Use of com.checkmarx.sdk.dto.ScanResults in project cx-flow by checkmarx-ltd.
The class IssueService, method process.
/**
 * Reconciles the XIssues in {@code results} against the issues already tracked by the
 * custom bug-tracker bean named in {@code request}: issues that already exist are updated,
 * closed (when every finding is a false positive) or skipped (when carrying the tracker's
 * false-positive label), new ones are created, and tracked issues that are absent from the
 * results are closed. A tracker HTTP error on one issue is logged and the remaining issues
 * are still processed.
 *
 * @param results scan results whose XIssues drive the reconciliation
 * @param request scan request carrying the bug-tracker configuration
 * @throws MachinaException if the tracker type is not CUSTOM but a custom bean name is set
 * @throws MachinaRuntimeException if the named bean cannot be loaded or does not implement IssueTracker
 */
public void process(ScanResults results, ScanRequest request) throws MachinaException {
    Map<String, ScanResults.XIssue> xMap;
    Map<String, Issue> iMap;
    List<String> newIssues = new ArrayList<>();
    List<String> updatedIssues = new ArrayList<>();
    List<String> closedIssues = new ArrayList<>();
    BugTracker bugTracker = request.getBugTracker();
    // The bean name is taken from the request's bug-tracker configuration, not from a fixed constant.
    String customBean = bugTracker.getCustomBean();
    // NOTE(review): only a bean name on a non-CUSTOM tracker is rejected here; a CUSTOM tracker with an
    // empty name is not checked and surfaces from getBean() below — confirm this is the intended guard.
    if (!bugTracker.getType().equals(BugTracker.Type.CUSTOM) && !ScanUtils.empty(customBean)) {
        throw new MachinaException("A valid custom bean must be used here.");
    }
    try {
        // Bean lookup by the request-supplied name; the cast (ClassCastException handled below)
        // restricts what can be selected to beans that implement IssueTracker.
        IssueTracker tracker = (IssueTracker) context.getBean(customBean);
        tracker.init(request, results);
        String fpLabel = tracker.getFalsePositiveLabel();
        codeBashingService.createLessonsMap();
        log.info("Processing Issues with custom bean {}", customBean);
        List<Issue> issues = tracker.getIssues(request);
        if (issues == null) {
            issues = Collections.emptyList();
        }
        // Keyed views: xMap = findings from this scan, iMap = issues the tracker already holds.
        xMap = this.getXIssueMap(tracker, results, request);
        iMap = this.getIssueMap(tracker, issues, request);
        for (Map.Entry<String, ScanResults.XIssue> xIssue : xMap.entrySet()) {
            try {
                String fileUrl;
                ScanResults.XIssue currentIssue = xIssue.getValue();
                codeBashingService.addCodebashingUrlToIssue(currentIssue);
                /*Issue already exists -> update and comment*/
                if (iMap.containsKey(xIssue.getKey())) {
                    Issue i = iMap.get(xIssue.getKey());
                    if (xIssue.getValue().isAllFalsePositive()) {
                        // All issues are false positive, so issue should be closed
                        Issue fpIssue; // unused local, kept as-is
                        log.debug("All issues are false positives");
                        if (properties.isListFalsePositives()) {
                            // Update the ticket if flag is set
                            log.debug("Issue is being updated to reflect false positive references. Updating issue with key {}", xIssue.getKey());
                            tracker.updateIssue(i, currentIssue, request);
                        }
                        if (tracker.isIssueOpened(i, request)) {
                            /*Close the issue if in an open state*/
                            log.info("Closing issue with key {}", i.getId());
                            tracker.closeIssue(i, request);
                            closedIssues.add(i.getId());
                        }
                    } else if (!i.getLabels().contains(fpLabel)) {
                        /*Ignore any with label indicating false positive*/
                        log.info("Issue still exists. Updating issue with key {}", xIssue.getKey());
                        fileUrl = ScanUtils.getFileUrl(request, currentIssue.getFilename());
                        currentIssue.setGitUrl(fileUrl);
                        Issue updatedIssue = tracker.updateIssue(i, currentIssue, request);
                        // A null return from the tracker is treated as "nothing updated".
                        if (updatedIssue != null) {
                            updatedIssues.add(updatedIssue.getId());
                            log.debug("Update completed for issue #{}", updatedIssue.getId());
                        }
                    } else {
                        log.info("Skipping issue marked as false positive with key {}", xIssue.getKey());
                    }
                } else {
                    /*Create the new issue*/
                    if (!xIssue.getValue().isAllFalsePositive()) {
                        fileUrl = ScanUtils.getFileUrl(request, currentIssue.getFilename());
                        xIssue.getValue().setGitUrl(fileUrl);
                        log.info("Creating new issue with key {}", xIssue.getKey());
                        Issue newIssue = tracker.createIssue(xIssue.getValue(), request);
                        if (newIssue != null) {
                            newIssues.add(newIssue.getId());
                            log.info("New issue created. #{}", newIssue.getId());
                        }
                    }
                }
            } catch (HttpClientErrorException e) {
                // One failing issue must not stop the remaining issues from being processed.
                log.error("Error occurred while processing issue with key {}", xIssue.getKey(), e);
            }
        }
        /*Check if an issue exists in GitLab but not within results and close if not*/
        for (Map.Entry<String, Issue> issueMap : iMap.entrySet()) {
            String key = issueMap.getKey();
            Issue issue = issueMap.getValue();
            try {
                if (!xMap.containsKey(key) && tracker.isIssueOpened(issue, request)) {
                    /*Close the issue*/
                    tracker.closeIssue(issue, request);
                    closedIssues.add(issue.getId());
                    log.info("Closing issue #{} with key {}", issue.getId(), key);
                }
            } catch (HttpClientErrorException e) {
                log.error("Error occurred while processing issue with key {}", key, e);
            }
        }
        // NOTE(review): issuesMap is populated but never read, returned or passed on — it looks like
        // dead code (or a summary that was meant to reach complete()); confirm before removing.
        Map<String, List<String>> issuesMap = new HashMap<>();
        issuesMap.put("new", newIssues);
        issuesMap.put("updated", updatedIssues);
        issuesMap.put("closed", closedIssues);
        tracker.complete(request, results);
    } catch (BeansException e) {
        // The cause is logged here but not attached to the exception that is thrown.
        log.error("Specified bug tracker bean was not found or properly loaded.", e);
        throw new MachinaRuntimeException();
    } catch (ClassCastException e) {
        // Reached when the named bean exists but is not an IssueTracker.
        log.error("Bean must implement the IssueTracker Interface", e);
        throw new MachinaRuntimeException();
    }
}
Use of com.checkmarx.sdk.dto.ScanResults in project cx-flow by checkmarx-ltd.
The class FlowService, method runScanRequest.
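/**
 * Runs every scanner in {@code scanners} against {@code scanRequest}, merges whatever
 * results were produced into a single {@link ScanResults} and publishes the merge.
 * A scanner that throws is logged and skipped so the remaining scanners still run.
 *
 * @param scanRequest the request handed to each scanner
 * @param scanners scanners to run, in list order
 */
private void runScanRequest(ScanRequest scanRequest, List<VulnerabilityScanner> scanners) {
    ScanResults combinedResults = new ScanResults();
    for (VulnerabilityScanner scanner : scanners) {
        try {
            combinedResults.mergeWith(scanner.scan(scanRequest));
        } catch (Exception scannerFailure) {
            // Best-effort by design: keep the other scanners running, but attach the
            // exception so the failure is diagnosable instead of a bare one-line warning.
            log.warn("Scan failed. Continuing with other scanners.", scannerFailure);
        }
    }
    resultsService.publishCombinedResults(scanRequest, combinedResults);
}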
Use of com.checkmarx.sdk.dto.ScanResults in project cx-flow by checkmarx-ltd.
The class SarifIssueTracker, method generateSastResults.
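/**
 * Appends one SARIF run for the SAST findings in {@code results} to {@code run}.
 * Rules are emitted once per distinct vulnerability name, results once per XIssue,
 * each result carrying one location per detail line that is not a false positive.
 * XIssues with no vulnerability name, or marked entirely false positive, are skipped.
 *
 * @param results scan results providing the XIssues
 * @param run list the built {@link SarifVulnerability} is appended to
 */
private void generateSastResults(ScanResults results, List<SarifVulnerability> run) {
    List<Result> sastScanresultList = Lists.newArrayList();
    List<ScanResults.XIssue> filteredXIssues = results.getXIssues().stream()
            .filter(x -> x.getVulnerability() != null)
            .filter(x -> !x.isAllFalsePositive())
            .collect(Collectors.toList());
    // Distinct list of Vulns (Rules). Derived from the already-filtered issues so that a
    // vulnerability whose first occurrence is all-false-positive still gets a rule when a
    // later occurrence produces a result; otherwise that result's ruleId would reference
    // a rule that is missing from the run.
    List<ScanResults.XIssue> filteredByVulns = filteredXIssues.stream()
            .collect(Collectors.toCollection(() -> new TreeSet<>(Comparator.comparing(ScanResults.XIssue::getVulnerability))))
            .stream()
            .collect(Collectors.toList());
    // Build the collection of the rules objects (Vulnerabilities)
    List<Rule> sastScanrules = filteredByVulns.stream()
            .map(i -> {
                // Recommended fix is looked up once; it feeds both the markdown and the text help.
                // It is written verbatim from the scanner's additional details, with no markdown escaping.
                Object recommendedFix = i.getAdditionalDetails().get(RECOMMENDED_FIX);
                return Rule.builder()
                        .id(i.getVulnerability())
                        .name(i.getVulnerability())
                        .shortDescription(ShortDescription.builder().text(i.getVulnerability()).build())
                        .fullDescription(FullDescription.builder().text(i.getVulnerability()).build())
                        .help(Help.builder()
                                .markdown(String.format("[%s Details](%s) <br />" + "[Results](%s)",
                                        i.getVulnerability(),
                                        (recommendedFix == null) ? "" : recommendedFix,
                                        i.getLink()))
                                .text((String) ((recommendedFix == null) ? "Fix not available." : recommendedFix))
                                .build())
                        .properties(Properties.builder()
                                // NOTE(review): concat throws NPE if getCwe() is null — confirm cwe is always set.
                                .tags(Arrays.asList("security", "external/cwe/cwe-".concat(i.getCwe())))
                                .securitySeverity(properties.getSecuritySeverityMap().get(i.getSeverity()) != null
                                        ? properties.getSecuritySeverityMap().get(i.getSeverity())
                                        : DEFAULT_SEVERITY)
                                .build())
                        .build();
            })
            .collect(Collectors.toList());
    // All issues to create the results/locations that are not all false positive
    AtomicInteger count = new AtomicInteger();
    filteredXIssues.forEach(issue -> {
        int i = count.getAndIncrement();
        List<Location> locations = Lists.newArrayList();
        issue.getDetails().forEach((k, v) -> {
            /* Sarif format does not support 0 as line number */
            k = (k == 0) ? 1 : k;
            if (!v.isFalsePositive()) {
                locations.add(Location.builder()
                        .physicalLocation(PhysicalLocation.builder()
                                .artifactLocation(ArtifactLocation.builder()
                                        .uri(issue.getFilename())
                                        .uriBaseId("%SRCROOT%")
                                        .index(i)
                                        .build())
                                .region(Region.builder().startLine(k).endLine(k).build())
                                .build())
                        .message(Message.builder()
                                .text(StringUtils.isEmpty(v.getCodeSnippet()) ? "Code Snippet" : v.getCodeSnippet())
                                .build())
                        .build());
            }
        });
        // Every location is also reported as a single thread flow inside a single code flow.
        List<ThreadFlowLocation> threadFlowLocations = Lists.newArrayList();
        locations.forEach(location -> threadFlowLocations.add(ThreadFlowLocation.builder().location(location).build()));
        List<ThreadFlow> threadFlows = Lists.newArrayList();
        threadFlows.add(ThreadFlow.builder().locations(threadFlowLocations).build());
        List<CodeFlow> codeFlows = Lists.newArrayList();
        codeFlows.add(CodeFlow.builder().threadFlows(threadFlows).build());
        // Build collection of the results -> locations
        sastScanresultList.add(Result.builder()
                .level(properties.getSeverityMap().get(issue.getSeverity()) != null
                        ? properties.getSeverityMap().get(issue.getSeverity())
                        : DEFAULT_LEVEL)
                .locations(locations)
                .codeFlows(codeFlows)
                .message(Message.builder()
                        .text(StringUtils.isEmpty(issue.getDescription()) ? issue.getVulnerability() : issue.getDescription())
                        .build())
                .ruleId(issue.getVulnerability())
                .build());
    });
    run.add(SarifVulnerability.builder()
            .tool(Tool.builder()
                    .driver(Driver.builder()
                            .name(properties.getSastScannerName())
                            .organization(properties.getSastOrganization())
                            .semanticVersion(properties.getSemanticVersion())
                            .rules(sastScanrules)
                            .build())
                    .build())
            .results(sastScanresultList)
            .build());
}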
Use of com.checkmarx.sdk.dto.ScanResults in project cx-flow by checkmarx-ltd.
The class CxFlowRunner, method publishLatestScanResults.
/**
 * Fetches the latest scan results from the active scanners and hands them straight to
 * {@code processResults}.
 *
 * @param request scan request identifying the project whose latest results are wanted
 * @throws ExitThrowable as declared by the calls this method delegates to
 */
private void publishLatestScanResults(ScanRequest request) throws ExitThrowable {
    processResults(request, runOnActiveScanners(scanner -> scanner.getLatestScanResults(request)));
}
Use of com.checkmarx.sdk.dto.ScanResults in project cx-flow by checkmarx-ltd.
The class ScaFiltersSteps, method scanResults.
/**
 * Cucumber step: runs an SCA scan against the filters test repository and keeps its SCA
 * results in {@code scaResults} for the steps that follow.
 */
@When("SCA runs a new scan on Filters-Tests-Repo which contains 8 vulnerabilities results")
public void scanResults() {
    // The request is built only here, after all changes to scaProperties are done.
    ScanRequest request = getBasicScanRequest(PROJECT_NAME, GIT_REPO_URL);
    scaResults = Objects.requireNonNull(scaScanner.scan(request)).getScaResults();
}