Merge pull request #458 from kadraman/fod-2.0-stabilization

FoD 2.0 stabilization
fortify · Oct 16, 2023 · df54206 · df54206
2 parents c99be89 + 58e1f72
commit df54206
Show file tree

Hide file tree

Showing 26 changed files with 443 additions and 181 deletions.
diff --git a/...cli-fod/src/main/java/com/fortify/cli/fod/_common/output/mixin/FoDOutputHelperMixins.java b/...cli-fod/src/main/java/com/fortify/cli/fod/_common/output/mixin/FoDOutputHelperMixins.java
@@ -84,4 +84,11 @@ public static class DownloadResults extends OutputHelperMixins.TableNoQuery {
     public static class AssessmentType extends OutputHelperMixins.TableWithQuery {
         public static final String CMD_NAME = "assessment-type";
     }
+
+    public static class StartLegacy extends OutputHelperMixins.TableNoQuery {
+        public static final String CMD_NAME = "start-legacy";
+    }
+    public static class GetConfigLegacy extends OutputHelperMixins.DetailsNoQuery {
+        public static final String CMD_NAME = "get-config-legacy";
+    }
 }
diff --git a/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/_common/rest/FoDUrls.java b/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/_common/rest/FoDUrls.java
@@ -51,5 +51,7 @@ public class FoDUrls {
     public static final String MOBILE_SCANS_SETUP = MOBILE_SCANS + "/scan-setup";
     public static final String MOBILE_SCANS_START = MOBILE_SCANS + "/start-scan";
     public static final String ENTITLEMENTS = ApiBase + "/tenant-entitlements";
+    public static final String OSS_SCANS = ApiBase + "/releases/{relId}/open-source-scans";
+    public static final String OSS_SCANS_START = OSS_SCANS + "/start-scan";
 
 }
diff --git a/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/app/cli/cmd/FoDAppCreateCommand.java b/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/app/cli/cmd/FoDAppCreateCommand.java
@@ -53,7 +53,8 @@ public class FoDAppCreateCommand extends AbstractFoDJsonNodeOutputCommand implem
     @Spec CommandSpec spec;
 
     @EnvSuffix("NAME") @Parameters(index = "0", arity = "1", descriptionKey = "fcli.fod.app.app-name")
-    private String applicationName;
+    protected String applicationName;
+
     @Option(names = {"--description", "-d"})
     protected String description;
     @DisableTest(MULTI_OPT_PLURAL_NAME)
@@ -85,7 +86,7 @@ public JsonNode getJsonNode(UnirestInstance unirest) {
         validateMicroserviceName(microserviceName);
 
         var ownerId = FoDUserHelper.getUserDescriptor(unirest, owner, true).getUserId();
-        List<String> microservices = StringUtils.isBlank(microserviceName) 
+        List<String> microservices = StringUtils.isBlank(microserviceName)
                 ? Collections.emptyList() : new ArrayList<>(Arrays.asList(microserviceName));
         FoDAppCreateRequest appCreateRequest = FoDAppCreateRequest.builder()
                 .applicationName(applicationName)

diff --git a/...ore/fcli-fod/src/main/java/com/fortify/cli/fod/dast_scan/cli/cmd/FoDDastScanCommands.java b/...ore/fcli-fod/src/main/java/com/fortify/cli/fod/dast_scan/cli/cmd/FoDDastScanCommands.java
@@ -21,9 +21,9 @@
         subcommands = {
                 FoDDastScanListCommand.class,
                 FoDDastScanGetCommand.class,
-                FoDDastScanGetConfigCommand.class,
+                FoDDastScanGetConfigLegacyCommand.class,
                 //FoDDastScanSetupCommand.class,
-                FoDDastScanStartCommand.class,
+                FoDDastScanStartLegacyCommand.class,
                 FoDDastScanCancelCommand.class,
                 FoDDastScanWaitForCommand.class,
                 FoDDastScanImportCommand.class,

diff --git a/.../cli/cmd/FoDDastScanGetConfigCommand.java → ...md/FoDDastScanGetConfigLegacyCommand.java b/.../cli/cmd/FoDDastScanGetConfigCommand.java → ...md/FoDDastScanGetConfigLegacyCommand.java
@@ -22,8 +22,8 @@
 import picocli.CommandLine.Command;
 import picocli.CommandLine.Mixin;
 
-@Command(name = FoDOutputHelperMixins.GetConfig.CMD_NAME, hidden = true)
-public class FoDDastScanGetConfigCommand extends AbstractFoDScanConfigGetCommand {
+@Command(name = FoDOutputHelperMixins.GetConfigLegacy.CMD_NAME, hidden = true)
+public class FoDDastScanGetConfigLegacyCommand extends AbstractFoDScanConfigGetCommand {
     @Getter @Mixin private FoDOutputHelperMixins.GetConfig outputHelper;
 
     @Override

diff --git a/...scan/cli/cmd/FoDDastScanStartCommand.java → ...li/cmd/FoDDastScanStartLegacyCommand.java b/...scan/cli/cmd/FoDDastScanStartCommand.java → ...li/cmd/FoDDastScanStartLegacyCommand.java
@@ -49,8 +49,8 @@
 import picocli.CommandLine.Mixin;
 import picocli.CommandLine.Option;
 
-@Command(name = OutputHelperMixins.Start.CMD_NAME, hidden = true)
-public class FoDDastScanStartCommand extends AbstractFoDJsonNodeOutputCommand implements IRecordTransformer, IActionCommandResultSupplier {
+@Command(name = FoDOutputHelperMixins.StartLegacy.CMD_NAME, hidden = true)
+public class FoDDastScanStartLegacyCommand extends AbstractFoDJsonNodeOutputCommand implements IRecordTransformer, IActionCommandResultSupplier {
     DateTimeFormatter dtf = DateTimeFormatter.ofPattern("MM/dd/yyyy HH:mm");
 
     @Getter @Mixin private OutputHelperMixins.Start outputHelper;

diff --git a/.../src/main/java/com/fortify/cli/fod/microservice/cli/cmd/FoDMicroserviceCreateCommand.java b/.../src/main/java/com/fortify/cli/fod/microservice/cli/cmd/FoDMicroserviceCreateCommand.java
@@ -34,7 +34,7 @@
 @Command(name = OutputHelperMixins.Create.CMD_NAME)
 public class FoDMicroserviceCreateCommand extends AbstractFoDJsonNodeOutputCommand implements IActionCommandResultSupplier {
     @Getter @Mixin private OutputHelperMixins.Create outputHelper;
-    
+
     @Mixin private FoDDelimiterMixin delimiterMixin; // Is automatically injected in resolver mixins
     @Mixin private FoDMicroserviceByQualifiedNameResolverMixin.PositionalParameter qualifiedMicroserviceNameResolver;
 

diff --git a/...-core/fcli-fod/src/main/java/com/fortify/cli/fod/oss_scan/cli/cmd/FoDOssScanCommands.java b/...-core/fcli-fod/src/main/java/com/fortify/cli/fod/oss_scan/cli/cmd/FoDOssScanCommands.java
@@ -23,7 +23,7 @@
                 FoDOssScanGetCommand.class,
                 //FoDOssScanGetConfigCommand.class,
                 //FoDOssScanSetupCommand.class,
-                //FoDOssScanStartCommand.class,
+                FoDOssScanStartCommand.class,
                 //FoDOssScanCancelCommand.class,
                 //FoDOssScanWaitForCommand.class
                 FoDOssScanImportCommand.class,

diff --git a/...e/fcli-fod/src/main/java/com/fortify/cli/fod/oss_scan/cli/cmd/FoDOssScanStartCommand.java b/...e/fcli-fod/src/main/java/com/fortify/cli/fod/oss_scan/cli/cmd/FoDOssScanStartCommand.java
@@ -0,0 +1,77 @@
+/*******************************************************************************
+ * Copyright 2021, 2023 Open Text.
+ *
+ * The only warranties for products and services of Open Text
+ * and its affiliates and licensors ("Open Text") are as may
+ * be set forth in the express warranty statements accompanying
+ * such products and services. Nothing herein should be construed
+ * as constituting an additional warranty. Open Text shall not be
+ * liable for technical or editorial errors or omissions contained
+ * herein. The information contained herein is subject to change
+ * without notice.
+ *******************************************************************************/
+
+package com.fortify.cli.fod.oss_scan.cli.cmd;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fortify.cli.common.output.cli.mixin.OutputHelperMixins;
+import com.fortify.cli.common.output.transform.IActionCommandResultSupplier;
+import com.fortify.cli.common.output.transform.IRecordTransformer;
+import com.fortify.cli.common.util.FcliBuildPropertiesHelper;
+import com.fortify.cli.common.util.StringUtils;
+import com.fortify.cli.fod._common.cli.mixin.FoDDelimiterMixin;
+import com.fortify.cli.fod._common.output.cli.AbstractFoDJsonNodeOutputCommand;
+import com.fortify.cli.fod._common.util.FoDEnums;
+import com.fortify.cli.fod.release.cli.mixin.FoDReleaseByQualifiedNameOrIdResolverMixin;
+import com.fortify.cli.fod.sast_scan.helper.FoDScanConfigSastDescriptor;
+import com.fortify.cli.fod.scan.cli.mixin.FoDRemediationScanPreferenceTypeMixins;
+import com.fortify.cli.fod.scan.helper.FoDScanHelper;
+import com.fortify.cli.fod.scan.helper.oss.FoDScanOssHelper;
+import com.fortify.cli.fod.scan.helper.oss.FoDScanOssStartRequest;
+import com.fortify.cli.fod.scan.helper.sast.FoDScanSastHelper;
+import com.fortify.cli.fod.scan.helper.sast.FoDScanSastStartRequest;
+import kong.unirest.UnirestInstance;
+import lombok.Getter;
+import picocli.CommandLine.Command;
+import picocli.CommandLine.Mixin;
+import picocli.CommandLine.Option;
+
+import java.io.File;
+import java.util.Properties;
+
+@Command(name = OutputHelperMixins.Start.CMD_NAME, hidden = false)
+public class FoDOssScanStartCommand extends AbstractFoDJsonNodeOutputCommand implements IRecordTransformer, IActionCommandResultSupplier {
+    @Getter @Mixin private OutputHelperMixins.Start outputHelper;
+
+    @Mixin private FoDDelimiterMixin delimiterMixin; // Is automatically injected in resolver mixins
+    @Mixin private FoDReleaseByQualifiedNameOrIdResolverMixin.RequiredOption releaseResolver;
+
+    @Option(names = {"-f", "--file"}, required = true)
+    private File scanFile;
+
+    @Override
+    public JsonNode getJsonNode(UnirestInstance unirest) {
+        var releaseDescriptor = releaseResolver.getReleaseDescriptor(unirest);
+        String relId = releaseDescriptor.getReleaseId();
+
+        FoDScanOssStartRequest startScanRequest = FoDScanOssStartRequest.builder().build();
+
+        return FoDScanOssHelper.startScanWithDefaults(unirest, releaseDescriptor, startScanRequest, scanFile).asJsonNode();
+    }
+
+    @Override
+    public JsonNode transformRecord(JsonNode record) {
+        return FoDScanHelper.renameFields(record);
+    }
+
+    @Override
+    public String getActionCommandResult() {
+        return "STARTED";
+    }
+
+    @Override
+    public boolean isSingular() {
+        return true;
+    }
+
+}
diff --git a/...cli-fod/src/main/java/com/fortify/cli/fod/oss_scan/helper/FoDScanConfigOssDescriptor.java b/...cli-fod/src/main/java/com/fortify/cli/fod/oss_scan/helper/FoDScanConfigOssDescriptor.java
@@ -0,0 +1,26 @@
+/*******************************************************************************
+ * Copyright 2021, 2023 Open Text.
+ *
+ * The only warranties for products and services of Open Text
+ * and its affiliates and licensors ("Open Text") are as may
+ * be set forth in the express warranty statements accompanying
+ * such products and services. Nothing herein should be construed
+ * as constituting an additional warranty. Open Text shall not be
+ * liable for technical or editorial errors or omissions contained
+ * herein. The information contained herein is subject to change
+ * without notice.
+ *******************************************************************************/
+
+package com.fortify.cli.fod.oss_scan.helper;
+
+import com.formkiq.graalvm.annotations.Reflectable;
+import com.fortify.cli.common.json.JsonNodeHolder;
+import lombok.Data;
+import lombok.EqualsAndHashCode;
+import lombok.NoArgsConstructor;
+
+@Reflectable @NoArgsConstructor
+@Data @EqualsAndHashCode(callSuper=false)
+public class FoDScanConfigOssDescriptor extends JsonNodeHolder {
+    private Integer releaseId;
+}
diff --git a/...e/fcli-fod/src/main/java/com/fortify/cli/fod/release/cli/cmd/FoDReleaseCreateCommand.java b/...e/fcli-fod/src/main/java/com/fortify/cli/fod/release/cli/cmd/FoDReleaseCreateCommand.java
@@ -52,8 +52,8 @@ public class FoDReleaseCreateCommand extends AbstractFoDJsonNodeOutputCommand im
     public JsonNode getJsonNode(UnirestInstance unirest) {
         if (skipIfExists) {
             var descriptor = releaseNameResolver.getReleaseDescriptor(unirest, false);
-            if (descriptor != null) { 
-                return descriptor.asObjectNode().put(IActionCommandResultSupplier.actionFieldName, "SKIPPED_EXISTING"); 
+            if (descriptor != null) {
+                return descriptor.asObjectNode().put(IActionCommandResultSupplier.actionFieldName, "SKIPPED_EXISTING");
             }
         }
         // Ensure app exists
@@ -64,7 +64,7 @@ public JsonNode getJsonNode(UnirestInstance unirest) {
         if ( appDescriptor.isHasMicroservices() && microserviceDescriptor==null ) {
             throw new IllegalArgumentException("Microservice name must be specified for microservices application");
         }
-        
+
         String simpleReleaseName = releaseNameResolver.getSimpleReleaseName();
         String copyReleaseId = copyFromReleaseResolver.getReleaseId(unirest);
 

diff --git a/...fcli-fod/src/main/java/com/fortify/cli/fod/scan/cli/cmd/AbstractFoDScanImportCommand.java b/...fcli-fod/src/main/java/com/fortify/cli/fod/scan/cli/cmd/AbstractFoDScanImportCommand.java
@@ -28,14 +28,16 @@
 import kong.unirest.HttpRequest;
 import kong.unirest.UnirestInstance;
 import lombok.Getter;
+import picocli.CommandLine;
 import picocli.CommandLine.Mixin;
+import picocli.CommandLine.Option;
 import picocli.CommandLine.Parameters;
 
 public abstract class AbstractFoDScanImportCommand extends AbstractFoDJsonNodeOutputCommand implements IActionCommandResultSupplier {
     @Mixin private FoDDelimiterMixin delimiterMixin; // Is automatically injected in resolver mixins
     @Mixin private FoDReleaseByQualifiedNameOrIdResolverMixin.RequiredOption releaseResolver;
 
-    @EnvSuffix("FILE") @Parameters(index = "0", arity = "1", descriptionKey = "fcli.fod.scan.import.scan-file")
+    @EnvSuffix("FILE") @Option(names = {"-f", "--file"}, required = true, descriptionKey = "fcli.fod.scan.import.scan-file")
     private File scanFile;
 
     @Override

diff --git a/...-core/fcli-fod/src/main/java/com/fortify/cli/fod/scan/cli/mixin/FoDScanResolverMixin.java b/...-core/fcli-fod/src/main/java/com/fortify/cli/fod/scan/cli/mixin/FoDScanResolverMixin.java
@@ -1,13 +1,13 @@
 /*******************************************************************************
  * Copyright 2021, 2023 Open Text.
  *
- * The only warranties for products and services of Open Text 
- * and its affiliates and licensors ("Open Text") are as may 
- * be set forth in the express warranty statements accompanying 
- * such products and services. Nothing herein should be construed 
- * as constituting an additional warranty. Open Text shall not be 
- * liable for technical or editorial errors or omissions contained 
- * herein. The information contained herein is subject to change 
+ * The only warranties for products and services of Open Text
+ * and its affiliates and licensors ("Open Text") are as may
+ * be set forth in the express warranty statements accompanying
+ * such products and services. Nothing herein should be construed
+ * as constituting an additional warranty. Open Text shall not be
+ * liable for technical or editorial errors or omissions contained
+ * herein. The information contained herein is subject to change
  * without notice.
  *******************************************************************************/
 package com.fortify.cli.fod.scan.cli.mixin;
@@ -57,10 +57,15 @@ public String[] getScanIds(UnirestInstance unirest) {
     }
 
     public static class RequiredOption extends AbstractFoDScanResolverMixin {
-        @Option(names = {"--scan"}, required = true)
+        @EnvSuffix("SCAN") @Option(names = {"--scan"}, required = true)
         @Getter private String scanId;
     }
 
+    public static class RequiredOptionMulti extends AbstractFoDMultiScanResolverMixin {
+        @EnvSuffix("SCANS") @Option(names = {"--scans"}, required=true, split=",", descriptionKey = "fcli.fod.scan.scan-id")
+        @Getter private String[] scanIds;
+    }
+
     public static class PositionalParameter extends AbstractFoDScanResolverMixin {
         @EnvSuffix("SCAN") @Parameters(index = "0", arity = "1", paramLabel="scan-id", descriptionKey = "fcli.fod.scan.scan-id")
         @Getter private String scanId;

diff --git a/...core/fcli-fod/src/main/java/com/fortify/cli/fod/scan/helper/oss/FoDScanOssDescriptor.java b/...core/fcli-fod/src/main/java/com/fortify/cli/fod/scan/helper/oss/FoDScanOssDescriptor.java
@@ -0,0 +1,28 @@
+/*******************************************************************************
+ * Copyright 2021, 2023 Open Text.
+ *
+ * The only warranties for products and services of Open Text
+ * and its affiliates and licensors ("Open Text") are as may
+ * be set forth in the express warranty statements accompanying
+ * such products and services. Nothing herein should be construed
+ * as constituting an additional warranty. Open Text shall not be
+ * liable for technical or editorial errors or omissions contained
+ * herein. The information contained herein is subject to change
+ * without notice.
+ *******************************************************************************/
+
+package com.fortify.cli.fod.scan.helper.oss;
+
+import com.formkiq.graalvm.annotations.Reflectable;
+import com.fortify.cli.common.json.JsonNodeHolder;
+import lombok.Data;
+import lombok.EqualsAndHashCode;
+import lombok.NoArgsConstructor;
+
+@Reflectable @NoArgsConstructor
+@Data @EqualsAndHashCode(callSuper = true)
+public class FoDScanOssDescriptor extends JsonNodeHolder {
+    private Integer scanId;
+    private String scanType;
+
+}
diff --git a/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/scan/helper/oss/FoDScanOssHelper.java b/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/scan/helper/oss/FoDScanOssHelper.java
@@ -0,0 +1,80 @@
+/*******************************************************************************
+ * Copyright 2021, 2023 Open Text.
+ *
+ * The only warranties for products and services of Open Text
+ * and its affiliates and licensors ("Open Text") are as may
+ * be set forth in the express warranty statements accompanying
+ * such products and services. Nothing herein should be construed
+ * as constituting an additional warranty. Open Text shall not be
+ * liable for technical or editorial errors or omissions contained
+ * herein. The information contained herein is subject to change
+ * without notice.
+ *******************************************************************************/
+
+package com.fortify.cli.fod.scan.helper.oss;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+import com.fortify.cli.common.json.JsonHelper;
+import com.fortify.cli.fod._common.rest.FoDUrls;
+import com.fortify.cli.fod._common.rest.helper.FoDFileTransferHelper;
+import com.fortify.cli.fod.oss_scan.helper.FoDScanConfigOssDescriptor;
+import com.fortify.cli.fod.release.helper.FoDReleaseDescriptor;
+import com.fortify.cli.fod.scan.helper.FoDScanDescriptor;
+import com.fortify.cli.fod.scan.helper.FoDScanHelper;
+import com.fortify.cli.fod.scan.helper.FoDScanType;
+import com.fortify.cli.fod.scan.helper.FoDStartScanResponse;
+import kong.unirest.GetRequest;
+import kong.unirest.HttpRequest;
+import kong.unirest.UnirestInstance;
+import lombok.Getter;
+
+import java.io.File;
+
+public class FoDScanOssHelper extends FoDScanHelper {
+    @Getter
+    private static final ObjectMapper objectMapper = new ObjectMapper();
+
+    public static final FoDScanDescriptor startScanWithDefaults(UnirestInstance unirest, FoDReleaseDescriptor releaseDescriptor,
+                                                                FoDScanOssStartRequest req, File scanFile) {
+        var relId = releaseDescriptor.getReleaseId();
+        HttpRequest<?> request = unirest.post(FoDUrls.OSS_SCANS_START).routeParam("relId", relId);
+        return startScan(unirest, releaseDescriptor, request, scanFile);
+    }
+
+    private static FoDScanDescriptor startScan(UnirestInstance unirest, FoDReleaseDescriptor releaseDescriptor, HttpRequest<?> request, File scanFile) {
+        JsonNode response = FoDFileTransferHelper.uploadChunked(unirest, request, scanFile);
+        FoDStartScanResponse startScanResponse = JsonHelper.treeToValue(response, FoDStartScanResponse.class);
+        if (startScanResponse == null || startScanResponse.getScanId() <= 0) {
+            throw new RuntimeException("Unable to retrieve scan id from response when starting OSS scan.");
+        }
+        JsonNode node = objectMapper.createObjectNode()
+                .put("scanId", startScanResponse.getScanId())
+                .put("scanType", FoDScanType.OpenSource.name())
+                .put("analysisStatusType", "Pending")
+                .put("applicationName", releaseDescriptor.getApplicationName())
+                .put("releaseName", releaseDescriptor.getReleaseName())
+                .put("microserviceName", releaseDescriptor.getMicroserviceName());
+        return JsonHelper.treeToValue(node, FoDScanDescriptor.class);
+    }
+
+    public static final FoDScanConfigOssDescriptor getSetupDescriptor(UnirestInstance unirest, String relId) {
+        GetRequest request = unirest.get(FoDUrls.OSS_SCANS + "/scan-setup")
+                .routeParam("relId", relId);
+        JsonNode setup = request.asObject(ObjectNode.class).getBody()
+                .put("applicationName", "test");
+        return JsonHelper.treeToValue(setup, FoDScanConfigOssDescriptor.class);
+    }
+
+    public static final FoDScanConfigOssDescriptor getSetupDescriptorWithAppRel(UnirestInstance unirest, FoDReleaseDescriptor releaseDescriptor) {
+        GetRequest request = unirest.get(FoDUrls.OSS_SCANS + "/scan-setup")
+                .routeParam("relId", releaseDescriptor.getReleaseId());
+        JsonNode setup = request.asObject(ObjectNode.class).getBody()
+                .put("applicationName", releaseDescriptor.getApplicationName())
+                .put("releaseName", releaseDescriptor.getReleaseName())
+                .put("microserviceName", releaseDescriptor.getMicroserviceName());
+        return JsonHelper.treeToValue(setup, FoDScanConfigOssDescriptor.class);
+    }
+
+}