diff --git a/pom.xml b/pom.xml
index 86fe958..753e5c3 100644
--- a/pom.xml
+++ b/pom.xml
@@ -5,7 +5,7 @@
checkmarx.com
com.checkmarx.sonar.cxplugin
sonar-plugin
- 2021.2.1
+ 2021.2.3
Checkmarx plugin
Checkmarx plugin
diff --git a/src/main/java/com/checkmarx/sonar/measures/SastMetrics.java b/src/main/java/com/checkmarx/sonar/measures/SastMetrics.java
index a53c5bc..3c901f1 100644
--- a/src/main/java/com/checkmarx/sonar/measures/SastMetrics.java
+++ b/src/main/java/com/checkmarx/sonar/measures/SastMetrics.java
@@ -19,92 +19,88 @@ public class SastMetrics implements Metrics {
public static String SAST_BASE_KEY = "cx.sast.result";
public static String NON_COMMENTIOG_LINES_OF_CODE = "Non commenting lines of code";
- public static final Metric SAST_HIGH_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY+".high", "Checkmarx - 1. High Vulnerabilities", Metric.ValueType.INT)
+ public static final Metric SAST_HIGH_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY + ".high", "Checkmarx - 1. High Vulnerabilities", Metric.ValueType.INT)
.setDescription(NON_COMMENTIOG_LINES_OF_CODE)
.setDirection(Metric.DIRECTION_WORST)
.setQualitative(false)
.setDomain(CX_SAST_DOMAIN)
.create();
- public static final Metric SAST_MEDIUM_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY+".medium", "Checkmarx - 2. Medium Vulnerabilities", Metric.ValueType.INT)
+ public static final Metric SAST_MEDIUM_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY + ".medium", "Checkmarx - 2. Medium Vulnerabilities", Metric.ValueType.INT)
.setDescription(NON_COMMENTIOG_LINES_OF_CODE)
.setDirection(Metric.DIRECTION_WORST)
.setQualitative(false)
.setDomain(CX_SAST_DOMAIN)
.create();
- public static final Metric SAST_LOW_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY +".low", "Checkmarx - 3. Low Vulnerabilities", Metric.ValueType.INT)
+ public static final Metric SAST_LOW_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY + ".low", "Checkmarx - 3. Low Vulnerabilities", Metric.ValueType.INT)
.setDescription(NON_COMMENTIOG_LINES_OF_CODE)
.setDirection(Metric.DIRECTION_WORST)
.setQualitative(false)
.setDomain(CX_SAST_DOMAIN)
.create();
-
-
- public static final Metric SAST_TOTAL_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY +".total", "Checkmarx - 4. Total Vulnerabilities", Metric.ValueType.INT)
+ public static final Metric SAST_TOTAL_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY + ".total", "Checkmarx - 4. Total Vulnerabilities", Metric.ValueType.INT)
.setDescription(NON_COMMENTIOG_LINES_OF_CODE)
.setDirection(Metric.DIRECTION_WORST)
.setQualitative(false)
.setDomain(CX_SAST_DOMAIN)
.create();
- public static final Metric SAST_NEW_HIGH_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY+"new.high", "Checkmarx - 5. New High Vulnerabilities", Metric.ValueType.INT)
+ public static final Metric SAST_NEW_HIGH_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY + "new.high", "Checkmarx - 5. New High Vulnerabilities", Metric.ValueType.INT)
.setDescription(NON_COMMENTIOG_LINES_OF_CODE)
.setDirection(Metric.DIRECTION_WORST)
.setQualitative(false)
.setDomain(CX_SAST_DOMAIN)
.create();
- public static final Metric SAST_NEW_MEDIUM_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY+"new.medium", "Checkmarx - 6. New Medium Vulnerabilities", Metric.ValueType.INT)
+ public static final Metric SAST_NEW_MEDIUM_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY + "new.medium", "Checkmarx - 6. New Medium Vulnerabilities", Metric.ValueType.INT)
.setDescription(NON_COMMENTIOG_LINES_OF_CODE)
.setDirection(Metric.DIRECTION_WORST)
.setQualitative(false)
.setDomain(CX_SAST_DOMAIN)
.create();
- public static final Metric SAST_NEW_LOW_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY +"new.low", "Checkmarx - 7. New Low Vulnerabilities", Metric.ValueType.INT)
+ public static final Metric SAST_NEW_LOW_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY + "new.low", "Checkmarx - 7. New Low Vulnerabilities", Metric.ValueType.INT)
.setDescription(NON_COMMENTIOG_LINES_OF_CODE)
.setDirection(Metric.DIRECTION_WORST)
.setQualitative(false)
.setDomain(CX_SAST_DOMAIN)
.create();
- public static final Metric SAST_TOTAL_NEW_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY +".new.total", "Checkmarx - 8. Total New Vulnerabilities", Metric.ValueType.INT)
+ public static final Metric SAST_TOTAL_NEW_VULNERABILITIES = new Metric.Builder(SAST_BASE_KEY + ".new.total", "Checkmarx - 8. Total New Vulnerabilities", Metric.ValueType.INT)
.setDescription(NON_COMMENTIOG_LINES_OF_CODE)
.setDirection(Metric.DIRECTION_WORST)
.setQualitative(false)
.setDomain(CX_SAST_DOMAIN)
.create();
- public static final Metric SONAR_PROJECT_HAVE_SAST_RESULTS = new Metric.Builder(SAST_BASE_KEY +".have_results", "Sonar project have sast results", Metric.ValueType.INT)
+ public static final Metric SONAR_PROJECT_HAVE_SAST_RESULTS = new Metric.Builder(SAST_BASE_KEY + ".have_results", "Sonar project have sast results", Metric.ValueType.INT)
.setDescription("Sonar project have sast results")
.setQualitative(false)
.setHidden(true)
.setDomain(CX_SAST_DOMAIN)
.create();
-
- public static final Metric SAST_SCAN_DETAILS = new Metric.Builder(SAST_BASE_KEY +".details", "Checkmarx sast scan details", Metric.ValueType.STRING)
+ public static final Metric SAST_SCAN_DETAILS = new Metric.Builder(SAST_BASE_KEY + ".details", "Checkmarx sast scan details", Metric.ValueType.STRING)
.setDescription("Additional scan details")
.setQualitative(true)
.setHidden(true)
.setDomain(CX_SAST_DOMAIN)
.create();
- public static final Metric SAST_SCAN_QUERIES = new Metric.Builder(SAST_BASE_KEY +".queries", "Checkmarx queries that are presented in sonar.", Metric.ValueType.STRING)
+ public static final Metric SAST_SCAN_QUERIES = new Metric.Builder(SAST_BASE_KEY + ".queries", "Checkmarx queries that are presented in sonar.", Metric.ValueType.STRING)
.setDescription("Checkmarx queries that are presented as issues in sonar.")
.setQualitative(true)
.setHidden(true)
.setDomain(CX_SAST_DOMAIN)
.create();
-
-
@Override
public List getMetrics() {
return asList(SAST_HIGH_VULNERABILITIES, SAST_MEDIUM_VULNERABILITIES, SAST_LOW_VULNERABILITIES, SAST_TOTAL_VULNERABILITIES,
SAST_NEW_HIGH_VULNERABILITIES, SAST_NEW_MEDIUM_VULNERABILITIES, SAST_NEW_LOW_VULNERABILITIES, SAST_TOTAL_NEW_VULNERABILITIES,
SONAR_PROJECT_HAVE_SAST_RESULTS, SAST_SCAN_DETAILS, SAST_SCAN_QUERIES);
}
+
}
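Review bot: The reformatted metric keys on the new side are still inconsistent: `SAST_BASE_KEY + "new.high"`, `"new.medium"` and `"new.low"` have no separating dot and therefore resolve to `cx.sast.resultnew.high` and friends, while `".new.total"` and the non-new keys do use one. Since metric keys are what SonarQube persists measures under, renaming them is not a free fix — if these keys are already in production databases the change needs to be deliberate and noted in the release, so at minimum add a comment above `SAST_NEW_HIGH_VULNERABILITIES` such as `// NOTE: key intentionally lacks the dot before "new" for compatibility with stored measures` or open a follow-up to migrate them. Separately, `SAST_BASE_KEY` and `NON_COMMENTIOG_LINES_OF_CODE` are public mutable statics that every metric key is built from; they should be `public static final String`.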
diff --git a/src/main/java/com/checkmarx/sonar/sensor/CheckmarxSensor.java b/src/main/java/com/checkmarx/sonar/sensor/CheckmarxSensor.java
index 3f427b6..999179b 100644
--- a/src/main/java/com/checkmarx/sonar/sensor/CheckmarxSensor.java
+++ b/src/main/java/com/checkmarx/sonar/sensor/CheckmarxSensor.java
@@ -24,6 +24,7 @@
import org.slf4j.LoggerFactory;
import org.sonar.api.batch.fs.FileSystem;
import org.sonar.api.batch.fs.InputFile;
+import org.sonar.api.batch.fs.internal.DefaultInputFile;
import org.sonar.api.batch.sensor.Sensor;
import org.sonar.api.batch.sensor.SensorContext;
import org.sonar.api.batch.sensor.SensorDescriptor;
@@ -116,6 +117,10 @@ private void notifyComputeSatMeasuresSonarProjectHaveSastResults(SensorContext c
Iterable mainfiles = getMainFiles(context);
for (InputFile file : mainfiles) {
context.newMeasure().on(file).forMetric(SONAR_PROJECT_HAVE_SAST_RESULTS).withValue(1).save();
+ String prjPath = ((DefaultInputFile) file).getProjectRelativePath();
+ String mdlPath = ((DefaultInputFile) file).getModuleRelativePath();
+ String absPath = ((DefaultInputFile) file).absolutePath();
+ logger.info("[CHECKMARX] Sonar project have SAST results metric on file:\nProject path: " + prjPath + "\nModule path: " + mdlPath + "\nAbsolute path: " + absPath);
}
}
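Review bot: The three `(DefaultInputFile) file` casts added inside the for loop would throw ClassCastException and abort the sensor whenever the scanner hands the loop an `InputFile` that is not the internal `DefaultInputFile`; `org.sonar.api.batch.fs.internal` is not part of the supported plugin API, so that is a real possibility across SonarQube versions and in tests. The same cast is introduced in SastResultsCollector.addMetric and saveCxQueriesMeasure further down this diff. The loop already has the public `InputFile`, so log through its public accessors instead, e.g. `logger.debug("[CHECKMARX] Sonar project have SAST results metric on file: {}", file.uri());`, which also takes the per-file message off INFO so it does not flood the scanner log on large projects. notifyComputeSatMeasuresSonarProjectHaveSastResults starts outside the hunk.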
@@ -135,6 +140,7 @@ private Iterable getMainFiles(SensorContext context) {
private void saveSastForDetailReport(SensorContext context, SastReportData sastReportData) throws JsonProcessingException {
String scanDetails = mapper.writeValueAsString(sastReportData);
context.newMeasure().on(context.module()).forMetric(SAST_SCAN_DETAILS).withValue(scanDetails).save();
+ logger.info("[CHECKMARX] Scan report details: " + scanDetails);
}
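Review bot: The new `logger.info` in saveSastForDetailReport writes the entire serialized `SastReportData` JSON into the scanner log on every analysis, at a level that is on by default. I cannot see that DTO's fields here, but whatever it carries becomes part of the build output and of any downstream log shipping, so if it holds more than counts — scan URLs, project identifiers, anything credential-like — it should not be logged verbatim. At minimum make it opt-in with `logger.debug("[CHECKMARX] Scan report details: {}", scanDetails);`, and confirm the DTO contains nothing sensitive before keeping even that.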
private com.cx.restclient.sast.dto.CxXMLResults convertToXMLResult(byte[] cxReport) throws IOException, JAXBException, CxClientException {
diff --git a/src/main/java/com/checkmarx/sonar/sensor/execution/SastResultsCollector.java b/src/main/java/com/checkmarx/sonar/sensor/execution/SastResultsCollector.java
index 46a2d34..b93bfd4 100644
--- a/src/main/java/com/checkmarx/sonar/sensor/execution/SastResultsCollector.java
+++ b/src/main/java/com/checkmarx/sonar/sensor/execution/SastResultsCollector.java
@@ -12,6 +12,7 @@
import com.fasterxml.jackson.databind.ObjectMapper;
import org.sonar.api.batch.fs.FileSystem;
import org.sonar.api.batch.fs.InputFile;
+import org.sonar.api.batch.fs.internal.DefaultInputFile;
import org.sonar.api.batch.rule.ActiveRule;
import org.sonar.api.batch.rule.ActiveRules;
import org.sonar.api.batch.sensor.SensorContext;
@@ -62,7 +63,7 @@ public void collectVulnerabilitiesAndSaveToMetrics(SensorContext context, CxRepo
ActiveRule rule = findRuleAndHandleErrors(activeRules, result.getQuery());
SastSeverity sastSeverity = getSastSeverity(result);
- if(!checkValidity(result,rule,sastSeverity)){
+ if (!checkValidity(result, rule, sastSeverity)) {
continue;
}
@@ -85,7 +86,7 @@ public void collectVulnerabilitiesAndSaveToMetrics(SensorContext context, CxRepo
}//files loop
}
- private boolean checkValidity(CxResultToSonarResult result,ActiveRule rule,SastSeverity sastSeverity){
+ private boolean checkValidity(CxResultToSonarResult result, ActiveRule rule, SastSeverity sastSeverity) {
if ("1".equals(result.getResultData().getState())) {
//continue if result state is "Not Exploitable"
return false;
@@ -102,181 +103,183 @@ private boolean checkValidity(CxResultToSonarResult result,ActiveRule rule,SastS
return true;
}
- private void init(SensorContext context){
+ private void init(SensorContext context) {
mainFiles = getMainFiles(context);
activeRules = context.activeRules();
setRemediationEffortPerVulnerability(context);
}
- private Iterable getMainFiles(SensorContext context){
+ private Iterable getMainFiles(SensorContext context) {
FileSystem fs = context.fileSystem();
- if(fs == null){
+ if (fs == null) {
logger.error("File system was not provided.");
return new ArrayList<>();
}
Iterable mainFiles = fs.inputFiles(fs.predicates().hasType(InputFile.Type.MAIN));
- if(mainFiles == null){
+ if (mainFiles == null) {
logger.info("File system has no Main folder.");
return new ArrayList<>();
}
return mainFiles;
}
- private SastSeverity getSastSeverity(CxResultToSonarResult result){
- SastSeverity sastSeverity = SastSeverity.fromName(result.getResultData().getSeverity());
- if(sastSeverity == null){
- int index = result.getQuery().getSeverityIndex() != null ? Integer.valueOf(result.getQuery().getSeverityIndex()):null;
- sastSeverity = SastSeverity.fromId(index);
- }
- return sastSeverity;
+ private SastSeverity getSastSeverity(CxResultToSonarResult result) {
+ SastSeverity sastSeverity = SastSeverity.fromName(result.getResultData().getSeverity());
+ if (sastSeverity == null) {
+ int index = result.getQuery().getSeverityIndex() != null ? Integer.valueOf(result.getQuery().getSeverityIndex()) : null;
+ sastSeverity = SastSeverity.fromId(index);
}
+ return sastSeverity;
+ }
- private void setRemediationEffortPerVulnerability(SensorContext context){
- String remediationEffortInSonarDb = context.settings().getString(CxProperties.CX_REMEDIATION_EFFORT);
- if((remediationEffortInSonarDb != null) && !remediationEffortInSonarDb.equals("0")){
- try {
- remediationEffortPerVulnerability = Double.valueOf(remediationEffortInSonarDb);
- }catch (Exception ignored)
- {}
+ private void setRemediationEffortPerVulnerability(SensorContext context) {
+ String remediationEffortInSonarDb = context.settings().getString(CxProperties.CX_REMEDIATION_EFFORT);
+ if ((remediationEffortInSonarDb != null) && !remediationEffortInSonarDb.equals("0")) {
+ try {
+ remediationEffortPerVulnerability = Double.valueOf(remediationEffortInSonarDb);
+ } catch (Exception ignored) {
}
}
+ }
- private ActiveRule findRuleAndHandleErrors(ActiveRules activeRules, CxXMLResults.Query query){
- CXProgrammingLanguage language = CXProgrammingLanguage.fromLanguageName(query.getLanguage());
- if(language == null){
- logger.error("Unknown language: " + query.getLanguage() + "for query: " + query.getName());
- return null;
- }
-
- Collection rules = activeRules.findByRepository(language.getSonarRuleRepository());
- ActiveRule rule = null;
- for(ActiveRule currRule : rules) {
- if (currRule.ruleKey().rule().equals("checkmarx_" + query.getId())) {
- rule = currRule;
- break;
- }
- }
+ private ActiveRule findRuleAndHandleErrors(ActiveRules activeRules, CxXMLResults.Query query) {
+ CXProgrammingLanguage language = CXProgrammingLanguage.fromLanguageName(query.getLanguage());
+ if (language == null) {
+ logger.error("Unknown language: " + query.getLanguage() + "for query: " + query.getName());
+ return null;
+ }
- if(rule == null){
- logger.info("Rule: " + "checkmarx_" + query.getId() + " is not active or not existing. It will not appear in Checkmarx scan results.");
- logger.info("If rule exists in " + language.getSonarRuleRepository() + " rule repository, you can update it to your quality profile.");
+ Collection rules = activeRules.findByRepository(language.getSonarRuleRepository());
+ ActiveRule rule = null;
+ for (ActiveRule currRule : rules) {
+ if (currRule.ruleKey().rule().equals("checkmarx_" + query.getId())) {
+ rule = currRule;
+ break;
}
-
- return rule;
}
- private void updateQueryToCurrFile(CxResultToSonarResult nonIssueResult){
- SastSeverity severity = SastSeverity.fromName(nonIssueResult.getResultData().getSeverity());
- if(severity == null){
- logger.error("Result for query " + nonIssueResult.getQuery().getName() + " has no severity. Checkmarx result may be incomplete.");
- return;
- }
- switch (severity) {
- case SAST_HIGH:
- currFileQueriesCollector.addHighQuery(nonIssueResult.getQuery().getName());
- break;
- case SAST_MEDIUM:
- currFileQueriesCollector.addMediumQuery(nonIssueResult.getQuery().getName());
- break;
- case SAST_LOW:
- currFileQueriesCollector.addLowQuery(nonIssueResult.getQuery().getName());
- break;
- default:
- break;
- }
+ if (rule == null) {
+ logger.info("Rule: " + "checkmarx_" + query.getId() + " is not active or not existing. It will not appear in Checkmarx scan results.");
+ logger.info("If rule exists in " + language.getSonarRuleRepository() + " rule repository, you can update it to your quality profile.");
}
- private void updateCurrFileVulnerabilities(CxResultToSonarResult result){
- SastSeverity severity = SastSeverity.fromName(result.getResultData().getSeverity());
- if(severity == null){
- logger.error("Result for query " + result.getQuery().getName() + " has no severity. Checkmarx result may be incomplete.");
- return;
- }
- boolean isNew = "New".equals(result.getResultData().getStatus());
+ return rule;
+ }
- switch (severity) {
- case SAST_HIGH:
- currFileSumVulnerabilityCounter.incrementHigh();
- if (isNew) {
- currFileNewVulnerabilityCounter.incrementHigh();
- }
- break;
- case SAST_MEDIUM:
- currFileSumVulnerabilityCounter.incrementMedium();
- if (isNew) {
- currFileNewVulnerabilityCounter.incrementMedium();
- }
- break;
- case SAST_LOW:
- currFileSumVulnerabilityCounter.incrementLow();
- if (isNew) {
- currFileNewVulnerabilityCounter.incrementLow();
- }
- break;
- default:
- break;
- }
+ private void updateQueryToCurrFile(CxResultToSonarResult nonIssueResult) {
+ SastSeverity severity = SastSeverity.fromName(nonIssueResult.getResultData().getSeverity());
+ if (severity == null) {
+ logger.error("Result for query " + nonIssueResult.getQuery().getName() + " has no severity. Checkmarx result may be incomplete.");
+ return;
}
-
- private void saveCxCustomMetrics(SensorContext context, InputFile file){
- try {
- addSumVulnerabilitiesMetrics(context, file);
- addNewVulnerabilitiesMetrics(context, file);
- } catch (Exception e) {
- String errMsg = "Error saving Checkmarx vulnerabilities to to file: " + file.absolutePath() + "\nError: " + e.getMessage() +
- "\nPresented scan measures and report might be incomplete.";
- logger.error(errMsg);
- context.newAnalysisError().onFile(file).message(errMsg);
- }
+ switch (severity) {
+ case SAST_HIGH:
+ currFileQueriesCollector.addHighQuery(nonIssueResult.getQuery().getName());
+ break;
+ case SAST_MEDIUM:
+ currFileQueriesCollector.addMediumQuery(nonIssueResult.getQuery().getName());
+ break;
+ case SAST_LOW:
+ currFileQueriesCollector.addLowQuery(nonIssueResult.getQuery().getName());
+ break;
+ default:
+ break;
}
+ }
- private void addSumVulnerabilitiesMetrics(SensorContext context, InputFile file){
- if(currFileSumVulnerabilityCounter.getSumVulnerabilities() > 0) {
- addMetric(context, file, SAST_TOTAL_VULNERABILITIES, currFileSumVulnerabilityCounter.getSumVulnerabilities());
- if (currFileSumVulnerabilityCounter.getHigh() != 0) {
- addMetric(context, file, SAST_HIGH_VULNERABILITIES, currFileSumVulnerabilityCounter.getHigh());
- }
- if (currFileSumVulnerabilityCounter.getMedium() != 0) {
- addMetric(context, file, SAST_MEDIUM_VULNERABILITIES, currFileSumVulnerabilityCounter.getMedium());
- }
- if (currFileSumVulnerabilityCounter.getLow() != 0) {
- addMetric(context, file, SAST_LOW_VULNERABILITIES, currFileSumVulnerabilityCounter.getLow());
- }
- }
+ private void updateCurrFileVulnerabilities(CxResultToSonarResult result) {
+ SastSeverity severity = SastSeverity.fromName(result.getResultData().getSeverity());
+ if (severity == null) {
+ logger.error("Result for query " + result.getQuery().getName() + " has no severity. Checkmarx result may be incomplete.");
+ return;
}
+ boolean isNew = "New".equals(result.getResultData().getStatus());
- private void addNewVulnerabilitiesMetrics(SensorContext context, InputFile file){
- if(currFileNewVulnerabilityCounter.getSumVulnerabilities() != 0 ) {
- addMetric(context, file, SAST_TOTAL_NEW_VULNERABILITIES, currFileNewVulnerabilityCounter.getSumVulnerabilities());
- if(currFileNewVulnerabilityCounter.getHigh() != 0) {
- addMetric(context, file, SAST_NEW_HIGH_VULNERABILITIES, currFileNewVulnerabilityCounter.getHigh());
+ switch (severity) {
+ case SAST_HIGH:
+ currFileSumVulnerabilityCounter.incrementHigh();
+ if (isNew) {
+ currFileNewVulnerabilityCounter.incrementHigh();
}
- if(currFileNewVulnerabilityCounter.getMedium() != 0) {
- addMetric(context, file, SAST_NEW_MEDIUM_VULNERABILITIES, currFileNewVulnerabilityCounter.getMedium());
+ break;
+ case SAST_MEDIUM:
+ currFileSumVulnerabilityCounter.incrementMedium();
+ if (isNew) {
+ currFileNewVulnerabilityCounter.incrementMedium();
}
- if(currFileNewVulnerabilityCounter.getLow() != 0) {
- addMetric(context, file, SAST_NEW_LOW_VULNERABILITIES, currFileNewVulnerabilityCounter.getLow());
+ break;
+ case SAST_LOW:
+ currFileSumVulnerabilityCounter.incrementLow();
+ if (isNew) {
+ currFileNewVulnerabilityCounter.incrementLow();
}
- }
+ break;
+ default:
+ break;
}
+ }
- private void addMetric(final SensorContext context, final InputFile inputFile, final Metric metric, int value) {
- context. newMeasure().forMetric(metric).on(inputFile).withValue(value).save();
+ private void saveCxCustomMetrics(SensorContext context, InputFile file) {
+ try {
+ addSumVulnerabilitiesMetrics(context, file);
+ addNewVulnerabilitiesMetrics(context, file);
+ } catch (Exception e) {
+ String errMsg = "Error saving Checkmarx vulnerabilities to to file: " + file.absolutePath() + "\nError: " + e.getMessage() +
+ "\nPresented scan measures and report might be incomplete.";
+ logger.error(errMsg);
+ context.newAnalysisError().onFile(file).message(errMsg);
}
+ }
- private void saveCxQueriesMeasure(SensorContext context, InputFile file){
- FileQueries fileQueries = currFileQueriesCollector.getAsFileQueriesObject();
- String json = "";
- try {
- json = mapper.writeValueAsString(fileQueries);
- }catch (JsonProcessingException e) {
- logger.error("Error parsing Checkmarx queries du to exception: "+ e.getMessage());
- logger.error("Details report may be incomplete.");
+ private void addSumVulnerabilitiesMetrics(SensorContext context, InputFile file) {
+ if (currFileSumVulnerabilityCounter.getSumVulnerabilities() > 0) {
+ addMetric(context, file, SAST_TOTAL_VULNERABILITIES, currFileSumVulnerabilityCounter.getSumVulnerabilities());
+ if (currFileSumVulnerabilityCounter.getHigh() != 0) {
+ addMetric(context, file, SAST_HIGH_VULNERABILITIES, currFileSumVulnerabilityCounter.getHigh());
+ }
+ if (currFileSumVulnerabilityCounter.getMedium() != 0) {
+ addMetric(context, file, SAST_MEDIUM_VULNERABILITIES, currFileSumVulnerabilityCounter.getMedium());
+ }
+ if (currFileSumVulnerabilityCounter.getLow() != 0) {
+ addMetric(context, file, SAST_LOW_VULNERABILITIES, currFileSumVulnerabilityCounter.getLow());
+ }
+ }
+ }
+
+ private void addNewVulnerabilitiesMetrics(SensorContext context, InputFile file) {
+ if (currFileNewVulnerabilityCounter.getSumVulnerabilities() != 0) {
+ addMetric(context, file, SAST_TOTAL_NEW_VULNERABILITIES, currFileNewVulnerabilityCounter.getSumVulnerabilities());
+ if (currFileNewVulnerabilityCounter.getHigh() != 0) {
+ addMetric(context, file, SAST_NEW_HIGH_VULNERABILITIES, currFileNewVulnerabilityCounter.getHigh());
+ }
+ if (currFileNewVulnerabilityCounter.getMedium() != 0) {
+ addMetric(context, file, SAST_NEW_MEDIUM_VULNERABILITIES, currFileNewVulnerabilityCounter.getMedium());
}
- context. newMeasure().forMetric(SAST_SCAN_QUERIES).on(file).withValue(json).save();
+ if (currFileNewVulnerabilityCounter.getLow() != 0) {
+ addMetric(context, file, SAST_NEW_LOW_VULNERABILITIES, currFileNewVulnerabilityCounter.getLow());
+ }
+ }
+ }
+
+ private void addMetric(final SensorContext context, final InputFile inputFile, final Metric metric, int value) {
+ context.newMeasure().forMetric(metric).on(inputFile).withValue(value).save();
+ logger.info("[CHECKMARX] Added measure, metric: " + metric.getName() + ", File: " + ((DefaultInputFile) inputFile).getProjectRelativePath());
+ }
+
+ private void saveCxQueriesMeasure(SensorContext context, InputFile file) {
+ FileQueries fileQueries = currFileQueriesCollector.getAsFileQueriesObject();
+ String json = "";
+ try {
+ json = mapper.writeValueAsString(fileQueries);
+ } catch (JsonProcessingException e) {
+ logger.error("Error parsing Checkmarx queries du to exception: " + e.getMessage());
+ logger.error("Details report may be incomplete.");
}
+ context.newMeasure().forMetric(SAST_SCAN_QUERIES).on(file).withValue(json).save();
+ logger.info("[CHECKMARX] Added query measure, metric: " + SAST_SCAN_QUERIES.getName() + ", File: " + ((DefaultInputFile) file).getProjectRelativePath());
+ }
}
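Review bot: In getSastSeverity the line `int index = result.getQuery().getSeverityIndex() != null ? Integer.valueOf(...) : null;` assigns a `null` ternary branch to a primitive `int`, so the fallback path throws NullPointerException exactly in the case it is written to handle (no severity name and no severity index), and that NPE propagates out of collectVulnerabilitiesAndSaveToMetrics. The commit only re-indents the method; the fix is to test the index before converting it, as below. While in this hunk, `catch (Exception ignored) {}` in setRemediationEffortPerVulnerability silently drops a malformed remediation-effort setting — a `logger.warn` naming the bad value would make the resulting default effort explainable.

```java
private SastSeverity getSastSeverity(CxResultToSonarResult result) {
    SastSeverity sastSeverity = SastSeverity.fromName(result.getResultData().getSeverity());
    if (sastSeverity == null) {
        String severityIndex = result.getQuery().getSeverityIndex();
        // Fall back to the numeric id only when one is present; unboxing null into int throws NPE.
        if (severityIndex != null) {
            sastSeverity = SastSeverity.fromId(Integer.parseInt(severityIndex));
        }
    }
    return sastSeverity;
}
```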
diff --git a/src/main/java/com/checkmarx/sonar/sensor/utils/CxConfigHelper.java b/src/main/java/com/checkmarx/sonar/sensor/utils/CxConfigHelper.java
index 412d0b3..595035f 100644
--- a/src/main/java/com/checkmarx/sonar/sensor/utils/CxConfigHelper.java
+++ b/src/main/java/com/checkmarx/sonar/sensor/utils/CxConfigHelper.java
@@ -230,6 +230,7 @@ private String getSonarPropertyHttp(String propertyName, Configuration config) {
String authHeader = "Basic " + auth;
retRequest.setHeader(HttpHeaders.AUTHORIZATION, authHeader);
+ log.debug("Executing Sonar auth-request, URL: " + propertyHttpURL);
retResponse = client.execute(retRequest);
if (isOk(retResponse)) {
return createStringFromResponse(retResponse);
@@ -237,7 +238,6 @@ private String getSonarPropertyHttp(String propertyName, Configuration config) {
}
return "";
} catch (IOException e) {
- log.error("");
return null;
} finally {
if (response != null) {
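Review bot: Removing `log.error("")` leaves the `catch (IOException e)` in getSonarPropertyHttp returning null with no trace at all, so a network or TLS failure while fetching a Sonar property becomes indistinguishable from the property being absent. The empty message was useless, but the replacement should be a message with the cause attached rather than nothing: `log.error("Failed to read Sonar property '" + propertyName + "' over HTTP", e);`. The method body continues outside the hunk on both sides.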
@@ -248,9 +248,11 @@ private String getSonarPropertyHttp(String propertyName, Configuration config) {
private boolean isOk(HttpResponse response) {
try {
- if (response.getStatusLine().getStatusCode() != 200) {
+ int code = response.getStatusLine().getStatusCode();
+ if (code != 200) {
HttpEntity entity = response.getEntity();
- String responseString = EntityUtils.toString(entity, "UTF-8");
+ String resStr = EntityUtils.toString(entity, "UTF-8");
+ log.error("Failed request, Code: '" + code + "', Body: '" + resStr + "'.");
return false;
}
} catch (IOException e) {
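Review bot: In isOk the new error log reads the body via `EntityUtils.toString(entity, "UTF-8")` without guarding against a null entity; Apache HttpCore rejects a null entity with IllegalArgumentException, which the surrounding `catch (IOException e)` does not cover, so a bodiless non-200 reply would escape as an unchecked exception instead of returning false. Guard it: `String resStr = entity == null ? "" : EntityUtils.toString(entity, "UTF-8");`. The body is also logged unbounded at ERROR, so consider truncating it if the server can return large error pages. isOk's catch block continues past the hunk.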
@@ -330,6 +332,7 @@ public void updateCredentials(RestEndpointContext context, CxFullCredentials cre
if (StringUtils.isNotEmpty(credentials.getCxPassword())) {
String encryptedPassword = encrypt(credentials.getCxPassword());
+ log.debug("Updating encrypted password: " + encryptedPassword);
storedCredentials.setCxPassword(encryptedPassword);
}
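Review bot: The added `log.debug` in updateCredentials writes the encrypted Checkmarx password to the log, which is the exact value stored in Sonar's settings and, since the plugin must be able to decrypt it to authenticate, presumably reversible by anyone with the plugin's key; whoever can read the SonarQube logs or a log aggregator gets a copy of the credential at rest. Debug level does not mitigate this, since operators routinely enable it while troubleshooting. Replace it with a message that carries no value: `log.debug("Updating stored Checkmarx password");`. updateCredentials starts and ends outside the hunk.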
diff --git a/src/main/java/com/checkmarx/sonar/settings/CredentialMigration.java b/src/main/java/com/checkmarx/sonar/settings/CredentialMigration.java
index 483a0fa..abbdb40 100644
--- a/src/main/java/com/checkmarx/sonar/settings/CredentialMigration.java
+++ b/src/main/java/com/checkmarx/sonar/settings/CredentialMigration.java
@@ -67,11 +67,15 @@ public void ensureLatestFormat() throws IOException {
String credentialsJson = objectMapper.writeValueAsString(credentialsToSave);
client.setProperty(CxProperties.CREDENTIALS_KEY, credentialsJson);
-
- client.deleteProperty(LEGACY_CREDENTIALS_KEY);
} catch (Exception e) {
logger.error("Fail to migrate credentials, message: " + e.getMessage());
return;
+ } finally {
+ try {
+ client.deleteProperty(LEGACY_CREDENTIALS_KEY);
+ } catch (Exception ex) {
+ logger.error("Failed to delete legacy credentials");
+ }
}
logger.info("Migration completed successfully.");
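Review bot: Moving `client.deleteProperty(LEGACY_CREDENTIALS_KEY)` into a `finally` makes ensureLatestFormat delete the legacy credentials even when the migration failed — if `writeValueAsString` or `setProperty` throws, the catch logs and returns, and the finally then removes the only stored copy, so the user is left with no credentials at all. The delete should only run after the new property has been written; it can keep its own try/catch so a deletion failure does not report the migration as failed, as below. The inner catch should also pass `ex` to the logger rather than dropping it. ensureLatestFormat starts outside the hunk.

```java
client.setProperty(CxProperties.CREDENTIALS_KEY, credentialsJson);
// Remove the legacy copy only once the new format is safely stored.
try {
    client.deleteProperty(LEGACY_CREDENTIALS_KEY);
} catch (Exception ex) {
    logger.error("Failed to delete legacy credentials", ex);
}
} catch (Exception e) {
    // … unchanged: log "Fail to migrate credentials" and return …
}
```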