See https://github.com/fortify/github-action/issues/15 for background information; FVE silently ignores unknown command-line arguments, which can lead to unexpected behavior.

For example, if a user or some integration omits quotes around the application version/release name, as in `--fod.release.name=App with space:rel1`, FortifyVulnerabilityExporter will see `--fod.release.name=App` and ignore `with space:rel1`. Effectively, instead of processing this single release, FVE will process all releases for all applications containing `App` (case-insensitive) in the application name, due to a combination of FVE behavior (processing all releases for a given app if only the app name is specified) and FoD behavior (FoD performs case-insensitive 'contains' matching instead of exact matching).

Unfortunately, there is no explicit list of supported command-line arguments, as each CLI argument basically represents an arbitrary property name that may or may not be used by a particular configuration. However, we could potentially check whether the CLI arguments adhere to the format described at https://github.com/fortify/FortifyVulnerabilityExporter/blob/main/USAGE.md#generic-usage, i.e., the first argument should be the name/path of a configuration file, and all remaining options should be in the format `--prop.name=value`. In the example above, `with space:rel1` doesn't match the expected `--prop.name=value` format, and thus FVE could throw an error.
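The format check proposed above, as an added example that is not FVE's own code: it reproduces the shell word-splitting that turns an unquoted value into stray tokens and then rejects any argument after the configuration file that is not of the `--prop.name=value` shape. The executable name `fve`, the file name `config.yml` and the exact property-name character set are assumptions for illustration, not taken from the project.

```python
import re
import shlex

# Shape of every argument after the configuration file: --prop.name=value.
# The allowed property-name characters are an assumption; FVE does not
# publish a fixed list of property names.
OPTION_RE = re.compile(r"^--[A-Za-z0-9_][A-Za-z0-9_.\-\[\]]*=.*$", re.DOTALL)


def validate_args(argv):
    """Return a list of (index, token, reason) for every argument that does not
    fit the documented '<config file> --prop.name=value ...' layout.

    An empty list means the command line is well-formed.
    """
    problems = []
    if not argv:
        return [(0, "", "missing configuration file argument")]
    if argv[0].startswith("--"):
        problems.append((0, argv[0],
                         "first argument must be the configuration file, not an option"))
    for index, token in enumerate(argv[1:], start=1):
        if not OPTION_RE.match(token):
            problems.append((index, token,
                             "not in --prop.name=value form (unquoted value containing spaces?)"))
    return problems


def check_command(command_line):
    """Split a constructed command line the way a POSIX shell would, drop the
    executable name, and validate what the program would actually receive."""
    argv = shlex.split(command_line)[1:]
    return validate_args(argv)


if __name__ == "__main__":
    # Constructed sample invocations; 'fve' and 'config.yml' are placeholders.
    unquoted = "fve config.yml --fod.release.name=App with space:rel1"
    quoted = 'fve config.yml "--fod.release.name=App with space:rel1"'
    for cmd in (unquoted, quoted):
        found = check_command(cmd)
        print(cmd)
        for index, token, reason in found:
            print(f"  argv[{index}] = {token!r}: {reason}")
        if not found:
            print("  ok: every argument after the config file is --prop.name=value")
```

With the unquoted invocation the validator reports `with` and `space:rel1` as stray tokens, which is exactly the input FVE currently drops on the floor; the quoted form passes unchanged because the shell hands the whole `--fod.release.name=App with space:rel1` string over as a single argument. Rejecting stray tokens before any FoD lookup happens is what keeps a typo from silently widening the query to every matching application.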