zip over id

Author: siewer

src/main/java/io/mixeway/api/cicd/controller/CICDController.java

@@ -106,6 +106,13 @@ public ResponseEntity<Status> loadVulnsZap (@RequestBody ZapReportModel loadVuln
                                                 Principal principal) throws Exception {
         return cicdService.loadVulnZap(loadVulnModel,ciid,principal);
     }
+    @PreAuthorize("hasAuthority('ROLE_API')")
+    @PostMapping(value="/loadvulns/zap/{id}")
+    public ResponseEntity<Status> loadVulnsZap (@RequestBody ZapReportModel loadVulnModel,
+                                                @PathVariable(value = "id") Long id,
+                                                Principal principal) throws Exception {
+        return cicdService.loadVulnZapId(loadVulnModel,id,principal);
+    }
 
     /**
      * Validate State of security for given CodeProject and Branch

src/main/java/io/mixeway/api/cicd/service/CICDService.java

@@ -169,6 +169,16 @@ public ResponseEntity<Status> loadVulnZap(ZapReportModel loadVulnModel, String c
         return webAppScanService.prepareAndLoadZapVulns(loadVulnModel,ciid,principal);
     }
 
+    /**
+     * ZAP reports
+     */
+
+    @Transactional
+    public ResponseEntity<Status> loadVulnZapId(ZapReportModel loadVulnModel, Long id, Principal principal) throws ParseException {
+        log.info("ZAP DAST JSON report received for ID {}", id);
+        return webAppScanService.prepareAndLoadZapVulnsId(loadVulnModel,id,principal);
+    }
+
     public ResponseEntity<SecurityGatewayResponse> validate(LoadSCA loadSCA, Principal principal) throws UnknownHostException {
         Optional<CodeProject> codeProject = findCodeProjectService.findById(loadSCA.getCodeProjectId());
         if (codeProject.isPresent() && permissionFactory.canUserAccessProject(principal, codeProject.get().getProject())) {

src/main/java/io/mixeway/scanmanager/service/webapp/WebAppScanService.java

@@ -23,6 +23,7 @@
 import io.mixeway.utils.Status;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.log4j.Log4j2;
+import org.checkerframework.checker.nullness.Opt;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Service;
@@ -274,6 +275,24 @@ public ResponseEntity<Status> prepareAndLoadZapVulns(ZapReportModel loadVulnMode
         }
     }
 
+    public ResponseEntity<Status> prepareAndLoadZapVulnsId(ZapReportModel loadVulnModel, Long id, Principal principal) throws ParseException {
+        Optional<WebApp> webAppOptional = findWebAppService.findById(id);
+        if (loadVulnModel.getSite() != null && webAppOptional.isPresent()) {
+            WebApp webApp = webAppOptional.get();
+            List<ProjectVulnerability> oldVulns = vulnTemplate.projectVulnerabilityRepository.findByWebApp(webApp);
+            List<ProjectVulnerability> newVulns = ZapMapper(loadVulnModel,webApp);
+            zapVulnsRemove(oldVulns);
+            vulnTemplate.vulnerabilityPersistList(oldVulns, newVulns);
+            vulnTemplate.projectVulnerabilityRepository.deleteByStatus(vulnTemplate.STATUS_REMOVED);
+            log.info("[ZAP DAST] vulnerabilities loaded/updated/removed for webapp url {}",webApp.getUrl());
+            return new ResponseEntity<>(HttpStatus.OK);
+        }
+        else {
+            log.error("Malformed ZAP DAST JSON report.");
+            return new ResponseEntity<>(HttpStatus.BAD_REQUEST);
+        }
+    }
+
     public void createWebAppsForProject(Project project, RoutingDomain routingDomain) {
         Vulnerability vulnerability = vulnTemplate.vulnerabilityRepository.findByName(Constants.VULNERABILITY_HTTP_SERVER_DETECTED).orElse(null);
         if (vulnerability != null) {