
Example 1 with FalsePositiveMetaData

use of com.mercedesbenz.sechub.domain.scan.project.FalsePositiveMetaData in project sechub by mercedes-benz.

Class SerecoFalsePositiveFinderTest, method code_scan_triggers_codescan_strategy_and_uses_its_result.

/**
 * A code-scan finding must be routed to the code-scan strategy, and the strategy's answer
 * must be passed through unchanged by the finder.
 */
@Test
public void code_scan_triggers_codescan_strategy_and_uses_its_result() {
    /* prepare */
    FalsePositiveMetaData metaData = fetchFirstEntryMetaDataOfExample3();
    // A code-scan finding built from a start location and - via callsCode() - a second
    // location; presumably this models a flow/call chain, but only the scan type matters
    // for the dispatch under test.
    SerecoVulnerability codeScanFinding = TestSerecoVulnerabilityBuilder.builder()
            .name("name1")
            .codeScan()
                .location("location1").source("source1").relevantPart("relevant1")
                .callsCode().callsCode().callsCode()
                .location("location2").source("source2").relevantPart("relevant2")
            .end()
            .build();
    // The strategy is a mock: whatever it answers is what the finder must report.
    when(codeScanStrategy.isFalsePositive(codeScanFinding, metaData)).thenReturn(yesItIsAFalsePositive);

    /* execute */
    boolean found = finderToTest.isFound(codeScanFinding, metaData);

    /* test */
    verify(codeScanStrategy).isFalsePositive(codeScanFinding, metaData);
    assertEquals(yesItIsAFalsePositive, found);
}

Example 2 with FalsePositiveMetaData

use of com.mercedesbenz.sechub.domain.scan.project.FalsePositiveMetaData in project sechub by mercedes-benz.

Class SerecoFalsePositiveFinderTest, method webscan_triggers_not_codescanstrategy.

/**
 * The code-scan matching strategy must never be consulted for a web-scan finding.
 * (If it were, a code-scan false-positive entry could end up suppressing web findings.)
 */
@Test
public void webscan_triggers_not_codescanstrategy() {
    /* prepare */
    FalsePositiveMetaData metaData = fetchFirstEntryMetaDataOfExample3();
    SerecoVulnerability webFinding = TestSerecoVulnerabilityBuilder.builder()
            .name("name1")
            .webScan()
            .end()
            .build();

    /* execute */
    // The return value is not asserted here; this test only pins the dispatch decision.
    finderToTest.isFound(webFinding, metaData);

    /* test */
    verify(codeScanStrategy, never()).isFalsePositive(webFinding, metaData);
}

Example 3 with FalsePositiveMetaData

use of com.mercedesbenz.sechub.domain.scan.project.FalsePositiveMetaData in project sechub by mercedes-benz.

Class SerecoFalsePositiveMarkerTest, method a_webscan_triggers_NOT_falsePositiveFinder_for_fp_setting_for_codescan.

/**
 * A false-positive entry configured for CODE_SCAN must not even reach the finder when the
 * finding under inspection is a WEB_SCAN finding: the marker's scan-type check is expected
 * to short-circuit first, so an entry of one scan type can never suppress findings of another.
 */
@Test
public void a_webscan_triggers_NOT_falsePositiveFinder_for_fp_setting_for_codescan() {
    /* prepare */
    // One CODE_SCAN false-positive entry in the project configuration ...
    FalsePositiveMetaData codeScanEntry = addEntryAndReturnMetaData(projectConfig, ScanType.CODE_SCAN);
    // ... serialized only after the entry exists, so the marker sees it.
    config.setData(projectConfig.toJSON());
    // ... and exactly one finding of a different scan type.
    List<SerecoVulnerability> findings = new ArrayList<>();
    SerecoVulnerability webFinding = addVulnerability(findings, ScanType.WEB_SCAN);

    /* execute */
    markerToTest.markFalsePositives(PROJECT_ID, findings);

    /* test */
    verify(falsePositiveFinder, never()).isFound(webFinding, codeScanEntry);
}

Example 4 with FalsePositiveMetaData

use of com.mercedesbenz.sechub.domain.scan.project.FalsePositiveMetaData in project sechub by mercedes-benz.

Class FalsePositiveRestControllerRestDocTest, method user_fetches_false_positive_configuration.

/**
 * REST-docs test for "user fetches false positive configuration of project".
 * <p>
 * Builds a single-entry {@link FalsePositiveProjectConfiguration} (one CODE_SCAN false
 * positive with start/end code locations), lets the mocked job-data service return it, and
 * documents every field of the JSON response. The service is a mock, so this test covers
 * response shape and documentation only - whether the endpoint enforces project access is
 * not exercised here (verify elsewhere).
 * <p>
 * Fixed UUID/timestamp values keep the generated documentation snippets stable between builds.
 */
@Test
@UseCaseRestDoc(useCase = UseCaseUserFetchesFalsePositiveConfigurationOfProject.class)
public void user_fetches_false_positive_configuration() throws Exception {
    /* prepare */
    String apiEndpoint = https(PORT_USED).buildUserFetchesFalsePositiveConfigurationOfProject(PROJECT_ID.pathElement());
    Class<? extends Annotation> useCase = UseCaseUserFetchesFalsePositiveConfigurationOfProject.class;
    int findingId = 42;
    // Constant job UUID: example data only (see the comment set on jobData1 below).
    UUID jobUUID = UUID.fromString("f1d02a9d-5e1b-4f52-99e5-401854ccf936");
    FalsePositiveProjectConfiguration config = new FalsePositiveProjectConfiguration();
    List<FalsePositiveEntry> fpList = config.getFalsePositives();
    FalsePositiveEntry entry = new FalsePositiveEntry();
    entry.setAuthor("developer1");
    entry.setCreated(new Date(1591962795187L));
    // Job data = the (jobUUID, findingId) pair that identifies which finding was marked.
    FalsePositiveJobData jobData1 = new FalsePositiveJobData();
    jobData1.setComment("Only used in documentation build not in deployment");
    jobData1.setJobUUID(jobUUID);
    jobData1.setFindingId(findingId);
    entry.setJobData(jobData1);
    // Meta data = what the marker later matches against new findings (scan type, name,
    // CWE, severity and - for code scans - the start/end code locations).
    FalsePositiveMetaData metaData = new FalsePositiveMetaData();
    metaData.setCweId(Integer.valueOf(36));
    FalsePositiveCodeMetaData code = new FalsePositiveCodeMetaData();
    FalsePositiveCodePartMetaData start = new FalsePositiveCodePartMetaData();
    start.setLocation("java/com/mercedesbenz/sechub/docgen/AsciidocGenerator.java");
    start.setRelevantPart("args");
    start.setSourceCode("\tpublic static void main(String[] args) throws Exception {");
    code.setStart(start);
    FalsePositiveCodePartMetaData end = new FalsePositiveCodePartMetaData();
    end.setLocation("java/com/mercedesbenz/sechub/docgen/AsciidocGenerator.java");
    end.setRelevantPart("File");
    end.setSourceCode("\t\tFile documentsGenFolder = new File(path);");
    code.setEnd(end);
    metaData.setCode(code);
    metaData.setScanType(ScanType.CODE_SCAN);
    metaData.setSeverity(Severity.MEDIUM);
    metaData.setName("Absolute Path Traversal");
    entry.setMetaData(metaData);
    fpList.add(entry);
    // Note: the endpoint is built with PROJECT_ID.pathElement() but invoked and mocked with
    // PROJECT1_ID - the former is the path placeholder, the latter the concrete value.
    when(falsePositiveJobDataService.fetchFalsePositivesProjectConfiguration(PROJECT1_ID)).thenReturn(config);
    /* execute + test @formatter:off */
    String metaDataPath = PROPERTY_FALSE_POSITIVES + "[]." + FalsePositiveEntry.PROPERTY_METADATA;
    String codeMetaDataPath = metaDataPath + "." + FalsePositiveMetaData.PROPERTY_CODE;
    this.mockMvc.perform(get(apiEndpoint, PROJECT1_ID))
        .andExpect(status().isOk())
        .andDo(defineRestService()
            .with()
                .useCaseData(useCase)
                .tag(RestDocFactory.extractTag(apiEndpoint))
                .responseSchema(OpenApiSchema.FALSE_POSITVES.getSchema())
            .and()
            .document(
                responseFields(
                    fieldWithPath(PROPERTY_FALSE_POSITIVES).description("Job data list containing false positive setup based on former jobs"),
                    fieldWithPath(PROPERTY_FALSE_POSITIVES + "[]." + FalsePositiveEntry.PROPERTY_AUTHOR).description("User id of author who created false positive"),
                    fieldWithPath(PROPERTY_FALSE_POSITIVES + "[]." + FalsePositiveEntry.PROPERTY_CREATED).description("Creation timestamp"),
                    fieldWithPath(metaDataPath).description("Meta data for this false positive"),
                    fieldWithPath(metaDataPath + "." + FalsePositiveMetaData.PROPERTY_SCANTYPE).description("Scan type - e.g. codeScan"),
                    fieldWithPath(metaDataPath + "." + FalsePositiveMetaData.PROPERTY_NAME).description("Name of origin finding marked as false positive"),
                    // CWE/CVE/OWASP are optional in the schema; which one is present depends on the scan type.
                    fieldWithPath(metaDataPath + "." + FalsePositiveMetaData.PROPERTY_CWE_ID).type(JsonFieldType.NUMBER).optional().description("CWE (common weakness enumeration). For code scans this is always set."),
                    fieldWithPath(metaDataPath + "." + FalsePositiveMetaData.PROPERTY_CVE_ID).type(JsonFieldType.STRING).optional().description("CVE (common vulnerability and exposures). For infra scans this is always set."),
                    fieldWithPath(metaDataPath + "." + FalsePositiveMetaData.PROPERTY_OWASP).type(JsonFieldType.STRING).optional().description("OWASP At least this field must be set for web scans when no cwe identifier is defined."),
                    fieldWithPath(metaDataPath + "." + FalsePositiveMetaData.PROPERTY_SEVERITY).description("Severity of origin report entry marked as false positive"),
                    fieldWithPath(codeMetaDataPath).optional().description("Code part. Only available for scan type 'codeScan'"),
                    fieldWithPath(codeMetaDataPath + "." + FalsePositiveCodeMetaData.PROPERTY_START).description("entry point"),
                    fieldWithPath(codeMetaDataPath + "." + FalsePositiveCodeMetaData.PROPERTY_START + "." + FalsePositiveCodePartMetaData.PROPERTY_LOCATION).description("location of code"),
                    fieldWithPath(codeMetaDataPath + "." + FalsePositiveCodeMetaData.PROPERTY_START + "." + FalsePositiveCodePartMetaData.PROPERTY_RELEVANT_PART).description("relevant part of source vulnerability"),
                    fieldWithPath(codeMetaDataPath + "." + FalsePositiveCodeMetaData.PROPERTY_START + "." + FalsePositiveCodePartMetaData.PROPERTY_SOURCE_CODE).description("source code"),
                    fieldWithPath(codeMetaDataPath + "." + FalsePositiveCodeMetaData.PROPERTY_END).optional().description("end point (sink)"),
                    fieldWithPath(codeMetaDataPath + "." + FalsePositiveCodeMetaData.PROPERTY_END + "." + FalsePositiveCodePartMetaData.PROPERTY_LOCATION).description("location of code"),
                    fieldWithPath(codeMetaDataPath + "." + FalsePositiveCodeMetaData.PROPERTY_END + "." + FalsePositiveCodePartMetaData.PROPERTY_RELEVANT_PART).description("relevant part of source vulnerability"),
                    fieldWithPath(codeMetaDataPath + "." + FalsePositiveCodeMetaData.PROPERTY_END + "." + FalsePositiveCodePartMetaData.PROPERTY_SOURCE_CODE).description("source code"),
                    fieldWithPath(PROPERTY_FALSE_POSITIVES + "[]." + FalsePositiveEntry.PROPERTY_JOBDATA).description("Job data parts, can be used as key to identify false positives"),
                    fieldWithPath(PROPERTY_FALSE_POSITIVES + "[]." + FalsePositiveEntry.PROPERTY_JOBDATA + "." + PROPERTY_JOBUUID).description("SecHub job uuid where finding was"),
                    // NOTE(review): the description below has a typo ("markeda") and claims only code-scan
                    // false positives are supported, while SerecoFalsePositiveMarker.isFalsePositive also
                    // dispatches WEB_SCAN entries to the finder - the published text may be stale; confirm
                    // against the current marker before regenerating the API docs.
                    fieldWithPath(PROPERTY_FALSE_POSITIVES + "[]." + FalsePositiveEntry.PROPERTY_JOBDATA + "." + PROPERTY_FINDINGID).description("SecHub finding identifier - identifies problem inside the job which shall be markeda as a false positive. *ATTENTION*: at the moment only code scan false positive handling is supported. Infra and web scan findings will lead to a non accepted error!"),
                    fieldWithPath(PROPERTY_FALSE_POSITIVES + "[]." + FalsePositiveEntry.PROPERTY_JOBDATA + "." + PROPERTY_COMMENT).optional().description("A comment from author describing why this was marked as a false positive")),
                pathParameters(parameterWithName(PROJECT_ID.paramName()).description("The project id"))));
/* @formatter:on */
}

Example 5 with FalsePositiveMetaData

use of com.mercedesbenz.sechub.domain.scan.project.FalsePositiveMetaData in project sechub by mercedes-benz.

Class SerecoFalsePositiveMarker, method isFalsePositive.

/**
 * Decides whether one project false-positive entry applies to one report finding.
 * <p>
 * Fails closed: an entry without a scan type, a scan-type mismatch, or a scan type this
 * marker does not implement all yield {@code false}, i.e. the finding is NOT suppressed.
 * Only CODE_SCAN and WEB_SCAN entries are handed on to the finder for real matching.
 *
 * @param vulnerability the finding from the scan report
 * @param entry         a false-positive entry from the project configuration; its meta data
 *                      is read without a null check (assumed always present - confirm with
 *                      the configuration loader)
 * @return {@code true} only if the finder recognises the entry as describing this finding
 */
private boolean isFalsePositive(SerecoVulnerability vulnerability, FalsePositiveEntry entry) {
    FalsePositiveMetaData metaData = entry.getMetaData();
    ScanType configuredType = metaData.getScanType();

    /* guard clauses: anything we cannot positively match is not a false positive */
    if (configuredType == null) {
        return false;
    }
    if (configuredType != vulnerability.getScanType()) {
        return false;
    }

    switch (configuredType) {
    case CODE_SCAN:
    case WEB_SCAN:
        return falsePositiveFinder.isFound(vulnerability, metaData);
    default:
        /* unknown type: log loudly but keep the finding visible */
        LOG.error("Cannot handle scan type {} - not implemented!", configuredType);
        return false;
    }
}
