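        /// <summary>
        ///  Writes a note for every selected optional scan setting whose backing feature is not enabled for the
        ///  tenant. Only a note is written: nothing here clears the option or touches entitlement IDs, so the
        ///  caller (or the API) is responsible for actually proceeding without it.
        /// </summary>
        /// <param name="api">Authenticated client used to fetch the tenant's feature list.</param>
        /// <param name="options">Parsed command-line options; only the boolean scan flags are read.</param>
        private static void CheckAssessmentOptions(FoDapi api, Options options)
        {
            var assessmentFeatures = api.GetFeatureInfo();
            // Feature names are matched verbatim (ordinal), exactly as the API reports them.
            var features           = assessmentFeatures.Items.Select(feature => feature.Name).ToList();

            // One check per optional setting: selected by the user but not available on the account.
            Action<bool, string, string> warnIfUnavailable = (selected, requiredFeature, displayName) =>
            {
                if (selected && !features.Contains(requiredFeature))
                {
                    Trace.WriteLine($"Note: {displayName} is not enabled for your account, proceeding without this option.");
                }
            };

            warnIfUnavailable(options.OpensourceReport, "SonaType",        "Open-source reporting");
            warnIfUnavailable(options.AutomatedAudit,   "AuditPreference", "Automated Audit");
            warnIfUnavailable(options.ExpressScan,      "ScanPreference",  "Express Scan");
        }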
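        /// <summary>
        /// Authenticates (when no session is live) and lists all valid assessment types, with entitlement IDs,
        /// for Static submissions.
        /// </summary>
        /// <param name="options">Parsed command-line options; supplies the upload URL and credentials for the client.</param>
        /// <remarks>
        /// Terminates the process with exit code -1 when authentication fails, so control does not return
        /// to the caller in that case.
        /// </remarks>
        private static void DisplayAccountInformation(Options options)
        {
            var queryParameters = GetqueryParameters(new UriBuilder(options.UploadUrl));
            var api             = new FoDapi(options, queryParameters);

            if (!api.IsLoggedIn())
            {
                if (!api.Authorize())
                {
                    Trace.WriteLine("Error authenticating to Fortify on Demand, please check your settings.");
                    Environment.Exit(-1);
                }

                Trace.WriteLine("Successfully authenticated to Fortify on Demand.");
            }

            // Once logged in, display the entitlement information related to the release ID.
            api.ListAssessmentTypes();
        }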
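        /// <summary>
        ///  Checks the release to determine if it's retired, or if an analysis is already in progress or waiting,
        ///  and terminates the process (exit code -1) in either case because a new scan cannot be submitted.
        /// </summary>
        /// <param name="api">Authenticated client used to fetch the release information.</param>
        private static void CheckReleaseStatus(FoDapi api)
        {
            var releaseInfo  = api.GetReleaseInfo();
            var releaseLabel = $"{releaseInfo.applicationName} - {releaseInfo.releaseName}";

            // string.Equals(a, b, comparison) is null-safe: a status missing from the API response no longer
            // throws a NullReferenceException here, it simply does not match.
            var isRetired = string.Equals(releaseInfo.sdlcStatusType, "Retired", StringComparison.Ordinal);

            if (isRetired) // cannot submit to this release as it is retired in the portal
            {
                Trace.WriteLine($"Error submitting to Fortify on Demand: You cannot create an assessment for \"{releaseLabel}\" as this release is retired.");
                Environment.Exit(-1);
            }

            // Ensure a scan is not already running for the application prior to attempting to upload.
            // "In_Progress" / "Waiting" are the values the portal reported when this was written
            // — TODO confirm they still map to the current API's analysis status names.
            var analysisStatus = releaseInfo.currentAnalysisStatusType;
            var isScanPending  = string.Equals(analysisStatus, "In_Progress", StringComparison.Ordinal)
                              || string.Equals(analysisStatus, "Waiting", StringComparison.Ordinal);

            if (isScanPending)
            {
                Trace.WriteLine($"Error submitting to Fortify on Demand: You cannot create another scan for \"{releaseLabel}\" at this time.");
                Environment.Exit(-1);
            }
        }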
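        /// <summary>
        /// Main workflow: validates the credential choice and source path, optionally prints account/entitlement
        /// information and exits, then zips the source, authenticates, checks payload size and release state,
        /// and submits the scan. Fatal problems terminate the process via <see cref="Environment.Exit(int)"/>.
        /// </summary>
        /// <param name="options">Parsed command-line options (upload URL, credentials, source path, scan flags).</param>
        private static void Run(Options options)
        {
            var queryParameters = GetqueryParameters(new UriBuilder(options.UploadUrl));

            // Values the portal embeds in the upload URL; kept in statics for the rest of the run.
            _technologyStack  = queryParameters.Get("ts");
            _languageLevel    = queryParameters.Get("ll");
            _tenantCode       = queryParameters.Get("tc");
            _assessmentTypeId = queryParameters.Get("astid");

            _includeAllFiles = options.IncludeAllPayload;

            // Either a complete API token/secret pair or a complete username/password pair is required.
            // Without a token pair we fall back to credential auth (_isTokenAuth is presumably true by default — verify).
            var hasTokenPair      = !string.IsNullOrEmpty(options.ApiToken) && !string.IsNullOrEmpty(options.ApiTokenSecret);
            var hasUserCredential = !string.IsNullOrEmpty(options.Username) && !string.IsNullOrEmpty(options.Password);

            if (!hasTokenPair)
            {
                if (!hasUserCredential)
                {
                    Trace.WriteLine("Error: You must specify either an API token and secret or a username and password to authenticate." + Environment.NewLine);
                    Trace.WriteLine(options.GetUsage());
                    Environment.Exit(-1);
                }

                _isTokenAuth = false;
            }

            // Workaround for a trailing quote character in a folder bug in the CommandLine nuget library.
            if (options.Source.EndsWith("\"", StringComparison.Ordinal))
            {
                options.Source = options.Source.Trim('"');
            }

            // Check specified source path
            CheckSource(options);

            // NOTE(review): confirm this does not echo the password or API token secret to the trace output.
            PrintSelectedOptions(options);

            // If the user has selected to view entitlement information display it and exit
            if (options.DisplayAccountInformation)
            {
                DisplayAccountInformation(options);

                Trace.WriteLine("Note: You may specify an entitlement ID manually with --entitlementID <ID>, please run the utility without --displayEntitlement to proceed.");

                if (_isConsole)
                {
                    Trace.WriteLine("Press any key to quit...");
                    Console.ReadKey();
                }

                Environment.Exit(0);
            }

            var zipPath = ZipFolder(options.Source);

            var api = new FoDapi(options, zipPath, queryParameters);

            EnsureAuthenticated(api);

            EnforcePayloadSizeLimit(zipPath);

            CheckReleaseStatus(api);

            CheckAssessmentOptions(api, options);

            api.SendScanPost();

            // always retire the token
            api.RetireToken();

            // hold console open - ask around if this is something we want to do for interactive runs? Feedback has been conflicting regarding this behavior.
            if (_isConsole)
            {
                Console.WriteLine("Press any key to exit...");
                Console.ReadKey();
            }
        }

        /// <summary>
        /// Logs in when the client has no live session, terminating the process (exit code -1) if that fails.
        /// </summary>
        /// <param name="api">Client to authenticate.</param>
        private static void EnsureAuthenticated(FoDapi api)
        {
            if (api.IsLoggedIn())
            {
                return;
            }

            if (!api.Authorize())
            {
                Trace.WriteLine("Error authenticating to Fortify on Demand, please check your settings.");
                Environment.Exit(-1);
            }

            Trace.WriteLine("Successfully authenticated to Fortify on Demand.");
        }

        /// <summary>
        /// Reports the prepared payload size and terminates the process (exit code -1) when it exceeds
        /// <c>MaxUploadSizeInMb</c>.
        /// </summary>
        /// <param name="zipPath">Path of the zipped payload on disk.</param>
        private static void EnforcePayloadSizeLimit(string zipPath)
        {
            const double BytesPerKb = 1024d;
            const double BytesPerMb = BytesPerKb * 1024d;

            // Arithmetic is done in double: converting a long to float loses precision above 2^24 bytes (16 MB),
            // which is exactly the range where the upload limit matters.
            var byteSize  = new FileInfo(zipPath).Length;
            var kbyteSize = byteSize / BytesPerKb;
            var mbyteSize = byteSize / BytesPerMb;

            Trace.WriteLine(byteSize < BytesPerMb
                ? $"Payload prepared size: {Math.Round(kbyteSize, 2)} kb"
                : $"Payload prepared size: {Math.Round(mbyteSize, 2)} Mb");

            if (mbyteSize > MaxUploadSizeInMb)
            {
                Trace.WriteLine($"Assessment payload size exceeds {MaxUploadSizeInMb} Mb, cannot continue.");
                Environment.Exit(-1);
            }
        }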