Synopsis

fcli fod issue list [--aggregate] [--app=<appNameOrId>] [--delim=<delimiter>] [--filters-param=<filtersParam>] [-q=<SpEL expression>] [--rel=id|app[:ms]:rel] [--embed=<embedSuppliers>[,<embedSuppliers>…]]… [-i=<status>[,<status>…]]… [[-h] [--env-prefix=<prefix>] [--log-file=<logFile>] [--log-level=<logLevel>] [--log-mask=<level>] [--debug]] [[--fod-session=<sessionName>]] [[-o=<type+args>] [--style=<style>,…]… [--to-file=<outputFile>]]

Description

This command allows for listing FoD vulnerability data for a given application or release. By default, only visible issues will be returned; the --include option can be used to (also) include suppressed or fixed issues. If any such issues are included, the default table output will show (S) and/or (F) for respectively suppressed and fixed issues.

Optionally, additional details may be included in the output using the --embed option, but please note that this may have a significant impact on performance as this will result in additional HTTP requests to FoD for every individual issue, and FoD rate limits may apply to those requests.

By default, issues will be written to the output as soon as they have been loaded from FoD. When listing issues at application level, this means that no aggregation data will be included in the output. Use the --aggregate option to include aggregation data such as the ids and names of the releases in which an issue was found, and the release-specific (vuln)ids. Note that --aggregate is equivalent to --style=no-fast-output; all issue data will be collected before being written to output. Depending on the number of releases to be processed and the number of issues per release, it may take a long time before any output is generated.

Warning
The --app option is currently in PREVIEW. If you wish to use this option it is recommended to use server-side filtering, via use of the --filters-param or --query options. For example, if you are only interested in issues with a specific severity, you can use a query like --filters-param "severityString:Critical" or --query "severityString='Critical'".
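One way to apply this recommendation in a pipeline script, as an added example that is not part of the fcli documentation or project: the hypothetical helpers valid_include and build_issue_list_args assemble the arguments for this command from options documented on this page, refuse an application-level listing that has no server-side filter, and reject --include values outside the allowed set. The application and release names are constructed sample values.

```shell
# Added example (not fcli code): build arguments for `fcli fod issue list`.

# Succeeds only if $1 is a comma-separated list of documented statuses.
valid_include() {
  local rest="$1," s
  [ -n "$1" ] || return 1
  while [ -n "$rest" ]; do
    s=${rest%%,*}; rest=${rest#*,}
    case "$s" in
      visible|fixed|suppressed) ;;
      *) return 1 ;;
    esac
  done
}

# Prints one argument per line.
#   $1 scope ("app" or "rel")   $2 application or release
#   $3 severity (may be empty for "rel")   $4 include list (default: visible)
build_issue_list_args() {
  local scope="$1" target="$2" severity="$3" include="${4:-visible}"
  valid_include "$include" || { echo "invalid --include: $include" >&2; return 2; }
  case "$scope" in
    app)
      # --app is in PREVIEW; require a server-side filter as recommended.
      [ -n "$severity" ] || { echo "app-level listing needs a server-side filter" >&2; return 3; }
      # --aggregate adds the releases each issue was found in (slower output).
      printf '%s\n' "--app=$target" --aggregate ;;
    rel)
      printf '%s\n' "--rel=$target" ;;
    *)
      echo "scope must be app or rel" >&2; return 2 ;;
  esac
  [ -z "$severity" ] || printf '%s\n' "--filters-param=severityString:$severity"
  printf '%s\n' "--include=$include" --output=json
}

# Usage (needs fcli and an active FoD session; not run here):
#   set -- $(build_issue_list_args app MyApp Critical visible,fixed)
#   fcli fod issue list "$@"
```

The unquoted expansion in the usage comment splits on whitespace, so it only suits names without spaces.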

Options

--aggregate

Include aggregation data.

--app=<appNameOrId>

Application id or name. Note that numeric values are always interpreted as ids. If you have numeric application names, you will need to specify the application id.

--delim=<delimiter>

Change the default delimiter character when using options that accept "application[:microservice]:release" as an argument or parameter.

--embed=<embedSuppliers>[,<embedSuppliers>…]

Embed extra issue data. Due to FoD rate limits, this may significantly affect performance. Allowed values: allData, summary, details, recommendations, history, requestResponse, headers, parameters, traces. Using the --output option, this extra data can be included in the output. Using the --query option, this extra data can be queried upon. To get an understanding of the structure and contents of the embedded data, use the --output json or --output yaml options.

--filters-param=<filtersParam>

Server-side queries are automatically generated from the -q / --query option if possible; generated queries can be viewed in the debug log. The --filters-param option can be used to override the automatically generated query, for example to further optimize the request. See the Fortify on Demand REST API documentation for information on supported formats.

-i, --include=<status>[,<status>…]

By default, only visible issues will be returned. This option accepts a comma-separated list to allow (also) fixed and/or suppressed issues to be returned, for example --include visible,fixed (to return both visible and fixed issues) or --include fixed (to return only fixed issues). Allowed values: visible, fixed, suppressed.

-q, --query=<SpEL expression>

Only display records for which the given Spring Expression Language (SpEL) expression returns true.

--rel, --release=id|app[:ms]:rel

Release id or <application>[:<microservice>]:<release> name.

FoD session name options

--fod-session=<sessionName>

Name of the FoD session to use for executing this command. Default value: default.

-o, --output=<type+args>

Select output type (csv, table, expr, json, xml, yaml) and optional type arguments.

--store=<var>[:<prop>]

Store JSON results in an fcli variable for later reference.

--style=<style>,…

Select output style: header, no-header, pretty, no-pretty, flat, no-flat, array, single, border, no-border, md-border, wrap, no-wrap, fast-output, no-fast-output.

--to-file=<outputFile>

Write output to the specified file.

--debug

Enable collection of debug logs.

--env-prefix=<prefix>

Prefix for resolving default option values. Default value: FCLI_DEFAULT.

-h, --help

Use 'fcli [command] -h' to display help for fcli (sub-)commands.

--log-file=<logFile>

Write log output to file. Default: ./fcli.log if logging is enabled.

--log-level=<logLevel>

Set logging level: TRACE, DEBUG, INFO, WARN, ERROR, NONE.

--log-mask=<level>

Log mask level: high, medium, low, none. Default: medium. Masking is done on a best-effort basis; no guarantee that all sensitive data will be masked.