ASA-9110 #228

Merged: 9 commits, Sep 24, 2024

Conversation

vishalhcl-5960 (Collaborator) wrote:

Active subscription check before the execution of scan.

@@ -249,5 +254,13 @@
}
return FormValidation.ok();
}

public FormValidation doCheckTarget(@RelativePath("..") @QueryParameter String credentials, @AncestorInPath ItemGroup<?> context, @QueryParameter String presenceId) {
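Review bot: The new `doCheckTarget` signature has no permission check and no `@POST`, yet it is a Stapler web method reachable by anyone who can load the form and it takes `credentials` via `@RelativePath("..")` plus an `ItemGroup` context. Before using either, check `Item.CONFIGURE` on the context (cast to `AccessControlled`) or `Jenkins.ADMINISTER` when the context is null, and annotate the method `@POST` so a crafted GET link cannot trigger the subscription lookup. `presenceId` is also bound from the form here but nothing in the hunk uses it; drop the parameter rather than accept extra request input for no purpose.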

Code scanning / Jenkins Security Scan, Stapler: Missing permission check (Warning): Potential missing permission check in DescriptorImpl#doCheckTarget

Code scanning / Jenkins Security Scan, Stapler: Missing POST/RequirePOST annotation (Warning): Potential CSRF vulnerability: If DescriptorImpl#doCheckTarget connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
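The two scan findings above are the standard Jenkins hardening points for a Stapler `doCheck*` method. The block below is an added example written for this page, not code from the plugin: a plain class standing in for `DescriptorImpl`, with the unguarded shape of `doCheckTarget` as flagged next to a hardened version. `SubscriptionClient` and its `hasActiveSubscription` method are hypothetical stand-ins for whatever remote entitlement lookup the PR performs; the scan-type label and error text are assumed.

```java
import hudson.model.Item;
import hudson.model.ItemGroup;
import hudson.security.AccessControlled;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.RelativePath;
import org.kohsuke.stapler.verb.POST;

// Added example, not the plugin's code. SubscriptionClient is a hypothetical
// stand-in for the remote entitlement lookup the PR adds before a scan runs.
final class SubscriptionClient {
    static boolean hasActiveSubscription(String credentialsId, String scanType) {
        // Assumption: resolves credentialsId and asks the service whether the
        // account holds an active subscription for scanType.
        return true;
    }
}

// Stands in for DescriptorImpl; only the two web methods matter here.
public class DescriptorExample {

    // BEFORE (the shape the scanner flags): callable with a plain GET by any
    // user who can reach the form, and the remote lookup happens before any
    // authorization decision.
    public FormValidation doCheckTargetUnguarded(@RelativePath("..") @QueryParameter String credentials,
                                                 @AncestorInPath ItemGroup<?> context) {
        if (!SubscriptionClient.hasActiveSubscription(credentials, "DAST")) {
            return FormValidation.error("You do not have a subscription for the selected scan type.");
        }
        return FormValidation.ok();
    }

    // AFTER: POST only (so the CSRF crumb is enforced), authorization checked
    // against the job being configured, and no remote call until there is a
    // credentials id worth looking up.
    @POST
    public FormValidation doCheckTarget(@RelativePath("..") @QueryParameter String credentials,
                                        @AncestorInPath ItemGroup<?> context) {
        if (context instanceof AccessControlled) {
            // Folders and the Jenkins root implement AccessControlled; throws
            // AccessDeniedException for users who cannot configure this item group.
            ((AccessControlled) context).checkPermission(Item.CONFIGURE);
        } else {
            // No usable context (e.g. global configuration): require admin.
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        }
        if (credentials == null || credentials.trim().isEmpty()) {
            // Nothing selected yet: do not turn the validator into a free probe
            // of the subscription service.
            return FormValidation.ok();
        }
        if (!SubscriptionClient.hasActiveSubscription(credentials, "DAST")) {
            return FormValidation.error("You do not have a subscription for the selected scan type.");
        }
        return FormValidation.ok();
    }
}
```

The cast is needed because `ItemGroup` itself is not `AccessControlled`; folders and the Jenkins root are. For the `@POST` form to work from the configuration page, the field in the Jelly view must submit its validation as POST (`checkMethod="post"`, which current Jenkins cores use by default), so legitimate users see no difference while a GET from a crafted link is rejected.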
@@ -33,6 +33,9 @@ warning.asoc.certificates = Allowing Untrusted Connections is not applied to thi
error.application.empty.ui = Application list is empty. Please check the credentials for service connection.
error.url.validation.ui = Unless this is a private network, please verify your domain.
error.url.validation = An error occurred while validating the Starting URL: {0}.
error.dast.subscription.validation= You don't have a valid DAST subscription.
error.sast.subscription.validation= You don't have a valid SAST subscription.
error.sca.subscription.validation= You don't have a valid SCA subscription.
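Review bot: The three new keys differ only in the scan-type word, so one parameterized message (for example `error.subscription.validation = You do not have a valid {0} subscription.`) would keep the wording from drifting apart across DAST, SAST and SCA. The new lines also omit the spaces around `=` that `error.url.validation = ...` directly above uses, and the contraction `don't` reads less formally than the surrounding messages.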
Contributor:
I suggest combining these 3 strings into a single string that takes an input. For example:
error.subscription.invalid=You don't have a valid {0} subscription.

Collaborator (Author):
Sure, I will use only 2 statements, one for the backend validation message and the other for the UI.

@@ -249,5 +254,13 @@ public FormValidation doCheckIncludeSCAUploadDirect(@QueryParameter String inclu
}
return FormValidation.ok();
}

public FormValidation doCheckTarget(@RelativePath("..") @QueryParameter String credentials, @AncestorInPath ItemGroup<?> context, @QueryParameter String presenceId) {
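Review bot: Stapler wires `doCheckTarget` to edits of the `target` field, but this signature never receives `target`, so the field's own value is not validated here; every change to `target` instead fires a credentials and subscription lookup. Either accept `@QueryParameter String target` and validate it, or move the entitlement check to a method whose name matches the field it depends on. `presenceId` is bound but unused in the visible hunk and should go.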
Collaborator:
Why do you need Presence in the check?

Collaborator (Author):
Removed the unused arguments.

@@ -60,8 +65,11 @@
return "Software Composition Analysis (SCA)";
}

public FormValidation doCheckTarget(@QueryParameter String target, @RelativePath("..") @QueryParameter String credentials, @AncestorInPath ItemGroup<?> context) {
public FormValidation doCheckTarget(@RelativePath("..") @QueryParameter String credentials, @AncestorInPath ItemGroup<?> context) {
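Review bot: Dropping `@QueryParameter String target` from `doCheckTarget` leaves a validator named for the `target` field that no longer sees the field's value, so each edit of `target` now does only the credentials and subscription lookup, a remote call triggered from an endpoint that, as the scan warnings on this hunk note, has neither a permission check nor `@POST`. Keep `target` and validate it, or rename the method after the field it actually depends on; in both cases gate it with `@POST` and an `Item.CONFIGURE` check before any network access.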

Code scanning / Jenkins Security Scan, Stapler: Missing permission check (Warning): Potential missing permission check in DescriptorImpl#doCheckTarget

Code scanning / Jenkins Security Scan, Stapler: Missing POST/RequirePOST annotation (Warning): Potential CSRF vulnerability: If DescriptorImpl#doCheckTarget connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
@@ -192,7 +196,9 @@ public void validateSettings(JenkinsAuthenticationProvider authProvider, Map<Str
progress.setStatus(new Message(Message.WARNING, Messages.warning_include_sca_AppScan360()));
properties.remove(CoreConstants.INCLUDE_SCA);
}
} else if(properties.containsKey(CoreConstants.INCLUDE_SCA) && !ServiceUtil.hasScaEntitlement(authProvider)) {
}
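Review bot: The `} else if(properties.containsKey(CoreConstants.INCLUDE_SCA) && !ServiceUtil.hasScaEntitlement(authProvider)) {` line followed by a lone `}` reads as the SCA entitlement check being detached from the `else if` chain into a stand-alone `if`; once detached, a run that already took the AppScan360 branch above (which sets the `warning_include_sca_AppScan360` status) can evaluate the entitlement branch too and emit a second SCA status message. Keep it chained as `else if`. Minor style: `if(` should be `if (` to match the surrounding code.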
Contributor:
Is there a reason this was made an "if" as opposed to the previous "else if"? I think we want it to be "else if" because with this change, an AppScan 360 user will get 2 warnings about SCA.

vishalhcl-5960 (Collaborator, Author), Sep 12, 2024:
Yeah, got the scenario, reverting the changes.

@@ -33,6 +33,8 @@ warning.asoc.certificates = Allowing Untrusted Connections is not applied to thi
error.application.empty.ui = Application list is empty. Please check the credentials for service connection.
error.url.validation.ui = Unless this is a private network, please verify your domain.
error.url.validation = An error occurred while validating the Starting URL: {0}.
error.active.subscription.validation = You do not have a valid {0} subscription.
error.active.subscription.validation.ui = You do not have subscription for selected scan type.
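Review bot: `error.active.subscription.validation.ui` is missing its articles and should read `You do not have a subscription for the selected scan type.` For `error.active.subscription.validation`, make sure the caller fills `{0}` with the user-facing scan-type label (DAST, SAST, SCA) rather than an internal property key, since the string is shown to the user.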
Contributor:
Can you update this string to be:
"You do not have a subscription for the selected scan type."

Collaborator (Author):
Okay, sure Matt.

@vishalhcl-5960 vishalhcl-5960 merged commit 5524dca into master Sep 24, 2024
3 checks passed
@vishalhcl-5960 vishalhcl-5960 deleted the ASA-9110 branch September 24, 2024 16:18
3 participants