Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your software supply chain. As the sole Code Security solution with over two decades of expertise and acknowledged as a market leader by all major analysts, Fortify delivers the most adaptable, precise, and scalable AppSec platform available, supporting the breadth of tech you use and integrated into your preferred toolchain. We firmly believe that your great code demands great security, and with Fortify, go beyond 'check the box' security to achieve that.
This Fortify SSC parser plugin allows for importing scan results from Clair (Vulnerability Static Analysis for Containers).
Clair itself doesn't provide any file-based reports; as such, this parser plugin parses files containing JSON produced by the Clair 2.x `/v1/layers/{layerId}?features&vulnerabilities` REST API call.
These sections describe how to install, upgrade and uninstall the parser plugin in SSC.
- Obtain the plugin binary jar file; either:
  - Download from the repository release page: https://github.com/fortify/fortify-ssc-parser-clair-rest/releases
  - Build the plugin from source: https://github.com/fortify/fortify-ssc-parser-clair-rest/blob/main/CONTRIBUTING.md
- If you already have another version of the plugin installed, first uninstall the previously installed version of the plugin by following the steps under Uninstall below
- In Fortify Software Security Center:
  - Navigate to Administration->Plugins->Parsers
  - Click the `NEW` button
  - Accept the warning
  - Upload the plugin jar file
  - Enable the plugin by clicking the `ENABLE` button
- In Fortify Software Security Center:
  - Navigate to Administration->Plugins->Parsers
  - Select the parser plugin that you want to uninstall
  - Click the `DISABLE` button
  - Click the `REMOVE` button
- Have Clair perform a scan of your container image
  - For example, using some Clair command line client like Yair
  - Or through container registry integration
- Determine the bottom layer id of the container image that was scanned
  - For example, by inspecting the image manifest
- Invoke the Clair `/v1/layers/{layerId}?features&vulnerabilities` REST endpoint
  - Replace `{layerId}` with the bottom layer id identified in the previous step
  - Save the results in a file with the `.json` extension
  - See https://coreos.com/clair/docs/latest/api_v1.html#get-layersname for more information about this API endpoint
  - According to the documentation, this REST endpoint returns all vulnerabilities for both the given layer and all upper layers
The following steps were used to generate the `sampleData/node_10.14.2-jessie.clair.rest.json` file:
- Use Yair to scan the `node:10.14.2-jessie` image
  - See https://github.com/fortify-ps/fortify-ssc-parser-clair-yair#obtain-results for an example of how to set up Clair and run a scan with Yair
- Use the following command to determine the bottom layer id:
  ```bash
  layerId=$(docker manifest inspect -v node:10.14.2-jessie | jq -r '.[0]["SchemaV2Manifest"]["layers"][-1]["digest"]')
  ```
  - This command requires Docker experimental mode to be enabled
  - Requires `jq` to be installed
  - Other images may require a slightly different approach, depending on manifest version
  - Potentially there are better ways of obtaining this information
- Use the following command to invoke the Clair REST API endpoint and save the results:
  ```bash
  curl -X GET "http://localhost:6060/v1/layers/${layerId}?features&vulnerabilities" -o node_10.14.2-jessie.clair.rest.json
  ```
Results can be uploaded through the SSC web interface, REST API, or SSC client utilities like FortifyClient or fcli. The SSC web interface, FortifyClient and most other Fortify clients require the raw results to be packaged into a zip-file; REST API and fcli allow for uploading raw results directly.
To upload results through the SSC web interface or most clients:
- Create a `scan.info` file containing a single line as follows:
  ```
  engineType=CLAIR_REST_V1
  ```
- Create a zip file containing the following:
  - The `scan.info` file generated in the previous step
  - The raw results file as obtained from the target system (see the Obtain results section above)
- Upload the zip file generated in the previous step to SSC
  - Using any SSC client, for example FortifyClient or the Maven plugin
  - Or using the SSC web interface
    - Similar to how you would upload an FPR file
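As an added example (not code from the plugin or from this page), the following Python script covers the two steps above that are easy to get wrong: it sanity-checks a saved Clair `/v1/layers/{layerId}?features&vulnerabilities` response before upload and then packages it with a `scan.info` file set to `engineType=CLAIR_REST_V1`, as the SSC web interface and FortifyClient require. The JSON shape (`Layer` -> `Features` -> `Vulnerabilities`) is assumed from Clair's v1 API documentation, and the embedded sample response is constructed.

```python
import io
import json
import zipfile

ENGINE_TYPE = "CLAIR_REST_V1"  # engine type expected by this parser plugin

# Constructed sample of a Clair 2.x /v1/layers/{layerId}?features&vulnerabilities
# response; the shape follows Clair's v1 API docs and is an assumption, not page data.
SAMPLE_CLAIR_JSON = json.dumps({
    "Layer": {
        "Name": "sha256:0000placeholder",  # placeholder layer digest
        "NamespaceName": "debian:8",
        "Features": [
            {"Name": "openssl", "Version": "1.0.1t-1+deb8u8",
             "Vulnerabilities": [{"Name": "CVE-0000-0001", "Severity": "High",
                                  "FixedBy": "1.0.1t-1+deb8u9"}]},  # placeholder CVE id
            {"Name": "zlib", "Version": "1:1.2.8.dfsg-2+b1"},
        ],
    }
})

def summarize_clair_json(raw_json):
    """Return (feature_count, vulnerability_count) for a raw Clair result.

    Raises ValueError if it is not a /v1/layers response, which usually means
    the wrong layer id was used or an error body was saved instead of results."""
    doc = json.loads(raw_json)
    layer = doc.get("Layer")
    if not isinstance(layer, dict):
        raise ValueError("not a Clair v1 layer response (missing 'Layer')")
    features = layer.get("Features") or []
    vulns = sum(len(f.get("Vulnerabilities") or []) for f in features)
    return len(features), vulns

def build_ssc_upload_zip(raw_json, results_filename):
    """Package raw results plus scan.info into the zip SSC clients expect."""
    if not results_filename.endswith(".json"):
        raise ValueError("raw results file must have the .json extension")
    summarize_clair_json(raw_json)  # fail early instead of uploading garbage
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("scan.info", "engineType=%s\n" % ENGINE_TYPE)
        zf.writestr(results_filename, raw_json)
    return buf.getvalue()

def read_ssc_upload_zip(zip_bytes):
    """Return (sorted member names, scan.info text) of a package, for verification."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return sorted(zf.namelist()), zf.read("scan.info").decode()
```

Write the bytes returned by `build_ssc_upload_zip` to a `.zip` file and upload it the same way you would an FPR.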
Both SSC REST API and fcli provide options for specifying the engine type directly, and as such it is not necessary to package the raw results into a zip-file with accompanying scan.info file. For example, fcli allows for uploading raw scan results using a command like the following:
```bash
fcli ssc artifact upload -f <raw-results-file> --appversion MyApp:MyVersion --engine-type CLAIR_REST_V1
```
This document was auto-generated from USAGE.template.md; do not edit by hand