Current Behavior
After a successful FoD Scan with Aviator enabled and remediations to apply, if we run:
```
> fcli fod aviator apply-remediations --release "Fortify Demo App:remediation-test" --log-level DEBUG --log-file fcli.log
Release id   Total remediation   Applied remediation   Skipped remediation   Action
194274       16                  13                    3                     Remediation-Applied
```
However, if we introduce a new vulnerability without applying the remediations from the above then only the latest vulnerability will be remediated:
```
> fcli fod aviator apply-remediations --release "Fortify Demo App:remediation-test" --log-level DEBUG --log-file fcli.log
Release id   Total remediation   Applied remediation   Skipped remediation   Action
194274       1                   1                     0                     Remediation-Applied
```
It is now impossible to remediate the 16 findings from the first scan, as the command only downloads the latest FPR.
If another scan was carried out (that fixes a vulnerability or doesn't add any new ones) then Aviator won't be run and then we get:
```
> fcli fod aviator apply-remediations --release "Fortify Demo App:remediation-test" --log-level DEBUG --log-file fcli.log
AviatorSimpleException: FPR file does not contain remediations.xml file.
    at com.fortify.cli.aviator.applyRemediation.ApplyAutoRemediationOnSource.applyRemediations(ApplyAutoRemediationOnSource.java:36)
```
So now we can't run "apply-remediations" any more to resolve any of the outstanding issues that have a remediation available.
Expected Behavior
The "apply-remediations" should either be able to download older FPRs and apply the remediations incrementally or an alternative approach should be used to remediate individual findings, e.g. the FoD API endpoint: /api/v3/releases/{releaseId}/vulnerabilities/{vulnId}/aviator-remediation-guidance.
In reality it is very unlikely that a developer would apply multiple remediations automatically unless they were Low severity; they would more likely pick individually, by file, by category etc. This is probably a better approach for this type of auto-remediation?
Steps To Reproduce
No response
Environment
Anything else?
No response
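An added pre-check (example code, not fcli's own) that inspects FPR archives for the `remediations.xml` entry whose absence triggers the `AviatorSimpleException` shown above, so a pipeline can skip `apply-remediations` for scans where Aviator did not run. It assumes only that an FPR is a zip archive with `remediations.xml` at its root; the sample archives are constructed.

```python
"""Pre-check FPR archives before running `fcli fod aviator apply-remediations`.

Added example, not part of fcli. Relies on two facts from the report: an FPR
is a zip archive, and fcli fails with "FPR file does not contain
remediations.xml file" when that entry is missing.
"""
import io
import zipfile
from dataclasses import dataclass
from typing import Dict, List

REMEDIATIONS_ENTRY = "remediations.xml"


@dataclass
class FprCheck:
    name: str
    has_remediations: bool
    entries: int


def check_fpr(data: bytes, name: str = "<in-memory>") -> FprCheck:
    """Report whether the FPR archive carries a root-level remediations.xml."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    # Assumption: only a root-level entry counts, matching fcli's error text.
    return FprCheck(name, REMEDIATIONS_ENTRY in names, len(names))


def select_usable(fprs: Dict[str, bytes]) -> List[str]:
    """Names of archives safe to hand to apply-remediations, in given order."""
    return [n for n, b in fprs.items() if check_fpr(b, n).has_remediations]


def _make_fpr(with_remediations: bool) -> bytes:
    """Build a constructed, minimal FPR-like zip for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("audit.fvdl", "<FVDL/>")  # constructed placeholder body
        if with_remediations:
            zf.writestr(REMEDIATIONS_ENTRY, "<remediations/>")  # constructed
    return buf.getvalue()


# Constructed inputs mirroring the three scans described in the report.
SAMPLE_FPRS = {
    "scan-1.fpr": _make_fpr(True),   # first scan: remediations present
    "scan-2.fpr": _make_fpr(True),   # new finding: remediations present
    "scan-3.fpr": _make_fpr(False),  # Aviator not run: entry missing
}

if __name__ == "__main__":
    for fpr_name, blob in SAMPLE_FPRS.items():
        result = check_fpr(blob, fpr_name)
        print(f"{fpr_name}: remediations.xml present={result.has_remediations}")
    print("usable:", select_usable(SAMPLE_FPRS))
```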