1
0
mirror of https://github.com/SAP/jenkins-library.git synced 2024-12-14 11:03:09 +02:00
sap-jenkins-library/resources/metadata/checkmarxOneExecuteScan.yaml
michaelkubiaczyk d12f01d90f
Adding support for CheckmarxOne platform (#4317)
* Initial in progress

* compiling but not yet functional

* Missed file

* updated checkmarxone step

* Working up to fetching a project then breaks

* Missed file

* Breaks when retrieving projects+proxy set

* Create project & run scan working, now polling

* Fixed polling

* added back the zipfile remove command

* Fixed polling again

* Generates and downloads PDF report

* Updated and working, prep for refactor

* Added compliance steps

* Cleanup, reporting, added groovy connector

* fixed groovy file

* checkmarxone to checkmarxOne

* checkmarxone to checkmarxOne

* split credentials (id+secret, apikey), renamed pullrequestname to branch, groovy fix

* Fixed filenames & yaml

* missed the metadata_generated.go

* added json to sarif conversion

* fix:type in new checkmarxone package

* fix:type in new checkmarxone package

* removed test logs, added temp error log for creds

* extra debugging to fix crash

* improved auth logging, fixed query parse issue

* fixed bug with group fetch when using oauth user

* CWE can be -1 if not defined, can't be uint

* Query also had CweID

* Disabled predicates-fetch in sarif generation

* Removing leftover info log message

* Better error handling

* fixed default preset configuration

* removing .bat files - sorry

* Cleanup per initial review

* refactoring per Gist, fixed project find, add apps

* small fix - sorry for commit noise while testing

* Fixing issues with incremental scans.

* removing maxretries

* Updated per PR feedback, further changes todo toda

* JSON Report changes and reporting cleanup

* removing .bat (again?)

* adding docs, groovy unit test, linter fixes

* Started adding tests maybe 15% covered

* fix(checkmarxOne): test cases for pkg and reporting

* fix(checkmarxOne):fix formatting

* feat(checkmarxone): update interface with missing method

* feat(checkmarxone):change runStep signature to be able to inject dependency

* feat(checkmarxone): add tests for step (wip)

* Adding a bit more coverage

* feat(checkmarxOne): fix code review

* feat(checkmarxOne): fix code review

* feat(checkmarxOne): fix code review

* feat(checkmarxOne): fix integration test PR

---------

Co-authored-by: thtri <trinhthanhhai@gmail.com>
Co-authored-by: Thanh-Hai Trinh <thanh.hai.trinh@sap.com>
2023-05-05 14:05:58 +02:00

488 lines
16 KiB
YAML

metadata:
name: checkmarxOneExecuteScan
description: checkmarxOne is the recommended tool for security scans of JavaScript, iOS, Swift and Ruby code.
longDescription: |-
checkmarxOne is a Static Application Security Testing (SAST) platform to analyze i.e. Java or TypeScript, Swift, Golang, Ruby code,
and many other programming languages for security flaws based on a set of provided rules/queries that can be customized and extended.
This step by default enforces a specific audit baseline for findings and therefore ensures that:
* No 'To Verify' High and Medium issues exist in your project
* Total number of High and Medium 'Confirmed' or 'Urgent' issues is zero
* 10% of all Low issues are 'Confirmed' or 'Not Exploitable'
You can adapt above thresholds specifically using the provided configuration parameters and i.e. check for `absolute`
thresholds instead of `percentage` whereas we strongly recommend you to stay with the defaults provided.
spec:
inputs:
secrets:
- name: checkmarxOneCredentialsId
description: Jenkins 'Username with password' credentials ID containing ClientID and ClientSecret to communicate with the checkmarxOne backend.
type: jenkins
- name: checkmarxOneAPIKey
description: Jenkins 'Secret Text' containing the APIKey to communicate with the checkmarxOne backend.
type: jenkins
- name: githubTokenCredentialsId
description: Jenkins 'Secret text' credentials ID containing token to authenticate to GitHub.
type: jenkins
resources:
- name: checkmarxOne
type: stash
params:
- name: assignees
description: Defines the assignees for the Github Issue created/updated with the results of the scan as a list of login names. [Not yet supported]
scope:
- PARAMETERS
- STAGES
- STEPS
type: "[]string"
default: []
- name: avoidDuplicateProjectScans
type: bool
description: Whether duplicate scans of the same project state shall be avoided or not [Not yet supported]
scope:
- PARAMETERS
- STAGES
- STEPS
default: true
- name: filterPattern
type: string
description: The filter pattern used to zip the files relevant for scanning, patterns can be negated by setting an exclamation mark in front i.e. `!test/*.js` would avoid adding any javascript files located in the test directory
scope:
- PARAMETERS
- STAGES
- STEPS
default:
"!**/node_modules/**, !**/.xmake/**, !**/*_test.go, !**/vendor/**/*.go,
**/*.html, **/*.xml, **/*.go, **/*.py, **/*.js, **/*.scala, **/*.ts"
- name: fullScanCycle
type: string
description: Indicates how often a full scan should happen between the incremental scans when activated
scope:
- PARAMETERS
- STAGES
- STEPS
default: 5
- name: fullScansScheduled
type: bool
description: Whether full scans are to be scheduled or not. Should be used in relation with `incremental` and `fullScanCycle`
scope:
- PARAMETERS
- STAGES
- STEPS
default: true
- name: generatePdfReport
type: bool
description: Whether to generate a PDF report of the analysis results or not
scope:
- PARAMETERS
- STAGES
- STEPS
default: true
- name: githubApiUrl
description: "Set the GitHub API URL."
scope:
- GENERAL
- PARAMETERS
- STAGES
- STEPS
type: string
default: "https://api.github.com"
- name: githubToken
description: "GitHub personal access token as per
https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line"
scope:
- GENERAL
- PARAMETERS
- STAGES
- STEPS
type: string
secret: true
aliases:
- name: access_token
resourceRef:
- name: githubTokenCredentialsId
type: secret
- type: vaultSecret
default: github
name: githubVaultSecretName
- name: incremental
type: bool
description: Whether incremental scans are to be applied which optimizes the scan time but might reduce detection capabilities. Therefore full scans are still required from time to time and should be scheduled via `fullScansScheduled` and `fullScanCycle`
scope:
- PARAMETERS
- STAGES
- STEPS
default: true
- name: owner
aliases:
- name: githubOrg
description: "Set the GitHub organization."
resourceRef:
- name: commonPipelineEnvironment
param: github/owner
scope:
- GENERAL
- PARAMETERS
- STAGES
- STEPS
type: string
- name: clientSecret
type: string
description: The clientSecret to authenticate using a service account
mandatory: true
scope:
- PARAMETERS
- STAGES
- STEPS
secret: true
resourceRef:
- name: checkmarxOneCredentialsId
type: secret
param: clientSecret
- type: vaultSecret
name: checkmarxOneVaultSecretName
default: checkmarxOne
- name: APIKey
type: string
description: The APIKey to authenticate
mandatory: true
scope:
- PARAMETERS
- STAGES
- STEPS
secret: true
resourceRef:
- name: checkmarxOneAPIKey
type: secret
param: APIKey
- type: vaultSecret
name: checkmarxOneVaultSecretName
default: checkmarxOne
- name: preset
type: string
description: The preset to use for scanning, if not set explicitly the step will attempt to look up the project's setting based on the availability of `checkmarxOneCredentialsId`
scope:
- PARAMETERS
- STAGES
- STEPS
- name: languageMode
type: string
description: Specifies whether the scan should be run for a 'single' language or 'multi' language, default 'multi'
scope:
- PARAMETERS
- STAGES
- STEPS
default: "multi"
- name: projectCriticality
type: string
description: The criticality of the checkmarxOne project, used during project creation
mandatory: true
scope:
- PARAMETERS
- STAGES
- STEPS
default: "3"
- name: projectName
type: string
description: The name of the checkmarxOne project to scan into
mandatory: true
scope:
- PARAMETERS
- STAGES
- STEPS
- name: branch
type: string
description: Used to supply the branch scanned in the repository, or a friendly-name set by the user
scope:
- PARAMETERS
- STAGES
- STEPS
mandatory: true
- name: pullRequestName
type: string
description: Used to supply the name for the newly created PR project branch when being used in pull request scenarios. This is supplied by the orchestrator.
scope:
- PARAMETERS
- STAGES
- STEPS
- name: repository
aliases:
- name: githubRepo
description: "Set the GitHub repository."
resourceRef:
- name: commonPipelineEnvironment
param: github/repository
scope:
- GENERAL
- PARAMETERS
- STAGES
- STEPS
type: string
- name: serverUrl
type: string
description: The URL pointing to the root of the checkmarxOne server to be used
mandatory: true
scope:
- GENERAL
- PARAMETERS
- STAGES
- STEPS
- name: iamUrl
type: string
description: The URL pointing to the access control root of the checkmarxOne IAM server to be used
mandatory: true
scope:
- GENERAL
- PARAMETERS
- STAGES
- STEPS
- name: tenant
type: string
description: The name of the checkmarxOne tenant to be used
mandatory: true
scope:
- GENERAL
- PARAMETERS
- STAGES
- STEPS
- name: sourceEncoding
type: string
description: The source encoding to be used, if not set explicitly the project's default will be used [Not yet supported]
scope:
- PARAMETERS
- STAGES
- STEPS
default: "1"
- name: groupName
type: string
description: The full name of the group to assign newly created projects to which is preferred to groupId
scope:
- PARAMETERS
- STAGES
- STEPS
- name: applicationName
type: string
description: The full name of the Checkmarx One application to which the newly created projects will be assigned
scope:
- PARAMETERS
- STAGES
- STEPS
- name: clientId
type: string
description: The username to authenticate
mandatory: true
scope:
- PARAMETERS
- STAGES
- STEPS
secret: true
resourceRef:
- name: checkmarxOneCredentialsId
type: secret
param: clientId
- type: vaultSecret
name: checkmarxOneVaultSecretName
default: checkmarxOne
- name: verifyOnly
type: bool
description: Whether the step shall only apply verification checks or whether it does a full scan and check cycle
scope:
- PARAMETERS
- STAGES
- STEPS
default: false
- name: vulnerabilityThresholdEnabled
type: bool
description: Whether the thresholds are enabled or not. If enabled the build will be set to `vulnerabilityThresholdResult` in case a specific threshold value is exceeded
scope:
- PARAMETERS
- STAGES
- STEPS
default: true
- name: vulnerabilityThresholdHigh
type: int
description: The specific threshold for high severity findings
scope:
- PARAMETERS
- STAGES
- STEPS
default: 100
- name: vulnerabilityThresholdMedium
type: int
description: The specific threshold for medium severity findings
scope:
- PARAMETERS
- STAGES
- STEPS
default: 100
- name: vulnerabilityThresholdLow
type: int
description: The specific threshold for low severity findings
scope:
- PARAMETERS
- STAGES
- STEPS
default: 10
- name: vulnerabilityThresholdLowPerQuery
type: bool
description: Flag to activate/deactivate the threshold of low severity findings per query
scope:
- PARAMETERS
- STAGES
- STEPS
default: false
- name: vulnerabilityThresholdLowPerQueryMax
type: int
description: Upper threshold of low severity findings per query (in absolute number)
scope:
- PARAMETERS
- STAGES
- STEPS
default: 10
- name: vulnerabilityThresholdResult
type: string
description: The result of the build in case thresholds are enabled and exceeded
scope:
- PARAMETERS
- STAGES
- STEPS
default: FAILURE
possibleValues:
- FAILURE
- name: vulnerabilityThresholdUnit
type: string
description: The unit for the threshold to apply.
scope:
- PARAMETERS
- STAGES
- STEPS
default: percentage
- name: isOptimizedAndScheduled
type: bool
description: Whether the pipeline runs in optimized mode and the current execution is a scheduled one
resourceRef:
- name: commonPipelineEnvironment
param: custom/isOptimizedAndScheduled
scope:
- PARAMETERS
- name: createResultIssue
type: bool
description: Activate creation of a result issue in GitHub.
longDescription: |
Whether the step creates a GitHub issue containing the scan results in the originating repo.
Since optimized pipelines are headless the creation is implicitly activated for scheduled runs.
resourceRef:
- name: commonPipelineEnvironment
param: custom/isOptimizedAndScheduled
scope:
- GENERAL
- PARAMETERS
- STAGES
- STEPS
default: false
- name: convertToSarif
type: bool
description: "Convert the checkmarxOne XML scan results to the open SARIF standard."
scope:
- PARAMETERS
- STAGES
- STEPS
default: true
outputs:
resources:
- name: influx
type: influx
params:
- name: step_data
fields:
- name: checkmarxOne
type: bool
- name: checkmarxOne_data
fields:
- name: high_issues
type: int
- name: high_not_false_postive
type: int
- name: high_not_exploitable
type: int
- name: high_confirmed
type: int
- name: high_urgent
type: int
- name: high_proposed_not_exploitable
type: int
- name: high_to_verify
type: int
- name: medium_issues
type: int
- name: medium_not_false_postive
type: int
- name: medium_not_exploitable
type: int
- name: medium_confirmed
type: int
- name: medium_urgent
type: int
- name: medium_proposed_not_exploitable
type: int
- name: medium_to_verify
type: int
- name: low_issues
type: int
- name: low_not_false_postive
type: int
- name: low_not_exploitable
type: int
- name: low_confirmed
type: int
- name: low_urgent
type: int
- name: low_proposed_not_exploitable
type: int
- name: low_to_verify
type: int
- name: information_issues
type: int
- name: information_not_false_postive
type: int
- name: information_not_exploitable
type: int
- name: information_confirmed
type: int
- name: information_urgent
type: int
- name: information_proposed_not_exploitable
type: int
- name: information_to_verify
type: int
- name: lines_of_code_scanned
type: int
- name: files_scanned
type: int
- name: initiator_name
- name: owner
- name: scan_id
- name: project_id
- name: projectName
- name: group
- name: group_full_path_on_report_date
- name: scan_start
- name: scan_time
- name: checkmarxOne_version
- name: scan_type
- name: preset
- name: deep_link
- name: report_creation_time
- name: reports
type: reports
params:
- filePattern: "**/piper_checkmarxone_report.html"
type: checkmarxone
- filePattern: "**/Cx1_SASTResults_*.xml"
type: checkmarxone
- filePattern: "**/ScanReport.*"
type: checkmarxone
- filePattern: "**/toolrun_checkmarxone_*.json"
type: checkmarxone