Cxone release supporting applications (#4548)

* Initial in progress * compiling but not yet functional * Missed file * updated checkmarxone step * Working up to fetching a project then breaks * Missed file * Breaks when retrieving projects+proxy set * Create project & run scan working, now polling * Fixed polling * added back the zipfile remove command * Fixed polling again * Generates and downloads PDF report * Updated and working, prep for refactor * Added compliance steps * Cleanup, reporting, added groovy connector * fixed groovy file * checkmarxone to checkmarxOne * checkmarxone to checkmarxOne * split credentials (id+secret, apikey), renamed pullrequestname to branch, groovy fix * Fixed filenames & yaml * missed the metadata_generated.go * added json to sarif conversion * fix:type in new checkmarxone package * fix:type in new checkmarxone package * removed test logs, added temp error log for creds * extra debugging to fix crash * improved auth logging, fixed query parse issue * fixed bug with group fetch when using oauth user * CWE can be -1 if not defined, can't be uint * Query also had CweID * Disabled predicates-fetch in sarif generation * Removing leftover info log message * Better error handling * fixed default preset configuration * removing .bat files - sorry * Cleanup per initial review * refactoring per Gist, fixed project find, add apps * small fix - sorry for commit noise while testing * Fixing issues with incremental scans. * removing maxretries * Updated per PR feedback, further changes todo toda * JSON Report changes and reporting cleanup * removing .bat (again?) * adding docs, groovy unit test, linter fixes * Started adding tests maybe 15% covered * fix(checkmarxOne): test cases for pkg and reporting * fix(checkmarxOne):fix formatting * feat(checkmarxone): update interface with missing method * feat(checkmarxone):change runStep signature to be able to inject dependency * feat(checkmarxone): add tests for step (wip) * Adding a bit more coverage * feat(checkmarxOne): fix code review * feat(checkmarxOne): fix code review * feat(checkmarxOne): fix code review * feat(checkmarxOne): fix integration test PR * adding scan-summary bug workaround, reportgen fail * enforceThresholds fix when no results passed in * fixed gap when preset empty in yaml & project conf * fixed another gap in preset selection * fix 0-result panic * fail when no preset is set anywhere * removed comment * initial project-under-app support * fixing sarif reportgen * some cleanup of error messages * post-merge test fixes * revert previous upstream merge * fix:formatting * fix(checkmarxOne):yamllint too many blank lines * fix(checkmarxOne):unit test * fix(checkmarxOne):generated code --------- Co-authored-by: thtri <trinhthanhhai@gmail.com> Co-authored-by: Thanh-Hai Trinh <thanh.hai.trinh@sap.com>
2025-11-06 09:09:19 +02:00 · 2023-09-05 21:49:27 +02:00
parent 0f04b5f6e1
commit bc8d5efe46
9 changed files with 141 additions and 36 deletions
--- a/pkg/checkmarxone/checkmarxone.go
+++ b/pkg/checkmarxone/checkmarxone.go
@@ -62,16 +62,17 @@ type Preset struct {
 // Project - Project Structure
 // Updated for Cx1
 type Project struct {
-	ProjectID   string            `json:"id"`
-	Name        string            `json:"name"`
-	CreatedAt   string            `json:"createdAt"`
-	UpdatedAt   string            `json:"updatedAt"`
-	Groups      []string          `json:"groups"`
-	Tags        map[string]string `json:"tags"`
-	RepoUrl     string            `json:"repoUrl"`
-	MainBranch  string            `json:"mainBranch"`
-	Origin      string            `json:"origin"`
-	Criticality int               `json:"criticality"`
+	ProjectID    string            `json:"id"`
+	Name         string            `json:"name"`
+	CreatedAt    string            `json:"createdAt"`
+	UpdatedAt    string            `json:"updatedAt"`
+	Groups       []string          `json:"groups"`
+	Applications []string          `json:"applicationIds"`
+	Tags         map[string]string `json:"tags"`
+	RepoUrl      string            `json:"repoUrl"`
+	MainBranch   string            `json:"mainBranch"`
+	Origin       string            `json:"origin"`
+	Criticality  int               `json:"criticality"`
 }

 // New for Cx1
@@ -290,6 +291,7 @@ type System interface {

 	CreateApplication(appname string) (Application, error)
 	GetApplicationByName(appname string) (Application, error)
+	GetApplicationByID(appId string) (Application, error)
 	UpdateApplication(app *Application) error

 	GetScan(scanID string) (Scan, error)
@@ -307,6 +309,7 @@ type System interface {

 	UploadProjectSourceCode(projectID string, zipFile string) (string, error)
 	CreateProject(projectName string, groupIDs []string) (Project, error)
+	CreateProjectInApplication(projectName, applicationID string, groupIDs []string) (Project, error)
 	GetPresets() ([]Preset, error)
 	GetProjectByID(projectID string) (Project, error)
 	GetProjectsByName(projectName string) ([]Project, error)
@@ -538,6 +541,21 @@ func (sys *SystemInstance) GetApplicationsByName(name string, limit uint64) ([]A
 	return ApplicationResponse.Applications, err
 }

+func (sys *SystemInstance) GetApplicationByID(appId string) (Application, error) {
+	sys.logger.Debugf("Get Cx1 Application by ID: %v", appId)
+
+	var ret Application
+
+	response, err := sendRequest(sys, http.MethodGet, fmt.Sprintf("/applications/%v", appId), nil, nil, []int{})
+
+	if err != nil {
+		return ret, err
+	}
+
+	err = json.Unmarshal(response, &ret)
+	return ret, err
+}
+
 func (sys *SystemInstance) GetApplicationByName(name string) (Application, error) {
 	apps, err := sys.GetApplicationsByName(name, 0)
 	if err != nil {
@@ -796,6 +814,33 @@ func (sys *SystemInstance) CreateProject(projectName string, groupIDs []string)
 	return project, err
 }

+func (sys *SystemInstance) CreateProjectInApplication(projectName, applicationID string, groupIDs []string) (Project, error) {
+	var project Project
+	jsonData := map[string]interface{}{
+		"name":        projectName,
+		"groups":      groupIDs,
+		"origin":      cxOrigin,
+		"criticality": 3, // default
+		// multiple additional parameters exist as options
+	}
+
+	jsonValue, err := json.Marshal(jsonData)
+	if err != nil {
+		return project, errors.Wrapf(err, "failed to marshal project data")
+	}
+
+	header := http.Header{}
+	header.Set("Content-Type", "application/json")
+
+	data, err := sendRequest(sys, http.MethodPost, fmt.Sprintf("/projects/application/%v", applicationID), bytes.NewBuffer(jsonValue), header, []int{})
+	if err != nil {
+		return project, errors.Wrapf(err, "failed to create project %v under %v", projectName, applicationID)
+	}
+
+	err = json.Unmarshal(data, &project)
+	return project, err
+}
+
 // New for Cx1
 func (sys *SystemInstance) GetUploadURI() (string, error) {
 	sys.logger.Debug("Retrieving upload URI")
--- a/pkg/checkmarxone/checkmarxone_test.go
+++ b/pkg/checkmarxone/checkmarxone_test.go
@@ -50,6 +50,7 @@ func (sm *senderMock) UploadFile(url, file, fieldName string, header http.Header
 	sm.urlCalled = url
 	sm.header = header
 	return &http.Response{StatusCode: sm.httpStatusCode, Body: io.NopCloser(bytes.NewReader([]byte(sm.responseBody)))}, nil
+
 }
 func (sm *senderMock) UploadRequest(method, url, file, fieldName string, header http.Header, cookies []*http.Cookie, uploadType string) (*http.Response, error) {
 	sm.httpMethod = http.MethodPost
--- a/pkg/checkmarxone/reporting.go
+++ b/pkg/checkmarxone/reporting.go
@@ -41,9 +41,9 @@ type Finding struct {
 }

 type LowPerQuery struct {
-	QueryName string `json:"name"`
-	Total     int    `json:"total"`
+	QueryName string `json:"query"`
 	Audited   int    `json:"audited"`
+	Total     int    `json:"total"`
 }

 func CreateCustomReport(data *map[string]interface{}, insecure, neutral []string) reporting.ScanReport {
@@ -137,16 +137,18 @@ func CreateCustomReport(data *map[string]interface{}, insecure, neutral []string

 func CreateJSONHeaderReport(data *map[string]interface{}) CheckmarxOneReportData {
 	checkmarxReportData := CheckmarxOneReportData{
-		ToolName:    `CheckmarxOne`,
-		ProjectName: fmt.Sprint((*data)["ProjectName"]),
-		GroupID:     fmt.Sprint((*data)["Group"]),
-		GroupName:   fmt.Sprint((*data)["GroupFullPathOnReportDate"]),
-		DeepLink:    fmt.Sprint((*data)["DeepLink"]),
-		Preset:      fmt.Sprint((*data)["Preset"]),
-		ToolVersion: fmt.Sprint((*data)["ToolVersion"]),
-		ScanType:    fmt.Sprint((*data)["ScanType"]),
-		ProjectID:   fmt.Sprint((*data)["ProjectId"]),
-		ScanID:      fmt.Sprint((*data)["ScanId"]),
+		ToolName:        `CheckmarxOne`,
+		ProjectName:     fmt.Sprint((*data)["ProjectName"]),
+		GroupID:         fmt.Sprint((*data)["Group"]),
+		GroupName:       fmt.Sprint((*data)["GroupFullPathOnReportDate"]),
+		ApplicationID:   fmt.Sprint((*data)["Application"]),
+		ApplicationName: fmt.Sprint((*data)["ApplicationFullPathOnReportDate"]),
+		DeepLink:        fmt.Sprint((*data)["DeepLink"]),
+		Preset:          fmt.Sprint((*data)["Preset"]),
+		ToolVersion:     fmt.Sprint((*data)["ToolVersion"]),
+		ScanType:        fmt.Sprint((*data)["ScanType"]),
+		ProjectID:       fmt.Sprint((*data)["ProjectId"]),
+		ScanID:          fmt.Sprint((*data)["ScanId"]),
 	}

 	findings := []Finding{}
--- a/pkg/checkmarxone/reporting_test.go
+++ b/pkg/checkmarxone/reporting_test.go
@@ -12,6 +12,8 @@ func TestCreateJSONReport(t *testing.T) {
 	resultMap["ProjectName"] = `ssba`
 	resultMap["Group"] = `test-group`
 	resultMap["GroupFullPathOnReportDate"] = `test-group-path`
+	resultMap["Application"] = `test-app`
+	resultMap["ApplicationFullPathOnReportDate"] = `test-app-path`
 	resultMap["DeepLink"] = `https://cx1.sap/projects/f5702f86-b396-417f-82e2-4949a55d5382/scans?branch=master&page=1&id=21e40b36-0dd7-48e5-9768-da1a8f36c907`
 	resultMap["Preset"] = `Checkmarx Default`
 	resultMap["ToolVersion"] = `v1`