CXFLW-1590 Fixed issue for Pr feedback false #1422


Merged: 1 commit, Feb 18, 2025

Conversation

satyamchaurasiapersistent (Contributor)

Description
Since version 1.7.01, when passing the argument --gitlab.scan-submitted-comment="false", instead of only disabling the MR comment that says "Scan submitted to checkmarx", it also disables the comment containing the scan summary. This contradicts the documentation and makes it impossible to disable only the scan-submitted comment. This is caused by this `if` that was added in ResultsService in version 1.7.01:

    case GITLABMERGE:
        // Both flags must be true for the whole block to run, so setting
        // scan-submitted-comment to false also skips the scan summary comment.
        if (gitLabService.isScanSubmittedComment() && request.getScanSubmittedComment()) {
            gitLabService.processMerge(request, results);
            gitLabService.endBlockMerge(request);
        }
Expected Behavior
When scan-submitted-comment is set to false, cxflow should still add the scan summary as a merge request comment but should not comment to say that a scan was submitted to checkmarx.

Actual Behavior
When scan-submitted-comment is set to false, cxflow does not comment in the merge request at all. It runs a scan and does nothing with the result.

Reproduction
Start from this template and modify checkmarx-scan-mr to send this argument to cxflow: --gitlab.scan-submitted-comment="false"

Run the merge request pipeline. cxflow will run but won't comment the scan summary on your merge request.

Environment Details
Tested on cxflow 1.7.06 with Java 17.
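The gate described above beside the behaviour the documentation calls for, as an added illustration that is not cxflow's own code: FakeGitLabService, buggy() and fixed() are assumptions, and only the method names isScanSubmittedComment, processMerge and endBlockMerge come from the quoted snippet.

```java
import java.util.ArrayList;
import java.util.List;

// Added example (assumed stand-in for the GitLab branch of ResultsService), not cxflow's code.
public class ScanSubmittedCommentGate {

    // Records the merge-request comments that would be posted, in order.
    static class FakeGitLabService {
        final boolean scanSubmittedComment;
        final List<String> comments = new ArrayList<>();
        FakeGitLabService(boolean flag) { scanSubmittedComment = flag; }
        boolean isScanSubmittedComment() { return scanSubmittedComment; }
        // Posted when the scan is submitted; this is the only comment the flag should control.
        void sendScanSubmittedComment() { if (scanSubmittedComment) comments.add("scan submitted"); }
        void processMerge() { comments.add("scan summary"); }
        void endBlockMerge() { comments.add("endBlockMerge"); }
    }

    /** 1.7.01 behaviour quoted above: the flag gates the whole results block, summary included. */
    static List<String> buggy(boolean flag) {
        FakeGitLabService gl = new FakeGitLabService(flag);
        gl.sendScanSubmittedComment();
        if (gl.isScanSubmittedComment()) {   // request.getScanSubmittedComment() folded into flag
            gl.processMerge();
            gl.endBlockMerge();
        }
        return gl.comments;
    }

    /** Documented behaviour: results are always posted; only the submitted notice is optional. */
    static List<String> fixed(boolean flag) {
        FakeGitLabService gl = new FakeGitLabService(flag);
        gl.sendScanSubmittedComment();
        gl.processMerge();
        gl.endBlockMerge();
        return gl.comments;
    }

    public static void main(String[] args) {
        for (boolean flag : new boolean[] {true, false}) {
            System.out.println("scan-submitted-comment=" + flag
                    + "  buggy=" + buggy(flag) + "  fixed=" + fixed(flag));
        }
        // Regression check for the report: with the flag off, the summary must still be posted.
        if (!fixed(false).contains("scan summary")) throw new AssertionError("summary suppressed");
        if (!buggy(false).isEmpty()) throw new AssertionError("model does not reproduce the report");
    }
}
```

With the flag off, buggy() returns an empty list (no comment at all, as reported) while fixed() still returns the summary and endBlockMerge entries.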

@cx-aviv-sevillia (Contributor)

Checkmarx One – Scan Summary & Details (scan 5b718edd-738b-40bb-93c2-29cd9571568f)

New Issues (6)

Checkmarx found the following issues in this Pull Request

| Severity | Issue | Source File / Package | Checkmarx Insight |
|---|---|---|---|
| CRITICAL | CVE-2024-50379 | Maven-org.apache.tomcat.embed:tomcat-embed-core-10.1.31 | Vulnerable Package |
| CRITICAL | CVE-2024-56337 | Maven-org.apache.tomcat.embed:tomcat-embed-core-10.1.31 | Vulnerable Package |
| MEDIUM | CVE-2024-12798 | Maven-ch.qos.logback:logback-core-1.4.14 | Vulnerable Package |
| MEDIUM | CVE-2024-12798 | Maven-ch.qos.logback:logback-classic-1.4.14 | Vulnerable Package |
| MEDIUM | CVE-2024-38828 | Maven-org.springframework:spring-webmvc-6.1.14 | Vulnerable Package |
| LOW | CVE-2024-12801 | Maven-ch.qos.logback:logback-core-1.4.14 | Vulnerable Package |
Fixed Issues (7)

Great job! The following issues were fixed in this Pull Request

| Severity | Issue | Source File / Package |
|---|---|---|
| MEDIUM | SSRF | /src/main/java/com/checkmarx/flow/controller/FlowController.java: 83 |
| MEDIUM | SSRF | /src/main/java/com/checkmarx/flow/controller/FlowController.java: 83 |
| MEDIUM | SSRF | /src/main/java/com/checkmarx/flow/controller/FlowController.java: 83 |
| MEDIUM | SSRF | /src/main/java/com/checkmarx/flow/controller/FlowController.java: 83 |
| MEDIUM | SSRF | /src/main/java/com/checkmarx/flow/controller/FlowController.java: 83 |
| MEDIUM | SSRF | /src/main/java/com/checkmarx/flow/controller/FlowController.java: 72 |
| MEDIUM | SSRF | /src/main/java/com/checkmarx/flow/controller/FlowController.java: 75 |

@itsKedar itsKedar self-requested a review February 18, 2025 06:57
@satyamchaurasiapersistent satyamchaurasiapersistent merged commit a91f2c4 into develop Feb 18, 2025
10 of 14 checks passed