
Example 21 with BugTracker

use of com.checkmarx.flow.dto.BugTracker in project cx-flow by checkmarx-ltd.

From the class ADOController, method pushRequest:

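/**
 * Push Request event submitted (JSON), along with the Product (cx for example).
 * <p>
 * Validates the basic-auth header first, then builds a {@link ScanRequest} from the
 * push payload and either initiates automation for an applicable branch or, for a
 * branch-deletion event, deletes the Checkmarx project when that is enabled.
 *
 * @param body              deserialized ADO push event
 * @param auth              Authorization header value, checked by validateBasicAuth
 * @param product           optional product path variable; defaults to CX when absent
 * @param controllerRequest request-level overrides (may be null, normalized by ensureNotNull)
 * @param adoDetailsRequest ADO-specific parameters (may be null, normalized by ensureDetailsNotNull)
 * @return a success response; a "Test Event" response for the configured test repository;
 *         or a bad-request response when the product or payload cannot be interpreted
 */
@PostMapping(value = { "/{product}/ado/push", "/ado/push" })
public ResponseEntity<EventResponse> pushRequest(@RequestBody PushEvent body, @RequestHeader(value = AUTHORIZATION) String auth, @PathVariable(value = "product", required = false) String product, ControllerRequest controllerRequest, AdoDetailsRequest adoDetailsRequest) {
    // TODO handle different state (Active/Closed)
    String uid = helperService.getShortUid();
    MDC.put(FlowConstants.MAIN_MDC_ENTRY, uid);
    log.info("Processing Azure Push request");
    Action action = Action.PUSH;
    controllerRequest = ensureNotNull(controllerRequest);
    // Authenticate before any payload-derived value is used
    validateBasicAuth(auth, controllerRequest);
    adoDetailsRequest = ensureDetailsNotNull(adoDetailsRequest);
    ResourceContainers resourceContainers = body.getResourceContainers();
    try {
        Resource resource = body.getResource();
        Repository repository = resource.getRepository();
        String repoName = repository.getName();
        String app = repoName;
        // Test-repository short-circuit; guard the setting so an unset value cannot NPE here
        String testRepository = properties.getTestRepository();
        if (testRepository != null && repoName.startsWith(testRepository)) {
            log.info("Handling ADO Test Event");
            return ResponseEntity.status(HttpStatus.OK).body(EventResponse.builder().message("Test Event").success(true).build());
        }
        if (StringUtils.isNotEmpty(controllerRequest.getApplication())) {
            app = controllerRequest.getApplication();
        }
        // set the default bug tracker as per yml
        setBugTracker(flowProperties, controllerRequest);
        BugTracker.Type bugType = ScanUtils.getBugTypeEnum(controllerRequest.getBug(), flowProperties.getBugTrackerImpl());
        initAdoSpecificParams(adoDetailsRequest);
        // NOTE(review): this writes a per-request override into the shared flowProperties bean,
        // so it is visible to concurrent and later requests - confirm that is intended
        if (controllerRequest.getAppOnly() != null) {
            flowProperties.setTrackApplicationOnly(controllerRequest.getAppOnly());
        }
        if (StringUtils.isEmpty(product)) {
            product = ScanRequest.Product.CX.getProduct();
        }
        // valueOf throws IllegalArgumentException for an unknown product, answered as 400 below
        ScanRequest.Product p = ScanRequest.Product.valueOf(product.toUpperCase(Locale.ROOT));
        // determine branch (without refs); a payload without ref updates is rejected as a
        // bad request instead of surfacing an unhandled IndexOutOfBoundsException
        if (resource.getRefUpdates() == null || resource.getRefUpdates().isEmpty()) {
            throw new IllegalArgumentException("Push event contains no ref updates");
        }
        String ref = resource.getRefUpdates().get(0).getName();
        String currentBranch = ScanUtils.getBranchFromRef(ref);
        List<String> branches = getBranches(controllerRequest, flowProperties);
        BugTracker bt = ScanUtils.getBugTracker(controllerRequest.getAssignee(), bugType, jiraProperties, controllerRequest.getBug());
        FilterConfiguration filter = filterFactory.getFilter(controllerRequest, flowProperties);
        Map<FindingSeverity, Integer> thresholdMap = getThresholds(controllerRequest);
        List<String> emails = determineEmails(resource);
        // build request object
        String gitUrl = repository.getRemoteUrl();
        log.debug("Using url: {}", gitUrl);
        String configToken = scmConfigOverrider.determineConfigToken(properties, controllerRequest.getScmInstance());
        String gitAuthUrl = gitAuthUrlGenerator.addCredToUrl(ScanRequest.Repository.ADO, gitUrl, configToken);
        // fall back to the pushed ref when the repository reports no default branch
        String defaultBranch = ScanUtils.getBranchFromRef(Optional.ofNullable(repository.getDefaultBranch()).orElse(ref));
        // namespace doubles as the organization id; resolve it once
        String namespace = determineNamespace(resourceContainers);
        ScanRequest request = ScanRequest.builder()
                .application(app)
                .product(p)
                .project(controllerRequest.getProject())
                .team(controllerRequest.getTeam())
                .namespace(namespace)
                .altProject(determineAzureProject(repository))
                .repoName(repoName)
                .repoUrl(gitUrl)
                .repoUrlWithAuth(gitAuthUrl)
                .repoType(ScanRequest.Repository.ADO)
                .branch(currentBranch)
                .defaultBranch(defaultBranch)
                .refs(ref)
                .email(emails)
                .scanPreset(controllerRequest.getPreset())
                .incremental(controllerRequest.getIncremental())
                .excludeFolders(controllerRequest.getExcludeFolders())
                .excludeFiles(controllerRequest.getExcludeFiles())
                .bugTracker(bt)
                .filter(filter)
                .thresholds(thresholdMap)
                .organizationId(namespace)
                .gitUrl(gitUrl)
                .build();
        setScmInstance(controllerRequest, request);
        request.putAdditionalMetadata(ADOService.PROJECT_SELF_URL, getTheProjectURL(body.getResourceContainers()));
        addMetadataToScanRequest(adoDetailsRequest, request);
        fillRequestWithAdditionalData(request, repository, body.toString());
        // if an override blob/file is provided, substitute these values
        checkForConfigAsCode(request, getConfigBranch(request, resource, action));
        request.setId(uid);
        // only initiate scan/automation if target branch is applicable
        if (helperService.isBranch2Scan(request, branches)) {
            flowService.initiateAutomation(request);
        } else if (isDeleteBranchEvent(resource) && properties.getDeleteCxProject()) {
            flowService.deleteProject(request);
        }
    } catch (IllegalArgumentException e) {
        return getBadRequestMessage(e, controllerRequest, product);
    }
    return getSuccessMessage();
}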

Example 22 with BugTracker

use of com.checkmarx.flow.dto.BugTracker in project cx-flow by checkmarx-ltd.

From the class PostRequestData, method latestScanResults:

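/**
 * Returns the latest Checkmarx scan results for a project, optionally filtered.
 * <p>
 * The shared API token is validated before anything else is done with the request.
 * When the Shard Manager is enabled the shard session is primed with the team and
 * project so the correct SAST instance is used.
 *
 * @param project     Checkmarx project name (mandatory)
 * @param token       shared API token from the request header, checked by validateToken
 * @param team        optional team path; a leading "/" is added when missing
 * @param application optional application name; defaults to the project name
 * @param severity    optional severity filter values
 * @param cwe         optional CWE filter values
 * @param category    optional category filter values
 * @param status      optional status filter values
 * @param assignee    optional bug tracker assignee
 * @param override    optional override blob/file used to substitute scan request properties
 * @param bug         optional bug tracker name
 * @return the latest scan results for the resulting scan request
 */
@GetMapping(value = "/scanresults", produces = "application/json")
public ScanResults latestScanResults(
        // Mandatory parameters
        @RequestParam(value = "project") String project,
        @RequestHeader(value = TOKEN_HEADER) String token,
        // Optional parameters
        @RequestParam(value = "team", required = false) String team,
        @RequestParam(value = "application", required = false) String application,
        @RequestParam(value = "severity", required = false) List<String> severity,
        @RequestParam(value = "cwe", required = false) List<String> cwe,
        @RequestParam(value = "category", required = false) List<String> category,
        @RequestParam(value = "status", required = false) List<String> status,
        @RequestParam(value = "assignee", required = false) String assignee,
        @RequestParam(value = "override", required = false) String override,
        @RequestParam(value = "bug", required = false) String bug) {
    String uid = helperService.getShortUid();
    MDC.put(FlowConstants.MAIN_MDC_ENTRY, uid);
    // Validate shared API token from header before any caller-supplied value is used
    validateToken(token);
    // This primes the shard when Shard Manager is turned on
    if (cxProperties.getEnableShardManager()) {
        ShardSession shard = sessionTracker.getShardSession();
        // ensures this gets fixed like this: /CxServer/CHECKMARX
        // team is an optional parameter, so guard null/empty before indexing into it
        if (!ScanUtils.empty(team) && team.charAt(0) != '/') {
            team = "/" + team;
        }
        shard.setTeam(team);
        shard.setProject(project);
    }
    // Create bug tracker
    BugTracker bugTracker = getBugTracker(assignee, bug);
    // Create filters if available
    ControllerRequest request = new ControllerRequest(severity, cwe, category, status, null);
    FilterConfiguration filter = filterFactory.getFilter(request, properties);
    // Create the scan request; the application defaults to the project name
    ScanRequest scanRequest = ScanRequest.builder()
            .application(ScanUtils.empty(application) ? project : application)
            // Default product: CX
            .product(ScanRequest.Product.CX)
            .project(project)
            .team(team)
            .bugTracker(bugTracker)
            .filter(filter)
            .build();
    scanRequest.setId(uid);
    // If an override blob/file is provided, substitute these values
    // NOTE(review): override is caller-supplied; confirm getMachinaOverride only accepts
    // inline content and cannot be pointed at arbitrary local resources
    if (!ScanUtils.empty(override)) {
        FlowOverride ovr = ScanUtils.getMachinaOverride(override);
        scanRequest = configOverrider.overrideScanRequestProperties(ovr, scanRequest);
    }
    // Fetch the Checkmarx Scan Results based on given ScanRequest.
    // The cxProject parameter is null because the required project metadata
    // is already contained in the scanRequest parameter.
    ScanResults scanResults = CxScannerService.getScanner(cxgoScanner, sastScanner).getLatestScanResults(scanRequest);
    log.debug("ScanResults {}", scanResults);
    return scanResults;
}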

Example 23 with BugTracker

use of com.checkmarx.flow.dto.BugTracker in project cx-flow by checkmarx-ltd.

From the class PostRequestData, method scanPostback:

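/**
 * Handles the SAST post-back action for a finished scan.
 * <p>
 * The body is a form-encoded string of "&amp;"-separated {@code key=value} pairs carrying
 * the shared token ({@code token=}) and the URL-encoded scan details ({@code scancomments=}).
 * The token is located and validated first; only then are the scan details decoded, so an
 * unauthenticated caller cannot drive the decoding code. At most 100 pairs are examined.
 *
 * @param postBackData raw form-encoded post-back body
 * @param scanID       SAST scan id from the path; must parse as an int
 * @return 200 with a "Scan Results Successfully Processed" message. Processing failures are
 *         logged and still answered with 200, which is the existing contract with the SAST caller
 */
@PostMapping(value = "/postbackAction/{scanID}")
public ResponseEntity<EventResponse> scanPostback(@RequestBody String postBackData, @PathVariable(value = "scanID") String scanID) {
    String uid = helperService.getShortUid();
    MDC.put(FlowConstants.MAIN_MDC_ENTRY, uid);
    log.debug("Handling post-back from SAST");
    int maxNumberOfTokens = 100;
    PostRequestData prd = new PostRequestData();
    String token = " ";
    String bugTracker = properties.getBugTracker();
    //
    // First pass: locate the shared token (last occurrence wins, as before).
    //
    StringTokenizer tokenScan = new StringTokenizer(postBackData, "&");
    int iteration = 0;
    while (tokenScan.hasMoreTokens() && iteration < maxNumberOfTokens) {
        String strToken = tokenScan.nextToken();
        if (strToken.length() > 6 && strToken.startsWith("token=")) {
            token = strToken.substring(6);
        }
        iteration++;
    }
    // Reject the request before any of the scan details are decoded
    validateToken(token);
    //
    // Second pass: decode the scan details.
    //
    StringTokenizer postData = new StringTokenizer(postBackData, "&");
    iteration = 0;
    while (postData.hasMoreTokens() && iteration < maxNumberOfTokens) {
        String strToken = postData.nextToken();
        if (strToken.length() > 13 && strToken.startsWith("scancomments=")) {
            String scanDetails = strToken.substring(13);
            try {
                String postRequest = URLDecoder.decode(scanDetails, "UTF-8");
                decodePostBackReq(postRequest, prd);
            } catch (Exception e) {
                // keep the cause attached; it was dropped before
                log.error("Error decoding scan details", e);
            }
        }
        iteration++;
    }
    try {
        // Parse the path variable once; a non-numeric id is handled by the catch below
        int sastScanId = Integer.parseInt(scanID);
        ScanRequest.Product p = ScanRequest.Product.CX;
        ScanRequest scanRequest = ScanRequest.builder()
                .namespace(prd.namespace)
                .repoName(prd.repoName)
                .project(prd.project)
                .team(prd.team)
                .repoType(ScanRequest.Repository.GITHUB)
                .product(p)
                .branch(prd.branch)
                .build();
        // There won't be a scan ID on the post-back, so we need to fake it in the
        // event shard support is turned on (very likely if using post-back support).
        ScanRequestConverter src = sastScanner.getScanRequestConverter();
        src.setShardPropertiesIfExists(scanRequest, prd.team);
        // Now go ahead and process the scan as normal.
        ScanResults scanResults = cxService.getReportContentByScanId(sastScanId, scanRequest.getFilter());
        scanRequest.putAdditionalMetadata("statuses_url", prd.pullRequestURL);
        scanRequest.setMergeNoteUri(prd.mergeNoteUri);
        BugTracker bt = ScanUtils.getBugTracker(null, prd.bugType, jiraProperties, bugTracker);
        scanRequest.setBugTracker(bt);
        scanResults.setSastScanId(sastScanId);
        resultsService.publishCombinedResults(scanRequest, scanResults);
    } catch (Exception e) {
        // NOTE(review): failures are logged but the caller still receives 200 (see Javadoc)
        log.error("Error posting SAST scan results", e);
    }
    return ResponseEntity.status(HttpStatus.OK).body(EventResponse.builder().message("Scan Results Successfully Processed").success(true).build());
}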

Example 24 with BugTracker

use of com.checkmarx.flow.dto.BugTracker in project cx-flow by checkmarx-ltd.

From the class BitbucketServerMergeHandler, method execute:

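/**
 * Processes a Bitbucket Server pull-request webhook: builds the {@link ScanRequest} for the
 * source branch, attaches the merge-comment, build-status and blocker-comment endpoints as
 * metadata, and initiates automation when the target branch is configured to be scanned.
 *
 * @param uid correlation id assigned to the resulting scan request
 * @return a success response, or a bad-request response when the product or request
 *         values cannot be interpreted ({@link IllegalArgumentException})
 */
@Override
public ResponseEntity<EventResponse> execute(String uid) {
    try {
        // Default to the Bitbucket Server pull-request tracker unless the request names one
        BugTracker.Type bugType = BugTracker.Type.BITBUCKETSERVERPULL;
        if (!ScanUtils.empty(controllerRequest.getBug())) {
            bugType = ScanUtils.getBugTypeEnum(controllerRequest.getBug(), configProvider.getFlowProperties().getBugTrackerImpl());
        }
        // NOTE(review): this writes a per-request override into the shared FlowProperties bean
        Optional.ofNullable(controllerRequest.getAppOnly()).ifPresent(configProvider.getFlowProperties()::setTrackApplicationOnly);
        // valueOf throws IllegalArgumentException for an unknown product, answered as 400 below
        ScanRequest.Product p = ScanRequest.Product.valueOf(product.toUpperCase(Locale.ROOT));
        List<String> branches = webhookUtils.getBranches(controllerRequest, configProvider.getFlowProperties());
        BugTracker bt = ScanUtils.getBugTracker(controllerRequest.getAssignee(), bugType, configProvider.getJiraProperties(), controllerRequest.getBug());
        FilterConfiguration filter = configProvider.getFilterFactory().getFilter(controllerRequest, configProvider.getFlowProperties());
        String gitUrl = getGitUrl();
        String gitAuthUrl = getGitAuthUrl(gitUrl);
        String repoSelfUrl = getRepoSelfUrl(toProjectKey, toSlug);
        // NOTE(review): pullRequestId and fromRefLatestCommit originate from the webhook payload and
        // are substituted into URLs without encoding - confirm they are validated upstream
        String mergeEndpoint = repoSelfUrl.concat(MERGE_COMMENT).replace("{id}", pullRequestId);
        String buildStatusEndpoint = configProvider.getBitBucketProperties().getUrl().concat(BUILD_STATUS).replace("{commit}", fromRefLatestCommit);
        String blockerCommentUrl = repoSelfUrl.concat(BLOCKER_COMMENT).replace("{id}", pullRequestId);
        ScanRequest request = ScanRequest.builder()
                .application(application)
                .product(p)
                .project(controllerRequest.getProject())
                .team(controllerRequest.getTeam())
                .namespace(getNamespace())
                .repoName(repositoryName)
                .repoUrl(gitUrl)
                .repoUrlWithAuth(gitAuthUrl)
                .repoType(ScanRequest.Repository.BITBUCKETSERVER)
                .branch(currentBranch)
                .mergeTargetBranch(targetBranch)
                .mergeNoteUri(mergeEndpoint)
                .refs(refId)
                .email(null)
                .incremental(controllerRequest.getIncremental())
                .scanPreset(controllerRequest.getPreset())
                .excludeFolders(controllerRequest.getExcludeFolders())
                .excludeFiles(controllerRequest.getExcludeFiles())
                .bugTracker(bt)
                .filter(filter)
                .hash(fromRefLatestCommit)
                .build();
        webhookUtils.setScmInstance(controllerRequest, request);
        setBrowseUrl(request);
        fillRequestWithCommonAdditionalData(request, toProjectKey, toSlug, webhookPayload);
        checkForConfigAsCode(request);
        request.putAdditionalMetadata("buildStatusUrl", buildStatusEndpoint);
        request.putAdditionalMetadata("cxBaseUrl", configProvider.getCxScannerService().getProperties().getBaseUrl());
        request.putAdditionalMetadata("blocker-comment-url", blockerCommentUrl);
        request.setId(uid);
        // only initiate scan/automation if target branch is applicable
        if (configProvider.getHelperService().isBranch2Scan(request, branches)) {
            configProvider.getFlowService().initiateAutomation(request);
        }
    } catch (IllegalArgumentException e) {
        // parameterized logging keeps the stack trace; string concatenation only kept e.toString()
        log.debug("Error occurred while processing the request", e);
        return webhookUtils.getBadRequestMessage(e, controllerRequest, product);
    }
    return webhookUtils.getSuccessMessage();
}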

Example 25 with BugTracker

use of com.checkmarx.flow.dto.BugTracker in project cx-flow by checkmarx-ltd.

From the class JiraService, method getIssues:

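/**
 * Searches Jira for the issues that cx-flow tracks for the given scan request.
 * <p>
 * The JQL is built from the bug tracker's project key and issue type plus the label-tracker
 * field, scoped (in order of preference) by namespace/repo/branch, application/repo, or
 * application alone. Values placed inside quoted JQL literals are escaped so that a
 * namespace, repo, branch or application name containing quotes or backslashes cannot
 * terminate the literal and change the query. Results are paged; at most
 * {@code MAX_RESULTS_ALLOWED} issues are returned.
 *
 * @param request       scan request supplying the bug tracker and the tracking values
 * @param scannerFilter optional JQL fragment appended as an {@code in (...)} clause; it is
 *                      inserted as-is, so the caller must build it from trusted values only
 * @return the matching issues, never null
 * @throws MachinaRuntimeException when neither namespace/repo/branch nor application is available
 */
private List<Issue> getIssues(ScanRequest request, String scannerFilter) {
    log.info("Executing getIssues API call");
    List<Issue> issues = new ArrayList<>();
    String jql;
    BugTracker bugTracker = request.getBugTracker();
    String labelTracker = escapeJqlValue(jiraProperties.getLabelTracker());
    boolean repoScoped = !flowProperties.isTrackApplicationOnly()
            && !flowProperties.isApplicationRepoOnly()
            && !ScanUtils.empty(request.getNamespace())
            && !ScanUtils.empty(request.getRepoName())
            && !ScanUtils.empty(request.getBranch());
    // project key is unquoted in JQL and comes from configuration, so it is not escaped
    if (repoScoped) {
        /* Namespace/Repo/Branch provided */
        jql = String.format("project = %s and issueType = \"%s\" and (\"%s\" = \"%s\" and \"%s\" = \"%s:%s\" and \"%s\" = \"%s:%s\" and \"%s\" = \"%s:%s\")",
                bugTracker.getProjectKey(), escapeJqlValue(bugTracker.getIssueType()),
                labelTracker, escapeJqlValue(request.getProduct().getProduct()),
                labelTracker, escapeJqlValue(jiraProperties.getOwnerLabelPrefix()), escapeJqlValue(request.getNamespace()),
                labelTracker, escapeJqlValue(jiraProperties.getRepoLabelPrefix()), escapeJqlValue(request.getRepoName()),
                labelTracker, escapeJqlValue(jiraProperties.getBranchLabelPrefix()), escapeJqlValue(request.getBranch()));
    } else if (!ScanUtils.empty(request.getApplication()) && !ScanUtils.empty(request.getRepoName())) {
        /* Only application and repo provided */
        jql = String.format("project = %s and issueType = \"%s\" and (\"%s\" = \"%s\" and \"%s\" = \"%s:%s\" and \"%s\" = \"%s:%s\")",
                bugTracker.getProjectKey(), escapeJqlValue(bugTracker.getIssueType()),
                labelTracker, escapeJqlValue(request.getProduct().getProduct()),
                labelTracker, escapeJqlValue(jiraProperties.getAppLabelPrefix()), escapeJqlValue(request.getApplication()),
                labelTracker, escapeJqlValue(jiraProperties.getRepoLabelPrefix()), escapeJqlValue(request.getRepoName()));
    } else if (!ScanUtils.empty(request.getApplication())) {
        /* Only application provided */
        jql = String.format("project = %s and issueType = \"%s\" and (\"%s\" = \"%s\" and \"%s\" = \"%s:%s\")",
                bugTracker.getProjectKey(), escapeJqlValue(bugTracker.getIssueType()),
                labelTracker, escapeJqlValue(request.getProduct().getProduct()),
                labelTracker, escapeJqlValue(jiraProperties.getAppLabelPrefix()), escapeJqlValue(request.getApplication()));
    } else {
        log.error("Namespace/Repo/Branch or App must be provided in order to properly track ");
        throw new MachinaRuntimeException();
    }
    if (!StringUtils.isEmpty(scannerFilter)) {
        // scannerFilter is a caller-built fragment and is appended verbatim (see Javadoc)
        jql = jql.concat(String.format(" and \"%s\" in (%s)", labelTracker, scannerFilter));
    }
    log.debug("jql query: {}", jql);
    HashSet<String> fields = new HashSet<>();
    Collections.addAll(fields, "key", "project", "issuetype", "summary", LABEL_FIELD_TYPE, "created", "updated", "status");
    SearchResult searchResults;
    int totalResultsCount = MAX_RESULTS_ALLOWED;
    SearchRestClient searchClient = this.client.getSearchClient();
    // Retrieve JQL results through pagination (jira.max-jql-results per page -> default 50), don't allow less than 10.
    int maxJqlResultsPerPage = Integer.max(10, jiraProperties.getMaxJqlResults());
    for (int startAt = 0; startAt < totalResultsCount; startAt += maxJqlResultsPerPage) {
        searchResults = searchClient.searchJql(jql, maxJqlResultsPerPage, startAt, fields).claim();
        searchResults.getIssues().forEach(issues::add);
        // the first page reveals the real total; cap it so the loop stays bounded
        totalResultsCount = Integer.min(searchResults.getTotal(), MAX_RESULTS_ALLOWED);
    }
    return issues;
}

/**
 * Escapes a value for use inside a double-quoted JQL string literal (backslash and
 * double quote are prefixed with a backslash). A null value is returned unchanged so the
 * formatted query reads the same as before for missing values.
 *
 * @param value raw value, possibly null
 * @return the escaped value, or null when the input is null
 */
private static String escapeJqlValue(String value) {
    if (value == null) {
        return null;
    }
    return value.replace("\\", "\\\\").replace("\"", "\\\"");
}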
