
FoD: Add functionality for 'refreshing' scan settings with new entitlement id

Open rsenden opened this issue 1 year ago • 2 comments

Enhancement Request

If the entitlement associated with an existing scan setup is deactivated (usually because it was replaced with a new entitlement), the fcli fod sast-scan start (and possibly the same for other scan types) will fail with an exception like the following:

image

Ideally, if possible, this should be fixed on the FoD side, with any existing scan setups automatically being reconfigured with the new entitlement id if an existing entitlement is replaced with a new entitlement.

Alternatively, we could implement the following functionality in fcli:

  • Get existing scan settings
  • Check whether entitlement id is still valid
  • If not, determine appropriate new entitlement id for the given scan settings
  • Update the scan settings with the new entitlement id, leaving all other scan settings the same

We could potentially implement this in 3 different places:

  • Add a --refresh-entitlement option on the existing sast-scan setup command, but this may be confusing, in particular in combination with the --skip-if-exists option.
  • Add a new refresh-entitlement, refresh-setup or update-setup command (the latter would allow for updating any scan settings while leaving all other scan settings the same)
  • Add this functionality to the sast-scan start command, controlled through a --[no-]refresh-entitlement option, not sure whether this should be enabled by default; enabling by default would be most convenient to automatically avoid exceptions like the above, but not sure whether there's any risk of selecting the wrong entitlement id

rsenden, Sep 27 '24 08:09

This logic is mostly already in fod xxx-scan setup via the FoDScanHelper::getEntitlementToUse() method - which validates the entitlement is still valid. We could call this using existing scan configuration, e.g. Assessment Name/Type and try and find an appropriate entitlement but there is potential for a customer to have multiple current entitlements and there is no guarantee we would select the "right one". The entitlements are consumed at scan time so I can imagine if this is done automatically it could lead to lots of issues with wrong entitlements being consumed?

Maybe it would be better if the customer proactively had the ability to "migrate" the setup to using the correct entitlements. This would be best done using FoD UI itself, but maybe we can provide fcli commands to do this.

kadraman, Sep 27 '24 09:09

What about having an fcli update-entitlements action that takes old and new entitlement ids as input, then iterates through all existing scan setups and updates entitlementId if current scan setup entitlement id matches the given old entitlement id?

Although users would need to run this manually, and it would potentially take a long time to iterate through all existing scan setups, it would provide an easy way for users to migrate any existing scan setups to a new entitlement id.

rsenden, Sep 27 '24 09:09

@kadraman Any idea whether this is still relevant, or whether any improvements on the FoD side have been made to better handle this?

rsenden, Jun 05 '25 12:06