 89 | :mainEnd 90 | if "%OS%"=="Windows_NT" endlocal 91 | 92 | :omega 93 | -------------------------------------------------------------------------------- /settings.gradle: -------------------------------------------------------------------------------- 1 | rootProject.name = 'FortifyVulnerabilityExporter' 2 | include 'FortifyVulnerabilityExporter-api' 3 | include 'FortifyVulnerabilityExporter-spi-from' 4 | include 'FortifyVulnerabilityExporter-spi-to' 5 | include 'FortifyVulnerabilityExporter-plugin-from-ssc' 6 | include 'FortifyVulnerabilityExporter-plugin-from-fod' 7 | include 'FortifyVulnerabilityExporter-plugin-to-csv' 8 | include 'FortifyVulnerabilityExporter-plugin-to-json' 9 | include 'FortifyVulnerabilityExporter-plugin-raw' 10 | 11 | -------------------------------------------------------------------------------- /src/main/java/com/fortify/util/spring/boot/env/plugin/PluginConfigEnvironmentPostProcessor.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 
14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 24 | ******************************************************************************/ 25 | package com.fortify.util.spring.boot.env.plugin; 26 | 27 | import java.io.IOException; 28 | 29 | import org.springframework.boot.SpringApplication; 30 | import org.springframework.boot.env.EnvironmentPostProcessor; 31 | import org.springframework.boot.env.YamlPropertySourceLoader; 32 | import org.springframework.boot.logging.DeferredLog; 33 | import org.springframework.core.Ordered; 34 | import org.springframework.core.annotation.Order; 35 | import org.springframework.core.env.ConfigurableEnvironment; 36 | import org.springframework.core.env.MutablePropertySources; 37 | import org.springframework.core.io.Resource; 38 | import org.springframework.core.io.support.ResourcePatternUtils; 39 | 40 | /** 41 | * This {@link EnvironmentPostProcessor} implementation adds plugin configuration files 42 | * as property sources. Spring loads this class based on src/main/resources/META-INF/spring.factories. 
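43 | * 44 | * @author Ruud Senden 45 | * 46 | */
@Order(Ordered.LOWEST_PRECEDENCE)
public class PluginConfigEnvironmentPostProcessor implements EnvironmentPostProcessor {
	// Logging is not yet configured while EnvironmentPostProcessors run, so output is
	// buffered here and replayed once the application context is initialized.
	private final DeferredLog log = new DeferredLog();

	/**
	 * Appends every plugin configuration file found on the classpath to the
	 * environment's property sources.
	 *
	 * @param environment the environment whose property sources are extended
	 * @param application the application, used to replay the buffered log output
	 *                    once logging has been initialized
	 */
	@Override
	public void postProcessEnvironment(ConfigurableEnvironment environment, SpringApplication application) {
		application.addInitializers(ctx -> log.replayTo(PluginConfigEnvironmentPostProcessor.class));
		addPluginConfigPropertySources(environment.getPropertySources());
	}

	/**
	 * Loads every {@code .yml} file below a {@code pluginConfig} directory anywhere on
	 * the classpath and adds the resulting property sources last, i.e. with the lowest
	 * precedence, so that user-supplied configuration can override plugin defaults.
	 * <p>
	 * Security note: because the lookup uses {@code classpath*:}, a matching YAML file
	 * in <em>any</em> jar on the classpath is picked up and can define or override
	 * plugin configuration. The classpath is therefore the trust boundary for these
	 * files; only ship jars from trusted sources with the application.
	 * <p>
	 * Each resource is registered under its description (which includes the full
	 * location) rather than its bare file name: {@link MutablePropertySources#addLast}
	 * replaces an existing source with the same name, so two jars that both contain
	 * e.g. {@code pluginConfig/defaults.yml} would otherwise silently shadow each
	 * other. NOTE(review): if anything elsewhere looks these sources up by bare file
	 * name, that lookup must be adjusted accordingly; confirm before relying on it.
	 *
	 * @param propertySources the property sources to append to
	 * @throws IllegalStateException if the classpath scan or a YAML file cannot be read;
	 *                               the underlying {@link IOException} is kept as cause
	 */
	private final void addPluginConfigPropertySources(MutablePropertySources propertySources) {
		int count = 0;
		try {
			YamlPropertySourceLoader yamlLoader = new YamlPropertySourceLoader();
			Resource[] resources = ResourcePatternUtils.getResourcePatternResolver(null).getResources("classpath*:/pluginConfig/**/*.yml");
			for ( Resource resource : resources ) {
				// Unique per location; getFilename() alone collides across jars/directories.
				String sourceName = resource.getDescription();
				yamlLoader.load(sourceName, resource).forEach(propertySources::addLast);
				log.debug("Loaded plugin configuration file "+sourceName);
				count++;
			}
		} catch (IOException e ) {
			// Keep the cause so the failing resource shows up in the stack trace.
			throw new IllegalStateException("Error loading plugin configuration files", e);
		}
		log.info("Loaded "+count+" plugin configuration files");
	}

}
-------------------------------------------------------------------------------- /src/main/java/com/fortify/util/spring/boot/scheduler/BasicSchedulableRunnerFactory.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, 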
modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 24 | ******************************************************************************/ 25 | package com.fortify.util.spring.boot.scheduler; 26 | 27 | import java.util.function.Supplier; 28 | 29 | /** 30 | * Basic {@link ISchedulableRunnerFactory} implementation that allows for configuring 31 | * {@link Supplier} instances for {@link ISchedulableRunner}, enabled flag, and cron 32 | * schedule through the constructor. 
33 | * 34 | * @author Ruud Senden 35 | * 36 | */ 37 | public class BasicSchedulableRunnerFactory implements ISchedulableRunnerFactory { 38 | private final Supplier enabled; 39 | private final Supplier cronSchedule; 40 | private final Supplier runnerSupplier; 41 | 42 | public BasicSchedulableRunnerFactory(Supplier runnerSupplier, Supplier enabled, Supplier cronSchedule) { 43 | this.runnerSupplier = runnerSupplier; 44 | this.enabled = enabled; 45 | this.cronSchedule = cronSchedule; 46 | } 47 | @Override 48 | public boolean isEnabled() { 49 | return enabled.get(); 50 | } 51 | @Override 52 | public String getCronSchedule() { 53 | return cronSchedule.get(); 54 | } 55 | @Override 56 | public ISchedulableRunner getRunner() { 57 | return runnerSupplier.get(); 58 | } 59 | } 60 | -------------------------------------------------------------------------------- /src/main/java/com/fortify/util/spring/boot/scheduler/ISchedulableRunner.java: -------------------------------------------------------------------------------- 1 | package com.fortify.util.spring.boot.scheduler; 2 | /******************************************************************************* 3 | * (c) Copyright 2020 Micro Focus or one of its affiliates 4 | * 5 | * Permission is hereby granted, free of charge, to any person obtaining a 6 | * copy of this software and associated documentation files (the 7 | * "Software"), to deal in the Software without restriction, including without 8 | * limitation the rights to use, copy, modify, merge, publish, distribute, 9 | * sublicense, and/or sell copies of the Software, and to permit persons to 10 | * whom the Software is furnished to do so, subject to the following 11 | * conditions: 12 | * 13 | * The above copyright notice and this permission notice shall be included 14 | * in all copies or substantial portions of the Software. 
15 | *
16 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
17 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
18 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
19 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
21 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
22 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
23 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
24 | * IN THE SOFTWARE.
25 | ******************************************************************************/
26 |
27 | /**
28 | * This interface defines a schedulable runner, which can be run once or on a
29 | * schedule as defined by the corresponding {@link ISchedulableRunnerFactory}.
30 | *
31 | * @author Ruud Senden
32 | */
33 | public interface ISchedulableRunner extends Runnable {
// Marker type only: it adds no methods beyond Runnable#run(). The factory's
// javadoc names RunOrSchedule as the consumer; that class is not shown here.
34 | }
35 |
-------------------------------------------------------------------------------- /src/main/java/com/fortify/util/spring/boot/scheduler/ISchedulableRunnerFactory.java: --------------------------------------------------------------------------------
1 | package com.fortify.util.spring.boot.scheduler;
2 |
3 | import org.springframework.scheduling.support.CronExpression;
4 | import org.springframework.stereotype.Component;
5 |
6 | /*******************************************************************************
7 | * (c) Copyright 2020 Micro Focus or one of its affiliates
8 | *
9 | * Permission is hereby granted, free of charge, to any person obtaining a
10 | * copy of this software and associated documentation files (the
11 | * "Software"), to deal in the Software without restriction, including without
12 | * limitation the rights to use, copy, modify, merge, publish, distribute,
13 | * sublicense, and/or sell copies of the Software, and to permit persons to
14 | * whom the Software is furnished to do so, subject to the following
15 | * conditions:
16 | *
17 | * The above copyright notice and this permission notice shall be included
18 | * in all copies or substantial portions of the Software.
19 | *
20 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
21 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
22 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
23 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
24 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
25 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
26 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
27 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
28 | * IN THE SOFTWARE.
29 | ******************************************************************************/
30 |
31 | /**
32 | * This interface provides access to an {@link ISchedulableRunner} instance,
33 | * together with information about whether the runner is enabled and optional
34 | * cron schedule specifying when the runner should be run. Implementations
35 | * should use the {@link Component} annotation to allow auto-wiring into
36 | * {@link RunOrSchedule}.
37 | *
38 | * @author Ruud Senden
39 | *
40 | */
41 | public interface ISchedulableRunnerFactory {
42 | /**
43 | * @return true if the {@link ISchedulableRunner} returned by the {@link #getRunner()} method is enabled, false otherwise
44 | */
45 | public boolean isEnabled();
46 |
47 | /**
48 | * @return Cron expression specifying when to run the {@link ISchedulableRunner} returned by the {@link #getRunner()} method;
49 | * see {@link CronExpression#parse(String)} for details on cron expression format.
 * Which value means "no schedule" is decided by {@link RunOrSchedule}, which is not shown here;
 * FortifyVulnerabilityExporterRunnerConfig defaults its export.cronSchedule property to "-",
 * presumably meaning "run once, do not schedule" (the Spring Scheduled.CRON_DISABLED convention) -- confirm.
50 | */
51 | public String getCronSchedule();
52 |
53 | /**
54 | * @return {@link ISchedulableRunner} instance
55 | */
56 | public ISchedulableRunner getRunner();
57 | }
58 |
-------------------------------------------------------------------------------- /src/main/java/com/fortify/vulnexport/FortifyVulnerabilityExporterRunnerConfig.java: --------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | * (c) Copyright 2020 Micro Focus or one of its affiliates
3 | *
4 | * Permission is hereby granted, free of charge, to any person obtaining a
5 | * copy of this software and associated documentation files (the
6 | * "Software"), to deal in the Software without restriction, including without
7 | * limitation the rights to use, copy, modify, merge, publish, distribute,
8 | * sublicense, and/or sell copies of the Software, and to permit persons to
9 | * whom the Software is furnished to do so, subject to the following
10 | * conditions:
11 | *
12 | * The above copyright notice and this permission notice shall be included
13 | * in all copies or substantial portions of the Software.
14 | *
15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
23 | * IN THE SOFTWARE.
24 | ******************************************************************************/
25 | package com.fortify.vulnexport;
26 |
27 | import org.springframework.boot.context.properties.ConfigurationProperties;
28 | import org.springframework.stereotype.Component;
29 |
30 | import lombok.Data;
31 |
32 | /**
33 | * This class defines the configuration for {@link FortifyVulnerabilityExporterRunnerFactory}.
34 | * This only defines the export.cronSchedule property; other configuration
35 | * properties used by FortifyVulnerabilityExporter are processed by other configuration classes.
36 | *
 * The value is bound from whatever Spring property sources are active (configuration
 * file, command line, environment), i.e. it is operator-supplied input; the cron
 * expression format itself is validated by whoever parses it, not by this class.
37 | * @author Ruud Senden
38 | *
39 | */
40 | @Component
41 | @ConfigurationProperties(prefix = "export")
42 | @Data
43 | public class FortifyVulnerabilityExporterRunnerConfig {
// Bound to export.cronSchedule; Lombok @Data generates the getter/setter used for binding.
// The default "-" presumably means "run once, no schedule" (Spring's own
// Scheduled.CRON_DISABLED convention) -- confirm against RunOrSchedule, which is not shown here.
44 | private String cronSchedule = "-";
45 | }
46 |
-------------------------------------------------------------------------------- /src/main/jib/config/.empty: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fortify/FortifyVulnerabilityExporter/c5e56109ff6a799e5ee7ab9336c35c921cd779cb/src/main/jib/config/.empty -------------------------------------------------------------------------------- /src/main/jib/export/.empty: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fortify/FortifyVulnerabilityExporter/c5e56109ff6a799e5ee7ab9336c35c921cd779cb/src/main/jib/export/.empty -------------------------------------------------------------------------------- /src/main/resources/META-INF/spring.factories: --------------------------------------------------------------------------------
1 | org.springframework.boot.env.EnvironmentPostProcessor=com.fortify.util.spring.boot.env.plugin.PluginConfigEnvironmentPostProcessor
-------------------------------------------------------------------------------- /src/main/resources/application.yml:
--------------------------------------------------------------------------------
1 | # Define default logging configuration
2 | # The following common command line options/environment variables can be used to
3 | # manage logging:
4 | # --logging.level.com.fortify=TRACE
#   (TRACE output is very verbose and may include details of the requests made to the
#   source/target systems; review such logs before sharing them)
5 | # --logging.file.name=FortifyVulnerabilityExporter.log # Enable logging to file, write to given file name
6 | # --logging.file.path=/var/log # Enable logging to file, default file name is spring.log
7 | logging:
8 |   level:
9 |     org.springframework: WARN
10 |     org.quartz: WARN
11 |     com.fortify: INFO
12 |
13 | spring:
14 |   config:
# Loads the exporter configuration from the path given by the export.config property
# (command line / environment), falling back to the relative path
# FortifyVulnerabilityExporter.yml; the 'optional:' prefix means a missing file is not
# an error. If that file holds credentials for the source or target systems, restrict
# its file permissions accordingly.
15 |     import: optional:file:${export.config:FortifyVulnerabilityExporter.yml}
16 |   profiles:
17 |     active: default
18 |   main:
19 |     web-application-type: NONE
20 |
21 | # Set default export directory to .
22 | # This is overridden to /export by the Docker image
23 | export.default.dir: .
24 |
-------------------------------------------------------------------------------- /src/main/resources/banner.txt: --------------------------------------------------------------------------------
1 | ______ _ _ __
2 | | ____| | | (_)/ _|
3 | | |__ ___ _ __| |_ _| |_ _ _
4 | | __/ _ \| '__| __| | _| | | |
5 | | | | (_) | | | |_| | | | |_| |
6 | |_| \___/|_| \__|_|_| \__, |
7 | __ __ _ __/ | _ _ _ _ _
8 | \ \ / / | | |___/ | | (_) (_) |
9 | \ \ / / _| |_ __ ___ _ __ __ _| |__ _| |_| |_ _ _
10 | \ \/ / | | | | '_ \ / _ \ '__/ _` | '_ \| | | | __| | | |
11 | \ /| |_| | | | | | __/ | | (_| | |_) | | | | |_| |_| |
12 | \/ \__,_|_|_| |_|\___|_| \__,_|_.__/|_|_|_|\__|\__, |
13 | ______ _ __/ |
14 | | ____| | | |___/
15 | | |__ __ ___ __ ___ _ __| |_ ___ _ __
16 | | __| \ \/ / '_ \ / _ \| '__| __/ _ \ '__|
17 | | |____ > <| |_) | (_) | | | || __/ |
18 | |______/_/\_\ .__/ \___/|_| \__\___|_|
19 | | |
20 | |_|
-------------------------------------------------------------------------------- /src/main/resources/loader.properties:
--------------------------------------------------------------------------------
# loader.properties is the file read by Spring Boot's PropertiesLauncher. If that is
# the launcher in use here, every jar found under loader.path is added to the
# application classpath at startup, so the plugins directory is effectively
# executable content: keep it writable only by the account that deploys the
# exporter, and install plugins only from trusted sources.
1 | jarLocation=.
2 | pluginDir=${jarLocation}/plugins
3 | loader.path=${pluginDir}
-------------------------------------------------------------------------------- /version.txt: --------------------------------------------------------------------------------
1 | 2.1.0
2 |
--------------------------------------------------------------------------------