diff --git a/pom.xml b/pom.xml index 7dab8e9..9af5bb8 100644 --- a/pom.xml +++ b/pom.xml @@ -5,7 +5,7 @@ checkmarx.com com.checkmarx.sonar.cxplugin sonar-plugin - 2023.3.4 + 2024.3.3 Checkmarx plugin Checkmarx plugin @@ -266,7 +266,7 @@ com.checkmarx cx-client-common - 2020.2.4.NO.SCA + 2024.3.28 commons-io @@ -336,6 +336,10 @@ org.codehaus.plexus plexus-archiver + + jakarta.xml.bind + jakarta.xml.bind-api + @@ -354,6 +358,36 @@ plexus-archiver 4.8.0 + + javax.xml.bind + jaxb-api + 2.3.1 + + + org.glassfish.jaxb + jaxb-core + 3.0.2 + + + org.apache.maven + maven-model + 3.9.0 + + + com.sun.xml.bind + jaxb-impl + 3.0.2 + + + org.glassfish.jaxb + jaxb-runtime + 2.3.2 + + + xpp3 + xpp3 + 1.1.4c + diff --git a/src/main/java/com/checkmarx/sonar/measures/ComputeSastMeasures.java b/src/main/java/com/checkmarx/sonar/measures/ComputeSastMeasures.java index 1bf69bb..d2cd869 100644 --- a/src/main/java/com/checkmarx/sonar/measures/ComputeSastMeasures.java +++ b/src/main/java/com/checkmarx/sonar/measures/ComputeSastMeasures.java 
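Review bot: The JAXB artifacts pinned in the new dependency block mix two incompatible generations: `jaxb-api 2.3.1` and `jaxb-runtime 2.3.2` implement the `javax.xml.bind` API, while `jaxb-core 3.0.2` and `jaxb-impl 3.0.2` implement `jakarta.xml.bind`, so whichever runtime wins on the classpath cannot serve the other API, and the exclusion of `jakarta.xml.bind-api` from plexus-archiver removes the very API the 3.0.2 artifacts need. Pin a single generation — either `jaxb-api 2.3.1` with a 2.3.x runtime/core/impl, or `jakarta.xml.bind-api 3.x` with the 3.0.2 runtime — and confirm with `mvn dependency:tree` that only one set is resolved. `maven-model 3.9.0` and `xpp3 1.1.4c` have no visible consumer in this diff (the plugin-version lookup added to CxConfigHelper uses the JDK DOM parser), so if they were added for an abandoned pom-parsing approach they should be dropped rather than shipping an unused, very old XML pull parser in the plugin.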
@@ -16,10 +16,10 @@ public class ComputeSastMeasures implements MeasureComputer {
 @Override
 public MeasureComputerDefinition define(MeasureComputerDefinitionContext def) {
 return def.newDefinitionBuilder()
- .setInputMetrics(SONAR_PROJECT_HAVE_SAST_RESULTS.key(), SAST_HIGH_VULNERABILITIES.key(), SAST_MEDIUM_VULNERABILITIES.key(), SAST_LOW_VULNERABILITIES.key(),SAST_TOTAL_VULNERABILITIES.key(),
- SAST_NEW_HIGH_VULNERABILITIES.key(), SAST_NEW_MEDIUM_VULNERABILITIES.key(), SAST_NEW_LOW_VULNERABILITIES.key(), SAST_TOTAL_NEW_VULNERABILITIES.key(), SAST_SCAN_DETAILS.key())
- .setOutputMetrics(SONAR_PROJECT_HAVE_SAST_RESULTS.key(), SAST_HIGH_VULNERABILITIES.key(), SAST_MEDIUM_VULNERABILITIES.key(), SAST_LOW_VULNERABILITIES.key(),SAST_TOTAL_VULNERABILITIES.key(),
- SAST_NEW_HIGH_VULNERABILITIES.key(), SAST_NEW_MEDIUM_VULNERABILITIES.key(), SAST_NEW_LOW_VULNERABILITIES.key(), SAST_TOTAL_NEW_VULNERABILITIES.key(), SAST_SCAN_DETAILS.key())
+ .setInputMetrics(SONAR_PROJECT_HAVE_SAST_RESULTS.key(),SAST_CRITICAL_VULNERABILITIES.key() ,SAST_HIGH_VULNERABILITIES.key(), SAST_MEDIUM_VULNERABILITIES.key(), SAST_LOW_VULNERABILITIES.key(),SAST_TOTAL_VULNERABILITIES.key(),
+ SAST_NEW_CRITICAL_VULNERABILITIES.key(),SAST_NEW_HIGH_VULNERABILITIES.key(), SAST_NEW_MEDIUM_VULNERABILITIES.key(), SAST_NEW_LOW_VULNERABILITIES.key(), SAST_TOTAL_NEW_VULNERABILITIES.key(), SAST_SCAN_DETAILS.key())
+ .setOutputMetrics(SONAR_PROJECT_HAVE_SAST_RESULTS.key(),SAST_CRITICAL_VULNERABILITIES.key() , SAST_HIGH_VULNERABILITIES.key(), SAST_MEDIUM_VULNERABILITIES.key(), SAST_LOW_VULNERABILITIES.key(),SAST_TOTAL_VULNERABILITIES.key(),
+ SAST_NEW_CRITICAL_VULNERABILITIES.key(),SAST_NEW_HIGH_VULNERABILITIES.key(), SAST_NEW_MEDIUM_VULNERABILITIES.key(), SAST_NEW_LOW_VULNERABILITIES.key(), SAST_TOTAL_NEW_VULNERABILITIES.key(), SAST_SCAN_DETAILS.key())
 .build();
 }
@@ -27,24 +27,28 @@ public MeasureComputerDefinition define(MeasureComputerDefinitionContext def) { public void compute(MeasureComputerContext context) { if (context.getComponent().getType() != Component.Type.FILE) { if(isResult(context)){ - int sumHigh = sumMetric(SAST_HIGH_VULNERABILITIES, context); + int sumCritical = sumMetric(SAST_CRITICAL_VULNERABILITIES, context); + int sumHigh = sumMetric(SAST_HIGH_VULNERABILITIES, context); int sumMedium = sumMetric(SAST_MEDIUM_VULNERABILITIES, context); int sumLow = sumMetric(SAST_LOW_VULNERABILITIES, context); + int sumNewCritical = sumMetric(SAST_NEW_CRITICAL_VULNERABILITIES, context); int sumNewHigh = sumMetric(SAST_NEW_HIGH_VULNERABILITIES, context); int sumNewMedium = sumMetric(SAST_NEW_MEDIUM_VULNERABILITIES, context); int sumNewLow = sumMetric(SAST_NEW_LOW_VULNERABILITIES, context); //compute fails without adding this measure context.addMeasure(SONAR_PROJECT_HAVE_SAST_RESULTS.key(), sumMetric(SONAR_PROJECT_HAVE_SAST_RESULTS, context)); - + + context.addMeasure(SAST_CRITICAL_VULNERABILITIES.key(), sumCritical); context.addMeasure(SAST_HIGH_VULNERABILITIES.key(), sumHigh); context.addMeasure(SAST_MEDIUM_VULNERABILITIES.key(), sumMedium); context.addMeasure(SAST_LOW_VULNERABILITIES.key(), sumLow); - context.addMeasure(SAST_TOTAL_VULNERABILITIES.key(), sumHigh + sumMedium + sumLow); + context.addMeasure(SAST_TOTAL_VULNERABILITIES.key(), sumCritical + sumHigh + sumMedium + sumLow); + context.addMeasure(SAST_NEW_CRITICAL_VULNERABILITIES.key(), sumNewCritical); context.addMeasure(SAST_NEW_HIGH_VULNERABILITIES.key(), sumNewHigh); context.addMeasure(SAST_NEW_MEDIUM_VULNERABILITIES.key(), sumNewMedium); context.addMeasure(SAST_NEW_LOW_VULNERABILITIES.key(), sumNewLow); - context.addMeasure(SAST_TOTAL_NEW_VULNERABILITIES.key(), sumNewHigh + sumNewMedium + sumNewLow); + context.addMeasure(SAST_TOTAL_NEW_VULNERABILITIES.key(), sumNewCritical + sumNewHigh + sumNewMedium + sumNewLow); } } } 
diff --git a/src/main/java/com/checkmarx/sonar/measures/SastMetrics.java b/src/main/java/com/checkmarx/sonar/measures/SastMetrics.java index 3c901f1..c0499fa 100644 --- a/src/main/java/com/checkmarx/sonar/measures/SastMetrics.java +++ b/src/main/java/com/checkmarx/sonar/measures/SastMetrics.java 
@@ -19,56 +19,70 @@ public class SastMetrics implements Metrics { public static String SAST_BASE_KEY = "cx.sast.result"; public static String NON_COMMENTIOG_LINES_OF_CODE = "Non commenting lines of code"; - public static final Metric SAST_HIGH_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY + ".high", "Checkmarx - 1. High Vulnerabilities", Metric.ValueType.INT) + public static final Metric SAST_CRITICAL_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY + ".critical", "Checkmarx - 1. Critical Vulnerabilities", Metric.ValueType.INT) + .setDescription(NON_COMMENTIOG_LINES_OF_CODE) + .setDirection(Metric.DIRECTION_WORST) + .setQualitative(false) + .setDomain(CX_SAST_DOMAIN) + .create(); + + public static final Metric SAST_HIGH_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY + ".high", "Checkmarx - 2. High Vulnerabilities", Metric.ValueType.INT) .setDescription(NON_COMMENTIOG_LINES_OF_CODE) .setDirection(Metric.DIRECTION_WORST) .setQualitative(false) .setDomain(CX_SAST_DOMAIN) .create(); - public static final Metric SAST_MEDIUM_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY + ".medium", "Checkmarx - 2. Medium Vulnerabilities", Metric.ValueType.INT) + public static final Metric SAST_MEDIUM_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY + ".medium", "Checkmarx - 3. Medium Vulnerabilities", Metric.ValueType.INT) .setDescription(NON_COMMENTIOG_LINES_OF_CODE) .setDirection(Metric.DIRECTION_WORST) .setQualitative(false) .setDomain(CX_SAST_DOMAIN) .create(); - public static final Metric SAST_LOW_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY + ".low", "Checkmarx - 3. Low Vulnerabilities", Metric.ValueType.INT) + public static final Metric SAST_LOW_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY + ".low", "Checkmarx - 4. 
Low Vulnerabilities", Metric.ValueType.INT) .setDescription(NON_COMMENTIOG_LINES_OF_CODE) .setDirection(Metric.DIRECTION_WORST) .setQualitative(false) .setDomain(CX_SAST_DOMAIN) .create(); - public static final Metric SAST_TOTAL_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY + ".total", "Checkmarx - 4. Total Vulnerabilities", Metric.ValueType.INT) + public static final Metric SAST_TOTAL_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY + ".total", "Checkmarx - 5. Total Vulnerabilities", Metric.ValueType.INT) .setDescription(NON_COMMENTIOG_LINES_OF_CODE) .setDirection(Metric.DIRECTION_WORST) .setQualitative(false) .setDomain(CX_SAST_DOMAIN) .create(); - public static final Metric SAST_NEW_HIGH_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY + "new.high", "Checkmarx - 5. New High Vulnerabilities", Metric.ValueType.INT) + public static final Metric SAST_NEW_CRITICAL_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY + "new.critical", "Checkmarx - 6. New Critical Vulnerabilities", Metric.ValueType.INT) + .setDescription(NON_COMMENTIOG_LINES_OF_CODE) + .setDirection(Metric.DIRECTION_WORST) + .setQualitative(false) + .setDomain(CX_SAST_DOMAIN) + .create(); + + public static final Metric SAST_NEW_HIGH_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY + "new.high", "Checkmarx - 7. New High Vulnerabilities", Metric.ValueType.INT) .setDescription(NON_COMMENTIOG_LINES_OF_CODE) .setDirection(Metric.DIRECTION_WORST) .setQualitative(false) .setDomain(CX_SAST_DOMAIN) .create(); - public static final Metric SAST_NEW_MEDIUM_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY + "new.medium", "Checkmarx - 6. New Medium Vulnerabilities", Metric.ValueType.INT) + public static final Metric SAST_NEW_MEDIUM_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY + "new.medium", "Checkmarx - 8. 
New Medium Vulnerabilities", Metric.ValueType.INT) .setDescription(NON_COMMENTIOG_LINES_OF_CODE) .setDirection(Metric.DIRECTION_WORST) .setQualitative(false) .setDomain(CX_SAST_DOMAIN) .create(); - public static final Metric SAST_NEW_LOW_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY + "new.low", "Checkmarx - 7. New Low Vulnerabilities", Metric.ValueType.INT) + public static final Metric SAST_NEW_LOW_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY + "new.low", "Checkmarx - 9. New Low Vulnerabilities", Metric.ValueType.INT) .setDescription(NON_COMMENTIOG_LINES_OF_CODE) .setDirection(Metric.DIRECTION_WORST) .setQualitative(false) .setDomain(CX_SAST_DOMAIN) .create(); - public static final Metric SAST_TOTAL_NEW_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY + ".new.total", "Checkmarx - 8. Total New Vulnerabilities", Metric.ValueType.INT) + public static final Metric SAST_TOTAL_NEW_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY + ".new.total", "Checkmarx - 10. Total New Vulnerabilities", Metric.ValueType.INT) .setDescription(NON_COMMENTIOG_LINES_OF_CODE) .setDirection(Metric.DIRECTION_WORST) .setQualitative(false) @@ -98,9 +112,10 @@ public class SastMetrics implements Metrics { @Override public List getMetrics() { - return asList(SAST_HIGH_VULNERABILITIES, SAST_MEDIUM_VULNERABILITIES, SAST_LOW_VULNERABILITIES, SAST_TOTAL_VULNERABILITIES, - SAST_NEW_HIGH_VULNERABILITIES, SAST_NEW_MEDIUM_VULNERABILITIES, SAST_NEW_LOW_VULNERABILITIES, SAST_TOTAL_NEW_VULNERABILITIES, - SONAR_PROJECT_HAVE_SAST_RESULTS, SAST_SCAN_DETAILS, SAST_SCAN_QUERIES); + return asList(SAST_CRITICAL_VULNERABILITIES, SAST_HIGH_VULNERABILITIES, SAST_MEDIUM_VULNERABILITIES, + SAST_LOW_VULNERABILITIES, SAST_TOTAL_VULNERABILITIES, SAST_NEW_CRITICAL_VULNERABILITIES, + SAST_NEW_HIGH_VULNERABILITIES, SAST_NEW_MEDIUM_VULNERABILITIES, SAST_NEW_LOW_VULNERABILITIES, + SAST_TOTAL_NEW_VULNERABILITIES, SONAR_PROJECT_HAVE_SAST_RESULTS, SAST_SCAN_DETAILS, SAST_SCAN_QUERIES); } } 
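Review bot: The two new metrics copy the wrong description: `SAST_CRITICAL_VULNERABILITIES` and `SAST_NEW_CRITICAL_VULNERABILITIES` are built with `.setDescription(NON_COMMENTIOG_LINES_OF_CODE)`, which resolves to "Non commenting lines of code" and has nothing to do with a vulnerability count; the existing metrics share the defect, but a new metric is the place to stop propagating it, e.g. `.setDescription("Number of Checkmarx SAST results with Critical severity")` and `.setDescription("Number of new Checkmarx SAST results with Critical severity")`. The new key `SAST_BASE_KEY + "new.critical"` also lacks the separating dot and so becomes `cx.sast.resultnew.critical`, mirroring `new.high`/`new.medium`/`new.low` but not `.new.total`; since no measures have been stored under this key yet, `".new.critical"` could be used without a migration, provided every reader of the key uses the same string.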
diff --git a/src/main/java/com/checkmarx/sonar/sensor/CheckmarxSensor.java b/src/main/java/com/checkmarx/sonar/sensor/CheckmarxSensor.java index f3d9b2d..3b50aba 100644 --- a/src/main/java/com/checkmarx/sonar/sensor/CheckmarxSensor.java +++ b/src/main/java/com/checkmarx/sonar/sensor/CheckmarxSensor.java @@ -28,7 +28,7 @@ import com.checkmarx.sonar.settings.CxProperties; import com.checkmarx.sonar.web.HttpHelper; import com.checkmarx.sonar.web.ProxyParams; -import com.cx.restclient.CxShragaClient; +import com.cx.restclient.CxClientDelegator; import com.cx.restclient.configuration.CxScanConfig; import com.cx.restclient.exception.CxClientException; import com.cx.restclient.sast.dto.CxXMLResults; @@ -36,6 +36,7 @@ import com.cx.restclient.sast.utils.SASTUtils; import com.fasterxml.jackson.core.JsonProcessingException; import com.fasterxml.jackson.databind.ObjectMapper; +import com.checkmarx.sonar.cxrules.CxSonarConstants; /** * Created by: Zoharby. @@ -47,8 +48,9 @@ public class CheckmarxSensor implements Sensor { private PluginVersionProvider versionProvider = new PluginVersionProvider(); private ObjectMapper mapper = new ObjectMapper(); private SastResultsCollector sastResultsCollector = new SastResultsCollector(); - private CxShragaClient shraga = null; + private CxClientDelegator shraga = null; + static { System.setProperty("https.protocols", "TLSv1,TLSv1.1,TLSv1.2"); } @@ -62,7 +64,7 @@ public void describe(SensorDescriptor descriptor) { public void execute(SensorContext context) { logger.info(versionProvider.appendVersionToMsg("Retrieving Checkmarx scan results for current module")); logger.info("Getting Checkmarx configuration data from sonar Database."); - + Double version = 9.0; try { CxConfigHelper configHelper = new CxConfigHelper(logger); String cxProject = configHelper.getSonarProperty(context, CxProperties.CXPROJECT_KEY); 
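Review bot: The static initializer directly below the retyped `shraga` field still forces `System.setProperty("https.protocols", "TLSv1,TLSv1.1,TLSv1.2")`, which re-enables TLS 1.0 and 1.1 for every HTTPS connection in the SonarQube JVM, not just this plugin's, and overrides the JDK's default disabling of those versions. If the new client layer no longer needs it for a legacy server, delete the block; otherwise restrict it to `"TLSv1.2,TLSv1.3"` and add a comment explaining why a process-wide property is set from a plugin. The hunk only adds a blank line above the block, so this commit leaves the setting untouched.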
@@ -79,13 +81,27 @@ public void execute(SensorContext context) { logger.info("Connecting to {}", config.getUrl()); ProxyParams proxyParam = HttpHelper.getProxyParam(); if (proxyParam == null) { - shraga = new CxShragaClient(config, false, logger); + shraga = new CxClientDelegator(config, logger); } else { - shraga = new CxShragaClient(config, logger, proxyParam.getHost(), proxyParam.getPort(), proxyParam.getUser(), proxyParam.getPssd(), true); + shraga = new CxClientDelegator( + proxyParam.getHost() + ":" + proxyParam.getPort(), + proxyParam.getUser(), + proxyParam.getPssd(), + CxSonarConstants.CX_SONAR_ORIGIN, + true, + logger); } shraga.init(); - SASTResults latestSASTResults = shraga.getLatestSASTResults(); + SASTResults latestSASTResults = shraga.getLatestScanResults().getSastResults(); + if (config.getCxVersion() != null && config.getCxVersion().getVersion() != null) { + String[] sastVersionSplit = config.getCxVersion().getVersion().split("\\."); + version = Double.parseDouble(sastVersionSplit[0] + "." + sastVersionSplit[1]); + if (version >= 9.7) { + logger.info("Checkmarx Critical vulnerabilities: " + latestSASTResults.getCritical()); + logger.info("Checkmarx New-Critical vulnerabilities: " + latestSASTResults.getNewCritical()); + } + } logger.info("Checkmarx High vulnerabilities: " + latestSASTResults.getHigh()); logger.info("Checkmarx New-High vulnerabilities: " + latestSASTResults.getNewHigh()); logger.info("Checkmarx Medium vulnerabilities: " + latestSASTResults.getMedium()); diff --git a/src/main/java/com/checkmarx/sonar/sensor/dto/FileQueries.java b/src/main/java/com/checkmarx/sonar/sensor/dto/FileQueries.java index dc586d6..56b8734 100644 --- a/src/main/java/com/checkmarx/sonar/sensor/dto/FileQueries.java +++ b/src/main/java/com/checkmarx/sonar/sensor/dto/FileQueries.java 
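Review bot: In the proxy branch the new `CxClientDelegator(...)` call drops `config` entirely and passes `proxyParam.getHost() + ":" + proxyParam.getPort()`, `proxyParam.getUser()` and `proxyParam.getPssd()` in the positions that, judging by the `CxScanConfig(url, username, password, origin, disableCertValidation)` constructor used elsewhere in this diff, are the Checkmarx server URL and login credentials — so with a proxy configured the plugin would try to log in to the proxy host using the proxy password and never reach the configured server. The other call sites in this commit (CxConfigHelper.getTeamId, CxConfigRestEndPoint.handle) attach the proxy with `config.setProxyConfig(new ProxyConfig(...))` and then build the client from `config`; this one should do the same, importing `com.cx.restclient.dto.ProxyConfig` as those files do. Separately, `Double.parseDouble(sastVersionSplit[0] + "." + sastVersionSplit[1])` throws on a version string without a dot and compares versions as decimals, so a hypothetical "9.10" parses as 9.1 and fails the `>= 9.7` test; compare `Integer.parseInt` of major and minor instead. The enclosing execute() continues past the end of the hunk.
```java
logger.info("Connecting to {}", config.getUrl());
ProxyParams proxyParam = HttpHelper.getProxyParam();
if (proxyParam != null) {
    String proxyHost = proxyParam.getHost();
    config.setProxyConfig(new ProxyConfig(
            proxyHost,
            proxyParam.getPort(),
            proxyParam.getUser(),
            proxyParam.getPssd(),
            proxyHost.toLowerCase().startsWith("https")));
}
shraga = new CxClientDelegator(config, logger);
shraga.init();
// … unchanged: fetch latest scan results and log per-severity counts …
```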
@@ -10,7 +10,9 @@ */ public class FileQueries { - @JsonProperty("highVulnerabilityQueries") + @JsonProperty("criticalVulnerabilityQueries") + private List criticalVulnerabilityQueries; + @JsonProperty("highVulnerabilityQueries") private List highVulnerabilityQueries; @JsonProperty("mediumVulnerabilityQuries") private List mediumVulnerabilityQuries; @@ -20,12 +22,21 @@ public class FileQueries { public FileQueries() { } - public FileQueries(List highVulnerabilityNonIssues, List mediumVulnerabilityNonIssues, List lowVulnerabilityNonIssues) { - this.highVulnerabilityQueries = highVulnerabilityNonIssues; + public FileQueries(List criticalVulnerabilityNonIssues,List highVulnerabilityNonIssues, List mediumVulnerabilityNonIssues, List lowVulnerabilityNonIssues) { + this.criticalVulnerabilityQueries = criticalVulnerabilityNonIssues; + this.highVulnerabilityQueries = highVulnerabilityNonIssues; this.mediumVulnerabilityQuries = mediumVulnerabilityNonIssues; this.lowVulnerabilityQueries = lowVulnerabilityNonIssues; } + public List getCriticalVulnerabilityQueries() { + return criticalVulnerabilityQueries; + } + + public void setCriticalVulnerabilityQueries(List criticalVulnerabilityQueries) { + this.criticalVulnerabilityQueries = criticalVulnerabilityQueries; + } + public List getHighVulnerabilityQueries() { return highVulnerabilityQueries; } diff --git a/src/main/java/com/checkmarx/sonar/sensor/dto/SastSeverity.java b/src/main/java/com/checkmarx/sonar/sensor/dto/SastSeverity.java index f7ed678..4393f1a 100644 --- a/src/main/java/com/checkmarx/sonar/sensor/dto/SastSeverity.java +++ b/src/main/java/com/checkmarx/sonar/sensor/dto/SastSeverity.java @@ -8,7 +8,8 @@ */ public enum SastSeverity { - SAST_HIGH(3, "High", Severity.CRITICAL), + SAST_CRITICAL(4, "Critical",Severity.BLOCKER), + SAST_HIGH(3, "High", Severity.CRITICAL), SAST_MEDIUM(2, "Medium", Severity.MAJOR), SAST_LOW(1, "Low", Severity.MINOR), SAST_INFO(0, "Info", Severity.INFO); 
diff --git a/src/main/java/com/checkmarx/sonar/sensor/execution/FileMetricsCounter.java b/src/main/java/com/checkmarx/sonar/sensor/execution/FileMetricsCounter.java index f417914..083c382 100644 --- a/src/main/java/com/checkmarx/sonar/sensor/execution/FileMetricsCounter.java +++ b/src/main/java/com/checkmarx/sonar/sensor/execution/FileMetricsCounter.java @@ -6,6 +6,7 @@ */ class FileMetricsCounter { + private int critical = 0; private int high = 0; private int medium = 0; private int low = 0; @@ -14,6 +15,11 @@ class FileMetricsCounter { FileMetricsCounter() { } + void incrementCritical() { + ++ this.critical; + incrementSum(); + } + void incrementHigh() { ++ this.high; incrementSum(); @@ -33,6 +39,10 @@ private void incrementSum() { ++ this.sumVulnerabilities; } + public int getCritical() { + return critical; + } + public int getHigh() { return high; } diff --git a/src/main/java/com/checkmarx/sonar/sensor/execution/FileQueriesCollector.java b/src/main/java/com/checkmarx/sonar/sensor/execution/FileQueriesCollector.java index e3a3435..095d425 100644 --- a/src/main/java/com/checkmarx/sonar/sensor/execution/FileQueriesCollector.java +++ b/src/main/java/com/checkmarx/sonar/sensor/execution/FileQueriesCollector.java 
@@ -14,11 +14,18 @@ */ public class FileQueriesCollector { - private HashMap highVulnerabilityQueries = new HashMap<>(); + private HashMap criticalVulnerabilityQueries = new HashMap<>(); + private HashMap highVulnerabilityQueries = new HashMap<>(); private HashMap mediumVulnerabilityQueries = new HashMap<>(); private HashMap lowVulnerabilityQueries = new HashMap<>(); - + void addCriticalQuery(String queryName){ + if(criticalVulnerabilityQueries.get(queryName) != null){ + criticalVulnerabilityQueries.put(queryName, criticalVulnerabilityQueries.get(queryName) + 1); + }else { + criticalVulnerabilityQueries.put(queryName, 1); + } + } void addHighQuery(String queryName){ if(highVulnerabilityQueries.get(queryName) != null){ highVulnerabilityQueries.put(queryName, highVulnerabilityQueries.get(queryName) + 1); @@ -43,6 +50,10 @@ void addLowQuery(String queryName){ } } + public HashMap getCriticalVulnerabilityQueries() { + return criticalVulnerabilityQueries; + } + public HashMap getHighVulnerabilityQueries() { return highVulnerabilityQueries; } @@ -56,7 +67,7 @@ public HashMap getLowVulnerabilityQueries() { } FileQueries getAsFileQueriesObject(){ - return new FileQueries(getAsQueryDataList(highVulnerabilityQueries), getAsQueryDataList(mediumVulnerabilityQueries), getAsQueryDataList(lowVulnerabilityQueries)); + return new FileQueries(getAsQueryDataList(criticalVulnerabilityQueries),getAsQueryDataList(highVulnerabilityQueries), getAsQueryDataList(mediumVulnerabilityQueries), getAsQueryDataList(lowVulnerabilityQueries)); } //changing from hashmap to querydata list to improve json readability in ui diff --git a/src/main/java/com/checkmarx/sonar/sensor/execution/SastResultsCollector.java b/src/main/java/com/checkmarx/sonar/sensor/execution/SastResultsCollector.java index 9f19e33..29cf8f8 100644 --- a/src/main/java/com/checkmarx/sonar/sensor/execution/SastResultsCollector.java +++ b/src/main/java/com/checkmarx/sonar/sensor/execution/SastResultsCollector.java 
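Review bot: The new addCriticalQuery() copies the get-then-put counting pattern of its three siblings; `criticalVulnerabilityQueries.merge(queryName, 1, Integer::sum);` expresses the same increment in one line and avoids the double lookup, and since the method is new there is no compatibility reason to keep the longer form. It is also missing the blank line that separates its siblings and has no comment, while the class already uses `//` comments for intent; a one-liner such as `// counts occurrences of a Critical-severity query name in the current file` would match the file's style.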
@@ -1,8 +1,10 @@ package com.checkmarx.sonar.sensor.execution; +import static com.checkmarx.sonar.measures.SastMetrics.SAST_CRITICAL_VULNERABILITIES; import static com.checkmarx.sonar.measures.SastMetrics.SAST_HIGH_VULNERABILITIES; import static com.checkmarx.sonar.measures.SastMetrics.SAST_LOW_VULNERABILITIES; import static com.checkmarx.sonar.measures.SastMetrics.SAST_MEDIUM_VULNERABILITIES; +import static com.checkmarx.sonar.measures.SastMetrics.SAST_NEW_CRITICAL_VULNERABILITIES; import static com.checkmarx.sonar.measures.SastMetrics.SAST_NEW_HIGH_VULNERABILITIES; import static com.checkmarx.sonar.measures.SastMetrics.SAST_NEW_LOW_VULNERABILITIES; import static com.checkmarx.sonar.measures.SastMetrics.SAST_NEW_MEDIUM_VULNERABILITIES; @@ -197,6 +199,9 @@ private void updateQueryToCurrFile(CxResultToSonarResult nonIssueResult) { return; } switch (severity) { + case SAST_CRITICAL: + currFileQueriesCollector.addCriticalQuery(nonIssueResult.getQuery().getName()); + break; case SAST_HIGH: currFileQueriesCollector.addHighQuery(nonIssueResult.getQuery().getName()); break; @@ -220,6 +225,12 @@ private void updateCurrFileVulnerabilities(CxResultToSonarResult result) { boolean isNew = "New".equals(result.getResultData().getStatus()); switch (severity) { + case SAST_CRITICAL: + currFileSumVulnerabilityCounter.incrementCritical(); + if (isNew) { + currFileNewVulnerabilityCounter.incrementCritical(); + } + break; case SAST_HIGH: currFileSumVulnerabilityCounter.incrementHigh(); if (isNew) { 
@@ -258,6 +269,9 @@ private void saveCxCustomMetrics(SensorContext context, InputFile file) { private void addSumVulnerabilitiesMetrics(SensorContext context, InputFile file) { if (currFileSumVulnerabilityCounter.getSumVulnerabilities() > 0) { addMetric(context, file, SAST_TOTAL_VULNERABILITIES, currFileSumVulnerabilityCounter.getSumVulnerabilities()); + if (currFileSumVulnerabilityCounter.getCritical() != 0) { + addMetric(context, file, SAST_CRITICAL_VULNERABILITIES, currFileSumVulnerabilityCounter.getCritical()); + } if (currFileSumVulnerabilityCounter.getHigh() != 0) { addMetric(context, file, SAST_HIGH_VULNERABILITIES, currFileSumVulnerabilityCounter.getHigh()); } @@ -273,6 +287,9 @@ private void addSumVulnerabilitiesMetrics(SensorContext context, InputFile file) private void addNewVulnerabilitiesMetrics(SensorContext context, InputFile file) { if (currFileNewVulnerabilityCounter.getSumVulnerabilities() != 0) { addMetric(context, file, SAST_TOTAL_NEW_VULNERABILITIES, currFileNewVulnerabilityCounter.getSumVulnerabilities()); + if (currFileNewVulnerabilityCounter.getCritical() != 0) { + addMetric(context, file, SAST_NEW_CRITICAL_VULNERABILITIES, currFileNewVulnerabilityCounter.getCritical()); + } if (currFileNewVulnerabilityCounter.getHigh() != 0) { addMetric(context, file, SAST_NEW_HIGH_VULNERABILITIES, currFileNewVulnerabilityCounter.getHigh()); } diff --git a/src/main/java/com/checkmarx/sonar/sensor/utils/CxConfigHelper.java b/src/main/java/com/checkmarx/sonar/sensor/utils/CxConfigHelper.java index 3021538..e434037 100644 --- a/src/main/java/com/checkmarx/sonar/sensor/utils/CxConfigHelper.java +++ b/src/main/java/com/checkmarx/sonar/sensor/utils/CxConfigHelper.java 
@@ -13,9 +13,10 @@ import com.checkmarx.sonar.settings.PropertyApiClient; import com.checkmarx.sonar.web.HttpHelper; import com.checkmarx.sonar.web.ProxyParams; -import com.cx.restclient.CxShragaClient; import com.cx.restclient.configuration.CxScanConfig; +import com.cx.restclient.dto.ProxyConfig; import com.cx.restclient.exception.CxClientException; +import com.cx.restclient.CxSASTClient; import com.fasterxml.jackson.databind.ObjectMapper; import org.apache.commons.codec.binary.Base64; import org.apache.commons.lang3.StringUtils; @@ -27,9 +28,20 @@ import org.apache.http.client.utils.HttpClientUtils; import org.apache.http.impl.client.HttpClientBuilder; import org.apache.http.util.EntityUtils; +import org.slf4j.LoggerFactory; import org.slf4j.Logger; import org.sonar.api.batch.sensor.SensorContext; import org.sonar.api.config.Configuration; +import java.io.InputStream; + +import javax.xml.parsers.DocumentBuilderFactory; +import javax.xml.parsers.DocumentBuilder; +import org.w3c.dom.Document; +import org.w3c.dom.Element; +import org.w3c.dom.NodeList; +import java.io.File; +import java.io.IOException; +import org.w3c.dom.Element; import javax.crypto.SecretKey; import java.io.BufferedReader; @@ -143,7 +155,6 @@ public CxScanConfig getScanConfig(CxFullCredentials cxFullCredentials, SensorCon CxScanConfig scanConfig = new CxScanConfig(); scanConfig.setCxOrigin(CxSonarConstants.CX_SONAR_ORIGIN); scanConfig.setSastEnabled(true); - scanConfig.setOsaEnabled(false); scanConfig.setSynchronous(true); scanConfig.setDisableCertificateValidation(true); scanConfig.setUrl(cxFullCredentials.getCxServerUrl()); 
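Review bot: The import hunk adds `import org.w3c.dom.Element;` twice and brings in `java.io.File`, which nothing in the new getPluginVersion() uses (it reads a classpath InputStream); `java.io.IOException` is very likely already imported, since getTeamId further down declares `throws IOException`. Remove the duplicate and the unused imports and keep the `java.*`/`javax.*` group together instead of interleaving it with `org.*`, matching the ordering the file already has. The unchanged `scanConfig.setDisableCertificateValidation(true)` a few lines below means every scan-result fetch accepts any server certificate; that predates this commit, but while the client layer is being swapped it would be worth making the flag a plugin setting that defaults to false.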
@@ -151,6 +162,13 @@ public CxScanConfig getScanConfig(CxFullCredentials cxFullCredentials, SensorCon scanConfig.setPassword(cxFullCredentials.getCxPassword()); scanConfig.setPresetId(1); String cxProject = getSonarProperty(context, CxProperties.CXPROJECT_KEY); + + //String pomFilePath = "../pom.xml"; + + String pluginVersion = getPluginVersion(); + log.info("plugin Version: {}", pluginVersion); + scanConfig.setPluginVersion(pluginVersion); + try { ProjectDetails projectDetails = getProjectAndTeamDetails(cxProject, cxFullCredentials); scanConfig.setProjectName(projectDetails.getProjectName()); @@ -162,6 +180,34 @@ public CxScanConfig getScanConfig(CxFullCredentials cxFullCredentials, SensorCon } return scanConfig; } + + private String getPluginVersion() { + String version = null; + try { + // Load the pom.xml from the classpath + InputStream is = getClass().getClassLoader().getResourceAsStream("META-INF/maven/checkmarx.com/com.checkmarx.sonar.cxplugin/pom.xml"); + + if (is != null) { + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilder builder = factory.newDocumentBuilder(); + Document doc = builder.parse(is); + doc.getDocumentElement().normalize(); + + NodeList versionList = doc.getElementsByTagName("version"); + log.info("version List: {}", versionList.getLength()); + if (versionList.getLength() > 0) { + Element versionElement = (Element) versionList.item(0); + version = versionElement.getTextContent(); + log.info("version Element: {}", version); + } + } else { + log.error("pom.xml not found in the classpath"); + } + } catch (Exception e) { + log.error("Error while reading plugin version", e); + } + return version; + } private String getPropertyValue(String responseJson) { 
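Review bot: getPluginVersion() never closes the `InputStream` it obtains from `getResourceAsStream`, and it parses with a default `DocumentBuilderFactory`, which on most JDKs still resolves DTDs and external entities; the bundled pom.xml is trusted today, but a parser that is hardened by default costs one line and stops the pattern being copied to untrusted input later. Wrap the stream in try-with-resources, disable DOCTYPE processing, and return early when the resource is missing. Note also that `getElementsByTagName("version").item(0)` picks the first `<version>` anywhere in the document, which is the project version only while the pom has no `<parent>` block ahead of it — reading the direct `version` child of `doc.getDocumentElement()` would be the safer lookup. The two `log.info` calls printing "version List" and "version Element" read like debugging output and belong at debug level.
```java
private String getPluginVersion() {
    String version = null;
    String resource = "META-INF/maven/checkmarx.com/com.checkmarx.sonar.cxplugin/pom.xml";
    try (InputStream is = getClass().getClassLoader().getResourceAsStream(resource)) {
        if (is == null) {
            log.error("pom.xml not found in the classpath");
            return null;
        }
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // The pom is bundled with the plugin, but parse it with DTDs/external entities disabled anyway.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        Document doc = factory.newDocumentBuilder().parse(is);
        doc.getDocumentElement().normalize();
        // … unchanged: read the first <version> element into version …
    } catch (Exception e) {
        log.error("Error while reading plugin version", e);
    }
    return version;
}
```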
@@ -303,32 +349,29 @@ private static String createStringFromResponse(org.apache.http.HttpResponse resp private String getTeamId(String teamName, CxFullCredentials cxFullCredentials) throws IOException { String teamId; - try { - CxShragaClient shraga; - ProxyParams proxyParam = HttpHelper.getProxyParam(); - if (proxyParam == null) { - shraga = new CxShragaClient( - cxFullCredentials.getCxServerUrl().trim(), + Logger logger = LoggerFactory.getLogger(CxConfigHelper.class); + CxScanConfig config = new CxScanConfig(cxFullCredentials.getCxServerUrl().trim(), cxFullCredentials.getCxUsername(), cxFullCredentials.getCxPassword(), CxSonarConstants.CX_SONAR_ORIGIN, - true, - false, - log); - } else { - shraga = new CxShragaClient( - cxFullCredentials.getCxServerUrl().trim(), - cxFullCredentials.getCxUsername(), - cxFullCredentials.getCxPassword(), - CxSonarConstants.CX_SONAR_ORIGIN, - true, - log, - true, - proxyParam.getHost(), + true); + + try { + CxSASTClient shraga; + ProxyParams proxyParam = HttpHelper.getProxyParam(); + if (proxyParam != null) { + String proxyHost = proxyParam.getHost(); + ProxyConfig proxyConfig = new ProxyConfig( + proxyHost, proxyParam.getPort(), proxyParam.getUser(), - proxyParam.getPssd()); - } + proxyParam.getPssd(), + proxyHost.toLowerCase().startsWith("https")); + + + config.setProxyConfig(proxyConfig); + } + shraga = new CxSASTClient(config, logger); shraga.login(); diff --git a/src/main/java/com/checkmarx/sonar/web/CxConfigRestEndPoint.java b/src/main/java/com/checkmarx/sonar/web/CxConfigRestEndPoint.java index d9ed3e2..353de2c 100644 --- a/src/main/java/com/checkmarx/sonar/web/CxConfigRestEndPoint.java +++ b/src/main/java/com/checkmarx/sonar/web/CxConfigRestEndPoint.java 
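Review bot: getTeamId() now creates a fresh `Logger logger = LoggerFactory.getLogger(CxConfigHelper.class)` on every call although the class already has a `log` field (used as `log.error(...)` in getPluginVersion and passed to the old client before this change); use that field, `shraga = new CxSASTClient(config, log);`, and drop the new `LoggerFactory` import. The proxy scheme is inferred with `proxyHost.toLowerCase().startsWith("https")`, which is only meaningful if the configured proxy host carries a scheme prefix — and if it does, the same prefixed string is handed to `ProxyConfig` as the host, so confirm what `HttpHelper.getProxyParam()` actually returns before relying on it. The fifth `true` argument to `CxScanConfig` presumably disables certificate validation for the team lookup; a named constant would make that visible at the call site. The rest of getTeamId continues past the hunk.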
@@ -4,9 +4,11 @@ import com.checkmarx.sonar.dto.CxFullCredentials; import com.checkmarx.sonar.dto.RestEndpointContext; import com.checkmarx.sonar.sensor.utils.CxConfigHelper; -import com.cx.restclient.CxShragaClient; import com.cx.restclient.exception.CxClientException; +import com.cx.restclient.CxSASTClient; +import com.cx.restclient.dto.ProxyConfig; import com.cx.restclient.sast.dto.Project; +import com.cx.restclient.configuration.CxScanConfig; import com.fasterxml.jackson.databind.ObjectMapper; import org.apache.http.Header; import org.apache.http.conn.ssl.TrustAllStrategy; @@ -55,9 +57,9 @@ public class CxConfigRestEndPoint implements WebService { private static final String ERROR_MESSAGE = "errorMsg"; private Logger logger = LoggerFactory.getLogger(CxConfigRestEndPoint.class); - - private CxShragaClient shraga; - + + private CxSASTClient shraga; + private final ObjectMapper objectMapper = new ObjectMapper(); private static final String PROJECTS = "projects"; private static final String PROJECT_PATH = "/project"; 
@@ -99,16 +101,24 @@ public void handle(Request request, Response response) { ((HttpsURLConnection) urlConn).setHostnameVerifier(getHostnameVerifier()); } + CxScanConfig config = new CxScanConfig(cxFullCredentials.getCxServerUrl().trim(), + cxFullCredentials.getCxUsername(), + cxFullCredentials.getCxPassword(), + CxSonarConstants.CX_SONAR_ORIGIN, + true); + ProxyParams proxyParam = HttpHelper.getProxyParam(); - if (proxyParam == null) { - shraga = new CxShragaClient(cxFullCredentials.getCxServerUrl().trim(), cxFullCredentials.getCxUsername(), - cxFullCredentials.getCxPassword(), CxSonarConstants.CX_SONAR_ORIGIN, true, false, logger); - } else { - shraga = new CxShragaClient(cxFullCredentials.getCxServerUrl().trim(), cxFullCredentials.getCxUsername(), - cxFullCredentials.getCxPassword(), CxSonarConstants.CX_SONAR_ORIGIN, true, logger, true, - proxyParam.getHost(), proxyParam.getPort(), proxyParam.getUser(), proxyParam.getPssd()); + if (proxyParam != null) { + String proxyHost = proxyParam.getHost(); + ProxyConfig proxyConfig = new ProxyConfig( + proxyHost, + proxyParam.getPort(), + proxyParam.getUser(), + proxyParam.getPssd(), + proxyHost.toLowerCase().startsWith("https")); + config.setProxyConfig(proxyConfig); } - // final String cxVersion = shraga.getCxVersion(); + shraga = new CxSASTClient(config, logger); shraga.login(); urlConn.connect(); diff --git a/src/main/resources/static/cx_report.js b/src/main/resources/static/cx_report.js index 32278b2..3eb3f12 100644 --- a/src/main/resources/static/cx_report.js +++ b/src/main/resources/static/cx_report.js @@ -17,6 +17,7 @@ window.registerExtension('checkmarx/cx_report', function (options) { var sastScanResultsLink; //counts + var criticalCount; var highCount; var medCount; var lowCount; @@ -55,6 +56,7 @@ window.registerExtension('checkmarx/cx_report', function (options) { var queryPagesCounter = 0; //query lists + var criticalCveList = []; var highCveList = []; var medCveList = []; var lowCveList = []; 
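Review bot: The new `new CxScanConfig(url, username, password, CX_SONAR_ORIGIN, true)` passes a bare `true` whose meaning the reader has to look up; in CxConfigHelper.getScanConfig the same setting is spelled `setDisableCertificateValidation(true)`, and together with the `TrustAllStrategy` import and `setHostnameVerifier(getHostnameVerifier())` in this class it means the connection-test endpoint will submit the Checkmarx credentials to any host presenting any certificate. Give the flag a name and a comment at the call site, e.g. `private static final boolean DISABLE_CERT_VALIDATION = true; // TODO: expose as a plugin setting, default false`, so the trust decision is explicit and can later be made configurable. The `proxyHost.toLowerCase().startsWith("https")` inference is duplicated verbatim from CxConfigHelper.getTeamId; a shared helper that builds a `ProxyConfig` from `ProxyParams` would keep the two in step. handle() continues past the end of the hunk.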
@@ -82,9 +84,11 @@ window.registerExtension('checkmarx/cx_report', function (options) { var osaLowCveList = hardcodedCve.Low;*/ var SEVERITY = { - HIGH: {value: 0, name: "high"}, - MED: {value: 1, name: "medium"}, - LOW: {value: 2, name: "low"}, + CRITICAL: {value: 0, name: "critical"}, + HIGH: {value: 1, name: "high"}, + MED: {value: 2, name: "medium"}, + LOW: {value: 3, name: "low"}, + OSA_HIGH: {value: 3, name: "high"}, OSA_MED: {value: 4, name: "medium"}, OSA_LOW: {value: 5, name: "low"} @@ -126,6 +130,7 @@ window.registerExtension('checkmarx/cx_report', function (options) { } function initDataAndLoadUi() { + return metricRequest('cx.sast.result.high').then(function (responseHigh) { highCount = getValue(responseHigh); return metricRequest('cx.sast.result.medium') @@ -134,6 +139,9 @@ window.registerExtension('checkmarx/cx_report', function (options) { return metricRequest('cx.sast.result.low') }).then(function (responseLow) { lowCount = getValue(responseLow); + return metricRequest('cx.sast.result.critical') + }).then(function (responseCritical) { + criticalCount = getValue(responseCritical); return metricRequest('cx.sast.result.details') }).then(function (responseDetails) { var details = getValue(responseDetails); @@ -218,6 +226,9 @@ window.registerExtension('checkmarx/cx_report', function (options) { })} function addQueriesToSummery(queriesJson) { + if(queriesJson.criticalVulnerabilityQueries.length > 0){ + addQueriesToArray(queriesJson.criticalVulnerabilityQueries, criticalCveList); + } if(queriesJson.highVulnerabilityQueries.length > 0){ addQueriesToArray(queriesJson.highVulnerabilityQueries, highCveList); } 
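Review bot: `queriesJson.criticalVulnerabilityQueries.length` will throw a TypeError when `queriesJson` was produced by a sensor that predates this change, because that stored JSON has no `criticalVulnerabilityQueries` property, and the report for any project not yet re-scanned would stop rendering at this point. Guard the property as well as its length: `if(queriesJson.criticalVulnerabilityQueries && queriesJson.criticalVulnerabilityQueries.length > 0){`. In the SEVERITY table earlier in this hunk group, renumbering LOW to `value: 3` makes it collide with the unchanged `OSA_HIGH: {value: 3, ...}`; that only matters if `.value` is used as an index or key somewhere, but the OSA entries are no longer handled by the switch statements further down and look removable. addQueriesToSummery continues past the hunk.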
@@ -254,14 +265,19 @@ window.registerExtension('checkmarx/cx_report', function (options) { //link document.getElementById("sast-summary-html-link").setAttribute("href", sastScanResultsLink); document.getElementById("sast-code-viewer-link").setAttribute("href", sastScanResultsLink); - //set bars height and count + if(criticalCount != null && criticalCount > 0){ + document.getElementById("bar-count-critical").innerHTML = criticalCount; + } document.getElementById("bar-count-high").innerHTML = highCount; document.getElementById("bar-count-med").innerHTML = medCount; document.getElementById("bar-count-low").innerHTML = lowCount; - var maxCount = Math.max(highCount, medCount, lowCount); + var maxCount = Math.max(criticalCount ,highCount, medCount, lowCount); var maxHeight = maxCount * 100 / 90; + if(criticalCount != null && criticalCount > 0){ + document.getElementById("bar-critical").setAttribute("style", "height:" + criticalCount * 100 / maxHeight + "%"); + } document.getElementById("bar-high").setAttribute("style", "height:" + highCount * 100 / maxHeight + "%"); document.getElementById("bar-med").setAttribute("style", "height:" + medCount * 100 / maxHeight + "%"); document.getElementById("bar-low").setAttribute("style", "height:" + lowCount * 100 / maxHeight + "%"); @@ -339,9 +355,12 @@ window.registerExtension('checkmarx/cx_report', function (options) { try { //generate full reports - if (highCount == 0 && medCount == 0 && lowCount == 0) { + if (criticalCount == 0 && highCount == 0 && medCount == 0 && lowCount == 0) { document.getElementById("sast-full").setAttribute("style", "display: none"); } else { + if (criticalCount > 0) { + generateCveTable(SEVERITY.CRITICAL); + } if (highCount > 0) { generateCveTable(SEVERITY.HIGH); } 
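Review bot: `Math.max(criticalCount, highCount, medCount, lowCount)` is evaluated even when `criticalCount` is null or undefined, while the surrounding code explicitly guards `criticalCount != null && criticalCount > 0` before touching the critical bar; if the metric is absent, `Math.max` returns NaN, `maxHeight` becomes NaN, and every bar height is set to "NaN%". Whether getValue() can yield null here is not visible in the hunk, but the guards suggest the author expected it, so coerce in the same way: `var maxCount = Math.max(criticalCount || 0, highCount, medCount, lowCount);`. Separately, these counts are plain numbers, so `textContent` rather than `innerHTML` would be the safer default for `bar-count-critical` and the other count cells. The enclosing function starts and ends outside this hunk.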
@@ -410,22 +429,24 @@ window.registerExtension('checkmarx/cx_report', function (options) { var severityNameTtl; var severityCountTtl; - var svgHighIcon = 'Med'; - var svgMedIcon = 'Low'; + var svgCriticalIcon = ''; + var svgHighIcon = 'High'; + var svgMedIcon = 'Medium'; var svgLowIcon = 'Low'; switch (severity) { + case SEVERITY.CRITICAL: + svgIcon = svgCriticalIcon; + severityNameTtl = "Critical"; + severityCountTtl = criticalCount; + break; + case SEVERITY.HIGH: svgIcon = svgHighIcon; severityNameTtl = "High"; severityCountTtl = highCount; break; - case SEVERITY.OSA_HIGH: - svgIcon = svgHighIcon; - severityNameTtl = "High"; - severityCountTtl = osaHighCount; - break; case SEVERITY.MED: svgIcon = svgMedIcon; @@ -433,11 +454,6 @@ window.registerExtension('checkmarx/cx_report', function (options) { severityCountTtl = medCount; break; - case SEVERITY.OSA_MED: - svgIcon = svgMedIcon; - severityNameTtl = "Medium"; - severityCountTtl = osaMedCount; - break; case SEVERITY.LOW: svgIcon = svgLowIcon; @@ -445,11 +461,6 @@ window.registerExtension('checkmarx/cx_report', function (options) { severityCountTtl = lowCount; break; - case SEVERITY.OSA_LOW: - svgIcon = svgLowIcon; - severityNameTtl = "Low"; - severityCountTtl = osaLowCount; - break; } return '' + @@ -469,6 +480,13 @@ window.registerExtension('checkmarx/cx_report', function (options) { var tableElementId = ""; switch (severity) { + + case SEVERITY.CRITICAL: + severityCount = criticalCount; + severityCveList = hashedObjArrayToJsonArray(criticalCveList); + tableElementId = "sast-cve-table-critical"; + break; + case SEVERITY.HIGH: severityCount = highCount; severityCveList = hashedObjArrayToJsonArray(highCveList); @@ -619,6 +637,7 @@ window.registerExtension('checkmarx/cx_report', function (options) { function generateCveTable(severity) { switch (severity) { + case SEVERITY.CRITICAL: case SEVERITY.HIGH: case SEVERITY.MED: case SEVERITY.LOW: 
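Review bot: With the `OSA_HIGH`, `OSA_MED` and `OSA_LOW` cases removed, the severity switch has no branch for the OSA constants that are still defined in SEVERITY, and there is no `default:`; a caller passing one of them now leaves `svgIcon`, `severityNameTtl` and `severityCountTtl` undefined and the returned markup literally contains "undefined". Whether any remaining caller still passes OSA severities cannot be determined from this hunk, so either remove the constants in the same commit or add `default: throw new Error("unsupported severity: " + severity.name);` so the mismatch surfaces immediately instead of rendering garbage. The enclosing function starts and ends outside this hunk.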
@@ -677,12 +696,36 @@ window.registerExtension('checkmarx/cx_report', function (options) { function getHtml() { - var div = document.createElement('div'); + + div.className = "cxCompleteReport"; div.id = "cxReport"; - - + var condition = criticalCount > 0 ; + var criticalsection = condition ? + " "+ + "
  • "+ + " "+ + "
    <\/div>"+ + " <\/span>"+ + "
    "+ + "
    "+ + " " + + " " + + " " + + " " + + " " + + " " + + " " + + " " + + " "+ + " <\/div>"+ + "
    Critical -<\/div>"+ + "
    <\/div>"+ + " <\/div>"+ + " <\/li>"+ + "" : " "; + div.innerHTML = "
    "+ @@ -744,6 +787,8 @@ window.registerExtension('checkmarx/cx_report', function (options) { "
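Review bot: getHtml drops the line `var div = document.createElement('div');` but the following statements still assign `div.className` and `div.id`, and no replacement declaration of `div` is visible anywhere in this diff; unless `div` is declared in an enclosing scope outside the shown hunks, the first call now throws a ReferenceError (or, in sloppy mode, writes to an undeclared global). Restore `var div = document.createElement('div');` at the top of the function or point the reviewer at where `div` is now declared. The `criticalsection` markup is static and only concatenated, so no untrusted data reaches `innerHTML` from this hunk. getHtml continues past the end of this hunk.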
    <\/div>"+ "
      "+ ""+ + criticalsection + + " "+ "
    • "+ " "+ @@ -794,7 +839,7 @@ window.registerExtension('checkmarx/cx_report', function (options) { "
      <\/div>"+ " <\/div>"+ " <\/li>"+ - ""+ + ""+ " "+ "
    • "+ " "+ @@ -1342,6 +1387,9 @@ window.registerExtension('checkmarx/cx_report', function (options) { " <\/div>"+ " <\/div>"+ " <\/div>"+ + "
      "+ + ""+ + " <\/div>"+ "
      "+ ""+ " <\/div>"+