Example 1 with FalsePositiveProjectConfiguration
use of com.mercedesbenz.sechub.domain.scan.project.FalsePositiveProjectConfiguration in project sechub by mercedes-benz.
the class SerecoFalsePositiveMarker method markFalsePositives.
public void markFalsePositives(String projectId, List<SerecoVulnerability> all) {
notEmpty(projectId, "project id may not be null or empty!");
if (all == null || all.isEmpty()) {
/* no vulnerabilities found */
return;
}
ScanProjectConfig config = scanProjectConfigService.get(projectId, ScanProjectConfigID.FALSE_POSITIVE_CONFIGURATION, false);
if (config == null) {
/* nothing configured */
return;
}
String data = config.getData();
FalsePositiveProjectConfiguration falsePositiveConfig = FalsePositiveProjectConfiguration.fromJSONString(data);
List<FalsePositiveEntry> falsePositives = falsePositiveConfig.getFalsePositives();
for (SerecoVulnerability vulnerability : all) {
handleVulnereability(falsePositives, vulnerability);
}
}
Also used :
FalsePositiveEntry(com.mercedesbenz.sechub.domain.scan.project.FalsePositiveEntry)
SerecoVulnerability(com.mercedesbenz.sechub.sereco.metadata.SerecoVulnerability)
ScanProjectConfig(com.mercedesbenz.sechub.domain.scan.project.ScanProjectConfig)
FalsePositiveProjectConfiguration(com.mercedesbenz.sechub.domain.scan.project.FalsePositiveProjectConfiguration)
Example 2 with FalsePositiveProjectConfiguration
use of com.mercedesbenz.sechub.domain.scan.project.FalsePositiveProjectConfiguration in project sechub by mercedes-benz.
the class FalsePositiveRestControllerRestDocTest method user_fetches_false_positive_configuration.
@Test
@UseCaseRestDoc(useCase = UseCaseUserFetchesFalsePositiveConfigurationOfProject.class)
public void user_fetches_false_positive_configuration() throws Exception {
/* prepare */
String apiEndpoint = https(PORT_USED).buildUserFetchesFalsePositiveConfigurationOfProject(PROJECT_ID.pathElement());
Class<? extends Annotation> useCase = UseCaseUserFetchesFalsePositiveConfigurationOfProject.class;
int findingId = 42;
UUID jobUUID = UUID.fromString("f1d02a9d-5e1b-4f52-99e5-401854ccf936");
FalsePositiveProjectConfiguration config = new FalsePositiveProjectConfiguration();
List<FalsePositiveEntry> fpList = config.getFalsePositives();
FalsePositiveEntry entry = new FalsePositiveEntry();
entry.setAuthor("developer1");
entry.setCreated(new Date(1591962795187L));
FalsePositiveJobData jobData1 = new FalsePositiveJobData();
jobData1.setComment("Only used in documentation build not in deployment");
jobData1.setJobUUID(jobUUID);
jobData1.setFindingId(findingId);
entry.setJobData(jobData1);
FalsePositiveMetaData metaData = new FalsePositiveMetaData();
metaData.setCweId(Integer.valueOf(36));
FalsePositiveCodeMetaData code = new FalsePositiveCodeMetaData();
FalsePositiveCodePartMetaData start = new FalsePositiveCodePartMetaData();
start.setLocation("java/com/mercedesbenz/sechub/docgen/AsciidocGenerator.java");
start.setRelevantPart("args");
start.setSourceCode("\tpublic static void main(String[] args) throws Exception {");
code.setStart(start);
FalsePositiveCodePartMetaData end = new FalsePositiveCodePartMetaData();
end.setLocation("java/com/mercedesbenz/sechub/docgen/AsciidocGenerator.java");
end.setRelevantPart("File");
end.setSourceCode("\t\tFile documentsGenFolder = new File(path);");
code.setEnd(end);
metaData.setCode(code);
metaData.setScanType(ScanType.CODE_SCAN);
metaData.setSeverity(Severity.MEDIUM);
metaData.setName("Absolute Path Traversal");
entry.setMetaData(metaData);
fpList.add(entry);
when(falsePositiveJobDataService.fetchFalsePositivesProjectConfiguration(PROJECT1_ID)).thenReturn(config);
/* execute + test @formatter:off */
String metaDataPath = PROPERTY_FALSE_POSITIVES + "[]." + FalsePositiveEntry.PROPERTY_METADATA;
String codeMetaDataPath = metaDataPath + "." + FalsePositiveMetaData.PROPERTY_CODE;
this.mockMvc.perform(get(apiEndpoint, PROJECT1_ID)).andExpect(status().isOk()).andDo(defineRestService().with().useCaseData(useCase).tag(RestDocFactory.extractTag(apiEndpoint)).responseSchema(OpenApiSchema.FALSE_POSITVES.getSchema()).and().document(responseFields(fieldWithPath(PROPERTY_FALSE_POSITIVES).description("Job data list containing false positive setup based on former jobs"), fieldWithPath(PROPERTY_FALSE_POSITIVES + "[]." + FalsePositiveEntry.PROPERTY_AUTHOR).description("User id of author who created false positive"), fieldWithPath(PROPERTY_FALSE_POSITIVES + "[]." + FalsePositiveEntry.PROPERTY_CREATED).description("Creation timestamp"), fieldWithPath(metaDataPath).description("Meta data for this false positive"), fieldWithPath(metaDataPath + "." + FalsePositiveMetaData.PROPERTY_SCANTYPE).description("Scan type - e.g. codeScan"), fieldWithPath(metaDataPath + "." + FalsePositiveMetaData.PROPERTY_NAME).description("Name of origin finding marked as false positive"), fieldWithPath(metaDataPath + "." + FalsePositiveMetaData.PROPERTY_CWE_ID).type(JsonFieldType.NUMBER).optional().description("CWE (common weakness enumeration). For code scans this is always set."), fieldWithPath(metaDataPath + "." + FalsePositiveMetaData.PROPERTY_CVE_ID).type(JsonFieldType.STRING).optional().description("CVE (common vulnerability and exposures). For infra scans this is always set."), fieldWithPath(metaDataPath + "." + FalsePositiveMetaData.PROPERTY_OWASP).type(JsonFieldType.STRING).optional().description("OWASP At least this field must be set for web scans when no cwe identifier is defined."), fieldWithPath(metaDataPath + "." + FalsePositiveMetaData.PROPERTY_SEVERITY).description("Severity of origin report entry marked as false positive"), fieldWithPath(codeMetaDataPath).optional().description("Code part. Only available for scan type 'codeScan'"), fieldWithPath(codeMetaDataPath + "." + FalsePositiveCodeMetaData.PROPERTY_START).description("entry point"), fieldWithPath(codeMetaDataPath + "." + FalsePositiveCodeMetaData.PROPERTY_START + "." + FalsePositiveCodePartMetaData.PROPERTY_LOCATION).description("location of code"), fieldWithPath(codeMetaDataPath + "." + FalsePositiveCodeMetaData.PROPERTY_START + "." + FalsePositiveCodePartMetaData.PROPERTY_RELEVANT_PART).description("relevant part of source vulnerability"), fieldWithPath(codeMetaDataPath + "." + FalsePositiveCodeMetaData.PROPERTY_START + "." + FalsePositiveCodePartMetaData.PROPERTY_SOURCE_CODE).description("source code"), fieldWithPath(codeMetaDataPath + "." + FalsePositiveCodeMetaData.PROPERTY_END).optional().description("end point (sink)"), fieldWithPath(codeMetaDataPath + "." + FalsePositiveCodeMetaData.PROPERTY_END + "." + FalsePositiveCodePartMetaData.PROPERTY_LOCATION).description("location of code"), fieldWithPath(codeMetaDataPath + "." + FalsePositiveCodeMetaData.PROPERTY_END + "." + FalsePositiveCodePartMetaData.PROPERTY_RELEVANT_PART).description("relevant part of source vulnerability"), fieldWithPath(codeMetaDataPath + "." + FalsePositiveCodeMetaData.PROPERTY_END + "." + FalsePositiveCodePartMetaData.PROPERTY_SOURCE_CODE).description("source code"), fieldWithPath(PROPERTY_FALSE_POSITIVES + "[]." + FalsePositiveEntry.PROPERTY_JOBDATA).description("Job data parts, can be used as key to identify false positives"), fieldWithPath(PROPERTY_FALSE_POSITIVES + "[]." + FalsePositiveEntry.PROPERTY_JOBDATA + "." + PROPERTY_JOBUUID).description("SecHub job uuid where finding was"), fieldWithPath(PROPERTY_FALSE_POSITIVES + "[]." + FalsePositiveEntry.PROPERTY_JOBDATA + "." + PROPERTY_FINDINGID).description("SecHub finding identifier - identifies problem inside the job which shall be markeda as a false positive. *ATTENTION*: at the moment only code scan false positive handling is supported. Infra and web scan findings will lead to a non accepted error!"), fieldWithPath(PROPERTY_FALSE_POSITIVES + "[]." + FalsePositiveEntry.PROPERTY_JOBDATA + "." + PROPERTY_COMMENT).optional().description("A comment from author describing why this was marked as a false positive")), pathParameters(parameterWithName(PROJECT_ID.paramName()).description("The project id"))));
/* @formatter:on */
}
Also used :
FalsePositiveMetaData(com.mercedesbenz.sechub.domain.scan.project.FalsePositiveMetaData)
FalsePositiveJobData(com.mercedesbenz.sechub.domain.scan.project.FalsePositiveJobData)
UseCaseUserFetchesFalsePositiveConfigurationOfProject(com.mercedesbenz.sechub.sharedkernel.usecases.user.execute.UseCaseUserFetchesFalsePositiveConfigurationOfProject)
Date(java.util.Date)
FalsePositiveEntry(com.mercedesbenz.sechub.domain.scan.project.FalsePositiveEntry)
FalsePositiveCodeMetaData(com.mercedesbenz.sechub.domain.scan.project.FalsePositiveCodeMetaData)
UUID(java.util.UUID)
FalsePositiveProjectConfiguration(com.mercedesbenz.sechub.domain.scan.project.FalsePositiveProjectConfiguration)
FalsePositiveCodePartMetaData(com.mercedesbenz.sechub.domain.scan.project.FalsePositiveCodePartMetaData)
UseCaseRestDoc(com.mercedesbenz.sechub.sharedkernel.usecases.UseCaseRestDoc)
WebMvcTest(org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest)
Test(org.junit.Test)
Example 3 with FalsePositiveProjectConfiguration
use of com.mercedesbenz.sechub.domain.scan.project.FalsePositiveProjectConfiguration in project sechub by mercedes-benz.
the class SerecoFalsePositiveCodeScanStrategyTest method fetchFirstEntryMetaDataOfExample3.
private FalsePositiveMetaData fetchFirstEntryMetaDataOfExample3() {
String json = ScanProductSerecoTestFileSupport.getTestfileSupport().loadTestFile("false_positives/scan_false_positive_config_example3.json");
FalsePositiveProjectConfiguration config = FalsePositiveProjectConfiguration.fromJSONString(json);
FalsePositiveEntry entry = config.getFalsePositives().get(0);
// sanity check, means correct entry...
assertEquals("entry-1", entry.getJobData().getComment());
FalsePositiveMetaData metaData = entry.getMetaData();
return metaData;
}
Also used :
FalsePositiveEntry(com.mercedesbenz.sechub.domain.scan.project.FalsePositiveEntry)
FalsePositiveMetaData(com.mercedesbenz.sechub.domain.scan.project.FalsePositiveMetaData)
FalsePositiveProjectConfiguration(com.mercedesbenz.sechub.domain.scan.project.FalsePositiveProjectConfiguration)
Example 4 with FalsePositiveProjectConfiguration
use of com.mercedesbenz.sechub.domain.scan.project.FalsePositiveProjectConfiguration in project sechub by mercedes-benz.
the class SerecoFalsePositiveFinderTest method fetchFirstEntryMetaDataOfExample3.
private FalsePositiveMetaData fetchFirstEntryMetaDataOfExample3() {
String json = ScanProductSerecoTestFileSupport.getTestfileSupport().loadTestFile("false_positives/scan_false_positive_config_example3.json");
FalsePositiveProjectConfiguration config = FalsePositiveProjectConfiguration.fromJSONString(json);
FalsePositiveEntry entry = config.getFalsePositives().get(0);
// sanity check, means correct entry...
assertEquals("entry-1", entry.getJobData().getComment());
FalsePositiveMetaData metaData = entry.getMetaData();
return metaData;
}
Also used :
FalsePositiveEntry(com.mercedesbenz.sechub.domain.scan.project.FalsePositiveEntry)
FalsePositiveMetaData(com.mercedesbenz.sechub.domain.scan.project.FalsePositiveMetaData)
FalsePositiveProjectConfiguration(com.mercedesbenz.sechub.domain.scan.project.FalsePositiveProjectConfiguration)
Example 5 with FalsePositiveProjectConfiguration
use of com.mercedesbenz.sechub.domain.scan.project.FalsePositiveProjectConfiguration in project sechub by mercedes-benz.
the class SerecoFalsePositiveMarkerTest method before.
@Before
public void before() throws Exception {
markerToTest = new SerecoFalsePositiveMarker();
scanProjectConfigService = mock(ScanProjectConfigService.class);
falsePositiveFinder = mock(SerecoFalsePositiveFinder.class);
config = new ScanProjectConfig(ScanProjectConfigID.FALSE_POSITIVE_CONFIGURATION, PROJECT_ID);
when(scanProjectConfigService.get(PROJECT_ID, ScanProjectConfigID.FALSE_POSITIVE_CONFIGURATION, false)).thenReturn(config);
markerToTest.scanProjectConfigService = scanProjectConfigService;
markerToTest.falsePositiveFinder = falsePositiveFinder;
projectConfig = new FalsePositiveProjectConfiguration();
}
Also used :
ScanProjectConfigService(com.mercedesbenz.sechub.domain.scan.project.ScanProjectConfigService)
ScanProjectConfig(com.mercedesbenz.sechub.domain.scan.project.ScanProjectConfig)
FalsePositiveProjectConfiguration(com.mercedesbenz.sechub.domain.scan.project.FalsePositiveProjectConfiguration)
Before(org.junit.Before)
Aggregations
FalsePositiveProjectConfiguration (com.mercedesbenz.sechub.domain.scan.project.FalsePositiveProjectConfiguration)5
FalsePositiveEntry (com.mercedesbenz.sechub.domain.scan.project.FalsePositiveEntry)4
FalsePositiveMetaData (com.mercedesbenz.sechub.domain.scan.project.FalsePositiveMetaData)3
ScanProjectConfig (com.mercedesbenz.sechub.domain.scan.project.ScanProjectConfig)2
FalsePositiveCodeMetaData (com.mercedesbenz.sechub.domain.scan.project.FalsePositiveCodeMetaData)1
FalsePositiveCodePartMetaData (com.mercedesbenz.sechub.domain.scan.project.FalsePositiveCodePartMetaData)1
FalsePositiveJobData (com.mercedesbenz.sechub.domain.scan.project.FalsePositiveJobData)1
ScanProjectConfigService (com.mercedesbenz.sechub.domain.scan.project.ScanProjectConfigService)1
SerecoVulnerability (com.mercedesbenz.sechub.sereco.metadata.SerecoVulnerability)1
UseCaseRestDoc (com.mercedesbenz.sechub.sharedkernel.usecases.UseCaseRestDoc)1
UseCaseUserFetchesFalsePositiveConfigurationOfProject (com.mercedesbenz.sechub.sharedkernel.usecases.user.execute.UseCaseUserFetchesFalsePositiveConfigurationOfProject)1
Date (java.util.Date)1
UUID (java.util.UUID)1
Before (org.junit.Before)1
Test (org.junit.Test)1
WebMvcTest (org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest)1
