feat: AWS Security Hub Integration

fcli-core/fcli-fod/src/main/resources/com/fortify/cli/fod/actions/zip/aws-sast-report.yaml

@@ -0,0 +1,107 @@
+# yaml-language-server: $schema=https://fortify.github.io/fcli/schemas/action/fcli-action-schema-dev.json
+
+author: Fortify
+usage:
+  header: Generate a AWS Security Hub SAST report listing FoD SAST vulnerabilities. 
+  description: |
+    For information on how to create or update findings into AWS Security Hub, see 
+    https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-update-types.html
+
+parameters:
+  - name: report-file
+    cliAliases: r
+    description: "Optional report output file name (or 'stdout' / 'stderr'). Default value: aws-fortify-report.json"
+    required: false
+    defaultValue: aws-fortify-report.json
+  - name: release
+    cliAliases: rel
+    description: "Required release id or <appName>:[<microserviceName>:]<releaseName>"
+    type: release_single
+  - name: aws-region
+    description: 'Required AWS region. Default value: AWS_REGION environment variable.'
+    required: true
+    defaultValue: ${#env('AWS_REGION')}    
+  - name: aws-account
+    description: 'Required AWS account id. Default value: AWS_ACCOUNT_ID environment variable.'
+    required: true
+    defaultValue: ${#env('AWS_ACCOUNT_ID')}
+
+defaults:
+  requestTarget: fod
+
+steps:
+  - progress: Loading static scan summary
+  - requests:
+      - name: staticScanSummary
+        uri:  /api/v3/scans/${parameters.release.currentStaticScanId}/summary
+        if:   ${parameters.release.currentStaticScanId!=null}
+  - progress: Processing issue data
+  - requests:
+    - name: issues
+      uri: /api/v3/releases/${parameters.release.releaseId}/vulnerabilities?limit=50
+      query:
+        filters: scantype:Static
+      pagingProgress:
+        postPageProcess: Processed ${totalIssueCount?:0} of ${issues_raw.totalCount} issues
+      forEach:
+        name: issue
+        embed:
+          - name: details
+            uri: /api/v3/releases/${parameters.release.releaseId}/vulnerabilities/${issue.vulnId}/details
+          - name: recommendations
+            uri: /api/v3/releases/${parameters.release.releaseId}/vulnerabilities/${issue.vulnId}/recommendations
+        do:
+          - append:
+            - name: vulnerabilities
+              valueTemplate: issues
+  - write:
+    - to: ${parameters['report-file']}
+      valueTemplate: report
+    - if: ${parameters.file!='stdout'}
+      to: stdout
+      value: |
+        Report written to ${parameters['report-file']}
+
+valueTemplates:
+  - name: report
+    contents:
+      issues: ${vulnerabilities?:{}} 
+
+  - name: issues
+    contents:
+      SchemaVersion: 2018-10-08
+      Id: ${parameters.release.releaseId}-${issue.id}
+      ProductArn: "arn:aws:securityhub:${parameters['aws-region']}:${parameters['aws-account']}:product/${parameters['aws-account']}/default"
+      GeneratorId: "arn:aws:securityhub:${parameters['aws-region']}:${parameters['aws-account']}:product/${parameters['aws-account']}/default"
+      ProductName: 'Fortify SAST'
+      CompanyName: OpenText
+      Types: "[ 'Software and Configuration Checks/Vulnerabilities/CVE' ]"
+      CreatedAt: ${#formatDateTimewithZoneIdAsUTC("yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z'",parameters.release.staticScanDate?:'1970-01-01T00:00:00',parameters.release.serverZoneId)}
+      UpdatedAt: ${#formatDateTimewithZoneIdAsUTC("yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z'",parameters.release.staticScanSummary?.completedDateTime?:'1970-01-01T00:00:00',parameters.release.serverZoneId)}
+      severity: 
+        Original: ${issue.severityString}
+        Normalized: ${{'Critical':10.0,'High':8.9,'Medium':6.9,'Low':3.9}.get(issue.severityString)}
+      Title: ${issue.category}
+      Description: ${#abbreviate(#htmlToText(issue.details?.summary), 510)}
+      Remediation:
+        Recommendation:
+          Text: ${#abbreviate(#htmlToText(issue.recommendations?.recommendations), 510)}
+          Url: ${#fod.issueBrowserUrl(issue)}
+      ProductFields:
+        Product Name: 'Fortify SAST'
+        'aws/securityhub/CompanyName': OpenText
+        'aws/securityhub/ProductName': 'Fortify SAST'
+      Resources:
+        Type: Application
+        Id: ${parameters.release.releaseId}-${issue.id}
+        Partition: aws
+        Region: ${parameters['aws-region']}
+        details:
+          Other:
+            APPLICATION: ${parameters.release.releaseId}
+            APPLICATION NAME: ${parameters.release.applicationName}
+            APPLICATION VERSION: ${parameters.release.releaseName}
+            PRIMARY LOCATION: ${issue.primaryLocationFull}
+            LINE NUMBER: ${issue.lineNumber}
+            INSTANCE ID: ${issue.instanceId}
+      RecordState: ACTIVE

fcli-core/fcli-ssc/src/main/resources/com/fortify/cli/ssc/actions/zip/aws-sast-report.yaml

@@ -0,0 +1,125 @@
+# yaml-language-server: $schema=https://fortify.github.io/fcli/schemas/action/fcli-action-schema-dev.json
+
+author: Fortify
+usage:
+  header: Generate a GitHub Code Scanning report listing SSC SAST vulnerabilities.  
+  description: |
+    For information on how to import this report into GitHub, see 
+    https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github
+
+defaults:
+  requestTarget: ssc
+
+parameters:
+  - name: file
+    cliAliases: f
+    description: "Optional report output file name (or 'stdout' / 'stderr'). Default value: aws-fortify-report.json"
+    required: false
+    defaultValue: aws-fortify-report.json
+  - name: appversion
+    cliAliases: av
+    description: "Required application version id or <appName>:<versionName>"
+    type: appversion_single
+  - name: filterset
+    cliAliases: fs
+    description: "Filter set name or guid from which to load issue data. Default value: Default filter set for given application version"
+    required: false
+    type: filterset    
+  - name: page-size
+    description: "Number of vulnerabilities to retrieve at a time. Higher numbers may reduce time required to build the report, at the cost of increased memory usage (on both fcli and SSC), and could potentially negatively affect overall SSC performance or result in read time-outs (see --socket-timeout option on fcli ssc session login command). Default value: 100"
+    required: false
+    defaultValue: "100"    
+  - name: aws-region
+    description: 'Required AWS region. Default value: AWS_REGION environment variable.'
+    required: true
+    defaultValue: ${#env('AWS_REGION')}    
+  - name: aws-account
+    description: 'Required AWS account id. Default value: AWS_ACCOUNT_ID environment variable.'
+    required: true
+    defaultValue: ${#env('AWS_ACCOUNT_ID')}
+
+steps:
+  - progress: Loading latest static scan
+  - requests:
+    - name: artifacts
+      uri:  /api/v1/projectVersions/${parameters.appversion.id}/artifacts
+      type: paged
+      query:
+        embed: scans
+      forEach:
+        name: artifact
+        breakIf: ${lastStaticScan!=null}
+        do:
+          - set:
+            - name: lastStaticScan
+              value: ${artifact._embed.scans?.^[type=='SCA']}
+  - progress: Processing issue data
+  - requests:
+    - name: issues
+      uri: /api/v1/projectVersions/${parameters.appversion.id}/issues
+      query:
+        filter: ISSUE[11111111-1111-1111-1111-111111111151]:SCA
+        filterset: ${parameters.filterset.guid}
+        limit: ${parameters['page-size']}
+      pagingProgress:
+        postPageProcess: Processed ${totalIssueCount?:0} of ${issues_raw.count} issues
+      forEach:
+        name: issue
+        embed:
+          - name: details
+            uri: /api/v1/issueDetails/${issue.id}
+        do:
+          - append:
+            - name: vulnerabilities
+              valueTemplate: issues
+  - write:
+    - to: ${parameters.file}
+      valueTemplate: aws-sast-report
+    - if: ${parameters.file!='stdout'}
+      to: stdout
+      value: |
+        Output written to ${parameters.file}
+
+valueTemplates:
+  - name: aws-sast-report
+    contents:
+      issues: ${vulnerabilities?:{}}
+
+  - name: issues
+    contents:
+      SchemaVersion: 2018-10-08
+      id: ${parameters.appversion.id}-${issue.id}
+      ProductArn: "arn:aws:securityhub:${parameters['aws-region']}:${parameters['aws-account']}:product/${parameters['aws-account']}/default"
+      GeneratorId: "arn:aws:securityhub:${parameters['aws-region']}:${parameters['aws-account']}:product/${parameters['aws-account']}/default"
+      ProductName: 'Fortify SAST'
+      CompanyName: OpenText
+      Types: "[ 'Software and Configuration Checks/Vulnerabilities/CVE' ]"
+      start_time: ${#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", lastStaticScan?.uploadDate?:'1970-01-01T00:00:00')}
+      end_time: ${#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", lastStaticScan?.uploadDate?:'1970-01-01T00:00:00')}
+      severity: 
+        Original: ${issue.friority}
+        Normalized: ${{'Critical':10.0,'High':8.9,'Medium':6.9,'Low':3.9}.get(issue.friority)}
+      Title: ${issue.issueName}
+      Description: ${#abbreviate(#htmlToText(issue.details?.brief), 510)}
+      Remediation:
+        Recommendation:
+          Text: ${#abbreviate(#htmlToText(issue.details?.recommendation), 510)}
+          Url: ${#ssc.appversionBrowserUrl(parameters.appversion)}
+      ProductFields:
+        Product Name: 'Fortify SAST'
+        'aws/securityhub/CompanyName': OpenText
+        'aws/securityhub/ProductName': 'Fortify SAST'
+      Resources:
+        Type: Application
+        Id: ${parameters.appversion.id}-${issue.id}
+        Partition: aws
+        Region: ${parameters['aws-region']}
+        details:
+          Other:
+            APPLICATION: ${parameters.appversion.id}
+            APPLICATION NAME: ${parameters.appversion.project.name}
+            APPLICATION VERSION: ${parameters.appversion.name}
+            PRIMARY LOCATION:  ${issue.fullFileName}
+            LINE NUMBER: ${issue.lineNumber}
+            INSTANCE ID: ${issue.issueInstanceId}
+      RecordState: ACTIVE