add default exclusions to OSA Scans, improve gitignore, start to supp…

…ort OSA Github issues
checkmarx-ts · Jun 16, 2020 · 837e6d5 · 837e6d5 · miguelfreitas93 · Jun 16, 2020
1 parent 9f52fc5
commit 837e6d5
Show file tree

Hide file tree

Showing 6 changed files with 31 additions and 21 deletions.
diff --git a/.gitignore b/.gitignore
@@ -8,4 +8,5 @@ cxcli.zip
 log.log
 report.xml
 report.json
-OSADependencies.json
+OSADependencies.json
+OsaReports
diff --git a/src/cli/osa.js b/src/cli/osa.js
@@ -2,8 +2,10 @@ const core = require('@actions/core')
 const path = require('path')
 const utils = require('../utils/utils.js')
 const inputs = require('../github/inputs.js')
+const cxexclusions = require('../utils/exclusions.js')
 const envs = process.env
 const GITHUB_WORKSPACE = envs.GITHUB_WORKSPACE
+const DEFAULT_FOLDER_EXCLUSIONS = cxexclusions.getOsaFolderExclusions()
 
 function getOsaCmd(server, action, skipIfFail) {
     if (utils.isValidUrl(server) && utils.isValidAction(action)) {
@@ -25,6 +27,11 @@ function getOsaCmd(server, action, skipIfFail) {
         let osaFilesInclude = inputs.getString(inputs.CX_OSA_FILES_INCLUDE, false)
         let osaFilesExclude = inputs.getString(inputs.CX_OSA_FILES_EXCLUDE, false)
         let osaPathExclude = inputs.getString(inputs.CX_OSA_PATH_EXCLUDE, false)
+        if (osaPathExclude != DEFAULT_FOLDER_EXCLUSIONS && osaPathExclude.length > 0) {
+            osaPathExclude = DEFAULT_FOLDER_EXCLUSIONS + "," + osaPathExclude.trim()
+        } else {
+            osaPathExclude = DEFAULT_FOLDER_EXCLUSIONS
+        }
         let osaReportHtml = inputs.getString(inputs.CX_OSA_REPORT_HTML, false)
         let osaReportPDF = inputs.getString(inputs.CX_OSA_REPORT_PDF, false)
         let osaDepth = inputs.getInt(inputs.CX_OSA_DEPTH, false)
@@ -36,7 +43,7 @@ function getOsaCmd(server, action, skipIfFail) {
             core.info(inputs.CX_GITHUB_ISSUES + ' : ' + cxGithubIssues)
             if (cxGithubIssues && cxGithubIssues != "false") {
                 if (!utils.isValidString(osaJson)) {
-                    osaJson = GITHUB_WORKSPACE + path.sep + "report.json"
+                    osaJson = GITHUB_WORKSPACE + path.sep + "OsaReports"
                     core.info(inputs.CX_OSA_JSON + ' will be the default: ' + osaJson)
                 } else {
                     core.info(inputs.CX_OSA_JSON + ' : ' + osaJson)

diff --git a/src/github/github.js b/src/github/github.js
@@ -1,6 +1,7 @@
 const core = require('@actions/core')
 const github = require('@actions/github')
-const report = require('../report/report')
+const sastreport = require('../report/sastreport')
+const osareport = require('../report/osareport')
 const inputs = require("./inputs")
 const utils = require('../utils/utils')
 const envs = process.env
@@ -11,7 +12,6 @@ const GITHUB_STATE_CLOSED = "closed"
 const GITHUB_EVENT_PUSH = "push"
 const GITHUB_EVENT_PULL_REQUEST = "pull_request"
 
-
 function getToken() {
     let token = ""
     let createGithubIssues = inputs.getBoolean(inputs.CX_GITHUB_ISSUES, false)
@@ -51,8 +51,8 @@ async function createIssues(cxAction) {
         const octokit = github.getOctokit(token)
         if (octokit) {
             if (cxAction == utils.SCAN) {
-                let xmlPath = report.getXmlReportPath(workspace)
-                let issues = report.getIssuesFromXml(xmlPath, repository, commitSha)
+                let xmlPath = sastreport.getXmlReportPath(workspace)
+                let issues = sastreport.getIssuesFromXml(xmlPath, repository, commitSha)
                 if (issues) {
                     let repositoryIssues = await getIssues(owner, repo, octokit)
                     let resolvedIssues = 0
@@ -62,13 +62,13 @@ async function createIssues(cxAction) {
                     for (let i = 0; i < issues.length; i++) {
                         let issue = issues[i]
 
-                        const title = report.getTitle(issue)
-                        const body = report.getBody(issue)
-                        let issueGithubLabels = report.getLabels(githubLabels, issue)
+                        const title = sastreport.getTitle(issue)
+                        const body = sastreport.getBody(issue)
+                        let issueGithubLabels = sastreport.getLabels(githubLabels, issue)
 
 
                         let state = GITHUB_STATE_OPEN
-                        if (issue.resultState == report.NOT_EXPLOITABLE) {
+                        if (issue.resultState == sastreport.NOT_EXPLOITABLE) {
                             state = GITHUB_STATE_CLOSED
                         }
 
@@ -106,7 +106,7 @@ async function createIssues(cxAction) {
                         }
                     }
 
-                    let summary = report.getSummary(issues, newIssues, recurrentIssues, resolvedIssues, reopenedIssues)
+                    let summary = sastreport.getSummary(issues, newIssues, recurrentIssues, resolvedIssues, reopenedIssues)
                     await createCommitComment(owner, repo, octokit, commitSha, summary, null, null)
                     if (event == GITHUB_EVENT_PULL_REQUEST) {
                         const pull_number = parseInt(envs.GITHUB_REF.replace("/merge", "").replace("refs/pull/", ""))

diff --git a/src/index.js b/src/index.js
@@ -75,7 +75,7 @@ async function run() {
             core.info("No " + inputs.CX_VERSION + " valid input provided : " + version + " version will be used instead of " + cxVersion.toString())
         }
 
-        if(action == utils.SCA_SCAN || action == utils.ASYNC_SCA_SCAN){
+        if (action == utils.SCA_SCAN || action == utils.ASYNC_SCA_SCAN) {
             //Force version for SCA
             version = "2020"
         }
@@ -173,15 +173,17 @@ async function run() {
 
         core.info("[END] Read Inputs...\n")
 
-        try {
-            await cxcli.downloadCli(version, skipIfFail)
-        } catch (e) {
-            return inputs.coreError(e.message, skipIfFail)
-        }
-        try {
-            let output = await cxcli.executeCommand(command, skipIfFail)
-        } catch (e) {
-            return inputs.coreError(e.message, skipIfFail)
+        if (envs.TEST) {
+            try {
+                await cxcli.downloadCli(version, skipIfFail)
+            } catch (e) {
+                return inputs.coreError(e.message, skipIfFail)
+            }
+            try {
+                let output = await cxcli.executeCommand(command, skipIfFail)
+            } catch (e) {
+                return inputs.coreError(e.message, skipIfFail)
+            }
         }
         if (cxAction == utils.SCAN || cxAction == utils.OSA_SCAN) {
             await cxgithub.createIssues(cxAction)

diff --git a/src/report/osareport.js b/src/report/osareport.js
diff --git a/src/report/report.js → src/report/sastreport.js b/src/report/report.js → src/report/sastreport.js
Library	Version	Risk Score	CVE	Recommendation
com.fasterxml.jackson.core:jackson-databind	2.10.2	8.8	CVE-2020-10969(https://nvd.nist.gov/vuln/detail/CVE-2020-10969)	Upgrade to 2.10.4com.fasterxml.jackson.core:jackson-databind
Results By Severity - Medium
Library	Version	Risk Score	CVE	Recommendation
------------	------------	------------	------------	------------
com.fasterxml.jackson.core:jackson-databind	2.10.2	9.8	CVE-2020-9548(https://nvd.nist.gov/vuln/detail/CVE-2020-9548)	Upgrade to 2.10.4
Results By Severity - Low
Library	Version	Risk Score	CVE	Recommendation
------------	------------	------------	------------	------------
com.fasterxml.jackson.core:jackson-databind	2.10.2	9.8	CVE-2020-9546(https://nvd.nist.gov/vuln/detail/CVE-2020-9546)	Upgrade to 2.10.4
Library	Version	Risk Score	CVE	Publish Date	Confidence Level	Newest Version	Newest Version Date	Versions Since Last Update	Recommendations
com.fasterxml.jackson.core:jackson-databind	2.10.2	8.8	CVE-2020-10969 (https://nvd.nist.gov/vuln/detail/CVE-2020-10969)	2020-03-26T13:15:00	100	2.10.4	2020-05-02T22:37:28	4	Upgrade to 2.10.4
com.fasterxml.jackson.core:jackson-databind	2.10.2	9.8	CVE-2020-8840 (https://nvd.nist.gov/vuln/detail/CVE-2020-8840)	2020-02-10T21:56:00	100	2.10.4	2020-05-02T22:37:28	4	Upgrade to 2.10.4
com.fasterxml.jackson.core:jackson-databind	2.10.2	9.8	CVE-2020-9547 (https://nvd.nist.gov/vuln/detail/CVE-2020-9547)	2020-03-02T04:15:00	100	2.10.4	2020-05-02T22:37:28	4	Upgrade to 2.10.4
com.fasterxml.jackson.core:jackson-databind	2.10.2	9.8	CVE-2020-11113 (https://nvd.nist.gov/vuln/detail/CVE-2020-11113)	2020-03-31T05:15:00	100	2.10.4	2020-05-02T22:37:28	4	Upgrade to 2.10.4
com.fasterxml.jackson.core:jackson-databind	2.10.2	9.8	CVE-2020-11620 (https://nvd.nist.gov/vuln/detail/CVE-2020-11620)	2020-04-07T23:15:00	100	2.10.4	2020-05-02T22:37:28	4	Upgrade to 2.10.4
com.fasterxml.jackson.core:jackson-databind	2.10.2	9.8	CVE-2020-11619 (https://nvd.nist.gov/vuln/detail/CVE-2020-11619)	2020-04-07T23:15:00	100	2.10.4	2020-05-02T22:37:28	4	Upgrade to 2.10.4
com.fasterxml.jackson.core:jackson-databind	2.10.2	8.8	CVE-2020-10673 (https://nvd.nist.gov/vuln/detail/CVE-2020-10673)	2020-03-18T22:15:00	100	2.10.4	2020-05-02T22:37:28	4	Upgrade to 2.10.4
com.fasterxml.jackson.core:jackson-databind	2.10.2	9.8	CVE-2020-11111 (https://nvd.nist.gov/vuln/detail/CVE-2020-11111)	2020-03-31T05:15:00	100	2.10.4	2020-05-02T22:37:28	4	Upgrade to 2.10.4
com.fasterxml.jackson.core:jackson-databind	2.10.2	8.8	CVE-2020-10672 (https://nvd.nist.gov/vuln/detail/CVE-2020-10672)	2020-03-18T22:15:00	100	2.10.4	2020-05-02T22:37:28	4	Upgrade to 2.10.4
com.fasterxml.jackson.core:jackson-databind	2.10.2	9.8	CVE-2020-11112 (https://nvd.nist.gov/vuln/detail/CVE-2020-11112)	2020-03-31T05:15:00	100	2.10.4	2020-05-02T22:37:28	4	Upgrade to 2.10.4
com.fasterxml.jackson.core:jackson-databind	2.10.2	8.8	CVE-2020-10968 (https://nvd.nist.gov/vuln/detail/CVE-2020-10968)	2020-03-26T13:15:00	100	2.10.4	2020-05-02T22:37:28	4	Upgrade to 2.10.4
log4j:log4j	1.2.17	9.8	CVE-2019-17571 (https://nvd.nist.gov/vuln/detail/CVE-2019-17571)	2019-12-20T17:15:00	100	null	null	0	Fix unavailable
org.springframework:spring-web	5.2.4.RELEASE	9.8	CVE-2016-1000027 (https://nvd.nist.gov/vuln/detail/CVE-2016-1000027)	2020-01-02T23:15:00	100	5.2.7.RELEASE	2020-06-09T07:25:46	3	Upgrade to 5.2.6.RELEASE
commons-collections:commons-collections	3.2.2	7.5	Cx78f40514-81ff (https://issues.apache.org/jira/browse/COLLECTIONS-701)	2018-10-31T10:39:00	100	null	null	0	Fix unavailable
org.json:json	20170516	7.5	Cx08fcacc9-cb99 (stleary/JSON-java#372)	2017-10-30T11:27:00	100	20190722	2019-08-07T00:56:35	4	Upgrade to 20190722
org.json:json	20170516	7.5	Cx2906ba70-607a (stleary/JSON-java#361)	2017-08-18T09:31:00	100	20190722	2019-08-07T00:56:35	4	Upgrade to 20190722
org.json:json	20170516	7.5	Cxdb5a1032-eda2 (stleary/JSON-java#484)	2019-09-17T10:37:00	100	20190722	2019-08-07T00:56:35	4	Upgrade to 20190722
io.netty:netty-codec-http	4.1.46.Final	7.5	CVE-2019-16869 (https://nvd.nist.gov/vuln/detail/CVE-2019-16869)	2019-09-26T16:15:00	100	4.1.50.Final	2020-05-13T07:05:02	4	Upgrade to 4.1.48.Final