Use of com.checkmarx.flow.dto.ScanRequest in project cx-flow by checkmarx-ltd.
The class PostRequestData, method latestScanResults.
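/**
 * Returns the latest Checkmarx scan results for a project, optionally narrowed
 * by severity/CWE/category/status filters and optionally wired to a bug tracker.
 * <p>
 * The shared API token is read from the {@code TOKEN_HEADER} request header and
 * checked with {@link #validateToken(String)} before any backend call is made.
 *
 * @param project     Checkmarx project name (mandatory)
 * @param token       shared API token from the request header (mandatory)
 * @param team        Checkmarx team path (optional); when the shard manager is
 *                    enabled a non-empty value is normalised to start with {@code /}
 * @param application application name (optional); falls back to {@code project}
 * @param severity    severity filter values (optional)
 * @param cwe         CWE filter values (optional)
 * @param category    category filter values (optional)
 * @param status      status filter values (optional)
 * @param assignee    bug-tracker assignee (optional)
 * @param override    override blob/file applied to the scan request (optional)
 * @param bug         bug-tracker selection (optional)
 * @return the latest scan results for the resolved scan request
 */
@GetMapping(value = "/scanresults", produces = "application/json")
public ScanResults latestScanResults(
        // Mandatory parameters
        @RequestParam(value = "project") String project,
        @RequestHeader(value = TOKEN_HEADER) String token,
        // Optional parameters
        @RequestParam(value = "team", required = false) String team,
        @RequestParam(value = "application", required = false) String application,
        @RequestParam(value = "severity", required = false) List<String> severity,
        @RequestParam(value = "cwe", required = false) List<String> cwe,
        @RequestParam(value = "category", required = false) List<String> category,
        @RequestParam(value = "status", required = false) List<String> status,
        @RequestParam(value = "assignee", required = false) String assignee,
        @RequestParam(value = "override", required = false) String override,
        @RequestParam(value = "bug", required = false) String bug) {
    String uid = helperService.getShortUid();
    MDC.put(FlowConstants.MAIN_MDC_ENTRY, uid);
    // Validate the shared API token from the header before doing any work.
    validateToken(token);
    // This primes the shard when Shard Manager is turned on
    if (cxProperties.getEnableShardManager()) {
        ShardSession shard = sessionTracker.getShardSession();
        // 'team' is optional (required = false): guard it before charAt(0), which would
        // throw NullPointerException / StringIndexOutOfBoundsException on a missing value.
        // Ensures the team path is absolute, e.g. /CxServer/CHECKMARX
        if (!ScanUtils.empty(team) && team.charAt(0) != '/') {
            team = "/" + team;
        }
        shard.setTeam(team);
        shard.setProject(project);
    }
    // Create bug tracker
    BugTracker bugTracker = getBugTracker(assignee, bug);
    // Create filters if available
    ControllerRequest request = new ControllerRequest(severity, cwe, category, status, null);
    FilterConfiguration filter = filterFactory.getFilter(request, properties);
    // Create the scan request; the application defaults to the project name when blank.
    ScanRequest scanRequest = ScanRequest.builder()
            .application(ScanUtils.empty(application) ? project : application)
            .product(ScanRequest.Product.CX) // Default product: CX
            .project(project)
            .team(team)
            .bugTracker(bugTracker)
            .filter(filter)
            .build();
    scanRequest.setId(uid);
    // If an override blob/file is provided, substitute these values
    if (!ScanUtils.empty(override)) {
        FlowOverride ovr = ScanUtils.getMachinaOverride(override);
        scanRequest = configOverrider.overrideScanRequestProperties(ovr, scanRequest);
    }
    // Fetch the latest Checkmarx scan results; the project metadata needed for the
    // lookup is carried by scanRequest itself.
    ScanResults scanResults = CxScannerService.getScanner(cxgoScanner, sastScanner).getLatestScanResults(scanRequest);
    log.debug("ScanResults {}", scanResults);
    return scanResults;
}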
Use of com.checkmarx.flow.dto.ScanRequest in project cx-flow by checkmarx-ltd.
The class PostRequestData, method scanPostback.
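/**
 * Handles the SAST post-back callback for a finished scan.
 * <p>
 * The request body is an {@code &}-separated form string: the {@code token=} field
 * carries the shared API token and the URL-encoded {@code scancomments=} field
 * carries the scan details decoded by {@code decodePostBackReq}. At most
 * {@code maxNumberOfTokens} fields are examined. The token is checked with
 * {@link #validateToken(String)} before the scan report is fetched or published.
 * <p>
 * Any failure while fetching or publishing the results is logged and the endpoint
 * still answers 200 / success, so the caller cannot tell a failed post-back apart
 * from a processed one.
 *
 * @param postBackData raw request body sent by SAST
 * @param scanID       numeric SAST scan id taken from the path
 * @return a success {@link EventResponse}
 */
@PostMapping(value = "/postbackAction/{scanID}")
public ResponseEntity<EventResponse> scanPostback(@RequestBody String postBackData, @PathVariable(value = "scanID") String scanID) {
    log.debug("Handling post-back from SAST");
    // Upper bound on the number of form fields parsed from the body.
    int maxNumberOfTokens = 100;
    PostRequestData prd = new PostRequestData();
    // Placeholder used when the body carries no token= field; validateToken is
    // expected to reject it (TODO confirm validateToken's handling of blank input).
    String token = " ";
    String bugTracker = properties.getBugTracker();
    //
    // / Decode the scan details.
    //
    StringTokenizer postData = new StringTokenizer(postBackData, "&");
    int iteration = 0;
    while (postData.hasMoreTokens() && iteration < maxNumberOfTokens) {
        String strToken = postData.nextToken();
        // "token=".length() == 6; the value is taken as-is (not URL-decoded).
        if (strToken.length() > 6 && strToken.startsWith("token=")) {
            token = strToken.substring(6);
        }
        // "scancomments=".length() == 13
        if (strToken.length() > 13 && strToken.startsWith("scancomments=")) {
            String scanDetails = strToken.substring(13);
            try {
                String postRequest = URLDecoder.decode(scanDetails, "UTF-8");
                decodePostBackReq(postRequest, prd);
            } catch (Exception e) {
                // Keep the cause: a bare message hides why decoding failed.
                log.error("Error decoding scan details", e);
            }
        }
        iteration++;
    }
    validateToken(token);
    try {
        // Parse the path variable once, before any shard/MDC work is done for it;
        // a non-numeric id is caught and logged below like any other failure.
        int sastScanId = Integer.parseInt(scanID);
        ScanRequest scanRequest = ScanRequest.builder()
                .namespace(prd.namespace)
                .repoName(prd.repoName)
                .project(prd.project)
                .team(prd.team)
                .repoType(ScanRequest.Repository.GITHUB)
                .product(ScanRequest.Product.CX) // Post-backs are always for the CX product
                .branch(prd.branch)
                .build();
        // There won't be a scan ID on the post-back, so we need to fake it in the
        // event shard support is turned on (very likely if using post-back support).
        String uid = helperService.getShortUid();
        MDC.put(FlowConstants.MAIN_MDC_ENTRY, uid);
        ScanRequestConverter src = sastScanner.getScanRequestConverter();
        src.setShardPropertiesIfExists(scanRequest, prd.team);
        // Now go ahead and process the scan as normal.
        ScanResults scanResults = cxService.getReportContentByScanId(sastScanId, scanRequest.getFilter());
        scanRequest.putAdditionalMetadata("statuses_url", prd.pullRequestURL);
        scanRequest.setMergeNoteUri(prd.mergeNoteUri);
        BugTracker bt = ScanUtils.getBugTracker(null, prd.bugType, jiraProperties, bugTracker);
        scanRequest.setBugTracker(bt);
        scanResults.setSastScanId(sastScanId);
        resultsService.publishCombinedResults(scanRequest, scanResults);
    } catch (Exception e) {
        log.error("Error posting SAST scan results", e);
    }
    return ResponseEntity.status(HttpStatus.OK)
            .body(EventResponse.builder().message("Scan Results Successfully Processed").success(true).build());
}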
Use of com.checkmarx.flow.dto.ScanRequest in project cx-flow by checkmarx-ltd.
The class BitbucketServerMergeHandler, method execute.
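/**
 * Processes a Bitbucket Server pull-request merge event: resolves the bug
 * tracker, filters and branch list from the controller request, builds the
 * {@link ScanRequest} for the source branch and starts the automation when the
 * target branch is one configured to be scanned.
 *
 * @param uid correlation id assigned to the resulting scan request
 * @return the webhook success message, or a bad-request message when the event
 *         carries an invalid value (surfaced as {@link IllegalArgumentException})
 */
@Override
public ResponseEntity<EventResponse> execute(String uid) {
    try {
        // Default to pull-request comments on Bitbucket Server unless a bug tracker was requested.
        BugTracker.Type bugType = BugTracker.Type.BITBUCKETSERVERPULL;
        if (!ScanUtils.empty(controllerRequest.getBug())) {
            bugType = ScanUtils.getBugTypeEnum(controllerRequest.getBug(), configProvider.getFlowProperties().getBugTrackerImpl());
        }
        // "appOnly" on the request overrides the global track-application-only flag.
        Optional.ofNullable(controllerRequest.getAppOnly()).ifPresent(configProvider.getFlowProperties()::setTrackApplicationOnly);
        ScanRequest.Product p = ScanRequest.Product.valueOf(product.toUpperCase(Locale.ROOT));
        List<String> branches = webhookUtils.getBranches(controllerRequest, configProvider.getFlowProperties());
        BugTracker bt = ScanUtils.getBugTracker(controllerRequest.getAssignee(), bugType, configProvider.getJiraProperties(), controllerRequest.getBug());
        FilterConfiguration filter = configProvider.getFilterFactory().getFilter(controllerRequest, configProvider.getFlowProperties());
        String gitUrl = getGitUrl();
        String gitAuthUrl = getGitAuthUrl(gitUrl);
        // PR comment, build-status and blocker-comment endpoints are derived from the
        // repository self URL / server base URL templates by filling in the placeholders.
        String repoSelfUrl = getRepoSelfUrl(toProjectKey, toSlug);
        String mergeEndpoint = repoSelfUrl.concat(MERGE_COMMENT).replace("{id}", pullRequestId);
        String buildStatusEndpoint = configProvider.getBitBucketProperties().getUrl().concat(BUILD_STATUS).replace("{commit}", fromRefLatestCommit);
        String blockerCommentUrl = repoSelfUrl.concat(BLOCKER_COMMENT).replace("{id}", pullRequestId);
        ScanRequest request = ScanRequest.builder()
                .application(application)
                .product(p)
                .project(controllerRequest.getProject())
                .team(controllerRequest.getTeam())
                .namespace(getNamespace())
                .repoName(repositoryName)
                .repoUrl(gitUrl)
                .repoUrlWithAuth(gitAuthUrl)
                .repoType(ScanRequest.Repository.BITBUCKETSERVER)
                .branch(currentBranch)
                .mergeTargetBranch(targetBranch)
                .mergeNoteUri(mergeEndpoint)
                .refs(refId)
                .email(null)
                .incremental(controllerRequest.getIncremental())
                .scanPreset(controllerRequest.getPreset())
                .excludeFolders(controllerRequest.getExcludeFolders())
                .excludeFiles(controllerRequest.getExcludeFiles())
                .bugTracker(bt)
                .filter(filter)
                .hash(fromRefLatestCommit)
                .build();
        webhookUtils.setScmInstance(controllerRequest, request);
        setBrowseUrl(request);
        fillRequestWithCommonAdditionalData(request, toProjectKey, toSlug, webhookPayload);
        checkForConfigAsCode(request);
        request.putAdditionalMetadata("buildStatusUrl", buildStatusEndpoint);
        request.putAdditionalMetadata("cxBaseUrl", configProvider.getCxScannerService().getProperties().getBaseUrl());
        request.putAdditionalMetadata("blocker-comment-url", blockerCommentUrl);
        request.setId(uid);
        // only initiate scan/automation if target branch is applicable
        if (configProvider.getHelperService().isBranch2Scan(request, branches)) {
            configProvider.getFlowService().initiateAutomation(request);
        }
    } catch (IllegalArgumentException e) {
        // Pass the exception as the last argument so the stack trace is kept
        // instead of being flattened into the message by string concatenation.
        log.debug("Error occurred while processing the request", e);
        return webhookUtils.getBadRequestMessage(e, controllerRequest, product);
    }
    return webhookUtils.getSuccessMessage();
}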
Use of com.checkmarx.flow.dto.ScanRequest in project cx-flow by checkmarx-ltd.
The class JiraService, method process.
/**
 * Publishes the findings in {@code results} to Jira: creates a ticket for every
 * issue not yet tracked, updates tickets that already exist, and closes tickets
 * whose findings are all false positives or that are no longer present in the results.
 *
 * @param results     the scan results to publish
 * @param request     the scan request; its bug tracker's project key is overwritten
 *                    with the Jira project key resolved by {@code determineJiraProjectKey}
 * @param scanDetails scan metadata forwarded to {@code logJiraTickets}
 * @return a map keyed by {@code JiraConstants.NEW_TICKET}, {@code UPDATED_TICKET} and
 *         {@code CLOSED_TICKET}, each holding the list of affected Jira issue keys
 * @throws JiraClientException if a Jira REST call fails while processing an issue;
 *                             the underlying {@code RestClientException} is logged but not chained
 */
Map<String, List<String>> process(ScanResults results, ScanRequest request, ScanDetails scanDetails) throws JiraClientException {
    Map<String, ScanResults.XIssue> map;
    Map<String, Issue> jiraMap;
    List<Issue> issuesParent;
    List<Issue> issuesGrandParent;
    List<String> newIssues = new ArrayList<>();
    List<String> updatedIssues = new ArrayList<>();
    List<String> closedIssues = new ArrayList<>();
    // Comma-separated scanner label filter passed to getIssues; only populated in
    // CLI scan mode, from whichever of SCA / SAST results are present.
    String filterScanner = "";
    if (CliMode.SCAN.equals(request.getCliMode())) {
        if (null != results.getScaResults()) {
            filterScanner = JIRA_ISSUE_LABEL_SCA;
        }
        if (null != results.getXIssues()) {
            if (filterScanner.isEmpty()) {
                filterScanner = JIRA_ISSUE_LABEL_SAST;
            } else {
                filterScanner = filterScanner + "," + JIRA_ISSUE_LABEL_SAST;
            }
        }
    }
    codeBashingService.createLessonsMap();
    getAndModifyRequestApplication(request);
    // The request's bug tracker is mutated in place with the resolved Jira project key.
    String jiraProjectKey = determineJiraProjectKey(request);
    request.getBugTracker().setProjectKey(jiraProjectKey);
    loadCustomFields(request.getBugTracker().getProjectKey(), request.getBugTracker().getIssueType());
    if (this.jiraProperties.isChild()) {
        // Child mode: issues already tracked in the parent (and optionally grandparent)
        // project are looked up so that duplicates are not created here.
        ScanRequest parent = new ScanRequest(request);
        ScanRequest grandparent = new ScanRequest(request);
        BugTracker bugTracker;
        // NOTE(review): whether ScanRequest(request) deep-copies the bug tracker is not
        // visible here; if getBugTracker() returns the shared instance, setProjectKey
        // below also changes request's project key — confirm against ScanRequest.
        bugTracker = parent.getBugTracker();
        bugTracker.setProjectKey(parentUrl);
        parent.setBugTracker(bugTracker);
        issuesParent = this.getIssues(parent, filterScanner);
        // Assumes grandParentUrl is non-null when child mode is on; length() would NPE otherwise.
        if (grandParentUrl.length() == 0) {
            log.info("Grandparent field is empty");
            issuesGrandParent = null;
        } else {
            BugTracker bugTrackerGrandParenet;
            bugTrackerGrandParenet = grandparent.getBugTracker();
            bugTrackerGrandParenet.setProjectKey(grandParentUrl);
            grandparent.setBugTracker(bugTrackerGrandParenet);
            issuesGrandParent = this.getIssues(grandparent, filterScanner);
        }
    } else {
        // Not a child project: no parent/grandparent lookups are performed.
        issuesParent = null;
        issuesGrandParent = null;
    }
    log.info("Processing Results and publishing findings to Jira");
    // map: issue key -> finding from this scan; jiraMap: issue key -> existing Jira issue.
    map = this.getIssueMap(results, request);
    setMapWithScanResults(map, nonPublishedScanResultsMap);
    jiraMap = this.getJiraIssueMap(this.getIssues(request, filterScanner));
    for (Map.Entry<String, ScanResults.XIssue> xIssue : map.entrySet()) {
        String issueCurrentKey = xIssue.getKey();
        try {
            ScanResults.XIssue currentIssue = xIssue.getValue();
            codeBashingService.addCodebashingUrlToIssue(currentIssue);
            /*Issue already exists -> update and comment*/
            if (jiraMap.containsKey(issueCurrentKey)) {
                Issue issue = jiraMap.get(issueCurrentKey);
                if (xIssue.getValue().isAllFalsePositive()) {
                    // All issues are false positive, so issue should be closed
                    log.debug("All issues are false positives");
                    Issue fpIssue;
                    fpIssue = checkForFalsePositiveIssuesInList(request, xIssue, currentIssue, issue);
                    closeIssueInCaseOfIssueIsInOpenState(request, closedIssues, fpIssue);
                } else /*Ignore any with label indicating false positive*/
                if (!issue.getLabels().contains(jiraProperties.getFalsePositiveLabel())) {
                    updateIssueAndAddToNewIssuesList(request, updatedIssues, xIssue, currentIssue, issue);
                } else {
                    log.info("Skipping issue marked as false-positive or has False Positive state with key {}", issueCurrentKey);
                }
            } else {
                /*Create the new issue*/
                // Skip creation when every finding is a false positive, or (child mode)
                // when the parent or grandparent project already tracks this key.
                if (!currentIssue.isAllFalsePositive() && (!jiraProperties.isChild() || (!parentCheck(issueCurrentKey, issuesParent) && !grandparentCheck(issueCurrentKey, issuesGrandParent)))) {
                    if (jiraProperties.isChild()) {
                        log.info("Issue not found in parent creating issue for child");
                    }
                    createIssueAndAddToNewIssuesList(request, newIssues, xIssue, currentIssue);
                }
            }
        } catch (RestClientException e) {
            // The cause is logged here but not attached to the thrown exception.
            log.error("Error occurred while processing issue with key {}", issueCurrentKey, e);
            throw new JiraClientException();
        }
        log.debug("Issue: {} successfully updated. Removing it from dynamic scan results map", xIssue.getValue());
        nonPublishedScanResultsMap.remove(issueCurrentKey);
    }
    /*Check if an issue exists in Jira but not within results and close if not*/
    closeIssueInCaseNotWithinResults(request, map, jiraMap, closedIssues);
    ImmutableMap<String, List<String>> ticketsMap = ImmutableMap.of(JiraConstants.NEW_TICKET, newIssues, JiraConstants.UPDATED_TICKET, updatedIssues, JiraConstants.CLOSED_TICKET, closedIssues);
    logJiraTickets(request, scanDetails, ticketsMap);
    // Keep the per-run lists available to callers that read them after process() returns.
    setCurrentNewIssuesList(newIssues);
    setCurrentUpdatedIssuesList(updatedIssues);
    setCurrentClosedIssuesList(closedIssues);
    return ticketsMap;
}
Use of com.checkmarx.flow.dto.ScanRequest in project cx-flow by checkmarx-ltd.
The class IastService, method createIssue.
/**
 * Creates a bug-tracker issue for every new IAST result of the given scan that
 * passes the severity filter, then evaluates the severity thresholds.
 *
 * @param request the scan request carrying the bug-tracker configuration
 * @param scan    the IAST scan whose vulnerabilities are fetched
 * @throws IOException             if an IAST API request fails
 * @throws NotImplementedException if the configured bug tracker is not supported
 */
private void createIssue(ScanRequest request, Scan scan) throws IOException {
    try {
        final ScanVulnerabilities report = iastServiceRequests.apiScanVulnerabilities(scan.getScanId());
        for (VulnerabilityInfo vulnerabilityInfo : report.getVulnerabilities()) {
            // Vulnerabilities without new results need no detail lookup.
            if (vulnerabilityInfo.getNewCount() == 0) {
                continue;
            }
            final List<ResultInfo> allResults = iastServiceRequests.apiScanResults(scan.getScanId(), vulnerabilityInfo.getId());
            // Select new results first, then apply the severity filter (same order as before).
            final List<ResultInfo> selected = allResults.stream()
                    .filter(ResultInfo::isNewResult)
                    .filter(result -> filterSeverity(result))
                    .collect(Collectors.toList());
            for (ResultInfo result : selected) {
                createIssue(report, request, result, vulnerabilityInfo, scan);
            }
        }
        thresholdsSeverity(report);
    } catch (NotImplementedException e) {
        // Re-raised with the bug-tracker name in the message; the original is not chained.
        throw new NotImplementedException(request.getBugTracker().getType().getType() + ". That bug tracker not implemented.");
    } catch (IOException e) {
        throw new IOException("Can't send api request", e);
    }
}