log.Entry().Fatal("failed to persist Influx environment")
}
}
// FortifyExecuteScanCommand This BETA step executes a Fortify scan on the specified project to perform static code analysis and check the source code for security flaws.
funcFortifyExecuteScanCommand()*cobra.Command{
constSTEP_NAME="fortifyExecuteScan"
metadata:=fortifyExecuteScanMetadata()
varstepConfigfortifyExecuteScanOptions
varstartTimetime.Time
varinfluxfortifyExecuteScanInflux
varcreateFortifyExecuteScanCmd=&cobra.Command{
Use:STEP_NAME,
Short:"This BETA step executes a Fortify scan on the specified project to perform static code analysis and check the source code for security flaws.",
cmd.Flags().StringVar(&stepConfig.AuthToken,"authToken",os.Getenv("PIPER_authToken"),"The FortifyToken to use for authentication")
cmd.Flags().StringVar(&stepConfig.GithubToken,"githubToken",os.Getenv("PIPER_githubToken"),"GitHub personal access token as per https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line")
cmd.Flags().BoolVar(&stepConfig.AutoCreate,"autoCreate",false,"Whether Fortify project and project version shall be implicitly auto created in case they cannot be found in the backend")
cmd.Flags().StringVar(&stepConfig.ModulePath,"modulePath",`./`,"Allows providing the path for the module to scan")
cmd.Flags().StringVar(&stepConfig.PythonRequirementsFile,"pythonRequirementsFile",os.Getenv("PIPER_pythonRequirementsFile"),"The requirements file used in `buildTool: 'pip'` to populate the build environment with the necessary dependencies")
cmd.Flags().BoolVar(&stepConfig.AutodetectClasspath,"autodetectClasspath",true,"Whether the classpath is automatically determined via build tool i.e. maven or pip or not at all")
cmd.Flags().StringVar(&stepConfig.MustAuditIssueGroups,"mustAuditIssueGroups",`Corporate Security Requirements, Audit All`,"Comma separated list of issue groups that must be audited completely")
cmd.Flags().StringVar(&stepConfig.SpotAuditIssueGroups,"spotAuditIssueGroups",`Spot Checks of Each Category`,"Comma separated list of issue groups that are spot checked and for which `spotCheckMinimum` audited issues are enforced")
cmd.Flags().StringVar(&stepConfig.PythonRequirementsInstallSuffix,"pythonRequirementsInstallSuffix",os.Getenv("PIPER_pythonRequirementsInstallSuffix"),"The suffix for the command used to install the requirements file in `buildTool: 'pip'` to populate the build environment with the necessary dependencies")
cmd.Flags().StringVar(&stepConfig.PythonVersion,"pythonVersion",`python3`,"Python version to be used in `buildTool: 'pip'`")
cmd.Flags().BoolVar(&stepConfig.UploadResults,"uploadResults",true,"Whether results shall be uploaded or not")
cmd.Flags().StringVar(&stepConfig.BuildDescriptorFile,"buildDescriptorFile",os.Getenv("PIPER_buildDescriptorFile"),"Path to the build descriptor file addressing the module/folder to be scanned. Defaults are for buildTool=`maven`: `./pom.xml`, buildTool=`pip`: `./setup.py`.")
cmd.Flags().StringVar(&stepConfig.CommitID,"commitId",os.Getenv("PIPER_commitId"),"Set the Git commit ID for identifying artifacts throughout the scan.")
cmd.Flags().StringVar(&stepConfig.CommitMessage,"commitMessage",os.Getenv("PIPER_commitMessage"),"Set the Git commit message for identifying pull request merges throughout the scan.")
cmd.Flags().StringVar(&stepConfig.Owner,"owner",os.Getenv("PIPER_owner"),"Set the GitHub organization.")
cmd.Flags().StringVar(&stepConfig.Repository,"repository",os.Getenv("PIPER_repository"),"Set the GitHub repository.")
cmd.Flags().StringVar(&stepConfig.Memory,"memory",`-Xmx4G -Xms512M`,"The amount of memory granted to the translate/scan executions")
cmd.Flags().BoolVar(&stepConfig.UpdateRulePack,"updateRulePack",true,"Whether the rule pack shall be updated and pulled from Fortify SSC before scanning or not")
cmd.Flags().StringVar(&stepConfig.ReportDownloadEndpoint,"reportDownloadEndpoint",`/transfer/reportDownload.html`,"Fortify SSC endpoint for Report downloads")
cmd.Flags().IntVar(&stepConfig.PollingMinutes,"pollingMinutes",30,"The number of minutes for which an uploaded FPR artifact''s status is being polled to finish queuing/processing, if exceeded polling will be stopped and an error will be thrown")
cmd.Flags().BoolVar(&stepConfig.QuickScan,"quickScan",false,"Whether a quick scan should be performed, please consult the related Fortify documentation on JAM on the impact of this setting")
cmd.Flags().StringVar(&stepConfig.Translate,"translate",os.Getenv("PIPER_translate"),"Options for translate phase of Fortify. Most likely, you do not need to set this parameter. See src, exclude. If `'src'` and `'exclude'` are set they are automatically used. Technical details: It has to be a JSON string of list of maps with required key `'src'`, and optional keys `'exclude'`, `'libDirs'`, `'aspnetcore'`, and `'dotNetCoreVersion'`")
cmd.Flags().StringSliceVar(&stepConfig.Src,"src",[]string{},"A list of source directories to scan. Wildcards can be used, e.g., `'src/main/java/**/*'`. If `'translate'` is set, this will ignored. The default value for `buildTool: 'maven'` is ['**/*.xml', '**/*.html', '**/*.jsp', '**/*.js', '**/src/main/resources/**/*', '**/src/main/java/**/*'], for `buildTool: 'pip'` it is ['./**/*'].")
cmd.Flags().StringSliceVar(&stepConfig.Exclude,"exclude",[]string{},"A list of directories/files to be excluded from the scan. Wildcards can be used, e.g., `'**/Test.java'`. If `translate` is set, this will ignored.")
cmd.Flags().StringVar(&stepConfig.APIEndpoint,"apiEndpoint",`/api/v1`,"Fortify SSC endpoint used for uploading the scan results and checking the audit state")
cmd.Flags().StringVar(&stepConfig.ReportType,"reportType",`PDF`,"The type of report to be generated")
cmd.Flags().StringSliceVar(&stepConfig.PythonAdditionalPath,"pythonAdditionalPath",[]string{`./lib`,`.`},"A list of additional paths which can be used in `buildTool: 'pip'` for customization purposes")
cmd.Flags().StringVar(&stepConfig.ArtifactURL,"artifactUrl",os.Getenv("PIPER_artifactUrl"),"Path/URL pointing to an additional artifact repository for resolution of additional artifacts during the build")
cmd.Flags().BoolVar(&stepConfig.ConsiderSuspicious,"considerSuspicious",true,"Whether suspicious issues should trigger the check to fail or not")
cmd.Flags().StringVar(&stepConfig.FprUploadEndpoint,"fprUploadEndpoint",`/upload/resultFileUpload.html`,"Fortify SSC endpoint for FPR uploads")
cmd.Flags().StringVar(&stepConfig.ProjectName,"projectName",`{{list.GroupID.ArtifactID|join"-"|trimAll"-"}}`,"The project used for reporting results in SSC")
cmd.Flags().BoolVar(&stepConfig.Reporting,"reporting",false,"Influences whether a report is generated or not")
cmd.Flags().StringVar(&stepConfig.ServerURL,"serverUrl",os.Getenv("PIPER_serverUrl"),"Fortify SSC Url to be used for accessing the APIs")
cmd.Flags().IntVar(&stepConfig.PullRequestMessageRegexGroup,"pullRequestMessageRegexGroup",1,"The group number for extracting the pull request id in `'pullRequestMessageRegex'`")
cmd.Flags().IntVar(&stepConfig.DeltaMinutes,"deltaMinutes",5,"The number of minutes for which an uploaded FPR artifact is considered to be recent and healthy, if exceeded an error will be thrown")
cmd.Flags().IntVar(&stepConfig.SpotCheckMinimum,"spotCheckMinimum",1,"The minimum number of issues that must be audited per category in the `Spot Checks of each Category` folder to avoid an error being thrown")
cmd.Flags().StringVar(&stepConfig.VersioningModel,"versioningModel",`major`,"The default project versioning model used for creating the version based on the build descriptor version to report results in SSC, can be one of `'major'`, `'major-minor'`, `'semantic'`, `'full'`")
cmd.Flags().StringVar(&stepConfig.PythonInstallCommand,"pythonInstallCommand",`{{.Pip}} install --user .`,"Additional install command that can be run when `buildTool: 'pip'` is used which allows further customizing the execution environment of the scan")
cmd.Flags().IntVar(&stepConfig.ReportTemplateID,"reportTemplateId",18,"Report template ID to be used for generating the Fortify report")
cmd.Flags().StringVar(&stepConfig.FilterSetTitle,"filterSetTitle",`SAP`,"Title of the filter set to use for analysing the results")
cmd.Flags().StringVar(&stepConfig.PullRequestName,"pullRequestName",os.Getenv("PIPER_pullRequestName"),"The name of the pull request branch which will trigger creation of a new version in Fortify SSC based on the master branch version")
cmd.Flags().StringVar(&stepConfig.PullRequestMessageRegex,"pullRequestMessageRegex",`.*Merge pull request #(\\d+) from.*`,"Regex used to identify the PR-XXX reference within the merge commit message")
cmd.Flags().StringVar(&stepConfig.BuildTool,"buildTool",`maven`,"Scan type used for the step which can be `'maven'`, `'pip'`")
cmd.Flags().StringVar(&stepConfig.ProjectSettingsFile,"projectSettingsFile",os.Getenv("PIPER_projectSettingsFile"),"Path to the mvn settings file that should be used as project settings file.")
cmd.Flags().StringVar(&stepConfig.GlobalSettingsFile,"globalSettingsFile",os.Getenv("PIPER_globalSettingsFile"),"Path to the mvn settings file that should be used as global settings file.")
cmd.Flags().StringVar(&stepConfig.M2Path,"m2Path",os.Getenv("PIPER_m2Path"),"Path to the location of the local repository that should be used.")
cmd.Flags().BoolVar(&stepConfig.VerifyOnly,"verifyOnly",false,"Whether the step shall only apply verification checks or whether it does a full scan and check cycle")
