
Example 6 with ReportTransformationResult

use of com.mercedesbenz.sechub.domain.scan.ReportTransformationResult in project sechub by mercedes-benz.

From the class SerecoProductResultTransformer, method transform.

/**
 * Transforms a SeReCo product result into a {@link ReportTransformationResult}.
 * <p>
 * The SeReCo JSON is parsed into {@link SerecoMetaData}; afterwards the false
 * positive marker is applied for the project and every vulnerability which is
 * NOT a false positive becomes exactly one {@link SecHubFinding}. False
 * positives are skipped here only - they remain inside the SeReCo product
 * result and so in the admin scan logs. The finding id is the 1-based position
 * of the vulnerability inside the SeReCo list, so ids of skipped false
 * positives are not reused. A vulnerability without a scan type gets
 * {@link ScanType#UNKNOWN} as fallback (only expected for artificial
 * vulnerabilities added for SecHub failures, a legacy feature). Finally the
 * annotations are handled and a missing status is defaulted to
 * {@link SecHubStatus#SUCCESS}.
 *
 * @param serecoProductResult product result whose result string contains SeReCo JSON
 * @return transformation result with report version 1.0, job UUID and findings
 * @throws SecHubExecutionException declared by the transformer contract
 */
@Override
public ReportTransformationResult transform(ProductResult serecoProductResult) throws SecHubExecutionException {
    String serecoJson = serecoProductResult.getResult();
    String projectId = serecoProductResult.getProjectId();
    UUID jobUUID = serecoProductResult.getSecHubJobUUID();

    SerecoMetaData metaData = JSONConverter.get().fromJSON(SerecoMetaData.class, serecoJson);
    List<SerecoVulnerability> vulnerabilities = metaData.getVulnerabilities();
    falsePositiveMarker.markFalsePositives(projectId, vulnerabilities);

    ReportTransformationResult transformed = new ReportTransformationResult();
    transformed.setReportVersion(SecHubReportVersion.VERSION_1_0.getVersionAsString());
    transformed.setJobUUID(jobUUID);
    List<SecHubFinding> findings = transformed.getResult().getFindings();

    int position = 0;
    for (SerecoVulnerability vulnerability : vulnerabilities) {
        position++;
        /* false positives are not part of the report - the id is still consumed */
        if (vulnerability.isFalsePositive()) {
            continue;
        }

        SecHubFinding finding = new SecHubFinding();
        handleClassifications(finding, vulnerability, jobUUID);
        finding.setId(position);
        finding.setName(vulnerability.getType());
        finding.setDescription(vulnerability.getDescription());
        finding.setSolution(vulnerability.getSolution());
        finding.setSeverity(transformSeverity(vulnerability.getSeverity()));
        if (showProductLineResultLink) {
            finding.setProductResultLink(vulnerability.getProductResultLink());
        }

        /* the finding keeps the original (possibly null) scan type, the fallback is only used for dispatching */
        ScanType scanType = vulnerability.getScanType();
        finding.setType(scanType);
        if (scanType == null) {
            scanType = ScanType.UNKNOWN;
            LOG.debug("Finding:{} '{}' has no scan type set. Use {} as fallback.", position, vulnerability.getType(), scanType);
        }

        if (scanType == ScanType.CODE_SCAN) {
            finding.setCode(convert(vulnerability.getCode()));
        } else if (scanType == ScanType.WEB_SCAN) {
            appendWebData(jobUUID, vulnerability, finding);
        }
        /* INFRA_SCAN and all other scan types carry no additional data */

        findings.add(finding);
    }

    handleAnnotations(jobUUID, metaData, transformed);

    /* no status set means no failure appeared, so the result is marked as OK */
    if (transformed.getStatus() == null) {
        transformed.setStatus(SecHubStatus.SUCCESS);
    }
    return transformed;
}

Example 7 with ReportTransformationResult

use of com.mercedesbenz.sechub.domain.scan.ReportTransformationResult in project sechub by mercedes-benz.

From the class SerecoProductResultTransformerTest, method one_vulnerability_in_meta_results_in_one_finding.

/**
 * SeReCo meta data containing exactly one vulnerability must be transformed
 * into a SecHub result containing exactly one finding.
 */
@Test
public void one_vulnerability_in_meta_results_in_one_finding() throws Exception {
    /* prepare */
    String serecoJson = createMetaDataWithOneVulnerabilityFound();

    /* execute */
    ReportTransformationResult transformed = transformerToTest.transform(createProductResult(serecoJson));

    /* test */
    AssertSecHubResult.assertSecHubResult(transformed.getResult()).hasFindings(1);
}

Example 8 with ReportTransformationResult

use of com.mercedesbenz.sechub.domain.scan.ReportTransformationResult in project sechub by mercedes-benz.

From the class SerecoProductResultTransformerTest, method transformation_of_id_finding_description_severity_and_name_are_done.

/**
 * The single vulnerability of the prepared meta data must be transformed with
 * id, description, severity and name taken over, and every finding must carry
 * the WEB_SCAN scan type.
 */
@Test
public void transformation_of_id_finding_description_severity_and_name_are_done() throws Exception {
    /* prepare */
    String serecoJson = createMetaDataWithOneVulnerabilityFound();

    /* execute */
    ReportTransformationResult transformed = transformerToTest.transform(createProductResult(serecoJson));

    /* test */
    for (SecHubFinding finding : transformed.getResult().getFindings()) {
        assertEquals(ScanType.WEB_SCAN, finding.getType());
    }
    /* @formatter:off */
    AssertSecHubResult.assertSecHubResult(transformed.getResult()).
        hasFindingWithId(1).
            hasDescription("desc1").
            hasSeverity(com.mercedesbenz.sechub.commons.model.Severity.MEDIUM).
            hasName("type1");
    /* @formatter:on */
}
