checkmarx api

Author: siewer

src/main/java/io/mixeway/api/cicd/controller/CICDController.java

@@ -153,4 +153,15 @@ public ResponseEntity<?> loadKicsReport(@RequestBody KicsReport kicsReport,
                                                 Principal principal) throws UnknownHostException {
         return cicdService.loadKicsReport(kicsReport, codeProjectid, principal);
     }
+    /**
+     * Validate State of security for given CodeProject and Branch
+     */
+    @CrossOrigin(origins="*")
+    @PreAuthorize("hasAuthority('ROLE_API')")
+    @PostMapping(value = "/asset/{id}/checkmarx/start",produces = "application/json")
+    public ResponseEntity<?> startCheckmarxScan(@RequestBody ProjectMetadata projectMetadat,
+                                            @PathVariable("id") long codeProjectid,
+                                            Principal principal) throws UnknownHostException {
+        return cicdService.startCheckmarxScan(projectMetadat, codeProjectid, principal);
+    }
 }

src/main/java/io/mixeway/api/cicd/service/CICDService.java

@@ -256,4 +256,16 @@ public ResponseEntity<?> loadKicsReport(KicsReport kicsReport, long codeProjecti
         }
         return new ResponseEntity<>(HttpStatus.BAD_REQUEST);
     }
+
+    public ResponseEntity<?> startCheckmarxScan(ProjectMetadata projectMetadat, long codeProjectid, Principal principal) {
+        Optional<CodeProject> codeProject = findCodeProjectService.findById(codeProjectid);
+        if (codeProject.isPresent() && permissionFactory.canUserAccessProject(principal, codeProject.get().getProject())){
+            CodeProjectBranch codeProjectBranch = getOrCreateCodeProjectBranchService.getOrCreateCodeProjectBranch(codeProject.get(), projectMetadat.getBranch());
+            log.info("[CICD] Starting SAST scan for {} [{}]", codeProject.get().getName(), codeProject.get().getRepoUrl());
+            codeScanService.runScan(codeProject.get(),codeProjectBranch, projectMetadat, principal);
+        } else {
+            return new ResponseEntity<>(HttpStatus.NOT_FOUND);
+        }
+        return new ResponseEntity<>(HttpStatus.BAD_REQUEST);
+    }
 }

src/main/java/io/mixeway/scanmanager/integrations/checkmarx/apiclient/CheckmarxApiClient.java

@@ -97,6 +97,23 @@ public Boolean runScan(CodeProject codeProject) throws CertificateException, Unr
         }
     }
 
+    @Override
+    public Boolean runScan(CodeProject codeProject, CodeProjectBranch codeProjectBranch) throws CertificateException, UnrecoverableKeyException, NoSuchAlgorithmException, KeyManagementException, KeyStoreException, IOException, JSONException, ParseException {
+        Optional<Scanner> cxSast = scannerRepository.findByScannerType(scannerTypeRepository.findByNameIgnoreCase(Constants.SCANNER_TYPE_CHECKMARX)).stream().findFirst();
+        boolean hasToCreateProject = codeProject.getVersionIdAll() == 0 && codeProject.getRemoteid() ==0;
+        if (cxSast.isPresent()){
+            if (hasToCreateProject){
+                createProject(cxSast.get(),codeProject);
+            }
+            setGitRepositoryForProject(cxSast.get(),codeProject, codeProjectBranch);
+
+            return createScan(cxSast.get(),codeProject);
+        } else {
+            log.error("[Checkmarx] Checkmarx detected but no scanener found");
+            return false;
+        }
+    }
+
     /**
      * condition has to be fixed
      */
@@ -226,6 +243,28 @@ private void setGitRepositoryForProject(Scanner scanner, CodeProject codeProject
             log.error("[Checkmarx] Error setting GIT repo for project {} - {}",codeProject.getName(), e.getLocalizedMessage());
         }
     }
+    /**
+     * configure granch and git URL for
+     * @param scanner
+     * @param codeProject
+     */
+    private void setGitRepositoryForProject(Scanner scanner, CodeProject codeProject, CodeProjectBranch codeProjectBranch) throws CertificateException, UnrecoverableKeyException, NoSuchAlgorithmException, KeyManagementException, JSONException, KeyStoreException, ParseException, IOException {
+        CodeRequestHelper codeRequestHelper = prepareRestTemplate(scanner);
+        String passwordString = getPasswordStringForCodeProejct(codeProject);
+        HttpEntity<CxSetGitRepo> cxSetGitRepoHttpEntity = new HttpEntity<>(new CxSetGitRepo(codeProject, passwordString, codeProjectBranch), codeRequestHelper.getHttpEntity().getHeaders());
+        ObjectMapper mapper = new ObjectMapper();
+        log.debug("[Checkmarx] Setting git repo {}", mapper.writeValueAsString(cxSetGitRepoHttpEntity));
+        codeRequestHelper.setHttpEntity(cxSetGitRepoHttpEntity);
+        try {
+            int remoteId = (codeProject.getRemoteid() == 0) ? codeProject.getVersionIdAll() : (codeProject.getVersionIdAll() == 0) ? codeProject.getRemoteid() : codeProject.getVersionIdAll();
+            ResponseEntity<String> response = codeRequestHelper
+                    .getRestTemplate()
+                    .exchange(scanner.getApiUrl() + Constants.CX_GET_PROJECTS_API + "/" + remoteId + "/sourceCode/remoteSettings/git", HttpMethod.POST, codeRequestHelper.getHttpEntity(), String.class);
+            log.info("[Checkmarx] Setting GIT repo for {} result {}", codeProject.getName(), response.getStatusCode());
+        } catch (Exception e){
+            log.error("[Checkmarx] Error setting GIT repo for project {} - {}",codeProject.getName(), e.getLocalizedMessage());
+        }
+    }
 
     /**
      * get auth string for particular project:

src/main/java/io/mixeway/scanmanager/integrations/checkmarx/model/CxSetGitRepo.java

@@ -6,6 +6,7 @@
 package io.mixeway.scanmanager.integrations.checkmarx.model;
 
 import io.mixeway.db.entity.CodeProject;
+import io.mixeway.db.entity.CodeProjectBranch;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.NoArgsConstructor;
@@ -33,5 +34,13 @@ public CxSetGitRepo(CodeProject codeProject, String pass){
             this.branch = "refs/heads/" + codeProject.getBranch();
         }
     }
+    public CxSetGitRepo(CodeProject codeProject, String pass, CodeProjectBranch codeProjectBranch){
+        if (pass != null){
+            this.url ="https://"+pass+"@"+codeProject.getRepoUrl().split("://")[1];
+        } else {
+            this.url = codeProject.getRepoUrl();
+        }
+        this.branch = "refs/heads/" + codeProjectBranch.getName();
+    }
 
 }

src/main/java/io/mixeway/scanmanager/service/code/CodeScanClient.java

@@ -20,6 +20,7 @@
 public interface CodeScanClient {
     void loadVulnerabilities(Scanner scanner, String urlToGetNext, Boolean single, CodeProject codeProject, List<ProjectVulnerability> codeVulns, CodeProjectBranch codeProjectBranch) throws ParseException, JSONException, CertificateException, UnrecoverableKeyException, NoSuchAlgorithmException, KeyManagementException, KeyStoreException, IOException, URISyntaxException;
     Boolean runScan(CodeProject codeProject) throws CertificateException, UnrecoverableKeyException, NoSuchAlgorithmException, KeyManagementException, KeyStoreException, IOException, JSONException, ParseException;
+    Boolean runScan(CodeProject codeProject, CodeProjectBranch codeProjectBranch) throws CertificateException, UnrecoverableKeyException, NoSuchAlgorithmException, KeyManagementException, KeyStoreException, IOException, JSONException, ParseException;
     boolean isScanDone(CodeProject cp) throws CertificateException, UnrecoverableKeyException, NoSuchAlgorithmException, KeyManagementException, KeyStoreException, IOException, ParseException, JSONException;
     boolean canProcessRequest(CodeProject cp);
     boolean canProcessRequest(Scanner scanner);

src/main/java/io/mixeway/scanmanager/service/code/CodeScanService.java

@@ -261,6 +261,41 @@ public void runFromQueue() {
         }
     }
 
+    /**
+     * Get the CodeProjects and CodeGroups with inQueue=true
+     * Verify if scan can be run and then runs it.
+     */
+    @Transactional
+    public void runScan(CodeProject codeProject, CodeProjectBranch codeProjectBranch, ProjectMetadata projectMetadata, Principal principal) {
+        Optional<Scanner> codeScanner = getScannerService.getCodeScanners();
+        if (codeScanner.isPresent() && codeScanner.get().getStatus()) {
+            try {
+                if (operateOnCodeProject.canScanCodeProject(codeProject)) {
+                    for (CodeScanClient codeScanClient : codeScanClients) {
+                        if (codeScanClient.canProcessRequest(codeProject)) {
+                            log.info("[CodeScan] Starting scan form CICD [scope {}] {}", codeProject.getName(), codeProject.getName());
+                            codeProject = updateCodeProjectService.removeFromQueueAndStart(codeProject);
+                            codeScanClient.runScan( codeProject, codeProjectBranch);
+                            Scan scan = createScanService.createCodeScan(codeProject, projectMetadata.getBranch(),
+                                    projectMetadata.getCommitId(),Constants.SAST_LABEL,principal );
+                            CiOperations operations = createCiOperationsService.create(projectMetadata, codeProject);
+                            updateCiOperations.putScanOnAPipeline(operations, scan, securityQualityGateway.buildGatewayResponse(new ArrayList<>()));
+
+                            // TODO: create codescan
+                        }
+                    }
+                }
+            } catch (IndexOutOfBoundsException ex) {
+                log.debug("Fortify configuration missing");
+            } catch (HttpClientErrorException ex) {
+                log.warn("HttpClientErrorException with code [{}] during cloud scan job synchro ", ex.getStatusCode().toString());
+            } catch (ParseException | JSONException | CertificateException | UnrecoverableKeyException | NoSuchAlgorithmException | KeyManagementException | KeyStoreException | IOException e) {
+                log.warn("Exception came up during running scan {}", e.getLocalizedMessage());
+                e.printStackTrace();
+            }
+        }
+    }
+
 
     /**
      * Method which run scan for given parameters