Andrei Kireev
49f4c81344
Add new unified fields to Mend and Blackduck SARIF ( #4611 )
...
* Add new unified fields to Mend and Blackduck SARIF
* fmt project
---------
Co-authored-by: Dmitrii Pavlukhin <dmitrii.pavlukhin@sap.com>
2023-10-17 11:48:52 +02:00
Jordi van Liempt
0ba4c2206c
chore(deps): Replace io/ioutil package ( #4494 )
...
* update all deprecated ioutil usages
* forgotten changes
* add missing imports
* undo changing comment
* add missing 'os' import
* fix integration test
---------
Co-authored-by: I557621 <jordi.van.liempt@sap.com>
Co-authored-by: Gulom Alimov <gulomjon.alimov@sap.com>
2023-08-16 12:57:04 +02:00
Oliver Nocon
25216b3ef8
chore: update formatting ( #4111 )
2022-11-08 08:47:38 +01:00
Sven Merk
ea04a63412
fix(whitesourceExecuteScan): Fix processing of assessment ( #4059 )
...
* Fix potential nil reference
* Fix handling of assessed vulns
* Fix test code
* Add error detail
* Fix parsing
* Adding debug output
* Fix nil reference
* fix
* Add debug
* Update cmd/whitesourceExecuteScan.go
Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
* Update cmd/whitesourceExecuteScan.go
* Update cmd/whitesourceExecuteScan.go
* Fix fmt
Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2022-10-13 10:34:02 +00:00
Sven Merk
e8ba1b043d
Fix(detectExecuteScan): rework struct methods to meet interface requirements ( #4048 )
...
* Fixed struct methods to meet interface requirements
* Fix test and ruleID
* Small adjustments
* Readability of code
* Added testcases
* Code rework
* Fix fmt
* Mod
* Fix taxonomy
* Fix ruleIndex
* Fix taxonomies
* Fix format
* Remove name
* Fix Fortify and Checkmarx SARIF
* Fix fmt, address comments
* Addressing comments
* Fix fmt
2022-10-10 10:06:20 +02:00
Sven Merk
c81e741224
Refinement of SARIF generation for BD and WS ( #3942 )
...
* Fix docs and format
* Assessment format added
* Added sample file
* Added parsing
* Added packageurl implementation
* Slight refinement
* Refactored assessment options
* Adapted sample file
* First attempt of ws sbom gen
* Reworked SBOM generation
* Fix test code
* Add assessment handling
* Update dependencies
* Added golden test
* Small fix
* feat(fortify): Added a check for fortify binary in $PATH (#3925 )
* added check for fortifyupdate and sourceanalyzer bin
Co-authored-by: sumeet patil <sumeet.patil@sap.com>
* Modify SARIF
* Enhanced SARID contents
* Small refinement for hub detect
* Small adjustments
* Extend SARIF contents
* Consistency to Mend part
* Fix tests
* Fix merge
* Fix test
* Add debug log, enhance output
* Enhance meta info
* Fix libType for node
* Fix log entry
* Fix pointers and test
* Fix test
* Fix library types
* Fix test
* Extend libType mappings
Co-authored-by: Vinayak S <vinayaks439@gmail.com>
Co-authored-by: sumeet patil <sumeet.patil@sap.com>
2022-08-11 13:12:14 +02:00
Sven Merk
b3f37650a2
SBOM creation for Mend ( #3934 )
...
* Fix docs and format
* Assessment format added
* Added sample file
* Added parsing
* Added packageurl implementation
* Slight refinement
* Refactored assessment options
* Adapted sample file
* First attempt of ws sbom gen
* Reworked SBOM generation
* Fix test code
* Add assessment handling
* Update dependencies
* Added golden test
* Small fix
Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2022-08-09 13:56:01 +02:00
thtri
ef3e720464
Classify Fortify & Checkmarx findings into audit group / Common properties ( #3904 )
...
* fix(fortify): suppressed issues got "Unknown" category and state
* fix (fortify-sarif): classify findings into audit group
* fix(fortify-checkmarx-sarif): common properties bag for Fortify and Checkmarx (accepting the risk of empty value)
* fix (checkmarx-sarif): classify findings into audit group
* fix (sarif): formatting
2022-07-21 11:15:55 +02:00
xgoffin
c35d85fecc
feat(SARIF): ContextRegion is now a pointer, can be omitted. In checkmarxExecuteScan: threadflows now added, only first location saved ( #3844 )
2022-06-22 08:54:24 +02:00
xgoffin
0457601efd
feat(sarif): add GUID as part of properties, change ruleID ( #3838 )
2022-06-17 08:53:44 +02:00
xgoffin
c11110d791
feat(sarif): add a "conversion" object to SARIF files ( #3837 )
...
* feat(fortifyExecuteScan): add conversion object
* feat(checkmarxExecuteScan): add conversion object
2022-06-16 15:24:23 +02:00
xgoffin
5edb0d2566
feat(fortifyExecuteScan): implement a system to limit the number of API calls upon request failures ( #3818 )
...
* feat(fortifyExecuteScan): add a max number of retries for API calls in SARIF conversion
* feat(checkmarxExecuteScan): implement max number of retries on API call for descriptions in SARIF processing
* feat(checkmarx/fortify): extra logging line when failing an API request in SARIF conversion
* fix(fortifyExecuteScan): panic if undefined projectversion in sarif
* fix(fortifyExecuteScan): logging improvement
* fix(fortifyExecuteScan): wrong if condition caused crash
* fix(fortifyExecuteScan): do not log if retries hit -1, adjust logging
* fix(SARIF): commenting API calls for Checkmarx until a solution can be found for the API issues
* feat(SARIF): add omitempty to extensions
2022-06-09 10:32:08 +02:00
xgoffin
6a43e9f455
feat(fortifyExecuteScan): further improvements to the SARIF generation ( #3799 )
...
* feat(fortfiyExecuteScan): proper XML unescaping, added rulepacks to SARIF, added kingdom/type/subtype to tags
* feat(fortifyExecuteScan): proper handling of severity, kinds, levels in SARIF
* fix(fortifyExecuteScan): edge case when handling properties taht could lead to a crash
* fix(fortifyExecuteScan): ensure SARIF processing is done after latest FPR is processed by SSC
2022-05-24 13:40:49 +02:00
xgoffin
1fde2ce677
feat(checkmarxExecuteScan): improvements to SARIF file generation ( #3781 )
...
* feat(checkmarxExecuteScan): respect SARIF standard more closely
* fix(checkmarxExecuteScan): edge case where message would be empty in SARIF
* fix(checkmarxExecuteScan): better message handling to ensure field is populated
* feat(checkmarxExecuteScan): SARIF file readability
* feat(checkmarxExecuteScan): include the helpURL as part of the Help object
* fix(sarif): remove wrong structure addition
* feat(checkmarxExecuteScan): safer handling of version in SARIF file
* feat(checkmarxExecuteScan): add CWE number to tags
2022-05-19 14:57:13 +02:00
xgoffin
7d9f018529
feat(fortifyExecuteScan): SARIF generation improvements ( #3769 )
...
* feat(fpr_to_sarif & GHAS): adjustments to fit some rules
* feat(fortifyExecuteScan): fit GH ingestion rules better
* feat(fortifyExecuteScan): readability in SARIF report
* feat(fortifyExecuteScan): restore escaped chars in XML text
* feat(fortifyExecuteScan): properly replace threadflowlocations in each threadflow
* fix(fortifyExecuteScan): fixed missing threadflow in SARIF generation
* feat(fortifyExecuteScan): properly handle threadflows when a node has another node as Reason (node-in-node edge case)
* feat(fortifyExecuteScan): better sarif ruleID field
Co-authored-by: thtri <trinhthanhhai@gmail.com>
2022-05-11 17:05:51 +02:00
xgoffin
3c55d3c99c
feat(checkmarxExecuteScan): convert Checkmarx xml report to SARIF ( #3696 )
...
* feat(checkmarxExecuteScan): sarif conversion for Checkmarx XML reports
* feat(checkmarxExecuteScan): added taxonomies and similarityID
* fix(checkmarxExecuteScan): proper handling of ruleId and ruleIndex
* fix(sarif): mistype in checkmarx properties
* fix(checkmarxExecuteScan): fixed occasional panics when handling audit comment
* chore(sarif): proper variable naming
* chore(code): fix missing and unrecognized comments
* trigger PR
* fix(format): extra space
Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com>
2022-04-04 16:12:35 +02:00
Sven Merk
f06890a9b2
SARIF format and GHIssue format improvements ( #3646 )
...
* Improve reporting
* Fix location
* Align casing
* Fix severity mapping
* Fix format
* Improve title
* Title format
* Fix severity
* Align title
* Fix schema reference
* Fix schema reference
* Fix fmt
* Fix fmt2
* Fix tests
* fix(sarif): proper handling of omitempty in SnippetSarif
* fix(fortifyExecuteScan): sarif format version
* Addressing comments
* Fix SARIF
* fix(sarif): omitempty handling
* fix(fortifyExecuteScan): pointer indirection
* Added TODOs for audit data
Co-authored-by: Xavier Goffin <x.goffin@sap.com>
Co-authored-by: xgoffin <86716549+xgoffin@users.noreply.github.com>
Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2022-03-22 14:47:19 +01:00
xgoffin
3f6e4b9e3b
feat(fortifyExecuteScan): added parameter to generated sarif file ( #3644 )
...
* fix(sarif): change format to fit omitempty cases better
* feat(fortifyExecuteScan): include category in sarif file
* fix(fortifyExecuteScan): access to undefined pointer in some cases
Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com>
2022-03-17 13:09:15 +01:00
xgoffin
dfd2278639
feat(fortifyExecuteScan): full FPR to SARIF implementation ( #3604 )
...
* feat(FPRtoSARIF): boilerplate & comments
* Feat(Ingest): Build done, Vulnerabilities partway
* feat(Vulnerabilities): now entirely parsed
* feat(FprToSarif): integration in Piper step, full xml structure
* feat(fpr_to_sarif): base program. Need to replace names in messages
* feat(fpr_to_sarif): message substitution and custom definition integration
* fix(fpr_to_sarif): missing replacement in tools object
* fix(fpr_to_sarif): failing unit test
* Fix fortify folder creation for generating sarif
* deletion of unzip folder
* feat(fpr_to_sarif): better unit test
* fix(fpr_to_sarif): pr tests failing
* feat(fortifyExecuteScan): complete SARIF file generation
* fix(fpr_to_sarif): add extra check and test to prevent panics
* rebase onto master, fix ALL conflicts, adapt code and format
* fix missing added properties
* fix(SARIF): structure
* fix(whitesource): wrong sarif structures
* Update pkg/fortify/fpr_to_sarif.go
* Update pkg/format/sarif.go
* Update pkg/format/sarif.go
Co-authored-by: Sumeet PATIL <sumeet.patil@sap.com>
Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com>
2022-03-14 11:26:05 +01:00
Sven Merk
a1988f6808
feat(whitesourceExecuteScan): GitHub issue creation + SARIF ( #3535 )
...
* Add GH issue creation + SARIF
* Code cleanup
* Fix fmt, add debug
* Code enhancements
* Fix
* Added debug info
* Rework UA log scan
* Fix code
* read UA version
* Fix nil reference
* Extraction
* Credentials
* Issue creation
* Error handling
* Fix issue creation
* query escape
* Query escape 2
* Revert
* Test avoid update
* HTTP client
* Add support for custom TLS certs
* Fix code
* Fix code 2
* Fix code 3
* Disable cert check
* Fix auth
* Remove implicit trust
* Skip verification
* Fix
* Fix client
* Fix HTTP auth
* Fix trusted certs
* Trim version
* Code
* Add token
* Added token handling to client
* Fix token
* Cleanup
* Fix token
* Token rework
* Fix code
* Kick out oauth client
* Kick out oauth client
* Transport wrapping
* Token
* Simplification
* Refactor
* Variation
* Check
* Fix
* Debug
* Switch client
* Variation
* Debug
* Switch to cert check
* Add debug
* Parse self
* Cleanup
* Update resources/metadata/whitesourceExecuteScan.yaml
* Add debug
* Expose subjects
* Patch
* Debug
* Debug2
* Debug3
* Fix logging response body
* Cleanup
* Cleanup
* Fix request body logging
* Cleanup import
* Fix import cycle
* Cleanup
* Fix fmt
* Fix NopCloser reference
* Regenerate
* Reintroduce
* Fix test
* Fix tests
* Correction
* Fix error
* Code fix
* Fix tests
* Add tests
* Fix code climate issues
* Code climate
* Code climate again
* Code climate again
* Fix fmt
* Fix fmt 2
Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2022-02-23 09:30:19 +01:00