
Example 1 with Finding

use of com.checkmarx.sdk.dto.sca.report.Finding in project cx-flow by checkmarx-ltd.

In class SarifIssueTracker, method generateScaResults:

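/**
 * Builds one SARIF run for the SCA findings in {@code results} and appends it to {@code run}.
 * <p>
 * Findings are grouped by package id. Each package yields one {@code Rule} whose help text is a
 * markdown table of the package's CVEs (tagged {@code CVSS-<score>} plus {@code security}) and one
 * {@code Result} whose single location lists the package's distinct locations joined by commas.
 * The result level is looked up in {@code properties.getSeverityMap()} by the string form of the
 * package severity; {@code DEFAULT_LEVEL} is used when there is no mapping or the finding's
 * package is not present in the package list.
 *
 * @param results scan results whose SCA findings and packages are rendered
 * @param run     list the generated SARIF run is appended to
 */
private void generateScaResults(ScanResults results, List<SarifVulnerability> run) {
    List<Rule> scaScanrules = new ArrayList<>();
    List<Result> scaScanresultList = new ArrayList<>();
    Map<String, List<Finding>> findingsMap = results.getScaResults().getFindings().stream()
            .collect(Collectors.groupingBy(Finding::getPackageId));
    // Index packages by id so each finding group can reach its package's severity and locations.
    Map<String, Package> packagesById = new HashMap<>();
    for (Package p : results.getScaResults().getPackages()) {
        packagesById.put(p.getId(), p);
    }
    for (Map.Entry<String, List<Finding>> entry : findingsMap.entrySet()) {
        String key = entry.getKey();
        List<Finding> packageFindings = entry.getValue();
        // May be null when a finding references a package id absent from the package list;
        // the previous code dereferenced it unconditionally.
        Package pkg = packagesById.get(key);

        StringBuilder markDownValue = new StringBuilder();
        markDownValue.append(String.format(MARKDOWN_TABLE_FORMAT, "CVE Name", "Description", "Score", "References")).append("\r");
        markDownValue.append(String.format(MARKDOWN_TABLE_FORMAT, "---", "---", "---", "---")).append("\r");
        List<String> tags = new ArrayList<>();
        for (Finding v : packageFindings) {
            markDownValue.append(String.format(MARKDOWN_TABLE_FORMAT, v.getCveName(), v.getDescription(), v.getScore(), v.getReferences())).append("\r");
            // One CVSS tag per distinct score, in first-seen order.
            String score = String.valueOf(v.getScore());
            if (!tags.contains(score)) {
                tags.add(score);
            }
        }
        tags.replaceAll(s -> "CVSS-" + s);
        tags.add("security");

        String markdown = String.valueOf(markDownValue).replace("\n", " ");
        Rule rule = Rule.builder()
                .id(key)
                .shortDescription(ShortDescription.builder().text(key).build())
                .fullDescription(FullDescription.builder().text(key).build())
                // Square brackets are stripped from the markdown variant only, as before.
                .help(Help.builder()
                        .markdown(markdown.replace("[", "").replace("]", ""))
                        .text(markdown)
                        .build())
                .properties(Properties.builder().tags(tags).build())
                .build();

        // Distinct locations in first-seen order; an unknown package contributes none.
        List<String> locationString = pkg == null
                ? new ArrayList<>()
                : pkg.getLocations().stream().map(String::valueOf).distinct().collect(Collectors.toList());
        List<Location> locations = new ArrayList<>();
        locations.add(Location.builder()
                .physicalLocation(PhysicalLocation.builder()
                        .artifactLocation(ArtifactLocation.builder().uri(String.join(",", locationString)).build())
                        .build())
                .build());

        // Use the same key for the null check and the lookup. The previous code checked the map with
        // the raw severity but read it with the severity's string form, so the two could disagree.
        String severityKey = String.valueOf(pkg == null ? null : pkg.getSeverity());
        // Build collection of the results -> locations
        scaScanresultList.add(Result.builder()
                .level(properties.getSeverityMap().get(severityKey) != null
                        ? properties.getSeverityMap().get(severityKey)
                        : DEFAULT_LEVEL)
                .locations(locations)
                .message(Message.builder().text(key).build())
                .ruleId(key)
                .build());
        scaScanrules.add(rule);
    }
    run.add(SarifVulnerability.builder()
            .tool(Tool.builder()
                    .driver(Driver.builder()
                            .name(properties.getScaScannerName())
                            .organization(properties.getScaOrganization())
                            .semanticVersion(properties.getSemanticVersion())
                            .rules(scaScanrules)
                            .build())
                    .build())
            .results(scaScanresultList)
            .build());
}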

Example 2 with Finding

use of com.checkmarx.sdk.dto.sca.report.Finding in project cx-flow by checkmarx-ltd.

In class GitLabSecurityDashboard, method getScaResultsDashboard:

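/**
 * Renders the SCA findings of {@code results} as a GitLab dependency-scanning security dashboard
 * and writes it with {@code writeJsonOutput}.
 * <p>
 * One {@code Vulnerability} is emitted per (package, location, CVE) triple: a package seen in
 * several files produces one entry per file. The vulnerability id is a name-based UUID of
 * {@code packageId@location:cveName}, so re-running the same scan yields the same ids.
 * Findings whose package id is not in the package list are logged and skipped instead of
 * aborting the whole report with a NullPointerException.
 *
 * @param request scan request the output file is derived from
 * @param results scan results whose SCA findings and packages are rendered
 * @throws MachinaException propagated from {@code writeJsonOutput}
 */
private void getScaResultsDashboard(ScanRequest request, ScanResults results) throws MachinaException {
    List<Vulnerability> vulns = new ArrayList<>();
    Scanner scanner = Scanner.builder().id("Checkmarx-SCA").name("Checkmarx-SCA").build();
    List<Finding> findings = results.getScaResults().getFindings();
    Map<String, Package> packagesById = new HashMap<>();
    for (Package p : results.getScaResults().getPackages()) {
        packagesById.put(p.getId(), p);
    }
    for (Finding finding : findings) {
        Package indPackage = packagesById.get(finding.getPackageId());
        if (indPackage == null) {
            // A finding without a matching package has no locations to report against;
            // record the gap rather than dropping it silently.
            log.warn("SCA finding {} references unknown package {}", finding.getCveName(), finding.getPackageId());
            continue;
        }
        String version = versionFromPackageId(finding.getPackageId());
        for (String loc : indPackage.getLocations()) {
            // Name, message and id are all derived from the same composite key.
            String vulnName = finding.getPackageId() + "@" + loc + ":" + finding.getCveName();
            // NOTE(review): getBytes() uses the platform default charset; pin it to UTF-8 where
            // StandardCharsets is in scope so ids are stable across hosts.
            String vulnId = UUID.nameUUIDFromBytes(vulnName.getBytes()).toString();
            vulns.add(Vulnerability.builder()
                    .category("dependency_scanning")
                    .id(vulnId)
                    .name(vulnName)
                    .message(vulnName)
                    .description(finding.getDescription())
                    .severity(String.valueOf(finding.getSeverity()))
                    .confidence(String.valueOf(finding.getSeverity()))
                    .solution(finding.getFixResolutionText())
                    .location(Location.builder()
                            .file(loc)
                            .dependency(Dependency.builder()
                                    .pkg(Name.builder().dependencyname(finding.getPackageId()).build())
                                    .version(version)
                                    .build())
                            .build())
                    .identifiers(getScaIdentifiers(results.getScaResults(), finding))
                    .scanner(scanner)
                    .build());
        }
    }
    SecurityDashboard report = SecurityDashboard.builder().vulnerabilities(vulns).build();
    writeJsonOutput(request, report, log);
}

/**
 * Extracts the version from a package id, taken as the text after the last {@code -}.
 * A package id with no remaining segments after splitting is returned unchanged.
 *
 * @param packageId SCA package id such as {@code group-artifact-1.2.3}
 * @return the last {@code -}-separated segment, or {@code packageId} itself when there is none
 */
private static String versionFromPackageId(String packageId) {
    String[] parts = packageId.split("-");
    return parts.length == 0 ? packageId : parts[parts.length - 1];
}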

Example 3 with Finding

use of com.checkmarx.sdk.dto.sca.report.Finding in project cx-flow by checkmarx-ltd.

In class GetResultsAnalyticsTestSteps, method addFinding:

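/**
 * Appends {@code countFindingsPerSeverity} synthetic findings of {@code severity} to
 * {@code findings} and records that count under {@code filterSeverity} in {@code findingCounts}.
 * A {@code null} count (the severity is absent from the caller's map) is treated as zero; the
 * previous code unboxed it in the loop bound and failed with a NullPointerException.
 *
 * @param countFindingsPerSeverity number of findings to create; {@code null} means none
 * @param findingCounts            per-severity totals the count is recorded in
 * @param findings                 list the created findings are added to
 * @param severity                 severity set on each created finding
 * @param filterSeverity           key under which the count is recorded
 */
private static void addFinding(Integer countFindingsPerSeverity, Map<Filter.Severity, Integer> findingCounts, List<Finding> findings, Severity severity, Filter.Severity filterSeverity) {
    int count = countFindingsPerSeverity == null ? 0 : countFindingsPerSeverity;
    for (int i = 0; i < count; i++) {
        Finding fnd = new Finding();
        fnd.setSeverity(severity);
        // The package id is not under test here; an empty string keeps it non-null.
        fnd.setPackageId("");
        findings.add(fnd);
    }
    findingCounts.put(filterSeverity, count);
}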

Example 4 with Finding

use of com.checkmarx.sdk.dto.sca.report.Finding in project cx-flow by checkmarx-ltd.

In class AnalyticsSteps, method createFakeSCAScanResults:

/**
 * Builds a {@code ScanResults} holding a fake SCA result set with the requested number of
 * HIGH, MEDIUM and LOW findings, a summary carrying the matching per-severity counts,
 * an empty package list and no SAST issues.
 *
 * @param findingsPerSeverity number of findings to fabricate for each severity
 * @param scanId              id assigned to the fake scan
 * @return scan results wrapping the fabricated SCA data
 */
private static ScanResults createFakeSCAScanResults(Map<FindingSeverity, Integer> findingsPerSeverity, int scanId) {
    List<Finding> fakeFindings = new LinkedList<>();
    Map<Filter.Severity, Integer> countsBySeverity = new HashMap<>();
    // Each call appends the findings for one severity and records its count.
    addFinding(findingsPerSeverity.get(FindingSeverity.HIGH), countsBySeverity, fakeFindings, Severity.HIGH, Filter.Severity.HIGH);
    addFinding(findingsPerSeverity.get(FindingSeverity.MEDIUM), countsBySeverity, fakeFindings, Severity.MEDIUM, Filter.Severity.MEDIUM);
    addFinding(findingsPerSeverity.get(FindingSeverity.LOW), countsBySeverity, fakeFindings, Severity.LOW, Filter.Severity.LOW);

    Summary summary = new Summary();
    summary.setFindingCounts(countsBySeverity);

    SCAResults scaResults = new SCAResults();
    scaResults.setScanId(String.valueOf(scanId));
    scaResults.setFindings(fakeFindings);
    scaResults.setSummary(summary);
    scaResults.setPackages(new LinkedList<>());

    return ScanResults.builder()
            .scaResults(scaResults)
            .xIssues(new ArrayList<>())
            .build();
}

Example 5 with Finding

use of com.checkmarx.sdk.dto.sca.report.Finding in project cx-flow by checkmarx-ltd.

In class ScaThresholdsSteps, method max_findings_score_threshold_score:

/**
 * Cucumber step: populates the {@code scaResults} field with ten findings per severity and a
 * summary whose risk score is produced by {@code generateScoreThresholds} for {@code scoreType}.
 *
 * @param scoreType the {@code {word}} captured from the feature step
 */
@When("max findings score is {word} threshold-score")
public void max_findings_score_threshold_score(String scoreType) {
    Double riskScore = generateScoreThresholds(scoreType);

    scaResults = new SCAResults();
    scaResults.setScanId("2");

    List<Finding> findings = new ArrayList<>();
    for (Severity severity : Severity.values()) {
        populateFindings(findings, severity, 10);
    }
    scaResults.setFindings(findings);

    // Every filter severity reports the same count of ten.
    Map<Filter.Severity, Integer> findingCounts = Arrays.stream(Filter.Severity.values())
            .collect(Collectors.toMap(Function.identity(), v -> 10));

    Summary summary = new Summary();
    summary.setRiskScore(riskScore);
    summary.setFindingCounts(findingCounts);
    scaResults.setSummary(summary);
}
