Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/coveros-archive/fortify-to-sonarqube

Node.js app and Docker image to convert Fortify SCA CSV output to SonarQube Generic Issue JSON
https://github.com/coveros-archive/fortify-to-sonarqube

Last synced: about 1 month ago
JSON representation

Node.js app and Docker image to convert Fortify SCA CSV output to SonarQube Generic Issue JSON

Awesome Lists containing this project

README 

        
# Fortify to SonarQube



Node.js app as Docker image to convert Fortify SCA CSV output to SonarQube Generic Issue JSON. 



### Distributable Docker Image



Available as the Docker image `coveros/fortify-to-sonarqube`: https://hub.docker.com/r/coveros/fortify-to-sonarqube



```

$ docker pull coveros/fortify-to-sonarqube

```



### Transform Fortify CSV to SonarQube JSON



Mount the host directory containing the input file and the output file destination. By default, the application

expects the input file to be `/app/date/input.csv`, and will output to `/app/data/output.json`. 



To use these default settings, place the input file at `/host/path/to/files/input.csv` on your machine, and run the

following command:



```

$ docker run --rm -v /host/path/to/files:/app/data coveros/fortify-to-sonarqube

```



The JSON output will be availabe at `/host/path/to/files/output.json`



To specify the names of the input and output files, execute the `transform` command, defining one or

both as input arguments. For example, if you have an input file `/host/path/to/files/custom-input-name.csv` and you would

like to generate `/host/path/to/files/custom-output-name.json`, run the following command:



```

$ docker run --rm -v /host/path/to/files:/app/data coveros/fortify-to-sonarqube transform -i /app/data/custom-input-name.csv -o /app/data/custom-output-name.json

```



### Use in Jenkins Pipeline



Before converting the Fortify CSV input into the output required for the SonarQube Generic Webhook, you first need to

perform the Fortify SCA scan and convert the output to csv using `FPRUtility`.



```

docker.image().inside() {

  ...perform Fortify scan, generating .fpr file...

  sh "FPRUtility -information -listIssues -project path/to/fpr/output.fpr -outputFormat CSV -f path/to/fprcsv.csv"

}

```



By using `docker.image().inside()`, Jenkins will mount the workspace directory to the `fortify-to-sonarqube` container, 

and execute the commands from that location. Therefore, the file locations will be relative to the workspace. Set the

input file to the csv created in the prior step.



```

docker.image('coveros/fortify-to-sonarqube:latest').inside() {

  sh 'transform -i path/to/fprcsv.csv -o path/to/output.json'

}

```



Upload the transformed output as a SonarQube External Issues Report: https://docs.sonarqube.org/latest/analysis/external-issues/



For example, when using Maven



```

mvn sonar:sonar -Dsonar.externalIssuesReportPaths=path/to/output.json

```



### Example Transformation



##### Fortify CSV 

```

sep=,

IID, category, path, analyzer

1, Dead Code: Unused Field, src/main/java/com/api/helloWorld/HelloWorld.java:41, structural

```



##### SonarQube Generic Issue JSON



```

{

  "issues": [

    {

      "engineId": "fortify",

      "ruleId": "1",

      "primaryLocation": {

        "message": "Dead Code: Unused Field",

        "filePath": "src/main/java/com/api/helloWorld/HelloWorld.java",

        "textRange": {

          "startLine": 41

        }

      },

      "type": "VULNERABILITY",

      "severity": "INFO",

      "effortMinutes": 0

    }

  ]

}

```



### From Source



#### Build



To compile the Typescript source into distributable Javascript



```

$ npm run tsc

```



Compiled Javascript located in the `dist` directory 



#### Test



Application uses Jest for unit testing



```

$ npm run test

```



#### Lint



Application uses TSLint for code quality analysis



```

$ npm run lint 

```



#### Run



Run the application, specifying the input file and output file location



```

$ npm run start -- -i /path/to/input.csv -o /path/to/output.json

```



or...



```

$ node dist/index.js -i /path/to/input.csv -o /path/to/output.json

```



For example



```

$ npm run start -- -i ./test/testinput.csv -o ./test/testoutput.json

```



#### Build Docker Image



To build the docker image `coveros/fortify-to-sonarqube:latest`



```

$ docker build -t coveros/fortify-to-sonarqube:latest .

```