
Merge develop into master for release #3344

Merged, 76 commits, Aug 8, 2024
Changes from 1 commit

Commits (76):
41b36f0
chore(action): bind debug input to action debug
fty4 Jan 17, 2024
ecc46e5
Bump braces from 3.0.2 to 3.0.3 in /sechub-website
dependabot[bot] Jun 11, 2024
379fbe9
Bump ws from 8.16.0 to 8.17.1 in /sechub-website
dependabot[bot] Jun 18, 2024
5f6f809
First version of secret validation app #3141
winzj May 29, 2024
a16097a
Extend SarifV1JSONImporter to enable import of custom gitleaks proper…
winzj Jul 8, 2024
aadb93f
Merge pull request #3295 from mercedes-benz/master
haerter-tss Jul 10, 2024
523b01a
Added build and release steps
haerter-tss Jul 11, 2024
45653a5
Apply suggestions from code review
haerter-tss Jul 11, 2024
a9efbb4
Add PDS prepare mock #3297 (#3298)
lorriborri Jul 11, 2024
90cd88c
Documentation Update for Formatter set up
lorriborri Jul 11, 2024
f933347
SPDX headers added by SecHub release job @github-actions
haerter-tss Jul 10, 2024
ec4bfa1
docs update by SecHub release job @github-actions
haerter-tss Jul 10, 2024
ccd5ef0
Corrected release file
haerter-tss Jul 11, 2024
84b7bb0
Merge branch 'develop' into feature-3290-release-and-build-pds-prepare
haerter-tss Jul 12, 2024
c8de41b
Merge pull request #3296 from mercedes-benz/feature-3290-release-and-…
haerter-tss Jul 12, 2024
fe49964
Bump peter-evans/create-pull-request from 6.0.5 to 6.1.0
dependabot[bot] Jul 12, 2024
0c6c5c8
Fixed incorrect naming of wrapper
haerter-tss Jul 12, 2024
07c0326
Merge pull request #3301 from mercedes-benz/feature-3300-bug-in-prepa…
haerter-tss Jul 12, 2024
1b293f2
Corrected prepare wrapper version
haerter-tss Jul 15, 2024
27bfd05
Merge pull request #3303 from mercedes-benz/feature-3302-fix-prepare-…
haerter-tss Jul 15, 2024
4833b87
Generate client and models from sechub-openapi-java #3238 (#3305)
hamidonos Jul 15, 2024
634bd5b
cleanup empty files when remote-data-section #3307
sven-dmlr Jul 15, 2024
c19b4a0
Bump gradle/actions from 3.4.2 to 3.5.0
dependabot[bot] Jul 15, 2024
2379118
Bump actions/setup-go from 5.0.1 to 5.0.2
dependabot[bot] Jul 15, 2024
cd71667
Bump actions/setup-node from 4.0.0 to 4.0.3
dependabot[bot] Jul 15, 2024
f8b4c2a
Merge pull request #3308 from mercedes-benz/feature-3307-client-no-up…
sven-dmlr Jul 16, 2024
af0da40
Merge pull request #3214 from mercedes-benz/dependabot/npm_and_yarn/s…
sven-dmlr Jul 16, 2024
c4df985
Merge pull request #3230 from mercedes-benz/dependabot/npm_and_yarn/s…
sven-dmlr Jul 16, 2024
7271101
Merge pull request #3251 from mercedes-benz/dependabot/github_actions…
sven-dmlr Jul 16, 2024
1fe9d7b
Merge pull request #3309 from mercedes-benz/dependabot/github_actions…
sven-dmlr Jul 16, 2024
87cb4a5
Merge pull request #3310 from mercedes-benz/dependabot/github_actions…
sven-dmlr Jul 16, 2024
65593d3
Merge pull request #3311 from mercedes-benz/dependabot/github_actions…
sven-dmlr Jul 16, 2024
16ca294
PR review changes #3280
winzj Jul 17, 2024
dd83c4a
Merge branch 'develop' into feature-3141-implement-first-version-of-s…
winzj Jul 17, 2024
d3f04ae
Update gradle files after merge conflict #3280
winzj Jul 17, 2024
4a6e216
PR review changes part two #3280
winzj Jul 18, 2024
916ba1b
Fix renaming #3280
winzj Jul 19, 2024
39bcf40
Update gitleaks version and fix workaround for custom rules #3314
winzj Jul 22, 2024
d344b4f
Bump docker/login-action from 3.2.0 to 3.3.0
dependabot[bot] Jul 22, 2024
f191ce4
Add MIT headers #3280
winzj Jul 23, 2024
cd4c714
Merge pull request #3317 from mercedes-benz/dependabot/github_actions…
sven-dmlr Jul 23, 2024
69f7bd5
Merge pull request #2829 from fty4/chore/action/debug-actions-step-debug
sven-dmlr Jul 23, 2024
03832d4
Make configuration properties immutable #3280
winzj Jul 24, 2024
342ec41
Change string to file and add tests #3280
winzj Jul 24, 2024
f9c5051
added archive extraction parameters #3318
sven-dmlr Jul 24, 2024
c75ff37
Merge pull request #3315 from mercedes-benz/feature-3314-update-gitle…
winzj Jul 25, 2024
f48fab7
added missing var to envWhitelist #3324
sven-dmlr Jul 25, 2024
ec30774
added archive extraction parameters #3318
sven-dmlr Jul 26, 2024
9ff9734
variable passing fixed #3327
sven-dmlr Jul 29, 2024
1e12d19
added archive extraction parameters #3318
sven-dmlr Jul 29, 2024
30e6a31
variable passing fixed #3328
sven-dmlr Jul 30, 2024
5e293b6
added archive extraction parameters #3318
sven-dmlr Jul 30, 2024
cc56b3c
image scripts adapted #3224
sven-dmlr Jul 30, 2024
acfe8fd
eliminated multiple declarations of wrapper version #3302
sven-dmlr Jul 31, 2024
713b727
Merge pull request #3325 from mercedes-benz/feature-3318-pds-solution…
sven-dmlr Jul 31, 2024
6ac28ae
pds-solutions: eliminate multiply defined params #3329
sven-dmlr Jul 31, 2024
66ef642
Merge pull request #3330 from mercedes-benz/feature-3329-pds-solution…
sven-dmlr Jul 31, 2024
0b5359c
PR review changes #3280
winzj Aug 5, 2024
2a93245
Merge pull request #3280 from mercedes-benz/feature-3141-implement-fi…
winzj Aug 5, 2024
173dc36
SecHub data encryption #3250 (#3254)
de-jcup Aug 5, 2024
bc38eb2
Bump @nuxt/devtools from 1.0.8 to 1.3.9 in /sechub-website
dependabot[bot] Aug 5, 2024
3ba81b0
Bump actions/setup-java from 4.2.1 to 4.2.2
dependabot[bot] Aug 5, 2024
2f88375
Bump gradle/actions from 3.5.0 to 4
dependabot[bot] Aug 5, 2024
fa8455c
Improve documentation #3338
winzj Aug 6, 2024
df96a3d
Update documentation #3338
winzj Aug 6, 2024
440eb78
ArchUnit tests for SecHub
lorriborri Aug 7, 2024
6ac49c2
Changed default time for accepted outdated encryption pool entry #3342
de-jcup Aug 7, 2024
0ca3a79
Merge pull request #3343 from mercedes-benz/feature-3342-change-accep…
de-jcup Aug 7, 2024
68ec11d
Merge pull request #3337 from mercedes-benz/dependabot/github_actions…
sven-dmlr Aug 7, 2024
013af97
Merge pull request #3336 from mercedes-benz/dependabot/github_actions…
sven-dmlr Aug 7, 2024
a5c73c9
Merge pull request #3335 from mercedes-benz/dependabot/npm_and_yarn/s…
sven-dmlr Aug 7, 2024
1ff40b4
Bump nuxt from 3.10.3 to 3.12.4 in /sechub-website
dependabot[bot] Aug 7, 2024
a83ef1c
Merge pull request #3334 from mercedes-benz/dependabot/npm_and_yarn/s…
sven-dmlr Aug 7, 2024
9e69923
Renamed all methods of Text Reader/Writer classes + refactoring #3306
de-jcup Aug 7, 2024
e4307dc
Merge pull request #3340 from mercedes-benz/feature-3224-server-force…
sven-dmlr Aug 7, 2024
5e8ed8a
Merge pull request #3339 from mercedes-benz/feature-3338-update-docum…
winzj Aug 7, 2024
Extend SarifV1JSONImporter to enable import of custom gitleaks properties #3276

- extend workaround classes with the ability to resolve
  secret validation wrapper custom severities
- add necessary changes to SarifV1JSONImporter and add test cases with test report files
winzj committed Jul 8, 2024

Verified

This commit was signed with the committer’s verified signature.
commit a16097af7266b41e4c614676eadfaffd87e83c49
Original file line number Diff line number Diff line change
@@ -1,16 +1,12 @@
// SPDX-License-Identifier: MIT
package com.mercedesbenz.sechub.sereco.importer;

import java.util.List;
import java.util.Map;

import org.springframework.stereotype.Component;

import de.jcup.sarif_2_1_0.model.PartialFingerprints;
import de.jcup.sarif_2_1_0.model.ReportingDescriptor;
import de.jcup.sarif_2_1_0.model.Result;
import de.jcup.sarif_2_1_0.model.Run;
import de.jcup.sarif_2_1_0.model.Tool;
import de.jcup.sarif_2_1_0.model.ToolComponent;
import de.jcup.sarif_2_1_0.model.*;

@Component
public class GitleaksSarifImportWorkaround implements SarifImportProductWorkaround {
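Review bot: the six explicit `de.jcup.sarif_2_1_0.model` imports are replaced by the wildcard `import de.jcup.sarif_2_1_0.model.*;`; prefer adding the newly used types explicitly (`Location`, `PhysicalLocation`, `Region`, `PropertyBag`) instead, so that a later name collision with another `Location` or `Region` class on the classpath is visible at review time rather than surfacing as a confusing compile error.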
@@ -42,6 +38,38 @@ public String resolveFindingRevisionId(Result result, Run run) {
return null;
}

@Override
public String resolveCustomSechubSeverity(Result result, Run run) {
if (result == null) {
return null;
}
if (!isGitleaksRun(run)) {
return null;
}
List<Location> locations = result.getLocations();
if (locations == null || locations.isEmpty()) {
return null;
}
PhysicalLocation physicalLocation = locations.get(0).getPhysicalLocation();
if (physicalLocation == null) {
return null;
}
Region region = physicalLocation.getRegion();
if (region == null) {
return null;
}
PropertyBag properties = region.getProperties();
if (properties == null) {
return null;
}
Map<String, Object> additionalProperties = properties.getAdditionalProperties();
if (additionalProperties == null) {
return null;
}
String severityKey = SarifImporterKeys.SECRETSCAN_SECHUB_SEVERITY.getKey();
return (String) additionalProperties.get(severityKey);
}

private boolean isGitleaksRun(Run run) {
if (run == null) {
return false;
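Review bot: the unchecked cast on the last line of `resolveCustomSechubSeverity`, `return (String) additionalProperties.get(severityKey);`, throws a `ClassCastException` when the SARIF producer emits the property as a non-string JSON value (a number or an object), which would abort the whole import because of one malformed region. Suggest `Object value = additionalProperties.get(severityKey); return value instanceof String ? (String) value : null;` so that a malformed property falls back to the SARIF level, which is the behaviour the invalid-severity test expects. Also, only `locations.get(0)` is consulted; a short comment stating that gitleaks results carry exactly one location would explain why the remaining locations are ignored.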
Original file line number Diff line number Diff line change
@@ -22,4 +22,8 @@ public default String resolveType(ReportingDescriptor rule, Run run) {
public default String resolveFindingRevisionId(Result result, Run run) {
return null;
}

public default String resolveCustomSechubSeverity(Result result, Run run) {
return null;
}
}
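Review bot: the new default method `resolveCustomSechubSeverity` has no Javadoc; add one stating that a non-null return value overrides the severity derived from the SARIF `level`, and that implementations must return `null` (not throw) when the run is not theirs, because `visitAllWorkaroundsAndUseFirstResultNotNull` in the support class relies on exactly that contract.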
Original file line number Diff line number Diff line change
@@ -58,6 +58,16 @@ private <R, E> R visitAllWorkaroundsAndUseFirstResultNotNull(E element, Run run,
return null;
}

public String resolveCustomSechubSeverity(Result result, Run run) {
return visitAllWorkaroundsAndUseFirstResultNotNull(result, run, new WorkaroundVisitor<String, Result>() {

@Override
public String visit(Result element, Run run, SarifImportProductWorkaround workaround) {
return workaround.resolveCustomSechubSeverity(result, run);
}
});
}

public interface WorkaroundVisitor<R, E> {

public R visit(E element, Run run, SarifImportProductWorkaround workaround);
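Review bot: in the anonymous `WorkaroundVisitor` the `visit` method ignores its `element` parameter and captures the outer `result` instead (`return workaround.resolveCustomSechubSeverity(result, run);`); it works only because both refer to the same object, and it defeats the point of passing the element through the visitor. Use `element` here, as the visitor signature intends.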
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
// SPDX-License-Identifier: MIT
package com.mercedesbenz.sechub.sereco.importer;

/*
* If this needs to get changed, make sure to change
* com.mercedesbenz.sechub.wrapper.secret.validator.support.SarifImporterKeys accordingly
*/
public enum SarifImporterKeys {

SECRETSCAN_SECHUB_SEVERITY("secretscan.sechub.severity", "The key for the sechub severity which is more precise than the SARIF Level enum."),

SECRETSCAN_VALIDATED_BY_URL("secretscan.validated.by.url", "The key for the URL the secret was validated with."),

;

private String key;
private String description;

private SarifImporterKeys(String key, String description) {
this.key = key;
this.description = description;
}

public String getKey() {
return key;
}

public String getDescription() {
return description;
}
}
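Review bot: the header comment documents that the key strings must be kept in sync by hand with `com.mercedesbenz.sechub.wrapper.secret.validator.support.SarifImporterKeys`; consider moving the enum into a module both sides depend on so the strings cannot drift, or at least add a test that asserts the two key sets are equal. Minor: `key` and `description` are never reassigned and can be declared `final`.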
Original file line number Diff line number Diff line change
@@ -285,8 +285,13 @@ private void handleWebRequest(Result result, SerecoWeb serecoWeb) {
}

private SerecoSeverity resolveSeverity(Result result, Run run) {
Level level = sarifSchema210LogicSupport.resolveLevel(result, run);
return mapToSeverity(level);
String customSecHubSeverity = workaroundSupport.resolveCustomSechubSeverity(result, run);
SerecoSeverity serecoSeverity = severityFromString(customSecHubSeverity);
if (serecoSeverity == null) {
Level level = sarifSchema210LogicSupport.resolveLevel(result, run);
return mapToSeverity(level);
}
return serecoSeverity;
}

private class ResultData {
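Review bot: `resolveSeverity` now calls `severityFromString(customSecHubSeverity)` with `null` for every run that is not a gitleaks run carrying the custom property, so `SerecoSeverity.fromString` must return `null` for both `null` and unknown strings rather than throwing; otherwise the fallback to `sarifSchema210LogicSupport.resolveLevel(result, run)` is never reached and every non-gitleaks import fails. The invalid-properties test covers the unknown-string case; the existing non-gitleaks importer tests are what exercise the `null` path, so confirm they still pass.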
@@ -523,6 +528,10 @@ private SerecoSeverity mapToSeverity(Level level) {
}
}

private SerecoSeverity severityFromString(String customSecHubSeverity) {
return SerecoSeverity.fromString(customSecHubSeverity);
}

@Override
public boolean isAbleToImportForProduct(ImportParameter param) {
/* first we do the simple check... */
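Review bot: `severityFromString` is a one-line pass-through to `SerecoSeverity.fromString(customSecHubSeverity)`; either inline it at the single call site in `resolveSeverity` or add a comment explaining why the indirection exists (for example, to add normalisation of the wrapper's severity strings later).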
Original file line number Diff line number Diff line change
@@ -36,6 +36,8 @@ class SarifV1JSONImporterTest {
private static String sarif_2_1_0_gosec2_9_5_example5_cosdescan;
private static String sarif_2_1_0_sarif_2_1_0_gitleaks_8_0;
private static String sarif_2_1_0_sarif_2_1_0_gitleaks_8_0_one_finding_with_revision_id;
private static String sarif_2_1_0_gitleaks_8_0_with_validator_severity_properties;
private static String sarif_2_1_0_gitleaks_8_0_with_invalid_validator_severity_properties;

private SarifV1JSONImporter importerToTest;

@@ -51,6 +53,9 @@ public static void before() {
sarif_2_1_0_owasp_zap = loadSarifTestFile("sarif_2.1.0_owasp_zap.json");
sarif_2_1_0_sarif_2_1_0_gitleaks_8_0 = loadSarifTestFile("sarif_2.1.0_gitleaks_8.0.json");
sarif_2_1_0_sarif_2_1_0_gitleaks_8_0_one_finding_with_revision_id = loadSarifTestFile("sarif_2.1.0_gitleaks_8.0-one-finding-with-revision.json");
sarif_2_1_0_gitleaks_8_0_with_validator_severity_properties = loadSarifTestFile("sarif_2.1.0_gitleaks_8.0-with-validator-severity-properties.json");
sarif_2_1_0_gitleaks_8_0_with_invalid_validator_severity_properties = loadSarifTestFile(
"sarif_2.1.0_gitleaks_8.0-with-invalid-validator-severity-properties.json");
}

@BeforeEach
@@ -319,6 +324,86 @@ void gitleaks_8_0_simple_example_secretscan__can_be_imported_and_revision_inform
/* @formatter:on */
}

@Test
void sarif_2_1_0_gitleaks_8_0_with_validator_severity_properties__can_be_imported_and_severities_are_available() throws Exception {
/* prepare */
importerToTest.workaroundSupport.workarounds.add(new GitleaksSarifImportWorkaround());
SerecoMetaData result = importerToTest.importResult(sarif_2_1_0_gitleaks_8_0_with_validator_severity_properties, ScanType.SECRET_SCAN);

/* execute */
List<SerecoVulnerability> vulnerabilities = result.getVulnerabilities();

/* test */
/* @formatter:off */
assertVulnerabilities(vulnerabilities).
hasVulnerabilities(6).
verifyVulnerability().
withSeverity(SerecoSeverity.INFO).
withCodeLocation("UnSAFE_Bank/Backend/docker-compose.yml", 12, 14).
containingSource("531486b2bf646636a6a1bba61e78ec4a4a54efbd").
done().
isContained().
verifyVulnerability().
withSeverity(SerecoSeverity.UNCLASSIFIED).
withCodeLocation("UnSAFE_Bank/Backend/src/api/application/config/database.php", 80, 7).
containingSource("531486b2bf646636a6a1bba61e78ec4a4a54efbd").
done().
isContained().
verifyVulnerability().
withSeverity(SerecoSeverity.LOW).
withCodeLocation("UnSAFE_Bank/Backend/web/src/app/thunks/Authentication/ForgotPassword/handleForgotPasswordGetOTPThunk.tsx", 32, 14).
containingSource("9bbc0d79e686e847bc305c9bd4cc2ea6").
done().
isContained().
verifyVulnerability().
withSeverity(SerecoSeverity.MEDIUM).
withCodeLocation("UnSAFE_Bank/Backend/web/src/app/thunks/OTP/handleGetOTPThunk.tsx", 31, 14).
containingSource("9bbc0d79e686e847bc305c9bd4cc2ea6").
done().
isContained().
verifyVulnerability().
withSeverity(SerecoSeverity.HIGH).
withCodeLocation("UnSAFE_Bank/iOS/Source Code/Podfile.lock", 23, 4).
containingSource("b3816fddcf28aa29d94b10ec305cd52be14c472b").
done().
isContained().
verifyVulnerability().
withSeverity(SerecoSeverity.CRITICAL).
withCodeLocation("UnSAFE_Bank/iOS/Source Code/Pods/Manifest.lock", 23, 4).
containingSource("b3816fddcf28aa29d94b10ec305cd52be14c472b").
done().
isContained();
/* @formatter:on */
}

@Test
void sarif_2_1_0_gitleaks_8_0_with_invalid_validator_severity_properties__can_be_imported_and_severities_are_set_to_sarif_default() throws Exception {
/* prepare */
importerToTest.workaroundSupport.workarounds.add(new GitleaksSarifImportWorkaround());
SerecoMetaData result = importerToTest.importResult(sarif_2_1_0_gitleaks_8_0_with_invalid_validator_severity_properties, ScanType.SECRET_SCAN);

/* execute */
List<SerecoVulnerability> vulnerabilities = result.getVulnerabilities();

/* test */
/* @formatter:off */
assertVulnerabilities(vulnerabilities).
hasVulnerabilities(2).
verifyVulnerability().
withSeverity(SerecoSeverity.MEDIUM).
withCodeLocation("UnSAFE_Bank/Backend/docker-compose.yml", 12, 14).
containingSource("531486b2bf646636a6a1bba61e78ec4a4a54efbd").
done().
isContained().
verifyVulnerability().
withSeverity(SerecoSeverity.MEDIUM).
withCodeLocation("UnSAFE_Bank/Backend/src/api/application/config/database.php", 80, 7).
containingSource("531486b2bf646636a6a1bba61e78ec4a4a54efbd").
done().
isContained();
/* @formatter:on */
}

@Test
void brakeman_sarif_report_can_be_imported() {
/* prepare */

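Review bot: in both new tests the call that is actually under test, `importerToTest.importResult(...)`, sits under `/* prepare */`, while `/* execute */` only reads `result.getVulnerabilities()`; move the import call under `/* execute */` to match the prepare/execute/test convention used in the rest of the class. Also, `importerToTest.workaroundSupport.workarounds.add(new GitleaksSarifImportWorkaround())` mutates the importer's workaround list in place; this is fine if `importerToTest` is recreated in `@BeforeEach`, otherwise the added workaround leaks into the tests that follow.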