CET-19215 add secret scanning

Author: lukbla

pom.xml

@@ -2,7 +2,7 @@
   <modelVersion>4.0.0</modelVersion>
   <groupId>org.kohsuke</groupId>
   <artifactId>cortexapps-github-api</artifactId>
-  <version>1.326</version>
+  <version>1.327</version>
   <name>GitHub API for Java</name>
   <url>https://github-api.kohsuke.org/</url>
   <description>GitHub API for Java</description>

src/main/java/org/kohsuke/github/GHSecretScanningAlert.java

@@ -5,7 +5,9 @@
 
 import java.io.IOException;
 import java.net.URL;
+import java.util.Arrays;
 import java.util.Date;
+import java.util.List;
 
 /**
  * Secret scanning alert for a repository
@@ -18,16 +20,23 @@ public class GHSecretScanningAlert extends GHObject {
     private GHRepository owner;
     private long number;
     private String html_url;
+    private String locations_url;
     private GHSecretScanningAlertState state;
     private String resolution;
     private String resolved_at;
     private GHUser resolved_by;
+    private String secret_name;
     private String secret_type;
-    private Secret secret;
-    private String push_protection_bypassed;
+    private String secret_type_display_name;
+    private String secret;
+
+    private Boolean push_protection_bypassed;
     private GHUser push_protection_bypassed_by;
     private String push_protection_bypassed_at;
 
+    private String created_at;
+    private String updated_at;
+
     GHSecretScanningAlert wrap(GHRepository owner) {
         this.owner = owner;
         return this;
@@ -54,6 +63,11 @@ public long getId() {
         return getNumber();
     }
 
+    @Override
+    public URL getHtmlUrl() throws IOException {
+        return GitHubClient.parseURL(html_url);
+    }
+
     /**
      * State of alert
      *
@@ -105,11 +119,29 @@ public String getSecretType() {
     }
 
     /**
-     * Secret that was detected
+     * Display name for tyype of secret that was detected
+     *
+     * @return the secret type display name
+     */
+    public String getSecretTypeDisplayName() {
+        return secret_type_display_name;
+    }
+
+    /**
+     * Secret name that was detected
      *
-     * @return the secret
+     * @return the secret name
      */
-    public Secret getSecret() {
+    public String getSecretName() {
+        return secret_name;
+    }
+
+    /**
+     * Secret value that was detected
+     *
+     * @return the secret value
+     */
+    public String getSecret() {
         return secret;
     }
 
@@ -118,8 +150,8 @@ public Secret getSecret() {
      *
      * @return true if push protection was bypassed, false otherwise
      */
-    public boolean isPushProtectionBypassed() {
-        return push_protection_bypassed != null && !push_protection_bypassed.isEmpty();
+    public Boolean isPushProtectionBypassed() {
+        return push_protection_bypassed;
     }
 
     /**
@@ -141,45 +173,41 @@ public Date getPushProtectionBypassedAt() {
         return GitHubClient.parseDate(push_protection_bypassed_at);
     }
 
-    @Override
-    public URL getHtmlUrl() throws IOException {
-        return GitHubClient.parseURL(html_url);
+    /**
+     * Gets created at.
+     *
+     * @return the created at
+     */
+    public Date getCreatedAt() {
+        return GitHubClient.parseDate(created_at);
+    }
+
+    /**
+     * Gets updated at.
+     *
+     * @return the updated at
+     */
+    public Date getUpdatedAt() {
+        return GitHubClient.parseDate(updated_at);
     }
 
     /**
-     * Secret details
-     */
-    @SuppressFBWarnings(value = { "UWF_UNWRITTEN_FIELD" }, justification = "JSON API")
-    public static class Secret {
-        private String name;
-        private String type;
-        private String value;
-
-        /**
-         * Name of the secret
-         *
-         * @return the name
-         */
-        public String getName() {
-            return name;
-        }
-
-        /**
-         * Type of the secret
-         *
-         * @return the type
-         */
-        public String getType() {
-            return type;
-        }
-
-        /**
-         * Value of the secret
-         *
-         * @return the value
-         */
-        public String getValue() {
-            return value;
-        }
+     * Gets locations url.
+     *
+     * @return the locations url
+     */
+    public String getLocationsUrl() {
+        return locations_url;
     }
+
+    /**
+     * Gets locations.
+     *
+     * @return the locations array
+     */
+    public List<GHSecretScanningAlertLocation> getLocations() throws IOException {
+        return Arrays.asList(
+                root().createRequest().withUrlPath(getLocationsUrl()).fetch(GHSecretScanningAlertLocation[].class));
+    }
+
 }

src/main/java/org/kohsuke/github/GHSecretScanningAlertLocation.java

@@ -0,0 +1,36 @@
+package org.kohsuke.github;
+
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+
+/**
+ * Code scanning alert for a repository
+ *
+ * <a href="https://docs.github.com/en/rest/reference/code-scanning"></a>
+ */
+@SuppressFBWarnings(value = { "UWF_UNWRITTEN_FIELD" }, justification = "JSON API")
+public class GHSecretScanningAlertLocation {
+    private String type;
+    private GHSecretScanningAlertLocationDetails details;
+
+    public GHSecretScanningAlertLocation() {
+    }
+
+    /**
+     * The type of location.
+     *
+     * @return the type
+     */
+    public String getType() {
+        return type;
+    }
+
+    /**
+     * The details of the location.
+     *
+     * @return the details
+     */
+    public GHSecretScanningAlertLocationDetails getDetails() {
+        return details;
+    }
+
+}

src/main/java/org/kohsuke/github/GHSecretScanningAlertLocationDetails.java

@@ -0,0 +1,25 @@
+package org.kohsuke.github;
+
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+
+/**
+ * Code sc for a repository
+ *
+ * <a href="https://docs.github.com/en/rest/reference/code-scanning"></a>
+ */
+@SuppressFBWarnings(value = { "UWF_UNWRITTEN_FIELD" }, justification = "JSON API")
+public class GHSecretScanningAlertLocationDetails {
+    private String path;
+
+    public GHSecretScanningAlertLocationDetails() {
+    }
+
+    /**
+     * The path to the file containing the secret.
+     *
+     * @return the path
+     */
+    public String getPath() {
+        return path;
+    }
+}

src/test/java/org/kohsuke/github/GHSecretScanningAlertTest.java

@@ -1,10 +1,8 @@
 package org.kohsuke.github;
 
-import org.junit.Assume;
 import org.junit.Before;
 import org.junit.Test;
 
-import java.io.IOException;
 import java.util.List;
 
 import static org.hamcrest.Matchers.*;
@@ -28,76 +26,51 @@ public class GHSecretScanningAlertTest extends AbstractGitHubWireMockTest {
      */
     @Before
     public void setUp() throws Exception {
-        repo = gitHub.getRepository("cortextests" + "/" + "test-code-scanning");
+        repo = gitHub.getRepository("cortextests" + "/" + "secret-scanning");
     }
 
     /**
-     * Test list code scanning alert payload
+     * Test list secret scanning alert payload
      */
     @Test
-    public void testListSecretScanningAlerts() {
+    public void testListSecretScanningAlerts() throws Exception {
         // Arrange
 
         // Act
         List<GHSecretScanningAlert> alerts = repo.listSecretScanningAlerts()._iterator(2).nextPage();
 
         // Assert
-        assertThat(alerts.size(), equalTo(2)); // This assertion is based on manual setup done on repo to
-        // guarantee there are atleast 2 issues
+        assertThat(alerts.size(), equalTo(2));
 
-        // GHCodeScanningAlert alert = codeQlAlerts.get(0);
-        //
-        // // Verify the code scanning tool details
-        // assertThat(alert.getTool(), not((Object) null));
-        // GHCodeScanningAlert.Tool tool = alert.getTool();
-        // assertThat(tool.getName(), is("CodeQL"));
-        // assertThat(tool.getVersion(), not((Object) null));
-        //
-        // // Verify that fields of the code scanning rule are non-null
-        // assertThat(alert.getRule(), not((Object) null));
-        // GHCodeScanningAlert.Rule rule = alert.getRule();
-        // assertThat(rule.getId(), not((Object) null));
-        // assertThat(rule.getName(), not((Object) null));
-        // assertThat(rule.getSeverity(), not((Object) null));
-        // assertThat(rule.getSecuritySeverityLevel(), not((Object) null));
-        //
-        // // Act - Search by filtering on alert status
-        // List<GHCodeScanningAlert> openAlerts = repo.listCodeScanningAlerts(GHCodeScanningAlertState.OPEN)
-        // ._iterator(2)
-        // .nextPage(); // This assertion is based on manual setup done on repo to
-        // // guarantee there are atleast 2 issues
-        //
-        // // Assert
-        // assertThat(openAlerts.size(), equalTo(2));
-        // GHCodeScanningAlert openAlert = openAlerts.get(0);
-        // assertThat(openAlert.getState(), is(GHCodeScanningAlertState.OPEN));
-    }
+        GHSecretScanningAlert alert1 = alerts.get(0);
+        assertThat(alert1.getNumber(), equalTo(2L));
+        assertThat(alert1.getState(), equalTo(GHSecretScanningAlertState.OPEN));
+        assertThat(alert1.getSecretType(), equalTo("npm_access_token"));
+        assertThat(alert1.getSecret(), equalTo("secret1"));
+        assertThat(alert1.isPushProtectionBypassed(), equalTo(false));
+        assertThat(alert1.getResolvedBy(), nullValue());
+        assertThat(alert1.getResolvedAt(), nullValue());
 
-    /**
-     * Test get code scanning alert payload
-     *
-     * @throws IOException
-     *             Signals that an I/O exception has occurred.
-     */
-    @Test
-    public void testGetCodeScanningAlert() throws IOException {
-        // Arrange
-        List<GHCodeScanningAlert> dismissedAlerts = repo.listCodeScanningAlerts(GHCodeScanningAlertState.DISMISSED)
-                ._iterator(1)
-                .nextPage();
-        Assume.assumeThat(dismissedAlerts.size(), greaterThanOrEqualTo(1));
-        GHCodeScanningAlert dismissedAlert = dismissedAlerts.get(0);
-        long idOfDismissed = dismissedAlert.getId();
+        List<GHSecretScanningAlertLocation> locations = alert1.getLocations();
+        assertThat(locations.size(), equalTo(1));
+        assertThat(locations.get(0).getType(), equalTo("commit"));
+        assertThat(locations.get(0).getDetails().getPath(), equalTo("secrets/secrets1.env"));
 
-        // Act
-        GHCodeScanningAlert result = repo.getCodeScanningAlert(idOfDismissed);
+        GHSecretScanningAlert alert2 = alerts.get(1);
+        assertThat(alert2.getNumber(), equalTo(1L));
+        assertThat(alert2.getState(), equalTo(GHSecretScanningAlertState.OPEN));
+        assertThat(alert2.getSecretType(), equalTo("stripe_test_secret_key"));
+        assertThat(alert2.getSecret(), equalTo("secret2"));
+        assertThat(alert2.isPushProtectionBypassed(), equalTo(true));
+        assertThat(alert2.getPushProtectionBypassedBy().getLogin(), equalTo("lukbla"));
+        assertThat(alert2.getPushProtectionBypassedAt(), equalTo(GitHubClient.parseDate("2025-05-05T15:32:05Z")));
+        assertThat(alert2.getResolvedBy(), nullValue());
+        assertThat(alert2.getResolvedAt(), nullValue());
 
-        // Assert
-        assertThat(result, not((Object) null));
-        assertThat(result.getId(), equalTo(idOfDismissed));
-        assertThat(result.getDismissedReason(), equalTo(dismissedAlert.getDismissedReason()));
-        assertThat(result.getDismissedAt(), equalTo(dismissedAlert.getDismissedAt()));
-        assertThat(result.getDismissedBy().login, equalTo(dismissedAlert.getDismissedBy().login));
+        List<GHSecretScanningAlertLocation> locations2 = alert2.getLocations();
+        assertThat(locations2.size(), equalTo(1));
+        assertThat(locations2.get(0).getType(), equalTo("commit"));
+        assertThat(locations2.get(0).getDetails().getPath(), equalTo("secrets.env"));
     }
 
 }