
Example 6 with CxConfig

use of com.checkmarx.sdk.dto.sast.CxConfig in project cx-flow by checkmarx-ltd.

the class BitbucketCloudController method checkForConfigAsCode.

/**
 * Applies the repository's config-as-code override (if any) to the scan request.
 *
 * <p>The override is fetched through {@code bitbucketService} and merged by
 * {@code configOverrider}. The value returned by {@code overrideScanRequestProperties} is
 * discarded here, whereas GitHubController reassigns it — NOTE(review): confirm the overrider
 * mutates {@code request} in place, otherwise the override is lost for Bitbucket Cloud.
 *
 * @param request the scan request to enrich; it is passed to both collaborators
 */
private void checkForConfigAsCode(ScanRequest request) {
    configOverrider.overrideScanRequestProperties(
            bitbucketService.getCxConfigOverride(request), request);
}

Example 7 with CxConfig

use of com.checkmarx.sdk.dto.sast.CxConfig in project cx-flow by checkmarx-ltd.

the class GitHubController method pullRequest.

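/**
 * Handles a GitHub "pull_request" webhook event (JSON body).
 *
 * <p>Only the {@code opened}, {@code reopened} and {@code synchronize} actions lead to a scan; any
 * other action is acknowledged with HTTP 200 and no processing. The scan request is built from the
 * pull request head, merged with a config-as-code override fetched from the repository, and handed
 * to {@code flowService} when the target branch is applicable.
 *
 * <p>Ordering note: the payload is parsed and {@code initConfigProviderOnPullEvent} runs before the
 * HMAC signature is verified; the signature check happens before the scan request is built.
 *
 * @param body raw webhook payload; parsed here and also stored on the request as webhook metadata
 * @param signature value of the {@code SIGNATURE} header, checked against {@code body} by
 *     {@code verifyHmacSignature}
 * @param product optional product path segment; defaults to {@code ScanRequest.Product.CX}
 * @param controllerRequest query-string overrides (application, bug tracker, preset, ...); may be
 *     null and is normalised by {@code ensureNotNull}
 * @return a success response, or a bad-request response when an override value is invalid
 * @throws MachinaRuntimeException if the payload cannot be parsed as a {@code PullEvent}
 */
@PostMapping(value = { "/{product}", "/" }, headers = PULL)
public ResponseEntity<EventResponse> pullRequest(@RequestBody String body, @RequestHeader(value = SIGNATURE) String signature, @PathVariable(value = "product", required = false) String product, ControllerRequest controllerRequest) {
    String uid = helperService.getShortUid();
    MDC.put(FlowConstants.MAIN_MDC_ENTRY, uid);
    log.info("Processing GitHub PULL request");
    PullEvent event;
    ObjectMapper mapper = new ObjectMapper();
    Integer installationId = null;
    controllerRequest = ensureNotNull(controllerRequest);
    try {
        event = mapper.readValue(body, PullEvent.class);
    } catch (IOException e) {
        throw new MachinaRuntimeException(e);
    }
    // NOTE(review): runs on the parsed but not-yet-verified payload — confirm it performs no
    // stateful work driven by fields the sender controls.
    gitHubService.initConfigProviderOnPullEvent(uid, event);
    // verify message signature
    verifyHmacSignature(body, signature, controllerRequest);
    try {
        String action = event.getAction();
        // synchronize - happens when user pushes code into a branch for which a pull request exists
        if (!action.equalsIgnoreCase("opened") && !action.equalsIgnoreCase("reopened") && !action.equalsIgnoreCase("synchronize")) {
            log.info("Pull requested not processed.  Status was not opened ({})", action);
            return ResponseEntity.status(HttpStatus.OK).body(EventResponse.builder().message("No processing occurred for updates to Pull Request").success(true).build());
        }
        Repository repository = event.getRepository();
        String app = repository.getName();
        if (!ScanUtils.empty(controllerRequest.getApplication())) {
            app = controllerRequest.getApplication();
        }
        // By default, when a pull request is opened, use the current source control provider as a bug tracker
        // (GitHub in this case). Bug tracker from the config is not used, because we only want to notify the user
        // that their code has some issues. I.e. we don't want to open real issues in the "official" bug tracker yet.
        BugTracker.Type bugType = BugTracker.Type.GITHUBPULL;
        // However, if the bug tracker is overridden in the query string, use the override value.
        if (!ScanUtils.empty(controllerRequest.getBug())) {
            bugType = ScanUtils.getBugTypeEnum(controllerRequest.getBug(), flowProperties.getBugTrackerImpl());
        }
        // NOTE(review): this writes a per-request override into the shared flowProperties object,
        // so it is visible to other requests handled afterwards — confirm that is intended.
        if (controllerRequest.getAppOnly() != null) {
            flowProperties.setTrackApplicationOnly(controllerRequest.getAppOnly());
        }
        if (ScanUtils.empty(product)) {
            product = ScanRequest.Product.CX.getProduct();
        }
        // valueOf throws IllegalArgumentException for an unknown product; mapped to a 400 below
        ScanRequest.Product p = ScanRequest.Product.valueOf(product.toUpperCase(Locale.ROOT));
        PullRequest pullRequest = event.getPullRequest();
        String currentBranch = pullRequest.getHead().getRef();
        String targetBranch = pullRequest.getBase().getRef();
        List<String> branches = getBranches(controllerRequest, flowProperties);
        BugTracker bt = ScanUtils.getBugTracker(controllerRequest.getAssignee(), bugType, jiraProperties, controllerRequest.getBug());
        FilterConfiguration filter = filterFactory.getFilter(controllerRequest, flowProperties);
        Map<FindingSeverity, Integer> thresholdMap = getThresholds(controllerRequest);
        // build request object
        // head.repo can be absent on the payload; fall back to the base repository's clone URL
        String gitUrl = Optional.ofNullable(pullRequest.getHead().getRepo()).map(Repo::getCloneUrl).orElse(repository.getCloneUrl());
        // same fallback for the namespace: the original code dereferenced head.repo unconditionally here
        // and would have thrown a NullPointerException (not caught below) whenever the clone-URL fallback applied
        String namespace = Optional.ofNullable(pullRequest.getHead().getRepo())
                .map(r -> r.getOwner().getLogin())
                .orElse(repository.getOwner().getLogin())
                .replace(" ", "_");
        String token;
        String gitAuthUrl;
        log.info("Using url: {}", gitUrl);
        if (event.getInstallation() != null && event.getInstallation().getId() != null) {
            // GitHub App install: clone with a short-lived installation token
            installationId = event.getInstallation().getId();
            token = gitHubAppAuthService.getInstallationToken(installationId);
            token = FlowConstants.GITHUB_APP_CLONE_USER.concat(":").concat(token);
        } else {
            // Unlike pushRequest, an empty configured token is not rejected here; it is embedded as-is.
            token = scmConfigOverrider.determineConfigToken(properties, controllerRequest.getScmInstance());
        }
        // gitAuthUrl carries the credential; it must not be logged
        gitAuthUrl = gitAuthUrlGenerator.addCredToUrl(ScanRequest.Repository.GITHUB, gitUrl, token);
        ScanRequest request = ScanRequest.builder()
                .application(app)
                .product(p)
                .project(controllerRequest.getProject())
                .team(controllerRequest.getTeam())
                .namespace(namespace)
                .repoName(repository.getName())
                .repoUrl(repository.getCloneUrl())
                .repoUrlWithAuth(gitAuthUrl)
                .repoType(ScanRequest.Repository.GITHUB)
                .branch(currentBranch)
                .defaultBranch(repository.getDefaultBranch())
                .refs(Constants.CX_BRANCH_PREFIX.concat(currentBranch))
                .mergeNoteUri(pullRequest.getIssueUrl().concat("/comments"))
                .mergeTargetBranch(targetBranch)
                .email(null)
                .scanPreset(controllerRequest.getPreset())
                .incremental(controllerRequest.getIncremental())
                .excludeFolders(controllerRequest.getExcludeFolders())
                .excludeFiles(controllerRequest.getExcludeFiles())
                .bugTracker(bt)
                .filter(filter)
                .thresholds(thresholdMap)
                .organizationId(getOrganizationid(repository))
                .gitUrl(gitUrl)
                .hash(pullRequest.getHead().getSha())
                .build();
        setScmInstance(controllerRequest, request);
        // Check if an installation Id is provided and store it for later use
        if (installationId != null) {
            request.putAdditionalMetadata(FlowConstants.GITHUB_APP_INSTALLATION_ID, installationId.toString());
        }
        /*Check for Config as code (cx.config) and override*/
        CxConfig cxConfig = gitHubService.getCxConfigOverride(request);
        request = configOverrider.overrideScanRequestProperties(cxConfig, request);
        request.putAdditionalMetadata(HTMLHelper.WEB_HOOK_PAYLOAD, body);
        request.putAdditionalMetadata("statuses_url", pullRequest.getStatusesUrl());
        request.setId(uid);
        // only initiate scan/automation if target branch is applicable
        if (helperService.isBranch2Scan(request, branches)) {
            flowService.initiateAutomation(request);
        }
    } catch (IllegalArgumentException e) {
        return getBadRequestMessage(e, controllerRequest, product);
    }
    return getSuccessMessage();
}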

Example 8 with CxConfig

use of com.checkmarx.sdk.dto.sast.CxConfig in project cx-flow by checkmarx-ltd.

the class GitHubController method deleteBranchRequest.

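/**
 * Handles a GitHub "delete" webhook event (JSON body), along with the Product (cx for example).
 *
 * <p>Only branch deletions are acted on: the matching project is removed through
 * {@code flowService.deleteProject}. Tag deletions (or a payload without a ref type) are
 * acknowledged with HTTP 200 and no processing.
 *
 * <p>The payload is parsed and {@code flowProperties} is checked before the HMAC signature is
 * verified; the signature check precedes any project deletion.
 *
 * @param body raw webhook payload
 * @param signature value of the {@code SIGNATURE} header, checked against {@code body}
 * @param product optional product path segment; defaults to {@code ScanRequest.Product.CX}
 * @param application optional application override; defaults to the repository name
 * @param project optional project override
 * @param team optional team override
 * @return a success response
 * @throws MachinaRuntimeException if the payload cannot be parsed or {@code flowProperties} is null
 * @throws IllegalArgumentException if {@code product} is not a known {@code ScanRequest.Product}
 */
@PostMapping(value = { "/{product}", "/" }, headers = DELETE)
public ResponseEntity<EventResponse> deleteBranchRequest(@RequestBody String body, @RequestHeader(value = SIGNATURE) String signature, @PathVariable(value = "product", required = false) String product, @RequestParam(value = "application", required = false) String application, @RequestParam(value = "project", required = false) String project, @RequestParam(value = "team", required = false) String team) {
    String uid = helperService.getShortUid();
    MDC.put(FlowConstants.MAIN_MDC_ENTRY, uid);
    log.info("Processing GitHub DELETE Branch request");
    DeleteEvent event;
    ObjectMapper mapper = new ObjectMapper();
    try {
        event = mapper.readValue(body, DeleteEvent.class);
    } catch (NullPointerException | IOException | IllegalArgumentException e) {
        throw new MachinaRuntimeException(e);
    }
    if (flowProperties == null) {
        log.error("Properties have null values");
        throw new MachinaRuntimeException();
    }
    // verify message signature
    verifyHmacSignature(body, signature, null);
    // null-safe: a payload without ref_type previously threw a NullPointerException here
    if (!"branch".equalsIgnoreCase(event.getRefType())) {
        log.error("Nothing to do for delete tag");
        return ResponseEntity.status(HttpStatus.OK).body(EventResponse.builder().message("Nothing to do for delete tag").success(true).build());
    }
    String app = event.getRepository().getName();
    if (!ScanUtils.empty(application)) {
        app = application;
    }
    if (ScanUtils.empty(product)) {
        product = ScanRequest.Product.CX.getProduct();
    }
    // valueOf throws IllegalArgumentException for an unknown product; not caught in this handler
    ScanRequest.Product p = ScanRequest.Product.valueOf(product.toUpperCase(Locale.ROOT));
    String currentBranch = ScanUtils.getBranchFromRef(event.getRef());
    Repository repository = event.getRepository();
    // owner.name may be blank on the payload; fall back to the login
    String namespace;
    if (StringUtils.isBlank(repository.getOwner().getName())) {
        namespace = repository.getOwner().getLogin();
    } else {
        namespace = repository.getOwner().getName().replace(" ", "_");
    }
    ScanRequest request = ScanRequest.builder()
            .application(app)
            .product(p)
            .project(project)
            .team(team)
            .namespace(namespace)
            .repoName(repository.getName())
            .repoUrl(repository.getCloneUrl())
            .repoType(ScanRequest.Repository.NA)
            .branch(currentBranch)
            .defaultBranch(repository.getDefaultBranch())
            .refs(event.getRef())
            .build();
    request.setScanPresetOverride(false);
    // config-as-code (cx.config) override, so the project name resolves the same way as for scans
    CxConfig cxConfig = gitHubService.getCxConfigOverride(request);
    request = configOverrider.overrideScanRequestProperties(cxConfig, request);
    // Check if an installation Id is provided and store it for later use
    if (event.getInstallation() != null && event.getInstallation().getId() != null) {
        request.putAdditionalMetadata(FlowConstants.GITHUB_APP_INSTALLATION_ID, event.getInstallation().getId().toString());
    }
    // deletes a project which is not in the middle of a scan, otherwise it will not be deleted
    flowService.deleteProject(request);
    final String message = "Branch deletion event was handled successfully.";
    log.info(message);
    return ResponseEntity.status(HttpStatus.OK).body(EventResponse.builder().message(message).success(true).build());
}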

Example 9 with CxConfig

use of com.checkmarx.sdk.dto.sast.CxConfig in project cx-flow by checkmarx-ltd.

the class GitHubController method pushRequest.

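/**
 * Handles a GitHub "push" webhook event (JSON body), along with the Product (cx for example).
 *
 * <p>Push events flagged as {@code deleted} are ignored (the companion delete event is handled by
 * {@code deleteBranchRequest}). Otherwise a scan request is built for the pushed ref, merged with a
 * config-as-code override fetched from the repository, and handed to {@code flowService} when the
 * branch is applicable.
 *
 * <p>Ordering note: the payload is parsed and {@code initConfigProviderOnPushEvent} runs before the
 * HMAC signature is verified; the signature check happens before the scan request is built.
 *
 * @param body raw webhook payload; parsed here and also stored on the request as webhook metadata
 * @param signature value of the {@code SIGNATURE} header, checked against {@code body} by
 *     {@code verifyHmacSignature}
 * @param product optional product path segment; defaults to {@code ScanRequest.Product.CX}
 * @param controllerRequest query-string overrides (application, bug tracker, preset, ...); may be
 *     null and is normalised by {@code ensureNotNull}
 * @return a success response, or a bad-request response when an override value is invalid
 * @throws MachinaRuntimeException if the payload cannot be parsed, {@code flowProperties} is null,
 *     or no token is configured for a non-App installation
 */
@PostMapping(value = { "/{product}", "/" }, headers = PUSH)
public ResponseEntity<EventResponse> pushRequest(@RequestBody String body, @RequestHeader(value = SIGNATURE) String signature, @PathVariable(value = "product", required = false) String product, ControllerRequest controllerRequest) {
    String uid = helperService.getShortUid();
    MDC.put(FlowConstants.MAIN_MDC_ENTRY, uid);
    log.info("Processing GitHub PUSH request");
    PushEvent event;
    Integer installationId = null;
    ObjectMapper mapper = new ObjectMapper();
    controllerRequest = ensureNotNull(controllerRequest);
    try {
        event = mapper.readValue(body, PushEvent.class);
    } catch (NullPointerException | IOException | IllegalArgumentException e) {
        throw new MachinaRuntimeException(e);
    }
    // Delete event is triggering a push event that needs to be ignored
    if (event.getDeleted() != null && event.getDeleted()) {
        log.info("Push event is associated with a Delete branch event...ignoring request");
        return getSuccessMessage();
    }
    // NOTE(review): runs on the parsed but not-yet-verified payload — confirm it performs no
    // stateful work driven by fields the sender controls.
    gitHubService.initConfigProviderOnPushEvent(uid, event);
    if (flowProperties == null) {
        log.error("Properties have null values");
        throw new MachinaRuntimeException();
    }
    // verify message signature
    verifyHmacSignature(body, signature, controllerRequest);
    try {
        String app = event.getRepository().getName();
        if (!ScanUtils.empty(controllerRequest.getApplication())) {
            app = controllerRequest.getApplication();
        }
        // If user has pushed their changes into an important branch (e.g. master) and the code has some issues,
        // use the bug tracker from the config. As a result, "real" issues will be opened in the bug tracker and
        // not just notifications for the user. The "push" case also includes merging a pull request.
        // See the comment for the pullRequest method for further details.
        // However, if the bug tracker is overridden in the query string, use the override value.
        setBugTracker(flowProperties, controllerRequest);
        BugTracker.Type bugType = ScanUtils.getBugTypeEnum(controllerRequest.getBug(), flowProperties.getBugTrackerImpl());
        // NOTE(review): this writes a per-request override into the shared flowProperties object,
        // so it is visible to other requests handled afterwards — confirm that is intended.
        if (controllerRequest.getAppOnly() != null) {
            flowProperties.setTrackApplicationOnly(controllerRequest.getAppOnly());
        }
        if (ScanUtils.empty(product)) {
            product = ScanRequest.Product.CX.getProduct();
        }
        // valueOf throws IllegalArgumentException for an unknown product; mapped to a 400 below
        ScanRequest.Product p = ScanRequest.Product.valueOf(product.toUpperCase(Locale.ROOT));
        // determine branch (without refs)
        String currentBranch = ScanUtils.getBranchFromRef(event.getRef());
        List<String> branches = getBranches(controllerRequest, flowProperties);
        BugTracker bt = ScanUtils.getBugTracker(controllerRequest.getAssignee(), bugType, jiraProperties, controllerRequest.getBug());
        FilterConfiguration filter = filterFactory.getFilter(controllerRequest, flowProperties);
        Map<FindingSeverity, Integer> thresholdMap = getThresholds(controllerRequest);
        // build request object
        Repository repository = event.getRepository();
        String gitUrl = repository.getCloneUrl();
        // owner.name may be blank on the payload; fall back to the login as deleteBranchRequest does,
        // instead of dereferencing it unconditionally (a NullPointerException was not caught below)
        String ownerName = repository.getOwner().getName();
        String namespace = ScanUtils.empty(ownerName)
                ? repository.getOwner().getLogin()
                : ownerName.replace(" ", "_");
        String token;
        String gitAuthUrl;
        log.info("Using url: {}", gitUrl);
        if (event.getInstallation() != null && event.getInstallation().getId() != null) {
            // GitHub App install: clone with a short-lived installation token
            installationId = event.getInstallation().getId();
            token = gitHubAppAuthService.getInstallationToken(installationId);
            token = FlowConstants.GITHUB_APP_CLONE_USER.concat(":").concat(token);
        } else {
            token = scmConfigOverrider.determineConfigToken(properties, controllerRequest.getScmInstance());
            if (ScanUtils.empty(token)) {
                log.error("No token was provided for Github");
                throw new MachinaRuntimeException();
            }
        }
        // gitAuthUrl carries the credential; it must not be logged
        gitAuthUrl = gitAuthUrlGenerator.addCredToUrl(ScanRequest.Repository.GITHUB, gitUrl, token);
        ScanRequest request = ScanRequest.builder()
                .application(app)
                .product(p)
                .project(controllerRequest.getProject())
                .team(controllerRequest.getTeam())
                .namespace(namespace)
                .repoName(repository.getName())
                .repoUrl(repository.getCloneUrl())
                .repoUrlWithAuth(gitAuthUrl)
                .repoType(ScanRequest.Repository.GITHUB)
                .branch(currentBranch)
                .defaultBranch(repository.getDefaultBranch())
                .refs(event.getRef())
                .email(determineEmails(event))
                .scanPreset(controllerRequest.getPreset())
                .incremental(controllerRequest.getIncremental())
                .excludeFolders(controllerRequest.getExcludeFolders())
                .excludeFiles(controllerRequest.getExcludeFiles())
                .bugTracker(bt)
                .filter(filter)
                .thresholds(thresholdMap)
                .organizationId(getOrganizationid(repository))
                .gitUrl(gitUrl)
                .hash(event.getAfter())
                .build();
        setScmInstance(controllerRequest, request);
        // Check if an installation Id is provided and store it for later use
        if (installationId != null) {
            request.putAdditionalMetadata(FlowConstants.GITHUB_APP_INSTALLATION_ID, installationId.toString());
        }
        /*Check for Config as code (cx.config) and override*/
        CxConfig cxConfig = gitHubService.getCxConfigOverride(request);
        request = configOverrider.overrideScanRequestProperties(cxConfig, request);
        request.putAdditionalMetadata(HTMLHelper.WEB_HOOK_PAYLOAD, body);
        request.setId(uid);
        // only initiate scan/automation if branch is applicable
        if (helperService.isBranch2Scan(request, branches)) {
            flowService.initiateAutomation(request);
        }
    } catch (IllegalArgumentException e) {
        return getBadRequestMessage(e, controllerRequest, product);
    }
    return getSuccessMessage();
}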

Example 10 with CxConfig

use of com.checkmarx.sdk.dto.sast.CxConfig in project cx-flow by checkmarx-ltd.

the class CxFlowRunner method getCxConfigOverride.

/**
 * Load a config-as-code file from the specified directory.
 *
 * <p>The file is resolved as {@code path/name} on the default file system and parsed through
 * {@code com.checkmarx.sdk.utils.ScanUtils.getConfigAsCode}. NOTE(review): {@code path} and
 * {@code name} are joined without any containment check — confirm neither is caller-controlled.
 *
 * @param path the path of the directory containing the config-as-code file
 * @param name the name of the config-as-code file
 * @return the config-as-code configuration, or {@code null} when no such file exists
 */
private CxConfig getCxConfigOverride(String path, String name) {
    log.debug("getCxConfigOverride: path: {}", path);
    File configFile = FileSystems.getDefault().getPath(path, name).toFile();
    if (!configFile.exists()) {
        // no override present: callers receive null rather than an empty config
        return null;
    }
    log.debug("Loading config-as-code from {}", configFile);
    return com.checkmarx.sdk.utils.ScanUtils.getConfigAsCode(configFile);
}
