

Added Critical Severity for SAST and SCA (#1350)
* Added Critical Severity for SAST and SCA

* Update testcases

* Update config.yml

* Updated Test cases as getting medium count 13

* Update Architecture.md
itsKedar authored May 28, 2024
1 parent 0dbdf40 commit 7c8e121
Showing 15 changed files with 87 additions and 54 deletions.
8 changes: 4 additions & 4 deletions .circleci/config.yml
Expand Up @@ -630,9 +630,9 @@ workflows:
- CxGo-integration-tests:
requires:
- deploy-cxflow
# - CodeBashing-integration-tests:
# - CodeBashing-integration-tests:
# requires:
# - deploy-cxflow
# - deploy-cxflow
- publish-github-pre-release:
filters:
branches:
Expand Down Expand Up @@ -670,7 +670,7 @@ workflows:
- SAST-CLI-integration-tests
- SCA-CLI-integration-tests
- CxGo-integration-tests
# - CodeBashing-integration-tests
# - CodeBashing-integration-tests
- cleanup:
cluster-name: eks-cxflow-ci
namespace: cxflow-${CIRCLE_SHA1::7}
Expand Down Expand Up @@ -700,4 +700,4 @@ workflows:
branches:
only: develop
jobs:
- clean-eks
- clean-eks
2 changes: 1 addition & 1 deletion build-11.gradle
Expand Up @@ -3,7 +3,7 @@ import org.gradle.api.tasks.testing.Test
buildscript {
ext {

CxSBSDK = "0.6.6"
CxSBSDK = "0.6.7"
ConfigProviderVersion = '1.0.14'
//cxVersion = "8.90.5"
springBootVersion = '3.2.4'
2 changes: 1 addition & 1 deletion build.gradle
Expand Up @@ -3,7 +3,7 @@ import org.gradle.api.tasks.testing.Test
buildscript {
ext {

CxSBSDK = "0.6.6"
CxSBSDK = "0.6.7"
ConfigProviderVersion = '1.0.14'
//cxVersion = "8.90.5"
springBootVersion = '3.2.4'
1 change: 1 addition & 0 deletions docs/Architecture.md
Expand Up @@ -19,6 +19,7 @@
* [Backlog](#backlog)
* [Build/Release](#build)


## <a name="webhook">Web Service (WebHook)</a>
[[/Images/arch1.png|Architecture diagram displaying the flow from repository through CxFlow to CxSAST and Issue Tracking software]]
## <a name="overview">Overview</a>
81 changes: 41 additions & 40 deletions docs/Configuration.md


2 changes: 2 additions & 0 deletions docs/CxSAST-Version-9.X.md
Expand Up @@ -22,6 +22,7 @@ checkmarx:
base-url: http://cx.local
multi-tenant: true
configuration: Default Configuration
enabled-zip-scan: false
cx-branch: true
scan-preset: Checkmarx Default
team: /CxServer/Checkmarx/CxFlow
Expand Down Expand Up @@ -86,6 +87,7 @@ checkmarx:
configuration: Default Configuration
cx-branch: true
#scan-preset: Checkmarx Defaul
enabled-zip-scan: false
preserve-xml: true
team: /CxServer/Checkmarx/CxFlow
url: ${checkmarx.base-url}/cxrestapi
5 changes: 4 additions & 1 deletion docs/Frequently-Asked-Questions.md
Expand Up @@ -107,4 +107,7 @@ Overrides can be used to assign the same name to multiple projects. Alternative
Yes, this can be performed with overrides & [Config As Code](https://github.com/checkmarx-ltd/cx-flow/wiki/Config-As-Code)

## <a name="applicationxml">Q: Why cxflow spring boot fails to start application if application.xml is present in source code in GitLab pipeline ?</a>
Plesae pass command line parameter --spring.config.name=myproject in .gitlab-ci.yml file
Please pass command line parameter --spring.config.name=myproject in .gitlab-ci.yml file

## <a name="applicationxml">Q: How to make scan compatible with Windows os if project have windows reserved keyword or folder with windows invalid characters ?</a>
Please exclude files which contains windows reserved keyword or folder with windows invalid characters using excludeFiles parameter.
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
package com.checkmarx.flow.config;

public enum FindingSeverity {
HIGH, MEDIUM, LOW, INFO
CRITICAL,HIGH, MEDIUM, LOW, INFO
}
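Review bot: Inserting CRITICAL in front of HIGH shifts the ordinal of every existing constant, so any caller that orders or ranges over FindingSeverity (EnumSet.range, compareTo, ordinal-based indexing, or a persisted ordinal) now sees a different sequence; no such caller is visible in this diff, so please confirm none exists. A one-line comment on the enum would make the contract explicit: `// Declared from most to least severe; callers may rely on this order.` Also add the missing space after the comma: `CRITICAL, HIGH, MEDIUM, LOW, INFO`.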
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ public class ControllerRequest {
private List<String> excludeFolders;
private String override;
private String scmInstance;
private Integer thresholdCritical;
private Integer thresholdHigh;
private Integer thresholdMedium;
private Integer thresholdLow;
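Review bot: The new thresholdCritical field is declared, but nothing in this commit shows it being read where thresholdHigh/thresholdMedium/thresholdLow are turned into the FindingSeverity threshold map, so a critical threshold supplied through the REST request may be accepted and silently ignored; that would let a scan whose only findings are critical pass the threshold gate. Please confirm the consumer of these fields was updated, and add a controller test that sends thresholdCritical together with a result containing a critical finding and asserts the threshold is applied. The accessors are presumably Lombok-generated like the neighbouring fields, so no getter change is needed here. ControllerRequest continues outside the hunk.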
2 changes: 2 additions & 0 deletions src/main/java/com/checkmarx/flow/dto/FlowOverride.java
Expand Up @@ -139,6 +139,8 @@ public String toString() {
@Getter
@Setter
public class Thresholds {
@JsonProperty("CRITICAL")
public Integer critical = null;
@JsonProperty("HIGH")
public Integer high = null;
@JsonProperty("MEDIUM")
Original file line number Diff line number Diff line change
Expand Up @@ -501,6 +501,9 @@ private static void overrideJiraBugProperties(FlowOverride override, BugTracker

private static Map<FindingSeverity, Integer> getThresholdsMap(FlowOverride.Thresholds thresholds) {
Map<FindingSeverity, Integer> map = new EnumMap<>(FindingSeverity.class);
if (thresholds.getCritical() != null) {
map.put(FindingSeverity.CRITICAL, thresholds.getCritical());
}
if (thresholds.getHigh() != null) {
map.put(FindingSeverity.HIGH, thresholds.getHigh());
}
21 changes: 17 additions & 4 deletions src/main/java/com/checkmarx/flow/service/ResultsService.java
Expand Up @@ -196,11 +196,24 @@ public void processResults(ScanRequest request, ScanResults results, ScanDetails
}
}
if (results != null && results.getScanSummary() != null) {
log.info("####Checkmarx Scan Results Summary####");
log.info("Team: {}, Project: {}, Scan-Id: {}", request.getTeam(), request.getProject(), results.getAdditionalDetails().get("scanId"));
log.info(String.format("The vulnerabilities found for the scan are: %s", results.getScanSummary()));
log.info("######## Checkmarx Scan Results Summary ########");
log.info("Team: {}", request.getTeam());
log.info("Project: {}",request.getProject());
log.info("Scan-Id: {}",results.getAdditionalDetails().get("scanId"));
if(cxScannerService.getProperties().getVersion()>=9.7){
log.info("Critical vulnerabilities: {}",results.getScanSummary().getCriticalSeverity());
log.info("High vulnerabilities: {}", results.getScanSummary().getHighSeverity());
log.info("Medium vulnerabilities: {}", results.getScanSummary().getMediumSeverity());
log.info("Low vulnerabilities: {}", results.getScanSummary().getLowSeverity());
log.info("Info vulnerabilities: {}", results.getScanSummary().getInfoSeverity());
}else{
log.info("High vulnerabilities: {}", results.getScanSummary().getHighSeverity());
log.info("Medium vulnerabilities: {}", results.getScanSummary().getMediumSeverity());
log.info("Low vulnerabilities: {}", results.getScanSummary().getLowSeverity());
log.info("Info vulnerabilities: {}", results.getScanSummary().getInfoSeverity());
}
log.info("To view results use following link: {}", results.getLink());
log.info("######################################");
log.info("################################################");
}
if(request.isSbom())
{
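Review bot: The gate `cxScannerService.getProperties().getVersion()>=9.7` compares a product version as a floating-point number, which breaks as soon as a minor version has two digits (a 9.10 would evaluate below 9.7), and if getVersion() returns a boxed Double a missing value unboxes to a NullPointerException in the middle of summary logging; the return type is not visible in the hunk, so please check. Pull 9.7 into a named constant with a comment recording why it is the cutoff, e.g. `private static final double CRITICAL_SEVERITY_MIN_SAST_VERSION = 9.7;`. The else branch duplicates the four High/Medium/Low/Info lines; keep only the critical line conditional, `if (version >= CRITICAL_SEVERITY_MIN_SAST_VERSION) { log.info("Critical vulnerabilities: {}", results.getScanSummary().getCriticalSeverity()); }`, and log the other four unconditionally. processResults starts and ends outside the hunk.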
Original file line number Diff line number Diff line change
Expand Up @@ -156,6 +156,9 @@ private Map<Severity, Integer> convertSeverityMap(Map<FindingSeverity, Integer>

thresholds.entrySet().forEach(entry -> {
switch(entry.getKey()) {
case CRITICAL:
thresholdsSca.put(Severity.CRITICAL, entry.getValue());
break;
case HIGH:
thresholdsSca.put(Severity.HIGH, entry.getValue());
break;
Expand Down Expand Up @@ -277,17 +280,20 @@ private static Map<Severity, Integer> getScaFindingsCountsPerDirectDependencynDe

if(isDirectDependency && !isDevDependency){
log.debug("Calculating Direct Dependency Values.");
countsSeverityMap.put(Severity.CRITICAL, scanResults.getScaResults().getPackages().stream().filter(Package::isIsDirectDependency).mapToInt(Package::getCriticalVulnerabilityCount).sum());
countsSeverityMap.put(Severity.HIGH, scanResults.getScaResults().getPackages().stream().filter(Package::isIsDirectDependency).mapToInt(Package::getHighVulnerabilityCount).sum());
countsSeverityMap.put(Severity.MEDIUM, scanResults.getScaResults().getPackages().stream().filter(Package::isIsDirectDependency).mapToInt(Package::getMediumVulnerabilityCount).sum());
countsSeverityMap.put(Severity.LOW, scanResults.getScaResults().getPackages().stream().filter(Package::isIsDirectDependency).mapToInt(Package::getLowVulnerabilityCount).sum());

}else if(!isDirectDependency && isDevDependency){
log.debug("Calculating Non Development Dependency Values.");
countsSeverityMap.put(Severity.CRITICAL, scanResults.getScaResults().getPackages().stream().filter(o -> !o.isIsDevelopmentDependency()).mapToInt(Package::getCriticalVulnerabilityCount).sum());
countsSeverityMap.put(Severity.HIGH, scanResults.getScaResults().getPackages().stream().filter(o -> !o.isIsDevelopmentDependency()).mapToInt(Package::getHighVulnerabilityCount).sum());
countsSeverityMap.put(Severity.MEDIUM, scanResults.getScaResults().getPackages().stream().filter(o -> !o.isIsDevelopmentDependency()).mapToInt(Package::getMediumVulnerabilityCount).sum());
countsSeverityMap.put(Severity.LOW, scanResults.getScaResults().getPackages().stream().filter(o -> !o.isIsDevelopmentDependency()).mapToInt(Package::getLowVulnerabilityCount).sum());
}else {
log.debug("Calculating Direct and development Dependency Values.");
countsSeverityMap.put(Severity.CRITICAL, scanResults.getScaResults().getPackages().stream().filter(o -> o.isIsDirectDependency() && !o.isIsDevelopmentDependency()).mapToInt(Package::getCriticalVulnerabilityCount).sum());
countsSeverityMap.put(Severity.HIGH, scanResults.getScaResults().getPackages().stream().filter(o -> o.isIsDirectDependency() && !o.isIsDevelopmentDependency()).mapToInt(Package::getHighVulnerabilityCount).sum());
countsSeverityMap.put(Severity.MEDIUM, scanResults.getScaResults().getPackages().stream().filter(o -> o.isIsDirectDependency() && !o.isIsDevelopmentDependency()).mapToInt(Package::getMediumVulnerabilityCount).sum());
countsSeverityMap.put(Severity.LOW, scanResults.getScaResults().getPackages().stream().filter(o -> o.isIsDirectDependency() && !o.isIsDevelopmentDependency()).mapToInt(Package::getLowVulnerabilityCount).sum());
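Review bot: The three new CRITICAL lines copy the existing pattern, so each branch now rebuilds the same filtered stream four times and the three branches differ only in their predicate; a small helper taking the predicate removes the twelve near-identical lines and makes the next severity a one-line change. This assumes getPackages() returns a List<Package> (the SDK type is not visible here) and needs `java.util.function.Predicate` imported in the file. The enclosing method starts before the hunk and its else branch continues past it, so the excerpt below leaves that branch open.
```java
if (isDirectDependency && !isDevDependency) {
    log.debug("Calculating Direct Dependency Values.");
    putVulnerabilityCounts(countsSeverityMap, scanResults.getScaResults().getPackages(), Package::isIsDirectDependency);
} else if (!isDirectDependency && isDevDependency) {
    log.debug("Calculating Non Development Dependency Values.");
    putVulnerabilityCounts(countsSeverityMap, scanResults.getScaResults().getPackages(), o -> !o.isIsDevelopmentDependency());
} else {
    log.debug("Calculating Direct and development Dependency Values.");
    putVulnerabilityCounts(countsSeverityMap, scanResults.getScaResults().getPackages(), o -> o.isIsDirectDependency() && !o.isIsDevelopmentDependency());
    // … unchanged: remainder of the else branch …

/**
 * Sums the per-package vulnerability counts of the packages accepted by {@code selector}
 * into {@code counts}, one entry per severity (CRITICAL, HIGH, MEDIUM, LOW).
 */
private static void putVulnerabilityCounts(Map<Severity, Integer> counts, List<Package> packages, Predicate<Package> selector) {
    counts.put(Severity.CRITICAL, packages.stream().filter(selector).mapToInt(Package::getCriticalVulnerabilityCount).sum());
    counts.put(Severity.HIGH, packages.stream().filter(selector).mapToInt(Package::getHighVulnerabilityCount).sum());
    counts.put(Severity.MEDIUM, packages.stream().filter(selector).mapToInt(Package::getMediumVulnerabilityCount).sum());
    counts.put(Severity.LOW, packages.stream().filter(selector).mapToInt(Package::getLowVulnerabilityCount).sum());
}
```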
2 changes: 1 addition & 1 deletion src/main/java/com/checkmarx/flow/utils/ScanUtils.java
Expand Up @@ -164,7 +164,7 @@ public static List<ScanResults.XIssue> scaToXIssues(SCAResults scaResults) {
List<ScanResults.XIssue> issueList = new ArrayList<>();

List<Finding> findings = scaResults.getFindings();
EnumSet.range(Filter.Severity.HIGH, Filter.Severity.LOW)
EnumSet.range(Filter.Severity.CRITICAL, Filter.Severity.LOW)
.forEach(s -> {
List<Finding> findingsListBySeverity = getFindingsListBySeverity(findings, s);
Map<String, List<Finding>> packageMap = findingsListBySeverity.stream()
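Review bot: `EnumSet.range(Filter.Severity.CRITICAL, Filter.Severity.LOW)` is only valid if Filter.Severity declares CRITICAL before LOW; that enum lives in the CxSBSDK dependency this commit bumps to 0.6.7 and is not visible here, and if CRITICAL is declared after LOW the call throws IllegalArgumentException at runtime rather than failing at compile time. `EnumSet.of(Filter.Severity.CRITICAL, Filter.Severity.HIGH, Filter.Severity.MEDIUM, Filter.Severity.LOW)` states the intent (everything except INFO, presumably) without depending on declaration order and still iterates in ordinal order. scaToXIssues continues outside the hunk.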
Original file line number Diff line number Diff line change
Expand Up @@ -161,6 +161,7 @@ private void setDefaultFindings(){
List<Map<String, String>> findings= new ArrayList<>();
Map<String, String> map = new HashMap<>();
map.put("name", DEFAULT_FINDINGS_CONFIG);
map.put("critical",DEFAULT_THRESHOLDS_LIMIT);
map.put("high", DEFAULT_THRESHOLDS_LIMIT);
map.put("medium", DEFAULT_THRESHOLDS_LIMIT);
map.put("low", DEFAULT_THRESHOLDS_LIMIT);
Expand Down Expand Up @@ -284,7 +285,7 @@ private SCAResults getFakeSCAResults(String findingsName) {
Map<String, String> specMap = findingsDefs.stream()
.filter(findingsDef -> findingsDef.get("name").equals(findingsName)).findAny().get();

EnumSet.allOf(Severity.class).forEach(severity -> {
EnumSet.range(Severity.LOW,Severity.HIGH).forEach(severity -> {
String spec = specMap.get(severity.name().toLowerCase());
log.info("{}-spec: {}", severity, spec);

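Review bot: Narrowing `EnumSet.allOf(Severity.class)` to `EnumSet.range(Severity.LOW,Severity.HIGH)` drops CRITICAL from the fake SCA results unless it happens to be declared between LOW and HIGH, so the "critical" entry added to the default findings map in the first hunk is never read and the critical-threshold path this commit introduces is not exercised by these fakes. The commit message ("Updated Test cases as getting medium count 13") suggests the range was narrowed to restore the previous counts rather than to extend the expectations. Prefer keeping allOf and adjusting the expected counts, or at least `EnumSet.of(Severity.LOW, Severity.MEDIUM, Severity.HIGH, Severity.CRITICAL)` so the selection is explicit and independent of declaration order. getFakeSCAResults continues outside the hunk.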
