chore: Merge Aviator 26.2 changes

fcli-core/fcli-aviator-common/build.gradle.kts

@@ -14,10 +14,15 @@ tasks.withType<JavaCompile>().configureEach { dependsOn("generateProto") }
 dependencies {
     implementation(project(":fcli-core:fcli-common"))
     implementation("org.yaml:snakeyaml:2.3")
-    implementation("jakarta.xml.bind:jakarta.xml.bind-api:2.3.3")
-    implementation("org.glassfish.jaxb:jaxb-runtime:2.3.3")
+
+    // JAXB for XML object marshalling (used in FVDLProcessor legacy parser)
+    implementation("jakarta.xml.bind:jakarta.xml.bind-api:3.0.1")
+    implementation("org.glassfish.jaxb:jaxb-runtime:3.0.2")
     implementation("com.sun.activation:jakarta.activation:2.0.1")
-    implementation("jakarta.xml.ws:jakarta.xml.ws-api:3.0.1")
+
+    // Note: StAX (javax.xml.stream) uses Woodstox 7.1.1 via jackson-dataformat-xml
+    // from fcli-common (needed for XML output). No explicit dependency required.
+
     implementation("com.auth0:java-jwt:4.5.0")
     implementation("io.grpc:grpc-netty-shaded:1.76.0")
     implementation("io.grpc:grpc-protobuf:1.76.0")

fcli-core/fcli-aviator-common/src/main/java/com/fortify/cli/aviator/_common/exception/AviatorQuotaFilterException.java

@@ -0,0 +1,24 @@
+/*
+ * Copyright 2021-2026 Open Text.
+ *
+ * The only warranties for products and services of Open Text
+ * and its affiliates and licensors ("Open Text") are as may
+ * be set forth in the express warranty statements accompanying
+ * such products and services. Nothing herein should be construed
+ * as constituting an additional warranty. Open Text shall not be
+ * liable for technical or editorial errors or omissions contained
+ * herein. The information contained herein is subject to change
+ * without notice.
+ */
+package com.fortify.cli.aviator._common.exception;
+
+/**
+ * Exception thrown when quota-based filtering results in zero issues to audit.
+ * This is not a technical error but a business logic outcome indicating that
+ * all issues were filtered out based on quota and priority constraints.
+ */
+public class AviatorQuotaFilterException extends AviatorSimpleException {
+    public AviatorQuotaFilterException(String message) {
+        super(message);
+    }
+}

fcli-core/fcli-aviator-common/src/main/java/com/fortify/cli/aviator/applyRemediation/ApplyAutoRemediationOnSource.java

@@ -32,7 +32,7 @@ public static RemediationMetric applyRemediations(FprHandle fprHandle, String so
         LOG.info("Starting apply auto-remediation process for file: {}", fprHandle.getFprPath());
 
         if (!fprHandle.hasRemediations()) {
-            LOG.error("FPR file does not contain remediations.xml file: {}", fprHandle.getFprPath());
+            //LOG.error("FPR file does not contain remediations.xml file: {}", fprHandle.getFprPath());
             throw new AviatorSimpleException("FPR file does not contain remediations.xml file.");
         }
         LOG.info("FPR validation successful");

fcli-core/fcli-aviator-common/src/main/java/com/fortify/cli/aviator/audit/AuditFPR.java

@@ -37,7 +37,7 @@
 import com.fortify.cli.aviator.fpr.model.AuditIssue;
 import com.fortify.cli.aviator.fpr.model.FPRInfo;
 import com.fortify.cli.aviator.fpr.processor.AuditProcessor;
-import com.fortify.cli.aviator.fpr.processor.FVDLProcessor;
+import com.fortify.cli.aviator.fpr.processor.StreamingFVDLProcessor;
 import com.fortify.cli.aviator.util.FprHandle;
 import com.fortify.cli.aviator.util.ResourceUtil;
 
@@ -65,28 +65,29 @@ public static FPRAuditResult auditFPR(AuditFprOptions options)
         Map<String, AuditResponse> auditResponses = new ConcurrentHashMap<>();
         AuditOutcome auditOutcome = performAviatorAudit(
                 parsedData, options.getLogger(), options.getToken(), options.getAppVersion(), options.getUrl(), options.getSscAppName(), options.getSscAppVersion(),
-                auditResponses, filterSelection
+                auditResponses, filterSelection, options.getFprHandle(), options.getFolderPriorityOrder()
         );
 
         // --- STAGE 4: FINALIZATION ---
         return finalizeFprAudit(
                 auditOutcome, auditResponses, parsedData.auditProcessor,
-                tagMappingConfig, parsedData.fprInfo, parsedData.fvdlProcessor
+                tagMappingConfig, parsedData.fprInfo
         );
     }
 
     private static ParsedFprData prepareAndParseFpr(FprHandle fprHandle) {
         try {
             // Processors now take the FprHandle directly, no more extracted path
             AuditProcessor auditProcessor = new AuditProcessor(fprHandle);
-            FVDLProcessor fvdlProcessor = new FVDLProcessor(fprHandle);
+            //FVDLProcessor fvdlProcessor = new FVDLProcessor(fprHandle);
+            StreamingFVDLProcessor streamingFVDLProcessor = new StreamingFVDLProcessor(fprHandle);
 
             Map<String, AuditIssue> auditIssueMap = auditProcessor.processAuditXML();
             FPRProcessor fprProcessor = new FPRProcessor(fprHandle, auditIssueMap, auditProcessor);
-            List<Vulnerability> vulnerabilities = fprProcessor.process(fvdlProcessor);
+            List<Vulnerability> vulnerabilities = fprProcessor.process(streamingFVDLProcessor);
             FPRInfo fprInfo = fprProcessor.getFprInfo();
 
-            return new ParsedFprData(auditIssueMap, vulnerabilities, fprInfo, auditProcessor, fvdlProcessor);
+            return new ParsedFprData(auditIssueMap, vulnerabilities, fprInfo, auditProcessor, streamingFVDLProcessor);
         } catch (Exception e) {
             LOG.error("A critical error occurred during FPR processing.", e);
             throw new AviatorTechnicalException("Failed to process FPR contents.", e);
@@ -106,21 +107,28 @@ private static TagMappingConfig loadTagMappingConfig(String tagMappingFilePath)
     private static AuditOutcome performAviatorAudit(
             ParsedFprData parsedData, IAviatorLogger logger,
             String token, String appVersion, String url, String sscAppName, String sscAppVersion,
-            Map<String, AuditResponse> auditResponsesToFill, FilterSelection filterSelection) {
+            Map<String, AuditResponse> auditResponsesToFill, FilterSelection filterSelection, FprHandle fprHandle, List<String> folderPriorityOrder) {
 
         IssueAuditor issueAuditor = new IssueAuditor(
-                parsedData.vulnerabilities, parsedData.auditProcessor, parsedData.auditIssueMap,
-                parsedData.fprInfo, sscAppName, sscAppVersion, filterSelection, logger
+                parsedData.vulnerabilities,
+                parsedData.auditProcessor,
+                parsedData.auditIssueMap,
+                parsedData.fprInfo,
+                sscAppName,
+                sscAppVersion,
+                filterSelection,
+                logger,
+                folderPriorityOrder
         );
         return issueAuditor.performAudit(
-                auditResponsesToFill, token, appVersion, parsedData.fprInfo.getBuildId(), url
+                auditResponsesToFill, token, appVersion, parsedData.fprInfo.getBuildId(), url, fprHandle
         );
     }
 
     private static FPRAuditResult finalizeFprAudit(
             AuditOutcome auditOutcome, Map<String, AuditResponse> auditResponses,
             AuditProcessor auditProcessor, TagMappingConfig tagMappingConfig,
-            FPRInfo fprInfo, FVDLProcessor fvdlProcessor) {
+            FPRInfo fprInfo) {
 
         int totalIssuesToAudit = auditOutcome.getTotalIssuesToAudit();
         if (auditResponses.isEmpty()) {
@@ -160,10 +168,10 @@ private static FPRAuditResult finalizeFprAudit(
 
         File updatedFile = null;
         if (issuesSuccessfullyAudited > 0) {
-            updatedFile = auditProcessor.updateAndSaveAuditAndRemediationsXml(auditResponses, tagMappingConfig, fprInfo, fvdlProcessor);
+            updatedFile = auditProcessor.updateAndSaveAuditAndRemediationsXml(auditResponses, tagMappingConfig, fprInfo);
         }
 
         LOG.info("FPR audit process completed with status: {}", status);
         return new FPRAuditResult(updatedFile, status, message, (int) issuesSuccessfullyAudited, totalIssuesToAudit);
     }
-}
+}

fcli-core/fcli-aviator-common/src/main/java/com/fortify/cli/aviator/audit/IssueAuditor.java

@@ -32,6 +32,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import com.fortify.cli.aviator._common.exception.AviatorQuotaFilterException;
 import com.fortify.cli.aviator._common.exception.AviatorSimpleException;
 import com.fortify.cli.aviator._common.exception.AviatorTechnicalException;
 import com.fortify.cli.aviator.audit.model.AuditOutcome;
@@ -51,6 +52,7 @@
 import com.fortify.cli.aviator.grpc.AviatorGrpcClient;
 import com.fortify.cli.aviator.grpc.AviatorGrpcClientHelper;
 import com.fortify.cli.aviator.util.Constants;
+import com.fortify.cli.aviator.util.FprHandle;
 import com.fortify.cli.aviator.util.StringUtil;
 
 
@@ -74,15 +76,16 @@ public class IssueAuditor {
     private final FPRInfo fprInfo;
     private final FilterSelection filterSelection;
 
-
     private final TagDefinition analysisTag;
     private TagDefinition humanAuditTag;
     private TagDefinition aviatorStatusTag;
 
     private final IAviatorLogger logger;
+    private final List<String> customPriorityOrder;
 
-    public IssueAuditor(List<Vulnerability> vulnerabilities, AuditProcessor auditProcessor, Map<String, AuditIssue> auditIssueMap, FPRInfo fprInfo, String SSCApplicationName, String SSCApplicationVersion, FilterSelection filterSelection , IAviatorLogger logger) {
+    public IssueAuditor(List<Vulnerability> vulnerabilities, AuditProcessor auditProcessor, Map<String, AuditIssue> auditIssueMap, FPRInfo fprInfo, String SSCApplicationName, String SSCApplicationVersion, FilterSelection filterSelection , IAviatorLogger logger, List<String> customPriorityOrder) {
         this.logger = logger;
+        this.customPriorityOrder = customPriorityOrder;
         this.MAX_PER_CATEGORY = Constants.MAX_PER_CATEGORY;
         this.MAX_TOTAL = Constants.MAX_TOTAL;
         this.MAX_PER_CATEGORY_EXCEEDED = Constants.MAX_PER_CATEGORY_EXCEEDED;
@@ -141,7 +144,7 @@ private TagDefinition resolveHumanAuditStatus() {
     }
 
     public AuditOutcome performAudit(Map<String, AuditResponse> auditResponses, String token,
-                                    String projectName, String projectBuildId, String url) {
+                                     String projectName, String projectBuildId, String url, FprHandle fprHandle) {
         projectName = StringUtil.isEmpty(projectName) ? projectBuildId : projectName;
         logger.progress("Starting audit for project: %s", projectName);
 
@@ -154,13 +157,18 @@ public AuditOutcome performAudit(Map<String, AuditResponse> auditResponses, Stri
         } else {
             try (AviatorGrpcClient client = AviatorGrpcClientHelper.createClient(url, logger, DEFAULT_PING_INTERVAL_SECONDS)) {
                 CompletableFuture<Map<String, AuditResponse>> future =
-                        client.processBatchRequests(promptsToAudit, projectName, fprInfo.getBuildId(), SSCApplicationName, SSCApplicationVersion, token);
+                        client.processBatchRequests(promptsToAudit, projectName, fprInfo.getBuildId(), SSCApplicationName, SSCApplicationVersion, token, fprHandle, customPriorityOrder);
                 Map<String, AuditResponse> responses = future.get(500, TimeUnit.MINUTES);
                 responses.forEach((requestId, response) -> auditResponses.put(response.getIssueId(), response));
                 logger.progress("Audit completed");
             } catch (ExecutionException e) {
                 Throwable cause = e.getCause();
-                if (cause instanceof AviatorSimpleException) {
+                // Handle quota filtering exception (all issues filtered out)
+                if (cause instanceof AviatorQuotaFilterException) {
+                    logger.progress("All issues filtered out due to quota constraints: %s", cause.getMessage());
+                    // Update totalIssuesToAudit to reflect actual auditable count (0)
+                    totalIssuesToAudit = 0;
+                } else if (cause instanceof AviatorSimpleException) {
                     throw (AviatorSimpleException) cause;
                 } else if (cause instanceof AviatorTechnicalException) {
                     throw (AviatorTechnicalException) cause;
@@ -203,10 +211,11 @@ private ConcurrentLinkedDeque<UserPrompt> prepareAndFilterPrompts() {
                 .collect(Collectors.toList());
 
         // Apply secondary checks (like 'isAudited')
+        prompts = prompts.stream()
+                .filter(this::shouldInclude)
+                .collect(Collectors.toList());
 
-        return prompts.stream()
-                .filter(this::shouldInclude).collect(Collectors.toCollection(ConcurrentLinkedDeque::new));
-
+        return prompts.stream().collect(Collectors.toCollection(ConcurrentLinkedDeque::new));
     }