
Example 6 with ScanRequest

use of com.checkmarx.flow.dto.ScanRequest in project cx-flow by checkmarx-ltd.

From class ScanUtilsTest, method testCxConfigFlowOverride.

@Test
public void testCxConfigFlowOverride() {
    // Baseline request; every asserted value below is expected to come from the
    // config-as-code fixture, not from these builder arguments.
    ScanRequest scanRequest = ScanRequest.builder()
            .application("abc")
            .product(ScanRequest.Product.CX)
            .project("test")
            .team("\\CxServer\\SP\\Checkmarx")
            .namespace("Custodela")
            .repoName("Riches")
            .repoUrl("https://github.com/Custodela/Riches.git")
            .repoType(ScanRequest.Repository.GITHUB)
            .branch("master")
            .refs(Constants.CX_BRANCH_PREFIX.concat("master"))
            .email(null)
            .incremental(true)
            .scanPreset(Constants.CX_DEFAULT_PRESET)
            .build();

    // Fixture is loaded from the test classpath.
    File configFile = new File(getClass().getClassLoader().getResource("CxConfig-flow.json").getFile());
    CxConfig configAsCode = ScanUtils.getConfigAsCode(configFile);
    assertNotNull(configAsCode);

    // The overrider mutates the request in place; its return value is not needed here.
    configOverrider.overrideScanRequestProperties(configAsCode, scanRequest);

    assertEquals("/a/b/c", scanRequest.getTeam());
    assertEquals("XYZ-Riches-master", scanRequest.getProject());
    assertEquals("test app", scanRequest.getApplication());
    assertEquals(2, scanRequest.getActiveBranches().size());
    assertNotNull(scanRequest.getFilter());
    assertNotNull(scanRequest.getFilter().getSastFilters().getSimpleFilters());
    assertFalse(scanRequest.getFilter().getSastFilters().getSimpleFilters().isEmpty());
}

Example 7 with ScanRequest

use of com.checkmarx.flow.dto.ScanRequest in project cx-flow by checkmarx-ltd.

From class BitbucketCloudController, method pushRequest.

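/**
 * Receive Push event submitted from Bitbucket Cloud and, when the pushed branch is one of the
 * configured scan branches, initiate the scan/automation flow for it.
 *
 * @param body              deserialized push webhook payload
 * @param product           optional product path segment; blank means {@code CX}
 * @param controllerRequest query-string overrides (application, bug tracker, preset, ...); may be null
 * @param token             webhook token, checked by {@code validateBitBucketRequest} before the payload is used
 * @return success response, or a bad-request response when the payload cannot be mapped
 *         (unknown product, push without changes, change without a target branch)
 */
@PostMapping(value = { "/{product}", "/" }, headers = PUSH)
public ResponseEntity<EventResponse> pushRequest(@RequestBody PushEvent body, @PathVariable(value = "product", required = false) String product, ControllerRequest controllerRequest, @RequestParam(value = "token") String token) {
    // The complete webhook payload is written to the DEBUG log here and is also attached to the
    // scan request by fillRequestWithAdditionalData below.
    log.debug("Push Request body contents are {}", body.toString());
    String uid = helperService.getShortUid();
    MDC.put(FlowConstants.MAIN_MDC_ENTRY, uid);
    // Authenticate the webhook before anything derived from the payload is acted on.
    validateBitBucketRequest(token);
    controllerRequest = ensureNotNull(controllerRequest);
    try {
        Repository repository = body.getRepository();
        String app = repository.getName();
        if (!ScanUtils.empty(controllerRequest.getApplication())) {
            app = controllerRequest.getApplication();
        }
        // set the default bug tracker as per yml
        setBugTracker(flowProperties, controllerRequest);
        BugTracker.Type bugType = ScanUtils.getBugTypeEnum(controllerRequest.getBug(), flowProperties.getBugTrackerImpl());
        if (controllerRequest.getAppOnly() != null) {
            flowProperties.setTrackApplicationOnly(controllerRequest.getAppOnly());
        }
        if (ScanUtils.empty(product)) {
            // Reassigned (not copied) so the catch block reports the effective product.
            product = ScanRequest.Product.CX.getProduct();
        }
        // valueOf throws IllegalArgumentException for an unknown product -> bad request below.
        ScanRequest.Product p = ScanRequest.Product.valueOf(product.toUpperCase(Locale.ROOT));
        List<Change> changeList = body.getPush().getChanges();
        // A push without changes has no branch and no commit hash. Previously this reached
        // changeList.get(0) / CX_BRANCH_PREFIX.concat(null) and failed with an uncaught
        // IndexOutOfBounds/NullPointerException (HTTP 500); reject it as a bad request instead.
        if (changeList == null || changeList.isEmpty()) {
            throw new IllegalArgumentException("Push event contains no changes");
        }
        Change firstChange = changeList.get(0);
        // "new" is absent when the pushed ref was deleted; there is nothing to scan then.
        if (firstChange.getNew() == null || ScanUtils.empty(firstChange.getNew().getName())) {
            throw new IllegalArgumentException("Push event change has no target branch");
        }
        String currentBranch = firstChange.getNew().getName();
        // assumes getTarget() is present whenever "new" is — TODO confirm against the Bitbucket payload
        String hash = firstChange.getNew().getTarget().getHash();
        List<String> branches = getBranches(controllerRequest, flowProperties);
        BugTracker bt = ScanUtils.getBugTracker(controllerRequest.getAssignee(), bugType, jiraProperties, controllerRequest.getBug());
        FilterConfiguration filter = filterFactory.getFilter(controllerRequest, flowProperties);
        /*Determine emails*/
        List<String> emails = new ArrayList<>();
        for (Change ch : changeList) {
            if (ch.getCommits() == null) {
                continue;
            }
            for (Commit c : ch.getCommits()) {
                String author = c.getAuthor().getRaw();
                if (!ScanUtils.empty(author)) {
                    emails.add(author);
                }
            }
        }
        // The clone host comes from the payload; the SCM token is only embedded in gitAuthUrl.
        // NOTE(review): validateBitBucketRequest above is what prevents a forged payload from
        // choosing where that token is sent — confirm it is enforced on every deployment.
        String gitUrl = repository.getLinks().getHtml().getHref().concat(".git");
        String configToken = scmConfigOverrider.determineConfigToken(properties, controllerRequest.getScmInstance());
        String gitAuthUrl = gitAuthUrlGenerator.addCredToUrl(ScanRequest.Repository.BITBUCKET, gitUrl, configToken);
        ScanRequest request = ScanRequest.builder()
                .application(app)
                .product(p)
                .project(controllerRequest.getProject())
                .team(controllerRequest.getTeam())
                .namespace(getProjectNamespace(repository))
                .repoName(repository.getName())
                .repoUrl(gitUrl)
                .repoUrlWithAuth(gitAuthUrl)
                .repoType(ScanRequest.Repository.BITBUCKET)
                .branch(currentBranch)
                .refs(Constants.CX_BRANCH_PREFIX.concat(currentBranch))
                .email(emails)
                .scanPreset(controllerRequest.getPreset())
                .incremental(controllerRequest.getIncremental())
                .excludeFolders(controllerRequest.getExcludeFolders())
                .excludeFiles(controllerRequest.getExcludeFiles())
                .bugTracker(bt)
                .filter(filter)
                .hash(hash)
                .organizationId(getOrganizationid(repository))
                .gitUrl(gitUrl)
                .build();
        setScmInstance(controllerRequest, request);
        fillRequestWithAdditionalData(request, repository, body.toString());
        checkForConfigAsCode(request);
        request.setId(uid);
        // only initiate scan/automation if the pushed branch is applicable
        if (helperService.isBranch2Scan(request, branches)) {
            flowService.initiateAutomation(request);
        }
    } catch (IllegalArgumentException e) {
        return getBadRequestMessage(e, controllerRequest, product);
    }
    return getSuccessMessage();
}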

Example 8 with ScanRequest

use of com.checkmarx.flow.dto.ScanRequest in project cx-flow by checkmarx-ltd.

From class BitbucketCloudController, method handleMergeEvent.

/**
 * Handle a Bitbucket Cloud pull-request (merge) event: build a ScanRequest for the
 * source branch and start the automation flow when the target branch is one that is
 * configured to be scanned.
 *
 * @param body              deserialized merge webhook payload
 * @param product           product path segment; blank means {@code CX}
 * @param controllerRequest query-string overrides; may be null (normalised by ensureNotNull)
 * @param token             webhook token, checked by validateBitBucketRequest
 * @return success response, or a bad-request response when an IllegalArgumentException is raised
 */
public ResponseEntity<EventResponse> handleMergeEvent(MergeEvent body, String product, ControllerRequest controllerRequest, String token) {
    log.debug("Merge Request body contents are {}", body.toString());
    String uid = helperService.getShortUid();
    MDC.put(FlowConstants.MAIN_MDC_ENTRY, uid);
    validateBitBucketRequest(token);
    log.info("Processing BitBucket MERGE request");
    controllerRequest = ensureNotNull(controllerRequest);
    try {
        Repository repo = body.getRepository();
        // The query-string application name wins over the repository name.
        String applicationName = repo.getName();
        String requestedApplication = controllerRequest.getApplication();
        if (!ScanUtils.empty(requestedApplication)) {
            applicationName = requestedApplication;
        }
        // Pull-request comments are the default tracker unless the query string overrides it.
        String requestedBug = controllerRequest.getBug();
        BugTracker.Type trackerType = ScanUtils.empty(requestedBug)
                ? BugTracker.Type.BITBUCKETPULL
                : ScanUtils.getBugTypeEnum(requestedBug, flowProperties.getBugTrackerImpl());
        if (controllerRequest.getAppOnly() != null) {
            flowProperties.setTrackApplicationOnly(controllerRequest.getAppOnly());
        }
        if (ScanUtils.empty(product)) {
            // Reassigned (not copied) so the catch block reports the effective product.
            product = ScanRequest.Product.CX.getProduct();
        }
        ScanRequest.Product scanProduct = ScanRequest.Product.valueOf(product.toUpperCase(Locale.ROOT));

        Pullrequest pr = body.getPullrequest();
        String sourceBranch = pr.getSource().getBranch().getName();
        String destinationBranch = pr.getDestination().getBranch().getName();
        List<String> scanBranches = getBranches(controllerRequest, flowProperties);
        String sourceCommit = pr.getSource().getCommit().getHash();
        BugTracker tracker = ScanUtils.getBugTracker(controllerRequest.getAssignee(), trackerType, jiraProperties, requestedBug);
        FilterConfiguration filterConfig = filterFactory.getFilter(controllerRequest, flowProperties);

        // Plain clone URL is kept on the request; the token is only embedded in the "WithAuth" variant.
        String cloneUrl = repo.getLinks().getHtml().getHref().concat(".git");
        String scmToken = scmConfigOverrider.determineConfigToken(properties, controllerRequest.getScmInstance());
        String cloneUrlWithAuth = gitAuthUrlGenerator.addCredToUrl(ScanRequest.Repository.BITBUCKET, cloneUrl, scmToken);
        String commentsEndpoint = pr.getLinks().getComments().getHref();

        ScanRequest scanRequest = ScanRequest.builder()
                .application(applicationName)
                .product(scanProduct)
                .project(controllerRequest.getProject())
                .team(controllerRequest.getTeam())
                .namespace(getProjectNamespace(repo))
                .repoName(repo.getName())
                .repoUrl(cloneUrl)
                .repoUrlWithAuth(cloneUrlWithAuth)
                .repoType(ScanRequest.Repository.BITBUCKET)
                .branch(sourceBranch)
                .mergeTargetBranch(destinationBranch)
                .mergeNoteUri(commentsEndpoint)
                .refs(Constants.CX_BRANCH_PREFIX.concat(sourceBranch))
                .email(null)
                .scanPreset(controllerRequest.getPreset())
                .incremental(controllerRequest.getIncremental())
                .excludeFolders(controllerRequest.getExcludeFolders())
                .excludeFiles(controllerRequest.getExcludeFiles())
                .bugTracker(tracker)
                .filter(filterConfig)
                .hash(sourceCommit)
                .organizationId(getOrganizationid(repo))
                .gitUrl(cloneUrl)
                .build();
        setScmInstance(controllerRequest, scanRequest);
        fillRequestWithAdditionalData(scanRequest, repo, body.toString());
        checkForConfigAsCode(scanRequest);
        scanRequest.setId(uid);
        // Only start automation when the branch is one of the configured scan branches.
        if (helperService.isBranch2Scan(scanRequest, scanBranches)) {
            flowService.initiateAutomation(scanRequest);
        }
    } catch (IllegalArgumentException e) {
        return getBadRequestMessage(e, controllerRequest, product);
    }
    return getSuccessMessage();
}

Example 9 with ScanRequest

use of com.checkmarx.flow.dto.ScanRequest in project cx-flow by checkmarx-ltd.

From class ServiceNowTracker, method getIssues.

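/**
 * Get Incidents/Issues from Service Now for the project described by {@code request}.
 *
 * @param request scan request used to build the ServiceNow query (see createServiceNowRequest)
 * @return issues mapped from the returned incidents; an empty list when ServiceNow returns no body
 * @throws MachinaException declared by the tracker interface
 * @throws MachinaRuntimeException when the ServiceNow call fails; the RestClientException is kept as cause
 */
@Override
public List<Issue> getIssues(ScanRequest request) throws MachinaException {
    log.debug("Executing getIssues Service Now API call");
    try {
        String apiRequest = createServiceNowRequest(request);
        URI apiRequestUri = URI.create(apiRequest);
        Result res = restOperations.getForObject(apiRequestUri, Result.class);
        if (res != null) {
            // Typed list instead of the raw List the original used; collect() never yields null,
            // so the former "results != null" guard is unnecessary.
            // assumes getIncidents() is non-null on a non-null Result — TODO confirm against the DTO
            List<Issue> results = res.getIncidents().stream()
                    .map(i -> mapToIssue(i))
                    .collect(Collectors.toList());
            log.debug("Found {} issues in ServiceNow for this project.", results.size());
            return results;
        }
    } catch (RestClientException e) {
        // Log with the throwable and rethrow with the cause attached, so the underlying
        // HTTP failure is not lost (the original threw a cause-less exception).
        log.error("Error occurred while fetching ServiceNow Issues", e);
        throw new MachinaRuntimeException(e);
    }
    return Lists.newArrayList();
}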

Example 10 with ScanRequest

use of com.checkmarx.flow.dto.ScanRequest in project cx-flow by checkmarx-ltd.

From class GitHubController, method pullRequest.

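/**
 * Pull Request event submitted (JSON). Only the "opened", "reopened" and "synchronize"
 * actions trigger a scan; the HMAC signature is verified against the raw body before the
 * payload is acted on.
 *
 * @param body              raw JSON payload (kept as a String so the HMAC covers the exact bytes received)
 * @param signature         value of the GitHub signature header
 * @param product           optional product path segment; blank means {@code CX}
 * @param controllerRequest query-string overrides; may be null (normalised by ensureNotNull)
 * @return success response (also for ignored actions), or a bad-request response when the
 *         payload cannot be mapped (unknown product, pull request whose head repository is gone)
 * @throws MachinaRuntimeException when the body is not valid JSON for a PullEvent
 */
@PostMapping(value = { "/{product}", "/" }, headers = PULL)
public ResponseEntity<EventResponse> pullRequest(@RequestBody String body, @RequestHeader(value = SIGNATURE) String signature, @PathVariable(value = "product", required = false) String product, ControllerRequest controllerRequest) {
    String uid = helperService.getShortUid();
    MDC.put(FlowConstants.MAIN_MDC_ENTRY, uid);
    log.info("Processing GitHub PULL request");
    PullEvent event;
    ObjectMapper mapper = new ObjectMapper();
    Integer installationId = null;
    controllerRequest = ensureNotNull(controllerRequest);
    try {
        event = mapper.readValue(body, PullEvent.class);
    } catch (IOException e) {
        throw new MachinaRuntimeException(e);
    }
    // NOTE(review): this runs on the not-yet-verified payload; confirm it does nothing with
    // payload-controlled fields that should wait until the signature check below has passed.
    gitHubService.initConfigProviderOnPullEvent(uid, event);
    // verify message signature
    verifyHmacSignature(body, signature, controllerRequest);
    try {
        String action = event.getAction();
        // synchronize - happens when user pushes code into a branch for which a pull request exists.
        // A missing action is treated like an unsupported one instead of failing with an NPE.
        if (action == null || (!action.equalsIgnoreCase("opened") && !action.equalsIgnoreCase("reopened") && !action.equalsIgnoreCase("synchronize"))) {
            log.info("Pull requested not processed.  Status was not opened ({})", action);
            return ResponseEntity.status(HttpStatus.OK).body(EventResponse.builder().message("No processing occurred for updates to Pull Request").success(true).build());
        }
        Repository repository = event.getRepository();
        String app = repository.getName();
        if (!ScanUtils.empty(controllerRequest.getApplication())) {
            app = controllerRequest.getApplication();
        }
        // By default, when a pull request is opened, use the current source control provider as a bug tracker
        // (GitHub in this case). Bug tracker from the config is not used, because we only want to notify the user
        // that their code has some issues. I.e. we don't want to open real issues in the "official" bug tracker yet.
        BugTracker.Type bugType = BugTracker.Type.GITHUBPULL;
        // However, if the bug tracker is overridden in the query string, use the override value.
        if (!ScanUtils.empty(controllerRequest.getBug())) {
            bugType = ScanUtils.getBugTypeEnum(controllerRequest.getBug(), flowProperties.getBugTrackerImpl());
        }
        if (controllerRequest.getAppOnly() != null) {
            flowProperties.setTrackApplicationOnly(controllerRequest.getAppOnly());
        }
        if (ScanUtils.empty(product)) {
            // Reassigned (not copied) so the catch block reports the effective product.
            product = ScanRequest.Product.CX.getProduct();
        }
        // valueOf throws IllegalArgumentException for an unknown product -> bad request below.
        ScanRequest.Product p = ScanRequest.Product.valueOf(product.toUpperCase(Locale.ROOT));
        PullRequest pullRequest = event.getPullRequest();
        String currentBranch = pullRequest.getHead().getRef();
        String targetBranch = pullRequest.getBase().getRef();
        List<String> branches = getBranches(controllerRequest, flowProperties);
        BugTracker bt = ScanUtils.getBugTracker(controllerRequest.getAssignee(), bugType, jiraProperties, controllerRequest.getBug());
        FilterConfiguration filter = filterFactory.getFilter(controllerRequest, flowProperties);
        Map<FindingSeverity, Integer> thresholdMap = getThresholds(controllerRequest);
        // build request object
        // The head repo can be absent (e.g. the source fork no longer exists); the clone URL then
        // falls back to the base repository.
        Repo headRepo = pullRequest.getHead().getRepo();
        String gitUrl = Optional.ofNullable(headRepo).map(Repo::getCloneUrl).orElse(repository.getCloneUrl());
        // The namespace was previously read from the head repo unconditionally, which failed with an
        // uncaught NullPointerException (HTTP 500) in exactly the case the line above guards against.
        // Reject it explicitly so the catch below turns it into a bad request.
        String namespace = Optional.ofNullable(headRepo)
                .map(Repo::getOwner)
                .map(owner -> owner.getLogin())
                .orElseThrow(() -> new IllegalArgumentException("Pull request head repository or its owner is missing"))
                .replace(" ", "_");
        String token;
        String gitAuthUrl;
        // gitUrl carries no credentials; only gitAuthUrl does.
        log.info("Using url: {}", gitUrl);
        if (event.getInstallation() != null && event.getInstallation().getId() != null) {
            // GitHub App flow: short-lived installation token instead of the configured PAT.
            installationId = event.getInstallation().getId();
            token = gitHubAppAuthService.getInstallationToken(installationId);
            token = FlowConstants.GITHUB_APP_CLONE_USER.concat(":").concat(token);
        } else {
            token = scmConfigOverrider.determineConfigToken(properties, controllerRequest.getScmInstance());
        }
        gitAuthUrl = gitAuthUrlGenerator.addCredToUrl(ScanRequest.Repository.GITHUB, gitUrl, token);
        ScanRequest request = ScanRequest.builder()
                .application(app)
                .product(p)
                .project(controllerRequest.getProject())
                .team(controllerRequest.getTeam())
                .namespace(namespace)
                .repoName(repository.getName())
                .repoUrl(repository.getCloneUrl())
                .repoUrlWithAuth(gitAuthUrl)
                .repoType(ScanRequest.Repository.GITHUB)
                .branch(currentBranch)
                .defaultBranch(repository.getDefaultBranch())
                .refs(Constants.CX_BRANCH_PREFIX.concat(currentBranch))
                .mergeNoteUri(pullRequest.getIssueUrl().concat("/comments"))
                .mergeTargetBranch(targetBranch)
                .email(null)
                .scanPreset(controllerRequest.getPreset())
                .incremental(controllerRequest.getIncremental())
                .excludeFolders(controllerRequest.getExcludeFolders())
                .excludeFiles(controllerRequest.getExcludeFiles())
                .bugTracker(bt)
                .filter(filter)
                .thresholds(thresholdMap)
                .organizationId(getOrganizationid(repository))
                .gitUrl(gitUrl)
                .hash(pullRequest.getHead().getSha())
                .build();
        setScmInstance(controllerRequest, request);
        // Check if an installation Id is provided and store it for later use
        if (installationId != null) {
            request.putAdditionalMetadata(FlowConstants.GITHUB_APP_INSTALLATION_ID, installationId.toString());
        }
        /*Check for Config as code (cx.config) and override*/
        CxConfig cxConfig = gitHubService.getCxConfigOverride(request);
        request = configOverrider.overrideScanRequestProperties(cxConfig, request);
        // The raw (signature-verified) payload travels with the request.
        request.putAdditionalMetadata(HTMLHelper.WEB_HOOK_PAYLOAD, body);
        request.putAdditionalMetadata("statuses_url", pullRequest.getStatusesUrl());
        request.setId(uid);
        // only initiate scan/automation if target branch is applicable
        if (helperService.isBranch2Scan(request, branches)) {
            flowService.initiateAutomation(request);
        }
    } catch (IllegalArgumentException e) {
        return getBadRequestMessage(e, controllerRequest, product);
    }
    return getSuccessMessage();
}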
