Comments (3)
Okay, I got a clean export to GitLab SAST JSON by creating our own image that calls the Custom Docker Image process explained above. Next I will try to get Sonar to work.
from fortifyvulnerabilityexporter.
At the moment, FortifyVulnerabilityExporter doesn't provide any functionality to configure which certificates are to be trusted. Usually you would just add the certificate to the cacerts file of your JRE, but this is a bit more complicated with a Docker image.
We could potentially add configuration options to FortifyVulnerabilityExporter to handle situations like these, like specifying the path to a certificate to be trusted, or options to disable certificate checks (which would not be recommended for a production environment). It may take some time though for us to implement such configuration options, if at all.
Possibly one of the ideas listed below is sufficient to handle self-signed certificates and custom/proprietary root certificates. Please let us know whether any of the options below work for you; we can then add this information to the documentation.
System Properties
Set the following environment variable while running the fortifydocker/fortify-vulnerability-exporter image:
JAVA_OPTS=-Djavax.net.ssl.trustStore=/path/to/alternative/cacerts -Djavax.net.ssl.trustStorePassword=changeit
The trust store at /path/to/alternative/cacerts should of course contain your self-signed certificate or proprietary root certificate. For example, this could point to a cacerts file in your GitLab workspace or a standard cacerts file on your GitLab Runner.
Custom Docker Image
This option is similar to the traditional method of adding a custom certificate to the cacerts file used by the JRE in the Docker image. You will need to build a custom Docker image and reference this custom image in your pipelines rather than the standard fortifydocker/fortify-vulnerability-exporter image.
Following is an example Dockerfile; your mycert.cer needs to be located in the same directory as your Dockerfile when building the image:
FROM fortifydocker/fortify-vulnerability-exporter:latest_rc
COPY mycert.cer /tmp/mycert.cer
RUN keytool -importcert -cacerts -storepass changeit -noprompt -alias mycert -file /tmp/mycert.cer
Note that this example only works for latest_rc and future releases; older versions require the full path to keytool to be specified and use the Java 8 keytool syntax.
Volume Mapping
I don't think this is applicable for a GitLab environment (unless you change your workflow to invoke docker manually to run the image), but you could use something like the following to override the cacerts file included with the Docker image:
docker run -v /path/to/host/cacerts:/opt/java/openjdk/lib/security/cacerts fortifydocker/fortify-vulnerability-exporter:latest_rc
Note that if the System properties option listed above works, I think that would be a much better option for specifying an alternative trust store at runtime. The System properties option can be used when you cannot customize volume mappings, and you don't need to know the location of the cacerts file in the Docker image.
from fortifyvulnerabilityexporter.
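As an added example (not from the thread above or the project's own documentation), the following Dockerfile generalises the Custom Docker Image option to a directory of certificates, for instance a proprietary root plus an intermediate, and lists each alias back after import so that a missing or malformed certificate fails the image build rather than surfacing later as a TLS handshake error in the pipeline. Like the comment above, it assumes keytool is on the PATH in the latest_rc image and that the default cacerts password is changeit; the certs/ directory name and the file-name-derived alias scheme are this example's own choices.

```dockerfile
# Added example, not the project's own Dockerfile: trust every certificate in a
# local certs/ directory. Assumes keytool is on PATH (latest_rc and later) and
# that the JRE's cacerts still uses the default password "changeit".
FROM fortifydocker/fortify-vulnerability-exporter:latest_rc

# certs/ must sit next to this Dockerfile and contain one certificate per file
# (e.g. certs/root.cer, certs/intermediate.cer). Certificates only, never keys.
COPY certs/ /tmp/certs/

# Import each file under an alias derived from its name, then list the alias
# back: "keytool -list" exits non-zero if the alias is absent, and "set -e"
# turns that (or a failed import, or an empty certs/ directory, where the glob
# stays literal and keytool cannot open it) into a failed build.
RUN set -e; \
    for f in /tmp/certs/*.cer; do \
        alias="$(basename "$f" .cer)"; \
        keytool -importcert -cacerts -storepass changeit -noprompt \
                -alias "$alias" -file "$f"; \
        keytool -list -cacerts -storepass changeit -alias "$alias" >/dev/null; \
    done; \
    rm -rf /tmp/certs
```

Build it with your own tag and reference that tag in the pipeline's image setting instead of fortifydocker/fortify-vulnerability-exporter, exactly as the comment describes. Keeping the import inside the image means the trust decision is reviewed once, in the Dockerfile, rather than depending on a cacerts file that happens to exist on whichever GitLab Runner picks up the job.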
Sorry, I missed your message and had to start working on high priority issues at work. I will get back on this.
from fortifyvulnerabilityexporter.