Open · Conversation
Contributor rsenden commented Mar 27, 2026
feat: 'fcli aviator entitlement': Add 'list-sast'/'list-dast' commands and deprecate 'list'
Implement streaming FVDL processing with memory tracking to optimize parser performance
- Remove explicit woodstox-core:6.5.1 (available via jackson-dataformat-xml 7.1.1)
- Remove unused jakarta.xml.ws-api:3.0.1 (SOAP APIs not used)
- Update JAXB dependencies to 3.0.x for version consistency
- Add comments explaining transitive StAX dependency
All code uses standard javax.xml.stream APIs, no changes required. Woodstox 7.1.1 remains available transitively via fcli.java-conventions plugin which adds jackson-dataformat-xml to all modules.
Addresses PR feedback on minimizing dependencies and avoiding outdated versions.
…ta` flags for audit command
- Added new gRPC RPC `GetApplicationByToken` to retrieve application quota.
- Introduced `--skip-if-exceeding-quota` to skip audits if open issues exceed quota.
- Introduced `--test-exceeding-quota` for dry-run mode to report potential skips without auditing.
- Enhanced `AviatorSSCAuditHelper` with methods to get available quota and top unaudited categories.
- Updated FCLI client and server-side implementations to support new features.
- Modified bulk audit YAML to include new options and track quota-skipped statistics.
- Added comprehensive error handling and logging for quota checks.
- Updated documentation and messages for new command options.
This commit implements quota-based filtering with folder priority ordering for SSC audit operations.
Key changes:
- Add quota and quotaLastUpdated fields to InitRequest proto message
- Implement QuotaBasedFilter class for filtering user prompts based on available quota and folder priority
- Add --folder-priority-order CLI option to AviatorSSCAuditCommand for custom priority ordering
- Modify AviatorStreamProcessor to apply quota filtering before processing prompts
- Update StreamState to track quota information from server
- Add QuotaConfig model for quota configuration
- Update bulkaudit.yaml action to support folder priority ordering
- Add unit tests for QuotaBasedFilter
- Pass custom priority order through IssueAuditor constructor
When quota is less than the number of issues to audit, prompts are filtered based on:
1. Custom folder priority order if provided via --folder-priority-order
2. Default priority order (Critical, High, Medium, Low) if no custom order specified
3. Prompts with folders not in the custom order are excluded from filtering
This ensures efficient use of limited quota by prioritizing issues based on their folder/severity.
# Conflicts:
# fcli-core/fcli-aviator-common/src/main/java/com/fortify/cli/aviator/audit/AuditFPR.java
# fcli-core/fcli-aviator-common/src/main/java/com/fortify/cli/aviator/audit/IssueAuditor.java
# fcli-core/fcli-aviator-common/src/main/java/com/fortify/cli/aviator/grpc/AviatorGrpcClient.java
…older Add issue prioritization by folder for audit commands
… tenant_name, signature, and message
feat: SSC `bulkaudit` action: Add `--aviator-app-mapping` option
Updated the output format of audit command to be consistent and extensible. Made --default-quota-fallback unhidden. Refactored getJsonNode method in AviatorSSCAuditCommand class to be shorter and more readable by splitting.
…ogic chore: Add validation for --aviator-app-mapping option
…it2995/fcli into ankit/aviator_quota_overflow
This reverts commit 0d66c01.
feat: Implement `--skip-if-exceeding-quota` and `--test-exceeding-quo…
…ing results in zero issues
When quota-based filtering (via --folder-priority-order) resulted in zero auditable issues, the client output is Failed(No response from server).
Changes:
- Add AviatorQuotaFilterException for zero-issue quota filter scenario
- Add dedicated catch block in AviatorStreamProcessor for cleanup:
  - Stops ping-pong keepalive (stopPingPong())
  - Completes request handler (requestHandler.complete())
  - Counts down stream latch (streamLatch.countDown())
- Add exception handler in IssueAuditor to set totalIssuesToAudit=0
Result:
- Client exits cleanly within 1-2 seconds
- Displays: SKIPPED (0 issues to audit as per --folder-priority-order [...])
- No resource leaks or hanging threads
…older fix: Prevent Failed(No response from server) output when quota filter…
…ate related logic in AviatorStreamProcessor
test: add unit test for FPRInfo to verify default buildId behavior
refactor: enhance logging and request handling in AviatorSSCAuditHelper
feat: Bug Fixes
…n-issues, and --since options
This enhancement provides a more flexible and user-friendly experience for applying Aviator auto-remediations by introducing multiple artifact selection modes:
- --latest: Automatically select the most recent Aviator-processed artifact
- --all-open-issues: Process all artifacts with open issues in bulk
- --since: Filter artifacts by upload date (relative: 7d, 2w, 1M; absolute: 2025-01-01)
Key Changes:
- Replaced required --artifact-id with flexible selection modes
- Added SinceOptionHelper for robust date/period parsing
- Enhanced SSCArtifactHelper with getLatestAviatorArtifact() and getAllAviatorArtifacts()
- Improved command validation with mutual exclusivity checks
- Added comprehensive unit tests for all new options
- Updated i18n messages with detailed usage descriptions
Technical Details:
- SinceOptionHelper supports relative periods (d, w, M, y) and absolute ISO-8601 dates
- DateTimePeriodHelper integration for consistent period parsing across fcli
- Proper UTC timezone handling for date comparisons
- Backward compatible - existing --artifact-id usage unchanged
Closes: #XXX
- Use Picocli ArgGroups for mutually exclusive --artifact-id, --latest, --all-open-issues options in new AviatorSSCApplyRemediationsArtifactSelectorMixin; note @Mixin is not supported inside @ArgGroups, so --av/--delim options are inlined with manual validation in validate()
- Refactor AviatorSSCApplyRemediationsCommand to use inner ArtifactProcessor class with @RequiredArgsConstructor, eliminating repeated unirest/logger/progressWriter parameters and removing nested progress writer in downloadArtifactFpr()
- Fix isSingular() to always return true; all three modes (--artifact-id, --latest, --all-open-issues) return exactly one aggregated ObjectNode, so output structure must be consistent regardless of option chosen
- Refactor SSCArtifactHelper to reduce code duplication between getLatestAviatorArtifact() and getAllAviatorArtifacts() by extracting shared logic into fetchAviatorArtifacts(), isAviatorArtifact(), and shouldStopProcessing() helpers
- Fix loop early-termination bug in getLatestAviatorArtifact(): change continue to break when uploadDate < sinceDate, since artifacts are ordered DESC and all subsequent artifacts will also be too old
- Switch getAllAviatorArtifacts() from ASC to DESC ordering to enable early termination when --since is used; reverse result list before returning to maintain ascending order contract
- Add SLF4J logger to SSCArtifactHelper and log a warning with artifact id when uploadDate cannot be parsed, instead of silently returning false
- Add explanatory comment on the no-data check in getLatestAviatorArtifact() clarifying why an exception is thrown rather than returning null
- Remove AviatorSSCApplyRemediationsCommandTest as validation is now handled declaratively by Picocli ArgGroups
…nd add usage examples
- Move apply-remediations command from fcli-aviator to fcli-fod module (FoDAviatorApplyRemediationsCommand, FoDAviatorCommands, AviatorFoDApplyRemediationsHelper)
- Remove FoD aviator subcommand from AviatorCommands; add aviator subcommand to FoDCommands
- Add fcli-aviator dependency to fcli-fod build.gradle.kts
- Update FoDMessages.properties with i18n keys for the moved command
- Add concrete usage examples to apply-remediations command description covering --artifact-id, --latest, --all-open-issues, --since, and --source-dir combinations
- Remove CHANGELOG.md (not applicable for this branch)
feat(aviator): Improve apply-remediations UX with --latest, --all-ope…
refactor: move FoDAviatorApplyRemediationsCommand test to fcli-fod module
Moved AviatorFoDApplyRemediationsCommandTest from fcli-aviator module to fcli-fod module (as FoDAviatorApplyRemediationsCommandTest) to align with the relocation of FoDAviatorApplyRemediationsCommand to fcli-fod.
- Deleted: fcli-aviator/.../AviatorFoDApplyRemediationsCommandTest.java
- Added: fcli-fod/.../FoDAviatorApplyRemediationsCommandTest.java
    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    factory.setFeature("http://xml.org/sax/features/validation", false);
    DocumentBuilder builder = factory.newDocumentBuilder();
    Document indexDoc = builder.parse(indexPath.toFile());
Check failure: Code scanning / Fortify on Demand: XML External Entity Injection (High)
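The flagged snippet only disables DTD validation and the fetching of an external DTD; neither feature stops the parser from expanding entities declared in an inline DOCTYPE, which is what the XXE finding is about. The following is an added example, not code from fcli or this PR, showing a DocumentBuilderFactory configuration that rejects DOCTYPE declarations entirely, checked against a constructed document that declares an external entity. The class and helper names (`HardenedXmlParserDemo`, `hardenedFactory`, `rejects`) and the sample inputs are assumptions made for the illustration.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedXmlParserDemo {

    // Hypothetical helper (not from fcli): a DocumentBuilderFactory with the
    // XXE-relevant features disabled. The two features in the flagged snippet
    // turn off validation and external-DTD loading only; they leave inline
    // entity declarations and their expansion enabled.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright: the simplest choice when DTDs are not needed,
        // because no entity can be declared without one.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that honour these instead of the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Constructed sample input: a document whose DOCTYPE declares an external
    // entity. A parser that resolves entities would substitute the referenced
    // file's contents into <index>; the hardened parser never gets that far.
    static final String CONSTRUCTED_XXE_SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE index [<!ENTITY ext SYSTEM \"file:///placeholder/local/file\">]>\n"
      + "<index>&ext;</index>";

    // Constructed benign input with no DOCTYPE, which must still parse.
    static final String BENIGN_SAMPLE =
        "<?xml version=\"1.0\"?><index><entry id=\"1\"/></index>";

    /** Returns true if the hardened parser rejected the document, false if it parsed it. */
    static boolean rejects(String xml) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        try {
            builder.parse(new InputSource(new StringReader(xml)));
            return false;
        } catch (SAXParseException e) {
            // disallow-doctype-decl makes the parser fail on the DOCTYPE itself,
            // before any entity is declared or resolved.
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("benign document rejected: " + rejects(BENIGN_SAMPLE));
        System.out.println("DOCTYPE with external entity rejected: " + rejects(CONSTRUCTED_XXE_SAMPLE));
    }
}
```

With the JDK's built-in parser the benign document parses and the DOCTYPE document is rejected with a SAXParseException. If a code base genuinely needs DTDs, `disallow-doctype-decl` cannot be used, and the remaining three feature settings plus `setExpandEntityReferences(false)` become the primary control; the two settings from the flagged snippet alone are not sufficient for the scanner, or for the parser, to consider external entities disabled.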