SCA Support (#116) #117
SCA Support (#116) #117
Conversation
ASA-6458 Enhance Jenkins Plugin to support SAST-SCA separation.
|
|
There was a problem hiding this comment.
Can we create a new class of HttpClient to accomodate the changes required for the support of SCA?
| @@ -51,6 +51,7 @@ error.http=Response Code: {0}\nReason: {1} | |||
| error.login.type.deprectated=The specified login type is deprecated. Please use API key and secret. | |||
| error.getting.info=An error occurred getting information for {0} with id {1}. | |||
| error.url.validation = An error occurred while validating the URL. | |||
| warning.sca = Note: To scan open-source files, use the Software Composition Analysis (SCA) scan type. AppScan on Cloud is phasing out open source-only scanning with static analysis scans. | |||
There was a problem hiding this comment.
I would like to get this message reworded. The phrase "phasing out" makes it sound like we're removing SCA scanning altogether, which is not the case. Perhaps something like:
"Note: AppScan on Cloud (ASoC) now performs SAST and SCA analysis as separate scans. To execute an open-source only scan, use the Software Composition Analysis (SCA) scan type. The open-source only option will be removed from SAST scans in a future release."
| @@ -0,0 +1,101 @@ | |||
| package com.hcl.appscan.sdk.scanners.sca; | |||
There was a problem hiding this comment.
This class is almost identical to the existing SASTScan class. It would be better to extend SASTScan and adjust as needed than to copy the code into a new class.
There was a problem hiding this comment.
Okay, will do accordingly.
|
|
||
| @Override | ||
| public String getType() { | ||
| return "Sca"; |
There was a problem hiding this comment.
This should be a constant that returns "Software Composition Analysis".
There was a problem hiding this comment.
I am modifying it as "Software Composition Analyzer".
| @@ -47,6 +48,10 @@ public void run() throws ScannerException, InvalidTargetException { | |||
| if(target == null || !(new File(target).exists())) | |||
| throw new InvalidTargetException(Messages.getMessage(TARGET_INVALID, target)); | |||
|
|
|||
| if (getProperties().containsKey(OPEN_SOURCE_ONLY)){ | |||
There was a problem hiding this comment.
This check should not be here. Running an open-source only scan via the SDK is still a valid way to run a scan. This warning appears to be specific to the Jenkins plugin, so it should be in the Jenkins plugin code, not here where it will effect all clients that use the sdk.
| @@ -326,7 +326,7 @@ private List<String> getClientArgs(Map<String, String> properties) { | |||
| args.add(OPT_VERBOSE); | |||
| if(properties.containsKey(THIRD_PARTY) || System.getProperty(THIRD_PARTY) != null) | |||
| args.add(OPT_THIRD_PARTY); | |||
| if (properties.containsKey(OPEN_SOURCE_ONLY) || System.getProperty(OPEN_SOURCE_ONLY) != null) | |||
| if (properties.containsKey(OPEN_SOURCE_ONLY) || System.getProperty(OPEN_SOURCE_ONLY) != null || properties.get(CoreConstants.SCANNER_TYPE).equals("Sca")) | |||
There was a problem hiding this comment.
This should be checking a constant rather than the hardcoded string "Sca".
There was a problem hiding this comment.
Yeah Matt, declared a common constant in the Core Constant class.
| String request_url = m_authProvider.getServer() + String.format(API_SCANNER, type); | ||
| Map<String, String> request_headers = m_authProvider.getAuthorizationHeader(true); | ||
|
|
||
| Map<String, String> request_headers = m_authProvider.getAuthorizationHeader(true); |
There was a problem hiding this comment.
Eventually all scans will be using the v4 api, so we shouldn't be modifying this method to account for SCA explicitly. We should create 2 instances of this method. One for v2 and one for v4. The existing method should then make a determination as to which of those 2 methods it should execute. That would ideally be done through a private method that returns a boolean (e.g. shouldUseV4Api()). Today that method would just return if the scan type is SCA, but it could be modified easily later.
There was a problem hiding this comment.
Okay. For this, I have created 2 private methods of name "createAndExecuteScanUsingV2Api()" or "createAndExecuteScanUsingV4Api()" which will be using v2 or v4 APIs for the scan execution & the calling of these methods being made using shouldUseV4Api() method.
| * @return The response as a byte array. | ||
| * @throws IOException If an error occurs. | ||
| */ | ||
| public HttpResponse postFormV4(String url, Map<String, String> headerProperties, Map<String, String> params) |
There was a problem hiding this comment.
This should just be an overload of the post() method, not postFormV4(). I suggest removing all references to v4 from the javadoc, as well, since this is a class for making http requests. It has nothing to do with any specific version of any specific api.
Suggested changes
| } | ||
|
|
||
| private String createAndExecuteScanUsingV2Api(String type, Map<String, String> params) { |
There was a problem hiding this comment.
These 2 methods are almost identical to one another. The only difference is the specific api being used and the addition of a few headers. If those additional headers are valid when using the v2 api, this could be much simpler by getting the url based on the shouldUseV4Api() check and then everything else is the same.
There was a problem hiding this comment.
Matt, Made the changes accordingly.
* SCA support * remove the check for OSO from SDK
| setScanId(getServiceProvider().createAndExecuteScan(STATIC_ANALYZER, params)); | ||
| params.put(FILE_ID, fileId); | ||
|
|
||
| if(getType().equals(CoreConstants.SOFTWARE_COMPOSITION_ANALYZER)) { |
There was a problem hiding this comment.
I suggest breaking this if/else case out into a separate method. In the SCAScan, you can override the method to do what we need for SCA.
There was a problem hiding this comment.
Sure, made the changes accordingly.
* removed the SCA check from the analyzeIR() method
ASA-6458
Enhance Jenkins Plugin to support SAST-SCA separation.