fortify-client-api's Introduction

Fortify Client API Libraries

Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your software supply chain. As the sole Code Security solution with over two decades of expertise and acknowledged as a market leader by all major analysts, Fortify delivers the most adaptable, precise, and scalable AppSec platform available, supporting the breadth of tech you use and integrated into your preferred toolchain. We firmly believe that your great code demands great security, and with Fortify, go beyond 'check the box' security to achieve that.

This repository contains various modules for interacting with Fortify products through their respective REST APIs. This is by no means meant to act like an official Fortify client SDK; its primary purpose is to provide shared libraries for use by Fortify-provided integration utilities. Use of these libraries in 3rd-party utilities is neither endorsed nor recommended. In particular, please note the following before considering using fortify-client-api in any application:

  • There is no guarantee that any functionality provided by fortify-client-api actually works; functionality is only tested indirectly through the various integration utilities that utilize fortify-client-api
  • fortify-client-api only covers a subset of the APIs provided by the various Fortify products, as required by the various integration utilities
  • New versions of fortify-client-api may introduce significant changes without taking backward compatibility into account, and existing functionality may cease to exist; upgrading to a new version of fortify-client-api may require a significant rewrite of code dependent on fortify-client-api
  • No maintenance, including bug fixes, is being done on older versions of fortify-client-api
  • Feature requests are not accepted
  • Bug fixes are only considered if a bug affects any of the Fortify-provided integration utilities

Support

The only warranties for products and services of Open Text and its affiliates and licensors (“Open Text”) are as may be set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Open Text shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

The software is provided "as is" and is not supported through the regular OpenText Support channels. Support requests may be submitted through the GitHub Issues page for this repository. A (free) GitHub account is required to submit new issues or to comment on existing issues.

Support requests created through the GitHub Issues page may include bug reports, enhancement requests and general usage questions. Please avoid creating duplicate issues by checking whether there is any existing issue, either open or closed, that already addresses your question, bug or enhancement request. If an issue already exists, please add a comment to provide additional details if applicable.

Support requests on the GitHub Issues page are handled on a best-effort basis; there is no guaranteed response time, no guarantee that reported bugs will be fixed, and no guarantee that enhancement requests will be implemented. If you require dedicated support for this and other Fortify software, please consider purchasing OpenText Fortify Professional Services. OpenText Fortify Professional Services can assist with general usage questions, integration of the software into your processes, and implementing customizations, bug fixes, and feature requests (subject to feasibility analysis). Please contact your OpenText Sales representative or fill in the Professional Services Contact Form to obtain more information on pricing and the services that OpenText Fortify Professional Services can provide.


This document was auto-generated from README.template.md; do not edit by hand

fortify-client-api's Issues

Error parsing SSC token expiration date

It seems like the token expiration date format returned by SSC is (slightly) different on different runtime platforms and maybe between different SSC versions. For example, in a test environment using the fortifydocker/sscdemo:21.1.0 image, connections to SSC fail with an exception like the following:

Caused by: java.time.format.DateTimeParseException: Text '2021-06-30T09:39:32.994+00:00' could not be parsed, unparsed text found at index 23
	at java.time.format.DateTimeFormatter.parseResolved0(Unknown Source) ~[?:1.8.0_291]
	at java.time.format.DateTimeFormatter.parseBest(Unknown Source) ~[?:1.8.0_291]
	at com.fortify.util.rest.json.JSONDateTimeConverter.parseTemporalAccessor(JSONDateTimeConverter.java:73) ~[common-rest-6.0.2.RELEASE.jar:?]
	at com.fortify.util.rest.json.JSONDateTimeConverter.parseZonedDateTime(JSONDateTimeConverter.java:62) ~[common-rest-6.0.2.RELEASE.jar:?]
	at com.fortify.util.rest.json.JSONDateTimeConverter.parseDate(JSONDateTimeConverter.java:58) ~[common-rest-6.0.2.RELEASE.jar:?]
	at com.fortify.util.rest.json.JSONDateTimeConverter.convert(JSONDateTimeConverter.java:54) ~[common-rest-6.0.2.RELEASE.jar:?]
	at com.fortify.util.rest.json.JSONDateTimeConverter.convert(JSONDateTimeConverter.java:37) ~[common-rest-6.0.2.RELEASE.jar:?]
	at org.springframework.core.convert.support.GenericConversionService$ConverterAdapter.convert(GenericConversionService.java:386) ~[spring-core-5.3.6.jar:5.3.6]
	at org.springframework.core.convert.support.ConversionUtils.invokeConverter(ConversionUtils.java:41) ~[spring-core-5.3.6.jar:5.3.6]
	... 20 more

cast error

SSCAuthenticatingRestConnection sscClient = SSCAuthenticatingRestConnection.builder()
		.userName(fortifyAccount)
		.password(fortifyPassword)
		.baseUrl(fortifyUrl)
		.multiThreaded(true)
		.build();

SSCApplicationsQueryBuilder sscApplicationsQueryBuilder = sscClient.api(SSCApplicationAPI.class).queryApplications();
for (Object o : sscApplicationsQueryBuilder.build().getAll()) {
//	JSONObject jsonObject = JSONUtil.parseObj(o);
//	System.out.println(jsonObject);
}

err info:

Exception in thread "main" java.lang.ClassCastException: com.alibaba.fastjson.JSONObject cannot be cast to com.fortify.util.rest.json.JSONMap
	at com.fortify.client.ssc.connection.SSCTokenFactoryUserCredentials.getTokenData(SSCTokenFactoryUserCredentials.java:80)
	at com.fortify.client.ssc.connection.SSCTokenFactoryUserCredentials.lambda$getToken$0(SSCTokenFactoryUserCredentials.java:72)
	at com.fortify.util.log4j.LogMaskingHelper$AbstractMasker.on(LogMaskingHelper.java:105)
	at com.fortify.client.ssc.connection.SSCTokenFactoryUserCredentials.getToken(SSCTokenFactoryUserCredentials.java:71)
	at com.fortify.client.ssc.connection.SSCTokenFactoryUserCredentials.getTokenSynchronized(SSCTokenFactoryUserCredentials.java:65)
	at com.fortify.client.ssc.connection.SSCAuthenticatingRestConnection.updateBuilder(SSCAuthenticatingRestConnection.java:85)
	at com.fortify.util.rest.connection.AbstractRestConnection.executeRequest(AbstractRestConnection.java:242)
	at com.fortify.util.rest.connection.AbstractRestConnection.executeRequestWithFinalizedWebTarget(AbstractRestConnection.java:210)
	at com.fortify.util.rest.connection.AbstractRestConnection.executeRequest(AbstractRestConnection.java:200)
	at com.fortify.util.rest.connection.AbstractRestConnection.executeRequest(AbstractRestConnection.java:187)
	at com.fortify.util.rest.query.AbstractRestConnectionQuery.executeRequest(AbstractRestConnectionQuery.java:143)
	at com.fortify.util.rest.query.AbstractRestConnectionQuery.processSingleRequest(AbstractRestConnectionQuery.java:217)
	at com.fortify.util.rest.query.AbstractRestConnectionQuery.processAll(AbstractRestConnectionQuery.java:207)
	at com.fortify.util.rest.query.AbstractRestConnectionQuery.processAll(AbstractRestConnectionQuery.java:89)
	at com.fortify.util.rest.query.AbstractRestConnectionQuery.getAll(AbstractRestConnectionQuery.java:109)
	at com.wocnm.controller.TEST.main(TEST.java:37)

Move artifacts to other repository

Artifacts are currently being deployed to https://bintray.com/fortify-ps/maven, however BinTray will cease to exist later this year. Artifacts will need to be moved elsewhere, and projects that have a dependency on fortify-client-api must be updated to use the new location.

Where to move the artifacts is currently being discussed.

Update to using the version 2.17.1 of log4j

Hello,

It looks like there is already a pull request for this change: #17

However,

The 6.1.2 Release of the Fortify API client leverages log4j 2.16.0. The latest version being recommended in Maven is 2.17.1, which was released on Dec. 27 to mitigate all variations of the log4j vulnerability. It looks like the community supporting this API client needs to make a change to leverage the new 2.17.1 log4j instead of 2.16.0.

Please advise when this is going to be merged. I find it ironic that this has not been fixed, as this is a security fix that is not implemented yet for a security client api.

Thanks,
Sultan

Failed to convert from type [java.lang.String] to type [java.util.Date]

{"data":{"id":229,"token":"[hidden]","creationDate":"2021-03-24T20:35:20.052+0000","terminalDate":"2021-03-25T20:35:20.052+0000","remainingUsages":-1,"type":"UnifiedLoginToken","description":null,"username":"XXXXXXXXX"},"responseCode":200}

2021-03-24 13:35:20,114 [main] ERROR com.fortify.processrunner.RunProcessRunnerFromCLI - [Process] Error processing
org.springframework.core.convert.ConversionFailedException: Failed to convert from type [java.lang.String] to type [java.util.Date] for value '2021-03-25T20:35:20.052+0000'; nested exception is java.time.format.DateTimeParseException: Text '2021-03-25T20:35:20.052+0000' could not be parsed, unparsed text found at index 22
at org.springframework.core.convert.support.ConversionUtils.invokeConverter(ConversionUtils.java:47) ~[FortifyBugTrackerUtility-4.1.jar:?]
at org.springframework.core.convert.support.GenericConversionService.convert(GenericConversionService.java:191) ~[FortifyBugTrackerUtility-4.1.jar:?]
at org.springframework.core.convert.support.GenericConversionService.convert(GenericConversionService.java:174) ~[FortifyBugTrackerUtility-4.1.jar:?]
at com.fortify.util.rest.json.JSONMap.get(JSONMap.java:132) ~[FortifyBugTrackerUtility-4.1.jar:?]
at com.fortify.client.ssc.connection.SSCTokenFactoryUserCredentials.getTokenData(SSCTokenFactoryUserCredentials.java:81) ~[FortifyBugTrackerUtility-4.1.jar:?]
at com.fortify.client.ssc.connection.SSCTokenFactoryUserCredentials.lambda$getToken$0(SSCTokenFactoryUserCredentials.java:72) ~[FortifyBugTrackerUtility-4.1.jar:?]
at com.fortify.util.log4j.LogMaskingHelper$AbstractMasker.on(LogMaskingHelper.java:105) ~[FortifyBugTrackerUtility-4.1.jar:?]
at com.fortify.client.ssc.connection.SSCTokenFactoryUserCredentials.getToken(SSCTokenFactoryUserCredentials.java:71) ~[FortifyBugTrackerUtility-4.1.jar:?]
at com.fortify.client.ssc.connection.SSCAuthenticatingRestConnection.updateBuilder(SSCAuthenticatingRestConnection.java:86) ~[FortifyBugTrackerUtility-4.1.jar:?]
at com.fortify.util.rest.connection.AbstractRestConnection.executeRequest(AbstractRestConnection.java:207) ~[FortifyBugTrackerUtility-4.1.jar:?]
at com.fortify.util.rest.connection.AbstractRestConnection.executeRequestWithFinalizedWebTarget(AbstractRestConnection.java:175) ~[FortifyBugTrackerUtility-4.1.jar:?]
at com.fortify.util.rest.connection.AbstractRestConnection.executeRequest(AbstractRestConnection.java:165) ~[FortifyBugTrackerUtility-4.1.jar:?]
at com.fortify.util.rest.connection.AbstractRestConnection.executeRequest(AbstractRestConnection.java:152) ~[FortifyBugTrackerUtility-4.1.jar:?]
at com.fortify.util.rest.query.AbstractRestConnectionQuery.executeRequest(AbstractRestConnectionQuery.java:138) ~[FortifyBugTrackerUtility-4.1.jar:?]
at com.fortify.util.rest.query.AbstractRestConnectionQuery.processSingleRequest(AbstractRestConnectionQuery.java:207) ~[FortifyBugTrackerUtility-4.1.jar:?]
at com.fortify.util.rest.query.AbstractRestConnectionQuery.processAll(AbstractRestConnectionQuery.java:197) ~[FortifyBugTrackerUtility-4.1.jar:?]
at com.fortify.util.rest.query.AbstractRestConnectionQuery.processAll(AbstractRestConnectionQuery.java:87) ~[FortifyBugTrackerUtility-4.1.jar:?]
at com.fortify.util.rest.query.AbstractRestConnectionQuery.getAll(AbstractRestConnectionQuery.java:107) ~[FortifyBugTrackerUtility-4.1.jar:?]
at com.fortify.bugtracker.common.src.context.AbstractSourceContextGenerator.generateContexts(AbstractSourceContextGenerator.java:180) ~[FortifyBugTrackerUtility-4.1.jar:?]
at com.fortify.processrunner.RunProcessRunnerFromSpringConfig.getContexts(RunProcessRunnerFromSpringConfig.java:151) ~[FortifyBugTrackerUtility-4.1.jar:?]
at com.fortify.processrunner.RunProcessRunnerFromSpringConfig.run(RunProcessRunnerFromSpringConfig.java:81) ~[FortifyBugTrackerUtility-4.1.jar:?]
at com.fortify.processrunner.RunProcessRunnerFromCLI.run(RunProcessRunnerFromCLI.java:166) [FortifyBugTrackerUtility-4.1.jar:?]
at com.fortify.processrunner.RunProcessRunnerFromCLI.main(RunProcessRunnerFromCLI.java:359) [FortifyBugTrackerUtility-4.1.jar:?]
Caused by: java.time.format.DateTimeParseException: Text '2021-03-25T20:35:20.052+0000' could not be parsed, unparsed text found at index 22
at java.time.format.DateTimeFormatter.parseResolved0(Unknown Source) ~[?:1.8.0_281]
at java.time.format.DateTimeFormatter.parseBest(Unknown Source) ~[?:1.8.0_281]
at com.fortify.util.rest.json.JSONConversionServiceFactory$DateConverter.parseZonedDateTime(JSONConversionServiceFactory.java:72) ~[FortifyBugTrackerUtility-4.1.jar:?]
at com.fortify.util.rest.json.JSONConversionServiceFactory$DateConverter.parseDate(JSONConversionServiceFactory.java:68) ~[FortifyBugTrackerUtility-4.1.jar:?]
at com.fortify.util.rest.json.JSONConversionServiceFactory$DateConverter.convert(JSONConversionServiceFactory.java:64) ~[FortifyBugTrackerUtility-4.1.jar:?]
at com.fortify.util.rest.json.JSONConversionServiceFactory$DateConverter.convert(JSONConversionServiceFactory.java:61) ~[FortifyBugTrackerUtility-4.1.jar:?]
at org.springframework.core.convert.support.GenericConversionService$ConverterAdapter.convert(GenericConversionService.java:385) ~[FortifyBugTrackerUtility-4.1.jar:?]
at org.springframework.core.convert.support.ConversionUtils.invokeConverter(ConversionUtils.java:41) ~[FortifyBugTrackerUtility-4.1.jar:?]
... 22 more
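
The two date-parsing reports on this page differ only in how the UTC offset of the token date is written (`+00:00` in one, `+0000` in the other). The following is an added example, not code from fortify-client-api or from either reporter: it shows one way a client could accept both forms and treat an unparsable `terminalDate` as an expired token. The class and method names are hypothetical.

```java
import java.time.Instant;
import java.time.OffsetDateTime;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeFormatterBuilder;
import java.time.format.DateTimeParseException;

// Added example; class and method names are hypothetical, not fortify-client-api code.
public class TolerantTokenDateParser {
    // Accepted forms, tried in order. A value without any offset matches neither.
    private static final DateTimeFormatter[] ACCEPTED = {
        DateTimeFormatter.ISO_OFFSET_DATE_TIME,              // ...+00:00 or Z
        new DateTimeFormatterBuilder()
            .append(DateTimeFormatter.ISO_LOCAL_DATE_TIME)
            .appendOffset("+HHMM", "Z")                      // ...+0000
            .toFormatter()
    };

    // Returns the instant, or throws DateTimeParseException if no accepted form matches.
    static Instant parseTerminalDate(String text) {
        DateTimeParseException last = null;
        for (DateTimeFormatter f : ACCEPTED) {
            try {
                return OffsetDateTime.parse(text, f).toInstant();
            } catch (DateTimeParseException e) {
                last = e;
            }
        }
        throw last;
    }

    // Fail closed: a missing or unparsable expiry means the token is not reused.
    static boolean isUsable(String terminalDate, Instant now) {
        if (terminalDate == null) return false;
        try {
            return parseTerminalDate(terminalDate).isAfter(now);
        } catch (DateTimeParseException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2021-03-25T00:00:00Z"); // constructed clock value
        // First two values are from the issue reports; the third is constructed (no offset).
        for (String s : new String[] {"2021-06-30T09:39:32.994+00:00",
                "2021-03-25T20:35:20.052+0000", "2021-03-25T20:35:20.052"}) {
            System.out.println(s + " usable=" + isUsable(s, now));
        }
    }
}
```

Rejecting the offset-less value is deliberate: without an offset the expiry instant is ambiguous, so the token is treated as unusable and a new one must be requested.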

Update README.md

Some of the information in README.md seems to be outdated, and README.md contains some TODOs. Before the next release, the information in README.md should be reviewed and adjusted as necessary.

Also, the 'Build Environment' section should probably be moved elsewhere, as this is only relevant for project maintainers and not relevant for project users.
