From 1c5b88eddb0f0ded732d191fd50beaf68a26e75a Mon Sep 17 00:00:00 2001 From: kadraman Date: Thu, 26 Feb 2026 12:41:06 +0000 Subject: [PATCH 1/3] chore: Minor fod fixes --- .../_common/scan/helper/FoDScanHelper.java | 4 +-- .../cmd/FoDDastAutomatedScanStartCommand.java | 25 +++++++++++++------ .../cli/cmd/FoDMicroserviceCreateCommand.java | 4 +++ 3 files changed, 23 insertions(+), 10 deletions(-) diff --git a/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/_common/scan/helper/FoDScanHelper.java b/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/_common/scan/helper/FoDScanHelper.java index 9fca985aa6..6c1552bf90 100644 --- a/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/_common/scan/helper/FoDScanHelper.java +++ b/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/_common/scan/helper/FoDScanHelper.java @@ -146,7 +146,7 @@ public static FoDScanAssessmentTypeDescriptor getEntitlementToUse(UnirestInstanc Integer assessmentTypeId = 0; LOG.info("Finding/Validating entitlement to use."); - var atd = FoDReleaseAssessmentTypeHelper.getAssessmentTypeDescriptor(unirest, relId, scanType, + var atd = FoDReleaseAssessmentTypeHelper.getAssessmentTypeDescriptor(unirest, relId, scanType, entitlementFrequencyType, assessmentType); assessmentTypeId = atd.getAssessmentTypeId(); entitlementIdToUse = atd.getEntitlementId(); @@ -191,7 +191,7 @@ private static final FoDScanDescriptor getDescriptor(JsonNode node) { return JsonHelper.treeToValue(node, FoDScanDescriptor.class); } - private static final FoDScanDescriptor getEmptyDescriptor() { + public static final FoDScanDescriptor getEmptyDescriptor() { return JsonHelper.treeToValue(getObjectMapper().createObjectNode(), FoDScanDescriptor.class); } diff --git a/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/dast_scan/cli/cmd/FoDDastAutomatedScanStartCommand.java b/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/dast_scan/cli/cmd/FoDDastAutomatedScanStartCommand.java index c68709a4f1..1c772ea432 100644 
--- a/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/dast_scan/cli/cmd/FoDDastAutomatedScanStartCommand.java +++ b/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/dast_scan/cli/cmd/FoDDastAutomatedScanStartCommand.java @@ -17,6 +17,8 @@ import com.fortify.cli.fod._common.scan.cli.cmd.AbstractFoDScanStartCommand; import com.fortify.cli.fod._common.scan.cli.mixin.FoDInProgressScanActionTypeMixins; import com.fortify.cli.fod._common.scan.helper.FoDScanDescriptor; +import com.fortify.cli.fod._common.scan.helper.FoDScanHelper; +import com.fortify.cli.fod._common.scan.helper.FoDScanType; import com.fortify.cli.fod._common.scan.helper.dast.FoDScanDastAutomatedHelper; import com.fortify.cli.fod._common.util.FoDEnums; import com.fortify.cli.fod.release.helper.FoDReleaseDescriptor; 
@@ -50,15 +52,21 @@ protected FoDScanDescriptor startScan(UnirestInstance unirest, FoDReleaseDescrip // get current setup to ensure the scan has been configured FoDScanDastAutomatedHelper.getSetupDescriptor(unirest, relId); - // check if scan is already in progress - FoDScanDescriptor scan = FoDScanDastAutomatedHelper.handleInProgressScan(unirest, releaseDescriptor, - inProgressScanActionType.getInProgressScanActionType(), progressWriter, maxAttempts, - waitInterval); + // check if there have been any scans previously run for this release + if (!FoDScanDastAutomatedHelper.getLatestScanDescriptor(unirest, relId, FoDScanType.Dynamic, true) + .equals(FoDScanHelper.getEmptyDescriptor())) { - if (scan != null && scan.getAnalysisStatusType().equals("In_Progress")) { - if (inProgressScanActionType.getInProgressScanActionType() == FoDEnums.InProgressScanActionType.DoNotStartScan) { - scanAction = "NOT_STARTED_SCAN_IN_PROGRESS"; - return scan; + // if there is an in progress scan, handle according to the specified action type + FoDScanDescriptor scan = FoDScanDastAutomatedHelper.handleInProgressScan(unirest, releaseDescriptor, + inProgressScanActionType.getInProgressScanActionType(), progressWriter, maxAttempts, + waitInterval); + + // if the action was to not start a new scan, return the in progress scan descriptor + if (scan != null && scan.getAnalysisStatusType().equals("In_Progress")) { + if (inProgressScanActionType.getInProgressScanActionType() == FoDEnums.InProgressScanActionType.DoNotStartScan) { + scanAction = "NOT_STARTED_SCAN_IN_PROGRESS"; + return scan; + } } } @@ -70,4 +78,5 @@ protected FoDScanDescriptor startScan(UnirestInstance unirest, FoDReleaseDescrip public final String getActionCommandResult() { return scanAction; } + } 
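Review bot: The new `getLatestScanDescriptor(...).equals(FoDScanHelper.getEmptyDescriptor())` guard in startScan decides whether the in-progress handling runs at all, and it relies on generated equality (FoDScanDescriptor imports Lombok's Data and EqualsAndHashCode) against a freshly deserialized empty descriptor. A null return from the lookup would throw here, and any field the lookup fills in differently from an empty JSON object changes the result; the next patch in this series also adds an `attributes` field that presumably takes part in the comparison. If the guard wrongly reports "no previous scans", handleInProgressScan is skipped and a new scan is started regardless of the DoNotStartScan setting. A narrower test states the intent and would let getEmptyDescriptor() stay private: assuming getScanId() returns an object type, `var latest = FoDScanDastAutomatedHelper.getLatestScanDescriptor(unirest, relId, FoDScanType.Dynamic, true);` followed by `if (latest != null && latest.getScanId() != null) {`. startScan begins and ends outside the hunk.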
diff --git a/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/microservice/cli/cmd/FoDMicroserviceCreateCommand.java b/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/microservice/cli/cmd/FoDMicroserviceCreateCommand.java index 6ce2013820..64b2031dcc 100644 --- a/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/microservice/cli/cmd/FoDMicroserviceCreateCommand.java +++ b/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/microservice/cli/cmd/FoDMicroserviceCreateCommand.java @@ -52,6 +52,10 @@ public JsonNode getJsonNode(UnirestInstance unirest) { } FoDAppDescriptor appDescriptor = qualifiedMicroserviceNameResolver.getAppDescriptor(unirest, true); FoDQualifiedMicroserviceNameDescriptor qualifiedMicroserviceNameDescriptor = qualifiedMicroserviceNameResolver.getQualifiedMicroserviceNameDescriptor(); + // if the application is not microservice enabled, return the application descriptor with an additional field indicating that the microservice was not created due to the application not being microservice enabled + if (!appDescriptor.isHasMicroservices()) { + return appDescriptor.asObjectNode().put("__action__", "NOT_MICROSERVICE_ENABLED"); + } FoDMicroserviceUpdateRequest msCreateRequest = FoDMicroserviceUpdateRequest.builder() .microserviceName(qualifiedMicroserviceNameDescriptor.getMicroserviceName()) .attributes(FoDAttributeHelper.getAttributesNode(unirest, FoDEnums.AttributeTypes.Microservice, From dd5536509bacde8cdaa80f5b2927f51f5757f25a Mon Sep 17 00:00:00 2001 
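Review bot: The early return for `!appDescriptor.isHasMicroservices()` in getJsonNode emits an application record where callers expect a microservice, and as far as this hunk shows the command still completes successfully. Scripts that consume the output cannot tell this apart from a real creation unless they inspect `__action__`, so it is worth confirming that the command's action-result handling does not overwrite that value and that the help text documents NOT_MICROSERVICE_ENABLED. `asObjectNode().put(...)` may also write into the node that backs appDescriptor; if that node is shared, copy it first with `return appDescriptor.asObjectNode().deepCopy().put("__action__", "NOT_MICROSERVICE_ENABLED");`. getJsonNode starts and ends outside the hunk.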
From: kadraman Date: Mon, 2 Mar 2026 17:24:12 +0000 Subject: [PATCH 2/3] feat: implement sarif import and SPDX sbom download (closes #914, #912) --- .../output/cli/mixin/OutputHelperMixins.java | 4 ++ .../fortify/cli/fod/_common/rest/FoDUrls.java | 1 + .../scan/helper/FoDScanDescriptor.java | 13 +++++++ .../cli/fod/_common/util/FoDEnums.java | 24 ++++++++++++ .../cli/cmd/FoDOssScanDownloadCommand.java | 18 ++++++--- .../cmd/FoDOssScanDownloadLatestCommand.java | 11 +++++- .../cmd/FoDScanDownloadOpenSourceType.java | 17 ++++++++ .../cli/cmd/FoDSastScanCommands.java | 3 +- .../cmd/FoDSastScanImportSarifCommand.java | 39 +++++++++++++++++++ .../cli/fod/i18n/FoDMessages.properties | 5 +++ 10 files changed, 128 insertions(+), 7 deletions(-) create mode 100644 fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/oss_scan/cli/cmd/FoDScanDownloadOpenSourceType.java create mode 100644 fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/sast_scan/cli/cmd/FoDSastScanImportSarifCommand.java diff --git a/fcli-core/fcli-common/src/main/java/com/fortify/cli/common/output/cli/mixin/OutputHelperMixins.java b/fcli-core/fcli-common/src/main/java/com/fortify/cli/common/output/cli/mixin/OutputHelperMixins.java index 2137a1d1f9..ba6a3a80ca 100644 --- a/fcli-core/fcli-common/src/main/java/com/fortify/cli/common/output/cli/mixin/OutputHelperMixins.java +++ b/fcli-core/fcli-common/src/main/java/com/fortify/cli/common/output/cli/mixin/OutputHelperMixins.java @@ -232,4 +232,8 @@ public static class RestCall extends DetailsWithQuery { public static final String CMD_NAME = "call"; } + public static class ImportSarif extends TableNoQuery { + public static final String CMD_NAME = "import-sarif"; + } + } diff --git a/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/_common/rest/FoDUrls.java b/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/_common/rest/FoDUrls.java index fa16b04832..9785e30930 100644 --- a/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/_common/rest/FoDUrls.java 
+++ b/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/_common/rest/FoDUrls.java @@ -42,6 +42,7 @@ public class FoDUrls { public static final String RELEASE_SCANS = RELEASE + "/scans"; public static final String STATIC_SCANS = ApiBase + "/releases/{relId}/static-scans"; public static final String STATIC_SCANS_IMPORT = STATIC_SCANS + "/import-scan"; + public static final String STATIC_SCANS_IMPORT_SARIF = STATIC_SCANS + "/import-sarif"; public static final String STATIC_SCAN_START = STATIC_SCANS + "/start-scan"; public static final String STATIC_SCAN_START_WITH_DEFAULTS = STATIC_SCANS + "/start-scan-with-defaults"; public static final String STATIC_SCAN_START_ADVANCED = STATIC_SCANS + "/start-scan-advanced"; diff --git a/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/_common/scan/helper/FoDScanDescriptor.java b/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/_common/scan/helper/FoDScanDescriptor.java index e286ad88f0..358be4237c 100644 --- a/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/_common/scan/helper/FoDScanDescriptor.java +++ b/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/_common/scan/helper/FoDScanDescriptor.java @@ -12,12 +12,16 @@ */ package com.fortify.cli.fod._common.scan.helper; +import java.util.ArrayList; import java.util.Date; +import java.util.HashMap; +import java.util.Map; import com.fasterxml.jackson.annotation.JsonFormat; import com.fasterxml.jackson.annotation.JsonIgnore; import com.formkiq.graalvm.annotations.Reflectable; import com.fortify.cli.common.json.JsonNodeHolder; +import com.fortify.cli.fod.attribute.helper.FoDAttributeDescriptor; import lombok.Data; import lombok.EqualsAndHashCode; @@ -35,6 +39,7 @@ public class FoDScanDescriptor extends JsonNodeHolder { private String microserviceName; private String analysisStatusType; private String status; + private ArrayList attributes; @JsonIgnore public String getReleaseAndScanId() { 
@@ -45,4 +50,12 @@ public String getReleaseAndScanId() { private Date startedDateTime; @JsonFormat(shape = JsonFormat.Shape.STRING, pattern = "yyy-MM-dd'T'hh:mm:ss") private Date completedDateTime; + + public Map attributesAsMap() { + Map attrMap = new HashMap<>(); + for (FoDAttributeDescriptor attr : attributes) { + attrMap.put(attr.getId(), attr.getValue()); + } + return attrMap; + } } diff --git a/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/_common/util/FoDEnums.java b/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/_common/util/FoDEnums.java index 826c0a560a..3a9208d46f 100644 --- a/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/_common/util/FoDEnums.java +++ b/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/_common/util/FoDEnums.java @@ -633,4 +633,28 @@ public static java.util.Optional resolveValue(String input) { } } + public enum SBOMFormat implements IFoDEnumValueSupplier { + CycloneDX("CycloneDX"), + SPDX("SPDX"); + + public final String value; + + SBOMFormat(String value) { + this.value = value; + } + + public String getValue() { + return this.value; + } + + /** + * Resolve an input string which may be either the enum constant name (e.g. "CycloneDX") + * or the user-facing value (e.g. "Cyclone DX") to the canonical user-facing value. + * Comparison for the enum name is case-insensitive. Returns an empty Optional when no match. + */ + public static java.util.Optional resolveValue(String input) { + return IFoDEnumValueSupplier.resolveEnumValue(input, values()); + } + } + } diff --git a/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/oss_scan/cli/cmd/FoDOssScanDownloadCommand.java b/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/oss_scan/cli/cmd/FoDOssScanDownloadCommand.java index 238f35cf38..5ad9777edd 100644 --- a/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/oss_scan/cli/cmd/FoDOssScanDownloadCommand.java +++ b/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/oss_scan/cli/cmd/FoDOssScanDownloadCommand.java 
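Review bot: `attributesAsMap()` iterates `attributes` without a null check, so it throws NullPointerException for any descriptor whose JSON carries no attributes array, including the one FoDScanHelper.getEmptyDescriptor() builds from an empty object node. Guard it right after the map is created with `if (attributes == null) { return attrMap; }`. The `attributes` field added in the preceding hunk of this file is declared as ArrayList; declaring it as List would keep the descriptor independent of the concrete collection type.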
@@ -16,24 +16,32 @@ import com.fortify.cli.fod._common.scan.cli.cmd.AbstractFoDScanDownloadCommand; import com.fortify.cli.fod._common.scan.helper.FoDScanDescriptor; import com.fortify.cli.fod._common.scan.helper.FoDScanType; +import com.fortify.cli.fod._common.util.FoDEnums; import kong.unirest.GetRequest; import kong.unirest.UnirestInstance; import lombok.Getter; import picocli.CommandLine.Command; import picocli.CommandLine.Mixin; +import picocli.CommandLine.Option; @Command(name = OutputHelperMixins.Download.CMD_NAME) public class FoDOssScanDownloadCommand extends AbstractFoDScanDownloadCommand { @Getter @Mixin private OutputHelperMixins.Download outputHelper; - + @Option(names="--format", required = false) + private FoDEnums.SBOMFormat format; + @Override protected GetRequest getDownloadRequest(UnirestInstance unirest, FoDScanDescriptor scanDescriptor) { - return unirest.get("/api/v3/open-source-scans/{scanId}/sbom") - .routeParam("scanId", scanDescriptor.getScanId()) - .accept("application/octet-stream"); + String path = "/api/v3/open-source-scans/{scanId}/sbom"; + GetRequest req = unirest.get(path) + .routeParam("scanId", scanDescriptor.getScanId()); + if ( format != null ) { + req = req.queryString("format", format.name()); + } + return req.accept("application/octet-stream"); } - + @Override protected FoDScanType getScanType() { return FoDScanType.OpenSource; diff --git a/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/oss_scan/cli/cmd/FoDOssScanDownloadLatestCommand.java b/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/oss_scan/cli/cmd/FoDOssScanDownloadLatestCommand.java index b1f7dbf633..e558eda3ee 100644 --- a/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/oss_scan/cli/cmd/FoDOssScanDownloadLatestCommand.java +++ b/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/oss_scan/cli/cmd/FoDOssScanDownloadLatestCommand.java 
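Review bot: `req.queryString("format", format.name())` in getDownloadRequest sends the enum constant name even though SBOMFormat carries an explicit `value` with a `getValue()` accessor; `req = req.queryString("format", format.getValue());` keeps the wire value stable if a constant is ever renamed. The same request-building code is repeated in FoDOssScanDownloadLatestCommand in this patch, so a small shared helper would keep the two commands from drifting apart. The help text added for `--format` states a default of CycloneDX, but when the option is omitted no parameter is sent, so the effective default is whatever the server applies.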
@@ -16,6 +16,7 @@ import com.fortify.cli.fod._common.scan.cli.cmd.AbstractFoDScanDownloadLatestCommand; import com.fortify.cli.fod._common.scan.helper.FoDScanDescriptor; import com.fortify.cli.fod._common.scan.helper.FoDScanType; +import com.fortify.cli.fod._common.util.FoDEnums; import com.fortify.cli.fod.release.helper.FoDReleaseDescriptor; import kong.unirest.GetRequest; @@ -23,15 +24,23 @@ import lombok.Getter; import picocli.CommandLine.Command; import picocli.CommandLine.Mixin; +import picocli.CommandLine.Option; @Command(name = FoDOutputHelperMixins.DownloadLatest.CMD_NAME) public class FoDOssScanDownloadLatestCommand extends AbstractFoDScanDownloadLatestCommand { @Getter @Mixin private FoDOutputHelperMixins.DownloadLatest outputHelper; + @Option(names="--format", required = false) + private FoDEnums.SBOMFormat format; @Override protected GetRequest getDownloadRequest(UnirestInstance unirest, FoDReleaseDescriptor releaseDescriptor, FoDScanDescriptor scanDescriptor) { - return unirest.get("/api/v3/open-source-scans/{scanId}/sbom") + String path = "/api/v3/open-source-scans/{scanId}/sbom"; + GetRequest req = unirest.get(path) .routeParam("scanId", scanDescriptor.getScanId()); + if ( format != null ) { + req = req.routeParam("format", format.name()); + } + return req.accept("application/octet-stream"); } @Override diff --git a/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/oss_scan/cli/cmd/FoDScanDownloadOpenSourceType.java b/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/oss_scan/cli/cmd/FoDScanDownloadOpenSourceType.java new file mode 100644 index 0000000000..7075a229ce --- /dev/null +++ b/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/oss_scan/cli/cmd/FoDScanDownloadOpenSourceType.java 
@@ -0,0 +1,17 @@ +/* + * Copyright 2021-2026 Open Text. + * + * The only warranties for products and services of Open Text + * and its affiliates and licensors ("Open Text") are as may + * be set forth in the express warranty statements accompanying + * such products and services. Nothing herein should be construed + * as constituting an additional warranty. Open Text shall not be + * liable for technical or editorial errors or omissions contained + * herein. The information contained herein is subject to change + * without notice. + */ +package com.fortify.cli.fod.oss_scan.cli.cmd; + +public class FoDScanDownloadOpenSourceType { + +} diff --git a/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/sast_scan/cli/cmd/FoDSastScanCommands.java b/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/sast_scan/cli/cmd/FoDSastScanCommands.java index 1f70d0d7c0..9fd9948793 100644 --- a/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/sast_scan/cli/cmd/FoDSastScanCommands.java +++ b/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/sast_scan/cli/cmd/FoDSastScanCommands.java @@ -25,11 +25,12 @@ FoDSastScanGetCommand.class, FoDSastScanGetConfigCommand.class, FoDSastScanImportCommand.class, + FoDSastScanImportSarifCommand.class, FoDSastScanListCommand.class, FoDSastScanSetupCommand.class, FoDSastScanStartCommand.class, FoDSastScanWaitForCommand.class, - } + } ) @DefaultVariablePropertyName("releaseAndScanId") public class FoDSastScanCommands extends AbstractContainerCommand { diff --git a/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/sast_scan/cli/cmd/FoDSastScanImportSarifCommand.java b/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/sast_scan/cli/cmd/FoDSastScanImportSarifCommand.java new file mode 100644 index 0000000000..186d7a0882 --- /dev/null +++ b/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/sast_scan/cli/cmd/FoDSastScanImportSarifCommand.java 
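Review bot: FoDScanDownloadOpenSourceType is added as an empty public class, and nothing else in this patch series references it. It looks like leftover scaffolding for the `--format` option, which ended up using FoDEnums.SBOMFormat instead. If that is the case the file should be dropped from the commit; otherwise it needs a class comment stating what it is for.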
@@ -0,0 +1,39 @@ +/* + * Copyright 2021-2026 Open Text. + * + * The only warranties for products and services of Open Text + * and its affiliates and licensors ("Open Text") are as may + * be set forth in the express warranty statements accompanying + * such products and services. Nothing herein should be construed + * as constituting an additional warranty. Open Text shall not be + * liable for technical or editorial errors or omissions contained + * herein. The information contained herein is subject to change + * without notice. + */ +package com.fortify.cli.fod.sast_scan.cli.cmd; + +import com.fortify.cli.common.output.cli.mixin.OutputHelperMixins; +import com.fortify.cli.fod._common.rest.FoDUrls; +import com.fortify.cli.fod._common.scan.cli.cmd.AbstractFoDScanImportCommand; +import com.fortify.cli.fod._common.scan.helper.FoDScanType; + +import kong.unirest.HttpRequest; +import kong.unirest.UnirestInstance; +import lombok.Getter; +import picocli.CommandLine.Command; +import picocli.CommandLine.Mixin; + +@Command(name = OutputHelperMixins.ImportSarif.CMD_NAME) +public class FoDSastScanImportSarifCommand extends AbstractFoDScanImportCommand { + @Getter @Mixin private OutputHelperMixins.ImportSarif outputHelper; + + @Override + protected HttpRequest getBaseRequest(UnirestInstance unirest, String releaseId) { + return unirest.put(FoDUrls.STATIC_SCANS_IMPORT_SARIF).routeParam("relId", releaseId); + } + + @Override + protected FoDScanType getScanType() { + return FoDScanType.Static; + } +} diff --git a/fcli-core/fcli-fod/src/main/resources/com/fortify/cli/fod/i18n/FoDMessages.properties b/fcli-core/fcli-fod/src/main/resources/com/fortify/cli/fod/i18n/FoDMessages.properties index 107e94e051..82bbae8115 100644 --- a/fcli-core/fcli-fod/src/main/resources/com/fortify/cli/fod/i18n/FoDMessages.properties +++ b/fcli-core/fcli-fod/src/main/resources/com/fortify/cli/fod/i18n/FoDMessages.properties 
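Review bot: FoDSastScanImportSarifCommand has no class comment, and everything except the URL and the scan type is inherited from AbstractFoDScanImportCommand, which is not part of this patch. Add Javadoc such as `/** Imports SAST results from a SARIF file into a release through the FoD import-sarif endpoint. */`. Because SARIF files are produced by third-party tools, it is also worth confirming that the inherited upload path (presumably written for FPR imports) suits the import-sarif endpoint, and that a server-side rejection of a malformed file is surfaced to the user rather than reported as a successful import.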
@@ -567,6 +567,9 @@ fcli.fod.sast-scan.setup.use-aviator = Use Fortify Aviator to audit results and fcli.fod.sast-scan.import.usage.header = Import existing SAST scan results (from an FPR file). fcli.fod.sast-scan.import.usage.description = As FoD doesn't return a scan id for imported scans, the output of this command cannot be used with commands that expect a scan id, like the wait-for command. fcli.fod.sast-scan.import.file = FPR file containing existing SAST scan results to be imported. +fcli.fod.sast-scan.import-sarif.usage.header = Import existing SAST scan results (from a SARIF file). +fcli.fod.sast-scan.import-sarif.usage.description = As FoD doesn't return a scan id for imported scans, the output of this command cannot be used with commands that expect a scan id, like the wait-for command. +fcli.fod.sast-scan.import-sarif.file = SARIF file containing existing SAST scan results to be imported. fcli.fod.sast-scan.download.usage.header = Download scan results. fcli.fod.sast-scan.download.file = File path and name where to save the FPR file. fcli.fod.sast-scan.download-latest.usage.header = Download latest scan results from release. 
@@ -867,8 +870,10 @@ fcli.fod.oss-scan.wait-for.while = ${fcli.fod.scan.wait-for.while} fcli.fod.oss-scan.wait-for.any-state = ${fcli.fod.scan.wait-for.any-state} fcli.fod.oss-scan.download.usage.header = Download scan results. fcli.fod.oss-scan.download.file = File path and name where to save the SBOM file. +fcli.fod.oss-scan.download.format = Open Source scan results file format. Valid values: ${COMPLETION-CANDIDATES} (default value is CycloneDX). fcli.fod.oss-scan.download-latest.usage.header = Download latest scan results from release. fcli.fod.oss-scan.download-latest.file = File path and name where to save the SBOM file. +fcli.fod.oss-scan.download-latest.format = Open Source scan results file format. Valid values: ${COMPLETION-CANDIDATES} (default value is CycloneDX). # fcli fod issue fcli.fod.issue.usage.header = Manage FoD issues (vulnerabilities) and related entities. From bdbaec04705042d4ea39a4593d24f1f9b0375959 Mon Sep 17 00:00:00 2001 From: kadraman Date: Tue, 3 Mar 2026 12:19:44 +0000 Subject: [PATCH 3/3] chore: updated after PR review --- .../main/java/com/fortify/cli/fod/_common/util/FoDEnums.java | 2 +- .../fod/oss_scan/cli/cmd/FoDOssScanDownloadLatestCommand.java | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/_common/util/FoDEnums.java b/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/_common/util/FoDEnums.java index 3a9208d46f..919384af7a 100644 --- a/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/_common/util/FoDEnums.java +++ b/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/_common/util/FoDEnums.java 
@@ -649,7 +649,7 @@ public String getValue() { /** * Resolve an input string which may be either the enum constant name (e.g. "CycloneDX") - * or the user-facing value (e.g. "Cyclone DX") to the canonical user-facing value. + * or the user-facing value (e.g. "CycloneDX") to the canonical user-facing value. * Comparison for the enum name is case-insensitive. Returns an empty Optional when no match. */ public static java.util.Optional resolveValue(String input) { diff --git a/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/oss_scan/cli/cmd/FoDOssScanDownloadLatestCommand.java b/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/oss_scan/cli/cmd/FoDOssScanDownloadLatestCommand.java index e558eda3ee..e01e0d9866 100644 --- a/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/oss_scan/cli/cmd/FoDOssScanDownloadLatestCommand.java +++ b/fcli-core/fcli-fod/src/main/java/com/fortify/cli/fod/oss_scan/cli/cmd/FoDOssScanDownloadLatestCommand.java @@ -38,7 +38,7 @@ protected GetRequest getDownloadRequest(UnirestInstance unirest, FoDReleaseDescr GetRequest req = unirest.get(path) .routeParam("scanId", scanDescriptor.getScanId()); if ( format != null ) { - req = req.routeParam("format", format.name()); + req = req.queryString("format", format.name()); } return req.accept("application/octet-stream"); }