
Example 26 with SecHubFinding

use of com.mercedesbenz.sechub.commons.model.SecHubFinding in project sechub by mercedes-benz.

the class FalsePositiveMetaDataFactoryTest method createWebFinding.

/**
 * Builds a test finding of type {@link ScanType#WEB_SCAN} whose web section
 * (request, response and attack) is filled with fixed sample values.
 *
 * @return the prepared web finding, based on {@link #createTestFinding()}
 */
private SecHubFinding createWebFinding() {
    SecHubFinding webFinding = createTestFinding();
    webFinding.setType(ScanType.WEB_SCAN);

    SecHubReportWeb reportWeb = new SecHubReportWeb();
    webFinding.setWeb(reportWeb);

    // request part
    SecHubReportWebRequest webRequest = reportWeb.getRequest();
    webRequest.setMethod("method1");
    webRequest.setTarget("target1");
    webRequest.setProtocol("protocol1");
    webRequest.setVersion("version1");

    // response part
    SecHubReportWebResponse webResponse = reportWeb.getResponse();
    webResponse.setStatusCode(4211);

    // attack part: evidence snippet plus the attack vector
    SecHubReportWebEvidence webEvidence = new SecHubReportWebEvidence();
    webEvidence.setSnippet("evidence-snippet1");
    reportWeb.getAttack().setEvidence(webEvidence);
    reportWeb.getAttack().setVector("attack-vector1");

    return webFinding;
}
Also used : SecHubReportWebEvidence(com.mercedesbenz.sechub.commons.model.web.SecHubReportWebEvidence) SecHubReportWebRequest(com.mercedesbenz.sechub.commons.model.web.SecHubReportWebRequest) SecHubFinding(com.mercedesbenz.sechub.commons.model.SecHubFinding) SecHubReportWeb(com.mercedesbenz.sechub.commons.model.web.SecHubReportWeb) SecHubReportWebResponse(com.mercedesbenz.sechub.commons.model.web.SecHubReportWebResponse)

Example 27 with SecHubFinding

use of com.mercedesbenz.sechub.commons.model.SecHubFinding in project sechub by mercedes-benz.

the class FalsePositiveMetaDataFactoryTest method createCodeFinding.

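/**
 * Builds a test finding of type {@link ScanType#CODE_SCAN} with a three element
 * call stack (start -> middle -> end). The middle element only carries a relevant
 * part and no location/source — presumably to cover call stack entries with
 * missing data; confirm against the tests using this finding.
 *
 * The original version set the start source twice; the duplicate assignment
 * has been dropped, the resulting finding is unchanged.
 *
 * @return the prepared code finding, based on {@link #createTestFinding()}
 */
private SecHubFinding createCodeFinding() {
    SecHubFinding finding = createTestFinding();

    SecHubCodeCallStack codeStart = new SecHubCodeCallStack();
    codeStart.setRelevantPart("relevant-part-start");
    codeStart.setLocation("location-start");
    codeStart.setSource("source-start");

    SecHubCodeCallStack codeMiddle = new SecHubCodeCallStack();
    codeMiddle.setRelevantPart("relevant-part-middle");

    SecHubCodeCallStack codeEnd = new SecHubCodeCallStack();
    codeEnd.setRelevantPart("relevant-part-end");
    codeEnd.setLocation("location-end");
    codeEnd.setSource("source-end");

    // chain the call stack: start -> middle -> end
    codeStart.setCalls(codeMiddle);
    codeMiddle.setCalls(codeEnd);

    finding.setCode(codeStart);
    finding.setType(ScanType.CODE_SCAN);
    return finding;
}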
Also used : SecHubFinding(com.mercedesbenz.sechub.commons.model.SecHubFinding) SecHubCodeCallStack(com.mercedesbenz.sechub.commons.model.SecHubCodeCallStack)

Example 28 with SecHubFinding

use of com.mercedesbenz.sechub.commons.model.SecHubFinding in project sechub by mercedes-benz.

the class SerecoProductResultTransformer method transform.

/**
 * Transforms a SeReCo product result into a SecHub report transformation result.
 * The SeReCo JSON is parsed into {@link SerecoMetaData}, false positives are marked
 * via {@code falsePositiveMarker}, and every vulnerability that is not a false
 * positive becomes one {@link SecHubFinding}. The finding id counter advances for
 * every vulnerability, including skipped false positives, so report ids may have gaps.
 *
 * @param serecoProductResult product result holding the SeReCo JSON, the project id
 *                            and the SecHub job UUID
 * @return the transformation result; its status is {@link SecHubStatus#SUCCESS}
 *         unless annotation handling has already set another status
 * @throws SecHubExecutionException when the transformation cannot be completed
 */
@Override
public ReportTransformationResult transform(ProductResult serecoProductResult) throws SecHubExecutionException {
    String serecoJson = serecoProductResult.getResult();
    String projectId = serecoProductResult.getProjectId();
    UUID jobUUID = serecoProductResult.getSecHubJobUUID();

    SerecoMetaData metaData = JSONConverter.get().fromJSON(SerecoMetaData.class, serecoJson);
    falsePositiveMarker.markFalsePositives(projectId, metaData.getVulnerabilities());

    ReportTransformationResult result = new ReportTransformationResult();
    result.setReportVersion(SecHubReportVersion.VERSION_1_0.getVersionAsString());
    result.setJobUUID(jobUUID);
    List<SecHubFinding> reportFindings = result.getResult().getFindings();

    int nextFindingId = 0;
    for (SerecoVulnerability vulnerability : metaData.getVulnerabilities()) {
        nextFindingId++;
        if (vulnerability.isFalsePositive()) {
            // False positives are not part of the report; they remain in the SeReCo
            // result and therefore in the admin scan logs. The id counter has already
            // advanced, so report ids are not necessarily contiguous.
            continue;
        }

        SecHubFinding finding = new SecHubFinding();
        handleClassifications(finding, vulnerability, serecoProductResult.getSecHubJobUUID());
        finding.setDescription(vulnerability.getDescription());
        finding.setName(vulnerability.getType());
        finding.setSolution(vulnerability.getSolution());
        finding.setId(nextFindingId);
        finding.setSeverity(transformSeverity(vulnerability.getSeverity()));
        if (showProductLineResultLink) {
            finding.setProductResultLink(vulnerability.getProductResultLink());
        }

        ScanType scanType = vulnerability.getScanType();
        // The finding keeps the original (possibly null) scan type; the fallback
        // below only decides which additional details are appended.
        finding.setType(scanType);
        if (scanType == null) {
            // Expected only for artificial vulnerabilities added for SecHub failures
            // (a legacy feature planned for removal).
            scanType = ScanType.UNKNOWN;
            LOG.debug("Finding:{} '{}' has no scan type set. Use {} as fallback.", nextFindingId, vulnerability.getType(), scanType);
        }

        if (scanType == ScanType.CODE_SCAN) {
            finding.setCode(convert(vulnerability.getCode()));
        } else if (scanType == ScanType.WEB_SCAN) {
            appendWebData(jobUUID, vulnerability, finding);
        }
        // INFRA_SCAN and every other type: no additional details are appended

        reportFindings.add(finding);
    }

    handleAnnotations(jobUUID, metaData, result);
    // No status so far means no failure was recorded, so the result counts as OK
    if (result.getStatus() == null) {
        result.setStatus(SecHubStatus.SUCCESS);
    }
    return result;
}
Also used : ScanType(com.mercedesbenz.sechub.commons.model.ScanType) SerecoVulnerability(com.mercedesbenz.sechub.sereco.metadata.SerecoVulnerability) SecHubFinding(com.mercedesbenz.sechub.commons.model.SecHubFinding) ReportTransformationResult(com.mercedesbenz.sechub.domain.scan.ReportTransformationResult) UUID(java.util.UUID) SerecoMetaData(com.mercedesbenz.sechub.sereco.metadata.SerecoMetaData)

Example 29 with SecHubFinding

use of com.mercedesbenz.sechub.commons.model.SecHubFinding in project sechub by mercedes-benz.

the class SerecoProductResultTransformerTest method transformation_of_id_finding_description_severity_and_name_are_done.

/**
 * Verifies that id, description, severity, name and scan type of a single
 * vulnerability are carried over into the transformed report.
 */
@Test
public void transformation_of_id_finding_description_severity_and_name_are_done() throws Exception {
    /* prepare */
    String serecoJson = createMetaDataWithOneVulnerabilityFound();

    /* execute */
    ReportTransformationResult transformed = transformerToTest.transform(createProductResult(serecoJson));

    /* test */
    // every finding of the single web vulnerability must be typed as web scan
    transformed.getResult().getFindings().forEach(finding -> assertEquals(ScanType.WEB_SCAN, finding.getType()));

    /* @formatter:off */
    AssertSecHubResult.assertSecHubResult(transformed.getResult()).
        hasFindingWithId(1).
        hasDescription("desc1").
        hasSeverity(com.mercedesbenz.sechub.commons.model.Severity.MEDIUM).
        hasName("type1");
    /* @formatter:on */
}
Also used : SecHubFinding(com.mercedesbenz.sechub.commons.model.SecHubFinding) ReportTransformationResult(com.mercedesbenz.sechub.domain.scan.ReportTransformationResult) Test(org.junit.Test)
