
Example 1 with ScanResults

use of com.checkmarx.sdk.dto.ScanResults in project cx-flow by checkmarx-ltd.

The class IssueService, method process.

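/**
 * Synchronises the issues reported in {@code results} with the issue tracker selected by
 * {@code request.getBugTracker()}.
 *
 * <p>The tracker is resolved as a Spring bean by the name carried in
 * {@link BugTracker#getCustomBean()} and must implement {@link IssueTracker}. For every result
 * key the method creates, updates, or (when every finding behind the key is a false positive)
 * closes the matching tracker issue; open tracker issues whose key no longer appears in the
 * results are closed as well. Per-issue HTTP failures are logged and skipped so that one bad
 * issue does not abort the whole run.
 *
 * @param results scan results whose issues are to be reflected in the tracker
 * @param request scan request carrying the bug-tracker configuration and repository context
 * @throws MachinaException if a non-custom bug tracker is combined with a custom bean name
 * @throws MachinaRuntimeException if the bean cannot be loaded or does not implement
 *     {@link IssueTracker}
 */
public void process(ScanResults results, ScanRequest request) throws MachinaException {
    List<String> newIssues = new ArrayList<>();
    List<String> updatedIssues = new ArrayList<>();
    List<String> closedIssues = new ArrayList<>();
    BugTracker bugTracker = request.getBugTracker();
    String customBean = bugTracker.getCustomBean();
    // NOTE(review): this only rejects a non-CUSTOM tracker that also names a bean; a CUSTOM
    // tracker with an empty bean name falls through to context.getBean and presumably surfaces
    // as MachinaRuntimeException via the BeansException handler below — confirm that is intended.
    if (!bugTracker.getType().equals(BugTracker.Type.CUSTOM) && !ScanUtils.empty(customBean)) {
        throw new MachinaException("A valid custom bean must be used here.");
    }
    try {
        // The bean name comes from the request; the only guard against an arbitrary bean being
        // selected is the cast to IssueTracker (a mismatch is reported in the handler below).
        IssueTracker tracker = (IssueTracker) context.getBean(customBean);
        tracker.init(request, results);
        String fpLabel = tracker.getFalsePositiveLabel();
        codeBashingService.createLessonsMap();
        log.info("Processing Issues with custom bean {}", customBean);
        List<Issue> issues = tracker.getIssues(request);
        if (issues == null) {
            issues = Collections.emptyList();
        }
        Map<String, ScanResults.XIssue> xMap = this.getXIssueMap(tracker, results, request);
        Map<String, Issue> iMap = this.getIssueMap(tracker, issues, request);
        for (Map.Entry<String, ScanResults.XIssue> xIssue : xMap.entrySet()) {
            String key = xIssue.getKey();
            ScanResults.XIssue currentIssue = xIssue.getValue();
            try {
                codeBashingService.addCodebashingUrlToIssue(currentIssue);
                if (iMap.containsKey(key)) {
                    /*Issue already exists -> update and comment*/
                    Issue existing = iMap.get(key);
                    if (currentIssue.isAllFalsePositive()) {
                        // Every finding behind this key is a false positive, so the ticket is closed
                        log.debug("All issues are false positives");
                        if (properties.isListFalsePositives()) {
                            // Update the ticket if flag is set
                            log.debug("Issue is being updated to reflect false positive references.  Updating issue with key {}", key);
                            tracker.updateIssue(existing, currentIssue, request);
                        }
                        if (tracker.isIssueOpened(existing, request)) {
                            /*Close the issue if in an open state*/
                            log.info("Closing issue with key {}", existing.getId());
                            tracker.closeIssue(existing, request);
                            closedIssues.add(existing.getId());
                        }
                    } else if (!existing.getLabels().contains(fpLabel)) {
                        /*Ignore any with label indicating false positive*/
                        log.info("Issue still exists.  Updating issue with key {}", key);
                        currentIssue.setGitUrl(ScanUtils.getFileUrl(request, currentIssue.getFilename()));
                        Issue updatedIssue = tracker.updateIssue(existing, currentIssue, request);
                        if (updatedIssue != null) {
                            updatedIssues.add(updatedIssue.getId());
                            log.debug("Update completed for issue #{}", updatedIssue.getId());
                        }
                    } else {
                        log.info("Skipping issue marked as false positive with key {}", key);
                    }
                } else if (!currentIssue.isAllFalsePositive()) {
                    /*Create the new issue*/
                    currentIssue.setGitUrl(ScanUtils.getFileUrl(request, currentIssue.getFilename()));
                    log.info("Creating new issue with key {}", key);
                    Issue newIssue = tracker.createIssue(currentIssue, request);
                    if (newIssue != null) {
                        newIssues.add(newIssue.getId());
                        log.info("New issue created. #{}", newIssue.getId());
                    }
                }
            } catch (HttpClientErrorException e) {
                log.error("Error occurred while processing issue with key {}", key, e);
            }
        }
        /*Check if an issue exists in the tracker but not within results and close it if so*/
        for (Map.Entry<String, Issue> issueMap : iMap.entrySet()) {
            String key = issueMap.getKey();
            Issue issue = issueMap.getValue();
            try {
                if (!xMap.containsKey(key) && tracker.isIssueOpened(issue, request)) {
                    /*Close the issue*/
                    tracker.closeIssue(issue, request);
                    closedIssues.add(issue.getId());
                    log.info("Closing issue #{} with key {}", issue.getId(), key);
                }
            } catch (HttpClientErrorException e) {
                log.error("Error occurred while processing issue with key {}", key, e);
            }
        }
        // Report the per-run totals; these lists were previously collected into a map that was never read.
        log.info("Issue processing complete: {} created, {} updated, {} closed",
                newIssues.size(), updatedIssues.size(), closedIssues.size());
        tracker.complete(request, results);
    } catch (BeansException e) {
        log.error("Specified bug tracker bean was not found or properly loaded.", e);
        throw new MachinaRuntimeException();
    } catch (ClassCastException e) {
        log.error("Bean must implement the IssueTracker Interface", e);
        throw new MachinaRuntimeException();
    }
}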

Example 2 with ScanResults

use of com.checkmarx.sdk.dto.ScanResults in project cx-flow by checkmarx-ltd.

The class FlowService, method runScanRequest.

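/**
 * Runs {@code scanRequest} through every scanner in turn and publishes the merged results.
 *
 * <p>Scanners are executed sequentially. A scanner that throws is logged together with its
 * stack trace and skipped, so the remaining scanners still contribute to the combined result.
 *
 * @param scanRequest the request to scan
 * @param scanners the scanners to run, in list order
 */
private void runScanRequest(ScanRequest scanRequest, List<VulnerabilityScanner> scanners) {
    ScanResults combinedResults = new ScanResults();
    for (VulnerabilityScanner scanner : scanners) {
        try {
            ScanResults scanResults = scanner.scan(scanRequest);
            combinedResults.mergeWith(scanResults);
        } catch (Exception e) {
            // Best-effort by design, but the failure must stay diagnosable: keep the cause in the log.
            log.warn("Scan failed. Continuing with other scanners.", e);
        }
    }
    resultsService.publishCombinedResults(scanRequest, combinedResults);
}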

Example 3 with ScanResults

use of com.checkmarx.sdk.dto.ScanResults in project cx-flow by checkmarx-ltd.

The class SarifIssueTracker, method generateSastResults.

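/**
 * Appends one SARIF run describing the SAST findings in {@code results} to {@code run}.
 *
 * <p>Issues without a vulnerability name, and issues whose findings are all marked false
 * positive, are omitted. Each remaining distinct vulnerability becomes a SARIF rule, and each
 * remaining issue becomes a result with one location (plus a matching code-flow step) per
 * finding that is not a false positive.
 *
 * @param results scan results to convert
 * @param run the list of SARIF runs to append to
 */
private void generateSastResults(ScanResults results, List<SarifVulnerability> run) {
    // Issues that carry a vulnerability name and still have at least one real finding.
    List<ScanResults.XIssue> filteredXIssues = results.getXIssues().stream()
            .filter(x -> x.getVulnerability() != null)
            .filter(x -> !x.isAllFalsePositive())
            .collect(Collectors.toList());
    // One representative issue per vulnerability. De-duplication runs over the already filtered
    // issues so that a vulnerability whose first occurrence is all-false-positive still gets a
    // rule when another occurrence is real; otherwise results could reference a missing rule.
    Set<ScanResults.XIssue> filteredByVulns = filteredXIssues.stream()
            .collect(Collectors.toCollection(
                    () -> new TreeSet<>(Comparator.comparing(ScanResults.XIssue::getVulnerability))));
    List<Rule> sastScanrules = filteredByVulns.stream()
            .map(this::buildSastRule)
            .collect(Collectors.toList());
    // Results are numbered in iteration order; the number doubles as the artifact-location index.
    List<Result> sastScanresultList = new ArrayList<>();
    int index = 0;
    for (ScanResults.XIssue issue : filteredXIssues) {
        sastScanresultList.add(buildSastResult(issue, index++));
    }
    run.add(SarifVulnerability.builder()
            .tool(Tool.builder()
                    .driver(Driver.builder()
                            .name(properties.getSastScannerName())
                            .organization(properties.getSastOrganization())
                            .semanticVersion(properties.getSemanticVersion())
                            .rules(sastScanrules)
                            .build())
                    .build())
            .results(sastScanresultList)
            .build());
}

/** Builds the SARIF rule describing the vulnerability of {@code issue}. */
private Rule buildSastRule(ScanResults.XIssue issue) {
    String vulnerability = issue.getVulnerability();
    Map<?, ?> additionalDetails = issue.getAdditionalDetails();
    Object recommendedFix = additionalDetails == null ? null : additionalDetails.get(RECOMMENDED_FIX);
    // The recommended-fix value and the result link are embedded in the help markdown verbatim.
    String helpMarkdown = String.format("[%s Details](%s) <br />" + "[Results](%s)",
            vulnerability,
            recommendedFix == null ? "" : recommendedFix,
            issue.getLink());
    String helpText = recommendedFix == null ? "Fix not available." : (String) recommendedFix;
    String cwe = issue.getCwe();
    // Without a CWE the tag is left out rather than failing the whole run on a null concat.
    List<String> tags = cwe == null
            ? Collections.singletonList("security")
            : Arrays.asList("security", "external/cwe/cwe-" + cwe);
    return Rule.builder()
            .id(vulnerability)
            .name(vulnerability)
            .shortDescription(ShortDescription.builder().text(vulnerability).build())
            .fullDescription(FullDescription.builder().text(vulnerability).build())
            .help(Help.builder().markdown(helpMarkdown).text(helpText).build())
            .properties(Properties.builder()
                    .tags(tags)
                    .securitySeverity(lookupOrDefault(
                            properties.getSecuritySeverityMap(), issue.getSeverity(), DEFAULT_SEVERITY))
                    .build())
            .build();
}

/** Builds the SARIF result for {@code issue}; {@code index} numbers its artifact location. */
private Result buildSastResult(ScanResults.XIssue issue, int index) {
    List<Location> locations = new ArrayList<>();
    issue.getDetails().forEach((k, v) -> {
        /* Sarif format does not support 0 as line number */
        k = (k == 0) ? 1 : k;
        if (!v.isFalsePositive()) {
            locations.add(Location.builder()
                    .physicalLocation(PhysicalLocation.builder()
                            .artifactLocation(ArtifactLocation.builder()
                                    .uri(issue.getFilename())
                                    .uriBaseId("%SRCROOT%")
                                    .index(index)
                                    .build())
                            .region(Region.builder().startLine(k).endLine(k).build())
                            .build())
                    .message(Message.builder()
                            .text(StringUtils.isEmpty(v.getCodeSnippet()) ? "Code Snippet" : v.getCodeSnippet())
                            .build())
                    .build());
        }
    });
    // Every location is also reported as one thread-flow step inside a single code flow.
    List<ThreadFlowLocation> threadFlowLocations = locations.stream()
            .map(location -> ThreadFlowLocation.builder().location(location).build())
            .collect(Collectors.toList());
    List<ThreadFlow> threadFlows = new ArrayList<>();
    threadFlows.add(ThreadFlow.builder().locations(threadFlowLocations).build());
    List<CodeFlow> codeFlows = new ArrayList<>();
    codeFlows.add(CodeFlow.builder().threadFlows(threadFlows).build());
    return Result.builder()
            .level(lookupOrDefault(properties.getSeverityMap(), issue.getSeverity(), DEFAULT_LEVEL))
            .locations(locations)
            .codeFlows(codeFlows)
            .message(Message.builder()
                    .text(StringUtils.isEmpty(issue.getDescription()) ? issue.getVulnerability() : issue.getDescription())
                    .build())
            .ruleId(issue.getVulnerability())
            .build();
}

/** Returns the value mapped to {@code key}, or {@code fallback} when it is absent or {@code null}. */
private static <V> V lookupOrDefault(Map<?, V> map, Object key, V fallback) {
    V value = map.get(key);
    return value != null ? value : fallback;
}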

Example 4 with ScanResults

use of com.checkmarx.sdk.dto.ScanResults in project cx-flow by checkmarx-ltd.

The class CxFlowRunner, method publishLatestScanResults.

/**
 * Fetches the latest results from the active scanners for {@code request} and hands them to
 * result processing.
 *
 * @param request the scan request identifying the project whose results are wanted
 * @throws ExitThrowable propagated from the result pipeline (declared by one of the helpers
 *     called here; which one is not visible in this listing)
 */
private void publishLatestScanResults(ScanRequest request) throws ExitThrowable {
    processResults(request, runOnActiveScanners(scanner -> scanner.getLatestScanResults(request)));
}

Example 5 with ScanResults

use of com.checkmarx.sdk.dto.ScanResults in project cx-flow by checkmarx-ltd.

The class ScaFiltersSteps, method scanResults.

/**
 * Cucumber step: runs an SCA scan of the filters test repository and keeps its SCA results
 * for the assertions in the following steps.
 */
@When("SCA runs a new scan on Filters-Tests-Repo which contains 8 vulnerabilities results")
public void scanResults() {
    // Build the request only now, so every scaProperties change from earlier steps is already applied.
    ScanRequest request = getBasicScanRequest(PROJECT_NAME, GIT_REPO_URL);
    ScanResults results = Objects.requireNonNull(scaScanner.scan(request));
    scaResults = results.getScaResults();
}
