Example 1 with Severity

Use of com.checkmarx.sdk.dto.scansummary.Severity in the project cx-flow by checkmarx-ltd.

Method isAllowedSca of the class ThresholdValidatorImpl.

private boolean isAllowedSca(ScanResults scanResults, ScanRequest request) {
    log.debug("Checking if CxSCA pull request merge is allowed.");
    // Effective thresholds: per-severity finding counts and an overall risk score.
    Map<Severity, Integer> scaThresholdsSeverity = getScaEffectiveThresholdsSeverity(request);
    Double scaThresholdsScore = getScaEffectiveThresholdsScore(request);
    boolean isAllowedSca;
    // A policy violation takes top priority in deciding whether to break the build;
    // thresholds are only consulted when no policy has been violated.
    SCAResults scaResults = scanResults.getScaResults();
    if (scaResults.isPolicyViolated()) {
        printViolatedPoliciesNames(scaResults.getViolatedPolicies());
        isAllowedSca = false;
    } else {
        writeMapToLog(scaThresholdsSeverity, "Using CxSCA thresholds severity");
        writeMapToLog(scaThresholdsScore, "Using CxSCA thresholds score");
        // The merge is allowed only if neither the score nor any severity count threshold is exceeded.
        isAllowedSca = !isAnyScaThresholdsExceeded(scanResults, scaThresholdsSeverity, scaThresholdsScore);
        logIsAllowed(isAllowedSca);
    }
    return isAllowedSca;
}
Example 2 with Severity

Use of com.checkmarx.sdk.dto.scansummary.Severity in the project cx-flow by checkmarx-ltd.

Method isAnyScaThresholdsExceeded of the class ThresholdValidatorImpl.

private static boolean isAnyScaThresholdsExceeded(ScanResults scanResults, Map<Severity, Integer> scaThresholds, Double scaThresholdsScore) {
    // Start with the overall risk-score check, then OR in each per-severity count check.
    boolean isExceeded = isExceedsScaThresholdsScore(scanResults, scaThresholdsScore);
    Map<Severity, Integer> scaFindingsCountsPerSeverity = getScaFindingsCountsPerSeverity(scanResults);
    for (Map.Entry<Severity, Integer> entry : scaFindingsCountsPerSeverity.entrySet()) {
        Severity severity = entry.getKey();
        Integer thresholdCount = scaThresholds.get(severity);
        if (thresholdCount == null) {
            // No threshold configured for this severity: it cannot be exceeded.
            continue;
        }
        Integer findingsCount = entry.getValue();
        if (findingsCount > thresholdCount) {
            isExceeded = true;
            logScaThresholdExceedsCounts(true, severity, thresholdCount, findingsCount);
            // Don't break here, because we want to log validation for all the thresholds.
        } else {
            logScaThresholdExceedsCounts(false, severity, thresholdCount, findingsCount);
        }
    }
    return isExceeded;
}
Example 3 with Severity

Use of com.checkmarx.sdk.dto.scansummary.Severity in the project cx-flow by checkmarx-ltd.

Method max_findings_score_threshold_score of the class ScaThresholdsSteps (a Cucumber step definition).

@When("max findings score is {word} threshold-score")
public void max_findings_score_threshold_score(String scoreType) {
    // Build a synthetic SCA result whose risk score sits relative to the threshold as the scenario requests.
    Double findingsScore = generateScoreThresholds(scoreType);
    scaResults = new SCAResults();
    scaResults.setScanId("2");
    Summary summary = new Summary();
    summary.setRiskScore(findingsScore);
    // Ten findings of every severity, so only the score (not the counts) drives the scenario outcome.
    List<Finding> findings = new ArrayList<>();
    Stream<com.checkmarx.sdk.dto.sast.Filter.Severity> severityStream = Arrays.stream(Filter.Severity.values());
    Arrays.stream(Severity.values()).forEach(severity -> populateFindings(findings, severity, 10));
    scaResults.setFindings(findings);
    Map<Filter.Severity, Integer> findingCounts = severityStream.collect(Collectors.toMap(Function.identity(), v -> 10));
    summary.setFindingCounts(findingCounts);
    scaResults.setSummary(summary);
}
Example 4 with Severity

Use of com.checkmarx.sdk.dto.scansummary.Severity in the project checkmarx-spring-boot-java-sdk by checkmarx-ltd.

Method getScaFindings of the class ScaClientHelper.

private List<Finding> getScaFindings(VulnerabilitiesType vulnerabilitiesType) {
    Finding finding = new Finding();
    List<Finding> findingList = new ArrayList<>();
    List<String> references = new ArrayList<>();
    List<String> reference = new ArrayList<>();
    for (int count = 0; count < vulnerabilitiesType.getVulnerability().size(); count++) {
        // Copy the identity and scoring fields of the native SCA vulnerability.
        finding.setId(vulnerabilitiesType.getVulnerability().get(count).getId());
        finding.setCveName(vulnerabilitiesType.getVulnerability().get(count).getCveName());
        finding.setScore(vulnerabilitiesType.getVulnerability().get(count).getScore());
        // Copy the reference URLs into a fresh list owned by this finding.
        references = vulnerabilitiesType.getVulnerability().get(count).getReferences().getReference();
        reference = new ArrayList<>();
        for (int referenceCount = 0; referenceCount < references.size(); referenceCount++) {
            reference.add(references.get(referenceCount));
            finding.setReferences(reference);
        }
        // Map the SCA-native severity onto the shared scan-summary Severity enum.
        Severity severity = scaToScanResultSeverity(vulnerabilitiesType.getVulnerability().get(count).getSeverity());
        finding.setSeverity(severity);
        finding.setPublishDate(vulnerabilitiesType.getVulnerability().get(count).getPublishDate().toString());
        finding.setDescription(vulnerabilitiesType.getVulnerability().get(count).getDescription());
        finding.setRecommendations(vulnerabilitiesType.getVulnerability().get(count).getRecommendations());
        finding.setPackageId(vulnerabilitiesType.getVulnerability().get(count).getPackageId());
        // Flags arrive as strings in the native model and are parsed into booleans here.
        finding.setIgnored(Boolean.parseBoolean(vulnerabilitiesType.getVulnerability().get(count).getIsIgnored()));
        finding.setViolatingPolicy(Boolean.parseBoolean(vulnerabilitiesType.getVulnerability().get(count).getIsViolatingPolicy()));
        finding.setFixResolutionText(String.valueOf(vulnerabilitiesType.getVulnerability().get(count).getFixResolutionText()));
        findingList.add(finding);
        // Start a new Finding so the next iteration does not overwrite the one just added.
        finding = new Finding();
    }
    return findingList;
}
Example 5 with Severity

Use of com.checkmarx.sdk.dto.scansummary.Severity in the project checkmarx-spring-boot-java-sdk by checkmarx-ltd.

Method setFindingCountsPerSeverity of the class AstClientHelper.

private static void setFindingCountsPerSeverity(List<SeverityCounter> nativeCounters, AstSummaryResults target) {
    if (nativeCounters == null) {
        return;
    }
    for (SeverityCounter counter : nativeCounters) {
        // EnumUtils.getEnum returns null for an unknown severity name instead of throwing,
        // so counters with unrecognised severities are silently skipped below.
        Severity parsedSeverity = EnumUtils.getEnum(Severity.class, counter.getSeverity());
        int value = counter.getCounter();
        if (parsedSeverity != null) {
            if (parsedSeverity == Severity.HIGH) {
                target.setHighVulnerabilityCount(value);
            } else if (parsedSeverity == Severity.MEDIUM) {
                target.setMediumVulnerabilityCount(value);
            } else if (parsedSeverity == Severity.LOW) {
                target.setLowVulnerabilityCount(value);
            }
        }
    }
}