Merge branch 'master' into snyk-upgrade-8228f5d01fd268cabdccb8a06e6272ae

Author: J12934

.github/release-drafter.yml

@@ -13,6 +13,8 @@ categories:
       label: 'docs'
     - title: '📌 Dependencies'
       label: 'dependencies'
+    - title: '⛩ DefectDojo'
+      label: 'defectdojo'
 change-template: '- $TITLE @$AUTHOR (#$NUMBER)'
 exclude-labels:
     - 'skip-changelog'

dependency-check-suppression.xml

@@ -45,20 +45,12 @@
         <cve>CVE-2019-0232</cve>
     </suppress>
 
-    <suppress until="2020-01-01Z">
+    <suppress>
         <!--
-        Introduced through: spring-security-core-5.2.0.RELEASE.jar
+        False Positive.
+        Does not apply to our Spring Version: https://pivotal.io/security/cve-2018-1258
         -->
         <cve>CVE-2018-1258</cve>
-
-        <!--
-        Not fixable until camunda-spin updates its jackson dependency
-        Introduced through: camunda-spin-dataformat-all-1.6.3.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml
-        -->
-        <cve>CVE-2019-14379</cve>
-        <cve>CVE-2018-19362</cve>
-        <cve>CVE-2018-19361</cve>
-        <cve>CVE-2018-19360</cve>
     </suppress>
 
 </suppressions>

pom.xml

@@ -57,7 +57,7 @@
             please see org.camunda.bpm.springboot.project:camunda-bpm-spring-boot-starter-root
          -->
         <camunda.version>7.10.0</camunda.version>
-        <camunda.spring.boot.starter.version>3.2.7</camunda.spring.boot.starter.version>
+        <camunda.spring.boot.starter.version>3.2.8</camunda.spring.boot.starter.version>
         <!-- END IMPORTANT -->
 
         <spring-boot.version>2.2.2.RELEASE</spring-boot.version>
@@ -256,7 +256,7 @@
                     <plugin>
                         <groupId>org.owasp</groupId>
                         <artifactId>dependency-check-maven</artifactId>
-                        <version>5.2.2</version>
+                        <version>5.2.4</version>
                         <configuration>
                             <failBuildOnCVSS>8</failBuildOnCVSS>
                             <format>ALL</format>

scb-engine/pom.xml

@@ -35,6 +35,12 @@
             <version>2.2.2.RELEASE</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-core</artifactId>
+            <version>5.2.1.RELEASE</version>
+        </dependency>
+
         <dependency>
             <groupId>io.springfox</groupId>
             <artifactId>springfox-swagger2</artifactId>
@@ -65,6 +71,7 @@
         <dependency>
             <groupId>org.camunda.spin</groupId>
             <artifactId>camunda-spin-dataformat-all</artifactId>
+            <version>1.7.5</version>
         </dependency>
 
         <dependency>
@@ -83,6 +90,22 @@
             <artifactId>tomcat-jdbc</artifactId>
         </dependency>
 
+        <dependency>
+            <groupId>org.apache.tomcat.embed</groupId>
+            <artifactId>tomcat-embed-core</artifactId>
+            <version>9.0.30</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.tomcat.embed</groupId>
+            <artifactId>tomcat-embed-el</artifactId>
+            <version>9.0.30</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.tomcat.embed</groupId>
+            <artifactId>tomcat-embed-websocket</artifactId>
+            <version>9.0.30</version>
+        </dependency>
+
         <dependency>
             <groupId>io.securecodebox.persistenceproviders</groupId>
             <artifactId>empty-persistenceprovider</artifactId>

scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoPersistenceProvider.java

@@ -150,27 +150,39 @@ private List<String> getRawResults(SecurityTest securityTest) throws DefectDojoP
     }
 
     private List<String> getGenericResults(SecurityTest securityTest) {
-        final String CSV_HEADER = "date,title,cweid,url,severity,description,mitigation,impact,references,active,verified,falsepositive,duplicate";
+        final String CSV_HEADER = "date,title,cweid,url,severity,description,mitigation,impact,references,active," +
+                "verified,falsepositive,duplicate";
 
         List<Finding> findings = securityTest.getReport().getFindings();
 
         String genericFindingsCsv = Stream.concat(
                 Stream.of(CSV_HEADER),
-                findings.stream().map(finding -> MessageFormat.format(
-                        "{0},{1},,{2},{3},{4},,,,,,{5},{6}",
-                        currentDate(),
-                        finding.getName().replace(",", "  "),
-                        finding.getLocation().replace(",", "  "),
-                        finding.getSeverity(),
-                        finding.getDescription().replace(",", "  "),
-                        finding.isFalsePositive(),
-                        "false"
-                ))
+                findings.stream()
+                        .map(finding -> checkIfNameOrDescriptionIsNotNull(finding))
+                        .map(finding -> MessageFormat.format(
+                                "{0},{1},,{2},{3},{4},,,,,,{5},{6}",
+                                currentDate(),
+                                finding.getName().replace(",", "  "),
+                                finding.getLocation().replace(",", "  "),
+                                finding.getSeverity(),
+                                finding.getDescription().replace(",", "  "),
+                                finding.isFalsePositive(),
+                                "false"
+                        ))
         ).collect(Collectors.joining("\n"));
 
         return Collections.singletonList(genericFindingsCsv);
     }
 
+    private Finding checkIfNameOrDescriptionIsNotNull(Finding finding) {
+        if (null == finding.getName()) {
+            finding.setName("");
+        } else if (null == finding.getDescription()) {
+            finding.setDescription("");
+        }
+        return finding;
+    }
+
     private EngagementResponse createEngagement(SecurityTest securityTest) {
         EngagementPayload engagementPayload = new EngagementPayload();
         engagementPayload.setProduct(defectDojoService.retrieveProductId(securityTest.getContext()));

scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java

@@ -256,35 +256,88 @@ public String getFilename() {
     }
     /**
      * When DefectDojo >= 1.5.4 is used, testType can be given. Add testName in case DefectDojo >= 1.5.4 is used
+     * Using testName for each branch leads to multiple issues in DefectDojo, so it is not recommended
      */
     private Optional<Long> getTestIdByEngagementName(long engagementId, String testName, long offset) {
         UriComponentsBuilder builder = UriComponentsBuilder.fromHttpUrl(defectDojoUrl + "/api/v2/tests")
                 .queryParam("engagement", Long.toString(engagementId))
                 .queryParam("limit", Long.toString(50L))
                 .queryParam("offset", Long.toString(offset));
-        if(testName!= null) builder.queryParam("testType", testName);
+        if(testName != null && !testName.isEmpty()) {
+            builder.queryParam("testType", testName);
+        }
 
         RestTemplate restTemplate = new RestTemplate();
         HttpEntity engagementRequest = new HttpEntity(getHeaders());
 
         ResponseEntity<DefectDojoResponse<TestResponse>> response = restTemplate.exchange(builder.toUriString(), HttpMethod.GET, engagementRequest, new ParameterizedTypeReference<DefectDojoResponse<TestResponse>>(){});
 
         Optional<Long> testResponseId = null;
-        for(TestResponse test : response.getBody().getResults()){
-            if(testName == null || test.getTitle().equals(testName)){
+        Optional<Long> latestTestResponseId = Optional.empty();
+        for(TestResponse test : response.getBody().getResults()) {
+            if(testName == null || (test.getTitle() != null && test.getTitle().equals(testName))) {
                 testResponseId = Optional.of(test.getId());
             }
+            if(!latestTestResponseId.isPresent() || latestTestResponseId.get() < test.getId()) {
+                latestTestResponseId = Optional.of(test.getId());
+            }
+
         }
         if(testResponseId != null) {
             return testResponseId;
         }
 
-        if(response.getBody().getNext() != null){
+        if(response.getBody().getNext() != null) {
             return getTestIdByEngagementName(engagementId, testName, offset + 1);
         }
+        LOG.info("Test with name '{}' not found, using latest.", testName);
+        return latestTestResponseId;
+    }
+    /*
+    * Be aware that using latest might results in "conflicting" "latest" in case a new test is added while requesting latest
+    */
+    public Optional<Long> getLatestTestIdByEngagementName(String engagementName, String productName, String testName, long offset) {
+        Optional<Long> optionalEngagementId = getEngagementIdByEngagementName(engagementName, productName);
+        if(!optionalEngagementId.isPresent()) {
+            LOG.warn("engagementName with name '{}' not found.", engagementName);
+            return Optional.empty();
+        }
+        Long engagementId = optionalEngagementId.get();
+        UriComponentsBuilder builder = UriComponentsBuilder.fromHttpUrl(defectDojoUrl + "/api/v2/tests")
+                .queryParam("engagement", Long.toString(engagementId))
+                .queryParam("limit", Long.toString(50L))
+                .queryParam("offset", Long.toString(offset));
+        if(testName != null) builder.queryParam("testType", testName);
+
+        RestTemplate restTemplate = new RestTemplate();
+        HttpEntity engagementRequest = new HttpEntity(getHeaders());
+
+        ResponseEntity<DefectDojoResponse<TestResponse>> response = restTemplate.exchange(builder.toUriString(), HttpMethod.GET, engagementRequest, new ParameterizedTypeReference<DefectDojoResponse<TestResponse>>(){});
+
+        Optional<Long> testResponseId = null;
+        for(TestResponse test : response.getBody().getResults()){
+            if(testResponseId == null || test.getId() > testResponseId.get()) {
+                testResponseId = Optional.of(test.getId());
+            }
+        }
+                
+        if(response.getBody().getNext() != null){
+            Optional<Long> subOptionalTestResponseId = getTestIdByEngagementName(engagementId, testName, offset + 1);
+            if(testResponseId == null ||
+                (subOptionalTestResponseId.isPresent()) && 
+                subOptionalTestResponseId.get() > testResponseId.get() 
+            ) {
+                testResponseId = subOptionalTestResponseId;
+            }
+        }
+        if(testResponseId != null) {
+            return testResponseId;
+        }
+
         LOG.warn("Test with name '{}' not found.", testName);
         return Optional.empty();
     }
+
     private EngagementResponse createTest(TestPayload testPayload) {
         RestTemplate restTemplate = new RestTemplate();
 
@@ -542,8 +595,13 @@ private UriComponentsBuilder prepareParameters(LinkedMultiValueMap<String, Strin
     }    
 
     public List<Finding> receiveNonHandledFindings(String productName, String engagementName, String minimumSeverity, LinkedMultiValueMap<String, String> options){
+        List<Finding> findings = new LinkedList<>();
         Long engagementId = getEngagementIdByEngagementName(engagementName, productName).orElse(0L);
-        options.add("severity", minimumSeverity);
-        return getCurrentFindings(engagementId, options);
+        for(String severity : Finding.getServeritiesAndHigherServerities(minimumSeverity)) {
+            options.remove("severity");
+            options.add("severity", severity);
+            findings.addAll(getCurrentFindings(engagementId, options));
+        }
+        return findings;
     }
 }

scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/Finding.java

@@ -65,6 +65,7 @@ enum FindingSeverities {
 
     }
     public static final LinkedList<String> findingServerities = new LinkedList<String>(){{
+        add("Informational");
         add("Low");
         add("Medium");
         add("High");

scb-scanprocesses/combined-nmap-ssh-process/src/main/java/io/securecodebox/scanprocess/NmapToSshTransformListener.java

@@ -13,7 +13,7 @@
 @Component
 public class NmapToSshTransformListener extends TransformFindingsToTargetsListener {
 
-    public void notify(DelegateExecution delegateExecution) throws Exception{
+    public void notify(DelegateExecution delegateExecution) throws Exception {
 
         List<Finding> findings = ProcessVariableHelper.readListFromValue(
                 (String) delegateExecution.getVariable(DefaultFields.PROCESS_FINDINGS.name()),
@@ -31,16 +31,26 @@ public void notify(DelegateExecution delegateExecution) throws Exception{
                     String port = finding.getAttribute(OpenPortAttributes.port).toString();
 
                     Target target = new Target();
+                    target.setName("SSH Scan for " + hostname);
                     target.setLocation(hostname + ":" + port);
 
                     return target;
                 }).collect(Collectors.toList());
 
         LOG.info("Created Targets out of Findings: " + newTargets);
 
-        delegateExecution.setVariable(DefaultFields.PROCESS_TARGETS.name(),
-                ProcessVariableHelper.generateObjectValue(newTargets)
-        );
+        if (!newTargets.isEmpty() && newTargets.size() > 0) {
+            // define the new SSH targets, based on the nmap port scan results
+            delegateExecution.setVariable(DefaultFields.PROCESS_TARGETS.name(),
+                    ProcessVariableHelper.generateObjectValue(newTargets)
+            );
+        }
+        else {
+            // if no new target had been found clear the target parameter (and skip the ssh scan)
+            delegateExecution.setVariable(DefaultFields.PROCESS_TARGETS.name(),
+                    ""
+            );
+        }
     }
 
 }