checkmarx-ltd / cx-flow

Checkmarx Scan and Result Orchestration
Apache License 2.0

Thresholds violation and issue tracking not working on GitLab pipeline, empty finding counts. #1387

Open LouisLowy opened 1 month ago

LouisLowy commented 1 month ago

Description

I've configured the thresholds on medium and low with the GitLab issue tracker in a GitLab pipeline, but only the scans were executed. What am I missing in my config?

Expected Behavior

From my understanding, with "bug-tracker" and "break-build" configured, the scan results should be presented as GitLab issues; also, with thresholds set, the build should fail if they are exceeded.

Actual Behavior

It seems like only the scan is being executed: no issue is opened and no build fails, just the scan happens. The ThresholdValidatorImpl picked up the threshold settings but no finding counts, even though ResultsService actually shows that the scan results exceed them.

Reproduction

Detail the steps taken to reproduce the issue

Where applicable, please include (exclude sensitive information):

  • Code of Files to reproduce the issue

gitlab-ci.yml file

stages:
  - scan

checkmarx-scan:
  stage: scan
  variables:
    CHECKMARX_INCREMENTAL: "false"
    # Credentials are redacted here; in a real pipeline keep them out of the
    # file and supply them as masked/protected CI/CD variables instead.
    CHECKMARX_USERNAME: "xxxxxxx"
    CHECKMARX_BASE_URL: "http://xxx.xxx.xxx.xxx/"
    CHECKMARX_PASSWORD: "xxxxxxx"
    GITLAB_TOKEN: xxxxxxxxx
    GITLAB_URL: "xxxxxxx"
    GITLAB_API_URL: "xxxxxxx"
    GITLAB_FALSE_POSITIVE_LABEL: "false-positive"
    GITLAB_BLOCK_MERGE: "true"
    GITLAB_ERROR_MERGE: "true"
    CX_PROJECT: "xxx"
    CHECKMARX_VERSION: "9.6"
    CHECKMARX_SETTINGS_OVERRIDE: "true"
    CHECKMARX_CONFIGURATION: "Default Configuration"
    CHECKMARX_SCAN_PRESET: "Checkmarx Default"
    CX_FLOW_ENABLED_VULNERABILITY_SCANNERS: sast
    CX_TEAM: "/CxServer"
    CX_FLOW_BREAK_BUILD: "true"
    SECURITY_DASHBOARD_ON_MR: "true"
    PARAMS: ""
  # The posted command spelled the option "--cx-flow.filter-serverity";
  # it is corrected below to cx-flow's "--cx-flow.filter-severity".
  script:
    - java -jar "C:/CxFlow/cx-flow-1.7.03.jar"
          --scan
          --cx-flow.bug-tracker="GitLab"
          --cx-flow.filter-severity="Low"
          --cx-flow.thresholds.high=3
          --cx-flow.thresholds.medium=3
          --cx-flow.thresholds.low=3
          --logging.level.org.springframework.web.client=TRACE
          --logging.level.com.checkmarx.flow.custom=TRACE
          --app="${CI_PROJECT_NAME}"
          --namespace="${CI_PROJECT_NAMESPACE}"
          --repo-name="${CI_PROJECT_NAME}"
          --repo-url="${CI_REPOSITORY_URL}"
          --cx-team="${CX_TEAM}"
          --cx-project="${CX_PROJECT}"
          --branch="${CI_COMMIT_BRANCH}"
          --spring.profiles.active="${CX_FLOW_ENABLED_VULNERABILITY_SCANNERS}"
          --break-build="${CX_FLOW_BREAK_BUILD}"
          --f=.
          ${PARAMS}
  # With allow_failure: true the pipeline stays green even when this job
  # exits non-zero, so break-build can never fail the pipeline while it is set.
  allow_failure: true
  • Log files
2024-09-12 16:59:47.019  INFO 8108 --- [           main] c.c.f.s.ResultsService                    [ElhTNKdT] : Issue tracking is custom bean implementation
2024-09-12 16:59:47.025  INFO 8108 --- [           main] c.c.f.c.GitLabIssueTracker                [ElhTNKdT] : Initializing GitLab processing
2024-09-12 16:59:47.026 DEBUG 8108 --- [           main] c.c.f.c.GitLabIssueTracker                [ElhTNKdT] : Searching repo by query: trydis
2024-09-12 16:59:47.026 DEBUG 8108 --- [           main] o.s.w.c.RestTemplate                      [ElhTNKdT] : HTTP GET https://git.xxx.com.tw/api/v4/projects?search=xxxx&pagination=keyset&per_page=100&order_by=id&sort=asc&id_after=0
2024-09-12 16:59:47.026 DEBUG 8108 --- [           main] o.s.w.c.RestTemplate                      [ElhTNKdT] : Accept=[text/plain, application/json, application/*+json, */*]
2024-09-12 16:59:47.284 DEBUG 8108 --- [           main] o.s.w.c.RestTemplate                      [ElhTNKdT] : Response 200 OK
2024-09-12 16:59:47.284 DEBUG 8108 --- [           main] o.s.w.c.RestTemplate                      [ElhTNKdT] : Reading to [java.lang.String] as "application/json"
2024-09-12 16:59:47.285 DEBUG 8108 --- [           main] c.c.f.c.GitLabIssueTracker                [ElhTNKdT] : Projects found: 1. Looking for exact match.
2024-09-12 16:59:47.286 DEBUG 8108 --- [           main] c.c.f.c.GitLabIssueTracker                [ElhTNKdT] : Checking xxx/xxx... match!
2024-09-12 16:59:47.286 DEBUG 8108 --- [           main] c.c.f.c.GitLabIssueTracker                [ElhTNKdT] : Using GitLab project ID: 6195
2024-09-12 16:59:47.286  INFO 8108 --- [           main] c.c.f.s.IssueService                      [ElhTNKdT] : Processing Issues with custom bean GitLab
2024-09-12 16:59:47.286  INFO 8108 --- [           main] c.c.f.c.GitLabIssueTracker                [ElhTNKdT] : Executing getIssues GitLab API call
2024-09-12 16:59:47.286 DEBUG 8108 --- [           main] o.s.w.c.RestTemplate                      [ElhTNKdT] : HTTP GET https://git.xxx.com.tw/api/v4/projects/6195/issues?per_page=100
2024-09-12 16:59:47.287 DEBUG 8108 --- [           main] o.s.w.c.RestTemplate                      [ElhTNKdT] : Accept=[application/json, application/*+json]
2024-09-12 16:59:47.361 DEBUG 8108 --- [           main] o.s.w.c.RestTemplate                      [ElhTNKdT] : Response 200 OK
2024-09-12 16:59:47.362 DEBUG 8108 --- [           main] o.s.w.c.RestTemplate                      [ElhTNKdT] : Reading to [com.checkmarx.flow.dto.gitlab.Issue[]]
2024-09-12 16:59:47.370  INFO 8108 --- [           main] c.c.f.c.GitLabIssueTracker                [ElhTNKdT] : Finalizing GitLab Processing
2024-09-12 16:59:47.370  INFO 8108 --- [           main] c.c.f.s.ResultsService                    [ElhTNKdT] : ######## Checkmarx Scan Results Summary ########
2024-09-12 16:59:47.371  INFO 8108 --- [           main] c.c.f.s.ResultsService                    [ElhTNKdT] : Team: /CxServer
2024-09-12 16:59:47.371  INFO 8108 --- [           main] c.c.f.s.ResultsService                    [ElhTNKdT] : Project: Louis_GitLab_Runner
2024-09-12 16:59:47.371  INFO 8108 --- [           main] c.c.f.s.ResultsService                    [ElhTNKdT] : Scan-Id: 1000086
2024-09-12 16:59:47.371  INFO 8108 --- [           main] c.c.f.s.ResultsService                    [ElhTNKdT] : High vulnerabilities: 0
2024-09-12 16:59:47.371  INFO 8108 --- [           main] c.c.f.s.ResultsService                    [ElhTNKdT] : Medium vulnerabilities: 5
2024-09-12 16:59:47.371  INFO 8108 --- [           main] c.c.f.s.ResultsService                    [ElhTNKdT] : Low vulnerabilities: 5
2024-09-12 16:59:47.372  INFO 8108 --- [           main] c.c.f.s.ResultsService                    [ElhTNKdT] : Info vulnerabilities: 7
2024-09-12 16:59:47.372  INFO 8108 --- [           main] c.c.f.s.ResultsService                    [ElhTNKdT] : To view results use following link: http://xxx/CxWebClient/ViewerMain.aspx?scanid=1000086&projectid=28
2024-09-12 16:59:47.372  INFO 8108 --- [           main] c.c.f.s.ResultsService                    [ElhTNKdT] : ################################################
2024-09-12 16:59:47.373  INFO 8108 --- [           main] c.c.f.s.ThresholdValidatorImpl            [ElhTNKdT] : Checking Thresholds exists. sast thresholds: true. sca thresholds: false
2024-09-12 16:59:47.379  INFO 8108 --- [           main] c.c.f.s.ThresholdValidatorImpl            [ElhTNKdT] : Using CxSAST thresholds: {"HIGH":3,"LOW":3,"MEDIUM":3}
2024-09-12 16:59:47.380  INFO 8108 --- [           main] c.c.f.s.ThresholdValidatorImpl            [ElhTNKdT] : **Finding counts: {}**
2024-09-12 16:59:47.380  INFO 8108 --- [           main] c.c.f.s.ThresholdValidatorImpl            [ElhTNKdT] : No thresholds were exceeded.
2024-09-12 16:59:47.381  INFO 8108 --- [           main] c.c.f.CxFlowRunner                        [ElhTNKdT] : Build succeeded. all checks passed
2024-09-12 16:59:47.381  INFO 8108 --- [           main] c.c.f.CxFlowRunner                        [ElhTNKdT] : Completed Successfully
2024-09-12 16:59:47.382  INFO 8108 --- [           main] c.c.f.CxFlowRunner                        [ElhTNKdT] : Finished with exit code: 0
Cleaning up project directory and file based variables
Job succeeded
  • Application settings

  • Screenshots (image not included)

Environment Details

CxSAST 9.6.5, CxFlow 1.7.03, JDK 17.0.12, GitLab Runner 17.3.1

Provide any information relating to the environment the issue was identified in - include applicable version and additional runtime information (include OS or other underlying infrastructure)
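The log above shows cx-flow finishing with exit code 0 after ThresholdValidatorImpl printed "Finding counts: {}", while the summary it logged a few lines earlier lists 5 Medium and 5 Low findings against thresholds of 3. The script below is an added example, not part of cx-flow: it re-derives the verdict from cx-flow's own summary lines and fails the job when the validator's counts are empty although findings exist, so the pipeline fails closed instead of trusting the exit code. It assumes a threshold is exceeded when the count is strictly greater than the configured cx-flow.thresholds value; the sample log lines are constructed, abridged from the log posted in this issue.

```python
"""Fail-closed guard for a cx-flow CLI run in GitLab CI.

Added example, not cx-flow code. It re-derives the threshold verdict from the
"Checkmarx Scan Results Summary" lines cx-flow logs and refuses to trust exit
code 0 when ThresholdValidatorImpl printed "Finding counts: {}" although the
summary lists findings. Assumption: a threshold is exceeded when the count is
strictly greater than cx-flow.thresholds.<severity>.
"""
import re
import sys

SUMMARY_RE = re.compile(r"(High|Medium|Low|Info) vulnerabilities: (\d+)")
COUNTS_RE = re.compile(r"Finding counts: (\{.*\})")
THRESHOLD_RE = re.compile(r"^--cx-flow\.thresholds\.(high|medium|low|info)=(\d+)$")

# Constructed sample, abridged from the log in this issue (timestamps dropped).
SAMPLE_LOG = [
    "c.c.f.s.ResultsService : ######## Checkmarx Scan Results Summary ########",
    "c.c.f.s.ResultsService : High vulnerabilities: 0",
    "c.c.f.s.ResultsService : Medium vulnerabilities: 5",
    "c.c.f.s.ResultsService : Low vulnerabilities: 5",
    "c.c.f.s.ResultsService : Info vulnerabilities: 7",
    'c.c.f.s.ThresholdValidatorImpl : Using CxSAST thresholds: {"HIGH":3,"LOW":3,"MEDIUM":3}',
    "c.c.f.s.ThresholdValidatorImpl : Finding counts: {}",
    "c.c.f.s.ThresholdValidatorImpl : No thresholds were exceeded.",
    "c.c.f.CxFlowRunner : Finished with exit code: 0",
]


def thresholds_from_args(argv):
    """Collect --cx-flow.thresholds.<sev>=<n> flags into {"High": n, ...}."""
    thresholds = {}
    for arg in argv:
        m = THRESHOLD_RE.match(arg)
        if m:
            thresholds[m.group(1).capitalize()] = int(m.group(2))
    return thresholds


def parse_log(lines):
    """Return (summary counts by severity, raw 'Finding counts' text or None)."""
    summary, validator = {}, None
    for line in lines:
        m = SUMMARY_RE.search(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
        m = COUNTS_RE.search(line)
        if m:
            validator = m.group(1).strip()
    return summary, validator


def verdict(summary, validator, thresholds):
    """Return (ok, reasons). ok is False if any threshold is exceeded, or if
    the validator saw no findings while the summary reports some for a
    thresholded severity (the symptom in this issue)."""
    reasons = [f"{sev}: {summary[sev]} > threshold {limit}"
               for sev, limit in thresholds.items()
               if summary.get(sev, 0) > limit]
    if validator == "{}" and any(summary.get(sev, 0) for sev in thresholds):
        reasons.append("ThresholdValidatorImpl reported empty finding counts "
                       "while the results summary shows findings")
    return not reasons, reasons


if __name__ == "__main__":
    # Usage: python3 cxflow_guard.py <cx-flow log file> <cx-flow CLI args...>
    log_path, cli_args = sys.argv[1], sys.argv[2:]
    with open(log_path, encoding="utf-8") as fh:
        ok, reasons = verdict(*parse_log(fh), thresholds_from_args(cli_args))
    for reason in reasons:
        print("cx-flow guard:", reason)
    sys.exit(0 if ok else 1)
```

To use it in the job, capture cx-flow's output (for example `set -o pipefail; java -jar cx-flow.jar ... 2>&1 | tee cxflow.log`, pipefail so a non-zero exit from java still fails the step) and then run `python3 cxflow_guard.py cxflow.log --cx-flow.thresholds.high=3 --cx-flow.thresholds.medium=3 --cx-flow.thresholds.low=3`; the script only reads the threshold flags it is given, so the same flags can be passed to both commands. Remove `allow_failure: true` from the job as well, otherwise neither cx-flow's break-build nor this guard can fail the pipeline.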

ziyi-bear commented 2 weeks ago

Hi, we are also facing the same issue, but our scan only uses SAST, and we have tried upgrading GitLab and cx-flow to the latest versions; it is still not working.

Reproduction

Detail the steps taken to reproduce the issue

Where applicable, please include (exclude sensitive information):

  • Code of Files to reproduce the issue
  • Log files
    2024-10-17 11:18:22.629 DEBUG 15 --- [           main] o.s.w.HttpLogging                         [agEmyYpd] : HTTP GET https://gitlab.dgbas.gov.tw/api/v4/projects?search=sfund&pagination=keyset&per_page=100&order_by=id&sort=asc&id_after=0
    2024-10-17 11:18:22.630 DEBUG 15 --- [           main] o.s.w.HttpLogging                         [agEmyYpd] : Accept=[text/plain, application/json, application/*+json, */*]
    2024-10-17 11:18:26.516 DEBUG 15 --- [           main] o.s.w.HttpLogging                         [agEmyYpd] : Response 200 OK
    2024-10-17 11:18:26.517 DEBUG 15 --- [           main] o.s.w.HttpLogging                         [agEmyYpd] : Reading to [java.lang.String] as "application/json"
    2024-10-17 11:18:26.521  INFO 15 --- [           main] c.c.f.s.IssueService                      [agEmyYpd] : Processing Issues with custom bean GitLab
    2024-10-17 11:18:26.522  INFO 15 --- [           main] c.c.f.c.GitLabIssueTracker                [agEmyYpd] : Executing getIssues GitLab API call
    2024-10-17 11:18:26.523 DEBUG 15 --- [           main] o.s.w.HttpLogging                         [agEmyYpd] : HTTP GET https://gitlab.dgbas.gov.tw/api/v4/projects/1/issues?per_page=100
    2024-10-17 11:18:26.524 DEBUG 15 --- [           main] o.s.w.HttpLogging                         [agEmyYpd] : Accept=[application/json, application/*+json]
    2024-10-17 11:18:27.415 DEBUG 15 --- [           main] o.s.w.HttpLogging                         [agEmyYpd] : Response 200 OK
    2024-10-17 11:18:27.416 DEBUG 15 --- [           main] o.s.w.HttpLogging                         [agEmyYpd] : Reading to [com.checkmarx.flow.dto.gitlab.Issue[]]
    2024-10-17 11:18:27.444  INFO 15 --- [           main] c.c.f.c.GitLabIssueTracker                [agEmyYpd] : Finalizing GitLab Processing
    2024-10-17 11:18:27.444  INFO 15 --- [           main] c.c.f.s.ResultsService                    [agEmyYpd] : ######## Checkmarx Scan Results Summary ########
    2024-10-17 11:18:27.445  INFO 15 --- [           main] c.c.f.s.ResultsService                    [agEmyYpd] : Team: /CxServer/SP/Company/XBA
    2024-10-17 11:18:27.445  INFO 15 --- [           main] c.c.f.s.ResultsService                    [agEmyYpd] : Project: sfund-main
    2024-10-17 11:18:27.445  INFO 15 --- [           main] c.c.f.s.ResultsService                    [agEmyYpd] : Scan-Id: 1034975
    2024-10-17 11:18:27.445  INFO 15 --- [           main] c.c.f.s.ResultsService                    [agEmyYpd] : High vulnerabilities: 57
    2024-10-17 11:18:27.445  INFO 15 --- [           main] c.c.f.s.ResultsService                    [agEmyYpd] : Medium vulnerabilities: 10670
    2024-10-17 11:18:27.445  INFO 15 --- [           main] c.c.f.s.ResultsService                    [agEmyYpd] : Low vulnerabilities: 96373
    2024-10-17 11:18:27.445  INFO 15 --- [           main] c.c.f.s.ResultsService                    [agEmyYpd] : Info vulnerabilities: 7000
    2024-10-17 11:18:27.445  INFO 15 --- [           main] c.c.f.s.ResultsService                    [agEmyYpd] : To view results use following link: http://172.16.250.21/CxWebClient/ViewerMain.aspx?scanid=1034975&projectid=292
    2024-10-17 11:18:27.445  INFO 15 --- [           main] c.c.f.s.ResultsService                    [agEmyYpd] : ################################################
    2024-10-17 11:18:27.446  INFO 15 --- [           main] c.c.f.s.ThresholdValidatorImpl            [agEmyYpd] : Checking Thresholds exists. sast thresholds: true. sca thresholds: false
    2024-10-17 11:18:27.447 TRACE 15 --- [           main] o.s.b.f.s.DefaultListableBeanFactory      [agEmyYpd] : Returning cached instance of singleton bean 'sastScanner'
    2024-10-17 11:18:27.454  INFO 15 --- [           main] c.c.f.s.ThresholdValidatorImpl            [agEmyYpd] : Using CxSAST thresholds: {"HIGH":10,"MEDIUM":10,"LOW":10}
    2024-10-17 11:18:27.457  INFO 15 --- [           main] c.c.f.s.ThresholdValidatorImpl            [agEmyYpd] : Finding counts: {}
    2024-10-17 11:18:27.458  INFO 15 --- [           main] c.c.f.s.ThresholdValidatorImpl            [agEmyYpd] : No thresholds were exceeded.
    2024-10-17 11:18:27.458 TRACE 15 --- [           main] o.s.b.f.s.DefaultListableBeanFactory      [agEmyYpd] : Returning cached instance of singleton bean 'SCAScanner'
    2024-10-17 11:18:27.458 TRACE 15 --- [           main] o.s.b.f.s.DefaultListableBeanFactory      [agEmyYpd] : Returning cached instance of singleton bean 'cxGoScanner'
    2024-10-17 11:18:27.458  INFO 15 --- [           main] c.c.f.CxFlowRunner                        [agEmyYpd] : Build succeeded. all checks passed
    2024-10-17 11:18:27.458  INFO 15 --- [           main] c.c.f.CxFlowRunner                        [agEmyYpd] : Completed Successfully
    2024-10-17 11:18:27.459  INFO 15 --- [           main] c.c.f.CxFlowRunner                        [agEmyYpd] : Finished with exit code: 0
    2024-10-17 11:18:27.461 DEBUG 15 --- [ionShutdownHook] s.c.a.AnnotationConfigApplicationContext  [] : Closing 
  • Application settings .gitlab-ci.yml

    variables:
      GITLAB_URL: "${CI_SERVER_URL}"
      GITLAB_API_URL: "${CI_API_V4_URL}"
      CHECKMARX_DOCKER_IMAGE: "cx-flow"
      CX_FLOW_BUG_TRACKER: "GitLab"
      CX_FLOW_BUG_TRACKER_IMPL: ${CX_FLOW_BUG_TRACKER}
      CX_FLOW_EXE: "java -jar /app/cx-flow.jar"
      CX_PROJECT: "$CI_PROJECT_NAME-$CI_COMMIT_REF_NAME"
      CHECKMARX_VERSION: "9.0"
      CHECKMARX_SETTINGS_OVERRIDE: "true"
      # CHECKMARX_EXCLUDE_FILES: "*.gif,*.jpg,*.jpeg,*.ttf,*.xls,*.xlsx,*.jar,*.doc,*.docx,*.7z,*.zip,*.jasper,*.jrxml,*.exe,*.py"
      # CHECKMARX_EXCLUDE_FOLDERS: ""
      CHECKMARX_CONFIGURATION: "Default Configuration"
      CHECKMARX_SCAN_PRESET: "OWASP TOP 10 - 2021"
      CX_FLOW_FILTER_SEVERITY: "High"
      CX_FLOW_FILTER_CATEGORY: ""
      CX_FLOW_FILTER_CWE: ""
      CX_FLOW_FILTER_STATUS: ""
      CX_FLOW_FILTER_STATE: ""
      CX_FLOW_ENABLED_VULNERABILITY_SCANNERS: sast
      CX_FLOW_ZIP_EXCLUDE: '\.git/.*, .*\.png, .*\.ttf, .*\.jasper, .*\.jrxml, .*\.zip, .*\.exe, .*\.py, .*\.xlsx, .*\.xls, .*\.7z'
      # CX_FLOW_ZIP_EXCLUDE: '.jar,^.*\.(jpg|jpeg|ttf|xls|xlsx|jar|doc|docx|7z|zip|jasper|jrxml|exe|py|gif|)$'
      CX_FLOW_BREAK_BUILD: "true"
      GITLAB_BLOCK_MERGE: "false"
      GITLAB_ERROR_MERGE: "false"
      SECURITY_DASHBOARD_ON_MR: "false"
      PARAMS: ""

    checkmarx-scan:
      stage: test
      rules:

Environment Details

CxSAST 9.5.5.1007 HF14, CxFlow 1.7.04, GitLab Runner 17.4.1

Kiri487 commented 2 weeks ago

Hi, I have encountered the same issue before, but after I set the language of the Checkmarx Web Portal to English (United States), it worked normally. Perhaps you can give it a try.

(However, I have encountered another issue where the vulnerability count calculated by ThresholdValidatorImpl is inconsistent with that of ResultsService, and I still haven't found the reason.)
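Kiri487's two observations, that switching the portal language to English made thresholds work and that ThresholdValidatorImpl's counts differ from those in the ResultsService summary, are both consistent with a threshold check that counts findings by the severity label the SAST server returns, after the severity filter has been applied. The model below is an added illustration of that hypothesis written for this page; it is not cx-flow's code, and the thread does not confirm that cx-flow works this way. The finding lists and the non-English labels are constructed, and the "exceeded" rule (count strictly greater than the threshold) is an assumption.

```python
"""Simplified model of a severity-threshold check (added illustration, not
cx-flow's code). Two assumptions, both hypothetical: findings are reduced by
the severity filter before thresholds are counted, and counts are keyed by the
severity label returned by the SAST server, so a label that does not equal one
of the expected English names is silently dropped."""
from collections import Counter

SEVERITIES = ["Info", "Low", "Medium", "High"]  # ascending order

# Constructed findings: the severity label of each result a scan returned.
FINDINGS = ["High"] * 2 + ["Medium"] * 5 + ["Low"] * 5 + ["Info"] * 7
# The same findings with labels in another language. These strings are made up
# for the illustration and are not what any Checkmarx locale actually returns.
FINDINGS_LOCALISED = ["Alta"] * 2 + ["Media"] * 5 + ["Baja"] * 5 + ["Informativa"] * 7


def scan_summary(findings):
    """Raw per-label totals, like the ResultsService summary block."""
    return dict(Counter(findings))


def finding_counts(findings, min_severity):
    """Counts the threshold check sees: labels at or above min_severity (the
    filter-severity setting) and only labels the check recognises."""
    kept = SEVERITIES[SEVERITIES.index(min_severity):]
    return {sev: n for sev, n in Counter(findings).items() if sev in kept}


def exceeded(counts, thresholds):
    """Severities whose count is strictly greater than their threshold."""
    return {sev: counts.get(sev, 0) for sev, limit in thresholds.items()
            if counts.get(sev, 0) > limit}


def build_passes(findings, min_severity, thresholds):
    """True when no threshold is exceeded, which is also what an empty count
    map produces: unrecognised labels make the build pass by accident."""
    return not exceeded(finding_counts(findings, min_severity), thresholds)


def recognised_labels(findings):
    """Sanity check worth running before trusting a verdict: every severity
    label the server returned must be one the check understands."""
    return set(findings) <= set(SEVERITIES)
```

With filter-severity "High", as in the second config in this thread, only High findings are counted, so the validator's totals legitimately differ from the summary; with labels the check does not recognise, the count map is empty and the build passes regardless of the thresholds, which is the symptom reported above. Checking `recognised_labels` (or, in cx-flow's case, that "Finding counts" is non-empty whenever the summary is) is the cheap guard against the second case.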