Refactoring actions and structure

Author: kevinalee-duplicate

.github/workflows/fod.yml

@@ -297,7 +297,7 @@ jobs:
         run: |
           fcli fod session login --url $FOD_API_URI --client-id $FOD_CLIENT_ID --client-secret $FOD_CLIENT_SECRET --fod-session github-actions
           fcli fod action run release-summary --release "${FOD_RELEASE}" --fod-session github-actions >> $GITHUB_STEP_SUMMARY
-          fcli fod action run etc/custom-check-policy.action --on-unsigned=ignore --release "${FOD_RELEASE}" --fod-session github-actions
+          fcli fod action run etc/actions/custom-check-policy.action --on-unsigned=ignore --release "${FOD_RELEASE}" --fod-session github-actions
           fcli fod session logout --fod-session github-actions
         continue-on-error: true # allow the workflow to continue even if this job fails
         env:

.gitignore

@@ -140,3 +140,6 @@ logs
 email-db.json
 iwa.db
 *.fpr
+junit.xml
+aviator_*
+.fortify

.gitlab-ci.yml

@@ -0,0 +1,200 @@
+#
+# An example GitLab CI/CD pipeline configuration file for a Python application yhat includes build, test, deploy and 
+#   - OpenText Application Security Core (FoD) SAST/DAST/SCA scans ... or
+#   - OpenText Application Security (ScanCentral) SAST/DAST scans
+#   - OpenText SCA Core (Debricked) ... or
+#   - Sonatype Lifecycle (Nexus IQ Server)
+#
+# This pipeline uses the Fortify fcli tool and GitLab CI/CD Components (https://gitlab.com/Fortify/components)
+#
+# If using OpenText Application Security Core (FoD) set the following variables in your GitLab project/organisation:
+#   - FOD_URL: Fortify on Demand URL (e.g., https://ams.fortify.com)
+#   - FOD_API_URL: Fortify API URL (e.g., https://api.ams.fortify.com)
+#   - FOD_CLIENT_ID: Fortify on Demand Client ID
+#   - FOD_CLIENT_SECRET: Fortify on Demand Client Secret
+#   - FOD_APP_NAME_POSTFIX: Optional postfix for the application name
+#
+# If using OpenText Application Security (ScanCentral) set the following variables in your GitLab project/organisation:
+#   - SSC_URL: Software Security Center URL (e.g. https://ssc.customer.fortifyhosted.net/)
+#   - SSC_TOKEN: Sofware Security Center CIToken
+#   - SC_SAST_TOKEN: ScanCentral SAST Client Authentication Token
+#   - SSC_APP_NAME_POSTFIX: Optional postfix for the application name
+#   - SCDAST_SETTINGS_ID: Optional ScanCentral DAST Settings Id for DAST scan to run
+#
+# If using Sonatype Lifecycle (Nexus IQ Server) set the following variables in your GitLab project/organisation:
+#   - NEXUS_IQ_URL: Nexus IQ Server URL
+#   - NEXUS_IQ_USERNAME: Nexus IQ Username
+#   - NEXUS_IQ_PASSWORD: Nexus IQ Password
+#
+# If using OpenText SCA Core (Debricked) set the following variables in your GitLab project/organisation:
+#   - DEBRICKED_TOKEN: Debricked Access Token
+#
+# These variables are used to control which jobs to run
+#
+
+
+spec:
+  inputs:
+    debug:
+      default: false
+      type: boolean
+    
+---
+
+image: node:20    # default image to use for the pipeline
+
+stages:
+  - build
+  - dockerize
+  - test
+  - deploy
+  - scan
+
+workflow:
+  rules:
+    # Only run the pipeline for merge requests and pushes to branches (not both when a merge request is open)
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: $CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS
+      when: never
+    - if: $CI_COMMIT_BRANCH
+
+variables:
+  DEFAULT_APP_NAME: "InsecureRestAPI"
+  DEFAULT_PARENT_RELEASE_NAME: "main"
+  DEFAULT_PARENT_APPVERSION_NAME: "main"
+  DEFAULT_RELEASE_NAME: "${CI_COMMIT_BRANCH}"
+  DEFAULT_APPVERSION_NAME: "${CI_COMMIT_BRANCH}"
+  DEFAULT_SONATYPE_IQ_APPLICATION_ID: "insecurerestapi"
+  IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA
+
+# use a cache for Python .venv and deps
+cache:
+  key: ${CI_COMMIT_REF_SLUG}
+  paths:
+    - node_modules
+
+# include CI/CD components and jobs depending on what we want to run
+# there are lots of conditional includes based on CI/CD variables to ensure only jobs required are run
+include:
+  # include fortify jobs
+  - component: $CI_SERVER_FQDN/Fortify/components/fcli/linux@main
+    inputs:
+      stage: scan                # Stage in which to run the fcli commands
+  - component: $CI_SERVER_FQDN/Fortify/components/ast-scan/linux@main
+    inputs:
+      job-name: fortify-sast-scan # Optional job name used for running the AST scan, defaults to 'fortify-ast-scan'
+      stage: scan                 # Stage in which to run the AST scan, defaults to 'test'
+    rules:
+      - if: ( $SSC_URL != null || $SSC_URL =~ /^./ )
+      - if: ( $FOD_URL != null || $FOD_URL =~ /^./ )
+  # include Sonatype Nexus IQ jobs if NEXUS_IQ_URL is defined
+  - component: $CI_SERVER_FQDN/sonatype-integrations/components/evaluate-sbom@main
+    inputs:
+      application-id: $DEFAULT_SONATYPE_IQ_APPLICATION_ID
+      scan-targets:
+        - package-lock.json
+      result-file: evaluation-result.json
+      report-name: evaluation-report.html
+      sbom-standard: cycloneDx
+      sbom-version: "1.5"
+      ignore-system-errors: true
+    rules:
+      - if: ( $NEXUS_IQ_URL != null || $NEXUS_IQ_URL =~ /^./ )
+  # include Debricked jobs if $DEBRICKED_TOKEN is defined
+  - local: etc/gitlab-debricked.yml 
+    rules:
+      - if: ( $DEBRICKED_TOKEN != null || $DEBRICKED_TOKEN =~ /^./ )
+  # include FoD jobs is $FOD_URL is defined
+  - local: etc/gitlab-fod.yml
+    rules:
+      - if: ( $FOD_URL != null || $FOD_URL =~ /^./ )
+  # include ScanCentral jobs if $SSC_URL is defined
+  - local: etc/gitlab-scancentral.yml 
+    rules:
+      - if: ( $SSC_URL != null || $SSC_URL =~ /^./ )
+
+      
+# Set fcli job to "never run" as it will be extended by other jobs included
+fcli:
+  stage: scan
+  rules:
+    - when: never
+
+
+# This is a sample job to build the application. You can replace it with your actual build job.
+npm-build:
+  stage: build
+  before_script:
+    - npm i
+  script:
+    - echo "Building the application..."
+    - npm run swagger
+    - npm run build
+  artifacts:
+    paths:
+      - dist
+
+# This is a sample job to test a Node application using jest. You can replace it with your actual test job.
+npm-test:
+  stage: test
+  before_script:
+    - npm i
+  script:
+    - echo "Testing the application..."
+    - npm run test
+  artifacts:
+    when: always
+    reports:
+      junit:
+        - junit.xml
+
+# This is a sample job to build the application into a Docker image and push it to the GitLab Container Registry
+docker-build:
+  stage: dockerize
+  image: docker:latest
+  dependencies:
+    - npm-build
+  services:
+    - docker:dind
+  before_script:
+    - echo $CI_JOB_TOKEN | docker login -u gitlab-ci-token --password-stdin $CI_REGISTRY
+    - echo $IMAGE_TAG
+  script:
+    - docker build -t $IMAGE_TAG .
+    - docker push $IMAGE_TAG
+  rules:
+    - if: $CI_COMMIT_BRANCH == "main"
+
+# This job runs Sonatype Nexus IQ evaluation on the Docker image built in the docker-build job.
+sonatype-docker-scan:
+  stage: test
+  image: docker:latest
+  services:
+    - docker:dind
+  needs: 
+  - job: docker-build
+  before_script:
+    - echo $CI_JOB_TOKEN | docker login -u gitlab-ci-token --password-stdin $CI_REGISTRY
+    - echo $IMAGE_TAG
+    - docker pull $IMAGE_TAG
+    - export NEXUS_CONTAINER_IMAGE_REGISTRY_USER=gitlab-ci-token
+    - export NEXUS_CONTAINER_IMAGE_REGISTRY_PASSWORD=$CI_JOB_TOKEN
+    - export NEXUS_CONTAINER_INCLUDE_ONLY_OS_COMPONENTS=true
+  script:
+    - |
+      docker run -v /tmp:/tmp -v $CI_PROJECT_DIR:/sonatype/reports -v /var/run/docker.sock:/var/run/docker.sock \
+      -e NEXUS_IQ_URL -e NEXUS_IQ_USERNAME -e NEXUS_IQ_PASSWORD -e NEXUS_CONTAINER_IMAGE_REGISTRY_USER -e NEXUS_CONTAINER_IMAGE_REGISTRY_PASSWORD \
+      sonatype/gitlab-nexus-iq-pipeline:latest /sonatype/evaluate -i $DEFAULT_SONATYPE_IQ_APPLICATION_ID -t stage-release container:$IMAGE_TAG
+  artifacts:
+    paths:
+      - $CI_PROJECT_DIR/$CI_PROJECT_NAME-policy-eval-report.html
+  rules:
+    - if: $CI_COMMIT_BRANCH == "main"
+
+# This is a sample job to deploy the application. You can replace it with your actual deploy job.
+deploy:
+  stage: deploy
+  script:
+    - echo "Deploying the application..."
+  rules:
+  - if: $CI_COMMIT_BRANCH == "main"

.sonatype-config

@@ -0,0 +1,4 @@
+iq-for-vscode:
+  applicationId: insecurerestapi
+  includeDev: false
+  type: ['npm']

Makefile

@@ -98,5 +98,5 @@ sca-scan: ## run OpenText software composition analysis
 
 .PHONY: nexus-iq-scan
 nexus-iq-scan: ## run Sonatype Nexus IQ software composition analysis
-	@echo "Running Sonatype Nexusi IQ software composition analysis..."
+	@echo "Running Sonatype Nexus IQ software composition analysis..."
 	nexus-iq-cli -i $(PROJECT_LOWER) -s $(NEXUS_IQ_URL) -a "$(NEXUS_IQ_USERNAME):$(NEXUS_IQ_PASSWORD)" package-lock.json

README.md

@@ -1,5 +1,3 @@
-[![Fortify Security Scan](https://github.com/fortify-presales/InsecureRestAPI/actions/workflows/fod.yml/badge.svg)](https://github.com/fortify-presales/InsecureRestAPI/actions/workflows/fod.yml) [![Debricked](https://github.com/kadraman/InsecureRestAPI/actions/workflows/debricked.yml/badge.svg)](https://github.com/kadraman/InsecureRestAPI/actions/workflows/debricked.yml)
-
 # InsecureRestAPI
 
 _InsecureRestAPI_ is a simple NodeJS/Express/MongoFB REST API that can be used for the demonstration of Application Security testing tools - such as [OpenText Application Security](https://www.opentext.com/products/application-security).
@@ -8,8 +6,7 @@ Pre-requisities
 ---------------
 
  - [Node.js 20 or later](https://nodejs.org/en/download)
- - [CygWin](https://www.cygwin.com/) - if running on Windows
- - [MongoDB](https://www.mongodb.com/) Community Edition (optional as a version is embedded for testing)
+ - [MongoDB](https://www.mongodb.com/) Community Edition (optional as an embedded version will be downloaded for testing)
  - Docker installation (optional)
 
 Run Application (locally)
@@ -19,8 +16,9 @@ You can the run the application locally using the following:
 
 
 ```
+npm install
 npm install -g ts-node-dev
-make run
+npm run dev
 ```
 
 The API should then be available at the URL `http://localhost:5000`. If it fails to start,
@@ -32,7 +30,7 @@ Run Application (as Docker container)
 You also can build a Docker image for the application using the following:
 
 ```
-make build
+npm run build
 docker build -t demoapi:latest .
 ```
 

babel.config.js

@@ -0,0 +1,6 @@
+module.exports = {
+  presets: [
+    ['@babel/preset-env', {targets: {node: 'current'}}],
+    '@babel/preset-typescript',
+  ],
+};

bin/cleanup.ps1

@@ -0,0 +1,19 @@
+
+# Import local environment specific settings
+$EnvSettings = $(ConvertFrom-StringData -StringData (Get-Content ".\.env" | Where-Object {-not ($_.StartsWith('#'))} | Out-String))
+$AppName = $EnvSettings['SSC_APP_NAME']
+
+Write-Host "Removing files..."
+Remove-Item -Force -Recurse ".fortify" -ErrorAction SilentlyContinue
+Remove-Item "$($AppName)*.fpr" -ErrorAction SilentlyContinue
+Remove-Item "$($AppName)*.pdf" -ErrorAction SilentlyContinue
+Remove-Item "fod.zip" -ErrorAction SilentlyContinue
+Remove-Item "*Package.zip" -ErrorAction SilentlyContinue
+Remove-Item "fortifypackage.zip" -ErrorAction SilentlyContinue
+Remove-Item -Force -Recurse ".debricked" -ErrorAction SilentlyContinue
+Remove-Item -Force -Recurse "dist" -ErrorAction SilentlyContinue
+Remove-Item -Force -Recurse "logs" -ErrorAction SilentlyContinue
+Remove-Item "*.lock" -ErrorAction SilentlyContinue
+Remove-Item "*.log" -ErrorAction SilentlyContinue
+
+Write-Host "Done."

bin/sast-scan.ps1

@@ -0,0 +1,54 @@
+#
+# Example script to perform Fortify Static Code Analysis
+#
+
+# Parameters
+param (
+    [Parameter(Mandatory=$false)]
+    [ValidateSet('classic','security','devops')]
+    [string]$ScanPolicy = "classic",
+    [Parameter(Mandatory=$false)]
+    [switch]$CreatePDF,
+    [Parameter(Mandatory=$false)]
+    [switch]$UploadToSSC
+)
+
+# Import local environment specific settings
+$EnvSettings = $(ConvertFrom-StringData -StringData (Get-Content ".\.env" | Where-Object {-not ($_.StartsWith('#'))} | Out-String))
+$AppName = $EnvSettings['SSC_APP_NAME']
+$AppVersion = $EnvSettings['SSC_APP_VER_NAME']
+$SSCUrl = $EnvSettings['SSC_URL']
+$SSCAuthToken = $EnvSettings['SSC_AUTH_TOKEN'] # AnalysisUploadToken or CIToken
+$JVMArgs = "-Xss256M"
+#$ScanSwitches = "-Dcom.fortify.sca.rules.enable_wi_correlation=true"
+$ScanSwitches = "-Dcom.fortify.sca.ProjectRoot=.fortify"
+
+if ([string]::IsNullOrEmpty($AppName)) { throw "Application Name has not been set in '.env'" }
+if ([string]::IsNullOrEmpty($AppVersion)) { throw "Application Version has not been set in '.env'" }
+
+# Run the translation and scan
+
+Write-Host Running translation...
+& sourceanalyzer $JVMArgs $ScanSwitches -b "$AppName" .
+
+Write-Host Running scan...
+& sourceanalyzer '-Dcom.fortify.sca.ProjectRoot=.fortify' $JVMArgs $ScanSwitches -b "$AppName" `
+    -verbose -scan-policy $ScanPolicy `
+    -rules etc/sast-custom-rules/example-custom-rules.xml -filter etc/sast-filters/example-filter.txt `
+    -build-project "$AppName" -build-version "$AppVersion" -build-label "SNAPSHOT" `
+    -scan -f "$($AppName).fpr"
+
+# summarise issue count by analyzer
+& FPRUtility -information -analyzerIssueCounts -project "$($AppName).fpr"
+
+if ($CreatePDF) {
+    Write-Host Generating PDF report...
+    & ReportGenerator '-Dcom.fortify.sca.ProjectRoot=.fortify' -user "Demo User" -format pdf -f "$($AppName).pdf" -source "$($AppName).fpr"
+}
+
+if ($UploadToSSC) {
+    Write-Host Uploading results to SSC...
+    & fortifyclient uploadFPR -file "$($AppName).fpr" -url $SSCUrl -authtoken $SSCAuthToken -application $AppName -applicationVersion $AppVersion
+}
+
+Write-Host Done.

bin/sast-scan.sh

@@ -36,7 +36,7 @@ source .env
 AppName=$SSC_APP_NAME
 AppVersion=$SSC_APP_VER_NAME
 SSCUrl=$SSC_URL
-SSCAuthToken=$SSC_AUTH_TOKEN # AnalysisUploadToken
+SSCAuthToken=$SSC_AUTH_TOKEN # AnalysisUploadToken or CIToken
 JVMArgs="-Xss256M"
 ScanSwitches="-Dcom.fortify.sca.ProjectRoot=.fortify"
 
@@ -53,7 +53,7 @@ echo Running translation...
 sourceanalyzer $ScanSwitches $JVMArgs -b "$AppName" .
 
 echo Running scan...
-sourceanalyzer $ScanSwitches $JVMArgs -b "$AppName" -debug -verbose \
+sourceanalyzer $ScanSwitches $JVMArgs -b "$AppName" -verbose \
     -scan-policy $ScanPolicy -build-project "$AppName" -build-version "$AppVersion" -build-label "SNAPSHOT" \
     -scan -f "${AppName}.fpr"