fortify / fortifyvulnerabilityexporter Goto Github PK

View Code? Open in Web Editor NEW

23.0 5.0 8.0 464 KB

Export Fortify vulnerability data to GitHub, GitLab, SonarQube and more

License: Other

Java 99.76% Shell 0.24%

fortify fortify-on-demand fortify-ssc github gitlab sonarqube defectdojo devsecops devops appsec

fortifyvulnerabilityexporter's People

Contributors

Stargazers

Watchers

Forkers

rongqinglee dylanbthomas zubairquazi rsenden kadraman kwasib simon-engledew swasti092

fortifyvulnerabilityexporter's Issues

Invalid line numbers in GitHub SARIF output under `codeFlows`

This issue is related to this closed issue in which errors were thrown as Fortify reports vulnerabilities on line number 0.

The same error happens now. But this time, it is under codeFlows as shown in the error below:

Error: Unable to upload "./gh-fortify-sast.sarif" as it is not valid SARIF:
- instance.runs[0].results[0].codeFlows[0].threadFlows[0].locations[0].location.physicalLocation.region.startLine must be greater than or equal to 1

To address the above, It may be possible to just use the same treatment here to handle the faulty startLine here.

`export.from` configuration name handling

According to the documentation, the export.from configuration property specifies the plugin and optional configuration name used to load vulnerability data. However, specifying a configuration name will cause problems as the fod or ssc profile will not be properly activated.

Technical details:

AbstractVulnerabilityLoaderFactory properly handles the optional configuration name
application.yml defines property spring.profiles.active as default, ${export.from}
Setting for example export.from to fod.instance1 will result in a profile named fod.instance1 to be activated instead of just fod
Plugin configuration files shipped with the to-json plugin however expect that either fod or ssc profile is activated

Add synchronization with external systems like bug trackers

Rationale

We currently provide FortifyBugTrackerUtility (FBTU) for submitting vulnerability data to bug tracking and other external systems. It makes sense to move this functionality to FortifyVulnerabilityExporter (FVE) for various reasons:

Submitting vulnerability data to a bug tracking system is just a special kind of export
There is already some overlap between the utilities, for example both can export vulnerability data to CSV format
Despite its name, FBTU supports exporting vulnerability data to non-bugtracking systems like CSV files and RSA Archer; having a generic export utility for such non-bugtracking targets makes more sense
FVE provides a much more modern and user-friendly configuration file format (YAML versus Spring XML)
FVE has a much simpler architecture and code base, utilizing modern Java features like lambda expressions
FVE build system and automated semantic versioning make it easier to publish small updates as patches

Requirements

Compatibility with FBTU is the main requirement for moving bug tracking support to FVE:

Bug links on vulnerabilities previously exported with FBTU must be properly recognized and processed by FVE
- Bug links stored as native bug links in SSC or FoD
- Bug links stored as comments in FoD
- Bug links stored as custom tags in SSC
Support for updating SSC custom tags with current (bug) state in target system
Support for updating previously submitted bugs/work items with updated SSC/FoD vulnerability state
- Update bug/work item contents like description
- Transition bug/work item to open/closed status
Support for the following external (bug tracking) systems:
- ALM Octane: required
- JIRA: required, including support for parent issues
- Azure DevOps: required
- CSV: already provided by FVE
- RSA Archer: not planned unless there is demand
- SSC bug trackers: not planned unless there is demand

Ideas for implementation

Vulnerability loading

Contrary to FBTU, FVE will by default load all vulnerabilities from FoD/SSC and process them all at once for both submitting new vulnerabilities and updating existing bugs/work items
- Avoids loading vulnerability data twice in case we need to do client-side filtering to differentiate between previously submitted vulnerabilities and new vulnerabilities to be exported
- Allows for easier, explicit, flexible and less error-prone configuration using client-side filtering
  - Explicit client-side filters specify whether hidden, removed or suppressed issues should be exported
  - Example filter expression for submitting new vulnerabilities: isOpen && !targetLocation && customTags['Analysis']=='Exploitable'
- Client-side filters are specified on the target configuration, rather than SSC/FoD configuration
  - Allows target implementation to provide different filtering options for different purposes
    - For example, bug tracker implementation can provide different filtering properties for handling new versus previously submitted vulnerabilities
  - Allows for exporting vulnerabilities to multiple systems/formats in a single run

Enhance embed processing

Add expression property to fortify-client-api StandardEmbedConfig class
- Provides explicit alternative for FBTU isVulnerabilityOpenExpression, by configuring for example ssc.vulnerability.embed with propertyName: isOpen and expression: removed==false && suppressed==false && hidden==false
Add support in fortify-client-api to embed SSC custom tag values by name
- Allows for filtering by for example Analysis tag value
- Allows for easy retrieval of export location from custom tag

Storing export details in SSC/FoD

Add configuration properties for FoD/SSC updates
- <targetType.instanceName>.<ssc|fod>.store:
  - exportLocation:
    - asNativeBugLink: <true|false> (SSC & FoD)
    - asCustomTag: <name> (SSC)
    - asComment: <commentFormat> (FoD)
  - extraCustomTags: (SSC)
    - <name>: <expression>
- Although property is under target configuration, it will be read by SSC/FoD implementation
  - For each configured target factory, SSC/FoD implementation will get <targetType.instanceName> from the factory and read the corresponding <targetType.instanceName>.<ssc|fod>.store: configuration
  - If <targetType.instanceName>.<ssc|fod>.store.exportLocation.asNativeBugLink is true, the target processor will not be created/invoked if native bug link is not available for the current application version/release (incorrect bug tracker configured on FoD, 'Register bug link' bug tracker not configured on SSC)
  - If <targetType.instanceName>.ssc.store.exportLocation.asCustomTag is defined, the target processor will not be created/invoked if custom tag is not available on current application version
  - If the application version/release is skipped for all configured targets, effectively no vulnerabilities will be loaded for that application version/release
Add updateVulnerabilityState method in IVulnerabilityConsumerContext that can be invoked by target implementation to request an update of SSC/FoD vulnerability state, for example to register export location (for newly exported issues) or to update extra custom tags in SSC (for newly and previously exported issues)
- Target passes <targetType.instanceName>, list of vulnerabilities (contents or id's?) to be updated, and target entity details (location, state, ...) to this method
- Is it necessary to differentiate between newly exported issues and previously exported issues?
- If so, separate methods or enum value?

Vulnerability grouping

Grouping is configured and performed by the target implementation
- Allows for different groupings for different targets in a single run
Standard grouping functionality is provided for easy re-use by the target implementations
- Can we re-use/generalize existing JSON formatting functionality to also perform grouping?

Reconsider ability to process all releases for matching app(s) when using `fod.release.name`/`ssc.version.name` properties

See #70 for background information. Potentially, we should reconsider the ability to process multiple versions/releases if release/version name is omitted from fod.release.name/ssc.version.name properties. If users want to process all releases/versions for a given application (or multiple applications), they can use the fod.release.regex/ssc.version.regex properties instead to perform wildcard matching.

Related to this, when querying FoD for app/release name, FoD uses case-insensitive 'contains' matching instead of exact matching. For example, when querying FoD for 'App', FoD will return App, My app, APP2, ... This is usually not what users expect, and is inconsistent with SSC behavior (which uses exact matching). We should probably fix/enhance fortify-client-api to add (optional) support for performing client-side exact matching on the results returned by FoD.

The "Release versions" BinTray link returns a 404

In your readme.md, the "Release versions: https://bintray.com/package/files/fortify-ps/release/FortifyVulnerabilityExporter?order=desc&sort=fileLastModified&basePath=&tab=files" link returns a 404.

Dockerfile

Hello @rsenden,

where can I find the Dockerfile for the tool ? I need to add our root CA to the cert storage(s) and build our own image.

SonarQube is not importing vulnerabilities from scan as "filePath" is without volume [E:]

SSC vulnerabilities cannot be imported in SonarQube 8.3.1 during scan.

Issue: json file was generated successfully from SSC app version with FortifyVulnerabilityExporter version 1.2.0, but SonarQube was not importing vulnerabilities from scan as "filePath" was without volume.

Examples:

filePath with volume: "filePath" : "E:/Agents/vbc/a0/_work/1/s/Source/AAA/BBB/C.asax.cs",
filePath without volume: "filePath" : "/Agents/vbc/a0/_work/1/s/Source/AAA/BBB/C.asax.cs",

"issues" : [ {
   "engineId" : "FortifySCA",
   "ruleId" : "Dead Code: Unused Field",
   "severity" : "INFO",
   "type" : "VULNERABILITY",
   "primaryLocation" : {
     "message" : "Dead Code: Unused Field - https://fortifyssc.veripark.com/ssc/html/ssc/version/10001/fix/8263/?engineType=SCA&issue=645F7B691879C8261100E0AA0E8AA3F0",
     "filePath" : "/Agents/vbc/a0/_work/1/s/Source/AAA/BBB/C.asax.cs",
     "textRange" : {
       "startLine" : 17
     }
   }

There were 0 issues imported. Error experienced during SonarQube scan with external Fortify issue import:

13:59:48.253 DEBUG: Importing issues from 'E:\Fortify\FortifyVulnerabilityExporter\sq-fortify-sast.json'
13:59:48.268 INFO: **Imported 0 issues in 0 files**
13:59:48.268 INFO: External issues ignored for 443 unknown files, including: Agents/xyz/a0/_work/1/s/Source/Business/EService/Global.asax.cs, Agents/xyz/a0/_work/1/s/Source/Business/EService/Web.config, Agents/xyz/a0/_work/1/s/Source/Business/EService/Web.Debug.config, Agents/xyz/a0/_work/1/s/Source/Business/EService/Web.Release.config, Agents/xyz/a0/_work/1/s/Source/Business/A.Business/Activities/BaseClass/BaseActivity.cs

Adding the E: volume to the filePath property fixes this issue.

Exports using GitHub or GitLab configuration files fail on Windows

Running FortifyVulnerabilityExporter on Windows results in an error if any of the following environment variables is set to an absolute path with drive letter:

EXPORT_DIR (all configuration files that refer to export.dir)
GITHUB_WORKSPACE (all GitHub-related configuration files)
CI_PROJECT_DIR (all GitLab-related configuration files)

The error doesn't occur in the following cases:

When using an absolute path without drive letter, i.e. \Temp\SomeDir
If the output file already exists (the error does occur though if the output directory exists but the file does not exist)

Errors look something like the below:

    Failed to bind properties under 'json.gitlab.dast.output.file' to java.io.File:

    Property: json.gitlab.dast.output.file
    Value: ${export.dir}/gl-fortify-dast.json
    Origin: URL [file:config/FoDToGitLab.yml] - 35:11
    Reason: failed to convert java.lang.String to java.io.File

Fortify SCA SARIF inaccuracy causing poor GitHub Code Scanning experience

👋 Hello! Not sure if this is the right place to raise this issue, but we've noticed that the way Fortify SCA is generating SARIF documents is causing a bad user experience with GitHub Code Scanning.

Code Scanning expects that rule metadata will be shared many times between different runs of a Code Scanning tool. A rule should represent a capability of the tool, not information about any specific finding. Information that is scan-specific should be included in the results message field instead (e.g: file paths, container checksums etc).

Fortify SCA appears to be generating large numbers of rules, each one with unique alert specific information in the help text. Possibly due to the configuration in these files?

javax.validation.ConstraintDeclarationException: HV000170: No JSR-223 scripting engine could be bootstrapped for language "javascript

Environment:

GitLab Runner
image: maven:3.8.4-openjdk-17-slim
FortifyVulnerabilityExporter installed via https://github.com/fortify/FortifyToolsInstaller

Command:

FortifyVulnerabilityExporter FoDToCSV --fod.baseUrl=$FOD_URL --fod.tenant=$FOD_TENANT --fod.userName=$FOD_USERNAME --fod.password=$FOD_PAT --fod.release.id=$FOD_RELEASE_ID --csv.output.file=$CI_PROJECT_DIR/scan-report.csv

Log:

11:48:16.336 [main] DEBUG com.fortify.util.spring.boot.container.PopulateContainerDirs - Populate container directories enabled: false
  ______         _   _  __                                  
 |  ____|       | | (_)/ _|                                 
 | |__ ___  _ __| |_ _| |_ _   _                            
 |  __/ _ \| '__| __| |  _| | | |                           
 | | | (_) | |  | |_| | | | |_| |                           
 |_|  \___/|_|   \__|_|_|  \__, |                           
 __      __    _            __/ |     _     _ _ _ _         
 \ \    / /   | |          |___/     | |   (_) (_) |        
  \ \  / /   _| |_ __   ___ _ __ __ _| |__  _| |_| |_ _   _ 
   \ \/ / | | | | '_ \ / _ \ '__/ _` | '_ \| | | | __| | | |
    \  /| |_| | | | | |  __/ | | (_| | |_) | | | | |_| |_| |
     \/  \__,_|_|_| |_|\___|_|  \__,_|_.__/|_|_|_|\__|\__, |
  ______                       _                       __/ |
 |  ____|                     | |                     |___/ 
 | |__  __  ___ __   ___  _ __| |_ ___ _ __                 
 |  __| \ \/ / '_ \ / _ \| '__| __/ _ \ '__|                
 | |____ >  <| |_) | (_) | |  | ||  __/ |                   
 |______/_/\_\ .__/ \___/|_|   \__\___|_|                   
             | |                                            
             |_|                                            
2022-01-26 11:48:17.705  INFO 725 --- [           main] e.p.PluginConfigEnvironmentPostProcessor : Loaded 13 plugin configuration files
2022-01-26 11:48:18.019  INFO 725 --- [           main] c.f.v.FortifyVulnerabilityExporter       : Starting FortifyVulnerabilityExporter v1.5.3 using Java 17.0.2 with PID 725 (/root/.fortify/tools/FortifyVulnerabilityExporter/latest-20220126/FortifyVulnerabilityExporter.jar started by root in /builds/[MASKED]cloud/violazione-command-service)
2022-01-26 11:48:18.019  INFO 725 --- [           main] c.f.v.FortifyVulnerabilityExporter       : The following profiles are active: default
2022-01-26 11:48:19.037  INFO 725 --- [           main] c.f.v.FortifyVulnerabilityExporter       : Using configuration file /root/.fortify/tools/FortifyVulnerabilityExporter/latest-20220126/config/FoDToCSV.yml
2022-01-26 11:48:19.039  INFO 725 --- [           main] c.f.v.FortifyVulnerabilityExporter       : Started FortifyVulnerabilityExporter in 2.34 seconds (JVM running for 3.012)
javax.validation.ConstraintDeclarationException: HV000170: No JSR-223 scripting engine could be bootstrapped for language "javascript".
	at org.hibernate.validator.internal.constraintvalidators.hv.AbstractScriptAssertValidator.initialize(AbstractScriptAssertValidator.java:42)
	at org.hibernate.validator.internal.constraintvalidators.hv.ScriptAssertValidator.initialize(ScriptAssertValidator.java:38)
	at org.hibernate.validator.internal.engine.constraintvalidation.AbstractConstraintValidatorManagerImpl.initializeValidator(AbstractConstraintValidatorManagerImpl.java:140)
	at org.hibernate.validator.internal.engine.constraintvalidation.AbstractConstraintValidatorManagerImpl.createAndInitializeValidator(AbstractConstraintValidatorManagerImpl.java:90)
	at org.hibernate.validator.internal.engine.constraintvalidation.ConstraintValidatorManagerImpl.getInitializedValidator(ConstraintValidatorManagerImpl.java:117)
	at org.hibernate.validator.internal.engine.constraintvalidation.ConstraintTree.getInitializedConstraintValidator(ConstraintTree.java:136)
	at org.hibernate.validator.internal.engine.constraintvalidation.SimpleConstraintTree.validateConstraints(SimpleConstraintTree.java:54)
	at org.hibernate.validator.internal.engine.constraintvalidation.ConstraintTree.validateConstraints(ConstraintTree.java:75)
	at org.hibernate.validator.internal.metadata.core.MetaConstraint.doValidateConstraint(MetaConstraint.java:130)
	at org.hibernate.validator.internal.metadata.core.MetaConstraint.validateConstraint(MetaConstraint.java:123)
	at org.hibernate.validator.internal.engine.ValidatorImpl.validateMetaConstraint(ValidatorImpl.java:555)
	at org.hibernate.validator.internal.engine.ValidatorImpl.validateConstraintsForSingleDefaultGroupElement(ValidatorImpl.java:518)
	at org.hibernate.validator.internal.engine.ValidatorImpl.validateConstraintsForDefaultGroup(ValidatorImpl.java:488)
	at org.hibernate.validator.internal.engine.ValidatorImpl.validateConstraintsForCurrentGroup(ValidatorImpl.java:450)
	at org.hibernate.validator.internal.engine.ValidatorImpl.validateInContext(ValidatorImpl.java:400)
	at org.hibernate.validator.internal.engine.ValidatorImpl.validateCascadedAnnotatedObjectForCurrentGroup(ValidatorImpl.java:629)
	at org.hibernate.validator.internal.engine.ValidatorImpl.validateCascadedConstraints(ValidatorImpl.java:590)
	at org.hibernate.validator.internal.engine.ValidatorImpl.validateInContext(ValidatorImpl.java:409)
	at org.hibernate.validator.internal.engine.ValidatorImpl.validate(ValidatorImpl.java:172)
	at org.springframework.validation.beanvalidation.SpringValidatorAdapter.validate(SpringValidatorAdapter.java:358)
	at com.fortify.util.config.loader.StandardConfigLoader.validateConfig(StandardConfigLoader.java:106)
	at com.fortify.util.config.loader.StandardConfigLoader.loadConfig(StandardConfigLoader.java:93)
	at com.fortify.vulnexport.spi.source.vuln.loader.AbstractVulnerabilityLoaderFactory.createConfig(AbstractVulnerabilityLoaderFactory.java:97)
	at com.fortify.vulnexport.spi.source.vuln.loader.AbstractVulnerabilityLoaderFactory.createVulnerabilityLoader(AbstractVulnerabilityLoaderFactory.java:73)
	at com.fortify.vulnexport.api.vuln.loader.active.ActiveVulnerabilityLoaderFactory.lambda$createVulnerabilityLoader$0(ActiveVulnerabilityLoaderFactory.java:59)
	at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
	at java.base/java.util.Iterator.forEachRemaining(Iterator.java:133)
	at java.base/java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1845)
	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
	at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:921)
	at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
	at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682)
	at com.fortify.vulnexport.api.vuln.loader.active.ActiveVulnerabilityLoaderFactory.createVulnerabilityLoader(ActiveVulnerabilityLoaderFactory.java:61)
	at com.fortify.vulnexport.FortifyVulnerabilityExporterRunnerFactory.runActiveVulnerabilityLoader(FortifyVulnerabilityExporterRunnerFactory.java:91)
	at com.fortify.util.spring.boot.scheduler.RunOrSchedule.runOnce(RunOrSchedule.java:76)
	at com.fortify.util.spring.boot.scheduler.RunOrSchedule.run(RunOrSchedule.java:48)
	at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:767)
	at org.springframework.boot.SpringApplication.callRunners(SpringApplication.java:751)
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:309)
	at com.fortify.vulnexport.FortifyVulnerabilityExporter.main(FortifyVulnerabilityExporter.java:62)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
	at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49)
	at org.springframework.boot.loader.Launcher.launch(Launcher.java:108)
	at org.springframework.boot.loader.Launcher.launch(Launcher.java:58)
	at org.springframework.boot.loader.PropertiesLauncher.main(PropertiesLauncher.java:467)
Caused by: org.hibernate.validator.spi.scripting.ScriptEvaluatorNotFoundException: HV000232: No JSR 223 script engine found for language "javascript".
	at org.hibernate.validator.internal.engine.scripting.DefaultScriptEvaluatorFactory.createNewScriptEvaluator(DefaultScriptEvaluatorFactory.java:66)
	at java.base/java.util.concurrent.ConcurrentHashMap.computeIfAbsent(ConcurrentHashMap.java:1708)
	at org.hibernate.validator.spi.scripting.AbstractCachingScriptEvaluatorFactory.getScriptEvaluatorByLanguageName(AbstractCachingScriptEvaluatorFactory.java:41)
	at org.hibernate.validator.internal.engine.constraintvalidation.HibernateConstraintValidatorInitializationContextImpl.getScriptEvaluatorForLanguage(HibernateConstraintValidatorInitializationContextImpl.java:50)
	at org.hibernate.validator.internal.constraintvalidators.hv.AbstractScriptAssertValidator.initialize(AbstractScriptAssertValidator.java:38)
	... 48 more
Cleaning up project directory and file based variables
00:00
ERROR: Job failed: exit code 1

How to add comments to Gitlab SSC output using custom config?

I have been working on building a custom.yml config file to add several pieces additional pieces we would like imported into Gitlab. So far I have been able to add the analysis results via the primaryTag, but adding comments is proving to be more difficult since that info is not part of the same uri.

I guess the first question is if this is even possible. If it is I could use some guidance on getting this working. I have tried a bunch of different configurations but haven't had much luck. I either get no comments in the report or errors. I'm assuming it has to do with me not understanding how the propertyName: attribute works.

Here is my latest configuration attempt:

export:
  from: ssc
  to: json.gitlab.sast

ssc:
  version:
    embed:
      - subEntity: currentStaticScan
        onError: LOG_INFO
  vulnerability:
    embed:
      - propertyName: detailsProp
        uri: /api/v1/issueDetails/{id}
        subEntity: details
        onError: LOG_INFO
     - propertyName: commentProp
     - uri: /api/v1/issues/{id}/comments?limit=-1
     - subEntity: comments
     - onError: LOG_INFO
     
export.dir: ${CI_PROJECT_DIR:${export.default.dir}}
json.gitlab.sast.output:
  stdout: false
  pretty: true
  file: ${export.dir}/gl-fortify-sast.json



json.gitlab.sast.filter.expr: vuln.engineType=='SCA'
json.gitlab.sast.format:
  fields:
    schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v14.1.1/dist/sast-report-format.json
    version: 14.1.1
    scan:
      start_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentStaticScan?.uploadDate?:'1970-01-01T00:00:00')]
      end_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentStaticScan?.uploadDate?:'1970-01-01T00:00:00')]
      status: success
      type: sast
      scanner:
        id: fortify-sca
        name: Fortify SCA
        url: https://www.microfocus.com/en-us/products/application-security-testing/overview
        version: SCA $[applicationVersion.currentStaticScan?.engineVersion?:'version unkown']
        vendor:
          name: Fortify
    vulnerabilities: $[vulnerabilityMappers.vulnerability.get()]
  vulnerabilityMappers.vulnerability.fields:
    id: $[vuln.issueInstanceId]
    category: sast
    name: $[vuln.issueName]
    message: $[vuln.issueName]
    description: $[#abbreviate(#htmlToText(vuln.detailsProp?.brief), 15000)]
    cve: 'N/A'
    severity: $[vuln.friority]
    confidence: $[(vuln.friority matches "(Critical|Medium)") ? "High":"Low" ]
    solution: $[#abbreviate(#htmlToText(vuln.detailsProp?.detail)+'\n\n'+#htmlToText(vulndetailsProp?.recommendation), 7000)]
    scanner:
      id: fortify-sca
      name: Fortify SCA
    identifiers:
      - name: "Analysis: $[vuln.primaryTag?: 'Not Audited']"
         type: primaryTag
         value: $[vuln.primaryTag?:'Not Audited']
         url: $[vuln.deepLink]
      - name: "Comments: $[vuln.commentProp?.comment?:'No Comments
        type: comment
        value: $[vuln.CommentProp?.comment?: 'No Comments']
    links:
      - name: Additional issue details, including analysis trace, in Software Security Center
        url: $[vuln.deepLink]
    location:
      file: $[vuln.fullFileName]
      start_line: $[vuln.lineNumber]

Got the following errors:

java.lang.RuntimeException: Error processing vulnerability

Caused by: java.lang.RuntimeException: Error processing vulnerability

Caused by: org.springframework.expressions.spel.SpelEvaluationException: EL1008E: Property of field 'comment' cannot be found on object of type 'com.fortify.util.rest.json.JSONList' - maybe not public or valid?

Double call to `SSCApplicationVersionsQueryBuilder.embed()` method

The embed(SSCApplicationVersionsQueryBuilder qb, SSCEmbedConfig config) method defined in https://github.com/fortify/FortifyVulnerabilityExporter/blob/main/FortifyVulnerabilityExporter-plugin-from-ssc/src/main/java/com/fortify/vulnexport/from/ssc/FromSSCVulnerabilityLoader.java provides special processing if the sub-entity to be embedded equals currentStaticScan, currentDynamicScan, or currentSonatypeScan. However, even when special processing takes place, the SSCApplicationVersionsQueryBuilder#embed(config) method is called again at the end of this method.

This is most likely not intended, but doesn't seem to cause any runtime issues. Further research is needed to investigate whether this might result in extra, invalid requests to SSC, and why these invalid requests are not logged.

Errors with SSC that uses self signed certs

When trying to export SSC SAST to Gitlab, and our SSC is using a self-signed cert you get the below error

to see jobs details look at #18

Using docker image sha256:68b7979a3875576df43e76e90b483634102afc63bc2cd5df21e737079514e7b5 for docker.jfrog.lfg.com/fortifydocker/fortify-vulnerability-exporter:latest_rc with digest docker.jfrog.lfg.com/fortifydocker/fortify-vulnerability-exporter@sha256:cbdc3a54cc2d8f4c7ed4b97adac35cb6c875b74f449904d58cc909f18e81bd13 ...
01:36:24.003 [main] DEBUG com.fortify.util.spring.boot.container.PopulateContainerDirs - Populate container directories enabled: true
01:36:24.007 [main] DEBUG com.fortify.util.spring.boot.container.PopulateContainerDirs - Checking whether container directories need to be initialized
01:36:24.013 [main] DEBUG com.fortify.util.spring.boot.container.PopulateContainerDirs - Target path /config is present: true
  ______         _   _  __                                  
 |  ____|       | | (_)/ _|                                 
 | |__ ___  _ __| |_ _| |_ _   _                            
 |  __/ _ \| '__| __| |  _| | | |                           
 | | | (_) | |  | |_| | | | |_| |                           
 |_|  \___/|_|   \__|_|_|  \__, |                           
 __      __    _            __/ |     _     _ _ _ _         
 \ \    / /   | |          |___/     | |   (_) (_) |        
  \ \  / /   _| |_ __   ___ _ __ __ _| |__  _| |_| |_ _   _ 
   \ \/ / | | | | '_ \ / _ \ '__/ _` | '_ \| | | | __| | | |
    \  /| |_| | | | | |  __/ | | (_| | |_) | | | | |_| |_| |
     \/  \__,_|_|_| |_|\___|_|  \__,_|_.__/|_|_|_|\__|\__, |
  ______                       _                       __/ |
 |  ____|                     | |                     |___/ 
 | |__  __  ___ __   ___  _ __| |_ ___ _ __                 
 |  __| \ \/ / '_ \ / _ \| '__| __/ _ \ '__|                
 | |____ >  <| |_) | (_) | |  | ||  __/ |                   
 |______/_/\_\ .__/ \___/|_|   \__\___|_|                   
             | |                                            
             |_|                                            
2021-04-14 01:36:24.697  INFO 1 --- [           main] e.p.PluginConfigEnvironmentPostProcessor : Loaded 11 plugin configuration files
2021-04-14 01:36:24.701  INFO 1 --- [           main] c.f.v.FortifyVulnerabilityExporter       : Starting FortifyVulnerabilityExporter v0.20210413.113124-dev_main using Java 11.0.10 on runner-w42yknzx-project-11312-concurrent-0 with PID 1 (/app/classpath/FortifyVulnerabilityExporter-0.20210413.113124-dev_main.jar started by root in /)
2021-04-14 01:36:24.702  INFO 1 --- [           main] c.f.v.FortifyVulnerabilityExporter       : The following profiles are active: default
2021-04-14 01:36:25.467  INFO 1 --- [           main] c.f.v.FortifyVulnerabilityExporter       : Started FortifyVulnerabilityExporter in 1.255 seconds (JVM running for 1.687)
2021-04-14 01:36:26.783 ERROR 1 --- [           main] o.s.boot.SpringApplication               : Application run failed
java.lang.IllegalStateException: Failed to execute CommandLineRunner
	at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:809) ~[spring-boot-2.4.4.jar:2.4.4]
	at org.springframework.boot.SpringApplication.callRunners(SpringApplication.java:790) ~[spring-boot-2.4.4.jar:2.4.4]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:333) ~[spring-boot-2.4.4.jar:2.4.4]
	at com.fortify.vulnexport.FortifyVulnerabilityExporter.main(FortifyVulnerabilityExporter.java:39) ~[FortifyVulnerabilityExporter-0.20210413.113124-dev_main.jar:0.20210413.113124-dev_main]
Caused by: java.lang.RuntimeException: Exception in call() method
	at com.fortify.util.log4j.LogMaskingHelper$AbstractMasker.on(LogMaskingHelper.java:117) ~[common-log-5.10.jar:na]
	at com.fortify.client.ssc.connection.SSCTokenFactoryUserCredentials.performTokenRequest(SSCTokenFactoryUserCredentials.java:111) ~[FortifyVulnerabilityExporter-plugin-from-ssc.jar:na]
	at com.fortify.client.ssc.connection.SSCTokenFactoryUserCredentials.getToken(SSCTokenFactoryUserCredentials.java:98) ~[FortifyVulnerabilityExporter-plugin-from-ssc.jar:na]
	at com.fortify.client.ssc.connection.SSCAuthenticatingRestConnection.updateBuilder(SSCAuthenticatingRestConnection.java:92) ~[FortifyVulnerabilityExporter-plugin-from-ssc.jar:na]
	at com.fortify.util.rest.connection.AbstractRestConnection.executeRequest(AbstractRestConnection.java:222) ~[common-rest-5.10.jar:na]
	at com.fortify.util.rest.connection.AbstractRestConnection.executeRequestWithFinalizedWebTarget(AbstractRestConnection.java:186) ~[common-rest-5.10.jar:na]
	at com.fortify.util.rest.connection.AbstractRestConnection.executeRequest(AbstractRestConnection.java:167) ~[common-rest-5.10.jar:na]
	at com.fortify.util.rest.connection.AbstractRestConnection.executeRequest(AbstractRestConnection.java:152) ~[common-rest-5.10.jar:na]
	at com.fortify.util.rest.query.AbstractRestConnectionQuery.executeRequest(AbstractRestConnectionQuery.java:141) ~[common-rest-5.10.jar:na]
	at com.fortify.util.rest.query.AbstractRestConnectionQuery.processSingleRequest(AbstractRestConnectionQuery.java:209) ~[common-rest-5.10.jar:na]
	at com.fortify.util.rest.query.AbstractRestConnectionQuery.processAll(AbstractRestConnectionQuery.java:200) ~[common-rest-5.10.jar:na]
	at com.fortify.util.rest.query.AbstractRestConnectionQuery.processAll(AbstractRestConnectionQuery.java:90) ~[common-rest-5.10.jar:na]
	at com.fortify.util.rest.query.AbstractRestConnectionQuery.processAll(AbstractRestConnectionQuery.java:95) ~[common-rest-5.10.jar:na]
	at com.fortify.vulnexport.from.ssc.FromSSCVulnerabilityLoader$_FromSSCVulnerabilityLoader.run(FromSSCVulnerabilityLoader.java:105) ~[FortifyVulnerabilityExporter-plugin-from-ssc.jar:na]
	at com.fortify.vulnexport.from.ssc.FromSSCVulnerabilityLoader.run(FromSSCVulnerabilityLoader.java:81) ~[FortifyVulnerabilityExporter-plugin-from-ssc.jar:na]
	at com.fortify.vulnexport.FortifyVulnerabilityExporterRunnerFactory.runActiveVulnerabilityLoader(FortifyVulnerabilityExporterRunnerFactory.java:91) ~[FortifyVulnerabilityExporter-0.20210413.113124-dev_main.jar:0.20210413.113124-dev_main]
	at com.fortify.util.spring.boot.scheduler.RunOrSchedule.runOnce(RunOrSchedule.java:68) ~[FortifyVulnerabilityExporter-0.20210413.113124-dev_main.jar:0.20210413.113124-dev_main]
	at com.fortify.util.spring.boot.scheduler.RunOrSchedule.run(RunOrSchedule.java:47) ~[FortifyVulnerabilityExporter-0.20210413.113124-dev_main.jar:0.20210413.113124-dev_main]
	at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:806) ~[spring-boot-2.4.4.jar:2.4.4]
	... 3 common frames omitted
Caused by: javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at org.glassfish.jersey.apache.connector.ApacheConnector.apply(ApacheConnector.java:531) ~[jersey-apache-connector-2.33.jar:na]
	at org.glassfish.jersey.client.ClientRuntime.invoke(ClientRuntime.java:297) ~[jersey-client-2.33.jar:na]
	at org.glassfish.jersey.client.JerseyInvocation.lambda$invoke$0(JerseyInvocation.java:630) ~[jersey-client-2.33.jar:na]
	at org.glassfish.jersey.client.JerseyInvocation.call(JerseyInvocation.java:665) ~[jersey-client-2.33.jar:na]
	at org.glassfish.jersey.client.JerseyInvocation.lambda$runInScope$3(JerseyInvocation.java:659) ~[jersey-client-2.33.jar:na]
	at org.glassfish.jersey.internal.Errors.process(Errors.java:292) ~[jersey-common-2.33.jar:na]
	at org.glassfish.jersey.internal.Errors.process(Errors.java:274) ~[jersey-common-2.33.jar:na]
	at org.glassfish.jersey.internal.Errors.process(Errors.java:205) ~[jersey-common-2.33.jar:na]
	at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:390) ~[jersey-common-2.33.jar:na]
	at org.glassfish.jersey.client.JerseyInvocation.runInScope(JerseyInvocation.java:659) ~[jersey-client-2.33.jar:na]
	at org.glassfish.jersey.client.JerseyInvocation.invoke(JerseyInvocation.java:629) ~[jersey-client-2.33.jar:na]
	at com.fortify.util.rest.connection.AbstractRestConnection.executeRequest(AbstractRestConnection.java:223) ~[common-rest-5.10.jar:na]
	at com.fortify.client.ssc.connection.SSCTokenFactoryUserCredentials.lambda$performTokenRequest$0(SSCTokenFactoryUserCredentials.java:112) ~[FortifyVulnerabilityExporter-plugin-from-ssc.jar:na]
	at com.fortify.util.log4j.LogMaskingHelper$AbstractMasker.on(LogMaskingHelper.java:115) ~[common-log-5.10.jar:na]
	... 21 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source) ~[na:na]
	at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source) ~[na:na]
	at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source) ~[na:na]
	at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source) ~[na:na]
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(Unknown Source) ~[na:na]
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(Unknown Source) ~[na:na]
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(Unknown Source) ~[na:na]
	at java.base/sun.security.ssl.SSLHandshake.consume(Unknown Source) ~[na:na]
	at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source) ~[na:na]
	at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source) ~[na:na]
	at java.base/sun.security.ssl.TransportContext.dispatch(Unknown Source) ~[na:na]
	at java.base/sun.security.ssl.SSLTransport.decode(Unknown Source) ~[na:na]
	at java.base/sun.security.ssl.SSLSocketImpl.decode(Unknown Source) ~[na:na]
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source) ~[na:na]
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) ~[na:na]
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) ~[na:na]
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436) ~[httpclient-4.5.13.jar:4.5.13]
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384) ~[httpclient-4.5.13.jar:4.5.13]
	at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142) ~[httpclient-4.5.13.jar:4.5.13]
	at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376) ~[httpclient-4.5.13.jar:4.5.13]
	at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393) ~[httpclient-4.5.13.jar:4.5.13]
	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236) ~[httpclient-4.5.13.jar:4.5.13]
	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186) ~[httpclient-4.5.13.jar:4.5.13]
	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) ~[httpclient-4.5.13.jar:4.5.13]
	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) ~[httpclient-4.5.13.jar:4.5.13]
	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) ~[httpclient-4.5.13.jar:4.5.13]
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72) ~[httpclient-4.5.13.jar:4.5.13]
	at org.glassfish.jersey.apache.connector.ApacheConnector.apply(ApacheConnector.java:483) ~[jersey-apache-connector-2.33.jar:na]
	... 34 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.validator.PKIXValidator.doBuild(Unknown Source) ~[na:na]
	at java.base/sun.security.validator.PKIXValidator.engineValidate(Unknown Source) ~[na:na]
	at java.base/sun.security.validator.Validator.validate(Unknown Source) ~[na:na]
	at java.base/sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source) ~[na:na]
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source) ~[na:na]
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source) ~[na:na]
	... 58 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source) ~[na:na]
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source) ~[na:na]
	at java.base/java.security.cert.CertPathBuilder.build(Unknown Source) ~[na:na]
	... 64 common frames omitted

JSON Raw format export issue of Java 8 date/time type

Hi,

Good day !

I'm using FortifyVulnerabilityExporter on sample WebGoat application's scan and trying to export FOD scan results using customized yml file with export_config: ${{github.workspace}}/MyCustomExportConfig_JSON.yml

While exporting I received following error -

Caused by: com.fasterxml.jackson.databind.exc.InvalidDefinitionException: Java 8 date/time type java.time.ZoneRegion not supported by default: add Module "com.fasterxml.jackson.datatype:jackson-datatype-jsr310" to enable handling (through reference chain: com.fortify.util.rest.json.JSONMap["release"]->com.fortify.util.rest.json.JSONMap["serverZoneId"])

I have attached my yml file. Any help in this regards is greatly appreciated.

Best Regards,
Rajesh Kumar

See FortifyVulnerabilityExporter documentation for FoD connection settings and release selection

export:
from: fod
to: json.raw

fod:
release:
embed: # Load static scan summaries if available
- propertyName: staticScanSummary
uri: /api/v3/scans/{currentStaticScanId}/summary
embedIf: currentStaticScanId!=null
vulnerability:
embed: # Load extra data, depending on what data you want to include in output
- subEntity: all-data
export.dir: ${export.default.dir} # Use default export directory (unless overridden)
json.raw.output:
stdout: false # Useful for debugging, disable for optimal performance
file: ${export.dir}/${release.applicationName}-${release.releaseName}.json

includeSuppressed

hi i might be reading the readme and/or using the configs wrongly.
As no matter what i set, im not able to export out Suppressed data.

Hi good day,

Ive used the FoD's inbuilt Export tool and it is able to export all my findings, including suppressed ones.
im using v2.0.2.

Hv tried to download vv2.0.0 and faced the same issue.

Ive attached my yaml. Any help is greatly appreciated.

Thks in adv. :)

'# See FortifyVulnerabilityExporter documentation for FoD connection settings and release selection

export:
from: fod
to: csv

'#fod:
vulnerability:
filterParam: scanType:Static
includeFixed: true
includeSuppressed: true
# embed:
# - subEntity: all-data

export.dir: ${export.default.dir} # Use default export directory (unless overridden)
csv:
output:
header: true
stdout: false
file: ${export.dir}/${release.applicationName}-${release.releaseName}.csv
fields:
source: Fortify on Demand
scanType: $[vuln.scantype]
id: $[vuln.id]
issueInstanceId: $[vuln.instanceId]
category: $[vuln.severityString]
description: $[vuln.category]
file: $[vuln.primaryLocationFull]
suppressed: $[vuln.isSuppressed]
line: $[vuln.lineNumber]
status: $[vuln.auditorStatus]

Docker: populate bind mount on /config directory

Default configuration files are placed into the /config directory inside the Docker container. These should be moved to /default/config to allow the default configuration files to be accessible if the /config directory is bind-mounted to the host system.

See https://github.com/fortify/FortifyVulnerabilityExporter/blob/main/src/main/java/com/fortify/util/spring/boot/container/PopulateContainerDirs.java for details.

Docker image for version 1.2.0 not working

The Docker image for FortifyVulnerabilityExporter version 1.2.0 uses Java 1.8. Due to #16, running this Docker image fails with an exception.

Fix Gradle warning

The following warning is shown when running ./gradlew distThirdParty --warning-mode=all:

> Task :generateLicenseReport
The runtime configuration has been deprecated for resolution. This will fail with an error in Gradle 7.0. Please resolve the runtimeClasspath configuration instead. Consult the upgrading guide for further information: https://docs.gradle.org/6.8.3/userguide/upgrading_version_5.html#dependencies_should_no_longer_be_declared_using_the_compile_and_runtime_configurations

This is caused by this issue: jk1/Gradle-License-Report#161 (comment)

Once this has been fixed in the plugin, the plugin version should be updated in our build.gradle.

fortify-vulnerability-exporter unable to generate report for GitLab

I am integrating trial.fortify.com and GitLab.
However, fortify-vulnerability-exporter unable to generate report for GitLab.
I was using this command $docker run --rm -v ./export:/export fortifydocker/fortify-vulnerability-exporter:latest FoDToGitLab --fod.baseUrl=https://trial.fortify.com --fod.tenant="" --fod.user="" --fod.password="" --fod.release.id="215288"

Error Logs:

02:48:48.286 [main] DEBUG com.fortify.util.spring.boot.container.PopulateContainerDirs - Populate container directories enabled:
true
02:48:48.292 [main] DEBUG com.fortify.util.spring.boot.container.PopulateContainerDirs - Checking whether container directories need to be initialized
02:48:48.306 [main] DEBUG com.fortify.util.spring.boot.container.PopulateContainerDirs - Target path /config is present: true

| | | | ()/ |
| | ___ _ _| | | | _ _
| / _ | '| __| | | | | |
| | | () | | | || | | | || |
|| ___/|| _||| _, |
__ __ _ / | _ _ _ _ _
\ \ / / | | |/ | | () () |
\ \ / / | | __ ___ _ __ __ | |_ | || | _ _
\ / / | | | | '_ \ / _ \ '/ ` | ' | | | | | | | |
\ /| || | | | | | __/ | | (| | |) | | | | || || |
/ _,||| ||_|| _,|./||||_|_, |
______ _ / |
| | | | |/
| | __ ___ __ ___ _ | | ___ _ __
| | \ / / ' \ / _ | '| / _ \ '|
| |__ > <| |) | () | | | || / |
|//_\ ./ _/|| ___||
| |
||
2023-08-11 02:48:50.789 INFO 1 --- [ main] e.p.PluginConfigEnvironmentPostProcessor : Loaded 14 plugin configuration files
2023-08-11 02:48:50.811 INFO 1 --- [ main] c.f.v.FortifyVulnerabilityExporter : Starting FortifyVulnerabilityExporter v2.0.3 using Java 11.0.19 on 1f7a2ed7f237 with PID 1 (/app/classpath/FortifyVulnerabilityExporter-2.0.3-plain.jar started by root in /)
2023-08-11 02:48:50.813 INFO 1 --- [ main] c.f.v.FortifyVulnerabilityExporter : The following 1 profile is active: "default"
2023-08-11 02:48:53.459 INFO 1 --- [ main] c.f.v.FortifyVulnerabilityExporter : Using configuration file /config/FoDToGitLab.yml
2023-08-11 02:48:53.470 INFO 1 --- [ main] c.f.v.FortifyVulnerabilityExporter : Started FortifyVulnerabilityExporter in 4.394 seconds (JVM running for 5.791)
2023-08-11 02:48:57.862 INFO 1 --- [ main] c.f.c.fod.connection.FoDTokenFactory : [FoD] Obtained access token, expiring at Fri Aug 11 08:48:52 UTC 2023
2023-08-11 02:48:58.810 INFO 1 --- [ main] c.f.v.f.fod.FromFoDVulnerabilityLoader : Processing Application Release: springboot:production-2
2023-08-11 02:49:01.718 INFO 1 --- [ main] c.f.v.f.fod.FromFoDVulnerabilityLoader : Processed 3 of 3 vulnerabilities
2023-08-11 02:49:01.719 INFO 1 --- [ main] bstractToFileStreamVulnerabilityConsumer : Opening output: JsonOutputConfig(super=FileOutputConfig(mkdir=true, stdout=false, stderr=false, file=/export/gl-fortify-sast.json), encoding=UTF8, pretty=true)
java.lang.RuntimeException: Error closing vulnerability consumer
at com.fortify.vulnexport.spi.target.vuln.consumer.AbstractVulnerabilityConsumer.handleCloseException(AbstractVulnerabilityConsumer.java:98)
at com.fortify.vulnexport.spi.target.vuln.consumer.AbstractVulnerabilityConsumer.close(AbstractVulnerabilityConsumer.java:82)
at java.base/java.util.ArrayList.forEach(Unknown Source)
at com.fortify.vulnexport.api.vuln.consumer.CompositeVulnerabilityConsumer.close(CompositeVulnerabilityConsumer.java:55)
at java.base/java.util.ArrayList.forEach(Unknown Source)
at com.fortify.vulnexport.api.vuln.consumer.CompositeVulnerabilityConsumer.close(CompositeVulnerabilityConsumer.java:55)
at com.fortify.vulnexport.from.fod.FromFoDVulnerabilityLoader$_FromFoDVulnerabilityLoader.processVulnerabilities(FromFoDVulnerabilityLoader.java:160)
at com.fortify.util.rest.query.AbstractRestConnectionQuery$1.process(AbstractRestConnectionQuery.java:99)
at com.fortify.util.rest.query.JSONMapProcessorWithPreProcessorsAndPagingSupport.process(JSONMapProcessorWithPreProcessorsAndPagingSupport.java:79)
at com.fortify.util.rest.query.AbstractRestConnectionQuery.processSingleRequest(AbstractRestConnectionQuery.java:218)
at com.fortify.util.rest.query.AbstractRestConnectionQuery.processAll(AbstractRestConnectionQuery.java:200)
at com.fortify.util.rest.query.AbstractRestConnectionQuery.processAll(AbstractRestConnectionQuery.java:90)
at com.fortify.util.rest.query.AbstractRestConnectionQuery.processAll(AbstractRestConnectionQuery.java:95)
at com.fortify.vulnexport.from.fod.FromFoDVulnerabilityLoader$_FromFoDVulnerabilityLoader.run(FromFoDVulnerabilityLoader.java:106)
at com.fortify.vulnexport.from.fod.FromFoDVulnerabilityLoader.run(FromFoDVulnerabilityLoader.java:82)
at com.fortify.vulnexport.FortifyVulnerabilityExporterRunnerFactory.runActiveVulnerabilityLoader(FortifyVulnerabilityExporterRunnerFactory.java:91)
at com.fortify.util.spring.boot.scheduler.RunOrSchedule.runOnce(RunOrSchedule.java:76)
at com.fortify.util.spring.boot.scheduler.RunOrSchedule.run(RunOrSchedule.java:48)
at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:768)
at org.springframework.boot.SpringApplication.callRunners(SpringApplication.java:752)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:314)
at com.fortify.vulnexport.FortifyVulnerabilityExporter.main(FortifyVulnerabilityExporter.java:61)
Caused by: java.lang.RuntimeException: Error closing vulnerability consumer
at com.fortify.vulnexport.spi.target.vuln.consumer.AbstractVulnerabilityConsumer.handleCloseException(AbstractVulnerabilityConsumer.java:98)
at com.fortify.vulnexport.spi.target.vuln.consumer.AbstractVulnerabilityConsumer.close(AbstractVulnerabilityConsumer.java:82)
at com.fortify.vulnexport.spi.target.vuln.consumer.FilteringConsumer._close(FilteringConsumer.java:71)
at com.fortify.vulnexport.spi.target.vuln.consumer.AbstractVulnerabilityConsumer.close(AbstractVulnerabilityConsumer.java:80)
... 20 more
Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1021E: A problem occurred whilst attempting to access the property 'staticScanSummary': 'Error loading data for property staticScanSummary'
at org.springframework.expression.spel.ast.PropertyOrFieldReference.readProperty(PropertyOrFieldReference.java:209)
at org.springframework.expression.spel.ast.PropertyOrFieldReference.getValueInternal(PropertyOrFieldReference.java:104)
at org.springframework.expression.spel.ast.PropertyOrFieldReference.getValueInternal(PropertyOrFieldReference.java:91)
at org.springframework.expression.spel.ast.CompoundExpression.getValueRef(CompoundExpression.java:61)
at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:91)
at org.springframework.expression.spel.ast.Elvis.getValueInternal(Elvis.java:54)
at org.springframework.expression.spel.ast.FunctionReference.getArguments(FunctionReference.java:158)
at org.springframework.expression.spel.ast.FunctionReference.executeFunctionJLRMethod(FunctionReference.java:96)
at org.springframework.expression.spel.ast.FunctionReference.getValueInternal(FunctionReference.java:80)
at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:117)
at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:376)
at com.fortify.util.spring.expression.WrappedExpression.getValue(WrappedExpression.java:131)
at com.fortify.util.spring.expression.helper.AbstractExpressionHelper.evaluateExpression(AbstractExpressionHelper.java:156)
at com.fortify.util.spring.expression.helper.AbstractExpressionHelper.evaluateTemplateExpression(AbstractExpressionHelper.java:166)
at com.fortify.util.spring.expression.TemplateExpressionMap.evaluateExpression(TemplateExpressionMap.java:44)
at com.fortify.util.spring.expression.AbstractExpressionMapEvaluator.lambda$evaluate$0(AbstractExpressionMapEvaluator.java:47)
at com.fortify.util.spring.expression.AbstractExpressionMapEvaluator.evaluate(AbstractExpressionMapEvaluator.java:52)
at com.fortify.vulnexport.to.json.vuln.formatter.JsonFormatter.write(JsonFormatter.java:131)
at com.fortify.vulnexport.to.json.vuln.formatter.JsonFormatter.write(JsonFormatter.java:105)
at com.fortify.vulnexport.to.json.ToJsonVulnerabilityConsumer.beforeClose(ToJsonVulnerabilityConsumer.java:65)
at com.fortify.vulnexport.spi.target.vuln.consumer.to.output.AbstractToOutputVulnerabilityConsumer._close(AbstractToOutputVulnerabilityConsumer.java:74)
at com.fortify.vulnexport.spi.target.vuln.consumer.AbstractVulnerabilityConsumer.close(AbstractVulnerabilityConsumer.java:80)
... 22 more
Caused by: java.lang.RuntimeException: Error loading data for property staticScanSummary
at com.fortify.util.rest.json.embed.StandardEmbedDefinition$OnErrorAction.fail(StandardEmbedDefinition.java:111)
at com.fortify.util.rest.json.embed.StandardEmbedDefinition$OnErrorAction.handle(StandardEmbedDefinition.java:106)
at com.fortify.util.rest.json.embed.StandardEmbedDefinition.getResultOnError(StandardEmbedDefinition.java:86)
at com.fortify.util.rest.json.preprocessor.enrich.JSONMapEnrichWithOnDemandRestData$JSONMapOnDemandLoaderRestData.getResult(JSONMapEnrichWithOnDemandRestData.java:61)
at com.fortify.util.rest.json.preprocessor.enrich.JSONMapEnrichWithOnDemandRestData$JSONMapOnDemandLoaderRestData.getOnDemand(JSONMapEnrichWithOnDemandRestData.java:53)
at com.fortify.util.rest.json.ondemand.AbstractJSONMapOnDemandLoaderWithConnection.getOnDemand(AbstractJSONMapOnDemandLoaderWithConnection.java:51)
at com.fortify.util.rest.json.ondemand.AbstractJSONMapOnDemandLoader.getAndStoreOnDemand(AbstractJSONMapOnDemandLoader.java:46)
at com.fortify.util.rest.json.JSONMap.getOnDemandValue(JSONMap.java:285)
at com.fortify.util.rest.json.JSONMap.get(JSONMap.java:130)
at com.fortify.util.spring.context.expression.MapAccessorIgnoreNonExistingProperties.read(MapAccessorIgnoreNonExistingProperties.java:50)
at org.springframework.expression.spel.ast.PropertyOrFieldReference.readProperty(PropertyOrFieldReference.java:204)
... 43 more
Caused by: java.lang.RuntimeException: Error accessing remote system https://api.trial.fortify.com: Not Found
at com.fortify.util.rest.connection.AbstractRestConnection.getUnsuccesfulResponseException(AbstractRestConnection.java:358)
at com.fortify.util.rest.connection.AbstractRestConnection.checkResponseAndGetOutput(AbstractRestConnection.java:322)
at com.fortify.util.rest.connection.AbstractRestConnection.executeRequest(AbstractRestConnection.java:224)
at com.fortify.util.rest.connection.AbstractRestConnection.executeRequestWithFinalizedWebTarget(AbstractRestConnection.java:186)
at com.fortify.client.fod.connection.FoDBasicRestConnection.executeRequestWithFinalizedWebTarget(FoDBasicRestConnection.java:76)
at com.fortify.util.rest.connection.AbstractRestConnection.executeRequest(AbstractRestConnection.java:167)
at com.fortify.util.rest.connection.AbstractRestConnection.executeRequest(AbstractRestConnection.java:152)
at com.fortify.util.rest.json.preprocessor.enrich.JSONMapEnrichWithOnDemandRestData$JSONMapOnDemandLoaderRestData.getResult(JSONMapEnrichWithOnDemandRestData.java:59)
... 50 more
Caused by: java.lang.Exception: Error accessing remote system https://api.trial.fortify.com: Not Found, response contents:
    ... 58 more

Gitlab report not parsing properly

Hi,

I am using the fortifydocker/fortify-ci-tools:latest which contains v1.5.5 FortifyVulnerabilityExporter.

Even though the CI logs seems fine and a gitlab artifact is successfully generated (gl-dast.json), I see the following issue in the security tab of the Gitlab pipeline. It seems like the json file is not parsed successfully.

Here is the zip file containing the DAST artifact. Do let me know if you require more info.
Thanks
gl-dast-report.json.zip

Update FortifyVulnerabilityExporter to use Fortify API Client 6.1.3, which utilizes log4j 2.17.1

An issue was opened recently (fortify/fortify-client-api#18) to request Fortify API client (6.1.2) upgrade to use log4j 2.17.1. The 6.1.2 Release of the Fortify API client leverages log4j 2.16.0. The latest version being recommended in Maven is 2.17.1, which was released on Dec. 27 to mitigage all variations of the log4j vulnerability. Fortify API client was upgraded and now utilizes log4f 2.17.1.

Can FortifyVulnerabilityExporter be upgraded to use Fortify API client 6.1.3?

Warning: Nashorn engine is planned to be removed from a future JDK release

When running on Java 11, the following warning is displayed in the output of FortifyVulnerabilityExporter: Warning: Nashorn engine is planned to be removed from a future JDK release.

This doesn't have any negative impact when running on Java 11, but if possible this should be fixed for cosmetic reasons and to avoid potential issues when running on later Java versions.

SSC to Bitbucket config is not working as expected

Since we dont have configuration file for SSC to Azure devops, i was trying to use SSCTOBITBUCKET and it retrieves the details as per our requirement. however there are some details that we want to filter. also the security result always set to passed even though the scans has security issues. can you please provide a sample config to customize the SSTOBITBUCKET.

we would like to filter below field,
1.logo_url
2.type" : "NUMBER",
"title" : "Critical (Overall)"
3."report_type" : "SECURITY" - validate correctly

How to disable SSC URL link within GITLAB-SSC integration using Vulnerability Exporter container.

It is possible to disable SSC callback url links on displayed sca finding within Gitlab dashboard via the Vulnerability Exporter Container integration. They ware trying to treat SSC as a black box and hope to keep users for clicking on SSC url links and attempting to login.

GitLab-specific instructions not working

Due to a change in configuration file handling, the GitLab-specific instructions in the README.md file are no longer functional. GitLab seems to be passing sh to the Docker container, which was ignored by older versions of the image but FortifyVulnerabilityExporter version 1.5.0 tries to interpret this as a configuration file specification. As there is no configuration file named sh, FortifyVulnerabilityExporter will fail.

As a quick work-around, please try using the older version of the Docker image using the following image instruction in your .gitlab-ci.yml:

image: fortifydocker/fortify-vulnerability-exporter:v1.4.1

Alternatively, you can use FortifyToolsInstaller to install and run FortifyVulnerabilityExporter in any arbitrary container; see https://gitlab.com/Fortify/example-eightball/-/blob/master/.gitlab-ci.yml#L58 for an example.

SonarQube: Don't output 0 as line number

In Fortify, some vulnerabilities have their lineNumber field set to 0, which is copied as-is to the SonarQube output. SonarQube however throws an error if the line number is 0. FortifyVulnerabilityExporter should set the line number to 1 in such cases, to prevent these SonarQube errors.

Sarif - any way to parameterize the output file name?

Opening issue on behalf of Nikola Aleksandrov [email protected] and ValueEdge ticket 11A1620012:

Hello team,

If we use the option "SSCToGitHub" the SARIF output is generated with the output file name as "gh-fortify-sast.sarif", this is fine and it is working as expected.

The Output file name is hard coded inside the file ".\config\SSCToGitHub.yml" like below:

...

sarif.output: ${export.dir}/gh-fortify-sast.sarif

...

Is there any way to parameterize the output file name?

The scenario will be like below:

PROJECTNAME="WebGoat"

Start loop for each VERSION in: "10, 20, 30, 40, 50"

Generate SARIF: java -jar FortifyVulnerabilityExporter.jar SSCToGitHub --ssc.baseUrl= --ssc.user= --ssc.password= --ssc.version.name="{PROJECTNAME}:${VERSION}"

Hint: the output file name should be generated with the name ${PROJECTNAME}_${VERSION}.sarif

End loop

After the loop, the below SARIF files should be created in the current folder.

WebGoat_10.sarif

WebGoat_20.sarif

WebGoat_30.sarif

WebGoat_40.sarif

WebGoat_50.sarif

is it possible?

Invalid line numbers in GitHub SARIF output

In some cases, Fortify reports vulnerabilities on line number 0. The GitHub SARIF output simply copies this line number to the output, however this will result in errors like the following when importing the SARIF file into GitHub:

Error: Unable to upload "./gh-fortify-sast.sarif" as it is not valid SARIF: 
- instance.runs[0].results[12].locations[0].physicalLocation.region.startLine must have a minimum value of 1 
- instance.runs[0].results[12].locations[0].physicalLocation.region.endLine must have a minimum value of 1

To avoid this error, the utility should output 1 as the line number in such cases.

FoD: Querying by release name causes error

Both the --fod.release.name and --fod.release.regex command line option seems to result in an Internal Server Error on FoD, possibly due to the utility sending an invalid request. This behavior has been observed with both version 1.1.3 and the latest development version. Until this gets fixed, users will need to use the --fod.release.id command line option.

NullPointerException if output file is specified without parent path

Caused by: java.lang.NullPointerException
	at com.fortify.vulnexport.spi.target.vuln.consumer.to.file.stream.MultiOutputStreamFactory$MultiOutputStream.createFileOutputStream(MultiOutputStreamFactory.java:88)
	at com.fortify.vulnexport.spi.target.vuln.consumer.to.file.stream.MultiOutputStreamFactory$MultiOutputStream.<init>(MultiOutputStreamFactory.java:79)
	at com.fortify.vulnexport.spi.target.vuln.consumer.to.file.stream.MultiOutputStreamFactory.createOutputStream(MultiOutputStreamFactory.java:53)

It seems like file.getParentFile() at

FortifyVulnerabilityExporter/FortifyVulnerabilityExporter-spi-to/src/main/java/com/fortify/vulnexport/spi/target/vuln/consumer/to/file/stream/MultiOutputStreamFactory.java

Line 87 in 4d8e14b

File dir = file.getParentFile();

may return null if a user specifies a simple file name (rather than fully qualified file path) as the output file. This causes an NPE in the next line when checking for directory existence:

FortifyVulnerabilityExporter/FortifyVulnerabilityExporter-spi-to/src/main/java/com/fortify/vulnexport/spi/target/vuln/consumer/to/file/stream/MultiOutputStreamFactory.java

Line 88 in 4d8e14b

if ( config.isMkdir() && !dir.exists() ) {

Fail on unknown command-line arguments

See fortify/github-action#15 for background information; FVE silently ignores unknown command-line arguments, which can lead to unexpected behavior.

For example, if a user or some integration omits quotes around application version/release name, like in --fod.release.name=App with space:rel1, FortifyVulnerabilityExporter will see --fod.release.name=App and ignore with space:rel1. Effectively, instead of processing this single release, FVE will process all releases for all applications containing App (case-insensitive) in the application name, due to a combination of FVE behavior (allowing for processing all releases for a given app if only app name is specified) and FoD behavior (FoD performing case-insensitive 'contains' matching instead of exact matching).

Unfortunately, there is no explicit list of supported command-line arguments, as each CLI argument basically represents an arbitrary property name that may or may not be used by a particular configuration. However, potentially we can check whether the CLI arguments adhere to the format as described at https://github.com/fortify/FortifyVulnerabilityExporter/blob/main/USAGE.md#generic-usage, i.e., first argument should be the name/path of a configuration file, and all remaining options should be in the format --prop.name=value. In the example above, with space:rel1 doesn't match the expected --prop.name=value format, and thus FVE could throw an error.

Version 1.2.0 doesn't run on Java 8

The fix for #11 apparently causes issues with the Nashorn engine on Java 8, causing the following exception message:

HV000232: No JSR 223 script engine found for language "javascript"

How to add the actual code snippets for each vulnerability when exporting to Json or Csv?

Hi there, so I'm able to generate the export in my terminal and I'm hoping to export that data into a .json or .csv. My question is that I saw that the code showing the vulnerability isn't included. I wanted to ask how does one include that code in the report. I am doing SSCToJsonRaw/SSCToJsonCustom/SSCToCSV as additional context. Thank you!

GitLab: Update schema version

Recent GitLab versions show a warning when ingesting the Fortify reports due to deprecated schema version:

How to export vulnerabilities to GitHub Security from a local file system (i.e. not using SSC)

I have a local installation of the Fortify SCA software installed in a GitHub Action container and am able to run a scan and get a resulting *.fpr file that is stored within that container. I need to upload the vulnerabilities found in that fpr file to GitHub Security but I do not have access to an SSC server. How would I go about accomplishing this task?

Add documentation section for BitBucket integration

Although support for generating BitBucket reports has been added some time ago, there is no mention of this feature in the documentation. For now, please see the following resources for more information:

Sample pipeline showing how BitBucket reports can be generated and published using FortifyVulnerabilityExporter: https://bitbucket.org/fortifysoftware/bb-sample-eightball/src/main/bitbucket-pipelines-cmds.yml.
The Fortify BitBucket Pipe also supports report generation and publishing: https://bitbucket.org/fortifysoftware/fortify-scan
Sample pipeline utilizing the Fortify BitBucket Pipe: https://bitbucket.org/fortifysoftware/bb-sample-eightball/src/main/bitbucket-pipelines-pipe.yml

error when trying to export to gitlab

What am I missing

I have tried ssc.Authtoken as well with out success

Gitlab yml

export/fortify:
  stage: .pre
  image: fortifydocker/fortify-vulnerability-exporter:latest
  variables:
    export_config: /config/SSCToGitLabSAST.yml
    ssc_baseUrl: $FORITY_URL
    ssc_user: $FORTIFY_USER
    ssc_password: $FORTIFY_PWD
    ssc_version_id: $FORTIFY_VID
  script: 
    - echo Script entry is required but not used
  #when: manual
  allow_failure: false
  artifacts:
    reports:
      sast: gl-fortify-sast.json

Gitlab log:

12:57:14.591 [main] DEBUG com.fortify.util.spring.boot.container.PopulateContainerDirs - Populate container directories enabled: true
12:57:14.595 [main] DEBUG com.fortify.util.spring.boot.container.PopulateContainerDirs - Checking whether container directories need to be initialized
  ______         _   _  __                                  
 |  ____|       | | (_)/ _|                                 
 | |__ ___  _ __| |_ _| |_ _   _                            
 |  __/ _ \| '__| __| |  _| | | |                           
 | | | (_) | |  | |_| | | | |_| |                           
 |_|  \___/|_|   \__|_|_|  \__, |                           
 __      __    _            __/ |     _     _ _ _ _         
 \ \    / /   | |          |___/     | |   (_) (_) |        
  \ \  / /   _| |_ __   ___ _ __ __ _| |__  _| |_| |_ _   _ 
   \ \/ / | | | | '_ \ / _ \ '__/ _` | '_ \| | | | __| | | |
    \  /| |_| | | | | |  __/ | | (_| | |_) | | | | |_| |_| |
     \/  \__,_|_|_| |_|\___|_|  \__,_|_.__/|_|_|_|\__|\__, |
  ______                       _                       __/ |
 |  ____|                     | |                     |___/ 
 | |__  __  ___ __   ___  _ __| |_ ___ _ __                 
 |  __| \ \/ / '_ \ / _ \| '__| __/ _ \ '__|                
 | |____ >  <| |_) | (_) | |  | ||  __/ |                   
 |______/_/\_\ .__/ \___/|_|   \__\___|_|                   
             | |                                            
             |_|                                            
2021-04-13 12:57:17.578  INFO 1 --- [           main] e.p.PluginConfigEnvironmentPostProcessor : Loaded 11 plugin configuration files
2021-04-13 12:57:17.700  INFO 1 --- [           main] c.f.v.FortifyVulnerabilityExporter       : Starting FortifyVulnerabilityExporter v1.2.0 using Java 1.8.0_275 on runner-estzx7bj-project-11312-concurrent-0 with PID 1 (/app/classpath/FortifyVulnerabilityExporter-1.2.0.jar started by root in /)
2021-04-13 12:57:17.711  INFO 1 --- [           main] c.f.v.FortifyVulnerabilityExporter       : The following profiles are active: default,ssc
2021-04-13 12:57:22.344  INFO 1 --- [           main] c.f.v.FortifyVulnerabilityExporter       : Started FortifyVulnerabilityExporter in 7.083 seconds (JVM running for 8.306)
2021-04-13 12:57:23.454 ERROR 1 --- [           main] o.s.boot.SpringApplication               : Application run failed
java.lang.IllegalStateException: Failed to execute CommandLineRunner
	at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:807) ~[spring-boot-2.4.3.jar:2.4.3]
	at org.springframework.boot.SpringApplication.callRunners(SpringApplication.java:788) ~[spring-boot-2.4.3.jar:2.4.3]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:333) ~[spring-boot-2.4.3.jar:2.4.3]
	at com.fortify.vulnexport.FortifyVulnerabilityExporter.main(FortifyVulnerabilityExporter.java:39) [FortifyVulnerabilityExporter-1.2.0.jar:1.2.0]
Caused by: javax.validation.ConstraintDeclarationException: HV000170: No JSR-223 scripting engine could be bootstrapped for language "javascript".
	at org.hibernate.validator.internal.constraintvalidators.hv.AbstractScriptAssertValidator.initialize(AbstractScriptAssertValidator.java:42) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
	at org.hibernate.validator.internal.constraintvalidators.hv.ScriptAssertValidator.initialize(ScriptAssertValidator.java:38) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
	at org.hibernate.validator.internal.engine.constraintvalidation.AbstractConstraintValidatorManagerImpl.initializeValidator(AbstractConstraintValidatorManagerImpl.java:140) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
	at org.hibernate.validator.internal.engine.constraintvalidation.AbstractConstraintValidatorManagerImpl.createAndInitializeValidator(AbstractConstraintValidatorManagerImpl.java:90) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
	at org.hibernate.validator.internal.engine.constraintvalidation.ConstraintValidatorManagerImpl.getInitializedValidator(ConstraintValidatorManagerImpl.java:117) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
	at org.hibernate.validator.internal.engine.constraintvalidation.ConstraintTree.getInitializedConstraintValidator(ConstraintTree.java:136) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
	at org.hibernate.validator.internal.engine.constraintvalidation.SimpleConstraintTree.validateConstraints(SimpleConstraintTree.java:54) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
	at org.hibernate.validator.internal.engine.constraintvalidation.ConstraintTree.validateConstraints(ConstraintTree.java:75) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
	at org.hibernate.validator.internal.metadata.core.MetaConstraint.doValidateConstraint(MetaConstraint.java:130) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
	at org.hibernate.validator.internal.metadata.core.MetaConstraint.validateConstraint(MetaConstraint.java:123) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
	at org.hibernate.validator.internal.engine.ValidatorImpl.validateMetaConstraint(ValidatorImpl.java:555) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
	at org.hibernate.validator.internal.engine.ValidatorImpl.validateConstraintsForSingleDefaultGroupElement(ValidatorImpl.java:518) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
	at org.hibernate.validator.internal.engine.ValidatorImpl.validateConstraintsForDefaultGroup(ValidatorImpl.java:488) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
	at org.hibernate.validator.internal.engine.ValidatorImpl.validateConstraintsForCurrentGroup(ValidatorImpl.java:450) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
	at org.hibernate.validator.internal.engine.ValidatorImpl.validateInContext(ValidatorImpl.java:400) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
	at org.hibernate.validator.internal.engine.ValidatorImpl.validateCascadedAnnotatedObjectForCurrentGroup(ValidatorImpl.java:629) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
	at org.hibernate.validator.internal.engine.ValidatorImpl.validateCascadedConstraints(ValidatorImpl.java:590) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
	at org.hibernate.validator.internal.engine.ValidatorImpl.validateInContext(ValidatorImpl.java:409) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
	at org.hibernate.validator.internal.engine.ValidatorImpl.validate(ValidatorImpl.java:172) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
	at org.springframework.validation.beanvalidation.SpringValidatorAdapter.validate(SpringValidatorAdapter.java:358) ~[spring-context-5.3.4.jar:5.3.4]
	at com.fortify.util.config.loader.StandardConfigLoader.validateConfig(StandardConfigLoader.java:69) ~[FortifyVulnerabilityExporter-api.jar:na]
	at com.fortify.util.config.loader.StandardConfigLoader.loadConfig(StandardConfigLoader.java:63) ~[FortifyVulnerabilityExporter-api.jar:na]
	at com.fortify.util.config.loader.AbstractConfigLoader.loadConfig(AbstractConfigLoader.java:62) ~[FortifyVulnerabilityExporter-api.jar:na]
	at com.fortify.vulnexport.spi.source.vuln.loader.AbstractVulnerabilityLoaderFactory.createConfig(AbstractVulnerabilityLoaderFactory.java:59) ~[FortifyVulnerabilityExporter-spi-from.jar:na]
	at com.fortify.vulnexport.spi.source.vuln.loader.AbstractVulnerabilityLoaderFactory.createVulnerabilityLoader(AbstractVulnerabilityLoaderFactory.java:51) ~[FortifyVulnerabilityExporter-spi-from.jar:na]
	at com.fortify.vulnexport.api.vuln.loader.active.ActiveVulnerabilityLoaderFactory.lambda$createVulnerabilityLoader$0(ActiveVulnerabilityLoaderFactory.java:59) ~[FortifyVulnerabilityExporter-api.jar:na]
	at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) ~[na:1.8.0_275]
	at java.util.Iterator.forEachRemaining(Iterator.java:116) ~[na:1.8.0_275]
	at java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1801) ~[na:1.8.0_275]
	at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482) ~[na:1.8.0_275]
	at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472) ~[na:1.8.0_275]
	at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) ~[na:1.8.0_275]
	at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[na:1.8.0_275]
	at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:566) ~[na:1.8.0_275]
	at com.fortify.vulnexport.api.vuln.loader.active.ActiveVulnerabilityLoaderFactory.createVulnerabilityLoader(ActiveVulnerabilityLoaderFactory.java:61) ~[FortifyVulnerabilityExporter-api.jar:na]
	at com.fortify.vulnexport.FortifyVulnerabilityExporterRunnerFactory.runActiveVulnerabilityLoader(FortifyVulnerabilityExporterRunnerFactory.java:65) ~[FortifyVulnerabilityExporter-1.2.0.jar:1.2.0]
	at com.fortify.util.spring.boot.scheduler.RunOrSchedule.runOnce(RunOrSchedule.java:55) ~[FortifyVulnerabilityExporter-1.2.0.jar:1.2.0]
	at com.fortify.util.spring.boot.scheduler.RunOrSchedule.run(RunOrSchedule.java:34) ~[FortifyVulnerabilityExporter-1.2.0.jar:1.2.0]
	at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:804) ~[spring-boot-2.4.3.jar:2.4.3]
	... 3 common frames omitted
Caused by: org.hibernate.validator.spi.scripting.ScriptEvaluatorNotFoundException: HV000232: No JSR 223 script engine found for language "javascript".
	at org.hibernate.validator.internal.engine.scripting.DefaultScriptEvaluatorFactory.createNewScriptEvaluator(DefaultScriptEvaluatorFactory.java:66) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
	at java.util.concurrent.ConcurrentHashMap.computeIfAbsent(ConcurrentHashMap.java:1660) ~[na:1.8.0_275]
	at org.hibernate.validator.spi.scripting.AbstractCachingScriptEvaluatorFactory.getScriptEvaluatorByLanguageName(AbstractCachingScriptEvaluatorFactory.java:41) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
	at org.hibernate.validator.internal.engine.constraintvalidation.HibernateConstraintValidatorInitializationContextImpl.getScriptEvaluatorForLanguage(HibernateConstraintValidatorInitializationContextImpl.java:50) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
	at org.hibernate.validator.internal.constraintvalidators.hv.AbstractScriptAssertValidator.initialize(AbstractScriptAssertValidator.java:38) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
	... 41 common frames omitted

How to filter for all 10 'OWASP Top 10 2017' in SSC

I am working on a custom config where low friority vulnerabilities will only be exported if they are in the OWASP top 10.
So far I have found a way to filter for one at a time in the top 10 using the following filterParam

filterParam: EXTERNALLIST[3C6ECB67-BBD9-4259-A8DB-B49328927248]:11130

This returns all vulnerabilities that are A1 Injections or in other words the top 1 in the OWASP top 10. Then referencing 11131 would give you A2 and so on.

It seems like filtering for All 10 in the top 10 should be possible, just my knowledge of SpEL just isn't there so most of the different configurations of that parameter I've tried haven't been successful. So if you could point me in the right direction I'd appreciate it.

Add Debricked as SCA option

When using FortifyVulnerabilityExporter with tools that allow import of SCA findings from SSC/FoD allow Debricked information to be exported as well as Sonatype.

Backstage Plugin

Was wondering if there's any plans to also include Backstage integration? It would be great to have a Backstage plugin similar to the one synk created: https://github.com/snyk-tech-services/backstage-plugin-snyk where scan results can be posted to Backstage providing developers a single pane of glass view into a component.

Backstage: https://backstage.io/docs/overview/what-is-backstage is soon becoming the new Internal Developer Portal standard.