feat(ssc): Add bulkcorrelate action for automated SAST-DAST correlation of SSC application versions#993
Closed
kireetivar wants to merge 27 commits intofortify:feat/v3.x/aviator/26.3from
Closed
Conversation
…-rel/v3.x chore(rel/v3.x): release 3.17.0
…on and SSC upload - Add correlate-sast-dast command for SSC Aviator - Parse SAST (FVDL) and DAST (WebInspect) FPRs from SSC - Group findings by category, identify mixed SAST+DAST buckets - gRPC-based correlation stream with Aviator server - Inject ExternalFindings into DAST FPR for SSC correlation visibility - Upload enriched DAST FPR back to SSC - Add streaming WebInspect parser for large DAST FPRs - Add getLatestSASTArtifact/getLatestDASTArtifact helpers - Add unit and integration tests for ExternalFindings injection flow - Add correlation.proto for gRPC service definition
…`update` commands Co-authored-by: mjain6 <mjain6@opentext.com>
Co-authored-by: mjain6 <mjain6@opentext.com>
fix: `fcli fod dast-scan get-config`: Fix `NullPointerException` when DAST Automated scan has not been configured fix: `fcli fod dast-scan setup-*`: Improve error messaging with information on locked settings. chore: Update `fcli fod dast-scan get-config` to return empty descriptor when not setup rather than throw exception. Co-authored-by: kadraman <klee2@opentext.com>
feat: `fcli fod * list`: Add `--fetch` option on most `list` commands to fetch subset of records from FoD feat: `fcli ssc * list`: Add `--fetch` option on most `list` commands to fetch subset of records from SSC feat: `fcli sc-sast * list`: Add `--fetch` option on some `list` commands that utilize SSC REST endpoints to fetch subset of records from SSC feat: `fcli sc-dast * list`: Add `--fetch` option on most `list` commands to fetch subset of records from ScanCentral DAST feat: fcli `--style` option: Add `[no-]envelope` style for various output formats like JSON and YAML to allow for outputting paging and potentially other metadata feat: fcli action framework: Emit `<key>.metadata` variable on `run.fcli` instructions to allow actions to access paging and potentially other metadata produced by the fcli command
… upsert AI_CORRELATION_METADATA session - Extract AviatorSSCCorrelateHelper, AviatorSSCCorrelateFprParser, AviatorSSCCorrelateDownloadHelper from command class to reduce GOD class - Add proper try/catch(IOException) around FPR download calls - Add progress logging at each major step (download, parse, group, correlate, inject, upload) - Add per-response progress in CorrelationStreamProcessor (Correlating X of Y / Validating X of Y) - Rename ExternalFindingsInjector to DastFprCorrelationEnricher to reflect full scope - Upsert synthetic <Session requestId=AI_CORRELATION_METADATA> in webinspect.xml with HTTP Date header to avoid needing to delete prior DAST scan before re-upload - Update references in test classes
Co-authored-by: cdatla <cdatla@opentext.com>
feat: `fcli ssc session list`: Add `--validate` option to check and update session data based on current SSC token state (token deleted, expiry date changed, ...) feat: `fcli fod session list`: Add `--validate` option to check validity of FoD OAuth token Co-authored-by: mjain6 <mjain6@opentext.com>
feat: `fcli util rpc-server start`: New JSON-RPC server command for programmatic fcli access (hidden, for internal use only for now)
feat: `fcli util mcp-server start`: Add `--import` option for importing action YAML files, exposing exported action functions as MCP tools or resource templates
feat: `fcli util mcp-server start`: `--module` option is now optional (at least one of `--module` or `--import` must be specified)
feat: `fcli util mcp-server start`: Support MCP resource templates via function `meta.mcp.resource` metadata
feat: `fcli util all-commands list`: Enrich output with module category (`PRODUCT`/`CONFIG`/`UTIL`) and session requirement metadata
feat: fcli action framework: Add `functions` support — define reusable functions in action YAML with typed arguments, return values, and streaming (lazy `fn.yield`) capabilities; invoke via `#fn.call('name', args...)` SpEL function
feat: fcli action framework: Add `with.product` step for establishing product context (SSC/FoD) within action steps, making product-specific SpEL functions and REST targets available without running product-specific action commands
feat: fcli action framework: Add `fn.yield` step for emitting records from streaming functions, with automatic consumer termination detection
feat: fcli action framework: Add `sleep` step for pausing execution for a SpEL-evaluated duration in milliseconds
feat: fcli action framework: Add `#fcli.listCommands()`, `#fcli.listCommands(query)`, `#fcli.getCommandSpec(command)`, and `#fcli.getCommandArgs(command)` SpEL functions for querying available fcli commands from within action YAML
fix: `fcli util mcp-server start`: Fix option `required` reporting for options inside optional argument groups
fix: Fix some potential issues related to fcli stdio handling
fix: Fix potential concurrent modification of global values in multi-threaded contexts (e.g., async jobs in RPC/MCP servers)
…-rel/v3.x chore(rel/v3.x): release 3.18.0
feat: `fcli fod app/release update`: Add `--auto-required-attrs` option to automatically set required attributes that were not set before
…ied pairs, write last_correlation attribute - Add CorrelationResult record to return both confirmed and rejected pairs from gRPC stream - Track rejected pairs in CorrelationStreamState + CorrelationStreamProcessor - Parse ExternalFindings from DAST FPR via StreamingWebInspectParser to build confirmed pair keys - Add SastFprCorrelationRecorder: read/write DAST_CORRELATION_STATUS tag in SAST FPR audit.xml - Namespace-aware XML parsing (setNamespaceAware + getElementsByTagNameNS) - Creates new Issue elements for SAST findings with no prior audit record - Merge logic: CORRELATED is sticky, cannot be downgraded to REJECTED on re-run - Skip both confirmed and rejected pairs on subsequent runs (alreadyTriedKeys union) - Fix SAST FPR upload: use PROJECT_VERSION_ARTIFACTS restUpload (not UPLOAD_RESULT_FILE htmlUpload) to avoid duplicate scan GUID error in SSC - Add AviatorSSCAttributeDefs + AviatorSSCAttributeHelper: create-if-not-exists last_correlation TEXT attribute definition on SSC instance, write ISO-8601 UTC timestamp after FPR uploads - Add last_correlation attribute synchronization to prepare command (AviatorSSCPrepareHelper) - Add Step 6c to correlate-sast-dast: write last_correlation timestamp after all FPR uploads - Fix AviatorSSCCustomTagHelper: null-safe cast for valueList on TEXT-type tags (NullNode guard)
…into p/kireetivar/bulk_correlation
…sueList namespace lookup, add audit.xml validation - Add receivedCorrelationResponses to CorrelationResult record for Phase 1 response count - Output now includes succeeded (responses received) and skipped (submitted - succeeded) - Fix SastFprCorrelationRecorder: fallback to no-namespace getElementsByTagName for IssueList in un-audited FPRs where audit.xml uses default (null) namespace - Match parent IssueList namespace when creating new Issue elements - Add audit.xml existence validation in parseSastFpr() and parseDastFpr() - Prevent double-wrapping of FcliSimpleException in FPR parser catch blocks
…into p/kireetivar/bulk_correlation
…n of SSC application versions
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Add a new preview
bulkcorrelateSSC action to run SAST-DAST correlation across multiple SSC application versions in a single command.What Changed
bulkcorrelateSSC actionlast_correlationvalue is already up to date with the most recent scan date--aviator-app-mappingaviator ssc preparebefore correlation so required tags and attributes are available