GitLab updates

.gitlab-ci.yml

@@ -1,34 +1,51 @@
+# Comment/Uncomment the below depending on whether you are using Fortify on Demand
+# or ScanCentral SAST/DAST. 
 include:
-  - local: '/devops-integrations/gitlab/debricked-sca.yml'
-  - local: '/devops-integrations/gitlab/fortify-sast-scancentral.yml'
-  - local: '/devops-integrations/gitlab/fortify-dast-scancentral.yml'
-  #- local: '/devops-integrations/gitlab/fortify-sast-fod.yml'
-
+  #- local: '/devops-integrations/gitlab/debricked-sca.yml'
+  #- local: '/devops-integrations/gitlab/fortify-sca.yml'
+  #- local: '/devops-integrations/gitlab/fortify-sast-scancentral.yml'
+  #- local: '/devops-integrations/gitlab/fortify-dast-api-scancentral.yml'
+  #- local: '/devops-integrations/gitlab/fortify-dast-web-scancentral.yml'
+  - local: '/devops-integrations/gitlab/fortify-sast-fod.yml'
+  - local: '/devops-integrations/gitlab/fortify-dast-fod.yml'
+  #- local: '/devops-integrations/gitlab/fortify-ssc-gate.yml'
+  - local: '/devops-integrations/gitlab/fortify-fod-gate.yml'
+
 stages:
   - build
   - deploy
   - test
+  - dast
+  - report
 
 build:
   stage: build
-  image: maven:3.8.6-eclipse-temurin-8
+  image: maven:3.9-eclipse-temurin-11
 
-  script: 
+  script:
     - echo Building project...
-    - mvn -Pjar clean package
+    - mvn -Dskip.unit.tests=false -DfailIfNoTests=false -Dtest="*,!PasswordConstraintValidatorTest,!UserServiceTest,!DefaultControllerTest" -P jar -B verify package --file pom.xml
     - mvn dependency:tree
         -DoutputFile=.debricked-maven-dependencies.tgf
         -DoutputType=tgf
-  when: manual
+  #when: manual
   artifacts:
     paths:
-    - .debricked-maven-dependencies.tgf
-    - /
+      - .debricked-maven-dependencies.tgf
+      - target/surefire-reports/TEST-*.xml
     expire_in: 3 days
-    when: on_success
+    reports:
+      junit: target/surefire-reports/TEST-*.xml
+    when: always
 
 deploy:
   stage: deploy
   needs: [build]
   script:
     - echo 'Simulating deployment of application...'
+
+functional-test:
+  stage: test
+  needs: [deploy]
+  script:
+    - echo 'Simulating functional test of application...'

devops-integrations/gitlab/debricked-sca.yml

@@ -1,13 +1,17 @@
 # Integrate Debricked software composition analysis into your Gitlab CICD pipeline
-# The following Gitlab environment variables must be defined before using this job
+# The following Gitab environment variables must be defined before using this job
 #   - $DEBRICKED_TOKEN
+#   - $DEBRICKED_REPO
 
-debricked-sca:
+debricked-scan:
+  image: maven:3.9-eclipse-temurin-11
   stage: test
-  script: 
-    - curl -L https://github.com/debricked/cli/releases/download/release-v2/cli_linux_x86_64.tar.gz | tar -xz debricked
-    - ./debricked scan 
   needs: [build]
   variables:
-    DEBRICKED_TOKEN: $DEBRICKED_TOKEN
+    DEBRICKED_TOKEN: $DEBRICKED_TOKEN 
+    DEBRICKED_EXCLUSIONS: "*.lock,*.json,*fingerprints*,target/**,samples/**"
+  script: 
+    - curl -L https://github.com/debricked/cli/releases/download/release-v2/cli_linux_x86_64.tar.gz | tar -xz debricked
+    - chmod +x debricked
+    - ./debricked scan --callgraph --prefer-npm -r "${DEBRICKED_REPO}" --access-token="${DEBRICKED_TOKEN}" . 
   allow_failure: true

devops-integrations/gitlab/fortify-dast-api-scancentral.yml

@@ -0,0 +1,40 @@
+# Integrate Fortify ScanCentral Dynamic AppSec Testing (DAST) into your Gitlab CICD pipeline
+# The following Gitlab environment variables must be defined before using this job
+#   - $_FCLI_DEFAULT_SSC_URL
+#   - $_FCLI_DEFAULT_SSC_USER
+#   - $_FCLI_DEFAULT_SSC_PASSWORD
+#   - $SSC_APP_VERSION_ID
+#   - $SC_DAST_API_SETTINGS
+
+fortify-dast-api:
+  image: fortifydocker/fortify-ci-tools:5.5.0-jdk-17
+  stage: test
+  needs: [deploy]
+  only:
+    variables:
+      - $CI_COMMIT_BRANCH == "main"
+  variables:
+    FCLI_DEFAULT_SSC_USER: $_FCLI_DEFAULT_SSC_USER
+    FCLI_DEFAULT_SSC_PASSWORD: $_FCLI_DEFAULT_SSC_PASSWORD
+    FCLI_DEFAULT_SSC_CI_TOKEN: $_FCLI_DEFAULT_SSC_CI_TOKEN
+    FCLI_DEFAULT_SSC_URL: $_FCLI_DEFAULT_SSC_URL
+    SC_DAST_API_SETTINGS: $SC_DAST_API_SETTINGS
+    SC_DAST_SCAN_NAME: "GitLab-Pipelines-API-Scan"
+  script:
+    - fcli ssc session login 
+    - fcli sc-dast session login
+
+    - fcli sc-dast scan start --name "$SC_DAST_SCAN_NAME" --settings $SC_DAST_API_SETTINGS --store=Id
+    - 'fcli sc-dast scan wait-for ::Id:: --interval=30s'
+
+    - fcli ssc issue count --appversion=$SSC_APP_VERSION_ID
+    - fcli ssc action run gitlab-dast-report --appversion=$SSC_APP_VERSION_ID --page-size=1000
+
+    - fcli sc-dast session logout
+    - fcli ssc session logout
+  allow_failure: true
+  artifacts:
+    reports:
+      dast: gl-fortify-dast.json
+    expire_in: 3 days
+    when: always

devops-integrations/gitlab/fortify-dast-fod.yml

@@ -0,0 +1,39 @@
+# Integrate Fortify on Demand Dynamic AppSec Testing (DAST) into your Gitlab CICD pipeline
+# The following Gitlab environment variables must be defined before using this job
+#   - $_FOD_RELEASE_ID
+#   - $_FCLI_DEFAULT_FOD_USER
+#   - $_FCLI_DEFAULT_FOD_PASSWORD
+#   - $_FCLI_DEFAULT_FOD_TENANT
+#   - $_FCLI_DEFAULT_FOD_URL
+# Note: this assumes the FoD Release has already been configured for a DAST Automated Website scan
+
+fortify-dast:
+  image: fortifydocker/fortify-ci-tools:5.5.0-jdk-17
+  stage: test
+  needs: [deploy]
+  only:
+    variables:
+      - $CI_COMMIT_BRANCH == "main"
+  variables:
+    FCLI_DEFAULT_FOD_USER: $_FCLI_DEFAULT_FOD_USER
+    FCLI_DEFAULT_FOD_PASSWORD: $_FCLI_DEFAULT_FOD_PASSWORD
+    FCLI_DEFAULT_FOD_TENANT: $_FCLI_DEFAULT_FOD_TENANT
+    FCLI_DEFAULT_FOD_URL: $_FCLI_DEFAULT_FOD_URL
+    FOD_RELEASE_ID: $_FOD_RELEASE_ID
+    FOD_NOTES: "Triggered by Gitlab Pipeline IID $CI_PIPELINE_IID: $CI_PIPELINE_URL"
+  script:
+    - fcli fod session login
+
+    - fcli fod dast start --release=$FOD_RELEASE_ID --store=Id
+    - 'fcli fod dast wait-for ::Id:: --interval=30s'
+
+    - 'fcli fod issue list --release=$FOD_RELEASE_ID --filters-param "scanType:Dynamic+severty:Critical|High"'
+    - fcli fod action run gitlab-dast-report --release=$FOD_RELEASE_ID
+
+    - fcli fod session logout
+  allow_failure: true
+  artifacts:
+    reports:
+      dast: gl-fortify-dast.json
+    expire_in: 3 days
+    when: always

devops-integrations/gitlab/fortify-dast-web-scancentral.yml

@@ -0,0 +1,40 @@
+# Integrate Fortify ScanCentral Dynamic AppSec Testing (DAST) into your Gitlab CICD pipeline
+# The following Gitlab environment variables must be defined before using this job
+#   - $_FCLI_DEFAULT_SSC_URL
+#   - $_FCLI_DEFAULT_SSC_USER
+#   - $_FCLI_DEFAULT_SSC_PASSWORD
+#   - $SSC_APP_VERSION_ID
+#   - $SC_DAST_WEB_SETTINGS
+
+fortify-dast-web:
+  image: fortifydocker/fortify-ci-tools:5.5.0-jdk-17
+  stage: test
+  needs: [deploy]
+  only:
+    variables:
+      - $CI_COMMIT_BRANCH == "main"
+  variables:
+    FCLI_DEFAULT_SSC_USER: $_FCLI_DEFAULT_SSC_USER
+    FCLI_DEFAULT_SSC_PASSWORD: $_FCLI_DEFAULT_SSC_PASSWORD
+    FCLI_DEFAULT_SSC_CI_TOKEN: $_FCLI_DEFAULT_SSC_CI_TOKEN
+    FCLI_DEFAULT_SSC_URL: $_FCLI_DEFAULT_SSC_URL
+    SC_DAST_WEB_SETTINGS: $SC_DAST_WEB_SETTINGS
+    SC_DAST_SCAN_NAME: "GitLab-Pipelines-Web-Scan"
+  script:
+    - fcli ssc session login 
+    - fcli sc-dast session login
+
+    - fcli sc-dast scan start --name "$SC_DAST_SCAN_NAME" --settings $SC_DAST_WEB_SETTINGS --store=Id
+    - 'fcli sc-dast scan wait-for ::Id:: --interval=30s'
+
+    - fcli ssc issue count --appversion=$SSC_APP_VERSION_ID
+    - fcli ssc action run gitlab-dast-report --appversion=$SSC_APP_VERSION_ID --page-size=1000
+
+    - fcli sc-dast session logout
+    - fcli ssc session logout
+  allow_failure: true
+  artifacts:
+    reports:
+      dast: gl-fortify-dast.json
+    expire_in: 3 days
+    when: always

devops-integrations/gitlab/fortify-fod-gate.yml

@@ -0,0 +1,25 @@
+# Integrate Fortify on Demand Static Security Gate into your Gitlab CICD pipeline
+# The following Gitlab environment variables must be defined before using this job
+#   - $_FOD_RELEASE_ID
+#   - $_FCLI_DEFAULT_FOD_USER
+#   - $_FCLI_DEFAULT_FOD_PASSWORD
+#   - $_FCLI_DEFAULT_FOD_TENANT
+#   - $_FCLI_DEFAULT_FOD_URL
+
+fortify-security-gate:
+  image: fortifydocker/fortify-ci-tools:5.5.0-jdk-17
+  stage: report
+  variables:
+    FCLI_DEFAULT_FOD_USER: $_FCLI_DEFAULT_FOD_USER
+    FCLI_DEFAULT_FOD_PASSWORD: $_FCLI_DEFAULT_FOD_PASSWORD
+    FCLI_DEFAULT_FOD_TENANT: $_FCLI_DEFAULT_FOD_TENANT
+    FCLI_DEFAULT_FOD_URL: $_FCLI_DEFAULT_FOD_URL
+    FOD_RELEASE_ID: $_FOD_RELEASE_ID
+    FOD_NOTES: "Triggered by Gitlab Pipeline IID $CI_PIPELINE_IID: $CI_PIPELINE_URL"
+  script:
+    - fcli fod session login
+
+    - fcli fod action run release-summary --release=$FOD_RELEASE_ID
+    - fcli fod action run check-policy --release=$FOD_RELEASE_ID
+
+    - fcli fod session logout

devops-integrations/gitlab/fortify-sast-fod.yml

@@ -1,13 +1,16 @@
 # Integrate Fortify on Demand Static AppSec Testing (SAST) into your Gitlab CICD pipeline
 # The following Gitlab environment variables must be defined before using this job
-#   - $FOD_RELEASE_ID
-#   - $FOD_USER
-#   - $FOD_PAT
-#   - $FOD_TENANT
+#   - $_FOD_RELEASE_ID
+#   - $_FCLI_DEFAULT_FOD_USER
+#   - $_FCLI_DEFAULT_FOD_PASSWORD
+#   - $_FCLI_DEFAULT_FOD_TENANT
+#   - $_FCLI_DEFAULT_FOD_URL
+# Note: this assumes the FoD Release has already been configured
 
 fortify-sast:
-  image: fortifydocker/fortify-ci-tools:5.4.1-jdk-17
+  image: fortifydocker/fortify-ci-tools:5.5.0-jdk-17
   stage: test
+  needs: [build]
   variables:
     FCLI_DEFAULT_FOD_USER: $_FCLI_DEFAULT_FOD_USER
     FCLI_DEFAULT_FOD_PASSWORD: $_FCLI_DEFAULT_FOD_PASSWORD
@@ -17,11 +20,14 @@ fortify-sast:
     FOD_NOTES: "Triggered by Gitlab Pipeline IID $CI_PIPELINE_IID: $CI_PIPELINE_URL"
   script:
     - fcli fod session login
+
     - scancentral package -bt mvn -oss -o package.zip
     - fcli fod sast start --release=$FOD_RELEASE_ID --file=package.zip --remediation=NonRemediationScanOnly --notes="$FOD_NOTES" --store=Id
     - 'fcli fod sast wait-for ::Id:: --interval=30s'
-    - fcli fod issue list --release=$FOD_RELEASE_ID
+
+    - 'fcli fod issue list --release=$FOD_RELEASE_ID --filters-param "scanType:Static+severty:Critical|High"'
     - fcli fod action run gitlab-sast-report --release=$FOD_RELEASE_ID
+
     - fcli fod session logout
   allow_failure: true
   artifacts:

devops-integrations/gitlab/fortify-sast-scancentral.yml

@@ -5,11 +5,11 @@
 #   - $_FCLI_DEFAULT_SSC_URL
 #   - $_FCLI_DEFAULT_SSC_USER
 #   - $_FCLI_DEFAULT_SSC_PASSWORD
-#   - $_SSC_APP_VERSION_ID
+#   - $SSC_APP_VERSION_ID
 
 fortify-sast:
   stage: test
-  image: fortifydocker/fortify-ci-tools:5.4.1-jdk-17
+  image: fortifydocker/fortify-ci-tools:5.5.0-jdk-17
   needs: [build]
   variables:
     SC_SAST_SENSOR_VERSION: 24.2
@@ -18,22 +18,19 @@ fortify-sast:
     FCLI_DEFAULT_SSC_PASSWORD: $_FCLI_DEFAULT_SSC_PASSWORD
     FCLI_DEFAULT_SSC_CI_TOKEN: $_FCLI_DEFAULT_SSC_CI_TOKEN
     FCLI_DEFAULT_SSC_URL: $_FCLI_DEFAULT_SSC_URL
-    SSC_APP_VERSION_ID: $_SSC_APP_VERSION_ID
   script:
     - fcli ssc session login
-    - fcli sc-sast session login
-
+    - fcli sc-sast session login 
+    
     - scancentral package -bt mvn -o package.zip 
     - fcli sc-sast scan start --publish-to=$SSC_APP_VERSION_ID --sensor-version=$SC_SAST_SENSOR_VERSION --package-file=package.zip --store=Id
-
     - 'fcli sc-sast scan wait-for ::Id:: --interval=30s'
-
-    - fcli ssc issue count --appversion=$SSC_APP_VERSION_ID
 
+    - fcli ssc issue count --appversion=$SSC_APP_VERSION_ID
     - fcli ssc action run gitlab-sast-report --appversion=$SSC_APP_VERSION_ID --page-size=1000
-
+    
     - fcli sc-sast session logout
-    - fcli ssc session logout  
+    - fcli ssc session logout
   allow_failure: true
   artifacts:
     reports:

devops-integrations/gitlab/fortify-sca.yml

@@ -0,0 +1,51 @@
+# Integrate Debricked software composition analysis into your Gitlab CICD pipeline
+# The following Gitlab environment variables must be defined before using this job
+#   - $DEBRICKED_TOKEN
+#   - $DEBRICKED_REPO
+#   - $_FCLI_DEFAULT_SSC_URL
+#   - $_FCLI_DEFAULT_SSC_USER
+#   - $_FCLI_DEFAULT_SSC_PASSWORD
+#   - $SSC_APP_VERSION_ID
+
+debricked-scan:
+  image: maven:3.9-eclipse-temurin-11
+  stage: test
+  needs: [build]
+  variables:
+    DEBRICKED_TOKEN: $DEBRICKED_TOKEN 
+    DEBRICKED_EXCLUSIONS: "*.lock,*.json,*fingerprints*,target/**,samples/**"
+  script: 
+    - curl -L https://github.com/debricked/cli/releases/download/release-v2/cli_linux_x86_64.tar.gz | tar -xz debricked
+    - chmod +x debricked
+    - ./debricked scan --callgraph --prefer-npm -r "${DEBRICKED_REPO}" --access-token="${DEBRICKED_TOKEN}" . 
+  allow_failure: true
+
+fortify-sca:
+  image: fortifydocker/fortify-ci-tools:5.5.0-jdk-17
+  stage: test
+  needs: [debricked-scan]
+  variables:
+    FCLI_DEFAULT_SSC_USER: $_FCLI_DEFAULT_SSC_USER
+    FCLI_DEFAULT_SSC_PASSWORD: $_FCLI_DEFAULT_SSC_PASSWORD
+    FCLI_DEFAULT_SSC_URL: $_FCLI_DEFAULT_SSC_URL
+  script: 
+    - fcli ssc session login
+
+    - fcli ssc artifact import-debricked --appversion=$SSC_APP_VERSION_ID --debricked-access-token=$DEBRICKED_TOKEN --repository=$DEBRICKED_REPO --branch=$CI_COMMIT_BRANCH --save-sbom-as=debricked-sbom.json --store=Id
+
+    - 'fcli ssc artifact wait-for ::Id:: --interval=30s'
+
+    - fcli ssc action run appversion-summary --appversion=$SSC_APP_VERSION_ID
+    - fcli ssc action run gitlab-debricked-report --appversion=$SSC_APP_VERSION_ID
+
+    - fcli ssc session logout
+  allow_failure: true
+  artifacts:
+    reports:
+      dependency_scanning: gl-fortify-debricked-depscan.json
+      #cyclonedx: debricked-sbom.json
+    paths:
+      - debricked-sbom.json
+    expire_in: 3 days
+    when: always
+

devops-integrations/gitlab/fortify-ssc-gate.yml

@@ -0,0 +1,23 @@
+# Integrate Fortify Software Security Center Gate into your Gitlab CICD pipeline
+# The following Gitlab environment variables must be defined before using this job
+#   - $_FCLI_DEFAULT_SSC_CI_TOKEN
+#   - $_FCLI_DEFAULT_SSC_URL
+#   - $_FCLI_DEFAULT_SSC_USER
+#   - $_FCLI_DEFAULT_SSC_PASSWORD
+#   - $SSC_APP_VERSION_ID
+
+fortify-security-gate:
+  image: fortifydocker/fortify-ci-tools:5.5.0-jdk-17
+  stage: report
+  variables:
+    FCLI_DEFAULT_SSC_USER: $_FCLI_DEFAULT_SSC_USER
+    FCLI_DEFAULT_SSC_PASSWORD: $_FCLI_DEFAULT_SSC_PASSWORD
+    FCLI_DEFAULT_SSC_CI_TOKEN: $_FCLI_DEFAULT_SSC_CI_TOKEN
+    FCLI_DEFAULT_SSC_URL: $_FCLI_DEFAULT_SSC_URL
+  script:
+    - fcli ssc session login
+
+    - fcli ssc action run appversion-summary --appversion=$SSC_APP_VERSION_ID --filtersets="default"
+    - fcli ssc action run check-policy --appversion=$SSC_APP_VERSION_ID
+
+    - fcli ssc session logout