diff --git a/build.gradle b/build.gradle
index 85db788d..082ab1c1 100644
--- a/build.gradle
+++ b/build.gradle
@@ -4,7 +4,7 @@ import java.net.http.HttpResponse
 import java.nio.file.Paths
 plugins {
- id "org.jetbrains.intellij" version "1.17.0"
+ id "org.jetbrains.intellij" version "1.16.0"
 id "java"
 id "maven-publish"
 id "de.undercouch.download" version "5.3.0"
diff --git a/src/main/java/com/jfrog/ide/idea/inspections/JFrogSecurityWarning.java b/src/main/java/com/jfrog/ide/idea/inspections/JFrogSecurityWarning.java
index 110b6bda..17f47aff 100644
--- a/src/main/java/com/jfrog/ide/idea/inspections/JFrogSecurityWarning.java
+++ b/src/main/java/com/jfrog/ide/idea/inspections/JFrogSecurityWarning.java
@@ -58,16 +58,24 @@ public JFrogSecurityWarning(SarifResult result, SourceCodeScanType reporter, Rul
 getFirstRegion(result).getEndLine() - 1,
 getFirstRegion(result).getEndColumn() - 1,
 result.getMessage().getText(),
- !result.getLocations().isEmpty() ? uriToPath(result.getLocations().get(0).getPhysicalLocation().getArtifactLocation().getUri()) : "",
+ getFilePath(result),
 result.getRuleId(),
 getFirstRegion(result).getSnippet().getText(),
 reporter,
- (!result.getKind().equals("pass") && (rule.getRuleProperties().map(properties -> properties.getApplicability().equals("applicable")).orElse(true))),
+ isWarningApplicable(result,rule),
 Severity.fromSarif(result.getSeverity()),
 convertCodeFlowsToFindingInfo(result.getCodeFlows())
 );
 }
+ private static boolean isWarningApplicable(SarifResult result,Rule rule){
+ return !result.getKind().equals("pass") && (rule.getRuleProperties().map(properties -> properties.getApplicability().equals("applicable")).orElse(true));
+ }
+
+ private static String getFilePath(SarifResult result){
+ return !result.getLocations().isEmpty() ? uriToPath(result.getLocations().get(0).getPhysicalLocation().getArtifactLocation().getUri()) : "";
+ }
+ + private static FindingInfo[][] convertCodeFlowsToFindingInfo(List codeFlows) {
 if (codeFlows == null || codeFlows.isEmpty()) {
 return null;
diff --git a/src/main/java/com/jfrog/ide/idea/scan/data/Rule.java b/src/main/java/com/jfrog/ide/idea/scan/data/Rule.java
index 514580b6..f6bd89a0 100644
--- a/src/main/java/com/jfrog/ide/idea/scan/data/Rule.java
+++ b/src/main/java/com/jfrog/ide/idea/scan/data/Rule.java
@@ -1,6 +1,8 @@
 package com.jfrog.ide.idea.scan.data;
 import com.fasterxml.jackson.annotation.JsonProperty;
+import lombok.Getter;
+import org.apache.batik.svggen.font.table.RangeRecord;
 import java.util.Objects;
 import java.util.Optional;
@@ -56,6 +58,7 @@ public int hashCode() {
 return Objects.hash(id);
 }
+ @Override
 public boolean equals(Object other) {
 if (other == this) {
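Review bot: `isWarningApplicable` keeps the original's `result.getKind().equals("pass")` and `properties.getApplicability().equals("applicable")` call order, so if the deserialized result or rule-properties object leaves either field null (in SARIF, `kind` is optional) the whole scan parse aborts with a NullPointerException instead of classifying that one result. Extracting the helper is the right moment to make both comparisons null-safe: `return !"pass".equals(result.getKind()) && rule.getRuleProperties().map(p -> "applicable".equals(p.getApplicability())).orElse(true);`. The `.orElse(true)` branch reports a rule with no properties as applicable, which is the safe direction for a security finding but is easy to "fix" away later, so a short comment such as `// No rule properties: keep the finding visible rather than suppress it` would pin the intent. Also add the missing spaces in `(SarifResult result,Rule rule){` to match the file's formatting. The enclosing constructor starts before the hunk and `convertCodeFlowsToFindingInfo` continues after it.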
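Review bot: The two imports added to Rule.java, `lombok.Getter` and `org.apache.batik.svggen.font.table.RangeRecord`, are not used by any line this commit changes in that file (its other hunks add only `@Override` and two blank lines), so they look like IDE auto-import accidents. The Batik one matters most: it makes the main source set compile-depend on Apache Batik, a library this data class has no reason to be coupled to, and it widens the set of artifacts a build of the plugin pulls in for no functional gain. The same appears to apply to `import org.junit.Assert;` and `import static org.junit.Assert.assertThrows;` added to ScanBinaryExecutorTest.java, which no visible hunk in that file uses. Drop all four unless a change outside this diff needs them.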
@@ -68,3 +71,5 @@ public boolean equals(Object other) {
 return Objects.equals(this.id, rhs.id);
 }
 }
+
+
diff --git a/src/test/java/com/jfrog/ide/idea/scan/ScanBinaryExecutorTest.java b/src/test/java/com/jfrog/ide/idea/scan/ScanBinaryExecutorTest.java
index 918ab813..00669272 100644
--- a/src/test/java/com/jfrog/ide/idea/scan/ScanBinaryExecutorTest.java
+++ b/src/test/java/com/jfrog/ide/idea/scan/ScanBinaryExecutorTest.java
@@ -7,6 +7,7 @@
 import junit.framework.TestCase;
 import org.apache.commons.io.FileUtils;
 import org.jfrog.build.api.util.NullLog;
+import org.junit.Assert;
 import java.io.File;
 import java.io.IOException;
@@ -15,6 +16,7 @@
 import java.util.List;
 import static com.jfrog.ide.common.utils.Utils.createYAMLMapper;
+import static org.junit.Assert.assertThrows;
 /**
 * @author tala
@@ -87,21 +89,28 @@ public void testSarifParserNotApplicResults() throws IOException {
 public void testSarifParserApplicResultsWithKindPass() throws IOException {
 List parsedOutput = scanner.parseOutputSarif(APPLIC_KIND_PASS_OUTPUT);
- assertEquals(4, parsedOutput.size());
- // 2 known applicable results (code evidence returned)
+ assertEquals(6, parsedOutput.size());
+ //Not Applicable with kind pass
 assertEquals("applic_CVE-2022-25878", parsedOutput.get(0).getRuleID());
 assertFalse(parsedOutput.get(0).isApplicable());
- assertEquals("CVE-2022-25978", parsedOutput.get(1).getRuleID());
+ //Applicable with kind pass
+ assertEquals("applic_CVE-2022-25978", parsedOutput.get(1).getRuleID());
 assertTrue(parsedOutput.get(1).isApplicable());
- // 2 known no-applicable results (have a scanner but no code evidence returned)
+ //Not applicable with kind pass and no properties
 assertEquals("applic_CVE-2021-25878", parsedOutput.get(2).getRuleID());
 assertFalse(parsedOutput.get(2).isApplicable());
+ //Applicable with kind fail
 assertEquals("applic_CVE-2022-29019", parsedOutput.get(3).getRuleID());
- assertFalse(parsedOutput.get(3).isApplicable());
+ assertTrue(parsedOutput.get(3).isApplicable());
+ //Not applicable as its not_covered
+ assertEquals("applic_CVE-2022-29004", parsedOutput.get(4).getRuleID());
+ assertFalse(parsedOutput.get(4).isApplicable());
+ //Not applicable as its undetermined
+ assertEquals("applic_CVE-2022-29014", parsedOutput.get(5).getRuleID());
+ assertFalse(parsedOutput.get(5).isApplicable());
 }
-
 public void testGetBinaryDownloadURL() {
 final String externalRepoName = "test-releases-repo";
 final String expectedExternalRepoUrl = "test-releases-repo/artifactory/xsc-gen-exe-analyzer-manager-local/";
diff --git a/src/test/resources/sourceCode/applicable_kind_pass_output.sarif b/src/test/resources/sourceCode/applicable_kind_pass_output.sarif
index 97b8094a..e32d5554 100644
--- a/src/test/resources/sourceCode/applicable_kind_pass_output.sarif
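Review bot: The "no properties" case is only exercised with `kind: pass` (index 2), where `isWarningApplicable` returns false before the rule properties are consulted, so the `orElse(true)` default for a rule that has no properties is never asserted by this test. One more fixture result with `kind: fail` and a rule without `properties`, followed by `assertTrue(parsedOutput.get(6).isApplicable());`, would pin that fail-closed default so a later change cannot silently start hiding findings. The removed blank line also leaves `testSarifParserApplicResultsWithKindPass` and `testGetBinaryDownloadURL` abutting; keep the separator. The new comments use `//Not Applicable ...` with no space after the slashes, unlike the file's existing `// 2 known ...` style, so `// Not applicable with kind pass` would be consistent.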
+++ b/src/test/resources/sourceCode/applicable_kind_pass_output.sarif @@ -16,11 +16,11 @@ "markdown": "The scanner checks whether the vulnerable function `pem.Decode` is called." }, "shortDescription": { - "text": "Scanner for CVE-2020-28502" + "text": "Scanner for applic_CVE-2022-25878" } }, { - "id": "CVE-2022-25978", + "id": "applic_CVE-2022-25978", "properties": { "conclusion": "negative", "applicability": "applicable" @@ -30,7 +30,7 @@ "markdown": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used." }, "shortDescription": { - "text": "Scanner for CVE-2020-5310" + "text": "Scanner for applic_CVE-2022-25978" } }, { @@ -40,7 +40,7 @@ "markdown": "The scanner checks whether the vulnerable function `pem.Decode` is called." }, "shortDescription": { - "text": "Scanner for CVE-2020-28502" + "text": "Scanner for applic_CVE-2021-25878" } }, { 
@@ -50,10 +50,35 @@ "markdown": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used." }, "shortDescription": { - "text": "Scanner for CVE-2020-5310" + "text": "Scanner for applic_CVE-2022-29019" } + }, + { + "id": "applic_CVE-2022-29004", + "fullDescription": { + "text": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used.", + "markdown": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used." + }, + "shortDescription": { + "text": "Scanner for applic_CVE-2022-29004" + }, "properties": { + "conclusion": "positive", + "applicability": "not_covered" + } + }, + { + "id": "applic_CVE-2022-29014", + "fullDescription": { + "text": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used.", + "markdown": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used." + }, + "shortDescription": { + "text": "Scanner for applic_CVE-2022-29014" + }, "properties": { + "conclusion": "positive", + "applicability": "undetermined" + } } - ], "version": "APPLIC_SCANNERv0.2.0" } @@ -116,7 +141,7 @@ } } ], - "ruleId": "CVE-2022-25978" + "ruleId": "applic_CVE-2022-25978" }, { "message": { 
@@ -129,8 +154,21 @@ "message": { "text": "The scanner checks whether the vulnerable function `ansi-regex` is called." }, - "kind": "pass", + "kind": "fail", "ruleId": "applic_CVE-2022-29019" + }, + { + "message": { + "text": "The scanner checks whether the vulnerable function `call-all-ansi` is called." + }, + "kind": "pass", + "ruleId": "applic_CVE-2022-29004" + }, + {"message": { + "text": "The scanner checks whether the vulnerable function `not-call-all-ansi` is called." + }, + "kind": "pass", + "ruleId": "applic_CVE-2022-29014" } ] }
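Review bot: The last added result opens as `{"message": {` on a single line, while every other entry in this fixture puts the object brace on its own line; reformat it to match so future diffs of the fixture stay readable. The hunk otherwise only adds the two `kind: pass` results the test asserts on.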