Merge pull request #64 from secureCodeBox/bugfix/fixed-defect-dojo-get-tool-configuration

MartinLang1 · web-flow · commit 378161e3f68b · 2019-01-30T12:16:30.000+01:00
Adapted defect dojo persistence provider to defect dojo api changes
diff --git a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoPersistenceProvider.java b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoPersistenceProvider.java
@@ -70,17 +70,17 @@ public void persist(SecurityTest securityTest) throws PersistenceException {
         checkToolTypes();
 
         EngagementResponse res = createEngagement(securityTest);
-        String engagementUrl = res.getUrl();
-        LOG.debug("Created engagement: '{}'", engagementUrl);
+        long engagementId = res.getId();
+        LOG.debug("Created engagement: '{}'", engagementId);
 
         String username = securityTest.getMetaData().get(DefectDojoMetaFields.DEFECT_DOJO_USER.name());
-        String userUrl = defectDojoService.getUserUrl(username);
+        long userUrl = defectDojoService.retrieveUserId(username);
 
         List<String> results = getDefectDojoScanName(securityTest.getName()).equals("Generic Findings Import") ? getGenericResults(securityTest) : getRawResults(securityTest);
             for (String result : results) {
                 defectDojoService.createFindings(
                         result,
-                        engagementUrl,
+                        engagementId,
                         userUrl,
                         currentDate(),
                         getDefectDojoScanName(securityTest.getName())
@@ -157,25 +157,25 @@ private List<String> getGenericResults(SecurityTest securityTest) {
 
     private EngagementResponse createEngagement(SecurityTest securityTest) {
         EngagementPayload engagementPayload = new EngagementPayload();
-        engagementPayload.setProduct(defectDojoService.getProductUrl(securityTest.getContext()));
+        engagementPayload.setProduct(defectDojoService.retrieveProductId(securityTest.getContext()));
 
         if(securityTest.getMetaData() == null){
             securityTest.setMetaData(new HashMap<>());
         }
 
         engagementPayload.setName(securityTest.getMetaData().get(CommonMetaFields.SCB_ENGAGEMENT_TITLE.name()) != null ?
                 securityTest.getMetaData().get(CommonMetaFields.SCB_ENGAGEMENT_TITLE.name()) : getDefectDojoScanName(securityTest.getName()));
-        engagementPayload.setLead(defectDojoService.getUserUrl(securityTest.getMetaData().get(DefectDojoMetaFields.DEFECT_DOJO_USER.name())));
+        engagementPayload.setLead(defectDojoService.retrieveUserId(securityTest.getMetaData().get(DefectDojoMetaFields.DEFECT_DOJO_USER.name())));
         engagementPayload.setDescription(descriptionGenerator.generate(securityTest));
         engagementPayload.setBranch(securityTest.getMetaData().get(CommonMetaFields.SCB_BRANCH.name()));
         engagementPayload.setBuildID(securityTest.getMetaData().get(CommonMetaFields.SCB_BUILD_ID.name()));
         engagementPayload.setCommitHash(securityTest.getMetaData().get(CommonMetaFields.SCB_COMMIT_HASH.name()));
         engagementPayload.setRepo(securityTest.getMetaData().get(CommonMetaFields.SCB_REPO.name()));
         engagementPayload.setTracker(securityTest.getMetaData().get(CommonMetaFields.SCB_TRACKER.name()));
 
-        engagementPayload.setBuildServer(defectDojoService.getToolConfiguration(securityTest.getMetaData().get(CommonMetaFields.SCB_BUILD_SERVER.name()), BUILD_SERVER_NAME));
-        engagementPayload.setScmServer(defectDojoService.getToolConfiguration(securityTest.getMetaData().get(CommonMetaFields.SCB_SCM_SERVER.name()), GIT_SERVER_NAME));
-        engagementPayload.setOrchestrationEngine(defectDojoService.getToolConfiguration("https://github.com/secureCodeBox", SECURITY_TEST_SERVER_NAME));
+        engagementPayload.setBuildServer(defectDojoService.retrieveOrCreateToolConfiguration(securityTest.getMetaData().get(CommonMetaFields.SCB_BUILD_SERVER.name()), BUILD_SERVER_NAME));
+        engagementPayload.setScmServer(defectDojoService.retrieveOrCreateToolConfiguration(securityTest.getMetaData().get(CommonMetaFields.SCB_SCM_SERVER.name()), GIT_SERVER_NAME));
+        engagementPayload.setOrchestrationEngine(defectDojoService.retrieveOrCreateToolConfiguration("https://github.com/secureCodeBox", SECURITY_TEST_SERVER_NAME));
 
         engagementPayload.setTargetStart(currentDate());
         engagementPayload.setTargetEnd(currentDate());
diff --git a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java
@@ -82,7 +82,7 @@ public void createToolType(String name, String description){
         restTemplate.exchange(defectDojoUrl + "/api/v2/tool_types/", HttpMethod.POST, toolPayload, ToolType.class);
     }
 
-    public String getUserUrl(String username){
+    public Long retrieveUserId(String username){
         RestTemplate restTemplate = new RestTemplate();
 
         if(username == null){
@@ -93,57 +93,66 @@ public String getUserUrl(String username){
         HttpEntity userRequest = new HttpEntity(getHeaders());
         ResponseEntity<DefectDojoResponse<DefectDojoUser>> userResponse = restTemplate.exchange(uri, HttpMethod.GET, userRequest, new ParameterizedTypeReference<DefectDojoResponse<DefectDojoUser>>(){});
         if(userResponse.getBody().getCount() == 1){
-            return userResponse.getBody().getResults().get(0).getUrl();
+            return userResponse.getBody().getResults().get(0).getId();
         }
         else {
             throw new DefectDojoUserNotFound(MessageFormat.format("Could not find user: \"{0}\" in DefectDojo", username));
         }
     }
 
-    public String getProductUrl(String product){
+    public long retrieveProductId(String product){
         RestTemplate restTemplate = new RestTemplate();
 
         String uri = defectDojoUrl + "/api/v2/products/?name=" + product;
         HttpEntity productRequest = new HttpEntity(getHeaders());
         ResponseEntity<DefectDojoResponse<DefectDojoProduct>> productResponse = restTemplate.exchange(uri, HttpMethod.GET, productRequest, new ParameterizedTypeReference<DefectDojoResponse<DefectDojoProduct>>(){});
         if(productResponse.getBody().getCount() == 1){
-            return productResponse.getBody().getResults().get(0).getUrl();
+            return productResponse.getBody().getResults().get(0).getId();
         }
         else {
             throw new DefectDojoProductNotFound(MessageFormat.format("Could not find product: \"{0}\" in DefectDojo", product));
         }
     }
 
-    public String getToolConfiguration(String toolUrl, String toolType){
-        RestTemplate restTemplate = new RestTemplate();
-
+    public Long retrieveOrCreateToolConfiguration(String toolUrl, String toolType){
         if (toolUrl == null){
             return null;
         }
 
-        String uri = defectDojoUrl + "/api/v2/tool_configurations/?url=" + toolUrl;
-        HttpEntity toolRequest = new HttpEntity(getHeaders());
-        ResponseEntity<DefectDojoResponse<ToolConfig>> toolResponse = restTemplate.exchange(uri, HttpMethod.GET, toolRequest, new ParameterizedTypeReference<DefectDojoResponse<ToolConfig>>(){});
+        ResponseEntity<DefectDojoResponse<ToolConfig>> toolResponse = retrieveToolConfiguration(toolUrl);
         if(toolResponse.getBody().getCount() > 0){
-            return toolResponse.getBody().getResults().get(0).getUrl();
+            LOG.info("Tool configuration already exists. Returning existing configuration.");
+            return toolResponse.getBody().getResults().get(0).getId();
         }
         else {
-            HttpEntity toolTypeRequest = new HttpEntity(getHeaders());
-            String toolTypeRequestUri = defectDojoUrl + "/api/v2/tool_types/?name=" + toolType;
-            ResponseEntity<DefectDojoResponse<ToolType>> toolTypeResponse = restTemplate.exchange(toolTypeRequestUri, HttpMethod.GET, toolTypeRequest, new ParameterizedTypeReference<DefectDojoResponse<ToolType>>(){});
-            String toolTypeUri = toolTypeResponse.getBody().getResults().get(0).getUrl();
+            LOG.info("Tool configuration does not exist yet. Creating new configuration.");
+            createToolConfiguration(toolUrl, toolType);
+            return retrieveToolConfiguration(toolUrl).getBody().getResults().get(0).getId();
+        }
+    }
+
+    private ResponseEntity<DefectDojoResponse<ToolConfig>> retrieveToolConfiguration(String toolUrl) {
+        RestTemplate restTemplate = new RestTemplate();
+        String uri = defectDojoUrl + "/api/v2/tool_configurations/?name=" + toolUrl;
+        HttpEntity toolRequest = new HttpEntity(getHeaders());
+        return restTemplate.exchange(uri, HttpMethod.GET, toolRequest, new ParameterizedTypeReference<DefectDojoResponse<ToolConfig>>(){});
+    }
 
-            ToolConfig toolConfig = new ToolConfig();
-            toolConfig.setName(toolUrl);
-            toolConfig.setToolType(toolTypeUri);
-            toolConfig.setConfigUrl(toolUrl);
-            toolConfig.setDescription(toolType);
+    private void createToolConfiguration(String toolUrl, String toolType) {
+        HttpEntity toolTypeRequest = new HttpEntity(getHeaders());
+        String toolTypeRequestUri = defectDojoUrl + "/api/v2/tool_types/?name=" + toolType;
+        RestTemplate restTemplate = new RestTemplate();
+        ResponseEntity<DefectDojoResponse<ToolType>> toolTypeResponse = restTemplate.exchange(toolTypeRequestUri, HttpMethod.GET, toolTypeRequest, new ParameterizedTypeReference<DefectDojoResponse<ToolType>>(){});
+        String toolTypeId = toolTypeResponse.getBody().getResults().get(0).getId();
 
-            HttpEntity<ToolConfig> toolPayload = new HttpEntity<>(toolConfig, getHeaders());
-            restTemplate.exchange(defectDojoUrl + "/api/v2/tool_configurations/", HttpMethod.POST, toolPayload, ToolConfig.class);
-            return getToolConfiguration(toolUrl, toolType);
+        ToolConfig toolConfig = new ToolConfig();
+        toolConfig.setName(toolUrl);
+        toolConfig.setToolType(toolTypeId);
+        toolConfig.setConfigUrl(toolUrl);
+        toolConfig.setDescription(toolType);
 
-        }
+        HttpEntity<ToolConfig> toolPayload = new HttpEntity<>(toolConfig, getHeaders());
+        restTemplate.exchange(defectDojoUrl + "/api/v2/tool_configurations/", HttpMethod.POST, toolPayload, ToolConfig.class);
     }
 
     public EngagementResponse createEngagement(EngagementPayload engagementPayload) {
@@ -161,15 +170,15 @@ public EngagementResponse createEngagement(EngagementPayload engagementPayload)
         }
     }
 
-    public ImportScanResponse createFindings(String rawResult, String engagementUrl, String lead, String currentDate,String defectDojoScanName) {
+    public ImportScanResponse createFindings(String rawResult, long engagementId, long lead, String currentDate,String defectDojoScanName) {
         RestTemplate restTemplate = new RestTemplate();
         HttpHeaders headers = getHeaders();
         headers.setContentType(MediaType.MULTIPART_FORM_DATA);
         restTemplate.setMessageConverters(Arrays.asList(new FormHttpMessageConverter(), new ResourceHttpMessageConverter(), new MappingJackson2HttpMessageConverter()));
 
         MultiValueMap<String, Object> mvn = new LinkedMultiValueMap<>();
-        mvn.add("engagement", engagementUrl);
-        mvn.add("lead", lead);
+        mvn.add("engagement", Long.toString(engagementId));
+        mvn.add("lead", Long.toString(lead));
         mvn.add("scan_date", currentDate);
         mvn.add("scan_type", defectDojoScanName);
 
diff --git a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/DefectDojoProduct.java b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/DefectDojoProduct.java
@@ -8,7 +8,7 @@
 @Data
 public class DefectDojoProduct {
     @JsonProperty
-    String url;
+    long id;
 
     @JsonProperty
     String name;
diff --git a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/DefectDojoUser.java b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/DefectDojoUser.java
@@ -4,7 +4,7 @@
 
 public class DefectDojoUser {
     @JsonProperty
-    String url;
+    Long id;
 
     @JsonProperty
     String username;
@@ -15,12 +15,12 @@ public class DefectDojoUser {
     @JsonProperty("last_name")
     String lastName;
 
-    public String getUrl() {
-        return url;
+    public Long getId() {
+        return id;
     }
 
-    public void setUrl(String url) {
-        this.url = url;
+    public void setId(Long id) {
+        this.id = id;
     }
 
     public String getUsername() {
diff --git a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/EngagementPayload.java b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/EngagementPayload.java
@@ -31,7 +31,7 @@ public class EngagementPayload {
     protected String name;
 
     @JsonProperty
-    protected String product;
+    protected long product;
 
     @JsonProperty("target_start")
     protected String targetStart;
@@ -40,7 +40,7 @@ public class EngagementPayload {
     protected String targetEnd;
 
     @JsonProperty
-    protected String lead;
+    protected Long lead;
 
     @JsonProperty("engagement_type")
     protected String engagementType = "CI/CD";
@@ -67,13 +67,13 @@ public class EngagementPayload {
     protected String repo;
 
     @JsonProperty("build_server")
-    protected String buildServer;
+    protected Long buildServer;
 
     @JsonProperty("source_code_management_server")
-    protected String scmServer;
+    protected Long scmServer;
 
     @JsonProperty("orchestration_engine")
-    protected String orchestrationEngine;
+    protected Long orchestrationEngine;
 
     @JsonProperty
     protected String description;
diff --git a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/EngagementResponse.java b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/EngagementResponse.java
@@ -22,13 +22,13 @@
 
 public class EngagementResponse {
     @JsonProperty
-    protected String url;
+    protected long id;
 
-    public String getUrl() {
-        return url;
+    public long getId() {
+        return id;
     }
 
-    public void setUrl(String url) {
-        this.url = url;
+    public void setId(long id) {
+        this.id = id;
     }
 }
diff --git a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/ToolConfig.java b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/ToolConfig.java
@@ -3,6 +3,9 @@
 import com.fasterxml.jackson.annotation.JsonProperty;
 
 public class ToolConfig {
+    @JsonProperty
+    long id;
+
     @JsonProperty
     String url;
 
@@ -18,6 +21,14 @@ public class ToolConfig {
     @JsonProperty
     String description;
 
+    public long getId() {
+        return id;
+    }
+
+    public void setId(long id) {
+        this.id = id;
+    }
+
     public String getDescription() {
         return description;
     }
diff --git a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/ToolType.java b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/ToolType.java
@@ -4,20 +4,20 @@
 
 public class ToolType {
     @JsonProperty
-    String url;
+    String id;
 
     @JsonProperty
     String name;
 
     @JsonProperty
     String description;
 
-    public String getUrl() {
-        return url;
+    public String getId() {
+        return id;
     }
 
-    public void setUrl(String url) {
-        this.url = url;
+    public void setId(String id) {
+        this.id = id;
     }
 
     public String getName() {
diff --git a/scb-persistenceproviders/defectdojo-persistenceprovider/src/test/java/io/securecodebox/persistence/DefectDojoPersistenceProviderTest.java b/scb-persistenceproviders/defectdojo-persistenceprovider/src/test/java/io/securecodebox/persistence/DefectDojoPersistenceProviderTest.java
@@ -55,23 +55,23 @@ public void setUp() {
         when(defectDojoService.getToolTypeByName(any())).thenReturn(responseExisting);
 
         EngagementResponse engagementResponse = new EngagementResponse();
-        engagementResponse.setUrl("http://localhost:8000/api/v2/engagements/2/");
+        engagementResponse.setId(2);
         when(defectDojoService.createEngagement(any())).thenReturn(engagementResponse);
-        when(defectDojoService.getProductUrl("Nmap Scan 11")).thenReturn("http://localhost:8000/api/v2/products/1/");
-        when(defectDojoService.getProductUrl("Nonexisting")).thenThrow(DefectDojoProductNotFound.class);
+        when(defectDojoService.retrieveProductId("Nmap Scan 11")).thenReturn(1l);
+        when(defectDojoService.retrieveProductId("Nonexisting")).thenThrow(DefectDojoProductNotFound.class);
 
 
         metaData = new HashMap<>();
         metaData.put(DefectDojoMetaFields.DEFECT_DOJO_USER.name(), "John Doe");
-        when(defectDojoService.getUserUrl(eq("John Doe"))).thenReturn("http://localhost:8000/api/v2/users/5/");
+        when(defectDojoService.retrieveUserId(eq("John Doe"))).thenReturn(5l);
 
         report = new Report();
         report.setRawFindings("\"[]\"");
         report.setFindings(Collections.emptyList());
 
-        when(defectDojoService.getToolConfiguration(eq("http://crazy.buildserver"), eq("Build Server"))).thenReturn("http://localhost:8000/api/v2/tool_types/5/");
-        when(defectDojoService.getToolConfiguration(eq("http://crazy.scm_server"), eq("Git Server"))).thenReturn("http://localhost:8000/api/v2/tool_types/7/");
-        when(defectDojoService.getToolConfiguration(eq("https://github.com/secureCodeBox"), eq("Security Test Orchestration Engine"))).thenReturn("http://localhost:8000/api/v2/tool_types/9/");
+        when(defectDojoService.retrieveOrCreateToolConfiguration(eq("http://crazy.buildserver"), eq("Build Server"))).thenReturn(5l);
+        when(defectDojoService.retrieveOrCreateToolConfiguration(eq("http://crazy.scm_server"), eq("Git Server"))).thenReturn(7l);
+        when(defectDojoService.retrieveOrCreateToolConfiguration(eq("https://github.com/secureCodeBox"), eq("Security Test Orchestration Engine"))).thenReturn(9l);
 
     }
 
@@ -130,16 +130,16 @@ public void createsTheEngagement(){
         EngagementPayload payload = new EngagementPayload();
         payload.setStatus(EngagementPayload.Status.COMPLETED);
         payload.setName("Nmap Scan");
-        payload.setProduct("http://localhost:8000/api/v2/products/1/");
-        payload.setLead("http://localhost:8000/api/v2/users/5/");
+        payload.setProduct(1l);
+        payload.setLead(5l);
         payload.setBranch("master");
         payload.setRepo("https://github.com/secureCodeBox/engine");
         payload.setDescription("Foobar Description");
         payload.setTargetStart("2019-01-07");
         payload.setTargetEnd("2019-01-07");
-        payload.setBuildServer("http://localhost:8000/api/v2/tool_types/5/");
-        payload.setScmServer("http://localhost:8000/api/v2/tool_types/7/");
-        payload.setOrchestrationEngine("http://localhost:8000/api/v2/tool_types/9/");
+        payload.setBuildServer(5l);
+        payload.setScmServer(7l);
+        payload.setOrchestrationEngine(9l);
 
         persistenceProvider.persist(securityTest);
 
@@ -150,7 +150,7 @@ public void createsTheEngagement(){
 
     @Test(expected = DefectDojoUserNotFound.class)
     public void failsIfUserCouldNotBeFound(){
-        when(defectDojoService.getUserUrl(any())).thenThrow(new DefectDojoUserNotFound(""));
+        when(defectDojoService.retrieveUserId(any())).thenThrow(new DefectDojoUserNotFound(""));
 
         SecurityTest securityTest = new SecurityTest();
         securityTest.setContext("Nmap Scan 11");
@@ -195,8 +195,8 @@ public void createsFindingsForSupportedScanner() throws JsonProcessingException
         persistenceProvider.persist(securityTest);
         verify(defectDojoService, times(1)).createFindings(
                 eq("<Some Xml stuff>\n<Don't know how the form is>"),
-                eq("http://localhost:8000/api/v2/engagements/2/"),
-                eq("http://localhost:8000/api/v2/users/5/"),
+                eq(2l),
+                eq(5l),
                 eq("2019-01-07"),
                 eq("Nmap Scan")
         );
@@ -225,10 +225,10 @@ public void createsFindingsForNonSupportedScanner() {
         verify(defectDojoService, times(1)).createFindings(
                 eq( "date,title,cweid,url,severity,description,mitigation,impact,references,active,verified,falsepositive,duplicate\n"+
                         "2019-01-07,findingname,,http://someadress,INFORMATIONAL,description,,,,,,false,false"),
-                eq("http://localhost:8000/api/v2/engagements/2/"),
-                eq("http://localhost:8000/api/v2/users/5/"),
+                eq(2l),
+                eq(5l),
                 eq("2019-01-07"),
                 eq("Generic Findings Import")
         );
     }
-}
+}

Original file line number	Diff line number	Diff line change
`@@ -22,13 +22,13 @@`
`22`	`22`
`23`	`23`	`public class EngagementResponse {`
`24`	`24`	`@JsonProperty`
`25`		`- protected String url;`
	`25`	`+ protected long id;`
`26`	`26`
`27`		`- public String getUrl() {`
`28`		`- return url;`
	`27`	`+ public long getId() {`
	`28`	`+ return id;`
`29`	`29`	`}`
`30`	`30`
`31`		`- public void setUrl(String url) {`
`32`		`- this.url = url;`
	`31`	`+ public void setId(long id) {`
	`32`	`+ this.id = id;`
`33`	`33`	`}`
`34`	`34`	`}`