Merge pull request #3824 from mercedes-benz/feature-2078-gha-execute-define-false-positives-before-scan-starts

Add defineFalsePositives step to GH action before scan execution #2078

Author: winzj

github-actions/scan/README.adoc

@@ -79,6 +79,9 @@ To be able to use this action you need a SecHub project. Check the https://merce
     # OPTIONAL: job (pipeline) will be marked as failed if SecHub finds something
     # DEFAULT: true
     fail-job-with-findings: true
+
+    # OPTIONAL: File that defines false positives. This step is executed before the scan. The SecHub cli defineFalsePositives overwrites the false positives on SecHub side with the ones defined in this file. Uses the SecHub cli getFalsePositives to get the current false positives and extend the returned false positive list.
+    define-false-positives: 'sechub-false-positives.json'
 ----
 
 [IMPORTANT]

github-actions/scan/__test__/integrationtest.test.ts

@@ -10,6 +10,7 @@ import { getFieldFromJson } from '../src/json-helper';
 import * as launcher from '../src/launcher';
 import { LaunchContext } from '../src/launcher';
 import { IntegrationTestContext } from './integrationtest/testframework';
+import { defineFalsePositives } from '../src/sechub-cli';
 jest.mock('@actions/core');
 jest.mock('@actions/artifact');
 
@@ -321,6 +322,40 @@ describe('integrationtest non-generated config', () => {
 
 });
 
+describe('integrationtest define-false-positives generated config', () => {
+    
+    test('codescan first red then result is green after define-false-positives is executed', async () => {
+
+        /* prepare */
+        initInputMap();
+        mockedInputMap.set(input.PARAM_INCLUDED_FOLDERS, '__test__/integrationtest/test-sources');
+        mockedInputMap.set(input.PARAM_PROJECT_NAME, 'test-project-7');
+        
+        /* execute */
+        const result1 = await launcher.launch();
+
+        /* test */
+        assertTrafficLight(result1, 'RED');
+        assertLastClientExitCode(result1, 1);
+        assertUploadDone();
+
+        /* prepare 2 */
+        const defineFalsePositivesFile = createDefineFalsePositivesFile(result1);
+        mockedInputMap.set(input.PARAM_DEFINE_FALSE_POSITIVES, defineFalsePositivesFile);
+
+        /* execute 2 */
+        const result2 = await launcher.launch();
+
+        /* test 2 */
+        assertLastClientExitCode(result2, 0);
+        assertTrafficLight(result2, 'GREEN');
+        assertUploadDone();
+
+        /* clean up */
+        deleteFile(defineFalsePositivesFile);
+    });
+
+});
 
 function assertActionIsMarkedAsFailed(){
     expect(setFailed).toHaveBeenCalledTimes(1);
@@ -376,3 +411,17 @@ function loadSpdxJsonReportAndAssertItContains(context: LaunchContext, textPart:
 
     expect(spdxJson).toContain(textPart);
 }
+
+function createDefineFalsePositivesFile(context: LaunchContext): string {
+    const defineFalsePositivesJson = `{"apiVersion":"1.0","type":"falsePositiveDataList","jobData":[{"jobUUID":"${context.jobUUID}","findingId":1}]}`
+    const fileName = "defineFalsePositivesFile.json";
+    const filePath = `./${fileName}`;
+    fs.writeFileSync(filePath, defineFalsePositivesJson);
+    return filePath;
+}
+
+function deleteFile(file: string) {
+    if (fs.existsSync(file)) {
+        fs.unlinkSync(file);
+      }
+}

github-actions/scan/__test__/integrationtest/03-init_sechub_data.sh

@@ -81,5 +81,6 @@ createData 3 codescan red
 createData 4 webscan red
 createData 5 secretscan yellow
 createData 6 licensescan green
+createData 7 codescan red-def-fp
 
 ./sechub-api.sh project_set_whitelist_uris test-project-4 https://vulnerable.demo.example.com

github-actions/scan/__test__/integrationtest/test-config/executor-codescan-red-def-fp.json

@@ -0,0 +1,39 @@
+{
+    "name": "executor-codescan-red-def-fp",
+    "productIdentifier": "PDS_CODESCAN",
+    "setup": {
+        "baseURL": "https://localhost:8444",
+        "credentials": {
+            "user": "pds-inttest-techuser",
+            "password": "pds-inttest-apitoken"
+        },
+        "jobParameters": [
+            {
+                "key": "sechub.productexecutor.pds.timetowait.nextcheck.milliseconds",
+                "value": "500"
+            },
+            {
+                "key": "sechub.productexecutor.pds.trustall.certificates",
+                "value": "true"
+            },
+            {
+                "key": "pds.mocking.disabled",
+                "value": "true"
+            },
+            {
+                "key": "pds.config.productidentifier",
+                "value": "codescan_demo_red_def_fp"
+            },
+            {
+                "key": "pds.config.use.sechub.storage",
+                "value": "true"
+            },
+            {
+                "key": "pds.config.supported.datatypes",
+                "value": "SOURCE"
+            }
+        ]
+    },
+    "executorVersion": 1,
+    "enabled": true
+}

github-actions/scan/__test__/integrationtest/test-config/gha_integrationtest_pds-config.json

@@ -20,6 +20,12 @@
       "scanType": "codeScan",
       "description": "This is only a fake code scan - used by integration tests. The code scan will just return one high vulnerability"
     },
+    {
+      "id": "codescan_demo_red_def_fp",
+      "path": "./__test__/integrationtest/test-scripts/pds-codescan-demo-red-define-false-positives.sh",
+      "scanType": "codeScan",
+      "description": "This is only a fake code scan - used by integration tests. The code scan will just return one high vulnerability, which is used for false positives handling."
+    },
     {
       "id": "webscan_demo_red",
       "path": "./__test__/integrationtest/test-scripts/pds-webscan-demo-red.sh",

github-actions/scan/__test__/integrationtest/test-product-output/example-codescan-sarif-output-red.json

@@ -0,0 +1,57 @@
+{
+    "version": "2.1.0",
+    "$schema": "http://json.schemastore.org/sarif-2.1.0-rtm.4",
+    "runs": [
+      {
+        "tool": {
+          "driver": {
+            "name": "ESLint",
+            "informationUri": "https://eslint.org",
+            "rules": [
+              {
+                "id": "no-unused-vars",
+                "shortDescription": {
+                  "text": "disallow unused variables"
+                },
+                "helpUri": "https://eslint.org/docs/rules/no-unused-vars",
+                "properties": {
+                  "category": "Variables"
+                }
+              }
+            ]
+          }
+        },
+        "artifacts": [
+          {
+            "location": {
+              "uri": "file:///C:/dev/sarif/sarif-tutorials/samples/Introduction/simple-example.js"
+            }
+          }
+        ],
+        "results": [
+          {
+            "level": "error",
+            "message": {
+              "text": "'x' is assigned a value but never used."
+            },
+            "locations": [
+              {
+                "physicalLocation": {
+                  "artifactLocation": {
+                    "uri": "file:///C:/dev/sarif/sarif-tutorials/samples/Introduction/simple-example.js",
+                    "index": 0
+                  },
+                  "region": {
+                    "startLine": 1,
+                    "startColumn": 5
+                  }
+                }
+              }
+            ],
+            "ruleId": "no-unused-vars",
+            "ruleIndex": 0
+          }
+        ]
+      }
+    ]
+  }

github-actions/scan/__test__/integrationtest/test-scripts/pds-codescan-demo-red-define-false-positives.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+# SPDX-License-Identifier: MIT
+
+cat "__test__/integrationtest/test-product-output/example-codescan-sarif-output-red.json" > "${PDS_JOB_RESULT_FILE}"

github-actions/scan/__test__/sechub-cli.test.ts

@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: MIT
 
-import {extractJobUUID, getReport, scan} from '../src/sechub-cli';
+import {defineFalsePositives, extractJobUUID, getReport, scan} from '../src/sechub-cli';
 import {execFileSync} from 'child_process';
 import {sanitize} from "../src/shell-arg-sanitizer";
 
@@ -220,4 +220,47 @@ describe('getReport', function () {
         expect(sanitize).toBeCalledWith('json');
     });
 
+});
+
+describe('defineFalsePositives', function () {
+
+    it('sanitizes shell arguments', () => {
+        /* prepare */
+        const context: any = {
+            clientExecutablePath: '/path/to/sechub-cli',
+            projectName: 'project-name',
+            defineFalsePositivesFile: '/path/to/define-false-positive-file'
+        };
+        (sanitize as jest.Mock).mockImplementation((arg) => {
+            return arg;
+        });
+
+        /* execute */
+        defineFalsePositives(context);
+
+        /* test */
+        expect(sanitize).toBeCalledTimes(3);
+        expect(sanitize).toBeCalledWith('/path/to/sechub-cli');
+        expect(sanitize).toBeCalledWith('project-name');
+        expect(sanitize).toBeCalledWith('/path/to/define-false-positive-file');
+    });
+
+
+    it.each([null, undefined, ''])('context.lastClientExitCode is 0 when defineFalsePositivesFile is %s', (file) => {
+        /* prepare */
+        const context: any = {
+            defineFalsePositivesFile: file
+        };
+        (sanitize as jest.Mock).mockImplementation((arg) => {
+            return arg;
+        });
+
+        /* execute */
+        defineFalsePositives(context);
+
+        /* test */
+        expect(sanitize).toBeCalledTimes(0);
+        expect(context.lastClientExitCode).toBe(0);
+        expect(context.defineFalsePositivesFile).toBe(file);
+    });
 });

github-actions/scan/action.yml

@@ -57,6 +57,9 @@ inputs:
     description: 'Job will be marked as failed if SecHub finds something'
     required: false
     default: true
+  define-false-positives:
+    description: 'The file that defines false positives. This step is executed before the scan. The SecHub cli defineFalsePositives overwrites the false positives on SecHub side with the ones defined in this file. Uses the SecHub cli getFalsePositives to get the current false positives and extend the returned false positive list.'
+    required: false
 
 outputs:
   scan-trafficlight:
@@ -115,6 +118,7 @@ runs:
         trust-all: ${{ inputs.trust-all }}
         debug: ${{ inputs.debug }}
         fail-job-with-findings: ${{ inputs.fail-job-with-findings }}
+        define-false-positives: ${{ inputs.define-false-positives }}
         ACTIONS_RUNTIME_TOKEN: ${{ env.ACTIONS_RUNTIME_TOKEN }}
         ACTIONS_RUNTIME_URL: ${{ env.ACTIONS_RUNTIME_URL }}
         ACTIONS_CACHE_URL: ${{ env.ACTIONS_CACHE_URL }}

github-actions/scan/dist/index.js

@@ -28120,6 +28120,7 @@ const PARAM_FAIL_JOB_ON_FINDING = 'fail-job-with-findings';
 const PARAM_TRUST_ALL = 'trust-all';
 const PARAM_SCAN_TYPES = 'scan-types';
 const PARAM_CONTENT_TYPE = 'content-type';
+const PARAM_DEFINE_FALSE_POSITIVES = 'define-false-positives';
 const INPUT_DATA_DEFAULTS = {
     configPath: '',
     url: '',
@@ -28136,6 +28137,7 @@ const INPUT_DATA_DEFAULTS = {
     trustAll: '',
     scanTypes: '',
     contentType: '',
+    defineFalsePositives: '',
 };
 function resolveGitHubInputData() {
     return {
@@ -28154,6 +28156,7 @@ function resolveGitHubInputData() {
         trustAll: getParam(PARAM_TRUST_ALL),
         scanTypes: getParam(PARAM_SCAN_TYPES),
         contentType: getParam(PARAM_CONTENT_TYPE),
+        defineFalsePositives: getParam(PARAM_DEFINE_FALSE_POSITIVES),
     };
 }
 /**
@@ -28401,6 +28404,40 @@ function getReport(jobUUID, reportFormat, context) {
         context.lastClientExitCode = error.status;
     }
 }
+/**
+ * Executes the defineFalsePositives method of the SecHub CLI. Sets the client exitcode inside context.
+ * @param context launch context
+ */
+function defineFalsePositives(context) {
+    if (!context.defineFalsePositivesFile) {
+        core.info("No define-false-positive file was specified. Skipping step defineFalsePositives...");
+        context.lastClientExitCode = 0;
+        return;
+    }
+    const clientExecutablePath = sanitize(context.clientExecutablePath);
+    const projectIdValue = sanitize(context.projectName);
+    const defineFalsePositivesFile = sanitize(context.defineFalsePositivesFile);
+    try {
+        const output = (0,external_child_process_.execFileSync)(clientExecutablePath, ['-project', projectIdValue, '-file', defineFalsePositivesFile, 'defineFalsePositives'], {
+            env: {
+                SECHUB_SERVER: process.env.SECHUB_SERVER,
+                SECHUB_USERID: process.env.SECHUB_USERID,
+                SECHUB_APITOKEN: process.env.SECHUB_APITOKEN,
+                SECHUB_PROJECT: process.env.SECHUB_PROJECT,
+                SECHUB_DEBUG: process.env.SECHUB_DEBUG,
+                SECHUB_TRUSTALL: process.env.SECHUB_TRUSTALL,
+            },
+            encoding: 'utf-8'
+        });
+        core.info('defineFalsePositives executed successfully');
+        context.lastClientExitCode = 0;
+    }
+    catch (error) {
+        core.error(`Error executing defineFalsePositives command: ${error.message}`);
+        core.error(`Standard error: ${error.stderr}`);
+        context.lastClientExitCode = error.status;
+    }
+}
 
 ;// CONCATENATED MODULE: ./src/json-helper.ts
 // SPDX-License-Identifier: MIT
@@ -46125,13 +46162,20 @@ async function getRedirectUrl(url) {
 
 
 
+
 /**
  * Starts the launch process
  * @returns launch context
  */
 async function launch() {
     const context = await createContext();
     await init(context);
+    executeDefineFalsePositives(context);
+    if (context.lastClientExitCode > 0) {
+        // In case of an error during the defineFalsePositives step, we fail the action here!
+        failAction(context.lastClientExitCode);
+        return context;
+    }
     executeScan(context);
     await postScan(context);
     return context;
@@ -46151,7 +46195,8 @@ const LAUNCHER_CONTEXT_DEFAULTS = {
     workspaceFolder: '',
     secHubReportJsonObject: undefined,
     secHubReportJsonFileName: '',
-    trafficLight: 'OFF'
+    trafficLight: 'OFF',
+    defineFalsePositivesFile: '',
 };
 /**
  * Creates the initial launch context
@@ -46188,7 +46233,8 @@ async function createContext() {
         secHubJsonFilePath: generatedSecHubJsonFilePath,
         workspaceFolder: workspaceFolder,
         trafficLight: LAUNCHER_CONTEXT_DEFAULTS.trafficLight,
-        debug: gitHubInputData.debug == 'true'
+        debug: gitHubInputData.debug == 'true',
+        defineFalsePositivesFile: gitHubInputData.defineFalsePositives,
     };
 }
 function createSafeBuilderData(gitHubInputData) {
@@ -46212,6 +46258,14 @@ function executeScan(context) {
     scan(context);
     logExitCode(context.lastClientExitCode);
 }
+/**
+ * Executes defineFalsePositive action of the SecHub GO client.
+ * @param context launch context
+ */
+function executeDefineFalsePositives(context) {
+    defineFalsePositives(context);
+    logExitCode(context.lastClientExitCode);
+}
 async function postScan(context) {
     core.debug(`postScan(1): context.lastExitCode=${context.lastClientExitCode}`);
     if (context.lastClientExitCode > 1) {