
Example 6 with EngineFilterConfiguration

use of com.checkmarx.sdk.dto.filtering.EngineFilterConfiguration in project cx-flow by checkmarx-ltd.

the class OsaScannerService method cxOsaParseResults.

/**
 * Reads an OSA report (results file plus libraries file), hands the parsed results to the
 * results service and, when break-build is enabled and issues remain after filtering,
 * interrupts the build.
 *
 * @param request scan request whose SAST simple filters (if any) are applied to the report;
 *                may be {@code null}, in which case no filters are applied
 * @param file    OSA results file
 * @param libs    OSA libraries file
 * @throws ExitThrowable when the build is interrupted or the report cannot be processed
 */
public void cxOsaParseResults(ScanRequest request, File file, File libs) throws ExitThrowable {
    try {
        // Walk the filter configuration one link at a time; a missing link at any
        // point leaves simpleFilters null, which is what the report reader receives.
        FilterConfiguration filterConfig = (request == null) ? null : request.getFilter();
        EngineFilterConfiguration sastConfig = (filterConfig == null) ? null : filterConfig.getSastFilters();
        List<Filter> simpleFilters = (sastConfig == null) ? null : sastConfig.getSimpleFilters();

        ScanResults results = cxService.getOsaReportContent(file, libs, simpleFilters);
        resultsService.processResults(request, results, scanDetails);

        // Break the build only when configured to and at least one issue survived filtering.
        boolean breakBuild = flowProperties.isBreakBuild();
        if (breakBuild && results != null) {
            boolean hasIssues = results.getXIssues() != null && !results.getXIssues().isEmpty();
            if (hasIssues) {
                log.error(ERROR_BREAK_MSG);
                exit(ExitCode.BUILD_INTERRUPTED);
            }
        }
    } catch (MachinaException | CheckmarxException e) {
        // Cause is kept in the log; the process then exits with a generic failure code.
        log.error("Error occurred while processing results file(s)", e);
        exit(3);
    }
}

Example 7 with EngineFilterConfiguration

use of com.checkmarx.sdk.dto.filtering.EngineFilterConfiguration in project checkmarx-spring-boot-java-sdk by checkmarx-ltd.

the class CxService method getIssues.

/**
 * Converts the SAST XML report into {@code XIssue} objects, applying the configured SAST
 * filters, and collects them into {@code cxIssueList}.
 *
 * @param filter determines which SAST findings will be mapped into XIssue-s; may be
 *               {@code null}, in which case {@code null} filters are passed to the validator.
 * @param session Checkmarx session used to fetch issue descriptions; when {@code null}
 *                no description lookup is made and descriptions are left empty.
 * @param cxIssueList list that will be populated during this method execution.
 * @param cxResults SAST-specific scan results based on SAST XML report.
 * @return the summary map; it is created empty here and handed to
 *         {@code prepareIssuesRemoveDuplicates} for each accepted result, which is
 *         presumably where it is filled in (verify in that method).
 */
private Map<String, Integer> getIssues(FilterConfiguration filter, String session, List<ScanResults.XIssue> cxIssueList, CxXMLResultsType cxResults) {
    Map<String, Integer> summary = new HashMap<>();
    // Null when no filter configuration (or no SAST section) was supplied.
    EngineFilterConfiguration sastFilters = Optional.ofNullable(filter).map(FilterConfiguration::getSastFilters).orElse(null);
    for (QueryType result : cxResults.getQuery()) {
        // NOTE(review): one builder is shared by all results of this query. Fields that are
        // set only on some paths below (similarityId is set only when the snippet lookup
        // succeeds) keep the value from an earlier result of the same query.
        ScanResults.XIssue.XIssueBuilder xIssueBuilder = ScanResults.XIssue.builder();
        /*Top node of each issue*/
        for (ResultType resultType : result.getResult()) {
            FilterInput filterInput = filterInputFactory.createFilterInputForCxSast(result, resultType);
            if (filterValidator.passesFilter(filterInput, sastFilters)) {
                // Anything other than the literal "FALSE" (case-insensitive) counts as a
                // false positive. A null FalsePositive attribute throws here, outside the
                // try/catch below, so it propagates to the caller.
                boolean falsePositive = false;
                if (!resultType.getFalsePositive().equalsIgnoreCase("FALSE")) {
                    falsePositive = true;
                }
                /*Map issue details*/
                xIssueBuilder.cwe(result.getCweId());
                xIssueBuilder.language(result.getLanguage());
                // Query-level severity, overwritten by the result-level severity a few lines down.
                xIssueBuilder.severity(result.getSeverity());
                xIssueBuilder.vulnerability(result.getName());
                xIssueBuilder.file(resultType.getFileName());
                xIssueBuilder.severity(resultType.getSeverity());
                xIssueBuilder.link(resultType.getDeepLink());
                xIssueBuilder.vulnerabilityStatus(cxProperties.getStateFullName(resultType.getState()));
                xIssueBuilder.queryId(result.getId());
                xIssueBuilder.groupBySeverity(cxProperties.getGroupBySeverity());
                // Add additional details
                Map<String, Object> additionalDetails = getAdditionalIssueDetails(result, resultType);
                xIssueBuilder.additionalDetails(additionalDetails);
                Map<Integer, ScanResults.IssueDetails> details = new HashMap<>();
                // NullPointerException is used as the "no path / snippet node" signal for the
                // whole block below, so a null anywhere in it (including inside
                // getIssueDescription) lands in the fallback branch. Other exceptions, e.g.
                // IndexOutOfBoundsException from get(0) on an empty node list or
                // NumberFormatException from the parse calls, are not caught here.
                try {
                    /* Call the CX SOAP Service to get Issue Description*/
                    if (session != null) {
                        try {
                            xIssueBuilder.description(this.getIssueDescription(session, Long.parseLong(cxResults.getScanId()), Long.parseLong(resultType.getPath().getPathId())));
                        } catch (HttpStatusCodeException e) {
                            // Description lookup failures are non-fatal; the issue is kept without one.
                            xIssueBuilder.description("");
                        }
                    } else {
                        xIssueBuilder.description("");
                    }
                    // Only the first path node's code line is used as the snippet.
                    String snippet = resultType.getPath().getPathNode().get(0).getSnippet().getLine().getCode();
                    // Bound the stored snippet to the configured length.
                    snippet = StringUtils.truncate(snippet, cxProperties.getCodeSnippetLength());
                    ScanResults.IssueDetails issueDetails = new ScanResults.IssueDetails().codeSnippet(snippet).comment(resultType.getRemark()).falsePositive(falsePositive);
                    // Keyed by the first path node's line number.
                    details.put(Integer.parseInt(resultType.getPath().getPathNode().get(0).getLine()), issueDetails);
                    xIssueBuilder.similarityId(resultType.getPath().getSimilarityId());
                } catch (NullPointerException e) {
                    log.warn("Problem grabbing snippet.  Snippet may not exist for finding for Node ID");
                    /*Defaulting to initial line number with no snippet*/
                    ScanResults.IssueDetails issueDetails = new ScanResults.IssueDetails().codeSnippet(null).comment(resultType.getRemark()).falsePositive(falsePositive);
                    // Fallback key: the result-level line rather than the path node's line.
                    details.put(Integer.parseInt(resultType.getLine()), issueDetails);
                }
                xIssueBuilder.details(details);
                ScanResults.XIssue issue = xIssueBuilder.build();
                prepareIssuesRemoveDuplicates(cxIssueList, resultType, details, falsePositive, issue, summary);
            }
        }
    }
    return summary;
}

Example 8 with EngineFilterConfiguration

use of com.checkmarx.sdk.dto.filtering.EngineFilterConfiguration in project checkmarx-spring-boot-java-sdk by checkmarx-ltd.

the class FilterValidatorTest method verifySimpleFilterResult.

/**
 * Builds a single SAST finding from the given attributes, runs it through the simple
 * filters and asserts whether it passes.
 *
 * @param filters        simple filters to apply
 * @param severity       query-level severity of the synthetic finding
 * @param status         result status of the synthetic finding
 * @param state          result state of the synthetic finding
 * @param name           query name
 * @param cweId          CWE id of the query
 * @param expectedResult whether the finding is expected to pass the filters
 */
private static void verifySimpleFilterResult(List<Filter> filters, String severity, String status, String state, String name, String cweId, boolean expectedResult) {
    ResultType sastFinding = createFinding(status, state);
    QueryType sastQuery = createFindingGroup(severity, name, cweId);

    FilterValidator validator = new FilterValidator();
    EngineFilterConfiguration config = EngineFilterConfiguration.builder()
            .simpleFilters(filters)
            .build();

    // Default properties are enough to build the filter input for a SAST finding.
    FilterInputFactory inputFactory = new FilterInputFactory(new CxProperties());
    FilterInput input = inputFactory.createFilterInputForCxSast(sastQuery, sastFinding);

    boolean actual = validator.passesFilter(input, config);
    assertEquals(expectedResult, actual, "Unexpected simple filtering result.");
}

Example 9 with EngineFilterConfiguration

use of com.checkmarx.sdk.dto.filtering.EngineFilterConfiguration in project checkmarx-spring-boot-java-sdk by checkmarx-ltd.

the class ScaScanner method extractFilterConfigFrom.

/**
 * Pulls the SCA filter configuration out of the scan parameters.
 *
 * @param scanParams scan parameters; may be {@code null}
 * @return the SCA filter configuration, or {@code null} when the parameters, their
 *         filter configuration or the SCA section is absent
 */
private static EngineFilterConfiguration extractFilterConfigFrom(ScanParams scanParams) {
    EngineFilterConfiguration scaFilters = null;
    if (scanParams != null) {
        FilterConfiguration filterConfiguration = scanParams.getFilterConfiguration();
        if (filterConfiguration != null) {
            scaFilters = filterConfiguration.getScaFilters();
        }
    }

    // Log the outcome either way so a missing configuration is visible at debug level.
    String message;
    if (scaFilters == null) {
        message = "No SCA filter configuration was found in {}";
    } else {
        message = "Found SCA filter configuration in {}";
    }
    log.debug(message, ScanParams.class.getSimpleName());
    return scaFilters;
}
