kics reports

Author: siewer

src/main/java/io/mixeway/api/cicd/controller/CICDController.java

@@ -1,6 +1,7 @@
 package io.mixeway.api.cicd.controller;
 
 import io.mixeway.api.cicd.model.GitleaksReport;
+import io.mixeway.api.cicd.model.KicsReport;
 import io.mixeway.api.cicd.model.LoadSCA;
 import io.mixeway.api.cicd.model.ProjectMetadata;
 import io.mixeway.api.cicd.service.CICDService;
@@ -140,4 +141,16 @@ public ResponseEntity<?> loadScaVulns(@RequestBody ProjectMetadata projectMetada
                                           Principal principal) throws IOException, UnrecoverableKeyException, CertificateException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException {
         return cicdService.loadScaVulns(projectMetadata, codeProjectid, principal);
     }
+
+    /**
+     * Validate State of security for given CodeProject and Branch
+     */
+    @CrossOrigin(origins="*")
+    @PreAuthorize("hasAuthority('ROLE_API')")
+    @PostMapping(value = "/asset/{id}/kics",produces = "application/json")
+    public ResponseEntity<?> loadKicsReport(@RequestBody KicsReport kicsReport,
+                                                @PathVariable("id") long codeProjectid,
+                                                Principal principal) throws UnknownHostException {
+        return cicdService.loadKicsReport(kicsReport, codeProjectid, principal);
+    }
 }

src/main/java/io/mixeway/api/cicd/model/KicsFile.java

@@ -0,0 +1,20 @@
+package io.mixeway.api.cicd.model;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+
+@Getter
+@Setter
+@NoArgsConstructor
+public class KicsFile {
+    @JsonProperty("file_name")
+    String name;
+    @JsonProperty("line")
+    int line;
+    @JsonProperty("expected_value")
+    String expectedValue;
+    @JsonProperty("actual_value")
+    String actualValue;
+}

src/main/java/io/mixeway/api/cicd/model/KicsQuery.java

@@ -0,0 +1,25 @@
+package io.mixeway.api.cicd.model;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+
+import java.util.List;
+
+@Getter
+@Setter
+@NoArgsConstructor
+public class KicsQuery {
+    @JsonProperty("query_name")
+    String name;
+    @JsonProperty("severity")
+    String severity;
+    @JsonProperty("category")
+    String category;
+    @JsonProperty("description")
+    String description;
+    @JsonProperty("files")
+    List<KicsFile> files;
+
+}

src/main/java/io/mixeway/api/cicd/model/KicsReport.java

@@ -0,0 +1,18 @@
+package io.mixeway.api.cicd.model;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+
+import java.util.List;
+
+@Getter
+@Setter
+@NoArgsConstructor
+public class KicsReport {
+    ProjectMetadata projectMetadata;
+    KicsReportEntry findings;
+
+
+}

src/main/java/io/mixeway/api/cicd/model/KicsReportEntry.java

@@ -0,0 +1,20 @@
+package io.mixeway.api.cicd.model;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+
+import java.util.List;
+
+@Getter
+@Setter
+@NoArgsConstructor
+public class KicsReportEntry {
+    @JsonProperty("total_counter")
+    int total;
+    @JsonProperty("queries")
+    List<KicsQuery> queries;
+
+
+}

src/main/java/io/mixeway/api/cicd/service/CICDService.java

@@ -1,6 +1,7 @@
 package io.mixeway.api.cicd.service;
 
 import io.mixeway.api.cicd.model.GitleaksReport;
+import io.mixeway.api.cicd.model.KicsReport;
 import io.mixeway.api.cicd.model.LoadSCA;
 import io.mixeway.api.cicd.model.ProjectMetadata;
 import io.mixeway.api.cioperations.model.ZapReportModel;
@@ -240,4 +241,19 @@ public ResponseEntity<?> loadScaVulns(ProjectMetadata projectMetadata, long code
         }
         return new ResponseEntity<>(HttpStatus.BAD_REQUEST);
     }
+
+    public ResponseEntity<?> loadKicsReport(KicsReport kicsReport, long codeProjectid, Principal principal) {
+        Optional<CodeProject> codeProject = findCodeProjectService.findById(codeProjectid);
+        if (codeProject.isPresent() && permissionFactory.canUserAccessProject(principal, codeProject.get().getProject())){
+            log.info("[CICD] Received KICS raport that contains {} findings for {} [{}]", kicsReport.getFindings().getTotal(), codeProject.get().getName(), codeProject.get().getRepoUrl());
+            if (kicsReport.getFindings().getTotal() > 0 ){
+                codeScanService.loadKicsReport(kicsReport, codeProject.get(), principal);
+            } else {
+                codeScanService.loadVulnsFromCICDToCodeProject(codeProject.get(), new ArrayList<>(), ScannerType.IAC);
+            }
+        } else {
+            return new ResponseEntity<>(HttpStatus.NOT_FOUND);
+        }
+        return new ResponseEntity<>(HttpStatus.BAD_REQUEST);
+    }
 }

src/main/java/io/mixeway/scanmanager/service/code/CodeScanService.java

@@ -1,7 +1,6 @@
 package io.mixeway.scanmanager.service.code;
 
-import io.mixeway.api.cicd.model.GitleaksReport;
-import io.mixeway.api.cicd.model.GitleaksReportEntry;
+import io.mixeway.api.cicd.model.*;
 import io.mixeway.config.Constants;
 import io.mixeway.db.entity.*;
 import io.mixeway.db.entity.Scanner;
@@ -506,4 +505,43 @@ public void loadGitleaksReport(GitleaksReport gitleaksReport, CodeProject codePr
         updateCiOperations.putScanOnAPipeline(operations, scan, securityQualityGateway.buildGatewayResponse(vulnToPersist));
 
     }
+
+    public void loadKicsReport(KicsReport kicsReport, CodeProject codeProject, Principal principal) {
+        CodeProjectBranch codeProjectBranch = getOrCreateCodeProjectBranchService
+                .getOrCreateCodeProjectBranch(
+                        codeProject,
+                        kicsReport.getProjectMetadata().getBranch()
+                );
+        List<ProjectVulnerability> oldVulnsForCodeProject = getProjectVulnerabilitiesService
+                .getOldVulnsForCodeProjectAndSourceForBranch(
+                        codeProject,
+                        vulnTemplate.SOURCE_IAC,
+                        codeProjectBranch
+                );
+        List<ProjectVulnerability> vulnToPersist = new ArrayList<>();
+            for (KicsQuery query : kicsReport.getFindings().getQueries()){
+                Vulnerability vulnerability = vulnTemplate.createOrGetVulnerabilityService.createOrGetVulnerability(query.getName());
+
+                for (KicsFile file : query.getFiles()){
+                    String description = query.getDescription() +
+                            "\n\n" +
+                            "Category: " +
+                            query.getCategory() +
+                            "\n" +
+                            "Evidence: " +
+                            file.getActualValue();
+                    ProjectVulnerability projectVulnerability = new ProjectVulnerability(codeProject,codeProject,vulnerability, description,file.getExpectedValue(),
+                            Constants.VULN_CRITICALITY_CRITICAL,null,file.getName()+":"+file.getLine(),
+                            "", vulnTemplate.SOURCE_IAC, null,codeProjectBranch );
+
+                    vulnToPersist.add(projectVulnerability);
+                }
+            }
+
+        vulnTemplate.vulnerabilityPersistList(oldVulnsForCodeProject, vulnToPersist);
+        Scan scan = createScanService.createCodeScan(codeProject, codeProjectBranch.getName(), kicsReport.getProjectMetadata().getCommitId(),
+                Constants.IAC_LABEL, principal);
+        CiOperations operations = createCiOperationsService.create(kicsReport.getProjectMetadata(), codeProject);
+        updateCiOperations.putScanOnAPipeline(operations, scan, securityQualityGateway.buildGatewayResponse(vulnToPersist));
+    }
 }