CHANGELOG.md

Changelog

3.14.3 (2026-01-21)

Bug Fixes

• Only mask values that are not blank and longer than 4 characters (as short values are not considered secure/sensitive and are more likely to interfere with regular output), to avoid unexpected masking in log & console output (fixes #904) (fac5538)

3.14.2 (2025-12-24)

Bug Fixes

• Update dependencies (aeab071)
• Update MCP SDK to avoid VS Code Copilot plugin errors (aeab071)

3.14.1 (2025-12-19)

Bug Fixes

• ci action: Write job summary to GitHub Actions job summary (9688fc6)
• Action framework: Return proper exit code as set by exit instruction (4a44f45)

3.14.0 (2025-12-18)

Features

• fcli tool * get: New commands for displaying detailed information about a specific installed tool version (737f39a)
• fcli tool * install: Add hidden --copy-if-matching option (internal use by fcli tool env init) to copy from existing installation instead of downloading (737f39a)
• fcli tool * install: Tool installations now show action status (installed/copied/registered/skipped) for better visibility (737f39a)
• fcli tool * register: New commands for registering existing tool installations with automatic version detection (supports binary path, bin directory, or installation directory) (737f39a)
• fcli tool definitions update: Add --force option to update definitions even if they are up-to-date (737f39a)
• fcli tool definitions update: Add --max-age option to only update definitions if older than specified period (e.g., 1h, 4h, 1d) (737f39a)
• fcli tool env init: New command for automatically setting up one or more Fortify tools (auto-detects pre-installed tools, downloads if necessary, supports air-gapped environments, and platform-specific tool caching) (737f39a)
• fcli tool env shell|powershell|github|gitlab|ado|expr: New commands for generating environment variable exports for installed or registered tools in various shell or CI/CD-specific formats (737f39a)
• fcli tool sc-client install: Add --jre option to specify custom JRE home directory for use with fcli tool sc-client run command (737f39a)
• fcli tool sc-client install: Improve JRE handling with automatic detection from environment variables (SC_CLIENT_JRE_HOME, SCANCENTRAL_JRE_HOME) (737f39a)
• Action SpEL functions: Add #opt(name, value) function for conditionally formatting command-line options (737f39a)
• Add fcli state persistency information in help output and 'session not found' errors when running in Docker containers (7c72c8a)
• Add UBI9 images for fortifydocker/fcli (b26962d)
• fcli ci action: Add support for PREINSTALLED environment variable to require all tools to be pre-installed, preventing automatic downloads (737f39a)
• fcli ci action: Add support for pre-installed tools via SC_CLIENT_HOME and DEBRICKED_HOME environment variables, complementing existing dynamic installation (737f39a)
• fcli debricked-scan action: Change default --cli-version from latest to auto for smarter version resolution (737f39a)
• fcli debricked-scan action: Simplify tool setup by using fcli tool env init instead of separate update/install steps (737f39a)
• fcli detect-env action: Renamed from ci-vars and updated to provide general environment detection capabilities (CI platform, Git repository, ...) (737f39a)
• fcli package action: Change default --sc-client-version from latest to auto for smarter version resolution (737f39a)
• fcli package action: Simplify tool setup by using fcli tool env init instead of separate update/install steps (737f39a)
• Publish shell-based UBI9 variant of fortifydocker/fcli to allow for interactive use (7c72c8a)

Bug Fixes

• fcli * action sign: Remove ability to generate private key to avoid the use of weak encryption algorithms (d04e38a)
• fcli aviator: Correct filtering logic to prevent valid issues from being skipped during audit (dd253b5)
• fcli aviator: Ensure consistent file hash generation across different builds (dd253b5)
• fcli fod sast-scan setup: Keep existing settings for "aviator" and "oss" unless explicit --[no-]oss or --[no-]use-aviator specified (fixes #885) (649cd88)
• fcli ssc session login: Fail with proper error if supplied token is invalid (09ce146)
• fcli ci action: Post-scan tasks (check-policy, release-summary, pr-comment, export) are now properly skipped if no scans were run (737f39a)
• fcli debricked-scan action: Mask Debricked token in console output (b28d342)
• fcli debricked-scan action: Show Debricked output both on successful run and in case of errors (b28d342)
• Improve error handling and error output (737f39a)

3.13.1 (2025-11-07)

Bug Fixes

• fcli aviator * apply-remediations: Fix NullPointerException if --source-dir not specified (fixes #860) (c5923d0)
• fcli sc-dast scan: Add support for new ScanCentral DAST scan status types (f50777a)
• fcli sc-dast scan: Fix ArrayIndexOutOfBoundsException if ScanCentral DAST returns a scan status type that is not (yet) known to fcli, now returning UnknownScanStatusType instead (f50777a)
• fcli util mcp-server start: Improve fcli tool * run commands to adhere to fcli stdout/stderr processing, to avoid tool output from interfering with MCP JSON-RPC messages (fixes #859) (2fa7817)
• fcli util mcp-server start: Improve support for long-running operations (ff757af)
• fcli util mcp-server start: Return paged records as soon as they become available (4f59fde)
• SSC bulkaudit action: Exclude from MCP tools as it doesn't make sense to run a batch process through LLM (de5472c)
• SSC bulkaudit action: Initialize stats.audit_failures counter to 0 to prevent error (0a0a00a)
• SSC debricked-scan action: Exclude from MCP tools as this actions requires sensitive data to be entered (16442a8)

3.13.0 (2025-10-31)

Features

• fcli license ncd-report: Add support for Azure DevOps (see #299) (bb0b9b9)
• fcli ssc appversion create: If there's only a single issue template marked as 'in use', this template will now be considered as the default template if no default template is explicitly configured in SSC (1a865d7)
• Add bulkaudit SSC action for automated SAST Aviator batch auditing of SSC application versions (2b9391d)
• FoD ci action: Add support for new scan-agnostic DO_WAIT environment variable & deprecate DO_SAST_WAIT (b87ac3b)
• SSC ci action: Add support for new scan-agnostic DO_WAIT environment variable & deprecate DO_SAST_WAIT (b87ac3b)
• SSC ci action: Incorporate debricked-scan action to allow for running both SAST & Debricked SCA scan (b87ac3b)
• SSC debricked-scan action: New action for running a Debricked scan and importing results to SSC (b87ac3b)

Bug Fixes

• fcli aviator * apply-remediations: Fix InvalidPathException for quoted paths (848b97e)
• fcli aviator ssc audit: Automatically refresh SSC metrics if necessary before auditing (2b9391d)
• fcli fod session login: Ignore --tenant when authenticating with client credentials (7014b3c)

3.12.0 (2025-10-27)

Features

• fcli util all-commands list: Include list of full command aliases (fe00faa)

Bug Fixes

• fcli * action help ci: Fix table layout (00f09a2)
• Action development guide: Add missing sample snippets (ad24754)
• Action development guide: Fix indentation in sample snippets (543037a)
• Action development guide: Fix typo in cli.option sample snippet (543037a)
• Action development guide: Various other minor improvements (543037a)
• Action framework: Fix stdout output being suppressed in run.fcli::records.for-each steps, affecting for example fcli ssc action run servicenow-csv-report -f stdout (d88d47f)
• Fix color output on Windows (jar/exe) (f2712f8)
• Fix table output on Linux native binary (d32d98b)
• Fix various code quality issues, like potentially unreleased resources, null pointer references, ... (24a3ca7)

3.11.0 (2025-10-21)

Features

• --style option: Add (no-)fast-output support to enable faster table output by sampling first 100 records to determine column width (b1e5659)
• --style option: Add (no-)wrap support to control text wrapping in table cells (b1e5659)
• ci action: Detect data from local Git repository (a52f0ef)
• fcli fod issue ls: Add --app option to allow for listing issues at application level (closes #596) (f9454b1)
• fcli ssc issue list: Add (queryable) folderName property in output (2212093)
• fcli ssc rest call: Add /api/v1 prefix if missing, to support same endpoint format as listed in the SSC REST API reference in recent SSC versions (c6dd23b)
• Action schema: Add #ifBlank SpEL function (a52f0ef)
• Action schema: Add #localRepo SpEL function for obtaining local repository metadata (bfeee2e)
• Add fcli fod attribute commands for managing FoD attributes (resolves #679) (3157d64)

Bug Fixes

• ci action: Improve Azure DevOps detection logic (a52f0ef)
• fcli aviator ssc prepare: Fix exception in fcli native binaries (fixes #830) (cbbdc2e)
• fcli aviator: Fix bugs in FPR source processing and remediation generation (#833) (9512d78)
• fcli fod issue ls: Some fixed issues were not properly annotated with (F) (fixes #820) (f9454b1)
• fcli fod session login: Fix NullPointerException if protocol is missing in FoD URL (fixes #827) (244bd94)
• fcli ssc session login: Improve exception if protocol is missing in SSC or SC-SAST Controller URL (8e89bd8)
• Compile native binaries in CPU compatibility mode to allow them to run on more CPU architectures (0217b8f)
• Improve table output (f18f2f0)

3.10.0 (2025-10-09)

Features

• fcli aviator app: Show quota in output of the create, get, list, and update commands (4fd5756)
• fcli aviator ssc audit: Add --filterset, --no-filterset, and --folder options to allow for selecting issues to be audited (4fd5756)
• Add fcli aviator fod apply-remediations command to apply Aviator-proposed remediations from an audited FPR file in FoD to a local source code directory (4fd5756)
• Add fcli aviator ssc apply-remediations command to apply Aviator-proposed remediations from an audited FPR file in SSC to a local source code directory (4fd5756)
• Add fcli aviator ssc prepare command to configure Aviator custom tags on SSC issue templates and application versions (4fd5756)
• Add fcli fod action run gitlab-debricked-report (#818) (2175af6)

Bug Fixes

• fcli aviator ssc audit: Add preflight check for auditable issues (4fd5756)
• fcli aviator ssc audit: Improve FPR handling with Zip File System Provider integration and proper resource cleanup (4fd5756)
• fcli aviator ssc audit: Improve FPR parsing speed and memory efficiency (4fd5756)
• fcli aviator ssc audit: Improve FPR validation for FPRs with DAST-only issues (4fd5756)
• fcli aviator ssc audit: Prevent race condition crash by checking executor state before retrying gRPC stream (#819) (646a963)
• fcli util mcp-server start: Some common actions were exposed as MCP tools on modules that don't support actions through the CLI (fa49f97)

3.9.1 (2025-10-02)

Bug Fixes

• fcli aviator ssc audit: Improve cleanup of temporary files (6175f54)
• fcli aviator ssc audit: Resolve file token leak during Aviator artifact uploads, to avoid SSC errors due to reaching maximum number of allowed file tokens (6d2e28c)
• fcli ssc: Reduce bulk request batch size to prevent potential networking timeouts due to SSC taking too long to process large bulk requests (eae7948)
• fcli util mcp-server start: Improve usage help (d4225ce)
• Improve progress message handling (9af8e67)

3.9.0 (2025-09-29)

Features

• fcli fod *-scan setup: Implement --skip-if-exists option for all scan types (resolves #593) (219c6f6)
• fcli fod microservice: Add --attrs and --auto-required-attrs options on applicable micro service commands (resolves #640) (5b7eb7e)
• fcli ssc appversion create: Add --add-tags and --rm-tags options (6c3a5a4)
• fcli ssc appversion update: Add --add-tags and --rm-tags options (6c3a5a4)
• fcli ssc issue-template create: Add --add-tags and --rm-tags options (6c3a5a4)
• fcli ssc issue-template update: Add --add-tags and --rm-tags options (6c3a5a4)
• Add fcli ssc custom-tag commands for creating, listing, and updating custom tags (6c3a5a4)
• Add fcli ssc issue-template commands for managing issue templates, deprecate corresponding fcli ssc issue *-template(s) commands (6c3a5a4)
• Add fcli util mcp-server start command to allow LLMs to interact with Fortify products through fcli (#806) (92131a6)

Bug Fixes

• fcli aviator ssc audit: Prevent command from stalling on errors & other error handling improvements (#811) (4deff48)
• fcli fod *-scan wait-for: Add scan queue position (see #677) (219c6f6)
• fcli fod access-control update-user: Change action field to REQUESTED instead of UPDATED, as changes may not be applied immediately by FoD (09e39bf)
• fcli fod dast-scan cancel not working (ba59f6f)
• fcli fod dast-scan start: Implemented DAST Automated scan queuing/cancelling to avoid error if scan already running (fixes #565) (51aa462)
• fcli ssc action run ci: Fix failure when Aviator audit is enabled (fixes #789) (103263a)
• Add fcli action SpEL functions documentation (#791) (daf54a5)

3.8.1 (2025-07-25)

Bug Fixes

• Fix build issue that caused fcli release process to fail (4d074d3)

3.8.0 (2025-07-25)

Features

• fcli aviator session login: Validate connection and token (0befdb7)
• fcli aviator ssc audit: Generate remediations.xml with code fixes from aviator audit results (0befdb7)
• fcli aviator: SAST Aviator 25.3.0 release (0befdb7)
• gitlab-sast-report actions: Add trace nodes (f2df2e4)
• Action schema: Support if: instruction on individual with: elements (f6f8175)
• Add gitlab-codequality-report actions for SSC and FOD (resolves #733) (8c9b87c)
• Add action schema documentation (see #701) (f1acba0)
• FoD setup-release action: Add --store option to store FoD release data in fcli variable (e325852)
• SSC ci action: Add support for running Aviator audit after scan completion (resolves #750) (5722a68)
• SSC setup-appversion action: Add --store option to store SSC application version data in fcli variable (e325852)

Bug Fixes

• fcli aviator ssc audit: Improve handling of PROTOCOL_ERROR by adding retry for failed streams (0befdb7)
• fcli aviator ssc audit: Skip suppressed issues in Aviator audit (0befdb7)
• fcli aviator token *: --email option is now optional in aviator token commands (0befdb7)
• Action run.fcli instruction: Improve error handling (5fedf4a)
• Commands that output Action column: Fix (renamed) __action__ property being included in output even if not explicitly listed in -o <fmt>=<properties> (fixes #774) (8352608)
• Commands that output Action column: Fix __action__ property improperly being renamed to Action for technical output formats like json or yaml (fixes #774) (8352608)
• Commands that output Action column: Fix ,__action__:Action being appended to expr output (fixes #774) (8352608)
• SSC setup-appversion action: Add missing quotes to avoid exception if the name of the application version to create contains spaces (9e0dbba)
• Throw proper exception on invalid character encoding (resolves #772) (3fb54bb)

3.7.0 (2025-07-07)

Features

• fcli ssc session login: Allow for disabling SC-SAST/SC-DAST connectivity (resolves #740) (b7aaae2)

Bug Fixes

• ci action: Improve & complement usage help (fixes #752, closes #762) (22a5498)
• fcli aviator ssc audit: Fix thread synchronization issues that randomly cause exceptions while auditing (7819ec5)
• gitlab-*-report actions: Output empty string instead of null for description field (da7f705)
• gitlab-dast-report FoD action: Fix exception if site tree is unavailable (6b24369)
• Fix action progress messages not being cleared before final output (fixes #766) (4f03395)
• Fix incorrect synopsis in documentation for built-in actions (fixes #765) (closes #767) (4f18948)
• SSC check-policy action: Fix --filterset option being ignored (55e555d)

3.6.0 (2025-06-14)

Features

• *-sast-report actions: Add --source-dir option to allow for matching Fortify-reported source file paths against repository file paths (fixes #749) (775c5a3)
• ci actions: Automatically pass --source-dir option to SAST report actions (fixes #749) (775c5a3)
• fcli fod: New fcli fod oss list-components command (resolves #244) (775c5a3)

Bug Fixes

• fcli fod sast-scan setup: Allow assessment type to be specified by Id or Name (resolves #738) (775c5a3)
• fcli fod: Fix issue with page handling in REST responses, potentially causing issues if more than 9 pages of results are available on FoD (775c5a3)

3.5.2 (2025-06-05)

Bug Fixes

• fcli aviator: Handle 0-byte and corrupted ZIP entries during FPR processing (3140991)

3.5.1 (2025-05-22)

Bug Fixes

• fcli aviator: Fix NullPointerException when auditing certain vulnerabilities (#744) (4bd9e5d)

3.5.0 (2025-05-19)

Features

• fcli fod mast-scan: Improve setup and start commands based on FoD API improvements (fixes #685) (#737) (4bdfd87)

Bug Fixes

• fcli aviator: Fix reflection issues in fcli native binaries (#736) (acb6794)

3.4.1 (2025-04-30)

Bug Fixes

• Fix bug in Aviator module (7f66cbc)

3.4.0 (2025-04-29)

Features

• Unhide fcli aviator commands for upcoming Aviator release (0e3d0c7)

3.3.0 (2025-04-25)

Features

• Add log masking capabilities (68a7875)

Bug Fixes

• FoD release-summary action: Support FoD 24.3 (FedRAMP) (#721) (7c87e8d)

3.2.1 (2025-04-15)

Bug Fixes

• fcli * action run: Apply generic fcli --debug option on transitive fcli invocations (af20495)
• fcli sc action run ci: Download server-side logs & FPR file if generic fcli --debug option is specified (af20495)
• fcli sc-sast scan start: Re-add separate option for enabling server-side diagnostics collection, independent of generic fcli --debug option (af20495)
• fcli tool sc-client run: Respect generic fcli --debug option to add ScanCentral Client -debug option (af20495)

3.2.0 (2025-04-14)

Features

• ci & package actions: Store ScanCentral Client log files in current working directory for easy access (d3f604b)
• fcli * action run package/ci: Use generic --debug option to enable ScanCentral Client debug logging (3f8b007)
• fcli sc-sast scan start: Use generic --debug option to enable both fcli logging and requesting ScanCentral diagnostic logs to be generated (3f8b007)
• fcli tool sc-client run: Add --logdir option to specify log file location (d3f604b)
• Add generic --debug flag; this enables both fcli logging, and may be used by some fcli commands or fcli actions to enable additional logging functionality (3f8b007)

Bug Fixes

• If --log-level was specified without --log-file, no log file was being generated (3f8b007)

3.1.1 (2025-04-07)

Bug Fixes

• Fix Docker image publishing (7426df9)

3.1.0 (2025-04-07)

Features

• Add FoD servicenow-csv-report action (7978f8d)
• Add gitlab-installer-svc Docker image (7978f8d)
• Add SSC servicenow-csv-report action (7978f8d)

Bug Fixes

• ci-vars action: Properly remove trailing .git from GitLab repo URL (b9938b8)
• fcli fod issue ls: Add partial server-side filtering support (daf4aec)
• Exception on YAML output if no data (e25994d)
• Fix stderr being suppressed in run.fcli action step (7e88f07)
• Fix table output exception (fixes #708) (24e70e3)
• Improve output on REST response exceptions (e051bcc)

3.0.0 (2025-03-18)

⚠ BREAKING CHANGES

• fcli:--output option: Removed some output formats, partially replaced by new --style option
• fcli fod: Renamed --session option to --fod-session
• fcli * action: Significant changes to fcli action yaml syntax; custom actions developed for fcli 2.x will not run on fcli 3.x, and vice versa
• fcli sc-dast session: All SC-DAST session commands have been removed; please use fcli ssc session commands instead
• fcli sc-dast: Renamed --session option to --ssc-session
• fcli sc-sast session: All SC-SAST session commands have been removed; please use fcli ssc session commands instead
• fcli sc-sast: Renamed --session option to --ssc-session
• fcli sc-sast scan start: Local files referenced in --sargs must now be preceded with @, not file:. This is a shorter, more common convention for referencing files.
• fcli sc-sast scan start: Renamed --ssc-ci-token option to --publish-token to better describe the purpose
• fcli sc-sast scan start: Remove -p / --package-file option; replaced by -f / --file
• fcli sc-sast scan start: Remove -m / --mbs-file option; replaced by -f / --file
• fcli ssc session: Now manages combined SSC/SC-SAST/SC-DAST sessions, allowing a single session to be used for invoking all SSC/SC-SAST/SC-DAST commands
• fcli ssc: Renamed --session option to --ssc-session
• fcli ssc session login: Removed --ci-token option; please use --token option instead
• fcli ssc appversion create: Removed deprecated AnalysisProcessingRules as allowed value for --copy option; use processing-rules instead
• fcli ssc appversion create: Removed deprecated BugTrackerConfiguration as allowed value for --copy option; use bugtracker instead
• fcli ssc issue: Removed hidden/preview check command, as this is now implemented through the check-policy action

Features

• fcli * action: New package action for packaging source code using ScanCentral Client (2a9e69e)
• fcli * action: Significant changes to fcli action yaml syntax; custom actions developed for fcli 2.x will not run on fcli 3.x, and vice versa (2a9e69e)
• fcli action: New top-level action command for cross-product or product-agnostic actions (2a9e69e)
• fcli aviator: New module to manage Fortify Aviator and run Aviator audits (hidden until Aviator has been released) (2a9e69e)
• fcli config: Add ability to configure fcli trust store through environment variables (#690) (2a9e69e)
• fcli fod app create: New --skip-if-exists option (2a9e69e)
• fcli fod issue: New update command (resolves fortify#669) (#698) (2a9e69e)
• fcli fod: Renamed --session option to --fod-session (2a9e69e)
• fcli sc-dast session: All SC-DAST session commands have been removed; please use fcli ssc session commands instead (2a9e69e)
• fcli sc-dast: Renamed --session option to --ssc-session (2a9e69e)
• fcli sc-sast scan download: New command for downloading FPR, logs, job files (2a9e69e)
• fcli sc-sast scan list: New command for listing scan jobs (2a9e69e)
• fcli sc-sast scan start: Add --debug option to request debug (diagnosis) logs to be collected for the scan job (2a9e69e)
• fcli sc-sast scan start: Add --no-replace option to keep existing scan jobs (2a9e69e)
• fcli sc-sast scan start: Add --publish-as option to specify the name of the FPR file that is uploaded to SSC (2a9e69e)
• fcli sc-sast scan start: Add --scan-timeout option to specify scan job time-out (2a9e69e)
• fcli sc-sast scan start: Add -f / --file option to specify scan payload; automatically detects MBS or package file (2a9e69e)
• fcli sc-sast scan start: Local files referenced in --sargs must now be preceded with @, not file:. This is a shorter, more common convention for referencing files. (2a9e69e)
• fcli sc-sast scan start: Remove -m / --mbs-file option; replaced by -f / --file (2a9e69e)
• fcli sc-sast scan start: Remove -p / --package-file option; replaced by -f / --file (2a9e69e)
• fcli sc-sast scan start: Renamed --ssc-ci-token option to --publish-token to better describe the purpose (2a9e69e)
• fcli sc-sast session: All SC-SAST session commands have been removed; please use fcli ssc session commands instead (2a9e69e)
• fcli sc-sast: Renamed --session option to --ssc-session (2a9e69e)
• fcli ssc action: Add support for sc-sast and sc-dast request targets in action implementations (2a9e69e)
• fcli ssc appversion create: Removed deprecated AnalysisProcessingRules as allowed value for --copy option; use processing-rules instead (2a9e69e)
• fcli ssc appversion create: Removed deprecated BugTrackerConfiguration as allowed value for --copy option; use bugtracker instead (2a9e69e)
• fcli ssc issue: Removed hidden/preview check command, as this is now implemented through the check-policy action (2a9e69e)
• fcli ssc session login: Default session lifetime when authenticating with user credentials is now 3 days for recent SSC versions, instead of only 1 day (2a9e69e)
• fcli ssc session login: New --client-auth-token option due to SC-SAST sessions now being managed through SSC sessions (2a9e69e)
• fcli ssc session login: New --sc-sast-url option due to SC-SAST sessions now being managed through SSC sessions (2a9e69e)
• fcli ssc session login: Removed --ci-token option; please use --token option instead (2a9e69e)
• fcli ssc session: Now manages combined SSC/SC-SAST/SC-DAST sessions, allowing a single session to be used for invoking all SSC/SC-SAST/SC-DAST commands (2a9e69e)
• fcli ssc: Renamed --session option to --ssc-session (2a9e69e)
• fcli tool: Allow cached tool installations to be re-used if fcli state information is lost (for example across different CI pipeline runs) (2a9e69e)
• fcli tool: New run commands for directly running installed tools through fcli (2a9e69e)
• fcli: New --style option to allow for overriding default output styles (2a9e69e)
• fcli:--output option: Removed some output formats, partially replaced by new --style option (2a9e69e)

Bug Fixes

• fcli fod action: gitlab-sast-report: Output empty string instead of null for description field (2a9e69e)
• fcli fod action: setup-release: Add tech stack and language level options (fixes #691) (#692) (2a9e69e)
• fcli fod app create: Allow for optional or numeric owner (fixes #686) (2a9e69e)
• fcli fod dast-scan start-legacy: New --validate-entitlement option to validate entitlement is defined and/or valid (fixes #682) (#684) (2a9e69e)
• fcli fod dast-scan start: New --validate-entitlement option to validate entitlement is defined and/or valid (fixes #682) (#684) (2a9e69e)
• fcli fod mast-scan start: New --validate-entitlement option to validate entitlement is defined and/or valid (fixes #682) (#684) (2a9e69e)
• fcli fod oss-scan start: New --validate-entitlement option to validate entitlement is defined and/or valid (fixes #682) (#684) (2a9e69e)
• fcli fod sast-scan start: New --validate-entitlement option to validate entitlement is defined and/or valid (fixes #682) (#684) (2a9e69e)
• fcli sc-sast scan start: Request Linux sensor if package contains file names that are incompatible with Windows sensors (2a9e69e)
• fcli sc-sast scan status: Use v4 endpoint to retrieve SSC-related properties (2a9e69e)
• fcli ssc report: Add missing report types (fixes #697) (bd5187b)

2.12.3 (2025-03-12)

Bug Fixes

• Refreshed build with updated tool definitions (870e3cd)

2.12.2 (2025-01-21)

Bug Fixes

• fcli fod action run github-sast-report: Add severity data to report (1e80d5e)
• fcli fod action run sarif-sast-report: Add severity data to report (1e80d5e)
• fcli ssc action run github-sast-report: Add severity data to report (1e80d5e)
• fcli ssc action run sarif-sast-report: Add severity data to report (1e80d5e)

2.12.1 (2025-01-07)

Bug Fixes

• fcli ssc av create: --copy-from option now copies all attribute values (fixes #666) (5a32f3f)

2.12.0 (2024-12-23)

Features

• fcli fod dast setup-website, fcli fod dast setup-workflow, fcli fod dast setup-api: Add --vpn option for specifying Fortify Connect network name (site-to-site VPN) to use (fixes #644) (8e38b94)
• fcli fod mast setup, fcli fod mast get-config: Updates for new API (fixes #642) (8e38b94)
• fcli tool sc-client install: Add options to install compatible JRE (85bc662)

Bug Fixes

• fcli fod action run release-summary: Improve/simply based on FoD 24.4 API changes (8e38b94)
• fcli fod release update: Add "Retired" option fo --sdlc-status (fixes #642) (8e38b94)
• fcli fod action run release-summary update (fixes #639) (b7e16c4)

2.11.1 (2024-12-11)

Bug Fixes

• fcli fod action run github-pr-comment: Use GITHUB_API_URL environment variable instead of hardcoded api.github.com to avoid failure on GitHub Enterprise (da7eba3)
• fcli ssc action run github-pr-comment: Use GITHUB_API_URL environment variable instead of hardcoded api.github.com to avoid failure on GitHub Enterprise (da7eba3)

2.11.0 (2024-12-11)

Features

• fcli ssc appversion list: Add --exclude option to allow for excluding empty versions, or versions that have no issues assigned to current user (ba0c126)
• fcli ssc appversion list: Add --include option to allow for listing active, inactive, or both active and inactive versions (ba0c126)

2.10.1 (2024-12-05)

Bug Fixes

• fcli sc-sast scan start: Output root exception if error occurs while determining .NET version (0bb7260)

2.10.0 (2024-11-21)

Features

• fcli sc-sast session login: Allow for overriding SC SAST Controller URL (resolves #611) (a5eb382)
• fcli ssc appversion update: Add --active option to allow activating/deactivating applications versions (resolves #625) (#647) (c2c9a33)

Bug Fixes

• fcli ssc artifact get: Include scan data in output (resolves #637) (e6f1a3e)

2.9.1 (2024-11-07)

Bug Fixes

• fcli ssc action run appversion-summary: Add note about removed issue count (0c93649)
• fcli ssc action run appversion-summary: Fix exception if application version has artifacts with 0 issues (fixes #633) (c89817d)

2.9.0 (2024-10-30)

Features

• fcli fod action run setup-release: Add support for creating parent application & microservice if not existing (9e3a8fd)
• fcli fod release create: Add support for creating parent application & microservice if not existing (576b620)
• fcli fod release create: Ignore --copy-from if equal to release being created (576b620)
• fcli fod release create: Ignore --copy-from if first release on new application (576b620)
• fcli fod release create: Throw user-friendly error when trying to copy release from different application (576b620)

Bug Fixes

• Improve parsing of boolean action parameters (d3b6f4c)

2.8.0 (2024-10-25)

Features

• fcli sc-sast scan start: Add support for passing scan arguments through --sargs option (resolves #449) (#627) (7920a40)
• Add fcli fod release wait-for command to wait for release(s) to leave suspended state (resolves #624) (0cdde30)

Bug Fixes

• fcli fod action run setup-release: Add Development default value for --sdlc-status (9a1b1bf)
• fcli fod action run setup-release: Wait for release to exit suspended state (07d0914)
• Fix fcli command links in action documentation (fixes #622) (fecf423)

2.7.1 (2024-09-27)

Bug Fixes

• Fix fcli completion script sourcing error (fixes #580) (4ff86f4)
• FoD release-summary action: Fix potential SpEL exception for releases with open-source scans enabled (fixes #612) (5260bc8)
• Improve synopsis order (fixes #133) (78b530c)
• Show proper syntax for --store option in help output (fixes #613) (cac574d)

2.7.0 (2024-09-25)

Features

• fcli fod release create: Support release attributes (fixes fortify#592) (3727329)
• fcli fod sast-scan setup: Add --skip-if-exists option (edcece5)
• fcli fod sast-scan setup: Add --use-aviator option (fixes fortify#594) (013af6f)
• fcli fod sast-scan setup: Set --technology-stack to Auto Detect by default (fixes #595) (852d7bf)
• fcli sc-sast scan start: Add option to select sensor pool for the scan (d071d25)
• fcli ssc appversion copy-state: Add --refresh-timeout option (89cf435)
• fcli ssc appversion create: Add --refresh-timeout option (89cf435)
• Add fcli sc-sast sensor-pool list command (77fcc1c)
• Add FoD setup-release action (4ab86c0)
• Add SSC setup-appversion action (e3a273c)
• FoD & SSC: Add aws-sast-report actions to enable integrating Fortify results with AWS Security Hub (#559) (dc79095)

Bug Fixes

• fcli fod app update: Ignore release attributes if included in --attrs option (fixes fortify#604) (e2077b9)
• fcli fod release create: Ignore application attributes if included in --attrs option (fixes fortify#604) (e2077b9)
• fcli fod release update: Ignore application attributes if included in --attrs option (fixes fortify#604) (e2077b9)
• fcli ssc appversion refresh-metrics: Allow for fcli state wait-for-job ::var:: to be invoked without errors even if no refresh was required (89cf435)
• Increase issue limit for github-sast-report to match current GitHub limits (3a2d489)

2.6.0 (2024-09-09)

Features

• Publish fortifydocker/fcli image (c72487d)

Bug Fixes

• fcli fod action run *-sast-report: Warn instead of fail if scan summary is not (yet) available from FoD (077157f)
• FoD: Improve help output for fcli fod *-scan wait-for commands (#587) (937baf5)
• Work-around for user.home in Docker images (9c6a56c)

2.5.3 (2024-08-30)

Bug Fixes

• Fix error on fcli ssc session login command on older SSC versions (fixes #584) (d028052)

2.5.2 (2024-08-21)

Bug Fixes

• FoD/SSC: Improve github-pr-comment action output (694e7ae)
• SSC: Fix application version link in appversion-summary & bitbucket-sast-report actions (4f40a04)

2.5.1 (2024-08-14)

Bug Fixes

• fcli fod mast-scan start: Add --platform option as required by current FoD API (7703939)
• fcli fod mast-scan start: Fix description for --file option (7703939)

2.5.0 (2024-08-13)

Features

• fcli ssc appversion create: Allow for copying attributes & user access (667ba4f)
• FoD: Debricked SBOM Export/Import (resolves #560) (aac8e10)

Bug Fixes

• fcli fod issue list: Add --include option to allow for retrieving fixed and/or suppressed issues (fixes #545) (01c2ac2)
• fcli ssc issue list: Add --include option to allow for retrieving hidden, fixed and/or suppressed issues (318ca98)
• fcli fod action run release-summary fails parsing scan dates (fixes fortify#569) (#570) (9ed8032)
• Fix exception in github-sast-report & sarif-sast-report actions if there are no SAST issues to be processed (01bce49)
• No longer require user credentials on SSC, SC-SAST & SC-DAST logout commands (requires SSC 24.2+) (cb7867b)
• NullPointerException in fcli fod *ast-scan get (fixes #553) (f2eab9c)
• Pass non-default session name to fcli: action statements (fixes #555) (8b762e2)
• Update copyright statement to 2024 (833c607)
• Update release-summary action to include OSS (resolves #561) (aac8e10)
• When authenticating with an SSC authentication token, the SSC, SC-SAST & SC-DAST session commands will now display token expiration date (requires SSC 24.2+) (c2e66bc)
• When authenticating with an SSC authentication token, the SSC, SC-SAST & SC-DAST session login commands will now validate whether the given token is a valid token (c2e66bc)

2.4.0 (2024-05-17)

Features

• Add fcli config public-key commands for managing trusted public keys (4dff325)
• Add fcli fod action commands for running a variety of yaml-based actions (4dff325)
• Add fcli fod issue list command (4dff325)
• Add fcli ssc action commands for running a variety of yaml-based actions (4dff325)
• Add fcli ssc issue list command (4dff325)
• Add actions for generating application version/release summary (4dff325)
• Add actions for generating BitBucket, GitHub, GitLab, SARIF and SonarQube vulnerability reports (4dff325)
• Add preview actions for generating GitHub Pull Request comments (4dff325)
• Add sample actions for checking security policy criteria (4dff325)
• Migrate FortifyVulnerabilityExporter functionality to yaml-based fcli actions (4dff325)

Bug Fixes

• fcli ssc appversion create: Command will now fail instead of creating uncommitted application version if the application version specified on --copy-from option does not exist (4dff325)
• FoD: Update wait-for commands to use internal API (closes #526, #500) (4dff325)

2.3.0 (2024-03-05)

Features

• Add support for configuring proxy settings through conventional environment variables HTTP_PROXY, HTTPS_PROXY, ALL_PROXY & NO_PROXY (used if proxy is not explicitly configured through 'fcli config proxy' commands) (881adbd)

2.2.0 (2024-02-05)

Features

• fcli fod: Add fcli fod report commands for creating and downloading FoD reports (resolves #263) (5796379)
• fcli fod: Add preview commands for starting and managing DAST Automated scans (db898ee)
• fcli ssc: Add fcli ssc report commands for generating, downloading & managing SSC reports (resolves #205) (60e7855)
• fcli tool: Add fcli tool * install --base-dir option to specify the base directory under which all tools will be installed. By default, fcli will now also install tool invocation scripts in a global <base-dir>/bin directory, unless the --no-global-bin option is specified. This allows for having a single bin-directory on the PATH, while managing the actual tool versions being invoked through the fcli tool * install commands. (e2db51d)
• fcli tool: Add fcli tool * install --uninstall option to remove existing tool installations while installing a new tool version, allowing for easy tool upgrades. (e2db51d)
• fcli tool: Add fcli tool debricked-cli commands for installing Debricked CLI and managing those installations. (e2db51d)
• fcli tool: Add fcli tool definitions commands, allowing tool definitions to be updated to make fcli aware of new tool versions that were released after the current fcli release. Customers may also host customized tool definitions, for example allowing for alternative tool download URLs or restricting the set of tool versions available to end users. (e2db51d)
• fcli tool: Add fcli tool fcli commands for installing Fortify CLI and managing those installations. (e2db51d)
• fcli tool: By default, the fcli tool * install commands will now install tools under the <user.home>/fortify/tools base directory (no dot/hidden directory), instead of <user.home>/.fortify/tools (e2db51d)
• fcli tool: Deprecate fcli tool * install --install-dir option; the new --base-dir option is now preferred as it supports new functionality like global bin-scripts. (e2db51d)

Bug Fixes

• fcli ssc: The --attributes option on fcli ssc appversion * and fcli ssc attribute * commands now supports setting multiple values for an attribute (bd3fd62)

2.1.0 (2023-11-21)

Features

• fcli ssc appversion create: Add options for copying existing application version (75461db)
• Add fcli ssc appversion copy-state command (75461db)
• Add fcli system-state wait-for-job command (75461db)

Bug Fixes

• rename new SSC_URL PROJECT_VERSION_ACTION-> PROJECT_VERSIONS_ACTION (55178be)

2.0.0 (2023-10-25)

⚠ BREAKING CHANGES

• Core: Most commands/options now use case-sensitive matching to avoid inconsistent behavior between server-side and client-side matching
• Core: Change fcli variable syntax & behavior for easier use
• Core: Change query expression syntax to allow for advanced queries
• Core: Restructure fcli home/data directories. Configuration & session data stored by earlier fcli versions will not be available after upgrading, and will not be automatically removed. It's recommended to manually delete the ~/.fortify/fcli folder when upgrading, and then use the new fcli version to re-apply configuration settings.
• Core: Change environment variable names for better clarity and avoiding conflicts with other Fortify command-line utilities
• Core: The .jar version of fcli now requires Java 17 or higher to run
• fcli config: Restructure command tree & options for consistency & ease of use
• fcli config: Move variable-related commands to fcli util
• fcli fod: Restructure existing commands & options for consistency & ease of use
• fcli sc-dast: Minor restructuring of command tree & options for consistency & ease of use
• fcli sc-sast: Minor restructuring of command options for consistency & ease of use
• fcli ssc: Restructure existing commands & options for consistency & ease of use
• fcli tool: Minor restructuring of command options for consistency & ease of use

Features

• fcli config: Move variable-related commands to fcli util (ae7ad75)
• fcli config: Restructure command tree & options for consistency & ease of use (ae7ad75)
• fcli fod: Fixes, usability improvements & new commands for managing applications, microservices, releases, scans & scan results (ae7ad75)
• fcli fod: Move out of preview mode, now officially supported (ae7ad75)
• fcli fod: Restructure existing commands & options for consistency & ease of use (ae7ad75)
• fcli fod: Various other fixes & usability improvements (ae7ad75)
• fcli license: New command, adding support for generating MSP & NCD license usage reports (ae7ad75)
• fcli sc-dast: Minor restructuring of command tree & options for consistency & ease of use (ae7ad75)
• fcli sc-dast: Various fixes & usability improvements (ae7ad75)
• fcli sc-sast: Minor restructuring of command options for consistency & ease of use (ae7ad75)
• fcli sc-sast: New command for listing ScanCentral SAST sensors (ae7ad75)
• fcli sc-sast: Various fixes & usability improvements (ae7ad75)
• fcli ssc: Add support for applying filters on issue counts (ae7ad75)
• fcli ssc: Add support for embedding additional data on fcli ssc appversion get/list commands (ae7ad75)
• fcli ssc: New commands for creating local users, refreshing metrics, listing rule packs & listing SSC configuration settings (ae7ad75)
• fcli ssc: New commands for managing performance indicators & variables (PREVIEW) (ae7ad75)
• fcli ssc: Restructure existing commands & options for consistency & ease of use (ae7ad75)
• fcli ssc: Various other fixes & usability improvements (ae7ad75)
• fcli tool: Add support for FortifyBugTrackerUtility (ae7ad75)
• fcli tool: Improve tool version & digest handling (ae7ad75)
• fcli tool: Minor restructuring of command options for consistency & ease of use (ae7ad75)
• fcli util: Add variable-related commands (moved from fcli config) (ae7ad75)
• fcli util: Add various other utility commands (ae7ad75)
• Core: Add support for interactive confirmation on commands that require confirmation (ae7ad75)
• Core: Change environment variable names for better clarity and avoiding conflicts with other Fortify command-line utilities (ae7ad75)
• Core: Change fcli variable syntax & behavior for easier use (ae7ad75)
• Core: Change query expression syntax to allow for advanced queries (ae7ad75)
• Core: Restructure fcli home/data directories. Configuration & session data stored by earlier fcli versions will not be available after upgrading, and will not be automatically removed. It's recommended to manually delete the ~/.fortify/fcli folder when upgrading, and then use the new fcli version to re-apply configuration settings. (ae7ad75)
• Core: The .jar version of fcli now requires Java 17 or higher to run (ae7ad75)

Bug Fixes

• Core: Most commands/options now use case-sensitive matching to avoid inconsistent behavior between server-side and client-side matching (ae7ad75)
• Core: Various bug fixes and many other improvements (ae7ad75)

1.3.2 (2023-10-12)

Bug Fixes

• fcli tool vuln-exporter install: Add support for latest (2.0.4) version (a44ddc3)

1.3.1 (2023-09-20)

Bug Fixes

• fcli tool sc-client install: Add support for latest (23.1.0) version (93af1c6)
• fcli tool vuln-exporter install: Add support for latest (2.0.3) version (c7d4af6)

1.3.0 (2023-08-18)

Features

• Configurable connect & socket timeout (3015bb5)

1.2.5 (2023-04-07)

Bug Fixes

• fcli tool vuln-exporter install: Add support for latest (2.0.2) version (e0ce21a)

1.2.4 (2023-04-07)

Bug Fixes

• fcli tool vuln-exporter install: Add support for latest (2.0.1) version (9c34f73)

1.2.3 (2023-03-09)

Bug Fixes

• fcli ssc appversion-artifact download: Include externalmetadata.xml in current state FPR download by passing arbitrary clientVersion parameter to SSC (fixes #257) (2694ffe)

1.2.2 (2023-03-05)

Bug Fixes

• fcli tool sc-client install: Add support for latest (22.2.1) version (38e93eb)

1.2.1 (2023-03-05)

Bug Fixes

• Custom trust store ignored by native binaries (fixes #253) (a0af875)

1.2.0 (2023-02-09)

Features

• FoD: Add fod sast-scan setup (implements #225) (e556f1e)
• FoD: Added functionality for user CRUD (implements #245) (818622a)
• FoD: Added functionality for user group CRUD (implements #246) (818622a)

Bug Fixes

• fcli tool vuln-exporter install: Add support for latest (2.0.0) version (d7ccaea)

1.1.0 (2023-01-19)

Features

• Add support for configuring custom SSL trust store (fixes #221) (2732e37)
• SSC: Add support for importing Debricked results (e2a6f1e)

Bug Fixes

• fcli * session login: Improve error output on previous session logout failure (fixes #219) (86b0868)
• fcli sc-dast session login: Require SSC credentials to be specified (fixes #223) (ea049ec)
• fcli sc-sast scan start: NullPointerException instead of proper error message if no options provided (fixes #232) (1efa62b)
• fcli sc-sast session login: Improve usage help for --client-auth-token and explicitly check token validity (fixes #230) (ce6324b)
• fcli sc-sast session login: Require SSC credentials to be specified (fixes #222) (b252069)
• Fix NoSuchFileExceptions if FCLI_HOME or FORTIFY_HOME set to relative directory (fixes #227) (2ef6b21)
• Fix NullPointerException if no module(s) configured for proxy (fixes #228) (11ec6e1)
• Improve help output for -h option (fixes #217) (f2e47b0)
• Improve output of session commands to provide better consistency with other CRUD commands (fixes #220) (153f96e)
• SSL verification was incorrectly disabled by default and enabled by -k option (fixes #231) (7fa56c3)

1.0.5 (2023-01-11)

Bug Fixes

• FoD: Fix some commands not working in native binaries (#216) (02baa48)

1.0.4 (2023-01-03)

Bug Fixes

• fcli sc-sast scan start: Accept both encoded or decoded token for --ssc-ci-token option (fixes #215) (1c0ba17)
• Improve interactive prompts (fixes #213) (ad15067)

1.0.3 (2022-12-22)

Bug Fixes

• fcli config var def list: Show created date as last accessed date if variable contents haven't been read yet (fixes #207) (302c9ca)
• fcli sc-dast sensor enable/disable: Fix HostNotFoundException due to hidden non-ASCII characters in endpoint URI (fixes #212) (ca65080)
• fcli ssc appversion-vuln count: Add missing -q option (fixes #209) (cdb2849)
• Better description of default behavior for boolean options (fixes #206) (903c1c4)
• Fix ANSI (color) codes on Windows (05e159e)

1.0.2 (2022-12-16)

Bug Fixes

• Fix fcli --version not displaying version number in native binaries (fixes #112) (b3b48e6)

1.0.1 (2022-12-15)

Bug Fixes

• fcli ssc app update: Fix 'application not found' error when updating app name (fixes #166) (f8ebad6)
• fcli ssc appversion update: Fix application name not shown in output (fixes #183) (32f130b)
• fcli ssc appversion update: Fix exception if no --userdel option is specified (fixes #175) (c7ebb98)
• fcli ssc appversion-artifact download: --no-include-sources now available for both application file and individual FPR download (fixes #173) (216ac2a)
• fcli ssc appversion-artifact download: HTTP 500 error when downloading application file (216ac2a)
• fcli ssc appversion-artifact upload: Improve usage message for --engine-type option (fixes #176) (6cc775e)
• fcli ssc attribute-definition get: Allow category prefix when specifying guid (fixes #186) (7b02f61)
• fcli ssc issue-template create: Display 'Default template=true' if --set-as-default specified (fixes #180) (6f2101e)
• fcli ssc issue-template delete: Fix issue templates not being deleted (fixes #182) (0b55974)
• fcli ssc issue-template update: Fix 'issue template not found' error when updating issue template name (fixes #181) (a6002b1)
• fcli ssc plugin: Fix "No serializer" errors (fixes #187, fixes #188) (88d8886)
• fcli ssc role create: Allow comma-separated list of permission id's (fixes #190) (1426116)
• fcli ssc role delete: Fix role not being deleted (fixes #191) (e329c89)
• fcli ssc token update: Improve usage message (fixes #177) (8e8b924)
• fcli ssc token: Make output more consistent with SSC UI (fixes #194) (35523cc)
• fcli tool sc-client install: Add support for latest (22.2.0) version (fixes #179) (dac4b37)

1.0.0 (2022-11-29)

Miscellaneous Chores

• release 1.0.0 (d983f62)