From aa7b276a4399f50e9b9806b13af1f0c63fb250b7 Mon Sep 17 00:00:00 2001
From: sarahCx
Date: Mon, 29 Jul 2024 15:54:21 +0300
Subject: [PATCH 1/5] add api security risks to threshold check, and add test

---
 internal/commands/scan.go | 21 +++++++++++++++++----
 test/integration/scan_test.go | 14 ++++++++++++++
 2 files changed, 31 insertions(+), 4 deletions(-)

diff --git a/internal/commands/scan.go b/internal/commands/scan.go
index 533b8d936..5b8a17a1d 100644
--- a/internal/commands/scan.go
+++ b/internal/commands/scan.go
@@ -14,6 +14,7 @@ import (
 	"path"
 	"path/filepath"
 	"reflect"
+	"slices"
 	"strconv"
 	"strings"
 	"time"
@@ -1648,7 +1649,7 @@ func runCreateScanCommand(
 		return err
 	}
 
-	err = applyThreshold(cmd, resultsWrapper, scanResponseModel, thresholdMap)
+	err = applyThreshold(cmd, resultsWrapper, scanResponseModel, thresholdMap, risksOverviewWrapper)
 	if err != nil {
 		return err
 	}
@@ -1900,6 +1901,7 @@ func applyThreshold(
 	resultsWrapper wrappers.ResultsWrapper,
 	scanResponseModel *wrappers.ScanResponseModel,
 	thresholdMap map[string]int,
+	risksOverviewWrapper wrappers.RisksOverviewWrapper,
 ) error {
 	if len(thresholdMap) == 0 {
 		return nil
@@ -1911,7 +1913,7 @@ func applyThreshold(
 		params[commonParams.SastRedundancyFlag] = ""
 	}
 
-	summaryMap, err := getSummaryThresholdMap(resultsWrapper, scanResponseModel, params)
+	summaryMap, err := getSummaryThresholdMap(resultsWrapper, scanResponseModel, params, risksOverviewWrapper)
 	if err != nil {
 		return err
 	}
@@ -1994,21 +1996,32 @@ func parseThresholdLimit(limit string) (engineName string, intLimit int, err err
 	return engineName, intLimit, err
 }
 
-func getSummaryThresholdMap(resultsWrapper wrappers.ResultsWrapper, scan *wrappers.ScanResponseModel, params map[string]string) (
+func getSummaryThresholdMap(resultsWrapper wrappers.ResultsWrapper, scan *wrappers.ScanResponseModel, params map[string]string, risksOverviewWrapper wrappers.RisksOverviewWrapper) (
 	map[string]int,
 	error,
 ) {
+	summaryMap := make(map[string]int)
 	results, err := ReadResults(resultsWrapper, scan, params)
 	if err != nil {
 		return nil, err
 	}
-	summaryMap := make(map[string]int)
 	for _, result := range results.Results {
 		if isExploitable(result.State) {
 			key := strings.ToLower(fmt.Sprintf("%s-%s", strings.Replace(result.Type, commonParams.KicsType, commonParams.IacType, 1), result.Severity))
 			summaryMap[key]++
 		}
 	}
+
+	if slices.Contains(scan.Engines, commonParams.APISecType) {
+		log.Println(scan.Engines)
+		apiSecRisks, err := getResultsForAPISecScanner(risksOverviewWrapper, scan.ID)
+		if err != nil {
+			return nil, err
+		}
+		summaryMap["api-security-high"] = apiSecRisks.Risks[1]
+		summaryMap["api-security-medium"] = apiSecRisks.Risks[2]
+		summaryMap["api-security-low"] = apiSecRisks.Risks[3]
+	}
 	return summaryMap, nil
 }
 
diff --git a/test/integration/scan_test.go b/test/integration/scan_test.go
index 6d688e67c..bddd0e976 100644
--- a/test/integration/scan_test.go
+++ b/test/integration/scan_test.go
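Review bot: `apiSecRisks.Risks[1]`, `[2]` and `[3]` in the new `if slices.Contains(scan.Engines, commonParams.APISecType)` branch are indexed with no length check, so a risks overview that comes back with fewer than four entries (engine did not finish, empty result, response shape change) turns the threshold gate into an index panic rather than a returned error, and the numeric positions encode a severity order that nothing in the hunk documents. The branch should fail closed with an explicit error and name the positions, roughly as below; if `Risks[0]` is a critical count it is silently left out of the threshold, which is worth confirming against the API model. The hardcoded `"api-security-high"` keys must also match what the user writes in `--threshold`, whereas the other engines derive their key via `strings.ToLower(fmt.Sprintf("%s-%s", ...))`; if `commonParams.APISecType` is that same string, building the keys from it keeps the two paths from drifting. The inner `apiSecRisks, err :=` shadows the outer `err`, harmless here because it returns at once, but the project's linter may flag it.
```go
// Positions consumed from the risks overview, as used below — confirm against the API model.
const (
	apiSecHighIndex   = 1
	apiSecMediumIndex = 2
	apiSecLowIndex    = 3
)

	// … unchanged: ReadResults call and exploitable-result loop …
	if slices.Contains(scan.Engines, commonParams.APISecType) {
		apiSecRisks, err := getResultsForAPISecScanner(risksOverviewWrapper, scan.ID)
		if err != nil {
			return nil, err
		}
		// Fail closed: a short response must surface as an error, not an index panic.
		if len(apiSecRisks.Risks) <= apiSecLowIndex {
			return nil, fmt.Errorf("api-security risks overview for scan %v has %d entries, want at least %d",
				scan.ID, len(apiSecRisks.Risks), apiSecLowIndex+1)
		}
		summaryMap["api-security-high"] = apiSecRisks.Risks[apiSecHighIndex]
		summaryMap["api-security-medium"] = apiSecRisks.Risks[apiSecMediumIndex]
		summaryMap["api-security-low"] = apiSecRisks.Risks[apiSecLowIndex]
	}
	return summaryMap, nil
```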
@@ -660,6 +660,20 @@ func TestScanCreateWithThreshold(t *testing.T) {
 	assert.NilError(t, err, "")
 }
 
+func TestScansAPISecThresholdShouldBlock(t *testing.T) {
+	createASTIntegrationTestCommand(t)
+	testArgs := []string{
+		"scan", "create",
+		flag(params.ProjectName), "my-project",
+		flag(params.SourcesFlag), "data/sources.zip",
+		flag(params.BranchFlag), "dummy_branch",
+		flag(params.ScanInfoFormatFlag), printer.FormatJSON,
+		flag(params.ScanTypes), "sast, api-security",
+		flag(params.Threshold), "api-security-high=1",
+	}
+	_, _ = executeCommand(t, testArgs...)
+}
+
 // Create a scan with the sources
 // Assert the scan completes
 func TestScanCreateWithThresholdParseError(t *testing.T) {
From 82b76dd96ec1a0a582e64b1b8b5f0d371586b24f Mon Sep 17 00:00:00 2001
From: sarahCx
Date: Wed, 31 Jul 2024 10:26:28 +0300
Subject: [PATCH 2/5] remove log

---
 internal/commands/scan.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/internal/commands/scan.go b/internal/commands/scan.go
index 5b8a17a1d..40e46845b 100644
--- a/internal/commands/scan.go
+++ b/internal/commands/scan.go
@@ -2013,7 +2013,6 @@ func getSummaryThresholdMap(resultsWrapper wrappers.ResultsWrapper, scan *wrappe
 	}
 
 	if slices.Contains(scan.Engines, commonParams.APISecType) {
-		log.Println(scan.Engines)
 		apiSecRisks, err := getResultsForAPISecScanner(risksOverviewWrapper, scan.ID)
 		if err != nil {
 			return nil, err
From 8317ef2aa41552751acc62c927cc8021061e7e21 Mon Sep 17 00:00:00 2001
From: sarahCx
Date: Tue, 6 Aug 2024 15:26:31 +0300
Subject: [PATCH 3/5] fix merge

---
 internal/commands/scan.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/internal/commands/scan.go b/internal/commands/scan.go
index cf2bf190b..cf2c742f6 100644
--- a/internal/commands/scan.go
+++ b/internal/commands/scan.go
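Review bot: `_, _ = executeCommand(t, testArgs...)` discards both results, so `TestScansAPISecThresholdShouldBlock` passes whether or not the `api-security-high=1` threshold blocks the scan, and the name promises an assertion the body never makes. Capture the error and assert on it, `_, err := executeCommand(t, testArgs...)` followed by `assert.Assert(t, err != nil, "api-security threshold should fail the scan")`, or match the threshold failure text if the surrounding tests assert on messages. That assertion presumes the integration fixture produces at least one high API-security risk; if that is not guaranteed, the test should say so rather than stay assertion-free. The scan-types value `"sast, api-security"` carries a space after the comma, which only resolves if the scan-types parser trims entries — worth confirming.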
@@ -1649,7 +1649,7 @@ func runCreateScanCommand(
 		return err
 	}
 
-	err = applyThreshold(cmd, resultsWrapper, scanResponseModel, thresholdMap, risksOverviewWrapper)
+	err = applyThreshold(cmd, resultsWrapper, exportWrapper, scanResponseModel, thresholdMap, risksOverviewWrapper)
 	if err != nil {
 		return err
@@ -1915,7 +1915,7 @@ func applyThreshold(
 		params[commonParams.SastRedundancyFlag] = ""
 	}
 
-	summaryMap, err := getSummaryThresholdMap(resultsWrapper, scanResponseModel, params, risksOverviewWrapper)
+	summaryMap, err := getSummaryThresholdMap(resultsWrapper, exportWrapper, scanResponseModel, params, risksOverviewWrapper)
 	if err != nil {
 		return err
@@ -1999,12 +1999,12 @@ func parseThresholdLimit(limit string) (engineName string, intLimit int, err err
 	return engineName, intLimit, err
 }
 
-func getSummaryThresholdMap(resultsWrapper wrappers.ResultsWrapper, scan *wrappers.ScanResponseModel, params map[string]string, risksOverviewWrapper wrappers.RisksOverviewWrapper) (
+func getSummaryThresholdMap(resultsWrapper wrappers.ResultsWrapper, exportWrapper wrappers.ExportWrapper, scan *wrappers.ScanResponseModel, params map[string]string, risksOverviewWrapper wrappers.RisksOverviewWrapper) (
 	map[string]int,
 	error,
 ) {
 	summaryMap := make(map[string]int)
-	results, err := ReadResults(resultsWrapper, scan, params)
+	results, err := ReadResults(resultsWrapper, exportWrapper, scan, params)
 	if err != nil {
 		return nil, err
From aa0157aaa9ab009310ae8a02845479c8658b4187 Mon Sep 17 00:00:00 2001
From: sarahCx
Date: Tue, 6 Aug 2024 17:22:28 +0300
Subject: [PATCH 4/5] Fix lint error

---
 internal/commands/scan.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/internal/commands/scan.go b/internal/commands/scan.go
index cf2c742f6..3572deefe 100644
--- a/internal/commands/scan.go
+++ b/internal/commands/scan.go
@@ -1999,7 +1999,11 @@ func parseThresholdLimit(limit string) (engineName string, intLimit int, err err
 	return engineName, intLimit, err
 }
 
-func getSummaryThresholdMap(resultsWrapper wrappers.ResultsWrapper, exportWrapper wrappers.ExportWrapper, scan *wrappers.ScanResponseModel, params map[string]string, risksOverviewWrapper wrappers.RisksOverviewWrapper) (
+func getSummaryThresholdMap(resultsWrapper wrappers.ResultsWrapper,
+	exportWrapper wrappers.ExportWrapper,
+	scan *wrappers.ScanResponseModel,
+	params map[string]string,
+	risksOverviewWrapper wrappers.RisksOverviewWrapper) (
 	map[string]int,
 	error,
 ) {
From c4fab79fbfcebc184a066dcfecd4dcb65414cd04 Mon Sep 17 00:00:00 2001
From: sarahCx
Date: Tue, 6 Aug 2024 22:34:43 +0300
Subject: [PATCH 5/5] Fix lint error

---
 internal/commands/scan.go | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/internal/commands/scan.go b/internal/commands/scan.go
index 3572deefe..e39a16b13 100644
--- a/internal/commands/scan.go
+++ b/internal/commands/scan.go
@@ -1999,14 +1999,13 @@ func parseThresholdLimit(limit string) (engineName string, intLimit int, err err
 	return engineName, intLimit, err
 }
 
-func getSummaryThresholdMap(resultsWrapper wrappers.ResultsWrapper,
-	exportWrapper wrappers.ExportWrapper,
-	scan *wrappers.ScanResponseModel,
-	params map[string]string,
-	risksOverviewWrapper wrappers.RisksOverviewWrapper) (
-	map[string]int,
-	error,
-) {
+func getSummaryThresholdMap(
+	resultsWrapper wrappers.ResultsWrapper,
+	exportWrapper wrappers.ExportWrapper,
+	scan *wrappers.ScanResponseModel,
+	params map[string]string,
+	risksOverviewWrapper wrappers.RisksOverviewWrapper,
+) (map[string]int, error) {
 	summaryMap := make(map[string]int)
 	results, err := ReadResults(resultsWrapper, exportWrapper, scan, params)