Example 1 with FilterInput

Use of com.checkmarx.sdk.dto.filtering.FilterInput in project checkmarx-spring-boot-java-sdk by checkmarx-ltd.

From the class FilterValidatorTest, method verifyScriptResult.

private static void verifyScriptResult(Script script, String severity, String status, String state, String name, String cweId, boolean expectedResult) {
    // Build a single SAST finding and its query (finding group) from the test parameters.
    ResultType finding = createFinding(status, state);
    QueryType findingGroup = createFindingGroup(severity, name, cweId);
    // Wrap the Groovy script as the script-based filter of an engine filter configuration.
    EngineFilterConfiguration filterConfiguration = createFilterConfiguration(script);
    FilterValidator validator = new FilterValidator();
    FilterInputFactory filterInputFactory = new FilterInputFactory(new CxProperties());
    FilterInput filterInput = filterInputFactory.createFilterInputForCxSast(findingGroup, finding);
    boolean actualResult = validator.passesFilter(filterInput, filterConfiguration);
    assertEquals(expectedResult, actualResult, "Unexpected script filtering result.");
}
Also used: com.checkmarx.sdk.config.CxProperties, com.checkmarx.sdk.dto.cx.xml.QueryType, com.checkmarx.sdk.dto.cx.xml.ResultType, com.checkmarx.sdk.dto.filtering.EngineFilterConfiguration, com.checkmarx.sdk.dto.filtering.FilterInput, com.checkmarx.sdk.service.FilterInputFactory, com.checkmarx.sdk.service.FilterValidator

Example 2 with FilterInput

Use of com.checkmarx.sdk.dto.filtering.FilterInput in project checkmarx-spring-boot-java-sdk by checkmarx-ltd.

From the class FilterValidatorTest, method validateExpectedError.

private void validateExpectedError(String scriptWithUnknownObject) {
    // The script references an object that does not exist in the filter input,
    // so evaluating it is expected to raise a Groovy error wrapped by the SDK.
    Script script = parse(scriptWithUnknownObject);
    QueryType findingGroup = createFindingGroup(SEVERITY_LOW, NAME1, CWE1);
    ResultType finding = createFinding(STATUS_NEW, STATE_URGENT_ID);
    EngineFilterConfiguration filterConfiguration = createFilterConfiguration(script);
    FilterValidator validator = new FilterValidator();
    try {
        FilterInputFactory filterInputFactory = new FilterInputFactory(new CxProperties());
        FilterInput filterInput = filterInputFactory.createFilterInputForCxSast(findingGroup, finding);
        validator.passesFilter(filterInput, filterConfiguration);
        // Fail explicitly if nothing is thrown; otherwise the assertions in the catch block never run
        // and the test passes vacuously (fail() is assumed to be statically imported like assertTrue).
        fail(String.format("Expected %s to be thrown.", CheckmarxRuntimeException.class));
    } catch (Exception e) {
        assertTrue(e instanceof CheckmarxRuntimeException, String.format("Expected %s to be thrown.", CheckmarxRuntimeException.class));
        assertTrue(e.getCause() instanceof GroovyRuntimeException, String.format("Expected exception cause to be %s", GroovyRuntimeException.class));
    }
}
Also used: com.checkmarx.sdk.config.CxProperties, com.checkmarx.sdk.dto.cx.xml.QueryType, com.checkmarx.sdk.dto.cx.xml.ResultType, com.checkmarx.sdk.dto.filtering.EngineFilterConfiguration, com.checkmarx.sdk.dto.filtering.FilterInput, com.checkmarx.sdk.exception.CheckmarxRuntimeException, com.checkmarx.sdk.service.FilterInputFactory, com.checkmarx.sdk.service.FilterValidator, groovy.lang.GroovyRuntimeException, groovy.lang.Script

Example 3 with FilterInput

Use of com.checkmarx.sdk.dto.filtering.FilterInput in project checkmarx-spring-boot-java-sdk by checkmarx-ltd.

From the class CxService, method getIssues.

/**
 * @param filter determines which SAST findings will be mapped into XIssue objects.
 * @param session SAST session used to look up issue descriptions; when null, descriptions are left empty.
 * @param cxIssueList list that will be populated during this method execution.
 * @param cxResults SAST-specific scan results based on the SAST XML report.
 * @return summary map populated by prepareIssuesRemoveDuplicates.
 */
private Map<String, Integer> getIssues(FilterConfiguration filter, String session, List<ScanResults.XIssue> cxIssueList, CxXMLResultsType cxResults) {
    Map<String, Integer> summary = new HashMap<>();
    EngineFilterConfiguration sastFilters = Optional.ofNullable(filter).map(FilterConfiguration::getSastFilters).orElse(null);
    for (QueryType result : cxResults.getQuery()) {
        ScanResults.XIssue.XIssueBuilder xIssueBuilder = ScanResults.XIssue.builder();
        /* Top node of each issue */
        for (ResultType resultType : result.getResult()) {
            // Filtering decision is made per finding, using both the query and the result node.
            FilterInput filterInput = filterInputFactory.createFilterInputForCxSast(result, resultType);
            if (filterValidator.passesFilter(filterInput, sastFilters)) {
                // Anything other than an explicit "FALSE" marks the finding as a false positive.
                boolean falsePositive = false;
                if (!resultType.getFalsePositive().equalsIgnoreCase("FALSE")) {
                    falsePositive = true;
                }
                /*Map issue details*/
                xIssueBuilder.cwe(result.getCweId());
                xIssueBuilder.language(result.getLanguage());
                xIssueBuilder.severity(result.getSeverity());
                xIssueBuilder.vulnerability(result.getName());
                xIssueBuilder.file(resultType.getFileName());
                xIssueBuilder.severity(resultType.getSeverity());
                xIssueBuilder.link(resultType.getDeepLink());
                xIssueBuilder.vulnerabilityStatus(cxProperties.getStateFullName(resultType.getState()));
                xIssueBuilder.queryId(result.getId());
                xIssueBuilder.groupBySeverity(cxProperties.getGroupBySeverity());
                // Add additional details
                Map<String, Object> additionalDetails = getAdditionalIssueDetails(result, resultType);
                xIssueBuilder.additionalDetails(additionalDetails);
                Map<Integer, ScanResults.IssueDetails> details = new HashMap<>();
                try {
                    /* Call the CX SOAP Service to get Issue Description*/
                    if (session != null) {
                        try {
                            xIssueBuilder.description(this.getIssueDescription(session, Long.parseLong(cxResults.getScanId()), Long.parseLong(resultType.getPath().getPathId())));
                        } catch (HttpStatusCodeException e) {
                            xIssueBuilder.description("");
                        }
                    } else {
                        xIssueBuilder.description("");
                    }
                    String snippet = resultType.getPath().getPathNode().get(0).getSnippet().getLine().getCode();
                    snippet = StringUtils.truncate(snippet, cxProperties.getCodeSnippetLength());
                    ScanResults.IssueDetails issueDetails = new ScanResults.IssueDetails().codeSnippet(snippet).comment(resultType.getRemark()).falsePositive(falsePositive);
                    details.put(Integer.parseInt(resultType.getPath().getPathNode().get(0).getLine()), issueDetails);
                    xIssueBuilder.similarityId(resultType.getPath().getSimilarityId());
                } catch (NullPointerException e) {
                    log.warn("Problem grabbing snippet.  Snippet may not exist for finding for Node ID");
                    /*Defaulting to initial line number with no snippet*/
                    ScanResults.IssueDetails issueDetails = new ScanResults.IssueDetails().codeSnippet(null).comment(resultType.getRemark()).falsePositive(falsePositive);
                    details.put(Integer.parseInt(resultType.getLine()), issueDetails);
                }
                xIssueBuilder.details(details);
                ScanResults.XIssue issue = xIssueBuilder.build();
                prepareIssuesRemoveDuplicates(cxIssueList, resultType, details, falsePositive, issue, summary);
            }
        }
    }
    return summary;
}
Also used: com.checkmarx.sdk.dto.ScanResults, com.checkmarx.sdk.dto.filtering.EngineFilterConfiguration, com.checkmarx.sdk.dto.filtering.FilterInput, org.json.JSONObject, org.springframework.web.client.HttpStatusCodeException

Example 4 with FilterInput

Use of com.checkmarx.sdk.dto.filtering.FilterInput in project checkmarx-spring-boot-java-sdk by checkmarx-ltd.

From the class FilterValidatorTest, method verifySimpleFilterResult.

private static void verifySimpleFilterResult(List<Filter> filters, String severity, String status, String state, String name, String cweId, boolean expectedResult) {
    ResultType finding = createFinding(status, state);
    QueryType findingGroup = createFindingGroup(severity, name, cweId);
    FilterValidator filterValidator = new FilterValidator();
    // Simple (non-script) filters are attached directly to the engine filter configuration.
    EngineFilterConfiguration filterConfiguration = EngineFilterConfiguration.builder().simpleFilters(filters).build();
    FilterInputFactory filterInputFactory = new FilterInputFactory(new CxProperties());
    FilterInput filterInput = filterInputFactory.createFilterInputForCxSast(findingGroup, finding);
    boolean passes = filterValidator.passesFilter(filterInput, filterConfiguration);
    assertEquals(expectedResult, passes, "Unexpected simple filtering result.");
}
Also used: com.checkmarx.sdk.config.CxProperties, com.checkmarx.sdk.dto.cx.xml.QueryType, com.checkmarx.sdk.dto.cx.xml.ResultType, com.checkmarx.sdk.dto.filtering.EngineFilterConfiguration, com.checkmarx.sdk.dto.filtering.FilterInput, com.checkmarx.sdk.service.FilterInputFactory, com.checkmarx.sdk.service.FilterValidator

Aggregations (number of examples above that use each type)

com.checkmarx.sdk.dto.filtering.EngineFilterConfiguration: 4
com.checkmarx.sdk.dto.filtering.FilterInput: 4
com.checkmarx.sdk.config.CxProperties: 3
com.checkmarx.sdk.dto.cx.xml.QueryType: 3
com.checkmarx.sdk.dto.cx.xml.ResultType: 3
com.checkmarx.sdk.service.FilterInputFactory: 3
com.checkmarx.sdk.service.FilterValidator: 3
com.checkmarx.sdk.dto.ScanResults: 1
com.checkmarx.sdk.exception.CheckmarxRuntimeException: 1
groovy.lang.GroovyRuntimeException: 1
groovy.lang.Script: 1
org.json.JSONObject: 1
org.springframework.web.client.HttpStatusCodeException: 1