checkmarx-ltd / cx-flow

Checkmarx Scan and Result Orchestration
Apache License 2.0

Config As Code: engineConfiguration ignored #549

Closed brenwhyte closed 3 years ago

brenwhyte commented 3 years ago

Description

When trying to override the engineConfiguration via cx.config with Multi-language Scan, it's ignored and the Default Configuration is used.

Expected Behavior

That a new scan is created with Multi-language Scan enabled or an existing project gets updated with the same.

Actual Behavior

engineConfiguration is ignored and the Default is chosen.

Reproduction

GitLab webhook setup.

server:
  port: 8080
logging:
  file: flow.log
  level:
    com:
       checkmarx:
          flow:
             cmd: TRACE
             service: TRACE
             controller: TRACE
    org:
       apache:
          http:
             wire: TRACE
       springframework:
          web:
             client:
                RestTemplate: TRACE

cxflow:
  bug-tracker: GitLab
  bug-tracker-impl:
    - GitLab
  branches:
  - master
  - main
  - merge_request
  filter-severity:
  # - High
  filter-category:
  #- SQL_Injection
  #- Stored_XSS
  #- Reflected_XSS_All_Clients
  filter-cwe:
  filter-status:
  # - Urgent
  # - Confirmed
  # - To Verify
  mitre-url: https://cwe.mitre.org/data/definitions/%s.html
  #wiki-url: https://custodela.atlassian.net/wiki/spaces/AS/pages/79462432/Remediation+Guidance
  codebash-url: *snip*
  enabled-vulnerability-scanners:
    - sast

checkmarx:
  version: 9.0
  username: 
  password: 
  client-id: resource_owner_client
  client-secret:
  scope: access_control_api sast_rest_api
  base-url: *snip*
  multi-tenant: true
  configuration: Default Configuration
  preserve-xml: true
  team: 
  url: ${checkmarx.base-url}/cxrestapi
  scan-preset: Checkmarx Default
  incremental: true
  settings-override: true
  #WSDL Config
  portal-url: ${checkmarx.base-url}/cxwebinterface/Portal/CxWebService.asmx
  sdk-url: ${checkmarx.base-url}/cxwebinterface/SDK/CxSDKWebService.asmx
  portal-wsdl: ${checkmarx.base-url}/Portal/CxWebService.asmx?wsdl
  sdk-wsdl: ${checkmarx.base-url}/SDK/CxSDKWebService.asmx?wsdl

gitlab:
  webhook-token: 
  token: 
  url: https://gitlab.com
  api-url: https://gitlab.com/api/v4
  false-positive-label: false-positive
  block-merge: false
  cx-summary: true

^^ I enabled settings-override: true to see if that helped.

cx.config

{
  "version": 1.0,
  "team": "/CxServer/<team-name>",
  "sast": {
    "engineConfiguration": "Multi-language Scan",
    "forceScan": "true"
  }
}

CxFlow logging is set to TRACE. Here we see the output of the engine configuration being set to "id": 1 and "Default Configuration":

*snip*
2020-11-26 17:15:32.185 DEBUG 1 --- [      flow-web2] org.apache.http.wire                     : http-outgoing-2 << "Date: Thu, 26 Nov 2020 17:15:04 GMT[\r][\n]"
--
2020-11-26 17:15:32.185 DEBUG 1 --- [      flow-web2] org.apache.http.wire                     : http-outgoing-2 << "Content-Length: 233[\r][\n]"
2020-11-26 17:15:32.185 DEBUG 1 --- [      flow-web2] org.apache.http.wire                     : http-outgoing-2 << "[\r][\n]"
2020-11-26 17:15:32.185 DEBUG 1 --- [      flow-web2] org.apache.http.wire                     : http-outgoing-2 << "[[\r][\n]"
2020-11-26 17:15:32.185 DEBUG 1 --- [      flow-web2] org.apache.http.wire                     : http-outgoing-2 << "  {[\r][\n]"
2020-11-26 17:15:32.185 DEBUG 1 --- [      flow-web2] org.apache.http.wire                     : http-outgoing-2 << "    "id": 1,[\r][\n]"
2020-11-26 17:15:32.185 DEBUG 1 --- [      flow-web2] org.apache.http.wire                     : http-outgoing-2 << "    "name": "Default Configuration"[\r][\n]"
2020-11-26 17:15:32.185 DEBUG 1 --- [      flow-web2] org.apache.http.wire                     : http-outgoing-2 << "  },[\r][\n]"
2020-11-26 17:15:32.185 DEBUG 1 --- [      flow-web2] org.apache.http.wire                     : http-outgoing-2 << "  {[\r][\n]"
2020-11-26 17:15:32.185 DEBUG 1 --- [      flow-web2] org.apache.http.wire                     : http-outgoing-2 << "    "id": 2,[\r][\n]"
2020-11-26 17:15:32.185 DEBUG 1 --- [      flow-web2] org.apache.http.wire                     : http-outgoing-2 << "    "name": "Japanese (Shift-JIS)"[\r][\n]"
2020-11-26 17:15:32.185 DEBUG 1 --- [      flow-web2] org.apache.http.wire                     : http-outgoing-2 << "  },[\r][\n]"
2020-11-26 17:15:32.185 DEBUG 1 --- [      flow-web2] org.apache.http.wire                     : http-outgoing-2 << "  {[\r][\n]"
2020-11-26 17:15:32.186 DEBUG 1 --- [      flow-web2] org.apache.http.wire                     : http-outgoing-2 << "    "id": 3,[\r][\n]"
2020-11-26 17:15:32.186 DEBUG 1 --- [      flow-web2] org.apache.http.wire                     : http-outgoing-2 << "    "name": "Korean"[\r][\n]"
2020-11-26 17:15:32.186 DEBUG 1 --- [      flow-web2] org.apache.http.wire                     : http-outgoing-2 << "  },[\r][\n]"
2020-11-26 17:15:32.186 DEBUG 1 --- [      flow-web2] org.apache.http.wire                     : http-outgoing-2 << "  {[\r][\n]"
2020-11-26 17:15:32.186 DEBUG 1 --- [      flow-web2] org.apache.http.wire                     : http-outgoing-2 << "    "id": 5,[\r][\n]"
2020-11-26 17:15:32.186 DEBUG 1 --- [      flow-web2] org.apache.http.wire                     : http-outgoing-2 << "    "name": "Multi-language Scan"[\r][\n]"
2020-11-26 17:15:32.186 DEBUG 1 --- [      flow-web2] org.apache.http.wire                     : http-outgoing-2 << "  }[\r][\n]"
2020-11-26 17:15:32.186 DEBUG 1 --- [      flow-web2] org.apache.http.wire                     : http-outgoing-2 << "]"
2020-11-26 17:15:32.186 DEBUG 1 --- [      flow-web2] o.s.web.client.RestTemplate              : Response 200 OK
2020-11-26 17:15:32.186 DEBUG 1 --- [      flow-web2] o.s.web.client.RestTemplate              : Reading to [com.checkmarx.sdk.dto.cx.CxScanEngine[]]
2020-11-26 17:15:32.188  INFO 1 --- [      flow-web2] c.c.sdk.service.ScanSettingsClientImpl   : Found xml/engine configuration Default Configuration with ID 1
2020-11-26 17:15:32.189  INFO 1 --- [      flow-web2] c.c.sdk.service.ScanSettingsClientImpl   : Creating ScanSettings for project Id 427
*snip*

I've added the "forceScan": "true" to ensure that a setting under sast is getting passed through, and sure enough that one is.

Here we see forceScan is enabled for this project:

*snip*
2020-11-26 17:15:32.920 DEBUG 1 --- [      flow-web2] o.s.web.client.RestTemplate              : Writing [CxScan(projectId=427, isIncremental=false, isPublic=true, forceScan=true, comment=CxFlow Automated Scan)] as "application/json"
--
2020-11-26 17:15:32.921 DEBUG 1 --- [      flow-web2] org.apache.http.wire                     : http-outgoing-2 >> "POST /cxrestapi/sast/scans HTTP/1.1[\r][\n]"
2020-11-26 17:15:32.921 DEBUG 1 --- [      flow-web2] org.apache.http.wire                     : http-outgoing-2 >> "Accept: text/plain, application/json, application/*+json, */*[\r][\n]"
2020-11-26 17:15:32.921 DEBUG 1 --- [      flow-web2] org.apache.http.wire                     : http-outgoing-2 >> "Authorization: Bearer *snip*"
2020-11-26 17:15:32.921 DEBUG 1 --- [      flow-web2] org.apache.http.wire                     : http-outgoing-2 >> "Content-Type: application/json[\r][\n]"
2020-11-26 17:15:32.921 DEBUG 1 --- [      flow-web2] org.apache.http.wire                     : http-outgoing-2 >> "cxOrigin: CxFlow[\r][\n]"
2020-11-26 17:15:32.921 DEBUG 1 --- [      flow-web2] org.apache.http.wire                     : http-outgoing-2 >> "Content-Length: 106[\r][\n]"
2020-11-26 17:15:32.921 DEBUG 1 --- [      flow-web2] org.apache.http.wire                     : http-outgoing-2 >> "Host: *snip*.checkmarx.net[\r][\n]"
2020-11-26 17:15:32.921 DEBUG 1 --- [      flow-web2] org.apache.http.wire                     : http-outgoing-2 >> "Connection: Keep-Alive[\r][\n]"
2020-11-26 17:15:32.921 DEBUG 1 --- [      flow-web2] org.apache.http.wire                     : http-outgoing-2 >> "User-Agent: Apache-HttpClient/4.5.10 (Java/1.8.0_252)[\r][\n]"
2020-11-26 17:15:32.921 DEBUG 1 --- [      flow-web2] org.apache.http.wire                     : http-outgoing-2 >> "Accept-Encoding: gzip,deflate[\r][\n]"
2020-11-26 17:15:32.921 DEBUG 1 --- [      flow-web2] org.apache.http.wire                     : http-outgoing-2 >> "[\r][\n]"
2020-11-26 17:15:32.921 DEBUG 1 --- [      flow-web2] org.apache.http.wire                     : http-outgoing-2 >> "{     "projectId": 427,     "isIncremental": false,     "isPublic": true,     "forceScan": true,     "comment": "CxFlow Automated Scan" }"
*snip*

Environment Details

GitLab.com Gold, Checkmarx v9.2.0 HF3, cxflow 1.6.13
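The precedence the report expects (cx.config `sast.engineConfiguration` over `checkmarx.configuration` in application.yaml, over the server default), written out as an added example that is not cx-flow's own code, so the resolved id can be compared with what the `ScanSettings` request actually carries. The engine list is copied from the trace above; the `settings-override` gating, the `engineConfigurationId` field name and the helper names are assumptions.

```python
import json

# Engine configurations as the SAST REST API returned them in the trace
# above (ids and names copied from the log; list constructed here).
ENGINE_CONFIGS = [
    {"id": 1, "name": "Default Configuration"},
    {"id": 2, "name": "Japanese (Shift-JIS)"},
    {"id": 3, "name": "Korean"},
    {"id": 5, "name": "Multi-language Scan"},
]

# The repository-side cx.config from the issue.
CX_CONFIG = json.loads("""{
  "version": 1.0,
  "team": "/CxServer/<team-name>",
  "sast": {"engineConfiguration": "Multi-language Scan", "forceScan": "true"}
}""")

# Relevant slice of the CxFlow application.yaml (constructed).
APP_CONFIG = {"checkmarx": {"configuration": "Default Configuration",
                            "settings-override": True}}


def resolve_engine_config(cx_config, app_config, engines):
    """Return the engine configuration id a scan should be created with.

    Assumed precedence (what the issue expects, not cx-flow's verified
    behaviour): cx.config sast.engineConfiguration when settings-override
    is on, else checkmarx.configuration from application.yaml. An unknown
    name is an error rather than a silent fall back to id 1.
    """
    by_name = {e["name"]: e["id"] for e in engines}
    cx = app_config.get("checkmarx", {})
    wanted = None
    if cx.get("settings-override"):
        wanted = cx_config.get("sast", {}).get("engineConfiguration")
    if not wanted:
        wanted = cx.get("configuration")
    if wanted not in by_name:
        raise ValueError(f"engine configuration {wanted!r} unknown to server")
    return by_name[wanted]


def scan_settings_match(expected_id, scan_settings):
    """True when the ScanSettings payload carries the resolved id
    (field name engineConfigurationId assumed from the CxSAST REST API)."""
    return scan_settings.get("engineConfigurationId") == expected_id
```

With the issue's configs the resolver yields id 5, while the trace shows ScanSettings being created with id 1, which is the mismatch the report describes.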

AvivCx commented 3 years ago

Hi @brenwhyte. Can you please refer to this property: new scan override property. Try to set it to 'true' to override the scan configuration.

brenwhyte commented 3 years ago

Thanks @AvivCX

I'm setting that in CxFlow's application.yaml right? I've already set that to true as you can see in the example above. I've tried with and without it, no difference.

AvivCx commented 3 years ago

OK, thanks @brenwhyte, we will look into this.

brenwhyte commented 3 years ago

Thanks @AvivCX!