Cannot assign entitlement when doing fcli fod sast setup
Current Behavior
The issue is that we have a test repo with releases, but we are unable to start SAST scans on those.
When trying to do a fcli fod sast setup it fails because it cannot correctly assign an entitlement. I already talked with the FoD guys and they told me that it could be a CLI issue and to talk with you.
If I create the release programmatically, then I can start it from the Fortify web UI without issues; however, when using the CLI I get these errors.
Expected Behavior
SAST setup command assigns the entitlement correctly so the SAST scan can start.
Steps To Reproduce
We launch the official docker container with the CLI:
$ docker run -it fortifydocker/fortify-ci-tools:7.0.0-jdk-21
Inside the container, we set the variables for login and log in correctly (we omitted the values in this issue for security reasons):
root@d06eb1acd592:/# export FCLI_DEFAULT_FOD_CLIENT_ID=*********OMMITED*********
root@d06eb1acd592:/# export FCLI_DEFAULT_FOD_CLIENT_SECRET=*********OMMITED*********
root@d06eb1acd592:/# export FCLI_DEFAULT_FOD_TENANT='*********OMMITED*********'
root@d06eb1acd592:/# export FCLI_DEFAULT_FOD_URL='https://api.emea.fortify.com/'
root@d06eb1acd592:/# fcli fod session login
Name Type Url Created Expires Expired Action
default FoD https://api.emea.fortify.com/ 2025-05-12 11:36:16 UTC 2025-05-12 17:36:11 UTC No CREATED
We create the variables with the names we need (we will use them in later commands)
root@d06eb1acd592:/# export APP=PSO_TestRepo1
root@d06eb1acd592:/# export RELEASE="6.0"
root@d06eb1acd592:/# export REPOURL=https://code.europa.eu/simpl/simpl-open/development/data1/sdtooling-api-be.git
root@d06eb1acd592:/# export BASEURL=$(echo $REPOURL | awk -F'.git' '{print $1}')
root@d06eb1acd592:/# export REPOBRANCH=main
root@d06eb1acd592:/# export REPOSANITIZEDBRANCH=$(echo $REPOBRANCH | tr -s '/' '-')
root@d06eb1acd592:/# export APP_KEY=$(echo $REPOURL | awk -F'/development' '{print $2}' | awk -F'.git' '{print $1}')
root@d06eb1acd592:/# export PROJECT_KEY=$(echo $REPOURL | awk -F '/' '{print $NF}' | awk -F '.' '{print $1}')
root@d06eb1acd592:/# export PSO_PROJECT_KEY="PSO/$PROJECT_KEY"
We check that the app exists before doing anything:
root@d06eb1acd592:/# if fcli fod app get $APP >/dev/null 2>&1
> then
> echo "App $APP found in FOD"
> else
> echo "The APP \"$APP\" does not exist in FOD. Please, create the app manually first in Fortify On Demand then retry this pipeline again."
> exit 1
> fi
App PSO_TestRepo1 found in FOD
Then we create the release (in this particular case, PSO_TestRepo1 will create release 6.0; however, since it already exists, it skips it, which is ok).
root@d06eb1acd592:/# fcli fod rel create --skip-if-exists --auto-required-attrs "$APP:$RELEASE" --sdlc-status=QA --app-owner=PSO
Id Name Microservice Application SDLC Status Action
162844 6.0 PSO_TestRepo1 QA SKIPPED_EXISTING
We download the repository zip as "repo.zip" using a programmatic URL based on the previous set variables:
root@d06eb1acd592:/# wget -O repo.zip $BASEURL/-/archive/${REPOBRANCH}/${PROJECT_KEY}-${REPOSANITIZEDBRANCH}.zip
--2025-05-12 11:37:35-- https://code.europa.eu/simpl/simpl-open/development/data1/sdtooling-api-be/-/archive/main/sdtooling-api-be-main.zip
Resolving code.europa.eu (code.europa.eu)... 85.10.128.219
Connecting to code.europa.eu (code.europa.eu)|85.10.128.219|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/zip]
Saving to: ‘repo.zip’
repo.zip [ <=> ] 1.28M 5.76MB/s in 0.2s
2025-05-12 11:37:36 (5.76 MB/s) - ‘repo.zip’ saved [1347355]
We try to do a SAST setup with the CLI for the Java 21 language (Java language = ID 7, Java version 21 = ID 39); however, it fails as there are no assessment types found for this particular release:
root@d06eb1acd592:/# fcli fod sast setup --release=$APP:$RELEASE --entitlement-id=3386 --assessment-type=117 --entitlement-frequency=SingleScan --audit-preference=Manual --technology-stack=7 --language-level=39
FcliSimpleException: No assessment types found for release id: 162844
at com.fortify.cli.fod.release.helper.FoDReleaseAssessmentTypeHelper.getAssessmentTypes(FoDReleaseAssessmentTypeHelper.java:57)
If I list the assessment types for this particular release, I see that I have 3 entitlements available for SAST:
root@d06eb1acd592:/# fcli fod release lsat --release=$APP:$RELEASE
Id Name Scan type Frequency type Units Entitlement id Entitlement description
117 Static Assessment Static Subscription 4 (of 230) 3386 3386 - Subscription (4 Units)
117 Static Assessment Static Subscription 4 (of 230) 3395 3395 - Subscription (4 Units)
117 Static Assessment Static Subscription 4 (of 230) 3397 3397 - Subscription (4 Units)
119 Dynamic Website Assessment Dynamic Subscription 6 (of 230) 3386 3386 - Subscription (6 Units)
119 Dynamic Website Assessment Dynamic Subscription 6 (of 230) 3395 3395 - Subscription (6 Units)
119 Dynamic Website Assessment Dynamic Subscription 6 (of 230) 3397 3397 - Subscription (6 Units)
And if I try to start a SAST scan directly it also fails because the previous setup was not done successfully:
root@d06eb1acd592:/# fcli fod sast start -f=repo.zip --release=$APP:$RELEASE
FcliSimpleException: The static scan configuration for release with id '162844' has not been setup correctly - 'Technology Stack/Language Level' is missing or empty.
at com.fortify.cli.fod.sast_scan.cli.cmd.FoDSastScanStartCommand.validateScanSetup(FoDSastScanStartCommand.java:85)
And I also tried this:
root@afa6caefc1cd:/# fcli fod sast setup --release=$APP:$RELEASE --assessment-type=Static --entitlement-frequency=Subscription --technology-stack=JAVA --audit-preference=Manual --language-level=21
java.lang.IllegalArgumentException: Cannot find appropriate assessment type for specified options.
at com.fortify.cli.fod.release.helper.FoDReleaseAssessmentTypeHelper.lambda$getAssessmentTypeDescriptor$1(FoDReleaseAssessmentTypeHelper.java:71)
at java.base@…/java.util.Optional.orElseThrow(Optional.java:403)
at com.fortify.cli.fod.release.helper.FoDReleaseAssessmentTypeHelper.getAssessmentTypeDescriptor(FoDReleaseAssessmentTypeHelper.java:71)
at com.fortify.cli.fod.sast_scan.cli.cmd.FoDSastScanSetupCommand.setup(FoDSastScanSetupCommand.java:115)
at com.fortify.cli.fod.sast_scan.cli.cmd.FoDSastScanSetupCommand.getJsonNode(FoDSastScanSetupCommand.java:105)
at com.fortify.cli.fod._common.output.cli.cmd.AbstractFoDJsonNodeOutputCommand.getJsonNode(AbstractFoDJsonNodeOutputCommand.java:23)
at com.fortify.cli.common.output.cli.cmd.AbstractOutputCommand.call(AbstractOutputCommand.java:34)
at com.fortify.cli.common.output.cli.cmd.AbstractOutputCommand.call(AbstractOutputCommand.java:23)
at picocli.CommandLine.executeUserObject(CommandLine.java:2118)
at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2538)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2530)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2492)
at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2350)
at picocli.CommandLine$RunLast.execute(CommandLine.java:2494)
at picocli.CommandLine.execute(CommandLine.java:2247)
at com.fortify.cli.app.runner.DefaultFortifyCLIRunner.run(DefaultFortifyCLIRunner.java:63)
at com.fortify.cli.app.FortifyCLI.execute(FortifyCLI.java:38)
at com.fortify.cli.app.FortifyCLI.main(FortifyCLI.java:32)
at java.base@…/java.lang.invoke.LambdaForm$DMH/sa346b79c.invokeStaticInit(LambdaForm$DMH)
Environment
Official docker container on Ubuntu 24.04.
Anything else?
No response
With reference to:
fcli fod sast setup --release=$APP:$RELEASE --entitlement-id=3386 --assessment-type=117 \
--entitlement-frequency=SingleScan --audit-preference=Manual --technology-stack=7 --language-level=39
- --assessment-type option should be its "Name" from fcli fod release lsat rather than its "Id"?
- --entitlement-frequency probably should not be "SingleScan" as it looks like the Application has already been set up for Subscription and this is why there are no SingleScan entries in the fcli fod release lsat output.
- you can also use names for --technology-stack and --language-level
I think something like the following might work:
fcli fod sast setup --release=$APP:$RELEASE --entitlement-frequency=Subscription \
--assessment-type="Static Assessment" --audit-preference=Manual --technology-stack=JAVA --language-level=21
Please let us know.
Indeed this command worked: $ fcli fod sast setup --release=$APP:$RELEASE --entitlement-frequency=Subscription --assessment-type="Static Assessment" --audit-preference=Manual --technology-stack=JAVA --language-level=21
And then I could start the scan successfully with this one: $ fcli fod sast start -f=repo.zip --release=$APP:$RELEASE
However, using quoted strings with spaces when there is an ID sounds counter-intuitive to me. The command help only asks you to list the assessment types but does not explain exactly what format is expected. Can you specify that in the help as well? That would clarify the format it is expecting.
Also it would help if you make a suggestion when the error comes, if the types are well known. For example, if I try to run this wrong command with "Sub":
root@c3fb91b7ec52:/# fcli fod sast setup --release=$APP:$RELEASE --entitlement-frequency=Sub --assessment-type="Static Assessment" --audit-preference=Manual --technology-stack=JAVA --language-level=21
Invalid value for option '--entitlement-frequency': expected one of [SingleScan, Subscription] (case-sensitive) but was 'Sub'
It makes a suggestion to use Subscription instead as a known parameter, so I think this kind of error feedback could be added to the assessment types as well.
Thanks for the help, I think you can close this issue :)
Hi @dgacias, thanks for confirming that the suggested command works.
Most fcli commands accept either a name or id, we'll need to check why this isn't the case for assessment type. Maybe there's a technical reason, like having to match the given name against the output of an FoD API endpoint that only returns the assessment type name, not id. @kadraman any idea?
As for providing suggestions in case of incorrect input, this is currently only done for command-line options that accept a fixed set of allowed values that are known at fcli build time. For example, allowed values for entitlement frequency are hardcoded in fcli, hence we can list allowed values in documentation, help output, and error messages.
Assessment types can vary across FoD tenants, hence these are handled in a different way. In this case, I think we have probably already retrieved the list of allowed assessment types from FoD when this exception is being thrown, hence we could list those in the exception message. @kadraman, do you think this is possible, and would it be a good idea? If we implement this for --assessment-type, users may expect us to implement similar functionality for many other fcli options, which could require significant effort to implement and maintain.
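As an added example that is not part of this thread or of fcli itself, the bash script below takes the table that fcli fod release lsat prints (the rows quoted earlier, embedded as a constructed sample), and from it picks the assessment type Name, the entitlement frequency the release was actually set up with, and an entitlement id for fcli fod sast setup; when nothing matches it lists the names that are available, which is the hint the discussion above asks fcli to give. The column layout and option names come from this thread; the helper functions and their parsing are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not from the issue or from fcli: derive 'fcli fod sast setup' options
# from the table printed by 'fcli fod release lsat'. SAMPLE_LSAT is constructed from the
# rows quoted in the issue; a pipeline would capture it with LSAT="$(fcli fod release lsat --release="$APP:$RELEASE")".
SAMPLE_LSAT='Id Name Scan type Frequency type Units Entitlement id Entitlement description
117 Static Assessment Static Subscription 4 (of 230) 3386 3386 - Subscription (4 Units)
117 Static Assessment Static Subscription 4 (of 230) 3395 3395 - Subscription (4 Units)
119 Dynamic Website Assessment Dynamic Subscription 6 (of 230) 3386 3386 - Subscription (6 Units)'

# select_assessment SCAN_TYPE LSAT_TEXT
# Prints "<name>|<frequency type>|<entitlement id>" for the first row whose "Scan type"
# is SCAN_TYPE (Static/Dynamic). Names contain spaces, so a row is split around the
# "Frequency type" token (Subscription/SingleScan): the scan type is the field before it,
# the name is everything between Id and the scan type, and the entitlement id follows the
# three-token "N (of M)" units column. With no match, the names that are available are
# listed on stderr (the hint the thread asks fcli for) and 1 is returned.
select_assessment() {
    local want="$1" lsat="$2" hit
    hit=$(printf '%s\n' "$lsat" | awk -v want="$want" '
        NR == 1 { next }                                   # header row
        {
            for (j = 3; j <= NF; j++)
                if ($j == "Subscription" || $j == "SingleScan") break
            if (j > NF) next                               # not a data row
            name = $2
            for (k = 3; k <= j - 2; k++) name = name " " $k
            seen[name] = 1
            if ($(j - 1) == want && !found) { found = 1; print name "|" $j "|" $(j + 4) }
        }
        END {
            if (found) exit 0
            printf "No %s assessment type for this release; available:", want > "/dev/stderr"
            for (n in seen) printf " \"%s\"", n > "/dev/stderr"
            print "" > "/dev/stderr"
            exit 1
        }') || return 1
    printf '%s\n' "$hit"
}
# sast_setup_args LSAT_TEXT: one option per line for 'fcli fod sast setup', passing the
# assessment type by Name and the frequency the entitlement was actually set up with.
# Usage (not run here): mapfile -t ARGS < <(sast_setup_args "$LSAT") and then
#   fcli fod sast setup --release="$APP:$RELEASE" "${ARGS[@]}" --technology-stack=JAVA --language-level=21
sast_setup_args() {
    local sel name freq ent
    sel=$(select_assessment Static "$1") || return 1
    IFS='|' read -r name freq ent <<EOF
$sel
EOF
    printf '%s\n' "--assessment-type=$name" "--entitlement-frequency=$freq" "--entitlement-id=$ent"
}
```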
In that case, what about adding to this line: https://github.com/fortify/fcli/blob/d3c436fdf6a51712b3bed58e8c069cd86593962e/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/_common/scan/helper/FoDScanHelper.java#L167
"Cannot find appropriate assessment type for specified options. Please specify the Name of a valid assessment type."
That would help future users.
This has now been fixed and released - the --assessment-type option now supports both a name or id.