-
Notifications
You must be signed in to change notification settings - Fork 33
Add issue get command for FoD and SSC #978
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
jmadhur87
wants to merge
7
commits into
fortify:dev/v3.x
Choose a base branch
from
jmadhur87:mjain6/974
base: dev/v3.x
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
7 commits
Select commit
Hold shift + click to select a range
ca7f542
Added issue get command for FoD and SSC
jmadhur87 6b40ff9
Merge branch 'fortify:dev/v3.x' into mjain6/974
jmadhur87 6ada3b4
Added changes as per review comments
jmadhur87 f945c6f
Merge branch 'mjain6/974' of https://github.com/jmadhur87/fcli into m…
jmadhur87 4c69521
remove explicit check response status for fod
jmadhur87 ebfd029
Merge branch 'dev/v3.x' into mjain6/974
jmadhur87 cd0d1c9
Add review comment changes
jmadhur87 File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Some comments aren't visible on the classic Files Changed page.
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
85 changes: 85 additions & 0 deletions
85
fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/issue/cli/cmd/FoDIssueGetCommand.java
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,85 @@ | ||
| /* | ||
| * Copyright 2021-2026 Open Text. | ||
| * | ||
| * The only warranties for products and services of Open Text | ||
| * and its affiliates and licensors ("Open Text") are as may | ||
| * be set forth in the express warranty statements accompanying | ||
| * such products and services. Nothing herein should be construed | ||
| * as constituting an additional warranty. Open Text shall not be | ||
| * liable for technical or editorial errors or omissions contained | ||
| * herein. The information contained herein is subject to change | ||
| * without notice. | ||
| */ | ||
| package com.fortify.cli.fod.issue.cli.cmd; | ||
|
|
||
| import com.fasterxml.jackson.databind.JsonNode; | ||
| import com.fasterxml.jackson.databind.node.ObjectNode; | ||
| import com.fortify.cli.common.exception.FcliSimpleException; | ||
| import com.fortify.cli.common.json.producer.IObjectNodeProducer; | ||
| import com.fortify.cli.common.json.producer.ObjectNodeProducerApplyFrom; | ||
| import com.fortify.cli.common.output.cli.mixin.OutputHelperMixins; | ||
| import com.fortify.cli.fod._common.cli.mixin.FoDDelimiterMixin; | ||
| import com.fortify.cli.fod._common.output.cli.cmd.AbstractFoDOutputCommand; | ||
| import com.fortify.cli.fod._common.rest.FoDUrls; | ||
| import com.fortify.cli.fod._common.rest.helper.FoDInputTransformer; | ||
| import com.fortify.cli.fod.issue.cli.mixin.FoDIssueEmbedMixin; | ||
| import com.fortify.cli.fod.issue.cli.mixin.FoDIssueIncludeMixin; | ||
| import com.fortify.cli.fod.issue.helper.FoDIssueHelper; | ||
| import com.fortify.cli.fod.issue.helper.FoDIssueHelper.IssueAggregationData; | ||
| import com.fortify.cli.fod.release.cli.mixin.FoDReleaseByQualifiedNameOrIdResolverMixin; | ||
| import com.fortify.cli.fod.release.helper.FoDReleaseDescriptor; | ||
|
|
||
| import kong.unirest.HttpRequest; | ||
| import kong.unirest.UnirestInstance; | ||
| import lombok.Getter; | ||
| import picocli.CommandLine.Command; | ||
| import picocli.CommandLine.Mixin; | ||
| import picocli.CommandLine.Parameters; | ||
|
|
||
| @Command(name = OutputHelperMixins.Get.CMD_NAME) | ||
| public class FoDIssueGetCommand extends AbstractFoDOutputCommand { | ||
| @Getter @Mixin private OutputHelperMixins.Get outputHelper; | ||
| @Mixin private FoDDelimiterMixin delimiterMixin; // Is automatically injected in resolver mixins | ||
| @Mixin private FoDReleaseByQualifiedNameOrIdResolverMixin.RequiredOption releaseResolver; | ||
| @Parameters(index = "0", arity = "1", descriptionKey = "fcli.fod.issue.get.vulnId") | ||
| private String vulnId; | ||
| @Mixin private FoDIssueEmbedMixin embedMixin; | ||
| @Mixin private FoDIssueIncludeMixin includeMixin; | ||
|
|
||
| @Override | ||
| protected IObjectNodeProducer getObjectNodeProducer(UnirestInstance unirest) { | ||
| FoDReleaseDescriptor releaseDescriptor = releaseResolver.getReleaseDescriptor(unirest); | ||
| String releaseId = releaseDescriptor.getReleaseId().toString(); | ||
| JsonNode issue = findIssue(unirest, releaseId); | ||
| if ( issue==null ) { | ||
| throw new FcliSimpleException(String.format("No vulnerability found for vulnId '%s' in release '%s'", vulnId, releaseDescriptor.getReleaseName())); | ||
| } | ||
| if ( issue instanceof ObjectNode issueObject ) { | ||
| issueObject.put("releaseId", releaseId); | ||
| issueObject.put("releaseName", releaseDescriptor.getReleaseName()); | ||
| FoDIssueHelper.transformRecord(issueObject, IssueAggregationData.forSingleRelease(issueObject)); | ||
| } | ||
| return simpleObjectNodeProducerBuilder(ObjectNodeProducerApplyFrom.SPEC) | ||
| .source(issue) | ||
| .build(); | ||
| } | ||
|
|
||
| private JsonNode findIssue(UnirestInstance unirest, String releaseId) { | ||
| HttpRequest<?> request = unirest.get(FoDUrls.VULNERABILITIES) | ||
| .routeParam("relId", releaseId) | ||
| .queryString("filters", "vulnId:" + vulnId) | ||
| .queryString("limit", "2"); | ||
| JsonNode body = includeMixin.updateRequest(request).asObject(JsonNode.class).getBody(); | ||
| JsonNode items = FoDInputTransformer.getItems(body); | ||
| if ( items==null || !items.isArray() ) { return null; } | ||
| if ( items.size()>1 ) { | ||
| throw new FcliSimpleException(String.format("Multiple vulnerabilities found for vulnId '%s'; please check your input", vulnId)); | ||
| } | ||
| return items.isEmpty() ? null : items.get(0); | ||
| } | ||
|
|
||
| @Override | ||
| public boolean isSingular() { | ||
| return true; | ||
| } | ||
| } | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
56 changes: 56 additions & 0 deletions
56
fcli-core/fcli-ssc/src/main/java/com/fortify/cli/ssc/issue/cli/cmd/SSCIssueGetCommand.java
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| /* | ||
| * Copyright 2021-2026 Open Text. | ||
| * | ||
| * The only warranties for products and services of Open Text | ||
| * and its affiliates and licensors ("Open Text") are as may | ||
| * be set forth in the express warranty statements accompanying | ||
| * such products and services. Nothing herein should be construed | ||
| * as constituting an additional warranty. Open Text shall not be | ||
| * liable for technical or editorial errors or omissions contained | ||
| * herein. The information contained herein is subject to change | ||
| * without notice. | ||
| */ | ||
| package com.fortify.cli.ssc.issue.cli.cmd; | ||
|
|
||
| import com.fortify.cli.common.json.producer.IObjectNodeProducer; | ||
| import com.fortify.cli.common.json.producer.ObjectNodeProducerApplyFrom; | ||
| import com.fortify.cli.common.output.cli.mixin.OutputHelperMixins; | ||
| import com.fortify.cli.ssc._common.output.cli.cmd.AbstractSSCOutputCommand; | ||
| import com.fortify.cli.ssc._common.rest.ssc.SSCUrls; | ||
| import com.fortify.cli.ssc.appversion.cli.mixin.SSCAppVersionResolverMixin; | ||
| import com.fortify.cli.ssc.issue.cli.mixin.SSCIssueBulkEmbedMixin; | ||
| import com.fortify.cli.ssc.issue.cli.mixin.SSCIssueIncludeMixin; | ||
|
|
||
| import kong.unirest.HttpRequest; | ||
| import kong.unirest.UnirestInstance; | ||
| import lombok.Getter; | ||
| import picocli.CommandLine.Command; | ||
| import picocli.CommandLine.Mixin; | ||
| import picocli.CommandLine.Parameters; | ||
|
|
||
| @Command(name = OutputHelperMixins.Get.CMD_NAME) | ||
| public class SSCIssueGetCommand extends AbstractSSCOutputCommand { | ||
| @Getter @Mixin private OutputHelperMixins.Get outputHelper; | ||
| @Mixin private SSCAppVersionResolverMixin.RequiredOption parentResolver; | ||
| @Parameters(index = "0", arity = "1", descriptionKey = "fcli.ssc.issue.get.id") | ||
| private String id; | ||
| @Mixin private SSCIssueBulkEmbedMixin bulkEmbedMixin; | ||
| @Mixin private SSCIssueIncludeMixin includeMixin; | ||
|
jmadhur87 marked this conversation as resolved.
|
||
|
|
||
| @Override | ||
| protected IObjectNodeProducer getObjectNodeProducer(UnirestInstance unirest) { | ||
| String appVersionId = parentResolver.getAppVersionId(unirest); | ||
| return requestObjectNodeProducerBuilder(ObjectNodeProducerApplyFrom.SPEC) | ||
| .baseRequest(getBaseRequest(unirest, appVersionId)) | ||
| .build(); | ||
| } | ||
|
|
||
| private HttpRequest<?> getBaseRequest(UnirestInstance unirest, String appVersionId) { | ||
| return unirest.get(SSCUrls.PROJECT_VERSION_ISSUE(appVersionId, id)).queryString("qm", "issues"); | ||
| } | ||
|
|
||
| @Override | ||
| public boolean isSingular() { | ||
| return true; | ||
| } | ||
| } | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, same is true here as what I wrote for SSC. Although (contrary to SSC) the FoD endpoint used by this command does support the query parameters generated
FoDIssueIncludeMixin, the user shouldn't need to explicitly pass--includeif the given issue id is hidden/removed/... If user passes an id, we should just gt that id regardless of issue state. In other words, we should automatically pass query parameters to find issues in any state.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To confirm my understanding the fix here would be to remove the [--include] option from the [get] command and hardcode includeFixed=true and includeSuppressed=true in [findIssue()] for both ssc and fod, so that any issue can be retrieved by ID regardless of its state, without requiring the user to pass extra flags. Is that what you're expecting?
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Correct for FoD; you'd always add the request parameters to have FoD return fixed/suppressed/... issues, such that FoD will return the issue data for the requested id independent of whether it's visible, fixed, suppressed, ...
For SSC, you're using an endpoint to get the issue data for a specific issue id. This endpoint will return that data independent of whether the issue is hidden/removed/suppressed; the endpoint doesn't support the request parameters generated by the
SSCIssueIncludeMixin, and doesn't support theqmrequest parameter as explained in other comments.