Merge pull request #138 from jenkinsci/June-integration-2023

Release 2023.2.6 changes

build.gradle

@@ -53,10 +53,11 @@ dependencies {
         exclude group: 'org.apache.logging.log4j', module: 'log4j-core'
     }
 
-    compile ('com.checkmarx:cx-client-common:2022.4.3') {
+    compile ('com.checkmarx:cx-client-common:2023.2.5') {
        exclude group: 'org.apache.commons', module: 'commons-compress'
        exclude group: 'org.yaml' , module: 'snakeyaml'
        exclude group: 'com.google.code.gson', module: 'gson'
+        exclude group: 'org.json', module: 'json'
     }
 
     compile 'com.fasterxml.jackson.core:jackson-core:2.11.3',
@@ -70,7 +71,9 @@ dependencies {
             'org.apache.logging.log4j:log4j-core:2.17.1',
             'org.apache.commons:commons-compress:1.22',
             'com.google.code.gson:gson:2.8.9',           
-            'org.yaml:snakeyaml:1.33'
+            'org.yaml:snakeyaml:1.33',
+            'org.json:json:20230227'
+
             constraints {
                 implementation('io.vertx:vertx-web:3.9.7') {
                     because 'previous versions have a bug impacting this application'

gradle.properties

@@ -1,6 +1,6 @@
 description = Provides automatic scan of code by Checkmarx server and shows results summary and trend in Jenkins interface.
 group = com.checkmarx.jenkins
-version = 2022.4.3
+version = 2023.2.6
 
 repositoryVersion=
 

src/main/java/com/checkmarx/jenkins/CxScanResult.java

@@ -58,6 +58,8 @@ public class CxScanResult implements Action {
 
     private File pdfReport;
     public static final String PDF_REPORT_NAME = "ScanReport.pdf";
+
+    public static final String SCA_PDF_REPORT_NAME = "ScaPdfReport.pdf";
     private boolean osaSuccessful; //osa fails flag for jelly
 
     private String htmlReportName;
@@ -233,6 +235,18 @@ public void doPdfReport(StaplerRequest req, StaplerResponse rsp) throws IOExcept
         outputStream.close();
     }
 
+	public void doScaPdfReport(StaplerRequest req, StaplerResponse rsp) throws IOException {
+		rsp.setContentType("application/pdf");
+		ServletOutputStream outputStream = rsp.getOutputStream();
+		File buildDirectory = owner.getRootDir();
+		File b = new File(buildDirectory, "/checkmarx/" + SCA_PDF_REPORT_NAME);
+
+		IOUtils.copy(b, outputStream);
+
+		outputStream.flush();
+		outputStream.close();
+	}
+
     static String resolveHTMLReportName(boolean sastEnabled, ScannerType dependencyScanner) {
         final String POSTFIX = ".html";
         String result = "Report";

src/main/java/com/checkmarx/jenkins/DependencyScanConfig.java

@@ -77,6 +77,9 @@ public class DependencyScanConfig {
     @DataBoundSetter
     public Integer scaTimeout;
 
+    @DataBoundSetter
+    public boolean generateScaReport;
+
     @DataBoundSetter
     public boolean isIncludeSources;
 
@@ -89,6 +92,15 @@ public class DependencyScanConfig {
     @DataBoundSetter
     public String scaResolverAddParameters;
 
+    @DataBoundSetter
+    public String globalScaResolverAddParameters;
+
+    @DataBoundSetter
+    public boolean isExploitablePathByScaResolver;
+
+    @DataBoundSetter
+    public boolean isGlobalExploitablePathByScaResolver;
+
     @DataBoundSetter
     public String fsaVariables;
 
@@ -98,4 +110,4 @@ public class DependencyScanConfig {
     @DataBoundConstructor
     public DependencyScanConfig() {
     }
-}
+}

src/main/java/com/checkmarx/jenkins/ScaReportFormat.java

@@ -0,0 +1,15 @@
+package com.checkmarx.jenkins;
+
+public enum ScaReportFormat {
+	PDF("PDF"), XML("XML"), CSV("CSV"), JSON("JSON"), cyclonedxjson("cyclonedxjson"), cyclonedxxml("cyclonedxxml");
+
+	private final String displayName;
+
+	ScaReportFormat(String displayName) {
+		this.displayName = displayName;
+	}
+
+	public String getDisplayName() {
+		return displayName;
+	}
+}

src/main/resources/com/checkmarx/jenkins/CxScanBuilder/config.jelly

@@ -62,7 +62,19 @@
         <f:entry title="Preset" field="preset">
             <f:select />
         </f:entry>
-
+        <j:choose>
+        <j:when test="${descriptor.enableDataRetention}">
+        <f:optionalBlock title="Override global scan retention settings" name="overrideGlobalRetentionRate"
+                         checked="${instance.overrideGlobalRetentionRate}" inline="true">
+                    <f:entry title="Scan Retention rate (number of scan)" field="projectRetentionRate">
+                        <f:number clazz="number" min="0" max="10000" step="1" default="${descriptor.projectRetentionRateEnforce}" checkMethod="POST" />
+                    </f:entry>
+        </f:optionalBlock>
+        </j:when>
+        <j:otherwise>
+            <f:description>Global settings option for Data Retention is disabled</f:description>
+        </j:otherwise>
+        </j:choose>
          <!-- GLOBAL INCLUDE\EXCLUDE -->
         <f:radioBlock checked="${instance == null || instance.exclusionsSetting == null || instance.exclusionsSetting.equals('global')}" inline="true"
             name="exclusionsSetting" title="Use Global Include/Exclude Settings" value="global">
@@ -128,8 +140,6 @@
         <f:optionalBlock title="Enable Override Project Setting" inline="true" field="overrideProjectSetting" checked="${instance==null?false:instance.overrideProjectSetting}" />                     
     </f:optionalBlock>
     <f:optionalBlock title="Skip scan if triggered by SCM Changes" inline="true" field="skipSCMTriggers" />
-
-
     <f:section title="Dependency Scan" />
     <f:optionalBlock title="Enable dependency scan" field="dependencyScanConfig"
                      checked="${instance.dependencyScanConfig != null}">
@@ -200,9 +210,10 @@
                         <f:entry title="Path to SCA Resolver" field="pathToScaResolver">
                             <f:textbox value="${instance.dependencyScanConfig.pathToScaResolver}" />
                         </f:entry>
-
+                        <f:optionalBlock title="Enable Exploitable Path" field="isExploitablePathByScaResolver" inline="true"  checked="${instance.dependencyScanConfig.isExploitablePathByScaResolver}">
+                        </f:optionalBlock>
                         <f:entry title="SCA Resolver Additional Parameters" field="scaResolverAddParameters">
-                             <f:textarea value="${instance.dependencyScanConfig.scaResolverAddParameters}" />
+                            <f:textarea value="${instance.dependencyScanConfig.scaResolverAddParameters}" />
                         </f:entry>
                     </f:radioBlock>
                     <f:radioBlock checked="${instance.dependencyScanConfig.enableScaResolver == null || instance.dependencyScanConfig.enableScaResolver == 'MANIFEST'}" inline="true"
@@ -311,6 +322,15 @@
                     <!-- -= Generate PDF report =- -->
                     <f:optionalBlock title="Generate CxSAST PDF report" inline="true" field="generatePdfReport" />
 
+					<!-- -= generateScaReport =- -->
+                	<f:optionalBlock title="Generate CxSCA report" inline="true" field="generateScaReport" checkMethod="POST"
+                	checked="${instance.generateScaReport &amp;&amp; instance.dependencyScanConfig.dependencyScannerType == 'SCA'}">
+
+                		<f:entry name="scaReportFormat" title="Report Format:" field="scaReportFormat">
+            			<f:enum field="scaReportFormat">${it.displayName}</f:enum>
+            			</f:entry>
+           			</f:optionalBlock>
+
                     <!-- -= enableProjectPolicyEnforcement =- -->
                     <f:optionalBlock title="Enable Project's policy enforcement" inline="true" field="enableProjectPolicyEnforcement" />
 
@@ -422,4 +442,4 @@
         </j:choose>
         <f:optionalBlock title="Hide Debug Logs" inline="true" field="hideDebugLogs" checked="${instance==null?descriptor.hideDebugLogs:instance.hideDebugLogs}" />        
     </f:section>
-</j:jelly>
+</j:jelly>

src/main/resources/com/checkmarx/jenkins/CxScanBuilder/global.jelly

@@ -42,7 +42,7 @@
         <f:optionalBlock title="Use Jenkins proxy" inline="true" field="isProxy" />
 
 		<f:validateButton title="Test Connection" progress="Testing..." method="testConnection"
-			with="isProxy,serverUrl,username,password,timestamp,credentialsId" />
+			with="enableCertificateValidation,isProxy,serverUrl,username,password,timestamp,credentialsId" />
 
         <f:entry title="Maven Path" field="mvnPath">
             <f:textbox/>
@@ -56,6 +56,7 @@
             <f:textbox/>
         </f:entry>
 
+
         <f:entry title="Default Include/Exclude wildcard patterns" field="filterPattern">
             <f:textarea default="${descriptor.DEFAULT_FILTER_PATTERNS}"/>
         </f:entry>
@@ -168,6 +169,24 @@
                     <f:validateButton title="Test Connection" progress="Testing..." method="testScaConnection"
                                       with="scaServerUrl,scaAccessControlUrl,scaCredentialsId,scaTenant,scaTimeout,timestamp,isProxy"/>
                 </f:nested>
+                 <f:radioBlock checked="${descriptor.dependencyScanConfig.enableScaResolver == null || descriptor.dependencyScanConfig.enableScaResolver == 'SCA_RESOLVER'}" inline="true"
+                                    name="enableScaResolver" title="Perform SCA scan using dependency resolution by SCA Resolver tool."
+                                    value="SCA_RESOLVER">
+                  <!-- Sca Resolver Fields-->
+                        <f:entry title="Path to SCA Resolver" field="pathToScaResolver">
+                            <f:textbox value="${descriptor.dependencyScanConfig.pathToScaResolver}" />
+                        </f:entry>
+
+                        <f:optionalBlock title="Enable Exploitable Path" field="isGlobalExploitablePathByScaResolver" inline="true"  checked="${descriptor.dependencyScanConfig.isGlobalExploitablePathByScaResolver}">
+                        </f:optionalBlock>
+                     <f:entry title="SCA Resolver Additional Parameters" field="globalScaResolverAddParameters">
+                         <f:textarea value="${descriptor.dependencyScanConfig.globalScaResolverAddParameters}" />
+                     </f:entry>
+                    </f:radioBlock>
+                    <f:radioBlock checked="${descriptor.dependencyScanConfig.enableScaResolver == null || descriptor.dependencyScanConfig.enableScaResolver == 'MANIFEST'}" inline="true"
+                                    name="enableScaResolver" title="Perform SCA scan by uploading manifests file(s)/source to SCA Service."
+                                    value="MANIFEST">
+                            <!-- Non-Sca Resolver Fields-->
                 <f:entry title="Package Manager's Config File(s) Path" field="scaConfigFile">
                         <f:textarea value="${descriptor.dependencyScanConfig.scaConfigFile}" />
                     </f:entry>
@@ -191,8 +210,15 @@
            		 with="scaSastServerUrl,password,username,timestamp,sastCredentialsId,isProxy" />
     </f:optionalBlock>
             </f:radioBlock>
+           </f:radioBlock>
+        </f:optionalBlock>
+        <f:optionalBlock title="Enable Data Retention" inline="true"
+                         field="enableDataRetention">
+            <f:entry title="Scan Retention rate (number of scan)" field="projectRetentionRateEnforce">
+                <f:number clazz="positive-number" min="1" max="10000" step="1" default="10" checkMethod="POST" />
+            </f:entry>
         </f:optionalBlock>
 		<f:optionalBlock title="Hide Debug Logs" inline="true" field="hideDebugLogs"/>        
     </f:section>
 
-</j:jelly>
+</j:jelly>

src/main/resources/com/checkmarx/jenkins/CxScanBuilder/help-enableDataRetention.html

@@ -0,0 +1,3 @@
+<div>
+    Enables the option to set number for scan to retain while creating project.
+</div>

src/main/resources/com/checkmarx/jenkins/CxScanBuilder/help-enableScaResolver.html

@@ -1,3 +1,3 @@
 <div>
-  When this flag is enabled, the plugin will use SCA Resolver utility to scan dependencies.
+  When this flag is enabled, the plugin will use SCA Resolver utility to scan dependencies. ScaResolver tool will be executed in offline mode.
 </div>

src/main/resources/com/checkmarx/jenkins/CxScanBuilder/help-generateScaReport.html

@@ -0,0 +1,3 @@
+<div>
+    Downloads a report with scan results from the Checkmarx server. The report is available via a link on "Checkmarx Scan Results" page.
+</div>

src/main/resources/com/checkmarx/jenkins/CxScanBuilder/help-globalScaResolverAddParameters.html

@@ -0,0 +1,5 @@
+<div>
+    <p>For dependency resolution using the SCA Resolver tool, arguments to the SCA Resolver tool need to be provided.</p>
+    <p>For Example: --log-level Debug --save-evidence-path ./evidences.json --extract-archives zip,ear --extract-depth 3 --gradle-exclude-scopes api,testCompile</p>
+    <p> "-s", "-n" and "-r" are mandatory parameters that can be automatically determined from the parameters configured in the pipeline. These parameters can also be overridden by adding them to the SCA Resolver Additional Parameters.</p>
+</div>

src/main/resources/com/checkmarx/jenkins/CxScanBuilder/help-isExploitablePathByScaResolver.html

@@ -0,0 +1,5 @@
+<div>
+    <p>For Exploitable Path Detections, SCA Resolver needs to connect to the SAST server, thus it needs the following SAST related parameters: "--cxprojectname" or "--cxprojectid", "--cxuser", "--cxpassword", "--cxserver" and "--sast-result-path".</p>
+    <p> The plugin can automatically determine these parameters from the SAST parameters configured in the pipeline. These parameters can also be overridden by adding them to the SCA Resolver Additional Parameters.</p>
+    <p>Example: --cxprojectname sastprojname --cxserver http://sasturl --cxuser sastuser --cxpassword sastpassword --sast-result-path D://result</p>
+</div>

src/main/resources/com/checkmarx/jenkins/CxScanBuilder/help-isGlobalExploitablePathByScaResolver.html

@@ -0,0 +1,5 @@
+<div>
+    <p>For Exploitable Path Detections, SCA Resolver needs to connect to the SAST server, thus it needs the following SAST related parameters: "--cxprojectname" or "--cxprojectid", "--cxuser", "--cxpassword", "--cxserver" and "--sast-result-path".</p>
+    <p> The plugin can automatically determine these parameters from the SAST parameters configured in the pipeline. These parameters can also be overridden by adding them to the SCA Resolver Additional Parameters.</p>
+    <p>Example: --cxprojectname sastprojname --cxserver http://sasturl --cxuser sastuser --cxpassword sastpassword --sast-result-path D://result</p>
+</div>

src/main/resources/com/checkmarx/jenkins/CxScanBuilder/help-scaResolverAddParameters.html

@@ -1,7 +1,5 @@
 <div>
-    Provide arguments to ScaResovler tool in the same format as supported by the ScaResolver tool. ScaResolver tool will be executed in offline mode.
-    <p>"-s", "-n" and "-r" are mandatory parameters. Example:  -s C:\Users\SampleProject -n ProjectName -r c:\output, where </p>
-    <p> -s: Path to the source code</p>
-    <p> -n: name of the project</p>
-    <p> -r: local machine path where the evidence file must be stored</p>
-</div>
+    <p>For dependency resolution using the SCA Resolver tool, arguments to the SCA Resolver tool need to be provided.</p>
+     <p>For Example: --log-level Debug --save-evidence-path ./evidences.json --extract-archives zip,ear --extract-depth 3 --gradle-exclude-scopes api,testCompile</p>
+       <p> "-s", "-n" and "-r" are mandatory parameters that can be automatically determined from the parameters configured in the pipeline. These parameters can also be overridden by adding them to the SCA Resolver Additional Parameters.</p>
+</div>