Enforce non-incremental scans when optimized and scheduled (#3039)

* Enfore non-incremental scans when optimized * Update resources/metadata/checkmarx.yaml Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com> * Update generated file Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2025-10-30 23:57:50 +02:00 · 2021-08-10 11:27:28 +02:00
parent 90110c0702
commit 1ddd966249
4 changed files with 57 additions and 2 deletions
--- a/cmd/checkmarxExecuteScan.go
+++ b/cmd/checkmarxExecuteScan.go
@@ -247,7 +247,9 @@ func uploadAndScan(config checkmarxExecuteScanOptions, sys checkmarx.System, pro
 			return errors.Wrapf(err, "invalid configuration value for fullScanCycle %v, must be a positive int", config.FullScanCycle)
 		}

-		if incremental && config.FullScansScheduled && fullScanCycle > 0 && (getNumCoherentIncrementalScans(previousScans)+1)%fullScanCycle == 0 {
+		if config.IsOptimizedAndScheduled {
+			incremental = false
+		} else if incremental && config.FullScansScheduled && fullScanCycle > 0 && (getNumCoherentIncrementalScans(previousScans)+1)%fullScanCycle == 0 {
 			incremental = false
 		}

--- a/cmd/checkmarxExecuteScan_generated.go
+++ b/cmd/checkmarxExecuteScan_generated.go
@@ -40,6 +40,7 @@ type checkmarxExecuteScanOptions struct {
 	VulnerabilityThresholdMedium  int    `json:"vulnerabilityThresholdMedium,omitempty"`
 	VulnerabilityThresholdResult  string `json:"vulnerabilityThresholdResult,omitempty"`
 	VulnerabilityThresholdUnit    string `json:"vulnerabilityThresholdUnit,omitempty"`
+	IsOptimizedAndScheduled       bool   `json:"isOptimizedAndScheduled,omitempty"`
 }

 type checkmarxExecuteScanInflux struct {
@@ -281,6 +282,7 @@ func addCheckmarxExecuteScanFlags(cmd *cobra.Command, stepConfig *checkmarxExecu
 	cmd.Flags().IntVar(&stepConfig.VulnerabilityThresholdMedium, "vulnerabilityThresholdMedium", 100, "The specific threshold for medium severity findings")
 	cmd.Flags().StringVar(&stepConfig.VulnerabilityThresholdResult, "vulnerabilityThresholdResult", `FAILURE`, "The result of the build in case thresholds are enabled and exceeded")
 	cmd.Flags().StringVar(&stepConfig.VulnerabilityThresholdUnit, "vulnerabilityThresholdUnit", `percentage`, "The unit for the threshold to apply.")
+	cmd.Flags().BoolVar(&stepConfig.IsOptimizedAndScheduled, "isOptimizedAndScheduled", false, "Whether the pipeline runs in optimized mode and the current execution is a scheduled one")

 	cmd.MarkFlagRequired("password")
 	cmd.MarkFlagRequired("projectName")
@@ -536,6 +538,20 @@ func checkmarxExecuteScanMetadata() config.StepData {
 						Aliases:     []config.Alias{},
 						Default:     `percentage`,
 					},
+					{
+						Name: "isOptimizedAndScheduled",
+						ResourceRef: []config.ResourceReference{
+							{
+								Name:  "commonPipelineEnvironment",
+								Param: "custom/isOptimizedAndScheduled",
+							},
+						},
+						Scope:     []string{"PARAMETERS"},
+						Type:      "bool",
+						Mandatory: false,
+						Aliases:   []config.Alias{},
+						Default:   false,
+					},
 				},
 			},
 			Outputs: config.StepOutputs{
--- a/cmd/checkmarxExecuteScan_test.go
+++ b/cmd/checkmarxExecuteScan_test.go
@@ -5,7 +5,6 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
-	"github.com/bmatcuk/doublestar"
 	"io/ioutil"
 	"os"
 	"path/filepath"
@@ -14,6 +13,8 @@ import (
 	"testing"
 	"time"

+	"github.com/bmatcuk/doublestar"
+
 	"github.com/SAP/jenkins-library/pkg/checkmarx"
 	"github.com/stretchr/testify/assert"
 )
@@ -571,6 +572,34 @@ func TestRunScan_nonNumeralPreset(t *testing.T) {
 	assert.NoError(t, err, "error occurred but none expected")
 }

+func TestRunOptimizedScan(t *testing.T) {
+	t.Parallel()
+
+	sys := &systemMockForExistingProject{response: []byte(`<?xml version="1.0" encoding="utf-8"?><CxXMLResults />`)}
+	options := checkmarxExecuteScanOptions{IsOptimizedAndScheduled: true, ProjectName: "TestExisting", VulnerabilityThresholdUnit: "absolute", FullScanCycle: "1", Incremental: true, FullScansScheduled: true, Preset: "10048", TeamID: "16", VulnerabilityThresholdEnabled: true, GeneratePdfReport: true}
+	workspace, err := ioutil.TempDir("", "workspace1")
+	if err != nil {
+		t.Fatal("Failed to create temporary workspace directory")
+	}
+	// clean up tmp dir
+	defer os.RemoveAll(workspace)
+	err = ioutil.WriteFile(filepath.Join(workspace, "abcd.go"), []byte("abcd.go"), 0700)
+	assert.NoError(t, err)
+	options.FilterPattern = "**/abcd.go"
+
+	influx := checkmarxExecuteScanInflux{}
+
+	utilsMock := newCheckmarxExecuteScanUtilsMock()
+	utilsMock.workspace = workspace
+
+	err = runScan(options, sys, &influx, utilsMock)
+	assert.NoError(t, err, "error occurred but none expected")
+	assert.Equal(t, false, sys.isIncremental, "isIncremental has wrong value")
+	assert.Equal(t, true, sys.isPublic, "isPublic has wrong value")
+	assert.Equal(t, true, sys.forceScan, "forceScan has wrong value")
+	assert.Equal(t, true, sys.scanProjectCalled, "ScanProject was not invoked")
+}
+
 func TestSetPresetForProjectWithIDProvided(t *testing.T) {
 	t.Parallel()

--- a/resources/metadata/checkmarx.yaml
+++ b/resources/metadata/checkmarx.yaml
@@ -239,6 +239,14 @@ spec:
          - STAGES
          - STEPS
        default: percentage
+      - name: isOptimizedAndScheduled
+        type: bool
+        description: Whether the pipeline runs in optimized mode and the current execution is a scheduled one
+        resourceRef:
+          - name: commonPipelineEnvironment
+            param: custom/isOptimizedAndScheduled
+        scope:
+          - PARAMETERS
  outputs:
    resources:
      - name: influx