chore: correct filtering logic to prevent valid issues from being skipped during audit (#882)

fix: `fcli aviator`: Correct filtering logic to prevent valid issues from being skipped during audit

fix: `fcli aviator`: Ensure consistent file hash generation across different builds

Co-authored-by: cdatla <[email protected]>

Author: kireetivar

fcli-core/fcli-aviator-common/src/main/java/com/fortify/cli/aviator/audit/IssueAuditor.java

@@ -28,7 +28,6 @@
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.TimeoutException;
 import java.util.stream.Collectors;
-import java.util.stream.Stream;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -44,8 +43,8 @@
 import com.fortify.cli.aviator.fpr.filter.Filter;
 import com.fortify.cli.aviator.fpr.filter.FilterSet;
 import com.fortify.cli.aviator.fpr.filter.FolderDefinition;
-import com.fortify.cli.aviator.fpr.filter.SearchTree;
 import com.fortify.cli.aviator.fpr.filter.TagDefinition;
+import com.fortify.cli.aviator.fpr.filter.VulnerabilityFilterer;
 import com.fortify.cli.aviator.fpr.model.AuditIssue;
 import com.fortify.cli.aviator.fpr.model.FPRInfo;
 import com.fortify.cli.aviator.fpr.processor.AuditProcessor;
@@ -279,106 +278,69 @@ private boolean isAudited(UserPrompt userPrompt) {
         }
         return false;
     }
+
     private List<Vulnerability> filterVulnerabilities(List<Vulnerability> allVulnerabilities, FilterSet fs) {
         List<String> targetFolderNames = filterSelection.getTargetFolderNames();
 
         List<Filter> folderFilters = fs.getFilters().stream()
-                .filter(f -> "setFolder".equalsIgnoreCase(f.getAction())).collect(Collectors.toList());
+            .filter(f -> "setFolder".equalsIgnoreCase(f.getAction()))
+            .collect(Collectors.toList());
+
         List<Filter> hideFilters = fs.getFilters().stream()
-                .filter(f -> "hide".equalsIgnoreCase(f.getAction())).collect(Collectors.toList());
-
-        Map<Filter, SearchTree> parsedQueries = new HashMap<>();
-        // Use a stream to populate the map
-        Stream.concat(folderFilters.stream(), hideFilters.stream()).forEach(f -> {
-            try {
-                parsedQueries.put(f, com.fortify.cli.aviator.fpr.filter.engine.FilterParser.parse(f.getQuery()));
-            } catch (Exception e) {
-                LOG.error("Failed to parse filter query: '{}'. This filter will be skipped.", f.getQuery(), e);
-                parsedQueries.put(f, new com.fortify.cli.aviator.fpr.filter.SearchTree(null));
-            }
-        });
+            .filter(f -> "hide".equalsIgnoreCase(f.getAction()))
+            .collect(Collectors.toList());
 
         Map<String, List<Vulnerability>> folderContents = new HashMap<>();
-        for (Vulnerability vuln : allVulnerabilities) {
+
+        // 1. Process "setFolder" filters
+        if (folderFilters.isEmpty()) {
+            folderContents.put("Default", new ArrayList<>(allVulnerabilities));
+        } else {
             for (Filter folderFilter : folderFilters) {
-                if (com.fortify.cli.aviator.fpr.filter.engine.VulnerabilityEvaluator.evaluate(parsedQueries.get(folderFilter), vuln)) {
-                    folderContents.computeIfAbsent(folderFilter.getActionParam(), k -> new ArrayList<>()).add(vuln);
-                    break;
-                }
+                List<Vulnerability> matches = VulnerabilityFilterer.filter(allVulnerabilities, folderFilter.getQuery());
+                folderContents.computeIfAbsent(folderFilter.getActionParam(), k -> new ArrayList<>()).addAll(matches);
             }
         }
 
-        folderContents.values().forEach(vulnList ->
-                vulnList.removeIf(vuln -> hideFilters.stream().anyMatch(
-                        hideFilter -> com.fortify.cli.aviator.fpr.filter.engine.VulnerabilityEvaluator.evaluate(parsedQueries.get(hideFilter), vuln)
-                ))
-        );
+        // 2. Process "hide" filters
+        for (Filter hideFilter : hideFilters) {
+            for (List<Vulnerability> folderList : folderContents.values()) {
+                if (folderList.isEmpty()) continue;
 
+                List<Vulnerability> toHide = VulnerabilityFilterer.filter(folderList, hideFilter.getQuery());
+                if (!toHide.isEmpty()) {
+                    folderList.removeAll(toHide);
+                }
+            }
+        }
+
+        // 3. Selection Logic (Flatten all or select specific folders)
         if (!filterSelection.isFilteringByFolder()) {
-            List<Vulnerability> result = folderContents.values().stream().flatMap(List::stream).collect(Collectors.toList());
+            List<Vulnerability> result = folderContents.values().stream()
+                .flatMap(List::stream)
+                .distinct()
+                .collect(Collectors.toList());
             logger.info("FilterSet '{}' applied. {} of {} total vulnerabilities remain.", fs.getTitle(), result.size(), allVulnerabilities.size());
             return result;
         } else {
-            // This logic correctly finds folder IDs based on user-provided names.
             Set<String> targetFolderIds = fs.getFolderDefinitions().stream()
-                    .filter(fd -> targetFolderNames.stream().anyMatch(name -> name.equalsIgnoreCase(fd.getName())))
-                    .map(FolderDefinition::getId)
-                    .collect(Collectors.toSet());
+                .filter(fd -> targetFolderNames.stream().anyMatch(name -> name.equalsIgnoreCase(fd.getName())))
+                .map(FolderDefinition::getId)
+                .collect(Collectors.toSet());
 
             if (targetFolderIds.isEmpty()) {
                 String available = fs.getFolderDefinitions().stream().map(FolderDefinition::getName).collect(Collectors.joining("', '", "'", "'"));
                 throw new AviatorSimpleException("Folder(s) not found in FilterSet '"+fs.getTitle()+"'. Available folders: "+available);
             }
 
             List<Vulnerability> result = folderContents.entrySet().stream()
-                    .filter(entry -> targetFolderIds.contains(entry.getKey()))
-                    .flatMap(entry -> entry.getValue().stream())
-                    .collect(Collectors.toList());
+                .filter(entry -> targetFolderIds.contains(entry.getKey()))
+                .flatMap(entry -> entry.getValue().stream())
+                .distinct()
+                .collect(Collectors.toList());
 
             logger.info("Filtered by folder(s) '{}'. {} vulnerabilities remain.", targetFolderNames, result.size());
             return result;
         }
     }
-
-    private void updateSkippedIssue(UserPrompt userPrompt, String reasonTemplate, int issuesInCategory, int totalIssues) {
-        if (userPrompt == null || userPrompt.getIssueData() == null) {
-            LOG.error("Cannot update skipped issue status for null userPrompt or issue data.");
-            return;
-        }
-        String instanceId = userPrompt.getIssueData().getInstanceID();
-        AuditIssue auditIssue = auditIssueMap.get(instanceId);
-
-        String comment = reasonTemplate
-                .replace("{issues_new_in_category}", String.valueOf(issuesInCategory))
-                .replace("{MAX_PER_CATEGORY}", String.valueOf(MAX_PER_CATEGORY))
-                .replace("{issues_new_total}", String.valueOf(totalIssues))
-                .replace("{MAX_TOTAL}", String.valueOf(MAX_TOTAL));
-
-        if (auditIssue != null) {
-            LOG.debug("Updating existing audit entry for skipped issue: {}", instanceId);
-            try {
-                auditProcessor.addCommentToIssueXml(instanceId, comment, Constants.USER_NAME);
-            } catch (Exception e) {
-                LOG.error("Failed to add comment to XML for skipped issue {}: {}", instanceId, e.getMessage());
-            }
-
-            auditProcessor.updateIssueTag(auditIssue, Constants.AVIATOR_STATUS_TAG_ID, Constants.PROCESSED_BY_AVIATOR);
-
-            Map<String, String> tags = auditIssue.getTags();
-            String currentAnalysisStatus = tags.get(Constants.ANALYSIS_TAG_ID);
-            if (currentAnalysisStatus == null || currentAnalysisStatus.isEmpty() || "Not Set".equalsIgnoreCase(currentAnalysisStatus)) {
-                auditProcessor.updateIssueTag(auditIssue, Constants.ANALYSIS_TAG_ID, Constants.PENDING_REVIEW);
-                LOG.debug("Set Analysis tag to Pending Review for skipped issue: {}", instanceId);
-            } else {
-                LOG.debug("Skipped issue {} already has Analysis status '{}', not changing.", instanceId, currentAnalysisStatus);
-            }
-
-        } else {
-            try {
-                auditProcessor.addSkippedIssueElement(instanceId, comment);
-            } catch (Exception e) {
-                LOG.error("Failed to add skipped issue element to audit.xml for {}: {}", instanceId, e.getMessage());
-            }
-        }
-    }
-}
+}

fcli-core/fcli-aviator-common/src/main/java/com/fortify/cli/aviator/fpr/utils/FileUtils.java

@@ -14,6 +14,7 @@
 
 
 import java.io.IOException;
+import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.Arrays;
@@ -44,7 +45,7 @@ public List<String> readFileWithFallback(Path filePath) {
         return fileContentCache.computeIfAbsent(filePath, path -> {
             try {
                 byte[] fileBytes = Files.readAllBytes(path);
-                String content = new String(fileBytes);
+                String content = new String(fileBytes, StandardCharsets.UTF_8);
                 return Arrays.asList(content.split("\\r?\\n"));
             } catch (IOException e) {
                 logger.error("Failed to read file: {}", path, e);
@@ -137,4 +138,4 @@ public Optional<String> getSourceFileContent(FprHandle fprHandle, String relativ
             return Optional.empty();
         }
     }
-}
+}

fcli-core/fcli-aviator-common/src/test/java/com/fortify/cli/aviator/audit/IssueAuditorTest.java

@@ -0,0 +1,149 @@
+/*
+ * Copyright 2021-2025 Open Text.
+ *
+ * The only warranties for products and services of Open Text
+ * and its affiliates and licensors ("Open Text") are as may
+ * be set forth in the express warranty statements accompanying
+ * such products and services. Nothing herein should be construed
+ * as constituting an additional warranty. Open Text shall not be
+ * liable for technical or editorial errors or omissions contained
+ * herein. The information contained herein is subject to change
+ * without notice.
+ */
+package com.fortify.cli.aviator.audit;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import java.io.IOException;
+import java.lang.reflect.Method;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.stream.Collectors;
+import java.util.zip.ZipEntry;
+import java.util.zip.ZipOutputStream;
+
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+import com.fortify.cli.aviator.audit.model.FilterSelection;
+import com.fortify.cli.aviator.config.IAviatorLogger;
+import com.fortify.cli.aviator.fpr.Vulnerability;
+import com.fortify.cli.aviator.fpr.filter.Filter;
+import com.fortify.cli.aviator.fpr.filter.FilterSet;
+import com.fortify.cli.aviator.fpr.filter.FilterTemplate;
+import com.fortify.cli.aviator.fpr.model.FPRInfo;
+import com.fortify.cli.aviator.util.FprHandle;
+
+
+class IssueAuditorTest {
+
+    private Path tempFprFile;
+    private FprHandle fprHandle;
+
+    @BeforeEach
+    void setup() throws IOException {
+        // 1. Create a temporary dummy FPR file (ZIP format)
+        tempFprFile = Files.createTempFile("test_aviator", ".fpr");
+        try (ZipOutputStream zos = new ZipOutputStream(Files.newOutputStream(tempFprFile))) {
+
+            // A. Add a minimal audit.fvdl
+            ZipEntry entry = new ZipEntry("audit.fvdl");
+            zos.putNextEntry(entry);
+            String minimalXml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><FVDL><UUID>test-uuid</UUID><Build><BuildID>test-build</BuildID></Build></FVDL>";
+            zos.write(minimalXml.getBytes(StandardCharsets.UTF_8));
+            zos.closeEntry();
+
+            // B. Add src-archive/index.xml to suppress the warning
+            ZipEntry indexEntry = new ZipEntry("src-archive/index.xml");
+            zos.putNextEntry(indexEntry);
+            String indexXml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><index></index>";
+            zos.write(indexXml.getBytes(StandardCharsets.UTF_8));
+            zos.closeEntry();
+        }
+        fprHandle = new FprHandle(tempFprFile);
+    }
+
+    @AfterEach
+    void tearDown() throws IOException {
+        if (fprHandle != null) {
+            fprHandle.close();
+        }
+        if (tempFprFile != null) {
+            Files.deleteIfExists(tempFprFile);
+        }
+    }
+
+    @Test
+    void testFilterVulnerabilities_LegacySyntaxWithSpaces() throws Exception {
+
+        // Manual Logger Stub (No-op)
+        IAviatorLogger dummyLogger = new IAviatorLogger() {
+            @Override public void progress(String format, Object... args) {}
+            @Override public void info(String format, Object... args) {}
+            @Override public void warn(String format, Object... args) {}
+            @Override public void error(String format, Object... args) {}
+        };
+
+        FPRInfo fprInfo = new FPRInfo(fprHandle);
+
+        FilterTemplate dummyTemplate = new FilterTemplate();
+        dummyTemplate.setTagDefinitions(new ArrayList<>());
+        // Note: FPRInfo.setFilterTemplate() exists in the provided code
+        fprInfo.setFilterTemplate(dummyTemplate);
+
+        // --- 2. SETUP FILTER SET WITH LEGACY SYNTAX ---
+        // The "Buggy" Filter String (Legacy syntax: Space in range AND between terms)
+        String legacyQuery = "impact:![2.5, 5.0] [Analysis Type]:!SONATYPE";
+
+        Filter filter = new Filter();
+        filter.setAction("hide");
+        filter.setQuery(legacyQuery);
+
+        FilterSet filterSet = new FilterSet();
+        filterSet.setTitle("Regression Test Set");
+        filterSet.setFilters(Collections.singletonList(filter));
+
+        FilterSelection selection = new FilterSelection(filterSet, null);
+
+        // Target Issue: High Impact (4.0), Null Analysis Type.
+        // Result: Should NOT be hidden.
+        Vulnerability targetVuln = new Vulnerability();
+        targetVuln.setInstanceID("TARGET_ISSUE");
+        targetVuln.setImpact(4.0);
+
+        // Noise Issue: Low Impact (1.0).
+        // Result: Should be hidden.
+        Vulnerability hiddenVuln = new Vulnerability();
+        hiddenVuln.setInstanceID("HIDDEN_ISSUE");
+        hiddenVuln.setImpact(1.0);
+
+        List<Vulnerability> inputList = Arrays.asList(targetVuln, hiddenVuln);
+
+        IssueAuditor auditor = new IssueAuditor(
+            inputList, null, new HashMap<>(), fprInfo,
+            "TestApp", "1.0", selection, dummyLogger
+        );
+
+        Method filterMethod = IssueAuditor.class.getDeclaredMethod("filterVulnerabilities", List.class, FilterSet.class);
+        filterMethod.setAccessible(true);
+
+        @SuppressWarnings("unchecked")
+        List<Vulnerability> results = (List<Vulnerability>) filterMethod.invoke(auditor, inputList, filterSet);
+
+        List<String> remainingIds = results.stream()
+            .map(Vulnerability::getInstanceID)
+            .collect(Collectors.toList());
+
+        assertEquals(1, remainingIds.size(), "Should verify that exactly one issue remains");
+        assertTrue(remainingIds.contains("TARGET_ISSUE"),
+            "Regression Failed: IssueAuditor hid the target issue. It likely used the Modern parser on a Legacy query string.");
+    }
+}