use of com.checkmarx.sdk.dto.ScanResults in project checkmarx-spring-boot-java-sdk by checkmarx-ltd.
the class CxServiceTest method getReportContent.
/**
 * Parses the bundled {@code ScanReport.xml} fixture in offline mode and checks the
 * counts mapped into {@link ScanResults}: two issues carrying false positives (the first
 * being Command_Injection) and three HIGH SQL_INJECTION issues.
 */
@Test
public void getReportContent() {
    // offline: no legacy SOAP session is requested while parsing the fixture
    properties.setOffline(true);
    String reportPath = getClass().getClassLoader().getResource("ScanReport.xml").getFile();
    File reportFile = new File(reportPath);
    try {
        ScanResults results = service.getReportContent(reportFile, null);
        assertNotNull(results);

        List<ScanResults.XIssue> falsePositiveIssues = results.getXIssues().stream()
                .filter(issue -> issue.getFalsePositiveCount() > 0)
                .collect(Collectors.toList());
        assertEquals(2, falsePositiveIssues.size());
        assertEquals("Command_Injection", falsePositiveIssues.get(0).getVulnerability());

        long highSqlInjectionCount = results.getXIssues().stream()
                .filter(issue -> issue.getVulnerability().equalsIgnoreCase("SQL_INJECTION"))
                .filter(issue -> issue.getSeverity().equalsIgnoreCase("HIGH"))
                .count();
        assertEquals(3, highSqlInjectionCount);
    } catch (CheckmarxException e) {
        fail("Unexpected Exception");
    }
}
use of com.checkmarx.sdk.dto.ScanResults in project checkmarx-spring-boot-java-sdk by checkmarx-ltd.
the class GoScanner method getReportContentByScanId.
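/**
 * Builds the {@link ScanResults} for a CxGo scan from the SAST and SCA engine output.
 * <p>
 * The SAST section (filtered findings plus a per-severity summary) and the SCA section
 * (findings, packages, summary and deep link) are each added only when the corresponding
 * engine returned a result list; the project deep link is always set.
 *
 * @param scanId CxGo scan identifier
 * @param filter filter configuration applied to SAST and SCA findings
 * @return populated results for the scan
 * @throws CheckmarxException propagated from the scan detail and result lookups
 */
@Override
public ScanResults getReportContentByScanId(Integer scanId, FilterConfiguration filter) throws CheckmarxException {
    ScanResults.ScanResultsBuilder results = ScanResults.builder();
    Scan scan = getScanDetails(scanId);
    Integer projectId = scan.getProjectId();
    Integer buId = scan.getBusinessUnitId();
    Integer appId = scan.getApplicationId();
    GoScanResults resultFromAllEngines = getScanResults(scanId);
    List<ScanResults.XIssue> xIssues = new ArrayList<>();

    // SAST
    List<SASTScanResult> mainResultInfos = Optional.ofNullable(resultFromAllEngines)
            .map(GoScanResults::getSast)
            .orElse(null);
    if (mainResultInfos != null) {
        appendSastResults(results, xIssues, mainResultInfos, scan, projectId, scanId, filter);
    }

    // SCA
    List<SCAScanResult> rawScanResults = Optional.ofNullable(resultFromAllEngines)
            .map(GoScanResults::getSca)
            .orElse(null);
    if (rawScanResults != null) {
        appendScaResults(results, xIssues, rawScanResults, scan, buId, appId, projectId, scanId, filter);
    }

    results.xIssues(xIssues);
    // NOTE(review): a null project id on the scan surfaces here as an NPE — confirm getScanDetails guarantees it
    results.projectId(projectId.toString());
    String urlTemplate = cxGoProperties.getPortalUrl().concat(DEEP_LINK);
    String deepLink = String.format(urlTemplate, buId, appId, projectId, scanId);
    results.link(deepLink);
    return results.build();
}

/**
 * Filters the SAST findings, maps them onto {@code xIssues} and records the per-severity
 * summary, the scan id and the scan summary on the builder.
 */
private void appendSastResults(ScanResults.ScanResultsBuilder results, List<ScanResults.XIssue> xIssues,
                               List<SASTScanResult> mainResultInfos, Scan scan, Integer projectId,
                               Integer scanId, FilterConfiguration filter) throws CheckmarxException {
    Map<String, OdScanResultItem> additionalResultInfos = getScanResultsPage(projectId, scanId);
    Map<String, Integer> issuesBySeverity = new HashMap<>();
    log.debug("SAST finding count before filtering: {}", mainResultInfos.size());
    log.info("Processing SAST results");
    mainResultInfos.stream()
            .filter(applySastFilter(additionalResultInfos, filter))
            .forEach(mainResultInfo -> handleSastIssue(xIssues, mainResultInfo, additionalResultInfos,
                    projectId, scanId, issuesBySeverity));
    CxScanSummary scanSummary = getCxScanSummary(scan);
    Map<String, Object> flowSummary = new HashMap<>();
    flowSummary.put(Constants.SUMMARY_KEY, issuesBySeverity);
    flowSummary.put(Constants.SCAN_ID_KEY, scanId);
    results.additionalDetails(flowSummary);
    results.scanSummary(scanSummary);
}

/**
 * Drops ignored SCA results, applies the filter, maps the rest onto {@code xIssues},
 * findings and packages, and attaches the SCA results (summary and deep link included)
 * to the builder.
 */
private void appendScaResults(ScanResults.ScanResultsBuilder results, List<ScanResults.XIssue> xIssues,
                              List<SCAScanResult> rawScanResults, Scan scan, Integer buId, Integer appId,
                              Integer projectId, Integer scanId, FilterConfiguration filter) throws CheckmarxException {
    logRawScaScanResults(rawScanResults);
    List<Finding> findings = new ArrayList<>();
    List<Package> packages = new ArrayList<>();
    log.info("Processing SCA results");
    rawScanResults.stream()
            .filter(rawScanResult -> !rawScanResult.isIgnored())
            .filter(applyScaFilter(filter))
            .forEach(rawScanResult -> handleScaIssue(xIssues, findings, packages, rawScanResult));
    logFindings(findings);
    logPackages(packages);
    SCAResults scaResults = new SCAResults();
    scaResults.setFindings(findings);
    scaResults.setPackages(packages);
    if (!rawScanResults.isEmpty()) {
        // the scan id is taken from the first raw result; presumably all results share it
        scaResults.setScanId(rawScanResults.get(0).getScanId().toString());
    }
    Summary summary = getScaScanSummary(scan);
    scaResults.setSummary(summary);
    String urlTemplate = cxGoProperties.getPortalUrl().concat(SCA_DEEP_LINK);
    String scaDeepLink = String.format(urlTemplate, buId, appId, projectId, scanId);
    scaResults.setWebReportLink(scaDeepLink);
    results.scaResults(scaResults);
}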
use of com.checkmarx.sdk.dto.ScanResults in project checkmarx-spring-boot-java-sdk by checkmarx-ltd.
the class CxService method getReportContent.
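/**
 * Retrieves the report by reportId, mapped to the ScanResults DTO, applying filtering as requested.
 * <p>
 * The report XML is downloaded over REST, stripped of any characters before the first tag,
 * passed through {@code ScanUtils.cleanStringUTF8_2} and unmarshalled via an
 * {@link XMLInputFactory} with DTD support and external entities disabled (XXE protection).
 * When the first unmarshal fails, the raw response is written to a local {@code CX_<reportId>}
 * file and the parse is retried once using {@code ScanUtils.cleanStringUTF8}.
 *
 * @param reportId Checkmarx report identifier
 * @param filter   filter configuration applied while mapping issues
 * @return the mapped results; the raw XML is kept in {@code output} when {@code preserveXml} is enabled
 * @throws CheckmarxException on HTTP errors, XML/JAXB failures, a null response body, or an NPE during mapping
 */
@Override
public ScanResults getReportContent(Integer reportId, FilterConfiguration filter) throws CheckmarxException {
    HttpHeaders headers = authClient.createAuthHeaders();
    headers.setContentType(MediaType.APPLICATION_XML);
    HttpEntity<?> httpEntity = new HttpEntity<>(headers);
    String session = null;
    try {
        /* login to legacy SOAP CX Client to retrieve description */
        session = authClient.getLegacySession();
    } catch (InvalidCredentialsException e) {
        log.error("Error occurring while logging into Legacy SOAP based WebService - issue description will remain blank");
    }
    log.info("Retrieving report contents of report Id {} in XML format", reportId);
    try {
        ResponseEntity<String> resultsXML = restTemplate.exchange(cxProperties.getUrl().concat(REPORT_DOWNLOAD),
                HttpMethod.GET, httpEntity, String.class, reportId);
        String xml = resultsXML.getBody();
        log.debug(REPORT_LENGTH_MESSAGE, xml.length());
        log.debug("Headers: {}", resultsXML.getHeaders().toSingleValueMap());
        log.info("Report downloaded for report Id {}", reportId);
        /* Remove any chars before the start xml tag */
        xml = xml.trim().replaceFirst("^([\\W]+)<", "<");
        log.debug(REPORT_LENGTH_MESSAGE, xml.length());
        String xml2 = ScanUtils.cleanStringUTF8_2(xml);
        log.trace("XML2: {}", xml2);
        // encode explicitly as UTF-8 so the parser sees the same bytes on every platform
        // instead of whatever the JVM default charset happens to be
        InputStream xmlStream = new ByteArrayInputStream(xml2.getBytes(java.nio.charset.StandardCharsets.UTF_8));
        /* protect against XXE: all parsing goes through this locked-down factory */
        JAXBContext jc = JAXBContext.newInstance(CxXMLResultsType.class);
        XMLInputFactory xif = XMLInputFactory.newInstance();
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, false);
        List<ScanResults.XIssue> xIssueList = new ArrayList<>();
        CxXMLResultsType cxResults;
        try {
            XMLStreamReader xsr = xif.createXMLStreamReader(xmlStream);
            Unmarshaller unmarshaller = jc.createUnmarshaller();
            cxResults = (CxXMLResultsType) unmarshaller.unmarshal(xsr);
        } catch (UnmarshalException e) {
            log.warn("Issue occurred performing unmashall step - trying again {}", ExceptionUtils.getMessage(e));
            if (resultsXML.getBody() != null) {
                // the full raw server response is dumped to the working directory for diagnosis
                log.error("Writing raw response from CX to {}", "CX_".concat(String.valueOf(reportId)));
                ScanUtils.writeByte("CX_".concat(String.valueOf(reportId)),
                        resultsXML.getBody().getBytes(java.nio.charset.StandardCharsets.UTF_8));
                // second attempt with the alternative cleaner, same XXE-safe factory
                xml2 = ScanUtils.cleanStringUTF8(xml);
                xmlStream = new ByteArrayInputStream(xml2.getBytes(java.nio.charset.StandardCharsets.UTF_8));
                XMLStreamReader xsr = xif.createXMLStreamReader(xmlStream);
                Unmarshaller unmarshaller = jc.createUnmarshaller();
                cxResults = (CxXMLResultsType) unmarshaller.unmarshal(xsr);
            } else {
                log.error("CX Response for report {} was null", reportId);
                throw new CheckmarxException("CX report was empty (null)");
            }
        }
        ScanResults.ScanResultsBuilder cxScanBuilder = ScanResults.builder();
        cxScanBuilder.projectId(cxResults.getProjectId());
        cxScanBuilder.team(cxResults.getTeam());
        cxScanBuilder.project(cxResults.getProjectName());
        cxScanBuilder.link(cxResults.getDeepLink());
        cxScanBuilder.files(cxResults.getFilesScanned());
        cxScanBuilder.loc(cxResults.getLinesOfCodeScanned());
        cxScanBuilder.scanType(cxResults.getScanType());
        // session may be null here; descriptions then stay blank (see the legacy login above)
        Map<String, Integer> summary = getIssues(filter, session, xIssueList, cxResults);
        cxScanBuilder.xIssues(xIssueList);
        cxScanBuilder.additionalDetails(getAdditionalScanDetails(cxResults));
        CxScanSummary scanSummary = getScanSummaryByScanId(Integer.valueOf(cxResults.getScanId()));
        cxScanBuilder.scanSummary(scanSummary);
        ScanResults results = cxScanBuilder.build();
        // Add the summary map (severity, count)
        results.getAdditionalDetails().put(Constants.SUMMARY_KEY, summary);
        if (cxProperties.getPreserveXml()) {
            results.setOutput(xml);
        }
        return results;
    } catch (HttpStatusCodeException e) {
        log.error("HTTP Status Code of {} while getting downloading report contents of report Id {}", e.getStatusCode(), reportId);
        log.error(ExceptionUtils.getStackTrace(e));
        // the message is built with concat, so no "{}" placeholder belongs in it
        throw new CheckmarxException("Error while processing scan results for report Id ".concat(reportId.toString()));
    } catch (XMLStreamException | JAXBException e) {
        log.error(ERROR_WITH_XML_REPORT);
        log.error(ExceptionUtils.getStackTrace(e));
        throw new CheckmarxException(ERROR_PROCESSING_RESULTS.concat(reportId.toString()));
    } catch (NullPointerException e) {
        log.info("Null Error");
        log.error(ExceptionUtils.getStackTrace(e));
        throw new CheckmarxException(ERROR_PROCESSING_RESULTS.concat(reportId.toString()));
    }
}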
use of com.checkmarx.sdk.dto.ScanResults in project checkmarx-spring-boot-java-sdk by checkmarx-ltd.
the class CxService method getReportContent.
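/**
 * Parses a CX XML report file, mapped to the ScanResults DTO, applying filtering as requested.
 * <p>
 * The file is read through an {@link XMLInputFactory} with DTD support and external entities
 * disabled so the report cannot trigger XXE. Unmarshalling the {@link File} directly would
 * bypass that factory and use JAXB's default parser, so the file is always wrapped in an
 * {@link XMLStreamReader} created from it.
 *
 * @param file   report XML file
 * @param filter filter configuration applied while mapping issues
 * @return mapped results; the scan summary is only fetched when not offline and the report carries a scan id
 * @throws CheckmarxException if the file is null or cannot be read, or the XML cannot be parsed or mapped
 */
public ScanResults getReportContent(File file, FilterConfiguration filter) throws CheckmarxException {
    if (file == null) {
        throw new CheckmarxException("File not provided for processing of results");
    }
    String session = null;
    try {
        // the legacy SOAP session only supplies issue descriptions; skipped entirely when offline
        if (!cxProperties.getOffline()) {
            session = authClient.getLegacySession();
        }
    } catch (InvalidCredentialsException e) {
        log.error("Error occurring while logging into Legacy SOAP based WebService - issue description will remain blank");
    }
    try {
        /* protect against XXE: parse only via this factory, never unmarshal(File) */
        JAXBContext jc = JAXBContext.newInstance(CxXMLResultsType.class);
        XMLInputFactory xif = XMLInputFactory.newInstance();
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, false);
        Unmarshaller unmarshaller = jc.createUnmarshaller();
        List<ScanResults.XIssue> issueList = new ArrayList<>();
        CxXMLResultsType cxResults;
        try (InputStream reportStream = new java.io.FileInputStream(file)) {
            XMLStreamReader xsr = xif.createXMLStreamReader(reportStream);
            cxResults = (CxXMLResultsType) unmarshaller.unmarshal(xsr);
        }
        ScanResults.ScanResultsBuilder cxScanBuilder = ScanResults.builder();
        cxScanBuilder.projectId(cxResults.getProjectId());
        cxScanBuilder.team(cxResults.getTeam());
        cxScanBuilder.project(cxResults.getProjectName());
        cxScanBuilder.link(cxResults.getDeepLink());
        cxScanBuilder.files(cxResults.getFilesScanned());
        cxScanBuilder.loc(cxResults.getLinesOfCodeScanned());
        cxScanBuilder.scanType(cxResults.getScanType());
        // session may be null (offline or failed login); descriptions then stay blank
        Map<String, Integer> summary = getIssues(filter, session, issueList, cxResults);
        cxScanBuilder.xIssues(issueList);
        cxScanBuilder.additionalDetails(getAdditionalScanDetails(cxResults));
        ScanResults results = cxScanBuilder.build();
        if (!cxProperties.getOffline() && !ScanUtils.empty(cxResults.getScanId())) {
            CxScanSummary scanSummary = getScanSummaryByScanId(Integer.valueOf(cxResults.getScanId()));
            results.setScanSummary(scanSummary);
        }
        // Add the summary map (severity, count)
        results.getAdditionalDetails().put(Constants.SUMMARY_KEY, summary);
        return results;
    } catch (JAXBException | XMLStreamException e) {
        log.error(ERROR_WITH_XML_REPORT);
        log.error(ExceptionUtils.getStackTrace(e));
        throw new CheckmarxException(ERROR_PROCESSING_SCAN_RESULTS);
    } catch (java.io.IOException e) {
        // opening or closing the report file failed
        log.error(ERROR_WITH_XML_REPORT);
        log.error(ExceptionUtils.getStackTrace(e));
        throw new CheckmarxException(ERROR_PROCESSING_SCAN_RESULTS);
    } catch (NullPointerException e) {
        log.info("Null error");
        log.error(ExceptionUtils.getStackTrace(e));
        throw new CheckmarxException(ERROR_PROCESSING_SCAN_RESULTS);
    }
}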
use of com.checkmarx.sdk.dto.ScanResults in project checkmarx-spring-boot-java-sdk by checkmarx-ltd.
the class CxGoServiceIT method completeScanFlow.
/**
 * End-to-end CxGo flow: resolve team and project, launch a Git scan, wait for it to finish
 * and fetch the report filtered to High severity. Does nothing unless a client secret is
 * configured.
 */
@Test
// works only on Windows
@Ignore
public void completeScanFlow() throws CheckmarxException {
    login();
    if (StringUtils.isEmpty(properties.getClientSecret())) {
        return;
    }
    String teamId = service.getTeamId(properties.getTeam());
    Integer projectId = service.getProjectId(teamId, GO_PROJECT_NAME);

    CxScanParams params = new CxScanParams();
    params.setProjectName(GO_PROJECT_NAME);
    params.setTeamId(teamId);
    params.setProjectId(projectId);
    params.setGitUrl("https://github.com/Custodela/Riches.git");
    params.setBranch("refs/heads/master");
    params.setSourceType(CxScanParams.Type.GIT);

    // run the scan and wait for it to finish
    Integer scanId = service.createScan(params, "CxFlow Scan");
    service.waitForScanCompletion(scanId);

    // generate the results, keeping only High severity findings
    Filter highOnly = new Filter(Filter.Type.SEVERITY, "High");
    FilterConfiguration filterConfiguration =
            FilterConfiguration.fromSimpleFilters(Collections.singletonList(highOnly));
    ScanResults results = service.getReportContentByScanId(scanId, filterConfiguration);
    assertNotNull(results);
}