

Class PostRequestData, method latestScanResults.

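/**
 * Returns the latest Checkmarx scan results for a project.
 *
 * <p>The caller is authenticated via the {@code TOKEN_HEADER} header, which is checked with
 * {@link #validateToken} before any shard state is primed or any scan request is built.
 * Optional {@code severity}/{@code cwe}/{@code category}/{@code status} lists are turned into a
 * {@code FilterConfiguration}; {@code assignee} and {@code bug} select the bug tracker; an
 * {@code override} blob, when present, is applied to the built {@code ScanRequest} by
 * {@code configOverrider}.
 *
 * @param project     Checkmarx project name (mandatory)
 * @param token       shared API token from the request header (mandatory)
 * @param team        Checkmarx team path; optional, rooted with a leading "/" when shard support is on
 * @param application application name; defaults to {@code project} when empty
 * @param severity    optional severity filter values
 * @param cwe         optional CWE filter values
 * @param category    optional category filter values
 * @param status      optional status filter values
 * @param assignee    optional bug-tracker assignee
 * @param override    optional override blob/file reference applied to the scan request
 * @param bug         optional bug-tracker selector
 * @return the latest {@code ScanResults} for the resulting scan request
 */
@GetMapping(value = "/scanresults", produces = "application/json")
public ScanResults latestScanResults(
        // Mandatory parameters
        @RequestParam(value = "project") String project,
        @RequestHeader(value = TOKEN_HEADER) String token,
        // Optional parameters
        @RequestParam(value = "team", required = false) String team,
        @RequestParam(value = "application", required = false) String application,
        @RequestParam(value = "severity", required = false) List<String> severity,
        @RequestParam(value = "cwe", required = false) List<String> cwe,
        @RequestParam(value = "category", required = false) List<String> category,
        @RequestParam(value = "status", required = false) List<String> status,
        @RequestParam(value = "assignee", required = false) String assignee,
        @RequestParam(value = "override", required = false) String override,
        @RequestParam(value = "bug", required = false) String bug) {
    String uid = helperService.getShortUid();
    MDC.put(FlowConstants.MAIN_MDC_ENTRY, uid);
    // Validate shared API token from header before touching any other state
    validateToken(token);
    // This primes the shard when Shard Manager is turned on
    if (cxProperties.getEnableShardManager()) {
        ShardSession shard = sessionTracker.getShardSession();
        // "team" is an optional parameter: guard against null/empty before looking at its
        // first character (the original charAt(0) threw on both). Ensures the path is rooted
        // like this: /CxServer/CHECKMARX
        if (team != null && !team.isEmpty() && !team.startsWith("/")) {
            team = "/" + team;
        }
        shard.setTeam(team);
        shard.setProject(project);
    }
    // Create bug tracker
    BugTracker bugTracker = getBugTracker(assignee, bug);
    // Create filters if available
    ControllerRequest request = new ControllerRequest(severity, cwe, category, status, null);
    FilterConfiguration filter = filterFactory.getFilter(request, properties);
    // Create the scan request; the product defaults to CX
    ScanRequest scanRequest = ScanRequest.builder()
            .application(ScanUtils.empty(application) ? project : application)
            .product(ScanRequest.Product.CX)
            .project(project)
            .team(team)
            .bugTracker(bugTracker)
            .filter(filter)
            .build();
    scanRequest.setId(uid);
    // If an override blob/file is provided, substitute these values
    if (!ScanUtils.empty(override)) {
        FlowOverride ovr = ScanUtils.getMachinaOverride(override);
        scanRequest = configOverrider.overrideScanRequestProperties(ovr, scanRequest);
    }
    // Fetch the Checkmarx Scan Results based on given ScanRequest.
    // The cxProject parameter is null because the required project metadata
    // is already contained in the scanRequest parameter.
    ScanResults scanResults = CxScannerService.getScanner(cxgoScanner, sastScanner).getLatestScanResults(scanRequest);
    log.debug("ScanResults {}", scanResults);
    return scanResults;
}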

Class PostRequestData, method scanPostback.

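/**
 * Handles the SAST post-back for a finished scan and publishes the results to the configured bug tracker.
 *
 * <p>The body is a form-encoded string of {@code key=value} pairs separated by {@code &}. Only the
 * {@code token} and {@code scancomments} fields are read, and at most {@code maxNumberOfTokens} pairs
 * are inspected. The token is validated with {@link #validateToken} <em>before</em> the URL-encoded
 * {@code scancomments} blob is decoded, so an unauthenticated body never reaches
 * {@link #decodePostBackReq}.
 *
 * @param postBackData raw form-encoded post-back body
 * @param scanID       SAST scan id taken from the path; must parse as an {@code int}
 * @return 200 OK with a success message; processing failures after token validation are logged
 *         rather than surfaced (the original behaviour, kept so the post-back contract is unchanged)
 */
@PostMapping(value = "/postbackAction/{scanID}")
public ResponseEntity<EventResponse> scanPostback(@RequestBody String postBackData, @PathVariable(value = "scanID") String scanID) {
    log.debug("Handling post-back from SAST");
    // Upper bound on the number of "&"-separated fields read from the (untrusted) body
    final int maxNumberOfTokens = 100;
    PostRequestData prd = new PostRequestData();
    String token = " ";
    String scanDetails = null;
    String bugTracker = properties.getBugTracker();
    //
    // / Pick the token and the encoded scan details out of the body.
    //
    StringTokenizer postData = new StringTokenizer(postBackData, "&");
    int iteration = 0;
    while (postData.hasMoreTokens() && iteration < maxNumberOfTokens) {
        String strToken = postData.nextToken();
        if (strToken.length() > 6 && strToken.startsWith("token=")) {
            token = strToken.substring(6);
        }
        if (strToken.length() > 13 && strToken.startsWith("scancomments=")) {
            // last occurrence wins
            scanDetails = strToken.substring(13);
        }
        iteration++;
    }
    // Authenticate before decoding anything else from the body
    validateToken(token);
    //
    // / Decode the scan details.
    //
    if (scanDetails != null) {
        try {
            String postRequest = URLDecoder.decode(scanDetails, "UTF-8");
            decodePostBackReq(postRequest, prd);
        } catch (Exception e) {
            // keep the cause; the message alone hid why decoding failed
            log.error("Error decoding scan details", e);
        }
    }
    try {
        // Parse once; a malformed id is reported through the catch below like any other failure
        int sastScanId = Integer.parseInt(scanID);
        ScanRequest scanRequest = ScanRequest.builder()
                .namespace(prd.namespace)
                .repoName(prd.repoName)
                .project(prd.project)
                .team(prd.team)
                .repoType(ScanRequest.Repository.GITHUB)
                .product(ScanRequest.Product.CX)
                .branch(prd.branch)
                .build();
        // There won't be a scan ID on the post-back, so we need to fake it in the
        // event shard support is turned on (very likely if using post-back support).
        String uid = helperService.getShortUid();
        MDC.put(FlowConstants.MAIN_MDC_ENTRY, uid);
        ScanRequestConverter src = sastScanner.getScanRequestConverter();
        src.setShardPropertiesIfExists(scanRequest, prd.team);
        // Now go ahead and process the scan as normal.
        ScanResults scanResults = cxService.getReportContentByScanId(sastScanId, scanRequest.getFilter());
        scanRequest.putAdditionalMetadata("statuses_url", prd.pullRequestURL);
        scanRequest.setMergeNoteUri(prd.mergeNoteUri);
        BugTracker bt = ScanUtils.getBugTracker(null, prd.bugType, jiraProperties, bugTracker);
        scanRequest.setBugTracker(bt);
        scanResults.setSastScanId(sastScanId);
        resultsService.publishCombinedResults(scanRequest, scanResults);
    } catch (Exception e) {
        log.error("Error posting SAST scan results", e);
    }
    return ResponseEntity.status(HttpStatus.OK).body(EventResponse.builder().message("Scan Results Successfully Processed").success(true).build());
}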

Class BitbucketServerMergeHandler, method execute.

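/**
 * Builds a {@code ScanRequest} for a Bitbucket Server pull request and starts the scan automation
 * when the target branch is one that should be scanned.
 *
 * <p>The bug tracker defaults to {@code BITBUCKETSERVERPULL} unless the controller request names
 * another one. The merge-comment, build-status and blocker-comment endpoints are derived from the
 * repository self URL and the Bitbucket base URL and attached as additional metadata so downstream
 * publishers can reach them.
 *
 * @param uid correlation id stored on the scan request
 * @return the webhook success message, or a bad-request response if building the request fails
 *         with an {@code IllegalArgumentException}
 */
@Override
public ResponseEntity<EventResponse> execute(String uid) {
    try {
        BugTracker.Type bugType = BugTracker.Type.BITBUCKETSERVERPULL;
        if (!ScanUtils.empty(controllerRequest.getBug())) {
            bugType = ScanUtils.getBugTypeEnum(controllerRequest.getBug(), configProvider.getFlowProperties().getBugTrackerImpl());
        }
        Optional.ofNullable(controllerRequest.getAppOnly()).ifPresent(configProvider.getFlowProperties()::setTrackApplicationOnly);
        ScanRequest.Product p = ScanRequest.Product.valueOf(product.toUpperCase(Locale.ROOT));
        List<String> branches = webhookUtils.getBranches(controllerRequest, configProvider.getFlowProperties());
        BugTracker bt = ScanUtils.getBugTracker(controllerRequest.getAssignee(), bugType, configProvider.getJiraProperties(), controllerRequest.getBug());
        FilterConfiguration filter = configProvider.getFilterFactory().getFilter(controllerRequest, configProvider.getFlowProperties());
        String gitUrl = getGitUrl();
        String gitAuthUrl = getGitAuthUrl(gitUrl);
        String repoSelfUrl = getRepoSelfUrl(toProjectKey, toSlug);
        // Endpoints are templates with {id}/{commit} placeholders filled from the PR payload
        String mergeEndpoint = repoSelfUrl.concat(MERGE_COMMENT).replace("{id}", pullRequestId);
        String buildStatusEndpoint = configProvider.getBitBucketProperties().getUrl().concat(BUILD_STATUS).replace("{commit}", fromRefLatestCommit);
        String blockerCommentUrl = repoSelfUrl.concat(BLOCKER_COMMENT).replace("{id}", pullRequestId);
        ScanRequest request = ScanRequest.builder()
                .application(application)
                .product(p)
                .project(controllerRequest.getProject())
                .team(controllerRequest.getTeam())
                .namespace(getNamespace())
                .repoName(repositoryName)
                .repoUrl(gitUrl)
                .repoUrlWithAuth(gitAuthUrl)
                .repoType(ScanRequest.Repository.BITBUCKETSERVER)
                .branch(currentBranch)
                .mergeTargetBranch(targetBranch)
                .mergeNoteUri(mergeEndpoint)
                .refs(refId)
                .email(null)
                .incremental(controllerRequest.getIncremental())
                .scanPreset(controllerRequest.getPreset())
                .excludeFolders(controllerRequest.getExcludeFolders())
                .excludeFiles(controllerRequest.getExcludeFiles())
                .bugTracker(bt)
                .filter(filter)
                .hash(fromRefLatestCommit)
                .build();
        webhookUtils.setScmInstance(controllerRequest, request);
        setBrowseUrl(request);
        fillRequestWithCommonAdditionalData(request, toProjectKey, toSlug, webhookPayload);
        checkForConfigAsCode(request);
        request.putAdditionalMetadata("buildStatusUrl", buildStatusEndpoint);
        request.putAdditionalMetadata("cxBaseUrl", configProvider.getCxScannerService().getProperties().getBaseUrl());
        request.putAdditionalMetadata("blocker-comment-url", blockerCommentUrl);
        request.setId(uid);
        // only initiate scan/automation if target branch is applicable
        if (configProvider.getHelperService().isBranch2Scan(request, branches)) {
            configProvider.getFlowService().initiateAutomation(request);
        }
    } catch (IllegalArgumentException e) {
        // Parameterized logging keeps the stack trace instead of string-concatenating the exception
        log.debug("Error occurred while processing the request", e);
        return webhookUtils.getBadRequestMessage(e, controllerRequest, product);
    }
    return webhookUtils.getSuccessMessage();
}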

Class JiraService, method process.

/**
 * Reconciles the findings in {@code results} with the Jira issues open for {@code request}:
 * issues that already exist are updated, closed when every finding is a false positive, or
 * skipped when carrying the false-positive label; missing ones are created; issues present in
 * Jira but absent from the results are closed.
 *
 * <p>When {@code jiraProperties.isChild()} is set, a new issue is created only if neither the
 * parent project ({@code parentUrl}) nor the grandparent project ({@code grandParentUrl}, when
 * non-empty) already tracks it.
 *
 * @param results     scan results to publish
 * @param request     scan request; its bug tracker's project key is replaced with the resolved Jira key
 * @param scanDetails scan details, used when logging the ticket summary
 * @return map from {@code JiraConstants.NEW_TICKET}, {@code UPDATED_TICKET} and {@code CLOSED_TICKET}
 *         to the affected Jira keys
 * @throws JiraClientException if the Jira REST client fails while processing an issue
 */
Map<String, List<String>> process(ScanResults results, ScanRequest request, ScanDetails scanDetails) throws JiraClientException {
    List<String> newIssues = new ArrayList<>();
    List<String> updatedIssues = new ArrayList<>();
    List<String> closedIssues = new ArrayList<>();
    // In CLI scan mode the Jira query is narrowed to the scanners that actually produced results
    String filterScanner = "";
    if (CliMode.SCAN.equals(request.getCliMode())) {
        if (results.getScaResults() != null) {
            filterScanner = JIRA_ISSUE_LABEL_SCA;
        }
        if (results.getXIssues() != null) {
            filterScanner = filterScanner.isEmpty() ? JIRA_ISSUE_LABEL_SAST : filterScanner + "," + JIRA_ISSUE_LABEL_SAST;
        }
    }
    codeBashingService.createLessonsMap();
    getAndModifyRequestApplication(request);
    String jiraProjectKey = determineJiraProjectKey(request);
    request.getBugTracker().setProjectKey(jiraProjectKey);
    loadCustomFields(request.getBugTracker().getProjectKey(), request.getBugTracker().getIssueType());
    List<Issue> issuesParent = null;
    List<Issue> issuesGrandParent = null;
    if (this.jiraProperties.isChild()) {
        // Both copies are taken before either bug tracker is re-targeted (same order as before;
        // presumably the copy constructor isolates the bug tracker — not verifiable here)
        ScanRequest parent = new ScanRequest(request);
        ScanRequest grandparent = new ScanRequest(request);
        BugTracker parentTracker = parent.getBugTracker();
        parentTracker.setProjectKey(parentUrl);
        parent.setBugTracker(parentTracker);
        issuesParent = this.getIssues(parent, filterScanner);
        if (grandParentUrl.isEmpty()) {
            log.info("Grandparent field is empty");
        } else {
            BugTracker grandparentTracker = grandparent.getBugTracker();
            grandparentTracker.setProjectKey(grandParentUrl);
            grandparent.setBugTracker(grandparentTracker);
            issuesGrandParent = this.getIssues(grandparent, filterScanner);
        }
    }
    log.info("Processing Results and publishing findings to Jira");
    Map<String, ScanResults.XIssue> map = this.getIssueMap(results, request);
    setMapWithScanResults(map, nonPublishedScanResultsMap);
    Map<String, Issue> jiraMap = this.getJiraIssueMap(this.getIssues(request, filterScanner));
    for (Map.Entry<String, ScanResults.XIssue> xIssue : map.entrySet()) {
        String issueCurrentKey = xIssue.getKey();
        ScanResults.XIssue currentIssue = xIssue.getValue();
        try {
            codeBashingService.addCodebashingUrlToIssue(currentIssue);
            if (!jiraMap.containsKey(issueCurrentKey)) {
                /*Create the new issue*/
                if (!currentIssue.isAllFalsePositive()) {
                    // A child project defers to the parent/grandparent if either already tracks the key
                    boolean trackedUpstream = jiraProperties.isChild()
                            && (parentCheck(issueCurrentKey, issuesParent) || grandparentCheck(issueCurrentKey, issuesGrandParent));
                    if (!trackedUpstream) {
                        if (jiraProperties.isChild()) {
                            log.info("Issue not found in parent creating issue for child");
                        }
                        createIssueAndAddToNewIssuesList(request, newIssues, xIssue, currentIssue);
                    }
                }
            } else {
                /*Issue already exists -> update and comment*/
                Issue issue = jiraMap.get(issueCurrentKey);
                if (currentIssue.isAllFalsePositive()) {
                    // All issues are false positive, so issue should be closed
                    log.debug("All issues are false positives");
                    Issue fpIssue = checkForFalsePositiveIssuesInList(request, xIssue, currentIssue, issue);
                    closeIssueInCaseOfIssueIsInOpenState(request, closedIssues, fpIssue);
                } else if (issue.getLabels().contains(jiraProperties.getFalsePositiveLabel())) {
                    /*Ignore any with label indicating false positive*/
                    log.info("Skipping issue marked as false-positive or has False Positive state with key {}", issueCurrentKey);
                } else {
                    updateIssueAndAddToNewIssuesList(request, updatedIssues, xIssue, currentIssue, issue);
                }
            }
        } catch (RestClientException e) {
            log.error("Error occurred while processing issue with key {}", issueCurrentKey, e);
            throw new JiraClientException();
        }
        log.debug("Issue: {} successfully updated. Removing it from dynamic scan results map", xIssue.getValue());
        nonPublishedScanResultsMap.remove(issueCurrentKey);
    }
    /*Check if an issue exists in Jira but not within results and close if not*/
    closeIssueInCaseNotWithinResults(request, map, jiraMap, closedIssues);
    ImmutableMap<String, List<String>> ticketsMap = ImmutableMap.of(
            JiraConstants.NEW_TICKET, newIssues,
            JiraConstants.UPDATED_TICKET, updatedIssues,
            JiraConstants.CLOSED_TICKET, closedIssues);
    logJiraTickets(request, scanDetails, ticketsMap);
    setCurrentNewIssuesList(newIssues);
    setCurrentUpdatedIssuesList(updatedIssues);
    setCurrentClosedIssuesList(closedIssues);
    return ticketsMap;
}

Class IastService, method createIssue.

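/**
 * Creates a bug-tracker issue for every new IAST result of the given scan that passes the
 * severity filter, then applies the severity thresholds to the scan's vulnerability summary.
 *
 * <p>Only vulnerabilities with a non-zero new-result count are expanded; for each, the scan
 * results are fetched and reduced to those flagged as new and accepted by {@link #filterSeverity}.
 *
 * @param request scan request whose bug tracker receives the issues
 * @param scan    IAST scan to read vulnerabilities and results from
 * @throws IOException             if an IAST API request fails (the original failure is kept as the cause)
 * @throws NotImplementedException if the request's bug tracker type is not supported
 */
private void createIssue(ScanRequest request, Scan scan) throws IOException {
    try {
        final ScanVulnerabilities scanVulnerabilities = iastServiceRequests.apiScanVulnerabilities(scan.getScanId());
        List<VulnerabilityInfo> vulnerabilities = scanVulnerabilities.getVulnerabilities();
        for (VulnerabilityInfo vulnerability : vulnerabilities) {
            if (vulnerability.getNewCount() == 0) {
                continue;
            }
            final List<ResultInfo> scanResults = iastServiceRequests.apiScanResults(scan.getScanId(), vulnerability.getId());
            final List<ResultInfo> newFilteredResults = scanResults.stream()
                    .filter(result -> result.isNewResult() && filterSeverity(result))
                    .collect(Collectors.toList());
            for (ResultInfo result : newFilteredResults) {
                createIssue(scanVulnerabilities, request, result, vulnerability, scan);
            }
        }
        thresholdsSeverity(scanVulnerabilities);
    } catch (NotImplementedException e) {
        // Re-throw with the tracker type in the message but keep the original as the cause
        throw new NotImplementedException(request.getBugTracker().getType().getType() + ". That bug tracker not implemented.", e);
    } catch (IOException e) {
        throw new IOException("Can't send api request", e);
    }
}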