github.com/ouraigua/jenkins-library@v0.0.0-20231028010029-fbeaf2f3aa9b/cmd/checkmarxExecuteScan_generated.go (about) 1 // Code generated by piper's step-generator. DO NOT EDIT. 2 3 package cmd 4 5 import ( 6 "fmt" 7 "os" 8 "path/filepath" 9 "reflect" 10 "strings" 11 "time" 12 13 "github.com/SAP/jenkins-library/pkg/config" 14 "github.com/SAP/jenkins-library/pkg/gcs" 15 "github.com/SAP/jenkins-library/pkg/log" 16 "github.com/SAP/jenkins-library/pkg/piperenv" 17 "github.com/SAP/jenkins-library/pkg/splunk" 18 "github.com/SAP/jenkins-library/pkg/telemetry" 19 "github.com/SAP/jenkins-library/pkg/validation" 20 "github.com/bmatcuk/doublestar" 21 "github.com/spf13/cobra" 22 ) 23 24 type checkmarxExecuteScanOptions struct { 25 Assignees []string `json:"assignees,omitempty"` 26 AvoidDuplicateProjectScans bool `json:"avoidDuplicateProjectScans,omitempty"` 27 FilterPattern string `json:"filterPattern,omitempty"` 28 FullScanCycle string `json:"fullScanCycle,omitempty"` 29 FullScansScheduled bool `json:"fullScansScheduled,omitempty"` 30 GeneratePdfReport bool `json:"generatePdfReport,omitempty"` 31 GithubAPIURL string `json:"githubApiUrl,omitempty"` 32 GithubToken string `json:"githubToken,omitempty"` 33 Incremental bool `json:"incremental,omitempty"` 34 MaxRetries int `json:"maxRetries,omitempty"` 35 Owner string `json:"owner,omitempty"` 36 Password string `json:"password,omitempty"` 37 Preset string `json:"preset,omitempty"` 38 ProjectName string `json:"projectName,omitempty"` 39 PullRequestName string `json:"pullRequestName,omitempty"` 40 Repository string `json:"repository,omitempty"` 41 ServerURL string `json:"serverUrl,omitempty"` 42 EngineConfigurationID string `json:"engineConfigurationID,omitempty"` 43 TeamID string `json:"teamId,omitempty"` 44 TeamName string `json:"teamName,omitempty"` 45 Username string `json:"username,omitempty"` 46 VerifyOnly bool `json:"verifyOnly,omitempty"` 47 VulnerabilityThresholdEnabled bool `json:"vulnerabilityThresholdEnabled,omitempty"` 48 VulnerabilityThresholdHigh int `json:"vulnerabilityThresholdHigh,omitempty"` 49 VulnerabilityThresholdMedium int `json:"vulnerabilityThresholdMedium,omitempty"` 50 VulnerabilityThresholdLow int `json:"vulnerabilityThresholdLow,omitempty"` 51 VulnerabilityThresholdLowPerQuery bool `json:"vulnerabilityThresholdLowPerQuery,omitempty"` 52 VulnerabilityThresholdLowPerQueryMax int `json:"vulnerabilityThresholdLowPerQueryMax,omitempty"` 53 VulnerabilityThresholdResult string `json:"vulnerabilityThresholdResult,omitempty" validate:"possible-values=FAILURE"` 54 VulnerabilityThresholdUnit string `json:"vulnerabilityThresholdUnit,omitempty"` 55 IsOptimizedAndScheduled bool `json:"isOptimizedAndScheduled,omitempty"` 56 CreateResultIssue bool `json:"createResultIssue,omitempty"` 57 ConvertToSarif bool `json:"convertToSarif,omitempty"` 58 } 59 60 type checkmarxExecuteScanInflux struct { 61 step_data struct { 62 fields struct { 63 checkmarx bool 64 } 65 tags struct { 66 } 67 } 68 checkmarx_data struct { 69 fields struct { 70 high_issues int 71 high_not_false_positive int 72 high_not_exploitable int 73 high_confirmed int 74 high_urgent int 75 high_proposed_not_exploitable int 76 high_to_verify int 77 medium_issues int 78 medium_not_false_positive int 79 medium_not_exploitable int 80 medium_confirmed int 81 medium_urgent int 82 medium_proposed_not_exploitable int 83 medium_to_verify int 84 low_issues int 85 low_not_false_positive int 86 low_not_exploitable int 87 low_confirmed int 88 low_urgent int 89 low_proposed_not_exploitable int 90 low_to_verify int 91 information_issues int 92 information_not_false_positive int 93 information_not_exploitable int 94 information_confirmed int 95 information_urgent int 96 information_proposed_not_exploitable int 97 information_to_verify int 98 lines_of_code_scanned int 99 files_scanned int 100 initiator_name string 101 owner string 102 scan_id string 103 project_id string 104 projectName string 105 team string 106 team_full_path_on_report_date string 107 scan_start string 108 scan_time string 109 checkmarx_version string 110 scan_type string 111 preset string 112 deep_link string 113 report_creation_time string 114 } 115 tags struct { 116 } 117 } 118 } 119 120 func (i *checkmarxExecuteScanInflux) persist(path, resourceName string) { 121 measurementContent := []struct { 122 measurement string 123 valType string 124 name string 125 value interface{} 126 }{ 127 {valType: config.InfluxField, measurement: "step_data", name: "checkmarx", value: i.step_data.fields.checkmarx}, 128 {valType: config.InfluxField, measurement: "checkmarx_data", name: "high_issues", value: i.checkmarx_data.fields.high_issues}, 129 {valType: config.InfluxField, measurement: "checkmarx_data", name: "high_not_false_positive", value: i.checkmarx_data.fields.high_not_false_positive}, 130 {valType: config.InfluxField, measurement: "checkmarx_data", name: "high_not_exploitable", value: i.checkmarx_data.fields.high_not_exploitable}, 131 {valType: config.InfluxField, measurement: "checkmarx_data", name: "high_confirmed", value: i.checkmarx_data.fields.high_confirmed}, 132 {valType: config.InfluxField, measurement: "checkmarx_data", name: "high_urgent", value: i.checkmarx_data.fields.high_urgent}, 133 {valType: config.InfluxField, measurement: "checkmarx_data", name: "high_proposed_not_exploitable", value: i.checkmarx_data.fields.high_proposed_not_exploitable}, 134 {valType: config.InfluxField, measurement: "checkmarx_data", name: "high_to_verify", value: i.checkmarx_data.fields.high_to_verify}, 135 {valType: config.InfluxField, measurement: "checkmarx_data", name: "medium_issues", value: i.checkmarx_data.fields.medium_issues}, 136 {valType: config.InfluxField, measurement: "checkmarx_data", name: "medium_not_false_positive", value: i.checkmarx_data.fields.medium_not_false_positive}, 137 {valType: config.InfluxField, measurement: "checkmarx_data", name: "medium_not_exploitable", value: i.checkmarx_data.fields.medium_not_exploitable}, 138 {valType: config.InfluxField, measurement: "checkmarx_data", name: "medium_confirmed", value: i.checkmarx_data.fields.medium_confirmed}, 139 {valType: config.InfluxField, measurement: "checkmarx_data", name: "medium_urgent", value: i.checkmarx_data.fields.medium_urgent}, 140 {valType: config.InfluxField, measurement: "checkmarx_data", name: "medium_proposed_not_exploitable", value: i.checkmarx_data.fields.medium_proposed_not_exploitable}, 141 {valType: config.InfluxField, measurement: "checkmarx_data", name: "medium_to_verify", value: i.checkmarx_data.fields.medium_to_verify}, 142 {valType: config.InfluxField, measurement: "checkmarx_data", name: "low_issues", value: i.checkmarx_data.fields.low_issues}, 143 {valType: config.InfluxField, measurement: "checkmarx_data", name: "low_not_false_positive", value: i.checkmarx_data.fields.low_not_false_positive}, 144 {valType: config.InfluxField, measurement: "checkmarx_data", name: "low_not_exploitable", value: i.checkmarx_data.fields.low_not_exploitable}, 145 {valType: config.InfluxField, measurement: "checkmarx_data", name: "low_confirmed", value: i.checkmarx_data.fields.low_confirmed}, 146 {valType: config.InfluxField, measurement: "checkmarx_data", name: "low_urgent", value: i.checkmarx_data.fields.low_urgent}, 147 {valType: config.InfluxField, measurement: "checkmarx_data", name: "low_proposed_not_exploitable", value: i.checkmarx_data.fields.low_proposed_not_exploitable}, 148 {valType: config.InfluxField, measurement: "checkmarx_data", name: "low_to_verify", value: i.checkmarx_data.fields.low_to_verify}, 149 {valType: config.InfluxField, measurement: "checkmarx_data", name: "information_issues", value: i.checkmarx_data.fields.information_issues}, 150 {valType: config.InfluxField, measurement: "checkmarx_data", name: "information_not_false_positive", value: i.checkmarx_data.fields.information_not_false_positive}, 151 {valType: config.InfluxField, measurement: "checkmarx_data", name: "information_not_exploitable", value: i.checkmarx_data.fields.information_not_exploitable}, 152 {valType: config.InfluxField, measurement: "checkmarx_data", name: "information_confirmed", value: i.checkmarx_data.fields.information_confirmed}, 153 {valType: config.InfluxField, measurement: "checkmarx_data", name: "information_urgent", value: i.checkmarx_data.fields.information_urgent}, 154 {valType: config.InfluxField, measurement: "checkmarx_data", name: "information_proposed_not_exploitable", value: i.checkmarx_data.fields.information_proposed_not_exploitable}, 155 {valType: config.InfluxField, measurement: "checkmarx_data", name: "information_to_verify", value: i.checkmarx_data.fields.information_to_verify}, 156 {valType: config.InfluxField, measurement: "checkmarx_data", name: "lines_of_code_scanned", value: i.checkmarx_data.fields.lines_of_code_scanned}, 157 {valType: config.InfluxField, measurement: "checkmarx_data", name: "files_scanned", value: i.checkmarx_data.fields.files_scanned}, 158 {valType: config.InfluxField, measurement: "checkmarx_data", name: "initiator_name", value: i.checkmarx_data.fields.initiator_name}, 159 {valType: config.InfluxField, measurement: "checkmarx_data", name: "owner", value: i.checkmarx_data.fields.owner}, 160 {valType: config.InfluxField, measurement: "checkmarx_data", name: "scan_id", value: i.checkmarx_data.fields.scan_id}, 161 {valType: config.InfluxField, measurement: "checkmarx_data", name: "project_id", value: i.checkmarx_data.fields.project_id}, 162 {valType: config.InfluxField, measurement: "checkmarx_data", name: "projectName", value: i.checkmarx_data.fields.projectName}, 163 {valType: config.InfluxField, measurement: "checkmarx_data", name: "team", value: i.checkmarx_data.fields.team}, 164 {valType: config.InfluxField, measurement: "checkmarx_data", name: "team_full_path_on_report_date", value: i.checkmarx_data.fields.team_full_path_on_report_date}, 165 {valType: config.InfluxField, measurement: "checkmarx_data", name: "scan_start", value: i.checkmarx_data.fields.scan_start}, 166 {valType: config.InfluxField, measurement: "checkmarx_data", name: "scan_time", value: i.checkmarx_data.fields.scan_time}, 167 {valType: config.InfluxField, measurement: "checkmarx_data", name: "checkmarx_version", value: i.checkmarx_data.fields.checkmarx_version}, 168 {valType: config.InfluxField, measurement: "checkmarx_data", name: "scan_type", value: i.checkmarx_data.fields.scan_type}, 169 {valType: config.InfluxField, measurement: "checkmarx_data", name: "preset", value: i.checkmarx_data.fields.preset}, 170 {valType: config.InfluxField, measurement: "checkmarx_data", name: "deep_link", value: i.checkmarx_data.fields.deep_link}, 171 {valType: config.InfluxField, measurement: "checkmarx_data", name: "report_creation_time", value: i.checkmarx_data.fields.report_creation_time}, 172 } 173 174 errCount := 0 175 for _, metric := range measurementContent { 176 err := piperenv.SetResourceParameter(path, resourceName, filepath.Join(metric.measurement, fmt.Sprintf("%vs", metric.valType), metric.name), metric.value) 177 if err != nil { 178 log.Entry().WithError(err).Error("Error persisting influx environment.") 179 errCount++ 180 } 181 } 182 if errCount > 0 { 183 log.Entry().Error("failed to persist Influx environment") 184 } 185 } 186 187 type checkmarxExecuteScanReports struct { 188 } 189 190 func (p *checkmarxExecuteScanReports) persist(stepConfig checkmarxExecuteScanOptions, gcpJsonKeyFilePath string, gcsBucketId string, gcsFolderPath string, gcsSubFolder string) { 191 if gcsBucketId == "" { 192 log.Entry().Info("persisting reports to GCS is disabled, because gcsBucketId is empty") 193 return 194 } 195 log.Entry().Info("Uploading reports to Google Cloud Storage...") 196 content := []gcs.ReportOutputParam{ 197 {FilePattern: "**/piper_checkmarx_report.html", ParamRef: "", StepResultType: "checkmarx"}, 198 {FilePattern: "**/CxSASTResults_*.xml", ParamRef: "", StepResultType: "checkmarx"}, 199 {FilePattern: "**/ScanReport.*", ParamRef: "", StepResultType: "checkmarx"}, 200 {FilePattern: "**/toolrun_checkmarx_*.json", ParamRef: "", StepResultType: "checkmarx"}, 201 } 202 envVars := []gcs.EnvVar{ 203 {Name: "GOOGLE_APPLICATION_CREDENTIALS", Value: gcpJsonKeyFilePath, Modified: false}, 204 } 205 gcsClient, err := gcs.NewClient(gcs.WithEnvVars(envVars)) 206 if err != nil { 207 log.Entry().Errorf("creation of GCS client failed: %v", err) 208 return 209 } 210 defer gcsClient.Close() 211 structVal := reflect.ValueOf(&stepConfig).Elem() 212 inputParameters := map[string]string{} 213 for i := 0; i < structVal.NumField(); i++ { 214 field := structVal.Type().Field(i) 215 if field.Type.String() == "string" { 216 paramName := strings.Split(field.Tag.Get("json"), ",") 217 paramValue, _ := structVal.Field(i).Interface().(string) 218 inputParameters[paramName[0]] = paramValue 219 } 220 } 221 if err := gcs.PersistReportsToGCS(gcsClient, content, inputParameters, gcsFolderPath, gcsBucketId, gcsSubFolder, doublestar.Glob, os.Stat); err != nil { 222 log.Entry().Errorf("failed to persist reports: %v", err) 223 } 224 } 225 226 // CheckmarxExecuteScanCommand Checkmarx is the recommended tool for security scans of JavaScript, iOS, Swift and Ruby code. 227 func CheckmarxExecuteScanCommand() *cobra.Command { 228 const STEP_NAME = "checkmarxExecuteScan" 229 230 metadata := checkmarxExecuteScanMetadata() 231 var stepConfig checkmarxExecuteScanOptions 232 var startTime time.Time 233 var influx checkmarxExecuteScanInflux 234 var reports checkmarxExecuteScanReports 235 var logCollector *log.CollectorHook 236 var splunkClient *splunk.Splunk 237 telemetryClient := &telemetry.Telemetry{} 238 239 var createCheckmarxExecuteScanCmd = &cobra.Command{ 240 Use: STEP_NAME, 241 Short: "Checkmarx is the recommended tool for security scans of JavaScript, iOS, Swift and Ruby code.", 242 Long: `Checkmarx is a Static Application Security Testing (SAST) tool to analyze i.e. Java- or TypeScript, Swift, Golang, Ruby code, 243 and many other programming languages for security flaws based on a set of provided rules/queries that can be customized and extended. 244 245 This step by default enforces a specific audit baseline for findings and therefore ensures that: 246 247 * No 'To Verify' High and Medium issues exist in your project 248 * Total number of High and Medium 'Confirmed' or 'Urgent' issues is zero 249 * 10% of all Low issues are 'Confirmed' or 'Not Exploitable' 250 251 You can adapt above thresholds specifically using the provided configuration parameters and i.e. check for ` + "`" + `absolute` + "`" + ` 252 thresholds instead of ` + "`" + `percentage` + "`" + ` whereas we strongly recommend you to stay with the defaults provided.`, 253 PreRunE: func(cmd *cobra.Command, _ []string) error { 254 startTime = time.Now() 255 log.SetStepName(STEP_NAME) 256 log.SetVerbose(GeneralConfig.Verbose) 257 258 GeneralConfig.GitHubAccessTokens = ResolveAccessTokens(GeneralConfig.GitHubTokens) 259 260 path, _ := os.Getwd() 261 fatalHook := &log.FatalHook{CorrelationID: GeneralConfig.CorrelationID, Path: path} 262 log.RegisterHook(fatalHook) 263 264 err := PrepareConfig(cmd, &metadata, STEP_NAME, &stepConfig, config.OpenPiperFile) 265 if err != nil { 266 log.SetErrorCategory(log.ErrorConfiguration) 267 return err 268 } 269 log.RegisterSecret(stepConfig.GithubToken) 270 log.RegisterSecret(stepConfig.Password) 271 log.RegisterSecret(stepConfig.Username) 272 273 if len(GeneralConfig.HookConfig.SentryConfig.Dsn) > 0 { 274 sentryHook := log.NewSentryHook(GeneralConfig.HookConfig.SentryConfig.Dsn, GeneralConfig.CorrelationID) 275 log.RegisterHook(&sentryHook) 276 } 277 278 if len(GeneralConfig.HookConfig.SplunkConfig.Dsn) > 0 { 279 splunkClient = &splunk.Splunk{} 280 logCollector = &log.CollectorHook{CorrelationID: GeneralConfig.CorrelationID} 281 log.RegisterHook(logCollector) 282 } 283 284 if err = log.RegisterANSHookIfConfigured(GeneralConfig.CorrelationID); err != nil { 285 log.Entry().WithError(err).Warn("failed to set up SAP Alert Notification Service log hook") 286 } 287 288 validation, err := validation.New(validation.WithJSONNamesForStructFields(), validation.WithPredefinedErrorMessages()) 289 if err != nil { 290 return err 291 } 292 if err = validation.ValidateStruct(stepConfig); err != nil { 293 log.SetErrorCategory(log.ErrorConfiguration) 294 return err 295 } 296 297 return nil 298 }, 299 Run: func(_ *cobra.Command, _ []string) { 300 stepTelemetryData := telemetry.CustomData{} 301 stepTelemetryData.ErrorCode = "1" 302 handler := func() { 303 influx.persist(GeneralConfig.EnvRootPath, "influx") 304 reports.persist(stepConfig, GeneralConfig.GCPJsonKeyFilePath, GeneralConfig.GCSBucketId, GeneralConfig.GCSFolderPath, GeneralConfig.GCSSubFolder) 305 config.RemoveVaultSecretFiles() 306 stepTelemetryData.Duration = fmt.Sprintf("%v", time.Since(startTime).Milliseconds()) 307 stepTelemetryData.ErrorCategory = log.GetErrorCategory().String() 308 stepTelemetryData.PiperCommitHash = GitCommit 309 telemetryClient.SetData(&stepTelemetryData) 310 telemetryClient.Send() 311 if len(GeneralConfig.HookConfig.SplunkConfig.Dsn) > 0 { 312 splunkClient.Initialize(GeneralConfig.CorrelationID, 313 GeneralConfig.HookConfig.SplunkConfig.Dsn, 314 GeneralConfig.HookConfig.SplunkConfig.Token, 315 GeneralConfig.HookConfig.SplunkConfig.Index, 316 GeneralConfig.HookConfig.SplunkConfig.SendLogs) 317 splunkClient.Send(telemetryClient.GetData(), logCollector) 318 } 319 if len(GeneralConfig.HookConfig.SplunkConfig.ProdCriblEndpoint) > 0 { 320 splunkClient.Initialize(GeneralConfig.CorrelationID, 321 GeneralConfig.HookConfig.SplunkConfig.ProdCriblEndpoint, 322 GeneralConfig.HookConfig.SplunkConfig.ProdCriblToken, 323 GeneralConfig.HookConfig.SplunkConfig.ProdCriblIndex, 324 GeneralConfig.HookConfig.SplunkConfig.SendLogs) 325 splunkClient.Send(telemetryClient.GetData(), logCollector) 326 } 327 } 328 log.DeferExitHandler(handler) 329 defer handler() 330 telemetryClient.Initialize(GeneralConfig.NoTelemetry, STEP_NAME) 331 checkmarxExecuteScan(stepConfig, &stepTelemetryData, &influx) 332 stepTelemetryData.ErrorCode = "0" 333 log.Entry().Info("SUCCESS") 334 }, 335 } 336 337 addCheckmarxExecuteScanFlags(createCheckmarxExecuteScanCmd, &stepConfig) 338 return createCheckmarxExecuteScanCmd 339 } 340 341 func addCheckmarxExecuteScanFlags(cmd *cobra.Command, stepConfig *checkmarxExecuteScanOptions) { 342 cmd.Flags().StringSliceVar(&stepConfig.Assignees, "assignees", []string{``}, "Defines the assignees for the Github Issue created/updated with the results of the scan as a list of login names.") 343 cmd.Flags().BoolVar(&stepConfig.AvoidDuplicateProjectScans, "avoidDuplicateProjectScans", true, "Tell Checkmarx to skip the scan if no code change is detected") 344 cmd.Flags().StringVar(&stepConfig.FilterPattern, "filterPattern", `!**/node_modules/**, !**/.xmake/**, !**/*_test.go, !**/vendor/**/*.go, **/*.html, **/*.xml, **/*.go, **/*.py, **/*.js, **/*.scala, **/*.ts`, "The filter pattern used to zip the files relevant for scanning, patterns can be negated by setting an exclamation mark in front i.e. `!test/*.js` would avoid adding any javascript files located in the test directory") 345 cmd.Flags().StringVar(&stepConfig.FullScanCycle, "fullScanCycle", `5`, "Indicates how often a full scan should happen between the incremental scans when activated") 346 cmd.Flags().BoolVar(&stepConfig.FullScansScheduled, "fullScansScheduled", true, "Whether full scans are to be scheduled or not. Should be used in relation with `incremental` and `fullScanCycle`") 347 cmd.Flags().BoolVar(&stepConfig.GeneratePdfReport, "generatePdfReport", true, "Whether to generate a PDF report of the analysis results or not") 348 cmd.Flags().StringVar(&stepConfig.GithubAPIURL, "githubApiUrl", `https://api.github.com`, "Set the GitHub API URL.") 349 cmd.Flags().StringVar(&stepConfig.GithubToken, "githubToken", os.Getenv("PIPER_githubToken"), "GitHub personal access token as per https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line") 350 cmd.Flags().BoolVar(&stepConfig.Incremental, "incremental", true, "Whether incremental scans are to be applied which optimizes the scan time but might reduce detection capabilities. Therefore full scans are still required from time to time and should be scheduled via `fullScansScheduled` and `fullScanCycle`") 351 cmd.Flags().IntVar(&stepConfig.MaxRetries, "maxRetries", 3, "Maximum number of HTTP request retries upon intermittend connetion interrupts") 352 cmd.Flags().StringVar(&stepConfig.Owner, "owner", os.Getenv("PIPER_owner"), "Set the GitHub organization.") 353 cmd.Flags().StringVar(&stepConfig.Password, "password", os.Getenv("PIPER_password"), "The password to authenticate") 354 cmd.Flags().StringVar(&stepConfig.Preset, "preset", os.Getenv("PIPER_preset"), "The preset to use for scanning, if not set explicitly the step will attempt to look up the project's setting based on the availability of `checkmarxCredentialsId`") 355 cmd.Flags().StringVar(&stepConfig.ProjectName, "projectName", os.Getenv("PIPER_projectName"), "The name of the Checkmarx project to scan into") 356 cmd.Flags().StringVar(&stepConfig.PullRequestName, "pullRequestName", os.Getenv("PIPER_pullRequestName"), "Used to supply the name for the newly created PR project branch when being used in pull request scenarios") 357 cmd.Flags().StringVar(&stepConfig.Repository, "repository", os.Getenv("PIPER_repository"), "Set the GitHub repository.") 358 cmd.Flags().StringVar(&stepConfig.ServerURL, "serverUrl", os.Getenv("PIPER_serverUrl"), "The URL pointing to the root of the Checkmarx server to be used") 359 cmd.Flags().StringVar(&stepConfig.EngineConfigurationID, "engineConfigurationID", os.Getenv("PIPER_engineConfigurationID"), "The engine configuration ID to be used, if not set explicitly the project's default will be used") 360 cmd.Flags().StringVar(&stepConfig.TeamID, "teamId", os.Getenv("PIPER_teamId"), "The group ID related to your team which can be obtained via the Pipeline Syntax plugin as described in the `Details` section") 361 cmd.Flags().StringVar(&stepConfig.TeamName, "teamName", os.Getenv("PIPER_teamName"), "The full name of the team to assign newly created projects to which is preferred to teamId") 362 cmd.Flags().StringVar(&stepConfig.Username, "username", os.Getenv("PIPER_username"), "The username to authenticate") 363 cmd.Flags().BoolVar(&stepConfig.VerifyOnly, "verifyOnly", false, "Whether the step shall only apply verification checks or whether it does a full scan and check cycle") 364 cmd.Flags().BoolVar(&stepConfig.VulnerabilityThresholdEnabled, "vulnerabilityThresholdEnabled", true, "Whether the thresholds are enabled or not. If enabled the build will be set to `vulnerabilityThresholdResult` in case a specific threshold value is exceeded") 365 cmd.Flags().IntVar(&stepConfig.VulnerabilityThresholdHigh, "vulnerabilityThresholdHigh", 100, "The specific threshold for high severity findings") 366 cmd.Flags().IntVar(&stepConfig.VulnerabilityThresholdMedium, "vulnerabilityThresholdMedium", 100, "The specific threshold for medium severity findings") 367 cmd.Flags().IntVar(&stepConfig.VulnerabilityThresholdLow, "vulnerabilityThresholdLow", 10, "The specific threshold for low severity findings") 368 cmd.Flags().BoolVar(&stepConfig.VulnerabilityThresholdLowPerQuery, "vulnerabilityThresholdLowPerQuery", false, "Flag to activate/deactivate the threshold of low severity findings per query") 369 cmd.Flags().IntVar(&stepConfig.VulnerabilityThresholdLowPerQueryMax, "vulnerabilityThresholdLowPerQueryMax", 10, "Upper threshold of low severity findings per query (in absolute number)") 370 cmd.Flags().StringVar(&stepConfig.VulnerabilityThresholdResult, "vulnerabilityThresholdResult", `FAILURE`, "The result of the build in case thresholds are enabled and exceeded") 371 cmd.Flags().StringVar(&stepConfig.VulnerabilityThresholdUnit, "vulnerabilityThresholdUnit", `percentage`, "The unit for the threshold to apply.") 372 cmd.Flags().BoolVar(&stepConfig.IsOptimizedAndScheduled, "isOptimizedAndScheduled", false, "Whether the pipeline runs in optimized mode and the current execution is a scheduled one") 373 cmd.Flags().BoolVar(&stepConfig.CreateResultIssue, "createResultIssue", false, "Activate creation of a result issue in GitHub.") 374 cmd.Flags().BoolVar(&stepConfig.ConvertToSarif, "convertToSarif", true, "Convert the Checkmarx XML scan results to the open SARIF standard.") 375 376 cmd.MarkFlagRequired("password") 377 cmd.MarkFlagRequired("projectName") 378 cmd.MarkFlagRequired("serverUrl") 379 cmd.MarkFlagRequired("username") 380 } 381 382 // retrieve step metadata 383 func checkmarxExecuteScanMetadata() config.StepData { 384 var theMetaData = config.StepData{ 385 Metadata: config.StepMetadata{ 386 Name: "checkmarxExecuteScan", 387 Aliases: []config.Alias{}, 388 Description: "Checkmarx is the recommended tool for security scans of JavaScript, iOS, Swift and Ruby code.", 389 }, 390 Spec: config.StepSpec{ 391 Inputs: config.StepInputs{ 392 Secrets: []config.StepSecrets{ 393 {Name: "checkmarxCredentialsId", Description: "Jenkins 'Username with password' credentials ID containing username and password to communicate with the Checkmarx backend.", Type: "jenkins"}, 394 {Name: "githubTokenCredentialsId", Description: "Jenkins 'Secret text' credentials ID containing token to authenticate to GitHub.", Type: "jenkins"}, 395 }, 396 Resources: []config.StepResources{ 397 {Name: "checkmarx", Type: "stash"}, 398 }, 399 Parameters: []config.StepParameters{ 400 { 401 Name: "assignees", 402 ResourceRef: []config.ResourceReference{}, 403 Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, 404 Type: "[]string", 405 Mandatory: false, 406 Aliases: []config.Alias{}, 407 Default: []string{``}, 408 }, 409 { 410 Name: "avoidDuplicateProjectScans", 411 ResourceRef: []config.ResourceReference{}, 412 Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, 413 Type: "bool", 414 Mandatory: false, 415 Aliases: []config.Alias{{Name: "notForceScan"}}, 416 Default: true, 417 }, 418 { 419 Name: "filterPattern", 420 ResourceRef: []config.ResourceReference{}, 421 Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, 422 Type: "string", 423 Mandatory: false, 424 Aliases: []config.Alias{}, 425 Default: `!**/node_modules/**, !**/.xmake/**, !**/*_test.go, !**/vendor/**/*.go, **/*.html, **/*.xml, **/*.go, **/*.py, **/*.js, **/*.scala, **/*.ts`, 426 }, 427 { 428 Name: "fullScanCycle", 429 ResourceRef: []config.ResourceReference{}, 430 Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, 431 Type: "string", 432 Mandatory: false, 433 Aliases: []config.Alias{}, 434 Default: `5`, 435 }, 436 { 437 Name: "fullScansScheduled", 438 ResourceRef: []config.ResourceReference{}, 439 Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, 440 Type: "bool", 441 Mandatory: false, 442 Aliases: []config.Alias{}, 443 Default: true, 444 }, 445 { 446 Name: "generatePdfReport", 447 ResourceRef: []config.ResourceReference{}, 448 Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, 449 Type: "bool", 450 Mandatory: false, 451 Aliases: []config.Alias{}, 452 Default: true, 453 }, 454 { 455 Name: "githubApiUrl", 456 ResourceRef: []config.ResourceReference{}, 457 Scope: []string{"GENERAL", "PARAMETERS", "STAGES", "STEPS"}, 458 Type: "string", 459 Mandatory: false, 460 Aliases: []config.Alias{}, 461 Default: `https://api.github.com`, 462 }, 463 { 464 Name: "githubToken", 465 ResourceRef: []config.ResourceReference{ 466 { 467 Name: "githubTokenCredentialsId", 468 Type: "secret", 469 }, 470 471 { 472 Name: "githubVaultSecretName", 473 Type: "vaultSecret", 474 Default: "github", 475 }, 476 }, 477 Scope: []string{"GENERAL", "PARAMETERS", "STAGES", "STEPS"}, 478 Type: "string", 479 Mandatory: false, 480 Aliases: []config.Alias{{Name: "access_token"}}, 481 Default: os.Getenv("PIPER_githubToken"), 482 }, 483 { 484 Name: "incremental", 485 ResourceRef: []config.ResourceReference{}, 486 Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, 487 Type: "bool", 488 Mandatory: false, 489 Aliases: []config.Alias{}, 490 Default: true, 491 }, 492 { 493 Name: "maxRetries", 494 ResourceRef: []config.ResourceReference{}, 495 Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, 496 Type: "int", 497 Mandatory: false, 498 Aliases: []config.Alias{}, 499 Default: 3, 500 }, 501 { 502 Name: "owner", 503 ResourceRef: []config.ResourceReference{ 504 { 505 Name: "commonPipelineEnvironment", 506 Param: "github/owner", 507 }, 508 }, 509 Scope: []string{"GENERAL", "PARAMETERS", "STAGES", "STEPS"}, 510 Type: "string", 511 Mandatory: false, 512 Aliases: []config.Alias{{Name: "githubOrg"}}, 513 Default: os.Getenv("PIPER_owner"), 514 }, 515 { 516 Name: "password", 517 ResourceRef: []config.ResourceReference{ 518 { 519 Name: "checkmarxCredentialsId", 520 Param: "password", 521 Type: "secret", 522 }, 523 524 { 525 Name: "checkmarxVaultSecretName", 526 Type: "vaultSecret", 527 Default: "checkmarx", 528 }, 529 }, 530 Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, 531 Type: "string", 532 Mandatory: true, 533 Aliases: []config.Alias{}, 534 Default: os.Getenv("PIPER_password"), 535 }, 536 { 537 Name: "preset", 538 ResourceRef: []config.ResourceReference{}, 539 Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, 540 Type: "string", 541 Mandatory: false, 542 Aliases: []config.Alias{}, 543 Default: os.Getenv("PIPER_preset"), 544 }, 545 { 546 Name: "projectName", 547 ResourceRef: []config.ResourceReference{}, 548 Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, 549 Type: "string", 550 Mandatory: true, 551 Aliases: []config.Alias{{Name: "checkmarxProject"}, {Name: "checkMarxProjectName", Deprecated: true}}, 552 Default: os.Getenv("PIPER_projectName"), 553 }, 554 { 555 Name: "pullRequestName", 556 ResourceRef: []config.ResourceReference{}, 557 Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, 558 Type: "string", 559 Mandatory: false, 560 Aliases: []config.Alias{}, 561 Default: os.Getenv("PIPER_pullRequestName"), 562 }, 563 { 564 Name: "repository", 565 ResourceRef: []config.ResourceReference{ 566 { 567 Name: "commonPipelineEnvironment", 568 Param: "github/repository", 569 }, 570 }, 571 Scope: []string{"GENERAL", "PARAMETERS", "STAGES", "STEPS"}, 572 Type: "string", 573 Mandatory: false, 574 Aliases: []config.Alias{{Name: "githubRepo"}}, 575 Default: os.Getenv("PIPER_repository"), 576 }, 577 { 578 Name: "serverUrl", 579 ResourceRef: []config.ResourceReference{}, 580 Scope: []string{"GENERAL", "PARAMETERS", "STAGES", "STEPS"}, 581 Type: "string", 582 Mandatory: true, 583 Aliases: []config.Alias{{Name: "checkmarxServerUrl"}}, 584 Default: os.Getenv("PIPER_serverUrl"), 585 }, 586 { 587 Name: "engineConfigurationID", 588 ResourceRef: []config.ResourceReference{}, 589 Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, 590 Type: "string", 591 Mandatory: false, 592 Aliases: []config.Alias{{Name: "sourceEncoding"}}, 593 Default: os.Getenv("PIPER_engineConfigurationID"), 594 }, 595 { 596 Name: "teamId", 597 ResourceRef: []config.ResourceReference{}, 598 Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, 599 Type: "string", 600 Mandatory: false, 601 Aliases: []config.Alias{{Name: "checkmarxGroupId"}, {Name: "groupId", Deprecated: true}}, 602 Default: os.Getenv("PIPER_teamId"), 603 }, 604 { 605 Name: "teamName", 606 ResourceRef: []config.ResourceReference{}, 607 Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, 608 Type: "string", 609 Mandatory: false, 610 Aliases: []config.Alias{}, 611 Default: os.Getenv("PIPER_teamName"), 612 }, 613 { 614 Name: "username", 615 ResourceRef: []config.ResourceReference{ 616 { 617 Name: "checkmarxCredentialsId", 618 Param: "username", 619 Type: "secret", 620 }, 621 622 { 623 Name: "checkmarxVaultSecretName", 624 Type: "vaultSecret", 625 Default: "checkmarx", 626 }, 627 }, 628 Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, 629 Type: "string", 630 Mandatory: true, 631 Aliases: []config.Alias{}, 632 Default: os.Getenv("PIPER_username"), 633 }, 634 { 635 Name: "verifyOnly", 636 ResourceRef: []config.ResourceReference{}, 637 Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, 638 Type: "bool", 639 Mandatory: false, 640 Aliases: []config.Alias{}, 641 Default: false, 642 }, 643 { 644 Name: "vulnerabilityThresholdEnabled", 645 ResourceRef: []config.ResourceReference{}, 646 Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, 647 Type: "bool", 648 Mandatory: false, 649 Aliases: []config.Alias{}, 650 Default: true, 651 }, 652 { 653 Name: "vulnerabilityThresholdHigh", 654 ResourceRef: []config.ResourceReference{}, 655 Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, 656 Type: "int", 657 Mandatory: false, 658 Aliases: []config.Alias{}, 659 Default: 100, 660 }, 661 { 662 Name: "vulnerabilityThresholdMedium", 663 ResourceRef: []config.ResourceReference{}, 664 Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, 665 Type: "int", 666 Mandatory: false, 667 Aliases: []config.Alias{}, 668 Default: 100, 669 }, 670 { 671 Name: "vulnerabilityThresholdLow", 672 ResourceRef: []config.ResourceReference{}, 673 Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, 674 Type: "int", 675 Mandatory: false, 676 Aliases: []config.Alias{}, 677 Default: 10, 678 }, 679 { 680 Name: "vulnerabilityThresholdLowPerQuery", 681 ResourceRef: []config.ResourceReference{}, 682 Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, 683 Type: "bool", 684 Mandatory: false, 685 Aliases: []config.Alias{}, 686 Default: false, 687 }, 688 { 689 Name: "vulnerabilityThresholdLowPerQueryMax", 690 ResourceRef: []config.ResourceReference{}, 691 Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, 692 Type: "int", 693 Mandatory: false, 694 Aliases: []config.Alias{}, 695 Default: 10, 696 }, 697 { 698 Name: "vulnerabilityThresholdResult", 699 ResourceRef: []config.ResourceReference{}, 700 Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, 701 Type: "string", 702 Mandatory: false, 703 Aliases: []config.Alias{}, 704 Default: `FAILURE`, 705 }, 706 { 707 Name: "vulnerabilityThresholdUnit", 708 ResourceRef: []config.ResourceReference{}, 709 Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, 710 Type: "string", 711 Mandatory: false, 712 Aliases: []config.Alias{}, 713 Default: `percentage`, 714 }, 715 { 716 Name: "isOptimizedAndScheduled", 717 ResourceRef: []config.ResourceReference{ 718 { 719 Name: "commonPipelineEnvironment", 720 Param: "custom/isOptimizedAndScheduled", 721 }, 722 }, 723 Scope: []string{"PARAMETERS"}, 724 Type: "bool", 725 Mandatory: false, 726 Aliases: []config.Alias{}, 727 Default: false, 728 }, 729 { 730 Name: "createResultIssue", 731 ResourceRef: []config.ResourceReference{ 732 { 733 Name: "commonPipelineEnvironment", 734 Param: "custom/isOptimizedAndScheduled", 735 }, 736 }, 737 Scope: []string{"GENERAL", "PARAMETERS", "STAGES", "STEPS"}, 738 Type: "bool", 739 Mandatory: false, 740 Aliases: []config.Alias{}, 741 Default: false, 742 }, 743 { 744 Name: "convertToSarif", 745 ResourceRef: []config.ResourceReference{}, 746 Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, 747 Type: "bool", 748 Mandatory: false, 749 Aliases: []config.Alias{}, 750 Default: true, 751 }, 752 }, 753 }, 754 Outputs: config.StepOutputs{ 755 Resources: []config.StepResources{ 756 { 757 Name: "influx", 758 Type: "influx", 759 Parameters: []map[string]interface{}{ 760 {"name": "step_data", "fields": []map[string]string{{"name": "checkmarx"}}}, 761 {"name": "checkmarx_data", "fields": []map[string]string{{"name": "high_issues"}, {"name": "high_not_false_positive"}, {"name": "high_not_exploitable"}, {"name": "high_confirmed"}, {"name": "high_urgent"}, {"name": "high_proposed_not_exploitable"}, {"name": "high_to_verify"}, {"name": "medium_issues"}, {"name": "medium_not_false_positive"}, {"name": "medium_not_exploitable"}, {"name": "medium_confirmed"}, {"name": "medium_urgent"}, {"name": "medium_proposed_not_exploitable"}, {"name": "medium_to_verify"}, {"name": "low_issues"}, {"name": "low_not_false_positive"}, {"name": "low_not_exploitable"}, {"name": "low_confirmed"}, {"name": "low_urgent"}, {"name": "low_proposed_not_exploitable"}, {"name": "low_to_verify"}, {"name": "information_issues"}, {"name": "information_not_false_positive"}, {"name": "information_not_exploitable"}, {"name": "information_confirmed"}, {"name": "information_urgent"}, {"name": "information_proposed_not_exploitable"}, {"name": "information_to_verify"}, {"name": "lines_of_code_scanned"}, {"name": "files_scanned"}, {"name": "initiator_name"}, {"name": "owner"}, {"name": "scan_id"}, {"name": "project_id"}, {"name": "projectName"}, {"name": "team"}, {"name": "team_full_path_on_report_date"}, {"name": "scan_start"}, {"name": "scan_time"}, {"name": "checkmarx_version"}, {"name": "scan_type"}, {"name": "preset"}, {"name": "deep_link"}, {"name": "report_creation_time"}}}, 762 }, 763 }, 764 { 765 Name: "reports", 766 Type: "reports", 767 Parameters: []map[string]interface{}{ 768 {"filePattern": "**/piper_checkmarx_report.html", "type": "checkmarx"}, 769 {"filePattern": "**/CxSASTResults_*.xml", "type": "checkmarx"}, 770 {"filePattern": "**/ScanReport.*", "type": "checkmarx"}, 771 {"filePattern": "**/toolrun_checkmarx_*.json", "type": "checkmarx"}, 772 }, 773 }, 774 }, 775 }, 776 }, 777 } 778 return theMetaData 779 }