ASA 8404 (#218) #220
ASA 8404 (#218) #220
Conversation
Include-SCA implementation
There was a problem hiding this comment.
I understand that a lot of the changes here were made in order to run 2 scans at once (i.e. call the perform method twice). However, there is a lot of if/else/if/else logic that's hard to follow and there are a lot of classes (e.g. AppScanBuildStep, ResultsRetriever) that now have specific knowledge of different types of scans.
One solution to these problems would be to create a new type of scan that will run both a SAST and SCA scan.
| public boolean hasOptions() { | ||
| return m_hasOptions; | ||
| } | ||
|
|
There was a problem hiding this comment.
The methods getHasOptionsUploadDirect() and hasOptionsUploadDirect() do the same thing. Why do we have 2 methods? Also, upload direct is specific to SAST scans, so why are these methods being added to the Scanner base class that is used by DAST and SCA, as well?
There was a problem hiding this comment.
Okay sure, added the "hasOptionsUploadDirect()" methods in the StaticAnalyzer class.
| } | ||
|
|
||
| public boolean getHasOptions() { | ||
| return m_hasOptions; | ||
| } | ||
|
|
||
| public boolean hasOptions() { |
There was a problem hiding this comment.
This method returns the same thing as the existing method getHasOptions(). Why do we need it?
There was a problem hiding this comment.
"hasOptions" was used as a checker method in the jelly files. Now, using the getHasOptions() itself in the jelly files too.
| @@ -23,15 +23,29 @@ public abstract class Scanner extends AbstractDescribableImpl<Scanner> implement | |||
|
|
|||
| private String m_target; | |||
| private boolean m_hasOptions; | |||
| private boolean m_hasOptionsUploadDirect; | |||
There was a problem hiding this comment.
Why are we adding a SAST specific property to the base Scanner class?
There was a problem hiding this comment.
Moving this property to the StaticAnalyzer class.
| @@ -235,11 +236,33 @@ public boolean getPersonalScan() { | |||
| public DescriptorImpl getDescriptor() { | |||
| return (DescriptorImpl)super.getDescriptor(); | |||
| } | |||
|
|
|||
| //to execute SAST & SCA scans consecutively, 1st perform method call to execute SAST then after changing the scan type to SCA | |||
| private void includeSCAImplementation(AbstractBuild<?,?> build, Launcher launcher, BuildListener listener) throws IOException, InterruptedException { | |||
There was a problem hiding this comment.
These checks are all specific to StaticAnalyzer to see if we should only run SCA or if we should include SCA. I suggest moving all of these checks to the StaticAnalyzer.getProperties() method. If necessary, the getProperties() method can be overloaded with a version that takes in an IAuthenticationProvider for doing any checks that require it.
There was a problem hiding this comment.
Moved the validations in the respective scan classes by adding an "validations()" method in the abstract class.
| @@ -309,6 +338,8 @@ private void validations(boolean isAppScan360, Map<String, String> properties, I | |||
| if(isAppScan360) { | |||
| if (m_type.equals(Scanner.DYNAMIC_ANALYZER) && properties.containsKey(Scanner.PRESENCE_ID)) { | |||
| throw new AbortException(Messages.error_presence_AppScan360()); | |||
| } if(properties.containsKey(CoreConstants.INCLUDE_SCA)) { | |||
There was a problem hiding this comment.
Can all of these validations be moved to the getProperties() method of the individual scanners?
There was a problem hiding this comment.
Moved the validations in the respective scan classes by adding an "validations()" method in the abstract class.
| @@ -48,4 +61,55 @@ private boolean exceedsThreshold(String type, int threshold) { | |||
| return false; | |||
| } | |||
| } | |||
|
|
|||
There was a problem hiding this comment.
The additional code in this method requires the ResultsInspector to be aware of different types of scans. I suggest doing this differently. Some options would be:
- Subclassing the ResultsInspector (e.g. create a new CombinedResultsInspector).
- Using 2 ResultsInpector instances.
- Creating a new type of IResultsProvider that can handle 2 sets of results.
- Updating the existing NonCompliantIssuesResultProvider to handle 2 sets of results.
There was a problem hiding this comment.
I have created a new class "CombinedResultsInspector" which is being extended from the base "ResultsInspector" class.
| @@ -328,89 +364,122 @@ private void validations(boolean isAppScan360, Map<String, String> properties, I | |||
| throw new AbortException(Messages.error_url_validation(target)); | |||
| } | |||
| } | |||
|
|
|||
| private String updatedScanTypesForBuildSummaryName(String scanType) { | |||
There was a problem hiding this comment.
Rather than having the AppScanBuildStep figure out this logic, I suggest adding a new method to the Scanner class. Something like getShortName() that returns these values.
There was a problem hiding this comment.
If i add this method in the Scanner class from which i have to call this method in respective scan class. During the inlcudeSCA(SAST+SCA) execution, I have to call this method during runtime as i am utilizing the same properties in the SCA scan runtime.
There was a problem hiding this comment.
I can define this method in the Utils class of the SDK.
| super(target, hasOptions); | ||
| m_openSourceOnly=false; | ||
| m_sourceCodeOnly=false; | ||
| m_scanMethod=CoreConstants.CREATE_IRX; | ||
| m_scanSpeed=""; | ||
| } | ||
| m_includeSCAGenerateIRX="true"; |
There was a problem hiding this comment.
Is there a reason we need both m_includeSCAGenerateIRX and m_includeSCAUploadDirect? Shouldn't there just be m_includeSCA and m_uploadDirect?
There was a problem hiding this comment.
I think it is better to have two different names for these checkbox as the position of these checks are different in jelly file, it will hamper the value of the checkbox if one of the check is false.
| @@ -38,7 +40,9 @@ public String getTarget() { | |||
| } | |||
|
|
|||
| public abstract Map<String, String> getProperties(VariableResolver<String> resolver) throws AbortException; | |||
|
|
|||
|
|
|||
| public abstract void validations(IAuthenticationProvider authProvider, Map<String, String> properties, IProgress progress) throws AbortException; | |||
There was a problem hiding this comment.
The function name should be a verb, like "validate" or "validateSettings".
There was a problem hiding this comment.
Okay, Now, Using the "validateSettings()" method name.
| @@ -38,7 +40,9 @@ public String getTarget() { | |||
| } | |||
|
|
|||
| public abstract Map<String, String> getProperties(VariableResolver<String> resolver) throws AbortException; | |||
|
|
|||
|
|
|||
| public abstract void validations(IAuthenticationProvider authProvider, Map<String, String> properties, IProgress progress) throws AbortException; | |||
There was a problem hiding this comment.
In all instances, the IAuthenticationProvider is being passed in and then cast to a JenkinsAuthenticationProvider just to check if this is AppScan 360. Why not just pass a boolean here instead?
There was a problem hiding this comment.
In DynamicAnalyzer class we are doing the URL validity check & for that we need to call the getProxy() method from authProvider class. Instead of passing the IAuthenticationProvider, I will pass the JenkinsAuthenaticationProvider itself.
| @@ -196,8 +198,18 @@ public String upgradeLoginScenario(){ | |||
| } | |||
| } | |||
|
|
|||
| public void validations(IAuthenticationProvider authProvider, Map<String, String> properties, IProgress progress) throws AbortException { | |||
| if (((JenkinsAuthenticationProvider) authProvider).isAppScan360()) { | |||
There was a problem hiding this comment.
The 2 "if" conditions should be "anded" together rather than nesting them.
There was a problem hiding this comment.
okay, sure.
| @@ -10,14 +10,13 @@ | |||
|
|
|||
| import com.hcl.appscan.sdk.results.IResultsProvider; | |||
|
|
|||
| public class ResultsInspector { | |||
| public class ResultsInspector extends CombinedResultsInspector { | |||
There was a problem hiding this comment.
Why does the ResultsInspector extend the CombinedResultsInseptor? It seems this should be the other way around, where the CombinedResultsInspector adds to the logic of the ResultsInspector.
There was a problem hiding this comment.
Removed the CombinedResultsInspector class as we are now handling the results in the SDK.
| import java.util.List; | ||
| import java.util.Map; | ||
|
|
||
| public class CombinedResultsInspector { |
There was a problem hiding this comment.
The results inspector should not require knowledge of the scan type or issue types (there are mentions of totalCountSAST for example).
There was a problem hiding this comment.
Removed the CombinedResultsInspector class as we are now handling the results in the SDK.
| perform((Run<?,?>)build, launcher, listener); | ||
| return true; | ||
|
|
||
| //to execute SAST & SCA scans consecutively, 1st perform method call to execute SAST then after changing the scan type to SCA |
There was a problem hiding this comment.
Rather than having all of these checks for SCA and SAST and rather than trying to execute the perform() method twice, we should create a new scanner type in the SDK that will execute both a SAST scan and an SCA scan. That would eliminate the need for most, if not all, of these changes.
There was a problem hiding this comment.
SAST_SCA class had been made in the SDK to handle the SAST+SCA scans execution.
| @@ -151,7 +151,7 @@ public File getReport() { | |||
| } | |||
|
|
|||
| private String getReportName() { | |||
| String name = (getScanType() + FileUtil.getValidFilename(getName())).replaceAll(" ", ""); //$NON-NLS-1$ //$NON-NLS-2$ | |||
| String name = (FileUtil.getValidFilename(getName())).replaceAll(" ", ""); //$NON-NLS-1$ //$NON-NLS-2$ | |||
There was a problem hiding this comment.
The extra ( ) should be removed around the FileUtil.getValidFileName() call.
There was a problem hiding this comment.
sure, Matt.
| warning.sca= Note: AppScan on Cloud (ASoC) now performs SAST and SCA analysis as separate scans. To execute an open-source only scan, use the Software Composition Analysis (SCA) scan type. The open-source only option will be removed from SAST scans in a future release. | ||
| error.url.dynamic.unsupported= Either your A360 instance does not support dynamic scans or the starting URL is invalid: {0}. | ||
| warning.sca= AppScan on Cloud (ASoC) now performs SAST and SCA analysis as separate scans. To execute an open-source only scan, use the Software Composition Analysis (SCA) scan type. | ||
| warning.include.sca.AppScan360= Only SAST scan execution takes place as SCA is applicable for AppScan on Cloud only. |
There was a problem hiding this comment.
Can you run these new messages by Jen?
There was a problem hiding this comment.
I have reviewed the attached statement with Binoy, updating the warning message to "Only the SAST scan is being executed. SCA is only available with AppScan on Cloud and is not included in this job"
| @@ -28,31 +32,40 @@ public class StaticAnalyzer extends Scanner { | |||
| private static final String STATIC_ANALYZER = "Static Analyzer"; //$NON-NLS-1$ | |||
|
|
|||
| private boolean m_openSourceOnly; | |||
| private String m_includeSCAGenerateIRX; | |||
| private boolean m_additionalOptionsUploadDirect; | |||
| private boolean m_includeSCAUploadDirect; | |||
There was a problem hiding this comment.
I think we can simplify this with shorter variable names and we only need 2 new member variables:
private boolean m_includeSCA;
private boolean m_uploadDirect;
The value of m_includeSCAGenerateIRX is just m_includeSCA && !m_uploadDirect. Likewise, the value of m_includeSCAUploadDirect is just m_includeSCA && m_uploadDirect. So I don't think we need a third variable here.
There was a problem hiding this comment.
Matt, Are you referring that we should use the same name for both the checkbox(under "generateIRX" & "upload Files & folders" scan menthod) in config file?
- There is difference in the UI names for the both the checkboxes.
- Third variable is for the value of the optionalBlock checkbox under the "upload files & folders" scan method. We can remove that optionalBlock as it contains only 1 element into it.
There was a problem hiding this comment.
I have changed the variable name for the additional option under "upload Files & folders" scan method. New variable name would be "m_hasOptionsUploadDirect".
Also, changed the variable type of the "m_includeSCAUploadDirect" to String so that we have a parity between the both checkboxes of "includeSCA".
|
|
||
| @DataBoundSetter | ||
| public void setIncludeSCAGenerateIRX(String includeSCAGenerateIRX) { | ||
| if(getHasOptions() && includeSCAGenerateIRX.equals("true")) { |
There was a problem hiding this comment.
This can be simplified to:
return getHashOptions() && Boolean.parseBoolean(includeSCAGenerateIRX);
|
|
||
| @DataBoundSetter | ||
| public void setIncludeSCAUploadDirect(String includeSCAUploadDirect) { | ||
| if(m_hasOptionsUploadDirect && includeSCAUploadDirect.equals("true")) { |
There was a problem hiding this comment.
Should use Boolean.parseBoolean(string).
There was a problem hiding this comment.
Okay, sure.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
src/main/java/com/hcl/appscan/jenkins/plugin/scanners/StaticAnalyzer.java
Dismissed
Show dismissed
Hide dismissed
src/main/java/com/hcl/appscan/jenkins/plugin/scanners/StaticAnalyzer.java
Dismissed
Show dismissed
Hide dismissed
src/main/java/com/hcl/appscan/jenkins/plugin/scanners/StaticAnalyzer.java
Dismissed
Show dismissed
Hide dismissed
src/main/java/com/hcl/appscan/jenkins/plugin/scanners/StaticAnalyzer.java
Dismissed
Show dismissed
Hide dismissed
Include-SCA implementation