Use of com.mercedesbenz.sechub.domain.scan.ReportTransformationResult in project sechub by mercedes-benz: class SerecoProductResultTransformer, method transform.
/**
 * Transforms a SeReCo product result into a SecHub report transformation result.
 * <p>
 * The JSON stored in the product result is parsed as {@link SerecoMetaData}. The
 * vulnerabilities are first passed through the false positive marker; every
 * vulnerability marked as false positive is skipped afterwards, so only real
 * positives end up in the report (the false positive data remains in the SeReCo
 * result itself). Finding ids are assigned by position in the SeReCo list, so a
 * skipped false positive leaves a gap in the ids.
 *
 * @param serecoProductResult the product result whose {@code getResult()} holds the
 *                            SeReCo meta data as JSON
 * @return a transformation result with report version 1.0, the job UUID, all real
 *         positive findings and a status (SUCCESS unless an annotation set one)
 * @throws SecHubExecutionException declared for the transformation; which called
 *                                  helper raises it is not visible here
 */
@Override
public ReportTransformationResult transform(ProductResult serecoProductResult) throws SecHubExecutionException {
    String serecoJson = serecoProductResult.getResult();
    String projectId = serecoProductResult.getProjectId();
    UUID jobUUID = serecoProductResult.getSecHubJobUUID();

    /* The product output is parsed as SeReCo meta data before anything is reported */
    SerecoMetaData metaData = JSONConverter.get().fromJSON(SerecoMetaData.class, serecoJson);

    /* marking happens before the loop, so isFalsePositive() below reflects the project configuration */
    falsePositiveMarker.markFalsePositives(projectId, metaData.getVulnerabilities());

    ReportTransformationResult transformed = new ReportTransformationResult();
    transformed.setReportVersion(SecHubReportVersion.VERSION_1_0.getVersionAsString());
    transformed.setJobUUID(jobUUID);

    List<SecHubFinding> reportFindings = transformed.getResult().getFindings();
    int nextFindingId = 0;

    for (SerecoVulnerability vulnerability : metaData.getVulnerabilities()) {
        /* the id is counted for every vulnerability, including the skipped false positives */
        nextFindingId++;

        if (vulnerability.isFalsePositive()) {
            /*
             * False positives are not part of the report - only real positives are
             * stored. The false positive data is still available in the SeReCo results
             * and therefore in the admin scan logs.
             */
            continue;
        }

        SecHubFinding finding = new SecHubFinding();
        handleClassifications(finding, vulnerability, jobUUID);
        finding.setDescription(vulnerability.getDescription());
        finding.setName(vulnerability.getType());
        finding.setSolution(vulnerability.getSolution());
        finding.setId(nextFindingId);
        finding.setSeverity(transformSeverity(vulnerability.getSeverity()));

        if (showProductLineResultLink) {
            finding.setProductResultLink(vulnerability.getProductResultLink());
        }

        /* the finding keeps the scan type as delivered - the fallback below only drives the type specific handling */
        ScanType scanType = vulnerability.getScanType();
        finding.setType(scanType);
        if (scanType == null) {
            // Normally only artificial vulnerabilities added for SecHub failures have no
            // scan type (a legacy feature which will be removed in future).
            scanType = ScanType.UNKNOWN;
            LOG.debug("Finding:{} '{}' has no scan type set. Use {} as fallback.", nextFindingId, vulnerability.getType(), scanType);
        }

        if (scanType == ScanType.CODE_SCAN) {
            finding.setCode(convert(vulnerability.getCode()));
        } else if (scanType == ScanType.WEB_SCAN) {
            appendWebData(jobUUID, vulnerability, finding);
        }
        /* INFRA_SCAN and all other scan types add no type specific data */

        reportFindings.add(finding);
    }

    handleAnnotations(jobUUID, metaData, transformed);

    /* no status set by the annotations means no failure appeared - so the result is OK */
    if (transformed.getStatus() == null) {
        transformed.setStatus(SecHubStatus.SUCCESS);
    }
    return transformed;
}
Use of com.mercedesbenz.sechub.domain.scan.ReportTransformationResult in project sechub by mercedes-benz: class SerecoProductResultTransformerTest, method one_vulnerability_in_meta_results_in_one_finding.
/**
 * A SeReCo meta data document containing exactly one vulnerability must be
 * transformed into a report with exactly one finding.
 */
@Test
public void one_vulnerability_in_meta_results_in_one_finding() throws Exception {
    /* prepare */
    String serecoJson = createMetaDataWithOneVulnerabilityFound();
    ProductResult productResult = createProductResult(serecoJson);

    /* execute */
    ReportTransformationResult transformed = transformerToTest.transform(productResult);

    /* test */
    AssertSecHubResult.assertSecHubResult(transformed.getResult()).hasFindings(1);
}
Use of com.mercedesbenz.sechub.domain.scan.ReportTransformationResult in project sechub by mercedes-benz: class SerecoProductResultTransformerTest, method transformation_of_id_finding_description_severity_and_name_are_done.
/**
 * Checks that id, description, severity, name and scan type of the single
 * vulnerability from {@code createMetaDataWithOneVulnerabilityFound()} are
 * carried over to the finding in the transformed report.
 */
@Test
public void transformation_of_id_finding_description_severity_and_name_are_done() throws Exception {
    /* prepare */
    String serecoJson = createMetaDataWithOneVulnerabilityFound();
    ProductResult productResult = createProductResult(serecoJson);

    /* execute */
    ReportTransformationResult transformed = transformerToTest.transform(productResult);

    /* test */
    /* every finding of the prepared meta data is expected to be a web scan finding */
    for (SecHubFinding finding : transformed.getResult().getFindings()) {
        assertEquals(ScanType.WEB_SCAN, finding.getType());
    }

    /* @formatter:off */
    AssertSecHubResult.assertSecHubResult(transformed.getResult()).
        hasFindingWithId(1).
        hasDescription("desc1").
        hasSeverity(com.mercedesbenz.sechub.commons.model.Severity.MEDIUM).
        hasName("type1");
    /* @formatter:on */
}