fod-uploader-java's Introduction

fod-uploader-java

Java utility for uploading code to Fortify on Demand

Usage

Current

Note: Command-line arguments have been reworked since 3.1.0. If you are upgrading from an older version to the latest version, make sure to update your arguments.

The following table describes the FoDUploader arguments. Arguments are named and can be in any order:

Short Name | Long Name | Required? | Description
-z | -zipLocation | Yes | Location of payload zip file
-ep | -entitlementPreferenceType | Yes | Whether to use a single scan or subscription assessment: 1/SingleScanOnly, 2/SubscriptionOnly, 3/SingleScanFirstThenSubscription, 4/SubscriptionFirstThenSingleScan
-ac | -apiCredentials | Yes [1] | API credentials
-uc | -userCredentials | Yes [1] | User credentials (wrap each in quotations to handle certain non-alphanumeric characters in the CLI)
-bsi | -bsiToken | Yes [2] | BSI token
-rid | -releaseId | Yes [2] | Release ID
-purl | -portalurl | Yes [3] | Domain URL
-aurl | -apiurl | Yes [3] | API root URL
-tc | -tenantCode | Yes [3] | Tenant ID if using user credentials
-at | -assessmentTypeId | Yes [4] | Assessment type ID
-eid | -entitlement | Yes [4] | Entitlement ID
-ts | -technologyStackId | Yes [4] | Technology stack as an integer: 1 (.NET), 23 (.NET Core), 2 (ABAP), 21 (Apex/Visualforce), 3 (ASP), 5 (CFML), 6 (COBOL), 22 (Go), 7 (JAVA/J2EE), 16 (JS/TS/HTML), 18 (MBS/C/C++/Scala), 9 (PHP), 10 (PYTHON), 17 (Ruby), 12 (Swift/Objective C/C++), 11 (VB6), 14 (VBScript), 27 (Infrastructure-As-Code/Dockerfile), 31 (Solidity), 28 (React Native), 29 (DART), 26 (Kotlin)
-l | -languageLevelId | Yes [4] | Language level as an integer:
    .NET: 2 (2.0), 3 (3.0), 4 (3.5), 5 (4.0), 11 (4.5), 15 (4.6), 16 (4.7), 30 (4.8), 32 (5.0), 33 (6.0), 35 (7.0), 38 (8.0)
    .NET Core: 23 (1.0), 24 (1.1), 25 (2.0), 26 (2.1), 27 (2.2), 28 (3.0), 29 (3.1)
    Java: 12 (1.8), 17 (1.9), 19 (10), 20 (11), 21 (12), 22 (13), 34 (17), 39 (21)
    Go: 41 (1.21)
    Python: 13 (2), 14 (2 Django), 18 (3), 37 (4.2 Django)
-a | -auditPreferenceId | Yes [4] | Audit preference: Manual, Automated
-bs | -isBinaryScan | No [4] | Scan compiled and source code (the feature must be enabled)
-os | -allowopenSourceComponentAnalysis | No [4] | Include open source component analysis
-rp | -remediationScanPreferenceType | No | Remediation scan preference: 0/RemediationScanIfAvailable, 1/RemediationScanOnly, 2/NonRemediationScanOnly (default)
-pp | -inProgressScanActionType | No | If an in-progress scan exists, the action to take for a new scan: 0/DoNotStartScan (default), 1/CancelScanInProgress, 2/Queue
-purchase | -purchaseEntitlement | No | Whether to purchase an entitlement (if available)
-apf | -allowPolicyFail | No | Whether to return exit(0) instead of exit(1) if the scan fails the security policy specified in Fortify on Demand
-n | -notes | No | The notes about the scan
-I | -pollingInterval | No | Interval between checking scan status in minutes
-P | -proxy | No | Proxy connection details (order dependent): <proxy_url> <nt_domain> <nt_workstation>
-h | -help | No | Print help dialog
-v | -version | No | Print jar version

[1] Use either apiCredentials or userCredentials.
[2] Use either releaseId or bsiToken. If both are provided, then the scan settings retrieved from the release ID will be used.
[3] Required if a BSI token is not provided.
[4] Required if neither a release ID nor a BSI token is provided. Values override existing release ID or BSI token settings.

Syntax:

FodUpload.jar -z <zip_file_path> -ep {1|SingleScanOnly|2|SubscriptionOnly|3|SingleScanFirstThenSubscription|4|SubscriptionFirstThenSingleScan} {-ac <key> <secret> | -uc <username> <password>} {-rid <release_id> | -bsi <token> | -at <assessment_id> -eid <entitlement_id> -ts <tstack_id> -l <lang_id> -a {Manual|Automated} [-bs] [-os]} -purl <domain_url> -aurl <api_url> -tc <tenant_id> [-rp {0|RemediationScanIfAvailable|1|RemediationScanOnly|2|NonRemediationScanOnly}] [-pp {0|DoNotStartScan|1|CancelScanInProgress|2|Queue}] [-purchase] [-apf] [-n <notes>] [-I <minutes>] [-P <proxyUrl> <username> <password> <nt_domain> <nt_workstation>] [-h] [-v]
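The four "Required?" footnotes above are easy to get wrong in a CI script, and a shell re-splitting a secret that contains a comma or a space is a recurring source of confusing "option is required" errors. The following wrapper is an added example, not code from fod-uploader-java: it encodes the footnote rules for the 3.1.0+ syntax and builds an argv list for subprocess, so credential values reach the JVM unchanged. Flag names are the ones in the table; the FodUploadJob class, its field names and the default jar path are this example's own choices.

```python
"""Build a FodUpload.jar argv from the README's "Current" (3.1.0+) rules.

Added example, not part of fod-uploader-java. The flag names come from the
argument table above; the combination rules are the table's footnotes:
  [1] exactly one of -ac <key> <secret> / -uc <username> <password>
  [2] -rid and/or -bsi (when both are given FoD uses the release's settings)
  [3] -purl, -aurl and -tc are required when no -bsi token is given
  [4] -at, -eid, -ts, -l and -a are required when neither -rid nor -bsi is given
The result is an argv list for subprocess, so values containing commas, spaces
or quotes reach the JVM unchanged instead of being re-split by a shell.
"""
import subprocess
from dataclasses import dataclass
from typing import Optional, Tuple

ENTITLEMENT_PREFS = {
    "1", "SingleScanOnly", "2", "SubscriptionOnly",
    "3", "SingleScanFirstThenSubscription", "4", "SubscriptionFirstThenSingleScan",
}
AUDIT_PREFS = {"Manual", "Automated"}


@dataclass
class FodUploadJob:  # hypothetical container for one upload's settings
    zip_location: str
    entitlement_preference: str
    api_credentials: Optional[Tuple[str, str]] = None   # (key, secret)
    user_credentials: Optional[Tuple[str, str]] = None  # (username, password)
    release_id: Optional[str] = None
    bsi_token: Optional[str] = None
    portal_url: Optional[str] = None
    api_url: Optional[str] = None
    tenant_code: Optional[str] = None
    assessment_type_id: Optional[str] = None
    entitlement_id: Optional[str] = None
    technology_stack_id: Optional[str] = None
    language_level_id: Optional[str] = None
    audit_preference: Optional[str] = None
    notes: Optional[str] = None
    polling_interval_minutes: Optional[int] = None
    allow_policy_fail: bool = False


def _require(argv, pairs, reason):
    """Append flag/value pairs, failing on the first missing value."""
    for flag, value in pairs:
        if value is None or value == "":
            raise ValueError(f"{flag} is required {reason}")
        argv += [flag, str(value)]


def build_argv(job: FodUploadJob, jar: str = "FodUpload.jar") -> list:
    if job.entitlement_preference not in ENTITLEMENT_PREFS:
        raise ValueError(f"unknown -ep value {job.entitlement_preference!r}")
    argv = ["java", "-jar", jar, "-z", job.zip_location, "-ep", job.entitlement_preference]

    # [1] exactly one credential source
    if bool(job.api_credentials) == bool(job.user_credentials):
        raise ValueError("use exactly one of api_credentials / user_credentials")
    if job.api_credentials:
        argv += ["-ac", *job.api_credentials]
    else:
        argv += ["-uc", *job.user_credentials]

    # [2] release identification: either, or both
    if job.release_id:
        argv += ["-rid", job.release_id]
    if job.bsi_token:
        argv += ["-bsi", job.bsi_token]

    # [3] portal, API root and tenant are needed when no BSI token supplies them
    if not job.bsi_token:
        _require(argv, [("-purl", job.portal_url), ("-aurl", job.api_url),
                        ("-tc", job.tenant_code)], "when no BSI token is given")

    # [4] full scan settings are needed when there is nothing to inherit them from
    if not job.release_id and not job.bsi_token:
        if job.audit_preference not in AUDIT_PREFS:
            raise ValueError("-a must be Manual or Automated")
        _require(argv, [("-at", job.assessment_type_id), ("-eid", job.entitlement_id),
                        ("-ts", job.technology_stack_id), ("-l", job.language_level_id),
                        ("-a", job.audit_preference)], "when neither -rid nor -bsi is given")

    if job.notes:
        argv += ["-n", job.notes]
    if job.polling_interval_minutes is not None:
        argv += ["-I", str(job.polling_interval_minutes)]
    if job.allow_policy_fail:
        argv.append("-apf")
    return argv


def run_upload(job: FodUploadJob, jar: str = "FodUpload.jar") -> int:
    """Run the upload. Per the table, exit status 0 means success and 1 means
    failure, which includes a failed security policy unless -apf is set."""
    return subprocess.run(build_argv(job, jar), check=False).returncode
```

Because the argv never passes through a shell, no quoting or escaping of the key, secret or password is needed in the pipeline script; the caller still has to treat the process list as visible to other local users, since the tool takes credentials as arguments.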

Previous

The following table describes the FoDUploader arguments for 3.1.0:

Short Name | Long Name | Required? | Description
-bsi | -bsiToken | Yes | Build server token
-z | -zipLocation | Yes | Location of scan
-ep | -entitlementPreference | Yes | Whether to use a single scan or subscription assessment (if available) (1/Single, 2/Subscription)
-ac | -apiCredentials | Yes [*] | API credentials ("key:" does not need to be appended to <key>)
-uc | -userCredentials | Yes [*] | User login credentials (wrap each in quotations to avoid escaping characters in the CLI)
-a | -auditPreferenceId | No | False positive audit type (1/Manual, 2/Automated)
-p | -scanPreferenceId | No | Scan mode (1/Standard, 2/Express)
-I | -pollingInterval | No | Interval between checking scan status in minutes
-P | -proxy | No | Credentials for accessing the proxy
-os | -runOpenSourceScan | No | Whether to run an Open Source Scan
-h | -help | No | Print help dialog
-v | -version | No | Print jar version
-itp | -includeThirdPartyLibs | No | Include third-party libraries in the scan
-r | -isRemediationScan | No | Whether the scan is in remediation
-b | -isBundledAssessment | No | Whether the scan is a bundled assessment
-purchase | -purchaseEntitlement | No | Whether to purchase an entitlement (if available)
-n | -notes | No | The notes about the scan

[*] Use either apiCredentials or userCredentials.

Syntax:

FodUpload.jar -bsi <token> -z <file> {-ac <key> <secret> | -uc <username> <password>} -ep {1|SingleScan|2|Subscription} [-p {1|Standard|2|Express}] [-a {1|Manual|2|Automated}] [-itp] [-os] [-b] [-r] [-purchase] [-n] [-I <minutes>] [-P <proxy_url> <username> <password> <nt_domain> <nt_workstation>] [-h] [-v] 

Developer Setup

FoDUploader is configured to build a fat jar with the Gradle Shadow plugin as the default gradle task.

To compile, run gradlew (Linux/macOS) or gradlew.bat (Windows) from the repository root:

.\gradlew.bat

For a more detailed breakdown of the build process, run the build with the bundled init script:

.\gradlew.bat -I init.gradle build

If you are behind a firewall, you will need to configure gradle's proxy settings in:

/<user-directory>/.gradle/gradle.properties

systemProp.http.proxyHost=<web-proxy-host>
systemProp.http.proxyPort=<web-proxy-port>

systemProp.https.proxyHost=<web-proxy-host>
systemProp.https.proxyPort=<web-proxy-port>

fod-uploader-java's People

Contributors

aaronseibert, aishkotni, arixmf, james-mf, marespane, mattbrundage, mtgibbs, petebeegle, rsenden, ryanpritchard, tejeshchandra, vodriemf, yeulih

fod-uploader-java's Issues

Migrate to Open JDK 9/10 for Native EXE support

JDK 9 and subsequently 10 added a feature to build native .exe's. We should migrate to the latest java version to make this easier. The concern here would be that older JREs that people are using could have problems.

Consume credentials via environment variables?

Is there a way to consume credentials via environment variables? Rather than the -apiCredentials or -userCredentials parameters. This is more secure (process list won't show creds) and easier to manage in non-interactive environments.

entitlementFrequency option always building with a value of 1

While working on adding options for isBundledAssessment and parentAssessmentTypeId, I noticed that all scans were being started as a Single scan. API v3 changed this to be a string value vs the old integers, so it would make sense for this to be switched to an enum. Will work on this and file a pull request.

java.lang.NullPointerException - release not found

Using a BSI token produces a NullPointerException because of the lack of a value for the releaseId attribute.

$ java -jar FodUpload-530.jar -ac <apikey> <apisecret> -z <package>.zip -bsi <bsitoken> -ep 1 -rp 0 -pp 0 -n "Packaged using ScanCentral tool"
Authenticating
Authenticated
java.io.IOException: Unexpected code: Response{protocol=http/1.1, code=404, message=Not Found, url=https://api.emea.fortify.com/api/v3/releases/0/static-scans/scan-setup}
	at com.fortify.fod.fodapi.controllers.ReleaseController.getReleaseScanSettings(ReleaseController.java:128)
	at com.fortify.fod.Main.main(Main.java:113)
java.lang.NullPointerException
	at com.fortify.fod.fodapi.controllers.ReleaseController.UpdateScanSettings(ReleaseController.java:196)
	at com.fortify.fod.Main.main(Main.java:113)

The resulting url is https://api.emea.fortify.com/api/v3/releases/0/static-scans/scan-setup where 0 should be the releaseId. In this case I guess 0 stands for null.
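A preflight check that catches this case before the upload starts, added here as an example and not part of fod-uploader-java. The token quoted in the "External JRE dependency" issue further down this page decodes as base64-encoded JSON carrying a numeric releaseId field; this helper assumes that layout (an assumption, not something the README documents) and refuses tokens whose releaseId is absent or 0, which is the value the tool ends up putting into the /releases/0/static-scans/scan-setup request above. The sample tokens are constructed inline.

```python
"""Preflight check of a BSI token before it is handed to FodUpload.jar.

Added example, not part of fod-uploader-java. Assumes (from the token quoted
in an issue on this page) that a BSI token is base64-encoded JSON with an
integer "releaseId" member; a token without one makes the uploader request
/releases/0/..., which ends in a 404 and then a NullPointerException.
"""
import base64
import binascii
import json


def decode_bsi_token(token: str) -> dict:
    """Return the JSON object inside a BSI token, or raise ValueError."""
    try:
        raw = base64.b64decode(token, validate=True)  # strict alphabet and padding
        payload = json.loads(raw)                     # JSONDecodeError is a ValueError
    except (binascii.Error, ValueError) as exc:
        raise ValueError("BSI token is not base64-encoded JSON") from exc
    if not isinstance(payload, dict):
        raise ValueError("BSI token payload is not a JSON object")
    return payload


def release_id_from_bsi(token: str) -> int:
    """Return the release ID the token names; reject tokens that would be sent as release 0."""
    payload = decode_bsi_token(token)
    release_id = payload.get("releaseId")
    # bool is a subclass of int, so exclude it explicitly
    if isinstance(release_id, bool) or not isinstance(release_id, int) or release_id <= 0:
        raise ValueError("BSI token carries no usable releaseId; pass -rid or regenerate the token")
    return release_id


def make_token(payload: dict) -> str:
    """Constructed sample tokens only; real tokens come from the FoD portal."""
    return base64.b64encode(json.dumps(payload).encode("utf-8")).decode("ascii")


GOOD_TOKEN = make_token({"tenantId": 1, "tenantCode": "example", "releaseId": 4711,
                         "payloadType": "ANALYSIS_PAYLOAD"})
MISSING_RELEASE_TOKEN = make_token({"tenantId": 1, "tenantCode": "example",
                                    "payloadType": "ANALYSIS_PAYLOAD"})

if __name__ == "__main__":
    print("release from sample token:", release_id_from_bsi(GOOD_TOKEN))
    try:
        release_id_from_bsi(MISSING_RELEASE_TOKEN)
    except ValueError as err:
        print("rejected:", err)
```

Running the check in the pipeline step that prepares the FodUpload arguments turns an opaque 404 and stack trace into a one-line message naming the real problem, and it costs no API call.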

"Binary Scanning option is not allowed", even though disabled

Attempting to scan a Python 3 application as follows:

java -jar FodUpload.jar -z package.zip -ac $API_KEY $API_SECRET -rid "$RELEASE_ID" -aurl $API_URL -purl $URL -at 274 -eid 10053 -ts 10 -l 18 -a 2 -ep 2 -pp 0 -I 1 -apf

Gives the following result:

Authenticating
Authenticated
Error saving Scan Settings
1 - Binary Scanning option is not allowed
Retiring Token : Token Retired Successfully

However, -bs (or -isBinaryScan), per the documentation, should, by default, be false.

What's more, manually specifying -bs false results in an error: "Was passed main parameter 'false' but no main parameter was defined"

Please add FoDUpload.win.exe to https://github.com/fod-dev/fod-uploader-java/releases/tag/v3.0.7

An FoDUpload.win.exe is provided for v3.0.1 (to replace the old, obsolete Windows FoDUploader): https://github.com/fod-dev/fod-uploader-java/releases/tag/v3.0.1

But v3.0.1 is already out of date, and does not support the options documented online here: https://ams.fortify.com/Docs/en/HPE_Fortify_on_Demand_User_Guide.htm#Additional_Services/Tools/FoD_Uploader/BSI_Running.htm%3FTocPath%3DAdditional%2520Services%7CTools%7CFoDUploader%7C_____2

This is especially annoying/broken because FoDUpload v3.0.1 does not support BSI Tokens (taking the old BSI URLs instead), but following FoD changes which occurred along with the HPE -> Microfocus dashboard makeover in November 2017, the FoD portal no longer generates BSI URLs. Only BSI tokens are generated, now!

Scan rejected after entitlement expired while there are valid entitlements available to start a new subscription

Scan is rejected if the entitlement period expired while there are valid entitlements available to start a new subscription.

Disabling the previous entitlement in the admin portal will allow the scan to obtain a new entitlement ID and start a new subscription.

Authenticating
Beginning upload
Upload Status - Bytes sent:5242880
Upload Status - Bytes sent:10485760
Upload Status - Bytes sent:15422750
Package upload failed for the following reasons:
1) Unexpected error processing request
Retiring Token : Token Retired Successfully

Return non-zero if scan fails policy

Currently FodUploader 4.0.1 returns 0 if the scan completes successfully and 1 if not (for any reason, including using the -pp options). I'd like to see it return a non-zero return code if the scan fails policy as well, which will help in CI pipelines to fail scan tasks by cuing in on this code. Thanks!

com.google.gson.JsonSyntaxException: java.lang.IllegalStateException: Expected BEGIN_OBJECT but was STRING at line 1 column 1 path $

Environment:

Command:

FoDUpload -z package.zip -aurl "$FOD_API_URL" -purl "$FOD_URL" -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USERNAME" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "Submitted from GitLab Pipeline"

Log:

$ FoDUpload -z package.zip -aurl "$FOD_API_URL" -purl "$FOD_URL" -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USERNAME" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "Submitted from GitLab Pipeline"
Authenticating
Authenticated
Beginning upload
com.google.gson.JsonSyntaxException: java.lang.IllegalStateException: Expected BEGIN_OBJECT but was STRING at line 1 column 1 path $
	at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory$Adapter.read(ReflectiveTypeAdapterFactory.java:224)
	at com.google.gson.Gson.fromJson(Gson.java:887)
	at com.google.gson.Gson.fromJson(Gson.java:852)
	at com.google.gson.Gson.fromJson(Gson.java:801)
	at com.google.gson.Gson.fromJson(Gson.java:773)
	at com.fortify.fod.fodapi.controllers.StaticScanController.StartStaticScan(StaticScanController.java:121)
	at com.fortify.fod.Main.main(Main.java:117)
Caused by: java.lang.IllegalStateException: Expected BEGIN_OBJECT but was STRING at line 1 column 1 path $
	at com.google.gson.stream.JsonReader.beginObject(JsonReader.java:385)
	at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory$Adapter.read(ReflectiveTypeAdapterFactory.java:213)
	... 6 more
Retiring Token : Token Retired Successfully

RE-OPENED: Encountering "Techstack is invalid" when the Technology scan has no language level

Related to Issue: #10

Hello,

Good day.
Issue still affecting the foduploader.
Issue: Encountering "Techstack is invalid" when the Technology scan has no language level
Foduploader version: v3.0.1

Steps to reproduce:

  1. Generate a BSI where the Techstack has no language level (I used Objective C/C++)
  2. Start a scan using Fodupload.jar.

Expected result: Scan will be created.
Actual result: Techstack is invalid

[Screenshot: technology stack is invalid]

-isBundledAssessment is not working

Description:

  • I am trying to start a scan and telling the command that I am using a bundled scan.
  • When I add -b, I am getting the java.lang.NullPointerException error.
  • I tried -b, --b, -B, -isBundledAssessment, -b 2, -b "True"

[Screenshot: fodupload -b issue]

[Enhancement] Request that these binaries should be uploaded to maven central to enable simple integration with build scripts.

This has been requested to be submitted by me on behalf of a user:

fod-uploader-java:
https://github.com/fod-dev/fod-uploader-java

binaries currently here:
https://github.com/fod-dev/fod-uploader-java/releases

these binaries should be uploaded to maven central to enable simple integration with build scripts.

currently the jar file has to be downloaded manually and stored in source control which is a primitive way of working.

External JRE dependency in https://github.com/fod-dev/fod-uploader-java/releases/download/v3.0.7/FoDUpload.win.exe

Here's what I see in my TeamCity logs this AM when a build profile attempts to run the Windows binary for the FoD uploader fetched from the indicated URL (created in response to #22):

[09:39:58][Step 6/7] Uploading D:\TeamCity\buildAgent\work\2b9299460950c628\payload.zip
[09:39:58][Step 6/7] Command line: D:\TeamCity\buildAgent\work\2b9299460950c628\FodUpload.win.exe -z "D:\TeamCity\buildAgent\work\2b9299460950c628\payload.zip" -ac -ep "Subscription" -a "Manual" -bsi "eyJ0ZW5hbnRJZCI6MTMxNywidGVuYW50Q29kZSI6IlpvY2RvYyIsInJlbGVhc2VJZCI6MTI3NzE2LCJwYXlsb2FkVHlwZSI6IkFOQUxZU0lTX1BBWUxPQUQiLCJhc3Nlc3NtZW50VHlwZUlkIjoyNzMsInRlY2hub2xvZ3lUeXBlIjoiLk5FVCIsInRlY2hub2xvZ3lUeXBlSWQiOjEsInRlY2hub2xvZ3lWZXJzaW9uIjoiNC41IiwidGVjaG5vbG9neVZlcnNpb25JZCI6MTEsImF1ZGl0UHJlZmVyZW5jZSI6Ik1hbnVhbCIsImF1ZGl0UHJlZmVyZW5jZUlkIjoxLCJpbmNsdWRlVGhpcmRQYXJ0eSI6ZmFsc2UsImluY2x1ZGVPcGVuU291cmNlQW5hbHlzaXMiOnRydWUsInNjYW5QcmVmZXJlbmNlIjoiMCIsInNjYW5QcmVmZXJlbmNlSWQiOjAsInBvcnRhbFVyaSI6Imh0dHBzOi8vYW1zLmZvcnRpZnkuY29tIiwiYXBpVXJpIjoiaHR0cHM6Ly9hcGkuYW1zLmZvcnRpZnkuY29tIn0="
[09:40:02][Step 6/7] This application requires a Java Runtime Environment 1.8.0_144

Erroneous version on latest release

The latest release (5.3.0) reports version 5.2.1, the same as the release before it.

This is the version attribute in build.gradle

group = 'com.fortify.fod'
version = '5.2.1'

buildscript {
    repositories {

This is the output from jar package

$ wget https://github.com/fod-dev/fod-uploader-java/releases/download/v5.3.0/FodUpload.jar
$ java -jar FodUpload.jar -version
Version 5.2.1

Encountering "Techstack is invalid" when the Technology scan has no language level

Hello,

Please see issue found.
Issue: Encountering "Techstack is invalid" when the Technology scan has no language level

Steps to reproduce:

  1. Generate a BSI where the Techstack has no language level (I used Objective C/C++)
  2. Start a scan using Fodupload.jar.

Expected result: Scan will be created.
Actual result: Techstack is invalid

[Screenshot: techstack is invalid]

Connection timed out (write failed)

Hello!

We are an FoD customer. I tried using this tool (FYI, it is only working on OpenJDK for me, not IBM JDK (1.8)).

The upload process works fine; my EAR file is large (1.2 GB). But after the upload status "bytes sent..." sends the whole file, things stop (at 1.2 GB, which is correct), then nothing for a few minutes. Finally I get a SocketTimeoutException (com.fortify.fod.fodapi.controllers.StaticScanController.StartStaticScan(staticScanController.java:92)).

I have used the command line option "-I 1" to no avail. Any help appreciated.

-apiCredentials doesn't work when there is a comma in the secret

The generated API Key/Secret for our CI account was generated with comma in the secret. When using the FoD Java Uploader, it refused to accept the input giving the following error each time:

The following options are required: -apiCredentials, -ac or -userCredentials, -uc Usage: <main class> [options] ...

I eventually isolated the issue by just deleting any special characters from the string until it attempted to connect. Attempts to shell escape the key in Bash did not help either. We did work around by regenerating our API Key for our CI systems.

Workaround: regenerate the API key/secret until you get one without a comma.

Invalid entitlement/assessment type

java -jar FodUpload.jar -ep Subscription -z ABC.zip -ac vvvvvvvv 'dddddddd' -u 'https://api.ams.fortify.com/bsi2.aspx?tid=123&tc=Carnival&pv=12345&payloadType=ANALYSIS_PAYLOAD&astid=120&ts=JAVA%2fJ2EE&ll=1.7'
Authenticating
Beginning upload
java.lang.Exception: Invalid entitlement/assessment type
valid entitlement/assessment type
at com.fortify.fod.fodapi.controllers.StaticScanController.StartStaticScan(StaticScanController.java:50)
at com.fortify.fod.Main.main(Main.java:66)

-ITP is not being accepted on the command line

Issue: -ITP is not working
Foduploader version: v3.1.0

When the customer starts a scan in foduploader that includes 3rd party libraries, aside from enabling the 3rd party libraries in the portal, they need to include the -itp in their command line.

The issue is that -itp and -includeThirdPartyLibs is not being accepted and the started scan is starting excluding 3rd party libraries.

Screenshots attached:
[Screenshot: foduploader - application settings]
[Screenshot: foduploader - includethirdpartylibs]
[Screenshot: fodupoader - using itp at the end of the command line]
[Screenshot: fodupoader - using itp at the beginning of the command line]
[Screenshot: foduploader - scan summary]

Fail exit code when scan already in progress

Setting -inProgressScanActionType = 0 returns an exit code of 1 when a scan is already running.

For example running via GitHub actions with this value returns:

Authenticating
Beginning upload
Package upload failed for the following reasons: 
1) Can not start scan another scan is in progress
Retiring Token : Token Retired Successfully
Error: Process completed with exit code 1.

An exit code of 1 will signify an (un)expected failure of the task. For me this would make more sense to return a successful exit code when a scan is already running as your intention of including the value in ProgressScanActionType = 0 is that a scan should not be actioned if another is already in progress, meaning that this task has been completed successfully.

Could this function be amended or a new option be provided to exit successfully if a scan is already running?

-isRemediationScan flag not accepted

using the command line:
java -jar c:\tools\FodUpload.jar -ac -a Automated -bsi -ep Subscription -notes "note" -p Standard -isRemediationScan false -z ToScan.zip
result in:
ERROR> Was passed main parameter 'false' but no main parameter was defined

tried with --r, same result.

obtuse FOD error when incorrect entitlement selected for fod uploader scan start

Customer was trying to work on build integration from a linux environment but the scan start was failing immediately after upload with an obtuse error (see red text below). It took some debugging but we figured it out.

Issue: when using FoDUploader to start a scan of an application that has already been scanned, it is important that the entitlement preference attribute (-ep) use the same type as the type previously used if the entitlement is active. In our case the app had been started with a subscription several weeks earlier. The user was specifying "-ep 1", which is single scan, instead of "-ep 2", subscription. The portal backend saw that, decided it was a conflict and threw a NullPointerException instead of a more useful error message.

[commandprompt] $ java -jar /home/{username}/HP_Fortify/FodUpload.jar -uc 'name' 'pass' -z /home/{username}/tmp/{zipfilename}.zip -bsi <bsi_token> -ep 1 -P http://{proxy address}:8080
Authenticating
Beginning upload
java.lang.NullPointerException
at com.fortify.fod.fodapi.controllers.StaticScanController.StartStaticScan(StaticScanController.java:53)
at com.fortify.fod.Main.main(Main.java:66)
Retiring Token : Token Retired Successfully

Once the user changed -ep 1 to -ep 2, the upload was successful and the scan successfully started, validating that the script worked; they could then proceed with build integrations for the specific application.

JRE Error

When launching the 3.0.8 version of the Win.exe version receiving error:

"This application was configured to use a bundled Java Runtime Environment but the runtime is missing or corrupted."

Running JRE build 1.8.0_161-b12

Version 3.0.7 Works with out issue.

Add flag for isBundled

I think it would just be a matter of allowing on the commandline a parameter for whether the assessment type is bundled such as -IsBundled 1, then when you call the API to Start Scans you supply that value for isBundledAssessment. 

Any logic that checks whether it really is bundled should be handled by the API. The default should be -IsBundled 0 in case the intent is to start a Static Premium without ever running a dynamic scan.

[Fortify Commit Analyzer] 1 security weaknesses detected

Fortify Commit Analyzer detected 1 security weakness(es) in the changed files:

  • Critical: Password Management - Hardcoded Password (CWE-259, CWE-798)

For additional details on the weakness(es), including remediation recommendations click here

TAMs have confirmed that the latest version of fodupload.jar has ThirdParty flag turned on by default

In previous versions of fodupload.jar, scanning third party (-excludeThirdPartyLibs or -x) was an option that was on by default. In this latest version it is off. TAMs are concerned that this will result in confusion, with customers having to update their commands, and is responsible for a huge increase in the number of larger payloads due to scanning third party libraries.

Could we please make the default on again like it was before? Thanks in advance.

if more than 1 filter is being used when calling releases/assessment-types, a java exception is returned

At one point, fod-uploader contacts FoD to find out which assessment types are valid for the ReleaseID. If there are parameters on the commandline of fod-uploader that would result in that API call to have more than 1 filter, the call will fail and Java uploader will report a very generic Java exception. In the API Logs however a very specific error is shown indicating "Input String was not in a correct format" regarding the following API call

http://hpfod.com/api/v3/releases/123750/assessment-types?scanType=1&filters=frequencyTypeId:2+isBundledAssessment:true

It appears the url is not getting encoded when it is sent to FoD's API which is a requirement.

Upload Process Failed

Greetings.

I encountered an issue when using FoDUploader.jar.

FodUploader version : 5.4.0

Command line
java -jar FodUpload.jar -z package.zip -aurl https://api.trial.fortify.com -purl https://trial.fortify.com -rid "$FOD_RELEASE_ID" -tc "FOD_TENANT" -uc "$FOD_USERNAME" "$FOD_PAT" -ep 1 -I 5
Release ID, tenant, username and personal access token are masked for privacy purposes.

The zip file contains a jar file plus one .java file (attachment: package.zip).

The authentication process succeeds, but the upload process fails:

Authenticating
Authenticated
Beginning upload
Package upload failed for the following reasons:

1) Stream out of sync
Retiring Token : Token Retired Successfully

Can FodUploader not be used with the Fortify on Demand trial version?
Any help would be greatly appreciated.
