
Commit cb65f8d

Integration branch (#18)
* GA Changes GA * GA changes 1.0.12 * code changes for encryption and decryption of access_token * code changes for encryption and decryption of access_token * code changes for encryption and decryption of access_token * updated scan summary name and update set * change log level to basic * Update Update_Set_GA_1.0.11.xml * Added Update set From Vendor Instance --------- Co-authored-by: Apoorva <[email protected]>
1 parent 255b673 commit cb65f8d

12 files changed

+8468
-7941
lines changed

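--- a/Scripts/CheckmarxOneAppListIntegration_sys_script_include_f60f0ee047131110328ca368436d43ba.xml
+++ b/Scripts/CheckmarxOneAppListIntegration_sys_script_include_f60f0ee047131110328ca368436d43ba.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<unload unload_date="2023-06-27 13:48:20">
+<unload unload_date="2023-08-11 14:37:20">
 <sys_script_include action="INSERT_OR_UPDATE">
 <access>public</access>
 <active>true</active>
@@ -58,21 +58,26 @@ CheckmarxOneAppListIntegration.prototype = Object.extendsObject(sn_vul.Applicati
 var groups = '';
 var groupval = ' ';
 for (var item in response.projects) {
+var applicationIds = '';
 groups = +response.projects[item].groups.toString();
-{
+var projectResponse = this.UTIL.getProjectById(this.IMPLEMENTATION, response.projects[item].id);
+if (null != projectResponse.applicationIds && projectResponse.applicationIds.length > 0)
+applicationIds = projectResponse.applicationIds.toString(); {
 if (groups == 0) {
 appListAll += '<project id="' + response.projects[item].id +
 '" createdAt="' + response.projects[item].createdAt +
+'" applicationIds="' + applicationIds +
 '" groups="' + groupval + '">' +
 '<name><' + '![CDATA[' + response.projects[item].name + ']]' + '></name></project>';
 
 } else {
 appListAll += '<project id="' + response.projects[item].id +
 '" createdAt="' + response.projects[item].createdAt +
+'" applicationIds="' + applicationIds +
 '" groups="' + response.projects[item].groups.toString() + '">' +
 '<name><' + '![CDATA[' + response.projects[item].name + ']]' + '></name></project>';
 }
-}
+}
 }
 
 var reportContent = appListRootNodeStart + appListAll + appListRootNodeEnd;
@@ -178,20 +183,19 @@ CheckmarxOneAppListIntegration.prototype = Object.extendsObject(sn_vul.Applicati
 shouldRetry: function(process) {
 return true;
 },
-
 type: 'CheckmarxOneAppListIntegration'
 });]]></script>
 <sys_class_name>sys_script_include</sys_class_name>
 <sys_created_by>admin</sys_created_by>
 <sys_created_on>2022-11-18 05:11:38</sys_created_on>
 <sys_id>f60f0ee047131110328ca368436d43ba</sys_id>
-<sys_mod_count>132</sys_mod_count>
+<sys_mod_count>133</sys_mod_count>
 <sys_name>CheckmarxOneAppListIntegration</sys_name>
 <sys_package display_value="Checkmarx One Vulnerability Integration" source="x_chec3_chexone">3d20e92d47471110328ca368436d436a</sys_package>
 <sys_policy/>
 <sys_scope display_value="Checkmarx One Vulnerability Integration">3d20e92d47471110328ca368436d436a</sys_scope>
 <sys_update_name>sys_script_include_f60f0ee047131110328ca368436d43ba</sys_update_name>
 <sys_updated_by>[email protected]</sys_updated_by>
-<sys_updated_on>2023-06-26 17:02:50</sys_updated_on>
+<sys_updated_on>2023-08-08 11:25:54</sys_updated_on>
 </sys_script_include>
 </unload>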
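Review bot: The `{` left at the end of new line 65, `applicationIds = projectResponse.applicationIds.toString(); {`, opens a bare block that runs to the `}` at new line 80 and does nothing except suggest that the `if` on line 64 covers the XML-building code, which it does not — the brace-less `if` governs only the single assignment. Replacing lines 64–65 with `if (projectResponse && null != projectResponse.applicationIds && projectResponse.applicationIds.length > 0) {` / `applicationIds = projectResponse.applicationIds.toString();` / `}` and dropping the bare block at line 80 makes the scope explicit and also guards the case where getProjectById returns nothing (whether it can is not visible here). The value is then written into the `applicationIds="…"` attribute at new lines 69 and 76 without XML escaping, the same way as the existing id/createdAt/groups attributes; since this document is later fed to validateXML and XMLDocument2 in CheckmarxOneAppListProcessor, a value containing `"`, `&` or `<` would fail validation or parsing instead of being reported as data, so an escaping helper applied to every attribute value would be a worthwhile follow-up. The enclosing function starts and ends outside the hunk.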
@@ -1,5 +1,5 @@
11
<?xml version="1.0" encoding="UTF-8"?>
2-
<unload unload_date="2023-06-27 13:48:59">
2+
<unload unload_date="2023-08-11 14:38:22">
33
<sys_script_include action="INSERT_OR_UPDATE">
44
<access>public</access>
55
<active>true</active>
@@ -16,15 +16,14 @@ CheckmarxOneAppListProcessor.prototype = Object.extendsObject(sn_vul.Application
1616
*/
1717
MSG: 'CheckmarxOne AppListProcessor:',
1818
UTIL: new x_chec3_chexone.CheckmarxOneUtil(),
19-
process: function (attachment) {
19+
20+
process: function(attachment) {
2021
if (!attachment) {
2122
gs.warn(gs.getMessage('CheckmarxOneAppListProcessor: Called with no attachment'));
2223
return;
2324
}
2425
try {
25-
2626
this.UTIL.validateXML(new GlideSysAttachment().getContent(attachment), 'error');
27-
2827
//Parsing the Project List attachment
2928
var appDoc = new XMLDocument2();
3029
appDoc.parseXML(new GlideSysAttachment().getContent(attachment));
@@ -38,17 +37,22 @@ CheckmarxOneAppListProcessor.prototype = Object.extendsObject(sn_vul.Application
3837
var errorProcess = '';
3938
while (iter.hasNext()) {
4039
try {
41-
42-
4340
var appNode = iter.next();
4441
var attributes = appNode.getAttributes();
42+
var applicationId = '';
43+
var appId;
44+
if (appNode.getAttribute('applicationIds') && appNode.getAttribute('applicationIds') != {}) {
45+
appId ={};
46+
appId[gs.getMessage("Application Id: ")] = appNode.getAttribute('applicationIds').toString();
47+
} else
48+
appId = '';
4549
//map attributes from Checkmarx into the servicenow expected format'
4650
var appObj = {
4751
source_app_id: attributes.id,
4852
app_name: appNode.getLastChild().getTextContent().toString(),
4953
source_assigned_teams: attributes.groups,
5054
description: 'created at' + attributes.createdAt,
51-
55+
source_additional_info: JSON.stringify(appId),
5256
};
5357
//Updating the project information in ServiceNow table
5458
var result = this.AVR_API.createOrUpdateApp(appObj);
@@ -59,45 +63,33 @@ CheckmarxOneAppListProcessor.prototype = Object.extendsObject(sn_vul.Application
5963
this.import_counts.updated++;
6064
else if (result.unchanged)
6165
this.import_counts.unchanged++;
62-
}
66+
}
6367
64-
} catch (ex) {
65-
errorMessage = gs.getMessage("Error in retriving data for app list integration!");
66-
gs.error(this.MSG + "errorMessage " + ex);
67-
errorProcess += " | " + ex.getMessage();
68+
} catch (ex) {
69+
errorMessage = gs.getMessage("Error in retriving data for app list integration!");
70+
gs.error(this.MSG + "errorMessage " + ex);
71+
errorProcess += " | " + ex.getMessage();
72+
}
6873
}
69-
}
7074
7175
if (!gs.nil(errorProcess))
7276
gs.error(this.MSG + "All errors that occurred while processing project lists: " + errorProcess);
7377
this.completeProcess(this.integrationProcessGr, this.import_counts);
7478
},
7579
76-
}
77-
78-
}
79-
} catch (ex) {
80-
errorMessage = gs.getMessage("Error in retriving data for app list integration!");
81-
gs.error(this.MSG + "errorMessage " + ex);
82-
throw ex;
83-
}
84-
85-
this.completeProcess(this.integrationProcessGr, this.import_counts);
86-
},
87-
8880
type: 'CheckmarxOneAppListProcessor'
8981
});]]></script>
9082
<sys_class_name>sys_script_include</sys_class_name>
9183
<sys_created_by>admin</sys_created_by>
9284
<sys_created_on>2022-11-21 12:03:00</sys_created_on>
9385
<sys_id>716c87ad471f1110328ca368436d438a</sys_id>
94-
<sys_mod_count>48</sys_mod_count>
86+
<sys_mod_count>49</sys_mod_count>
9587
<sys_name>CheckmarxOneAppListProcessor</sys_name>
9688
<sys_package display_value="Checkmarx One Vulnerability Integration" source="x_chec3_chexone">3d20e92d47471110328ca368436d436a</sys_package>
9789
<sys_policy/>
9890
<sys_scope display_value="Checkmarx One Vulnerability Integration">3d20e92d47471110328ca368436d436a</sys_scope>
9991
<sys_update_name>sys_script_include_716c87ad471f1110328ca368436d438a</sys_update_name>
10092
<sys_updated_by>[email protected]</sys_updated_by>
101-
<sys_updated_on>2023-06-26 17:18:16</sys_updated_on>
93+
<sys_updated_on>2023-08-08 11:22:07</sys_updated_on>
10294
</sys_script_include>
10395
</unload>
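Review bot: The new condition at new line 44, `appNode.getAttribute('applicationIds') != {}`, compares against a freshly created object literal, which is never equal by identity, so that operand is always true and the guard reduces to the truthiness of the attribute; `if (appNode.getAttribute('applicationIds')) {` expresses the same check without the dead comparison. `var applicationId = '';` at new line 42 is declared and never read, while the value actually used is `appId`. When the attribute is absent, `appId = ''` makes `source_additional_info` at new line 55 the two-character JSON string `""` rather than an empty value; if an empty marker is intended, `appId = {}` (serialised as `{}`) or a null check downstream would be more uniform for consumers of that field. The process function is split across the three middle hunks; its closing `},` is visible at new line 78.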

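--- a/Scripts/CheckmarxOneAppVulItemIntegration_sys_script_include_891d8fed471f1110328ca368436d4334.xml
+++ b/Scripts/CheckmarxOneAppVulItemIntegration_sys_script_include_891d8fed471f1110328ca368436d4334.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<unload unload_date="2023-06-27 13:49:35">
+<unload unload_date="2023-09-05 08:40:21">
 <sys_script_include action="INSERT_OR_UPDATE">
 <access>public</access>
 <active>true</active>
@@ -17,9 +17,32 @@ CheckmarxOneAppVulItemIntegration.prototype = Object.extendsObject(sn_vul.Applic
 retrieveData: function() {
 var params = this._getParameters(this.PROCESS.getValue('parameters'));
 var response = "<null/>";
+if (Object.keys(params.run)[0]) {
+var appname = '';
+var lastscandate = '';
+var branch = '';
+var appId = '';
+var applicationIds = [];
+var applicationIdsStr = '';
+var responseLastScanSummary = this.UTIL.getScanDetails(this.IMPLEMENTATION, Object.keys(params.run)[0]);
+var jsonLastScanSummResp = JSON.parse(responseLastScanSummary.getBody());
+//to map value of last_scan_date, project name and project Id in XML
+for (var value in jsonLastScanSummResp.scans) {
+var projectResponse = this.UTIL.getProjectById(this.IMPLEMENTATION, jsonLastScanSummResp.scans[value].projectId);
+if (null != projectResponse.applicationIds && projectResponse.applicationIds.length > 0)
+applicationIds = applicationIds.concat(projectResponse.applicationIds);
+lastscandate += this.UTIL.parseDate(jsonLastScanSummResp.scans[value].updatedAt);
+appname += jsonLastScanSummResp.scans[value].projectName;
+branch += jsonLastScanSummResp.scans[value].branch;
+appId += jsonLastScanSummResp.scans[value].projectId;
+}
+if (applicationIds.length > 0)
+applicationIdsStr = applicationIds.toString();
+}
+
 if (params.run) {
 // scanId, offset
-response = this.getDetailedReport(Object.keys(params.run)[0], params.run[Object.keys(params.run)[0]]);
+response = this.getDetailedReport(Object.keys(params.run)[0], params.run[Object.keys(params.run)[0]], lastscandate, appname, branch, appId, applicationIdsStr);
 gs.debug(this.MSG + ' getDetailedReport response:' + response);
 
 }
@@ -45,7 +68,7 @@ CheckmarxOneAppVulItemIntegration.prototype = Object.extendsObject(sn_vul.Applic
 };
 },
 
-getDetailedReport: function(scanId, offset) {
+getDetailedReport: function(scanId, offset, lastscandate, appname, branch, appId, applicationIdsStr) {
 try {
 var includesca = this.UTIL.importScaFlaw(this.IMPLEMENTATION);
 var includesast = this.UTIL.importSastFlaw(this.IMPLEMENTATION);
@@ -56,13 +79,9 @@ CheckmarxOneAppVulItemIntegration.prototype = Object.extendsObject(sn_vul.Applic
 var SCAscanDetailedAll = '';
 var SASTscanDetailedAll = '';
 var scanDetailedAll = '';
-var lastscandate = '';
 var sca = 'sca';
 var sast = 'sast';
 var description = '';
-var appname = '';
-var branch = '';
-var appId = '';
 var line = '';
 var ref = '';
 var reference = '';
@@ -76,20 +95,11 @@ CheckmarxOneAppVulItemIntegration.prototype = Object.extendsObject(sn_vul.Applic
 var cvssScore = " ";
 var cvssVector = " ";
 var newoffset = offset - 1;
-var responseLastScanSummary = this.UTIL.getScanDetails(this.IMPLEMENTATION, scanId);
-var jsonLastScanSummResp = JSON.parse(responseLastScanSummary.getBody());
-gs.debug(this.MSG + " getSummaryReport : parsed scanInfoResponse " + JSON.stringify(jsonLastScanSummResp));
-//to map value of last_scan_date, project name and project Id in XML
-for (var value in jsonLastScanSummResp.scans) {
-lastscandate += this.UTIL.parseDate(jsonLastScanSummResp.scans[value].updatedAt);
-appId += jsonLastScanSummResp.scans[value].projectId;
-}
 var responseLastScanReport = this.UTIL.getVulInfo(this.IMPLEMENTATION, scanId, newoffset);
 gs.debug(this.MSG + " getDetailedReport : scanInfoResponse " + responseLastScanReport);
 var jsonLastScanReportResp = JSON.parse(responseLastScanReport.getBody());
 var scan_type = "static";
 var vulnerabilityCountThresholdLevel = config.vulnerability_threshold_level;
-
 for (var item in jsonLastScanReportResp.results) {
 if (jsonLastScanReportResp.results[item].type == "sast") {
 for (var j in jsonLastScanReportResp.results[item].data.nodes) {
@@ -100,6 +110,8 @@ CheckmarxOneAppVulItemIntegration.prototype = Object.extendsObject(sn_vul.Applic
 if ((vulnerabilityCountThresholdLevel == 'LOW') ||
 (severity.toUpperCase() == 'HIGH') ||
 (severity.toUpperCase() == vulnerabilityCountThresholdLevel)) {
+var owasp = this._getOWASPTop10(jsonLastScanReportResp.results[item].vulnerabilityDetails.compliances);
+var sans = this._getSANSTop25(jsonLastScanReportResp.results[item].vulnerabilityDetails.compliances);
 SASTscanDetailedAll += '<result id="' + jsonLastScanReportResp.results[item].similarityId + '" scan_type="' + scan_type +
 '" cweId="' + jsonLastScanReportResp.results[item].vulnerabilityDetails.cweId +
 '" cweName="' + jsonLastScanReportResp.results[item].data.queryName +
@@ -120,25 +132,28 @@ CheckmarxOneAppVulItemIntegration.prototype = Object.extendsObject(sn_vul.Applic
 '" app_id="' + appId +
 '" branch="' + branch +
 '" last_scan_date="' + lastscandate +
+'" OWASPTop10="' + owasp +
+'" SANSTop25="' + sans +
+'" application_ids="' + applicationIdsStr +
 '" scan_id="' + 'sast' + scanId + '">' +
 '<references><' + '![CDATA[' + reference + ']]' + '></references>' +
 '<description><' + '![CDATA[' + jsonLastScanReportResp.results[item].description + ']]' + '></description></result>';
 }
 
 }
-if (jsonLastScanReportResp.results[item].type == "sca") {
+if (jsonLastScanReportResp.results[item].type == "sca" || jsonLastScanReportResp.results[item].type == "sca-container") {
 
 for (var k in jsonLastScanReportResp.results[item].data.packageData) {
 var url = jsonLastScanReportResp.results[item].data.packageData[k].url;
 ref += url + ', ';
 }
-
 var scaseverity = jsonLastScanReportResp.results[item].severity;
 
 if ((vulnerabilityCountThresholdLevel == 'LOW') ||
 (scaseverity.toUpperCase() == 'HIGH') ||
 (scaseverity.toUpperCase() == vulnerabilityCountThresholdLevel)) {
-SCAscanDetailedAll += '<result id="' + jsonLastScanReportResp.results[item].id + '" scan_type="' + jsonLastScanReportResp.results[item].type +
+SCAscanDetailedAll += '<result id="' + jsonLastScanReportResp.results[item].id +
+'" scan_type="' + 'sca' +
 '" cweId="' + jsonLastScanReportResp.results[item].vulnerabilityDetails.cweId +
 '" cweName="' + jsonLastScanReportResp.results[item].vulnerabilityDetails.cveName +
 '" cvssScore="' + jsonLastScanReportResp.results[item].vulnerabilityDetails.cvssScore +
@@ -159,12 +174,13 @@ CheckmarxOneAppVulItemIntegration.prototype = Object.extendsObject(sn_vul.Applic
 '" app_id="' + appId +
 '" branch="' + branch +
 '" last_scan_date="' + lastscandate +
+'" application_ids="' + applicationIdsStr +
 '" scan_id="' + 'sca' + scanId + '">' +
 '<references><' + '![CDATA[' + ref + ']]' + '></references>' +
 '<description><' + '![CDATA[' + jsonLastScanReportResp.results[item].description + ']]' + '></description></result>';
 }
 }
-
+// '" references="' + ref.replace(/</g, " ") +
 }
 if (includesca) {
 scanDetailedAll += SCAscanDetailedAll;
@@ -181,6 +197,44 @@ CheckmarxOneAppVulItemIntegration.prototype = Object.extendsObject(sn_vul.Applic
 return reportContent;
 },
 
+// Get all the OWASP Top 10 compliances as a concatenated string with comma.
+_getOWASPTop10: function(compliances) {
+var owasp = '';
+if (compliances != null) {
+for (var value in compliances) {
+var compliance = compliances[value].toString();
+var tempStr = compliance.toLowerCase();
+var containsStr = tempStr.indexOf('owasp top 10');
+if (containsStr != -1) {
+if (owasp == '')
+owasp += compliance;
+else
+owasp += ',' + compliance;
+}
+}
+}
+return owasp;
+},
+
+// Get all the SANS Top 25 compliances as a concatenated string with comma.
+_getSANSTop25: function(compliances) {
+var sans = '';
+if (compliances != null) {
+for (var value in compliances) {
+var compliance = compliances[value].toString();
+var tempStr = compliance.toLowerCase();
+var containsStr = tempStr.indexOf('sans top 25');
+if (containsStr != -1) {
+if (sans == '')
+sans += compliance;
+else
+sans += ',' + compliance;
+}
+}
+}
+return sans;
+},
+
 // Gets the integration parameters as a map
 _getParameters: function(parameters) {
 var params = {
@@ -275,6 +329,7 @@ CheckmarxOneAppVulItemIntegration.prototype = Object.extendsObject(sn_vul.Applic
 var offsets = [];
 var offset = 0;
 var ReportLength = this.UTIL.getTotalVulcount(this.IMPLEMENTATION, scanId);
+//gs.info("Report Length" + ReportLength);
 var loopLength = ReportLength / 50;
 //in result api offset value start from 0 and increment by 1, here it acts like page instead of number of item like other api
 for (var i = 0; i <= parseInt(loopLength); i++) {
@@ -336,10 +391,13 @@ CheckmarxOneAppVulItemIntegration.prototype = Object.extendsObject(sn_vul.Applic
 <sys_created_by>admin</sys_created_by>
 <sys_created_on>2022-11-21 12:06:20</sys_created_on>
 <sys_id>891d8fed471f1110328ca368436d4334</sys_id>
+<sys_mod_count>163</sys_mod_count>
 <sys_name>CheckmarxOneAppVulItemIntegration</sys_name>
 <sys_package display_value="Checkmarx One Vulnerability Integration" source="x_chec3_chexone">3d20e92d47471110328ca368436d436a</sys_package>
 <sys_policy/>
 <sys_scope display_value="Checkmarx One Vulnerability Integration">3d20e92d47471110328ca368436d436a</sys_scope>
 <sys_update_name>sys_script_include_891d8fed471f1110328ca368436d4334</sys_update_name>
+<sys_updated_by>[email protected]</sys_updated_by>
+<sys_updated_on>2023-08-29 05:30:33</sys_updated_on>
 </sys_script_include>
 </unload>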
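Review bot: `Object.keys(params.run)[0]` at new line 20 is evaluated before the existing `if (params.run)` guard at new line 43, so a parameter set without `run` now throws a TypeError from Object.keys instead of falling through to the `"<null/>"` default; the new block should carry the same guard, `if (params.run && Object.keys(params.run)[0]) {`. The scan-summary fetch and `JSON.parse` at new lines 27–28 also moved out of getDetailedReport's try/catch into retrieveData, so a failed or non-JSON response is no longer caught there; retrieveData's body continues past the hunk, so whether an outer handler covers it is not visible. `_getOWASPTop10` and `_getSANSTop25` at new lines 201–236 differ only in the search string and could share one `_getCompliancesMatching(compliances, needle)` helper returning the same comma-joined string. Their results, and `applicationIdsStr`, are interpolated into the `OWASPTop10`, `SANSTop25` and `application_ids` attributes at new lines 135–137 and 177 without XML escaping, following the existing attribute pattern; a compliance label or id containing `"` or `&` would produce an invalid report document rather than a rejected value.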
