Enable use without scb (#98)

Enable use without scb

Author: J12934

scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoLoopException.java

@@ -0,0 +1,29 @@
+/*
+ *
+ *  SecureCodeBox (SCB)
+ *  Copyright 2015-2018 iteratec GmbH
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  	http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ * /
+ */
+package io.securecodebox.persistence;
+
+public class DefectDojoLoopException extends RuntimeException{
+    public DefectDojoLoopException(String message) {
+        super(message);
+    }
+
+    public DefectDojoLoopException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}

scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java

@@ -18,8 +18,8 @@
  */
 package io.securecodebox.persistence;
 
-
 import io.securecodebox.persistence.models.*;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
@@ -43,7 +43,10 @@
 import java.time.LocalDate;
 import java.time.format.DateTimeFormatter;
 import java.util.Arrays;
+import java.util.LinkedList;
+import java.util.List;
 import java.util.Optional;
+import java.util.Iterator;
 
 @Component
 @ConditionalOnProperty(name = "securecodebox.persistence.defectdojo.enabled", havingValue = "true")
@@ -181,8 +184,13 @@ public EngagementResponse createEngagement(EngagementPayload engagementPayload)
             throw new DefectDojoPersistenceException("Failed to create Engagement for SecurityTest", e);
         }
     }
-
     public ImportScanResponse createFindings(String rawResult, long engagementId, long lead, String currentDate,String defectDojoScanName) {
+        return createFindings(rawResult, engagementId, lead, currentDate,defectDojoScanName, "");
+    }
+    /**
+     * Till version 1.5.4. testName (in defectdojo _test_type_) must be defectDojoScanName, afterwards, you can have somethings else
+     */
+    public ImportScanResponse createFindings(String rawResult, long engagementId, long lead, String currentDate,String defectDojoScanName, String testName) {
         RestTemplate restTemplate = new RestTemplate();
         HttpHeaders headers = getHeaders();
         headers.setContentType(MediaType.MULTIPART_FORM_DATA);
@@ -193,7 +201,12 @@ public ImportScanResponse createFindings(String rawResult, long engagementId, lo
         mvn.add("lead", Long.toString(lead));
         mvn.add("scan_date", currentDate);
         mvn.add("scan_type", defectDojoScanName);
-
+        mvn.add("close_old_findings", "true");
+        mvn.add("skip_duplicates", "false");
+        
+        if(!testName.isEmpty())
+            mvn.add("test_type", testName);
+        
         try {
             ByteArrayResource contentsAsResource = new ByteArrayResource(rawResult.getBytes(StandardCharsets.UTF_8)) {
                 @Override
@@ -214,10 +227,10 @@ public String getFilename() {
         }
     }
     public ImportScanResponse createFindingsForEngagementName(String engagementName, String rawResults, String defectDojoScanName, long productId, long lead){
-        return createFindingsForEngagementName(engagementName, rawResults, defectDojoScanName, productId, lead, new EngagementPayload());
+        return createFindingsForEngagementName(engagementName, rawResults, defectDojoScanName, productId, lead, new EngagementPayload(), "");
     }
 
-    public ImportScanResponse createFindingsForEngagementName(String engagementName, String rawResults, String defectDojoScanName, long productId, long lead, EngagementPayload engagementPayload){
+    public ImportScanResponse createFindingsForEngagementName(String engagementName, String rawResults, String defectDojoScanName, long productId, long lead, EngagementPayload engagementPayload, String testName){
         Long engagementId = getEngagementIdByEngagementName(engagementName, productId).orElseGet(() -> {
             engagementPayload.setName(engagementName);
             engagementPayload.setProduct(productId);
@@ -227,9 +240,28 @@ public ImportScanResponse createFindingsForEngagementName(String engagementName,
             return createEngagement(engagementPayload).getId();
         });
 
-        return createFindings(rawResults, engagementId, lead, currentDate(), defectDojoScanName);
+        return createFindings(rawResults, engagementId, lead, currentDate(), defectDojoScanName, testName);
     }
 
+    public ImportScanResponse createFindingsForEngagementName(String engagementName, String rawResults, String defectDojoScanName, String productName, long lead, EngagementPayload engagementPayload, String testName){
+        long productId = 0;
+        try {
+            productId = retrieveProductId(productName);
+        } catch(DefectDojoProductNotFound e) {
+            LOG.debug("Given product does not exists");
+        }
+        if(productId == 0) {
+            ProductResponse productResponse = createProduct(productName);
+            productId = productResponse.getId();
+        }
+        
+        return createFindingsForEngagementName(engagementName, rawResults, defectDojoScanName, productId, lead, engagementPayload, testName);
+    }
+
+    private Optional<Long> getEngagementIdByEngagementName(String engagementName, String productName){
+        long productId = retrieveProductId(productName);
+        return getEngagementIdByEngagementName(engagementName, productId, 0L);
+    }
     private Optional<Long> getEngagementIdByEngagementName(String engagementName, long productId){
         return getEngagementIdByEngagementName(engagementName, productId, 0L);
     }
@@ -257,4 +289,136 @@ private Optional<Long> getEngagementIdByEngagementName(String engagementName, lo
         LOG.warn("Engagement with name '{}' not found.", engagementName);
         return Optional.empty();
     }
+    public ProductResponse createProduct(String productName) {
+        RestTemplate restTemplate = new RestTemplate();
+        ProductPayload productPayload = new ProductPayload(productName, "Description missing");
+        HttpEntity<ProductPayload> payload = new HttpEntity<>(productPayload, getHeaders());
+
+        try {
+            ResponseEntity<ProductResponse> response = restTemplate.exchange(defectDojoUrl + "/api/v2/products/", HttpMethod.POST, payload, ProductResponse.class);
+            return response.getBody();
+        } catch (HttpClientErrorException e) {
+            LOG.warn("Failed to create product {}", e);
+            LOG.warn("Failure response body. {}", e.getResponseBodyAsString());
+            throw new DefectDojoPersistenceException("Failed to create product", e);
+        }
+    }
+
+    public void deleteUnusedBranches(List<String> existingBranches, String producName) {
+        long productId = retrieveProductId(producName);
+        deleteUnusedBranches(existingBranches, productId);
+    } 
+
+    /**
+     * Deletes engagements based on branch tag
+     * Be aware that the branch tag MUST be set, otherwise all engagments will be deleted
+     */
+    public void deleteUnusedBranches(List<String> existingBranches, long productId) {
+        RestTemplate restTemplate = new RestTemplate();
+        
+        //get existing branches
+        List<EngagementResponse> engagementPayloads = getEngagementsForProduct(productId, 0);
+        for(EngagementResponse engagementPayload : engagementPayloads) {
+            boolean branchExists = false;
+            for(String existingBranchName : existingBranches) {
+                if(existingBranchName.equals(engagementPayload.getBanch())) {
+                    branchExists = true;
+                    break;
+                }
+            }
+            if(!branchExists) {
+                deleteEnageament(engagementPayload.getId());
+                LOG.info("Deleted engagement with id " + engagementPayload.getId() + ", branch " + engagementPayload.getBanch());
+            }
+        }
+    }
+
+    private List<EngagementResponse> getEngagementsForProduct(long productId, long offset) throws DefectDojoLoopException{
+        if(offset > 9999) {
+            throw new DefectDojoLoopException("offset engagement products too much!");
+        }
+        UriComponentsBuilder builder = UriComponentsBuilder.fromHttpUrl(defectDojoUrl + "/api/v2/engagements")
+                .queryParam("product", Long.toString(productId))
+                .queryParam("limit", Long.toString(50L))
+                .queryParam("offset", Long.toString(offset));
+
+        RestTemplate restTemplate = new RestTemplate();
+        HttpEntity engagementRequest = new HttpEntity(getHeaders());
+
+        ResponseEntity<DefectDojoResponse<EngagementResponse>> engagementResponse = restTemplate.exchange(builder.toUriString(), HttpMethod.GET, engagementRequest, new ParameterizedTypeReference<DefectDojoResponse<EngagementResponse>>(){});
+        List<EngagementResponse> engagementPayloads = new LinkedList<EngagementResponse>();
+        for(EngagementResponse engagement : engagementResponse.getBody().getResults()){
+            engagementPayloads.add(engagement);
+        }
+        if(engagementResponse.getBody().getNext() != null){
+            engagementPayloads.addAll(getEngagementsForProduct(productId, offset + 1));;
+        }
+        return engagementPayloads;
+    }    
+    public void deleteEnageament(long engagementId){
+        RestTemplate restTemplate = new RestTemplate();
+
+        String uri = defectDojoUrl + "/api/v2/engagements/" + engagementId + "/?id=" + engagementId;
+        HttpEntity request = new HttpEntity(getHeaders());
+        try {
+            ResponseEntity<DefectDojoResponse> response = restTemplate.exchange(uri, HttpMethod.GET, request, DefectDojoResponse.class);
+        } catch (HttpClientErrorException e) {
+            LOG.warn("Failed to delete engagment {}, engagementId: " + engagementId, e);
+            LOG.warn("Failure response body. {}", e.getResponseBodyAsString());
+            throw new DefectDojoPersistenceException("Failed to delete product", e);
+        }
+    }
+
+    /* options is created as follows:
+        MultiValueMap<String, String> mvn = new LinkedMultiValueMap<>();
+        mvn.add("engagement", Long.toString(engagementId));
+     */
+    private List<Finding> getCurrentFindings(long engagementId, LinkedMultiValueMap<String, String> options){
+        RestTemplate restTemplate = new RestTemplate();
+
+        UriComponentsBuilder builder = UriComponentsBuilder.fromHttpUrl(defectDojoUrl + "/api/v2/findings/")
+                .queryParam("active", "true")
+                .queryParam("false_p", "false")
+                .queryParam("duplicate", "false")
+                .queryParam("test__engagement", Long.toString(engagementId));
+
+        if(options != null) {
+            builder = prepareParameters(options, builder);
+        }
+
+        HttpEntity request = new HttpEntity(getHeaders());
+        try {
+            ResponseEntity<DefectDojoResponse<Finding>> response = restTemplate.exchange(builder.toUriString(), HttpMethod.GET, request, new ParameterizedTypeReference<DefectDojoResponse<Finding>>(){});
+            List<Finding> findings = new LinkedList<Finding>();
+            for(Finding finding : response.getBody().getResults()){
+                findings.add(finding);
+            }
+            return findings;
+        } catch (HttpClientErrorException e) {
+            LOG.warn("Failed to get findings {}, engagementId: " + engagementId, e);
+            LOG.warn("Failure response body. {}", e.getResponseBodyAsString());
+            throw new DefectDojoPersistenceException("Failed to get findings", e);
+        }
+    }
+    private UriComponentsBuilder prepareParameters(LinkedMultiValueMap<String, String> queryParameters, UriComponentsBuilder builder) {
+        Iterator<String> it = queryParameters.keySet().iterator();
+     
+        while(it.hasNext()){
+            String theKey = (String)it.next();
+            builder.replaceQueryParam(theKey, queryParameters.getFirst(theKey));
+        }
+        return builder;
+    }    
+
+    public List<Finding> receiveNonHandeldFindings(String productName, String engagementName, String minimumServerity, LinkedMultiValueMap<String, String> options){
+        Long engagementId = getEngagementIdByEngagementName(engagementName, productName).orElse(0L);
+        //getCurrentFindings
+        List<Finding> findings = new LinkedList<Finding>();
+        for (String serverity : Finding.getServeritiesAndHigherServerities(minimumServerity)) {
+            LinkedMultiValueMap<String, String> optionTemp = options.clone();
+            optionTemp.add("serverity", serverity);    
+            findings.addAll(getCurrentFindings(engagementId, optionTemp));
+        }
+        return findings;
+    }
 }

scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/DefectDojoProduct.java

@@ -21,4 +21,11 @@ public class DefectDojoProduct {
 
     @JsonProperty("authorized_users")
     List<String> authorizedUsers;
+
+    public DefectDojoProduct() {}
+
+    public DefectDojoProduct(String productName, String productDescription) {
+        name = productName;
+        description = productDescription;
+    }
 }

scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/EngagementPayload.java

@@ -63,7 +63,7 @@ public class EngagementPayload {
     protected String commitHash;
 
     @JsonProperty("branch_tag")
-    protected String branch;
+    public String branch;
 
     @JsonProperty("source_code_management_uri")
     protected String repo;
@@ -80,6 +80,9 @@ public class EngagementPayload {
     @JsonProperty
     protected String description;
 
+    @JsonProperty("deduplication_on_engagement")
+    protected boolean deduplicationOnEngagement;
+
     /**
      * Currently only contains the statuses relevant to us.
      * If you need others, feel free to add them ;)

scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/EngagementResponse.java

@@ -27,6 +27,9 @@ public class EngagementResponse {
     @JsonProperty
     protected String name;
 
+    @JsonProperty("branch_tag")
+    protected String branch;
+
     public long getId() {
         return id;
     }
@@ -42,4 +45,12 @@ public String getName() {
     public void setName(String name) {
         this.name = name;
     }
+
+    public String getBanch() {
+        return branch;
+    }
+
+    public void setBranch(String branch) {
+        this.branch = branch;
+    }
 }