fortify / fcli

fcli is a command-line utility for interacting with various Fortify products
https://fortify.github.io/fcli/

fcli SSC filter vulnerabilities by scanType #457

Closed webmutation closed 11 months ago

webmutation commented 11 months ago

Hi, I am trying to run the following command on fcli v1.2.3 to get only the SCA scan results report

```
fcli ssc appversion-vuln count --appversion MyApp:version -q scanType=SCA
```

which returns:

```
No data
com.jayway.jsonpath.PathNotFoundException: No results for path: $['scanType']
```

Is there a way to count only specific scan types? I was also looking at -

```
fcli ssc appversion-vuln count --appversion MyApp:version --by=SCA
```

but that does not work either... so I'm pretty sure I am missing something there.

rsenden commented 11 months ago

Hi, to start with, I'd recommend using the latest fcli 1.x version which is currently 1.3.2, although instructions below will likely work with older versions as well.

The appversion-vuln count command is based on grouping functionality provided by SSC, so you'd need to group by analysis type to get the vulnerability count for SCA only, for example using the following fcli command:

```
fcli ssc appversion-vuln count --appversion MyApp:version --by 11111111-1111-1111-1111-111111111151 -q id=SCA
```

The supported values for the --by option can be viewed in SSC; navigate to the Audit page for any application version, select a grouping type in the Group by box, and look for the groupingtype request parameter in the browser URL bar:


This approach only allows for retrieving the total/audited number of Fortify SCA issues, without differentiating between Critical/High/.... I think neither fcli 1.x nor the upcoming fcli 2.0.0 allows for combining filtering and grouping like in the SSC UI; we should probably consider this as a useful enhancement.

If you'd like to combine grouping and filtering, I can think of two possible approaches:

Note that with fcli 1.x, you'll need to manually post-process the JSON output of the fcli ssc rest call command. With the upcoming fcli 2.0.0 release or one of the (dev_develop/dev_2.0.0-beta) pre-releases, you can use the standard fcli output options to properly output the results of this command in table format for example. Note that in fcli 2.0.0, the fcli ssc appversion-vuln count command has been renamed to fcli ssc vulnerability count.
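As an added example (not fcli project code and not part of this thread), the following Python script shows the kind of manual post-processing of `fcli ssc rest call` JSON output described above for fcli 1.x: it reads a grouped-issue response and turns it into per-severity counts. It assumes the response has been redirected to a file and that each group object carries an `id` (the group name, e.g. `Critical`) and a `visibleCount` field, matching the `-q id=...` and `-o expr={visibleCount}` options used in this thread; the exact SSC response shape and the sample data are assumptions and constructed here, not captured from a real SSC instance.

```python
"""Post-process JSON saved from `fcli ssc rest call` into per-severity counts.

Added example, not part of the fcli project. Usage (paths and query are
placeholders, not real values):

  fcli ssc rest call "/api/v1/projectVersions/<id>/issueGroups?groupingtype=<uuid>" > groups.json
  python count_groups.py groups.json

Assumption: the JSON has a top-level "data" list whose entries carry an "id"
(group name) and count fields such as "visibleCount"; the real SSC shape may differ.
"""
import json
import sys

SEVERITIES = ("Critical", "High", "Medium", "Low")


def counts_by_group(payload, field="visibleCount"):
    """Map each group id (e.g. 'Critical') to its count for the chosen count field.

    Groups without an id or without the requested field are skipped rather than
    raising, so a partial or unexpected response still yields a usable summary.
    """
    result = {}
    for group in payload.get("data", []):
        gid = group.get("id")
        if gid is None or field not in group:
            continue
        result[str(gid)] = int(group[field])
    return result


def severity_summary(payload, field="visibleCount"):
    """Return counts for the four standard severities, 0 where a severity is absent."""
    by_group = counts_by_group(payload, field)
    return {sev: by_group.get(sev, 0) for sev in SEVERITIES}


# Constructed sample resembling a grouping-by-severity response; not real SSC output.
# "Medium" is deliberately missing to show the zero-fill behaviour.
SAMPLE = {
    "data": [
        {"id": "Critical", "cleanName": "Critical", "visibleCount": 3, "totalCount": 5, "auditedCount": 1},
        {"id": "High", "cleanName": "High", "visibleCount": 7, "totalCount": 9, "auditedCount": 0},
        {"id": "Low", "cleanName": "Low", "visibleCount": 12, "totalCount": 12, "auditedCount": 12},
    ]
}


def main(argv):
    """Load the JSON file given on the command line, or fall back to the constructed sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            payload = json.load(fh)
    else:
        payload = SAMPLE
    summary = severity_summary(payload)
    for sev, count in summary.items():
        print(f"{sev}: {count}")
    print("total:", sum(summary.values()))


if __name__ == "__main__":
    main(sys.argv)
```

Run without arguments it summarises the constructed sample; pointing it at a saved response gives the same breakdown in one pass, which avoids issuing one SSC request per severity. Passing `field="auditedCount"` instead of the default selects the audited rather than the visible counts.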

webmutation commented 11 months ago

Thank you! Very useful information. I was not aware that we could use pure REST calls like that from the CLI; that will come in handy!

I ended up figuring out, by looking at the UI URL changes, that I could get the filterset id from the URL, so I ended up doing it like this... This filterset only shows CSA results; however, the report now does not have Medium or Low vulnerabilities, which in my case is not critical. I will ask the Fortify administrators to create a new filterset for me to use. Meanwhile this does the trick...

```
fcli ssc appversion-vuln count --appversion MyApp:version --filterset=32142c2d-3f7f-4863-a1bf-42jadfrfasd2ed -q id=Critical -o expr={visibleCount}
fcli ssc appversion-vuln count --appversion MyApp:version --filterset=32142c2d-3f7f-4863-a1bf-42jadfrfasd2ed -q id=High -o expr={visibleCount}
```

"I think neither fcli 1.x nor the upcoming fcli 2.0.0 allows for combining filtering and grouping like in the SSC UI; we should probably consider this as a useful enhancement."

That would be AWESOME!

rsenden commented 11 months ago

@webmutation Good to know that this approach works for you. Just a minor potential optimization; with the commands above (especially if you'll do the same for Medium and Low vulnerabilities), you're querying the same data from SSC multiple times. Using fcli variable support, you can reduce this to one SSC roundtrip:

```
fcli ssc appversion-vuln count --appversion MyApp:version --filterset=32142c2d-3f7f-4863-a1bf-42jadfrfasd2ed --store vulncount
fcli cfg var contents list vulncount -q id=Critical -o expr={visibleCount}
fcli cfg var contents list vulncount -q id=High -o expr={visibleCount}
...
fcli cfg var def delete vulncount
```

Some notes:

webmutation commented 11 months ago

Greatly appreciate the suggestion; I have already put it in place. I only started learning fcli a couple of weeks ago, and your guidance has been invaluable. Thanks!