fortify-ps / FortifyBugTrackerUtility

Automated submission of FoD and SSC vulnerabilities to external systems
MIT License

UAT Feedback #10

Closed drharper closed 8 years ago

drharper commented 8 years ago

Default Configuration file: Comment out the following two properties in fod.topLevelFieldFilters

  <entry value="In Remediation" key="developerStatus"/>

Error Handling: Providing an incorrect password to FoD gives error message "Error Accessing bug tracker" instead of "Error accessing FoD"

-JiraPassword: Specifying this on the command line causes Java to stop working

Credentials in XML file: If you specify credentials in the XML file you still need to specify FoDBaseUrl and JiraBaseUrl on the command line

User Feedback: As tickets are created it lists them on the console (nice). However, if nothing is created nothing is listed which might confuse people. I think the program should always end with the message "Processing completed successfully: XX tickets created in Jira" or words to that effect.

LogFile and LogLevel: No log file generated - This might be user error!

Supporting files attached: JiraTest.zip

ryancblack commented 8 years ago

Resolved misleading error message for FoD credentials.

ryancblack commented 8 years ago

-JiraPassword: Specifying this on the command line causes Java to stop working

This does not crash when running the same arguments in Eclipse but is readily reproducible at the command line with:

java -jar FoDBugTrackerUtility-1.0.jar fodUserCredentialsToJiraGrouped -FoDBaseUrl https://emea.hpfod.com/ -FoDTenant redact -FoDUserName redact -FoDPassword "redact" -JiraBaseUrl http://redact:8080/ -JiraPassword "redact" -JiraUserName "redact" -FoDReleaseId redact -JiraProjectKey ABC

If -Xcheck:jni is used warnings are emitted and the utility runs without crashing the JRE:

WARNING: JNI local refs: zu, exceeds capacity: zu
    at java.lang.System.initProperties(Native Method)
    at java.lang.System.initializeSystemClass(System.java:1166)
WARNING in native method: JNI call made without checking exceptions when required to from CallStaticObjectMethod

Will follow up with @rsenden for advice as the cause of the issue is not readily apparent to me.

ryancblack commented 8 years ago

@drharper - Can you please clarify the properties you want commented in the default config?

Default Configuration file: Comment out the following two properties in fod.topLevelFieldFilters

drharper commented 8 years ago

The default configuration file includes:

which were left over from testing. These should be commented out. They are useful examples but should not be the defaults.

ryancblack commented 8 years ago

Configuration items commented.

ryancblack commented 8 years ago

Credentials in XML file: If you specify credentials in the XML file you still need to specify FoDBaseUrl and JiraBaseUrl on the command line

Configuration sections are an "all or none" setup, perhaps we handle this with documentation around that?

ryancblack commented 8 years ago

User Feedback: As tickets are created it lists them on the console (nice). However, if nothing is created nothing is listed which might confuse people. I think the program should always end with the message "Processing completed successfully: XX tickets created in Jira" or words to that effect

Added "processing complete for process runner" logging message

ryancblack commented 8 years ago

@drharper - logging must be set before the specified processor. I can confirm the below works:

-logFile logname.log -logLevel debug fodClientCredentialsToJiraNonGrouped -FoDBaseUrl https://hpfod.com/ -FoDTenant redacted -FoDClientId redacted -FoDClientSecret "redacted" -FoDReleaseId redacted -JiraProjectKey JPU -JiraBaseUrl http://nope.com:8080/ -JiraUserName redacted -JiraPassword "redacted"

The default log level is info

ryancblack commented 8 years ago

Credentials in XML file: If you specify credentials in the XML file you still need to specify FoDBaseUrl and JiraBaseUrl on the command line

Set

contextProperties.add(new ContextProperty(IContextJiraConnectionProperties.PRP_BASE_URL, "JIRA base URL", context, getBaseUrl(), false));

Required to false, read from console in:

/processrunner-bugtracker-jira/src/main/java/com/fortify/processrunner/jira/connection/ContextAwareJiraConnectionRetriever.java

ryancblack commented 8 years ago

@drharper - please try the attached build and let me know if the above are resolved.

https://github.com/ryancblack/FoDBugTrackerUtility/commit/54cca4cdbc00b9a8752ff987a147b721a6ddf0dc

FoDBugTrackerUtility-1.0.zip

drharper commented 8 years ago

All identified issues addressed except for

Error Handling: Providing an incorrect password to FoD gives error message "Error Accessing bug tracker" instead of "Error accessing FoD"

This issue is not a show-stopper.

Test script attached. JiraTest.zip

ryancblack commented 8 years ago

Issue addressed.