feat(fortify): Added a check for fortify binary in $PATH (#3925)

* added check for fortifyupdate and sourceanalyzer bin Co-authored-by: sumeet patil <sumeet.patil@sap.com>
2024-12-12 10:55:20 +02:00 · 2022-08-04 17:34:54 +05:30 · 2022-08-04 17:34:54 +05:30 · aa41641d41
commit aa41641d41
parent 73f7d61743
2 changed files with 63 additions and 0 deletions
--- a/cmd/fortifyExecuteScan.go
+++ b/cmd/fortifyExecuteScan.go
@ -7,6 +7,7 @@ import (
 	"io/ioutil"
 	"math"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"regexp"
 	"runtime"
@ -107,6 +108,8 @@ const (
 	classpathFileName = "fortify-execute-scan-cp.txt"
 )

+var execInPath = exec.LookPath
+
 func fortifyExecuteScan(config fortifyExecuteScanOptions, telemetryData *telemetry.CustomData, influx *fortifyExecuteScanInflux) {
 	// TODO provide parameter for trusted certs
 	ctx, client, err := piperGithub.NewClient(config.GithubToken, config.GithubAPIURL, "", []string{})
@ -145,6 +148,13 @@ func determineArtifact(config fortifyExecuteScanOptions, utils fortifyUtils) (ve
 func runFortifyScan(ctx context.Context, config fortifyExecuteScanOptions, sys fortify.System, utils fortifyUtils, telemetryData *telemetry.CustomData, influx *fortifyExecuteScanInflux, auditStatus map[string]string) ([]piperutils.Path, error) {
 	var reports []piperutils.Path
 	log.Entry().Debugf("Running Fortify scan against SSC at %v", config.ServerURL)
+	executable_list := []string{"fortifyupdate", "sourceanalyzer"}
+	for _, exec := range executable_list {
+		_, err := execInPath(exec)
+		if err != nil {
+			return reports, fmt.Errorf("ERROR , command not found: %v. Please configure a supported docker image or install Fortify SCA on the system.", exec)
+		}
+	}

 	if config.BuildTool == "maven" && config.InstallArtifacts {
 		err := maven.InstallMavenArtifacts(&maven.EvaluateOptions{
--- a/cmd/fortifyExecuteScan_test.go
+++ b/cmd/fortifyExecuteScan_test.go
@ -62,6 +62,31 @@ func newFortifyTestUtilsBundle() fortifyTestUtilsBundle {
 	}
 	return utilsBundle
 }
+func mockExecinPath(exec string) (string, error) {
+	executable_list := []string{"fortifyupdate", "sourceanalyzer"}
+	for _, exec := range executable_list {
+		if exec == "fortifyupdate" || exec == "sourceanalyzer" {
+			return "/" + exec, nil
+		} else {
+			err_string := fmt.Sprintf("ERROR , command not found: %s. Please configure a supported docker image or install Fortify SCA on the system.", exec)
+			return "", errors.New(err_string)
+		}
+	}
+	return "", nil
+}
+
+func failMockExecinPathfortifyupdate(exec string) (string, error) {
+	if exec == "fortifyupdate" {
+		return "", errors.New("ERROR , command not found: fortifyupdate. Please configure a supported docker image or install Fortify SCA on the system.")
+	}
+	return "/fortifyupdate", nil
+}
+func failMockExecinPathsourceanalyzer(exec string) (string, error) {
+	if exec == "sourceanalyzer" {
+		return "", errors.New("ERROR , command not found: sourceanalyzer. Please configure a supported docker image or install Fortify SCA on the system.")
+	}
+	return "/sourceanalyzer", nil
+}

 type artifactMock struct {
 	Coordinates versioning.Coordinates
@ -429,6 +454,33 @@ func TestDetermineArtifact(t *testing.T) {
 	})
 }

+func TestFailFortifyexecinPath(t *testing.T) {
+	t.Run("Testing if fortifyupdate in $PATH or not", func(t *testing.T) {
+		ff := fortifyMock{}
+		ctx := context.Background()
+		utils := newFortifyTestUtilsBundle()
+		influx := fortifyExecuteScanInflux{}
+		auditStatus := map[string]string{}
+		execInPath = failMockExecinPathfortifyupdate
+		config := fortifyExecuteScanOptions{SpotCheckMinimum: 4, MustAuditIssueGroups: "Audit All, Corporate Security Requirements", SpotAuditIssueGroups: "Spot Checks of Each Category"}
+		_, err := runFortifyScan(ctx, config, &ff, &utils, nil, &influx, auditStatus)
+		assert.EqualError(t, err, "ERROR , command not found: fortifyupdate. Please configure a supported docker image or install Fortify SCA on the system.")
+
+	})
+	t.Run("Testing if sourceanalyzer in $PATH or not", func(t *testing.T) {
+		ff := fortifyMock{}
+		ctx := context.Background()
+		utils := newFortifyTestUtilsBundle()
+		influx := fortifyExecuteScanInflux{}
+		auditStatus := map[string]string{}
+		execInPath = failMockExecinPathsourceanalyzer
+		config := fortifyExecuteScanOptions{SpotCheckMinimum: 4, MustAuditIssueGroups: "Audit All, Corporate Security Requirements", SpotAuditIssueGroups: "Spot Checks of Each Category"}
+		_, err := runFortifyScan(ctx, config, &ff, &utils, nil, &influx, auditStatus)
+		assert.EqualError(t, err, "ERROR , command not found: sourceanalyzer. Please configure a supported docker image or install Fortify SCA on the system.")
+
+	})
+}
+
 func TestExecutions(t *testing.T) {
 	type parameterTestData struct {
 		nameOfRun             string
@ -464,6 +516,7 @@ func TestExecutions(t *testing.T) {
 			utils := newFortifyTestUtilsBundle()
 			influx := fortifyExecuteScanInflux{}
 			auditStatus := map[string]string{}
+			execInPath = mockExecinPath
 			reports, _ := runFortifyScan(ctx, data.config, &ff, &utils, nil, &influx, auditStatus)
 			if len(data.expectedReports) != data.expectedReportsLength {
 				assert.Fail(t, fmt.Sprintf("Wrong number of reports detected, expected %v, actual %v", data.expectedReportsLength, len(data.expectedReports)))