From b671ee6c7bf976f49aa402423911466d733b218e Mon Sep 17 00:00:00 2001 From: Ruud Senden Date: Mon, 13 Sep 2021 10:13:58 +0200 Subject: [PATCH 1/6] Add original Fortify on Demand workflow --- code-scanning/fortify-on-demand.yml | 92 +++++++++++++++++++ .../fortify-on-demand.properties.json | 7 ++ icons/fortify.svg | 1 + 3 files changed, 100 insertions(+) create mode 100644 code-scanning/fortify-on-demand.yml create mode 100644 code-scanning/properties/fortify-on-demand.properties.json create mode 100644 icons/fortify.svg diff --git a/code-scanning/fortify-on-demand.yml b/code-scanning/fortify-on-demand.yml new file mode 100644 index 0000000000..2baf56bc0d --- /dev/null +++ b/code-scanning/fortify-on-demand.yml 
@@ -0,0 +1,92 @@ +################################################################################################################################################ +# Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,# +# dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial # +# or contact our sales team, visit microfocus.com/appsecurity. # +# # +# Use this workflow template as a basis for integrating Fortify on Demand Static Application Security Testing(SAST) into your GitHub workflows.# +# This template demonstrates the steps to prepare the code+dependencies, initiate a scan, download results once complete and import into # +# GitHub Security Code Scanning Alerts. Existing customers should review inputs and environment variables below to configure scanning against # +# an existing application in your Fortify on Demand tenant. Additional information is available in the comments throughout the workflow, the # +# documentation for the Fortify actions used, and the Fortify on Demand / ScanCentral Client product documentation. If you need additional # +# assistance with configuration, feel free to create a help ticket in the Fortify on Demand portal. # +################################################################################################################################################ + +name: Fortify on Demand Scan + +# TODO: Customize trigger events based on your DevSecOps processes and typical FoD SAST scan time +on: + workflow_dispatch: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '24 18 * * 5' + +jobs: + FoD-SAST-Scan: + # Use the appropriate runner for building your source code. + # TODO: Use a Windows runner for .NET projects that use msbuild. 
Additional changes to RUN commands will be required to switch to Windows syntax. + runs-on: ubuntu-latest + + steps: + # Check out source code + - name: Check Out Source Code + uses: actions/checkout@v2 + + # Java 8 required by ScanCentral Client and FoD Uploader(Univeral CI Tool) + - name: Setup Java + uses: actions/setup-java@v1 + with: + java-version: 1.8 + + # Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml. + # TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints: + # ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle). + # ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner. + # ScanCentral has additional options that should be set for PHP and Python projects + # For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation. + # ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/ + - name: Download Fortify ScanCentral Client + uses: fortify/gha-setup-scancentral-client@v1 + - name: Package Code + Dependencies + run: scancentral package $PACKAGE_OPTS -o package.zip + env: + PACKAGE_OPTS: "-bt mvn" + + # Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java + # TODO: Update ENV variables for your application and create the necessary GitHub Secrets. Helpful hints: + # Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used). + # Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal. 
+ - name: Download Fortify on Demand Universal CI Tool + uses: fortify/gha-setup-fod-uploader@v1 + - name: Perform SAST Scan + run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES" + env: + FOD_TENANT: ${{ secrets.FOD_TENANT }} + FOD_USER: ${{ secrets.FOD_USER }} + FOD_PAT: ${{ secrets.FOD_PAT }} + FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }} + FOD_URL: "https://ams.fortify.com/" + FOD_API_URL: "https://api.ams.fortify.com/" + FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf" + FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})' + + # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output. + # TODO: Review Action inputs. For most users, these will be the same as used in the Perform SAST Scan step. + - name: Download Results + uses: fortify/gha-fod-generate-sarif@1.1.0 + with: + base-url: https://ams.fortify.com + tenant: ${{ secrets.FOD_TENANT }} + user: ${{ secrets.FOD_USER }} + password: ${{ secrets.FOD_PAT }} + release-id: ${{ secrets.FOD_RELEASE_ID }} + output: ./sarif/output.sarif + + # Import Fortify on Demand results to GitHub Security Code Scanning + - name: Import Results + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ./sarif/output.sarif diff --git a/code-scanning/properties/fortify-on-demand.properties.json b/code-scanning/properties/fortify-on-demand.properties.json new file mode 100644 index 0000000000..5a7ee5ec40 --- /dev/null +++ b/code-scanning/properties/fortify-on-demand.properties.json 
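Review bot: The `Perform SAST Scan` step hands the tenant credential to the uploader as a positional command-line argument (`-uc "$FOD_USER" "$FOD_PAT"`), so for the duration of the upload the PAT is readable from the process argument list (`ps`, `/proc/<pid>/cmdline`) by anything else running on the runner — a minor exposure on an ephemeral GitHub-hosted VM, a real one on a shared self-hosted runner. GitHub's log masking covers the registered secret value but does not reach argv. If the uploader can take the credentials from environment variables or a file instead, use that; if it cannot (its option set is not visible here), at least flag the trade-off above the step with `# NOTE: the FoD PAT is passed on the command line and is visible in the runner's process list while the upload runs.`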
@@ -0,0 +1,7 @@ +{ + "name": "Fortify on Demand Scan", + "creator": "Micro Focus", + "description": "Integrate Fortify's comprehensive static code analysis (SAST) for 27+ languages into your DevSecOps workflows to build secure software faster.", + "iconName": "fortify", + "categories": ["Code Scanning", "ABAP", "ActionScript", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Go", "HTML", "Java", "JavaScript", "JSP", "Kotlin", "MXML", "Objective C", "PHP", "PL/SQL", "Python", "Ruby", "Scala", "Swift", "T-SQL", "TypeScript", "VBScript", "VB.NET", "Visual Basic", "XML"] +} diff --git a/icons/fortify.svg b/icons/fortify.svg new file mode 100644 index 0000000000..45a0d77f57 --- /dev/null +++ b/icons/fortify.svg @@ -0,0 +1 @@ + \ No newline at end of file From 99fae1ecb1b2463b453bd35393072e8385772cb2 Mon Sep 17 00:00:00 2001 From: Ruud Senden Date: Mon, 13 Sep 2021 10:29:38 +0200 Subject: [PATCH 2/6] Update Fortify on Demand workflow --- code-scanning/fortify-on-demand.yml | 34 ++++++++++++++--------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/code-scanning/fortify-on-demand.yml b/code-scanning/fortify-on-demand.yml index 2baf56bc0d..4e3c3b6408 100644 --- a/code-scanning/fortify-on-demand.yml +++ b/code-scanning/fortify-on-demand.yml @@ -17,10 +17,7 @@ name: Fortify on Demand Scan on: workflow_dispatch: push: - branches: [ master ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ master ] + branches: [ $default-branch ] schedule: - cron: '24 18 * * 5' 
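Review bot: Removing `pull_request` from `on:` leaves the `# TODO: Customize trigger events` comment giving no hint that PR scanning was dropped on purpose, and the likely reason — repository secrets such as `FOD_PAT` are not provided to jobs triggered by pull requests from forks, so the scan would fail there (my inference; confirm) — is exactly what a user needs to know before adding it back. It is also worth warning against the tempting substitute `pull_request_target`: it runs with secrets in the base repository's context, and this job builds whatever it checks out (`scancentral package -bt mvn` runs the project's Maven build), so combining it with a checkout of the PR head would expose the FoD credentials to untrusted code. Suggested addition under the TODO: `# pull_request is intentionally omitted: secrets are not available to fork PRs. Do not use pull_request_target here, since this job builds the checked-out code with FoD credentials in its environment.`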
@@ -29,13 +26,18 @@ jobs: # Use the appropriate runner for building your source code. # TODO: Use a Windows runner for .NET projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax. runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write steps: # Check out source code - name: Check Out Source Code uses: actions/checkout@v2 - # Java 8 required by ScanCentral Client and FoD Uploader(Univeral CI Tool) + # Java is required to run the various Fortify utilities. + # When scanning a Java application, please use the appropriate Java version for building your application. - name: Setup Java uses: actions/setup-java@v1 with: 
@@ -64,29 +66,27 @@ jobs: - name: Perform SAST Scan run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES" env: + FOD_URL: "https://ams.fortify.com/" + FOD_API_URL: "https://api.ams.fortify.com/" FOD_TENANT: ${{ secrets.FOD_TENANT }} FOD_USER: ${{ secrets.FOD_USER }} FOD_PAT: ${{ secrets.FOD_PAT }} FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }} - FOD_URL: "https://ams.fortify.com/" - FOD_API_URL: "https://api.ams.fortify.com/" FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf" FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})' # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output. - # TODO: Review Action inputs. For most users, these will be the same as used in the Perform SAST Scan step. - - name: Download Results - uses: fortify/gha-fod-generate-sarif@1.1.0 + - name: Export results to GitHub-optimized SARIF + uses: fortify/gha-export-vulnerabilities@v1 with: - base-url: https://ams.fortify.com - tenant: ${{ secrets.FOD_TENANT }} - user: ${{ secrets.FOD_USER }} - password: ${{ secrets.FOD_PAT }} - release-id: ${{ secrets.FOD_RELEASE_ID }} - output: ./sarif/output.sarif + fod_base_url: "https://ams.fortify.com/" + fod_tenant: ${{ secrets.FOD_TENANT }} + fod_user: ${{ secrets.FOD_USER }} + fod_password: ${{ secrets.FOD_PAT }} + fod_release_id: ${{ secrets.FOD_RELEASE_ID }} # Import Fortify on Demand results to GitHub Security Code Scanning - name: Import Results uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: ./sarif/output.sarif + sarif_file: ./gh-fortify-sast.sarif From 6d89fb8045968bc5f12cd8989b25a9b6d04cfb3a Mon Sep 17 00:00:00 2001 
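Review bot: The FoD base URL is now written in two places that must agree — `FOD_URL`/`FOD_API_URL` in the `Perform SAST Scan` env and the literal `fod_base_url: "https://ams.fortify.com/"` in the new export step — so a tenant on a non-AMS region has to edit three lines, and forgetting one leaves the scan running against one endpoint and the export talking to another. Hoist the endpoints to a job-level `env:` (`FOD_URL: "https://ams.fortify.com/"`, `FOD_API_URL: "https://api.ams.fortify.com/"`) and reference them from both steps, e.g. `fod_base_url: ${{ env.FOD_URL }}`. The `sarif_file: ./gh-fortify-sast.sarif` path also depends on the export action's default output location, which the workflow never states; if the action exposes an output-path input (not visible in this patch), setting it explicitly would make the coupling between the two steps visible.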
From: Ruud Senden Date: Tue, 14 Sep 2021 08:56:36 +0200 Subject: [PATCH 3/6] Update Fortify on Demand supported languages --- code-scanning/properties/fortify-on-demand.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/fortify-on-demand.properties.json b/code-scanning/properties/fortify-on-demand.properties.json index 5a7ee5ec40..100b4bb1b3 100644 --- a/code-scanning/properties/fortify-on-demand.properties.json +++ b/code-scanning/properties/fortify-on-demand.properties.json @@ -3,5 +3,5 @@ "creator": "Micro Focus", "description": "Integrate Fortify's comprehensive static code analysis (SAST) for 27+ languages into your DevSecOps workflows to build secure software faster.", "iconName": "fortify", - "categories": ["Code Scanning", "ABAP", "ActionScript", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Go", "HTML", "Java", "JavaScript", "JSP", "Kotlin", "MXML", "Objective C", "PHP", "PL/SQL", "Python", "Ruby", "Scala", "Swift", "T-SQL", "TypeScript", "VBScript", "VB.NET", "Visual Basic", "XML"] + "categories": ["Code Scanning", "ABAP", "ActionScript", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Dockerfile", "Go", "HTML", "Java", "JavaScript", "JSON", "Java Server Pages", "Kotlin", "MXML", "Objective-C", "Objective-C++", "PHP", "PLSQL", "Python", "Ruby", "Scala", "Swift", "TSQL", "TypeScript", "VBScript", "Visual Basic .NET", "Visual Basic", "XML"] } From 30715e86a480f31a76cecd9b66c04fd1de636d73 Mon Sep 17 00:00:00 2001 From: Ruud Senden Date: Tue, 14 Sep 2021 09:06:33 +0200 Subject: [PATCH 4/6] Add 3rd-party GitHub Actions disclaimer --- code-scanning/fortify-on-demand.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/code-scanning/fortify-on-demand.yml b/code-scanning/fortify-on-demand.yml index 4e3c3b6408..da200a602c 100644 --- a/code-scanning/fortify-on-demand.yml +++ b/code-scanning/fortify-on-demand.yml 
@@ -1,3 +1,8 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + ################################################################################################################################################ # Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,# # dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial # From 97de22b47c64dfc718d0793874168c3fc08a1814 Mon Sep 17 00:00:00 2001 From: Ruud Senden Date: Wed, 22 Sep 2021 14:12:39 +0200 Subject: [PATCH 5/6] Update according to PR review comments --- code-scanning/fortify-on-demand.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/code-scanning/fortify-on-demand.yml b/code-scanning/fortify-on-demand.yml index da200a602c..d67d194897 100644 --- a/code-scanning/fortify-on-demand.yml +++ b/code-scanning/fortify-on-demand.yml @@ -24,7 +24,7 @@ on: push: branches: [ $default-branch ] schedule: - - cron: '24 18 * * 5' + - cron: $cron-weekly jobs: FoD-SAST-Scan: @@ -56,7 +56,7 @@ jobs: # For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation. # ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/ - name: Download Fortify ScanCentral Client - uses: fortify/gha-setup-scancentral-client@v1 + uses: fortify/gha-setup-scancentral-client@5b7382f8234fb9840958c49d5f32ae854115f9f3 - name: Package Code + Dependencies run: scancentral package $PACKAGE_OPTS -o package.zip env: 
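Review bot: The pin `uses: fortify/gha-setup-scancentral-client@5b7382f8234fb9840958c49d5f32ae854115f9f3` correctly replaces the mutable `v1` tag for a third-party action, but a bare SHA tells a reader nothing about which release it is or when it has fallen behind; the usual form keeps the tag as a trailing comment, `uses: fortify/gha-setup-scancentral-client@5b7382f8234fb9840958c49d5f32ae854115f9f3 # v1.x.y` (the corresponding tag is not visible in this patch — take it from the action's releases). The same applies to the two Fortify pins in the next two hunks. The GitHub-owned actions (`actions/checkout@v2`, `actions/setup-java@v1`, `github/codeql-action/upload-sarif@v1`) stay on floating tags, which follows the starter-workflow convention but is worth a one-line comment so consumers with a stricter supply-chain policy know to pin those as well.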
@@ -67,7 +67,7 @@ jobs: # Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used). # Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal. - name: Download Fortify on Demand Universal CI Tool - uses: fortify/gha-setup-fod-uploader@v1 + uses: fortify/gha-setup-fod-uploader@6e6bb8a33cb476e240929fa8ebc739ff110e7433 - name: Perform SAST Scan run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES" env: @@ -82,7 +82,7 @@ jobs: # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output. - name: Export results to GitHub-optimized SARIF - uses: fortify/gha-export-vulnerabilities@v1 + uses: fortify/gha-export-vulnerabilities@fcb374411cff9809028c911dabb8b57dbdae623b with: fod_base_url: "https://ams.fortify.com/" fod_tenant: ${{ secrets.FOD_TENANT }} From cb6678504a1584c607f7472df3c5ecc7ba72ad31 Mon Sep 17 00:00:00 2001 From: Ruud Senden Date: Tue, 28 Sep 2021 10:24:29 +0200 Subject: [PATCH 6/6] File renames as requested in PR comments --- code-scanning/{fortify-on-demand.yml => fortify.yml} | 0 .../{fortify-on-demand.properties.json => fortify.json} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename code-scanning/{fortify-on-demand.yml => fortify.yml} (100%) rename code-scanning/properties/{fortify-on-demand.properties.json => fortify.json} (100%) diff --git a/code-scanning/fortify-on-demand.yml b/code-scanning/fortify.yml similarity index 100% rename from code-scanning/fortify-on-demand.yml rename to code-scanning/fortify.yml diff --git a/code-scanning/properties/fortify-on-demand.properties.json b/code-scanning/properties/fortify.json similarity index 100% rename from code-scanning/properties/fortify-on-demand.properties.json rename to code-scanning/properties/fortify.json