package com.aspectsecurity.contrast.contrastjenkins;
import com.contrastsecurity.http.TraceFilterForm;
import com.contrastsecurity.models.Traces;
import com.contrastsecurity.sdk.ContrastSDK;
import com.google.inject.Inject;
import hudson.AbortException;
import hudson.Extension;
import hudson.model.Result;
import hudson.model.Run;
import hudson.model.TaskListener;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import lombok.Getter;
import org.jenkinsci.plugins.workflow.steps.*;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;
import java.io.IOException;
import java.util.Collections;
import java.util.Map;
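@Getter
public class VulnerabilityTrendStep extends AbstractStepImpl {

    /** Name of the globally configured TeamServer profile that supplies the URL and API credentials. */
    private String profile;

    @DataBoundSetter
    public void setProfile(String profile) {
        this.profile = profile;
    }

    /** Number of matching vulnerabilities the build may have; more than this marks the build vulnerable. */
    private int count;

    @DataBoundSetter
    public void setCount(int count) {
        this.count = count;
    }

    /** Vulnerability rule (type) to filter on; {@code null} means no rule filter. */
    private String rule;

    @DataBoundSetter
    public void setRule(String rule) {
        this.rule = rule;
    }

    /** Severity to filter on; {@code null} means no severity filter. */
    private String severity;

    @DataBoundSetter
    public void setSeverity(String severity) {
        this.severity = severity;
    }

    /** ID of the Contrast application whose traces are checked. */
    private String applicationId;

    @DataBoundSetter
    public void setApplicationId(String applicationId) {
        this.applicationId = applicationId;
    }

    /**
     * Application name as stored by plugin versions up to 2.6. Only consulted when {@link #applicationId}
     * is unset; it is resolved to an ID at execution time (see {@link Execution#run()}).
     */
    private String applicationName;

    @DataBoundSetter
    public void setApplicationName(String applicationName) {
        this.applicationName = applicationName;
    }

    /**
     * Query mode, compared against the {@code Constants.QUERY_BY_*} values in {@link Execution#run()}.
     * The Java default of 0 is reported as "not set" by {@link #buildStepString()}.
     */
    private int queryBy;

    @DataBoundSetter
    public void setQueryBy(int queryBy) {
        this.queryBy = queryBy;
    }

    /**
     * Constructor bound to the step configuration form.
     *
     * @param profile       TeamServer profile name
     * @param count         vulnerability threshold
     * @param rule          rule filter, may be {@code null}
     * @param severity      severity filter, may be {@code null}
     * @param applicationId Contrast application ID
     * @param queryBy       query mode
     */
    @DataBoundConstructor
    public VulnerabilityTrendStep(String profile, int count, String rule, String severity, String applicationId, int queryBy) {
        this.profile = profile;
        this.count = count;
        this.rule = rule;
        this.severity = severity;
        this.applicationId = applicationId;
        this.queryBy = queryBy;
    }

    /** No-arg constructor used by {@link VulnerabilityTrendStepDescriptorImpl#newInstance(Map)}. */
    public VulnerabilityTrendStep() {
    }

    /**
     * Looks up this step's descriptor from the running Jenkins instance.
     *
     * @return the descriptor, or {@code null} when no Jenkins instance is available
     */
    @Override
    public VulnerabilityTrendStepDescriptorImpl getDescriptor() {
        Jenkins instance = Jenkins.getInstance();
        if (instance == null) {
            return null;
        }
        return (VulnerabilityTrendStepDescriptorImpl) instance.getDescriptor(getClass());
    }

    /** Descriptor registering the {@code contrastVerification} pipeline step and its form helpers. */
    @Extension
    public static class VulnerabilityTrendStepDescriptorImpl extends AbstractStepDescriptorImpl {

        public VulnerabilityTrendStepDescriptorImpl() {
            super(Execution.class);
        }

        @Override
        public String getFunctionName() {
            return "contrastVerification";
        }

        @Override
        public String getDisplayName() {
            return "Verify vulnerabilities in a build";
        }

        /**
         * Builds a step from the named arguments of a pipeline call. Keys that are absent are left at
         * their defaults; keys that are present but {@code null} are rejected for the required settings.
         *
         * @param arguments named arguments from the pipeline script
         * @return the configured step
         * @throws IllegalArgumentException when a required argument is present but {@code null}
         * @throws ClassCastException       when an argument has an unexpected type
         */
        @Override
        public Step newInstance(Map<String, Object> arguments) {
            VulnerabilityTrendStep step = new VulnerabilityTrendStep();
            if (arguments.containsKey("profile")) {
                step.setProfile((String) required(arguments, "profile", "Profile"));
            }
            if (arguments.containsKey("count")) {
                step.setCount(toInt(required(arguments, "count", "Count")));
            }
            if (arguments.containsKey("rule")) {
                step.setRule((String) arguments.get("rule"));
            }
            if (arguments.containsKey("severity")) {
                step.setSeverity((String) arguments.get("severity"));
            }
            if (arguments.containsKey("applicationId")) {
                step.setApplicationId((String) required(arguments, "applicationId", "Application ID"));
            }
            if (arguments.containsKey("applicationName")) {
                step.setApplicationName((String) required(arguments, "applicationName", "Application name"));
            }
            if (arguments.containsKey("queryBy")) {
                step.setQueryBy(toInt(required(arguments, "queryBy", "Query by")));
            }
            return step;
        }

        /** Returns the value for {@code key}, failing with "{@code label} must be set." when it is {@code null}. */
        private static Object required(Map<String, Object> arguments, String key, String label) {
            Object value = arguments.get(key);
            if (value == null) {
                throw new IllegalArgumentException(label + " must be set.");
            }
            return value;
        }

        /**
         * Converts a numeric pipeline argument to {@code int}. Any {@link Number} is accepted so that
         * a Groovy {@code Long} literal works as well as an {@code Integer}.
         */
        private static int toInt(Object value) {
            return ((Number) value).intValue();
        }

        /** Fills the profile drop-down with the configured TeamServer profile names. */
        @SuppressWarnings("unused")
        public ListBoxModel doFillProfileItems() {
            return VulnerabilityTrendHelper.getProfileNames();
        }

        /**
         * Fills the application drop-down with the application IDs visible to the selected profile.
         *
         * @param teamServerProfileName profile whose credentials are used for the lookup
         * @return ListBoxModel filled with application ids
         * @throws IOException when TeamServer cannot be reached
         */
        public ListBoxModel doFillApplicationIdItems(@QueryParameter("profile") final String teamServerProfileName) throws IOException {
            return VulnerabilityTrendHelper.getApplicationIds(teamServerProfileName);
        }

        /** Fills the rule drop-down with the vulnerability types known to the selected profile. */
        @SuppressWarnings("unused")
        public ListBoxModel doFillRuleItems(@QueryParameter("profile") final String teamServerProfileName) {
            return VulnerabilityTrendHelper.getVulnerabilityTypes(teamServerProfileName);
        }

        /** Fills the severity drop-down. */
        @SuppressWarnings("unused")
        public ListBoxModel doFillSeverityItems() {
            return VulnerabilityTrendHelper.getSeverityListBoxModel();
        }
    }

    /** Synchronous execution of the step: queries TeamServer and applies the vulnerability threshold. */
    public static class Execution extends AbstractSynchronousStepExecution<Void> {

        private static final long serialVersionUID = 1L;

        @StepContextParameter
        transient Run<?, ?> build;

        @StepContextParameter
        transient TaskListener taskListener;

        @Inject
        transient VulnerabilityTrendStep step;

        /**
         * Runs the verification.
         *
         * @return always {@code null}
         * @throws AbortException when the profile is missing, the application ID is unknown and the
         *                        profile requires failing on that, TeamServer cannot be queried, or the
         *                        threshold is exceeded and the configured result is FAILURE
         */
        @Override
        public Void run() throws AbortException {
            TeamServerProfile teamServerProfile = VulnerabilityTrendHelper.getProfile(step.getProfile());
            if (teamServerProfile == null) {
                throw abort("Unable to find TeamServer profile.");
            }

            resolveLegacyApplicationName(teamServerProfile);

            log("Checking the number of vulnerabilities for " + step.getApplicationId());
            // The profile's credentials go only into the SDK; they are never written to the build log.
            ContrastSDK contrastSDK = VulnerabilityTrendHelper.createSDK(teamServerProfile.getUsername(), teamServerProfile.getServiceKey(),
                    teamServerProfile.getApiKey(), teamServerProfile.getTeamServerUrl());

            boolean applicationIdExists = VulnerabilityTrendHelper.applicationIdExists(contrastSDK, teamServerProfile.getOrgUuid(), step.getApplicationId());
            if (!applicationIdExists) {
                // An unknown ID is only fatal when the profile says so; otherwise the query proceeds and
                // will simply match nothing.
                log("Application with ID '" + step.getApplicationId() + "' not found.");
                if (teamServerProfile.isFailOnWrongApplicationId()) {
                    throw new AbortException("Application with ID '" + step.getApplicationId() + "' not found.");
                }
            }

            String stepString = step.buildStepString();
            log("Checking the step condition where " + stepString);

            Traces traces;
            try {
                TraceFilterForm filterForm = buildFilterForm();
                traces = fetchTraces(contrastSDK, teamServerProfile.getOrgUuid(), filterForm);
            } catch (Exception e) {
                // Some exceptions carry no message; fall back to toString so the console still names the cause.
                log(e.getMessage() != null ? e.getMessage() : e.toString());
                throw new AbortException("Unable to retrieve vulnerability information from TeamServer.");
            }
            if (traces == null) {
                throw abort("Unable to retrieve vulnerability information from TeamServer.");
            }

            if (traces.getCount() > step.getCount()) {
                Result buildResult = Result.fromString(teamServerProfile.getVulnerableBuildResult());
                log("Failed on the condition where " + stepString);
                log(VulnerabilityTrendHelper.getVulnerabilityInfoString(traces));
                // Compared by name, as the original did, so a deserialised Result copy still matches FAILURE.
                if (buildResult.toString().equals(Result.FAILURE.toString())) {
                    throw new AbortException("Failed on the condition where " + stepString);
                }
                build.setResult(buildResult);
                return null;
            }

            log("This step has passed successfully");
            return null;
        }

        /**
         * Compatibility fix for plugin versions up to 2.6, which stored an application name instead of an
         * ID. Resolves the name against the profile's application list and writes the ID back into the
         * step so the log lines and the filter below use it.
         */
        private void resolveLegacyApplicationName(TeamServerProfile teamServerProfile) {
            if (step.getApplicationId() != null || step.getApplicationName() == null) {
                return;
            }
            if (teamServerProfile.getApps() == null) {
                return;
            }
            for (App app : teamServerProfile.getApps()) {
                String title = app.getTitle();
                if (title == null) {
                    continue;
                }
                // Titles are matched on the part before a trailing " (" suffix; when no such suffix is
                // present the whole title is used instead of calling substring(0, -1).
                int marker = title.lastIndexOf(" (");
                String name = marker >= 0 ? title.substring(0, marker) : title;
                if (name.equals(step.getApplicationName())) {
                    step.setApplicationId(app.getName());
                    return;
                }
            }
        }

        /** Builds the trace filter from the step's query mode, severity and rule settings. */
        private TraceFilterForm buildFilterForm() {
            TraceFilterForm filterForm = new TraceFilterForm();
            int queryBy = step.getQueryBy();
            if (queryBy == Constants.QUERY_BY_APP_VERSION_TAG_HIERARCHICAL_FORMAT) {
                filterForm.setAppVersionTags(Collections.singletonList(
                        VulnerabilityTrendHelper.buildAppVersionTagHierarchical(build, step.getApplicationId())));
            } else if (queryBy == Constants.QUERY_BY_START_DATE) {
                filterForm.setStartDate(build.getTime());
            } else {
                // Any other value (including the unset default 0) uses the plain app-version tag.
                filterForm.setAppVersionTags(Collections.singletonList(
                        VulnerabilityTrendHelper.buildAppVersionTag(build, step.getApplicationId())));
            }
            if (step.getSeverity() != null) {
                filterForm.setSeverities(VulnerabilityTrendHelper.getSeverityList(step.getSeverity()));
            }
            if (step.getRule() != null) {
                filterForm.setVulnTypes(Collections.singletonList(step.getRule()));
            }
            return filterForm;
        }

        /**
         * Fetches traces from TeamServer. Start-date queries are scoped to the application; tag-based
         * queries are run across the organisation, as the tag already identifies the build.
         */
        private Traces fetchTraces(ContrastSDK contrastSDK, String orgUuid, TraceFilterForm filterForm) throws Exception {
            if (step.getQueryBy() == Constants.QUERY_BY_START_DATE) {
                return contrastSDK.getTraces(orgUuid, step.getApplicationId(), filterForm);
            }
            return contrastSDK.getTracesInOrg(orgUuid, filterForm);
        }

        /** Writes {@code message} to the build console. */
        private void log(String message) {
            VulnerabilityTrendHelper.logMessage(taskListener, message);
        }

        /** Logs {@code message} and returns an {@link AbortException} carrying the same text, for {@code throw abort(...)}. */
        private AbortException abort(String message) {
            log(message);
            return new AbortException(message);
        }

        String getBuildName() {
            return build.getParent().getDisplayName();
        }
    }

    /**
     * Renders the configured condition for log output, e.g. "count is 5, severity is High.".
     * Optional settings are included only when set; {@code queryBy} is treated as unset when 0.
     */
    private String buildStepString() {
        StringBuilder sb = new StringBuilder();
        sb.append("count is ").append(count);
        if (severity != null) {
            sb.append(", severity is ").append(severity);
        }
        if (rule != null) {
            sb.append(", rule type is ").append(rule);
        }
        if (applicationId != null) {
            sb.append(", applicationId is ").append(applicationId);
        }
        if (queryBy != 0) {
            sb.append(", queryBy is ").append(queryBy);
        }
        sb.append(".");
        return sb.toString();
    }
}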