From 0339591327e18fcee8192e99e95d09da8bbe26fd Mon Sep 17 00:00:00 2001 From: Rohit Baryha <72431329+rohitbaryha1@users.noreply.github.com> Date: Wed, 26 Jun 2024 10:49:34 +0530 Subject: [PATCH] feat: AWS Security Hub Integration added configuration for AWS security hub --- .../cli/fod/actions/zip/aws-sast-report.yaml | 107 +++++++++++++++ .../cli/ssc/actions/zip/aws-sast-report.yaml | 125 ++++++++++++++++++ 2 files changed, 232 insertions(+) create mode 100644 fcli-core/fcli-fod/src/main/resources/com/fortify/cli/fod/actions/zip/aws-sast-report.yaml create mode 100644 fcli-core/fcli-ssc/src/main/resources/com/fortify/cli/ssc/actions/zip/aws-sast-report.yaml diff --git a/fcli-core/fcli-fod/src/main/resources/com/fortify/cli/fod/actions/zip/aws-sast-report.yaml b/fcli-core/fcli-fod/src/main/resources/com/fortify/cli/fod/actions/zip/aws-sast-report.yaml new file mode 100644 index 000000000..b98c5f814 --- /dev/null +++ b/fcli-core/fcli-fod/src/main/resources/com/fortify/cli/fod/actions/zip/aws-sast-report.yaml 
@@ -0,0 +1,107 @@
+# yaml-language-server: $schema=https://fortify.github.io/fcli/schemas/action/fcli-action-schema-dev.json
+
+author: Fortify
+usage:
+ header: Generate a AWS Security Hub SAST report listing FoD SAST vulnerabilities.
+ description: |
+ For information on how to create or update findings into AWS Security Hub, see
+ https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-update-types.html
+
+parameters:
+ - name: report-file
+ cliAliases: r
+ description: "Optional report output file name (or 'stdout' / 'stderr'). Default value: aws-fortify-report.json"
+ required: false
+ defaultValue: aws-fortify-report.json
+ - name: release
+ cliAliases: rel
+ description: "Required release id or :[:]"
+ type: release_single
+ - name: aws-region
+ description: 'Required AWS region. Default value: AWS_REGION environment variable.'
+ required: true
+ defaultValue: ${#env('AWS_REGION')}
+ - name: aws-account
+ description: 'Required AWS account id. Default value: AWS_ACCOUNT_ID environment variable.'
+ required: true
+ defaultValue: ${#env('AWS_ACCOUNT_ID')}
+
+defaults:
+ requestTarget: fod
+
+steps:
+ - progress: Loading static scan summary
+ - requests:
+ - name: staticScanSummary
+ uri: /api/v3/scans/${parameters.release.currentStaticScanId}/summary
+ if: ${parameters.release.currentStaticScanId!=null}
+ - progress: Processing issue data
+ - requests:
+ - name: issues
+ uri: /api/v3/releases/${parameters.release.releaseId}/vulnerabilities?limit=50
+ query:
+ filters: scantype:Static
+ pagingProgress:
+ postPageProcess: Processed ${totalIssueCount?:0} of ${issues_raw.totalCount} issues
+ forEach:
+ name: issue
+ embed:
+ - name: details
+ uri: /api/v3/releases/${parameters.release.releaseId}/vulnerabilities/${issue.vulnId}/details
+ - name: recommendations
+ uri: /api/v3/releases/${parameters.release.releaseId}/vulnerabilities/${issue.vulnId}/recommendations
+ do:
+ - append:
+ - name: vulnerabilities
+ valueTemplate: issues
+ - write:
+ - to: ${parameters['report-file']}
+ valueTemplate: report
+ - if: ${parameters.file!='stdout'}
+ to: stdout
+ value: |
+ Report written to ${parameters['report-file']}
+
+valueTemplates:
+ - name: report
+ contents:
+ issues: ${vulnerabilities?:{}}
+
+ - name: issues
+ contents:
+ SchemaVersion: 2018-10-08
+ Id: ${parameters.release.releaseId}-${issue.id}
+ ProductArn: "arn:aws:securityhub:${parameters['aws-region']}:${parameters['aws-account']}:product/${parameters['aws-account']}/default"
+ GeneratorId: "arn:aws:securityhub:${parameters['aws-region']}:${parameters['aws-account']}:product/${parameters['aws-account']}/default"
+ ProductName: 'Fortify SAST'
+ CompanyName: OpenText
+ Types: "[ 'Software and Configuration Checks/Vulnerabilities/CVE' ]"
+ CreatedAt: ${#formatDateTimewithZoneIdAsUTC("yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z'",parameters.release.staticScanDate?:'1970-01-01T00:00:00',parameters.release.serverZoneId)}
+ UpdatedAt: ${#formatDateTimewithZoneIdAsUTC("yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z'",parameters.release.staticScanSummary?.completedDateTime?:'1970-01-01T00:00:00',parameters.release.serverZoneId)}
+ severity:
+ Original: ${issue.severityString}
+ Normalized: ${{'Critical':10.0,'High':8.9,'Medium':6.9,'Low':3.9}.get(issue.severityString)}
+ Title: ${issue.category}
+ Description: ${#abbreviate(#htmlToText(issue.details?.summary), 510)}
+ Remediation:
+ Recommendation:
+ Text: ${#abbreviate(#htmlToText(issue.recommendations?.recommendations), 510)}
+ Url: ${#fod.issueBrowserUrl(issue)}
+ ProductFields:
+ Product Name: 'Fortify SAST'
+ 'aws/securityhub/CompanyName': OpenText
+ 'aws/securityhub/ProductName': 'Fortify SAST'
+ Resources:
+ Type: Application
+ Id: ${parameters.release.releaseId}-${issue.id}
+ Partition: aws
+ Region: ${parameters['aws-region']}
+ details:
+ Other:
+ APPLICATION: ${parameters.release.releaseId}
+ APPLICATION NAME: ${parameters.release.applicationName}
+ APPLICATION VERSION: ${parameters.release.releaseName}
+ PRIMARY LOCATION: ${issue.primaryLocationFull}
+ LINE NUMBER: ${issue.lineNumber}
+ INSTANCE ID: ${issue.instanceId}
+ RecordState: ACTIVE
\ No newline at end of file
diff --git a/fcli-core/fcli-ssc/src/main/resources/com/fortify/cli/ssc/actions/zip/aws-sast-report.yaml b/fcli-core/fcli-ssc/src/main/resources/com/fortify/cli/ssc/actions/zip/aws-sast-report.yaml
new file mode 100644
index 000000000..9074995c7
--- /dev/null
+++ b/fcli-core/fcli-ssc/src/main/resources/com/fortify/cli/ssc/actions/zip/aws-sast-report.yaml
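Review bot: The `- if: ${parameters.file!='stdout'}` guard on the second write step refers to a parameter this action does not declare — the output parameter here is `report-file` — so the condition is never false and "Report written to …" is also printed when the report itself goes to stdout; it should read `- if: ${parameters['report-file']!='stdout'}`. Separately, the `issues` value template does not match the ASFF shape Security Hub's BatchImportFindings accepts: `Resources` must be a list of resource objects rather than a single mapping, `Types` must be a list of strings rather than a quoted string containing brackets, the keys `severity`/`details` are `Severity`/`Details` in ASFF, the required `AwsAccountId` field is absent, and `Severity.Normalized` is an integer on a 0–100 scale (90–100 is Critical, so the 10.0 mapped here would be classified Low) rather than the CVSS-style values used; the SSC file in the next hunk has the same structure and needs the same changes. `SchemaVersion: 2018-10-08` is unquoted and parses as a date rather than the string ASFF expects, so quote it as `SchemaVersion: "2018-10-08"`. `UpdatedAt` reads `parameters.release.staticScanSummary?.completedDateTime`, but the summary is the result of the request named `staticScanSummary` and nothing in this hunk attaches it to the release object, so this presumably always falls through to the 1970 default and was meant to be `staticScanSummary?.completedDateTime` — worth confirming against how fcli exposes request results. The rewritten template section below shows the ASFF-conformant structure; the `Normalized` mapping in it is a constructed sample that should be set to whatever policy the team wants.
```yaml
  - name: issues
    contents:
      SchemaVersion: "2018-10-08"
      Id: ${parameters.release.releaseId}-${issue.id}
      # … unchanged: ProductArn, GeneratorId, ProductName, CompanyName …
      AwsAccountId: ${parameters['aws-account']}
      Types:
        - 'Software and Configuration Checks/Vulnerabilities/CVE'
      # … unchanged: CreatedAt, UpdatedAt …
      Severity:
        Original: ${issue.severityString}
        # ASFF Normalized is an integer 0-100 (90-100 Critical, 70-89 High, 40-69 Medium, 1-39 Low); sample mapping
        Normalized: ${{'Critical':90,'High':70,'Medium':40,'Low':1}.get(issue.severityString)}
      # … unchanged: Title, Description, Remediation, ProductFields …
      Resources:
        - Type: Application
          Id: ${parameters.release.releaseId}-${issue.id}
          Partition: aws
          Region: ${parameters['aws-region']}
          Details:
            Other:
              # … unchanged: APPLICATION … INSTANCE ID entries …
      RecordState: ACTIVE
```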
@@ -0,0 +1,125 @@
+# yaml-language-server: $schema=https://fortify.github.io/fcli/schemas/action/fcli-action-schema-dev.json
+
+author: Fortify
+usage:
+ header: Generate a GitHub Code Scanning report listing SSC SAST vulnerabilities.
+ description: |
+ For information on how to import this report into GitHub, see
+ https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github
+
+defaults:
+ requestTarget: ssc
+
+parameters:
+ - name: file
+ cliAliases: f
+ description: "Optional report output file name (or 'stdout' / 'stderr'). Default value: aws-fortify-report.json"
+ required: false
+ defaultValue: aws-fortify-report.json
+ - name: appversion
+ cliAliases: av
+ description: "Required application version id or :"
+ type: appversion_single
+ - name: filterset
+ cliAliases: fs
+ description: "Filter set name or guid from which to load issue data. Default value: Default filter set for given application version"
+ required: false
+ type: filterset
+ - name: page-size
+ description: "Number of vulnerabilities to retrieve at a time. Higher numbers may reduce time required to build the report, at the cost of increased memory usage (on both fcli and SSC), and could potentially negatively affect overall SSC performance or result in read time-outs (see --socket-timeout option on fcli ssc session login command). Default value: 100"
+ required: false
+ defaultValue: "100"
+ - name: aws-region
+ description: 'Required AWS region. Default value: AWS_REGION environment variable.'
+ required: true
+ defaultValue: ${#env('AWS_REGION')}
+ - name: aws-account
+ description: 'Required AWS account id. Default value: AWS_ACCOUNT_ID environment variable.'
+ required: true
+ defaultValue: ${#env('AWS_ACCOUNT_ID')}
+
+steps:
+ - progress: Loading latest static scan
+ - requests:
+ - name: artifacts
+ uri: /api/v1/projectVersions/${parameters.appversion.id}/artifacts
+ type: paged
+ query:
+ embed: scans
+ forEach:
+ name: artifact
+ breakIf: ${lastStaticScan!=null}
+ do:
+ - set:
+ - name: lastStaticScan
+ value: ${artifact._embed.scans?.^[type=='SCA']}
+ - progress: Processing issue data
+ - requests:
+ - name: issues
+ uri: /api/v1/projectVersions/${parameters.appversion.id}/issues
+ query:
+ filter: ISSUE[11111111-1111-1111-1111-111111111151]:SCA
+ filterset: ${parameters.filterset.guid}
+ limit: ${parameters['page-size']}
+ pagingProgress:
+ postPageProcess: Processed ${totalIssueCount?:0} of ${issues_raw.count} issues
+ forEach:
+ name: issue
+ embed:
+ - name: details
+ uri: /api/v1/issueDetails/${issue.id}
+ do:
+ - append:
+ - name: vulnerabilities
+ valueTemplate: issues
+ - write:
+ - to: ${parameters.file}
+ valueTemplate: aws-sast-report
+ - if: ${parameters.file!='stdout'}
+ to: stdout
+ value: |
+ Output written to ${parameters.file}
+
+valueTemplates:
+ - name: aws-sast-report
+ contents:
+ issues: ${vulnerabilities?:{}}
+
+ - name: issues
+ contents:
+ SchemaVersion: 2018-10-08
+ id: ${parameters.appversion.id}-${issue.id}
+ ProductArn: "arn:aws:securityhub:${parameters['aws-region']}:${parameters['aws-account']}:product/${parameters['aws-account']}/default"
+ GeneratorId: "arn:aws:securityhub:${parameters['aws-region']}:${parameters['aws-account']}:product/${parameters['aws-account']}/default"
+ ProductName: 'Fortify SAST'
+ CompanyName: OpenText
+ Types: "[ 'Software and Configuration Checks/Vulnerabilities/CVE' ]"
+ start_time: ${#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", lastStaticScan?.uploadDate?:'1970-01-01T00:00:00')}
+ end_time: ${#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", lastStaticScan?.uploadDate?:'1970-01-01T00:00:00')}
+ severity:
+ Original: ${issue.friority}
+ Normalized: ${{'Critical':10.0,'High':8.9,'Medium':6.9,'Low':3.9}.get(issue.friority)}
+ Title: ${issue.issueName}
+ Description: ${#abbreviate(#htmlToText(issue.details?.brief), 510)}
+ Remediation:
+ Recommendation:
+ Text: ${#abbreviate(#htmlToText(issue.details?.recommendation), 510)}
+ Url: ${#ssc.appversionBrowserUrl(parameters.appversion)}
+ ProductFields:
+ Product Name: 'Fortify SAST'
+ 'aws/securityhub/CompanyName': OpenText
+ 'aws/securityhub/ProductName': 'Fortify SAST'
+ Resources:
+ Type: Application
+ Id: ${parameters.appversion.id}-${issue.id}
+ Partition: aws
+ Region: ${parameters['aws-region']}
+ details:
+ Other:
+ APPLICATION: ${parameters.appversion.id}
+ APPLICATION NAME: ${parameters.appversion.project.name}
+ APPLICATION VERSION: ${parameters.appversion.name}
+ PRIMARY LOCATION: ${issue.fullFileName}
+ LINE NUMBER: ${issue.lineNumber}
+ INSTANCE ID: ${issue.issueInstanceId}
+ RecordState: ACTIVE
\ No newline at end of file
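Review bot: The `usage` block at the top of this file still describes the GitHub Code Scanning action ("Generate a GitHub Code Scanning report listing SSC SAST vulnerabilities." and the SARIF upload link), which is what the action's help output will show for this Security Hub integration; it should mirror the FoD file, e.g. `header: Generate an AWS Security Hub SAST report listing SSC SAST vulnerabilities.` with the Security Hub findings documentation link in `description`. In the `issues` value template, `id:` is lowercase where ASFF and the FoD counterpart use `Id`, and the timestamps are emitted as `start_time`/`end_time` instead of `CreatedAt`/`UpdatedAt`, both derived from the same `lastStaticScan?.uploadDate` and formatted without a time zone designator, whereas the FoD file uses `#formatDateTimewithZoneIdAsUTC` with a `'Z'` suffix; the two files should agree on field names and timestamp format. `Remediation.Recommendation.Url` points at the application version (`#ssc.appversionBrowserUrl(parameters.appversion)`) rather than the individual issue as the FoD file does with `#fod.issueBrowserUrl(issue)`; if fcli exposes an issue-level browser URL for SSC it would be the more useful link, though I cannot confirm from this diff that one exists.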