
Example 6 with Package

Use of com.checkmarx.sdk.dto.sca.report.Package in project checkmarx-spring-boot-java-sdk by checkmarx-ltd.

Class GoScanner, method toPackage.

/**
 * Builds the SCA report {@link Package} entry for one raw CxGo SCA result.
 *
 * <p>The package id doubles as the package name, and the "version" field is
 * populated from {@code getFixResolutionText()} of the raw result.
 * NOTE(review): populating {@code version} from the fix-resolution text looks
 * suspicious (a fix resolution is normally the recommended upgrade, not the
 * installed version) — confirm against the CxGo SCA payload before relying on
 * {@code Package#getVersion()} downstream.
 *
 * @param scaResult raw SCA result to convert; must be non-null
 * @return a newly created {@link Package} with id, name and version set
 */
private static Package toPackage(SCAScanResult scaResult) {
    final String packageId = scaResult.getPackageId();
    final Package converted = new Package();
    converted.setId(packageId);
    converted.setName(packageId);
    converted.setVersion(scaResult.getFixResolutionText());
    return converted;
}

Example 7 with Package

Use of com.checkmarx.sdk.dto.sca.report.Package in project checkmarx-spring-boot-java-sdk by checkmarx-ltd.

Class GoScanner, method getReportContentByScanId.

/**
 * Assembles the {@link ScanResults} for a finished CxGo scan.
 *
 * <p>The scan details are loaded first (they carry the project, business-unit and
 * application ids used in the portal deep links), then the results of all engines
 * are fetched once and the SAST and SCA sections are processed independently: each
 * section is skipped entirely when the engine returned no list at all. Both
 * sections feed the shared {@code xIssues} list; the SCA section additionally
 * produces an {@link SCAResults} object with its own web report link.
 *
 * @param scanId id of the CxGo scan to report on
 * @param filter filter configuration applied to both the SAST and the SCA findings
 * @return the merged scan results, including the portal deep link for the scan
 * @throws CheckmarxException propagated from the scan-details and results lookups
 */
@Override
public ScanResults getReportContentByScanId(Integer scanId, FilterConfiguration filter) throws CheckmarxException {
    final Scan scan = getScanDetails(scanId);
    final Integer projectId = scan.getProjectId();
    final Integer buId = scan.getBusinessUnitId();
    final Integer appId = scan.getApplicationId();
    final GoScanResults engineResults = getScanResults(scanId);
    final ScanResults.ScanResultsBuilder builder = ScanResults.builder();
    final List<ScanResults.XIssue> xIssues = new ArrayList<>();

    // SAST: only processed when the engine result list is present (an empty list still counts as present).
    final List<SASTScanResult> sastResults = engineResults == null ? null : engineResults.getSast();
    if (sastResults != null) {
        appendSastSection(builder, xIssues, sastResults, scan, projectId, scanId, filter);
    }

    // SCA: same presence rule as SAST.
    final List<SCAScanResult> scaRawResults = engineResults == null ? null : engineResults.getSca();
    if (scaRawResults != null) {
        appendScaSection(builder, xIssues, scaRawResults, scan, filter, buId, appId, projectId, scanId);
    }

    builder.xIssues(xIssues);
    // NOTE(review): projectId is dereferenced unconditionally; a scan without a project id would NPE here.
    builder.projectId(projectId.toString());
    builder.link(buildPortalDeepLink(DEEP_LINK, buId, appId, projectId, scanId));
    return builder.build();
}

/**
 * Filters the SAST results, converts the survivors into XIssues (tallying them by
 * severity) and attaches the severity tally plus the scan summary to the builder.
 */
private void appendSastSection(ScanResults.ScanResultsBuilder builder, List<ScanResults.XIssue> xIssues, List<SASTScanResult> sastResults, Scan scan, Integer projectId, Integer scanId, FilterConfiguration filter) throws CheckmarxException {
    final Map<String, OdScanResultItem> resultDetails = getScanResultsPage(projectId, scanId);
    final Map<String, Integer> countsBySeverity = new HashMap<>();
    log.debug("SAST finding count before filtering: {}", sastResults.size());
    log.info("Processing SAST results");
    sastResults.stream()
            .filter(applySastFilter(resultDetails, filter))
            .forEach(sastResult -> handleSastIssue(xIssues, sastResult, resultDetails, projectId, scanId, countsBySeverity));
    final CxScanSummary sastSummary = getCxScanSummary(scan);
    final Map<String, Object> flowSummary = new HashMap<>();
    flowSummary.put(Constants.SUMMARY_KEY, countsBySeverity);
    flowSummary.put(Constants.SCAN_ID_KEY, scanId);
    builder.additionalDetails(flowSummary);
    builder.scanSummary(sastSummary);
}

/**
 * Drops ignored SCA results, applies the SCA filter, converts the survivors into
 * findings/packages/XIssues and attaches the resulting {@link SCAResults} to the builder.
 */
private void appendScaSection(ScanResults.ScanResultsBuilder builder, List<ScanResults.XIssue> xIssues, List<SCAScanResult> rawResults, Scan scan, FilterConfiguration filter, Integer buId, Integer appId, Integer projectId, Integer scanId) throws CheckmarxException {
    logRawScaScanResults(rawResults);
    final List<Finding> findings = new ArrayList<>();
    final List<Package> packages = new ArrayList<>();
    log.info("Processing SCA results");
    rawResults.stream()
            .filter(raw -> !raw.isIgnored())
            .filter(applyScaFilter(filter))
            .forEach(raw -> handleScaIssue(xIssues, findings, packages, raw));
    logFindings(findings);
    logPackages(packages);
    final SCAResults sca = new SCAResults();
    sca.setFindings(findings);
    sca.setPackages(packages);
    if (!rawResults.isEmpty()) {
        // The SCA scan id is taken from the first raw result; presumably all results share it — TODO confirm.
        sca.setScanId(rawResults.get(0).getScanId().toString());
    }
    sca.setSummary(getScaScanSummary(scan));
    sca.setWebReportLink(buildPortalDeepLink(SCA_DEEP_LINK, buId, appId, projectId, scanId));
    builder.scaResults(sca);
}

/**
 * Formats a portal deep link: the configured portal URL is concatenated with the
 * given format template and the four ids are substituted into it.
 * NOTE(review): the configured portal URL becomes part of the String.format pattern,
 * so a literal '%' in that configuration value would be interpreted as a format specifier.
 */
private String buildPortalDeepLink(String template, Integer buId, Integer appId, Integer projectId, Integer scanId) {
    final String urlTemplate = cxGoProperties.getPortalUrl().concat(template);
    return String.format(urlTemplate, buId, appId, projectId, scanId);
}

Example 8 with Package

Use of com.checkmarx.sdk.dto.sca.report.Package in project checkmarx-spring-boot-java-sdk by checkmarx-ltd.

Class GoScanner, method handleScaIssue.

/**
 * Converts one raw SCA result into the three representations the report keeps
 * side by side, appending one element to each of the given lists:
 * a {@link Finding}, a {@link Package}, and an {@link ScanResults.XIssue} that
 * references both through a single {@link ScanResults.ScaDetails} entry.
 *
 * <p>The XIssue's severity and description are copied from the finding; the
 * vulnerability link is the fixed placeholder {@code "N/A"} — no per-vulnerability
 * URL is derived from the CxGo result here.
 *
 * @param xIssues   receives the new XIssue
 * @param findings  receives the new Finding
 * @param packages  receives the new Package
 * @param scaResult raw SCA result to convert
 */
private void handleScaIssue(List<ScanResults.XIssue> xIssues, List<Finding> findings, List<Package> packages, SCAScanResult scaResult) {
    final Finding finding = toFinding(scaResult);
    final Package vulnerablePackage = toPackage(scaResult);
    findings.add(finding);
    packages.add(vulnerablePackage);

    final ScanResults.ScaDetails details = ScanResults.ScaDetails.builder()
            .finding(finding)
            .vulnerabilityLink("N/A")
            .vulnerabilityPackage(vulnerablePackage)
            .build();

    // NOTE(review): assumes the finding always carries a non-null severity — confirm with toFinding.
    final ScanResults.XIssue issue = ScanResults.XIssue.builder()
            .similarityId(finding.getSimilarityId())
            .severity(finding.getSeverity().toString())
            .description(finding.getDescription())
            .scaDetails(Collections.singletonList(details))
            .build();
    xIssues.add(issue);
}

Example 9 with Package

Use of com.checkmarx.sdk.dto.sca.report.Package in project cx-flow by checkmarx-ltd.

Class SonarQubeIssueTracker, method generateScaResults.

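/**
 * Translates the SCA part of the scan results into SonarQube generic issues and
 * appends them to {@code sonarIssues}: one issue per (finding, package location) pair.
 *
 * <p>Findings are grouped by package id and joined to the package list by id so
 * that each issue can be placed on the file path(s) where the vulnerable package
 * is declared. Every issue is reported on line 1 of that file.
 *
 * <p>Fixes over the previous version: the issue message is built per finding
 * (a single {@code StringBuilder} used to be shared across all findings and
 * locations, so each issue's message repeated the text of every issue emitted
 * before it), and a finding whose package is absent from the package list is
 * skipped instead of failing the whole report with a NullPointerException.
 *
 * @param results     scan results to export; {@code results.getScaResults()} and its
 *                    findings/packages lists are assumed non-null
 * @param sonarIssues output list receiving the generated issues
 */
private void generateScaResults(ScanResults results, List<Issue> sonarIssues) {
    // Sonar Report for Sca Result
    Map<String, List<Finding>> findingsByPackage = results.getScaResults().getFindings().stream()
            .collect(Collectors.groupingBy(Finding::getPackageId));
    Map<String, Package> packagesById = new HashMap<>();
    for (Package p : results.getScaResults().getPackages()) {
        packagesById.put(p.getId(), p);
    }
    for (Map.Entry<String, List<Finding>> entry : findingsByPackage.entrySet()) {
        Package vulnerablePackage = packagesById.get(entry.getKey());
        if (vulnerablePackage == null) {
            // No package entry means no file path to attach the issue to; skip rather than NPE.
            continue;
        }
        for (Finding finding : entry.getValue()) {
            // Built once per finding, not per location, and never shared between findings.
            String message = "Package:" + finding.getPackageId() + ","
                    + "Description:" + finding.getDescription() + ","
                    + "Score:" + finding.getScore();
            vulnerablePackage.getLocations().forEach(location ->
                    sonarIssues.add(Issue.builder()
                            .engineId(properties.getScaScannerName())
                            .ruleId(finding.getId())
                            // Fall back to DEFAULT_LEVEL when the severity is unmapped or mapped to null.
                            .severity(properties.getSeverityMap().get(finding.getSeverity()) != null
                                    ? properties.getSeverityMap().get(finding.getSeverity())
                                    : DEFAULT_LEVEL)
                            .type("VULNERABILITY")
                            .primaryLocation(ILocation.builder()
                                    .filePath(location)
                                    .message(message)
                                    .textRange(TextRange.builder().startLine(1).endLine(1).build())
                                    .build())
                            .build()));
        }
    }
}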

Example 10 with Package

Use of com.checkmarx.sdk.dto.sca.report.Package in project cx-flow by checkmarx-ltd.

Class ScanUtils, method getScaSummaryIssueKey.

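/**
 * Builds the summary-issue key for a SCA issue according to the bug tracker type of the request.
 *
 * <p>Only the first {@link ScanResults.ScaDetails} entry of the issue is used. When any of the
 * request's namespace, repository name or branch is empty the "without branch" variant of the
 * key is produced.
 *
 * @param request   The scanRequest object; its bug tracker type selects the key format
 * @param issue     The scanResults issue; must carry at least one SCA details entry
 * @param extraTags Extra tags array. For JIRA the issue prefix/postfix must be on the [0], [1] positions
 * @return  Issue key according to the bug type parameter
 * @throws IllegalArgumentException if the issue has no SCA details, the bug tracker type is null,
 *                                  or the bug type is JIRA and fewer than two extra tags are given
 * @throws NotImplementedException  if no key format exists for the bug tracker type
 */
public static String getScaSummaryIssueKey(ScanRequest request, ScanResults.XIssue issue, String... extraTags) {
    // Previously an unguarded get(0): an issue without SCA details failed with IndexOutOfBoundsException.
    if (issue.getScaDetails() == null || issue.getScaDetails().isEmpty()) {
        throw new IllegalArgumentException("SCA issue has no scaDetails; cannot build a summary issue key");
    }
    ScanResults.ScaDetails scaDetails = issue.getScaDetails().get(0);
    String bugType = request.getBugTracker().getType().getType();
    if (bugType == null) {
        // A switch on a null String throws NullPointerException; fail with a clearer message instead.
        throw new IllegalArgumentException("Bug tracker type is not set; cannot build a summary issue key");
    }
    boolean branchInfoMissing = anyEmpty(request.getNamespace(), request.getRepoName(), request.getBranch());
    switch (bugType) {
        case "JIRA":
            // The prefix/postfix positions are part of the documented contract; check before indexing.
            if (extraTags == null || extraTags.length < 2) {
                throw new IllegalArgumentException("JIRA summary issue key requires issue prefix and postfix as extraTags[0] and extraTags[1]");
            }
            String issuePrefix = extraTags[0];
            String issuePostfix = extraTags[1];
            Finding detailsFindings = scaDetails.getFinding();
            Package vulnerabilityPackage = scaDetails.getVulnerabilityPackage();
            return branchInfoMissing
                    ? getJiraScaSummaryIssueKeyWithoutBranch(request, issuePrefix, issuePostfix, detailsFindings, vulnerabilityPackage)
                    : getJiraScaSummaryIssueKey(request, issuePrefix, issuePostfix, detailsFindings, vulnerabilityPackage);
        case "CUSTOM":
            return branchInfoMissing
                    ? getCustomScaSummaryIssueKeyWithoutBranch(request, scaDetails)
                    : getCustomScaSummaryIssueKey(request, scaDetails);
        default:
            // Plain concatenation on purpose: NotImplementedException does not expand SLF4J-style "{}"
            // placeholders, so the old two-argument form left "{}" in the message and passed bugType
            // as the exception "code" instead.
            throw new NotImplementedException("Summary issue key wasn't implemented yet for bug type: " + bugType);
    }
}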
