FortifyVulnerabilityExporter uses the fortify-client-api project, which uses a different (Apache) HTTP client and probably comes with many dependencies that may not be compatible with GraalVM/native binaries
Effectively it is just retrieving vulnerability data and transforming that to various formats, so potentially this could be rewritten and incorporated into fcli.
Need to think about how the command structure should look, especially since FortifyVulnerabilityExporter is very configurable; see https://github.com/fortify/FortifyVulnerabilityExporter/tree/main/config and https://github.com/fortify/FortifyVulnerabilityExporter/tree/main/FortifyVulnerabilityExporter-plugin-to-json/src/main/resources/pluginConfig
Other notes: The 'transformation library' consists of just a couple of classes, mostly in https://github.com/fortify/FortifyVulnerabilityExporter/tree/main/FortifyVulnerabilityExporter-plugin-to-json/src/main/java/com/fortify/vulnexport/to/json/vuln, but as mentioned it heavily depends on Spring EL of which I'm not sure it will work well with native binaries. The transformation library is based on Spring Expression Language.
Other than that, it would be mostly replicating some of the functionality from my fortify-client-api to get and filter data from SSC and FoD, but then using the HTTP/REST client used by fcli.
In particular, based on configuration it should be possible to get additional data from SSC/FoD for a particular application version/release or vulnerability, like calling the details endpoint for every SSC vuln.
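As an added illustration (not code from fcli, fortify-client-api or FortifyVulnerabilityExporter), the "list, filter, then optionally call the details endpoint for each vulnerability" step mentioned above, with the extra details call driven by configuration. The SSC endpoint paths, the response shapes and the sample issues are constructed assumptions for this example; the point it shows is that filtering must happen before enrichment so the per-issue details request (one round trip per vulnerability) is only paid for issues that survive the filter.

```python
"""Illustrative list-then-enrich exporter. Not fcli code; endpoint paths,
response shapes and the sample data below are assumptions for the example."""
from dataclasses import dataclass
from typing import Callable

# Constructed sample SSC-style responses, keyed by request path (assumed shapes).
SAMPLE_RESPONSES = {
    "/api/v1/projectVersions/10/issues": {
        "data": [
            {"id": 1, "issueName": "SQL Injection", "friority": "Critical", "suppressed": False},
            {"id": 2, "issueName": "Poor Logging Practice", "friority": "Low", "suppressed": False},
            {"id": 3, "issueName": "Cross-Site Scripting", "friority": "High", "suppressed": True},
        ]
    },
    "/api/v1/issueDetails/1": {"data": {"id": 1, "recommendation": "Use parameterized queries."}},
    "/api/v1/issueDetails/2": {"data": {"id": 2, "recommendation": "Avoid logging sensitive data."}},
    "/api/v1/issueDetails/3": {"data": {"id": 3, "recommendation": "Encode output for the HTML context."}},
}

PRIORITY_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


@dataclass
class ExportConfig:
    """Settings a user would supply; mirrors the kind of knobs the issue talks about."""
    include_suppressed: bool = False
    min_priority: str = "Low"        # Low, Medium, High or Critical
    fetch_details: bool = False      # when True, one extra request per exported issue


class CountingFetcher:
    """Stand-in for the REST client: serves canned responses and counts requests,
    so the cost of enabling fetch_details is visible."""

    def __init__(self, responses: dict):
        self.responses = responses
        self.calls = 0

    def __call__(self, path: str) -> dict:
        self.calls += 1
        return self.responses[path]


def export_issues(fetch: Callable[[str], dict], version_id: int, cfg: ExportConfig) -> list:
    """List issues for an application version, filter them, then enrich the survivors."""
    issues = fetch(f"/api/v1/projectVersions/{version_id}/issues")["data"]
    threshold = PRIORITY_ORDER[cfg.min_priority]
    # Filter first: the details endpoint is only called for issues that will be exported.
    selected = [
        i for i in issues
        if (cfg.include_suppressed or not i["suppressed"])
        and PRIORITY_ORDER[i["friority"]] >= threshold
    ]
    records = []
    for issue in selected:
        record = {"id": issue["id"], "name": issue["issueName"], "priority": issue["friority"]}
        if cfg.fetch_details:
            details = fetch(f"/api/v1/issueDetails/{issue['id']}")["data"]
            record["recommendation"] = details["recommendation"]
        records.append(record)
    return records


def run_example() -> tuple:
    """Export High+ unsuppressed issues with details; returns (records, request count)."""
    fetcher = CountingFetcher(SAMPLE_RESPONSES)
    cfg = ExportConfig(min_priority="High", fetch_details=True)
    return export_issues(fetcher, 10, cfg), fetcher.calls


if __name__ == "__main__":
    records, calls = run_example()
    print(f"{len(records)} issue(s) exported with {calls} request(s)")
    for r in records:
        print(r)
```

With details disabled the export is a single list request regardless of how many issues match; enabling it adds exactly one request per exported issue, which is why the filter runs before the enrichment loop rather than after it.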