Enable fortify scanning for .NET Framework projects. (#759)

claudiamurialdo · web-flow · commit 5e224cc60162 · 2023-02-01T09:22:51.000-03:00
* Enable fortify scanning for .NET Framework projects.

* Fix actions name
diff --git a/.github/workflows/fortify-net-framework.yml b/.github/workflows/fortify-net-framework.yml
@@ -0,0 +1,100 @@
+
+name: Fortify on Demand Scan (.NET Framework)
+
+# TODO: Customize trigger events based on your DevSecOps processes and typical FoD SAST scan time
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'master'
+      - 'beta'
+      - 'release-*'
+  #Run at the end of every day
+  schedule:
+    - cron: '0 0 * * *'
+  
+jobs:
+  FoD-SAST-Scan:
+    # Use the appropriate runner for building your source code. 
+    # TODO: Use a Windows runner for .NET Framework projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax.
+    runs-on: windows-latest
+
+    steps:
+      # Check out source code
+      - name: Checkout repository
+        uses: actions/checkout@v2
+        with:
+          repository: ''
+
+      # Java 8 required by ScanCentral Client and FoD Uploader(Univeral CI Tool)
+      - name: Setup Java
+        uses: actions/setup-java@v1
+        with:
+          java-version: 1.8
+      
+      - name: Setup MSBuild
+        uses: microsoft/setup-msbuild@v1
+        with:
+          vs-version: 10.0
+          
+      - name: Create temporal solution
+        run: |
+          $fortifysolution = "FortifySolution"
+          dotnet new sln --name $fortifysolution --output dotnet --force
+          dotnet msbuild dotnet\DotNetStandardClasses.sln /t:DumpProjects -p:DumpSolutionName=$fortifysolution /m:1 -p:DumpSolutionTargetFrameworkDefault=net4
+          
+      # Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml.
+      # TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints:
+      #   ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle).
+      #   ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner.
+      #   ScanCentral has additional options that should be set for PHP and Python projects
+      #   For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation.
+      #   ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/ 
+      - name: Download Fortify ScanCentral Client
+        uses: fortify/gha-setup-scancentral-client@v1
+      - name: Package Code + Dependencies
+        run: scancentral package -bt msbuild -bf ./dotnet/FortifySolution.sln -o package.zip
+      
+      - name: Show package contents
+        run: unzip -v package.zip
+        
+      # Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java
+      # TODO: Update ENV variables for your application and create the necessary GitHub Secrets.  Helpful hints:
+      #   Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used).
+      #   Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal.
+      - name: Download Fortify on Demand Universal CI Tool
+        uses: fortify/gha-setup-fod-uploader@v1.0.1
+      - name: Perform SAST Scan
+        run: java -jar ${env:FOD_UPLOAD_JAR} -z package.zip -aurl ${env:FOD_API_URL} -purl ${env:FOD_URL} -rid "${env:FOD_RELEASE_ID}" -tc "${env:FOD_TENANT}" -ac "${env:FOD_USER}" "${env:FOD_PAT}" -ep 2 -pp 1 -I 1 -apf -n "${env:FOD_UPLOADER_NOTES}"
+ 
+        env: 
+          FOD_TENANT: ${{ secrets.FOD_TENANT }}  
+          FOD_USER: ${{ secrets.FOD_USER }}
+          FOD_PAT: ${{ secrets.FOD_PAT }}
+          FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }}
+          FOD_URL: "https://ams.fortify.com"
+          FOD_API_URL: "https://api.ams.fortify.com"
+          FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})'
+
+      # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output.
+      - name: Export Results
+        uses: fortify/gha-export-vulnerabilities@v1.0.2
+        with:
+          export_target: GitHub
+          fod_base_url: "https://ams.fortify.com/"
+          fod_tenant: ${{ secrets.FOD_TENANT }}
+          fod_client_id: ${{ secrets.FOD_USER }}
+          fod_client_secret: ${{ secrets.FOD_PAT }}
+          fod_release_id: ${{ secrets.FOD_RELEASE_ID }}
+      
+      - name: Patch sarif file
+        run: |
+          (Get-Content -Path gh-fortify-sast.sarif) | 
+            ForEach-Object { $_ -Replace '"startLine" : 0', '"startLine" : 1' } | 
+            Set-Content gh-fortify-sast-patched.sarif
+
+      # Import Fortify on Demand results to GitHub Security Code Scanning
+      - name: Import Results
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ./gh-fortify-sast-patched.sarif
diff --git a/.github/workflows/fortify.yml b/.github/workflows/fortify.yml
@@ -1,5 +1,5 @@
 
-name: Fortify on Demand Scan
+name: Fortify on Demand Scan (.NET)
 
 # TODO: Customize trigger events based on your DevSecOps processes and typical FoD SAST scan time
 on:
