Merge pull request #3873 from mercedes-benz/develop

Merge `develop` into `master` for release

Author: sven-dmlr

github-actions/scan/README.adoc

@@ -79,6 +79,12 @@ To be able to use this action you need a SecHub project. Check the https://merce
     # OPTIONAL: job (pipeline) will be marked as failed if SecHub finds something
     # DEFAULT: true
     fail-job-with-findings: true
+
+    # OPTIONAL: The file that defines false positives.
+    #           This step is executed before the scan.
+    #           The action defineFalsePositives overwrites all previously marked false positives on SecHub side with the ones defined in this file.
+    #           You can use the SecHub client action getFalsePositives to get the current false positives and extend the returned false positive list.
+    define-false-positives: 'sechub-false-positives.json'
 ----
 
 [IMPORTANT]

github-actions/scan/__test__/integrationtest.test.ts

@@ -10,6 +10,7 @@ import { getFieldFromJson } from '../src/json-helper';
 import * as launcher from '../src/launcher';
 import { LaunchContext } from '../src/launcher';
 import { IntegrationTestContext } from './integrationtest/testframework';
+import { defineFalsePositives } from '../src/sechub-cli';
 jest.mock('@actions/core');
 jest.mock('@actions/artifact');
 
@@ -321,6 +322,40 @@ describe('integrationtest non-generated config', () => {
 
 });
 
+describe('integrationtest define-false-positives generated config', () => {
+    
+    test('codescan first red then result is green after define-false-positives is executed', async () => {
+
+        /* prepare */
+        initInputMap();
+        mockedInputMap.set(input.PARAM_INCLUDED_FOLDERS, '__test__/integrationtest/test-sources');
+        mockedInputMap.set(input.PARAM_PROJECT_NAME, 'test-project-7');
+        
+        /* execute */
+        const result1 = await launcher.launch();
+
+        /* test */
+        assertTrafficLight(result1, 'RED');
+        assertLastClientExitCode(result1, 1);
+        assertUploadDone();
+
+        /* prepare 2 */
+        const defineFalsePositivesFile = createDefineFalsePositivesFile(result1);
+        mockedInputMap.set(input.PARAM_DEFINE_FALSE_POSITIVES, defineFalsePositivesFile);
+
+        /* execute 2 */
+        const result2 = await launcher.launch();
+
+        /* test 2 */
+        assertLastClientExitCode(result2, 0);
+        assertTrafficLight(result2, 'GREEN');
+        assertUploadDone();
+
+        /* clean up */
+        deleteFile(defineFalsePositivesFile);
+    });
+
+});
 
 function assertActionIsMarkedAsFailed(){
     expect(setFailed).toHaveBeenCalledTimes(1);
@@ -376,3 +411,17 @@ function loadSpdxJsonReportAndAssertItContains(context: LaunchContext, textPart:
 
     expect(spdxJson).toContain(textPart);
 }
+
+function createDefineFalsePositivesFile(context: LaunchContext): string {
+    const defineFalsePositivesJson = `{"apiVersion":"1.0","type":"falsePositiveDataList","jobData":[{"jobUUID":"${context.jobUUID}","findingId":1}]}`
+    const fileName = "defineFalsePositivesFile.json";
+    const filePath = `./${fileName}`;
+    fs.writeFileSync(filePath, defineFalsePositivesJson);
+    return filePath;
+}
+
+function deleteFile(file: string) {
+    if (fs.existsSync(file)) {
+        fs.unlinkSync(file);
+      }
+}

github-actions/scan/__test__/integrationtest/03-init_sechub_data.sh

@@ -81,5 +81,6 @@ createData 3 codescan red
 createData 4 webscan red
 createData 5 secretscan yellow
 createData 6 licensescan green
+createData 7 codescan red-def-fp
 
 ./sechub-api.sh project_set_whitelist_uris test-project-4 https://vulnerable.demo.example.com

github-actions/scan/__test__/integrationtest/test-config/executor-codescan-red-def-fp.json

@@ -0,0 +1,39 @@
+{
+    "name": "executor-codescan-red-def-fp",
+    "productIdentifier": "PDS_CODESCAN",
+    "setup": {
+        "baseURL": "https://localhost:8444",
+        "credentials": {
+            "user": "pds-inttest-techuser",
+            "password": "pds-inttest-apitoken"
+        },
+        "jobParameters": [
+            {
+                "key": "sechub.productexecutor.pds.timetowait.nextcheck.milliseconds",
+                "value": "500"
+            },
+            {
+                "key": "sechub.productexecutor.pds.trustall.certificates",
+                "value": "true"
+            },
+            {
+                "key": "pds.mocking.disabled",
+                "value": "true"
+            },
+            {
+                "key": "pds.config.productidentifier",
+                "value": "codescan_demo_red_def_fp"
+            },
+            {
+                "key": "pds.config.use.sechub.storage",
+                "value": "true"
+            },
+            {
+                "key": "pds.config.supported.datatypes",
+                "value": "SOURCE"
+            }
+        ]
+    },
+    "executorVersion": 1,
+    "enabled": true
+}

github-actions/scan/__test__/integrationtest/test-config/gha_integrationtest_pds-config.json

@@ -20,6 +20,12 @@
       "scanType": "codeScan",
       "description": "This is only a fake code scan - used by integration tests. The code scan will just return one high vulnerability"
     },
+    {
+      "id": "codescan_demo_red_def_fp",
+      "path": "./__test__/integrationtest/test-scripts/pds-codescan-demo-red-define-false-positives.sh",
+      "scanType": "codeScan",
+      "description": "This is only a fake code scan - used by integration tests. The code scan will just return one high vulnerability, which is used for false positives handling."
+    },
     {
       "id": "webscan_demo_red",
       "path": "./__test__/integrationtest/test-scripts/pds-webscan-demo-red.sh",

github-actions/scan/__test__/integrationtest/test-product-output/example-codescan-sarif-output-red.json

@@ -0,0 +1,57 @@
+{
+    "version": "2.1.0",
+    "$schema": "http://json.schemastore.org/sarif-2.1.0-rtm.4",
+    "runs": [
+      {
+        "tool": {
+          "driver": {
+            "name": "ESLint",
+            "informationUri": "https://eslint.org",
+            "rules": [
+              {
+                "id": "no-unused-vars",
+                "shortDescription": {
+                  "text": "disallow unused variables"
+                },
+                "helpUri": "https://eslint.org/docs/rules/no-unused-vars",
+                "properties": {
+                  "category": "Variables"
+                }
+              }
+            ]
+          }
+        },
+        "artifacts": [
+          {
+            "location": {
+              "uri": "file:///C:/dev/sarif/sarif-tutorials/samples/Introduction/simple-example.js"
+            }
+          }
+        ],
+        "results": [
+          {
+            "level": "error",
+            "message": {
+              "text": "'x' is assigned a value but never used."
+            },
+            "locations": [
+              {
+                "physicalLocation": {
+                  "artifactLocation": {
+                    "uri": "file:///C:/dev/sarif/sarif-tutorials/samples/Introduction/simple-example.js",
+                    "index": 0
+                  },
+                  "region": {
+                    "startLine": 1,
+                    "startColumn": 5
+                  }
+                }
+              }
+            ],
+            "ruleId": "no-unused-vars",
+            "ruleIndex": 0
+          }
+        ]
+      }
+    ]
+  }

github-actions/scan/__test__/integrationtest/test-scripts/pds-codescan-demo-red-define-false-positives.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+# SPDX-License-Identifier: MIT
+
+cat "__test__/integrationtest/test-product-output/example-codescan-sarif-output-red.json" > "${PDS_JOB_RESULT_FILE}"

github-actions/scan/__test__/sechub-cli.test.ts

@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: MIT
 
-import {extractJobUUID, getReport, scan} from '../src/sechub-cli';
+import {defineFalsePositives, extractJobUUID, getReport, scan} from '../src/sechub-cli';
 import {execFileSync} from 'child_process';
 import {sanitize} from "../src/shell-arg-sanitizer";
 
@@ -220,4 +220,47 @@ describe('getReport', function () {
         expect(sanitize).toBeCalledWith('json');
     });
 
+});
+
+describe('defineFalsePositives', function () {
+
+    it('sanitizes shell arguments', () => {
+        /* prepare */
+        const context: any = {
+            clientExecutablePath: '/path/to/sechub-cli',
+            projectName: 'project-name',
+            defineFalsePositivesFile: '/path/to/define-false-positive-file'
+        };
+        (sanitize as jest.Mock).mockImplementation((arg) => {
+            return arg;
+        });
+
+        /* execute */
+        defineFalsePositives(context);
+
+        /* test */
+        expect(sanitize).toBeCalledTimes(3);
+        expect(sanitize).toBeCalledWith('/path/to/sechub-cli');
+        expect(sanitize).toBeCalledWith('project-name');
+        expect(sanitize).toBeCalledWith('/path/to/define-false-positive-file');
+    });
+
+
+    it.each([null, undefined, ''])('context.lastClientExitCode is 0 when defineFalsePositivesFile is %s', (file) => {
+        /* prepare */
+        const context: any = {
+            defineFalsePositivesFile: file
+        };
+        (sanitize as jest.Mock).mockImplementation((arg) => {
+            return arg;
+        });
+
+        /* execute */
+        defineFalsePositives(context);
+
+        /* test */
+        expect(sanitize).toBeCalledTimes(0);
+        expect(context.lastClientExitCode).toBe(0);
+        expect(context.defineFalsePositivesFile).toBe(file);
+    });
 });

github-actions/scan/action.yml

@@ -57,6 +57,9 @@ inputs:
     description: 'Job will be marked as failed if SecHub finds something'
     required: false
     default: true
+  define-false-positives:
+    description: 'The file that defines false positives. This step is executed before the scan. The action defineFalsePositives overwrites all previously marked false positives on SecHub side with the ones defined in this file. You can use the SecHub client action getFalsePositives to get the current false positives and extend the returned false positive list.'
+    required: false
 
 outputs:
   scan-trafficlight:
@@ -115,6 +118,7 @@ runs:
         trust-all: ${{ inputs.trust-all }}
         debug: ${{ inputs.debug }}
         fail-job-with-findings: ${{ inputs.fail-job-with-findings }}
+        define-false-positives: ${{ inputs.define-false-positives }}
         ACTIONS_RUNTIME_TOKEN: ${{ env.ACTIONS_RUNTIME_TOKEN }}
         ACTIONS_RUNTIME_URL: ${{ env.ACTIONS_RUNTIME_URL }}
         ACTIONS_CACHE_URL: ${{ env.ACTIONS_CACHE_URL }}