chore: Merge Aviator 26.3 changes#1053
Merged
Merged
Conversation
…on and SSC upload - Add correlate-sast-dast command for SSC Aviator - Parse SAST (FVDL) and DAST (WebInspect) FPRs from SSC - Group findings by category, identify mixed SAST+DAST buckets - gRPC-based correlation stream with Aviator server - Inject ExternalFindings into DAST FPR for SSC correlation visibility - Upload enriched DAST FPR back to SSC - Add streaming WebInspect parser for large DAST FPRs - Add getLatestSASTArtifact/getLatestDASTArtifact helpers - Add unit and integration tests for ExternalFindings injection flow - Add correlation.proto for gRPC service definition
… upsert AI_CORRELATION_METADATA session - Extract AviatorSSCCorrelateHelper, AviatorSSCCorrelateFprParser, AviatorSSCCorrelateDownloadHelper from command class to reduce GOD class - Add proper try/catch(IOException) around FPR download calls - Add progress logging at each major step (download, parse, group, correlate, inject, upload) - Add per-response progress in CorrelationStreamProcessor (Correlating X of Y / Validating X of Y) - Rename ExternalFindingsInjector to DastFprCorrelationEnricher to reflect full scope - Upsert synthetic <Session requestId=AI_CORRELATION_METADATA> in webinspect.xml with HTTP Date header to avoid needing to delete prior DAST scan before re-upload - Update references in test classes
…ied pairs, write last_correlation attribute - Add CorrelationResult record to return both confirmed and rejected pairs from gRPC stream - Track rejected pairs in CorrelationStreamState + CorrelationStreamProcessor - Parse ExternalFindings from DAST FPR via StreamingWebInspectParser to build confirmed pair keys - Add SastFprCorrelationRecorder: read/write DAST_CORRELATION_STATUS tag in SAST FPR audit.xml - Namespace-aware XML parsing (setNamespaceAware + getElementsByTagNameNS) - Creates new Issue elements for SAST findings with no prior audit record - Merge logic: CORRELATED is sticky, cannot be downgraded to REJECTED on re-run - Skip both confirmed and rejected pairs on subsequent runs (alreadyTriedKeys union) - Fix SAST FPR upload: use PROJECT_VERSION_ARTIFACTS restUpload (not UPLOAD_RESULT_FILE htmlUpload) to avoid duplicate scan GUID error in SSC - Add AviatorSSCAttributeDefs + AviatorSSCAttributeHelper: create-if-not-exists last_correlation TEXT attribute definition on SSC instance, write ISO-8601 UTC timestamp after FPR uploads - Add last_correlation attribute synchronization to prepare command (AviatorSSCPrepareHelper) - Add Step 6c to correlate-sast-dast: write last_correlation timestamp after all FPR uploads - Fix AviatorSSCCustomTagHelper: null-safe cast for valueList on TEXT-type tags (NullNode guard)
…into p/kireetivar/bulk_correlation
…sueList namespace lookup, add audit.xml validation - Add receivedCorrelationResponses to CorrelationResult record for Phase 1 response count - Output now includes succeeded (responses received) and skipped (submitted - succeeded) - Fix SastFprCorrelationRecorder: fallback to no-namespace getElementsByTagName for IssueList in un-audited FPRs where audit.xml uses default (null) namespace - Match parent IssueList namespace when creating new Issue elements - Add audit.xml existence validation in parseSastFpr() and parseDastFpr() - Prevent double-wrapping of FcliSimpleException in FPR parser catch blocks
…into p/kireetivar/bulk_correlation
…n of SSC application versions
…into p/kireetivar/bulk_correlation
…ttribute classes to correlation-specific names, remove admin-only auto-create from writeLastCorrelationTimestamp
…into p/kireetivar/fix_extension_fallback
…into p/kireetivar/suppress_aduit_trail
feat: Add entitlement management to Aviator application
Feat/sast dast correlation
…/kireetivar/suppress_aduit_trail
…/kireetivar/fix_extension_fallback
…/kireetivar/bulk_correlation
feat(ssc): Add bulkcorrelate action for automated SAST-DAST correlation of SSC application versions
…llback fix: prefer FPR source file types over configured extension fallback
…trail fix(aviator): record suppression state changes in audit history
chore: Add description key for applicationId parameter in add-entitlement command
…folder-priority-order
…/kireetivar/option_bug
fix: fcli aviator ssc audit: Reject --skip-if-exceeding-quota with --…
chore: Align Aviator exception handling with Aviator simple/technical exceptions
- Add SynchronizationResult class to track tag sync status and system-managed flag - Implement /internalCustomTags fallback for Aviator built-in tags detection - Update prepare command to skip manual association for system-managed tags - Preserve DAST correlation tag and last_correlation attribute behavior - Fix AviatorLoggerImpl.warn() to output warnings to console (stderr) - Update help text to explain SSC 26.2+ behavior - Add unit tests for SynchronizationResult and PrepareResult
Prepare command upgraded ssc
Resolved build failure issue
Previously buildResultNode() used rd.asObjectNode() which dumped all 50+ FoDReleaseDescriptor fields into the output. Changed to create a fresh ObjectNode with only releaseId, applicationName, releaseName, and remediation metrics - matching the SSC helper pattern.
fix: FoD apply-remediation output shows only relevant fields
chore(aviator): align line-number enrichment with aviator-cli and initialize comment mapping
chore: add reflection configuration for DAST entitlement classes
| private Document parseXml(Path path) { | ||
| var factory = DocumentBuilderFactory.newInstance(); | ||
| factory.setNamespaceAware(false); | ||
| return factory.newDocumentBuilder().parse(Files.newInputStream(path)); |
| private Document parseXml(Path path) { | ||
| var factory = DocumentBuilderFactory.newInstance(); | ||
| factory.setNamespaceAware(false); | ||
| return factory.newDocumentBuilder().parse(Files.newInputStream(path)); |
| private static Document parseXml(Path path) { | ||
| var factory = DocumentBuilderFactory.newInstance(); | ||
| factory.setNamespaceAware(true); // must be true to find ns0:Issue / ns0:Tag by local name | ||
| return factory.newDocumentBuilder().parse(Files.newInputStream(path)); |
| private static Document parseXml(Path path) { | ||
| var factory = DocumentBuilderFactory.newInstance(); | ||
| factory.setNamespaceAware(true); // must be true to find ns0:Issue / ns0:Tag by local name | ||
| return factory.newDocumentBuilder().parse(Files.newInputStream(path)); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.