UNCLASSIFIED - NO CUI

fortify update to 25.4.0-bb.1

Package Merge Request

Package Changes

https://repo1.dso.mil/big-bang/product/packages/fortify/-/blob/25.4.0-bb.1/CHANGELOG.md

Package MR

big-bang/product/packages/fortify!221 (merged)

For Issue

Closes big-bang/product/packages/fortify#175 (closed)
Closes big-bang/product/packages/fortify#180 (closed)

Upgrade Notices

Fortify is now leveraging our bb-common integration for NetworkPolicies, Istio-related resources, and routes. Please refer to this blog post for additional information on the integration.

This update removes Fortify's legacy broad fallback egress policy for external databases. If you are using the bundled MySQL subchart, no additional action is required.

If you are using an external MySQL instance, the upgrade now requires all of the following:

  1. Set addons.fortify.values.mysql.enabled: false to disable the bundled MySQL subchart.
  2. Update addons.fortify.values.fortify_autoconfig so the datasourceProperties and dbMigrationProperties point to the external database.
  3. Set addons.fortify.externalDatabase.host and, if needed, addons.fortify.externalDatabase.port so Big Bang can generate the outbound bb-common route for the external database when Istio is enabled.
  4. Set addons.fortify.values.networkPolicies.egress.definitions.external-mysql.to with the allowed destination CIDRs for the external database so the Fortify webapp NetworkPolicy is actually enabled.

Fortify's external MySQL policy is now selector-scoped to the Fortify webapp and port-scoped to 3306. The route and the NetworkPolicy are configured separately:

  • addons.fortify.externalDatabase.host and addons.fortify.externalDatabase.port control the outbound bb-common route and, when Istio is enabled, the generated ServiceEntry.
  • addons.fortify.values.networkPolicies.egress.definitions.external-mysql.to controls whether the Fortify external-mysql egress NetworkPolicy is enabled.

Setting only addons.fortify.externalDatabase.host is not enough to allow database traffic. If the destination CIDRs are omitted, the Fortify chart still renders the external-mysql policy as disabled and the webapp will not be allowed to connect to the external database.

For instance, to disable the bundled MySQL chart and permit Fortify to connect to an external MySQL instance:

addons:
  fortify:
    externalDatabase:
      host: external-mysql.example.internal
      port: 3306
    values:
      mysql:
        enabled: false
      fortify_autoconfig: |
        appProperties:
          host.validation: false

        datasourceProperties:
          db.username: fortify
          db.password: change-me
          jdbc.url: 'jdbc:mysql://external-mysql.example.internal:3306/ssc_db?sessionVariables=collation_connection=latin1_general_cs&rewriteBatchedStatements=true'

        dbMigrationProperties:
          migration.enabled: true
          migration.username: fortify
          migration.password: change-me
      networkPolicies:
        egress:
          definitions:
            external-mysql:
              to:
                - ipBlock:
                    cidr: 10.20.30.40/32

If your external MySQL deployment is fronted by multiple addresses or subnets, add each allowed CIDR under addons.fortify.values.networkPolicies.egress.definitions.external-mysql.to. If those CIDRs are omitted, Fortify will not be able to reach the external database even if addons.fortify.externalDatabase.host is set and the outbound route is rendered. If Istio is disabled, the addons.fortify.externalDatabase.host and port values are not required for mesh registration. If you connect by IP instead of DNS, use that same address consistently in both addons.fortify.externalDatabase.host and the jdbc.url.
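The four external-database settings above have to agree with each other, and the failure mode described in this notice (host set, CIDRs omitted, policy rendered disabled) only shows up at runtime as a refused connection. The following preflight script is an added example, not part of the fortify package or Big Bang: it walks the parsed Big Bang values (the dict `yaml.safe_load` returns for your values file) and reports the mismatches this upgrade notice calls out. The values dicts it contains are constructed here to mirror the example above; the function and constant names are this example's own.

```python
"""Preflight check for Fortify external-MySQL settings in Big Bang values.

Added example (not Big Bang or fortify package code). Reports:
  - bundled MySQL subchart still enabled
  - addons.fortify.externalDatabase.host missing (no outbound route rendered)
  - external-mysql egress definition with no CIDRs (policy renders disabled)
  - malformed CIDRs, or an IP-literal host that no CIDR covers
  - jdbc.url host/port disagreeing with externalDatabase.host/port
"""
import copy
import ipaddress
import re

MYSQL_PORT = 3306
# Pulls host and optional port out of the jdbc.url line inside fortify_autoconfig.
JDBC_URL_RE = re.compile(r"jdbc\.url:\s*['\"]?jdbc:mysql://([^:/'\"\s]+)(?::(\d+))?/")


def _dig(obj, *keys):
    """Walk nested dicts; return None if any key along the path is missing."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def check_external_mysql(values: dict) -> list[str]:
    """Return a list of problems; an empty list means the four upgrade steps line up."""
    problems = []
    fortify = _dig(values, "addons", "fortify") or {}

    # Step 1: bundled subchart must be off.
    if _dig(fortify, "values", "mysql", "enabled") is not False:
        problems.append("addons.fortify.values.mysql.enabled must be false for an external database")

    # Step 3: host (and port) drive the bb-common outbound route / ServiceEntry.
    host = _dig(fortify, "externalDatabase", "host")
    port = int(_dig(fortify, "externalDatabase", "port") or MYSQL_PORT)
    if not host:
        problems.append("addons.fortify.externalDatabase.host is not set; no outbound route will be rendered")

    # Step 2: datasourceProperties must point at the same external database.
    autoconfig = _dig(fortify, "values", "fortify_autoconfig") or ""
    match = JDBC_URL_RE.search(autoconfig)
    if not match:
        problems.append("fortify_autoconfig has no jdbc:mysql:// jdbc.url under datasourceProperties")
    else:
        jdbc_host, jdbc_port = match.group(1), int(match.group(2) or MYSQL_PORT)
        if host and jdbc_host != host:
            problems.append(f"jdbc.url host {jdbc_host!r} differs from externalDatabase.host {host!r}")
        if jdbc_port != port:
            problems.append(f"jdbc.url port {jdbc_port} differs from externalDatabase.port {port}")

    # Step 4: the egress policy is only enabled when 'to' carries destination CIDRs.
    to = _dig(fortify, "values", "networkPolicies", "egress", "definitions", "external-mysql", "to")
    if not to:
        problems.append("external-mysql.to has no CIDRs; the egress NetworkPolicy renders disabled "
                        "and the webapp cannot reach the database")
        return problems
    networks = []
    for entry in to:
        cidr = _dig(entry, "ipBlock", "cidr")
        if cidr is None:
            problems.append(f"external-mysql.to entry {entry!r} has no ipBlock.cidr")
            continue
        try:
            networks.append(ipaddress.ip_network(cidr, strict=False))
        except ValueError:
            problems.append(f"external-mysql.to CIDR {cidr!r} is not a valid network")
    # If the host is an IP literal (not DNS), it should fall inside an allowed CIDR.
    try:
        host_ip = ipaddress.ip_address(host) if host else None
    except ValueError:
        host_ip = None
    if host_ip is not None and not any(host_ip in net for net in networks):
        problems.append(f"externalDatabase.host {host} is not covered by any external-mysql CIDR")
    return problems


# Constructed values mirroring the upgrade notice's example (not a real deployment).
GOOD_VALUES = {"addons": {"fortify": {
    "externalDatabase": {"host": "external-mysql.example.internal", "port": 3306},
    "values": {
        "mysql": {"enabled": False},
        "fortify_autoconfig": (
            "datasourceProperties:\n"
            "  db.username: fortify\n"
            "  jdbc.url: 'jdbc:mysql://external-mysql.example.internal:3306/ssc_db'\n"
        ),
        "networkPolicies": {"egress": {"definitions": {"external-mysql": {
            "to": [{"ipBlock": {"cidr": "10.20.30.40/32"}}]}}}},
    }}}}

# Same values with the CIDRs omitted: the case the notice warns about.
MISSING_CIDR_VALUES = copy.deepcopy(GOOD_VALUES)
MISSING_CIDR_VALUES["addons"]["fortify"]["values"]["networkPolicies"]["egress"]["definitions"]["external-mysql"]["to"] = []

if __name__ == "__main__":
    for name, vals in (("good", GOOD_VALUES), ("missing-cidr", MISSING_CIDR_VALUES)):
        print(name, "->", check_external_mysql(vals) or "OK")
```

To run it against a real values file, load it with `yaml.safe_load` and pass the resulting dict to `check_external_mysql`; the script deliberately takes the parsed structure rather than a path so it has no dependency beyond the standard library.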

Edited by Dax McDonald
