From 771f4d70dea8851b8720992c99971dd9bed65e74 Mon Sep 17 00:00:00 2001
From: satyamchaurasiapersistent <102941840+satyamchaurasiapersistent@users.noreply.github.com>
Date: Tue, 10 Dec 2024 11:45:54 +0530
Subject: [PATCH] Added code for text and markdown. (#1411)

Co-authored-by: Satyam Chaurasia
---
 docs/Configuration.md | 1 +
 .../flow/config/SarifProperties.java | 4 ++
 .../flow/custom/SarifIssueTracker.java | 57 ++++++++++++-------
 3 files changed, 43 insertions(+), 19 deletions(-)

diff --git a/docs/Configuration.md b/docs/Configuration.md
index 09f57b3c9..2432f6101 100644
--- a/docs/Configuration.md
+++ b/docs/Configuration.md
@@ -995,6 +995,7 @@ sarif:
 | Configuration | Default | Description |
 |------------------------|-----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `hassnippet` | false | In Checkmarx CX-Flow, when the hasSnippet flag is set to true, the tool displays relevant code snippets under the "Region" section of the UI. These snippets provide a portion of the code where potential vulnerabilities are detected, giving developers context to better understand the issue. This feature helps in identifying the exact location of security concerns, streamlining the remediation process by offering precise, actionable insights directly within the code. |
+| `enableTextNHelpSame` |false | In Checkmarx CX-Flow, when the enableTextNHelpSame flag is set to true, sarif report will have same value in help and text under rules section. |
 | `enableOriginalUriBaseIds` | false | In Checkmarx CX-Flow, when the enableOriginalUriBaseIds flag is set to true, Sarif report will have modules details scanned in project. |
 | `srcRootPath` | %SRCROOT% | In Checkmarx CX-Flow, when the srcRootPath has value, It will display same root path in report. |
diff --git a/src/main/java/com/checkmarx/flow/config/SarifProperties.java b/src/main/java/com/checkmarx/flow/config/SarifProperties.java
index d74734d46..f71020186 100644
--- a/src/main/java/com/checkmarx/flow/config/SarifProperties.java
+++ b/src/main/java/com/checkmarx/flow/config/SarifProperties.java
@@ -42,6 +42,10 @@ public class SarifProperties {
 private Map severityMap = new HashMap<>();
 private Map securitySeverityMap = new HashMap<>();
+ @Getter
+ @Setter
+ private boolean enableTextNHelpSame = false;
+
 @PostConstruct
 private void loadSeverityMap(){
 severityMap.put("High", "error");
diff --git a/src/main/java/com/checkmarx/flow/custom/SarifIssueTracker.java b/src/main/java/com/checkmarx/flow/custom/SarifIssueTracker.java
index 32fa772bb..ce4d2a57c 100644
--- a/src/main/java/com/checkmarx/flow/custom/SarifIssueTracker.java
+++ b/src/main/java/com/checkmarx/flow/custom/SarifIssueTracker.java
@@ -187,25 +187,44 @@ private void generateSastResults(ScanResults results, List r
 .collect(Collectors.toCollection(() -> new TreeSet<>(Comparator.comparing(ScanResults.XIssue::getVulnerability))))
 .stream().toList();
- // Build the collection of the rules objects (Vulnerabilities)
- sastScanrules = filteredByVulns.stream().map(i -> Rule.builder()
- .id(i.getVulnerability())
- .name(i.getVulnerability() + "_CX")
- .shortDescription(ShortDescription.builder().text(i.getVulnerability()).build())
- .fullDescription(FullDescription.builder().text(i.getVulnerability()).build())
- .help(Help.builder()
- .markdown(String.format("[%s Details](%s)
" +
- "[Results](%s)",
- i.getVulnerability(),
- (i.getAdditionalDetails().get(RECOMMENDED_FIX) == null) ? "" : i.getAdditionalDetails().get(RECOMMENDED_FIX),
- i.getLink()))
- .text((String) ((i.getAdditionalDetails().get(RECOMMENDED_FIX) == null) ? "Fix not available." : i.getAdditionalDetails().get(RECOMMENDED_FIX)))
- .build())
- .properties(Properties.builder()
- .tags(Arrays.asList("security", "external/cwe/cwe-".concat(i.getCwe())))
- .securitySeverity(properties.getSecuritySeverityMap().get(i.getSeverity()) != null ? properties.getSecuritySeverityMap().get(i.getSeverity()) : DEFAULT_SEVERITY)
- .build())
- .build()).collect(Collectors.toList());
+ if(properties.isEnableTextNHelpSame()){
+ sastScanrules = filteredByVulns.stream().map(i -> Rule.builder()
+ .id(i.getVulnerability())
+ .name(i.getVulnerability()+"_CX")
+ .shortDescription(ShortDescription.builder().text(i.getVulnerability()).build())
+ .fullDescription(FullDescription.builder().text(i.getVulnerability()).build())
+ .help(Help.builder()
+ .markdown((String)((i.getAdditionalDetails().get(RECOMMENDED_FIX)==null) ? "Fix not available.":i.getAdditionalDetails().get(RECOMMENDED_FIX)))
+ .text((String)((i.getAdditionalDetails().get(RECOMMENDED_FIX)==null) ? "Fix not available.":i.getAdditionalDetails().get(RECOMMENDED_FIX)))
+ .build())
+ .properties(Properties.builder()
+ .tags(Arrays.asList("security", "external/cwe/cwe-".concat(i.getCwe())))
+ .securitySeverity(properties.getSecuritySeverityMap().get(i.getSeverity()) != null ? 
properties.getSecuritySeverityMap().get(i.getSeverity()) : DEFAULT_SEVERITY)
+ .build())
+ .build()).collect(Collectors.toList());
+ }else{
+ // Build the collection of the rules objects (Vulnerabilities)
+ sastScanrules = filteredByVulns.stream().map(i -> Rule.builder()
+ .id(i.getVulnerability())
+ .name(i.getVulnerability()+"_CX")
+ .shortDescription(ShortDescription.builder().text(i.getVulnerability()).build())
+ .fullDescription(FullDescription.builder().text(i.getVulnerability()).build())
+ .help(Help.builder()
+ .markdown(String.format("[%s Details](%s)
" +
+ "[Results](%s)",
+ i.getVulnerability(),
+ (i.getAdditionalDetails().get(RECOMMENDED_FIX)==null) ? "":i.getAdditionalDetails().get(RECOMMENDED_FIX),
+ i.getLink()))
+ .text((String)((i.getAdditionalDetails().get(RECOMMENDED_FIX)==null) ? "Fix not available.":i.getAdditionalDetails().get(RECOMMENDED_FIX)))
+ .build())
+ .properties(Properties.builder()
+ .tags(Arrays.asList("security", "external/cwe/cwe-".concat(i.getCwe())))
+ .securitySeverity(properties.getSecuritySeverityMap().get(i.getSeverity()) != null ? properties.getSecuritySeverityMap().get(i.getSeverity()) : DEFAULT_SEVERITY)
+ .build())
+ .build()).collect(Collectors.toList());
+
+ }
+
 //All issues to create the results/locations that are not all false positive
 AtomicInteger count = new AtomicInteger();
 filteredXIssues.forEach(
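Review bot: The two branches added around the Rule.builder() chain in generateSastResults duplicate roughly twenty lines each and differ only in the argument handed to `.markdown(...)`, so every future change to rule construction (tags, severity lookup, descriptions) must now be made twice, and the copies have already drifted in formatting; deriving the markdown string from the flag once, as sketched below, keeps a single builder chain. Both branches also read `i.getAdditionalDetails().get(RECOMMENDED_FIX)` up to three times per issue and `(String)`-cast a raw Map value, so a non-String value would surface as a ClassCastException — hoisting the lookup into a local makes that visible in one place. Because the else branch uses that value as the target of a `[%s Details](%s)` link, it appears to be a URL; with the flag on, `help.markdown` will then carry that bare value rather than a rendered link, which is presumably the intent but deserves a sentence in the Javadoc of `enableTextNHelpSame`. generateSastResults starts and ends outside the hunk.
```java
// … unchanged: filteredByVulns computation …
// Build the collection of the rules objects (Vulnerabilities).
// Only help.markdown depends on enableTextNHelpSame, so decide it per issue
// instead of duplicating the whole builder chain.
boolean sameTextAndHelp = properties.isEnableTextNHelpSame();
sastScanrules = filteredByVulns.stream().map(i -> {
    Object recommendedFix = i.getAdditionalDetails().get(RECOMMENDED_FIX);
    String fixText = recommendedFix == null ? "Fix not available." : (String) recommendedFix;
    String helpMarkdown = sameTextAndHelp
            ? fixText
            : String.format("[%s Details](%s)\n[Results](%s)",
                    i.getVulnerability(),
                    recommendedFix == null ? "" : recommendedFix,
                    i.getLink());
    Object severity = properties.getSecuritySeverityMap().get(i.getSeverity());
    return Rule.builder()
            .id(i.getVulnerability())
            .name(i.getVulnerability() + "_CX")
            .shortDescription(ShortDescription.builder().text(i.getVulnerability()).build())
            .fullDescription(FullDescription.builder().text(i.getVulnerability()).build())
            .help(Help.builder().markdown(helpMarkdown).text(fixText).build())
            .properties(Properties.builder()
                    .tags(Arrays.asList("security", "external/cwe/cwe-".concat(i.getCwe())))
                    .securitySeverity(severity != null ? severity : DEFAULT_SEVERITY)
                    .build())
            .build();
}).collect(Collectors.toList());
// … unchanged: results/locations loop over filteredXIssues …
```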