Merge branch 'fortify:dev/v3.x' into develop

Author: SangameshV

fcli-core/fcli-action/src/main/resources/com/fortify/cli/generic_action/actions/build-time/ci-envvars.yaml

@@ -127,12 +127,19 @@ formatters:
           `SETUP_EXTRA_OPTS`. To allow this action to create new applications, depending on FoD version,
           you may (also) need to provide the `--app-owner <user id or name>` option through `SETUP_EXTRA_OPTS`.
     scan:
-      - names: DO_SAST_SCAN\nSAST_SCAN_EXTRA_OPTS\nDO_SAST_WAIT
+      - names: DO_SAST_SCAN\nSAST_SCAN_EXTRA_OPTS
         desc: >-
-          For now, this fcli action only supports running a SAST scan, which is enabled by default. The
-          `SAST_SCAN_EXTRA_OPTS` environment variable can be used to pass extra options to the `fcli fod sast-scan start`
-          command. By default, this action will wait until the scan has been completed, unless `DO_SAST_WAIT`
-          is set to `false`; note that any post-scan tasks will be skipped in this case.
+          The fcli `ci` action currently only supports running a SAST scan, which is enabled by default.
+          The `SAST_SCAN_EXTRA_OPTS` environment variable can be used to provide additional options to the
+          `fcli fod sast-scan start` command, for example to specify scan notes. Note that these environment
+          variables only control the submission of the scan request; see the information below for details
+          on waiting for the scan to complete.
+      - names: DO_SAST_WAIT\nSAST_WAIT_EXTRA_OPTS
+        desc: >-
+          By default, the fcli `ci` action will wait for the SAST scan to complete. This behavior can be
+          overridden by setting `DO_SAST_WAIT` to `false`, but note that doing so will skip any post-scan
+          tasks. The `SAST_WAIT_EXTRA_OPTS` environment variable can be used to pass extra options to the
+          `fcli fod sast-scan wait-for` command, for example to adjust the polling interval or timeout.
     postScan:
       - names: DO_RELEASE_SUMMARY\nRELEASE_SUMMARY_ACTION\nRELEASE_SUMMARY_EXTRA_OPTS
         desc: >-
@@ -201,12 +208,19 @@ formatters:
           application version representing your default branch by passing the `--copy-from` option through
           `SETUP_EXTRA_OPTS`.
     scan:
-      - names: DO_SAST_SCAN\nSAST_SCAN_EXTRA_OPTS\nDO_SAST_WAIT
+      - names: DO_SAST_SCAN\nSAST_SCAN_EXTRA_OPTS
+        desc: >-
+          The fcli `ci` action currently only supports running a SAST scan, which is enabled by default.
+          The `SAST_SCAN_EXTRA_OPTS` environment variable can be used to provide additional options to
+          the `fcli sc-sast scan start` command, for example to request a scan completion email notification.
+          Note that these environment variables only control the submission of the scan request; see the
+          information below for details on waiting for the scan to complete. 
+      - names: DO_SAST_WAIT\nSAST_WAIT_EXTRA_OPTS
         desc: >-
-            For now, this fcli action only supports running a SAST scan, which is enabled by default. The
-            `SAST_SCAN_EXTRA_OPTS` environment variable can be used to pass extra options to the `fcli sc-sast scan start`
-            command. By default, this action will wait until the scan has been completed, unless `DO_SAST_WAIT`
-            is set to `false`; note that any post-scan tasks will be skipped in this case.
+          By default, the fcli `ci` action will wait for the SAST scan to complete. This behavior can be
+          overridden by setting `DO_SAST_WAIT` to `false`, but note that doing so will skip any post-scan
+          tasks. The `SAST_WAIT_EXTRA_OPTS` environment variable can be used to pass extra options to the
+          `fcli sc-sast scan wait-for` command, for example to adjust the polling interval or timeout.
     postScan:
       - names: DO_APPVERSION_SUMMARY\nAPPVERSION_SUMMARY_ACTION\nAPPVERSION_SUMMARY_EXTRA_OPTS
         desc: >-

fcli-core/fcli-common/src/main/java/com/fortify/cli/common/action/runner/ActionRunner.java

@@ -13,6 +13,8 @@
 package com.fortify.cli.common.action.runner;
 
 import java.io.OutputStreamWriter;
+import java.util.Collections;
+import java.util.List;
 import java.util.Map;
 
 import com.fasterxml.jackson.databind.node.ObjectNode;
@@ -50,7 +52,13 @@ public final Integer run(String[] args) {
         return _run(args);
     }
 
+    // TODO Review try/close/finally blocks and handling of output in delayed console writers
+    //      to see whether anything can be simplified, and whether there are any bugs.
     public final Integer _run(String[] args) {
+        List<Runnable> delayedConsoleWriterRunnables = Collections.emptyList();
+        Map<ActionStepCheckEntry, CheckStatus> checkStatuses = Collections.emptyMap();
+        CheckStatus overallCheckstatus = CheckStatus.SKIP;
+        int exitCode = 0;
         try ( var progressWriter = createProgressWriter() ) {
             var parameterValues = getParameterValues(args);
             try ( var ctx = createContext(progressWriter, parameterValues) ) {
@@ -59,14 +67,20 @@ public final Integer _run(String[] args) {
                 try {
                     new ActionStepProcessorSteps(ctx, vars, config.getAction().getSteps()).process();
                 } finally {
-                    ctx.getDelayedConsoleWriterRunnables().forEach(Runnable::run);
-                    if ( !ctx.getCheckStatuses().isEmpty() ) {
-                        printCheckStatuses(ctx);
-                    }
+                    // Collect outputs from context; we can't write any of these outputs
+                    // until after the progress writer has been closed.
+                    delayedConsoleWriterRunnables = ctx.getDelayedConsoleWriterRunnables();
+                    checkStatuses = ctx.getCheckStatuses();
+                    exitCode = ctx.getExitCode();
                 }
-                return ctx.getExitCode();
             }
+        } finally {
+            // Write delayed console output and check statuses, now that progress writer has been closed
+            delayedConsoleWriterRunnables.forEach(Runnable::run);
+            overallCheckstatus = processAndPrintCheckStatuses(checkStatuses);
         }
+        // Determine final exit code
+        return exitCode==0 && overallCheckstatus==CheckStatus.FAIL ? 100 : exitCode;
     }
 
     private IProgressWriterI18n createProgressWriter() {
@@ -105,17 +119,16 @@ private static final void initializeCheckStatuses(ActionRunnerContext ctx) {
         }
     }
 
-    private final void printCheckStatuses(ActionRunnerContext ctx) {
+    private final CheckStatus processAndPrintCheckStatuses(Map<ActionStepCheckEntry, CheckStatus> checkStatuses) {
+        if ( checkStatuses.isEmpty() ) { return CheckStatus.SKIP; }
         try ( var recordWriter = createCheckStatusWriter(); ) {
-            ctx.getCheckStatuses().entrySet().stream()
+            checkStatuses.entrySet().stream()
                 .filter(e->e.getValue()!=CheckStatus.HIDE)
                 .map(this::checkStatusAsObjectNode)
                 .forEach(recordWriter::append);
-            var overallStatus = CheckStatus.combine(ctx.getCheckStatuses().values());
+            var overallStatus = CheckStatus.combine(checkStatuses.values());
             recordWriter.append(checkStatusAsObjectNode("Overall Status", overallStatus));
-            if ( ctx.getExitCode()==0 && overallStatus==CheckStatus.FAIL ) {
-                ctx.setExitCode(100);
-            }
+            return overallStatus;
         }
     }
 

fcli-core/fcli-fod/src/main/resources/com/fortify/cli/fod/actions/zip/gitlab-dast-report.yaml

@@ -32,7 +32,7 @@ steps:
         uri:    /api/v3/scans/${rel.currentDynamicScanId}/site-tree
         if:     ${rel.currentDynamicScanId!=null}
         on.fail: 
-          - log.debug: "Site tree unavailable: ${exception.getMessage()}"
+          - log.debug: "Site tree unavailable: ${siteTree_exception.getMessage()}"
   - log.progress: Processing issue data
   - rest.call:
       issues:
@@ -98,7 +98,7 @@ formatters:
       category: dast
       name: ${issue.category}
       message: ${issue.category}
-      description: ${#abbreviate(#htmlToText(issue.details?.summary), 15000)}
+      description: ${#abbreviate(#htmlToText(issue.details?.summary?:""), 15000)}
       cve: 'N/A'
       severity: ${{'Critical':'Critical','High':'High','Medium':'Medium','Low':'Low','Best Practice':'Info','Info':'Info'}.get(issue.severityString)?:'Unknown'}
       confidence: ${(issue.severityString matches "(Critical|Medium)") ? "High":"Low" }

fcli-core/fcli-fod/src/main/resources/com/fortify/cli/fod/actions/zip/gitlab-sast-report.yaml

@@ -60,8 +60,8 @@ steps:
 
 formatters:
   gitlab-sast-report:
-      schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v15.0.0/dist/sast-report-format.json
-      version: 15.0.0
+      schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v15.2.1/dist/sast-report-format.json
+      version: 15.2.1
       scan:
         start_time: ${#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", staticScanSummary?.startedDateTime?:'1970-01-01T00:00:00')}
         end_time: ${#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", staticScanSummary?.completedDateTime?:'1970-01-01T00:00:00')}
@@ -84,11 +84,18 @@ formatters:
       vulnerabilities: ${vulnerabilities?:{}} 
 
   vulnerabilities:
+      id: ${issue.vulnId}
       category: sast
-      confidence: ${(issue.severityString matches "(Critical|Medium)") ? "High":"Low" }
+      name: ${issue.category}
+      message: ${issue.category}
       description: ${#abbreviate(#htmlToText(issue.details?.summary?:""), 15000)}
-      id: ${issue.vulnId}
       cve: 'N/A'
+      severity: ${issue.severityString}
+      confidence: ${(issue.severityString matches "(Critical|Medium)") ? "High":"Low" }
+      solution: ${#abbreviate(#htmlToText(issue.details?.explanation)+'\n\n'+#htmlToText(issue.recommendations?.recommendations), 7000)}
+      scanner:
+        id: FoD-SAST
+        name: Fortify on Demand
       identifiers: |-
         ${{
             {
@@ -98,16 +105,9 @@ formatters:
               value: issue.instanceId
             }
         }}
-      location:
-        file:       ${issueSourceFileResolver.resolve(issue.primaryLocationFull)}
-        start_line: ${issue.lineNumber}
       links:
         - name: Additional issue details, including analysis trace, in Fortify on Demand
           url:  ${#fod.issueBrowserUrl(issue)}
-      message: ${issue.category}
-      name: ${issue.category}
-      scanner:
-        id: FoD-SAST
-        name: Fortify on Demand
-      severity: ${issue.severityString}
-      solution: ${#abbreviate(#htmlToText(issue.details?.explanation)+'\n\n'+#htmlToText(issue.recommendations?.recommendations), 7000)}
+      location:
+        file:       ${issueSourceFileResolver.resolve(issue.primaryLocationFull)}
+        start_line: ${issue.lineNumber==0?1:issue.lineNumber}

fcli-core/fcli-ssc/src/main/resources/com/fortify/cli/ssc/actions/zip/gitlab-dast-report.yaml

@@ -110,7 +110,7 @@ formatters:
       category: sast
       name: ${issue.issueName}
       message: ${issue.issueName}
-      description: ${#abbreviate(#htmlToText(issue.details?.brief), 15000)}
+      description: ${#abbreviate(#htmlToText(issue.details?.brief?:""), 15000)}
       cve: 'N/A'
       severity: ${issue.friority}
       confidence: ${(issue.friority matches "(Critical|Medium)") ? "High":"Low" }

fcli-core/fcli-ssc/src/main/resources/com/fortify/cli/ssc/actions/zip/gitlab-debricked-report.yaml

@@ -100,7 +100,7 @@ formatters:
       category: dependency_scanning
       name: ${issue.issueName}
       message: ${issue.issueName}
-      description: ${#abbreviate(#htmlToText(issue.details?.brief), 15000)}
+      description: ${#abbreviate(#htmlToText(issue.details?.brief?:""), 15000)}
       cve: ${issue.details?.customAttributes?.externalId}
       severity: ${issue.friority}
       confidence: ${(issue.friority matches "(Critical|Medium)") ? "High":"Low" }

fcli-core/fcli-ssc/src/main/resources/com/fortify/cli/ssc/actions/zip/gitlab-sast-report.yaml

@@ -77,8 +77,8 @@ steps:
 
 formatters:
   gitlab-sast-report:
-      schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v15.0.0/dist/sast-report-format.json
-      version: 15.0.0
+      schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v15.2.1/dist/sast-report-format.json
+      version: 15.2.1
       scan:
         start_time: ${#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", lastStaticScan?.uploadDate?:'1970-01-01T00:00:00')}
         end_time: ${#formatDateTime("yyyy-MM-dd'T'HH:mm:ss", lastStaticScan?.uploadDate?:'1970-01-01T00:00:00')}
@@ -104,7 +104,7 @@ formatters:
       category: sast
       name: ${issue.issueName}
       message: ${issue.issueName}
-      description: ${#abbreviate(#htmlToText(issue.details?.brief), 15000)}
+      description: ${#abbreviate(#htmlToText(issue.details?.brief?:""), 15000)}
       cve: 'N/A'
       severity: ${issue.friority}
       confidence: ${(issue.friority matches "(Critical|Medium)") ? "High":"Low"}
@@ -124,4 +124,5 @@ formatters:
           url:  ${issue.details?.appSecTrainingUrl}
       location:
         file:       ${issueSourceFileResolver.resolve(issue.fullFileName)}
-        start_line: ${issue.lineNumber}
+        start_line: ${issue.lineNumber==0?1:issue.lineNumber}
+        

fcli-core/fcli-ssc/src/main/resources/com/fortify/cli/ssc/actions/zip/gitlab-sonatype-report.yaml

@@ -99,7 +99,7 @@ formatters:
       category: dependency_scanning
       name: ${issue.issueName}
       message: ${issue.issueName}
-      description: ${#abbreviate(#htmlToText(issue.details?.brief), 15000)}
+      description: ${#abbreviate(#htmlToText(issue.details?.brief?:""), 15000)}
       cve: 'N/A'
       severity: ${issue.friority}
       confidence: ${(issue.friority matches "(Critical|Medium)") ? "High":"Low" }