Merge remote-tracking branch 'origin/bugfix/defect-dojo-metafields' into merge/defect-dojo

Author: J12934

scb-engine/src/main/resources/application-dev.yaml

@@ -15,5 +15,5 @@ securecodebox.rest.user.scanner-default:
   password: scan
 
 securecodebox.persistence.defectdojo.baseurl: http://localhost:8000
-securecodebox.persistence.defectdojo.apikey:
+securecodebox.persistence.defectdojo.apikey: 6fd1b5e90d7afa33d1da939d7d51a9b745b11660
 

scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoMetaFields.java

@@ -1,6 +1,5 @@
 package io.securecodebox.persistence;
 
 public enum DefectDojoMetaFields {
-    DEFECT_DOJO_USER,
-    DEFECT_DOJO_PRODUCT
+    DEFECT_DOJO_USER
 }

scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoPersistenceProvider.java

@@ -26,7 +26,6 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.stereotype.Component;
 
@@ -52,12 +51,6 @@ public class DefectDojoPersistenceProvider implements PersistenceProvider {
 
     protected static final String DATE_FORMAT = "yyyy-MM-dd";
 
-    @Value("${securecodebox.persistence.defectdojo.baseurl}")
-    String defectDojoUrl;
-
-    @Value("${securecodebox.persistence.defectdojo.apikey}")
-    protected String defectDojoApiKey;
-
     Clock clock = Clock.systemDefaultZone();
 
     public void setClock(Clock clock){
@@ -90,9 +83,9 @@ public void persist(SecurityTest securityTest) throws PersistenceException {
         }
     }
 
-    static final String GIT_SERVER_NAME = "GitServer";
-    static final String BUILD_SERVER_NAME = "BuildServer";
-    static final String SECURITY_TEST_SERVER_NAME = "SecurityTestOrchestrationEngine";
+    static final String GIT_SERVER_NAME = "Git Server";
+    static final String BUILD_SERVER_NAME = "Build Server";
+    static final String SECURITY_TEST_SERVER_NAME = "Security Test Orchestration Engine";
 
     private void checkToolTypes() {
         DefectDojoResponse<ToolType> toolTypeGitResponse = defectDojoService.getToolTypeByName(GIT_SERVER_NAME);
@@ -113,12 +106,12 @@ private void checkToolTypes() {
 
     void checkConnection() throws DefectDojoUnreachableException {
         try {
-            final URLConnection connection = new URL(defectDojoUrl).openConnection();
+            final URLConnection connection = new URL(defectDojoService.defectDojoUrl).openConnection();
             connection.connect();
         }catch (final MalformedURLException e){
-            throw new DefectDojoUnreachableException("Could not reach defectdojo at '" + defectDojoUrl + "'!");
+            throw new DefectDojoUnreachableException("Could not reach defectdojo at '" + defectDojoService.defectDojoUrl + "'!");
         }catch (final IOException e){
-            throw new DefectDojoUnreachableException("Could not reach defectdojo at '" + defectDojoUrl + "'!");
+            throw new DefectDojoUnreachableException("Could not reach defectdojo at '" + defectDojoService.defectDojoUrl + "'!");
         }
     }
 
@@ -137,30 +130,28 @@ private List<String> getRawResults(SecurityTest securityTest) throws DefectDojoP
 
     private EngagementResponse createEngagement(SecurityTest securityTest) {
         EngagementPayload engagementPayload = new EngagementPayload();
-        engagementPayload.setName(securityTest.getContext());
+        engagementPayload.setProduct(defectDojoService.getProductUrl(securityTest.getContext()));
 
-        String productId = securityTest.getMetaData().get(DefectDojoMetaFields.DEFECT_DOJO_PRODUCT.name());
-        if (productId == null) {
-            throw new DefectDojoProductNotProvided("DefectDojo persistence provider was configured but no product id was provided in the security test meta fields.");
+        if(securityTest.getMetaData() == null){
+            securityTest.setMetaData(new HashMap<>());
         }
-        String username = securityTest.getMetaData().get(DefectDojoMetaFields.DEFECT_DOJO_USER.name());
 
-        engagementPayload.setProduct(defectDojoUrl + "/api/v2/products/" + productId + "/");
-        engagementPayload.setLead(defectDojoService.getUserUrl(username));
+        engagementPayload.setName(securityTest.getMetaData().get(CommonMetaFields.SCB_ENGAGEMENT_TITLE.name()) != null ?
+                securityTest.getMetaData().get(CommonMetaFields.SCB_ENGAGEMENT_TITLE.name()) : getDefectDojoScanName(securityTest.getName()));
+        engagementPayload.setLead(defectDojoService.getUserUrl(securityTest.getMetaData().get(DefectDojoMetaFields.DEFECT_DOJO_USER.name())));
         engagementPayload.setDescription(descriptionGenerator.generate(securityTest));
         engagementPayload.setBranch(securityTest.getMetaData().get(CommonMetaFields.SCB_BRANCH.name()));
         engagementPayload.setBuildID(securityTest.getMetaData().get(CommonMetaFields.SCB_BUILD_ID.name()));
         engagementPayload.setCommitHash(securityTest.getMetaData().get(CommonMetaFields.SCB_COMMIT_HASH.name()));
         engagementPayload.setRepo(securityTest.getMetaData().get(CommonMetaFields.SCB_REPO.name()));
         engagementPayload.setTracker(securityTest.getMetaData().get(CommonMetaFields.SCB_TRACKER.name()));
 
-        engagementPayload.setBuildServer(defectDojoService.getToolConfiguration(securityTest.getMetaData().get(CommonMetaFields.SCB_BUILD_SERVER.name()), "BuildServer"));
-        engagementPayload.setScmServer(defectDojoService.getToolConfiguration(securityTest.getMetaData().get(CommonMetaFields.SCB_SCM_SERVER.name()), "GitServer"));
-        engagementPayload.setOrchestrationEngine(defectDojoService.getToolConfiguration("https://github.com/secureCodeBox","SecurityTestOrchestrationEngine"));
+        engagementPayload.setBuildServer(defectDojoService.getToolConfiguration(securityTest.getMetaData().get(CommonMetaFields.SCB_BUILD_SERVER.name()), "Build Server"));
+        engagementPayload.setScmServer(defectDojoService.getToolConfiguration(securityTest.getMetaData().get(CommonMetaFields.SCB_SCM_SERVER.name()), "Git Server"));
+        engagementPayload.setOrchestrationEngine(defectDojoService.getToolConfiguration("https://github.com/secureCodeBox","Security Test Orchestration Engine"));
 
         engagementPayload.setTargetStart(currentDate());
         engagementPayload.setTargetEnd(currentDate());
-
         engagementPayload.setStatus(EngagementPayload.Status.COMPLETED);
 
         return defectDojoService.createEngagement(engagementPayload);

scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoProductNotFound.java

@@ -0,0 +1,29 @@
+/*
+ *
+ *  SecureCodeBox (SCB)
+ *  Copyright 2015-2018 iteratec GmbH
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  	http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ * /
+ */
+package io.securecodebox.persistence;
+
+public class DefectDojoProductNotFound extends DefectDojoPersistenceException {
+    public DefectDojoProductNotFound(String message) {
+        super(message);
+    }
+
+    public DefectDojoProductNotFound(String message, Throwable cause) {
+        super(message, cause);
+    }
+}

scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoProductNotProvided.java

@@ -18,7 +18,6 @@
  */
 package io.securecodebox.persistence;
 
-import io.securecodebox.model.securitytest.SecurityTest;
 import io.securecodebox.persistence.models.*;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -34,7 +33,6 @@
 import org.springframework.util.MultiValueMap;
 import org.springframework.web.client.HttpClientErrorException;
 import org.springframework.web.client.RestTemplate;
-import org.springframework.web.util.UriComponentsBuilder;
 
 import java.nio.charset.StandardCharsets;
 import java.text.MessageFormat;
@@ -61,7 +59,7 @@ public DefectDojoResponse<ToolType> getToolTypeByName(String name){
         RestTemplate restTemplate = new RestTemplate();
         HttpEntity toolTypeRequest = new HttpEntity(getHeaders());
 
-        String uri = UriComponentsBuilder.fromHttpUrl(defectDojoUrl + "/api/v2/tool_types/").queryParam("name", name).toUriString();
+        String uri = defectDojoUrl + "/api/v2/tool_types/?name=" + name;
         ResponseEntity<DefectDojoResponse<ToolType>> toolTypeResponse = restTemplate.exchange(uri, HttpMethod.GET, toolTypeRequest, new ParameterizedTypeReference<DefectDojoResponse<ToolType>>(){});
 
         return toolTypeResponse.getBody();
@@ -85,7 +83,7 @@ public String getUserUrl(String username){
             username = "admin";
         }
 
-        String uri = UriComponentsBuilder.fromHttpUrl(defectDojoUrl + "/api/v2/users/").queryParam("username", username).toUriString();
+        String uri = defectDojoUrl + "/api/v2/users/?username=" + username;
         HttpEntity userRequest = new HttpEntity(getHeaders());
         ResponseEntity<DefectDojoResponse<DefectDojoUser>> userResponse = restTemplate.exchange(uri, HttpMethod.GET, userRequest, new ParameterizedTypeReference<DefectDojoResponse<DefectDojoUser>>(){});
         if(userResponse.getBody().getCount() == 1){
@@ -96,22 +94,36 @@ public String getUserUrl(String username){
         }
     }
 
+    public String getProductUrl(String product){
+        RestTemplate restTemplate = new RestTemplate();
+
+        String uri = defectDojoUrl + "/api/v2/products/?name=" + product;
+        HttpEntity productRequest = new HttpEntity(getHeaders());
+        ResponseEntity<DefectDojoResponse<DefectDojoProduct>> productResponse = restTemplate.exchange(uri, HttpMethod.GET, productRequest, new ParameterizedTypeReference<DefectDojoResponse<DefectDojoProduct>>(){});
+        if(productResponse.getBody().getCount() == 1){
+            return productResponse.getBody().getResults().get(0).getUrl();
+        }
+        else {
+            throw new DefectDojoProductNotFound(MessageFormat.format("Could not find product: \"{0}\" in DefectDojo", product));
+        }
+    }
+
     public String getToolConfiguration(String toolUrl, String toolType){
         RestTemplate restTemplate = new RestTemplate();
 
         if (toolUrl == null){
             return null;
         }
 
-        String uri = UriComponentsBuilder.fromHttpUrl(defectDojoUrl + "/api/v2/tool_configurations/").queryParam("url", toolUrl).toUriString();
+        String uri = defectDojoUrl + "/api/v2/tool_configurations/?url=" + toolUrl;
         HttpEntity toolRequest = new HttpEntity(getHeaders());
         ResponseEntity<DefectDojoResponse<ToolConfig>> toolResponse = restTemplate.exchange(uri, HttpMethod.GET, toolRequest, new ParameterizedTypeReference<DefectDojoResponse<ToolConfig>>(){});
         if(toolResponse.getBody().getCount() > 0){
             return toolResponse.getBody().getResults().get(0).getUrl();
         }
         else {
             HttpEntity toolTypeRequest = new HttpEntity(getHeaders());
-            String toolTypeRequestUri = UriComponentsBuilder.fromHttpUrl(defectDojoUrl + "/api/v2/tool_types/").queryParam("name", toolType).toUriString();
+            String toolTypeRequestUri = defectDojoUrl + "/api/v2/tool_types/?name=" + toolType;
             ResponseEntity<DefectDojoResponse<ToolType>> toolTypeResponse = restTemplate.exchange(toolTypeRequestUri, HttpMethod.GET, toolTypeRequest, new ParameterizedTypeReference<DefectDojoResponse<ToolType>>(){});
             String toolTypeUri = toolTypeResponse.getBody().getResults().get(0).getUrl();
 

scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java

@@ -0,0 +1,24 @@
+package io.securecodebox.persistence.models;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.util.List;
+import lombok.Data;
+
+@Data
+public class DefectDojoProduct {
+    @JsonProperty
+    String url;
+
+    @JsonProperty
+    String name;
+
+    @JsonProperty
+    String description;
+
+    @JsonProperty("findings_count")
+    int findingsCount;
+
+    @JsonProperty("authorized_users")
+    List<String> authorizedUsers;
+}

scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/DefectDojoProduct.java

@@ -23,7 +23,7 @@
 
 import java.util.Arrays;
 import java.util.List;
-import java.util.Objects;
+
 
 @Data
 public class EngagementPayload {

scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/EngagementPayload.java

@@ -5,10 +5,7 @@
 import io.securecodebox.model.rest.Report;
 import io.securecodebox.model.securitytest.CommonMetaFields;
 import io.securecodebox.model.securitytest.SecurityTest;
-import io.securecodebox.persistence.models.DefectDojoResponse;
-import io.securecodebox.persistence.models.EngagementPayload;
-import io.securecodebox.persistence.models.EngagementResponse;
-import io.securecodebox.persistence.models.ToolType;
+import io.securecodebox.persistence.models.*;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
@@ -49,29 +46,30 @@ public void setUp() {
         when(descriptionGenerator.generate(any())).thenReturn("Foobar Description");
         doNothing().when(persistenceProvider).checkConnection();
 
-        persistenceProvider.defectDojoUrl = "http://localhost:8000";
         defectDojoService.defectDojoUrl = "http://localhost:8000";
 
         DefectDojoResponse<ToolType> responseExisting = new DefectDojoResponse<>();
         responseExisting.setCount(1);
         when(defectDojoService.getToolTypeByName(any())).thenReturn(responseExisting);
 
-        EngagementResponse response = new EngagementResponse();
-        response.setUrl("http://localhost:8000/api/v2/engagements/2/");
-        when(defectDojoService.createEngagement(any())).thenReturn(response);
+        EngagementResponse engagementResponse = new EngagementResponse();
+        engagementResponse.setUrl("http://localhost:8000/api/v2/engagements/2/");
+        when(defectDojoService.createEngagement(any())).thenReturn(engagementResponse);
+        when(defectDojoService.getProductUrl("Nmap Scan 11")).thenReturn("http://localhost:8000/api/v2/products/1/");
+        when(defectDojoService.getProductUrl("Nonexisting")).thenThrow(DefectDojoProductNotFound.class);
+
 
         metaData = new HashMap<>();
-        metaData.put(DefectDojoMetaFields.DEFECT_DOJO_PRODUCT.name(), "1");
         metaData.put(DefectDojoMetaFields.DEFECT_DOJO_USER.name(), "John Doe");
         when(defectDojoService.getUserUrl(eq("John Doe"))).thenReturn("http://localhost:8000/api/v2/users/5/");
 
         report = new Report();
         report.setRawFindings("\"[]\"");
         report.setFindings(Collections.emptyList());
 
-        when(defectDojoService.getToolConfiguration(eq("http://crazy.buildserver"), eq("BuildServer"))).thenReturn("http://localhost:8000/api/v2/tool_types/5/");
-        when(defectDojoService.getToolConfiguration(eq("http://crazy.scm_server"), eq("GitServer"))).thenReturn("http://localhost:8000/api/v2/tool_types/7/");
-        when(defectDojoService.getToolConfiguration(eq("https://github.com/secureCodeBox"), eq("SecurityTestOrchestrationEngine"))).thenReturn("http://localhost:8000/api/v2/tool_types/9/");
+        when(defectDojoService.getToolConfiguration(eq("http://crazy.buildserver"), eq("Build Server"))).thenReturn("http://localhost:8000/api/v2/tool_types/5/");
+        when(defectDojoService.getToolConfiguration(eq("http://crazy.scm_server"), eq("Git Server"))).thenReturn("http://localhost:8000/api/v2/tool_types/7/");
+        when(defectDojoService.getToolConfiguration(eq("https://github.com/secureCodeBox"), eq("Security Test Orchestration Engine"))).thenReturn("http://localhost:8000/api/v2/tool_types/9/");
 
     }
 
@@ -83,17 +81,18 @@ public void createsANewToolTypeIfItCouldNotBeFound(){
 
         DefectDojoResponse<ToolType> responseEmpty = new DefectDojoResponse<>();
         responseEmpty.setCount(0);
-        when(defectDojoService.getToolTypeByName("GitServer")).thenReturn(responseEmpty);
+        when(defectDojoService.getToolTypeByName("Git Server")).thenReturn(responseEmpty);
 
         SecurityTest securityTest = new SecurityTest();
         securityTest.setReport(report);
         securityTest.setMetaData(metaData);
+        securityTest.setName("nmap");
 
         persistenceProvider.persist(securityTest);
 
-        verify(defectDojoService, times(1)).createToolType(eq("GitServer"), any());
-        verify(defectDojoService, times(0)).createToolType(eq("BuildServer"), any());
-        verify(defectDojoService, times(0)).createToolType(eq("SecurityTestOrchestrationEngine"), any());
+        verify(defectDojoService, times(1)).createToolType(eq("Git Server"), any());
+        verify(defectDojoService, times(0)).createToolType(eq("Build Server"), any());
+        verify(defectDojoService, times(0)).createToolType(eq("Security Test Orchestration Engine"), any());
     }
 
     @Test
@@ -105,6 +104,8 @@ public void doesntCreateAnyToolTypesIfAllAreAlreadyExisting(){
         SecurityTest securityTest = new SecurityTest();
         securityTest.setReport(report);
         securityTest.setMetaData(metaData);
+        securityTest.setName("nmap");
+        securityTest.setContext("Nmap Scan 11");
 
         persistenceProvider.persist(securityTest);
 
@@ -113,7 +114,6 @@ public void doesntCreateAnyToolTypesIfAllAreAlreadyExisting(){
 
     @Test
     public void createsTheEngagement(){
-
         SecurityTest securityTest = new SecurityTest();
         securityTest.setContext("Nmap Scan 11");
 
@@ -123,10 +123,11 @@ public void createsTheEngagement(){
         metaData.put(CommonMetaFields.SCB_SCM_SERVER.name(), "http://crazy.scm_server");
         securityTest.setMetaData(metaData);
         securityTest.setReport(report);
+        securityTest.setName("nmap");
 
         EngagementPayload payload = new EngagementPayload();
         payload.setStatus(EngagementPayload.Status.COMPLETED);
-        payload.setName("Nmap Scan 11");
+        payload.setName("Nmap Scan");
         payload.setProduct("http://localhost:8000/api/v2/products/1/");
         payload.setLead("http://localhost:8000/api/v2/users/5/");
         payload.setBranch("master");
@@ -155,18 +156,19 @@ public void failsIfUserCouldNotBeFound(){
         metaData.put(DefectDojoMetaFields.DEFECT_DOJO_USER.name(), "This User really does not exist");
         securityTest.setMetaData(metaData);
         securityTest.setReport(report);
+        securityTest.setName("nmap");
 
         persistenceProvider.persist(securityTest);
     }
 
-    @Test(expected = DefectDojoProductNotProvided.class)
+    @Test(expected = DefectDojoProductNotFound.class)
     public void failsIfProductCouldNotBeFound(){
         SecurityTest securityTest = new SecurityTest();
-        securityTest.setContext("Nmap Scan 11");
+        securityTest.setContext("Nonexisting");
 
-        metaData.remove(DefectDojoMetaFields.DEFECT_DOJO_PRODUCT.name());
         securityTest.setMetaData(metaData);
         securityTest.setReport(report);
+        securityTest.setName("nmap");
 
         persistenceProvider.persist(securityTest);
     }
@@ -186,6 +188,7 @@ public void createsFindings() throws JsonProcessingException {
         report.setRawFindings(doubleSer);
         securityTest.setMetaData(metaData);
         securityTest.setReport(report);
+        securityTest.setName("nmap");
 
         persistenceProvider.persist(securityTest);
         verify(defectDojoService, times(1)).createFindings(

scb-persistenceproviders/defectdojo-persistenceprovider/src/test/java/io/securecodebox/persistence/DefectDojoPersistenceProviderTest.java

@@ -7,5 +7,6 @@ public enum CommonMetaFields {
     SCB_REPO,
     SCB_TRACKER,
     SCB_BUILD_SERVER,
-    SCB_SCM_SERVER
+    SCB_SCM_SERVER,
+    SCB_ENGAGEMENT_TITLE
 }