
Update FoD scan status polling to use internal REST API #526

Closed
kadraman opened this issue Apr 30, 2024 · 2 comments · Fixed by #532

Comments

@kadraman
Collaborator

The current implementation of the FoD API has intermittent failures when polling the status of a scan via id for the first few seconds/minutes (see #500). The FoD API plugins use an "internal" REST API to retrieve the scan status as follows:

 /api/v3/releases/RELEASE_ID/scans/SCAN_ID/polling-summary

We should update wait-for commands to use this internal API and re-test to see if this is a better solution.

@kadraman
Collaborator Author

kadraman commented Apr 30, 2024

Since this API needs both a Scan and Release Id to work, we cannot update the wait-for commands as-is because they have no release context. For example we could implement:

fcli fod sast-scan wait-for 12345 **--release 56789**

but this API is only really designed for one scan id; for multiple scans the API would need to be called multiple times!

The response from this API also has different names, e.g.:

[ {
  "ScanId" : 10322560,
  "OpenSourceScanId" : null,
  "TenantId" : 2935,
  "AnalysisStatusId" : 2,
  "OpenSourceStatusId" : 0,
  "AnalysisStatusTypeValue" : "Completed",
  "AnalysisStatusReasonId" : null,
  "AnalysisStatusReason" : "",
  "AnalysisStatusReasonNotes" : null,
  "IssueCountCritical" : 45,
  "IssueCountHigh" : 76,
  "IssueCountMedium" : 34,
  "IssueCountLow" : 19,
  "PassFailStatus" : false,
  "PassFailReasonType" : null,
  "PauseDetails" : null,
  "ScanType" : 2
} ]

In this, analysisStatusType is now AnalysisStatusTypeValue!

@rsenden
Contributor

rsenden commented Apr 30, 2024

Thanks for looking into this. It's unfortunate that this endpoint also requires the release id; maybe we should ask the FoD team why there's no /api/v3/scans/<scan-id>/polling-summary? (I tried, but it doesn't exist 😉)

For the time being, maybe we could:

  • Have the scan start/list/get/... commands return a new field releaseAndScanId (or similar) that contains <release id>:<scan id>
  • Change @DefaultVariablePropertyName("scanId") to @DefaultVariablePropertyName("releaseAndScanId")
  • Have all fcli scan-related commands accept <release id>:<scan id> as input (but also still support plain <scan id>)
  • If the wait-for command receives only a scan id, use the endpoint that we're currently using
  • If the wait-for command receives both release id and scan id, use the polling-summary endpoint
  • Use record transformers or other approach to modify the output of the polling-summary endpoint to match the output of the regular summary endpoint

Do you think this would work? Please let me know if you need any assistance/updates to the generic wait-for framework to support this use case.
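An added example (not fcli's own code) of the proposal above in Python: parse either `<release id>:<scan id>` or a plain `<scan id>`, pick the polling-summary endpoint only when a release id is present, and rename the polling-summary fields to the regular summary's names. The fallback endpoint path is a placeholder, and every rename other than AnalysisStatusTypeValue -> analysisStatusType is an assumption.

```python
import json
import re
from typing import Optional, Tuple

# Constructed sample: an abbreviated copy of the polling-summary response quoted above.
POLLING_SUMMARY_RESPONSE = """[ {
  "ScanId" : 10322560,
  "ReleaseId" : 56789,
  "AnalysisStatusId" : 2,
  "AnalysisStatusTypeValue" : "Completed",
  "IssueCountCritical" : 45,
  "IssueCountHigh" : 76,
  "PassFailStatus" : false,
  "ScanType" : 2
} ]"""

# Placeholder: the issue does not name the endpoint wait-for currently uses.
CURRENT_SCAN_STATUS_ENDPOINT = "/api/v3/scans/{scan_id}/summary"

# Only the first rename is confirmed by the issue; all others fall back to
# lowerCamelCase, which is an assumption about the regular summary's naming.
EXPLICIT_RENAMES = {"AnalysisStatusTypeValue": "analysisStatusType"}


def parse_scan_ref(ref: str) -> Tuple[Optional[int], int]:
    """Accept '<release id>:<scan id>' or plain '<scan id>'; reject anything else."""
    m = re.fullmatch(r"(?:(\d+):)?(\d+)", ref.strip())
    if not m:
        raise ValueError(f"invalid scan reference: {ref!r}")
    release_id = int(m.group(1)) if m.group(1) else None
    return release_id, int(m.group(2))


def select_endpoint(ref: str) -> str:
    """Use polling-summary only when a release id was supplied."""
    release_id, scan_id = parse_scan_ref(ref)
    if release_id is None:
        return CURRENT_SCAN_STATUS_ENDPOINT.format(scan_id=scan_id)
    return f"/api/v3/releases/{release_id}/scans/{scan_id}/polling-summary"


def normalize_polling_summary(body: str) -> dict:
    """Map one polling-summary record onto the regular summary's field names."""
    records = json.loads(body)
    if not isinstance(records, list) or len(records) != 1:
        raise ValueError("polling-summary is expected to return exactly one record")
    record = records[0]
    return {EXPLICIT_RENAMES.get(k, k[:1].lower() + k[1:]): v for k, v in record.items()}
```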

@rsenden rsenden closed this as completed in 4cf9342 May 2, 2024
rsenden added a commit that referenced this issue May 17, 2024
fix: `fcli ssc appversion create`: Command will now fail instead of creating uncommitted application version if the application version specified on `--copy-from` option does not exist

fix: FoD: Update `wait-for` commands to use internal API (closes #526, #500)

feat: Add `fcli config public-key` commands for managing trusted public keys

feat: Add `fcli fod issue list` command

feat: Add `fcli ssc issue list` command

feat: Add `fcli ssc action` commands for running a variety of yaml-based actions

feat: Add `fcli fod action` commands for running a variety of yaml-based actions

feat: Migrate FortifyVulnerabilityExporter functionality to yaml-based fcli actions

feat: Add actions for generating BitBucket, GitHub, GitLab, SARIF and SonarQube vulnerability reports

feat: Add actions for generating application version/release summary

feat: Add preview actions for generating GitHub Pull Request comments

feat: Add sample actions for checking security policy criteria