Merge branch 'fortify:dev/v3.x' into develop

Author: SangameshV

.release-please-manifest.json

@@ -1,3 +1,3 @@
 {
-  ".": "3.5.1"
+  ".": "3.6.0"
 }

CHANGELOG.md

@@ -1,5 +1,27 @@
 # Changelog
 
+## [3.6.0](https://github.com/fortify/fcli/compare/v3.5.2...v3.6.0) (2025-06-14)
+
+
+### Features
+
+* `*-sast-report` actions: Add `--source-dir` option to allow for matching Fortify-reported source file paths against repository file paths (fixes [#749](https://github.com/fortify/fcli/issues/749)) ([775c5a3](https://github.com/fortify/fcli/commit/775c5a32ca65c435dd77d5eb760ddfda70796c95))
+* `ci` actions: Automatically pass `--source-dir` option to SAST report actions (fixes [#749](https://github.com/fortify/fcli/issues/749)) ([775c5a3](https://github.com/fortify/fcli/commit/775c5a32ca65c435dd77d5eb760ddfda70796c95))
+* `fcli fod`: New `fcli fod oss list-components` command (resolves [#244](https://github.com/fortify/fcli/issues/244)) ([775c5a3](https://github.com/fortify/fcli/commit/775c5a32ca65c435dd77d5eb760ddfda70796c95))
+
+
+### Bug Fixes
+
+* `fcli fod sast-scan setup`: Allow assessment type to be specified by Id or Name (resolves [#738](https://github.com/fortify/fcli/issues/738)) ([775c5a3](https://github.com/fortify/fcli/commit/775c5a32ca65c435dd77d5eb760ddfda70796c95))
+* `fcli fod`: Fix issue with page handling in REST responses, potentially causing issues if more than 9 pages of results are available on FoD ([775c5a3](https://github.com/fortify/fcli/commit/775c5a32ca65c435dd77d5eb760ddfda70796c95))
+
+## [3.5.2](https://github.com/fortify/fcli/compare/v3.5.1...v3.5.2) (2025-06-05)
+
+
+### Bug Fixes
+
+* `fcli aviator`: Handle 0-byte and corrupted ZIP entries during FPR processing ([3140991](https://github.com/fortify/fcli/commit/31409913b33456b4515100572ab8d029a02cd4a0))
+
 ## [3.5.1](https://github.com/fortify/fcli/compare/v3.5.0...v3.5.1) (2025-05-22)
 
 

fcli-core/fcli-common/src/main/java/com/fortify/cli/common/action/runner/ActionRunnerHelper.java

@@ -48,7 +48,9 @@ public static final Object getValueAsObject(ActionRunnerVars vars, TemplateExpre
 
     public static final JsonNode getValueAsJsonNode(ActionRunnerVars vars, TemplateExpressionWithFormatter templateExpressionWithFormatter) {
         var rawValue = getValueAsObject(vars, templateExpressionWithFormatter);
-        return rawValue==null ? null : JsonHelper.getObjectMapper().valueToTree(rawValue);
+        if ( rawValue==null ) { return null; }
+        if ( rawValue instanceof JsonNode ) { return (JsonNode)rawValue; }
+        return JsonHelper.getObjectMapper().valueToTree(rawValue);
     }
 
     public static final Object formatValueAsObject(ActionRunnerContext ctx, ActionRunnerVars vars, TemplateExpressionWithFormatter templateExpressionWithFormatter) {

fcli-core/fcli-common/src/main/java/com/fortify/cli/common/action/runner/ActionRunnerVars.java

@@ -25,6 +25,8 @@
 
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.ObjectWriter;
+import com.fasterxml.jackson.databind.SerializationFeature;
 import com.fasterxml.jackson.databind.node.ArrayNode;
 import com.fasterxml.jackson.databind.node.ObjectNode;
 import com.fasterxml.jackson.databind.node.TextNode;
@@ -45,6 +47,7 @@
 public final class ActionRunnerVars {
     private static final Logger LOG = LoggerFactory.getLogger(ActionRunnerVars.class);
     private static final ObjectMapper objectMapper = JsonHelper.getObjectMapper();
+    private static final ObjectWriter debugObjectWriter = new ObjectMapper().configure(SerializationFeature.FAIL_ON_EMPTY_BEANS, false).writerWithDefaultPrettyPrinter();
     private static final String GLOBAL_VAR_NAME = "global";
     private static final String CLI_OPTIONS_VAR_NAME = "cli";
     private static final String[] PROTECTED_VAR_NAMES = {GLOBAL_VAR_NAME, CLI_OPTIONS_VAR_NAME};
@@ -134,15 +137,15 @@ public final void set(String name, JsonNode value) {
             getter = globalValues::get;
         }
         var finalName = name; // Needed for lambda below
-        logDebug(()->String.format("Set %s: %s", finalName, value==null ? null : value.toPrettyString()));
+        logDebug(()->String.format("Set %s: %s", finalName, toDebugString(value)));
         _set(finalName, value, getter, setter);
     }
 
     /**
      * Set a variable on this instance only
      */
     public final void setLocal(String name, JsonNode value) {
-        logDebug(()->String.format("Set Local %s: %s", name, value==null ? null : value.toPrettyString()));
+        logDebug(()->String.format("Set Local %s: %s", name, toDebugString(value)));
         _set(name, value, values::get, values::set);
     }
 
@@ -244,4 +247,12 @@ private static final void logDebug(Supplier<String> messageSupplier) {
             LOG.debug(messageSupplier.get());
         }
     }
+    
+    private static final String toDebugString(JsonNode value) {
+        try {
+            return value==null ? null : debugObjectWriter.writeValueAsString(value);
+        } catch ( Exception e ) {
+            return "<ERROR FORMATTING VALUE>";
+        }
+    }
 }

fcli-core/fcli-common/src/main/java/com/fortify/cli/common/action/runner/ActionSpelFunctions.java

@@ -40,6 +40,7 @@
 
 import com.fasterxml.jackson.databind.node.ArrayNode;
 import com.fasterxml.jackson.databind.node.ObjectNode;
+import com.fasterxml.jackson.databind.node.POJONode;
 import com.formkiq.graalvm.annotations.Reflectable;
 import com.fortify.cli.common.action.helper.ActionLoaderHelper;
 import com.fortify.cli.common.action.helper.ActionLoaderHelper.ActionSource;
@@ -48,6 +49,7 @@
 import com.fortify.cli.common.json.JSONDateTimeConverter;
 import com.fortify.cli.common.json.JsonHelper;
 import com.fortify.cli.common.util.EnvHelper;
+import com.fortify.cli.common.util.IssueSourceFileResolver;
 import com.fortify.cli.common.util.StringUtils;
 
 import lombok.NoArgsConstructor;
@@ -432,6 +434,13 @@ public static final ArrayNode properties(ObjectNode o) {
         return result;
     }
 
+    public static final POJONode issueSourceFileResolver(Map<String,String> config) {
+        var sourceDir = config.get("sourceDir");
+        var builder = IssueSourceFileResolver.builder().sourcePath(StringUtils.isBlank(sourceDir) ? null : Path.of(sourceDir) );
+        // TODO Update builder based on other config properties
+        return new POJONode(builder.build());
+    }
+    
     public static final String copyright() {
         return String.format("Copyright (c) %s Open Text", Year.now().getValue());
     }

fcli-core/fcli-common/src/main/java/com/fortify/cli/common/rest/unirest/URIHelper.java

@@ -38,7 +38,7 @@ public static final URI addOrReplaceParam(URI uri, String param, Object newValue
         // Note that this only works for simple parameter names, not parameter names that
         // contain characters that have a special meaning in regex. For example, if param
         // contains a dot like in a.c=value, we'd also match and remove abc=value.
-        var pattern = String.format("^%s=[^&]+&?|&%s=[^&]", param, param);
+        var pattern = String.format("^%s=[^&]*+&?|&%s=[^&]*", param, param);
         var query = uri.getQuery();
         if (StringUtils.isNotBlank(query)) { query = query.replaceAll(pattern, ""); }
         var newParamAndValue = String.format("%s=%s", param, URLEncoder.encode(newValue.toString(), StandardCharsets.UTF_8));

fcli-core/fcli-common/src/main/java/com/fortify/cli/common/util/FileUtils.java

@@ -238,4 +238,17 @@ public static final boolean isFilePathInUse(Path path) {
         }
         return false;
     }
+
+    /**
+     * Convert the given path to a string, using the given separator character.
+     * If given path is null, null will be returned.
+     */
+    public static final String pathToString(Path path, char separatorChar) {
+        if ( path==null ) { return null; }
+        StringBuilder result = new StringBuilder();
+        path.iterator().forEachRemaining(part -> result.append(separatorChar).append(part));
+        if ( !path.isAbsolute() ) { result.deleteCharAt(0); } // Remove leading separator character if path is not absolute
+        // TODO If original path contains a drive letter, should we include this?
+        return result.toString();
+    }
 }

fcli-core/fcli-common/src/main/java/com/fortify/cli/common/util/IssueSourceFileResolver.java

@@ -0,0 +1,199 @@
+/**
+ * Copyright 2023 Open Text.
+ *
+ * The only warranties for products and services of Open Text 
+ * and its affiliates and licensors ("Open Text") are as may 
+ * be set forth in the express warranty statements accompanying 
+ * such products and services. Nothing herein should be construed 
+ * as constituting an additional warranty. Open Text shall not be 
+ * liable for technical or editorial errors or omissions contained 
+ * herein. The information contained herein is subject to change 
+ * without notice.
+ */
+package com.fortify.cli.common.util;
+
+import java.io.File;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.concurrent.atomic.AtomicReference;
+import java.util.stream.Stream;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.formkiq.graalvm.annotations.Reflectable;
+
+import lombok.Builder;
+import lombok.Getter;
+import lombok.RequiredArgsConstructor;
+import lombok.SneakyThrows;
+
+/**
+ * <p>Due to the way that Fortify packages and scans code, source file paths returned by FoD and SSC
+ * may not exactly match original source file paths. In some cases, a leading path may be added
+ * by Fortify, like /scancentral12345678/work/..., whereas in other cases, leading paths may be
+ * stripped, like removing src/main/java from a path like src/main/java/my/pkg/Class.java</p>
+ * 
+ * <p>This may lead to user confusion, and may cause issues when importing reports generated by
+ * fcli actions like gitlab-sast-report or github-sast-report into the respective 3rd-party systems, 
+ * as these systems will then be unable to match the file path on which an issue is being reported
+ * against an actual repository path.</p>
+ * 
+ * <p>To work around these issues, this class attempts to map Fortify-provided issue source file 
+ * paths against local file system paths relative to a given source code directory, basically 
+ * finding the longest matching path suffix.</p>
+ *  
+ * @author Ruud Senden
+ */
+// TODO Also see TODO comments in IssueSourceFileResolverTest
+// TODO How to handle absolute paths? Always return as-is (or null if not existing and OnNoMatch.NULL)? Or try to resolve against sourcePath?
+// TODO How to handle drive letters (with either absolute or relative path)?
+@Builder @Reflectable
+public class IssueSourceFileResolver {
+    private static final Logger LOG = LoggerFactory.getLogger(IssueSourceFileResolver.class);
+    @Getter private final Path sourcePath;
+    @Builder.Default private final OnNoMatch onNoMatch = OnNoMatch.ORIGINAL;
+    @Builder.Default private final FileSeparator separatorOnReturn = FileSeparator.LINUX;
+    private final AtomicReference<SourceFileIndex> indexReference = new AtomicReference<>();
+    
+    /**
+     * Find the given {@link Path} in the configured source path. Based on the Fortify behavior
+     * described in the class description, if the configured source path contains a single file 
+     * <code>src/main/java/com/fortify/X.java</code>, this method will return a relative {@link Path} 
+     * representing <code>src/main/java/com/fortify/X.java</code> for each of the following input paths:
+     * <ul>
+     *  <li><code>scancentral123/work/src/main/java/com/fortify/X.java</code></li>
+     *  <li><code>any/leading/dir/src/main/java/com/fortify/X.java</code></li>
+     *  <li><code>src/main/java/com/fortify/X.java</code></li>
+     *  <li><code>main/java/com/fortify/X.java</code></li>
+     *  <li><code>java/com/fortify/X.java</code></li>
+     *  <li><code>com/fortify/X.java</code></li>
+     *  <li><code>fortify/X.java</code></li>
+     *  <li><code>X.java</code></li>
+     * </ul>
+     * Any other input path will be considered a non-matching path, in which case either the given 
+     * path or <code>null</code> will be returned, based on the configured {@link OnNoMatch} setting.
+     * In particular, note that if the given path includes a leading directory, it will only match
+     * if any of its sub-paths match the full relative source path. With the example above, this
+     * means that <code>scancentral123/work/com/fortify/X.java</code> will be considered non-matching,
+     * as it lacks the <code>src/main/java</code> path.
+     */
+    public final Path resolve(Path issuePath) {
+        var result = indexReference.updateAndGet(this::createIndexIfNull).resolve(issuePath);
+        if ( result!=null && LOG.isTraceEnabled() ) { LOG.trace("Resolved issue path {} to source path {}", issuePath, result); }
+        if ( result==null && onNoMatch==OnNoMatch.ORIGINAL ) {
+            result = issuePath;
+        }
+        return result;
+    }
+    
+    /**
+     * This is the {@link String}-based variant of {@link #resolve(Path)}:
+     * <ol>
+     *  <li>Convert the given {@link String} into a {@link Path} instance</li>
+     *  <li>Call the {@link #resolve(Path)} method to find this path in the configured source path</li>
+     *  <li>Convert the {@link Path} instance returned by {@link #resolve(Path)} into a {@link String},
+     *      using the configured {@link #separatorOnReturn} file separator.</li>
+     * </ol>
+     */
+    public final String resolve(String issuePath) {
+        return FileUtils.pathToString(resolve(Path.of(issuePath)), separatorOnReturn.getSeparatorChar());
+    }
+    
+    private final SourceFileIndex createIndexIfNull(SourceFileIndex index) {
+        if ( index==null ) {
+            index = new SourceFileIndex(sourcePath);
+        }
+        return index;
+    }
+    
+    public static enum OnNoMatch {
+        NULL, ORIGINAL
+    }
+    
+    @RequiredArgsConstructor
+    public static enum FileSeparator {
+        LINUX('/'), WINDOWS('\\'), PLATFORM(File.separatorChar);
+        
+        @Getter private final char separatorChar;
+    }
+    
+    private static final class SourceFileIndex {
+        /** Full relative paths, like src/main/java/com/fortify/X.java */
+        private final Map<String,Path> fullRelativePathsIndex;
+        /** Full and partial relative paths, like src/main/java/com/fortify/X.java, com/fortify/X.java, X.java */ 
+        private final Map<String,Path> fullAndPartialRelativePathsIndex;
+        
+        private SourceFileIndex(Path sourcePath) {
+            this.fullRelativePathsIndex = createFullRelativePathsIndex(sourcePath);
+            this.fullAndPartialRelativePathsIndex = createFullAndPartialRelativePathsIndex(fullRelativePathsIndex.values());
+        }
+        
+        /**
+         * <p>This method first tries to match the given path against {@link #fullAndPartialRelativePathsIndex}, which, given a 
+         * source path <code>src/main/java/com/fortify/X.java</code>, will match each of the following input paths:
+         * <code>X.java</code>, <code>com/fortify/X.java</code>, and <code>src/main/java/com/fortify/X.java</code>. This handles 
+         * situations where Fortify strips leading directories.</p>
+         * 
+         * <p>If no match is found in {@link #fullAndPartialRelativePathsIndex}, this method will then attempt to match any of 
+         * the sub-paths in the given path against {@link #fullRelativePathsIndex}, which, given a source path
+         * <code>src/main/java/com/fortify/X.java</code>, will match an input path like 
+         * <code>any/leading/dir/src/main/java/com/fortify/X.java</code>, but not <code>any/leading/dir/com/fortify/X.java</code>.</p> 
+         */
+        protected final Path resolve(Path path) {
+            var normalizedPath = path.normalize();
+            var result = fullAndPartialRelativePathsIndex.get(pathToString(normalizedPath));
+            return result!=null ? result : resolveSubPathFromFullRelativePathsIndex(path);
+        }
+
+        private Path resolveSubPathFromFullRelativePathsIndex(Path normalizedPath) {
+            var result = fullRelativePathsIndex.get(pathToString(normalizedPath));
+            if ( result==null ) {
+                var nameCount = normalizedPath.getNameCount();
+                if ( nameCount > 1 ) {
+                    return resolveSubPathFromFullRelativePathsIndex(normalizedPath.subpath(1, nameCount));
+                }
+            }
+            return result;
+        }
+
+        @SneakyThrows
+        private static final Map<String, Path> createFullRelativePathsIndex(Path sourcePath) {
+            var result = new HashMap<String, Path>();
+            if ( sourcePath!=null && Files.isDirectory(sourcePath) ) {
+                var normalizedSourcePath = sourcePath.normalize();
+                try (Stream<Path> stream = Files.walk(normalizedSourcePath)) {
+                    stream.filter(Files::isRegularFile)
+                          .forEach(p->addPathToFullRelativePathsIndex(result, normalizedSourcePath.relativize(p.normalize())));
+                }
+            }
+            return result;
+        }
+
+        private static final void addPathToFullRelativePathsIndex(Map<String, Path> result, Path fullRelativePath) {
+            if ( LOG.isTraceEnabled() ) { LOG.trace("Adding source path {} to index", fullRelativePath); }
+            result.put(pathToString(fullRelativePath), fullRelativePath);
+        }
+        
+        private static final Map<String, Path> createFullAndPartialRelativePathsIndex(Collection<Path> fullRelativePaths) {
+            var result = new HashMap<String, Path>();
+            fullRelativePaths.forEach(p->addPathToFullAndPartialRelativePathsIndex(result, p, p));
+            return result;
+        }
+        
+        private static final void addPathToFullAndPartialRelativePathsIndex(Map<String, Path> index, Path fullRelativePath, Path partialRelativePath) {
+            index.put(pathToString(partialRelativePath), fullRelativePath);
+            var nameCount = partialRelativePath.getNameCount(); 
+            if ( nameCount > 1 ) {
+                addPathToFullAndPartialRelativePathsIndex(index, fullRelativePath, partialRelativePath.subpath(1, nameCount));
+            }
+        }
+        
+        private static final String pathToString(Path normalizedPath) {
+            return FileUtils.pathToString(normalizedPath, '/');
+        }
+    }
+}

fcli-core/fcli-common/src/main/resources/com/fortify/cli/common/actions/zip/ci-vars.yaml

@@ -22,6 +22,7 @@ steps:
       global.ci.qualifiedRepoName:  # Fully qualified repository name
       global.ci.sourceBranch:       # The current branch being processed/scanned 
       global.ci.commitSHA:          # Commit SHA for current commit
+      global.ci.sourceDir:          # Directory containing source files to be scanned           
       # The following are set by default at the end, but may be overridden by individual CI configurations
       global.fod.prCommentAction:   # FoD PR comment action
       global.ssc.prCommentAction:   # SSC PR comment action
@@ -40,6 +41,7 @@ steps:
       global.ci.qualifiedRepoName: ${#env('GITHUB_REPOSITORY')}
       global.ci.sourceBranch:      ${#env('GITHUB_HEAD_REF')?:#env('GITHUB_REF_NAME')}
       global.ci.commitSHA:         ${#env('GITHUB_SHA')}
+      global.ci.sourceDir:         ${#env('SOURCE_DIR')?:#env('GITHUB_WORKSPACE')?:'.'}
 
   # GitLab
   - if: ${#env('GITLAB_CI')=='true'}
@@ -49,6 +51,7 @@ steps:
       global.ci.qualifiedRepoName: ${#env('CI_REPOSITORY_URL').replaceAll('[^:]+://[^/]+/','').replaceAll('\.git$', '')}
       global.ci.sourceBranch:      ${#env('CI_COMMIT_BRANCH')?:#env('CI_MERGE_REQUEST_SOURCE_BRANCH_NAME')}
       global.ci.commitSHA:         ${#env('CI_COMMIT_SHA')}
+      global.ci.sourceDir:         ${#env('SOURCE_DIR')?:#env('CI_PROJECT_DIR')?:'.'}
 
   # Azure DevOps
   - if: ${#isNotBlank(#env('Build.Repository.Name'))}

fcli-core/fcli-common/src/test/java/com/fortify/cli/common/rest/unirest/URIHelperTest.java

@@ -33,6 +33,8 @@ public class URIHelperTest {
         "?o=5&oo=5,?oo=5&o=10",
         "?oo=5&o=5&oo=7,?oo=5&oo=7&o=10",
         "?oo=5&o=5&o=6&oo=7,?oo=5&oo=7&o=10",
+        "?oo=5&o=50&o=60&oo=7,?oo=5&oo=7&o=10",
+        "?oo=5&o=500&o=600&oo=7,?oo=5&oo=7&o=10",
     })
     public void testAddOrReplaceParam(String input, String expected) throws Exception {
         if ( input==null ) { input = ""; }