Merge branch 'fortify:dev/v3.x' into develop

Author: SangameshV

.release-please-manifest.json

@@ -1,3 +1,3 @@
 {
-  ".": "3.6.0"
+  ".": "3.7.0"
 }

CHANGELOG.md

@@ -1,5 +1,23 @@
 # Changelog
 
+## [3.7.0](https://github.com/fortify/fcli/compare/v3.6.0...v3.7.0) (2025-07-07)
+
+
+### Features
+
+* `fcli ssc session login`: Allow for disabling SC-SAST/SC-DAST connectivity (resolves [#740](https://github.com/fortify/fcli/issues/740)) ([b7aaae2](https://github.com/fortify/fcli/commit/b7aaae2e8676c2d900eb11a8052850b3f109b6ca))
+
+
+### Bug Fixes
+
+* `ci` action: Improve & complement usage help (fixes [#752](https://github.com/fortify/fcli/issues/752), closes [#762](https://github.com/fortify/fcli/issues/762)) ([22a5498](https://github.com/fortify/fcli/commit/22a549892a0ad61c297358d01165db6a95887be8))
+* `fcli aviator ssc audit`: Fix thread synchronization issues that randomly cause exceptions while auditing ([7819ec5](https://github.com/fortify/fcli/commit/7819ec5ec7427c74fa5c6f054a4918973a42ea26))
+* `gitlab-*-report` actions: Output empty string instead of `null` for `description` field ([da7f705](https://github.com/fortify/fcli/commit/da7f70526ce7350aded970c63185153807c3af2b))
+* `gitlab-dast-report` FoD action: Fix exception if site tree is unavailable ([6b24369](https://github.com/fortify/fcli/commit/6b2436991e124b720ddd4b62ad58c3fb943b8e7c))
+* Fix action progress messages not being cleared before final output (fixes [#766](https://github.com/fortify/fcli/issues/766)) ([4f03395](https://github.com/fortify/fcli/commit/4f033950d598575db5c7d8bd773baa5edfc4db50))
+* Fix incorrect synopsis in documentation for built-in actions (fixes [#765](https://github.com/fortify/fcli/issues/765)) (closes [#767](https://github.com/fortify/fcli/issues/767)) ([4f18948](https://github.com/fortify/fcli/commit/4f189483aa44eb32d7a8392dfaf833d86a4c4158))
+* SSC `check-policy` action: Fix --filterset option being ignored ([55e555d](https://github.com/fortify/fcli/commit/55e555dc96e0b22540a10c8f0c72b796e8484cac))
+
 ## [3.6.0](https://github.com/fortify/fcli/compare/v3.5.2...v3.6.0) (2025-06-14)
 
 

fcli-core/fcli-action/src/main/resources/com/fortify/cli/generic_action/actions/build-time/ci-envvars.yaml

@@ -219,8 +219,8 @@ formatters:
         desc: >-
           By default, the fcli `ci` action will wait for the SAST scan to complete. This behavior can be
           overridden by setting `DO_SAST_WAIT` to `false`, but note that doing so will skip any post-scan
-          tasks. The `SAST_WAIT_EXTRA_OPTS` environment variable can be used to pass extra options to the
-          `fcli sc-sast scan wait-for` command, for example to adjust the polling interval or timeout.
+          tasks. The `SAST_WAIT_EXTRA_OPTS` environment variable can be used to pass extra options to
+          the `fcli sc-sast scan wait-for` command, for example to adjust the polling interval or timeout.
     postScan:
       - names: DO_APPVERSION_SUMMARY\nAPPVERSION_SUMMARY_ACTION\nAPPVERSION_SUMMARY_EXTRA_OPTS
         desc: >-

fcli-core/fcli-aviator-common/src/main/java/com/fortify/cli/aviator/core/IssueAuditor.java

@@ -141,9 +141,9 @@ public AuditOutcome performAudit(Map<String, AuditResponse> auditResponses, Stri
         LOG.info("Built {} user prompts from vulnerabilities", userPrompts.size());
 
         userPrompts = userPrompts.stream().filter(this::shouldInclude).collect(Collectors.toList());
-        int totalIssuesToAudit = userPrompts.size();
 
         ConcurrentLinkedDeque<UserPrompt> filteredUserPrompts = getIssuesToAudit();
+        int totalIssuesToAudit = filteredUserPrompts.size();
         logger.progress("Filtered issues count: %d", filteredUserPrompts.size());
 
         if (filteredUserPrompts.isEmpty()) {

fcli-core/fcli-aviator-common/src/main/java/com/fortify/cli/aviator/grpc/AviatorGrpcClient.java

@@ -113,9 +113,7 @@ public class AviatorGrpcClient implements AutoCloseable {
     private final CountDownLatch initLatch = new CountDownLatch(1);
     private final Semaphore requestSemaphore;
     private final AtomicInteger outstandingRequests = new AtomicInteger(0);
-    private volatile StreamObserver<UserPromptRequest> requestObserver;
-    private final AtomicBoolean streamCompleted = new AtomicBoolean(false);
-    private volatile boolean isStreamActive = false;
+    private RequestHandler<UserPromptRequest> requestHandler;
 
     private final ScheduledExecutorService pingScheduler;
     private ScheduledFuture<?> pingTask;
@@ -231,7 +229,7 @@ private void stopPingPong() {
     // Send ping message
     private void sendPing() {
         try {
-            if (requestObserver != null && !streamCompleted.get() && isStreamActive) {
+            if (requestHandler != null && requestHandler.isReady()) {
                 PingRequest pingRequest = PingRequest.newBuilder()
                         .setStreamId(streamId)
                         .setTimestamp(System.currentTimeMillis())
@@ -242,23 +240,23 @@ private void sendPing() {
                         .build();
 
                 LOG.info("Sending ping streamId: {}", streamId);
-                requestObserver.onNext(pingMsg);
+                requestHandler.sendRequest(pingMsg);
             }
         } catch (Exception e) {
-            if (!streamCompleted.get()) {
+            if (requestHandler != null && !requestHandler.isCompleted()) {
                 LOG.warn("Failed to send ping: {}", e.getMessage());
             }
         }
     }
 
     public CompletableFuture<Map<String, AuditResponse>> processBatchRequests(
             Queue<UserPrompt> requests, String projectName, String token) {
-        isStreamActive = true;
         if (requests == null || requests.isEmpty()) {
             LOG.info("No issues to process");
             return CompletableFuture.completedFuture(new HashMap<>());
         }
 
+        requestHandler = new RequestHandler<>(streamId);
         logger.info("Starting processing - Total Issues: " + requests.size());
         CompletableFuture<Map<String, AuditResponse>> resultFuture = new CompletableFuture<>();
         Map<String, AuditResponse> responses = new ConcurrentHashMap<>();
@@ -272,7 +270,7 @@ public CompletableFuture<Map<String, AuditResponse>> processBatchRequests(
 
                     @Override
                     public void beforeStart(ClientCallStreamObserver<UserPromptRequest> requestStream) {
-                        requestObserver = requestStream;
+                        requestHandler.initialize(requestStream);
                     }
 
                     @Override
@@ -303,10 +301,9 @@ public void onNext(AuditorResponse response) {
                             String cliMessage = "Internal server error occurred";
                             logger.error(cliMessage);
                             resultFuture.completeExceptionally(new AviatorTechnicalException(cliMessage));
-                            if (requestObserver != null) {
-                                requestObserver.onCompleted();
+                            if (requestHandler != null) {
+                                requestHandler.complete();
                             }
-                            streamCompleted.set(true);
                             latch.countDown();
                             return;
                         }
@@ -315,7 +312,6 @@ public void onNext(AuditorResponse response) {
                             handleBackpressureWarning();
                         } else if ("BACKPRESSURE_VIOLATION".equals(response.getStatus())) {
                             logger.error("Server terminated stream due to backpressure violations: {}", response.getStatusMessage());
-                            streamCompleted.set(true);
                             if (!resultFuture.isDone()) {
                                 resultFuture.completeExceptionally(new AviatorTechnicalException("Stream terminated by server: " + response.getStatusMessage()));
                             }
@@ -341,8 +337,8 @@ public void onNext(AuditorResponse response) {
                             } else {
                                 logger.progress("Stream initialization failed: " + response.getStatusMessage());
                                 resultFuture.completeExceptionally(new AviatorTechnicalException("Stream initialization failed: " + response.getStatusMessage()));
-                                if (requestObserver != null) {
-                                    requestObserver.onCompleted();
+                                if (requestHandler != null) {
+                                    requestHandler.complete();
                                 }
                                 latch.countDown();
                             }
@@ -357,8 +353,8 @@ public void onNext(AuditorResponse response) {
 
                             if (completed + errorRequests.get() >= totalRequests) {
                                 logger.info("All requests processed, completing stream");
-                                if (streamCompleted.compareAndSet(false, true) && requestObserver != null) {
-                                    requestObserver.onCompleted();
+                                if (requestHandler != null && !requestHandler.isCompleted()) {
+                                    requestHandler.complete();
                                 }
                                 if (!resultFuture.isDone()) {
                                     resultFuture.complete(responses);
@@ -410,29 +406,27 @@ public void onCompleted() {
                             .build())
                     .build();
 
-            requestObserver.onNext(initRequest);
+            requestHandler.sendRequest(initRequest);
             LOG.info("Client Id  for stream initialization {}",streamId);
 
             processingExecutor.submit(() -> {
                 try {
                     if (!initLatch.await(30, TimeUnit.SECONDS)) {
                         throw new AviatorTechnicalException("Stream initialization timed out");
                     }
-                    processRequests(requests, requestObserver);
+                    processRequests(requests);
                 } catch (InterruptedException e) {
                     Thread.currentThread().interrupt();
                     throw new AviatorTechnicalException("Interrupted during request processing", e);
                 } catch (Exception e) {
-                    if (!streamCompleted.get()) {
+                    if (!requestHandler.isCompleted()) {
                         throw new AviatorTechnicalException("Error during request processing execution", e);
                     }
                     LOG.warn("Exception caught after stream completion during processing execution", e);
                 }
             });
         } catch (Exception e) {
-            if (requestObserver != null) {
-                requestObserver.onError(e);
-            }
+            requestHandler.sendError(e);
             throw new AviatorTechnicalException("Error initiating batch processing", e);
         }
 
@@ -445,12 +439,12 @@ public void onCompleted() {
         });
     }
 
-    private void processRequests(Queue<UserPrompt> requests, StreamObserver<UserPromptRequest> observer) {
+    private void processRequests(Queue<UserPrompt> requests) {
         logger.progress("Starting to process issues...");
         AtomicInteger failedRequests = new AtomicInteger(0);
         AtomicInteger pendingRequests = new AtomicInteger(0);
 
-        while (!requests.isEmpty() && !isShutdown.get() && !streamCompleted.get()) {
+        while (!requests.isEmpty() && !isShutdown.get() && !requestHandler.isCompleted()) {
             boolean acquiredSemaphore = false;
             try {
                 requestSemaphore.acquire();
@@ -461,11 +455,11 @@ private void processRequests(Queue<UserPrompt> requests, StreamObserver<UserProm
                     Thread.sleep(backoffMs);
                 }
 
-                while (pendingRequests.get() >= serverWindowSize.get() * 0.9 && !isShutdown.get() && !streamCompleted.get()) {
+                while (pendingRequests.get() >= serverWindowSize.get() * 0.9 && !isShutdown.get() && !requestHandler.isCompleted()) {
                     Thread.sleep(50);
                 }
 
-                if (streamCompleted.get()) {
+                if (requestHandler.isCompleted()) {
                     break;
                 }
 
@@ -505,15 +499,15 @@ private void processRequests(Queue<UserPrompt> requests, StreamObserver<UserProm
 
                 pendingRequests.decrementAndGet();
             } catch (InterruptedException ie) {
-                if (!streamCompleted.get()) {
+                if (!requestHandler.isCompleted()) {
                     Thread.currentThread().interrupt();
                     throw new AviatorTechnicalException("Thread interrupted while processing requests", ie);
                 }
                 break;
             } catch (AviatorSimpleException e) {
                 throw e;
             } catch (Exception e) {
-                if (!streamCompleted.get()) {
+                if (!requestHandler.isCompleted()) {
                     LOG.error("Error processing request: {}", e.getMessage(), e);
                     throw new AviatorTechnicalException("Error processing request", e);
                 }
@@ -528,12 +522,12 @@ private void processRequests(Queue<UserPrompt> requests, StreamObserver<UserProm
     private boolean sendRequestWithRetry(UserPromptRequest request, int maxRetries) {
         for (int attempt = 0; attempt < maxRetries; attempt++) {
             try {
-                if (requestObserver == null) {
-                    LOG.debug("Request observer is null, aborting send");
+                if (requestHandler == null || !requestHandler.isReady()) {
+                    LOG.debug("Request Handler is not ready, aborting send");
                     return false;
                 }
 
-                if (streamCompleted.get()) {
+                if (requestHandler.isCompleted()) {
                     return false;
                 }
 
@@ -543,12 +537,12 @@ private boolean sendRequestWithRetry(UserPromptRequest request, int maxRetries)
                     throw new AviatorSimpleException("Message size exceeds maximum allowed limit");
                 }
 
-                requestObserver.onNext(request);
+                CompletableFuture<Boolean> result = requestHandler.sendRequest(request);
                 return true;
             } catch (AviatorSimpleException e) {
                 throw e; // Propagate user-facing errors
             } catch (Exception e) {
-                if (!streamCompleted.get()) {
+                if (!requestHandler.isCompleted()) {
                     LOG.error("Error sending request (attempt {}): {}", attempt + 1, e.getMessage());
                 }
                 if (attempt == maxRetries - 1) {
@@ -603,27 +597,16 @@ public void close() {
         isShutdown.set(true);
         stopPingPong();
         try {
-            if (isStreamActive && !latch.await(10, TimeUnit.SECONDS)) {
+            if (requestHandler != null && requestHandler.isReady() && !latch.await(10, TimeUnit.SECONDS)) {
                 LOG.warn("Timed out waiting for stream completion");
             }
         } catch (InterruptedException e) {
             Thread.currentThread().interrupt();
             LOG.warn("Interrupted while waiting for stream completion");
         }
-        if (requestObserver != null && !streamCompleted.get()) {
+        if (requestHandler != null && !requestHandler.isCompleted()) {
             try {
-                if (requestObserver instanceof ClientCallStreamObserver) {
-                    ClientCallStreamObserver<?> clientObserver = (ClientCallStreamObserver<?>) requestObserver;
-                    if (clientObserver.isReady()) {
-                        streamCompleted.set(true);
-                        requestObserver.onCompleted();
-                        LOG.debug("Request observer completed");
-                    } else {
-                        LOG.debug("Request observer not ready, skipping onCompleted");
-                    }
-                } else {
-                    LOG.debug("Request observer is not a ClientCallStreamObserver, skipping onCompleted");
-                }
+                requestHandler.complete().get(5, TimeUnit.SECONDS);
             } catch (Exception e) {
                 LOG.debug("Exception during request observer completion, likely already closed: {}", e.getMessage());
             }
@@ -636,16 +619,18 @@ public void close() {
                 Thread.currentThread().interrupt();
                 LOG.warn("Interrupted during channel shutdown");
             } finally {
-                processingExecutor.shutdown();
-                try {
-                    if (!processingExecutor.awaitTermination(5, TimeUnit.SECONDS)) {
+                if (processingExecutor != null){
+                    processingExecutor.shutdown();
+                    try {
+                        if (!processingExecutor.awaitTermination(5, TimeUnit.SECONDS)) {
+                            processingExecutor.shutdownNow();
+                            LOG.debug("Processing executor forcibly shut down");
+                        }
+                    } catch (InterruptedException e) {
                         processingExecutor.shutdownNow();
-                        LOG.debug("Processing executor forcibly shut down");
+                        Thread.currentThread().interrupt();
+                        LOG.warn("Interrupted during executor shutdown");
                     }
-                } catch (InterruptedException e) {
-                    processingExecutor.shutdownNow();
-                    Thread.currentThread().interrupt();
-                    LOG.warn("Interrupted during executor shutdown");
                 }
             }
         }