
fix: prefer FPR source file types over configured extension fallback#999

Draft
kireetivar wants to merge 9 commits into
fortify:feat/v3.x/aviator/26.3from
kireetivar:p/kireetivar/fix_extension_fallback

Conversation

@kireetivar
Contributor

This change makes fcli use the source file type recorded in the FPR when building Aviator audit requests.

Language resolution now prefers Build/SourceFiles/File@type from audit.fvdl, then falls back to vulnerability filetype, then to configured extension mapping.

What changed

  • Parse Build/SourceFiles/File@type in StreamingFVDLProcessor
  • Store source file type metadata in FVDLMetadata
  • Add SourceLanguageResolver for centralized precedence handling
  • Update IssueObjBuilder, IssueAuditor, and AuditFPR to use resolved FPR-backed language data
  • Add focused tests for parser metadata, resolver precedence, request shaping, gRPC preservation, and formatting helpers

Resolution order

  1. Exact FPR file or basename match
  2. Unambiguous FPR extension match
  3. Vulnerability filetype
  4. Configured extension mapping
  5. Unknown

Why this matters

This keeps request language selection aligned with the current-state FPR instead of relying only on filename extensions.
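The resolution order described above, worked as an added example that is not part of this PR or of fcli: it parses a constructed Build/SourceFiles fragment the way the description says StreamingFVDLProcessor now does, then applies the five-step precedence. The sample FVDL, the CONFIGURED_EXTENSIONS map and the rule labels returned alongside each result are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

FVDL_NS = "xmlns://www.fortifysoftware.com/schema/fvdl"

# Constructed audit.fvdl fragment holding only the Build/SourceFiles subtree (not a real FPR).
SAMPLE_FVDL = """<FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl">
<Build><SourceFiles>
  <File type="java"><Name>src/main/java/App.java</Name></File>
  <File type="javascript"><Name>web/app.js</Name></File>
  <File type="xml"><Name>conf/a.config</Name></File>
  <File type="properties"><Name>conf/b.config</Name></File>
</SourceFiles></Build></FVDL>"""

# Hypothetical configured extension mapping: the last-resort fallback (step 4).
CONFIGURED_EXTENSIONS = {"py": "python", "config": "xml"}

def parse_source_file_types(fvdl_xml):
    """Return {normalised path: File@type} collected from Build/SourceFiles/File."""
    q = lambda tag: "{%s}%s" % (FVDL_NS, tag)
    root = ET.fromstring(fvdl_xml)
    types = {}
    for f in root.iterfind("%s/%s/%s" % (q("Build"), q("SourceFiles"), q("File"))):
        name, ftype = f.findtext(q("Name")), f.get("type")
        if name and ftype:
            types[name.replace("\\", "/")] = ftype
    return types

def _unique(candidates):
    """The single distinct type among candidates, else None (absent or ambiguous)."""
    distinct = set(candidates)
    return distinct.pop() if len(distinct) == 1 else None

def resolve_language(path, fpr_types, vuln_filetype=None, configured=CONFIGURED_EXTENSIONS):
    """Apply the precedence from the PR description; returns (language, deciding rule)."""
    path = path.replace("\\", "/")
    base, ext = PurePosixPath(path).name, PurePosixPath(path).suffix.lstrip(".").lower()
    # 1. exact FPR file match, then basename match (only if all basename hits agree)
    if path in fpr_types:
        return fpr_types[path], "fpr-file"
    t = _unique(ty for p, ty in fpr_types.items() if PurePosixPath(p).name == base)
    if t:
        return t, "fpr-basename"
    # 2. FPR extension match, only when every FPR file with that extension shares one type
    t = _unique(ty for p, ty in fpr_types.items()
                if PurePosixPath(p).suffix.lstrip(".").lower() == ext)
    if ext and t:
        return t, "fpr-extension"
    # 3. filetype recorded on the vulnerability itself
    if vuln_filetype:
        return vuln_filetype, "vuln-filetype"
    # 4. configured extension mapping; 5. unknown
    if ext in configured:
        return configured[ext], "configured"
    return "unknown", "unknown"
```

The two `.config` files illustrate why step 2 requires an unambiguous match: their types differ, so resolution falls through to the vulnerability filetype or the configured mapping rather than guessing.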

Neeta Meshram and others added 9 commits April 16, 2026 12:04
…on and SSC upload

- Add correlate-sast-dast command for SSC Aviator
- Parse SAST (FVDL) and DAST (WebInspect) FPRs from SSC
- Group findings by category, identify mixed SAST+DAST buckets
- gRPC-based correlation stream with Aviator server
- Inject ExternalFindings into DAST FPR for SSC correlation visibility
- Upload enriched DAST FPR back to SSC
- Add streaming WebInspect parser for large DAST FPRs
- Add getLatestSASTArtifact/getLatestDASTArtifact helpers
- Add unit and integration tests for ExternalFindings injection flow
- Add correlation.proto for gRPC service definition
… upsert AI_CORRELATION_METADATA session

- Extract AviatorSSCCorrelateHelper, AviatorSSCCorrelateFprParser, AviatorSSCCorrelateDownloadHelper from command class to reduce GOD class
- Add proper try/catch(IOException) around FPR download calls
- Add progress logging at each major step (download, parse, group, correlate, inject, upload)
- Add per-response progress in CorrelationStreamProcessor (Correlating X of Y / Validating X of Y)
- Rename ExternalFindingsInjector to DastFprCorrelationEnricher to reflect full scope
- Upsert synthetic <Session requestId=AI_CORRELATION_METADATA> in webinspect.xml with HTTP Date header to avoid needing to delete prior DAST scan before re-upload
- Update references in test classes
…ied pairs, write last_correlation attribute

- Add CorrelationResult record to return both confirmed and rejected pairs from gRPC stream
- Track rejected pairs in CorrelationStreamState + CorrelationStreamProcessor
- Parse ExternalFindings from DAST FPR via StreamingWebInspectParser to build confirmed pair keys
- Add SastFprCorrelationRecorder: read/write DAST_CORRELATION_STATUS tag in SAST FPR audit.xml
  - Namespace-aware XML parsing (setNamespaceAware + getElementsByTagNameNS)
  - Creates new Issue elements for SAST findings with no prior audit record
  - Merge logic: CORRELATED is sticky, cannot be downgraded to REJECTED on re-run
- Skip both confirmed and rejected pairs on subsequent runs (alreadyTriedKeys union)
- Fix SAST FPR upload: use PROJECT_VERSION_ARTIFACTS restUpload (not UPLOAD_RESULT_FILE htmlUpload)
  to avoid duplicate scan GUID error in SSC
- Add AviatorSSCAttributeDefs + AviatorSSCAttributeHelper: create-if-not-exists last_correlation
  TEXT attribute definition on SSC instance, write ISO-8601 UTC timestamp after FPR uploads
- Add last_correlation attribute synchronization to prepare command (AviatorSSCPrepareHelper)
- Add Step 6c to correlate-sast-dast: write last_correlation timestamp after all FPR uploads
- Fix AviatorSSCCustomTagHelper: null-safe cast for valueList on TEXT-type tags (NullNode guard)
…sueList namespace lookup, add audit.xml validation

- Add receivedCorrelationResponses to CorrelationResult record for Phase 1 response count
- Output now includes succeeded (responses received) and skipped (submitted - succeeded)
- Fix SastFprCorrelationRecorder: fallback to no-namespace getElementsByTagName for IssueList
  in un-audited FPRs where audit.xml uses default (null) namespace
- Match parent IssueList namespace when creating new Issue elements
- Add audit.xml existence validation in parseSastFpr() and parseDastFpr()
- Prevent double-wrapping of FcliSimpleException in FPR parser catch blocks
…ttribute classes to correlation-specific names, remove admin-only auto-create from writeLastCorrelationTimestamp
@kireetivar kireetivar self-assigned this May 11, 2026