fix: Core: Various bug fixes and many other improvements
fix!: Core: Most commands/options now use case-sensitive matching to avoid inconsistent behavior between server-side and client-side matching

feat!: Core: Change fcli variable syntax & behavior for easier use

feat!: Core: Change query expression syntax to allow for advanced queries

feat: Core: Add support for interactive confirmation on commands that require confirmation

feat!: Core: Restructure fcli home/data directories. Configuration & session data stored by earlier fcli versions will not be available after upgrading, and will not be automatically removed. It's recommended to manually delete the ~/.fortify/fcli folder when upgrading, and then use the new fcli version to re-apply configuration settings.

feat!: Core: Change environment variable names for better clarity and to avoid conflicts with other Fortify command-line utilities

feat!: Core: The .jar version of fcli now requires Java 17 or higher to run

feat!: `fcli config`: Restructure command tree & options for consistency & ease of use

feat!: `fcli config`: Move variable-related commands to `fcli util`

feat: `fcli fod`: Move out of preview mode, now officially supported

feat!: `fcli fod`: Restructure existing commands & options for consistency & ease of use

feat: `fcli fod`: Fixes, usability improvements & new commands for managing applications, microservices, releases, scans & scan results

feat: `fcli fod`: Various other fixes & usability improvements

feat!: `fcli sc-dast`: Minor restructuring of command tree & options for consistency & ease of use

feat: `fcli sc-dast`: Various fixes & usability improvements

feat!: `fcli sc-sast`: Minor restructuring of command options for consistency & ease of use

feat: `fcli sc-sast`: New command for listing ScanCentral SAST sensors

feat: `fcli sc-sast`: Various fixes & usability improvements

feat!: `fcli ssc`: Restructure existing commands & options for consistency & ease of use

feat: `fcli ssc`: New commands for creating local users, refreshing metrics, listing rule packs & listing SSC configuration settings

feat: `fcli ssc`: New commands for managing performance indicators & variables (PREVIEW)

feat: `fcli ssc`: Add support for applying filters on issue counts

feat: `fcli ssc`: Add support for embedding additional data on `fcli ssc appversion get/list` commands

feat: `fcli ssc`: Various other fixes & usability improvements

feat: `fcli license`: New command, adding support for generating MSP & NCD license usage reports

feat: `fcli tool`: Add support for FortifyBugTrackerUtility

feat!: `fcli tool`: Minor restructuring of command options for consistency & ease of use

feat: `fcli tool`: Improve tool version & digest handling

feat: `fcli util`: Add variable-related commands (moved from `fcli config`)

feat: `fcli util`: Add various other utility commands
rsenden committed Oct 25, 2023
1 parent 6a8b2b8 commit 21892d1
Showing 1,789 changed files with 122,609 additions and 45,214 deletions.
61 changes: 26 additions & 35 deletions .github/workflows/ci.yml
@@ -1,13 +1,15 @@
name: Build and release
on:
workflow_dispatch:

push:
branches:
- '**'

env:
native_image_opts: --verbose -H:Log=registerResource:verbose -H:+PrintClassInitialization
graal_version: 22.3.1
graal_java_version: 11
graal_distribution: graalvm-community
graal_java_version: 17

jobs:
build:
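Review bot: the env block drops the explicit `graal_version: 22.3.1` pin and replaces it with `graal_distribution: graalvm-community` plus `graal_java_version: 17`, so as far as this hunk shows the three native-image jobs below will resolve whatever GraalVM community build setup-graalvm currently maps to Java 17, and a GraalVM update can change the shipped binaries without any change in this repository. Consider pinning an explicit release (a full `17.0.x` java-version) and bumping it deliberately.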
@@ -16,6 +18,10 @@ jobs:
steps:
- name: Check-out source code
uses: actions/checkout@v3
- uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: '17'

- name: PROD - Prepare GitHub release
id: create_prod_release
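Review bot: the new setup-java step hard-codes `java-version: '17'` while the env block in this same file declares `graal_java_version: 17`; reference `${{ env.graal_java_version }}` here so the JDK used by Gradle and the one used by native-image cannot drift apart on a future bump.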
@@ -24,8 +30,8 @@ jobs:
with:
command: github-release
release-type: simple
package-name: ${{ github.event.repository.name }}
default-branch: main
package-name: ${{ github.event.repository.name }}
default-branch: main

- name: PROD - Define release info
if: steps.create_prod_release.outputs.release_created
@@ -62,7 +68,7 @@ jobs:
- name: Build release ${{env.RELEASE_VERSION}}
if: env.DO_BUILD
run: ./gradlew clean build dist distThirdParty -Pversion=${{env.RELEASE_VERSION}}
run: ./gradlew clean build dist distThirdPartyReleaseAsset distFtest -Pversion=${{env.RELEASE_VERSION}}

- name: Check fcli version
if: env.DO_BUILD
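Review bot: the build step now invokes `distThirdPartyReleaseAsset` and `distFtest` instead of `distThirdParty`; neither task is visible in this diff, so confirm both are defined in the Gradle build changes of this commit. The later hunks also assume the jar ends up at `./artifact/release-assets/fcli.jar`, so the `dist` task output layout must match that path or every native-image job fails at the `-jar` argument.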
@@ -71,7 +77,7 @@ jobs:
- name: Publish build artifacts
uses: actions/upload-artifact@v3
with:
path: build/dist/*
path: build/dist/**/*

outputs:
do_release: ${{ env.DO_RELEASE }}
@@ -92,7 +98,7 @@ jobs:

- uses: graalvm/setup-graalvm@v1
with:
version: ${{ env.graal_version }}
distribution: ${{ env.graal_distribution }}
java-version: ${{ env.graal_java_version }}
components: 'native-image'
native-image-musl: true
@@ -110,7 +116,7 @@ jobs:
# at build time (see https://www.graalvm.org/22.1/reference-manual/native-image/Properties/).
# We also exclude the native Jansi library resources, as these are now no longer needed.
- name: Create native fcli
run: native-image ${{ env.native_image_opts }} --static --libc=musl -Djansi.disable=true --initialize-at-build-time=com.fortify.cli.app.FortifyCLI -H:ExcludeResources="org/fusesource/jansi/internal/native/.*" -jar ./artifact/fcli.jar fcli
run: native-image ${{ env.native_image_opts }} --static --libc=musl -Djansi.disable=true --initialize-at-build-time=com.fortify.cli.app.FortifyCLI -H:ExcludeResources="org/fusesource/jansi/internal/native/.*" -jar ./artifact/release-assets/fcli.jar fcli

- name: Compress native fcli
uses: svenstaro/upx-action@v2
@@ -124,23 +130,23 @@ jobs:
run: ./fcli --version | tee /dev/stderr | grep -E '[0-9]+\.[0-9]+\.[0-9]+' >/dev/null || (echo "fcli --version doesn't output proper version number"; exit 1)

- name: Package native fcli
run: tar -zcvf fcli-linux.tgz fcli -C ./artifact fcli_completion
run: tar -zcvf artifact/release-assets/fcli-linux.tgz fcli -C ./artifact fcli_completion

- uses: actions/upload-artifact@v3
with:
path: ./fcli-linux.tgz
path: ./artifact/**/fcli-linux.tgz

native_mac:
name: native-image-mac
needs: build
runs-on: macos-12
runs-on: macos-latest
steps:
- name: Check-out source code
uses: actions/checkout@v3

- uses: graalvm/setup-graalvm@v1
with:
version: ${{ env.graal_version }}
distribution: ${{ env.graal_distribution }}
java-version: ${{ env.graal_java_version }}
components: 'native-image'
github-token: ${{ secrets.GITHUB_TOKEN }}
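Review bot: `runs-on: macos-latest` replaces the pinned `macos-12`; a floating label lets GitHub move this job to a different macOS image, and potentially a different CPU architecture, without any change in the repository, which matters for a native-image build whose output is shipped as a release asset. Pin an explicit image label and bump it deliberately.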
@@ -153,7 +159,7 @@ jobs:
# file to include native libraries for all platforms; we override this to include only the MacOS
# libraries
- name: Create native fcli
run: native-image ${{ env.native_image_opts }} -H:ExcludeResources="org/fusesource/jansi/internal/native/Windows/.*" -H:ExcludeResources="org/fusesource/jansi/internal/native/Linux/.*" -H:ExcludeResources="org/fusesource/jansi/internal/native/FreeBSD/.*" -jar ./artifact/fcli.jar fcli
run: native-image ${{ env.native_image_opts }} -march=compatibility -H:ExcludeResources="org/fusesource/jansi/internal/native/Windows/.*" -H:ExcludeResources="org/fusesource/jansi/internal/native/Linux/.*" -H:ExcludeResources="org/fusesource/jansi/internal/native/FreeBSD/.*" -jar ./artifact/release-assets/fcli.jar fcli

- name: Compress native fcli
uses: svenstaro/upx-action@v2
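Review bot: `-march=compatibility` is added to the native-image invocation, but the comment block above the step still only explains the Jansi resource exclusions; add a line noting that the flag restricts the binary to a baseline instruction set so it runs on older Macs, otherwise the next person touching this line may drop it as unexplained.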
@@ -164,11 +170,11 @@ jobs:
run: ./fcli --help && ./fcli get --help

- name: Package native fcli
run: tar -zcvf fcli-mac.tgz fcli -C ./artifact fcli_completion
run: tar -zcvf ./artifact/release-assets/fcli-mac.tgz fcli -C ./artifact fcli_completion

- uses: actions/upload-artifact@v3
with:
path: ./fcli-mac.tgz
path: ./artifact/**/fcli-mac.tgz

native_win:
name: native-image-win
@@ -177,7 +183,7 @@ jobs:
steps:
- uses: graalvm/setup-graalvm@v1
with:
version: ${{ env.graal_version }}
distribution: ${{ env.graal_distribution }}
java-version: ${{ env.graal_java_version }}
components: 'native-image'
github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -192,7 +198,7 @@ jobs:
- name: Create native fcli
run: >-
"C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat" &&
${{ env.JAVA_HOME }}\bin\native-image.cmd ${{ env.native_image_opts }} -H:ExcludeResources="org/fusesource/jansi/internal/native/Mac/.*" -H:ExcludeResources="org/fusesource/jansi/internal/native/Linux/.*" -H:ExcludeResources="org/fusesource/jansi/internal/native/FreeBSD/.*" -jar .\artifact\fcli.jar fcli
${{ env.JAVA_HOME }}\bin\native-image.cmd ${{ env.native_image_opts }} -H:ExcludeResources="org/fusesource/jansi/internal/native/Mac/.*" -H:ExcludeResources="org/fusesource/jansi/internal/native/Linux/.*" -H:ExcludeResources="org/fusesource/jansi/internal/native/FreeBSD/.*" -jar .\artifact\release-assets\fcli.jar fcli
shell: cmd

# We don't compress the Windows binary for now as this is incompatible with current Graal version.
@@ -208,11 +214,11 @@ jobs:
.\fcli.exe get --help
- name: Package native fcli
run: 7z a fcli-windows.zip fcli*.exe
run: 7z a artifact\release-assets\fcli-windows.zip fcli*.exe

- uses: actions/upload-artifact@v3
with:
path: ./fcli-windows.zip
path: ./artifact/**/fcli-windows.zip

release:
name: release
@@ -228,9 +234,6 @@ jobs:
with:
path: ./

- name: Remove fcli_completion script
run: rm -f artifact/fcli_completion

- name: PROD - Prepare release PR
if: github.ref == 'refs/heads/main'
uses: GoogleCloudPlatform/release-please-action@v3
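Review bot: dropping the `Remove fcli_completion script` step is only correct because the upload step later in this file now reads from `./artifact/release-assets` while `fcli_completion` is packaged from `./artifact` (see `-C ./artifact fcli_completion` in the packaging steps); a one-line comment on the packaging steps stating that only `release-assets/` is published would make that dependency explicit.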
@@ -259,7 +262,7 @@ jobs:
- name: Upload assets to release
if: needs.build.outputs.do_release
run: |
files=$(find "./artifact" -type f -printf "%p ")
files=$(find "./artifact/release-assets" -type f -printf "%p ")
gh release upload "${{ needs.build.outputs.release_tag }}" $files --clobber
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
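Review bot: `files=$(find "./artifact/release-assets" -type f -printf "%p ")` followed by an unquoted `$files` relies on word-splitting, so any asset path containing whitespace or glob characters breaks the upload; prefer `find ./artifact/release-assets -type f -print0 | xargs -0 gh release upload "${{ needs.build.outputs.release_tag }}" --clobber`, which also removes the trailing-space `%p ` format.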
@@ -315,15 +318,3 @@ jobs:
publish_dir: ./docs
enable_jekyll: true


cleanup:
name: cleanup
if: needs.build.outputs.do_release
needs: [release, publishPages]
runs-on: ubuntu-latest
steps:
- name: Delete artifacts if uploaded to release
uses: geekyeggo/delete-artifact@v1
with:
name: artifact
failOnError: false
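Review bot: the whole `cleanup` job that deleted the `artifact` upload after a release is removed, so every release run now keeps the jar, native binaries and completion script as workflow artifacts until the repository's retention period expires; the commit message does not mention this, so either state the intent or keep a cleanup step pointing at the new artifact layout.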
25 changes: 13 additions & 12 deletions .github/workflows/fortify-analysis.yml
@@ -22,7 +22,7 @@ name: Fortify on Demand Scan
on:
workflow_dispatch:
push:
branches: [ main ]
branches: [ develop ]
schedule:
- cron: '16 0 * * 5'

@@ -39,14 +39,17 @@ jobs:
steps:
# Check out source code
- name: Check Out Source Code
uses: actions/checkout@v2
uses: actions/checkout@v4
with:
ref: develop

# Java is required to run the various Fortify utilities.
# When scanning a Java application, please use the appropriate Java version for building your application.
- name: Setup Java
uses: actions/setup-java@v1
uses: actions/setup-java@v3
with:
java-version: 11
distribution: 'temurin'
java-version: '17'

# Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml.
# TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints:
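Review bot: the checkout step pins `ref: develop` unconditionally, so on `schedule` and `workflow_dispatch` runs, which start from the default branch, the scanned tree differs from `github.sha` and `github.ref`; anything downstream that uses those defaults, such as the SARIF upload at the end of this file, will attribute findings to the wrong commit. Either drop `ref` and rely on the trigger, or pass the checked-out ref and sha explicitly to the upload step.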
@@ -56,20 +59,18 @@ jobs:
# For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation.
# ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/
- name: Download Fortify ScanCentral Client
uses: fortify/gha-setup-scancentral-client@5b7382f8234fb9840958c49d5f32ae854115f9f3
with:
version: 21.2.0-prerelease # Required as Gradle 7.2 not supported by earlier versions
uses: fortify/gha-setup-scancentral-client@v2
- name: Package Code + Dependencies
run: scancentral package $PACKAGE_OPTS -o package.zip
env:
PACKAGE_OPTS: "-bt gradle"
PACKAGE_OPTS: "-bt gradle -oss"

# Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java
# TODO: Update ENV variables for your application and create the necessary GitHub Secrets. Helpful hints:
# Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used).
# Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal.
- name: Download Fortify on Demand Universal CI Tool
uses: fortify/gha-setup-fod-uploader@6e6bb8a33cb476e240929fa8ebc739ff110e7433
uses: fortify/gha-setup-fod-uploader@v1
- name: Perform SAST Scan
run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES"
env:
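Review bot: `fortify/gha-setup-scancentral-client` and `fortify/gha-setup-fod-uploader` move from full commit SHA pins to the mutable tags `@v2` and `@v1`; these actions run in the same job that exports the FoD tenant credentials in the `env` block of the SAST step, so a retagged release would execute new code with those secrets. Keep the SHA pin and add the version as a trailing comment (`@<sha> # v2`) so Dependabot can still track updates.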
@@ -84,7 +85,7 @@ jobs:

# Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output.
- name: Export results to GitHub-optimized SARIF
uses: fortify/gha-export-vulnerabilities@fcb374411cff9809028c911dabb8b57dbdae623b
uses: fortify/gha-export-vulnerabilities@v1
with:
fod_base_url: "https://ams.fortify.com/"
fod_tenant: ${{ secrets.OSS_FOD_TENANT }}
@@ -94,6 +95,6 @@ jobs:

# Import Fortify on Demand results to GitHub Security Code Scanning
- name: Import Results
uses: github/codeql-action/upload-sarif@v1
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ./gh-fortify-sast.sarif
sarif_file: ./gh-fortify-sast.sarif
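Review bot: `github/codeql-action/upload-sarif@v2` is passed only `sarif_file`; because the checkout above forces `ref: develop`, pass the `ref` and `sha` inputs of upload-sarif (for example `ref: refs/heads/develop` and the sha of the checked-out tree from `git rev-parse HEAD`) so code-scanning alerts land on the commit that was actually scanned. The final `sarif_file` line appearing as both removed and added is most likely just a trailing-newline change.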