Add createProduct, addEngagmgent

Author: wurstbrot

scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoLoopException.java

@@ -0,0 +1,29 @@
+/*
+ *
+ *  SecureCodeBox (SCB)
+ *  Copyright 2015-2018 iteratec GmbH
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  	http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ * /
+ */
+package io.securecodebox.persistence;
+
+public class DefectDojoLoopException extends RuntimeException{
+    public DefectDojoLoopException(String message) {
+        super(message);
+    }
+
+    public DefectDojoLoopException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}

scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java

@@ -18,7 +18,6 @@
  */
 package io.securecodebox.persistence;
 
-
 import io.securecodebox.persistence.models.*;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -43,6 +42,8 @@
 import java.time.LocalDate;
 import java.time.format.DateTimeFormatter;
 import java.util.Arrays;
+import java.util.LinkedList;
+import java.util.List;
 import java.util.Optional;
 
 @Component
@@ -181,8 +182,13 @@ public EngagementResponse createEngagement(EngagementPayload engagementPayload)
             throw new DefectDojoPersistenceException("Failed to create Engagement for SecurityTest", e);
         }
     }
-
     public ImportScanResponse createFindings(String rawResult, long engagementId, long lead, String currentDate,String defectDojoScanName) {
+        return createFindings(rawResult, engagementId, lead, currentDate,defectDojoScanName, "");
+    }
+    /**
+     * Till version 1.5.4. testName (in defectdojo _test_type_) must be defectDojoScanName, afterwards, you can have somethings else
+     */
+    public ImportScanResponse createFindings(String rawResult, long engagementId, long lead, String currentDate,String defectDojoScanName, String testName) {
         RestTemplate restTemplate = new RestTemplate();
         HttpHeaders headers = getHeaders();
         headers.setContentType(MediaType.MULTIPART_FORM_DATA);
@@ -193,7 +199,12 @@ public ImportScanResponse createFindings(String rawResult, long engagementId, lo
         mvn.add("lead", Long.toString(lead));
         mvn.add("scan_date", currentDate);
         mvn.add("scan_type", defectDojoScanName);
-
+        mvn.add("close_old_findings", "true");
+        mvn.add("skip_duplicates", "false");
+        
+        if(!testName.isEmpty())
+            mvn.add("test_type", testName);
+        
         try {
             ByteArrayResource contentsAsResource = new ByteArrayResource(rawResult.getBytes(StandardCharsets.UTF_8)) {
                 @Override
@@ -214,10 +225,10 @@ public String getFilename() {
         }
     }
     public ImportScanResponse createFindingsForEngagementName(String engagementName, String rawResults, String defectDojoScanName, long productId, long lead){
-        return createFindingsForEngagementName(engagementName, rawResults, defectDojoScanName, productId, lead, new EngagementPayload());
+        return createFindingsForEngagementName(engagementName, rawResults, defectDojoScanName, productId, lead, new EngagementPayload(), "");
     }
 
-    public ImportScanResponse createFindingsForEngagementName(String engagementName, String rawResults, String defectDojoScanName, long productId, long lead, EngagementPayload engagementPayload){
+    public ImportScanResponse createFindingsForEngagementName(String engagementName, String rawResults, String defectDojoScanName, long productId, long lead, EngagementPayload engagementPayload, String testName){
         Long engagementId = getEngagementIdByEngagementName(engagementName, productId).orElseGet(() -> {
             engagementPayload.setName(engagementName);
             engagementPayload.setProduct(productId);
@@ -227,7 +238,22 @@ public ImportScanResponse createFindingsForEngagementName(String engagementName,
             return createEngagement(engagementPayload).getId();
         });
 
-        return createFindings(rawResults, engagementId, lead, currentDate(), defectDojoScanName);
+        return createFindings(rawResults, engagementId, lead, currentDate(), defectDojoScanName, testName);
+    }
+
+    public ImportScanResponse createFindingsForEngagementName(String engagementName, String rawResults, String defectDojoScanName, String productName, long lead, EngagementPayload engagementPayload, String testName){
+        long productId = 0;
+        try {
+            productId = retrieveProductId(productName);
+        } catch(DefectDojoProductNotFound e) {
+            LOG.debug("Given product does not exists");
+        }
+        if(productId == 0) {
+            ProductResponse productResponse = createProduct(productName);
+            productId = productResponse.getId();
+        }
+        
+        return createFindingsForEngagementName(engagementName, rawResults, defectDojoScanName, productId, lead, engagementPayload, testName);
     }
 
     private Optional<Long> getEngagementIdByEngagementName(String engagementName, long productId){
@@ -257,4 +283,83 @@ private Optional<Long> getEngagementIdByEngagementName(String engagementName, lo
         LOG.warn("Engagement with name '{}' not found.", engagementName);
         return Optional.empty();
     }
+    public ProductResponse createProduct(String productName) {
+        RestTemplate restTemplate = new RestTemplate();
+        ProductPayload productPayload = new ProductPayload(productName, "Description missing");
+        HttpEntity<ProductPayload> payload = new HttpEntity<>(productPayload, getHeaders());
+
+        try {
+            ResponseEntity<ProductResponse> response = restTemplate.exchange(defectDojoUrl + "/api/v2/products/", HttpMethod.POST, payload, ProductResponse.class);
+            return response.getBody();
+        } catch (HttpClientErrorException e) {
+            LOG.warn("Failed to create product {}", e);
+            LOG.warn("Failure response body. {}", e.getResponseBodyAsString());
+            throw new DefectDojoPersistenceException("Failed to create product", e);
+        }
+    }
+
+    public void deleteUnusedBranches(List<String> existingBranches, String producName) {
+        long productId = retrieveProductId(producName);
+        deleteUnusedBranches(existingBranches, productId);
+    } 
+
+    /**
+     * Deletes engagements based on branch tag
+     * Be aware that the branch tag MUST be set, otherwise all engagments will be deleted
+     */
+    public void deleteUnusedBranches(List<String> existingBranches, long productId) {
+        RestTemplate restTemplate = new RestTemplate();
+        
+        //get existing branches
+        List<EngagementResponse> engagementPayloads = getEngagementsForProduct(productId, 0);
+        for(EngagementResponse engagementPayload : engagementPayloads) {
+            boolean branchExists = false;
+            for(String existingBranchName : existingBranches) {
+                if(existingBranchName.equals(engagementPayload.getBanch())) {
+                    branchExists = true;
+                    break;
+                }
+            }
+            if(!branchExists) {
+                deleteEnageament(engagementPayload.getId());
+                LOG.info("Deleted engagement with id " + engagementPayload.getId() + ", branch " + engagementPayload.getBanch());
+            }
+        }
+    }
+
+    private List<EngagementResponse> getEngagementsForProduct(long productId, long offset) throws DefectDojoLoopException{
+        if(offset > 9999) {
+            throw new DefectDojoLoopException("offset engagement products too much!");
+        }
+        UriComponentsBuilder builder = UriComponentsBuilder.fromHttpUrl(defectDojoUrl + "/api/v2/engagements")
+                .queryParam("product", Long.toString(productId))
+                .queryParam("limit", Long.toString(50L))
+                .queryParam("offset", Long.toString(offset));
+
+        RestTemplate restTemplate = new RestTemplate();
+        HttpEntity engagementRequest = new HttpEntity(getHeaders());
+
+        ResponseEntity<DefectDojoResponse<EngagementResponse>> engagementResponse = restTemplate.exchange(builder.toUriString(), HttpMethod.GET, engagementRequest, new ParameterizedTypeReference<DefectDojoResponse<EngagementResponse>>(){});
+        List<EngagementResponse> engagementPayloads = new LinkedList<EngagementResponse>();
+        for(EngagementResponse engagement : engagementResponse.getBody().getResults()){
+            engagementPayloads.add(engagement);
+        }
+        if(engagementResponse.getBody().getNext() != null){
+            engagementPayloads.addAll(getEngagementsForProduct(productId, offset + 1));;
+        }
+        return engagementPayloads;
+    }    
+    public void deleteEnageament(long engagementId){
+        RestTemplate restTemplate = new RestTemplate();
+
+        String uri = defectDojoUrl + "/api/v2/engagements/" + engagementId + "/?id=" + engagementId;
+        HttpEntity request = new HttpEntity(getHeaders());
+        try {
+            ResponseEntity<DefectDojoResponse> response = restTemplate.exchange(uri, HttpMethod.DELETE, request, DefectDojoResponse.class);
+        } catch (HttpClientErrorException e) {
+            LOG.warn("Failed to delete engagment {}, engagementId: " + engagementId, e);
+            LOG.warn("Failure response body. {}", e.getResponseBodyAsString());
+            throw new DefectDojoPersistenceException("Failed to delete product", e);
+        }
+    }    
 }

scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/DefectDojoProduct.java

@@ -21,4 +21,11 @@ public class DefectDojoProduct {
 
     @JsonProperty("authorized_users")
     List<String> authorizedUsers;
+
+    public DefectDojoProduct() {}
+
+    public DefectDojoProduct(String productName, String productDescription) {
+        name = productName;
+        description = productDescription;
+    }
 }

scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/EngagementPayload.java

@@ -63,7 +63,7 @@ public class EngagementPayload {
     protected String commitHash;
 
     @JsonProperty("branch_tag")
-    protected String branch;
+    public String branch;
 
     @JsonProperty("source_code_management_uri")
     protected String repo;
@@ -80,6 +80,9 @@ public class EngagementPayload {
     @JsonProperty
     protected String description;
 
+    @JsonProperty("deduplication_on_engagement")
+    protected boolean deduplicationOnEngagement;
+
     /**
      * Currently only contains the statuses relevant to us.
      * If you need others, feel free to add them ;)

scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/EngagementResponse.java

@@ -27,6 +27,9 @@ public class EngagementResponse {
     @JsonProperty
     protected String name;
 
+    @JsonProperty("branch_tag")
+    protected String branch;
+
     public long getId() {
         return id;
     }
@@ -42,4 +45,12 @@ public String getName() {
     public void setName(String name) {
         this.name = name;
     }
+
+    public String getBanch() {
+        return branch;
+    }
+
+    public void setBranch(String branch) {
+        this.branch = branch;
+    }
 }

scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/ProductPayload.java

@@ -0,0 +1,34 @@
+/*
+*  Licensed under the Apache License, Version 2.0 (the "License");
+*  you may not use this file except in compliance with the License.
+*  You may obtain a copy of the License at
+*
+*  	http://www.apache.org/licenses/LICENSE-2.0
+*
+*  Unless required by applicable law or agreed to in writing, software
+*  distributed under the License is distributed on an "AS IS" BASIS,
+*  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+*  See the License for the specific language governing permissions and
+*  limitations under the License.
+*/
+
+package io.securecodebox.persistence.models;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.util.List;
+import lombok.Data;
+
+@Data
+public class ProductPayload {
+    @JsonProperty
+    String name;
+
+    @JsonProperty
+    String description;
+
+    public ProductPayload(String productName, String productDescription) {
+        name = productName;
+        description = productDescription;
+    }
+}

scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/ProductResponse.java

@@ -0,0 +1,45 @@
+/*
+ *
+ *  SecureCodeBox (SCB)
+ *  Copyright 2015-2018 iteratec GmbH
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  	http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ * /
+ */
+package io.securecodebox.persistence.models;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+public class ProductResponse {
+    @JsonProperty
+    protected long id;
+
+    @JsonProperty
+    protected String name;
+
+    public long getId() {
+        return id;
+    }
+
+    public void setId(long id) {
+        this.id = id;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+}

scb-persistenceproviders/defectdojo-persistenceprovider/src/test/java/io/securecodebox/persistence/DefectDojoPersistenceProviderTest.java

@@ -233,4 +233,13 @@ public void createsFindingsForNonSupportedScanner() {
                 eq("Generic Findings Import")
         );
     }
+
+    @Test
+    public void createProduct() {
+        String productName = "mytestproduct";
+        defectDojoService.createProduct(productName);
+        verify(defectDojoService, times(1)).createProduct(
+            eq(productName)
+        );
+    }
 }