See fortify/github-action#15 for background information; FVE silently ignores unknown command-line arguments, which can lead to unexpected behavior.

For example, if a user or some integration omits quotes around application version/release name, like in `--fod.release.name=App with space:rel1`, FortifyVulnerabilityExporter will see `--fod.release.name=App` and ignore `with space:rel1`. Effectively, instead of processing this single release, FVE will process all releases for all applications containing `App` (case-insensitive) in the application name, due to a combination of FVE behavior (allowing for processing all releases for a given app if only app name is specified) and FoD behavior (FoD performing case-insensitive 'contains' matching instead of exact matching).

Unfortunately, there is no explicit list of supported command-line arguments, as each CLI argument basically represents an arbitrary property name that may or may not be used by a particular configuration. However, potentially we can check whether the CLI arguments adhere to the format as described at https://github.com/fortify/FortifyVulnerabilityExporter/blob/main/USAGE.md#generic-usage, i.e., first argument should be the name/path of a configuration file, and all remaining options should be in the format `--prop.name=value`. In the example above, `with space:rel1` doesn't match the expected `--prop.name=value` format, and thus FVE could throw an error.
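The format check proposed above, as an added illustration (not FVE's own code): a validator that accepts the first argument as the configuration file and rejects any remaining argument that is not of the form `--prop.name=value`, so an unquoted value that the shell split into extra tokens fails loudly instead of being dropped. The property-name character set, the config file name `example-config.yml`, and the sample command lines are constructed for this example.

```python
import re
import shlex

# Matches the documented "--prop.name=value" form. The accepted property-name
# characters are an assumption for this example, not FVE's actual grammar.
PROP_ARG = re.compile(r"^--([A-Za-z0-9_][A-Za-z0-9_.\-\[\]]*)=(.*)$", re.DOTALL)


def find_malformed_args(argv):
    """Return every argument after the config file that is not --prop.name=value."""
    return [arg for arg in argv[1:] if not PROP_ARG.match(arg)]


def validate_cli_args(argv):
    """Parse [config, --prop.name=value, ...]; raise instead of silently ignoring input."""
    if not argv or argv[0].startswith("--"):
        raise ValueError("first argument must be the configuration file name/path")
    bad = find_malformed_args(argv)
    if bad:
        raise ValueError(
            "unrecognized argument(s) %s; expected --prop.name=value "
            "(did you forget to quote a value containing spaces?)"
            % ", ".join(repr(b) for b in bad)
        )
    props = {}
    for arg in argv[1:]:
        name, value = PROP_ARG.match(arg).groups()
        props[name] = value  # later occurrences override earlier ones
    return argv[0], props


# Constructed sample command lines, tokenized the way a POSIX shell would.
QUOTED = shlex.split('example-config.yml "--fod.release.name=App with space:rel1"')
UNQUOTED = shlex.split("example-config.yml --fod.release.name=App with space:rel1")

if __name__ == "__main__":
    for argv in (QUOTED, UNQUOTED):
        try:
            print(validate_cli_args(argv))
        except ValueError as err:
            print("rejected:", err)
```

With quoting, the release name arrives as a single `fod.release.name` property; without it, the tokens `with` and `space:rel1` are reported as malformed, which is the point at which FVE could throw an error rather than fall back to matching every release whose application name contains `App`.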