From a13f86e07d377c9a23a1271c4255d31d2be3d898 Mon Sep 17 00:00:00 2001
From: Grzegorz Siewruk
Date: Thu, 13 Jun 2024 14:25:50 +0200
Subject: [PATCH] sca endpoint

---
 .../api/cicd/controller/CICDController.java | 13 ++++++++++
 .../mixeway/api/cicd/service/CICDService.java | 12 ++++++++++
 .../UpdateCiOperationsService.java | 8 +++++++
 .../apiclient/CheckmarxApiClient.java | 6 ++++-
 .../opensource/OpenSourceScanService.java | 24 ++++++++++++++++---
 5 files changed, 59 insertions(+), 4 deletions(-)

diff --git a/src/main/java/io/mixeway/api/cicd/controller/CICDController.java b/src/main/java/io/mixeway/api/cicd/controller/CICDController.java
index f07a8960..2c493814 100644
--- a/src/main/java/io/mixeway/api/cicd/controller/CICDController.java
+++ b/src/main/java/io/mixeway/api/cicd/controller/CICDController.java
@@ -2,6 +2,7 @@
 import io.mixeway.api.cicd.model.GitleaksReport;
 import io.mixeway.api.cicd.model.LoadSCA;
+import io.mixeway.api.cicd.model.ProjectMetadata;
 import io.mixeway.api.cicd.service.CICDService;
 import io.mixeway.api.cioperations.model.LoadVulnModel;
 import io.mixeway.api.cioperations.model.ZapReportModel;
@@ -127,4 +128,16 @@ public ResponseEntity loadGitleaksReport(@RequestBody GitleaksReport gitleaks
 Principal principal) throws UnknownHostException {
 return cicdService.loadGitleaksReport(gitleaksReport, codeProjectid, principal);
 }
+
+ /**
+ * Validate State of security for given CodeProject and Branch
+ */
+ @CrossOrigin(origins="*")
+ @PreAuthorize("hasAuthority('ROLE_API')")
+ @PostMapping(value = "/asset/{id}/sca",produces = "application/json")
+ public ResponseEntity loadScaVulns(@RequestBody ProjectMetadata projectMetadata,
+ @PathVariable("id") long codeProjectid,
+ Principal principal) throws IOException, UnrecoverableKeyException, CertificateException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException {
+ return cicdService.loadScaVulns(projectMetadata, codeProjectid, principal);
+ }
 }
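Review bot: The Javadoc on the new `loadScaVulns` endpoint ("Validate State of security for given CodeProject and Branch") describes a different operation than the method performs; the method only delegates to `cicdService.loadScaVulns`, which loads SCA findings for the asset from the posted `ProjectMetadata`. Replace it with `/** Load SCA vulnerabilities for CodeProject {id} on the branch/commit given in the request body; requires ROLE_API plus access to the owning project (checked in CICDService). */`. Stating both halves of the authorization (the `ROLE_API` authority here and the per-project check in the service) in the doc makes it less likely that a later refactor drops one of them. The enclosing class closes at the end of the hunk.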
diff --git a/src/main/java/io/mixeway/api/cicd/service/CICDService.java b/src/main/java/io/mixeway/api/cicd/service/CICDService.java
index 9a3cdfbb..8cca3e49 100644
--- a/src/main/java/io/mixeway/api/cicd/service/CICDService.java
+++ b/src/main/java/io/mixeway/api/cicd/service/CICDService.java
@@ -2,6 +2,7 @@
 import io.mixeway.api.cicd.model.GitleaksReport;
 import io.mixeway.api.cicd.model.LoadSCA;
+import io.mixeway.api.cicd.model.ProjectMetadata;
 import io.mixeway.api.cioperations.model.ZapReportModel;
 import io.mixeway.api.protocol.OpenSourceConfig;
 import io.mixeway.api.protocol.cioperations.GetInfoRequest;
@@ -228,4 +229,15 @@ public ResponseEntity loadGitleaksReport(GitleaksReport gitleaksReport, long
 return new ResponseEntity<>(HttpStatus.BAD_REQUEST);
 }
+
+ public ResponseEntity loadScaVulns(ProjectMetadata projectMetadata, long codeProjectid, Principal principal) throws UnrecoverableKeyException, CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException, KeyManagementException {
+ Optional codeProject = findCodeProjectService.findById(codeProjectid);
+ if (codeProject.isPresent() && permissionFactory.canUserAccessProject(principal, codeProject.get().getProject())){
+ log.info("[CICD] Received info about SCA scan for {} [{}]", codeProject.get().getName(), codeProject.get().getRepoUrl());
+ openSourceScanService.loadVulnerabilities(codeProject.get(), projectMetadata, principal);
+ } else {
+ return new ResponseEntity<>(HttpStatus.NOT_FOUND);
+ }
+ return new ResponseEntity<>(HttpStatus.BAD_REQUEST);
+ }
 }
diff --git a/src/main/java/io/mixeway/domain/service/cioperations/UpdateCiOperationsService.java b/src/main/java/io/mixeway/domain/service/cioperations/UpdateCiOperationsService.java
index ae454942..79467fd5 100644
--- a/src/main/java/io/mixeway/domain/service/cioperations/UpdateCiOperationsService.java
+++ b/src/main/java/io/mixeway/domain/service/cioperations/UpdateCiOperationsService.java
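Review bot: The success path of `loadScaVulns` answers with `HttpStatus.BAD_REQUEST`: once `openSourceScanService.loadVulnerabilities(...)` returns, the `if` branch falls through to the trailing `return new ResponseEntity<>(HttpStatus.BAD_REQUEST);`, so a CI client that posts a valid payload gets a 400 and will likely treat the upload as failed or retry it. Return from inside the branch instead, `return new ResponseEntity<>(HttpStatus.OK);`, and leave the trailing 400 for inputs that are actually rejected. `projectMetadata` is also passed on unvalidated and is dereferenced downstream (`getBranch()`, `getCommitId()` in OpenSourceScanService); rejecting a body with a blank branch or commit id here would make the 400 meaningful and keep null values out of the branch and scan records. Answering 404 for both "no such project" and "no access" is fine, as it does not reveal whether the id exists.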
@@ -5,6 +5,7 @@
 */
 package io.mixeway.domain.service.cioperations;
+import io.mixeway.api.cicd.model.ProjectMetadata;
 import io.mixeway.api.cioperations.model.CIVulnManageResponse;
 import io.mixeway.api.cioperations.service.CiOperationsService;
 import io.mixeway.config.Constants;
@@ -30,6 +31,7 @@ public class UpdateCiOperationsService {
 private final SecurityQualityGateway securityQualityGateway;
 private final CiOperationsRepository ciOperationsRepository;
 private final VulnTemplate vulnTemplate;
+ private final GetOrCreateCiOperationsService getOrCreateCiOperationsService;
 @Transactional
@@ -44,6 +46,12 @@ public void updateCiOperationsForOpenSource(CodeProject codeProject){
 }
 }
 @Transactional
+ public void updateCiOperationsForOpenSource(CodeProject codeProject, ProjectMetadata projectMetadata){
+ SecurityGatewayEntry gateway = securityQualityGateway.buildGatewayResponse(vulnTemplate.projectVulnerabilityRepository.findByCodeProject(codeProject));
+ Optional ciOperations = ciOperationsRepository.findByCodeProjectAndCommitId(codeProject, projectMetadata.getCommitId());
+ CiOperations operations = getOrCreateCiOperationsService.create(projectMetadata,codeProject);
+ }
+ @Transactional
 public void updateCiOperationsForSAST(CodeProject codeProject){
 SecurityGatewayEntry gateway = securityQualityGateway.buildGatewayResponse(vulnTemplate.projectVulnerabilityRepository.findByCodeProject(codeProject));
 Optional ciOperations = ciOperationsRepository.findByCodeProjectAndCommitId(codeProject,codeProject.getCommitid());
diff --git a/src/main/java/io/mixeway/scanmanager/integrations/checkmarx/apiclient/CheckmarxApiClient.java b/src/main/java/io/mixeway/scanmanager/integrations/checkmarx/apiclient/CheckmarxApiClient.java
index c0a5343b..701a6859 100644
--- a/src/main/java/io/mixeway/scanmanager/integrations/checkmarx/apiclient/CheckmarxApiClient.java
+++ b/src/main/java/io/mixeway/scanmanager/integrations/checkmarx/apiclient/CheckmarxApiClient.java
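Review bot: The new `updateCiOperationsForOpenSource(CodeProject, ProjectMetadata)` overload computes `gateway` and looks up `ciOperations` but uses neither, and the result of `getOrCreateCiOperationsService.create(projectMetadata, codeProject)` is discarded as well, so the security-gate verdict for the reported commit is never written to the CiOperations row even though the caller in OpenSourceScanService treats this call as "record the CI result". Either finish the method the way `updateCiOperationsForSAST` does (its body continues outside the hunk, so I cannot confirm which fields it sets from `gateway`) or drop the two unused lookups so the method does not read as if it records a result; as written, `findByCodeProjectAndCommitId` is also a wasted query per call. A one-line comment such as `// TODO: apply gateway verdict to the CiOperations entry created below` would at least mark the gap if it is intentional for this commit. Note that the pre-existing `@Transactional` above the insertion point now annotates the new method, which is fine since a fresh `@Transactional` was added for the SAST method.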
@@ -29,6 +29,7 @@
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.util.MultiValueMap;
 import org.springframework.web.client.HttpClientErrorException;
+import org.springframework.web.client.HttpServerErrorException;
 import org.springframework.web.client.ResourceAccessException;
 import org.springframework.web.client.RestTemplate;
@@ -437,8 +438,11 @@ private boolean createScan(Scanner scanner, CodeProject codeProject) throws Cert
 log.info("[Checkmarx] Successfull Created and started scan for {}", codeProject.getName());
 return true;
 }
- } catch (HttpClientErrorException e){
+ } catch (HttpClientErrorException | HttpServerErrorException e){
 log.error("[Checkmarx] Error creating scan - {}", e.getStatusCode());
+ codeProject.setRunning(false);
+ codeProjectRepository.save(codeProject);
+
 } catch (ResourceAccessException e) {
 log.error("[Checkmarx] Error creating the scan - checkmarx not avaliable");
 }
diff --git a/src/main/java/io/mixeway/scanmanager/service/opensource/OpenSourceScanService.java b/src/main/java/io/mixeway/scanmanager/service/opensource/OpenSourceScanService.java
index 1f6e9482..5aedce58 100644
--- a/src/main/java/io/mixeway/scanmanager/service/opensource/OpenSourceScanService.java
+++ b/src/main/java/io/mixeway/scanmanager/service/opensource/OpenSourceScanService.java
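Review bot: The `ResourceAccessException` branch does not get the same cleanup: only the new `HttpClientErrorException | HttpServerErrorException` catch resets `running` and saves the project, so when Checkmarx is unreachable (connection refused, timeout) the project presumably stays flagged as running and is not picked up again, which is the same symptom this commit fixes for HTTP error responses. Add the same two lines to that catch, `codeProject.setRunning(false); codeProjectRepository.save(codeProject);`, or hoist them into one cleanup that runs for every failure path. `createScan` starts and ends outside the hunk, so I cannot see whether a later failure path already does this. Logging only `e.getStatusCode()` on the error line is a good choice; the scanner's response body should not be logged unfiltered.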
@@ -1,12 +1,15 @@
 package io.mixeway.scanmanager.service.opensource;
+import io.mixeway.api.cicd.model.ProjectMetadata;
 import io.mixeway.api.protocol.OpenSourceConfig;
+import io.mixeway.config.Constants;
 import io.mixeway.db.entity.*;
 import io.mixeway.domain.service.cioperations.UpdateCiOperationsService;
 import io.mixeway.domain.service.opensource.CreateOpenSourceConfigService;
 import io.mixeway.domain.service.project.FindProjectService;
 import io.mixeway.domain.service.projectvulnerability.DeleteProjectVulnerabilityService;
 import io.mixeway.domain.service.projectvulnerability.GetProjectVulnerabilitiesService;
+import io.mixeway.domain.service.scan.CreateScanService;
 import io.mixeway.domain.service.scanmanager.code.GetOrCreateCodeProjectBranchService;
 import io.mixeway.domain.service.scanner.GetScannerService;
 import io.mixeway.domain.service.softwarepackage.GetOrCreateSoftwarePacketService;
@@ -47,6 +50,7 @@ public class OpenSourceScanService {
 private final GetProjectVulnerabilitiesService getProjectVulnerabilitiesService;
 private final GetOrCreateSoftwarePacketService getOrCreateSoftwarePacketService;
 private final GetOrCreateCodeProjectBranchService getOrCreateCodeProjectBranchService;
+ private final CreateScanService createScanService;
 /**
 * Method witch get information about configured OpenSource scanner which is proper for particular project
@@ -78,8 +82,17 @@ public ResponseEntity getOpenSourceScannerConfiguration(Long i
 * @param codeProjectToVerify CodeProject to load opensource vulnerabilities
 */
 @Transactional()
- public void loadVulnerabilities(CodeProject codeProjectToVerify) throws CertificateException, UnrecoverableKeyException, NoSuchAlgorithmException, KeyManagementException, KeyStoreException, IOException {
- CodeProjectBranch codeProjectBranch = getOrCreateCodeProjectBranchService.getOrCreateCodeProjectBranch(codeProjectToVerify, codeProjectToVerify.getBranch());
+ public void loadVulnerabilities(CodeProject codeProjectToVerify, ProjectMetadata projectMetadata, Principal principal) throws CertificateException, UnrecoverableKeyException, NoSuchAlgorithmException, KeyManagementException, KeyStoreException, IOException {
+ CodeProjectBranch codeProjectBranch;
+ if (projectMetadata != null){
+ codeProjectBranch = getOrCreateCodeProjectBranchService
+ .getOrCreateCodeProjectBranch(
+ codeProjectToVerify,
+ projectMetadata.getBranch()
+ );
+ } else {
+ codeProjectBranch = getOrCreateCodeProjectBranchService.getOrCreateCodeProjectBranch(codeProjectToVerify, codeProjectToVerify.getBranch());
+ }
 for (OpenSourceScanClient openSourceScanClient : openSourceScanClients){
 if (openSourceScanClient.canProcessRequest(codeProjectToVerify)){
 List oldVulns = getProjectVulnerabilitiesService.getOldVulnsForCodeProjectAndSourceForBranch(codeProjectToVerify,vulnTemplate.SOURCE_OPENSOURCE, codeProjectBranch );
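Review bot: The Javadoc above `loadVulnerabilities` still documents only `codeProjectToVerify`; add `@param projectMetadata branch/commit reported by the CI caller, or null to fall back to the CodeProject's own branch` and `@param principal caller identity, passed through to createCodeScan`. The new three-argument signature replaces the old one-argument method instead of overloading it, and the only caller this patch updates is `CICDService.loadScaVulns`; if any existing scheduler or controller still calls `loadVulnerabilities(codeProject)` it no longer compiles, so a delegating overload `public void loadVulnerabilities(CodeProject codeProjectToVerify) throws ... { loadVulnerabilities(codeProjectToVerify, null, null); }` would keep those call sites working. When `projectMetadata` is non-null its `getBranch()` is handed straight to `getOrCreateCodeProjectBranch`, so a request body with a missing branch presumably creates or resolves a branch keyed on null; fall back to `codeProjectToVerify.getBranch()` when the metadata branch is null or blank. The method continues into the next hunk.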
@@ -89,7 +102,12 @@ public void loadVulnerabilities(CodeProject codeProjectToVerify) throws Certific
 vulnTemplate.projectVulnerabilityRepository.updateVulnStateForBranch(vulnsToUpdate, vulnTemplate.STATUS_REMOVED.getId(), codeProjectBranch.getId());
 openSourceScanClient.loadVulnerabilities(codeProjectToVerify, codeProjectBranch);
- updateCiOperations.updateCiOperationsForOpenSource(codeProjectToVerify);
+ if (projectMetadata != null ){
+ updateCiOperations.updateCiOperationsForOpenSource(codeProjectToVerify, projectMetadata);
+ createScanService.createCodeScan(codeProjectToVerify, codeProjectBranch.getName(), projectMetadata.getCommitId(), Constants.SCA_LABEL,principal);
+ } else {
+ updateCiOperations.updateCiOperationsForOpenSource(codeProjectToVerify);
+ }
 //vulnTemplate.projectVulnerabilityRepository.deleteByStatusAndCodeProjectAndVulnerabilitySourceAndCodeProjectBranch(vulnTemplate.STATUS_REMOVED, codeProjectToVerify, vulnTemplate.SOURCE_OPENSOURCE, codeProjectBranch);
 break;
 }
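Review bot: `createScanService.createCodeScan(...)` is called with `projectMetadata.getCommitId()` unchecked, and the `updateCiOperationsForOpenSource(codeProjectToVerify, projectMetadata)` call on the line above queries `findByCodeProjectAndCommitId` with the same value; a CI job that posts metadata without a commit id therefore produces a scan record and a CiOperations lookup keyed on null. Treat metadata without a commit id like the legacy path by tightening the condition to `if (projectMetadata != null && projectMetadata.getCommitId() != null){`, or validate the body at the endpoint so this method can assume a commit id is present. `loadVulnerabilities` starts outside this hunk, in the previous one.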