checkmarx-ltd / cx-flow

Checkmarx Scan and Result Orchestration
Apache License 2.0

SAST scan order for SCAResolver with Exploitable Path doesn't wait for a scan to complete when bug tracker is set to NONE #1190

Open nleach999 opened 1 year ago

nleach999 commented 1 year ago

Description

Related to issue #1131

Exploitable Path has the requirement of a single SAST scan containing Exploitable Path queries. CxFlow does execute the SAST scan first. When the Bug Tracker is set to NONE, CxFlow does not wait for the SAST scan to complete. This causes SCAResolver to omit Exploitable Path data.

Expected Behavior

Regardless of the bug tracker, the orchestration should be that the SAST scan completes when SCAResolver is used and Exploitable Path is enabled. I expect the orchestration of the scan order to behave the same as if I submit the scan via the SCA UI. The SCA UI waits for Exploitable Path data before showing the scan is complete.

Actual Behavior

CxFlow doesn't wait for the SAST scan to complete. SCAResolver reports this error:

cxflow-webhook_1  | 2023-02-17 19:26:12.013 DEBUG 17 --- [      flow-web4] c.c.s.s.s.ScaScanner                      [MJw7BTT9] :  ---> System.Exception: the results for  project 23 do not exists or are too old
cxflow-webhook_1  | 2023-02-17 19:26:12.013 DEBUG 17 --- [      flow-web4] c.c.s.s.s.ScaScanner                      [MJw7BTT9] :    at Lumo.SastCorrelationInfra.SastServerProvider.ValidateResultExistence(RestClient client, String authToken, String projectId)
cxflow-webhook_1  | 2023-02-17 19:26:12.013 DEBUG 17 --- [      flow-web4] c.c.s.s.s.ScaScanner                      [MJw7BTT9] :    --- End of inner exception stack trace ---
cxflow-webhook_1  | 2023-02-17 19:26:12.013 DEBUG 17 --- [      flow-web4] c.c.s.s.s.ScaScanner                      [MJw7BTT9] :    at Lumo.SastCorrelationInfra.SastServerProvider.TryGetExploitablePathResultsAsync(SastServerSettings settings, Action`1 results)

Reproduction

  1. Ensure your SAST instance has no scans in the project that will be created from the webhook execution.
  2. Execute a webhook scan with cx-flow.bug-tracker set to NONE.

Environment Details

CxFlow 1.6.39
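The scan-order dependency this issue describes, as an added example that is neither CxFlow's nor SCAResolver's code: a small orchestrator that starts a (simulated) SAST scan, decides whether to wait for it, and then runs a (simulated) SCAResolver step that needs completed SAST results for Exploitable Path. `FakeSastServer`, `FlowConfig`, `must_wait_for_sast`, `orchestrate` and the `fixed` flag are hypothetical names; the status strings and the error text are constructed to mirror the log excerpt above, not taken from either product's API. With `fixed=False` the wait decision depends only on the bug tracker, which reproduces the reported behaviour; with `fixed=True` the orchestrator also waits whenever SCAResolver with Exploitable Path is in use.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


class FakeSastServer:
    """Constructed stand-in for a SAST instance (not the Checkmarx SAST API).

    Each poll advances the scan one step through status_sequence; results only
    exist once a poll has observed "Finished". A client that never polls never
    sees results, which is what happens when SCAResolver is launched right
    after the SAST scan is queued.
    """

    def __init__(self, status_sequence: Sequence[str]) -> None:
        self._sequence = list(status_sequence)
        self._step = 0
        self.finished = False

    def start_scan(self) -> None:
        self._step = 0
        self.finished = False

    def poll_status(self) -> str:
        status = self._sequence[min(self._step, len(self._sequence) - 1)]
        self._step += 1
        if status == "Finished":
            self.finished = True
        return status

    def results_exist(self) -> bool:
        return self.finished


@dataclass
class FlowConfig:
    bug_tracker: str        # value of cx-flow.bug-tracker, e.g. "NONE" or "JIRA"
    sca_resolver: bool      # SCAResolver is used for the SCA scan
    exploitable_path: bool  # Exploitable Path enabled for the SCA scan


def must_wait_for_sast(cfg: FlowConfig, fixed: bool) -> bool:
    """Scan-order decision (hypothetical, for illustration).

    fixed=False models the reported behaviour: the SAST scan is awaited only
    when a bug tracker will consume its results.
    fixed=True models the expected behaviour: also wait when SCAResolver with
    Exploitable Path needs a completed SAST scan to correlate against.
    """
    if cfg.bug_tracker != "NONE":
        return True
    return fixed and cfg.sca_resolver and cfg.exploitable_path


def wait_for_scan(server: FakeSastServer, max_polls: int = 100) -> str:
    """Poll until the SAST scan reaches a terminal state."""
    for _ in range(max_polls):
        status = server.poll_status()
        if status in ("Finished", "Failed", "Canceled"):
            return status
    raise TimeoutError("SAST scan did not reach a terminal state")


def run_sca_resolver(server: FakeSastServer, exploitable_path: bool) -> Dict[str, object]:
    """Simulated SCAResolver step: Exploitable Path requires existing SAST results.

    The error text mirrors the message in the issue's log excerpt.
    """
    if exploitable_path and not server.results_exist():
        return {"exploitable_path": False,
                "error": "the results for project do not exist or are too old"}
    return {"exploitable_path": exploitable_path, "error": None}


def orchestrate(cfg: FlowConfig, fixed: bool,
                statuses: Sequence[str] = ("Queued", "Scanning", "Finished")) -> Dict[str, object]:
    """Start the SAST scan, wait for it if the decision says so, then run SCAResolver."""
    server = FakeSastServer(statuses)
    server.start_scan()
    sast_status: Optional[str] = None
    if must_wait_for_sast(cfg, fixed):
        sast_status = wait_for_scan(server)
    sca = run_sca_resolver(server, cfg.exploitable_path) if cfg.sca_resolver else None
    return {"waited": sast_status is not None, "sast_status": sast_status, "sca": sca}


if __name__ == "__main__":
    cfg = FlowConfig(bug_tracker="NONE", sca_resolver=True, exploitable_path=True)
    print("reported behaviour:", orchestrate(cfg, fixed=False))
    print("expected behaviour:", orchestrate(cfg, fixed=True))
```

Note the failure-mode case in the last assertion of the test: when the awaited SAST scan ends in `Failed`, no results exist either, so SCAResolver still cannot correlate Exploitable Path data. An orchestrator that waits should check the terminal status, not merely that the wait returned, before treating the SCA scan as complete.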

itsKedar commented 1 year ago

Hi @nleach999

When bug-tracker is set to NONE, the feature of Cx-Flow that does not wait for the scan to finish is used by many customers. Can we identify this issue as a limitation of the ScaResolver integration with Cx-Flow? We can document this behavior if it is okay with you.

Thanks