fod-dev / fod-uploader-java

Java Utility for uploading packages to FoD
MIT License
12 stars 27 forks source link

fod-uploader-java

Java utility for uploading code to Fortify on Demand

Usage

Current

Note: Command-line arguments have been reworked since 3.1.0. If you are upgrading from an older version to the latest version, make sure to update your arguments.

The following table describes the FoDUploader arguments. Arguments are named and can be in any order:

Short Name Long Name Required? Description
-z -zipLocation Yes Location of payload zip file
-ep -entitlementPreferenceType Yes Whether to use a single scan or subscription assessment: 1/SingleScanOnly, 2/SubscriptionOnly, 3/SingleScanFirstThenSubscription, 4/SubscriptionFirstThenSingleScan
-ac -apiCredentials Yes1 API credentials
-uc -userCredentials Yes1 User credentials (wrap each in quotations to handle certain non-alphanumeric characters in the CLI)
-bsi -bsiToken Yes2 BSI token
-rid -releaseId Yes2 Release ID
-purl -portalurl Yes3 Domain URL
-aurl -apiurl Yes3 API root URL
-tc -tenantCode Yes3 Tenant ID if using user credentials
-at -assessmentTypeId Yes4 Assessment type ID
-eid -entitlement Yes4 Entitlement ID
-ts -technologyStackId Yes4 Technology stack as an integer: 1 (.NET), 23 (.Net Core), 2 (ABAP), 21 (Apex/Visualforce), 3 (ASP), 5 (CFML), 6 (COBOL), 22 (Go), 7 (JAVA/J2EE), 16 (JS/TS/HTML), 18 (MBS/C/C++/Scala), 9 (PHP), 10 (PYTHON), 17 (Ruby), 12 (Swift/Objective C/C++), 11 (VB6), 14 (VBScript), 12 (Swift/Objective C/C++), 9 (PHP), 27 (Infrastructure-As-Code/Dockerfile), 31 (Solidity) , 28 (React Native), 29 (DART), 26 (Kotlin), "22": "GO",
-l -languageLevelId Yes4 Language level as an integer:
.NET: 2 (2.0), 3 (3.0), 4 (3.5), 5 (4.0), 11 (4.5), 15 (4.6), 16 (4.7), 30, (4.8), 32 (5.0),33 (6.0),35 (7.0),38 (8.0)
.NET Core: 23 (1.0), 24 (1.1), 25 (2.0), 26 (2.1), 27 (2.2), 28 (3.0), 29 (3.1)
Java: 12 (1.8), 17 (1.9), 19 (10), 20 (11), 21 (12), 22 (13),34 (17),39 (21)
GO 41(1.21)
Python: 13 (2), 14 (2 Django), 18 (3), 37 (4.2 Django)
,
-a -auditPreferenceId Yes4 Audit preference: Manual, Automated
-bs -isBinaryScan No4 Scan compiled and source code (the feature must be enabled)
-os -allowopenSourceComponentAnalysis No4 Include open source component analysis
-rp -remediationScanPreferenceType No Remediation scan preference: 0/RemediationScanIfAvailable, 1/RemediationScanOnly, 2/NonRemediationScanOnly (default)
-pp -inProgressScanActionType No If in-progress scan exists, the action to take for a new scan: 0/DoNotStartScan (default), 1/CancelScanInProgress, 2/Queue
-purchase -purchaseEntitlement No Whether to purchase an entitlement (if available)
-apf -allowPolicyFail No Whether to return exit(0) instead of exit(1) if the scan fails the security policy specified in Fortify on Demand
-n -notes No The notes about the scan
-I -pollingInterval No Interval between checking scan status in minutes
-P -proxy No Proxy connection details (order dependent):
-h -help No Print help dialog
-v -version No Print jar version

1Use either apiCredentials or userCredentials.
2Use either releaseId or bsiToken. If both are provided, then the scan settings that are retrieved from the release ID will be used.
3Required if BSI token is not provided.
4Required if neither release ID nor BSI token is provided. Values override existing release ID or BSI token settings.

Syntax:

FodUpload.jar -z <zip_file_path> -ep {1|SingleScanOnly|2|SubscriptionOnly|3|SingleScanFirstThenSubscription|4|SubscriptionFirstThenSingleScan} {-ac <key> <secret> | -uc <username> <password>} {-rid <release_id> | -bsi <token> | -at <assessment_id> -eid <entitlement_id> -ts <tstack_id> -l <lang_id> <-a {Manual|Automated} bs -os} -purl <domain_url> -aurl <api_url> -tc <tenant_id>  [-rp {0|RemediationScanIfAvailable|1|RemediationScanOnly|2|NonRemediationScanOnly}] [-pp {0|DoNotStartScan|1|CancelScanInProgress|2|Queue}] [-purchase] [-apf] [-n] [-I <minutes>] [-P <proxyUrl> <username> <password> <nt_domain> <nt_workstation>] [-h] [-v]

Previous

The following table describes the FoDUploader arguments for 3.1.0:

Short Name Long Name Required? Description
-bsi -bsiToken Yes Build server token
-z -zipLocation Yes Location of scan
-ep -entitlementPreference Yes Whether to use a single scan or subscription assessment (if available) (1/Single, 2/Subscription)
-ac -apiCredentials Yes* Api credentials ("key:" does not need to be appended to <key>)
-uc -userCredentials Yes* User login credentials (wrap each in quotations to avoid escaping characters in the CLI)
-a -auditPreferenceId No False positive audit type (1/Manual, 2/Automated)
-p -scanPreferenceId No Scan mode (1/Standard, 2/Express)
-I -pollingInterval No Interval between checking scan status in minutes
-P -proxy No Credentials for accessing the proxy
-os -runOpenSourceScan No Whether to run an Open Source Scan
-h -help No Print help dialog
-v -version No Print jar version
-itp -includeThirdPartyLibs No Include Third Party Libraries from scan
-r -isRemediationScan No Whether the scan is in remediation
-b -isBundledAssessment No Whether the scan is a bundled assessment
-purchase -purchaseEntitlement No Whether to purchase an entitlement (if available)
-n -notes No The notes about the scan.

*Use either apiCredentials or userCredentials.

Syntax:

FodUpload.jar -bsi <token> -z <file> {-ac <key> <secret> | -uc <username> <password>} -ep {1|SingleScan|2|Subscription} [-p {1|Standard|2|Express}] [-a {1|Manual|2|Automated}] [-itp] [-os] [-b] [-r] [-purchase] [-n] [-I <minutes>] [-P <proxy_url> <username> <password> <nt_domain> <nt_workstation>] [-h] [-v] 

Developer Setup

FoDUploader is configured to build a fat jar with the Gradle Shadow plugin as the default gradle task.

To compile, simply use the gradlew or gradlew.bat depending on your operating system.

.\gradlew.bat

For a better breakdown of the build process, compile gradle with the following:

.\gradlew.bat -I init.gradle build

If you are behind a firewall, you will need to configure gradle's proxy settings in:

/\/.gradle/gradle.properties

systemProp.http.proxyHost=<web-proxy-host>
systemProp.http.proxyPort=<web-proxy-port>

systemProp.https.proxyHost=<web-proxy-host>
systemProp.https.proxyPort=<web-proxy-port>