
fix(cxOne): fix SARIF duplicated entries and branch name (#4904)

* Initial in progress

* compiling but not yet functional

* Missed file

* updated checkmarxone step

* Working up to fetching a project then breaks

* Missed file

* Breaks when retrieving projects+proxy set

* Create project & run scan working, now polling

* Fixed polling

* added back the zipfile remove command

* Fixed polling again

* Generates and downloads PDF report

* Updated and working, prep for refactor

* Added compliance steps

* Cleanup, reporting, added groovy connector

* fixed groovy file

* checkmarxone to checkmarxOne

* checkmarxone to checkmarxOne

* split credentials (id+secret, apikey), renamed pullrequestname to branch, groovy fix

* Fixed filenames & yaml

* missed the metadata_generated.go

* added json to sarif conversion

* fix:type in new checkmarxone package

* fix:type in new checkmarxone package

* removed test logs, added temp error log for creds

* extra debugging to fix crash

* improved auth logging, fixed query parse issue

* fixed bug with group fetch when using oauth user

* CWE can be -1 if not defined, can't be uint

* Query also had CweID

* Disabled predicates-fetch in sarif generation

* Removing leftover info log message

* Better error handling

* fixed default preset configuration

* removing .bat files - sorry

* Cleanup per initial review

* refactoring per Gist, fixed project find, add apps

* small fix - sorry for commit noise while testing

* Fixing issues with incremental scans.

* removing maxretries

* Updated per PR feedback, further changes todo today

* JSON Report changes and reporting cleanup

* removing .bat (again?)

* adding docs, groovy unit test, linter fixes

* Started adding tests maybe 15% covered

* fix(checkmarxOne): test cases for pkg and reporting

* fix(checkmarxOne):fix formatting

* feat(checkmarxone): update interface with missing method

* feat(checkmarxone):change runStep signature to be able to inject dependency

* feat(checkmarxone): add tests for step (wip)

* Adding a bit more coverage

* feat(checkmarxOne): fix code review

* feat(checkmarxOne): fix code review

* feat(checkmarxOne): fix code review

* feat(checkmarxOne): fix integration test PR

* adding scan-summary bug workaround, reportgen fail

* enforceThresholds fix when no results passed in

* fixed gap when preset empty in yaml & project conf

* fixed another gap in preset selection

* fix 0-result panic

* fail when no preset is set anywhere

* removed comment

* initial project-under-app support

* fixing sarif reportgen

* some cleanup of error messages

* post-merge test fixes

* revert previous upstream merge

* adding "incremental" to "full" triggers

* wrong boolean

* project-in-application api change prep

* Fixing SARIF report without preset access

* fix sarif deeplink

* removing comments

* fix(cxone):formatting

* fix(cxone):formatting

* small sarif fixes

* fixed merge

* attempt at pulling git source repo branch

* fix(cxone):new endpoint for project creation

---------

Co-authored-by: thtri <trinhthanhhai@gmail.com>
Co-authored-by: Thanh-Hai Trinh <thanh.hai.trinh@sap.com>
This commit is contained in:
michaelkubiaczyk 2024-04-22 18:21:02 +02:00 committed by GitHub
parent 265105efa1
commit 7a3024c697
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 43 additions and 2 deletions


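--- a/PATH_NOT_SHOWN_ON_PAGE_1
+++ b/PATH_NOT_SHOWN_ON_PAGE_1
@@ -419,6 +419,9 @@ func (c *checkmarxOneExecuteScanHelper) CreateScanRequest(incremental bool, uplo
 }
 branch := c.config.Branch
+if len(branch) == 0 && len(c.config.GitBranch) > 0 {
+branch = c.config.GitBranch
+}
 if len(c.config.PullRequestName) > 0 {
 branch = fmt.Sprintf("%v-%v", c.config.PullRequestName, c.config.Branch)
 }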
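Review bot: The second `if` still formats `c.config.Branch` rather than the `branch` variable resolved just above it, so when `branch` is empty and the new `gitBranch` fallback filled it in, the fallback is discarded and the scan is requested against `<PullRequestName>-` with an empty suffix. Use the resolved value: `branch = fmt.Sprintf("%v-%v", c.config.PullRequestName, branch)`. A why-comment above the new fallback would also help readers of this function, e.g. `// fall back to the git branch (wired to commonPipelineEnvironment github/branch) when no branch is configured explicitly`. CreateScanRequest starts before and continues after this hunk.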


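--- a/PATH_NOT_SHOWN_ON_PAGE_2
+++ b/PATH_NOT_SHOWN_ON_PAGE_2
@@ -32,6 +32,7 @@ type checkmarxOneExecuteScanOptions struct {
 GithubToken string `json:"githubToken,omitempty"`
 Incremental bool `json:"incremental,omitempty"`
 Owner string `json:"owner,omitempty"`
+GitBranch string `json:"gitBranch,omitempty"`
 ClientSecret string `json:"clientSecret,omitempty"`
 APIKey string `json:"APIKey,omitempty"`
 Preset string `json:"preset,omitempty"`
@@ -356,6 +357,7 @@ func addCheckmarxOneExecuteScanFlags(cmd *cobra.Command, stepConfig *checkmarxOn
 cmd.Flags().StringVar(&stepConfig.GithubToken, "githubToken", os.Getenv("PIPER_githubToken"), "GitHub personal access token as per https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line")
 cmd.Flags().BoolVar(&stepConfig.Incremental, "incremental", true, "Whether incremental scans are to be applied which optimizes the scan time but might reduce detection capabilities. Therefore full scans are still required from time to time and should be scheduled via `fullScansScheduled` and `fullScanCycle`")
 cmd.Flags().StringVar(&stepConfig.Owner, "owner", os.Getenv("PIPER_owner"), "Set the GitHub organization.")
+cmd.Flags().StringVar(&stepConfig.GitBranch, "gitBranch", os.Getenv("PIPER_gitBranch"), "Set the GitHub repository branch.")
 cmd.Flags().StringVar(&stepConfig.ClientSecret, "clientSecret", os.Getenv("PIPER_clientSecret"), "The clientSecret to authenticate using a service account")
 cmd.Flags().StringVar(&stepConfig.APIKey, "APIKey", os.Getenv("PIPER_APIKey"), "The APIKey to authenticate")
 cmd.Flags().StringVar(&stepConfig.Preset, "preset", os.Getenv("PIPER_preset"), "The preset to use for scanning, if not set explicitly the step will attempt to look up the project's setting based on the availability of `checkmarxOneCredentialsId`")
@@ -521,6 +523,20 @@ func checkmarxOneExecuteScanMetadata() config.StepData {
 Aliases: []config.Alias{{Name: "githubOrg"}},
 Default: os.Getenv("PIPER_owner"),
 },
+{
+Name: "gitBranch",
+ResourceRef: []config.ResourceReference{
+{
+Name: "commonPipelineEnvironment",
+Param: "github/branch",
+},
+},
+Scope: []string{"GENERAL", "PARAMETERS", "STAGES", "STEPS"},
+Type: "string",
+Mandatory: false,
+Aliases: []config.Alias{},
+Default: os.Getenv("PIPER_gitBranch"),
+},
 {
 Name: "clientSecret",
 ResourceRef: []config.ResourceReference{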


@ -20,6 +20,7 @@ func ConvertCxJSONToSarif(sys System, serverURL string, scanResults *[]ScanResul
sarif.Version = "2.1.0" sarif.Version = "2.1.0"
var checkmarxRun format.Runs var checkmarxRun format.Runs
checkmarxRun.ColumnKind = "utf16CodeUnits" checkmarxRun.ColumnKind = "utf16CodeUnits"
checkmarxRun.Results = make([]format.Results, 0)
sarif.Runs = append(sarif.Runs, checkmarxRun) sarif.Runs = append(sarif.Runs, checkmarxRun)
rulesArray := []format.SarifRule{} rulesArray := []format.SarifRule{}
@ -226,7 +227,17 @@ func ConvertCxJSONToSarif(sys System, serverURL string, scanResults *[]ScanResul
if r.VulnerabilityDetails.CweId != 0 { if r.VulnerabilityDetails.CweId != 0 {
rule.Properties.Tags = append(rule.Properties.Tags, fmt.Sprintf("external/cwe/cwe-%d", r.VulnerabilityDetails.CweId)) rule.Properties.Tags = append(rule.Properties.Tags, fmt.Sprintf("external/cwe/cwe-%d", r.VulnerabilityDetails.CweId))
} }
rulesArray = append(rulesArray, rule)
match := false
for _, r := range rulesArray {
if r.ID == rule.ID {
match = true
break
}
}
if !match {
rulesArray = append(rulesArray, rule)
}
} }
// Handle driver object // Handle driver object
@ -237,7 +248,7 @@ func ConvertCxJSONToSarif(sys System, serverURL string, scanResults *[]ScanResul
// TODO: a way to fetch/store the version // TODO: a way to fetch/store the version
tool.Driver.Version = "1" //strings.Split(cxxml.CheckmarxVersion, "V ") tool.Driver.Version = "1" //strings.Split(cxxml.CheckmarxVersion, "V ")
tool.Driver.InformationUri = "https://checkmarx.com/resource/documents/en/34965-68571-viewing-results.html" tool.Driver.InformationUri = "https://checkmarx.com/resource/documents/en/34965-165898-results-details-per-scanner.html"
tool.Driver.Rules = rulesArray tool.Driver.Rules = rulesArray
sarif.Runs[0].Tool = tool sarif.Runs[0].Tool = tool
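Review bot: The duplicate-rule check added after the CWE tag block rescans the whole `rulesArray` for every result, and its loop variable `r` shadows the result `r` of the enclosing loop that the `r.VulnerabilityDetails.CweId` lines just above refer to, which is easy to misread. A set of rule IDs already appended, declared next to `rulesArray` in the first hunk, gives the same deduplication in constant time per result and removes the shadowing; the sketch below keys it by `rule.ID` as a string, adjust if that field has another type. The `make([]format.Results, 0)` line in the first hunk deserves a why-comment, e.g. `// non-nil so an empty run still serializes as "results": []` — presumably the intent, since a nil slice would encode as null. ConvertCxJSONToSarif starts before the first hunk and continues after the last one.
```go
rulesArray := []format.SarifRule{}
seenRuleIDs := make(map[string]struct{}) // rule IDs already appended to rulesArray
// … unchanged: per-result processing up to and including the CWE tag block …
if _, seen := seenRuleIDs[rule.ID]; !seen {
	seenRuleIDs[rule.ID] = struct{}{}
	rulesArray = append(rulesArray, rule)
}
```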


@ -127,6 +127,17 @@ spec:
- STAGES - STAGES
- STEPS - STEPS
type: string type: string
- name: gitBranch
description: "Set the GitHub repository branch."
resourceRef:
- name: commonPipelineEnvironment
param: github/branch
scope:
- GENERAL
- PARAMETERS
- STAGES
- STEPS
type: string
- name: clientSecret - name: clientSecret
type: string type: string
description: The clientSecret to authenticate using a service account description: The clientSecret to authenticate using a service account
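Review bot: The description of the new `gitBranch` parameter, "Set the GitHub repository branch.", reads as if it competed with `branch`, while the step code in this commit only consults it when `branch` is empty. Stating the precedence in the description, e.g. `description: "Branch of the git repository; used as a fallback when branch is not set explicitly. Defaults to github/branch from commonPipelineEnvironment."`, would make it visible in the generated docs and in the help text of the generated `--gitBranch` flag.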