Merge remote-tracking branch 'origin/develop' into upgrade-to-camunda-7.9

Author: MartinLang1

scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoPersistenceProvider.java

@@ -27,6 +27,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.stereotype.Component;
 
@@ -47,6 +48,9 @@
 public class DefectDojoPersistenceProvider implements PersistenceProvider {
     private static final Logger LOG = LoggerFactory.getLogger(DefectDojoPersistenceProvider.class);
 
+    @Value("${securecodebox.persistence.defectdojo.optional:false}")
+    protected boolean isOptional;
+
     @Autowired
     DefectDojoService defectDojoService;
 
@@ -66,26 +70,38 @@ public void persist(SecurityTest securityTest) throws PersistenceException {
         LOG.debug("Starting defectdojo persistence provider");
         LOG.debug("RawFindings: {}", securityTest.getReport().getRawFindings());
 
+        try {
+            persistInDefectDojo(securityTest);
+        } catch (Exception e) {
+            // ignore error if defect dojo provider is set to optional
+            if(isOptional) {
+                LOG.error("Failed to persist security test in defect dojo", e);
+                return;
+            } else throw e;
+        }
+    }
+
+    private void persistInDefectDojo(SecurityTest securityTest) throws PersistenceException {
         checkConnection();
         checkToolTypes();
 
         EngagementResponse res = createEngagement(securityTest);
-        String engagementUrl = res.getUrl();
-        LOG.debug("Created engagement: '{}'", engagementUrl);
+        long engagementId = res.getId();
+        LOG.debug("Created engagement: '{}'", engagementId);
 
         String username = securityTest.getMetaData().get(DefectDojoMetaFields.DEFECT_DOJO_USER.name());
-        String userUrl = defectDojoService.getUserUrl(username);
+        long userUrl = defectDojoService.retrieveUserId(username);
 
         List<String> results = getDefectDojoScanName(securityTest.getName()).equals("Generic Findings Import") ? getGenericResults(securityTest) : getRawResults(securityTest);
-            for (String result : results) {
-                defectDojoService.createFindings(
-                        result,
-                        engagementUrl,
-                        userUrl,
-                        currentDate(),
-                        getDefectDojoScanName(securityTest.getName())
-                );
-            }
+        for (String result : results) {
+            defectDojoService.createFindings(
+                    result,
+                    engagementId,
+                    userUrl,
+                    currentDate(),
+                    getDefectDojoScanName(securityTest.getName())
+            );
+        }
     }
 
     static final String GIT_SERVER_NAME = "Git Server";
@@ -157,25 +173,25 @@ private List<String> getGenericResults(SecurityTest securityTest) {
 
     private EngagementResponse createEngagement(SecurityTest securityTest) {
         EngagementPayload engagementPayload = new EngagementPayload();
-        engagementPayload.setProduct(defectDojoService.getProductUrl(securityTest.getContext()));
+        engagementPayload.setProduct(defectDojoService.retrieveProductId(securityTest.getContext()));
 
         if(securityTest.getMetaData() == null){
             securityTest.setMetaData(new HashMap<>());
         }
 
         engagementPayload.setName(securityTest.getMetaData().get(CommonMetaFields.SCB_ENGAGEMENT_TITLE.name()) != null ?
                 securityTest.getMetaData().get(CommonMetaFields.SCB_ENGAGEMENT_TITLE.name()) : getDefectDojoScanName(securityTest.getName()));
-        engagementPayload.setLead(defectDojoService.getUserUrl(securityTest.getMetaData().get(DefectDojoMetaFields.DEFECT_DOJO_USER.name())));
+        engagementPayload.setLead(defectDojoService.retrieveUserId(securityTest.getMetaData().get(DefectDojoMetaFields.DEFECT_DOJO_USER.name())));
         engagementPayload.setDescription(descriptionGenerator.generate(securityTest));
         engagementPayload.setBranch(securityTest.getMetaData().get(CommonMetaFields.SCB_BRANCH.name()));
         engagementPayload.setBuildID(securityTest.getMetaData().get(CommonMetaFields.SCB_BUILD_ID.name()));
         engagementPayload.setCommitHash(securityTest.getMetaData().get(CommonMetaFields.SCB_COMMIT_HASH.name()));
         engagementPayload.setRepo(securityTest.getMetaData().get(CommonMetaFields.SCB_REPO.name()));
         engagementPayload.setTracker(securityTest.getMetaData().get(CommonMetaFields.SCB_TRACKER.name()));
 
-        engagementPayload.setBuildServer(defectDojoService.getToolConfiguration(securityTest.getMetaData().get(CommonMetaFields.SCB_BUILD_SERVER.name()), BUILD_SERVER_NAME));
-        engagementPayload.setScmServer(defectDojoService.getToolConfiguration(securityTest.getMetaData().get(CommonMetaFields.SCB_SCM_SERVER.name()), GIT_SERVER_NAME));
-        engagementPayload.setOrchestrationEngine(defectDojoService.getToolConfiguration("https://github.com/secureCodeBox", SECURITY_TEST_SERVER_NAME));
+        engagementPayload.setBuildServer(defectDojoService.retrieveOrCreateToolConfiguration(securityTest.getMetaData().get(CommonMetaFields.SCB_BUILD_SERVER.name()), BUILD_SERVER_NAME));
+        engagementPayload.setScmServer(defectDojoService.retrieveOrCreateToolConfiguration(securityTest.getMetaData().get(CommonMetaFields.SCB_SCM_SERVER.name()), GIT_SERVER_NAME));
+        engagementPayload.setOrchestrationEngine(defectDojoService.retrieveOrCreateToolConfiguration("https://github.com/secureCodeBox", SECURITY_TEST_SERVER_NAME));
 
         engagementPayload.setTargetStart(currentDate());
         engagementPayload.setTargetEnd(currentDate());
@@ -196,6 +212,9 @@ protected static String getDefectDojoScanName(String securityTestName) {
         scannerDefectDojoMapping.put("nmap", "Nmap Scan");
         scannerDefectDojoMapping.put("zap", "ZAP Scan");
 
+        // Map amass-nmap raw results to be imported as Nmap Results
+        scannerDefectDojoMapping.put("amass-nmap", "Nmap Scan");
+
         // Nikto is a supported tool as well but currently not accessible for supported import.
         // Nikto thus will use Generic Findings Import.
 

scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java

@@ -82,7 +82,7 @@ public void createToolType(String name, String description){
         restTemplate.exchange(defectDojoUrl + "/api/v2/tool_types/", HttpMethod.POST, toolPayload, ToolType.class);
     }
 
-    public String getUserUrl(String username){
+    public Long retrieveUserId(String username){
         RestTemplate restTemplate = new RestTemplate();
 
         if(username == null){
@@ -93,57 +93,66 @@ public String getUserUrl(String username){
         HttpEntity userRequest = new HttpEntity(getHeaders());
         ResponseEntity<DefectDojoResponse<DefectDojoUser>> userResponse = restTemplate.exchange(uri, HttpMethod.GET, userRequest, new ParameterizedTypeReference<DefectDojoResponse<DefectDojoUser>>(){});
         if(userResponse.getBody().getCount() == 1){
-            return userResponse.getBody().getResults().get(0).getUrl();
+            return userResponse.getBody().getResults().get(0).getId();
         }
         else {
             throw new DefectDojoUserNotFound(MessageFormat.format("Could not find user: \"{0}\" in DefectDojo", username));
         }
     }
 
-    public String getProductUrl(String product){
+    public long retrieveProductId(String product){
         RestTemplate restTemplate = new RestTemplate();
 
         String uri = defectDojoUrl + "/api/v2/products/?name=" + product;
         HttpEntity productRequest = new HttpEntity(getHeaders());
         ResponseEntity<DefectDojoResponse<DefectDojoProduct>> productResponse = restTemplate.exchange(uri, HttpMethod.GET, productRequest, new ParameterizedTypeReference<DefectDojoResponse<DefectDojoProduct>>(){});
         if(productResponse.getBody().getCount() == 1){
-            return productResponse.getBody().getResults().get(0).getUrl();
+            return productResponse.getBody().getResults().get(0).getId();
         }
         else {
             throw new DefectDojoProductNotFound(MessageFormat.format("Could not find product: \"{0}\" in DefectDojo", product));
         }
     }
 
-    public String getToolConfiguration(String toolUrl, String toolType){
-        RestTemplate restTemplate = new RestTemplate();
-
+    public Long retrieveOrCreateToolConfiguration(String toolUrl, String toolType){
         if (toolUrl == null){
             return null;
         }
 
-        String uri = defectDojoUrl + "/api/v2/tool_configurations/?url=" + toolUrl;
-        HttpEntity toolRequest = new HttpEntity(getHeaders());
-        ResponseEntity<DefectDojoResponse<ToolConfig>> toolResponse = restTemplate.exchange(uri, HttpMethod.GET, toolRequest, new ParameterizedTypeReference<DefectDojoResponse<ToolConfig>>(){});
+        ResponseEntity<DefectDojoResponse<ToolConfig>> toolResponse = retrieveToolConfiguration(toolUrl);
         if(toolResponse.getBody().getCount() > 0){
-            return toolResponse.getBody().getResults().get(0).getUrl();
+            LOG.info("Tool configuration already exists. Returning existing configuration.");
+            return toolResponse.getBody().getResults().get(0).getId();
         }
         else {
-            HttpEntity toolTypeRequest = new HttpEntity(getHeaders());
-            String toolTypeRequestUri = defectDojoUrl + "/api/v2/tool_types/?name=" + toolType;
-            ResponseEntity<DefectDojoResponse<ToolType>> toolTypeResponse = restTemplate.exchange(toolTypeRequestUri, HttpMethod.GET, toolTypeRequest, new ParameterizedTypeReference<DefectDojoResponse<ToolType>>(){});
-            String toolTypeUri = toolTypeResponse.getBody().getResults().get(0).getUrl();
+            LOG.info("Tool configuration does not exist yet. Creating new configuration.");
+            createToolConfiguration(toolUrl, toolType);
+            return retrieveToolConfiguration(toolUrl).getBody().getResults().get(0).getId();
+        }
+    }
+
+    private ResponseEntity<DefectDojoResponse<ToolConfig>> retrieveToolConfiguration(String toolUrl) {
+        RestTemplate restTemplate = new RestTemplate();
+        String uri = defectDojoUrl + "/api/v2/tool_configurations/?name=" + toolUrl;
+        HttpEntity toolRequest = new HttpEntity(getHeaders());
+        return restTemplate.exchange(uri, HttpMethod.GET, toolRequest, new ParameterizedTypeReference<DefectDojoResponse<ToolConfig>>(){});
+    }
 
-            ToolConfig toolConfig = new ToolConfig();
-            toolConfig.setName(toolUrl);
-            toolConfig.setToolType(toolTypeUri);
-            toolConfig.setConfigUrl(toolUrl);
-            toolConfig.setDescription(toolType);
+    private void createToolConfiguration(String toolUrl, String toolType) {
+        HttpEntity toolTypeRequest = new HttpEntity(getHeaders());
+        String toolTypeRequestUri = defectDojoUrl + "/api/v2/tool_types/?name=" + toolType;
+        RestTemplate restTemplate = new RestTemplate();
+        ResponseEntity<DefectDojoResponse<ToolType>> toolTypeResponse = restTemplate.exchange(toolTypeRequestUri, HttpMethod.GET, toolTypeRequest, new ParameterizedTypeReference<DefectDojoResponse<ToolType>>(){});
+        String toolTypeId = toolTypeResponse.getBody().getResults().get(0).getId();
 
-            HttpEntity<ToolConfig> toolPayload = new HttpEntity<>(toolConfig, getHeaders());
-            restTemplate.exchange(defectDojoUrl + "/api/v2/tool_configurations/", HttpMethod.POST, toolPayload, ToolConfig.class);
-            return getToolConfiguration(toolUrl, toolType);
+        ToolConfig toolConfig = new ToolConfig();
+        toolConfig.setName(toolUrl);
+        toolConfig.setToolType(toolTypeId);
+        toolConfig.setConfigUrl(toolUrl);
+        toolConfig.setDescription(toolType);
 
-        }
+        HttpEntity<ToolConfig> toolPayload = new HttpEntity<>(toolConfig, getHeaders());
+        restTemplate.exchange(defectDojoUrl + "/api/v2/tool_configurations/", HttpMethod.POST, toolPayload, ToolConfig.class);
     }
 
     public EngagementResponse createEngagement(EngagementPayload engagementPayload) {
@@ -161,15 +170,15 @@ public EngagementResponse createEngagement(EngagementPayload engagementPayload)
         }
     }
 
-    public ImportScanResponse createFindings(String rawResult, String engagementUrl, String lead, String currentDate,String defectDojoScanName) {
+    public ImportScanResponse createFindings(String rawResult, long engagementId, long lead, String currentDate,String defectDojoScanName) {
         RestTemplate restTemplate = new RestTemplate();
         HttpHeaders headers = getHeaders();
         headers.setContentType(MediaType.MULTIPART_FORM_DATA);
         restTemplate.setMessageConverters(Arrays.asList(new FormHttpMessageConverter(), new ResourceHttpMessageConverter(), new MappingJackson2HttpMessageConverter()));
 
         MultiValueMap<String, Object> mvn = new LinkedMultiValueMap<>();
-        mvn.add("engagement", engagementUrl);
-        mvn.add("lead", lead);
+        mvn.add("engagement", Long.toString(engagementId));
+        mvn.add("lead", Long.toString(lead));
         mvn.add("scan_date", currentDate);
         mvn.add("scan_type", defectDojoScanName);
 

scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/DefectDojoProduct.java

@@ -8,7 +8,7 @@
 @Data
 public class DefectDojoProduct {
     @JsonProperty
-    String url;
+    long id;
 
     @JsonProperty
     String name;

scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/DefectDojoUser.java

@@ -4,7 +4,7 @@
 
 public class DefectDojoUser {
     @JsonProperty
-    String url;
+    Long id;
 
     @JsonProperty
     String username;
@@ -15,12 +15,12 @@ public class DefectDojoUser {
     @JsonProperty("last_name")
     String lastName;
 
-    public String getUrl() {
-        return url;
+    public Long getId() {
+        return id;
     }
 
-    public void setUrl(String url) {
-        this.url = url;
+    public void setId(Long id) {
+        this.id = id;
     }
 
     public String getUsername() {

scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/EngagementPayload.java

@@ -31,7 +31,7 @@ public class EngagementPayload {
     protected String name;
 
     @JsonProperty
-    protected String product;
+    protected long product;
 
     @JsonProperty("target_start")
     protected String targetStart;
@@ -40,7 +40,7 @@ public class EngagementPayload {
     protected String targetEnd;
 
     @JsonProperty
-    protected String lead;
+    protected Long lead;
 
     @JsonProperty("engagement_type")
     protected String engagementType = "CI/CD";
@@ -67,13 +67,13 @@ public class EngagementPayload {
     protected String repo;
 
     @JsonProperty("build_server")
-    protected String buildServer;
+    protected Long buildServer;
 
     @JsonProperty("source_code_management_server")
-    protected String scmServer;
+    protected Long scmServer;
 
     @JsonProperty("orchestration_engine")
-    protected String orchestrationEngine;
+    protected Long orchestrationEngine;
 
     @JsonProperty
     protected String description;

scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/EngagementResponse.java

@@ -22,13 +22,13 @@
 
 public class EngagementResponse {
     @JsonProperty
-    protected String url;
+    protected long id;
 
-    public String getUrl() {
-        return url;
+    public long getId() {
+        return id;
     }
 
-    public void setUrl(String url) {
-        this.url = url;
+    public void setId(long id) {
+        this.id = id;
     }
 }

scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/ToolConfig.java

@@ -3,6 +3,9 @@
 import com.fasterxml.jackson.annotation.JsonProperty;
 
 public class ToolConfig {
+    @JsonProperty
+    long id;
+
     @JsonProperty
     String url;
 
@@ -18,6 +21,14 @@ public class ToolConfig {
     @JsonProperty
     String description;
 
+    public long getId() {
+        return id;
+    }
+
+    public void setId(long id) {
+        this.id = id;
+    }
+
     public String getDescription() {
         return description;
     }

scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/ToolType.java

@@ -4,20 +4,20 @@
 
 public class ToolType {
     @JsonProperty
-    String url;
+    String id;
 
     @JsonProperty
     String name;
 
     @JsonProperty
     String description;
 
-    public String getUrl() {
-        return url;
+    public String getId() {
+        return id;
     }
 
-    public void setUrl(String url) {
-        this.url = url;
+    public void setId(String id) {
+        this.id = id;
     }
 
     public String getName() {