fortify/fcli

`fcli ssc issue count`: Groups containing 0 issues not included in output

Opened this issue · 0 comments

The `fcli ssc issue count` command uses the `/api/v1/projectVersions/12/issueGroups` endpoint to obtain issue counts for the given grouping type. Unfortunately, this endpoint only returns grouping values (like folders, categories) that contain one or more issues. If a certain group doesn't contain any issues, it's omitted from the output instead of returning `*Count: 0`.

As an example, suppose we have a 'Security Gate' filter set with a single 'Issues failing Security Gate' folder. As long as there are any issues failing the security gate, `fcli ssc issue count` returns the appropriate number of issues. However, if there are no issues failing the security gate, the `fcli ssc issue count` command returns no records, instead of returning a count of 0.

This makes it difficult to interpret the output in automation scripts, and for example it's impossible to have an output expression like `-o 'expr={totalCount>0?"Fail":"Success"}'`; if there are no output records, the expression is never evaluated and thus 'Success' is never printed.

According to SSC engineering, there is currently no endpoint that allows for obtaining issue counts for 'empty' issue grouping type values. The only way around this would be to query all available grouping type values, for example using the `filterBySet` property returned by the `issueSelectorSet` endpoint, and have fcli generate the 'missing' records.

This is cumbersome, though, and may require additional processing for individual grouping types. For example, the `FOLDER` entry in `filterBySet` lists all folders from all filter sets, but we'd want to only output the folders for the selected filter set. Or, in other words, if we have an issue template with both the standard Security Auditor/Quick View and the 'Security Gate' filter set as described above, when querying issue counts for the 'Security Gate' filter set, we'd want to output only the 'Issues failing Security Gate' folder counts, not the counts for the Critical/High/... folders defined in the other filter sets.
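The workaround sketched above (fill in the omitted groups from the selected filter set's folder list, then evaluate the gate over the completed records), as an added example in Python that is not part of fcli or SSC. The SSC response shapes, field names (`cleanName`, `totalCount`, `filterSet`) and all sample values are constructed assumptions for illustration.

```python
import json

# Constructed sample: what the issueGroups endpoint returns for the 'Security Gate'
# filter set when the single folder holds 0 issues: no records at all.
SECURITY_GATE_RESPONSE = json.dumps([])

# Constructed sample: the same endpoint for the 'Security Auditor View' filter set.
# The 'Medium' folder is absent because it holds 0 issues.
AUDITOR_RESPONSE = json.dumps([
    {"id": "Critical", "cleanName": "Critical", "totalCount": 3},
    {"id": "High", "cleanName": "High", "totalCount": 7},
])

# Constructed sample: the FOLDER options from filterBySet, flattened to name plus
# owning filter set (assumed shape). Note it lists folders of ALL filter sets.
FOLDER_OPTIONS = [
    {"displayName": "Critical", "filterSet": "Security Auditor View"},
    {"displayName": "High", "filterSet": "Security Auditor View"},
    {"displayName": "Medium", "filterSet": "Security Auditor View"},
    {"displayName": "Issues failing Security Gate", "filterSet": "Security Gate"},
]


def folders_for_filter_set(options, filter_set):
    """Keep only the folders that belong to the selected filter set."""
    return [o["displayName"] for o in options if o["filterSet"] == filter_set]


def fill_missing_groups(records, expected_names):
    """Generate totalCount: 0 records for groups SSC omitted, in folder order."""
    by_name = {r["cleanName"]: r for r in records}
    return [by_name.get(n, {"id": n, "cleanName": n, "totalCount": 0})
            for n in expected_names]


def gate_result(records):
    """Same verdict as -o 'expr={totalCount>0?"Fail":"Success"}', but evaluated
    over the completed list, so an empty SSC response still yields a verdict."""
    return "Fail" if any(r["totalCount"] > 0 for r in records) else "Success"


def evaluate_security_gate(issue_groups_json, folder_options, filter_set):
    """Return (completed records, verdict) for one filter set's folder counts."""
    records = json.loads(issue_groups_json)
    expected = folders_for_filter_set(folder_options, filter_set)
    # Drop records from other filter sets' folders, then fill the gaps with 0.
    completed = fill_missing_groups(
        [r for r in records if r["cleanName"] in expected], expected)
    return completed, gate_result(completed)
```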