fortify / fortifyvulnerabilityexporter Goto Github PK
Export Fortify vulnerability data to GitHub, GitLab, SonarQube and more
License: Other
This issue is related to this closed issue in which errors were thrown as Fortify reports vulnerabilities on line number 0. The same error happens now, but this time it is under codeFlows, as shown in the error below:
Error: Unable to upload "./gh-fortify-sast.sarif" as it is not valid SARIF:
- instance.runs[0].results[0].codeFlows[0].threadFlows[0].locations[0].location.physicalLocation.region.startLine must be greater than or equal to 1
To address the above, it may be possible to just use the same treatment here to handle the faulty startLine here.
According to the documentation, the export.from configuration property specifies the plugin and optional configuration name used to load vulnerability data. However, specifying a configuration name will cause problems as the fod or ssc profile will not be properly activated.
Technical details:
- AbstractVulnerabilityLoaderFactory properly handles the optional configuration name
- application.yml defines property spring.profiles.active as default, ${export.from}
- export.from set to fod.instance1 will result in a profile named fod.instance1 being activated instead of just fod
- fod or ssc profile is activated

We currently provide FortifyBugTrackerUtility (FBTU) for submitting vulnerability data to bug tracking and other external systems. It makes sense to move this functionality to FortifyVulnerabilityExporter (FVE) for various reasons:
Compatibility with FBTU is the main requirement for moving bug tracking support to FVE:
- isOpen && !targetLocation && customTags['Analysis']=='Exploitable'
- Add expression property to fortify-client-api StandardEmbedConfig class
- isVulnerabilityOpenExpression, by configuring for example ssc.vulnerability.embed with propertyName: isOpen and expression: removed==false && suppressed==false && hidden==false
- Add support in fortify-client-api to embed SSC custom tag values by name
- <targetType.instanceName>.<ssc|fod>.store:
    exportLocation:
      asNativeBugLink: <true|false>   (SSC & FoD)
      asCustomTag: <name>             (SSC)
      asComment: <commentFormat>      (FoD)
    extraCustomTags:                  (SSC)
      <name>: <expression>
- <targetType.instanceName> from the factory and read the corresponding <targetType.instanceName>.<ssc|fod>.store: configuration
- <targetType.instanceName>.<ssc|fod>.store.exportLocation.asNativeBugLink is true, the target processor will not be created/invoked if native bug link is not available for the current application version/release (incorrect bug tracker configured on FoD, 'Register bug link' bug tracker not configured on SSC)
- <targetType.instanceName>.ssc.store.exportLocation.asCustomTag is defined, the target processor will not be created/invoked if custom tag is not available on current application version
- updateVulnerabilityState method in IVulnerabilityConsumerContext that can be invoked by target implementation to request an update of SSC/FoD vulnerability state, for example to register export location (for newly exported issues) or to update extra custom tags in SSC (for newly and previously exported issues)
- <targetType.instanceName>, list of vulnerabilities (contents or id's?) to be updated, and target entity details (location, state, ...) to this method

See #70 for background information. Potentially, we should reconsider the ability to process multiple versions/releases if release/version name is omitted from the fod.release.name/ssc.version.name properties. If users want to process all releases/versions for a given application (or multiple applications), they can use the fod.release.regex/ssc.version.regex properties instead to perform wildcard matching.
Related to this, when querying FoD for app/release name, FoD uses case-insensitive 'contains' matching instead of exact matching. For example, when querying FoD for 'App', FoD will return App, My app, APP2, ... This is usually not what users expect, and is inconsistent with SSC behavior (which uses exact matching). We should probably fix/enhance fortify-client-api to add (optional) support for performing client-side exact matching on the results returned by FoD.
In your readme.md, the "Release versions: https://bintray.com/package/files/fortify-ps/release/FortifyVulnerabilityExporter?order=desc&sort=fileLastModified&basePath=&tab=files" link returns a 404.
Hello @rsenden,
Where can I find the Dockerfile for the tool? I need to add our root CA to the cert storage(s) and build our own image.
SSC vulnerabilities cannot be imported in SonarQube 8.3.1 during scan.
Issue: the json file was generated successfully from an SSC app version with FortifyVulnerabilityExporter version 1.2.0, but SonarQube was not importing vulnerabilities from the scan as "filePath" was without volume.
Examples:
filePath with volume: "filePath" : "E:/Agents/vbc/a0/_work/1/s/Source/AAA/BBB/C.asax.cs",
filePath without volume: "filePath" : "/Agents/vbc/a0/_work/1/s/Source/AAA/BBB/C.asax.cs",
"issues" : [ {
  "engineId" : "FortifySCA",
  "ruleId" : "Dead Code: Unused Field",
  "severity" : "INFO",
  "type" : "VULNERABILITY",
  "primaryLocation" : {
    "message" : "Dead Code: Unused Field - https://fortifyssc.veripark.com/ssc/html/ssc/version/10001/fix/8263/?engineType=SCA&issue=645F7B691879C8261100E0AA0E8AA3F0",
    "filePath" : "/Agents/vbc/a0/_work/1/s/Source/AAA/BBB/C.asax.cs",
    "textRange" : {
      "startLine" : 17
    }
  }
} ]
There were 0 issues imported. Error experienced during SonarQube scan with external Fortify issue import:
13:59:48.253 DEBUG: Importing issues from 'E:\Fortify\FortifyVulnerabilityExporter\sq-fortify-sast.json'
13:59:48.268 INFO: **Imported 0 issues in 0 files**
13:59:48.268 INFO: External issues ignored for 443 unknown files, including: Agents/xyz/a0/_work/1/s/Source/Business/EService/Global.asax.cs, Agents/xyz/a0/_work/1/s/Source/Business/EService/Web.config, Agents/xyz/a0/_work/1/s/Source/Business/EService/Web.Debug.config, Agents/xyz/a0/_work/1/s/Source/Business/EService/Web.Release.config, Agents/xyz/a0/_work/1/s/Source/Business/A.Business/Activities/BaseClass/BaseActivity.cs
Adding the E: volume to the filePath property fixes this issue.
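The manual fix described in this report (re-attaching the drive letter to every filePath) can be applied to the exported report before the SonarQube scan runs. The following Python is an added example, not code from FortifyVulnerabilityExporter or SonarQube: it re-attaches a configured volume to rooted filePath values in primary and secondary locations and, going beyond the post, can also rewrite them relative to a base directory (assumed here to be the scanner's project base directory); the report is constructed inline.

```python
import json
import re
from typing import Optional

# Constructed SonarQube generic-issue report (not the page's real export): one path lost
# its drive letter, one already carries it, one is relative; one issue has a secondary location.
SAMPLE_REPORT = json.dumps({"issues": [
    {"engineId": "FortifySCA", "ruleId": "Dead Code: Unused Field", "severity": "INFO",
     "type": "VULNERABILITY",
     "primaryLocation": {"message": "Dead Code: Unused Field",
                         "filePath": "/Agents/vbc/a0/_work/1/s/Source/AAA/BBB/C.asax.cs",
                         "textRange": {"startLine": 17}}},
    {"engineId": "FortifySCA", "ruleId": "Password Management: Hardcoded Password",
     "severity": "CRITICAL", "type": "VULNERABILITY",
     "primaryLocation": {"message": "Hardcoded password",
                         "filePath": "E:/Agents/vbc/a0/_work/1/s/Source/AAA/Web.config",
                         "textRange": {"startLine": 3}},
     "secondaryLocations": [{"message": "sink",
                             "filePath": "/Agents/vbc/a0/_work/1/s/Source/AAA/Db.cs",
                             "textRange": {"startLine": 9}}]},
    {"engineId": "FortifySCA", "ruleId": "Dead Code: Unused Method", "severity": "INFO",
     "type": "VULNERABILITY",
     "primaryLocation": {"message": "Dead Code: Unused Method",
                         "filePath": "Source/AAA/Util.cs", "textRange": {"startLine": 5}}},
]})

_DRIVE = re.compile(r"^[A-Za-z]:[/\\]")   # path already carries a Windows volume
_VOLUME = re.compile(r"^[A-Za-z]:$")      # accepted shape for the volume argument, e.g. "E:"


def _iter_locations(issue: dict):
    """Yield every location object of an issue: the primary one plus any secondaries."""
    if "primaryLocation" in issue:
        yield issue["primaryLocation"]
    yield from issue.get("secondaryLocations", [])


def _fix_path(path: str, volume: str, base_dir: Optional[str]) -> str:
    """Re-attach a lost volume to a rooted path; optionally make it relative to base_dir."""
    path = path.replace("\\", "/")
    if path.startswith("/") and not _DRIVE.match(path):
        path = volume + path                       # "/Agents/..." -> "E:/Agents/..."
    if base_dir:
        base = base_dir.replace("\\", "/").rstrip("/") + "/"
        if path.lower().startswith(base.lower()):  # Windows paths compare case-insensitively
            path = path[len(base):]
    return path


def normalize_file_paths(report: dict, volume: str, base_dir: Optional[str] = None) -> int:
    """Rewrite filePath values in place; return how many were changed."""
    if not _VOLUME.match(volume):
        raise ValueError(f"volume must look like 'E:', got {volume!r}")
    changed = 0
    for issue in report.get("issues", []):
        for loc in _iter_locations(issue):
            old = loc.get("filePath")
            if not isinstance(old, str):
                continue
            new = _fix_path(old, volume, base_dir)
            if new != old:
                loc["filePath"] = new
                changed += 1
    return changed


def file_paths(report: dict) -> list:
    """All filePath values of a report, in document order (handy for checking the result)."""
    return [loc["filePath"] for issue in report.get("issues", []) for loc in _iter_locations(issue)]


if __name__ == "__main__":
    doc = json.loads(SAMPLE_REPORT)
    print(normalize_file_paths(doc, "E:"), "paths rewritten")
    print(json.dumps(doc, indent=2))
```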
Running FortifyVulnerabilityExporter on Windows results in an error if any of the following environment variables is set to an absolute path with drive letter:
- EXPORT_DIR (all configuration files that refer to export.dir)
- GITHUB_WORKSPACE (all GitHub-related configuration files)
- CI_PROJECT_DIR (all GitLab-related configuration files)
The error doesn't occur in the following cases:
- \Temp\SomeDir
Errors look something like the below:
Failed to bind properties under 'json.gitlab.dast.output.file' to java.io.File:
    Property: json.gitlab.dast.output.file
    Value: ${export.dir}/gl-fortify-dast.json
    Origin: URL [file:config/FoDToGitLab.yml] - 35:11
    Reason: failed to convert java.lang.String to java.io.File
Hello! Not sure if this is the right place to raise this issue, but we've noticed that the way Fortify SCA is generating SARIF documents is causing a bad user experience with GitHub Code Scanning.
Code Scanning expects that rule metadata will be shared many times between different runs of a Code Scanning tool. A rule should represent a capability of the tool, not information about any specific finding. Information that is scan-specific should be included in the result's message field instead (e.g. file paths, container checksums, etc.).
Fortify SCA appears to be generating large numbers of rules, each one with unique alert-specific information in the help text. Possibly due to the configuration in these files?
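Both the startLine-0 problem reported earlier on this page (the SARIF schema requires region.startLine >= 1, also for codeFlow steps) and the rule-metadata problem in this report can be checked on an exported SARIF file before it is uploaded. The following Python is an added example, not code from FortifyVulnerabilityExporter or Fortify SCA: it clamps invalid line numbers in every location of every result (primary, related and codeFlow steps) and reports how many rules embed file paths that belong to individual results; the SARIF document is constructed inline.

```python
import json

# Constructed minimal SARIF 2.1.0 document (not a real Fortify export): one result whose
# primary location and first codeFlow step report line 0, and one rule per finding whose
# help text embeds a finding-specific file path.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "SampleScanner", "rules": [
            {"id": "DeadCode-1", "help": {"text": "Unused field in src/a/B.cs line 17"}},
            {"id": "DeadCode-2", "help": {"text": "Unused field in src/a/C.cs line 42"}},
        ]}},
        "results": [
            {"ruleId": "DeadCode-1", "message": {"text": "finding 1"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/a/B.cs"},
                 "region": {"startLine": 0}}}],
             "codeFlows": [{"threadFlows": [{"locations": [
                 {"location": {"physicalLocation": {
                     "artifactLocation": {"uri": "src/a/B.cs"},
                     "region": {"startLine": 0, "endLine": 0}}}},
                 {"location": {"physicalLocation": {
                     "artifactLocation": {"uri": "src/a/B.cs"},
                     "region": {"startLine": 17}}}},
             ]}]}]},
            {"ruleId": "DeadCode-2", "message": {"text": "finding 2"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/a/C.cs"},
                 "region": {"startLine": 42}}}]},
        ],
    }],
})


def _physical_locations(result):
    """Yield every physicalLocation of a result: primary, related and codeFlow step locations."""
    for loc in result.get("locations", []) + result.get("relatedLocations", []):
        if "physicalLocation" in loc:
            yield loc["physicalLocation"]
    for flow in result.get("codeFlows", []):
        for thread in flow.get("threadFlows", []):
            for step in thread.get("locations", []):
                phys = step.get("location", {}).get("physicalLocation")
                if phys:
                    yield phys


def fix_line_numbers(sarif):
    """Clamp region startLine/endLine values below 1 to 1 in place; return how many changed.

    The schema minimum is 1; a single 0 anywhere (including inside codeFlows) makes the
    upload reject the whole file, as the error quoted on this page shows.
    """
    fixed = 0
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            for phys in _physical_locations(result):
                region = phys.get("region", {})
                for key in ("startLine", "endLine"):
                    value = region.get(key)
                    if isinstance(value, int) and value < 1:
                        region[key] = 1
                        fixed += 1
    return fixed


def rule_report(sarif):
    """Per-run summary of how finding-specific the rule metadata is.

    Two signals that rules carry alert data instead of tool capabilities: the rule count is
    close to the result count, and rule help/description text mentions artifact URIs that
    appear in the results.
    """
    report = []
    for run in sarif.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        results = run.get("results", [])
        uris = {phys.get("artifactLocation", {}).get("uri")
                for r in results for phys in _physical_locations(r)}
        uris.discard(None)
        with_paths = 0
        for rule in rules:
            text = " ".join(str(v) for v in rule.get("help", {}).values())
            text += " " + rule.get("fullDescription", {}).get("text", "")
            if any(uri in text for uri in uris):
                with_paths += 1
        report.append({
            "rules": len(rules),
            "results": len(results),
            "rules_with_result_paths": with_paths,
            "rules_per_result": round(len(rules) / len(results), 2) if results else 0.0,
        })
    return report


def lint_sarif(sarif_text):
    """Parse, fix line numbers and summarise rules; return (document, fixes, report)."""
    doc = json.loads(sarif_text)
    fixes = fix_line_numbers(doc)
    return doc, fixes, rule_report(doc)


if __name__ == "__main__":
    doc, fixes, report = lint_sarif(SAMPLE_SARIF)
    print(f"clamped {fixes} line numbers; rule report: {report}")
```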
Environment:
Command:
FortifyVulnerabilityExporter FoDToCSV --fod.baseUrl=$FOD_URL --fod.tenant=$FOD_TENANT --fod.userName=$FOD_USERNAME --fod.password=$FOD_PAT --fod.release.id=$FOD_RELEASE_ID --csv.output.file=$CI_PROJECT_DIR/scan-report.csv
Log:
11:48:16.336 [main] DEBUG com.fortify.util.spring.boot.container.PopulateContainerDirs - Populate container directories enabled: false
2022-01-26 11:48:17.705 INFO 725 --- [ main] e.p.PluginConfigEnvironmentPostProcessor : Loaded 13 plugin configuration files
2022-01-26 11:48:18.019 INFO 725 --- [ main] c.f.v.FortifyVulnerabilityExporter : Starting FortifyVulnerabilityExporter v1.5.3 using Java 17.0.2 with PID 725 (/root/.fortify/tools/FortifyVulnerabilityExporter/latest-20220126/FortifyVulnerabilityExporter.jar started by root in /builds/[MASKED]cloud/violazione-command-service)
2022-01-26 11:48:18.019 INFO 725 --- [ main] c.f.v.FortifyVulnerabilityExporter : The following profiles are active: default
2022-01-26 11:48:19.037 INFO 725 --- [ main] c.f.v.FortifyVulnerabilityExporter : Using configuration file /root/.fortify/tools/FortifyVulnerabilityExporter/latest-20220126/config/FoDToCSV.yml
2022-01-26 11:48:19.039 INFO 725 --- [ main] c.f.v.FortifyVulnerabilityExporter : Started FortifyVulnerabilityExporter in 2.34 seconds (JVM running for 3.012)
javax.validation.ConstraintDeclarationException: HV000170: No JSR-223 scripting engine could be bootstrapped for language "javascript".
at org.hibernate.validator.internal.constraintvalidators.hv.AbstractScriptAssertValidator.initialize(AbstractScriptAssertValidator.java:42)
at org.hibernate.validator.internal.constraintvalidators.hv.ScriptAssertValidator.initialize(ScriptAssertValidator.java:38)
at org.hibernate.validator.internal.engine.constraintvalidation.AbstractConstraintValidatorManagerImpl.initializeValidator(AbstractConstraintValidatorManagerImpl.java:140)
at org.hibernate.validator.internal.engine.constraintvalidation.AbstractConstraintValidatorManagerImpl.createAndInitializeValidator(AbstractConstraintValidatorManagerImpl.java:90)
at org.hibernate.validator.internal.engine.constraintvalidation.ConstraintValidatorManagerImpl.getInitializedValidator(ConstraintValidatorManagerImpl.java:117)
at org.hibernate.validator.internal.engine.constraintvalidation.ConstraintTree.getInitializedConstraintValidator(ConstraintTree.java:136)
at org.hibernate.validator.internal.engine.constraintvalidation.SimpleConstraintTree.validateConstraints(SimpleConstraintTree.java:54)
at org.hibernate.validator.internal.engine.constraintvalidation.ConstraintTree.validateConstraints(ConstraintTree.java:75)
at org.hibernate.validator.internal.metadata.core.MetaConstraint.doValidateConstraint(MetaConstraint.java:130)
at org.hibernate.validator.internal.metadata.core.MetaConstraint.validateConstraint(MetaConstraint.java:123)
at org.hibernate.validator.internal.engine.ValidatorImpl.validateMetaConstraint(ValidatorImpl.java:555)
at org.hibernate.validator.internal.engine.ValidatorImpl.validateConstraintsForSingleDefaultGroupElement(ValidatorImpl.java:518)
at org.hibernate.validator.internal.engine.ValidatorImpl.validateConstraintsForDefaultGroup(ValidatorImpl.java:488)
at org.hibernate.validator.internal.engine.ValidatorImpl.validateConstraintsForCurrentGroup(ValidatorImpl.java:450)
at org.hibernate.validator.internal.engine.ValidatorImpl.validateInContext(ValidatorImpl.java:400)
at org.hibernate.validator.internal.engine.ValidatorImpl.validateCascadedAnnotatedObjectForCurrentGroup(ValidatorImpl.java:629)
at org.hibernate.validator.internal.engine.ValidatorImpl.validateCascadedConstraints(ValidatorImpl.java:590)
at org.hibernate.validator.internal.engine.ValidatorImpl.validateInContext(ValidatorImpl.java:409)
at org.hibernate.validator.internal.engine.ValidatorImpl.validate(ValidatorImpl.java:172)
at org.springframework.validation.beanvalidation.SpringValidatorAdapter.validate(SpringValidatorAdapter.java:358)
at com.fortify.util.config.loader.StandardConfigLoader.validateConfig(StandardConfigLoader.java:106)
at com.fortify.util.config.loader.StandardConfigLoader.loadConfig(StandardConfigLoader.java:93)
at com.fortify.vulnexport.spi.source.vuln.loader.AbstractVulnerabilityLoaderFactory.createConfig(AbstractVulnerabilityLoaderFactory.java:97)
at com.fortify.vulnexport.spi.source.vuln.loader.AbstractVulnerabilityLoaderFactory.createVulnerabilityLoader(AbstractVulnerabilityLoaderFactory.java:73)
at com.fortify.vulnexport.api.vuln.loader.active.ActiveVulnerabilityLoaderFactory.lambda$createVulnerabilityLoader$0(ActiveVulnerabilityLoaderFactory.java:59)
at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
at java.base/java.util.Iterator.forEachRemaining(Iterator.java:133)
at java.base/java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1845)
at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:921)
at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682)
at com.fortify.vulnexport.api.vuln.loader.active.ActiveVulnerabilityLoaderFactory.createVulnerabilityLoader(ActiveVulnerabilityLoaderFactory.java:61)
at com.fortify.vulnexport.FortifyVulnerabilityExporterRunnerFactory.runActiveVulnerabilityLoader(FortifyVulnerabilityExporterRunnerFactory.java:91)
at com.fortify.util.spring.boot.scheduler.RunOrSchedule.runOnce(RunOrSchedule.java:76)
at com.fortify.util.spring.boot.scheduler.RunOrSchedule.run(RunOrSchedule.java:48)
at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:767)
at org.springframework.boot.SpringApplication.callRunners(SpringApplication.java:751)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:309)
at com.fortify.vulnexport.FortifyVulnerabilityExporter.main(FortifyVulnerabilityExporter.java:62)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49)
at org.springframework.boot.loader.Launcher.launch(Launcher.java:108)
at org.springframework.boot.loader.Launcher.launch(Launcher.java:58)
at org.springframework.boot.loader.PropertiesLauncher.main(PropertiesLauncher.java:467)
Caused by: org.hibernate.validator.spi.scripting.ScriptEvaluatorNotFoundException: HV000232: No JSR 223 script engine found for language "javascript".
at org.hibernate.validator.internal.engine.scripting.DefaultScriptEvaluatorFactory.createNewScriptEvaluator(DefaultScriptEvaluatorFactory.java:66)
at java.base/java.util.concurrent.ConcurrentHashMap.computeIfAbsent(ConcurrentHashMap.java:1708)
at org.hibernate.validator.spi.scripting.AbstractCachingScriptEvaluatorFactory.getScriptEvaluatorByLanguageName(AbstractCachingScriptEvaluatorFactory.java:41)
at org.hibernate.validator.internal.engine.constraintvalidation.HibernateConstraintValidatorInitializationContextImpl.getScriptEvaluatorForLanguage(HibernateConstraintValidatorInitializationContextImpl.java:50)
at org.hibernate.validator.internal.constraintvalidators.hv.AbstractScriptAssertValidator.initialize(AbstractScriptAssertValidator.java:38)
... 48 more
Cleaning up project directory and file based variables
ERROR: Job failed: exit code 1
I have been working on building a custom.yml config file to add several additional pieces we would like imported into Gitlab. So far I have been able to add the analysis results via the primaryTag, but adding comments is proving to be more difficult since that info is not part of the same uri.
I guess the first question is if this is even possible. If it is, I could use some guidance on getting this working. I have tried a bunch of different configurations but haven't had much luck. I either get no comments in the report or errors. I'm assuming it has to do with me not understanding how the propertyName: attribute works.
Here is my latest configuration attempt:
export:
  from: ssc
  to: json.gitlab.sast
ssc:
  version:
    embed:
      - subEntity: currentStaticScan
        onError: LOG_INFO
  vulnerability:
    embed:
      - propertyName: detailsProp
        uri: /api/v1/issueDetails/{id}
        subEntity: details
        onError: LOG_INFO
      - propertyName: commentProp
        uri: /api/v1/issues/{id}/comments?limit=-1
        subEntity: comments
        onError: LOG_INFO
export.dir: ${CI_PROJECT_DIR:${export.default.dir}}
json.gitlab.sast.output:
  stdout: false
  pretty: true
  file: ${export.dir}/gl-fortify-sast.json
json.gitlab.sast.filter.expr: vuln.engineType=='SCA'
json.gitlab.sast.format:
  fields:
    schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v14.1.1/dist/sast-report-format.json
    version: 14.1.1
    scan:
      start_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentStaticScan?.uploadDate?:'1970-01-01T00:00:00')]
      end_time: $[#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", applicationVersion.currentStaticScan?.uploadDate?:'1970-01-01T00:00:00')]
      status: success
      type: sast
      scanner:
        id: fortify-sca
        name: Fortify SCA
        url: https://www.microfocus.com/en-us/products/application-security-testing/overview
        version: SCA $[applicationVersion.currentStaticScan?.engineVersion?:'version unknown']
        vendor:
          name: Fortify
    vulnerabilities: $[vulnerabilityMappers.vulnerability.get()]
  vulnerabilityMappers.vulnerability.fields:
    id: $[vuln.issueInstanceId]
    category: sast
    name: $[vuln.issueName]
    message: $[vuln.issueName]
    description: $[#abbreviate(#htmlToText(vuln.detailsProp?.brief), 15000)]
    cve: 'N/A'
    severity: $[vuln.friority]
    confidence: $[(vuln.friority matches "(Critical|Medium)") ? "High":"Low" ]
    solution: $[#abbreviate(#htmlToText(vuln.detailsProp?.detail)+'\n\n'+#htmlToText(vuln.detailsProp?.recommendation), 7000)]
    scanner:
      id: fortify-sca
      name: Fortify SCA
    identifiers:
      - name: "Analysis: $[vuln.primaryTag?: 'Not Audited']"
        type: primaryTag
        value: $[vuln.primaryTag?:'Not Audited']
        url: $[vuln.deepLink]
      - name: "Comments: $[vuln.commentProp?.comment?:'No Comments']"
        type: comment
        value: $[vuln.commentProp?.comment?: 'No Comments']
    links:
      - name: Additional issue details, including analysis trace, in Software Security Center
        url: $[vuln.deepLink]
    location:
      file: $[vuln.fullFileName]
      start_line: $[vuln.lineNumber]
Got the following errors:
java.lang.RuntimeException: Error processing vulnerability
Caused by: java.lang.RuntimeException: Error processing vulnerability
Caused by: org.springframework.expressions.spel.SpelEvaluationException: EL1008E: Property of field 'comment' cannot be found on object of type 'com.fortify.util.rest.json.JSONList' - maybe not public or valid?
The embed(SSCApplicationVersionsQueryBuilder qb, SSCEmbedConfig config) method defined in https://github.com/fortify/FortifyVulnerabilityExporter/blob/main/FortifyVulnerabilityExporter-plugin-from-ssc/src/main/java/com/fortify/vulnexport/from/ssc/FromSSCVulnerabilityLoader.java provides special processing if the sub-entity to be embedded equals currentStaticScan, currentDynamicScan, or currentSonatypeScan. However, even when special processing takes place, the SSCApplicationVersionsQueryBuilder#embed(config) method is called again at the end of this method.
This is most likely not intended, but doesn't seem to cause any runtime issues. Further research is needed to investigate whether this might result in extra, invalid requests to SSC, and why these invalid requests are not logged.
When trying to export SSC SAST to GitLab while our SSC is using a self-signed cert, you get the error below.
To see job details, look at #18.
Using docker image sha256:68b7979a3875576df43e76e90b483634102afc63bc2cd5df21e737079514e7b5 for docker.jfrog.lfg.com/fortifydocker/fortify-vulnerability-exporter:latest_rc with digest docker.jfrog.lfg.com/fortifydocker/fortify-vulnerability-exporter@sha256:cbdc3a54cc2d8f4c7ed4b97adac35cb6c875b74f449904d58cc909f18e81bd13 ...
01:36:24.003 [main] DEBUG com.fortify.util.spring.boot.container.PopulateContainerDirs - Populate container directories enabled: true
01:36:24.007 [main] DEBUG com.fortify.util.spring.boot.container.PopulateContainerDirs - Checking whether container directories need to be initialized
01:36:24.013 [main] DEBUG com.fortify.util.spring.boot.container.PopulateContainerDirs - Target path /config is present: true
2021-04-14 01:36:24.697 INFO 1 --- [ main] e.p.PluginConfigEnvironmentPostProcessor : Loaded 11 plugin configuration files
2021-04-14 01:36:24.701 INFO 1 --- [ main] c.f.v.FortifyVulnerabilityExporter : Starting FortifyVulnerabilityExporter v0.20210413.113124-dev_main using Java 11.0.10 on runner-w42yknzx-project-11312-concurrent-0 with PID 1 (/app/classpath/FortifyVulnerabilityExporter-0.20210413.113124-dev_main.jar started by root in /)
2021-04-14 01:36:24.702 INFO 1 --- [ main] c.f.v.FortifyVulnerabilityExporter : The following profiles are active: default
2021-04-14 01:36:25.467 INFO 1 --- [ main] c.f.v.FortifyVulnerabilityExporter : Started FortifyVulnerabilityExporter in 1.255 seconds (JVM running for 1.687)
2021-04-14 01:36:26.783 ERROR 1 --- [ main] o.s.boot.SpringApplication : Application run failed
java.lang.IllegalStateException: Failed to execute CommandLineRunner
at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:809) ~[spring-boot-2.4.4.jar:2.4.4]
at org.springframework.boot.SpringApplication.callRunners(SpringApplication.java:790) ~[spring-boot-2.4.4.jar:2.4.4]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:333) ~[spring-boot-2.4.4.jar:2.4.4]
at com.fortify.vulnexport.FortifyVulnerabilityExporter.main(FortifyVulnerabilityExporter.java:39) ~[FortifyVulnerabilityExporter-0.20210413.113124-dev_main.jar:0.20210413.113124-dev_main]
Caused by: java.lang.RuntimeException: Exception in call() method
at com.fortify.util.log4j.LogMaskingHelper$AbstractMasker.on(LogMaskingHelper.java:117) ~[common-log-5.10.jar:na]
at com.fortify.client.ssc.connection.SSCTokenFactoryUserCredentials.performTokenRequest(SSCTokenFactoryUserCredentials.java:111) ~[FortifyVulnerabilityExporter-plugin-from-ssc.jar:na]
at com.fortify.client.ssc.connection.SSCTokenFactoryUserCredentials.getToken(SSCTokenFactoryUserCredentials.java:98) ~[FortifyVulnerabilityExporter-plugin-from-ssc.jar:na]
at com.fortify.client.ssc.connection.SSCAuthenticatingRestConnection.updateBuilder(SSCAuthenticatingRestConnection.java:92) ~[FortifyVulnerabilityExporter-plugin-from-ssc.jar:na]
at com.fortify.util.rest.connection.AbstractRestConnection.executeRequest(AbstractRestConnection.java:222) ~[common-rest-5.10.jar:na]
at com.fortify.util.rest.connection.AbstractRestConnection.executeRequestWithFinalizedWebTarget(AbstractRestConnection.java:186) ~[common-rest-5.10.jar:na]
at com.fortify.util.rest.connection.AbstractRestConnection.executeRequest(AbstractRestConnection.java:167) ~[common-rest-5.10.jar:na]
at com.fortify.util.rest.connection.AbstractRestConnection.executeRequest(AbstractRestConnection.java:152) ~[common-rest-5.10.jar:na]
at com.fortify.util.rest.query.AbstractRestConnectionQuery.executeRequest(AbstractRestConnectionQuery.java:141) ~[common-rest-5.10.jar:na]
at com.fortify.util.rest.query.AbstractRestConnectionQuery.processSingleRequest(AbstractRestConnectionQuery.java:209) ~[common-rest-5.10.jar:na]
at com.fortify.util.rest.query.AbstractRestConnectionQuery.processAll(AbstractRestConnectionQuery.java:200) ~[common-rest-5.10.jar:na]
at com.fortify.util.rest.query.AbstractRestConnectionQuery.processAll(AbstractRestConnectionQuery.java:90) ~[common-rest-5.10.jar:na]
at com.fortify.util.rest.query.AbstractRestConnectionQuery.processAll(AbstractRestConnectionQuery.java:95) ~[common-rest-5.10.jar:na]
at com.fortify.vulnexport.from.ssc.FromSSCVulnerabilityLoader$_FromSSCVulnerabilityLoader.run(FromSSCVulnerabilityLoader.java:105) ~[FortifyVulnerabilityExporter-plugin-from-ssc.jar:na]
at com.fortify.vulnexport.from.ssc.FromSSCVulnerabilityLoader.run(FromSSCVulnerabilityLoader.java:81) ~[FortifyVulnerabilityExporter-plugin-from-ssc.jar:na]
at com.fortify.vulnexport.FortifyVulnerabilityExporterRunnerFactory.runActiveVulnerabilityLoader(FortifyVulnerabilityExporterRunnerFactory.java:91) ~[FortifyVulnerabilityExporter-0.20210413.113124-dev_main.jar:0.20210413.113124-dev_main]
at com.fortify.util.spring.boot.scheduler.RunOrSchedule.runOnce(RunOrSchedule.java:68) ~[FortifyVulnerabilityExporter-0.20210413.113124-dev_main.jar:0.20210413.113124-dev_main]
at com.fortify.util.spring.boot.scheduler.RunOrSchedule.run(RunOrSchedule.java:47) ~[FortifyVulnerabilityExporter-0.20210413.113124-dev_main.jar:0.20210413.113124-dev_main]
at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:806) ~[spring-boot-2.4.4.jar:2.4.4]
... 3 common frames omitted
Caused by: javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.glassfish.jersey.apache.connector.ApacheConnector.apply(ApacheConnector.java:531) ~[jersey-apache-connector-2.33.jar:na]
at org.glassfish.jersey.client.ClientRuntime.invoke(ClientRuntime.java:297) ~[jersey-client-2.33.jar:na]
at org.glassfish.jersey.client.JerseyInvocation.lambda$invoke$0(JerseyInvocation.java:630) ~[jersey-client-2.33.jar:na]
at org.glassfish.jersey.client.JerseyInvocation.call(JerseyInvocation.java:665) ~[jersey-client-2.33.jar:na]
at org.glassfish.jersey.client.JerseyInvocation.lambda$runInScope$3(JerseyInvocation.java:659) ~[jersey-client-2.33.jar:na]
at org.glassfish.jersey.internal.Errors.process(Errors.java:292) ~[jersey-common-2.33.jar:na]
at org.glassfish.jersey.internal.Errors.process(Errors.java:274) ~[jersey-common-2.33.jar:na]
at org.glassfish.jersey.internal.Errors.process(Errors.java:205) ~[jersey-common-2.33.jar:na]
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:390) ~[jersey-common-2.33.jar:na]
at org.glassfish.jersey.client.JerseyInvocation.runInScope(JerseyInvocation.java:659) ~[jersey-client-2.33.jar:na]
at org.glassfish.jersey.client.JerseyInvocation.invoke(JerseyInvocation.java:629) ~[jersey-client-2.33.jar:na]
at com.fortify.util.rest.connection.AbstractRestConnection.executeRequest(AbstractRestConnection.java:223) ~[common-rest-5.10.jar:na]
at com.fortify.client.ssc.connection.SSCTokenFactoryUserCredentials.lambda$performTokenRequest$0(SSCTokenFactoryUserCredentials.java:112) ~[FortifyVulnerabilityExporter-plugin-from-ssc.jar:na]
at com.fortify.util.log4j.LogMaskingHelper$AbstractMasker.on(LogMaskingHelper.java:115) ~[common-log-5.10.jar:na]
... 21 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source) ~[na:na]
at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source) ~[na:na]
at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source) ~[na:na]
at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source) ~[na:na]
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(Unknown Source) ~[na:na]
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(Unknown Source) ~[na:na]
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(Unknown Source) ~[na:na]
at java.base/sun.security.ssl.SSLHandshake.consume(Unknown Source) ~[na:na]
at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source) ~[na:na]
at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source) ~[na:na]
at java.base/sun.security.ssl.TransportContext.dispatch(Unknown Source) ~[na:na]
at java.base/sun.security.ssl.SSLTransport.decode(Unknown Source) ~[na:na]
at java.base/sun.security.ssl.SSLSocketImpl.decode(Unknown Source) ~[na:na]
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source) ~[na:na]
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) ~[na:na]
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) ~[na:na]
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436) ~[httpclient-4.5.13.jar:4.5.13]
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384) ~[httpclient-4.5.13.jar:4.5.13]
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142) ~[httpclient-4.5.13.jar:4.5.13]
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376) ~[httpclient-4.5.13.jar:4.5.13]
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393) ~[httpclient-4.5.13.jar:4.5.13]
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236) ~[httpclient-4.5.13.jar:4.5.13]
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186) ~[httpclient-4.5.13.jar:4.5.13]
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) ~[httpclient-4.5.13.jar:4.5.13]
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) ~[httpclient-4.5.13.jar:4.5.13]
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) ~[httpclient-4.5.13.jar:4.5.13]
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72) ~[httpclient-4.5.13.jar:4.5.13]
at org.glassfish.jersey.apache.connector.ApacheConnector.apply(ApacheConnector.java:483) ~[jersey-apache-connector-2.33.jar:na]
... 34 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(Unknown Source) ~[na:na]
at java.base/sun.security.validator.PKIXValidator.engineValidate(Unknown Source) ~[na:na]
at java.base/sun.security.validator.Validator.validate(Unknown Source) ~[na:na]
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source) ~[na:na]
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source) ~[na:na]
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source) ~[na:na]
... 58 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source) ~[na:na]
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source) ~[na:na]
at java.base/java.security.cert.CertPathBuilder.build(Unknown Source) ~[na:na]
... 64 common frames omitted
Hi,
Good day !
I'm using FortifyVulnerabilityExporter on a sample WebGoat application's scan and am trying to export FoD scan results using a customized yml file with export_config: ${{github.workspace}}/MyCustomExportConfig_JSON.yml
While exporting I received the following error:
Caused by: com.fasterxml.jackson.databind.exc.InvalidDefinitionException: Java 8 date/time type java.time.ZoneRegion not supported by default: add Module "com.fasterxml.jackson.datatype:jackson-datatype-jsr310" to enable handling (through reference chain: com.fortify.util.rest.json.JSONMap["release"]->com.fortify.util.rest.json.JSONMap["serverZoneId"])
I have attached my yml file. Any help in this regards is greatly appreciated.
Best Regards,
Rajesh Kumar
export:
  from: fod
  to: json.raw
fod:
  release:
    embed: # Load static scan summaries if available
      - propertyName: staticScanSummary
        uri: /api/v3/scans/{currentStaticScanId}/summary
        embedIf: currentStaticScanId!=null
  vulnerability:
    embed: # Load extra data, depending on what data you want to include in output
      - subEntity: all-data
export.dir: ${export.default.dir} # Use default export directory (unless overridden)
json.raw.output:
  stdout: false # Useful for debugging, disable for optimal performance
  file: ${export.dir}/${release.applicationName}-${release.releaseName}.json
Hi, I might be reading the readme and/or using the configs wrongly, as no matter what I set, I'm not able to export Suppressed data.
Hi, good day.
I've used FoD's inbuilt Export tool and it is able to export all my findings, including suppressed ones.
I'm using v2.0.2.
Have tried downloading v2.0.0 and faced the same issue.
I've attached my yaml. Any help is greatly appreciated.
Thanks in advance. :)
# See FortifyVulnerabilityExporter documentation for FoD connection settings and release selection
export:
  from: fod
  to: csv
#fod:
  vulnerability:
    filterParam: scanType:Static
    includeFixed: true
    includeSuppressed: true
#    embed:
#      - subEntity: all-data
export.dir: ${export.default.dir} # Use default export directory (unless overridden)
csv:
  output:
    header: true
    stdout: false
    file: ${export.dir}/${release.applicationName}-${release.releaseName}.csv
  fields:
    source: Fortify on Demand
    scanType: $[vuln.scantype]
    id: $[vuln.id]
    issueInstanceId: $[vuln.instanceId]
    category: $[vuln.severityString]
    description: $[vuln.category]
    file: $[vuln.primaryLocationFull]
    suppressed: $[vuln.isSuppressed]
    line: $[vuln.lineNumber]
    status: $[vuln.auditorStatus]
Default configuration files are placed into the /config
directory inside the Docker container. These should be moved to /default/config
to allow the default configuration files to be accessible if the /config
directory is bind-mounted to the host system.
See https://github.com/fortify/FortifyVulnerabilityExporter/blob/main/src/main/java/com/fortify/util/spring/boot/container/PopulateContainerDirs.java for details.
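As an added illustration of the start-up step described above (this is example code written for this page, not the project's PopulateContainerDirs class, and the directory names, the populate_dir/demo function names and the sample file contents are assumptions), the following Python keeps the shipped defaults outside the mount point and copies them into the bind-mounted directory only where the host has not already supplied a file of the same name. The check that matters for a practitioner is the skip on existing files: a user who bind-mounts a customized /config must never have that customization overwritten by the image's defaults.

```python
"""Populate a bind-mounted container directory from built-in defaults.

Added example; it is not the project's PopulateContainerDirs class. It
implements the layout described above: defaults are shipped outside the
mount point (/default/config) and copied into the mount point (/config) at
start-up, but only where the target does not already contain a file of the
same name, so a host directory bind-mounted over /config keeps the user's
own files and still receives the defaults it lacks.
"""
import shutil
import tempfile
from pathlib import Path


def populate_dir(default_dir, target_dir, overwrite=False):
    """Copy default files into target_dir; return (copied, skipped) as sorted relative paths."""
    default_dir, target_dir = Path(default_dir), Path(target_dir)
    copied, skipped = [], []
    if not default_dir.is_dir():
        return copied, skipped                      # nothing shipped, nothing to do
    target_dir.mkdir(parents=True, exist_ok=True)
    for src in sorted(default_dir.rglob("*")):
        if src.is_symlink() or not src.is_file():   # ignore directories and symlinks in the defaults
            continue
        rel = src.relative_to(default_dir)
        dst = target_dir / rel
        if dst.exists() and not overwrite:          # never clobber a user-provided file
            skipped.append(str(rel))
            continue
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        copied.append(str(rel))
    return copied, skipped


def demo():
    """Constructed scenario: two shipped defaults, one already customized on the mount."""
    root = Path(tempfile.mkdtemp(prefix="fve-populate-"))
    defaults, mount = root / "default" / "config", root / "config"
    defaults.mkdir(parents=True)
    (defaults / "FoDToGitLab.yml").write_text("# constructed default config\n")
    (defaults / "SSCToGitHub.yml").write_text("# constructed default config\n")
    mount.mkdir()                                   # stands in for the host bind mount
    (mount / "SSCToGitHub.yml").write_text("# customized by the user\n")
    copied, skipped = populate_dir(defaults, mount)
    return {
        "copied": copied,
        "skipped": skipped,
        "custom_kept": (mount / "SSCToGitHub.yml").read_text().startswith("# customized"),
        "mount_files": sorted(p.name for p in mount.iterdir()),
    }


if __name__ == "__main__":
    print(demo())
```

Running the module prints the result of the constructed scenario: FoDToGitLab.yml is copied in, the user's SSCToGitHub.yml is left untouched, and both files are present on the mount afterwards.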
The Docker image for FortifyVulnerabilityExporter version 1.2.0 uses Java 1.8. Due to #16, running this Docker image fails with an exception.
The following warning is shown when running ./gradlew distThirdParty --warning-mode=all:
> Task :generateLicenseReport
The runtime configuration has been deprecated for resolution. This will fail with an error in Gradle 7.0. Please resolve the runtimeClasspath configuration instead. Consult the upgrading guide for further information: https://docs.gradle.org/6.8.3/userguide/upgrading_version_5.html#dependencies_should_no_longer_be_declared_using_the_compile_and_runtime_configurations
This is caused by this issue: jk1/Gradle-License-Report#161 (comment)
Once this has been fixed in the plugin, the plugin version should be updated in our build.gradle.
I am integrating trial.fortify.com and GitLab.
However, fortify-vulnerability-exporter is unable to generate a report for GitLab.
I was using this command: $ docker run --rm -v ./export:/export fortifydocker/fortify-vulnerability-exporter:latest FoDToGitLab --fod.baseUrl=https://trial.fortify.com --fod.tenant="" --fod.user="" --fod.password="" --fod.release.id="215288"
Error Logs:
02:48:48.286 [main] DEBUG com.fortify.util.spring.boot.container.PopulateContainerDirs - Populate container directories enabled:
true
02:48:48.292 [main] DEBUG com.fortify.util.spring.boot.container.PopulateContainerDirs - Checking whether container directories need to be initialized
02:48:48.306 [main] DEBUG com.fortify.util.spring.boot.container.PopulateContainerDirs - Target path /config is present: true
(Fortify Vulnerability Exporter ASCII-art banner, garbled in extraction)
2023-08-11 02:48:50.789 INFO 1 --- [ main] e.p.PluginConfigEnvironmentPostProcessor : Loaded 14 plugin configuration files
2023-08-11 02:48:50.811 INFO 1 --- [ main] c.f.v.FortifyVulnerabilityExporter : Starting FortifyVulnerabilityExporter v2.0.3 using Java 11.0.19 on 1f7a2ed7f237 with PID 1 (/app/classpath/FortifyVulnerabilityExporter-2.0.3-plain.jar started by root in /)
2023-08-11 02:48:50.813 INFO 1 --- [ main] c.f.v.FortifyVulnerabilityExporter : The following 1 profile is active: "default"
2023-08-11 02:48:53.459 INFO 1 --- [ main] c.f.v.FortifyVulnerabilityExporter : Using configuration file /config/FoDToGitLab.yml
2023-08-11 02:48:53.470 INFO 1 --- [ main] c.f.v.FortifyVulnerabilityExporter : Started FortifyVulnerabilityExporter in 4.394 seconds (JVM running for 5.791)
2023-08-11 02:48:57.862 INFO 1 --- [ main] c.f.c.fod.connection.FoDTokenFactory : [FoD] Obtained access token, expiring at Fri Aug 11 08:48:52 UTC 2023
2023-08-11 02:48:58.810 INFO 1 --- [ main] c.f.v.f.fod.FromFoDVulnerabilityLoader : Processing Application Release: springboot:production-2
2023-08-11 02:49:01.718 INFO 1 --- [ main] c.f.v.f.fod.FromFoDVulnerabilityLoader : Processed 3 of 3 vulnerabilities
2023-08-11 02:49:01.719 INFO 1 --- [ main] bstractToFileStreamVulnerabilityConsumer : Opening output: JsonOutputConfig(super=FileOutputConfig(mkdir=true, stdout=false, stderr=false, file=/export/gl-fortify-sast.json), encoding=UTF8, pretty=true)
java.lang.RuntimeException: Error closing vulnerability consumer
at com.fortify.vulnexport.spi.target.vuln.consumer.AbstractVulnerabilityConsumer.handleCloseException(AbstractVulnerabilityConsumer.java:98)
at com.fortify.vulnexport.spi.target.vuln.consumer.AbstractVulnerabilityConsumer.close(AbstractVulnerabilityConsumer.java:82)
at java.base/java.util.ArrayList.forEach(Unknown Source)
at com.fortify.vulnexport.api.vuln.consumer.CompositeVulnerabilityConsumer.close(CompositeVulnerabilityConsumer.java:55)
at java.base/java.util.ArrayList.forEach(Unknown Source)
at com.fortify.vulnexport.api.vuln.consumer.CompositeVulnerabilityConsumer.close(CompositeVulnerabilityConsumer.java:55)
at com.fortify.vulnexport.from.fod.FromFoDVulnerabilityLoader$_FromFoDVulnerabilityLoader.processVulnerabilities(FromFoDVulnerabilityLoader.java:160)
at com.fortify.util.rest.query.AbstractRestConnectionQuery$1.process(AbstractRestConnectionQuery.java:99)
at com.fortify.util.rest.query.JSONMapProcessorWithPreProcessorsAndPagingSupport.process(JSONMapProcessorWithPreProcessorsAndPagingSupport.java:79)
at com.fortify.util.rest.query.AbstractRestConnectionQuery.processSingleRequest(AbstractRestConnectionQuery.java:218)
at com.fortify.util.rest.query.AbstractRestConnectionQuery.processAll(AbstractRestConnectionQuery.java:200)
at com.fortify.util.rest.query.AbstractRestConnectionQuery.processAll(AbstractRestConnectionQuery.java:90)
at com.fortify.util.rest.query.AbstractRestConnectionQuery.processAll(AbstractRestConnectionQuery.java:95)
at com.fortify.vulnexport.from.fod.FromFoDVulnerabilityLoader$_FromFoDVulnerabilityLoader.run(FromFoDVulnerabilityLoader.java:106)
at com.fortify.vulnexport.from.fod.FromFoDVulnerabilityLoader.run(FromFoDVulnerabilityLoader.java:82)
at com.fortify.vulnexport.FortifyVulnerabilityExporterRunnerFactory.runActiveVulnerabilityLoader(FortifyVulnerabilityExporterRunnerFactory.java:91)
at com.fortify.util.spring.boot.scheduler.RunOrSchedule.runOnce(RunOrSchedule.java:76)
at com.fortify.util.spring.boot.scheduler.RunOrSchedule.run(RunOrSchedule.java:48)
at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:768)
at org.springframework.boot.SpringApplication.callRunners(SpringApplication.java:752)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:314)
at com.fortify.vulnexport.FortifyVulnerabilityExporter.main(FortifyVulnerabilityExporter.java:61)
Caused by: java.lang.RuntimeException: Error closing vulnerability consumer
at com.fortify.vulnexport.spi.target.vuln.consumer.AbstractVulnerabilityConsumer.handleCloseException(AbstractVulnerabilityConsumer.java:98)
at com.fortify.vulnexport.spi.target.vuln.consumer.AbstractVulnerabilityConsumer.close(AbstractVulnerabilityConsumer.java:82)
at com.fortify.vulnexport.spi.target.vuln.consumer.FilteringConsumer._close(FilteringConsumer.java:71)
at com.fortify.vulnexport.spi.target.vuln.consumer.AbstractVulnerabilityConsumer.close(AbstractVulnerabilityConsumer.java:80)
... 20 more
Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1021E: A problem occurred whilst attempting to access the property 'staticScanSummary': 'Error loading data for property staticScanSummary'
at org.springframework.expression.spel.ast.PropertyOrFieldReference.readProperty(PropertyOrFieldReference.java:209)
at org.springframework.expression.spel.ast.PropertyOrFieldReference.getValueInternal(PropertyOrFieldReference.java:104)
at org.springframework.expression.spel.ast.PropertyOrFieldReference.getValueInternal(PropertyOrFieldReference.java:91)
at org.springframework.expression.spel.ast.CompoundExpression.getValueRef(CompoundExpression.java:61)
at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:91)
at org.springframework.expression.spel.ast.Elvis.getValueInternal(Elvis.java:54)
at org.springframework.expression.spel.ast.FunctionReference.getArguments(FunctionReference.java:158)
at org.springframework.expression.spel.ast.FunctionReference.executeFunctionJLRMethod(FunctionReference.java:96)
at org.springframework.expression.spel.ast.FunctionReference.getValueInternal(FunctionReference.java:80)
at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:117)
at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:376)
at com.fortify.util.spring.expression.WrappedExpression.getValue(WrappedExpression.java:131)
at com.fortify.util.spring.expression.helper.AbstractExpressionHelper.evaluateExpression(AbstractExpressionHelper.java:156)
at com.fortify.util.spring.expression.helper.AbstractExpressionHelper.evaluateTemplateExpression(AbstractExpressionHelper.java:166)
at com.fortify.util.spring.expression.TemplateExpressionMap.evaluateExpression(TemplateExpressionMap.java:44)
at com.fortify.util.spring.expression.AbstractExpressionMapEvaluator.lambda$evaluate$0(AbstractExpressionMapEvaluator.java:47)
at com.fortify.util.spring.expression.AbstractExpressionMapEvaluator.evaluate(AbstractExpressionMapEvaluator.java:52)
at com.fortify.vulnexport.to.json.vuln.formatter.JsonFormatter.write(JsonFormatter.java:131)
at com.fortify.vulnexport.to.json.vuln.formatter.JsonFormatter.write(JsonFormatter.java:105)
at com.fortify.vulnexport.to.json.ToJsonVulnerabilityConsumer.beforeClose(ToJsonVulnerabilityConsumer.java:65)
at com.fortify.vulnexport.spi.target.vuln.consumer.to.output.AbstractToOutputVulnerabilityConsumer._close(AbstractToOutputVulnerabilityConsumer.java:74)
at com.fortify.vulnexport.spi.target.vuln.consumer.AbstractVulnerabilityConsumer.close(AbstractVulnerabilityConsumer.java:80)
... 22 more
Caused by: java.lang.RuntimeException: Error loading data for property staticScanSummary
at com.fortify.util.rest.json.embed.StandardEmbedDefinition$OnErrorAction.fail(StandardEmbedDefinition.java:111)
at com.fortify.util.rest.json.embed.StandardEmbedDefinition$OnErrorAction.handle(StandardEmbedDefinition.java:106)
at com.fortify.util.rest.json.embed.StandardEmbedDefinition.getResultOnError(StandardEmbedDefinition.java:86)
at com.fortify.util.rest.json.preprocessor.enrich.JSONMapEnrichWithOnDemandRestData$JSONMapOnDemandLoaderRestData.getResult(JSONMapEnrichWithOnDemandRestData.java:61)
at com.fortify.util.rest.json.preprocessor.enrich.JSONMapEnrichWithOnDemandRestData$JSONMapOnDemandLoaderRestData.getOnDemand(JSONMapEnrichWithOnDemandRestData.java:53)
at com.fortify.util.rest.json.ondemand.AbstractJSONMapOnDemandLoaderWithConnection.getOnDemand(AbstractJSONMapOnDemandLoaderWithConnection.java:51)
at com.fortify.util.rest.json.ondemand.AbstractJSONMapOnDemandLoader.getAndStoreOnDemand(AbstractJSONMapOnDemandLoader.java:46)
at com.fortify.util.rest.json.JSONMap.getOnDemandValue(JSONMap.java:285)
at com.fortify.util.rest.json.JSONMap.get(JSONMap.java:130)
at com.fortify.util.spring.context.expression.MapAccessorIgnoreNonExistingProperties.read(MapAccessorIgnoreNonExistingProperties.java:50)
at org.springframework.expression.spel.ast.PropertyOrFieldReference.readProperty(PropertyOrFieldReference.java:204)
... 43 more
Caused by: java.lang.RuntimeException: Error accessing remote system https://api.trial.fortify.com: Not Found
at com.fortify.util.rest.connection.AbstractRestConnection.getUnsuccesfulResponseException(AbstractRestConnection.java:358)
at com.fortify.util.rest.connection.AbstractRestConnection.checkResponseAndGetOutput(AbstractRestConnection.java:322)
at com.fortify.util.rest.connection.AbstractRestConnection.executeRequest(AbstractRestConnection.java:224)
at com.fortify.util.rest.connection.AbstractRestConnection.executeRequestWithFinalizedWebTarget(AbstractRestConnection.java:186)
at com.fortify.client.fod.connection.FoDBasicRestConnection.executeRequestWithFinalizedWebTarget(FoDBasicRestConnection.java:76)
at com.fortify.util.rest.connection.AbstractRestConnection.executeRequest(AbstractRestConnection.java:167)
at com.fortify.util.rest.connection.AbstractRestConnection.executeRequest(AbstractRestConnection.java:152)
at com.fortify.util.rest.json.preprocessor.enrich.JSONMapEnrichWithOnDemandRestData$JSONMapOnDemandLoaderRestData.getResult(JSONMapEnrichWithOnDemandRestData.java:59)
... 50 more
Caused by: java.lang.Exception: Error accessing remote system https://api.trial.fortify.com: Not Found, response contents:... 58 more
Hi,
I am using the fortifydocker/fortify-ci-tools:latest which contains v1.5.5 FortifyVulnerabilityExporter.
Even though the CI logs seem fine and a GitLab artifact is successfully generated (gl-dast.json), I see the following issue in the security tab of the GitLab pipeline. It seems like the json file is not parsed successfully.
Here is the zip file containing the DAST artifact. Do let me know if you require more info.
Thanks
gl-dast-report.json.zip
An issue was opened recently (fortify/fortify-client-api#18) to request Fortify API client (6.1.2) upgrade to use log4j 2.17.1. The 6.1.2 Release of the Fortify API client leverages log4j 2.16.0. The latest version being recommended in Maven is 2.17.1, which was released on Dec. 27 to mitigate all variations of the log4j vulnerability. Fortify API client was upgraded and now utilizes log4j 2.17.1.
Can FortifyVulnerabilityExporter be upgraded to use Fortify API client 6.1.3?
When running on Java 11, the following warning is displayed in the output of FortifyVulnerabilityExporter: Warning: Nashorn engine is planned to be removed from a future JDK release.
This doesn't have any negative impact when running on Java 11, but if possible this should be fixed for cosmetic reasons and to avoid potential issues when running on later Java versions.
Since we don't have a configuration file for SSC to Azure DevOps, I was trying to use SSCToBitBucket and it retrieves the details as per our requirement. However, there are some details that we want to filter. Also, the security result is always set to passed even though the scan has security issues. Can you please provide a sample config to customize SSCToBitBucket.
We would like to filter the fields below:
1. logo_url
2. "type" : "NUMBER", "title" : "Critical (Overall)"
3. "report_type" : "SECURITY" - validate correctly
Is it possible to disable SSC callback URL links on displayed SCA findings within the GitLab dashboard via the Vulnerability Exporter container integration? They are trying to treat SSC as a black box and hope to keep users from clicking on SSC URL links and attempting to log in.
Due to a change in configuration file handling, the GitLab-specific instructions in the README.md file are no longer functional. GitLab seems to be passing sh to the Docker container, which was ignored by older versions of the image but FortifyVulnerabilityExporter version 1.5.0 tries to interpret this as a configuration file specification. As there is no configuration file named sh, FortifyVulnerabilityExporter will fail.
As a quick work-around, please try using the older version of the Docker image using the following image instruction in your .gitlab-ci.yml:
image: fortifydocker/fortify-vulnerability-exporter:v1.4.1
Alternatively, you can use FortifyToolsInstaller to install and run FortifyVulnerabilityExporter in any arbitrary container; see https://gitlab.com/Fortify/example-eightball/-/blob/master/.gitlab-ci.yml#L58 for an example.
In Fortify, some vulnerabilities have their lineNumber field set to 0, which is copied as-is to the SonarQube output. SonarQube however throws an error if the line number is 0. FortifyVulnerabilityExporter should set the line number to 1 in such cases, to prevent these SonarQube errors.
Opening issue on behalf of Nikola Aleksandrov [email protected] and ValueEdge ticket 11A1620012:
Hello team,
If we use the option "SSCToGitHub" the SARIF output is generated with the output file name as "gh-fortify-sast.sarif", this is fine and it is working as expected.
The Output file name is hard coded inside the file ".\config\SSCToGitHub.yml" like below:
...
sarif.output: ${export.dir}/gh-fortify-sast.sarif
...
Is there any way to parameterize the output file name?
The scenario will be like below:
PROJECTNAME="WebGoat"
Start loop for each VERSION in: "10, 20, 30, 40, 50"
Generate SARIF: java -jar FortifyVulnerabilityExporter.jar SSCToGitHub --ssc.baseUrl= --ssc.user= --ssc.password= --ssc.version.name="${PROJECTNAME}:${VERSION}"
Hint: the output file name should be generated with the name ${PROJECTNAME}_${VERSION}.sarif
End loop
After the loop, the below SARIF files should be created in the current folder.
WebGoat_10.sarif
WebGoat_20.sarif
WebGoat_30.sarif
WebGoat_40.sarif
WebGoat_50.sarif
is it possible?
In some cases, Fortify reports vulnerabilities on line number 0. The GitHub SARIF output simply copies this line number to the output, however this will result in errors like the following when importing the SARIF file into GitHub:
Error: Unable to upload "./gh-fortify-sast.sarif" as it is not valid SARIF:
- instance.runs[0].results[12].locations[0].physicalLocation.region.startLine must have a minimum value of 1
- instance.runs[0].results[12].locations[0].physicalLocation.region.endLine must have a minimum value of 1
To avoid this error, the utility should output 1 as the line number in such cases.
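The SonarQube issue earlier on this page and the GitHub SARIF issue just above share one root cause: a Fortify lineNumber of 0 copied verbatim into an output format whose minimum line is 1. As an added example (written for this page, not FortifyVulnerabilityExporter's own code; the function names and the constructed SARIF fragment are assumptions), the Python below does the post-processing step the issue asks for on a SARIF 2.1.0 log. It goes slightly beyond the two error messages quoted above: it clamps every region field the SARIF schema restricts to a minimum of 1 (startLine, endLine, startColumn, endColumn), and it walks result.relatedLocations and the locations nested inside codeFlows/threadFlows as well as result.locations, since those regions are validated by the same schema definition. A read-only checker is included so a pipeline can fail loudly before uploading rather than discover the problem in GitHub's error message.

```python
"""Normalize SARIF line numbers that Fortify reports as 0.

Added example: this is not FortifyVulnerabilityExporter's own code. It walks
every physicalLocation.region in a SARIF 2.1.0 log (result.locations,
result.relatedLocations and the locations inside codeFlows/threadFlows) and
raises any startLine/endLine/startColumn/endColumn below 1 to 1, the minimum
the SARIF schema allows, so the file passes GitHub's upload validation.
"""
import json

# Region fields whose schema minimum is 1.
_REGION_KEYS = ("startLine", "endLine", "startColumn", "endColumn")


def _region_of(location, path):
    """Yield (path, region) if this location object carries a physical region."""
    physical = location.get("physicalLocation")
    if isinstance(physical, dict) and isinstance(physical.get("region"), dict):
        yield f"{path}.physicalLocation.region", physical["region"]


def _walk_regions(sarif):
    """Yield (json_path, region_dict) for every region in every result of every run."""
    for r, run in enumerate(sarif.get("runs", [])):
        for i, result in enumerate(run.get("results", [])):
            base = f"runs[{r}].results[{i}]"
            for key in ("locations", "relatedLocations"):
                for j, loc in enumerate(result.get(key, [])):
                    yield from _region_of(loc, f"{base}.{key}[{j}]")
            for c, flow in enumerate(result.get("codeFlows", [])):
                for t, thread in enumerate(flow.get("threadFlows", [])):
                    for k, step in enumerate(thread.get("locations", [])):
                        loc = step.get("location")
                        if isinstance(loc, dict):
                            yield from _region_of(
                                loc, f"{base}.codeFlows[{c}].threadFlows[{t}].locations[{k}].location")


def find_invalid_lines(sarif):
    """Return json paths of region fields that are < 1, without modifying the log."""
    return [f"{path}.{key}"
            for path, region in _walk_regions(sarif)
            for key in _REGION_KEYS
            if isinstance(region.get(key), int) and region[key] < 1]


def normalize_sarif_lines(sarif):
    """Clamp offending region fields to 1 in place; return a description of each fix."""
    fixes = []
    for path, region in _walk_regions(sarif):
        for key in _REGION_KEYS:
            value = region.get(key)
            if isinstance(value, int) and value < 1:
                fixes.append(f"{path}.{key}: {value} -> 1")
                region[key] = 1
    return fixes


def load_sample():
    """Constructed SARIF fragment (not a real Fortify export) with line-0 regions."""
    return json.loads(json.dumps({
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "Fortify (constructed sample)"}},
            "results": [{
                "ruleId": "sample-rule",
                "message": {"text": "constructed finding"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "src/Example.java"},
                    "region": {"startLine": 0, "endLine": 0}}}],
                "codeFlows": [{"threadFlows": [{"locations": [
                    {"location": {"physicalLocation": {
                        "artifactLocation": {"uri": "src/Example.java"},
                        "region": {"startLine": 0}}}},
                    {"location": {"physicalLocation": {
                        "artifactLocation": {"uri": "src/Example.java"},
                        "region": {"startLine": 42, "endLine": 42}}}},
                ]}]}],
            }],
        }],
    }))


if __name__ == "__main__":
    doc = load_sample()
    print("invalid before:", find_invalid_lines(doc))
    for fix in normalize_sarif_lines(doc):
        print("fixed", fix)
    print("invalid after:", find_invalid_lines(doc))
```

Clamping to 1 keeps the finding visible in the target system but loses the fact that Fortify had no line information; if that distinction matters, record the original value (the returned fix list) in the pipeline log rather than dropping it.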
Both the --fod.release.name and --fod.release.regex command line options seem to result in an Internal Server Error on FoD, possibly due to the utility sending an invalid request. This behavior has been observed with both version 1.1.3 and the latest development version. Until this gets fixed, users will need to use the --fod.release.id command line option.
Caused by: java.lang.NullPointerException
at com.fortify.vulnexport.spi.target.vuln.consumer.to.file.stream.MultiOutputStreamFactory$MultiOutputStream.createFileOutputStream(MultiOutputStreamFactory.java:88)
at com.fortify.vulnexport.spi.target.vuln.consumer.to.file.stream.MultiOutputStreamFactory$MultiOutputStream.<init>(MultiOutputStreamFactory.java:79)
at com.fortify.vulnexport.spi.target.vuln.consumer.to.file.stream.MultiOutputStreamFactory.createOutputStream(MultiOutputStreamFactory.java:53)
It seems like file.getParentFile()
at
See fortify/github-action#15 for background information; FVE silently ignores unknown command-line arguments, which can lead to unexpected behavior.
For example, if a user or some integration omits quotes around the application version/release name, like in --fod.release.name=App with space:rel1, FortifyVulnerabilityExporter will see --fod.release.name=App and ignore with space:rel1. Effectively, instead of processing this single release, FVE will process all releases for all applications containing App (case-insensitive) in the application name, due to a combination of FVE behavior (allowing for processing all releases for a given app if only the app name is specified) and FoD behavior (FoD performing case-insensitive 'contains' matching instead of exact matching).
Unfortunately, there is no explicit list of supported command-line arguments, as each CLI argument basically represents an arbitrary property name that may or may not be used by a particular configuration. However, potentially we can check whether the CLI arguments adhere to the format as described at https://github.com/fortify/FortifyVulnerabilityExporter/blob/main/USAGE.md#generic-usage, i.e., the first argument should be the name/path of a configuration file, and all remaining options should be in the format --prop.name=value. In the example above, with space:rel1 doesn't match the expected --prop.name=value format, and thus FVE could throw an error.
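The format check proposed above, as an added example written for this page (not FortifyVulnerabilityExporter's own argument handling; the parse_args/validate_command_line names, the property-name pattern and the sample command lines are assumptions): the first argument is taken as the configuration name/path, every later argument must match --prop.name=value, and anything else is collected as an error instead of being dropped. The two sample invocations reproduce the case described in the issue, once with the release name quoted and once without, so the leftover words "with" and "space:rel1" show up as rejected arguments.

```python
"""Validate an FVE-style command line instead of silently ignoring stray arguments.

Added example, not FortifyVulnerabilityExporter code. It applies the rule
proposed above: argv[0] names a configuration file, and every later argument
must have the form --prop.name=value. A shell that was handed an unquoted
value containing spaces splits it into several words, so the leftover words
(here "with" and "space:rel1") fail the check and are reported rather than
dropped.
"""
import re
import shlex

# Dotted property names as used in FVE configs and on its command line, e.g. fod.release.name.
# The allowed character set is an assumption; widen it if a config uses other characters.
_OPTION_RE = re.compile(
    r"^--(?P<name>[A-Za-z0-9_\-]+(?:\.[A-Za-z0-9_\-]+)*)=(?P<value>.*)$", re.DOTALL)


def parse_args(argv):
    """Return (config, options, errors); errors is empty when every argument is well-formed."""
    if not argv:
        return None, {}, ["missing configuration file name/path as first argument"]
    config, options, errors = argv[0], {}, []
    if config.startswith("--"):
        errors.append(f"first argument must be a configuration name/path, got option {config!r}")
    for arg in argv[1:]:
        match = _OPTION_RE.match(arg)
        if match is None:
            errors.append(f"argument {arg!r} does not match --prop.name=value "
                          "(value with spaces not quoted?)")
            continue
        options[match.group("name")] = match.group("value")  # last occurrence wins
    return config, options, errors


def validate_command_line(line):
    """Split `line` the way a POSIX shell would, then validate the resulting argv."""
    return parse_args(shlex.split(line))


if __name__ == "__main__":
    for line in (
        # quoted correctly: one argument, one release
        "FoDToGitHub --fod.release.name='App with space:rel1' --fod.tenant=",
        # quotes omitted: the shell splits the value into three words
        "FoDToGitHub --fod.release.name=App with space:rel1",
    ):
        config, options, errors = validate_command_line(line)
        print(line)
        print("  config :", config)
        print("  options:", options)
        print("  errors :", errors)
```

Note that an empty value such as --fod.tenant= still matches, which is what the docker invocation earlier on this page relies on; the check only rejects words that carry no --name= prefix at all.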
The fix for #11 apparently causes issues with the Nashorn engine on Java 8, causing the following exception message:
HV000232: No JSR 223 script engine found for language "javascript"
Hi there, so I'm able to generate the export in my terminal and I'm hoping to export that data into a .json or .csv. My question is that I saw that the code showing the vulnerability isn't included. I wanted to ask how does one include that code in the report. I am doing SSCToJsonRaw/SSCToJsonCustom/SSCToCSV as additional context. Thank you!
I have a local installation of the Fortify SCA software installed in a GitHub Action container and am able to run a scan and get a resulting *.fpr file that is stored within that container. I need to upload the vulnerabilities found in that fpr file to GitHub Security but I do not have access to an SSC server. How would I go about accomplishing this task?
Although support for generating BitBucket reports has been added some time ago, there is no mention of this feature in the documentation. For now, please see the following resources for more information:
What am I missing?
I have tried ssc.Authtoken as well without success.
Gitlab yml
export/fortify:
  stage: .pre
  image: fortifydocker/fortify-vulnerability-exporter:latest
  variables:
    export_config: /config/SSCToGitLabSAST.yml
    ssc_baseUrl: $FORITY_URL
    ssc_user: $FORTIFY_USER
    ssc_password: $FORTIFY_PWD
    ssc_version_id: $FORTIFY_VID
  script:
    - echo Script entry is required but not used
  #when: manual
  allow_failure: false
  artifacts:
    reports:
      sast: gl-fortify-sast.json
Gitlab log:
12:57:14.591 [main] DEBUG com.fortify.util.spring.boot.container.PopulateContainerDirs - Populate container directories enabled: true
12:57:14.595 [main] DEBUG com.fortify.util.spring.boot.container.PopulateContainerDirs - Checking whether container directories need to be initialized
______ _ _ __
| ____| | | (_)/ _|
| |__ ___ _ __| |_ _| |_ _ _
| __/ _ \| '__| __| | _| | | |
| | | (_) | | | |_| | | | |_| |
|_| \___/|_| \__|_|_| \__, |
__ __ _ __/ | _ _ _ _ _
\ \ / / | | |___/ | | (_) (_) |
\ \ / / _| |_ __ ___ _ __ __ _| |__ _| |_| |_ _ _
\ \/ / | | | | '_ \ / _ \ '__/ _` | '_ \| | | | __| | | |
\ /| |_| | | | | | __/ | | (_| | |_) | | | | |_| |_| |
\/ \__,_|_|_| |_|\___|_| \__,_|_.__/|_|_|_|\__|\__, |
______ _ __/ |
| ____| | | |___/
| |__ __ ___ __ ___ _ __| |_ ___ _ __
| __| \ \/ / '_ \ / _ \| '__| __/ _ \ '__|
| |____ > <| |_) | (_) | | | || __/ |
|______/_/\_\ .__/ \___/|_| \__\___|_|
| |
|_|
2021-04-13 12:57:17.578 INFO 1 --- [ main] e.p.PluginConfigEnvironmentPostProcessor : Loaded 11 plugin configuration files
2021-04-13 12:57:17.700 INFO 1 --- [ main] c.f.v.FortifyVulnerabilityExporter : Starting FortifyVulnerabilityExporter v1.2.0 using Java 1.8.0_275 on runner-estzx7bj-project-11312-concurrent-0 with PID 1 (/app/classpath/FortifyVulnerabilityExporter-1.2.0.jar started by root in /)
2021-04-13 12:57:17.711 INFO 1 --- [ main] c.f.v.FortifyVulnerabilityExporter : The following profiles are active: default,ssc
2021-04-13 12:57:22.344 INFO 1 --- [ main] c.f.v.FortifyVulnerabilityExporter : Started FortifyVulnerabilityExporter in 7.083 seconds (JVM running for 8.306)
2021-04-13 12:57:23.454 ERROR 1 --- [ main] o.s.boot.SpringApplication : Application run failed
java.lang.IllegalStateException: Failed to execute CommandLineRunner
at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:807) ~[spring-boot-2.4.3.jar:2.4.3]
at org.springframework.boot.SpringApplication.callRunners(SpringApplication.java:788) ~[spring-boot-2.4.3.jar:2.4.3]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:333) ~[spring-boot-2.4.3.jar:2.4.3]
at com.fortify.vulnexport.FortifyVulnerabilityExporter.main(FortifyVulnerabilityExporter.java:39) [FortifyVulnerabilityExporter-1.2.0.jar:1.2.0]
Caused by: javax.validation.ConstraintDeclarationException: HV000170: No JSR-223 scripting engine could be bootstrapped for language "javascript".
at org.hibernate.validator.internal.constraintvalidators.hv.AbstractScriptAssertValidator.initialize(AbstractScriptAssertValidator.java:42) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
at org.hibernate.validator.internal.constraintvalidators.hv.ScriptAssertValidator.initialize(ScriptAssertValidator.java:38) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
at org.hibernate.validator.internal.engine.constraintvalidation.AbstractConstraintValidatorManagerImpl.initializeValidator(AbstractConstraintValidatorManagerImpl.java:140) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
at org.hibernate.validator.internal.engine.constraintvalidation.AbstractConstraintValidatorManagerImpl.createAndInitializeValidator(AbstractConstraintValidatorManagerImpl.java:90) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
at org.hibernate.validator.internal.engine.constraintvalidation.ConstraintValidatorManagerImpl.getInitializedValidator(ConstraintValidatorManagerImpl.java:117) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
at org.hibernate.validator.internal.engine.constraintvalidation.ConstraintTree.getInitializedConstraintValidator(ConstraintTree.java:136) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
at org.hibernate.validator.internal.engine.constraintvalidation.SimpleConstraintTree.validateConstraints(SimpleConstraintTree.java:54) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
at org.hibernate.validator.internal.engine.constraintvalidation.ConstraintTree.validateConstraints(ConstraintTree.java:75) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
at org.hibernate.validator.internal.metadata.core.MetaConstraint.doValidateConstraint(MetaConstraint.java:130) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
at org.hibernate.validator.internal.metadata.core.MetaConstraint.validateConstraint(MetaConstraint.java:123) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
at org.hibernate.validator.internal.engine.ValidatorImpl.validateMetaConstraint(ValidatorImpl.java:555) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
at org.hibernate.validator.internal.engine.ValidatorImpl.validateConstraintsForSingleDefaultGroupElement(ValidatorImpl.java:518) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
at org.hibernate.validator.internal.engine.ValidatorImpl.validateConstraintsForDefaultGroup(ValidatorImpl.java:488) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
at org.hibernate.validator.internal.engine.ValidatorImpl.validateConstraintsForCurrentGroup(ValidatorImpl.java:450) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
at org.hibernate.validator.internal.engine.ValidatorImpl.validateInContext(ValidatorImpl.java:400) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
at org.hibernate.validator.internal.engine.ValidatorImpl.validateCascadedAnnotatedObjectForCurrentGroup(ValidatorImpl.java:629) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
at org.hibernate.validator.internal.engine.ValidatorImpl.validateCascadedConstraints(ValidatorImpl.java:590) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
at org.hibernate.validator.internal.engine.ValidatorImpl.validateInContext(ValidatorImpl.java:409) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
at org.hibernate.validator.internal.engine.ValidatorImpl.validate(ValidatorImpl.java:172) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
at org.springframework.validation.beanvalidation.SpringValidatorAdapter.validate(SpringValidatorAdapter.java:358) ~[spring-context-5.3.4.jar:5.3.4]
at com.fortify.util.config.loader.StandardConfigLoader.validateConfig(StandardConfigLoader.java:69) ~[FortifyVulnerabilityExporter-api.jar:na]
at com.fortify.util.config.loader.StandardConfigLoader.loadConfig(StandardConfigLoader.java:63) ~[FortifyVulnerabilityExporter-api.jar:na]
at com.fortify.util.config.loader.AbstractConfigLoader.loadConfig(AbstractConfigLoader.java:62) ~[FortifyVulnerabilityExporter-api.jar:na]
at com.fortify.vulnexport.spi.source.vuln.loader.AbstractVulnerabilityLoaderFactory.createConfig(AbstractVulnerabilityLoaderFactory.java:59) ~[FortifyVulnerabilityExporter-spi-from.jar:na]
at com.fortify.vulnexport.spi.source.vuln.loader.AbstractVulnerabilityLoaderFactory.createVulnerabilityLoader(AbstractVulnerabilityLoaderFactory.java:51) ~[FortifyVulnerabilityExporter-spi-from.jar:na]
at com.fortify.vulnexport.api.vuln.loader.active.ActiveVulnerabilityLoaderFactory.lambda$createVulnerabilityLoader$0(ActiveVulnerabilityLoaderFactory.java:59) ~[FortifyVulnerabilityExporter-api.jar:na]
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) ~[na:1.8.0_275]
at java.util.Iterator.forEachRemaining(Iterator.java:116) ~[na:1.8.0_275]
at java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1801) ~[na:1.8.0_275]
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482) ~[na:1.8.0_275]
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472) ~[na:1.8.0_275]
at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) ~[na:1.8.0_275]
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[na:1.8.0_275]
at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:566) ~[na:1.8.0_275]
at com.fortify.vulnexport.api.vuln.loader.active.ActiveVulnerabilityLoaderFactory.createVulnerabilityLoader(ActiveVulnerabilityLoaderFactory.java:61) ~[FortifyVulnerabilityExporter-api.jar:na]
at com.fortify.vulnexport.FortifyVulnerabilityExporterRunnerFactory.runActiveVulnerabilityLoader(FortifyVulnerabilityExporterRunnerFactory.java:65) ~[FortifyVulnerabilityExporter-1.2.0.jar:1.2.0]
at com.fortify.util.spring.boot.scheduler.RunOrSchedule.runOnce(RunOrSchedule.java:55) ~[FortifyVulnerabilityExporter-1.2.0.jar:1.2.0]
at com.fortify.util.spring.boot.scheduler.RunOrSchedule.run(RunOrSchedule.java:34) ~[FortifyVulnerabilityExporter-1.2.0.jar:1.2.0]
at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:804) ~[spring-boot-2.4.3.jar:2.4.3]
... 3 common frames omitted
Caused by: org.hibernate.validator.spi.scripting.ScriptEvaluatorNotFoundException: HV000232: No JSR 223 script engine found for language "javascript".
at org.hibernate.validator.internal.engine.scripting.DefaultScriptEvaluatorFactory.createNewScriptEvaluator(DefaultScriptEvaluatorFactory.java:66) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
at java.util.concurrent.ConcurrentHashMap.computeIfAbsent(ConcurrentHashMap.java:1660) ~[na:1.8.0_275]
at org.hibernate.validator.spi.scripting.AbstractCachingScriptEvaluatorFactory.getScriptEvaluatorByLanguageName(AbstractCachingScriptEvaluatorFactory.java:41) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
at org.hibernate.validator.internal.engine.constraintvalidation.HibernateConstraintValidatorInitializationContextImpl.getScriptEvaluatorForLanguage(HibernateConstraintValidatorInitializationContextImpl.java:50) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
at org.hibernate.validator.internal.constraintvalidators.hv.AbstractScriptAssertValidator.initialize(AbstractScriptAssertValidator.java:38) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
... 41 common frames omitted
I am working on a custom config where low priority vulnerabilities will only be exported if they are in the OWASP top 10.
So far I have found a way to filter for one at a time in the top 10 using the following filterParam:
filterParam: EXTERNALLIST[3C6ECB67-BBD9-4259-A8DB-B49328927248]:11130
This returns all vulnerabilities that are A1 Injection or, in other words, the top 1 in the OWASP top 10. Then referencing 11131 would give you A2 and so on.
It seems like filtering for all 10 in the top 10 should be possible; my knowledge of SpEL just isn't there, so most of the different configurations of that parameter I've tried haven't been successful. So if you could point me in the right direction, I'd appreciate it.
When using FortifyVulnerabilityExporter with tools that allow import of SCA findings from SSC/FoD, allow Debricked information to be exported as well as Sonatype.
Was wondering if there's any plans to also include Backstage integration? It would be great to have a Backstage plugin similar to the one Snyk created: https://github.com/snyk-tech-services/backstage-plugin-snyk where scan results can be posted to Backstage, providing developers a single-pane-of-glass view into a component.
Backstage: https://backstage.io/docs/overview/what-is-backstage is soon becoming the new Internal Developer Portal standard.