First commit

Author: rsenden

.gitignore

@@ -0,0 +1,18 @@
+.gradle/
+.shelf/
+build/
+out/
+dist/
+*.iml
+*.iws
+*.ipr
+*~
+rebel.xml
+.idea/
+/fortifyRepository
+.settings/
+bin/
+lombok.config
+.classpath
+.project
+*.fpr

.travis.yml

@@ -0,0 +1,20 @@
+language: java
+install: true
+sudo: false
+    
+stages:
+  - name: build
+  - name: snapshotBranch
+    if: tag IS blank AND branch =~ /^(\d+.)+\d+-SNAPSHOT$/
+  - name: releaseTag
+    if: tag IS present
+    
+jobs:
+  include:
+    - stage: build
+      script: /bin/sh ./gradlew build
+    - stage: snapshotBranch
+      script: /bin/sh ./gradlew "-PoverrideVersion=$TRAVIS_BRANCH" bintrayUpload -x test -Dbuild.number=$TRAVIS_BUILD_NUMBER
+    - stage: releaseTag
+      script: /bin/sh ./gradlew "-PoverrideVersion=$TRAVIS_TAG" bintrayUpload -x test -Dbuild.number=$TRAVIS_BUILD_NUMBER
+      

LICENSE.TXT

@@ -0,0 +1,23 @@
+The MIT License (MIT)
+(c) Copyright 2020 Micro Focus or one of its affiliates, a Micro Focus company
+
+Permission is hereby granted, free of charge, to any person obtaining a 
+copy of this software and associated documentation files (the 
+"Software"), to deal in the Software without restriction, including without 
+limitation the rights to use, copy, modify, merge, publish, distribute, 
+sublicense, and/or sell copies of the Software, and to permit persons to 
+whom the Software is furnished to do so, subject to the following 
+conditions:
+
+The above copyright notice and this permission notice shall be included 
+in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 
+KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 
+WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 
+PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 
+DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 
+CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 
+IN THE SOFTWARE.

README.md

@@ -0,0 +1,170 @@
+<x-tag-head>
+<x-tag-meta http-equiv="X-UA-Compatible" content="IE=edge"/>
+
+<x-tag-script language="JavaScript"><!--
+<X-INCLUDE url="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@10.0.0/build/highlight.min.js"/>
+--></x-tag-script>
+
+<x-tag-script language="JavaScript"><!--
+<X-INCLUDE url="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js" />
+--></x-tag-script>
+
+<x-tag-script language="JavaScript"><!--
+<X-INCLUDE url="${gradleHelpersLocation}/spa_readme.js" />
+--></x-tag-script>
+
+<x-tag-style><!--
+<X-INCLUDE url="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@10.0.0/build/styles/github.min.css" />
+--></x-tag-style>
+
+<x-tag-style><!--
+<X-INCLUDE url="${gradleHelpersLocation}/spa_readme.css" />
+--></x-tag-style>
+</x-tag-head>
+
+# Fortify SSC Parser Plugin for Symfony Security Checker
+
+## Introduction
+
+This Fortify SSC parser plugin allows for importing scan results from Symfony Security Checker.
+
+### Related Links
+
+* **Downloads**:  
+  _Beta versions may be unstable or non-functional. The `*-licenseReport.zip` and `*-dependencySources.zip` files are for informational purposes only and do not need to be downloaded._
+	* **Release versions**: https://bintray.com/package/files/fortify-ps/release/fortify-ssc-parser-symfony-security-checker?order=desc&sort=fileLastModified&basePath=&tab=files  
+	* **Beta versions**: https://bintray.com/package/files/fortify-ps/beta/fortify-ssc-parser-symfony-security-checker?order=desc&sort=fileLastModified&basePath=&tab=files
+	* **Sample input files**: [sampleData](sampleData)
+* **GitHub**: https://github.com/fortify-ps/fortify-ssc-parser-symfony-security-checker
+* **Automated builds**: https://travis-ci.com/fortify-ps/fortify-ssc-parser-symfony-security-checker
+* **Symfony Security Checker resources**:
+	* Web interface: https://security.symfony.com/
+	* CLI interface: https://github.com/sensiolabs/security-checker
+
+
+## Plugin Installation
+
+These sections describe how to install, upgrade and uninstall the plugin.
+
+### Install & Upgrade
+
+* Obtain the plugin binary jar file
+	* Either download from Bintray (see [Related Links](#related-links)) 
+	* Or by building yourself (see [Developers](#developers))
+* If you already have another version of the plugin installed, first uninstall the previously 
+ installed version of the plugin by following the steps under [Uninstall](#uninstall) below
+* In Fortify Software Security Center:
+	* Navigate to Administration->Plugins->Parsers
+	* Click the `NEW` button
+	* Accept the warning
+	* Upload the plugin jar file
+	* Enable the plugin by clicking the `ENABLE` button
+  
+### Uninstall
+
+* In Fortify Software Security Center:
+	* Navigate to Administration->Plugins->Parsers
+	* Select the parser plugin that you want to uninstall
+	* Click the `DISABLE` button
+	* Click the `REMOVE` button 
+
+
+## Obtain results
+
+Please see the Symfony Security Checker documentation for details on checking applications and 
+generating reports. Note that the SSC parser plugin requires the uploaded reports to be in JSON
+format.
+
+## Upload results
+
+SSC web interface (manual upload):
+
+* Navigate to the Artifacts tab of your application version
+* Click the `UPLOAD` button
+* Click the `ADD FILES` button, and select the JSON file to upload
+* Enable the `3rd party results` check box
+* Select the `SYMFONY_SECCHECK` type
+  
+SSC clients (FortifyClient, Maven plugin, ...):
+
+* Generate a scan.info file containing a single line as follows:  
+`engineType=SYMFONY_SECCHECK`
+* Generate a zip file containing the following:
+	* The scan.info file generated in the previous step
+	* The JSON file containing scan results
+* Upload the zip file generated in the previous step to SSC
+	* Using any SSC client, for example FortifyClient
+	* Similar to how you would upload an FPR file
+
+
+
+## Developers
+
+The following sections provide information that may be useful for developers of this 
+parser plugin.
+
+### IDE's
+
+This project uses Lombok. In order to have your IDE compile this project without errors, 
+you may need to add Lombok support to your IDE. Please see https://projectlombok.org/setup/overview 
+for more information.
+
+### Gradle Wrapper
+
+It is strongly recommended to build this project using the included Gradle Wrapper
+scripts; using other Gradle versions may result in build errors and other issues.
+
+The Gradle build uses various helper scripts from https://github.com/fortify-ps/gradle-helpers;
+please refer to the documentation and comments in included scripts for more information. 
+
+### Common Commands
+
+All commands listed below use Linux/bash notation; adjust accordingly if you
+are running on a different platform. All commands are to be executed from
+the main project directory.
+
+* `./gradlew tasks --all`: List all available tasks
+* Build: (plugin binary will be stored in `build/libs`)
+	* `./gradlew clean build`: Clean and build the project
+	* `./gradlew build`: Build the project without cleaning
+	* `./gradlew dist`: Build distribution zip
+* Version management:
+	* `./gradlew printProjectVersion`: Print the current version
+	* `./gradlew startSnapshotBranch -PnextVersion=2.0`: Start a new snapshot branch for an upcoming `2.0` version
+	* `./gradlew releaseSnapshot`: Merge the changes from the current branch to the master branch, and create release tag
+* `./fortify-scan.sh`: Run a Fortify scan; requires Fortify SCA to be installed
+
+Note that the version management tasks operate only on the local repository; you will need to manually
+push any changes (including tags and branches) to the remote repository.
+
+### Versioning
+
+The various version-related Gradle tasks assume the following versioning methodology:
+
+* The `master` branch is only used for creating tagged release versions
+* A branch named `<version>-SNAPSHOT` contains the current snapshot state for the upcoming release
+* Optionally, other branches can be used to develop individual features, perform bug fixes, ...
+	* However, note that the Gradle build may be unable to identify a correct version number for the project
+	* As such, only builds from tagged versions or from a `<version>-SNAPSHOT` branch should be published to a Maven repository
+
+### CI/CD
+
+Travis-CI builds are automatically triggered when there is any change in the project repository,
+for example due to pushing changes, or creating tags or branches. If applicable, binaries and related 
+artifacts are automatically published to Bintray using the `bintrayUpload` task:
+
+* Building a tagged version will result in corresponding release version artifacts to be published
+* Building a branch named `<version>-SNAPSHOT` will result in corresponding beta version artifacts to be published
+* No artifacts will be deployed for any other build, for example when Travis-CI builds the `master` branch
+
+See the [Related Links](#related-links) section for the relevant Travis-CI and Bintray links.
+
+
+## License
+<x-insert text="<!--"/>
+
+See [LICENSE.TXT](LICENSE.TXT)
+
+<x-insert text="-->"/>
+
+<x-include url="file:LICENSE.TXT"/>

build.gradle

@@ -0,0 +1,77 @@
+plugins {
+  id "io.freefair.lombok" version "4.1.2"
+  id "com.jfrog.bintray" version "1.8.4"
+  id 'org.ajoberstar.grgit' version "4.0.0"
+  id 'com.github.jk1.dependency-license-report' version '1.12'
+  id "org.kordamp.gradle.markdown" version "2.0.0"
+}
+
+group 'com.fortify.ssc.parser.clair.rest'
+
+ext {
+	gradleHelpersLocation = "https://raw.githubusercontent.com/fortify-ps/gradle-helpers/1.2"
+}
+
+apply from: "${gradleHelpersLocation}/repo-helper.gradle"
+apply from: "${gradleHelpersLocation}/junit-helper.gradle"
+apply from: "${gradleHelpersLocation}/version-helper.gradle"
+apply from: "${gradleHelpersLocation}/fortify-helper.gradle"
+
+// Project and plugin version based on SCM information
+version = getProjectVersionAsBetaOrRelease(true)
+ext {
+	sscParserPluginVersion = getProjectVersionAsPlainVersionNumber()
+	bintrayRepo = "${getBetaOrReleaseLabel()}"
+	bintrayPkgName = "${rootProject.name}"
+	bintrayDownloadContainerName = getProjectVersionAsBetaOrRelease(false)
+	projectLicense = 'MIT'
+}
+
+apply from: "${gradleHelpersLocation}/ssc-parser-plugin-helper.gradle"
+apply from: "${gradleHelpersLocation}/thirdparty-helper.gradle"
+apply from: "${gradleHelpersLocation}/bintray-binaries-helper.gradle"
+apply from: "${gradleHelpersLocation}/readme2html.gradle"
+
+apply plugin: 'java'
+sourceCompatibility = 1.8
+
+sourceSets {
+    test {
+        resources {
+            srcDir "sampleData"
+        }
+    }
+}
+
+configurations.all {
+    // Don't cache modules that may change (i.e. snapshots)
+	resolutionStrategy.cacheChangingModulesFor 0, 'seconds'
+}
+
+dependencies {
+    compileExport(group: 'com.fortify.ssc.parser.util', name: 'fortify-ssc-parser-util', version:'1.2-SNAPSHOT', changing: true) { transitive = true }
+}
+
+task dist(type: Zip) {
+	dependsOn 'build', 'readme2html'
+	archiveFileName = "${rootProject.name}-${project.version}.zip"
+	destinationDirectory = file("$buildDir/dist")
+	from("${libsDir}") {
+		include "${rootProject.name}-${project.version}.jar"
+	}
+	from "${buildDir}/html"
+	from("${projectDir}") {
+		include "sampleData/**/*"
+		include "LICENSE.TXT"
+	}
+}
+
+bintray {
+    filesSpec {
+       from("${buildDir}/dist") {
+          include "*.zip"
+       }
+       into '.'
+    }
+}
+_bintrayRecordingCopy.dependsOn 'clean', 'dist', 'distThirdParty'

fortify-scan.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Set scan options
+# Modular scan doesn't work properly yet, so for now we just add the fortify-ssc-parser-util build model
+# Note that either approach requires fortify-ssc-parser-util to be translated/scanned on the same machine
+# before running this script.
+#scanOpts="-include-modules fortify-ssc-parser-util -scan"
+scanOpts="-b fortify-ssc-parser-util -scan" 
+
+# Load and execute actual scan script from GitHub
+curl -s https://raw.githubusercontent.com/fortify-ps/gradle-helpers/1.0/fortify-scan.sh | bash -s - ${scanOpts}

gradle/wrapper/gradle-wrapper.jar

@@ -0,0 +1,5 @@
+distributionBase=GRADLE_USER_HOME
+distributionPath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-5.6.4-bin.zip
+zipStoreBase=GRADLE_USER_HOME
+zipStorePath=wrapper/dists