
Example 31 with ScanRequest

use of com.checkmarx.flow.dto.ScanRequest in project cx-flow by checkmarx-ltd.

Class GitLabController, method mergeRequest.

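/**
 * Merge Request event webhook submitted.
 * <p>
 * Authenticates the webhook, builds a {@link ScanRequest} from the GitLab merge request
 * payload, applies any config-as-code override and, when the source branch is accepted by
 * {@code helperService.isBranch2Scan}, starts the automation flow. Only merge requests whose
 * state is {@code opened} and which are not WIP are processed; every other merge request
 * update is acknowledged with a successful "no processing" response.
 *
 * @param body              GitLab merge request event payload; untrusted input, checked for
 *                          structural completeness before it is interpreted
 * @param token             webhook token header, checked by {@code validateGitLabRequest}
 * @param product           optional product path variable; defaults to {@code CX}
 * @param controllerRequest query-parameter overrides; may be null and is normalised by
 *                          {@code ensureNotNull}
 * @return the success response, the "no processing" response for non-opened or WIP merge
 *         requests, or the bad-request response built by {@code getBadRequestMessage} when the
 *         payload is incomplete or the product / bug tracker value is not recognised
 */
@PostMapping(value = { "/{product}", "/" }, headers = MERGE)
public ResponseEntity<EventResponse> mergeRequest(@RequestBody MergeEvent body, @RequestHeader(value = TOKEN_HEADER) String token, @PathVariable(value = "product", required = false) String product, ControllerRequest controllerRequest) {
    String uid = helperService.getShortUid();
    MDC.put(FlowConstants.MAIN_MDC_ENTRY, uid);
    log.info("Processing GitLab MERGE request");
    controllerRequest = ensureNotNull(controllerRequest);
    // Authenticate the caller before any part of the payload is interpreted.
    validateGitLabRequest(token, controllerRequest);
    try {
        // An incomplete payload becomes a bad request (same handling as pushRequest) instead of
        // surfacing as a NullPointerException further down.
        if (body == null || body.getObjectAttributes() == null || body.getRepository() == null || body.getProject() == null) {
            throw new IllegalArgumentException("Request body, object attributes, repository or project cannot be null");
        }
        ObjectAttributes objectAttributes = body.getObjectAttributes();
        // Null-safe comparison: a missing state is treated like any state other than "opened".
        if (!"opened".equalsIgnoreCase(objectAttributes.getState()) || isWIP(body)) {
            log.info("Merge requested not processed.  Status was not opened , or was WIP ({})", objectAttributes.getState());
            return ResponseEntity.status(HttpStatus.OK).body(EventResponse.builder().message("No processing occurred for updates to Merge Request").success(true).build());
        }
        // The repository name is the default application; a query-parameter override wins.
        String app = body.getRepository().getName();
        if (StringUtils.isNotEmpty(controllerRequest.getApplication())) {
            app = controllerRequest.getApplication();
        }
        BugTracker.Type bugType = BugTracker.Type.GITLABMERGE;
        if (StringUtils.isNotEmpty(controllerRequest.getBug())) {
            bugType = ScanUtils.getBugTypeEnum(controllerRequest.getBug(), flowProperties.getBugTrackerImpl());
        }
        // NOTE(review): this writes to the injected flowProperties field, so the setting outlives
        // this request - confirm that is intended.
        if (controllerRequest.getAppOnly() != null) {
            flowProperties.setTrackApplicationOnly(controllerRequest.getAppOnly());
        }
        if (ScanUtils.empty(product)) {
            product = ScanRequest.Product.CX.getProduct();
        }
        // valueOf throws IllegalArgumentException for an unknown product; mapped to a bad request below.
        ScanRequest.Product p = ScanRequest.Product.valueOf(product.toUpperCase(Locale.ROOT));
        String currentBranch = objectAttributes.getSourceBranch();
        String targetBranch = objectAttributes.getTargetBranch();
        String defaultBranch = objectAttributes.getTarget().getDefaultBranch();
        List<String> branches = getBranches(controllerRequest, flowProperties);
        BugTracker bt = ScanUtils.getBugTracker(controllerRequest.getAssignee(), bugType, jiraProperties, controllerRequest.getBug());
        FilterConfiguration filter = filterFactory.getFilter(controllerRequest, flowProperties);
        Project proj = body.getProject();
        String gitUrl = proj.getGitHttpUrl();
        log.info("Using url: {}", gitUrl);
        // gitAuthUrl embeds the SCM token; keep it out of log statements.
        String configToken = scmConfigOverrider.determineConfigToken(properties, controllerRequest.getScmInstance());
        String gitAuthUrl = gitAuthUrlGenerator.addCredToUrl(ScanRequest.Repository.GITLAB, gitUrl, configToken);
        ScanRequest request = ScanRequest.builder()
                .id(String.valueOf(proj.getId()))
                .application(app)
                .product(p)
                .project(controllerRequest.getProject())
                .team(controllerRequest.getTeam())
                .namespace(proj.getNamespace().replace(" ", "_"))
                .repoName(proj.getName())
                .repoUrl(proj.getGitHttpUrl())
                .repoUrlWithAuth(gitAuthUrl)
                .repoType(ScanRequest.Repository.GITLAB)
                .branch(currentBranch)
                .defaultBranch(defaultBranch)
                .mergeTargetBranch(targetBranch)
                .refs(Constants.CX_BRANCH_PREFIX.concat(currentBranch))
                .email(null)
                .incremental(controllerRequest.getIncremental())
                .scanPreset(controllerRequest.getPreset())
                .excludeFolders(controllerRequest.getExcludeFolders())
                .excludeFiles(controllerRequest.getExcludeFiles())
                .bugTracker(bt)
                .filter(filter)
                .organizationId(getOrganizationId(proj))
                .gitUrl(gitUrl)
                .hash(objectAttributes.getLastCommit().getId())
                .build();
        setMergeEndPointUri(objectAttributes, proj, request);
        setScmInstance(controllerRequest, request);
        if (proj.getId() != null) {
            request.setRepoProjectId(proj.getId());
        }
        /*Check for Config as code (cx.config) and override*/
        CxConfig cxConfig = gitLabService.getCxConfigOverride(request);
        request = configOverrider.overrideScanRequestProperties(cxConfig, request);
        // The raw webhook payload is retained on the request as metadata.
        request.putAdditionalMetadata(HTMLHelper.WEB_HOOK_PAYLOAD, body.toString());
        request.putAdditionalMetadata(FlowConstants.MERGE_ID, objectAttributes.getIid().toString());
        request.putAdditionalMetadata(FlowConstants.MERGE_TITLE, objectAttributes.getTitle());
        request.setId(uid);
        if (helperService.isBranch2Scan(request, branches)) {
            flowService.initiateAutomation(request);
        }
    } catch (IllegalArgumentException e) {
        return getBadRequestMessage(e, controllerRequest, product);
    }
    return getSuccessMessage();
}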

Example 32 with ScanRequest

use of com.checkmarx.flow.dto.ScanRequest in project cx-flow by checkmarx-ltd.

Class GitLabController, method pushRequest.

/**
 * Push Request event webhook submitted.
 * <p>
 * Authenticates the webhook, derives the pushed branch from the ref, assembles a
 * {@link ScanRequest} (commit author e-mails via {@code setUserEmail}, config-as-code
 * override via {@code gitLabService}) and starts the automation flow when the branch is
 * one that {@code helperService.isBranch2Scan} accepts.
 *
 * @param body              GitLab push event payload; must carry a repository
 * @param token             webhook token header, checked by {@code validateGitLabRequest}
 * @param product           optional product path variable; defaults to {@code CX}
 * @param controllerRequest query-parameter overrides; may be null and is normalised by
 *                          {@code ensureNotNull}
 * @return the success response, or the bad-request response from {@code getBadRequestMessage}
 *         when the payload lacks a repository or the product value is not recognised
 */
@PostMapping(value = { "/{product}", "/" }, headers = PUSH)
public ResponseEntity<EventResponse> pushRequest(@RequestBody PushEvent body, @RequestHeader(value = TOKEN_HEADER) String token, @PathVariable(value = "product", required = false) String product, ControllerRequest controllerRequest) {
    String shortUid = helperService.getShortUid();
    MDC.put(FlowConstants.MAIN_MDC_ENTRY, shortUid);
    controllerRequest = ensureNotNull(controllerRequest);
    // Authenticate before the payload is interpreted.
    validateGitLabRequest(token, controllerRequest);
    try {
        if (body == null || body.getRepository() == null) {
            throw new IllegalArgumentException("Request body or request repository cannot be null");
        }
        // The repository name is the default application; a query-parameter override wins.
        String applicationName = body.getRepository().getName();
        if (StringUtils.isNotEmpty(controllerRequest.getApplication())) {
            applicationName = controllerRequest.getApplication();
        }
        // set the default bug tracker as per yml
        setBugTracker(flowProperties, controllerRequest);
        BugTracker.Type trackerType = ScanUtils.getBugTypeEnum(controllerRequest.getBug(), flowProperties.getBugTrackerImpl());
        // NOTE(review): writes to the injected flowProperties field - the setting outlives this request.
        if (controllerRequest.getAppOnly() != null) {
            flowProperties.setTrackApplicationOnly(controllerRequest.getAppOnly());
        }
        // The defaulted product is also what the bad-request message reports, so the parameter itself is updated.
        if (ScanUtils.empty(product)) {
            product = ScanRequest.Product.CX.getProduct();
        }
        ScanRequest.Product selectedProduct = ScanRequest.Product.valueOf(product.toUpperCase(Locale.ROOT));
        // extract branch from ref (refs/heads/master -> master)
        String pushedBranch = ScanUtils.getBranchFromRef(body.getRef());
        List<String> branchesToScan = getBranches(controllerRequest, flowProperties);
        BugTracker tracker = ScanUtils.getBugTracker(controllerRequest.getAssignee(), trackerType, jiraProperties, controllerRequest.getBug());
        FilterConfiguration filterConfig = filterFactory.getFilter(controllerRequest, flowProperties);
        Project project = body.getProject();
        String repoUrl = project.getGitHttpUrl();
        log.debug("Using url: {}", repoUrl);
        // repoUrlWithCredentials embeds the SCM token; keep it out of log statements.
        String scmToken = scmConfigOverrider.determineConfigToken(properties, controllerRequest.getScmInstance());
        String repoUrlWithCredentials = gitAuthUrlGenerator.addCredToUrl(ScanRequest.Repository.GITLAB, repoUrl, scmToken);
        ScanRequest scanRequest = ScanRequest.builder()
                .id(String.valueOf(body.getProjectId()))
                .application(applicationName)
                .product(selectedProduct)
                .project(controllerRequest.getProject())
                .team(controllerRequest.getTeam())
                .namespace(project.getNamespace().replace(" ", "_"))
                .repoName(project.getName())
                .repoUrl(project.getGitHttpUrl())
                .repoUrlWithAuth(repoUrlWithCredentials)
                .repoType(ScanRequest.Repository.GITLAB)
                .branch(pushedBranch)
                .refs(body.getRef())
                .incremental(controllerRequest.getIncremental())
                .scanPreset(controllerRequest.getPreset())
                .excludeFolders(controllerRequest.getExcludeFolders())
                .excludeFiles(controllerRequest.getExcludeFiles())
                .bugTracker(tracker)
                .filter(filterConfig)
                .organizationId(getOrganizationId(project))
                .gitUrl(repoUrl)
                .hash(body.getAfter())
                .build();
        /*Determine emails*/
        List<String> recipients = new ArrayList<>();
        String commitEndpoint = setUserEmail(body, trackerType, project, scanRequest, recipients, null);
        scanRequest.setMergeNoteUri(commitEndpoint);
        scanRequest.setEmail(recipients);
        setScmInstance(controllerRequest, scanRequest);
        if (StringUtils.isNotEmpty(controllerRequest.getPreset())) {
            scanRequest.setScanPreset(controllerRequest.getPreset());
            scanRequest.setScanPresetOverride(true);
        }
        if (project.getId() != null) {
            scanRequest.setRepoProjectId(project.getId());
        }
        /*Check for Config as code (cx.config) and override*/
        CxConfig configAsCode = gitLabService.getCxConfigOverride(scanRequest);
        scanRequest = configOverrider.overrideScanRequestProperties(configAsCode, scanRequest);
        // The raw webhook payload is retained on the request as metadata.
        scanRequest.putAdditionalMetadata(HTMLHelper.WEB_HOOK_PAYLOAD, body.toString());
        scanRequest.setId(shortUid);
        if (helperService.isBranch2Scan(scanRequest, branchesToScan)) {
            flowService.initiateAutomation(scanRequest);
        }
    } catch (IllegalArgumentException e) {
        return getBadRequestMessage(e, controllerRequest, product);
    }
    return getSuccessMessage();
}

Example 33 with ScanRequest

use of com.checkmarx.flow.dto.ScanRequest in project cx-flow by checkmarx-ltd.

Class IastController, method stopScanAndCreateIssue.

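/**
 * Stops the IAST scan identified by {@code scanTag} and opens an issue in the requested bug tracker.
 * <p>
 * The caller must present the shared API token in the {@code TOKEN_HEADER} header. Supported
 * tracker names (matched case-insensitively) are {@code jira}, {@code github}, {@code gitlab},
 * {@code ado} and {@code azure}.
 *
 * @param scanTag        tag of the IAST scan to stop; must not be blank
 * @param bugTrackerName name of the bug tracker to create the issue in; must not be blank
 * @param token          shared API token, checked by {@code tokenUtils.validateToken}
 * @param body           issue details used to build the {@link ScanRequest}
 * @return 200 when the scan was stopped and the issue created; 403 for an invalid token;
 *         400 for a blank or unsupported tracker name or a blank scan tag; 500 for any other failure
 */
@PostMapping(value = { "/stop-scan-and-create-{tracker}-issue/{scanTag}" })
public ResponseEntity<EventResponse> stopScanAndCreateIssue(@PathVariable(value = "scanTag", required = false) String scanTag, @PathVariable(value = "tracker", required = false) String bugTrackerName, @RequestHeader(value = TOKEN_HEADER) String token, @RequestBody @Valid CreateIssue body) {
    HttpStatus httpStatusReturn = HttpStatus.OK;
    String returnMessage = "OK";
    try {
        // Validate shared API token from header
        tokenUtils.validateToken(token);
        // isBlank already covers null and whitespace-only values; calling trim() first would
        // NPE on a null path variable and turn a missing parameter into a 500 instead of a 400.
        if (Strings.isBlank(bugTrackerName)) {
            throw new InvalidParameterException("tracker parameter cannot be empty.");
        }
        if (Strings.isBlank(scanTag)) {
            throw new InvalidParameterException("scanTag parameter cannot be empty.");
        }
        BugTracker.Type bugTrackerType;
        // Locale-independent lower-casing so the match does not depend on the JVM default locale.
        switch (bugTrackerName.toLowerCase(java.util.Locale.ROOT)) {
            case "jira":
                bugTrackerType = BugTracker.Type.JIRA;
                break;
            case "github":
                bugTrackerType = BugTracker.Type.GITHUBCOMMIT;
                break;
            case "gitlab":
                bugTrackerType = BugTracker.Type.GITLABCOMMIT;
                break;
            case "ado":
            case "azure":
                bugTrackerType = BugTracker.Type.ADOPULL;
                break;
            default:
                throw new NotImplementedException(bugTrackerName + ". That bug tracker not implemented.");
        }
        ScanRequest request = getRepoScanRequest(body, bugTrackerType);
        iastService.stopScanAndCreateIssue(request, scanTag);
    } catch (InvalidTokenException e) {
        log.error(e.getMessage(), e);
        returnMessage = e.getMessage();
        httpStatusReturn = HttpStatus.FORBIDDEN;
    } catch (InvalidParameterException | NotImplementedException e) {
        // Both messages are produced by this controller's own validation above.
        log.error(e.getMessage(), e);
        returnMessage = e.getMessage();
        httpStatusReturn = HttpStatus.BAD_REQUEST;
    } catch (IOException | JiraClientException | RuntimeException e) {
        // Full detail goes to the log only; the client gets a generic message so that
        // internal exception text from downstream calls is not exposed in the response.
        log.error(e.getMessage(), e);
        returnMessage = "Internal error while stopping the scan and creating the issue.";
        httpStatusReturn = HttpStatus.INTERNAL_SERVER_ERROR;
    }
    return ResponseEntity.status(httpStatusReturn).body(EventResponse.builder().message(returnMessage).success(httpStatusReturn == HttpStatus.OK).build());
}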

Example 34 with ScanRequest

use of com.checkmarx.flow.dto.ScanRequest in project cx-flow by checkmarx-ltd.

Class ADOController, method pullRequest.

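/**
 * Pull Request event submitted (JSON)
 * <p>
 * Authenticates the caller with basic auth, ignores events whose type is not in
 * {@code PULL_EVENT} or whose pull request status is not {@code active}, builds a
 * {@link ScanRequest} for the source branch (with ADO-specific metadata and any
 * config-as-code override) and starts the automation flow when the target branch is
 * accepted by {@code helperService.isBranch2Scan}.
 *
 * @param body              Azure DevOps pull request event payload; untrusted input, checked
 *                          for a resource and repository before it is interpreted
 * @param auth              Authorization header, checked by {@code validateBasicAuth}
 * @param product           optional product path variable; defaults to {@code CX}
 * @param controllerRequest query-parameter overrides; may be null and is normalised by
 *                          {@code ensureNotNull}
 * @param adoDetailsRequest ADO-specific query parameters; may be null and is normalised by
 *                          {@code ensureDetailsNotNull}
 * @return the success response, a "no processing" or "Test Event" acknowledgement, or the
 *         bad-request response from {@code getBadRequestMessage} when the payload is
 *         incomplete or the product / bug tracker value is not recognised
 */
@PostMapping(value = { "/{product}/ado/pull", "/ado/pull" })
public ResponseEntity<EventResponse> pullRequest(@RequestBody PullEvent body, @RequestHeader(value = AUTHORIZATION) String auth, @PathVariable(value = "product", required = false) String product, ControllerRequest controllerRequest, AdoDetailsRequest adoDetailsRequest) {
    String uid = helperService.getShortUid();
    MDC.put(FlowConstants.MAIN_MDC_ENTRY, uid);
    log.info("Processing Azure PULL request");
    Action action = Action.PULL;
    controllerRequest = ensureNotNull(controllerRequest);
    // Authenticate before any part of the payload is interpreted.
    validateBasicAuth(auth, controllerRequest);
    adoDetailsRequest = ensureDetailsNotNull(adoDetailsRequest);
    ResourceContainers resourceContainers = body.getResourceContainers();
    try {
        Resource resource = body.getResource();
        // An incomplete payload becomes a bad request instead of a NullPointerException.
        if (resource == null || resource.getRepository() == null) {
            throw new IllegalArgumentException("Request resource or repository cannot be null");
        }
        // Null-safe status comparison: a missing status is never "active".
        if (!PULL_EVENT.contains(body.getEventType()) || !"active".equals(resource.getStatus())) {
            log.info("Pull requested not processed.  Event was not opened ({})", body.getEventType());
            return ResponseEntity.status(HttpStatus.OK).body(EventResponse.builder().message("No processing occurred for updates to Pull Request").success(true).build());
        }
        Repository repository = resource.getRepository();
        String pullUrl = resource.getUrl();
        // The repository name is the default application; a query-parameter override wins.
        String app = repository.getName();
        if (repository.getName().startsWith(properties.getTestRepository())) {
            log.info("Handling ADO Test Event");
            return ResponseEntity.status(HttpStatus.OK).body(EventResponse.builder().message("Test Event").success(true).build());
        }
        if (StringUtils.isNotEmpty(controllerRequest.getApplication())) {
            app = controllerRequest.getApplication();
        }
        BugTracker.Type bugType = BugTracker.Type.ADOPULL;
        if (StringUtils.isNotEmpty(controllerRequest.getBug())) {
            bugType = ScanUtils.getBugTypeEnum(controllerRequest.getBug(), flowProperties.getBugTrackerImpl());
        }
        // NOTE(review): writes to the injected flowProperties field - the setting outlives this request.
        if (controllerRequest.getAppOnly() != null) {
            flowProperties.setTrackApplicationOnly(controllerRequest.getAppOnly());
        }
        initAdoSpecificParams(adoDetailsRequest);
        if (StringUtils.isEmpty(product)) {
            product = ScanRequest.Product.CX.getProduct();
        }
        // valueOf throws IllegalArgumentException for an unknown product; mapped to a bad request below.
        ScanRequest.Product p = ScanRequest.Product.valueOf(product.toUpperCase(Locale.ROOT));
        String ref = resource.getSourceRefName();
        String currentBranch = ScanUtils.getBranchFromRef(ref);
        String targetBranch = ScanUtils.getBranchFromRef(resource.getTargetRefName());
        List<String> branches = getBranches(controllerRequest, flowProperties);
        BugTracker bt = ScanUtils.getBugTracker(controllerRequest.getAssignee(), bugType, jiraProperties, controllerRequest.getBug());
        FilterConfiguration filter = filterFactory.getFilter(controllerRequest, flowProperties);
        Map<FindingSeverity, Integer> thresholdMap = getThresholds(controllerRequest);
        // build request object
        String gitUrl = repository.getWebUrl();
        String token = scmConfigOverrider.determineConfigToken(properties, controllerRequest.getScmInstance());
        log.info("Using url: {}", gitUrl);
        // gitAuthUrl embeds the SCM token; keep it out of log statements.
        String gitAuthUrl = gitAuthUrlGenerator.addCredToUrl(ScanRequest.Repository.ADO, gitUrl, token);
        // The same namespace value is used for both the namespace and the organisation id.
        String namespace = determineNamespace(resourceContainers);
        ScanRequest request = ScanRequest.builder()
                .application(app)
                .product(p)
                .project(controllerRequest.getProject())
                .team(controllerRequest.getTeam())
                .namespace(namespace)
                .repoName(repository.getName())
                .repoUrl(gitUrl)
                .repoUrlWithAuth(gitAuthUrl)
                .repoType(ScanRequest.Repository.ADO)
                .branch(currentBranch)
                .refs(ref)
                .mergeNoteUri(pullUrl.concat("/threads"))
                .mergeTargetBranch(targetBranch)
                .email(null)
                .scanPreset(controllerRequest.getPreset())
                .incremental(controllerRequest.getIncremental())
                .excludeFolders(controllerRequest.getExcludeFolders())
                .excludeFiles(controllerRequest.getExcludeFiles())
                .bugTracker(bt)
                .filter(filter)
                .thresholds(thresholdMap)
                .organizationId(namespace)
                .gitUrl(gitUrl)
                .build();
        setScmInstance(controllerRequest, request);
        request.putAdditionalMetadata(ADOService.PROJECT_SELF_URL, getTheProjectURL(body.getResourceContainers()));
        fillRequestWithAdditionalData(request, repository, body.toString());
        checkForConfigAsCode(request, getConfigBranch(request, resource, action));
        request.putAdditionalMetadata("statuses_url", pullUrl.concat("/statuses"));
        addMetadataToScanRequest(adoDetailsRequest, request);
        request.setId(uid);
        // only initiate scan/automation if target branch is applicable
        if (helperService.isBranch2Scan(request, branches)) {
            flowService.initiateAutomation(request);
        }
    } catch (IllegalArgumentException e) {
        return getBadRequestMessage(e, controllerRequest, product);
    }
    return getSuccessMessage();
}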

Example 35 with ScanRequest

use of com.checkmarx.flow.dto.ScanRequest in project cx-flow by checkmarx-ltd.

Class ADOController, method pushRequest.

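/**
 * Push Request event submitted (JSON), along with the Product (cx for example)
 * <p>
 * Authenticates the caller with basic auth, takes the pushed branch from the first ref
 * update, builds a {@link ScanRequest} (with ADO-specific metadata and any config-as-code
 * override) and either starts the automation flow when the branch is accepted by
 * {@code helperService.isBranch2Scan}, or deletes the Checkmarx project when the event is
 * a branch deletion and {@code properties.getDeleteCxProject()} is enabled.
 *
 * @param body              Azure DevOps push event payload; untrusted input, checked for a
 *                          resource, repository and at least one ref update before use
 * @param auth              Authorization header, checked by {@code validateBasicAuth}
 * @param product           optional product path variable; defaults to {@code CX}
 * @param controllerRequest query-parameter overrides; may be null and is normalised by
 *                          {@code ensureNotNull}
 * @param adoDetailsRequest ADO-specific query parameters; may be null and is normalised by
 *                          {@code ensureDetailsNotNull}
 * @return the success response, a "Test Event" acknowledgement, or the bad-request response
 *         from {@code getBadRequestMessage} when the payload is incomplete or the product /
 *         bug tracker value is not recognised
 */
@PostMapping(value = { "/{product}/ado/push", "/ado/push" })
public ResponseEntity<EventResponse> pushRequest(@RequestBody PushEvent body, @RequestHeader(value = AUTHORIZATION) String auth, @PathVariable(value = "product", required = false) String product, ControllerRequest controllerRequest, AdoDetailsRequest adoDetailsRequest) {
    // TODO handle different state (Active/Closed)
    String uid = helperService.getShortUid();
    MDC.put(FlowConstants.MAIN_MDC_ENTRY, uid);
    log.info("Processing Azure Push request");
    Action action = Action.PUSH;
    controllerRequest = ensureNotNull(controllerRequest);
    // Authenticate before any part of the payload is interpreted.
    validateBasicAuth(auth, controllerRequest);
    adoDetailsRequest = ensureDetailsNotNull(adoDetailsRequest);
    ResourceContainers resourceContainers = body.getResourceContainers();
    try {
        Resource resource = body.getResource();
        // An incomplete payload becomes a bad request instead of a NullPointerException.
        if (resource == null || resource.getRepository() == null) {
            throw new IllegalArgumentException("Request resource or repository cannot be null");
        }
        // The pushed ref is read from the first ref update; an empty list would otherwise
        // fail with IndexOutOfBoundsException (a 500) rather than a bad request.
        if (resource.getRefUpdates() == null || resource.getRefUpdates().isEmpty()) {
            throw new IllegalArgumentException("Push event must contain at least one ref update");
        }
        Repository repository = resource.getRepository();
        // The repository name is the default application; a query-parameter override wins.
        String app = repository.getName();
        if (repository.getName().startsWith(properties.getTestRepository())) {
            log.info("Handling ADO Test Event");
            return ResponseEntity.status(HttpStatus.OK).body(EventResponse.builder().message("Test Event").success(true).build());
        }
        if (StringUtils.isNotEmpty(controllerRequest.getApplication())) {
            app = controllerRequest.getApplication();
        }
        // set the default bug tracker as per yml
        setBugTracker(flowProperties, controllerRequest);
        BugTracker.Type bugType = ScanUtils.getBugTypeEnum(controllerRequest.getBug(), flowProperties.getBugTrackerImpl());
        initAdoSpecificParams(adoDetailsRequest);
        // NOTE(review): writes to the injected flowProperties field - the setting outlives this request.
        if (controllerRequest.getAppOnly() != null) {
            flowProperties.setTrackApplicationOnly(controllerRequest.getAppOnly());
        }
        if (StringUtils.isEmpty(product)) {
            product = ScanRequest.Product.CX.getProduct();
        }
        // valueOf throws IllegalArgumentException for an unknown product; mapped to a bad request below.
        ScanRequest.Product p = ScanRequest.Product.valueOf(product.toUpperCase(Locale.ROOT));
        // determine branch (without refs)
        String ref = resource.getRefUpdates().get(0).getName();
        String currentBranch = ScanUtils.getBranchFromRef(ref);
        List<String> branches = getBranches(controllerRequest, flowProperties);
        BugTracker bt = ScanUtils.getBugTracker(controllerRequest.getAssignee(), bugType, jiraProperties, controllerRequest.getBug());
        FilterConfiguration filter = filterFactory.getFilter(controllerRequest, flowProperties);
        Map<FindingSeverity, Integer> thresholdMap = getThresholds(controllerRequest);
        List<String> emails = determineEmails(resource);
        // build request object
        String gitUrl = repository.getRemoteUrl();
        log.debug("Using url: {}", gitUrl);
        // gitAuthUrl embeds the SCM token; keep it out of log statements.
        String configToken = scmConfigOverrider.determineConfigToken(properties, controllerRequest.getScmInstance());
        String gitAuthUrl = gitAuthUrlGenerator.addCredToUrl(ScanRequest.Repository.ADO, gitUrl, configToken);
        // Fall back to the pushed ref when the repository reports no default branch.
        String defaultBranch = ScanUtils.getBranchFromRef(Optional.ofNullable(repository.getDefaultBranch()).orElse(ref));
        // The same namespace value is used for both the namespace and the organisation id.
        String namespace = determineNamespace(resourceContainers);
        ScanRequest request = ScanRequest.builder()
                .application(app)
                .product(p)
                .project(controllerRequest.getProject())
                .team(controllerRequest.getTeam())
                .namespace(namespace)
                .altProject(determineAzureProject(repository))
                .repoName(repository.getName())
                .repoUrl(gitUrl)
                .repoUrlWithAuth(gitAuthUrl)
                .repoType(ScanRequest.Repository.ADO)
                .branch(currentBranch)
                .defaultBranch(defaultBranch)
                .refs(ref)
                .email(emails)
                .scanPreset(controllerRequest.getPreset())
                .incremental(controllerRequest.getIncremental())
                .excludeFolders(controllerRequest.getExcludeFolders())
                .excludeFiles(controllerRequest.getExcludeFiles())
                .bugTracker(bt)
                .filter(filter)
                .thresholds(thresholdMap)
                .organizationId(namespace)
                .gitUrl(gitUrl)
                .build();
        setScmInstance(controllerRequest, request);
        request.putAdditionalMetadata(ADOService.PROJECT_SELF_URL, getTheProjectURL(body.getResourceContainers()));
        addMetadataToScanRequest(adoDetailsRequest, request);
        fillRequestWithAdditionalData(request, repository, body.toString());
        // if an override blob/file is provided, substitute these values
        checkForConfigAsCode(request, getConfigBranch(request, resource, action));
        request.setId(uid);
        // only initiate scan/automation if target branch is applicable
        if (helperService.isBranch2Scan(request, branches)) {
            flowService.initiateAutomation(request);
        } else if (isDeleteBranchEvent(resource) && properties.getDeleteCxProject()) {
            flowService.deleteProject(request);
        }
    } catch (IllegalArgumentException e) {
        return getBadRequestMessage(e, controllerRequest, product);
    }
    return getSuccessMessage();
}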
