From f22b4032aa9850b50e7690095cb2669f478e2213 Mon Sep 17 00:00:00 2001 From: Grzegorz Siewruk Date: Wed, 3 Jul 2024 13:51:23 +0200 Subject: [PATCH] checkmarx api --- .../api/cicd/controller/CICDController.java | 11 ++++++ .../mixeway/api/cicd/service/CICDService.java | 12 ++++++ .../apiclient/CheckmarxApiClient.java | 39 +++++++++++++++++++ .../checkmarx/model/CxSetGitRepo.java | 9 +++++ .../service/code/CodeScanClient.java | 1 + .../service/code/CodeScanService.java | 35 +++++++++++++++++ 6 files changed, 107 insertions(+) diff --git a/src/main/java/io/mixeway/api/cicd/controller/CICDController.java b/src/main/java/io/mixeway/api/cicd/controller/CICDController.java index fd763466..4b4f240c 100644 --- a/src/main/java/io/mixeway/api/cicd/controller/CICDController.java +++ b/src/main/java/io/mixeway/api/cicd/controller/CICDController.java @@ -153,4 +153,15 @@ public ResponseEntity loadKicsReport(@RequestBody KicsReport kicsReport, Principal principal) throws UnknownHostException { return cicdService.loadKicsReport(kicsReport, codeProjectid, principal); } + /** + * Validate State of security for given CodeProject and Branch + */ + @CrossOrigin(origins="*") + @PreAuthorize("hasAuthority('ROLE_API')") + @PostMapping(value = "/asset/{id}/checkmarx/start",produces = "application/json") + public ResponseEntity startCheckmarxScan(@RequestBody ProjectMetadata projectMetadat, + @PathVariable("id") long codeProjectid, + Principal principal) throws UnknownHostException { + return cicdService.startCheckmarxScan(projectMetadat, codeProjectid, principal); + } } diff --git a/src/main/java/io/mixeway/api/cicd/service/CICDService.java b/src/main/java/io/mixeway/api/cicd/service/CICDService.java index be3e81e2..d2387508 100644 --- a/src/main/java/io/mixeway/api/cicd/service/CICDService.java +++ b/src/main/java/io/mixeway/api/cicd/service/CICDService.java @@ -256,4 +256,16 @@ public ResponseEntity loadKicsReport(KicsReport kicsReport, long codeProjecti } return new ResponseEntity<>(HttpStatus.BAD_REQUEST); } + + public ResponseEntity startCheckmarxScan(ProjectMetadata projectMetadat, long codeProjectid, Principal principal) { + Optional codeProject = findCodeProjectService.findById(codeProjectid); + if (codeProject.isPresent() && permissionFactory.canUserAccessProject(principal, codeProject.get().getProject())){ + CodeProjectBranch codeProjectBranch = getOrCreateCodeProjectBranchService.getOrCreateCodeProjectBranch(codeProject.get(), projectMetadat.getBranch()); + log.info("[CICD] Starting SAST scan for {} [{}]", codeProject.get().getName(), codeProject.get().getRepoUrl()); + codeScanService.runScan(codeProject.get(),codeProjectBranch, projectMetadat, principal); + } else { + return new ResponseEntity<>(HttpStatus.NOT_FOUND); + } + return new ResponseEntity<>(HttpStatus.BAD_REQUEST); + } } diff --git a/src/main/java/io/mixeway/scanmanager/integrations/checkmarx/apiclient/CheckmarxApiClient.java b/src/main/java/io/mixeway/scanmanager/integrations/checkmarx/apiclient/CheckmarxApiClient.java index 701a6859..0198e2fb 100644 --- a/src/main/java/io/mixeway/scanmanager/integrations/checkmarx/apiclient/CheckmarxApiClient.java +++ b/src/main/java/io/mixeway/scanmanager/integrations/checkmarx/apiclient/CheckmarxApiClient.java @@ -97,6 +97,23 @@ public Boolean runScan(CodeProject codeProject) throws CertificateException, Unr } } + @Override + public Boolean runScan(CodeProject codeProject, CodeProjectBranch codeProjectBranch) throws CertificateException, UnrecoverableKeyException, NoSuchAlgorithmException, KeyManagementException, KeyStoreException, IOException, JSONException, ParseException { + Optional cxSast = scannerRepository.findByScannerType(scannerTypeRepository.findByNameIgnoreCase(Constants.SCANNER_TYPE_CHECKMARX)).stream().findFirst(); + boolean hasToCreateProject = codeProject.getVersionIdAll() == 0 && codeProject.getRemoteid() ==0; + if (cxSast.isPresent()){ + if (hasToCreateProject){ + createProject(cxSast.get(),codeProject); + } + setGitRepositoryForProject(cxSast.get(),codeProject, codeProjectBranch); + + return createScan(cxSast.get(),codeProject); + } else { + log.error("[Checkmarx] Checkmarx detected but no scanener found"); + return false; + } + } + /** * condition has to be fixed */ @@ -226,6 +243,28 @@ private void setGitRepositoryForProject(Scanner scanner, CodeProject codeProject log.error("[Checkmarx] Error setting GIT repo for project {} - {}",codeProject.getName(), e.getLocalizedMessage()); } } + /** + * configure granch and git URL for + * @param scanner + * @param codeProject + */ + private void setGitRepositoryForProject(Scanner scanner, CodeProject codeProject, CodeProjectBranch codeProjectBranch) throws CertificateException, UnrecoverableKeyException, NoSuchAlgorithmException, KeyManagementException, JSONException, KeyStoreException, ParseException, IOException { + CodeRequestHelper codeRequestHelper = prepareRestTemplate(scanner); + String passwordString = getPasswordStringForCodeProejct(codeProject); + HttpEntity cxSetGitRepoHttpEntity = new HttpEntity<>(new CxSetGitRepo(codeProject, passwordString, codeProjectBranch), codeRequestHelper.getHttpEntity().getHeaders()); + ObjectMapper mapper = new ObjectMapper(); + log.debug("[Checkmarx] Setting git repo {}", mapper.writeValueAsString(cxSetGitRepoHttpEntity)); + codeRequestHelper.setHttpEntity(cxSetGitRepoHttpEntity); + try { + int remoteId = (codeProject.getRemoteid() == 0) ? codeProject.getVersionIdAll() : (codeProject.getVersionIdAll() == 0) ? codeProject.getRemoteid() : codeProject.getVersionIdAll(); + ResponseEntity response = codeRequestHelper + .getRestTemplate() + .exchange(scanner.getApiUrl() + Constants.CX_GET_PROJECTS_API + "/" + remoteId + "/sourceCode/remoteSettings/git", HttpMethod.POST, codeRequestHelper.getHttpEntity(), String.class); + log.info("[Checkmarx] Setting GIT repo for {} result {}", codeProject.getName(), response.getStatusCode()); + } catch (Exception e){ + log.error("[Checkmarx] Error setting GIT repo for project {} - {}",codeProject.getName(), e.getLocalizedMessage()); + } + } /** * get auth string for particular project: diff --git a/src/main/java/io/mixeway/scanmanager/integrations/checkmarx/model/CxSetGitRepo.java b/src/main/java/io/mixeway/scanmanager/integrations/checkmarx/model/CxSetGitRepo.java index efd79e6d..e7c0a545 100644 --- a/src/main/java/io/mixeway/scanmanager/integrations/checkmarx/model/CxSetGitRepo.java +++ b/src/main/java/io/mixeway/scanmanager/integrations/checkmarx/model/CxSetGitRepo.java @@ -6,6 +6,7 @@ package io.mixeway.scanmanager.integrations.checkmarx.model; import io.mixeway.db.entity.CodeProject; +import io.mixeway.db.entity.CodeProjectBranch; import lombok.AllArgsConstructor; import lombok.Getter; import lombok.NoArgsConstructor; @@ -33,5 +34,13 @@ public CxSetGitRepo(CodeProject codeProject, String pass){ this.branch = "refs/heads/" + codeProject.getBranch(); } } + public CxSetGitRepo(CodeProject codeProject, String pass, CodeProjectBranch codeProjectBranch){ + if (pass != null){ + this.url ="https://"+pass+"@"+codeProject.getRepoUrl().split("://")[1]; + } else { + this.url = codeProject.getRepoUrl(); + } + this.branch = "refs/heads/" + codeProjectBranch.getName(); + } } diff --git a/src/main/java/io/mixeway/scanmanager/service/code/CodeScanClient.java b/src/main/java/io/mixeway/scanmanager/service/code/CodeScanClient.java index 730f1faa..6d545ff2 100644 --- a/src/main/java/io/mixeway/scanmanager/service/code/CodeScanClient.java +++ b/src/main/java/io/mixeway/scanmanager/service/code/CodeScanClient.java @@ -20,6 +20,7 @@ public interface CodeScanClient { void loadVulnerabilities(Scanner scanner, String urlToGetNext, Boolean single, CodeProject codeProject, List codeVulns, CodeProjectBranch codeProjectBranch) throws ParseException, JSONException, CertificateException, UnrecoverableKeyException, NoSuchAlgorithmException, KeyManagementException, KeyStoreException, IOException, URISyntaxException; Boolean runScan(CodeProject codeProject) throws CertificateException, UnrecoverableKeyException, NoSuchAlgorithmException, KeyManagementException, KeyStoreException, IOException, JSONException, ParseException; + Boolean runScan(CodeProject codeProject, CodeProjectBranch codeProjectBranch) throws CertificateException, UnrecoverableKeyException, NoSuchAlgorithmException, KeyManagementException, KeyStoreException, IOException, JSONException, ParseException; boolean isScanDone(CodeProject cp) throws CertificateException, UnrecoverableKeyException, NoSuchAlgorithmException, KeyManagementException, KeyStoreException, IOException, ParseException, JSONException; boolean canProcessRequest(CodeProject cp); boolean canProcessRequest(Scanner scanner); diff --git a/src/main/java/io/mixeway/scanmanager/service/code/CodeScanService.java b/src/main/java/io/mixeway/scanmanager/service/code/CodeScanService.java index 6abf631c..e926dd3e 100644 --- a/src/main/java/io/mixeway/scanmanager/service/code/CodeScanService.java +++ b/src/main/java/io/mixeway/scanmanager/service/code/CodeScanService.java @@ -261,6 +261,41 @@ public void runFromQueue() { } } + /** + * Get the CodeProjects and CodeGroups with inQueue=true + * Verify if scan can be run and then runs it. + */ + @Transactional + public void runScan(CodeProject codeProject, CodeProjectBranch codeProjectBranch, ProjectMetadata projectMetadata, Principal principal) { + Optional codeScanner = getScannerService.getCodeScanners(); + if (codeScanner.isPresent() && codeScanner.get().getStatus()) { + try { + if (operateOnCodeProject.canScanCodeProject(codeProject)) { + for (CodeScanClient codeScanClient : codeScanClients) { + if (codeScanClient.canProcessRequest(codeProject)) { + log.info("[CodeScan] Starting scan form CICD [scope {}] {}", codeProject.getName(), codeProject.getName()); + codeProject = updateCodeProjectService.removeFromQueueAndStart(codeProject); + codeScanClient.runScan( codeProject, codeProjectBranch); + Scan scan = createScanService.createCodeScan(codeProject, projectMetadata.getBranch(), + projectMetadata.getCommitId(),Constants.SAST_LABEL,principal ); + CiOperations operations = createCiOperationsService.create(projectMetadata, codeProject); + updateCiOperations.putScanOnAPipeline(operations, scan, securityQualityGateway.buildGatewayResponse(new ArrayList<>())); + + // TODO: create codescan + } + } + } + } catch (IndexOutOfBoundsException ex) { + log.debug("Fortify configuration missing"); + } catch (HttpClientErrorException ex) { + log.warn("HttpClientErrorException with code [{}] during cloud scan job synchro ", ex.getStatusCode().toString()); + } catch (ParseException | JSONException | CertificateException | UnrecoverableKeyException | NoSuchAlgorithmException | KeyManagementException | KeyStoreException | IOException e) { + log.warn("Exception came up during running scan {}", e.getLocalizedMessage()); + e.printStackTrace(); + } + } + } + /** * Method which run scan for given parameters