FoD: Add command for downloading FPR #423

Closed
rsenden opened this issue Aug 17, 2023 · 3 comments · Fixed by #446
Labels: fcli-fod (Issue related to 'fcli fod' commands)
Milestone: 2.0.0

Comments

rsenden commented Aug 17, 2023

Add fcli fod release download-fpr --scan-type <type> -f <file> or similar command.

@rsenden rsenden added the fcli-fod Issue related to 'fcli fod' commands label Aug 17, 2023
@rsenden rsenden added this to the 2.0.0 milestone Aug 17, 2023

rsenden commented Aug 17, 2023

Rudimentary implementation in a918cda.

To-do's:

  • Add progress information/updates
  • Handle situations where no FPR file is available for download (FoD returns HTTP 202 indefinitely, causing this command to hang)
  • Decide on consistency with import-* commands; we currently have a single download-fpr command that accepts --scan-type option, whereas we have separate import-* commands for each scan type
  • Does the endpoint always return an FPR file, even for OSS/Debricked results for example? If not, maybe we should rename to download-scan instead?
  • Decide on polling interval; too short (like 5 seconds) causes rate limit error, too long will keep the user waiting for longer than necessary (also see FoD: Gracefully handle rate limits #404; once we gracefully handle rate limits, we can potentially shorten the polling interval)

@rsenden
Copy link
Contributor Author

rsenden commented Sep 8, 2023

For now, fcli will need to assume a 2-year retention period; if the last scan date is older than 2 years, fcli will need to throw an error instead of trying to invoke the download-fpr endpoint. Just to be sure, we may want to add a time-out option with an appropriate default value like 1 or 5 minutes, aborting the download operation with an error if FoD has been returning 202 responses for longer than the configured time-out.

Structuring of the commands is subject to ongoing discussion.

For OSS/SBOM, there are separate endpoints; download-fpr endpoints only support Static and Dynamic scan types.
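The to-do list in the Aug 17 comment and the Sep 8 comment above describe the same loop: refuse up front when the last scan is past the retention period, otherwise poll the download endpoint, treat 202 as "not ready", treat 429 as "slow down", and give up with an error once the wall-clock time-out has elapsed. The following is an added example of that loop written by the editor, not fcli's own (Java) code. The 2-year retention period, the 5-minute default time-out, the 10-second polling interval, the use of a Retry-After header on 429, and the scripted endpoint responses are all assumptions constructed for the example; the clock is faked so it runs offline. In real use `fetch` would wrap the authenticated HTTP GET against the release's FPR download endpoint.

```python
import datetime as dt
from typing import Callable, Dict, List, Tuple

# Constructed example; none of the constants below come from FoD documentation.
RETENTION = dt.timedelta(days=2 * 365)          # assumed 2-year FPR retention
DEFAULT_TIMEOUT = dt.timedelta(minutes=5)       # assumed default time-out
DEFAULT_POLL_INTERVAL = 10.0                    # seconds; assumed, longer than the 5 s that hit rate limits

Response = Tuple[int, Dict[str, str], bytes]    # (HTTP status, response headers, body)


class FprNotRetained(Exception):
    """Last scan is older than the assumed retention period, so FoD would answer 202 forever."""


class FakeClock:
    """Deterministic clock so the loop runs offline; real code would use time.monotonic/time.sleep."""

    def __init__(self, start: dt.datetime) -> None:
        self.current = start
        self.slept = 0.0      # total seconds the loop decided to wait

    def now(self) -> dt.datetime:
        return self.current

    def sleep(self, seconds: float) -> None:
        self.slept += seconds
        self.current += dt.timedelta(seconds=seconds)


def check_retention(last_scan: dt.datetime, now: dt.datetime) -> None:
    """Refuse up front instead of polling an endpoint that can never return the file."""
    if now - last_scan > RETENTION:
        raise FprNotRetained(
            f"last scan on {last_scan.date()} is older than {RETENTION.days} days; not calling download endpoint")


def download_fpr(fetch: Callable[[], Response], *, last_scan: dt.datetime, clock: FakeClock,
                 timeout: dt.timedelta = DEFAULT_TIMEOUT,
                 poll_interval: float = DEFAULT_POLL_INTERVAL) -> Tuple[bytes, int]:
    """Poll `fetch` until it returns 200 with the FPR body; returns (body, attempts).

    202 means 'not ready yet', 429 means 'slow down'. Raises TimeoutError once
    non-200 answers have lasted longer than `timeout`.
    """
    check_retention(last_scan, clock.now())
    deadline = clock.now() + timeout
    attempts = 0
    while True:
        attempts += 1
        status, headers, body = fetch()
        if status == 200:
            return body, attempts
        if status == 202:
            wait = poll_interval
        elif status == 429:
            # Back off by the server's Retry-After when present (assumed header), else by the poll interval.
            wait = float(headers.get("Retry-After", poll_interval))
        else:
            raise RuntimeError(f"unexpected HTTP {status} from FPR download endpoint")
        if clock.now() >= deadline:
            raise TimeoutError(f"FoD still returned HTTP {status} after {timeout} ({attempts} attempts)")
        clock.sleep(wait)


def scripted(responses: List[Response]) -> Callable[[], Response]:
    """Constructed stand-in for the FoD endpoint: replays `responses`, then repeats the last one."""
    state = {"i": 0}

    def fetch() -> Response:
        r = responses[min(state["i"], len(responses) - 1)]
        state["i"] += 1
        return r

    return fetch


# Constructed fixtures.
NOW = dt.datetime(2023, 9, 8, 12, 0, tzinfo=dt.timezone.utc)
RECENT_SCAN = NOW - dt.timedelta(days=30)
OLD_SCAN = NOW - dt.timedelta(days=3 * 365)
NOT_READY: Response = (202, {}, b"")
THROTTLED: Response = (429, {"Retry-After": "30"}, b"")
READY: Response = (200, {"Content-Type": "application/zip"}, b"PK\x03\x04fake-fpr")


def run_scenario(responses: List[Response], *, last_scan: dt.datetime = RECENT_SCAN,
                 timeout_seconds: float = 300, poll_interval: float = DEFAULT_POLL_INTERVAL) -> Dict[str, object]:
    """Drive download_fpr against a scripted endpoint and report what happened."""
    clock = FakeClock(NOW)
    try:
        body, attempts = download_fpr(scripted(responses), last_scan=last_scan, clock=clock,
                                      timeout=dt.timedelta(seconds=timeout_seconds), poll_interval=poll_interval)
        return {"outcome": "ok", "body": body, "attempts": attempts, "waited": clock.slept}
    except (FprNotRetained, TimeoutError) as exc:
        return {"outcome": type(exc).__name__, "waited": clock.slept}


if __name__ == "__main__":
    print(run_scenario([NOT_READY, NOT_READY, THROTTLED, READY]))   # ready after 50 s of waiting
    print(run_scenario([NOT_READY]))                                # 202 forever -> TimeoutError
    print(run_scenario([READY], last_scan=OLD_SCAN))                # refused before any request
```

The limit is expressed as elapsed time rather than a retry count: a count only bounds the wait if the interval is fixed, whereas a 429 with Retry-After stretches individual waits, and a wall-clock deadline stays meaningful regardless of how long FoD takes to pull the file from storage.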

kadraman added a commit to kadraman/fcli that referenced this issue Sep 28, 2023
…solves fortify#445)

fix: FoD: Decide on command structure for managing scans (resolves fortify#435)

fix: FoD: Add command for downloading FPR (resolved fortify#423)
kadraman added a commit to kadraman/fcli that referenced this issue Oct 2, 2023
…d check for last scan being over 2 years

chore: FoD: updated tests for refactored commands

kadraman commented Oct 2, 2023

The check for last scan date has been added.

I also looked at adding a maxRetries check, but it is unclear what a suitable value would be: it seems that if the FPR is not available it is generated/pulled from some sort of storage (which can take some time), but after that it is more or less instantly available.
