CxOne: support Critical severity (#5418)

thtri · web-flow · commit e778c5bfa22d · 2025-07-24T14:22:05.000+02:00
diff --git a/cmd/checkmarxOneExecuteScan.go b/cmd/checkmarxOneExecuteScan.go
@@ -808,6 +808,7 @@ func (c *checkmarxOneExecuteScanHelper) getDetailedResults(scan *checkmarxOne.Sc
 	resultMap["Preset"] = scanmeta.PresetName
 	resultMap["DeepLink"] = fmt.Sprintf("%v/projects/%v/overview?branch=%v", c.config.ServerURL, c.Project.ProjectID, url.QueryEscape(scan.Branch))
 	resultMap["ReportCreationTime"] = time.Now().String()
+	resultMap["Critical"] = map[string]int{}
 	resultMap["High"] = map[string]int{}
 	resultMap["Medium"] = map[string]int{}
 	resultMap["Low"] = map[string]int{}
@@ -817,6 +818,8 @@ func (c *checkmarxOneExecuteScanHelper) getDetailedResults(scan *checkmarxOne.Sc
 		for _, result := range *results {
 			key := "Information"
 			switch result.Severity {
+			case "CRITICAL":
+				key = "Critical"
 			case "HIGH":
 				key = "High"
 			case "MEDIUM":
@@ -1075,20 +1078,29 @@ func (c *checkmarxOneExecuteScanHelper) enforceThresholds(results *map[string]in
 	insecureResults := []string{}
 	insecure := false
 
+	cxCriticalThreshold := c.config.VulnerabilityThresholdCritical
 	cxHighThreshold := c.config.VulnerabilityThresholdHigh
 	cxMediumThreshold := c.config.VulnerabilityThresholdMedium
 	cxLowThreshold := c.config.VulnerabilityThresholdLow
 	cxLowThresholdPerQuery := c.config.VulnerabilityThresholdLowPerQuery
 	cxLowThresholdPerQueryMax := c.config.VulnerabilityThresholdLowPerQueryMax
+	criticalValue := (*results)["Critical"].(map[string]int)["NotFalsePositive"]
 	highValue := (*results)["High"].(map[string]int)["NotFalsePositive"]
 	mediumValue := (*results)["Medium"].(map[string]int)["NotFalsePositive"]
 	lowValue := (*results)["Low"].(map[string]int)["NotFalsePositive"]
 	var unit string
+	criticalViolation := ""
 	highViolation := ""
 	mediumViolation := ""
 	lowViolation := ""
 	if c.config.VulnerabilityThresholdUnit == "percentage" {
 		unit = "%"
+		criticalAudited := (*results)["Critical"].(map[string]int)["Issues"] - (*results)["Critical"].(map[string]int)["NotFalsePositive"]
+		criticalOverall := (*results)["Critical"].(map[string]int)["Issues"]
+		if criticalOverall == 0 {
+			criticalAudited = 1
+			criticalOverall = 1
+		}
 		highAudited := (*results)["High"].(map[string]int)["Issues"] - (*results)["High"].(map[string]int)["NotFalsePositive"]
 		highOverall := (*results)["High"].(map[string]int)["Issues"]
 		if highOverall == 0 {
@@ -1107,10 +1119,15 @@ func (c *checkmarxOneExecuteScanHelper) enforceThresholds(results *map[string]in
 			lowAudited = 1
 			lowOverall = 1
 		}
+		criticalValue = int(float32(criticalAudited) / float32(criticalOverall) * 100.0)
 		highValue = int(float32(highAudited) / float32(highOverall) * 100.0)
 		mediumValue = int(float32(mediumAudited) / float32(mediumOverall) * 100.0)
 		lowValue = int(float32(lowAudited) / float32(lowOverall) * 100.0)
 
+		if criticalValue < cxCriticalThreshold {
+			insecure = true
+			criticalViolation = fmt.Sprintf("<-- %v %v deviation", cxCriticalThreshold-criticalValue, unit)
+		}
 		if highValue < cxHighThreshold {
 			insecure = true
 			highViolation = fmt.Sprintf("<-- %v %v deviation", cxHighThreshold-highValue, unit)
@@ -1148,6 +1165,10 @@ func (c *checkmarxOneExecuteScanHelper) enforceThresholds(results *map[string]in
 	}
 	if c.config.VulnerabilityThresholdUnit == "absolute" {
 		unit = " findings"
+		if criticalValue > cxCriticalThreshold {
+			insecure = true
+			criticalViolation = fmt.Sprintf("<-- %v%v deviation", criticalValue-cxCriticalThreshold, unit)
+		}
 		if highValue > cxHighThreshold {
 			insecure = true
 			highViolation = fmt.Sprintf("<-- %v%v deviation", highValue-cxHighThreshold, unit)
@@ -1162,9 +1183,17 @@ func (c *checkmarxOneExecuteScanHelper) enforceThresholds(results *map[string]in
 		}
 	}
 
+	criticalText := fmt.Sprintf("Critical %v%v %v", criticalValue, unit, criticalViolation)
 	highText := fmt.Sprintf("High %v%v %v", highValue, unit, highViolation)
 	mediumText := fmt.Sprintf("Medium %v%v %v", mediumValue, unit, mediumViolation)
 	lowText := fmt.Sprintf("Low %v%v %v", lowValue, unit, lowViolation)
+	if len(criticalViolation) > 0 {
+		insecureResults = append(insecureResults, criticalText)
+		log.Entry().Error(criticalText)
+	} else {
+		neutralResults = append(neutralResults, criticalText)
+		log.Entry().Info(criticalText)
+	}
 	if len(highViolation) > 0 {
 		insecureResults = append(insecureResults, highText)
 		log.Entry().Error(highText)
@@ -1191,6 +1220,13 @@ func (c *checkmarxOneExecuteScanHelper) enforceThresholds(results *map[string]in
 }
 
 func (c *checkmarxOneExecuteScanHelper) reportToInflux(results *map[string]interface{}) {
+	c.influx.checkmarxOne_data.fields.critical_issues = (*results)["Critical"].(map[string]int)["Issues"]
+	c.influx.checkmarxOne_data.fields.critical_not_false_postive = (*results)["Critical"].(map[string]int)["NotFalsePositive"]
+	c.influx.checkmarxOne_data.fields.critical_not_exploitable = (*results)["Critical"].(map[string]int)["NotExploitable"]
+	c.influx.checkmarxOne_data.fields.critical_confirmed = (*results)["Critical"].(map[string]int)["Confirmed"]
+	c.influx.checkmarxOne_data.fields.critical_urgent = (*results)["Critical"].(map[string]int)["Urgent"]
+	c.influx.checkmarxOne_data.fields.critical_proposed_not_exploitable = (*results)["Critical"].(map[string]int)["ProposedNotExploitable"]
+	c.influx.checkmarxOne_data.fields.critical_to_verify = (*results)["Critical"].(map[string]int)["ToVerify"]
 
 	c.influx.checkmarxOne_data.fields.high_issues = (*results)["High"].(map[string]int)["Issues"]
 	c.influx.checkmarxOne_data.fields.high_not_false_postive = (*results)["High"].(map[string]int)["NotFalsePositive"]
diff --git a/cmd/checkmarxOneExecuteScan_generated.go b/cmd/checkmarxOneExecuteScan_generated.go
diff --git a/pkg/checkmarxone/checkmarxone.go b/pkg/checkmarxone/checkmarxone.go
@@ -1356,6 +1356,7 @@ func (sys *SystemInstance) RequestNewReportV2(scanID, reportType string) (string
 		"filters": map[string][]string{
 			"scanners": {"sast"},
 			"severities": {
+				"critical",
 				"high",
 				"medium",
 				"low",
diff --git a/pkg/checkmarxone/reporting.go b/pkg/checkmarxone/reporting.go
@@ -94,6 +94,13 @@ func CreateCustomReport(data *map[string]interface{}, insecure, neutral []string
 		WithCounter: false,
 	}
 	detailRows := []reporting.OverviewRow{
+		{Description: "Critical issues", Details: fmt.Sprint((*data)["Critical"].(map[string]int)["Issues"])},
+		{Description: "Critical not false positive issues", Details: fmt.Sprint((*data)["Critical"].(map[string]int)["NotFalsePositive"])},
+		{Description: "Critical not exploitable issues", Details: fmt.Sprint((*data)["Critical"].(map[string]int)["NotExploitable"])},
+		{Description: "Critical confirmed issues", Details: fmt.Sprint((*data)["Critical"].(map[string]int)["Confirmed"])},
+		{Description: "Critical urgent issues", Details: fmt.Sprint((*data)["Critical"].(map[string]int)["Urgent"])},
+		{Description: "Critical proposed not exploitable issues", Details: fmt.Sprint((*data)["Critical"].(map[string]int)["ProposedNotExploitable"])},
+		{Description: "Critical to verify issues", Details: fmt.Sprint((*data)["Critical"].(map[string]int)["ToVerify"])},
 		{Description: "High issues", Details: fmt.Sprint((*data)["High"].(map[string]int)["Issues"])},
 		{Description: "High not false positive issues", Details: fmt.Sprint((*data)["High"].(map[string]int)["NotFalsePositive"])},
 		{Description: "High not exploitable issues", Details: fmt.Sprint((*data)["High"].(map[string]int)["NotExploitable"])},
@@ -152,6 +159,13 @@ func CreateJSONHeaderReport(data *map[string]interface{}) CheckmarxOneReportData
 	}
 
 	findings := []Finding{}
+	// Critical
+	criticalFindings := Finding{}
+	criticalFindings.ClassificationName = "Critical"
+	criticalFindings.Total = (*data)["Critical"].(map[string]int)["Issues"]
+	criticalAudited := (*data)["Critical"].(map[string]int)["Issues"] - (*data)["Critical"].(map[string]int)["NotFalsePositive"]
+	criticalFindings.Audited = &criticalAudited
+	findings = append(findings, criticalFindings)
 	// High
 	highFindings := Finding{}
 	highFindings.ClassificationName = "High"
diff --git a/pkg/checkmarxone/reporting_test.go b/pkg/checkmarxone/reporting_test.go
@@ -21,13 +21,20 @@ func TestCreateJSONReport(t *testing.T) {
 	resultMap["ProjectId"] = `f5702f86-b396-417f-82e2-4949a55d5382`
 	resultMap["ScanId"] = `21e40b36-0dd7-48e5-9768-da1a8f36c907`
 
+	resultMap["Critical"] = map[string]int{}
 	resultMap["High"] = map[string]int{}
 	resultMap["Medium"] = map[string]int{}
 	resultMap["Low"] = map[string]int{}
 	resultMap["Information"] = map[string]int{}
+
 	submap := map[string]int{}
 	submap["Issues"] = 10
 	submap["NotFalsePositive"] = 10
+	resultMap["Critical"] = submap
+
+	submap = map[string]int{}
+	submap["Issues"] = 10
+	submap["NotFalsePositive"] = 10
 	resultMap["High"] = submap
 
 	submap = map[string]int{}
@@ -74,7 +81,7 @@ func TestCreateJSONReport(t *testing.T) {
 	assert.Equal(t, "v1", reportingData.ToolVersion)
 	assert.Equal(t, "Incremental", reportingData.ScanType)
 
-	lowList := (*reportingData.Findings)[2].LowPerQuery
+	lowList := (*reportingData.Findings)[3].LowPerQuery
 	lowListLen := len(*lowList)
 	assert.Equal(t, 2, lowListLen)
 
diff --git a/resources/metadata/checkmarxOneExecuteScan.yaml b/resources/metadata/checkmarxOneExecuteScan.yaml
