In this part of the Mixeway tutorial, We will cover the topic of MicroFocus Fortify Integration.
MicroFocus Fortify is commercial software that performs Static Application Security Testing (SAST) on source code.
Unfortunately, Fortify does not provide any kind of API which allows remote tools to configure and run the scan. Mixeway team has decided to release our own FortifyScaRestAPI project which can be found on GitHub: https://github.com/Mixeway/MixewayFortifyScaRestApi
Integration option #1: Possibility to load vulnerabilities from fortify SSC
- Required: HTTP access to Fortify SSC
- Username and password for proper user
Integration option #2: Scan configuration and loading vulnerabilities, requirements:
- Required: HTTP accès to Fortify SSC
- Username and password
- Fortify SCA installed on Linux based machine
- MixewayFortifyScaRestApi installed on machine with SCA
- Java 8 installed on SCA machine
- Fortify Cloud Scan configured
- CloudScan token (generated from SSC admin zone)
This tutorial is made of 3 parts: Fortify SSC integration and usage, Fortify SCA integration and usage and Mixeway configuration to run scans.
Fortify SSC integration and usage
Step 1: register SSC on scanner tab.
To make this work go to :Admin Zone -> Scanners -> press “+ Add Scanner” button and fill the form:
- Type: Fortify SSC
- Routing Domain: not important, leave blank
- Proxy: if proxy is required to access API please pick it from select box (if You need to configure it, add it through settings tab from this view)
- API Url: url to SSC api: http<s>://<host>:<port>/<ssc_context>
- username and password: username which will have access to all projects and possibility to create new projects
If all provided data are correct You will be able to see new row in table with information :”Active: Yes”.
- incorrect username and password
- incorrect URL to API
- untrusted SSL certificate (on SSC) – in order to fix this add certificate to MixewayHub trust store (see configuration part of tutorial)
Step 2: create or link projects
If the operation was successful. From now on You are able to create projects on Fortify SSC, link projects on mixeway with projects on SSC, and load vulnerabilities for such projects.
To Create or link projects with the SSC project go to a specific project on MixewayHub, then click on “Configuration” and select the “Code Projects” tab. Press the “Add Group” button and fill the form
- Name: name to recognize project
- GIT URL: URL from where SCA will take the source code
- GIT auth option
- Tech: pick from JAVA, JS, MVN, PYTHON, PHP. This is important when You want to run scans, FortifyScaRestApi is limited to this projects
- Who is going to use the app?: If You don’t want to use VulnAuditor leave blank
- has dependant applications?: leave blank
From now on CodeProject will be present at the table. 3 actions can be performed at this time: Run scan (which cannot be done if no SCA integration is done), edit the project, and delete. To create a link between the project and SSC click on edit.
If You want to create new project on SSC. If You would like to link this project with already created version of project on SSC just pick the value from select box and press edit.
Fortify SCA Integration and usage
Fortify does not provide option to remotely run and configure SAST scans. To perform such operation REST API were prepared. To prepare installation make sure You have:
- trust bond between certificates on both MixewayHub and MixewayFortifyScaRestAPI (certificates should be stored in specific trust stores -> FortifyScaRestAPI certificate in MixewayHub trust store and MIxewayHub’s certificate in FortifyScaRestAPI)
- JAVA 8 is installed on machine where SCA is installed
- CloudScan option in Fortify is enabled
- Make sure that user which will run JAR will have access to /opt/mixerscan location (this is the place where source code will be pulled by git)
Step #1: download API
From: https://github.com/Mixeway/MixewayFortifyScaRestApi/releases download latest release JAR and store it somewhere on SCA Machine.
Step #2: generate certificate (skip if You have certificates already generated)
#where $CN is ip of machine openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout pki/private.key -out pki/cert.crt -subj "/CN=$CN" &> /dev/null # where $CN is ip of machine and $P12PASS is password to pkcs12 store openssl pkcs12 -export -inkey pki/private.key -in pki/cert.crt -out pki/certificate.p12 -name "$CN" -password pass:$P12PASS
Step #3: get Trust store
Get JVM trust store and copy it to specific location
Step #4: create bond between certificates
add MixewayFortifyScaRestAPI certificate to Mixeway trust store using:
keytool -import -alias fortifyscarestapi -file <api_certificate> -storetype JKS -keystore <mixeway_truststore> and add MixewayHub's certificate to MixewayFortifyScaRestAPI keytool -import -alias mixeway -file <mixeway_cert> -storetype JKS -keystore <fortifyscarestapi_truststore>
Step #5: Run Fortify Rest API:
java -Dhttps.proxyPort=<proxyPort> \ -DhttpsProxyHost=<proxyHost> \ -Dhttp.nonProxyHosts=<nonProxyHosts> \ --server.port=<serverPort> \ --server.ssl.key-store=<keyStore> \ --server.ssl.key-store-password=<keyStorePassword> \ --server.ssl.trust-store=<trustStore> \ --server.ssl.trust-store-password=<trustStorePassword> \ --allowed.user=<allowedUsers> \ -jar fortifyscaapi-1.0.0-SNAPSHOT.jar
proxyPort,proxyHost,nonProxyHosts - proxy informations used by git and sourceanalyzer (mvn, npm) serverPort - listening port for REST API keyStore, keyStorePassword - keystore for TLS trustStore, trustStorePassword - key store contaning certificates which will be accepted by API allowedUsers - CN of x509 Certificate which is authorized to use REST API
Step #6: Register API in MixewayHub
To do so go to: Admin zone-> Scanners -> Add Scanner
- type: Fortify SCA Rest API
- Routing domain: leave blank
- proxy: if necessary pick one or leave blank
- API URL: url to api -> https://<ip>:8443 if default port were selected
- Cloud Controller Token: token generated from Fortify SSC
- Not trusted bond between SSL certificates of MixewayHub and FortifyScaRestAPI. Make sure that both truststores contains proper certificate
- Not authenticated user. MixewayFortifyScaRestApi is using SSL Certificate base authentication. Make sure to enter proper CN name of MixewayHub certificate while running JAR (–allowed.user=)
Step #7: Run scan
From project (code projects tab in project configuration zone) You should be able to run scan using proper action button.
MixewayFortifyScaRestApi – how it work
This spring boot application is Mixeway team product available under MIT license without any warranty. It base on ProcessBuilder which means that in proper order and defined logic particular Operation Systems commands are performed. for example:
sourceanalyzer -b test -clean
sourceanalyzer -b test mvn
Logic behind each request is as follows:
- Pull or clone project with given url, auth and branch into /opt/mixerscan/<projectname>
- run sourceanalyzer -b <projectname> -clean
- Dependant on application technology run proper translate phase
- send MBA to cloudscan using proper cloudscan operation
MixewayFortifyScaRestAPI contains set of hardcoded operations and at this moment covers technologies of:
- MVN for maven projects
- ANT for ant’s projects
- PHP for php projects
- PYTHON for python projects
about what is run behind the scenes check https://github.com/Mixeway/MixewayFortifyScaRestApi/blob/master/src/main/java/io/mixeway/fortifyscaapi/fortifysca/FortifyScaClient.java if branch is empty or null during scan generation master is being taken as default.
IT Security Expert, DevSecOps enthusiast, Java developer in spare time, Mixeway lead architect and PhD candidate on Warsaw University of Technology in field of Machine learning techniques in Cybersecurity.