Integration april 23 (#124)

* Made the changes done in jackson-fix branch for fixing high vulnerabilities in CLI plugin

* Incremented the version

* Implemented Post Scan Action

* Removed local changes to refer own cx-client-common version. The cx-client-common version also need to be updated with correct version

* Update pom.xml

Updated cx-config-provider version - 1.0.14

* Updated parameter name

* Solved Sca Scantimeout error and removed the compulsory Sca Resolver additional parameter

* Updated code for sca report generation

* Added code for asynchronous mode and exploitable path params

* Updated if condition for Sca alone exploitable path

* Updated client-common versions

* Updated CLI Version

* Updated Scalocation path for sca resolver additional params

* made sca report format as mandatory

* Getting " --cxserver, --cxuser, --cxpassword, --cxprojectname" option value, if absent in sca resolver additional param in SAST+SCA scan

* Updated CLI version

* Updated error message for sca report path.

* Resolved sast+sca scan error while sca scan with sca resolver

* Updated cxprojectid in scaresolver params

* Updated CLI version

---------

Co-authored-by: [email protected] <[email protected]>
Co-authored-by: RahulPiddeCheckmarx <[email protected]>
Co-authored-by: Nidhi Jaiswal <[email protected]>

pom.xml

@@ -6,7 +6,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>com.cx.plugin</groupId>
     <artifactId>CxConsolePlugin</artifactId>
-    <version>1.1.21</version>
+    <version>1.1.26</version>
     <packaging>jar</packaging>
 
     <repositories>
@@ -24,6 +24,8 @@
             <name>libs-snapshot</name>
             <url>~/.m2</url>
         </repository>
+
+
     </repositories>
 
     <properties>
@@ -132,7 +134,7 @@
         <dependency>
             <groupId>com.checkmarx</groupId>
             <artifactId>cx-client-common</artifactId>
-            <version>2022.4.4</version>
+            <version>2023.2.5</version>
             <!-- Remove these excludes once latest FSA is used -->
             <exclusions>
 				<exclusion>
@@ -208,7 +210,7 @@
         <dependency>
 				<groupId>org.json</groupId>
 				<artifactId>json</artifactId>
-				<version>20220924</version>
+				<version>20230227</version>
 			</dependency>
 			<dependency>
 			    <groupId>com.google.guava</groupId>
@@ -241,7 +243,17 @@
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-databind</artifactId>
-            <version>2.14.0</version>
+            <version>2.15.0-rc1</version>
+        </dependency>
+         <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-core</artifactId>
+            <version>2.15.0-rc1</version>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.dataformat</groupId>
+            <artifactId>jackson-dataformat-yaml</artifactId>
+            <version>2.15.0-rc1</version>
         </dependency>
         <dependency>
             <groupId>org.springframework</groupId>
@@ -277,11 +289,7 @@
             <artifactId>netty-codec</artifactId>
             <version>4.1.86.Final</version>
         </dependency>     
-        <dependency>
-    		<groupId>org.yaml</groupId>
-    		<artifactId>snakeyaml</artifactId>
-    		<version>1.33</version>
-		</dependency>
+
         <dependency>
     		<groupId>org.jsoup</groupId>
     		<artifactId>jsoup</artifactId>
@@ -318,7 +326,7 @@
         <dependency>
             <groupId>com.checkmarx</groupId>
             <artifactId>cx-config-provider</artifactId>
-            <version>1.0.13</version>
+            <version>1.0.14</version>
             <exclusions>
                 <exclusion>
                     <groupId>commons-io</groupId>

src/main/java/com/cx/plugin/cli/CxConsoleLauncher.java

@@ -23,6 +23,7 @@
 import org.apache.logging.log4j.core.config.ConfigurationSource;
 import org.apache.logging.log4j.core.config.Configurator;
 import org.apache.logging.slf4j.Log4jLoggerFactory;
+import org.awaitility.core.ConditionTimeoutException;
 
 import javax.naming.ConfigurationException;
 import java.io.File;
@@ -86,8 +87,7 @@ public static void main(String[] args) {
         } catch (CxClientException | IOException | InterruptedException e) {
             log.error("CLI process terminated, error: " + e.getMessage());
             exitCode = ErrorParsingHelper.parseError(e.getMessage());
-        }
-
+        } 
         System.exit(exitCode);
     }
 
@@ -200,6 +200,7 @@ private static int execute(Command command, CommandLine commandLine)
             }
         } else {
             getScanResultExceptionIfExists(results);
+            log.info("Scan is Running in Asynchronous mode. Not waiting for scan to finish.");
         }
 
         return exitCode;

src/main/java/com/cx/plugin/cli/constants/ArgDescriptions.java

@@ -84,6 +84,7 @@ private ArgDescriptions() {
     static final String XML_REPORT = "Name or path to results report, by type. Optional. Not supported in AsyncScan mode.";
     static final String CSV_REPORT = "Name or path to results report, by type. Optional. Not supported in AsyncScan mode.";
     static final String RTF_REPORT = "Name or path to results report, by type. Optional. Not supported in AsyncScan mode.";
+    static final String SCA_REPORT_PATH = "Path to SCA results report, by type. Optional. Not supported in AsyncScan mode.";
     static final String IS_INCREMENTAL = "Run incremental scan instead of a full scan. Scans only new and modified files, relative to project's last scan(-Incremental will disable any -ForceScan setting). Optional.";
     static final String IS_FORCE_SCAN = "Force scan on source code, which has not been changed since the last scan of the same project (not compatible with -Incremental option). Optional.";
     static final String IS_PRIVATE = "Scan will not be visible to other users. Optional";
@@ -154,6 +155,8 @@ private ArgDescriptions() {
     static final String ENABLE_SAST_BRANCHING = "Enable to create child project";
     static final String MASTER_BRANCH_PROJ_NAME = "Master branch project name";
 
+    static final String POST_SCAN_ACTION = "Post Scan Action name that is to be performed automatically after a scan.";
+
     static final String PERIODIC_FULL_SCAN = "Run a full scan after X incremental scans . Scans all files, (-Incremental should be enable). Optional.";    
 
 }

src/main/java/com/cx/plugin/cli/constants/Command.java

@@ -126,6 +126,7 @@ public static Options getOptions() {
 
         options.addOption(GENERATE_SCA_REPORT, false, ArgDescriptions.GENERATE_SCA_REPORT);
         options.addOption(SCA_REPORT_FORMAT, true, ArgDescriptions.SCA_REPORT_FORMAT);
+        options.addOption(SCA_REPORT_PATH, true, ArgDescriptions.SCA_REPORT_PATH);
 
         options.addOption(IS_INCREMENTAL, false, ArgDescriptions.IS_INCREMENTAL);
         options.addOption(IS_FORCE_SCAN, false, ArgDescriptions.IS_FORCE_SCAN);
@@ -179,6 +180,8 @@ public static Options getOptions() {
 
         options.addOption(ENABLE_SAST_BRANCHING, false, ArgDescriptions.ENABLE_SAST_BRANCHING);
         options.addOption(MASTER_BRANCH_PROJ_NAME, true, ArgDescriptions.MASTER_BRANCH_PROJ_NAME);
+
+        options.addOption(POST_SCAN_ACTION, true, ArgDescriptions.POST_SCAN_ACTION);
 
         options.addOption(PERIODIC_FULL_SCAN, true, ArgDescriptions.PERIODIC_FULL_SCAN);
 

src/main/java/com/cx/plugin/cli/constants/Parameters.java

@@ -62,6 +62,7 @@ private Parameters() {
 
     public static final String GENERATE_SCA_REPORT = "generateScaReport";
     public static final String SCA_REPORT_FORMAT = "scareportformat";
+    public static final String SCA_REPORT_PATH = "scareportpath";
 
     public static final String RTF_REPORT = "reportrtf";
     public static final String IS_INCREMENTAL = "incremental";
@@ -117,6 +118,7 @@ private Parameters() {
     public static final String ENABLE_SAST_BRANCHING = "enablesastbranching";
     public static final String MASTER_BRANCH_PROJ_NAME = "masterbranchprojname";
 
+    public static final String POST_SCAN_ACTION = "postscanaction";
 
     public static final String PERIODIC_FULL_SCAN = "periodicfullscan";
 

src/main/java/com/cx/plugin/cli/utils/CxConfigHelper.java

@@ -161,7 +161,11 @@ public CxScanConfig resolveConfiguration(Command command, CommandLine cmd) throw
                 if (cmd.hasOption(SCA_TIMEOUT)) {
                     scanConfig.setSCAScanTimeoutInMinutes(Integer.valueOf(cmd.getOptionValue(SCA_TIMEOUT)));
                 }
-            } else {
+            }
+            else {
+            	if(cmd.hasOption(SCA_ENABLED) &&  cmd.hasOption(SCA_TIMEOUT)) {
+            			scanConfig.setSCAScanTimeoutInMinutes(Integer.valueOf(cmd.getOptionValue(SCA_TIMEOUT)));
+            	}
                 scanConfig.setProjectName(extractProjectName(cmd.getOptionValue(FULL_PROJECT_PATH), false));
                 scanConfig.setTeamPath(extractTeamPath(cmd.getOptionValue(FULL_PROJECT_PATH), false));
             }
@@ -175,12 +179,23 @@ public CxScanConfig resolveConfiguration(Command command, CommandLine cmd) throw
         scanConfig.setSastFilterPattern(sastFilterPattern);
         scanConfig.setScanComment(cmd.getOptionValue(SCAN_COMMENT));
         setScanReports(scanConfig);
+        String reportPath = getReportPath(SCA_REPORT_PATH);
+        if(reportPath != null && !reportPath.isEmpty()) {
+        	File reportDir = new File(reportPath);
+        	scanConfig.setReportsDir(reportDir);
+        }
         scanConfig.setGenerateScaReport(cmd.hasOption(GENERATE_SCA_REPORT));        
         scanConfig.setScaReportFormat(cmd.getOptionValue(SCA_REPORT_FORMAT));
-        if(scanConfig.isGenerateScaReport())
+        if(scanConfig.isGenerateScaReport()) {
         	throwForInvalidScaReportFormat(scanConfig.getScaReportFormat());
+    			if (!cmd.hasOption(SCA_REPORT_PATH)) {
+    				throw new CLIParsingException("scareportpath command line option must be specified.");
+    			}
+        }
 
         scanConfig.setIncremental(cmd.hasOption(IS_INCREMENTAL));
+        String postScanAction = cmd.getOptionValue(POST_SCAN_ACTION);
+        	scanConfig.setPostScanName(postScanAction);
         scanConfig.setForceScan(cmd.hasOption(IS_FORCE_SCAN));        
 		scanConfig.setEnableSASTBranching(cmd.hasOption(ENABLE_SAST_BRANCHING));
 		if (cmd.hasOption(ENABLE_SAST_BRANCHING)) {
@@ -672,6 +687,8 @@ private void setScaSpecificConfig(CxScanConfig scanConfig) throws CLIParsingExce
             sca.setEnableScaResolver(true);
             String pathToResolver = getRequiredParam(commandLine, PATH_TO_RESOLVER, null);
             String additionalParams = getRequiredParam(commandLine, SCA_RESOLVER_ADD_PARAMETERS, null);
+            additionalParams = checkMissingMandatoryAdditionalParams(commandLine, additionalParams);
+            log.debug("SCA Resolver Additional Parameters: " + additionalParams);
             validateSCAResolverParams();
             sca.setPathToScaResolver(pathToResolver);
             sca.setScaResolverAddParameters(additionalParams);
@@ -717,7 +734,16 @@ private void configureScaWithSastDetails(AstScaConfig sca) throws CLIParsingExce
 
         //SCA alone scan
         if ((!commandLine.hasOption(SCA_ENABLED))) {
-            if (exploitablePathParamsIncomplete(serverURL, user, password, projectId, projectName)) {
+			if (commandLine.hasOption(SAST_PROJECT_NAME) || commandLine.hasOption(SAST_PROJECT_ID)) {
+				if (exploitablePathParamsIncomplete(serverURL, user, password, projectId, projectName)) {
+					serverURL = StringUtils.isEmpty(serverURL) ? getOptionalParam(SERVER_URL, "") : serverURL;
+					user = StringUtils.isEmpty(user) ? getOptionalParam(USER_NAME, "") : user;
+					password = StringUtils.isEmpty(password) ? getOptionalParam(USER_PASSWORD, "") : password;
+					projectName = StringUtils.isEmpty(projectName) ? getOptionalParam(FULL_PROJECT_PATH, "")
+							: projectName;
+				}
+			}
+            if (exploitablePathParamsIncomplete(serverURL, user, password, projectId, projectName)) {      	
                 if (!exploitablePathParamsEmpty(serverURL, user, password, projectId, projectName))
                     throw new CLIParsingException(
                             "[CxConsole] For SCA exploitable path, CxSAST server details like url, user, password and full project path or project id are required. Received partial parameters.");
@@ -1131,6 +1157,67 @@ private static String getRequiredParam(CommandLine cmdLine, String cmdLineOption
         return result;
     }
 
+	public static String checkMissingMandatoryAdditionalParams(CommandLine cmdLine, String addParams)
+			throws CLIParsingException {
+		if (addParams == null)
+			addParams = "";
+		if (!addParams.contains("-n ")) {
+			String projectName = cmdLine.getOptionValue(FULL_PROJECT_PATH);
+			if (StringUtils.isNotEmpty(projectName)) {
+				projectName = projectName.trim();
+				addParams += " -n " + projectName;
+			} else
+				throw new CLIParsingException("projectname command line option must be specified");
+		}
+		if (!addParams.contains("-s ")) {
+			String locationPath = cmdLine.getOptionValue(LOCATION_PATH);
+			String scaLocationPath = cmdLine.getOptionValue(SCA_LOCATION_PATH);
+			if (StringUtils.isNotEmpty(locationPath)) {
+				locationPath = locationPath.trim();
+				addParams += " -s " + locationPath;
+			} else if (StringUtils.isNotEmpty(scaLocationPath)) {
+				scaLocationPath = scaLocationPath.trim();
+				addParams += " -s " + scaLocationPath;
+			} else
+				throw new CLIParsingException("locationpath command line option must be specified");
+		}
+		if (cmdLine.hasOption(SCA_ENABLED)
+				&& (addParams.contains("--cxprojectname ") || addParams.contains("--cxprojectid "))) {
+			if (!addParams.contains("--cxserver ")) {
+				String cxserver = cmdLine.getOptionValue(SERVER_URL);
+				if (StringUtils.isNotEmpty(cxserver)) {
+					cxserver = cxserver.trim();
+					addParams += " --cxserver " + cxserver;
+				} else
+					throw new CLIParsingException("cxserver command line option must be specified");
+			}
+			if (!addParams.contains("--cxuser ")) {
+				String cxuser = cmdLine.getOptionValue(USER_NAME);
+				if (StringUtils.isNotEmpty(cxuser)) {
+					cxuser = cxuser.trim();
+					addParams += " --cxuser " + cxuser;
+				} else
+					throw new CLIParsingException("cxuser command line option must be specified");
+			}
+			if (!addParams.contains("--cxpassword ")) {
+				String cxpassword = cmdLine.getOptionValue(USER_PASSWORD);
+				if (StringUtils.isNotEmpty(cxpassword)) {
+					cxpassword = cxpassword.trim();
+					addParams += " --cxpassword " + cxpassword;
+				} else
+					throw new CLIParsingException("cxpassword command line option must be specified");
+			}
+		} else if (addParams.contains("--cxprojectname ") || addParams.contains("--cxprojectid ")) {
+			if (!addParams.contains("--cxserver ") || !addParams.contains("--cxuser ")
+					|| !addParams.contains("--cxpassword ")) {
+				throw new CLIParsingException(
+						"--cxserver, --cxuser, --cxpassword and --cxprojectname must be specified to use Exploitable Path.");
+			}
+
+		}
+		return addParams;
+	}
+
     private static String normalizeUrl(String rawValue) {
         return rawValue.startsWith("http") ? rawValue : "http://" + rawValue;
     }