Merge branch 'rf-add-fortify-template' into 'master'

Add Fortify on Demand (FoD) SAST template See merge request gitlab-org/gitlab!91956

Merge branch 'rf-add-fortify-template' into 'master'
2e9cc6e0 · Laura Montemayor · c2215120 · c4899c50 · 2e9cc6e0 · 2e9cc6e0
--- a/config/metrics/counts_28d/20220715195415_p_ci_templates_security_fortify_fod_sast_monthly.yml
+++ b/config/metrics/counts_28d/20220715195415_p_ci_templates_security_fortify_fod_sast_monthly.yml
+---
+key_path: redis_hll_counters.ci_templates.p_ci_templates_security_fortify_fod_sast_monthly
+description: Count of pipelines using the Fortify FoD SAST template
+product_section: sec
+product_stage: secure
+product_group: static_analysis
+product_category: SAST
+value_type: number
+status: active
+milestone: "15.3"
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/91956
+time_frame: 28d
+data_source: redis_hll
+data_category: optional
+instrumentation_class: RedisHLLMetric
+distribution:
+- ce
+- ee
+tier:
+- free
+- premium
+- ultimate
+options:
+  events:
+  - p_ci_templates_security_fortify_fod_sast
--- a/config/metrics/counts_28d/20220719133315_p_ci_templates_implicit_security_fortify_fod_sast_monthly.yml
+++ b/config/metrics/counts_28d/20220719133315_p_ci_templates_implicit_security_fortify_fod_sast_monthly.yml
+---
+key_path: redis_hll_counters.ci_templates.p_ci_templates_implicit_security_fortify_fod_sast_monthly
+description: Count of pipelines with implicit runs using the Fortify FoD SAST template
+product_section: sec
+product_stage: secure
+product_group: static_analysis
+product_category: SAST
+value_type: number
+status: active
+milestone: "15.3"
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/91956
+time_frame: 28d
+data_source: redis_hll
+data_category: optional
+instrumentation_class: RedisHLLMetric
+distribution:
+- ce
+- ee
+tier:
+- free
+- premium
+- ultimate
+options:
+  events:
+  - p_ci_templates_implicit_security_fortify_fod_sast
--- a/config/metrics/counts_7d/20220715195411_p_ci_templates_security_fortify_fod_sast_weekly.yml
+++ b/config/metrics/counts_7d/20220715195411_p_ci_templates_security_fortify_fod_sast_weekly.yml
+---
+key_path: redis_hll_counters.ci_templates.p_ci_templates_security_fortify_fod_sast_weekly
+description: Count of pipelines using the Fortify FoD SAST template
+product_section: sec
+product_stage: secure
+product_group: static_analysis
+product_category: SAST
+value_type: number
+status: active
+milestone: "15.3"
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/91956
+time_frame: 7d
+data_source: redis_hll
+data_category: optional
+instrumentation_class: RedisHLLMetric
+distribution:
+- ce
+- ee
+tier:
+- free
+- premium
+- ultimate
+options:
+  events:
+  - p_ci_templates_security_fortify_fod_sast
--- a/config/metrics/counts_7d/20220719133311_p_ci_templates_implicit_security_fortify_fod_sast_weekly.yml
+++ b/config/metrics/counts_7d/20220719133311_p_ci_templates_implicit_security_fortify_fod_sast_weekly.yml
+---
+key_path: redis_hll_counters.ci_templates.p_ci_templates_implicit_security_fortify_fod_sast_weekly
+description: Count of pipelines with implicit runs using the Fortify FoD SAST template
+product_section: sec
+product_stage: secure
+product_group: static_analysis
+product_category: SAST
+value_type: number
+status: active
+milestone: "15.3"
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/91956
+time_frame: 7d
+data_source: redis_hll
+data_category: optional
+instrumentation_class: RedisHLLMetric
+distribution:
+- ce
+- ee
+tier:
+- free
+- premium
+- ultimate
+options:
+  events:
+  - p_ci_templates_implicit_security_fortify_fod_sast
--- a/lib/gitlab/ci/templates/Security/Fortify-FoD-sast.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/Fortify-FoD-sast.gitlab-ci.yml
+# This template is provided and maintained by Fortify, an official Technology Partner with GitLab.
+# You can copy and paste this template into a new `.gitlab-ci.yml` file.
+# You should not add this template to an existing `.gitlab-ci.yml` file by using the `include:` keyword.
+
+################################################################################################################################################
+# Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,#
+# dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial #
+# or contact our sales team, visit microfocus.com/appsecurity.                                                                                 #
+#                                                                                                                                              #
+# Use this pipeline template as a basis for integrating Fortify on Demand Static Application Security Testing(SAST) into your GitLab pipelines.#
+# This template demonstrates the steps to prepare the code+dependencies and initiate a scan. As an option, it also supports waiting for the    #
+# SAST scan to complete and optinally failing the job. Software Composition Analysis can be also be performed in conjunection with the SAST    #
+# scan if that service has been purchased. Users should review inputs and environment variables below to configure scanning for an existing    #
+# application in your Fortify on Demand tenant. Additional information is available in the comments throughout the template and the Fortify on #
+# Demand, FoD Uploader and ScanCentral Client product documentation. If you need additional assistance with configuration, feel free to create #
+# a help ticket in the Fortify on Demand portal.                                                                                               #
+################################################################################################################################################
+
+fortify_fod_sast:
+  image: fortifydocker/fortify-ci-tools:3-jdk-8
+  variables:
+    # Update/override PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints:
+    #   ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle).
+    #   The current fortify-ci-tools image is Linux only at this time. Msbuild integration is not currently supported.
+    #   ScanCentral has additional options that should be set for PHP and Python projects.
+    #   For other build tools (-bt none), add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation.
+    #   ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/
+    PACKAGE_OPTS: "-bt mvn"
+
+    # Update/override the FoDUploader environment variables as needed. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java. Helpful hints:
+    #   Credentials (FOD_USERNAME, FOD_PAT, FOD_TENANT) are expected as GitLab CICD Variables in the template (masking recommended).
+    #   Static scan settings should be configured in Fortify on Demand portal (Automated Audit preference strongly recommended).
+    #   FOD_RELEASE_ID is expected as a GitLab CICD Variable.
+    #   FOD_UPLOADER_OPTS can be adjusted to wait for scan completion/pull results (-I 1) and control whether to fail the job (-apf).
+    FOD_URL: "https://ams.fortify.com"
+    FOD_API_URL: "https://api.ams.fortify.com/"
+    FOD_UPLOADER_OPTS: "-ep 2 -pp 0"
+    FOD_NOTES: "Triggered by Gitlab Pipeline IID $CI_PIPELINE_IID: $CI_PIPELINE_URL"
+
+  script:
+    # Package source code and dependencies using Fortify ScanCentral client
+    - 'scancentral package $PACKAGE_OPTS -o package.zip'
+    # Start Fortify on Demand SAST scan
+    - 'FoDUpload -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE" -tc "$FOD_TENANT" -uc "$FOD_USERNAME" "$FOD_PAT" $FOD_UPLOADER_OPTS -I 1 -n "$FOD_NOTES"'
+    # Generate GitLab reports
+    - 'FortifyVulnerabilityExporter FoDToGitLabSAST --fod.baseUrl=$FOD_URL --fod.tenant="$FOD_TENANT" --fod.userName="$FOD_USERNAME" --fod.password="$FOD_PAT" --fod.release.id=$FOD_RELEASE'
+  # Change to false to fail the entire pipeline if the scan fails and/or the result of a scan causes security policy failure (see "-apf" option in FoDUploader documentation)
+  allow_failure: true
+  # Report SAST vulnerabilities back to GitLab
+  artifacts:
+    reports:
+      sast: gl-fortify-sast.json
--- a/lib/gitlab/usage_data_counters/known_events/ci_templates.yml
+++ b/lib/gitlab/usage_data_counters/known_events/ci_templates.yml
@@ -147,6 +147,10 @@
  category: ci_templates
  redis_slot: ci_templates
  aggregation: weekly
+- name: p_ci_templates_security_fortify_fod_sast
+  category: ci_templates
+  redis_slot: ci_templates
+  aggregation: weekly
 - name: p_ci_templates_security_sast_iac_latest
  category: ci_templates
  redis_slot: ci_templates
@@ -639,6 +643,10 @@
  category: ci_templates
  redis_slot: ci_templates
  aggregation: weekly
+- name: p_ci_templates_implicit_security_fortify_fod_sast
+  category: ci_templates
+  redis_slot: ci_templates
+  aggregation: weekly
 - name: p_ci_templates_implicit_security_sast_iac_latest
  category: ci_templates
  redis_slot: ci_templates