Merge pull request #402 from checkmarx-ltd/develop

CXFLW-979 Opting Out of Bitbucket comment notifications during
checkmarx-ltd · May 14, 2024 · fd52d57 · fd52d57
2 parents 07863d1 + 32ea645
commit fd52d57
Show file tree

Hide file tree

Showing 15 changed files with 105 additions and 17 deletions.
diff --git a/pom.xml b/pom.xml
@@ -10,7 +10,7 @@
 	</parent>
 	<groupId>com.github.checkmarx-ltd</groupId>
 	<artifactId>cx-spring-boot-sdk</artifactId>
-	<version>0.6.6</version>
+	<version>0.6.7</version>
 
 
 	<name>cx-spring-boot-sdk</name>

diff --git a/src/main/java/com/checkmarx/sdk/dto/ast/PackageSeverity.java b/src/main/java/com/checkmarx/sdk/dto/ast/PackageSeverity.java
@@ -4,5 +4,6 @@ public enum PackageSeverity {
     NONE,
     LOW,
     MEDIUM,
-    HIGH
+    HIGH,
+    CRITICAL
 }
diff --git a/src/main/java/com/checkmarx/sdk/dto/cx/CxScanSummary.java b/src/main/java/com/checkmarx/sdk/dto/cx/CxScanSummary.java
@@ -2,6 +2,8 @@
 
 import java.time.LocalDateTime;
 import java.util.Map;
+
+import com.checkmarx.sdk.config.CxProperties;
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.annotation.JsonPropertyOrder;
@@ -16,6 +18,8 @@
 })
 public class CxScanSummary {
 
+    @JsonProperty("criticalSeverity")
+    private Integer criticalSeverity;
     @JsonProperty("highSeverity")
     private Integer highSeverity;
     @JsonProperty("mediumSeverity")
@@ -30,13 +34,23 @@ public class CxScanSummary {
     public CxScanSummary() { }
 
     public CxScanSummary(Map<String, Integer> summary) {
+        criticalSeverity = summary.getOrDefault("Critical", 0);
         highSeverity = summary.getOrDefault("High", 0);
         mediumSeverity = summary.getOrDefault("Medium", 0);
         lowSeverity = summary.getOrDefault("Low", 0);
         infoSeverity = summary.getOrDefault("Info", 0);
         LocalDateTime now = LocalDateTime.now();
         statisticsCalculationDate = now.toString();
     }
+
+    public Integer getCriticalSeverity() {
+        return criticalSeverity;
+    }
+
+    public void setCriticalSeverity(Integer criticalSeverity) {
+        this.criticalSeverity = criticalSeverity;
+    }
+
     public Integer getHighSeverity() {
         return highSeverity;
     }
@@ -79,6 +93,6 @@ public void setStatisticsCalculationDate(String statisticsCalculationDate) {
 
     @Override
     public String toString() {
-        return String.format("high: %s, medium: %s, low: %s, info: %s", highSeverity, mediumSeverity, lowSeverity, infoSeverity);
+            return String.format("critical:%s, high: %s, medium: %s, low: %s, info: %s",criticalSeverity, highSeverity, mediumSeverity, lowSeverity, infoSeverity);
     }
 }
diff --git a/src/main/java/com/checkmarx/sdk/dto/cxgo/SASTScanResult.java b/src/main/java/com/checkmarx/sdk/dto/cxgo/SASTScanResult.java
@@ -249,6 +249,7 @@ public void setStatus(String s) {
     }
 
     public enum Severity {
+        CRITICAL("CRITICAL"),
         HIGH("HIGH"),
         MEDIUM("MEDIUM"),
         LOW("LOW"),

diff --git a/src/main/java/com/checkmarx/sdk/dto/sast/CxConfig.java b/src/main/java/com/checkmarx/sdk/dto/sast/CxConfig.java
@@ -21,6 +21,10 @@ public class CxConfig implements Serializable {
     private Double version;
     @JsonProperty("active")
     private Boolean active = true;
+
+    @JsonProperty("scanSubmittedComment")
+    private Boolean scanSubmittedComment = true;
+
     @JsonProperty("host")
     private String host;
     @JsonProperty("credential")
@@ -79,6 +83,16 @@ public void setActive(Boolean active) {
         this.active = active;
     }
 
+    @JsonProperty("scanSubmittedComment")
+    public Boolean getScanSubmittedComment() {
+        return scanSubmittedComment;
+    }
+
+    @JsonProperty("scanSubmittedComment")
+    public void setScanSubmittedComment(Boolean scanSubmittedComment) {
+        this.scanSubmittedComment = scanSubmittedComment;
+    }
+
     @JsonProperty("cxHost")
     public String getCxHost() {
         return host;

diff --git a/src/main/java/com/checkmarx/sdk/dto/sca/SCAResults.java b/src/main/java/com/checkmarx/sdk/dto/sca/SCAResults.java
@@ -33,7 +33,7 @@ public void calculateVulnerableAndOutdatedPackages() {
         int sum;
         if (this.packages != null) {
             for (Package pckg : this.packages) {
-                sum = pckg.getHighVulnerabilityCount() + pckg.getMediumVulnerabilityCount() + pckg.getLowVulnerabilityCount();
+                sum = pckg.getCriticalVulnerabilityCount()+pckg.getHighVulnerabilityCount() + pckg.getMediumVulnerabilityCount() + pckg.getLowVulnerabilityCount();
                 if (sum == 0) {
                     this.nonVulnerableLibraries++;
                 } else if (sum > 0 && pckg.isOutdated()) {

diff --git a/src/main/java/com/checkmarx/sdk/dto/sca/report/Package.java b/src/main/java/com/checkmarx/sdk/dto/sca/report/Package.java
@@ -23,7 +23,7 @@ public class Package implements Serializable {
      * The current values are [Filename, Sha1]. Not considered an enum in SCA API.
      */
     private String matchType;
-
+    private int criticalVulnerabilityCount;
     private int highVulnerabilityCount;
     private int mediumVulnerabilityCount;
     private int lowVulnerabilityCount;

diff --git a/src/main/java/com/checkmarx/sdk/dto/sca/report/PackageSeverity.java b/src/main/java/com/checkmarx/sdk/dto/sca/report/PackageSeverity.java
@@ -8,5 +8,6 @@ public enum PackageSeverity {
 
     LOW,
     MEDIUM,
-    HIGH
+    HIGH,
+    CRITICAL
 }
diff --git a/src/main/java/com/checkmarx/sdk/dto/sca/report/ScaSummaryBaseFormat.java b/src/main/java/com/checkmarx/sdk/dto/sca/report/ScaSummaryBaseFormat.java
@@ -9,26 +9,28 @@ public class ScaSummaryBaseFormat implements Serializable {
     private String createdOn;
     private double riskScore;
     private int totalOutdatedPackages;
+    private int criticalVulnerabilityCount = 0;
     private int highVulnerabilityCount = 0;
     private int mediumVulnerabilityCount = 0;
     private int lowVulnerabilityCount = 0;
 
     public ScaSummaryBaseFormat() {
     }
 
-    public ScaSummaryBaseFormat(int totalPackages, int directPackages, String createdOn, double riskScore, int totalOutdatedPackages, int highVulnerabilityCount, int mediumVulnerabilityCount, int lowVulnerabilityCount) {
+    public ScaSummaryBaseFormat(int totalPackages, int directPackages, String createdOn, double riskScore, int totalOutdatedPackages, int criticalVulnerabilityCount,int highVulnerabilityCount, int mediumVulnerabilityCount, int lowVulnerabilityCount) {
         this.totalPackages = totalPackages;
         this.directPackages = directPackages;
         this.createdOn = createdOn;
         this.riskScore = riskScore;
         this.totalOutdatedPackages = totalOutdatedPackages;
+        this.criticalVulnerabilityCount = criticalVulnerabilityCount;
         this.highVulnerabilityCount = highVulnerabilityCount;
         this.mediumVulnerabilityCount = mediumVulnerabilityCount;
         this.lowVulnerabilityCount = lowVulnerabilityCount;
     }
 
     public int getTotalOkLibraries() {
-        int totalOk = (totalPackages - (highVulnerabilityCount + mediumVulnerabilityCount + lowVulnerabilityCount));
+        int totalOk = (totalPackages - (criticalVulnerabilityCount+highVulnerabilityCount + mediumVulnerabilityCount + lowVulnerabilityCount));
         totalOk = Math.max(totalOk, 0);
         return totalOk;
     }
@@ -96,4 +98,11 @@ public int getLowVulnerabilityCount() {
     public void setLowVulnerabilityCount(int lowVulnerabilityCount) {
         this.lowVulnerabilityCount = lowVulnerabilityCount;
     }
+    public int getCriticalVulnerabilityCount() {
+        return criticalVulnerabilityCount;
+    }
+
+    public void setCriticalVulnerabilityCount(int criticalVulnerabilityCount) {
+        this.criticalVulnerabilityCount = criticalVulnerabilityCount;
+    }
 }
diff --git a/src/main/java/com/checkmarx/sdk/dto/sca/xml/PackageType.java b/src/main/java/com/checkmarx/sdk/dto/sca/xml/PackageType.java
@@ -61,6 +61,7 @@
     "version",
     "licenses",
     "matchType",
+    "CriticalVulnerabilityCount",
     "highVulnerabilityCount",
     "mediumVulnerabilityCount",
     "lowVulnerabilityCount",
@@ -93,6 +94,8 @@ public class PackageType {
     protected LicensesType licenses;
     @XmlElement(name = "MatchType", required = true)
     protected String matchType;
+    @XmlElement(name = "CriticalVulnerabilityCount")
+    protected byte criticalVulnerabilityCount;
     @XmlElement(name = "HighVulnerabilityCount")
     protected byte highVulnerabilityCount;
     @XmlElement(name = "MediumVulnerabilityCount")
@@ -252,6 +255,17 @@ public String getMatchType() {
     public void setMatchType(String value) {
         this.matchType = value;
     }
+    /**
+     * Gets the value of the criticalVulnerabilityCount property.
+     *
+     */
+    public byte getCriticalVulnerabilityCount() {
+        return criticalVulnerabilityCount;
+    }
+
+    public void setCriticalVulnerabilityCount(byte criticalVulnerabilityCount) {
+        this.criticalVulnerabilityCount = criticalVulnerabilityCount;
+    }
 
     /**
      * Gets the value of the highVulnerabilityCount property.

diff --git a/src/main/java/com/checkmarx/sdk/dto/sca/xml/RiskReportSummaryType.java b/src/main/java/com/checkmarx/sdk/dto/sca/xml/RiskReportSummaryType.java
@@ -26,6 +26,7 @@
  *         &lt;element name="ProjectId" type="{http://www.w3.org/2001/XMLSchema}string"/>
  *         &lt;element name="ProjectName" type="{http://www.w3.org/2001/XMLSchema}string"/>
  *         &lt;element name="ProjectCreatedOn" type="{http://www.w3.org/2001/XMLSchema}dateTime"/>
+ *         &lt;element name="CriticalVulnerabilityCount" type="{http://www.w3.org/2001/XMLSchema}byte"/>
  *         &lt;element name="HighVulnerabilityCount" type="{http://www.w3.org/2001/XMLSchema}byte"/>
  *         &lt;element name="MediumVulnerabilityCount" type="{http://www.w3.org/2001/XMLSchema}byte"/>
  *         &lt;element name="LowVulnerabilityCount" type="{http://www.w3.org/2001/XMLSchema}byte"/>
@@ -61,6 +62,7 @@
     "projectId",
     "projectName",
     "projectCreatedOn",
+    "CriticalVulnerabilityCount",
     "highVulnerabilityCount",
     "mediumVulnerabilityCount",
     "lowVulnerabilityCount",
@@ -70,7 +72,7 @@
     "riskScore",
     "totalOutdatedPackages",
     "vulnerablePackages",
-    "totalPackagesWithLegalRisk",
+    "totalPackagesWithLegalRisk", "criticalVulnerablePackages",
     "highVulnerablePackages",
     "mediumVulnerablePackages",
     "lowVulnerablePackages",
@@ -94,6 +96,8 @@ public class RiskReportSummaryType {
     @XmlElement(name = "ProjectCreatedOn", required = true)
     @XmlSchemaType(name = "dateTime")
     protected XMLGregorianCalendar projectCreatedOn;
+    @XmlElement(name = "CriticalVulnerabilityCount")
+    protected byte criticalVulnerabilityCount;
     @XmlElement(name = "HighVulnerabilityCount")
     protected byte highVulnerabilityCount;
     @XmlElement(name = "MediumVulnerabilityCount")
@@ -410,6 +414,14 @@ public byte getHighVulnerablePackages() {
         return highVulnerablePackages;
     }
 
+    public byte getCriticalVulnerabilityCount() {
+        return criticalVulnerabilityCount;
+    }
+
+    public void setCriticalVulnerabilityCount(byte criticalVulnerabilityCount) {
+        this.criticalVulnerabilityCount = criticalVulnerabilityCount;
+    }
+
     /**
      * Sets the value of the highVulnerablePackages property.
      * 

diff --git a/src/main/java/com/checkmarx/sdk/dto/scansummary/Severity.java b/src/main/java/com/checkmarx/sdk/dto/scansummary/Severity.java
@@ -3,5 +3,6 @@
 public enum Severity {
     LOW,
     MEDIUM,
-    HIGH
+    HIGH,
+    CRITICAL
 }
diff --git a/src/main/java/com/checkmarx/sdk/service/CxService.java b/src/main/java/com/checkmarx/sdk/service/CxService.java
@@ -4,7 +4,6 @@
 import com.checkmarx.sdk.config.CxProperties;
 import com.checkmarx.sdk.config.CxPropertiesBase;
 import com.checkmarx.sdk.dto.cx.preandpostaction.CustomTaskByName;
-import com.checkmarx.sdk.dto.cx.preandpostaction.ListCustomeObj;
 import com.checkmarx.sdk.dto.cx.preandpostaction.ScanSettings;
 import com.checkmarx.sdk.dto.cx.projectdetails.ProjectFieldDetails;
 import com.checkmarx.sdk.dto.sast.Filter;
@@ -55,9 +54,7 @@
 import java.net.*;
 import java.nio.file.Files;
 import java.nio.charset.StandardCharsets;
-import java.nio.file.Path;
 import java.nio.file.Paths;
-import java.text.SimpleDateFormat;
 import java.time.LocalDateTime;
 import java.time.format.DateTimeFormatter;
 import java.time.format.DateTimeParseException;
@@ -118,6 +115,7 @@ public class CxService implements CxClient {
     private static final String ROLE_LDAP_MAPPINGS = "/auth/LDAPRoleMappings?ldapServerId={id}";
     private static final String ROLE_LDAP_MAPPINGS_DELETE = "/auth/LDAPRoleMappings/{id}";
     private static final String LDAP_SERVER = "/auth/LDAPServers";
+    private static final String VERSION  = "/system/version";
     private static final String ODATA_SCAN_SIMILARITY_IDS = "/cxwebinterface/odata/v1/Scans({id})?$select=Id&$expand=Results($select=SimilarityId)";
     private static final String PROJECTS = "/projects";
     private static final String PROJECT = "/projects/{id}";
@@ -624,7 +622,6 @@ public ScanResults getReportContent(Integer reportId, FilterConfiguration filter
             } else {
                 scanSummary = getScanSummaryByScanId(Integer.valueOf(cxResults.getScanId()));
             }
-            log.debug("scanSummary: {}", scanSummary);
             cxScanBuilder.scanSummary(scanSummary);
             ScanResults results = cxScanBuilder.build();
             //Add the summary map (severity, count)
@@ -2222,6 +2219,7 @@ public String branchNameNormalizer(String branchName){
     public Integer createScan(CxScanParams params, String comment) throws CheckmarxException{
         log.info("Creating scan...");
         log.debug("Creating scan with params: {} and comment: \"{}\"", params, comment);
+        getAndUpdateSASTVersion();
         validateScanParams(params);
         String teamId = determineTeamId(params);
         Integer projectId = determineProjectId(params, teamId);
@@ -3163,6 +3161,24 @@ public Integer getLdapServerId(String serverName) throws CheckmarxException {
         }
     }
 
+    public void getAndUpdateSASTVersion() {
+        try{
+            HttpEntity<Object> requestEntity = new HttpEntity<>(authClient.createAuthHeaders());
+            ResponseEntity<String> response = restTemplate.exchange(cxProperties.getUrl().concat(VERSION), HttpMethod.GET, requestEntity, String.class);
+            JSONObject obj = new JSONObject(Objects.requireNonNull(response.getBody()));
+            String versionName = obj.getString("version");
+            Double version=Double.parseDouble(versionName.split("\\.",3)[0]+"."+ versionName.split("\\.",3)[1]);
+            log.info("using SAST version :{}",version);
+            cxProperties.setVersion(version);
+        } catch (HttpStatusCodeException e) {
+            log.error("Error occurred while SAST version, http error {}", e.getStatusCode());
+            log.error(ExceptionUtils.getStackTrace(e));
+        } catch (JSONException e) {
+            log.error("Error occurred while processing JSON");
+            log.error(ExceptionUtils.getStackTrace(e));
+        }
+    }
+
     private void validateScanParams(CxScanParams params) throws CheckmarxException {
         log.debug(params.toString());
         if(ScanUtils.empty(params.getProjectName())){

diff --git a/src/main/java/com/checkmarx/sdk/utils/CxRepoFileHelper.java b/src/main/java/com/checkmarx/sdk/utils/CxRepoFileHelper.java
@@ -13,6 +13,7 @@
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.SystemUtils;
 import org.apache.commons.lang3.exception.ExceptionUtils;
 import org.eclipse.jgit.api.Git;
 import org.eclipse.jgit.api.errors.GitAPIException;
@@ -23,12 +24,12 @@
 import java.io.IOException;
 import java.net.URI;
 import java.net.URISyntaxException;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.nio.file.Paths;
+import java.nio.file.*;
+import java.nio.file.attribute.BasicFileAttributes;
 import java.nio.file.attribute.DosFileAttributeView;
 import java.nio.file.attribute.PosixFilePermission;
 import java.util.*;
+import java.util.regex.Pattern;
 
 @Slf4j
 public class CxRepoFileHelper {

diff --git a/src/main/java/com/checkmarx/sdk/utils/scanner/client/ScaClientHelper.java b/src/main/java/com/checkmarx/sdk/utils/scanner/client/ScaClientHelper.java
@@ -1131,6 +1131,7 @@ private List<Package> getScaPackages(PackagesType packagesType, List<Package> pa
             packge.setName(packageTypeList.get(count).getName());
             packge.setVersion(packageTypeList.get(count).getVersion());
             packge.setMatchType(packageTypeList.get(count).getMatchType());
+            packge.setCriticalVulnerabilityCount(packageTypeList.get(count).getCriticalVulnerabilityCount());
             packge.setHighVulnerabilityCount(packageTypeList.get(count).getHighVulnerabilityCount());
             packge.setLowVulnerabilityCount(packageTypeList.get(count).getLowVulnerabilityCount());
             packge.setMediumVulnerabilityCount(packageTypeList.get(count).getMediumVulnerabilityCount());
@@ -1253,6 +1254,7 @@ private ScaSummaryBaseFormat getScaSummaryReport(RiskReportSummaryType riskRepor
         scaSummaryBaseFormat.setTotalPackages(riskReportSummaryType.getTotalPackages());
         scaSummaryBaseFormat.setTotalOutdatedPackages(riskReportSummaryType.getTotalOutdatedPackages());
         scaSummaryBaseFormat.setCreatedOn(riskReportSummaryType.getCreatedOn().toString());
+        scaSummaryBaseFormat.setCriticalVulnerabilityCount(riskReportSummaryType.getCriticalVulnerabilityCount());
         scaSummaryBaseFormat.setHighVulnerabilityCount(riskReportSummaryType.getHighVulnerabilityCount());
         scaSummaryBaseFormat.setLowVulnerabilityCount(riskReportSummaryType.getLowVulnerabilityCount());
         scaSummaryBaseFormat.setMediumVulnerabilityCount(riskReportSummaryType.getMediumVulnerabilityCount());
@@ -1562,6 +1564,7 @@ private  Map<String, String> getScaScanTags() throws IOException {
 
     protected Map<Filter.Severity, Integer> getFindingCountMap(ScaSummaryBaseFormat summary) {
         EnumMap<Filter.Severity, Integer> result = new EnumMap<>(Filter.Severity.class);
+        result.put(Filter.Severity.CRITICAL,summary.getCriticalVulnerabilityCount());
         result.put(Filter.Severity.HIGH, summary.getHighVulnerabilityCount());
         result.put(Filter.Severity.MEDIUM, summary.getMediumVulnerabilityCount());
         result.put(Filter.Severity.LOW, summary.getLowVulnerabilityCount());
@@ -1725,6 +1728,7 @@ private void printSummary(ScaSummaryBaseFormat summary, String scanId) {
             log.info("----CxSCA risk report summary----");
             log.info("Created on: {}", summary.getCreatedOn());
             log.info("Direct packages: {}", summary.getDirectPackages());
+            log.info("Critical vulnerabilities: {}",summary.getCriticalVulnerabilityCount());
             log.info("High vulnerabilities: {}", summary.getHighVulnerabilityCount());
             log.info("Medium vulnerabilities: {}", summary.getMediumVulnerabilityCount());
             log.info("Low vulnerabilities: {}", summary.getLowVulnerabilityCount());
-Original file line number
+Diff line change
@@ Expand Up / @@ -4,5 +4,6 @@ public enum PackageSeverity { @@
         NONE,
         LOW,
         MEDIUM,
-        HIGH
+        HIGH,
+        CRITICAL
     }