Merge pull request #2974 from mercedes-benz/develop

Merge `develop` into `master` for cx-wrapper release
mercedes-benz · Mar 6, 2024 · 0076cf7 · 0076cf7
2 parents 9772801 + 9118c3e
commit 0076cf7
Show file tree

Hide file tree

Showing 11 changed files with 366 additions and 10 deletions.
diff --git a/gradle/build-versioning.gradle b/gradle/build-versioning.gradle
@@ -147,27 +147,82 @@ def buildVersionFiles(){
     // ------------------------
     // - PDS tools
     // ------------------------
-    def pdsToolsVersionInfo = versionData.defineVersion("PDS-Tools",buildVersionString(pdsToolsVersionCommitTag, hasChanged,buildNumber),pdsToolsVersionCommitTag)
+
+    // Get latest tagged pds-tools version
+    def latestPDSToolsTagCmd = [
+      'sh',
+      '-c',
+      'git tag -l --sort=-creatordate | grep -e \'^v.*-pds-tools$\' | head -1'
+    ]
+    def latestPDSToolsTag = latestPDSToolsTagCmd.execute().text.trim()
+    def latestPDSToolsVersion = latestPDSToolsTag - 'v'
+    latestPDSToolsVersion = latestPDSToolsVersion - "-pds-tools"
+
+    def pdsToolsVersionInfo = versionData.defineVersion("PDS-Tools",buildVersionString(pdsToolsVersionCommitTag, hasChanged,buildNumber),latestPDSToolsVersion)
 
     // ------------------------
     // - Libraries
     // ------------------------
-    def librariesVersionInfo =  versionData.defineVersion("Libraries",buildVersionString(librariesVersionCommitTag, hasChanged,buildNumber),librariesVersionCommitTag)
+
+    // Get latest tagged libraries version
+    def latestLibrariesTagCmd = [
+      'sh',
+      '-c',
+      'git tag -l --sort=-creatordate | grep -e \'^v.*-libraries$\' | head -1'
+    ]
+    def latestLibrariesTag = latestLibrariesTagCmd.execute().text.trim()
+    def latestLibrariesVersion = latestLibrariesTag - 'v'
+    latestLibrariesVersion = latestLibrariesVersion - "-libraries"
+
+    def librariesVersionInfo =  versionData.defineVersion("Libraries",buildVersionString(librariesVersionCommitTag, hasChanged,buildNumber),latestLibrariesVersion)
 
     // ------------------------
     // - Checkmarx wrapper
     // ------------------------
-    def checkmarxWrapperVersionInfo = versionData.defineVersion("Checkmarx Wrapper",buildVersionString(checkmarxWrapperVersionCommitTag, hasChanged, buildNumber),checkmarxWrapperVersionCommitTag)
+
+    // Get latest tagged checkmarx-wrapper version
+    def latestCxWrapperTagCmd = [
+      'sh',
+      '-c',
+      'git tag -l --sort=-creatordate | grep -e \'^v.*-checkmarx-wrapper$\' | head -1'
+    ]
+    def latestCxWrapperTag = latestCxWrapperTagCmd.execute().text.trim()
+    def latestCxWrapperVersion = latestCxWrapperTag - 'v'
+    latestCxWrapperVersion = latestCxWrapperVersion - "-checkmarx-wrapper"
+
+    def checkmarxWrapperVersionInfo = versionData.defineVersion("Checkmarx Wrapper",buildVersionString(checkmarxWrapperVersionCommitTag, hasChanged, buildNumber),latestCxWrapperVersion)
 
     // ------------------------
     // - OWASP-ZAP wrapper
     // ------------------------
-    def owaspzapWrapperVersionInfo = versionData.defineVersion("OWASP-ZAP Wrapper",buildVersionString(owaspzapWrapperVersionCommitTag, hasChanged, buildNumber),owaspzapWrapperVersionCommitTag)
+
+    // Get latest tagged owaspzap-wrapper version
+    def latestZapWrapperTagCmd = [
+      'sh',
+      '-c',
+      'git tag -l --sort=-creatordate | grep -e \'^v.*-zap-wrapper$\' | head -1'
+    ]
+    def latestZapWrapperTag = latestZapWrapperTagCmd.execute().text.trim()
+    def latestZapWrapperVersion = latestZapWrapperTag - 'v'
+    latestZapWrapperVersion = latestZapWrapperVersion - "-owaspzap-wrapper"
+
+    def owaspzapWrapperVersionInfo = versionData.defineVersion("OWASP-ZAP Wrapper",buildVersionString(owaspzapWrapperVersionCommitTag, hasChanged, buildNumber),latestZapWrapperVersion)
 
     // ------------------------
     // - XRAY wrapper
     // ------------------------
-    def xrayWrapperVersionInfo = versionData.defineVersion("XRAY Wrapper",buildVersionString(xrayWrapperVersionCommitTag, hasChanged, buildNumber),xrayWrapperVersionCommitTag)
+
+    // Get latest tagged xray-wrapper version
+    def latestXrayWrapperTagCmd = [
+      'sh',
+      '-c',
+      'git tag -l --sort=-creatordate | grep -e \'^v.*-xray-wrapper$\' | head -1'
+    ]
+    def latestXrayWrapperTag = latestXrayWrapperTagCmd.execute().text.trim()
+    def latestXrayWrapperVersion = latestXrayWrapperTag - 'v'
+    latestXrayWrapperVersion = latestXrayWrapperVersion - "-xray-wrapper"
+
+    def xrayWrapperVersionInfo = versionData.defineVersion("XRAY Wrapper",buildVersionString(xrayWrapperVersionCommitTag, hasChanged, buildNumber),latestXrayWrapperVersion)
 
 
     def stop = new Date()

diff --git a/...com/mercedesbenz/sechub/integrationtest/scenario20/PDSSecretScanJobScenario20IntTest.java b/...com/mercedesbenz/sechub/integrationtest/scenario20/PDSSecretScanJobScenario20IntTest.java
@@ -59,6 +59,7 @@ public void run_pds_secret_scan_and_download_report_via_rest_mark_finding_0_as_f
     	          hasId(expectedFindingId).
     	          hasScanType(ScanType.SECRET_SCAN).
     	          hasDescription("generic-api-key has detected secret for file UnSAFE_Bank/Backend/docker-compose.yml.").
+    	          hasName("Generic API Key").
     	          codeCall(0).
     	              hasColumn(14).
     	              hasLine(12).

diff --git a/.../src/main/java/com/mercedesbenz/sechub/sereco/importer/GitleaksSarifImportWorkaround.java b/.../src/main/java/com/mercedesbenz/sechub/sereco/importer/GitleaksSarifImportWorkaround.java
@@ -0,0 +1,39 @@
+// SPDX-License-Identifier: MIT
+package com.mercedesbenz.sechub.sereco.importer;
+
+import org.springframework.stereotype.Component;
+
+import de.jcup.sarif_2_1_0.model.ReportingDescriptor;
+import de.jcup.sarif_2_1_0.model.Run;
+import de.jcup.sarif_2_1_0.model.Tool;
+import de.jcup.sarif_2_1_0.model.ToolComponent;
+
+@Component
+public class GitleaksSarifImportWorkaround implements SarifImportProductWorkaround {
+
+    @Override
+    public String resolveType(ReportingDescriptor rule, Run run) {
+        if (rule == null) {
+            return null;
+        }
+        if (isGitleaksRun(run)) {
+            return rule.getName();
+        }
+        return null;
+    }
+
+    private boolean isGitleaksRun(Run run) {
+        if (run == null) {
+            return false;
+        }
+        Tool tool = run.getTool();
+        if (tool == null) {
+            return false;
+        }
+        ToolComponent driver = tool.getDriver();
+        if (driver == null) {
+            return false;
+        }
+        return "gitleaks".equalsIgnoreCase(driver.getName());
+    }
+}
diff --git a/...o/src/main/java/com/mercedesbenz/sechub/sereco/importer/SarifImportProductWorkaround.java b/...o/src/main/java/com/mercedesbenz/sechub/sereco/importer/SarifImportProductWorkaround.java
@@ -0,0 +1,20 @@
+// SPDX-License-Identifier: MIT
+package com.mercedesbenz.sechub.sereco.importer;
+
+import de.jcup.sarif_2_1_0.model.ReportingDescriptor;
+import de.jcup.sarif_2_1_0.model.Run;
+
+public interface SarifImportProductWorkaround {
+
+    /**
+     * Resolve type from SARIF rule and SARIF run.
+     *
+     * @param rule
+     * @param run
+     * @return Resolve type or <code>null</code> if type could not be resolved by
+     *         this workaround.
+     */
+    public default String resolveType(ReportingDescriptor rule, Run run) {
+        return null;
+    }
+}
diff --git a/...ain/java/com/mercedesbenz/sechub/sereco/importer/SarifImportProductWorkaroundSupport.java b/...ain/java/com/mercedesbenz/sechub/sereco/importer/SarifImportProductWorkaroundSupport.java
@@ -0,0 +1,39 @@
+// SPDX-License-Identifier: MIT
+package com.mercedesbenz.sechub.sereco.importer;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+import de.jcup.sarif_2_1_0.model.ReportingDescriptor;
+import de.jcup.sarif_2_1_0.model.Run;
+
+/**
+ * Support to handle any kind of workaround for SARIF imports.
+ */
+@Component
+public class SarifImportProductWorkaroundSupport {
+
+    @Autowired
+    List<SarifImportProductWorkaround> workarounds = new ArrayList<>();
+
+    /**
+     * Resolve type from SARIF rule and SARIF run.
+     *
+     * @param rule
+     * @param run
+     * @return Resolved type or <code>null</code> if type could not be resolved by
+     *         any available workaround.
+     */
+    public String resolveType(ReportingDescriptor rule, Run run) {
+        for (SarifImportProductWorkaround workaround : workarounds) {
+            String resolvedType = workaround.resolveType(rule, run);
+            if (resolvedType != null) {
+                return resolvedType;
+            }
+        }
+        return null;
+    }
+}
diff --git a/sechub-sereco/src/main/java/com/mercedesbenz/sechub/sereco/importer/SarifV1JSONImporter.java b/sechub-sereco/src/main/java/com/mercedesbenz/sechub/sereco/importer/SarifV1JSONImporter.java
@@ -11,6 +11,7 @@
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
 import com.mercedesbenz.sechub.commons.core.util.SimpleStringUtils;
@@ -67,6 +68,9 @@ public class SarifV1JSONImporter extends AbstractProductResultImporter {
     SarifSchema210ImportExportSupport sarifSchema210ImportExportSupport;
     SarifSchema210LogicSupport sarifSchema210LogicSupport;
 
+    @Autowired
+    protected SarifImportProductWorkaroundSupport workaroundSupport;
+
     public SarifV1JSONImporter() {
         sarifSchema210ImportExportSupport = new SarifSchema210ImportExportSupport();
         sarifSchema210LogicSupport = new SarifSchema210LogicSupport();
@@ -343,10 +347,14 @@ private String resolveType(ReportingDescriptor rule, Run run) {
         if (rule == null) {
             return "error:rule==null!";
         }
-        String type = null;
-        MultiformatMessageString shortDescription = rule.getShortDescription();
-        if (shortDescription != null) {
-            type = shortDescription.getText();
+
+        String type = workaroundSupport.resolveType(rule, run);
+
+        if (type == null) {
+            MultiformatMessageString shortDescription = rule.getShortDescription();
+            if (shortDescription != null) {
+                type = shortDescription.getText();
+            }
         }
 
         if (type == null) {

diff --git a/.../test/java/com/mercedesbenz/sechub/sereco/importer/GitleaksSarifImportWorkaroundTest.java b/.../test/java/com/mercedesbenz/sechub/sereco/importer/GitleaksSarifImportWorkaroundTest.java
@@ -0,0 +1,104 @@
+// SPDX-License-Identifier: MIT
+package com.mercedesbenz.sechub.sereco.importer;
+
+import static org.junit.Assert.assertNull;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import org.junit.jupiter.api.Test;
+
+import de.jcup.sarif_2_1_0.model.ReportingDescriptor;
+import de.jcup.sarif_2_1_0.model.Run;
+import de.jcup.sarif_2_1_0.model.Tool;
+import de.jcup.sarif_2_1_0.model.ToolComponent;
+
+class GitleaksSarifImportWorkaroundTest {
+
+    private GitleaksSarifImportWorkaround workaroundToTest = new GitleaksSarifImportWorkaround();
+
+    @Test
+    void rule_is_null_results_in_resolved_type_is_null() {
+        /* execute */
+        String resolvedType = workaroundToTest.resolveType(null, new Run());
+
+        /* test */
+        assertNull(resolvedType);
+    }
+
+    @Test
+    void run_is_null_results_in_resolved_type_is_null() {
+        /* execute */
+        String resolvedType = workaroundToTest.resolveType(new ReportingDescriptor(), null);
+
+        /* test */
+        assertNull(resolvedType);
+    }
+
+    @Test
+    void run_tool_is_null_results_in_resolved_type_is_null() {
+        /* prepare */
+        Run run = new Run();
+        run.setTool(null);
+
+        /* execute */
+        String resolvedType = workaroundToTest.resolveType(new ReportingDescriptor(), run);
+
+        /* test */
+        assertNull(resolvedType);
+    }
+
+    @Test
+    void run_tool_driver_is_null_results_in_resolved_type_is_null() {
+        /* prepare */
+        Run run = new Run();
+        Tool tool = new Tool();
+        tool.setDriver(null);
+        run.setTool(tool);
+
+        /* execute */
+        String resolvedType = workaroundToTest.resolveType(new ReportingDescriptor(), run);
+
+        /* test */
+        assertNull(resolvedType);
+    }
+
+    @Test
+    void run_tool_driver_name_is_gitleaks_results_in_resolved_type_is_rule_name() {
+        /* prepare */
+        Run run = new Run();
+        Tool tool = new Tool();
+        ToolComponent driver = new ToolComponent();
+        driver.setName("gitleaks");
+        tool.setDriver(driver);
+        run.setTool(tool);
+
+        ReportingDescriptor rule = new ReportingDescriptor();
+        rule.setName("GitHub Personal Access Token");
+
+        /* execute */
+        String resolvedType = workaroundToTest.resolveType(rule, run);
+
+        /* test */
+        assertEquals(rule.getName(), resolvedType);
+    }
+
+    @Test
+    void run_tool_driver_name_is_NOT_gitleaks_results_in_resolved_type_is_null() {
+        /* prepare */
+        Run run = new Run();
+        Tool tool = new Tool();
+        ToolComponent driver = new ToolComponent();
+        driver.setName("random-name");
+        tool.setDriver(driver);
+        run.setTool(tool);
+
+        ReportingDescriptor rule = new ReportingDescriptor();
+        rule.setName("GitHub Personal Access Token");
+
+        /* execute */
+        String resolvedType = workaroundToTest.resolveType(rule, run);
+
+        /* test */
+        assertNull(resolvedType);
+    }
+
+}