fortify / fcli

fcli is a command-line utility for interacting with various Fortify products
https://fortify.github.io/fcli/

Add `fcli tool debricked-cli *` commands #468

Closed rsenden closed 4 months ago

rsenden commented 8 months ago

This will be somewhat different compared to other tool commands, as Debricked provides platform-specific binaries. So, we'd need to:

  1. Determine which platform binary to download and install
  2. Determine checksums for all the different variants
  3. Ability to extract .tgz files

For #1, we'd need to use System.getProperty("os.name") and System.getProperty("os.arch") to determine the appropriate binary. We'd need to add functionality to the generic tool classes to allow the defaultDownloadUrl property in the yaml file to contain an {asset} placeholder, i.e. defaultDownloadUrl: https://github.com/debricked/cli/releases/download/v{toolVersion}/{asset}. The AbstractToolInstallCommand could then have a getAsset() method that returns null by default but overridden in ToolDebrickedCLIInstallCommand to return the appropriate asset name for the current platform/architecture, which is then passed to ToolHelper to determine the appropriate download URL.

For #2, to avoid having to maintain a list of all download checksums for all Debricked CLI variants, we should probably reuse the checksums.txt file as published by Debricked. Instead of:

versions:
  - version: x.y.z
    digest: SHA-256:7d3fc9ada2df3cd5ed6159685d36656d04cef6ddda69bff2110702c052e64fce

We could add support for something like:

versions:
  - version: 1.3.0
    digestFile:
      url: https://github.com/debricked/cli/releases/download/v1.3.0/checksums.txt
      algorithm: ...
      digest: SHA-256:... (digest of checksums.txt)

With this configuration, fcli would download the checksums.txt file, verify its integrity, and then use the appropriate checksum to verify integrity of the actual tgz file being downloaded (based on the filename in the download URL).

For #3, probably best to use Apache commons-compress, unless we can find a better/smaller library (commons-compress supports many archive algorithms that we don't need)
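The three pieces of the design sketched above (platform-specific asset selection, a two-stage digest check that pins checksums.txt and then verifies the asset named by the last path segment of the download URL, and .tgz handling), as an added Python example that is not fcli's or Debricked's code. The asset names, the `SHA-256:<hex>` spec style and the sha256sum-style line format of checksums.txt are assumptions, and the release data is constructed in memory so the example runs offline:

```python
import hashlib
import hmac
import io
import platform
import posixpath
import tarfile

# Assumed asset names keyed by (os, arch). The real Debricked release naming
# is not shown on the page; these are placeholders for the example.
ASSET_NAMES = {
    ("linux", "x86_64"): "cli_linux_x86_64.tar.gz",
    ("linux", "aarch64"): "cli_linux_arm64.tar.gz",
    ("darwin", "x86_64"): "cli_macos_x86_64.tar.gz",
    ("darwin", "arm64"): "cli_macos_arm64.tar.gz",
    ("windows", "amd64"): "cli_windows_x86_64.tar.gz",
}


def select_asset(os_name=None, arch=None):
    """Step 1: pick the platform asset (Python analogue of os.name / os.arch)."""
    key = ((os_name or platform.system()).lower(),
           (arch or platform.machine()).lower())
    if key not in ASSET_NAMES:
        raise RuntimeError("no asset for %s/%s" % key)
    return ASSET_NAMES[key]


def verify_digest(data, spec):
    """Check data against an 'SHA-256:<hex>' spec; raise ValueError on mismatch."""
    algo, _, expected = spec.partition(":")
    actual = hashlib.new(algo.replace("-", "").lower(), data).hexdigest()
    if not hmac.compare_digest(actual, expected.lower()):
        raise ValueError("digest mismatch: expected %s, got %s" % (expected, actual))
    return True


def parse_checksums(text):
    """Parse sha256sum-style lines ('<hex>  <file>') into {file: hex}; format assumed."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith("#"):
            entries[parts[1].lstrip("*")] = parts[0].lower()  # '*' = binary-mode marker
    return entries


def verify_asset(asset_name, asset_bytes, checksums_bytes, checksums_spec):
    """Step 2: the yaml-pinned digest anchors checksums.txt, which then anchors the asset."""
    verify_digest(checksums_bytes, checksums_spec)  # untrusted download until this passes
    entries = parse_checksums(checksums_bytes.decode("utf-8"))
    if asset_name not in entries:
        raise ValueError("no checksum entry for %s" % asset_name)
    verify_digest(asset_bytes, "SHA-256:" + entries[asset_name])
    return True


def safe_members(asset_bytes):
    """Step 3: list regular-file members of a .tgz, refusing traversal, absolute paths and links.

    Archive libraries (tarfile before 3.12, commons-compress) do not reject '../' members
    for you, so the check has to happen before extractall().
    """
    names = []
    with tarfile.open(fileobj=io.BytesIO(asset_bytes), mode="r:gz") as tar:
        for m in tar.getmembers():
            norm = posixpath.normpath(m.name)
            if m.name.startswith("/") or norm.split("/")[0] == "..":
                raise ValueError("unsafe archive member: %s" % m.name)
            if m.issym() or m.islnk():
                raise ValueError("link in archive refused: %s" % m.name)
            if m.isfile():
                names.append(norm)
    return names


def build_sample_release(asset_name="cli_linux_x86_64.tar.gz", member_name="debricked"):
    """Constructed in-memory stand-in for a release: (asset bytes, checksums.txt, pinned spec)."""
    buf = io.BytesIO()
    payload = b"#!/bin/sh\necho debricked\n"
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(member_name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    asset = buf.getvalue()
    checksums = ("%s  %s\n%s  other_platform.tar.gz\n" % (
        hashlib.sha256(asset).hexdigest(), asset_name, "0" * 64)).encode("utf-8")
    return asset, checksums, "SHA-256:" + hashlib.sha256(checksums).hexdigest()


if __name__ == "__main__":
    asset, checksums, pinned = build_sample_release()
    name = select_asset("Linux", "x86_64")
    verify_asset(name, asset, checksums, pinned)
    print("verified", name, "members:", safe_members(asset))
```

The point of the ordering in `verify_asset` is that checksums.txt is just another file fetched from the release page; it only becomes a trust anchor once its own digest, recorded in the yaml, has been checked. With `safe_members` in front of extraction, `tar.extractall(dest, members=...)` can then be limited to the vetted entries.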

crance commented 6 months ago

@rsenden will this enhancement take into consideration uploading the results file to SSC after #3?

MikeTheSnowman commented 6 months ago

@crance, I've just created #488 which I think is a closer match to what you're requesting.

rsenden commented 4 months ago

@crance, this feature just enables fcli to install Debricked CLI, and has nothing to do with actually running Debricked scans or uploading Debricked results to SSC (for the latter, there's already the fcli ssc artifact import-debricked command).

I'm now closing this issue as the fcli tool debricked-cli * commands have been implemented in fcli v2.2.0. If you want to discuss any integration between Debricked and fcli, please comment on the issue #488 that @wtfacoconut created.