Merge pull request #7 from checkmarx-ltd/2024_Q4_IntegrationBranch_CriticalSeverity

Critical Severity
swatiawate1 authored Oct 31, 2024
2 parents 3582799 + aacbea4 commit 6fc24b1
Showing 4 changed files with 141 additions and 36 deletions.
56 changes: 31 additions & 25 deletions pom.xml
Expand Up @@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>com.checkmarx.maven</groupId>
<artifactId>checkmarx-maven-plugin</artifactId>
<version>2022.2.3</version>
<version>2024.4.3</version>
<packaging>maven-plugin</packaging>
<name>Checkmarx Maven Plugin</name>
<description>Enables a maven project to integrate with Checkmarx SAST scan.</description>
Expand All @@ -23,10 +23,10 @@

<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<log4j.version>1.2.17</log4j.version>
<slf4j.version>1.7.5</slf4j.version>
<log4j.version>2.17.2</log4j.version>
<slf4j.version>1.8.0-beta2</slf4j.version>
<cxf.version>2.2.3</cxf.version>
<common.client.version>2022.1.10</common.client.version>
<common.client.version>2024.3.28</common.client.version>

<sonar.projectKey>checkmarx-ltd_checkmarx-plugin</sonar.projectKey>
<sonar.organization>checkmarx-ltd</sonar.organization>
Expand All @@ -38,29 +38,35 @@
<dependency>
<groupId>org.apache.maven</groupId>
<artifactId>maven-plugin-api</artifactId>
<version>3.5.0</version>
<version>3.9.9</version>
</dependency>
<!-- for annotations -->
<dependency>
<groupId>org.apache.maven.plugin-tools</groupId>
<artifactId>maven-plugin-annotations</artifactId>
<version>3.5.2</version>
<version>3.15.0</version>
<scope>provided</scope>
</dependency>
<!--
<dependency>
<groupId>org.apache.maven</groupId>
<artifactId>maven-project</artifactId>
<version>2.2.1</version>
</dependency> -->
<dependency>
<groupId>org.apache.maven</groupId>
<artifactId>maven-core</artifactId>
<version>3.9.9</version>
</dependency>
<dependency>
<groupId>org.apache.maven.reporting</groupId>
<artifactId>maven-reporting-api</artifactId>
<version>3.0</version>
<version>4.0.0</version>
</dependency>
<dependency>
<groupId>org.apache.maven.reporting</groupId>
<artifactId>maven-reporting-impl</artifactId>
<version>3.0.0</version>
<version>4.0.0-M15</version>
<exclusions>
<exclusion>
<artifactId>httpclient</artifactId>
Expand Down Expand Up @@ -93,7 +99,7 @@
<dependency>
<groupId>org.codehaus.plexus</groupId>
<artifactId>plexus-archiver</artifactId>
<version>3.7.0</version>
<version>4.10.0</version>
<exclusions>
<exclusion>
<artifactId>commons-compress</artifactId>
Expand All @@ -104,12 +110,12 @@
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-compress</artifactId>
<version>1.21</version>
<version>1.27.1</version>
</dependency>
<dependency>
<groupId>org.codehaus.plexus</groupId>
<artifactId>plexus-utils</artifactId>
<version>3.1.0</version>
<version>4.0.2</version>
</dependency>
<!-- Logger -->
<dependency>
Expand All @@ -120,7 +126,7 @@
<dependency>
<groupId>com.checkmarx</groupId>
<artifactId>cx-client-common</artifactId>
<version>${common.client.version}</version>
<version>2024.3.28</version>
<exclusions>
<exclusion>
<artifactId>guava</artifactId>
Expand Down Expand Up @@ -148,12 +154,12 @@
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.11.0</version>
<version>2.17.0</version>
</dependency>
<dependency>
<groupId>com.github.junrar</groupId>
<artifactId>junrar</artifactId>
<version>7.5.1</version>
<version>7.5.5</version>
</dependency>
<dependency>
<groupId>org.freemarker</groupId>
Expand All @@ -163,12 +169,12 @@
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.13.2.2</version>
<version>2.18.0</version>
</dependency>
<dependency>
<groupId>commons-collections</groupId>
<artifactId>commons-collections</artifactId>
<version>3.2.2</version>
<groupId>org.apache.commons</groupId>
<artifactId>commons-collections4</artifactId>
<version>4.5.0-M2</version>
</dependency>

</dependencies>
Expand All @@ -188,7 +194,7 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-deploy-plugin</artifactId>
<version>2.8.2</version>
<version>3.1.3</version>
</plugin>
</plugins>
</pluginManagement>
Expand Down Expand Up @@ -218,7 +224,7 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.7.0</version>
<version>3.13.0</version>
<configuration>
<source>1.7</source>
<target>1.7</target>
Expand All @@ -231,7 +237,7 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-plugin-plugin</artifactId>
<version>3.3</version>
<version>3.15.0</version>
</plugin>
</plugins>
</reporting>
Expand All @@ -243,7 +249,7 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>2.10.4</version>
<version>3.10.1</version>
<executions>
<execution>
<id>attach-javadocs</id>
Expand All @@ -256,7 +262,7 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-source-plugin</artifactId>
<version>3.0.1</version>
<version>4.0.0-beta-1</version>
<executions>
<execution>
<id>attach-sources</id>
Expand All @@ -269,7 +275,7 @@
<plugin>
<groupId>org.sonatype.plugins</groupId>
<artifactId>nexus-staging-maven-plugin</artifactId>
<version>1.6.7</version>
<version>1.7.0</version>
<extensions>true</extensions>
<configuration>
<serverId>ossrh</serverId>
Expand All @@ -280,7 +286,7 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-gpg-plugin</artifactId>
<version>1.5</version>
<version>3.2.7</version>
<configuration>
<executable>C:\Program Files (x86)\GNU\GnuPG\gpg2.exe</executable>
<passphrase>Checkmarx123456</passphrase>
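Review bot: The last hunk carries forward `<passphrase>Checkmarx123456</passphrase>` under maven-gpg-plugin, so the release-signing key's passphrase sits in plain text in a POM that the nexus-staging configuration suggests is published, and in repository history; the line should be deleted, the passphrase supplied from `~/.m2/settings.xml` or the `MAVEN_GPG_PASSPHRASE` environment variable that maven-gpg-plugin 3.2+ reads, and the key treated as compromised and rotated. The hard-coded `C:\Program Files (x86)\GNU\GnuPG\gpg2.exe` executable on the line above ties signing to one workstation and deserves the same treatment. In the cx-client-common hunk the version was changed from `${common.client.version}` to the literal `2024.3.28` while the property is still maintained at the top of the file, leaving the property dead and the two values free to drift; keep `<version>${common.client.version}</version>`. Several new pins are pre-release (maven-reporting-impl 4.0.0-M15, commons-collections4 4.5.0-M2, maven-source-plugin 4.0.0-beta-1, slf4j 1.8.0-beta2), which is unusual for the release build of a security tool; prefer GA versions where they exist.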
31 changes: 26 additions & 5 deletions src/main/java/com/cx/plugin/CxScanPlugin.java
Expand Up @@ -125,6 +125,13 @@ public class CxScanPlugin extends AbstractMojo {
@Parameter(defaultValue = "true", property = "cx.generatePDFReport")
private boolean generatePDFReport;

/**
* Configure a threshold for the Critical Severity Vulnerabilities.
* The build will fail if the sum of Critical Severity Vulnerabilities is larger than the threshold.
* Leave empty to ignore threshold.
*/
@Parameter(defaultValue = "-1", property = "cx.criticalSeveritiesThreshold")
private int criticalSeveritiesThreshold;

/**
* Configure a threshold for the High Severity Vulnerabilities.
Expand Down Expand Up @@ -274,6 +281,7 @@ public void execute() throws MojoExecutionException, MojoFailureException
}
//resolve configuration
CxScanConfig config = resolveConfigurationMap();
config.setPluginVersion(pluginVersion);
CxClientDelegator delegator = CommonClientFactory.getClientDelegatorInstance(config, log);

//print configuration
Expand Down Expand Up @@ -464,11 +472,24 @@ private CxScanConfig resolveConfigurationMap() throws MojoExecutionException {
scanConfig.setScanComment(comment);
scanConfig.setIncremental(isIncrementalScan);
scanConfig.setSynchronous(isSynchronous);
boolean thresholdEnabled = (highSeveritiesThreshold > 0 || mediumSeveritiesThreshold > 0 || lowSeveritiesThreshold > 0);//todo check null
boolean thresholdEnabled = (criticalSeveritiesThreshold >= 0 || highSeveritiesThreshold >= 0 || mediumSeveritiesThreshold >= 0 || lowSeveritiesThreshold >= 0);//todo check null
scanConfig.setSastThresholdsEnabled(thresholdEnabled);
scanConfig.setSastHighThreshold(highSeveritiesThreshold);
scanConfig.setSastMediumThreshold(mediumSeveritiesThreshold);
scanConfig.setSastLowThreshold(lowSeveritiesThreshold);
if (criticalSeveritiesThreshold >= 0) {
scanConfig.setSastCriticalThreshold(criticalSeveritiesThreshold);
}

if (highSeveritiesThreshold >= 0) {
scanConfig.setSastHighThreshold(highSeveritiesThreshold);
}

if (mediumSeveritiesThreshold >= 0) {
scanConfig.setSastMediumThreshold(mediumSeveritiesThreshold);
}

if (lowSeveritiesThreshold >= 0) {
scanConfig.setSastLowThreshold(lowSeveritiesThreshold);
}

scanConfig.setGeneratePDFReport(generatePDFReport);

for (String folder : folderExclusions){
Expand All @@ -483,7 +504,7 @@ private CxScanConfig resolveConfigurationMap() throws MojoExecutionException {
if(osaEnabled){
scanConfig.addScannerType(ScannerType.OSA);
}
boolean osaThresholdEnabled = (osaHighSeveritiesThreshold > 0 || osaMediumSeveritiesThreshold > 0 || osaLowSeveritiesThreshold > 0);//todo check null
boolean osaThresholdEnabled = (osaHighSeveritiesThreshold >= 0 || osaMediumSeveritiesThreshold >= 0 || osaLowSeveritiesThreshold >= 0);//todo check null
scanConfig.setOsaGenerateJsonReport(osaGenerateJsonReport);
scanConfig.setOsaThresholdsEnabled(osaThresholdEnabled);
scanConfig.setOsaHighThreshold(osaHighSeveritiesThreshold);
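Review bot: The OSA threshold setters at the end of the hunk still pass the raw parameter values through unconditionally, whereas the SAST setters just above were wrapped in `>= 0` guards in this same commit; if the OSA parameters share the -1 "disabled" default (their declarations are outside the hunk), a disabled OSA threshold now reaches the client as -1 while the enable flag is computed with `>= 0`, so guard them the same way, `if (osaHighSeveritiesThreshold >= 0) { scanConfig.setOsaHighThreshold(osaHighSeveritiesThreshold); }` and likewise for medium and low. The Javadoc on the new `criticalSeveritiesThreshold` says "Leave empty to ignore threshold", but the field is a primitive `int` with `defaultValue = "-1"`, and an empty value cannot bind to an int; the comment should read `Leave unset (default -1) to ignore the threshold.` The `//todo check null` remark was kept on an expression over primitives and can be dropped. resolveConfigurationMap continues outside the hunk.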
48 changes: 42 additions & 6 deletions src/main/java/com/cx/plugin/utils/CxPluginUtils.java
@@ -1,23 +1,26 @@
package com.cx.plugin.utils;


import com.cx.plugin.utils.SASTUtils;
import com.cx.restclient.configuration.CxScanConfig;
import com.cx.restclient.dto.ScanResults;
import org.apache.commons.lang3.StringUtils;
import org.apache.maven.model.Resource;
import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.plugin.MojoFailureException;
import org.apache.maven.plugins.annotations.Component;
import org.apache.maven.project.MavenProject;
import org.codehaus.plexus.archiver.zip.ZipArchiver;
import org.slf4j.Logger;
import org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher;

import java.io.File;
import java.io.FilenameFilter;
import java.io.IOException;
import java.net.URL;
import java.util.Arrays;
import java.util.List;
import java.util.Properties;

import static com.cx.plugin.CxScanPlugin.SOURCES_ZIP_NAME;

/**
Expand Down Expand Up @@ -70,11 +73,21 @@ public static void printConfiguration(CxScanConfig config, String[] osaIgnoreSco
log.info("Generate PDF report: " + config.getGeneratePDFReport());
log.info("Policy violations enabled: " + config.getEnablePolicyViolations());
log.info("CxSAST thresholds enabled: " + config.getSastThresholdsEnabled());
if (config.getSastThresholdsEnabled()) {
log.info("CxSAST high threshold: " + (config.getSastHighThreshold() == null ? "[No Threshold]" : config.getSastHighThreshold()));
log.info("CxSAST medium threshold: " + (config.getSastMediumThreshold() == null ? "[No Threshold]" : config.getSastMediumThreshold()));
log.info("CxSAST low threshold: " + (config.getSastLowThreshold() == null ? "[No Threshold]" : config.getSastLowThreshold()));
}
if (config.getSastThresholdsEnabled()) {
Double version = getSASTVersion(config, log);
// Check if SAST version supports critical threshold
if (version >= 9.7) {
log.info("CxSAST critical threshold: " + (config.getSastCriticalThreshold() == null ? "[No Threshold]"
: config.getSastCriticalThreshold()));
}

log.info("CxSAST high threshold: "
+ (config.getSastHighThreshold() == null ? "[No Threshold]" : config.getSastHighThreshold()));
log.info("CxSAST medium threshold: "
+ (config.getSastMediumThreshold() == null ? "[No Threshold]" : config.getSastMediumThreshold()));
log.info("CxSAST low threshold: "
+ (config.getSastLowThreshold() == null ? "[No Threshold]" : config.getSastLowThreshold()));
}
log.info("CxOSA enabled: " + config.isOsaEnabled());
if (config.isOsaEnabled()) {
log.info("osaIgnoreScopes: " + Arrays.toString(osaIgnoreScopes));
Expand All @@ -89,17 +102,40 @@ public static void printConfiguration(CxScanConfig config, String[] osaIgnoreSco
//todo check log.info("fileExclusions: " + Arrays.toString(fileExclusions));
}

private static Double getSASTVersion(CxScanConfig config, Logger log) {
String cxServerUrl = config.getUrl();
String cxUser = config.getUsername();
String cxPass = config.getPassword();
Double version = 9.0;
String sastVersion;
// Fetch SAST version using API call
try {
sastVersion = SASTUtils.loginToServer(new URL(cxServerUrl), cxUser, cxPass);
String[] sastVersionSplit = sastVersion.split("\\.");
if(sastVersionSplit != null && sastVersionSplit.length > 1) {
version = Double.parseDouble(sastVersionSplit[0] + "." + sastVersionSplit[1]);
}
} catch (Exception e) {
log.error(e.getMessage());
}
return version;
}

public static void printBuildFailure(String thDescription, ScanResults ret, Logger log) throws MojoFailureException
{
StringBuilder builder = new StringBuilder();
builder.append("********************************************");
builder.append(" The Build Failed for the Following Reasons: ");
builder.append("\n");
builder.append("********************************************");
builder.append("\n");
appendError(ret.getGeneralException(), builder);
builder.append("\n");

String[] lines = thDescription.split("\\n");
for (String s : lines) {
builder.append(s);
builder.append("\n");
}
builder.append("-----------------------------------------------------------------------------------------\n");

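Review bot: `getSASTVersion` folds the server version into a `Double` by parsing `major.minor`, so any minor number of two or more digits compares wrongly: a "9.10" release, should one exist, parses as 9.1 and fails the `version >= 9.7` check at the top of the hunk, silently hiding the critical-threshold line. On the failure path `SASTUtils.loginToServer` returns null, `sastVersion.split` throws, and the catch logs only `e.getMessage()` (no stack trace, and possibly null) before falling back to 9.0 as if the server had answered. Compare major and minor as integers and return a boolean the call site can use directly, `if (sastSupportsCriticalThreshold(config, log)) {`; note that this helper also performs a second authenticated login purely to print a log line, which is worth checking against the client the plugin already logs in with. printConfiguration begins outside the hunk.
```java
/** True when the CxSAST server reports version 9.7 or later; false when the version cannot be determined. */
private static boolean sastSupportsCriticalThreshold(CxScanConfig config, Logger log) {
    try {
        String sastVersion = SASTUtils.loginToServer(new URL(config.getUrl()), config.getUsername(), config.getPassword());
        if (sastVersion == null || sastVersion.isEmpty()) {
            log.warn("Could not determine CxSAST version; critical threshold assumed unsupported");
            return false;
        }
        String[] parts = sastVersion.split("\\.");
        int major = Integer.parseInt(parts[0].trim());
        int minor = parts.length > 1 ? Integer.parseInt(parts[1].trim()) : 0;
        return major > 9 || (major == 9 && minor >= 7);
    } catch (Exception e) {
        log.error("Failed to query CxSAST version", e);
        return false;
    }
}
```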
42 changes: 42 additions & 0 deletions src/main/java/com/cx/plugin/utils/SASTUtils.java
@@ -0,0 +1,42 @@
package com.cx.plugin.utils;

import java.net.MalformedURLException;
import java.net.URL;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.cx.plugin.CxScanPlugin;
import com.cx.restclient.CxClientDelegator;
import com.cx.restclient.configuration.CxScanConfig;
import com.cx.restclient.dto.ScannerType;
import com.cx.restclient.exception.CxClientException;
import com.cx.restclient.sast.utils.LegacyClient;

public class SASTUtils {

public static LegacyClient getInstance(CxScanConfig config, Logger log)
throws MalformedURLException, CxClientException {
return new LegacyClient(config, log) {
};
}

private static final Logger log = LoggerFactory.getLogger(SASTUtils.class);
private CxClientDelegator clientDelegator;

public static String loginToServer(URL url, String username, String pssd) {
String version = null;
String result = "";
try {
CxScanConfig scanConfig = new CxScanConfig(url.toString().trim(), username, pssd,
CxScanPlugin.PLUGIN_ORIGIN, true);
scanConfig.addScannerType(ScannerType.SAST);
LegacyClient clientCommon = getInstance(scanConfig, log);
version = clientCommon.login(true);
return version;
} catch (Exception ex) {
result = ex.getMessage();
return version;
}
}
}
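Review bot: The catch block in `loginToServer` stores `ex.getMessage()` in `result`, which is never read, and returns null without logging even though the class declares `log`, so a caller cannot tell a malformed URL from a rejected credential from a network error. Replace the dead assignment with `log.error("Login to CxSAST at {} failed while reading the server version", url, ex);` and drop `result`, together with the unused `clientDelegator` instance field that has no role in a static utility class. Whether `LegacyClient` holds a session or HTTP resources that should be released after `login` is not visible here; if it does, release them in a finally block so this version probe does not leak a connection per build. The `pssd` parameter would read more clearly as `password`.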
