This is an example Mulesoft Anypoint project that can be used for Fortify Static Code Analyzer vulnerability scanning of Mulesoft's XML configuration files.
The example includes a MuleSoft domain project (where global configuration is typically set) and an APIKit application project. The application project exposes a MySQL database as a REST API. It also includes a Postman collection so that the deployed API can be tested and vulnerability scanned using Fortify WebInspect (or ScanCentral DAST).
Environment Setup
To demonstrate this application you will need the following installed and configured:
- Fortify Static Code Analyzer
- Fortify WebInspect or ScanCentral DAST (optional)
- The Postman app (optional)
- AnyPoint Studio
- MySQL Community Server
- PowerShell (if not already installed)
If you want to use the PowerShell scripts that are included with this project you will need to create an .env file in the root directory with contents
similar to the following:
# The applications URL
APP_URL=http://localhost:8082/api/products
# The URL of Software Security Center
SSC_URL=http://YOUR_SCC_SERVER_URL
SSC_USERNAME=admin
SSC_PASSWORD=password
# SSC Authentication Token (recommended to use CIToken)
SSC_AUTH_TOKEN=XXXX...
SSC_AUTH_TOKEN_BASE64=YYYYY...
# Name of the application in SSC
SSC_APP_NAME=FortifyMuleSoftDemo
# Name of the application version in SSC
SSC_APP_VER_NAME=main
NOTE: do not place this file under source control
Creating the MySQL database
To create the required MySQL database, first install MySQL and then as a privileged MySQL user (e.g. root) execute the following:
mysql -u root -p
mysql> source mule-api-app\src\main\resources\sql\schema.sql
mysql> source mule-api-app\src\main\resources\sql\data.sql
mysql> exit
Editing and Running in Anypoint Studio
To edit and run this project in Anypoint Studio you need to import both the domain and application project(s). This can be achieved as follows:
- Download this repository to a directory on your local disk using Git:
git checkout https://github.com/fortify-presales/FortifyMuleSoftDemo.git - Startup Anypoint Studio and select the default workspace.
- In the Package Explorer click on Import Project and select
Anypoint Studio project from Filesystem. - Browse to the local copy of the downloaded
mule-domaindirectory. The Project Name should be shown asfortify-1.0.0-mule-domain. Note: I usually keep the downloaded files in the current location by untickingCopy project into workspace. - Repeat the Import operation again by right-clicking in the Package Explorer and this time select the
mule-api-appdirectory.
You can now run the MuleSoft API application by right-clicking on it and selecting Run As->Mule Application.
Once the application (and domain) have deployed you can browse to the API at https://localhost:8082/console/ or use the provided Postman collection
in the mule-api-app\src\test\resources directory to exercise it.
Deploying to a standalone server
TBD
Fortify Static Code Analyzer (SAST) scan
To execute a Fortify Static Code Analyzer SAST scan, run the following commands from the root directory of the project:
sourceanalyzer -verbose -scan mule-domain/src/main/ mule-api-app/src/main/
or you can use the provided PowerShell script [bin\fortify_sast.ps1]:
powershell bin\fortify-sca.ps1 -SkipSSC
Note: if you want to upload the results to Software Security Center you can remove the -SkipSSC switch.
You can then view the results with Audit Workbench as follows:
auditworkbench FortifyMuleSoftDemo.fpr
You should see output similar to the following:
Issue counts by analyzer:
"configuration" => 13 Issues
mule-api-app/src/main/mule/store-api.xml:34 (Password Management: Password in Comment)
mule-api-app/src/main/mule/store-api.xml:44 (Mule Misconfiguration: Hardcoded Password)
mule-api-app/src/main/mule/store-api.xml:44 (Mule Misconfiguration: Insecure Database Transport)
mule-api-app/src/main/mule/store-api.xml:44 (Password Management: Password in Configuration File)
mule-api-app/src/main/mule/store-api.xml:61 (Password Management: Password in Comment)
mule-api-app/src/main/resources/beans.xml:19 (Password Management: Password in Configuration File)
mule-api-app/src/main/resources/beans.xml:20 (Password Management: Password in Configuration File)
mule-api-app/src/main/resources/beans.xml:21 (Password Management: Password in Configuration File)
mule-api-app/src/main/resources/beans.xml:22 (Password Management: Password in Configuration File)
mule-domain/src/main/mule/mule-domain-config.xml:42 (Mule Misconfiguration: Server Identity Verification Disabled)
mule-domain/src/main/mule/mule-domain-config.xml:45 (Password Management: Password in Configuration File)
mule-domain/src/main/resources/ssl/server-dev-keystore.p12:0 (Key Management: Hardcoded Encryption Key)
mule-domain/src/main/resources/ssl/trusted-client-truststore.p12:0 (Key Management: Hardcoded Encryption Key)
"semantic" => 2 Issues
mule-api-app/src/main/java/com/microfocus/example/StockService.java:18 (Insecure Randomness)
mule-api-app/src/main/java/com/microfocus/example/StockService.java:26 (Insecure Randomness)
"structural" => 7 Issues
mule-api-app/src/main/java/com/microfocus/example/StockService.java:31 (J2EE Bad Practices: Leftover Debug Code)
mule-api-app/src/main/resources/config/config-dev.yaml:22 (Password Management: Hardcoded Password)
mule-api-app/src/main/resources/config/config-dev.yaml:27 (Password Management: Hardcoded Password)
mule-api-app/src/main/resources/config/config-local.yaml:22 (Password Management: Hardcoded Password)
mule-api-app/src/main/resources/config/config-local.yaml:27 (Password Management: Hardcoded Password)
mule-domain/src/main/resources/config/config-dev.yaml:9 (Password Management: Hardcoded Password)
mule-domain/src/main/resources/config/config-local.yaml:9 (Password Management: Hardcoded Password)
Total for all analyzers => 22 Issues
Note: because the API project also contains some Java beans and encryption keys - these issues are also found.
Fortify ScanCentral (SAST) scan
Since MuleSoft uses non standard Maven directories (e.g. src/main/mule) and Fortify ScanCentral SAST package
command cannot yet pickup custom directories, any Maven pom.xml files will need "tweaking" to copy files from
src/main/mule to src/main/resources/mule. An example configuration of the "maven-resources-plugin" to achieve
this is shown below:
<plugin>
<artifactId>maven-resources-plugin</artifactId>
<version>3.3.1</version>
<executions>
<execution>
<id>copy-resources</id>
<phase>validate</phase>
<goals>
<goal>copy-resources</goal>
</goals>
<configuration>
<outputDirectory>${basedir}/src/main/resources/mule</outputDirectory>
<resources>
<resource>
<directory>src/main/mule</directory>
<filtering>true</filtering>
</resource>
</resources>
</configuration>
</execution>
</executions>
</plugin>
To create a ScanCentral SAST package, you can then carry out commands similar to the following:
cd mule-api-app
scancentral package -bt mvn -bc "clean package" -o package.zip
...
Fortify WebInpsect (DAST) scan
A Postman collection is included so that the deployed API can also be vulnerability scanned with Fortify WebInspect.
To use Postman collections with WebInspect you will need to have installed node.js and newman as per the Fortify Documentation. Then start the application, load the Postman collection into WebInspect and then execute it.
Fortify ScanCentral DAST scan
A Postman collection is included so that the deployed API can also be vulnerability scanned with Fortify WebInspect and/or Fortify ScanCentral DAST.
Kevin A. Lee (kadraman) - [email protected]