Status: Closed (webmutation closed this issue 11 months ago)
Hi, to start with, I'd recommend using the latest fcli 1.x version, which is currently 1.3.2, although the instructions below will likely work with older versions as well.

The `appversion-vuln count` command is based on grouping functionality provided by SSC, so you'd need to group by analysis type to get the vulnerability count for SCA only, for example using the following fcli command:

fcli ssc appversion-vuln count --appversion MyApp:version --by 11111111-1111-1111-1111-111111111151 -q id=SCA

The supported values for the `--by` option can be viewed in SSC: navigate to the Audit page for any application version, select a grouping type in the Group by box, and look for the groupingtype request parameter in the browser URL bar.
This approach only allows for retrieving the total/audited number of Fortify SCA issues, without differentiating between Critical/High/.... I think neither fcli 1.x nor the upcoming fcli 2.0.0 allows for combining filtering and grouping like in the SSC UI; we should probably consider this as a useful enhancement.
If you'd like to combine grouping and filtering, I can think of two possible approaches:

- the `fcli ssc appversion-vuln count` command to combine filterset-based filtering with the appropriate grouping type;
- the `fcli ssc rest call` command, for example:

fcli ssc rest call '/api/v1/projectVersions/10004/issueGroups?qm=issues&groupingtype=FOLDER&filter=ISSUE_11111111-1111-1111-1111-111111111151%3ASCA'

Note that with fcli 1.x, you'll need to manually post-process the JSON output of the `fcli ssc rest call` command. With the upcoming fcli 2.0.0 release or one of the (dev_develop/dev_2.0.0-beta) pre-releases, you can use the standard fcli output options to properly output the results of this command, for example in table format. Note that in fcli 2.0.0, the `fcli ssc appversion-vuln count` command has been renamed to `fcli ssc vulnerability count`.
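The manual JSON post-processing mentioned in the reply above, as an added example that is not part of the original thread and not fcli or SSC project code: a small Python script that builds the issueGroups path for `fcli ssc rest call` (URL-encoding the filter so that the ':' in `ISSUE_<guid>:SCA` becomes `%3A`, exactly as in the command above) and then reads the JSON response from stdin and prints a per-severity count table. The response layout and field names (`data`, `responseCode`, `id`, `visibleCount`, `auditedCount`) are assumptions about what SSC returns, and the embedded sample response is constructed, not captured from a real server.

```python
"""Post-process the JSON that `fcli ssc rest call` (fcli 1.x) prints for the
SSC issueGroups endpoint and turn it into a per-severity table.

Usage (assumed path, see issue_groups_path):
  fcli ssc rest call "$(python3 -c 'from issue_groups import *; \
      print(issue_groups_path(10004, "FOLDER", "ISSUE_<guid>:SCA"))')" \
    | python3 issue_groups.py
Run without piped input it processes the constructed sample below.
"""
import json
import sys
from urllib.parse import urlencode

# Constructed sample response. The field names (id, cleanName, totalCount,
# visibleCount, auditedCount) are ASSUMED to match the SSC issueGroups
# endpoint; they were not captured from a real SSC server. "Medium" is
# deliberately absent to exercise the missing-group handling below.
SAMPLE_RESPONSE = """
{"data":[
  {"id":"Critical","cleanName":"Critical","totalCount":3,"visibleCount":3,"auditedCount":1},
  {"id":"High","cleanName":"High","totalCount":6,"visibleCount":5,"auditedCount":5},
  {"id":"Low","cleanName":"Low","totalCount":12,"visibleCount":12,"auditedCount":0}
],"count":3,"responseCode":200}
"""

SEVERITIES = ("Critical", "High", "Medium", "Low")


def issue_groups_path(version_id, grouping_type, issue_filter):
    """Relative path for `fcli ssc rest call`. urlencode() turns the ':' in
    'ISSUE_<guid>:SCA' into %3A, matching the hand-written URL in the thread."""
    query = urlencode({"qm": "issues", "groupingtype": grouping_type, "filter": issue_filter})
    return f"/api/v1/projectVersions/{int(version_id)}/issueGroups?{query}"


def parse_response(text):
    """Parse the raw JSON and fail loudly on an SSC error instead of
    silently reporting zero issues (assumes SSC reports errors via responseCode)."""
    payload = json.loads(text)
    code = payload.get("responseCode", 200)
    if code != 200:
        raise RuntimeError(f"SSC returned responseCode {code}: {payload.get('message', '')}")
    return payload


def group_counts(payload, field="visibleCount"):
    """Map group id -> count. An empty or missing 'data' array (what fcli
    renders as 'No data') yields an empty dict rather than an exception."""
    return {g["id"]: int(g.get(field, 0)) for g in payload.get("data") or []}


def count_for(counts, group, default=0):
    """Look up one group; a group SSC did not return (e.g. no Medium issues
    in the filter set) counts as `default` instead of raising."""
    return counts.get(group, default)


def severity_summary(payload):
    """Rows of (severity, visible, audited) for every standard severity in a
    fixed order, filling 0 for groups absent from the response."""
    visible = group_counts(payload, "visibleCount")
    audited = group_counts(payload, "auditedCount")
    return [(s, count_for(visible, s), count_for(audited, s)) for s in SEVERITIES]


def main():
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RESPONSE
    rows = severity_summary(parse_response(raw))
    print(f"{'Severity':<10}{'Visible':>8}{'Audited':>8}")
    for sev, vis, aud in rows:
        print(f"{sev:<10}{vis:>8}{aud:>8}")
    print(f"{'Total':<10}{sum(r[1] for r in rows):>8}{sum(r[2] for r in rows):>8}")


if __name__ == "__main__":
    main()
```

Because the script reads the grouped response once and derives every severity locally, it also needs only a single SSC round trip; a severity with no issues simply shows 0 instead of the "No data" / PathNotFoundException result that a `-q` expression on a missing field produces.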
Thank you! Very useful information. I was not aware that we could use pure REST calls like that from the CLI; that will come in handy!
I ended up figuring out, by looking at the UI URL changes, that I could get the filterset ID from the URL, so I ended up doing it like this... This filterset only shows SCA results; however, the report now does not have Medium or Low vulnerabilities, which in my case is not critical. I will ask the Fortify administrators to create a new filterset for me to use. Meanwhile this does the trick...
fcli ssc appversion-vuln count --appversion MyApp:version --filterset=32142c2d-3f7f-4863-a1bf-42jadfrfasd2ed -q id=Critical -o expr={visibleCount}
fcli ssc appversion-vuln count --appversion MyApp:version --filterset=32142c2d-3f7f-4863-a1bf-42jadfrfasd2ed -q id=High -o expr={visibleCount}
"I think neither fcli 1.x or the upcoming fcli 2.0.0 allows for allows for combining filtering and grouping like in the SSC UI; we should probably consider this as a useful enhancement."
That would be AWESOME!
@webmutation Good to know that this approach works for you. Just a minor potential optimization: with the commands above (especially if you'll do the same for Medium and Low vulnerabilities), you're querying the same data from SSC multiple times. Using fcli variable support, you can reduce this to one SSC roundtrip:
fcli ssc appversion-vuln count --appversion MyApp:version --filterset=32142c2d-3f7f-4863-a1bf-42jadfrfasd2ed --store vulncount
fcli cfg var contents list vulncount -q id=Critical -o expr={visibleCount}
fcli cfg var contents list vulncount -q id=High -o expr={visibleCount}
...
fcli cfg var def delete vulncount
Some notes:

- ... `vulncount` variable (and session data) from another pipeline.
- ... the `appversion-vuln` command has been renamed to `vulnerability`, the variable commands have moved to `fcli util variable` with just a single `contents` command, and query expression syntax will change to something like -q 'id=="Critical"'.

Greatly appreciate the suggestion, already put it in place. I just started a couple of weeks ago to learn fcli; your guidance has been invaluable. Thanks!
Hi, I am trying to run the following command on fcli v1.2.3 to get only the SCA scan results report:

fcli ssc appversion-vuln count --appversion MyApp:version -q scanType=SCA
No data
com.jayway.jsonpath.PathNotFoundException: No results for path: $['scanType']

Is there a way to count only specific scan types? I was also looking at:

fcli ssc appversion-vuln count --appversion MyApp:version --by=SCA

but that does not work either... so I'm pretty sure I am missing something there.