chore: Squash-merge develop branch into main

fix: `fcli ssc appversion create`: Command will now fail instead of creating uncommitted application version if the application version specified on `--copy-from` option does not exist fix: FoD: Update `wait-for` commands to use internal API (closes #526, #500) feat: Add `fcli config public-key` commands for managing trusted public keys feat: Add `fcli fod issue list` command feat: Add `fcli ssc issue list` command feat: Add `fcli ssc action` commands for running a variety of yaml-based actions feat: Add `fcli fod action` commands for running a variety of yaml-based actions feat: Migrate FortifyVulnerabilityExporter functionality to yaml-based fcli actions feat: Add actions for generating BitBucket, GitHub, GitLab, SARIF and SonarQube vulnerability reports feat: Add actions for generating application version/release summary feat: Add preview actions for generating GitHub Pull Request comments feat: Add sample actions for checking security policy criteria
fortify · May 17, 2024 · 4dff325 · 4dff325
1 parent db8bea9
commit 4dff325
Show file tree

Hide file tree

Showing 417 changed files with 14,626 additions and 1,459 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -9,7 +9,7 @@ on:
 env:
   native_image_opts: --verbose -H:Log=registerResource:verbose -H:+PrintClassInitialization
   graal_distribution: graalvm-community
-  graal_java_version: 17
+  graal_java_version: 21
 
 jobs:
   build:
@@ -101,7 +101,6 @@ jobs:
         with:
           distribution: ${{ env.graal_distribution }}
           java-version: ${{ env.graal_java_version }}
-          components: 'native-image'
           native-image-musl: true
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
@@ -151,7 +150,6 @@ jobs:
         with:
           distribution: ${{ env.graal_distribution }}
           java-version: ${{ env.graal_java_version }}
-          components: 'native-image'
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
       - uses: actions/download-artifact@v4
@@ -165,10 +163,11 @@ jobs:
       - name: Create native fcli
         run: native-image ${{ env.native_image_opts }} -march=compatibility -H:ExcludeResources="org/fusesource/jansi/internal/native/Windows/.*" -H:ExcludeResources="org/fusesource/jansi/internal/native/Linux/.*" -H:ExcludeResources="org/fusesource/jansi/internal/native/FreeBSD/.*" -jar ./artifacts/release-assets/fcli.jar fcli
 
-      - name: Compress native fcli
-        uses: svenstaro/upx-action@v2
-        with:
-          files: fcli
+      # Disabled for now, as compressed binaries crash on macOS Ventura or above
+      #- name: Compress native fcli
+      #  uses: svenstaro/upx-action@v2
+      #  with:
+      #    files: fcli
 
       - name: Basic test of native fcli
         run: ./fcli --help && ./fcli get --help
@@ -190,7 +189,6 @@ jobs:
         with:
           distribution: ${{ env.graal_distribution }}
           java-version: ${{ env.graal_java_version }}
-          components: 'native-image'
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
       - uses: actions/download-artifact@v4
@@ -236,6 +234,17 @@ jobs:
         with:
           path: ./artifacts
           merge-multiple: true
+      - run: |
+          cd ./artifacts/release-assets
+          for f in *; do 
+            sha256sum ${f} > ${f}.sha256
+          done
+          for f in *; do 
+            openssl dgst -sha256 -passin env:SIGN_PASSPHRASE -sign <(echo "${SIGN_KEY}") -out ${f}.rsa_sha256 ${f}
+          done
+        env:
+          SIGN_PASSPHRASE: ${{ secrets.SIGN_PASSPHRASE }}
+          SIGN_KEY: ${{ secrets.SIGN_KEY }}
       - uses: actions/upload-artifact@v4
         with:
           path: ./artifacts
@@ -292,7 +301,7 @@ jobs:
   publishPages:
     name: publishPages
     if: needs.build.outputs.do_release
-    needs: [build, release, combine-artifacts]
+    needs: [build]
     runs-on: ubuntu-latest
     steps:
       - name: Check-out existing docs from gh-pages branch
@@ -305,7 +314,7 @@ jobs:
         uses: actions/download-artifact@v4
         with:
           path: ./artifacts
-          name: combined-artifacts
+          name: build-output
 
       - name: Update documentation from artifact
         run: |
@@ -335,7 +344,7 @@ jobs:
           ls -d dev_* | sort | while read line; do echo "- '$line'"; done > _data/versions/dev.yml
           
       - name: Deploy documentation
-        uses: peaceiris/actions-gh-pages@v3
+        uses: peaceiris/actions-gh-pages@v4
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: ./docs

diff --git a/build.gradle b/build.gradle
@@ -1,8 +1,9 @@
 plugins {
-    id('com.github.jk1.dependency-license-report') version '2.5' apply false
+    id('com.github.jk1.dependency-license-report') version '2.6' apply false
     id("com.github.johnrengelman.shadow") version "8.1.1" apply false
-    id "org.asciidoctor.jvm.convert" version "3.3.2" apply false
-    id "io.freefair.lombok" version "8.1.0" apply false
+    id "org.asciidoctor.jvm.convert" version "4.0.2" apply false
+    //id "org.asciidoctor.jvm.convert" version "3.3.2" apply false
+    id "io.freefair.lombok" version "8.6" apply false
 }
 
 group = "com.fortify.cli"
@@ -13,6 +14,7 @@ ext {
     	def result = project.findProperty('version');
     	return !result || result=='unspecified' ? buildTime.format('0.yyyyMMdd.HHmmss') : result;
 	}
+    fcliActionSchemaUrl = "https://fortify.github.io/fcli/schemas/action/fcli-action-schema-${fcliActionSchemaVersion}.json"
 }
 
 allprojects {

diff --git a/fcli-core/fcli-app/build.gradle b/fcli-core/fcli-app/build.gradle
@@ -20,29 +20,6 @@ dependencies {
 	runtimeOnly("org.fusesource.jansi:jansi")
 }
 
-// Generate build properties and associated resource-config.json file
-ext.buildPropertiesDir = "${buildDir}/generated-build-properties"
-task generateFcliBuildProperties {
-    doLast {
-        def outputDir = "${buildPropertiesDir}/com/fortify/cli/app"
-        mkdir "${outputDir}"
-        ant.propertyfile(file: "${outputDir}/fcli-build.properties") {
-            entry(key: "projectName", value: "fcli")
-            entry(key: "projectVersion", value: project.version)
-            entry(key: "buildDate", value: buildTime.format('yyyy-MM-dd HH:mm:ss'))
-        }
-        def resourceConfigOutputDir = "${buildPropertiesDir}/META-INF/native-image/fcli-build-properties"
-        mkdir "${resourceConfigOutputDir}"
-        def contents = 
-        	'{"resources":[\n' +
-  			'  {"pattern":"com/fortify/cli/app/fcli-build.properties"}\n' +
-			']}\n'
-        file("${resourceConfigOutputDir}/resource-config.json").text = contents;
-        println contents
-    }
-}
-sourceSets.main.output.dir buildPropertiesDir, builtBy: generateFcliBuildProperties
-
 // Generate reflect-config.json for picocli-related classes
 ext.generatedPicocliReflectConfigDir = "${buildDir}/generated-reflect-config"
 task generatePicocliReflectConfig(type: JavaExec) {

diff --git a/.../fcli-app/src/main/java/com/fortify/cli/app/runner/util/FortifyCLIDynamicInitializer.java b/.../fcli-app/src/main/java/com/fortify/cli/app/runner/util/FortifyCLIDynamicInitializer.java
@@ -111,12 +111,13 @@ private CommandLine createGenericOptionsCommandLine() {
 
     @Command(name = "fcli")
     @RequiredArgsConstructor
-    public static final class FortifyCLIInitializerCommand extends AbstractRunnableCommand implements Runnable {
+    public static final class FortifyCLIInitializerCommand extends AbstractRunnableCommand {
         private final Consumer<GenericOptionsArgGroup> consumer;
 
         @Override
-        public void run() {
+        public Integer call() {
             consumer.accept(getGenericOptions());
+            return 0;
         }
     }
 }
diff --git a/...e/fcli-app/src/main/java/com/fortify/cli/app/runner/util/FortifyCLIStaticInitializer.java b/...e/fcli-app/src/main/java/com/fortify/cli/app/runner/util/FortifyCLIStaticInitializer.java
@@ -15,12 +15,14 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.Locale;
+import java.util.function.Function;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
+import com.fortify.cli.common.action.helper.ActionSchemaHelper;
 import com.fortify.cli.common.http.ssl.truststore.helper.TrustStoreConfigDescriptor;
 import com.fortify.cli.common.http.ssl.truststore.helper.TrustStoreConfigHelper;
 import com.fortify.cli.common.i18n.helper.LanguageHelper;
@@ -56,28 +58,33 @@ public void initialize() {
         initializeSCDastProperties();
         initializeSCSastProperties();
         initializeSSCProperties();
+        initializeActionProperties();
     }
 
     private void initializeFoDProperties() {
-        System.setProperty("fcli.fod.scan.states", getValuesString(FoDScanStatus.values()));
-        System.setProperty("fcli.fod.scan.states.complete", getValuesString(FoDScanStatus.getDefaultCompleteStates()));
+        System.setProperty("fcli.fod.scan.states", getValueNamesString(FoDScanStatus.values()));
+        System.setProperty("fcli.fod.scan.states.complete", getValueNamesString(FoDScanStatus.getDefaultCompleteStates()));
     }
 
     private void initializeSCDastProperties() {
-        System.setProperty("fcli.sc-dast.scan.states", getValuesString(SCDastScanStatus.values()));
-        System.setProperty("fcli.sc-dast.scan.states.complete", getValuesString(SCDastScanStatus.getDefaultCompleteStates()));
+        System.setProperty("fcli.sc-dast.scan.states", getValueNamesString(SCDastScanStatus.values()));
+        System.setProperty("fcli.sc-dast.scan.states.complete", getValueNamesString(SCDastScanStatus.getDefaultCompleteStates()));
     }
 
     private void initializeSCSastProperties() {
-        System.setProperty("fcli.sc-sast.scan.jobStates", getValuesString(SCSastControllerScanJobState.values()));
-        System.setProperty("fcli.sc-sast.scan.jobStates.complete", getValuesString(SCSastControllerScanJobState.getDefaultCompleteStates()));
-        System.setProperty("fcli.sc-sast.scan.jobArtifactStates", getValuesString(SCSastControllerScanJobArtifactState.values()));
-        System.setProperty("fcli.sc-sast.scan.jobArtifactStates.complete", getValuesString(SCSastControllerScanJobArtifactState.getDefaultCompleteStates()));
+        System.setProperty("fcli.sc-sast.scan.jobStates", getValueNamesString(SCSastControllerScanJobState.values()));
+        System.setProperty("fcli.sc-sast.scan.jobStates.complete", getValueNamesString(SCSastControllerScanJobState.getDefaultCompleteStates()));
+        System.setProperty("fcli.sc-sast.scan.jobArtifactStates", getValueNamesString(SCSastControllerScanJobArtifactState.values()));
+        System.setProperty("fcli.sc-sast.scan.jobArtifactStates.complete", getValueNamesString(SCSastControllerScanJobArtifactState.getDefaultCompleteStates()));
     }
 
     private void initializeSSCProperties() {
-        System.setProperty("fcli.ssc.artifact.states", getValuesString(SSCArtifactStatus.values()));
-        System.setProperty("fcli.ssc.artifact.states.complete", getValuesString(SSCArtifactStatus.getDefaultCompleteStates()));
+        System.setProperty("fcli.ssc.artifact.states", getValueNamesString(SSCArtifactStatus.values()));
+        System.setProperty("fcli.ssc.artifact.states.complete", getValueNamesString(SSCArtifactStatus.getDefaultCompleteStates()));
+    }
+
+    private void initializeActionProperties() {
+        System.setProperty("fcli.action.supportedSchemaVersions", ActionSchemaHelper.getSupportedSchemaVersionsString());
     }
 
     private void initializeTrustStore() {
@@ -103,8 +110,12 @@ private void initializeTrustStore() {
     private void initializeLocale() {
         Locale.setDefault(LanguageHelper.getConfiguredLanguageDescriptor().getLocale());
     }
-
-    private String getValuesString(Enum<?>[] values) {
-        return Stream.of(values).map(Enum::name).collect(Collectors.joining(", "));
+
+    private String getValueNamesString(Enum<?>[] values) {
+        return getValuesString(values, Enum::name);
+    }
+
+    private String getValuesString(Enum<?>[] values, Function<Enum<?>, String> f) {
+        return Stream.of(values).map(f).collect(Collectors.joining(", "));
     }
 }
diff --git a/fcli-core/fcli-common/build.gradle b/fcli-core/fcli-common/build.gradle
@@ -1 +1,36 @@
-apply from: "${sharedGradleScriptsDir}/fcli-java.gradle"
+task zipResources_templates(type: Zip) {
+    destinationDirectory = file("${buildDir}/generated-zip-resources/com/fortify/cli/common")
+    archiveFileName = "actions.zip"
+    from("${projectDir}/src/main/resources//com/fortify/cli/common/actions/zip") {
+        // TODO We should also sign file; how do we invoke a sign operation from Gradle?
+        filter(line->project.version.startsWith('0.')
+            ? line 
+            : line.replaceAll("https://fortify.github.io/fcli/schemas/action/fcli-action-schema-dev.json", "https://fortify.github.io/fcli/schemas/action/fcli-action-schema-${fcliActionSchemaVersion}.json"))
+    }
+}
+
+apply from: "${sharedGradleScriptsDir}/fcli-java.gradle"
+
+// Generate build properties and associated resource-config.json file
+ext.buildPropertiesDir = "${buildDir}/generated-build-properties"
+task generateFcliBuildProperties {
+    doLast {
+        def outputDir = "${buildPropertiesDir}/com/fortify/cli/common"
+        mkdir "${outputDir}"
+        ant.propertyfile(file: "${outputDir}/fcli-build.properties") {
+            entry(key: "projectName", value: "fcli")
+            entry(key: "projectVersion", value: project.version)
+            entry(key: "buildDate", value: buildTime.format('yyyy-MM-dd HH:mm:ss'))
+            entry(key: "actionSchemaVersion", value: fcliActionSchemaVersion)
+        }
+        def resourceConfigOutputDir = "${buildPropertiesDir}/META-INF/native-image/fcli-build-properties"
+        mkdir "${resourceConfigOutputDir}"
+        def contents =
+            '{"resources":[\n' +
+            '  {"pattern":"com/fortify/cli/common/fcli-build.properties"}\n' +
+            ']}\n'
+        file("${resourceConfigOutputDir}/resource-config.json").text = contents;
+        println contents
+    }
+}
+sourceSets.main.output.dir buildPropertiesDir, builtBy: generateFcliBuildProperties
diff --git a/...-common/src/main/java/com/fortify/cli/common/action/cli/cmd/AbstractActionGetCommand.java b/...-common/src/main/java/com/fortify/cli/common/action/cli/cmd/AbstractActionGetCommand.java
@@ -0,0 +1,32 @@
+/*******************************************************************************
+ * Copyright 2021, 2023 Open Text.
+ *
+ * The only warranties for products and services of Open Text 
+ * and its affiliates and licensors ("Open Text") are as may 
+ * be set forth in the express warranty statements accompanying 
+ * such products and services. Nothing herein should be construed 
+ * as constituting an additional warranty. Open Text shall not be 
+ * liable for technical or editorial errors or omissions contained 
+ * herein. The information contained herein is subject to change 
+ * without notice.
+ *******************************************************************************/
+package com.fortify.cli.common.action.cli.cmd;
+
+import com.fortify.cli.common.action.cli.mixin.ActionResolverMixin;
+import com.fortify.cli.common.action.helper.ActionLoaderHelper.ActionValidationHandler;
+import com.fortify.cli.common.cli.cmd.AbstractRunnableCommand;
+
+import picocli.CommandLine.Mixin;
+
+public abstract class AbstractActionGetCommand extends AbstractRunnableCommand {
+    @Mixin private ActionResolverMixin.RequiredParameter actionResolver;
+
+    @Override
+    public final Integer call() {
+        initMixins();
+        System.out.println(actionResolver.loadActionContents(getType(), ActionValidationHandler.WARN));
+        return 0;
+    }
+
+    protected abstract String getType();
+}