
Example 16 with ScanResults

use of com.checkmarx.sdk.dto.ScanResults in project checkmarx-spring-boot-java-sdk by checkmarx-ltd.

the class CxServiceTest method getReportContent.

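/**
 * Parses the bundled ScanReport.xml fixture offline (no legacy SOAP login) and
 * checks the issue counts the fixture is expected to yield.
 *
 * @throws CheckmarxException propagated so JUnit reports the real stack trace
 *                            instead of a generic "Unexpected Exception" failure
 */
@Test
public void getReportContent() throws CheckmarxException {
    properties.setOffline(true);
    // Fail with a clear message when the fixture is missing from the test classpath
    // rather than with an NPE from getResource(...).getFile().
    assertNotNull("ScanReport.xml must be on the test classpath",
            getClass().getClassLoader().getResource("ScanReport.xml"));
    File file = new File(getClass().getClassLoader().getResource("ScanReport.xml").getFile());
    ScanResults results = service.getReportContent(file, null);
    assertNotNull(results);
    List<ScanResults.XIssue> falsePositiveIssues = results.getXIssues().stream()
            .filter(x -> x.getFalsePositiveCount() > 0)
            .collect(Collectors.toList());
    assertEquals(2, falsePositiveIssues.size());
    assertEquals("Command_Injection", falsePositiveIssues.get(0).getVulnerability());
    // Constant-first equalsIgnoreCase stays null-safe if an issue lacks a vulnerability or severity.
    List<ScanResults.XIssue> highSqlInjectionIssues = results.getXIssues().stream()
            .filter(x -> "SQL_INJECTION".equalsIgnoreCase(x.getVulnerability())
                    && "HIGH".equalsIgnoreCase(x.getSeverity()))
            .collect(Collectors.toList());
    assertEquals(3, highSqlInjectionIssues.size());
}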
Also used : ArgumentMatchers.any(org.mockito.ArgumentMatchers.any) CxProperties(com.checkmarx.sdk.config.CxProperties) ScanResults(com.checkmarx.sdk.dto.ScanResults) RunWith(org.junit.runner.RunWith) Autowired(org.springframework.beans.factory.annotation.Autowired) Import(org.springframework.context.annotation.Import) Test(org.junit.Test) Mockito.when(org.mockito.Mockito.when) Collectors(java.util.stream.Collectors) File(java.io.File) CheckmarxException(com.checkmarx.sdk.exception.CheckmarxException) HttpStatus(org.springframework.http.HttpStatus) HttpClientErrorException(org.springframework.web.client.HttpClientErrorException) List(java.util.List) SpringConfiguration(com.checkmarx.sdk.config.SpringConfiguration) SpringBootTest(org.springframework.boot.test.context.SpringBootTest) CxAuthService(com.checkmarx.sdk.service.CxAuthService) CxService(com.checkmarx.sdk.service.CxService) Qualifier(org.springframework.beans.factory.annotation.Qualifier) CxLegacyService(com.checkmarx.sdk.service.CxLegacyService) SpringRunner(org.springframework.test.context.junit4.SpringRunner) Assert(org.junit.Assert) RestTemplate(org.springframework.web.client.RestTemplate) MockBean(org.springframework.boot.test.mock.mockito.MockBean) ScanResults(com.checkmarx.sdk.dto.ScanResults) CheckmarxException(com.checkmarx.sdk.exception.CheckmarxException) File(java.io.File) Test(org.junit.Test) SpringBootTest(org.springframework.boot.test.context.SpringBootTest)

Example 17 with ScanResults

use of com.checkmarx.sdk.dto.ScanResults in project checkmarx-spring-boot-java-sdk by checkmarx-ltd.

the class GoScanner method getReportContentByScanId.

/**
 * Assembles the {@link ScanResults} DTO for one CxGo scan: the SAST findings (with a
 * per-severity count summary) and the SCA findings/packages, each run through
 * {@code filter}, plus the portal deep links for the scan.
 *
 * @param scanId id of the scan whose results are fetched
 * @param filter filter configuration applied to SAST and SCA findings
 * @return the assembled results; the SAST and SCA sections are only populated when the
 *         corresponding engine returned a (possibly empty) result list
 * @throws CheckmarxException propagated from the underlying CxGo calls
 */
@Override
public ScanResults getReportContentByScanId(Integer scanId, FilterConfiguration filter) throws CheckmarxException {
    ScanResults.ScanResultsBuilder builder = ScanResults.builder();
    Scan scan = getScanDetails(scanId);
    Integer projectId = scan.getProjectId();
    Integer buId = scan.getBusinessUnitId();
    Integer appId = scan.getApplicationId();
    GoScanResults engineResults = getScanResults(scanId);
    List<ScanResults.XIssue> xIssues = new ArrayList<>();

    // SAST section: absent when the engine returned nothing at all or no SAST list.
    List<SASTScanResult> sastResults = engineResults == null ? null : engineResults.getSast();
    if (sastResults != null) {
        Map<String, OdScanResultItem> resultDetails = getScanResultsPage(projectId, scanId);
        Map<String, Integer> countsBySeverity = new HashMap<>();
        log.debug("SAST finding count before filtering: {}", sastResults.size());
        log.info("Processing SAST results");
        sastResults.stream()
                .filter(applySastFilter(resultDetails, filter))
                .forEach(sastResult -> handleSastIssue(xIssues, sastResult, resultDetails, projectId, scanId, countsBySeverity));
        CxScanSummary sastSummary = getCxScanSummary(scan);
        Map<String, Object> flowSummary = new HashMap<>();
        flowSummary.put(Constants.SUMMARY_KEY, countsBySeverity);
        flowSummary.put(Constants.SCAN_ID_KEY, scanId);
        builder.additionalDetails(flowSummary);
        builder.scanSummary(sastSummary);
    }

    // SCA section: ignored raw results are dropped before the configured filter runs.
    List<SCAScanResult> scaRawResults = engineResults == null ? null : engineResults.getSca();
    if (scaRawResults != null) {
        logRawScaScanResults(scaRawResults);
        List<Finding> findings = new ArrayList<>();
        List<Package> packages = new ArrayList<>();
        log.info("Processing SCA results");
        scaRawResults.stream()
                .filter(scaRawResult -> !scaRawResult.isIgnored())
                .filter(applyScaFilter(filter))
                .forEach(scaRawResult -> handleScaIssue(xIssues, findings, packages, scaRawResult));
        logFindings(findings);
        logPackages(packages);
        SCAResults sca = new SCAResults();
        sca.setFindings(findings);
        sca.setPackages(packages);
        if (!scaRawResults.isEmpty()) {
            sca.setScanId(scaRawResults.get(0).getScanId().toString());
        }
        Summary scaSummary = getScaScanSummary(scan);
        sca.setSummary(scaSummary);
        sca.setWebReportLink(buildPortalDeepLink(SCA_DEEP_LINK, buId, appId, projectId, scanId));
        builder.scaResults(sca);
    }

    builder.xIssues(xIssues);
    builder.projectId(projectId.toString());
    builder.link(buildPortalDeepLink(DEEP_LINK, buId, appId, projectId, scanId));
    return builder.build();
}

/**
 * Formats a CxGo portal deep link: the configured portal URL followed by the given
 * path template, filled with the business unit, application, project and scan ids.
 */
private String buildPortalDeepLink(String pathTemplate, Integer buId, Integer appId, Integer projectId, Integer scanId) {
    String urlTemplate = cxGoProperties.getPortalUrl().concat(pathTemplate);
    return String.format(urlTemplate, buId, appId, projectId, scanId);
}
Also used : ScanResults(com.checkmarx.sdk.dto.ScanResults) SCAResults(com.checkmarx.sdk.dto.sca.SCAResults) CxScanSummary(com.checkmarx.sdk.dto.cx.CxScanSummary) Finding(com.checkmarx.sdk.dto.sca.report.Finding) Summary(com.checkmarx.sdk.dto.sca.Summary) CxScanSummary(com.checkmarx.sdk.dto.cx.CxScanSummary) JSONObject(org.json.JSONObject) Package(com.checkmarx.sdk.dto.sca.report.Package)

Example 18 with ScanResults

use of com.checkmarx.sdk.dto.ScanResults in project checkmarx-spring-boot-java-sdk by checkmarx-ltd.

the class CxService method getReportContent.

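/**
 * Retrieve the report by reportId, mapped to ScanResults DTO, applying filtering as requested.
 * <p>
 * The report XML is downloaded from the Checkmarx REST API, any bytes preceding the first
 * {@code <} are stripped, the text is sanitised and then unmarshalled through a StAX reader
 * with DTDs and external entities disabled. A first unmarshal failure is retried once with the
 * alternative sanitiser; the raw response is also written to {@code CX_<reportId>} in the
 * working directory for diagnosis.
 *
 * @param reportId id of the Checkmarx report to download
 * @param filter   filter configuration applied to the issues
 * @return the mapped results; the raw XML is attached via {@code setOutput} when
 *         {@code cxProperties.getPreserveXml()} is set
 * @throws CheckmarxException on an HTTP error status, a null response body, an XML/JAXB
 *                            parsing error, or an unexpected NullPointerException while mapping
 */
@Override
public ScanResults getReportContent(Integer reportId, FilterConfiguration filter) throws CheckmarxException {
    HttpHeaders headers = authClient.createAuthHeaders();
    headers.setContentType(MediaType.APPLICATION_XML);
    HttpEntity<String> httpEntity = new HttpEntity<>(headers);
    String session = null;
    try {
        /* login to legacy SOAP CX Client to retrieve description */
        session = authClient.getLegacySession();
    } catch (InvalidCredentialsException e) {
        log.error("Error occurring while logging into Legacy SOAP based WebService - issue description will remain blank");
    }
    log.info("Retrieving report contents of report Id {} in XML format", reportId);
    try {
        ResponseEntity<String> resultsXML = restTemplate.exchange(cxProperties.getUrl().concat(REPORT_DOWNLOAD), HttpMethod.GET, httpEntity, String.class, reportId);
        String xml = resultsXML.getBody();
        // Reject an empty body up front instead of letting it surface as an NPE further down.
        if (xml == null) {
            log.error("CX Response for report {} was null", reportId);
            throw new CheckmarxException("CX report was empty (null)");
        }
        log.debug(REPORT_LENGTH_MESSAGE, xml.length());
        log.debug("Headers: {}", resultsXML.getHeaders().toSingleValueMap());
        log.info("Report downloaded for report Id {}", reportId);
        /*Remove any chars before the start xml tag*/
        xml = xml.trim().replaceFirst("^([\\W]+)<", "<");
        log.debug(REPORT_LENGTH_MESSAGE, xml.length());
        String xml2 = ScanUtils.cleanStringUTF8_2(xml);
        log.trace("XML2: {}", xml2);
        /* protect against XXE: every parse below goes through this factory, which has DTDs and external entities disabled */
        JAXBContext jc = JAXBContext.newInstance(CxXMLResultsType.class);
        XMLInputFactory xif = XMLInputFactory.newInstance();
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, false);
        List<ScanResults.XIssue> xIssueList = new ArrayList<>();
        CxXMLResultsType cxResults;
        try {
            cxResults = unmarshalCxResults(jc, xif, xml2);
        } catch (UnmarshalException e) {
            log.warn("Issue occurred performing unmashall step - trying again {}", ExceptionUtils.getMessage(e));
            // Keep the raw server response on disk so a malformed report can be inspected after the fact.
            log.error("Writing raw response from CX to {}", "CX_".concat(String.valueOf(reportId)));
            ScanUtils.writeByte("CX_".concat(String.valueOf(reportId)), resultsXML.getBody().getBytes(java.nio.charset.StandardCharsets.UTF_8));
            // Second attempt with the alternative sanitiser; a failure here propagates to the outer catch.
            xml2 = ScanUtils.cleanStringUTF8(xml);
            cxResults = unmarshalCxResults(jc, xif, xml2);
        }
        ScanResults.ScanResultsBuilder cxScanBuilder = ScanResults.builder();
        cxScanBuilder.projectId(cxResults.getProjectId());
        cxScanBuilder.team(cxResults.getTeam());
        cxScanBuilder.project(cxResults.getProjectName());
        cxScanBuilder.link(cxResults.getDeepLink());
        cxScanBuilder.files(cxResults.getFilesScanned());
        cxScanBuilder.loc(cxResults.getLinesOfCodeScanned());
        cxScanBuilder.scanType(cxResults.getScanType());
        Map<String, Integer> summary = getIssues(filter, session, xIssueList, cxResults);
        cxScanBuilder.xIssues(xIssueList);
        cxScanBuilder.additionalDetails(getAdditionalScanDetails(cxResults));
        CxScanSummary scanSummary = getScanSummaryByScanId(Integer.valueOf(cxResults.getScanId()));
        cxScanBuilder.scanSummary(scanSummary);
        ScanResults results = cxScanBuilder.build();
        // Add the summary map (severity, count)
        results.getAdditionalDetails().put(Constants.SUMMARY_KEY, summary);
        if (cxProperties.getPreserveXml()) {
            results.setOutput(xml);
        }
        return results;
    } catch (HttpStatusCodeException e) {
        log.error("HTTP Status Code of {} while getting downloading report contents of report Id {}", e.getStatusCode(), reportId);
        log.error(ExceptionUtils.getStackTrace(e));
        // Plain concatenation: a "{}" placeholder is only expanded by the logger, not by String.concat.
        throw new CheckmarxException("Error while processing scan results for report Id ".concat(reportId.toString()));
    } catch (XMLStreamException | JAXBException e) {
        log.error(ERROR_WITH_XML_REPORT);
        log.error(ExceptionUtils.getStackTrace(e));
        throw new CheckmarxException(ERROR_PROCESSING_RESULTS.concat(reportId.toString()));
    } catch (NullPointerException e) {
        log.info("Null Error");
        log.error(ExceptionUtils.getStackTrace(e));
        throw new CheckmarxException(ERROR_PROCESSING_RESULTS.concat(reportId.toString()));
    }
}

/**
 * Unmarshals sanitised report text into {@link CxXMLResultsType} through the hardened StAX
 * reader built from {@code xif}.
 *
 * @param jc  JAXB context for {@link CxXMLResultsType}
 * @param xif StAX factory with DTD / external-entity support already disabled
 * @param xml sanitised report text
 * @return the parsed report
 * @throws XMLStreamException if the StAX reader cannot be created
 * @throws JAXBException      if unmarshalling fails (including {@link UnmarshalException})
 */
private static CxXMLResultsType unmarshalCxResults(JAXBContext jc, XMLInputFactory xif, String xml) throws XMLStreamException, JAXBException {
    // Encode explicitly: getBytes() without a charset uses the platform default, which can
    // corrupt non-ASCII report text on JVMs whose default encoding is not UTF-8.
    InputStream xmlStream = new ByteArrayInputStream(xml.getBytes(java.nio.charset.StandardCharsets.UTF_8));
    XMLStreamReader xsr = xif.createXMLStreamReader(xmlStream);
    Unmarshaller unmarshaller = jc.createUnmarshaller();
    return (CxXMLResultsType) unmarshaller.unmarshal(xsr);
}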
Also used : XMLStreamReader(javax.xml.stream.XMLStreamReader) ScanResults(com.checkmarx.sdk.dto.ScanResults) CheckmarxException(com.checkmarx.sdk.exception.CheckmarxException) JAXBContext(javax.xml.bind.JAXBContext) HttpStatusCodeException(org.springframework.web.client.HttpStatusCodeException) UnmarshalException(javax.xml.bind.UnmarshalException) Unmarshaller(javax.xml.bind.Unmarshaller) ByteArrayInputStream(java.io.ByteArrayInputStream) InputStream(java.io.InputStream) JAXBException(javax.xml.bind.JAXBException) XMLStreamException(javax.xml.stream.XMLStreamException) InvalidCredentialsException(com.checkmarx.sdk.exception.InvalidCredentialsException) ByteArrayInputStream(java.io.ByteArrayInputStream) XMLInputFactory(javax.xml.stream.XMLInputFactory)

Example 19 with ScanResults

use of com.checkmarx.sdk.dto.ScanResults in project checkmarx-spring-boot-java-sdk by checkmarx-ltd.

the class CxService method getReportContent.

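/**
 * Parse CX report file, mapped to ScanResults DTO, applying filtering as requested.
 * <p>
 * The file is parsed through a StAX reader configured with DTDs and external entities
 * disabled, so the XXE hardening actually governs the parse. Calling
 * {@code Unmarshaller.unmarshal(File)} directly would let JAXB build its own parser and
 * silently bypass those settings.
 *
 * @param file   report XML file; must not be null
 * @param filter filter configuration applied to the issues
 * @return the mapped results; the scan summary is only attached when not offline and the
 *         report carries a scan id
 * @throws CheckmarxException when the file is null, cannot be read, or cannot be parsed
 */
public ScanResults getReportContent(File file, FilterConfiguration filter) throws CheckmarxException {
    if (file == null) {
        throw new CheckmarxException("File not provided for processing of results");
    }
    String session = null;
    try {
        if (!cxProperties.getOffline()) {
            session = authClient.getLegacySession();
        }
    } catch (InvalidCredentialsException e) {
        log.error("Error occurring while logging into Legacy SOAP based WebService - issue description will remain blank");
    }
    try {
        /* protect against XXE */
        JAXBContext jc = JAXBContext.newInstance(CxXMLResultsType.class);
        XMLInputFactory xif = XMLInputFactory.newInstance();
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, false);
        Unmarshaller unmarshaller = jc.createUnmarshaller();
        List<ScanResults.XIssue> issueList = new ArrayList<>();
        CxXMLResultsType cxResults;
        // Route the parse through the hardened factory above; unmarshal(File) would ignore xif.
        try (InputStream fileStream = java.nio.file.Files.newInputStream(file.toPath())) {
            XMLStreamReader xsr = xif.createXMLStreamReader(fileStream);
            cxResults = (CxXMLResultsType) unmarshaller.unmarshal(xsr);
        }
        ScanResults.ScanResultsBuilder cxScanBuilder = ScanResults.builder();
        cxScanBuilder.projectId(cxResults.getProjectId());
        cxScanBuilder.team(cxResults.getTeam());
        cxScanBuilder.project(cxResults.getProjectName());
        cxScanBuilder.link(cxResults.getDeepLink());
        cxScanBuilder.files(cxResults.getFilesScanned());
        cxScanBuilder.loc(cxResults.getLinesOfCodeScanned());
        cxScanBuilder.scanType(cxResults.getScanType());
        Map<String, Integer> summary = getIssues(filter, session, issueList, cxResults);
        cxScanBuilder.xIssues(issueList);
        cxScanBuilder.additionalDetails(getAdditionalScanDetails(cxResults));
        ScanResults results = cxScanBuilder.build();
        // The summary lookup is a server call, so it is skipped offline or when the report has no scan id.
        if (!cxProperties.getOffline() && !ScanUtils.empty(cxResults.getScanId())) {
            CxScanSummary scanSummary = getScanSummaryByScanId(Integer.valueOf(cxResults.getScanId()));
            results.setScanSummary(scanSummary);
        }
        results.getAdditionalDetails().put(Constants.SUMMARY_KEY, summary);
        return results;
    } catch (XMLStreamException | JAXBException | java.io.IOException e) {
        log.error(ERROR_WITH_XML_REPORT);
        log.error(ExceptionUtils.getStackTrace(e));
        throw new CheckmarxException(ERROR_PROCESSING_SCAN_RESULTS);
    } catch (NullPointerException e) {
        log.info("Null error");
        log.error(ExceptionUtils.getStackTrace(e));
        throw new CheckmarxException(ERROR_PROCESSING_SCAN_RESULTS);
    }
}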
Also used : ScanResults(com.checkmarx.sdk.dto.ScanResults) CheckmarxException(com.checkmarx.sdk.exception.CheckmarxException) JAXBException(javax.xml.bind.JAXBException) JAXBContext(javax.xml.bind.JAXBContext) InvalidCredentialsException(com.checkmarx.sdk.exception.InvalidCredentialsException) Unmarshaller(javax.xml.bind.Unmarshaller) XMLInputFactory(javax.xml.stream.XMLInputFactory)

Example 20 with ScanResults

use of com.checkmarx.sdk.dto.ScanResults in project checkmarx-spring-boot-java-sdk by checkmarx-ltd.

the class CxGoServiceIT method completeScanFlow.

/**
 * End-to-end CxGo flow: resolve the team and project, start a Git scan, wait for it to
 * finish, and pull the High-severity results. Does nothing unless a client secret is
 * configured. Kept {@code @Ignore}d because it only works on Windows.
 *
 * @throws CheckmarxException propagated from the service calls
 */
@Test
// works only on Windows
@Ignore
public void completeScanFlow() throws CheckmarxException {
    login();
    if (!StringUtils.isNotEmpty(properties.getClientSecret())) {
        return;
    }
    String teamId = service.getTeamId(properties.getTeam());
    Integer projectId = service.getProjectId(teamId, GO_PROJECT_NAME);

    CxScanParams scanParams = new CxScanParams();
    scanParams.setProjectName(GO_PROJECT_NAME);
    scanParams.setTeamId(teamId);
    scanParams.setProjectId(projectId);
    scanParams.setGitUrl("https://github.com/Custodela/Riches.git");
    scanParams.setBranch("refs/heads/master");
    scanParams.setSourceType(CxScanParams.Type.GIT);

    // run the scan and wait for it to finish
    Integer scanId = service.createScan(scanParams, "CxFlow Scan");
    service.waitForScanCompletion(scanId);

    // generate the results, keeping only High-severity findings
    Filter highOnly = new Filter(Filter.Type.SEVERITY, "High");
    FilterConfiguration filterConfiguration = FilterConfiguration.fromSimpleFilters(Collections.singletonList(highOnly));
    ScanResults results = service.getReportContentByScanId(scanId, filterConfiguration);
    assertNotNull(results);
}
Also used : CxScanParams(com.checkmarx.sdk.dto.cx.CxScanParams) Filter(com.checkmarx.sdk.dto.sast.Filter) ScanResults(com.checkmarx.sdk.dto.ScanResults) FilterConfiguration(com.checkmarx.sdk.dto.filtering.FilterConfiguration) Ignore(org.junit.Ignore) Test(org.junit.Test) SpringBootTest(org.springframework.boot.test.context.SpringBootTest)

Aggregations

ScanResults (com.checkmarx.sdk.dto.ScanResults)58 MachinaException (com.checkmarx.flow.exception.MachinaException)17 ScanRequest (com.checkmarx.flow.dto.ScanRequest)16 CheckmarxException (com.checkmarx.sdk.exception.CheckmarxException)14 When (io.cucumber.java.en.When)9 MachinaRuntimeException (com.checkmarx.flow.exception.MachinaRuntimeException)6 CxScanSummary (com.checkmarx.sdk.dto.cx.CxScanSummary)6 FilterConfiguration (com.checkmarx.sdk.dto.filtering.FilterConfiguration)6 ExecutionException (java.util.concurrent.ExecutionException)5 TimeoutException (java.util.concurrent.TimeoutException)5 BugTracker (com.checkmarx.flow.dto.BugTracker)4 ScanParams (com.checkmarx.sdk.dto.ast.ScanParams)4 Filter (com.checkmarx.sdk.dto.sast.Filter)4 Test (org.junit.Test)4 SpringBootTest (org.springframework.boot.test.context.SpringBootTest)4 JiraClientException (com.checkmarx.flow.exception.JiraClientException)3 CxScanParams (com.checkmarx.sdk.dto.cx.CxScanParams)3 Finding (com.checkmarx.sdk.dto.sca.report.Finding)3 Package (com.checkmarx.sdk.dto.sca.report.Package)3 IOException (java.io.IOException)3