From c339f32d9795fab2edee21041fc6bf4b9856b418 Mon Sep 17 00:00:00 2001
From: thtri
Date: Fri, 21 Jul 2023 06:46:25 +0200
Subject: [PATCH] fix(checkmarxOne): changed json report (#4478)
* fix(checkmarxOne): changed json report
---
 cmd/checkmarxOneExecuteScan.go | 4 +-
 cmd/checkmarxOneExecuteScan_generated.go | 6 +-
 pkg/checkmarxone/reporting.go | 114 ++++++++++--------
 pkg/checkmarxone/reporting_test.go | 67 ++--------
 .../metadata/checkmarxOneExecuteScan.yaml | 2 +-
 5 files changed, 80 insertions(+), 113 deletions(-)
diff --git a/cmd/checkmarxOneExecuteScan.go b/cmd/checkmarxOneExecuteScan.go
index 30f6023e31..4ce451cedc 100644
--- a/cmd/checkmarxOneExecuteScan.go
+++ b/cmd/checkmarxOneExecuteScan.go
@@ -670,7 +670,7 @@ func (c *checkmarxOneExecuteScanHelper) getDetailedResults(scan *checkmarxOne.Sc
 resultMap["LinesOfCodeScanned"] = scanmeta.LOC
 resultMap["FilesScanned"] = scanmeta.FileCount
- resultMap["CheckmarxVersion"] = "Cx1 Gap: No API for this"
+ resultMap["ToolVersion"] = "Cx1 Gap: No API for this"
 if scanmeta.IsIncremental {
 resultMap["ScanType"] = "Incremental"
@@ -1076,7 +1076,7 @@ func (c *checkmarxOneExecuteScanHelper) reportToInflux(results *map[string]inter
 c.influx.checkmarxOne_data.fields.scan_time = (*results)["ScanTime"].(string)
 c.influx.checkmarxOne_data.fields.lines_of_code_scanned = (*results)["LinesOfCodeScanned"].(int)
 c.influx.checkmarxOne_data.fields.files_scanned = (*results)["FilesScanned"].(int)
- c.influx.checkmarxOne_data.fields.checkmarxOne_version = (*results)["CheckmarxVersion"].(string)
+ c.influx.checkmarxOne_data.fields.tool_version = (*results)["ToolVersion"].(string)
 c.influx.checkmarxOne_data.fields.scan_type = (*results)["ScanType"].(string)
 c.influx.checkmarxOne_data.fields.preset = (*results)["Preset"].(string)
 c.influx.checkmarxOne_data.fields.deep_link = (*results)["DeepLink"].(string)
diff --git a/cmd/checkmarxOneExecuteScan_generated.go b/cmd/checkmarxOneExecuteScan_generated.go
index 02477456d9..dfcc4d6fca 100644
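Review bot: The new line `c.influx.checkmarxOne_data.fields.tool_version = (*results)["ToolVersion"].(string)` keeps the one-value type assertion, so if the key is ever absent the step panics while writing the report instead of failing with a message, and that risk is raised by this very commit: the key is a bare string literal here and again in `getDetailedResults` in the first hunk, and the compiler cannot tell whether the rename reached both sites. Declaring the key once (`const resultKeyToolVersion = "ToolVersion"`, used at both sites) and reading it with the two-value form, `v, ok := (*results)[resultKeyToolVersion].(string)`, turns a missed rename into a compile error or a handled miss. The sibling assignments in the hunk share the same pattern; reportToInflux begins and ends outside it.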
--- a/cmd/checkmarxOneExecuteScan_generated.go +++ b/cmd/checkmarxOneExecuteScan_generated.go @@ -111,7 +111,7 @@ type checkmarxOneExecuteScanInflux struct { group_full_path_on_report_date string scan_start string scan_time string - checkmarxOne_version string + tool_version string scan_type string preset string deep_link string @@ -169,7 +169,7 @@ func (i *checkmarxOneExecuteScanInflux) persist(path, resourceName string) { {valType: config.InfluxField, measurement: "checkmarxOne_data", name: "group_full_path_on_report_date", value: i.checkmarxOne_data.fields.group_full_path_on_report_date}, {valType: config.InfluxField, measurement: "checkmarxOne_data", name: "scan_start", value: i.checkmarxOne_data.fields.scan_start}, {valType: config.InfluxField, measurement: "checkmarxOne_data", name: "scan_time", value: i.checkmarxOne_data.fields.scan_time}, - {valType: config.InfluxField, measurement: "checkmarxOne_data", name: "checkmarxOne_version", value: i.checkmarxOne_data.fields.checkmarxOne_version}, + {valType: config.InfluxField, measurement: "checkmarxOne_data", name: "tool_version", value: i.checkmarxOne_data.fields.tool_version}, {valType: config.InfluxField, measurement: "checkmarxOne_data", name: "scan_type", value: i.checkmarxOne_data.fields.scan_type}, {valType: config.InfluxField, measurement: "checkmarxOne_data", name: "preset", value: i.checkmarxOne_data.fields.preset}, {valType: config.InfluxField, measurement: "checkmarxOne_data", name: "deep_link", value: i.checkmarxOne_data.fields.deep_link}, 
@@ -832,7 +832,7 @@ func checkmarxOneExecuteScanMetadata() config.StepData { Type: "influx", Parameters: []map[string]interface{}{ {"name": "step_data", "fields": []map[string]string{{"name": "checkmarxOne"}}}, - {"name": "checkmarxOne_data", "fields": []map[string]string{{"name": "high_issues"}, {"name": "high_not_false_postive"}, {"name": "high_not_exploitable"}, {"name": "high_confirmed"}, {"name": "high_urgent"}, {"name": "high_proposed_not_exploitable"}, {"name": "high_to_verify"}, {"name": "medium_issues"}, {"name": "medium_not_false_postive"}, {"name": "medium_not_exploitable"}, {"name": "medium_confirmed"}, {"name": "medium_urgent"}, {"name": "medium_proposed_not_exploitable"}, {"name": "medium_to_verify"}, {"name": "low_issues"}, {"name": "low_not_false_postive"}, {"name": "low_not_exploitable"}, {"name": "low_confirmed"}, {"name": "low_urgent"}, {"name": "low_proposed_not_exploitable"}, {"name": "low_to_verify"}, {"name": "information_issues"}, {"name": "information_not_false_postive"}, {"name": "information_not_exploitable"}, {"name": "information_confirmed"}, {"name": "information_urgent"}, {"name": "information_proposed_not_exploitable"}, {"name": "information_to_verify"}, {"name": "lines_of_code_scanned"}, {"name": "files_scanned"}, {"name": "initiator_name"}, {"name": "owner"}, {"name": "scan_id"}, {"name": "project_id"}, {"name": "projectName"}, {"name": "group"}, {"name": "group_full_path_on_report_date"}, {"name": "scan_start"}, {"name": "scan_time"}, {"name": "checkmarxOne_version"}, {"name": "scan_type"}, {"name": "preset"}, {"name": "deep_link"}, {"name": "report_creation_time"}}}, + {"name": "checkmarxOne_data", "fields": []map[string]string{{"name": "high_issues"}, {"name": "high_not_false_postive"}, {"name": "high_not_exploitable"}, {"name": "high_confirmed"}, {"name": "high_urgent"}, {"name": "high_proposed_not_exploitable"}, {"name": "high_to_verify"}, {"name": "medium_issues"}, {"name": "medium_not_false_postive"}, {"name": 
"medium_not_exploitable"}, {"name": "medium_confirmed"}, {"name": "medium_urgent"}, {"name": "medium_proposed_not_exploitable"}, {"name": "medium_to_verify"}, {"name": "low_issues"}, {"name": "low_not_false_postive"}, {"name": "low_not_exploitable"}, {"name": "low_confirmed"}, {"name": "low_urgent"}, {"name": "low_proposed_not_exploitable"}, {"name": "low_to_verify"}, {"name": "information_issues"}, {"name": "information_not_false_postive"}, {"name": "information_not_exploitable"}, {"name": "information_confirmed"}, {"name": "information_urgent"}, {"name": "information_proposed_not_exploitable"}, {"name": "information_to_verify"}, {"name": "lines_of_code_scanned"}, {"name": "files_scanned"}, {"name": "initiator_name"}, {"name": "owner"}, {"name": "scan_id"}, {"name": "project_id"}, {"name": "projectName"}, {"name": "group"}, {"name": "group_full_path_on_report_date"}, {"name": "scan_start"}, {"name": "scan_time"}, {"name": "tool_version"}, {"name": "scan_type"}, {"name": "preset"}, {"name": "deep_link"}, {"name": "report_creation_time"}}}, }, }, { diff --git a/pkg/checkmarxone/reporting.go b/pkg/checkmarxone/reporting.go index a8fbd72042..944ab67c4f 100644 --- a/pkg/checkmarxone/reporting.go +++ b/pkg/checkmarxone/reporting.go @@ -5,7 +5,6 @@ import ( "crypto/sha1" "encoding/json" "fmt" - "math" "path/filepath" "strings" "time" 
@@ -19,32 +18,32 @@ import (
 )
 type CheckmarxOneReportData struct {
- ToolName string `json:"toolName"`
- ProjectName string `json:"projectName"`
- ProjectID string `json:"projectID"`
- ScanID string `json:"scanID"`
- GroupName string `json:"groupName"`
- GroupPath string `json:"groupPath"`
- DeepLink string `json:"deepLink"`
- Preset string `json:"preset"`
- CheckmarxVersion string `json:"checkmarxVersion"`
- ScanType string `json:"scanType"`
- HighTotal int `json:"highTotal"`
- HighAudited int `json:"highAudited"`
- MediumTotal int `json:"mediumTotal"`
- MediumAudited int `json:"mediumAudited"`
- LowTotal int `json:"lowTotal"`
- LowAudited int `json:"lowAudited"`
- InformationTotal int `json:"informationTotal"`
- InformationAudited int `json:"informationAudited"`
- IsLowPerQueryAudited bool `json:"isLowPerQueryAudited"`
- LowPerQuery *[]LowPerQuery `json:"lowPerQuery"`
+ ToolName string `json:"toolName"`
+ ToolVersion string `json:"toolVersion"`
+ ProjectName string `json:"projectName"`
+ ProjectID string `json:"projectID"`
+ ScanID string `json:"scanID"`
+ ApplicationName string `json:"applicationName"`
+ ApplicationID string `json:"applicationID"`
+ GroupName string `json:"groupName"`
+ GroupID string `json:"groupID"`
+ DeepLink string `json:"deepLink"`
+ Preset string `json:"preset"`
+ ScanType string `json:"scanType"`
+ Findings *[]Finding `json:"findings"`
+}
+
+type Finding struct {
+ ClassificationName string `json:"classificationName"`
+ Total int `json:"total,omitempty"`
+ Audited *int `json:"audited,omitempty"`
+ LowPerQuery *[]LowPerQuery `json:"categories,omitempty"`
 }
 type LowPerQuery struct {
- QueryName string `json:"query"`
- Audited int `json:"audited"`
+ QueryName string `json:"name"`
 Total int `json:"total"`
+ Audited int `json:"audited"`
 }
 func CreateCustomReport(data *map[string]interface{}, insecure, neutral []string) reporting.ScanReport {
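Review bot: The `omitempty` option on `Total int` in the new `Finding` struct drops the `total` key whenever a classification has zero findings, while `Audited *int` is a pointer that the builder always sets and is therefore still emitted as `0`, so a clean scan serializes as `{"classificationName":"High","audited":0}` and a consumer cannot distinguish "no findings" from "total not reported". Removing `omitempty` from `Total` (or making it `*int` like `Audited`) keeps the shape stable across scans. `ApplicationName` and `ApplicationID` are likewise declared without `omitempty`, but nothing in this patch assigns them, so every report will carry them as empty strings. A doc comment on `CheckmarxOneReportData` saying that it is the JSON contract written to disk and that its tags are consumer-visible would make the next rename of this struct less risky.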
@@ -66,7 +65,7 @@ func CreateCustomReport(data *map[string]interface{}, insecure, neutral []string
 {Description: "Report creation time", Details: fmt.Sprint((*data)["ReportCreationTime"])},
 {Description: "Lines of code scanned", Details: fmt.Sprint((*data)["LinesOfCodeScanned)"])},
 {Description: "Files scanned", Details: fmt.Sprint((*data)["FilesScanned)"])},
- {Description: "Checkmarx version", Details: fmt.Sprint((*data)["CheckmarxVersion"])},
+ {Description: "Tool version", Details: fmt.Sprint((*data)["ToolVersion"])},
 {Description: "Deep link", Details: deepLink},
 },
 Overview: []reporting.OverviewRow{},
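Review bot: The two context lines directly above the changed row look up `(*data)["LinesOfCodeScanned)"]` and `(*data)["FilesScanned)"]` with a stray `)` inside the key, whereas `getDetailedResults` in the first hunk of this patch stores the values under `LinesOfCodeScanned` and `FilesScanned`, so both rows of the HTML report render as `<nil>`; since this commit is already correcting key names in this table, the two literals should become `(*data)["LinesOfCodeScanned"]` and `(*data)["FilesScanned"]`. The new `Tool version` row will display the placeholder `Cx1 Gap: No API for this` that the first hunk assigns to `ToolVersion`; if the row is meant for end users, wording such as "not available" is preferable to surfacing an internal note. CreateCustomReport begins and ends outside this hunk.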
@@ -138,33 +137,38 @@ func CreateCustomReport(data *map[string]interface{}, insecure, neutral []string
 func CreateJSONHeaderReport(data *map[string]interface{}) CheckmarxOneReportData {
 checkmarxReportData := CheckmarxOneReportData{
- ToolName: `checkmarxone`,
- ProjectName: fmt.Sprint((*data)["ProjectName"]),
- GroupName: fmt.Sprint((*data)["Group"]),
- GroupPath: fmt.Sprint((*data)["GroupFullPathOnReportDate"]),
- DeepLink: fmt.Sprint((*data)["DeepLink"]),
- Preset: fmt.Sprint((*data)["Preset"]),
- CheckmarxVersion: fmt.Sprint((*data)["CheckmarxVersion"]),
- ScanType: fmt.Sprint((*data)["ScanType"]),
- ProjectID: fmt.Sprint((*data)["ProjectId"]),
- ScanID: fmt.Sprint((*data)["ScanId"]),
+ ToolName: `CheckmarxOne`,
+ ProjectName: fmt.Sprint((*data)["ProjectName"]),
+ GroupID: fmt.Sprint((*data)["Group"]),
+ GroupName: fmt.Sprint((*data)["GroupFullPathOnReportDate"]),
+ DeepLink: fmt.Sprint((*data)["DeepLink"]),
+ Preset: fmt.Sprint((*data)["Preset"]),
+ ToolVersion: fmt.Sprint((*data)["ToolVersion"]),
+ ScanType: fmt.Sprint((*data)["ScanType"]),
+ ProjectID: fmt.Sprint((*data)["ProjectId"]),
+ ScanID: fmt.Sprint((*data)["ScanId"]),
 }
- checkmarxReportData.HighAudited = (*data)["High"].(map[string]int)["Issues"] - (*data)["High"].(map[string]int)["NotFalsePositive"]
- checkmarxReportData.HighTotal = (*data)["High"].(map[string]int)["Issues"]
-
- checkmarxReportData.MediumAudited = (*data)["Medium"].(map[string]int)["Issues"] - (*data)["Medium"].(map[string]int)["NotFalsePositive"]
- checkmarxReportData.MediumTotal = (*data)["Medium"].(map[string]int)["Issues"]
-
- checkmarxReportData.LowAudited = (*data)["Low"].(map[string]int)["Confirmed"] + (*data)["Low"].(map[string]int)["NotExploitable"]
- checkmarxReportData.LowTotal = (*data)["Low"].(map[string]int)["Issues"]
-
- checkmarxReportData.InformationAudited = (*data)["Information"].(map[string]int)["Confirmed"] + (*data)["Information"].(map[string]int)["NotExploitable"]
- checkmarxReportData.InformationTotal = (*data)["Information"].(map[string]int)["Issues"]
-
- lowPerQueryList := []LowPerQuery{}
- checkmarxReportData.IsLowPerQueryAudited = true
+ findings := []Finding{}
+ // High
+ highFindings := Finding{}
+ highFindings.ClassificationName = "High"
+ highFindings.Total = (*data)["High"].(map[string]int)["Issues"]
+ highAudited := (*data)["High"].(map[string]int)["Issues"] - (*data)["High"].(map[string]int)["NotFalsePositive"]
+ highFindings.Audited = &highAudited
+ findings = append(findings, highFindings)
+ // Medium
+ mediumFindings := Finding{}
+ mediumFindings.ClassificationName = "Medium"
+ mediumFindings.Total = (*data)["Medium"].(map[string]int)["Issues"]
+ mediumAudited := (*data)["Medium"].(map[string]int)["Issues"] - (*data)["Medium"].(map[string]int)["NotFalsePositive"]
+ mediumFindings.Audited = &mediumAudited
+ findings = append(findings, mediumFindings)
+ // Low
+ lowFindings := Finding{}
+ lowFindings.ClassificationName = "Low"
 if _, ok := (*data)["LowPerQuery"]; ok {
+ lowPerQueryList := []LowPerQuery{}
 lowPerQueryMap := (*data)["LowPerQuery"].(map[string]map[string]int)
 for queryName, resultsLowQuery := range lowPerQueryMap {
 audited := resultsLowQuery["Confirmed"] + resultsLowQuery["NotExploitable"]
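Review bot: `ApplicationName` and `ApplicationID` exist on `CheckmarxOneReportData` (struct hunk above) but the literal that builds `checkmarxReportData` here never assigns them, so every report serializes `"applicationName": ""` and `"applicationID": ""`; either populate them from `data` or tag them `omitempty` until a source exists. The new `findings` slice appends only High, Medium and Low, so the Information counts the removed lines exported (`InformationTotal`/`InformationAudited`) are no longer present in the JSON at all — if that is intended it belongs in the commit message, otherwise an `Information` entry built like the Medium one is missing. The High and Medium blocks each repeat `(*data)["High"].(map[string]int)` three times; hoisting it once, `high := (*data)["High"].(map[string]int)` followed by `highAudited := high["Issues"] - high["NotFalsePositive"]`, reads better, and a silently zeroed default is not a safe replacement for the panic on a missing classification, since that would make absent data look like a clean scan. CreateJSONHeaderReport continues into the next hunk.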
@@ -173,14 +177,18 @@ func CreateJSONHeaderReport(data *map[string]interface{}) CheckmarxOneReportData
 lowPerQuery.QueryName = queryName
 lowPerQuery.Audited = audited
 lowPerQuery.Total = total
- lowAuditedRequiredPerQuery := int(math.Ceil(0.10 * float64(total)))
- if audited < lowAuditedRequiredPerQuery && audited < 10 {
- checkmarxReportData.IsLowPerQueryAudited = false
- }
 lowPerQueryList = append(lowPerQueryList, lowPerQuery)
 }
+ lowFindings.LowPerQuery = &lowPerQueryList
+ findings = append(findings, lowFindings)
+ } else {
+ lowFindings.Total = (*data)["Low"].(map[string]int)["Issues"]
+ lowAudited := (*data)["Low"].(map[string]int)["Confirmed"] + (*data)["Low"].(map[string]int)["NotExploitable"]
+ lowFindings.Audited = &lowAudited
+ findings = append(findings, lowFindings)
 }
- checkmarxReportData.LowPerQuery = &lowPerQueryList
+
+ checkmarxReportData.Findings = &findings
 return checkmarxReportData
 }
diff --git a/pkg/checkmarxone/reporting_test.go b/pkg/checkmarxone/reporting_test.go
index b32805ab27..74e4faf55a 100644
--- a/pkg/checkmarxone/reporting_test.go
+++ b/pkg/checkmarxone/reporting_test.go
@@ -14,7 +14,7 @@ func TestCreateJSONReport(t *testing.T) {
 resultMap["GroupFullPathOnReportDate"] = `test-group-path`
 resultMap["DeepLink"] = `https://cx1.sap/projects/f5702f86-b396-417f-82e2-4949a55d5382/scans?branch=master&page=1&id=21e40b36-0dd7-48e5-9768-da1a8f36c907`
 resultMap["Preset"] = `Checkmarx Default`
- resultMap["CheckmarxVersion"] = `v1`
+ resultMap["ToolVersion"] = `v1`
 resultMap["ScanType"] = `Incremental`
 resultMap["ProjectId"] = `f5702f86-b396-417f-82e2-4949a55d5382`
 resultMap["ScanId"] = `21e40b36-0dd7-48e5-9768-da1a8f36c907`
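Review bot: In the `LowPerQuery` branch `lowFindings.Total` and `lowFindings.Audited` are never set, so with `omitempty` on both the Low entry carries only `categories` and no overall `total`/`audited`, while the `else` branch emits the opposite shape; assigning `lowFindings.Total = (*data)["Low"].(map[string]int)["Issues"]` and the `lowAudited` sum before the `if` (the removed lines read `(*data)["Low"]` unconditionally, so the key is expected in both cases) and hoisting the duplicated `findings = append(findings, lowFindings)` after the `if`/`else` gives consumers a single shape. `lowPerQueryList` is filled by ranging over `lowPerQueryMap`, so `categories` comes out in a different order on every run; `sort.Slice(lowPerQueryList, func(i, j int) bool { return lowPerQueryList[i].QueryName < lowPerQueryList[j].QueryName })` before `lowFindings.LowPerQuery = &lowPerQueryList` (with `"sort"` added to the import block) makes the JSON stable and is what the rewritten assertions in reporting_test.go already assume. Anything downstream that gated on the removed `IsLowPerQueryAudited` flag now has no input, which is worth a sentence in the commit message if it is deliberate. The function starts in the previous hunk.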
@@ -64,39 +64,22 @@ func TestCreateJSONReport(t *testing.T) {
 assert.Equal(t, "21e40b36-0dd7-48e5-9768-da1a8f36c907", reportingData.ScanID)
 assert.Equal(t, "ssba", reportingData.ProjectName)
 assert.Equal(t, "f5702f86-b396-417f-82e2-4949a55d5382", reportingData.ProjectID)
- assert.Equal(t, "test-group", reportingData.GroupName)
- assert.Equal(t, "test-group-path", reportingData.GroupPath)
- assert.Equal(t, "checkmarxone", reportingData.ToolName)
+ assert.Equal(t, "test-group", reportingData.GroupID)
+ assert.Equal(t, "test-group-path", reportingData.GroupName)
+ assert.Equal(t, "CheckmarxOne", reportingData.ToolName)
 assert.Equal(t, "https://cx1.sap/projects/f5702f86-b396-417f-82e2-4949a55d5382/scans?branch=master&page=1&id=21e40b36-0dd7-48e5-9768-da1a8f36c907", reportingData.DeepLink)
 assert.Equal(t, "Checkmarx Default", reportingData.Preset)
- assert.Equal(t, "v1", reportingData.CheckmarxVersion)
+ assert.Equal(t, "v1", reportingData.ToolVersion)
 assert.Equal(t, "Incremental", reportingData.ScanType)
- assert.Equal(t, 10, reportingData.HighTotal)
- assert.Equal(t, 0, reportingData.HighAudited)
- assert.Equal(t, 4, reportingData.MediumTotal)
- assert.Equal(t, 4, reportingData.MediumAudited)
- assert.Equal(t, 2, reportingData.LowTotal)
- assert.Equal(t, 2, reportingData.LowAudited)
- assert.Equal(t, 5, reportingData.InformationTotal)
- assert.Equal(t, 0, reportingData.InformationAudited)
- assert.Equal(t, false, reportingData.IsLowPerQueryAudited)
- assert.Equal(t, 2, len(*reportingData.LowPerQuery))
- if (*reportingData.LowPerQuery)[0].QueryName == "Low_Query_Name_1" {
- assert.Equal(t, "Low_Query_Name_1", (*reportingData.LowPerQuery)[0].QueryName)
- assert.Equal(t, 0, (*reportingData.LowPerQuery)[0].Audited)
- assert.Equal(t, 4, (*reportingData.LowPerQuery)[0].Total)
- assert.Equal(t, "Low_Query_Name_2", (*reportingData.LowPerQuery)[1].QueryName)
- assert.Equal(t, 5, (*reportingData.LowPerQuery)[1].Audited)
- assert.Equal(t, 5, (*reportingData.LowPerQuery)[1].Total)
- } else {
- assert.Equal(t, "Low_Query_Name_1", (*reportingData.LowPerQuery)[1].QueryName)
- assert.Equal(t, 0, (*reportingData.LowPerQuery)[1].Audited)
- assert.Equal(t, 4, (*reportingData.LowPerQuery)[1].Total)
- assert.Equal(t, "Low_Query_Name_2", (*reportingData.LowPerQuery)[0].QueryName)
- assert.Equal(t, 5, (*reportingData.LowPerQuery)[0].Audited)
- assert.Equal(t, 5, (*reportingData.LowPerQuery)[0].Total)
- }
+ lowList := (*reportingData.Findings)[2].LowPerQuery
+ assert.Equal(t, 2, len(*lowList))
+ assert.Equal(t, "Low_Query_Name_1", (*lowList)[0].QueryName)
+ assert.Equal(t, 0, (*lowList)[0].Audited)
+ assert.Equal(t, 4, (*lowList)[0].Total)
+ assert.Equal(t, "Low_Query_Name_2", (*lowList)[1].QueryName)
+ assert.Equal(t, 5, (*lowList)[1].Audited)
+ assert.Equal(t, 5, (*lowList)[1].Total)
 lowPerQuery = map[string]map[string]int{}
 submap = map[string]int{}
@@ -112,28 +95,4 @@ func TestCreateJSONReport(t *testing.T) {
 lowPerQuery["Low_Query_Name_2"] = submap
 resultMap["LowPerQuery"] = lowPerQuery
- reportingData = CreateJSONHeaderReport(&resultMap)
- assert.Equal(t, true, reportingData.IsLowPerQueryAudited)
-
- lowPerQuery = map[string]map[string]int{}
- submap = map[string]int{}
- submap["Issues"] = 200
- submap["Confirmed"] = 3
- submap["NotExploitable"] = 2
- lowPerQuery["Low_Query_Name_1"] = submap
-
- resultMap["LowPerQuery"] = lowPerQuery
- reportingData = CreateJSONHeaderReport(&resultMap)
- assert.Equal(t, false, reportingData.IsLowPerQueryAudited)
-
- lowPerQuery = map[string]map[string]int{}
- submap = map[string]int{}
- submap["Issues"] = 200
- submap["Confirmed"] = 5
- submap["NotExploitable"] = 5
- lowPerQuery["Low_Query_Name_1"] = submap
-
- resultMap["LowPerQuery"] = lowPerQuery
- reportingData = CreateJSONHeaderReport(&resultMap)
- assert.Equal(t, true, reportingData.IsLowPerQueryAudited)
 }
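Review bot: The rewritten assertions index `(*lowList)[0]` and `(*lowList)[1]` by position, but `CreateJSONHeaderReport` fills that list by ranging over a `map[string]map[string]int`, whose iteration order Go randomizes, so the removed order-tolerant `if`/`else` was guarding a real nondeterminism and this test will fail on a random subset of runs unless the production code sorts `lowPerQueryList` by `QueryName` first. The hunk also drops every assertion on the High, Medium and Information counters; with the setup unchanged apart from the key rename, the restructured data should still be covered by `assert.Equal(t, 10, (*reportingData.Findings)[0].Total)` and `assert.Equal(t, 0, *(*reportingData.Findings)[0].Audited)` plus the Medium equivalents, and an assertion on `len(*reportingData.Findings)` would document that Information is now intentionally absent. TestCreateJSONReport begins before this hunk and continues after it.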
diff --git a/resources/metadata/checkmarxOneExecuteScan.yaml b/resources/metadata/checkmarxOneExecuteScan.yaml
index f44ec5b8a5..ff08b25263 100644
--- a/resources/metadata/checkmarxOneExecuteScan.yaml
+++ b/resources/metadata/checkmarxOneExecuteScan.yaml
@@ -469,7 +469,7 @@ spec:
 - name: group_full_path_on_report_date
 - name: scan_start
 - name: scan_time
- - name: checkmarxOne_version
+ - name: tool_version
 - name: scan_type
 - name: preset
 - name: deep_link