Example 1 with VulnerabilityInfo

Use of com.checkmarx.flow.dto.iast.manager.dto.VulnerabilityInfo in project cx-flow by checkmarx-ltd.

From the class IastService, method thresholdsSeverity:

/**
 * Throws IastThresholdsSeverityException when, for any severity, the number of
 * vulnerabilities whose highest severity is that level reaches (>=) the threshold
 * configured for it. A configured threshold of -1 disables the check for that severity.
 */
private void thresholdsSeverity(ScanVulnerabilities scanVulnerabilities) {
    // One counter per known severity, all starting at zero.
    Map<Severity, AtomicInteger> thresholdsSeverity = new HashMap<>(7);
    for (Severity severity : Severity.values()) {
        thresholdsSeverity.put(severity, new AtomicInteger(0));
    }
    boolean throwThresholdsSeverity = false;
    for (VulnerabilityInfo vulnerabilityInfo : scanVulnerabilities.getVulnerabilities()) {
        Severity highest = vulnerabilityInfo.getHighestSeverity();
        int countSeverityVulnerabilities = thresholdsSeverity.get(highest).incrementAndGet();
        Integer countPossibleVulnerability = iastProperties.getThresholdsSeverity().get(highest);
        // -1 means "no limit"; otherwise fail once the count reaches the threshold.
        if (countPossibleVulnerability != -1 && countSeverityVulnerabilities >= countPossibleVulnerability) {
            throwThresholdsSeverity = true;
        }
    }
    if (throwThresholdsSeverity) {
        // Read the final counters with get(): using incrementAndGet() while logging
        // would bump every counter by one and report inflated numbers.
        log.warn("\nThresholds severity are exceeded. "
                + "\n High:   " + thresholdsSeverity.get(Severity.HIGH).get()
                + " / " + iastProperties.getThresholdsSeverity().get(Severity.HIGH)
                + "\n Medium: " + thresholdsSeverity.get(Severity.MEDIUM).get()
                + " / " + iastProperties.getThresholdsSeverity().get(Severity.MEDIUM)
                + "\n Low:    " + thresholdsSeverity.get(Severity.LOW).get()
                + " / " + iastProperties.getThresholdsSeverity().get(Severity.LOW)
                + "\n Info:   " + thresholdsSeverity.get(Severity.INFO).get()
                + " / " + iastProperties.getThresholdsSeverity().get(Severity.INFO));
        throw new IastThresholdsSeverityException();
    }
}

Example 2 with VulnerabilityInfo

Use of com.checkmarx.flow.dto.iast.manager.dto.VulnerabilityInfo in project cx-flow by checkmarx-ltd.

From the class IastService, method createIssue:

private void createIssue(ScanRequest request, Scan scan) throws IOException {
    try {
        // Fetch every vulnerability type reported for this IAST scan.
        final ScanVulnerabilities scanVulnerabilities = iastServiceRequests.apiScanVulnerabilities(scan.getScanId());
        List<VulnerabilityInfo> vulnerabilities = scanVulnerabilities.getVulnerabilities();
        for (VulnerabilityInfo vulnerability : vulnerabilities) {
            // Only vulnerability types with newly found results need bug-tracker issues.
            if (vulnerability.getNewCount() != 0) {
                final List<ResultInfo> scansResultsQuery =
                        iastServiceRequests.apiScanResults(scan.getScanId(), vulnerability.getId());
                // Keep new results that pass the configured severity filter.
                final List<ResultInfo> scansResultQueryList = scansResultsQuery.stream()
                        .filter(scansResultQuery -> scansResultQuery.isNewResult() && filterSeverity(scansResultQuery))
                        .collect(Collectors.toList());
                for (ResultInfo scansResultQuery : scansResultQueryList) {
                    createIssue(scanVulnerabilities, request, scansResultQuery, vulnerability, scan);
                }
            }
        }
        // After issues are created, fail the run if any severity threshold is exceeded.
        thresholdsSeverity(scanVulnerabilities);
    } catch (NotImplementedException e) {
        throw new NotImplementedException(request.getBugTracker().getType().getType() + ". That bug tracker not implemented.");
    } catch (IOException e) {
        throw new IOException("Can't send api request", e);
    }
}