Add vuln handling

wurstbrot · wurstbrot · commit 6aeec1fda42c · 2019-08-11T09:34:24.000+02:00
diff --git a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java
@@ -19,6 +19,8 @@
 package io.securecodebox.persistence;
 
 import io.securecodebox.persistence.models.*;
+
+import org.camunda.bpm.model.bpmn.instance.ReceiveTask;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
@@ -45,6 +47,7 @@
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Optional;
+import java.util.Iterator;
 
 @Component
 @ConditionalOnProperty(name = "securecodebox.persistence.defectdojo.enabled", havingValue = "true")
@@ -68,6 +71,8 @@ private String currentDate() {
 
     private static final Logger LOG = LoggerFactory.getLogger(DefectDojoService.class);
 
+	private LinkedMultiValueMap options;
+
     private HttpHeaders getHeaders(){
         HttpHeaders headers = new HttpHeaders();
         headers.set("Authorization", "Token " + defectDojoApiKey);
@@ -256,6 +261,10 @@ public ImportScanResponse createFindingsForEngagementName(String engagementName,
         return createFindingsForEngagementName(engagementName, rawResults, defectDojoScanName, productId, lead, engagementPayload, testName);
     }
 
+    private Optional<Long> getEngagementIdByEngagementName(String engagementName, String productName){
+        long productId = retrieveProductId(productName);
+        return getEngagementIdByEngagementName(engagementName, productId, 0L);
+    }
     private Optional<Long> getEngagementIdByEngagementName(String engagementName, long productId){
         return getEngagementIdByEngagementName(engagementName, productId, 0L);
     }
@@ -355,11 +364,64 @@ public void deleteEnageament(long engagementId){
         String uri = defectDojoUrl + "/api/v2/engagements/" + engagementId + "/?id=" + engagementId;
         HttpEntity request = new HttpEntity(getHeaders());
         try {
-            ResponseEntity<DefectDojoResponse> response = restTemplate.exchange(uri, HttpMethod.DELETE, request, DefectDojoResponse.class);
+            ResponseEntity<DefectDojoResponse> response = restTemplate.exchange(uri, HttpMethod.GET, request, DefectDojoResponse.class);
         } catch (HttpClientErrorException e) {
             LOG.warn("Failed to delete engagment {}, engagementId: " + engagementId, e);
             LOG.warn("Failure response body. {}", e.getResponseBodyAsString());
             throw new DefectDojoPersistenceException("Failed to delete product", e);
         }
+    }
+
+    /* options is created as follows:
+        MultiValueMap<String, String> mvn = new LinkedMultiValueMap<>();
+        mvn.add("engagement", Long.toString(engagementId));
+     */
+    private List<Finding> getCurrentFindings(long engagementId, LinkedMultiValueMap<String, String> options){
+        RestTemplate restTemplate = new RestTemplate();
+
+        UriComponentsBuilder builder = UriComponentsBuilder.fromHttpUrl(defectDojoUrl + "/api/v2/findings/")
+                .queryParam("active", "true")
+                .queryParam("false_p", "false")
+                .queryParam("duplicate", "false")
+                .queryParam("test__engagement", Long.toString(engagementId));
+
+        if(options != null) {
+            builder = prepareParameters(options, builder);
+        }
+
+        HttpEntity request = new HttpEntity(getHeaders());
+        try {
+            ResponseEntity<DefectDojoResponse<Finding>> response = restTemplate.exchange(builder.toUriString(), HttpMethod.GET, request, new ParameterizedTypeReference<DefectDojoResponse<Finding>>(){});
+            List<Finding> findings = new LinkedList<Finding>();
+            for(Finding finding : response.getBody().getResults()){
+                findings.add(finding);
+            }
+            return findings;
+        } catch (HttpClientErrorException e) {
+            LOG.warn("Failed to get findings {}, engagementId: " + engagementId, e);
+            LOG.warn("Failure response body. {}", e.getResponseBodyAsString());
+            throw new DefectDojoPersistenceException("Failed to get findings", e);
+        }
+    }
+    private UriComponentsBuilder prepareParameters(LinkedMultiValueMap<String, String> queryParameters, UriComponentsBuilder builder) {
+        Iterator<String> it = queryParameters.keySet().iterator();
+     
+        while(it.hasNext()){
+            String theKey = (String)it.next();
+            builder.replaceQueryParam(theKey, queryParameters.getFirst(theKey));
+        }
+        return builder;
     }    
+
+    public List<Finding> receiveNonHandeldFindings(String productName, String engagementName, String minimumServerity, LinkedMultiValueMap<String, String> options){
+        Long engagementId = getEngagementIdByEngagementName(engagementName, productName).orElse(0L);
+        //getCurrentFindings
+        List<Finding> findings = new LinkedList<Finding>();
+        for (String serverity : Finding.getServeritiesAndHigherServerities(minimumServerity)) {
+            LinkedMultiValueMap<String, String> optionTemp = options.clone();
+            optionTemp.add("serverity", serverity);    
+            findings.addAll(getCurrentFindings(engagementId, optionTemp));
+        }
+        return findings;
+    }
 }
diff --git a/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/Finding.java b/scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/models/Finding.java
@@ -0,0 +1,85 @@
+/*
+ *
+ *  SecureCodeBox (SCB)
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  	http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ * /
+ */
+package io.securecodebox.persistence.models;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import lombok.Data;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.LinkedList;
+import java.util.List;
+
+
+@Data
+public class Finding {
+    @JsonProperty
+    protected long id;
+
+    @JsonProperty
+    protected String title;
+    
+    @JsonProperty
+    protected long cwe;
+
+    @JsonProperty
+    protected String cve;
+    @JsonProperty
+
+    protected String severity;
+    
+    @JsonProperty
+    protected String description;
+    
+    @JsonProperty
+    protected boolean active = true;
+    
+    @JsonProperty
+    protected boolean verified = true;
+    
+    @JsonProperty("false_p")
+    protected boolean falsePostive = false;
+    
+    @JsonProperty
+    protected boolean duplicate =  false;
+
+    @JsonProperty("is_Mitigated")
+    protected boolean isMitigated = false;
+
+    enum FindingSeverities {
+
+    }
+    public static final LinkedList<String> findingServerities = new LinkedList<String>(){{
+        add("Low");
+        add("Medium");
+        add("High");
+        add("Critical");
+    }};
+    public static LinkedList<String> getServeritiesAndHigherServerities(String minimumServerity){
+        LinkedList<String> severities = new LinkedList<String>();
+        boolean minimumFound = false;
+        for(String serverity : findingServerities) {
+            if(minimumFound || minimumServerity.equals(serverity)) {
+                minimumFound = true;
+                severities.add(serverity);
+            }
+        }
+
+        return severities;
+    }
+}
