From 77dc696a3eb4f262b00504f61cc94ad287a328fc Mon Sep 17 00:00:00 2001 From: Jan Laan <233992+janlaan@users.noreply.github.com> Date: Thu, 21 Sep 2023 11:55:02 +0200 Subject: [PATCH 01/10] Draft documentation for importing external security findings --- docs/_includes/menu.html | 3 + docs/_includes/stylesheet.css | 4 + .../system-security-importing-checkmarx.md | 61 ++++++ .../system-security-importing-fortify.md | 202 ++++++++++++++++++ .../capabilities/system-security-importing.md | 25 +++ 5 files changed, 295 insertions(+) create mode 100644 docs/capabilities/system-security-importing-checkmarx.md create mode 100644 docs/capabilities/system-security-importing-fortify.md create mode 100644 docs/capabilities/system-security-importing.md diff --git a/docs/_includes/menu.html b/docs/_includes/menu.html index 092f243d..4af1641c 100644 --- a/docs/_includes/menu.html +++ b/docs/_includes/menu.html @@ -40,6 +40,9 @@ Frequently Asked Questions Security Frequently Asked Questions + Importing security findings + Importing security findings: Fortify + Importing security findings: Checkmarx Open Source Health Publishing your dependencies Objectives diff --git a/docs/_includes/stylesheet.css b/docs/_includes/stylesheet.css index f62d6d6f..00d8d75d 100644 --- a/docs/_includes/stylesheet.css +++ b/docs/_includes/stylesheet.css @@ -94,6 +94,10 @@ h2, h3 { font-size: 10px !important; } +.container nav .toc a.subSubPage { + padding-left: 80px !important; + font-size: 10px !important; +} .container nav .currentCategory { display: block; } diff --git a/docs/capabilities/system-security-importing-checkmarx.md b/docs/capabilities/system-security-importing-checkmarx.md new file mode 100644 index 00000000..cb89eee8 --- /dev/null +++ b/docs/capabilities/system-security-importing-checkmarx.md 
@@ -0,0 +1,61 @@ +# Importing Checkmarx security findings into Sigrid + +**Note: This documentation does not yet completely describe how to export Checkmarx results using your CI platform, but it does provide pointers for doing so. Please contact SIG support if you need help getting up and running.** + +Sigrid allows you to import your security findings into Sigrid so you can use Sigrid as single source of truth for all software quality needs.\ +Imported findings will show up in the Security Findings page in Sigrid. + +## Prerequisites + +* A valid Checkmarx subscription (either hosted/on demand or on-premise) configured to run scans on the system that you want to import. +* A Sigrid subscription that includes security. + +## Running scans with Checkmarx + +Sigrid does not specify how you run your scans. This can be on-demand in your pipeline, or on a regular schedule. For setting up Checkmarx and running scans, please use the [Checkmarx SAST documentation](https://checkmarx.com/resource/documents/en/34965-46398-sast-user-guide.html). + +## Importing results into Sigrid + +Checkmarx results can be exported using the tool [CxFlow](https://github.com/checkmarx-ltd/cx-flow) provided by Checkmarx. Use CxFlow to export results into the `SARIF` format. This export file should then be placed in a `.sigrid` folder in the root of your codebase and pushed to Sigrid. It will then be automatically processed when you push your code to Sigrid. + +- [CxFlow download page](https://github.com/checkmarx-ltd/cx-flow/releases) +- [CxFlow documentation](https://github.com/checkmarx-ltd/cx-flow/wiki/) + +Below is a sample CxFlow configuration file that can be used. It should be tailored to your situation, but the export format should be Sarif. the [CxFlow wiki](https://github.com/checkmarx-ltd/cx-flow/wiki/Configuration) documents available configuration options. + +This can be executed in a CI pipeline. 
CxFlow provides [tutorials to integrate with various CI platforms](https://github.com/checkmarx-ltd/cx-flow/wiki/Tutorials). The simplest version is running e.g.: `java -jar cx-flow.jar --spring.config.location=cxflow-config.yml --scan --cx-project= -- app= --f=` + +```yml +server: + port: 8982 +logging: + file: + name: cxflow.log + +cxflow: + bug-tracker: Sarif + bug-tracker-impl: + - Sarif + branches: + - main + filter-severity: + filter-category: + filter-cwe: + filter-status: + +checkmarx: + version: 9.0 + username: + password: + client-secret: 014DF517-39D1-4453-B7B3-9930C563627C + base-url: + team: /CxServer + url: ${checkmarx.base-url}/cxrestapi + #WSDL Config + portal-url: ${checkmarx.base-url}/cxwebinterface/Portal/CxWebService.asmx + sdk-url: ${checkmarx.base-url}/cxwebinterface/SDK/CxSDKWebService.asmx + portal-wsdl: ${checkmarx.base-url}/Portal/CxWebService.asmx?wsdl + sdk-wsdl: ${checkmarx.base-url}/SDK/CxSDKWebService.asmx?wsdl + app: +``` +*File: cxflow-config.yml* \ No newline at end of file diff --git a/docs/capabilities/system-security-importing-fortify.md b/docs/capabilities/system-security-importing-fortify.md new file mode 100644 index 00000000..88fadcf8 --- /dev/null +++ b/docs/capabilities/system-security-importing-fortify.md 
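Review bot: the sample `cxflow-config.yml` commits a literal `client-secret: 014DF517-39D1-4453-B7B3-9930C563627C` next to empty `username:`, `password:` and `base-url:` fields, and the surrounding text tells readers to keep this file in the repository. If that value is Checkmarx's published default client secret, say so in the prose; in either case add a sentence that the credentials should be injected from the CI secret store (environment or Spring property overrides) rather than committed with the file. In the example command, `-- app=` has a stray space (read `--app=`), and `--cx-project=` and `--f=` are left empty without saying what belongs there; a short explanation of each placeholder would save support questions. Also "the [CxFlow wiki]" opens a sentence in lower case, and "Sarif" and "SARIF" are used interchangeably within one paragraph.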
@@ -0,0 +1,202 @@ +# Importing Fortify on Demand security findings into Sigrid + +Sigrid allows you to import your security findings into Sigrid so you can use Sigrid as single source of truth for all software quality needs.\ +Imported findings will show up in the Security Findings page in Sigrid. + +## Prerequisites + +- A valid Fortify subscription (either hosted/on demand or on-premise) configured to run scans on the system that you want to import. +- A Sigrid subscription that includes security. + +## Running scans with Fortify + +Sigrid does not specify how you run your scans. This can be on-demand in your pipeline, or on a regular schedule. For setting up Fortify and running scans, please use the Fortify documentation. + +## Importing results into Sigrid + +The Sigrid integration uses Fortify's [VunerabilityExporter](https://github.com/fortify/FortifyVulnerabilityExporter) tool to extract the findings from Fortify in the `SARIF` format. This Sarif export file should be placed in a `.sigrid` folder in the root of your codebase and pushed to Sigrid. It will then be automatically processed when you push your code to Sigrid. + +To ensure compatibility with Sigrid, please use the provided Fortify VulnerabilityExporter configuration file. Place this configuration file in the `.sigrid` folder in your repository root: [Sigrid_Fortify_export.yml](#sigrid_fortify_exportyml) + +Below are guidelines for specific CI platforms. If yours is not listed, it will still be possible to integrate Fortify with Sigrid using a similar approach. + +### Github + +This Github action extracts the latest findings from Sigrid, commits the export file and pushes it to Sigrid. Use it in conjunction with the SIG configuration for Fortify VulnerabilityExporter. + +1. Copy this Github action into your repository +2. Place [Sigrid_Fortify_export.yml](#sigrid_fortify_exportyml) into the `.sigrid` folder in your codebase. +3. 
Configure the following FOD secrets as repository or organization secrets [Github docs on secrets](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions): + * `FOD_TENANT` : Your Fortify on Demand tenant ID + * `FOD_USER` : Your Fortify on Demand username + * `FOD_PAT` : Your Fortify on Demand access token, this can be created via the Fortify web interface. [Fortify docs](https://www.microfocus.com/documentation/fortify-software-security-center/2010/SSC_Help_20.1.0/Content/SSC_UG/Gen_Auth_Tokens.htm) + * `FOD_RELEASE_ID` : The integer release ID of the system in Fortify. Find this by opening the release in Fortify and looking at the URL, for example: `https://emea.fortify.com/Releases//Overview` +4. Change the environment variables at the top of the script: + * `FOD_BASE_URL`: Location where your Fortify installation runs, in this example it's emea.fortify.com + * `SIGRID_CUSTOMER`: Your customer name as defined in Sigrid + * `SIGRID_SYSTEM`: Your system name as defined in Sigrid. +5. Change the top section so that this action runs when you want, e.g. on a specific schedule or event. Default: Daily at 5:30 AM. [Github docs on triggering actions](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows). + +Note that this action also includes the `sigrid-publish` workflow to push all code to Sigrid. (The last two steps in this action) This is optional if you are already using a separate action to push code to Sigrid, but pushing too often is not harmful. 
+ +{% raw %} +```yml +name: Import Fortify On Demand SAST Results into Sigrid +on: + # Allow action to be triggered manually + workflow_dispatch: + # Run daily at 5:33 AM + schedule: + - cron: '33 5 * * *' + +env: + FOD_BASE_URL: "https://emea.fortify.com/" + SIGRID_CUSTOMER: "examplecustomername" + SIGRID_SYSTEM: "examplesystemname" + +jobs: + Export-Fortify-To-Sigrid: + runs-on: ubuntu-latest + permissions: + actions: read + contents: write + steps: + - uses: actions/checkout@v3 + # Pull SAST issues from Fortify and generate Sigrid-optimized SARIF output + - name: Export Results from FoD + uses: fortify/gha-export-vulnerabilities@v1 + with: + export_config: ${{github.workspace}}/.sigrid/Sigrid_Fortify_export.yml + fod_base_url: ${{ env.FOD_BASE_URL }} + fod_tenant: ${{ secrets.FOD_TENANT }} + fod_user: ${{ secrets.FOD_USER }} + fod_password: ${{ secrets.FOD_PAT }} + fod_release_id: ${{ secrets.FOD_RELEASE_ID }} + - run: "mkdir -p .sigrid && mv ./fortify-sast.sarif .sigrid" + - name: Display contents of .sigrid folder + run: ls -R + working-directory: .sigrid + - name: Commit Fortify export to repository + run: | + git config --global user.name 'Fortify export' + git add .sigrid/fortify-sast.sarif + git commit -m "Automated Fortify export for Sigrid" + git push + # Optional: Directly push code to Sigrid, this will import the security findings, and also trigger a new maintainability analysis + - name: Download Sigrid CI + run: "git clone https://github.com/Software-Improvement-Group/sigridci.git sigridci" + - name: Run Sigrid CI to upload code + env: + SIGRID_CI_TOKEN: "${{ secrets.SIGRID_CI_TOKEN }}" + run: "./sigridci/sigridci/sigridci.py --customer ${{env.SIGRID_CUSTOMER}} --system ${{env.SIGRID_SYSTEM}} --source . --publish" +``` +{% endraw %} +*File: .github/workflows/Fortify_export_to_Sigrid.yml* + + +### Gitlab / BitBucket + +There are no detailed instructions at this time. 
However, the Fortify VulnerabilityExporter documentation explains how to enable the exporter for [Gitlab](https://github.com/fortify/FortifyVulnerabilityExporter/blob/main/USAGE.md#gitlab-integration) and [Bitbucket](https://github.com/fortify/FortifyVulnerabilityExporter/blob/main/USAGE.md#bitbucket-integration) Please use these instructions together with the [Sigrid_Fortify_export.yml](#sigrid_fortify_exportyml) export configuration file and ensure that the resulting SARIF file is committed to the `.sigrid` folder in the repository root. It can then be published to Sigrid alongside the code using the Sigrid CI integration for Gitlab or Bitbucket. + + +### Sigrid_Fortify_export.yml +Use this Fortify VulnerabilityExporter configuration to ensure compatibility with Sigrid: +{% raw %} +```yml +# See FortifyVulnerabilityExporter documentation for FoD connection settings and release selection + +export: + from: fod + to: json.github.sast + +fod: + release: + embed: # Load static scan summary as required for GitHub output + - propertyName: staticScanSummary + uri: /api/v3/scans/{currentStaticScanId}/summary + vuln: + filterParam: scantype:Static # Have FoD return only static issues + embed: # Also load details as required for GitLab output + - subEntity: details + - subEntity: recommendations + - subEntity: traces + +export.dir: ${GITHUB_WORKSPACE:${export.default.dir}} # Unless overridden, use GITHUB_WORKSPACE if defined, otherwise default export dir +sarif.output: ${export.dir}/fortify-sast.sarif # Define default output file location and name +json.github.sast.output: + stdout: false # Disabled by default to avoid vulnerability data being exposed through log files + pretty: true # Useful for debugging, disable for optimal performance + file: ${sarif.output} # Output file + + spring.config.activate.on-loader-plugin: fod + +json.github.sast.filter.expr: vuln.scantype=='Static' +json.github.sast.format: + fields: + "[$schema]": 
https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json + version: '2.1.0' + runs: + - tool: + driver: + name: 'Fortify on Demand' + version: SCA $[release.staticScanSummary?.staticScanSummaryDetails?.engineVersion?:'version unknown']; Rulepack $[release.staticScanSummary?.staticScanSummaryDetails?.rulePackVersion?:'version unknown'] + rules: $[vulnerabilityMappers.rules.get()] + results: $[#check(vulnerabilityMappers.result.get().size()>1000, "GitHub does not support importing more than 1000 vulnerabilities. Please clean the scan results or update vulnerability search criteria.")?vulnerabilityMappers.result.get():{}] + vulnerabilityMappers: + rules.fields: + id: $[vuln.checkId+''] + name: $[vuln.category] + shortDescription.text: $[vuln.category] + fullDescription.text: $[#htmlToText(vuln.details?.summary)] + help: + text: $[#htmlToText(vuln.details?.explanation)+'\n\n'+#htmlToText(vuln.recommendations?.recommendations)+"\n\nFor more information, see "+vuln.deepLink] + helpUri: $[vuln.deepLink] + properties: + tags: $[vuln.cwe?.split(",")] + precision: $[(vuln.severityString matches "(Critical|Medium)") ? "high":"low" ] + security-severity: $[{Critical:10.0,High:8.9,Medium:6.9,Low:3.9}.get(vuln.severityString)+''] + result.fields: + ruleId: $[vuln.checkId+''] + message: + text: $[vuln.category] + level: $[(vuln.severityString matches "(Critical|High)") ? "warning":"note" ] + properties: + tags: $[vuln.cwe?.split(",")] + partialFingerprints: + issueInstanceId: $[vuln.instanceId] + locations: + - physicalLocation: + artifactLocation: + uri: $[vuln.primaryLocationFull] + region: + startLine: $[vuln.lineNumber==0?1:vuln.lineNumber] + endLine: $[vuln.lineNumber==0?1:vuln.lineNumber] + startColumn: $[1] # Needs to be specified as an expression in order to end up as integer instead of string in JSON + endColumn: $[80] + codeFlows: |- + $[ + vuln.traces==null ? 
{} + : + {{ + threadFlows: vuln.traces.![{ + locations: traceEntries?.![{ + location: { + message: { + text: #htmlToText(displayText).replaceAll(" ", " ") + }, + physicalLocation: { + artifactLocation: { + uri: location + }, + region: { + startLine: lineNumber + } + } + } + }] + }] + }} + ] +``` +{% endraw %} +*File: .sigrid/Sigrid_Fortify_export.yml* \ No newline at end of file diff --git a/docs/capabilities/system-security-importing.md b/docs/capabilities/system-security-importing.md new file mode 100644 index 00000000..2fcb9246 --- /dev/null +++ b/docs/capabilities/system-security-importing.md 
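Review bot: several points in the Fortify page and its embedded workflow. The link text "VunerabilityExporter" is misspelled, and "This Github action extracts the latest findings from Sigrid" should read "from Fortify". Step 5 states the default as "Daily at 5:30 AM" while the workflow uses `- cron: '33 5 * * *'` with a comment saying 5:33 AM; align the three. In the commit step, `git config --global user.name 'Fortify export'` sets no `user.email`, so `git commit` can fail on a fresh runner, and `git commit` exits non-zero when the export is unchanged since the last run, which will fail the scheduled job; set an email and guard the commit (e.g. `git diff --cached --quiet || git commit -m "Automated Fortify export for Sigrid"`). The `git clone https://github.com/Software-Improvement-Group/sigridci.git sigridci` step pulls an unpinned default branch into a job that holds `contents: write`; pin a tag or commit. In `Sigrid_Fortify_export.yml`, the `#check(... size()>1000, "GitHub does not support importing more than 1000 vulnerabilities ...")` expression replaces the whole result set with `{}` above 1000 findings and its message still talks about GitHub; confirm whether the Sigrid import has the same limit and either document it or adjust the check. Finally, the config sets `stdout: false` to keep vulnerability data out of logs, but the same data is then committed to the repository in `.sigrid/fortify-sast.sarif`; worth one sentence on who can read that history. The Gitlab/BitBucket paragraph is missing a period after the Bitbucket link before "Please".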
@@ -0,0 +1,25 @@ +# Importing your security tool findings into Sigrid + +Sigrid allows you to import your security findings into Sigrid so you can use Sigrid as single source of truth for all software quality needs. Imported findings will show up in the Security Findings page in Sigrid. + +## Importing - general process + +Whichever security tool you use, the process of importing into Sigrid is largely the same: + +1. **Security license needed:** A security license is needed to access Sigrid's security features. Contact your SIG account manager if you do not have one yet. +2. **Note on interchange format:** The preferred interchange format is [SARIF](https://sarifweb.azurewebsites.net/). Many security tools can export to this format. If your tool does not, and it is not explicitly supported otherwise, please contact SIG to see if we can add support. +3. **Run analysis**: How the security analysis is ran depends on your tool. SIG provides guidance for popular tools, but it is up to you to run your security tool and export its findings. +4. **Place findings alongside codebase**: The SARIF (or other) export should be placed in a `.sigrid` folder in the root of your repository and have a `.sarif` extension. Ideally this file is updated every time your security scan tool runs, either via scheduled scans or scans after a merge request. Choose the option that works best with your development workflow. +5. **Send findings to Sigrid**: + 1. **Sigrid CI**: Because the export file is part of the codebase, it will be pushed to Sigrid along with the rest of the code if you use Sigrid CI with the publish workflow. You can also choose to explicitly push to Sigrid after updating the export file. + 2. **SFTP / manual uploads**: Include the `.sigrid` folder with the `.sarif` file in your upload to SIG and its findings will be imported. 
+ +## Importing - specific tool support / instructions + +Many tools that export SARIF will be supported with no or minimal extra effort from SIG, contact us to be sure. The below tools are guaranteed to work: + +- [Fortify (SARIF format)](system-security-importing-fortify.md) +- [Checkmarx (SARIF format)](system-security-importing-checkmarx.md) + +## Triaging findings: Which system is in control? +Security findings typically need to be processed and triaged to determine whether they are false positives, prioritized, etc. When importing external results, you can choose to either do the triage in your own tool, or in Sigrid which [also provides this feature](system-security.md#changing-a-findings-status-and-audit-trail). To ensure consistency, make an explicit choice which system is in charge of triage. Where possible, Sigrid respects already triaged findings during its import. \ No newline at end of file From 8e6caa57a0446f059d72597e03234488a683b2eb Mon Sep 17 00:00:00 2001 From: syllosigm <131661923+syllosigm@users.noreply.github.com> Date: Thu, 21 Sep 2023 12:10:15 +0200 Subject: [PATCH 02/10] Update system-security-importing-checkmarx.md --- docs/capabilities/system-security-importing-checkmarx.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/docs/capabilities/system-security-importing-checkmarx.md b/docs/capabilities/system-security-importing-checkmarx.md index cb89eee8..c4e27379 100644 --- a/docs/capabilities/system-security-importing-checkmarx.md +++ b/docs/capabilities/system-security-importing-checkmarx.md 
@@ -2,8 +2,7 @@ **Note: This documentation does not yet completely describe how to export Checkmarx results using your CI platform, but it does provide pointers for doing so. Please contact SIG support if you need help getting up and running.** -Sigrid allows you to import your security findings into Sigrid so you can use Sigrid as single source of truth for all software quality needs.\ -Imported findings will show up in the Security Findings page in Sigrid. +Sigrid allows you to import your security findings into Sigrid so you can use Sigrid as single source of truth for all software quality needs. Imported findings will show up in the Security Findings page in Sigrid. ## Prerequisites @@ -12,7 +11,7 @@ Imported findings will show up in the Security Findings page in Sigrid. ## Running scans with Checkmarx -Sigrid does not specify how you run your scans. This can be on-demand in your pipeline, or on a regular schedule. For setting up Checkmarx and running scans, please use the [Checkmarx SAST documentation](https://checkmarx.com/resource/documents/en/34965-46398-sast-user-guide.html). +Sigrid does not specify how you run should your scans. This can be on-demand in your pipeline, or scheduled. For setting up Checkmarx and running scans, please use the [Checkmarx SAST documentation](https://checkmarx.com/resource/documents/en/34965-46398-sast-user-guide.html). ## Importing results into Sigrid 
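Review bot: the second hunk introduces a word-order typo, "Sigrid does not specify how you run should your scans"; read "how you should run your scans".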
@@ -21,7 +20,7 @@ Checkmarx results can be exported using the tool [CxFlow](https://github.com/che - [CxFlow download page](https://github.com/checkmarx-ltd/cx-flow/releases) - [CxFlow documentation](https://github.com/checkmarx-ltd/cx-flow/wiki/) -Below is a sample CxFlow configuration file that can be used. It should be tailored to your situation, but the export format should be Sarif. the [CxFlow wiki](https://github.com/checkmarx-ltd/cx-flow/wiki/Configuration) documents available configuration options. +Below is a sample CxFlow configuration file that can be used. It should be tailored to your situation, but the export format should be Sarif. See the [CxFlow wiki](https://github.com/checkmarx-ltd/cx-flow/wiki/Configuration) documents available configuration options. This can be executed in a CI pipeline. CxFlow provides [tutorials to integrate with various CI platforms](https://github.com/checkmarx-ltd/cx-flow/wiki/Tutorials). The simplest version is running e.g.: `java -jar cx-flow.jar --spring.config.location=cxflow-config.yml --scan --cx-project= -- app= --f=` @@ -58,4 +57,4 @@ checkmarx: sdk-wsdl: ${checkmarx.base-url}/SDK/CxSDKWebService.asmx?wsdl app: ``` -*File: cxflow-config.yml* \ No newline at end of file +*File: cxflow-config.yml* From 5cc6395d89757e2285cfa0eff03a4cf7cd222568 Mon Sep 17 00:00:00 2001 From: syllosigm <131661923+syllosigm@users.noreply.github.com> Date: Thu, 21 Sep 2023 12:13:07 +0200 Subject: [PATCH 03/10] Update system-security-importing-fortify.md --- .../capabilities/system-security-importing-fortify.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/docs/capabilities/system-security-importing-fortify.md b/docs/capabilities/system-security-importing-fortify.md index 88fadcf8..befd5a86 100644 --- a/docs/capabilities/system-security-importing-fortify.md +++ b/docs/capabilities/system-security-importing-fortify.md 
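Review bot: the replacement sentence "See the [CxFlow wiki](...) documents available configuration options." is ungrammatical; either "See the [CxFlow wiki](...) for the available configuration options." or "The [CxFlow wiki](...) documents the available configuration options." The same paragraph still mixes "Sarif" and "SARIF". Adding the trailing newline at end of file is fine.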
@@ -1,7 +1,6 @@ # Importing Fortify on Demand security findings into Sigrid -Sigrid allows you to import your security findings into Sigrid so you can use Sigrid as single source of truth for all software quality needs.\ -Imported findings will show up in the Security Findings page in Sigrid. +Sigrid allows you to import your security findings into Sigrid so you can use Sigrid as single source of truth for all software quality needs. Imported findings will show up in the Security Findings page in Sigrid. ## Prerequisites @@ -16,7 +15,7 @@ Sigrid does not specify how you run your scans. This can be on-demand in your pi The Sigrid integration uses Fortify's [VunerabilityExporter](https://github.com/fortify/FortifyVulnerabilityExporter) tool to extract the findings from Fortify in the `SARIF` format. This Sarif export file should be placed in a `.sigrid` folder in the root of your codebase and pushed to Sigrid. It will then be automatically processed when you push your code to Sigrid. -To ensure compatibility with Sigrid, please use the provided Fortify VulnerabilityExporter configuration file. Place this configuration file in the `.sigrid` folder in your repository root: [Sigrid_Fortify_export.yml](#sigrid_fortify_exportyml) +To ensure compatibility with Sigrid, please use the provided Fortify `VulnerabilityExporter` configuration file. Place this configuration file in the `.sigrid` folder in your repository root: [Sigrid_Fortify_export.yml](#sigrid_fortify_exportyml). Below are guidelines for specific CI platforms. If yours is not listed, it will still be possible to integrate Fortify with Sigrid using a similar approach. 
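Review bot: the context line of the second hunk still reads "[VunerabilityExporter](https://github.com/fortify/FortifyVulnerabilityExporter)"; since the sentence right below it is being touched to add backticks around `VulnerabilityExporter`, fix the misspelled link text in the same change. The second sentence of that context line also mixes `SARIF` and "Sarif".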
@@ -37,7 +36,7 @@ This Github action extracts the latest findings from Sigrid, commits the export * `SIGRID_SYSTEM`: Your system name as defined in Sigrid. 5. Change the top section so that this action runs when you want, e.g. on a specific schedule or event. Default: Daily at 5:30 AM. [Github docs on triggering actions](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows). -Note that this action also includes the `sigrid-publish` workflow to push all code to Sigrid. (The last two steps in this action) This is optional if you are already using a separate action to push code to Sigrid, but pushing too often is not harmful. +Note that this action also includes the `sigrid-publish` workflow to push all code to Sigrid. This is optional if you are already using a separate action to push code to Sigrid, but pushing too often is not harmful. {% raw %} ```yml 
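Review bot: dropping "(The last two steps in this action)" removes the only pointer to which steps are the optional `sigrid-publish` part; keep it as a clause, e.g. "Note that the last two steps of this action also run the `sigrid-publish` workflow to push all code to Sigrid."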
@@ -96,7 +95,7 @@ jobs: ### Gitlab / BitBucket -There are no detailed instructions at this time. However, the Fortify VulnerabilityExporter documentation explains how to enable the exporter for [Gitlab](https://github.com/fortify/FortifyVulnerabilityExporter/blob/main/USAGE.md#gitlab-integration) and [Bitbucket](https://github.com/fortify/FortifyVulnerabilityExporter/blob/main/USAGE.md#bitbucket-integration) Please use these instructions together with the [Sigrid_Fortify_export.yml](#sigrid_fortify_exportyml) export configuration file and ensure that the resulting SARIF file is committed to the `.sigrid` folder in the repository root. It can then be published to Sigrid alongside the code using the Sigrid CI integration for Gitlab or Bitbucket. +There are no detailed instructions at this time. However, the Fortify `VulnerabilityExporter` documentation explains how to enable the exporter for [Gitlab](https://github.com/fortify/FortifyVulnerabilityExporter/blob/main/USAGE.md#gitlab-integration) and [Bitbucket](https://github.com/fortify/FortifyVulnerabilityExporter/blob/main/USAGE.md#bitbucket-integration) Please use these instructions together with the [Sigrid_Fortify_export.yml](#sigrid_fortify_exportyml) export configuration file and ensure that the resulting SARIF file is committed to the `.sigrid` folder in the repository root. It can then be published to Sigrid alongside the code using the Sigrid CI integration for Gitlab or Bitbucket. ### Sigrid_Fortify_export.yml @@ -199,4 +198,4 @@ json.github.sast.format: ] ``` {% endraw %} -*File: .sigrid/Sigrid_Fortify_export.yml* \ No newline at end of file +*File: .sigrid/Sigrid_Fortify_export.yml* From ae7e509add171776c84a5ef4d34b6eb9f7b6c1ef Mon Sep 17 00:00:00 2001 
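Review bot: the rewritten Gitlab/BitBucket paragraph is still missing a period after "[Bitbucket](...#bitbucket-integration)" before "Please use these instructions", and "Gitlab" / "BitBucket" / "Bitbucket" are spelled three different ways within the heading and paragraph.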
From: Jan Laan <233992+janlaan@users.noreply.github.com> Date: Tue, 26 Sep 2023 12:59:05 -0400 Subject: [PATCH 04/10] Move security integration documentation to Integrations section --- docs/_includes/menu.html | 10 +++++++--- docs/_includes/stylesheet.css | 4 ---- .../integration-security-checkmarx.md} | 0 .../integration-security-fortify.md} | 0 .../integration-security.md} | 0 5 files changed, 7 insertions(+), 7 deletions(-) rename docs/{capabilities/system-security-importing-checkmarx.md => integrations/integration-security-checkmarx.md} (100%) rename docs/{capabilities/system-security-importing-fortify.md => integrations/integration-security-fortify.md} (100%) rename docs/{capabilities/system-security-importing.md => integrations/integration-security.md} (100%) diff --git a/docs/_includes/menu.html b/docs/_includes/menu.html index 4af1641c..70c269e4 100644 --- a/docs/_includes/menu.html +++ b/docs/_includes/menu.html @@ -40,9 +40,6 @@ Frequently Asked Questions Security Frequently Asked Questions - Importing security findings - Importing security findings: Fortify - Importing security findings: Checkmarx Open Source Health Publishing your dependencies Objectives @@ -72,6 +69,13 @@ Siemens Polarion Other environments + +
External integrations
+
Reference
diff --git a/docs/_includes/stylesheet.css b/docs/_includes/stylesheet.css index 00d8d75d..f62d6d6f 100644 --- a/docs/_includes/stylesheet.css +++ b/docs/_includes/stylesheet.css @@ -94,10 +94,6 @@ h2, h3 { font-size: 10px !important; } -.container nav .toc a.subSubPage { - padding-left: 80px !important; - font-size: 10px !important; -} .container nav .currentCategory { display: block; } diff --git a/docs/capabilities/system-security-importing-checkmarx.md b/docs/integrations/integration-security-checkmarx.md similarity index 100% rename from docs/capabilities/system-security-importing-checkmarx.md rename to docs/integrations/integration-security-checkmarx.md diff --git a/docs/capabilities/system-security-importing-fortify.md b/docs/integrations/integration-security-fortify.md similarity index 100% rename from docs/capabilities/system-security-importing-fortify.md rename to docs/integrations/integration-security-fortify.md diff --git a/docs/capabilities/system-security-importing.md b/docs/integrations/integration-security.md similarity index 100% rename from docs/capabilities/system-security-importing.md rename to docs/integrations/integration-security.md From 43f99d99bd1df07fa3ac37176562e3e51dbce83f Mon Sep 17 00:00:00 2001 From: Dennis Bijlsma Date: Wed, 27 Sep 2023 15:05:24 +0200 Subject: [PATCH 05/10] Update README.md --- docs/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/README.md b/docs/README.md index e39f486e..8b7d36d6 100644 --- a/docs/README.md +++ b/docs/README.md @@ -1,4 +1,4 @@ -# Sigrid | One platform to manage your entire IT organization +# Sigrid | Software Assurance Platform [Sigrid](https://www.softwareimprovementgroup.com/solutions/sigrid-software-assurance-platform/) helps you to improve your software by measuring your system's code quality, and then compares the results against a benchmark of 10,000 industry systems to give you concrete advice on areas where you can improve. 
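Review bot: the three renames into `docs/integrations/` leave the links in `integration-security.md` pointing at `system-security-importing-fortify.md` and `system-security-importing-checkmarx.md`, which no longer exist after this commit, so the page is broken until a later fix; update the link targets in the same commit. `test/test_documentation.py` checks `.md` links for existence, so it should flag this. The menu entries also still read "Importing security findings" while the pages now sit under "External integrations"; consider matching the new file names.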
From 6ff787df7be0ce13d93f8303fd2f725246500765 Mon Sep 17 00:00:00 2001 From: Dennis Bijlsma Date: Wed, 27 Sep 2023 15:09:45 +0200 Subject: [PATCH 06/10] Put OSH stuff in integrations. --- docs/_includes/menu.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/_includes/menu.html b/docs/_includes/menu.html index 70c269e4..4ed52fe3 100644 --- a/docs/_includes/menu.html +++ b/docs/_includes/menu.html @@ -41,7 +41,6 @@ Security Frequently Asked Questions Open Source Health - Publishing your dependencies Objectives
@@ -72,6 +71,7 @@
External integrations
+ Publishing your dependencies Importing security findings Importing security findings: Fortify Importing security findings: Checkmarx From 0f2e20cbf366bd6d3586b9d39df33a4b77d9f0b1 Mon Sep 17 00:00:00 2001 From: syllosigm <131661923+syllosigm@users.noreply.github.com> Date: Wed, 27 Sep 2023 15:59:15 +0200 Subject: [PATCH 07/10] Update integration-security.md --- docs/integrations/integration-security.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/integrations/integration-security.md b/docs/integrations/integration-security.md index 2fcb9246..ee7241fb 100644 --- a/docs/integrations/integration-security.md +++ b/docs/integrations/integration-security.md 
@@ -18,8 +18,8 @@ Whichever security tool you use, the process of importing into Sigrid is largely Many tools that export SARIF will be supported with no or minimal extra effort from SIG, contact us to be sure. The below tools are guaranteed to work: -- [Fortify (SARIF format)](system-security-importing-fortify.md) -- [Checkmarx (SARIF format)](system-security-importing-checkmarx.md) +- [Fortify (SARIF format)](system-security-fortify.md) +- [Checkmarx (SARIF format)](system-security-checkmarx.md) ## Triaging findings: Which system is in control? -Security findings typically need to be processed and triaged to determine whether they are false positives, prioritized, etc. When importing external results, you can choose to either do the triage in your own tool, or in Sigrid which [also provides this feature](system-security.md#changing-a-findings-status-and-audit-trail). To ensure consistency, make an explicit choice which system is in charge of triage. Where possible, Sigrid respects already triaged findings during its import. \ No newline at end of file +Security findings typically need to be processed and triaged to determine whether they are false positives, prioritized, etc. When importing external results, you can choose to either do the triage in your own tool, or in Sigrid which [also provides this feature](system-security.md#changing-a-findings-status-and-audit-trail). To ensure consistency, make an explicit choice which system is in charge of triage. Where possible, Sigrid respects already triaged findings during its import. From 8309770bdabfa19ca5a3e5b48d0250d431bf9dc5 Mon Sep 17 00:00:00 2001 From: Dennis Bijlsma Date: Wed, 27 Sep 2023 16:04:41 +0200 Subject: [PATCH 08/10] Do not count HTTPS external links. --- test/test_documentation.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/test_documentation.py b/test/test_documentation.py index c3cb5a79..bcadfad5 100644 --- a/test/test_documentation.py +++ b/test/test_documentation.py 
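Review bot: the new targets `system-security-fortify.md` and `system-security-checkmarx.md` do not match the files created by the rename in PATCH 04 (`integration-security-fortify.md` and `integration-security-checkmarx.md`), so both links remain dead; use the renamed file names. The dead-link test in `test/test_documentation.py` should catch this before merge.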
@@ -25,7 +25,7 @@ class DocumentationTest(TestCase): def testDocumentationDoesNotContainDeadLinks(self): for file, contents in self.readDocumentationPages(): for match in self.LINK.finditer(contents): - if ".md" in match.group(2): + if ".md" in match.group(2) and not match.group(2).startswith("https://"): parentDir = os.path.dirname(file) linkedFile = os.path.join(parentDir, match.group(2).split(".md")[0] + ".md") self.assertTrue(os.path.exists(linkedFile), f"Dead link in {file} to {linkedFile}") From 6a067d63f67c7f42fd13087011a985e02d9dc08d Mon Sep 17 00:00:00 2001 From: syllosigm <131661923+syllosigm@users.noreply.github.com> Date: Wed, 27 Sep 2023 16:09:06 +0200 Subject: [PATCH 09/10] Update integration-security.md --- docs/integrations/integration-security.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/integrations/integration-security.md b/docs/integrations/integration-security.md index ee7241fb..3c0a880b 100644 --- a/docs/integrations/integration-security.md +++ b/docs/integrations/integration-security.md 
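Review bot: The new guard `not match.group(2).startswith("https://")` only exempts https links, so an `http://`, `mailto:` or protocol-relative link whose target happens to contain ".md" is still treated as a local file and reported as a dead link; a scheme check is more robust, e.g. `target = match.group(2)` followed by `if ".md" in target and "://" not in target:` (or `urllib.parse.urlparse(target).scheme == ""`). Binding `match.group(2)` to a local name once would also keep the condition readable now that it is evaluated three times in the loop body.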
@@ -18,8 +18,8 @@ Whichever security tool you use, the process of importing into Sigrid is largely Many tools that export SARIF will be supported with no or minimal extra effort from SIG, contact us to be sure. The below tools are guaranteed to work: -- [Fortify (SARIF format)](system-security-fortify.md) -- [Checkmarx (SARIF format)](system-security-checkmarx.md) +- [Fortify (SARIF format)](integration-security-fortify.md) +- [Checkmarx (SARIF format)](integration-security-checkmarx.md) ## Triaging findings: Which system is in control? Security findings typically need to be processed and triaged to determine whether they are false positives, prioritized, etc. When importing external results, you can choose to either do the triage in your own tool, or in Sigrid which [also provides this feature](system-security.md#changing-a-findings-status-and-audit-trail). To ensure consistency, make an explicit choice which system is in charge of triage. Where possible, Sigrid respects already triaged findings during its import. From beb07b9614beabde45ced9cf53b00b10689abf69 Mon Sep 17 00:00:00 2001 From: syllosigm <131661923+syllosigm@users.noreply.github.com> Date: Wed, 27 Sep 2023 16:12:26 +0200 Subject: [PATCH 10/10] Update integration-security.md --- docs/integrations/integration-security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/integrations/integration-security.md b/docs/integrations/integration-security.md index 3c0a880b..e4ae163e 100644 --- a/docs/integrations/integration-security.md +++ b/docs/integrations/integration-security.md 
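Review bot: In the PATCH 09/10 hunk this is the second rename of the same two link targets within three commits (system-security-importing-* in PATCH 01/10, system-security-* in PATCH 07/10, now integration-security-*), and none of the hunks shown creates or moves `integration-security-fortify.md` and `integration-security-checkmarx.md` into docs/integrations/; the file moves should land in the same commit as the link change so that `testDocumentationDoesNotContainDeadLinks` from PATCH 08/10 passes at every commit rather than only at the end of the series. The commit message "Update integration-security.md" should also state what changed and why (the list links pointed at the old file names).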
@@ -22,4 +22,4 @@ Many tools that export SARIF will be supported with no or minimal extra effort f - [Checkmarx (SARIF format)](integration-security-checkmarx.md) ## Triaging findings: Which system is in control? -Security findings typically need to be processed and triaged to determine whether they are false positives, prioritized, etc. When importing external results, you can choose to either do the triage in your own tool, or in Sigrid which [also provides this feature](system-security.md#changing-a-findings-status-and-audit-trail). To ensure consistency, make an explicit choice which system is in charge of triage. Where possible, Sigrid respects already triaged findings during its import. +Security findings typically need to be processed and triaged to determine whether they are false positives, prioritized, etc. When importing external results, you can choose to either do the triage in your own tool, or in Sigrid which [also provides this feature](../capabilities/system-security.md#changing-a-findings-status-and-audit-trail). To ensure consistency, make an explicit choice which system is in charge of triage. Where possible, Sigrid respects already triaged findings during its import.
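Review bot: The corrected path `../capabilities/system-security.md` in the PATCH 10/10 hunk fixes the directory, but the dead-link test from PATCH 08/10 only checks that the .md file exists (it splits the target on ".md" and discards the remainder), so the fragment `#changing-a-findings-status-and-audit-trail` is never verified; confirm that this heading exists in docs/capabilities/system-security.md, since a renamed heading would break the link silently. The commit message should say that the link was broken because this page lives under docs/integrations/ while system-security.md lives under docs/capabilities/, rather than the generic "Update integration-security.md".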