Updating makefile

Author: kadraman

Makefile

@@ -3,16 +3,25 @@
 ROOT_DIR := $(abspath $(dir $(lastword $(MAKEFILE_LIST)))/..)
 ROOT_DIR := $(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
 PROJECT := InsecureRestAPI
+PROJECT_LOWER := $(shell echo $(PROJECT) | tr '[:upper:]' '[:lower:]')
 PROJECTS := $(shell ls . | grep project)
 VERSION ?= $(shell git describe --tags --always --dirty --match=v* 2> /dev/null || echo "1.0.0")
 COMMIT := $(shell git log -1 --pretty=format:"%H")
+UNAME := $(shell uname)
 
 FLASK_APP := iwa
-FLASK := FLASK_APP=$(FLASK_APP) .venv/bin/flask
 
 SAST_DEFAULT_OPTS := -Dcom.fortify.sca.ProjectRoot=.fortify -b "$(PROJECT)"
-SAST_TRANSLATE_OPTS := $(SAST_DEFAULT_OPTS) .
 SAST_SCAN_OPTS := $(SAST_DEFAULT_OPTS)
+ifeq ($(OS),Windows_NT)
+	SAST_TRANSLATE_OPTS := $(SAST_DEFAULT_OPTS) iwa
+	SAST_CUSTOM_RULES := etc\\sast-custom-rules\\example-custom-rules.xml
+	SAST_FILTER := etc\\sast-filters\\example-filter.txt
+else
+	SAST_TRANSLATE_OPTS := $(SAST_DEFAULT_OPTS) iwa
+	SAST_CUSTOM_RULES := $(ROOT_DIR)/etc/sast-custom-rules/example-custom-rules.xml
+	SAST_FILTER := $(ROOT_DIR)/etc/sast-filters/example-filter.txt 
+endif
 
 .PHONY: default
 default: help
@@ -21,6 +30,11 @@ default: help
 .PHONY: help
 help: ## help information about make commands
 	@grep -h -P '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
+ifeq ($(OS),Windows_NT)
+	@echo Running on Windows: $(OS)
+else
+	@echo Running on Linux/UNIX: $(UNAME)
+endif
 
 .PHONY: version
 version: ## display the version of the service
@@ -29,6 +43,7 @@ version: ## display the version of the service
 .PHONY: build
 build:  ## build the project
 	@echo "Building $(PROJECT)..."
+	npm install
 	npm run swagger
 	npm run build
 
@@ -54,22 +69,34 @@ test: ## run unit tests for the project
 
 .PHONY: clean
 clean: ## remove temporary files
+ifeq ($(OS),Windows_NT)
+	cmd /c "rmdir /s /q instance node-modules .fortify"
+else
 	rm -rf instance node-modules .fortify *.lock *.fpr
+endif
 
 .PHONY: sast-scan
 sast-scan: ## run OpenText static application security testing
 	@echo "Running OpenText static application security testing..."
-	@sourceanalyzer $(SAST_DEFAULT_OPTS) -clean
-	@sourceanalyzer $(SAST_TRANSLATE_OPTS)
-	@sourceanalyzer $(SAST_SCAN_OPTS) -scan \
-		-rules $(ROOT_DIR)/etc/sast-custom-rules/example-custom-rules.xml \
-		-filter $(ROOT_DIR)/etc/sast-filters/example-filter.txt \
+	sourceanalyzer $(SAST_DEFAULT_OPTS) -clean
+	sourceanalyzer $(SAST_TRANSLATE_OPTS)
+	sourceanalyzer $(SAST_SCAN_OPTS) -scan \
+		-rules $(SAST_CUSTOM_RULES) \
+		-filter $(SAST_FILTER) \
 		-build-project "$(PROJECT)" -build-version "$(VERSION)" -build-label "SNAPSHOT" \
 		-f "$(PROJECT).fpr"
-	@FPRUtility -information -analyzerIssueCounts -project "$(PROJECT).fpr"
+ifeq ($(OS),Windows_NT)
+	cmd /c "FPRUtility -information -analyzerIssueCounts -project $(PROJECT).fpr"
+else
+	FPRUtility -information -analyzerIssueCounts -project "$(PROJECT).fpr"
+endif
 
 .PHONY: sca-scan
 sca-scan: ## run OpenText software composition analysis
 	@echo "Running OpenText software composition analysis..."
-	@debricked scan . -r $(PROJECT) -c $(COMMIT) -t $(DEBRICKED_TOKEN)
+	debricked scan . -r $(PROJECT) -c $(COMMIT) -t $(DEBRICKED_TOKEN)
 
+.PHONY: nexus-iq-scan
+nexus-iq-scan: ## run Sonatype Nexus IQ software composition analysis
+	@echo "Running Sonatype Nexusi IQ software composition analysis..."
+	nexus-iq-cli -i $(PROJECT_LOWER) -s $(NEXUS_IQ_URL) -a "$(NEXUS_IQ_USERNAME):$(NEXUS_IQ_PASSWORD)" package-lock.json

README.md

@@ -2,15 +2,14 @@
 
 # InsecureRestAPI
 
-_InsecureRestAPI_ is a simple NodeJS/Express/MongoFB REST API fthat can be used for the demonstration of Application Security testing tools - such as [OpenText Application Security](https://www.opentext.com/products/application-security).
+_InsecureRestAPI_ is a simple NodeJS/Express/MongoFB REST API that can be used for the demonstration of Application Security testing tools - such as [OpenText Application Security](https://www.opentext.com/products/application-security).
 
 Pre-requisities
 ---------------
 
- - Windows or Linux machine with Node 20 or later
- - [node package manager](https://docs.npmjs.com/about-npm)
- - [GNU Make](https://www.gnu.org/software/make/)
- - [MongoDB](https://www.mongodb.com/) Community Edition (optional)
+ - [Node.js 20 or later](https://nodejs.org/en/download)
+ - [CygWin](https://www.cygwin.com/) - if running on Windows
+ - [MongoDB](https://www.mongodb.com/) Community Edition (optional as a version is embedded for testing)
  - Docker installation (optional)
 
 Run Application (locally)
@@ -20,9 +19,8 @@ You can the run the application locally using the following:
 
 
 ```
-npm i
-npm i -g ts-node-dev
-npm run dev
+npm install -g ts-node-dev
+make run
 ```
 
 The API should then be available at the URL `http://localhost:5000`. If it fails to start,
@@ -34,7 +32,7 @@ Run Application (as Docker container)
 You also can build a Docker image for the application using the following:
 
 ```
-npm run build
+make build
 docker build -t demoapi:latest .
 ```
 
@@ -50,7 +48,18 @@ make sure you have no other applications running on port 8080.
 Using the API
 -------------
 
-Most of the API operations do not require authentication.
+You can use the Swagger Documentation to test the API endpoints.
+First login as a user using the endpoint "/api/v1/site/sign-in" and either of the following credentials
+
+    - email: user1@localhost.com
+      password: password
+    - email: admin@localhost.com
+      password: password
+
+Then copy the value of the `accessToken` returned. Go back to the top of the page. Click on **Authorize**
+and enter this value.
+
+There are also some example [Postman](https://www.postman.com/downloads/) collections in the `etc` directory.
 
 Scan Application (with OpenText Application Security)
 -----------------------------------------------------