Sonarqube filter params sdk 13.x #54
Conversation
|
👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎ This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored. |
.env.example
Outdated
| ENABLE_FINDINGS_INGESTION=true/false | ||
|
|
||
| # JUST FOR INFO: |
package-lock.json
Outdated
There was a problem hiding this comment.
This is a new file got committed. Is it required?
There was a problem hiding this comment.
Same as a yarn lock. Since we updated the package versions, we can have this.
src/ingestionConfig.ts
Outdated
| description: 'SonarQube Accounts', | ||
| defaultsToDisabled: false, | ||
| }, | ||
|
|
yarn.lock
Outdated
There was a problem hiding this comment.
is this file required to be modified?
There was a problem hiding this comment.
yes. I think since we have updated the version.
tsconfig.json
Outdated
| @@ -1,7 +1,8 @@ | |||
| { | |||
| "extends": "./node_modules/@jupiterone/integration-sdk-dev-tools/config/typescript", | |||
| "compilerOptions": { | |||
| "outDir": "dist" | |||
| "outDir": "dist", | |||
| "lib": ["dom"] | |||
There was a problem hiding this comment.
Without this change yarn test:ci was failing. Was not able to find some global variables. Which was basically coming from Dom Library.
|
| Findings | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Dependency: npm / fast-xml-parser@ 4.2.5 Vulnerability Information
|
||||||||||||||||
| Dependency Location https://github.com/JupiterOne/graph-sonarqube/blob/3f17bce98971aa6a7a0c795b354fa7f058b8c67b/yarn.lock |
Not a finding? Ignore it by adding a comment on the line with just the word noboost.
Scanner: boostsecurity - BoostSecurity osv-scanner
src/ingestionConfig.ts
Outdated
| [INGESTION_SOURCE_IDS.ACCOUNT]: { | ||
| title: 'Account', | ||
| description: 'SonarQube Accounts', | ||
| defaultsToDisabled: false, | ||
| }, |
There was a problem hiding this comment.
This ingestion source is not required, in general without account the rest of the steps wouldn't run, and we don't fetch anything so it's ok to always have it
src/instanceConfigFields.ts
Outdated
| severities: { | ||
| type: 'string', | ||
| mask: false, | ||
| optional: true, | ||
| }, | ||
| status: { | ||
| type: 'string', | ||
| mask: false, | ||
| optional: true, | ||
| }, | ||
| createdInLast: { | ||
| type: 'string', | ||
| mask: false, | ||
| optional: true, | ||
| }, | ||
| types: { | ||
| type: 'string', | ||
| mask: false, | ||
| optional: true, | ||
| }, |
There was a problem hiding this comment.
| severities: { | |
| type: 'string', | |
| mask: false, | |
| optional: true, | |
| }, | |
| status: { | |
| type: 'string', | |
| mask: false, | |
| optional: true, | |
| }, | |
| createdInLast: { | |
| type: 'string', | |
| mask: false, | |
| optional: true, | |
| }, | |
| types: { | |
| type: 'string', | |
| mask: false, | |
| optional: true, | |
| }, | |
| findingSeverities: { | |
| type: 'string', | |
| mask: false, | |
| optional: true, | |
| }, | |
| findingStatus: { | |
| type: 'string', | |
| mask: false, | |
| optional: true, | |
| }, | |
| findingsIngestSinceDays: { | |
| type: 'string', | |
| mask: false, | |
| optional: true, | |
| }, | |
| findingTypes: { | |
| type: 'string', | |
| mask: false, | |
| optional: true, | |
| }, |
.env.example
Outdated
| #To retrieve issues created during a time span before the current time (exclusive). Accepted units are 'y' for year, 'm' for month, 'w' for week and 'd' for day. If this parameter is set, createdAfter must not be set | ||
| # Example value: 1m2w (1 month 2 weeks) | ||
| CREATED_IN_LAST=10d # default value is 10 days |
There was a problem hiding this comment.
Please change this name to FINDINGS_INGEST_SINCE_DAYS and make it a number where options are 90, 180, 275, 365 (days). Then you can convert those to the format sonarqube expects when you send the request. This way we are not attached to using their format in our config.
Github example:
src/steps/finding/index.ts
Outdated
| function getSeverities(instanceConfig: SonarqubeIntegrationConfig) { | ||
| const { severities, apiVersion } = instanceConfig; | ||
| const severitiesSet = new Set( | ||
| severities?.split(',').map((severity) => FINDINGS_SEVERITIES[severity]), | ||
| ); | ||
|
|
||
| // V2 -> 10.4 or above version | ||
| if (apiVersion == APIVersion.V1) { | ||
| return severities ? severities.split(',') : V1_SEVERITIES_VALUES; | ||
| } | ||
| return severitiesSet.size === 0 | ||
| ? V2_SEVERITIES_VALUES | ||
| : Array.from(severitiesSet); | ||
| } |
There was a problem hiding this comment.
Can you validate the config for this in validateInvocation and parse it there instead? So when this step starts the config value is ready to use
Example: https://github.com/JupiterOne/integrations/blob/main/graph/graph-gitlab/src/config.ts#L70
src/steps/finding/index.ts
Outdated
| @@ -34,24 +95,38 @@ export async function fetchFindings({ | |||
| // We need to further filter our API calls in order to minimize the chances | |||
| // we'll hit the 10,000 limit impose by the API. We're currently filtering | |||
| // by project and severity. | |||
| for (const severity of severityList) { | |||
| for (const severity of severities) { | |||
src/steps/finding/index.ts
Outdated
| function getFilterParams( | ||
| instanceConfig: SonarqubeIntegrationConfig, | ||
| ): NodeJS.Dict<string | string[]> { | ||
| const { apiVersion, status, createdInLast, types } = instanceConfig; | ||
|
|
||
| let filterParams: NodeJS.Dict<string | string[]>; | ||
|
|
||
| if (apiVersion === APIVersion.V1) { | ||
| // V1 -> below 10.4 version | ||
| filterParams = { | ||
| status, | ||
| types, | ||
| }; | ||
| } else { | ||
| const statusesSet = new Set( | ||
| status?.split(',').map((status) => FINDING_STATUSES[status]), | ||
| ); | ||
| const typesSet = new Set( | ||
| types?.split(',').map((type) => FINDING_TYPES[type]), | ||
| ); | ||
| filterParams = { | ||
| issueStatuses: Array.from(statusesSet).join(','), | ||
| impactSoftwareQualities: Array.from(typesSet).join(','), | ||
| }; | ||
| } | ||
| filterParams['createdInLast'] = createdInLast || DEFAULT_CREATED_IN_LAST; | ||
| return filterParams; | ||
| } |
There was a problem hiding this comment.
Same as with severities, it should be validated and parsed in validateInvocation
src/types.ts
Outdated
| severities?: string; | ||
| status?: string; | ||
| createdInLast?: string; | ||
| types?: string; |
There was a problem hiding this comment.
| severities?: string; | |
| status?: string; | |
| createdInLast?: string; | |
| types?: string; | |
| findingSeverities?: string[]; | |
| findingStatus?: string[]; | |
| findingsIngestSinceDays?: number; | |
| findingTypes?: string[]; |
| @@ -21,6 +79,9 @@ export async function fetchFindings({ | |||
| }: IntegrationStepExecutionContext<SonarqubeIntegrationConfig>) { | |||
| const client = createSonarqubeClient(instance.config, logger); | |||
|
|
|||
| const severities = getSeverities(instance.config); | |||
| const filterParams = getFilterParams(instance.config); | |||
There was a problem hiding this comment.
can you make sure we don't send any of these if they come undefined in instanceConfig instead of using defaults? so only new instances use those filters
There was a problem hiding this comment.
I have removed the function getSeverities. For getFilterParams, we will use the values only if they are present; otherwise, we will not include anything in filterParams.
src/steps/account/index.ts
Outdated
| @@ -19,6 +24,7 @@ export const accountSteps: IntegrationStep<SonarqubeIntegrationConfig>[] = [ | |||
| { | |||
| id: Steps.ACCOUNT, | |||
| name: 'Fetch Account', | |||
| ingestionSourceId: INGESTION_SOURCE_IDS.ACCOUNT, | |||
src/steps/constants.ts
Outdated
| }; | ||
|
|
||
| export const INGESTION_SOURCE_IDS = { | ||
| ACCOUNT: 'accounts', |
src/steps/finding/index.ts
Outdated
| filterParams['createdInLast'] = | ||
| `${findingsIngestSinceDays || DEFAULT_FINDING_INGEST_SINCE_DAYS}d`; |
There was a problem hiding this comment.
we should also not filter by this if there's no config set for it
|
Report too large to display inline |
filter params added
JIra Ticket: IA-153