2023 q4 integration branch (#143)

* plug1316

* version

* tool tip

* plug-286

* format changes

* chages for PLUG-1142

chages for PLUG-1142

* Support for Project Level Custom Fields

* added tooltip for project level custom field

* Updated OSA logs

* Special Character fix

* removed unwanted code changes

* jira1411

* Sca scan

* 1160

* policyenforcement

* changes

* Changes for PLUG_1184 and PLUG_1399

* Tooltips for exception on threshold error field

* Warning message fix

* Project level custom fields

* Updated tooltip of enable Project Policy Enforcement

* pom file and version changes

* Removed Unwanted code changes regarding Project custom tags

* SCA Scan Timeout InMinutes

* Fixes for QA issues

* version update

* Fixing cosmetic and minor issues raised by QA

---------

Co-authored-by: Khant1000 <[email protected]>
Co-authored-by: PravinGadankush <[email protected]>
Co-authored-by: Swati Awate <[email protected]>

build.gradle

@@ -19,7 +19,7 @@ apply plugin: 'org.jenkins-ci.jpi'
 apply plugin: 'nebula.provided-base'
 
 repositories {
-    jcenter()
+	jcenter()
     mavenLocal()        // Use this to load a custom build of Common Client from a local Maven repo.
     maven { url 'http://repo.jenkins-ci.org/releases/' }
     maven { url 'http://cx-artifactory:8081/artifactory/libs-release/' }
@@ -41,23 +41,25 @@ allprojects {
 }
 
 dependencies {
-    compileOnly 'com.intellij:annotations:12.0',
-            'org.slf4j:slf4j-api:1.7.31',
-            'org.slf4j:slf4j-log4j12:1.7.31',
-            'log4j:log4j:1.2.17'
+    compileOnly 'com.intellij:annotations:12.0'
 
     compile ('com.checkmarx:cx-config-provider:1.0.14') {
         exclude group: 'org.slf4j', module: 'slf4j-api'
         exclude group: 'org.apache.logging.log4j', module: 'log4j-slf4j-impl'
         exclude group: 'org.apache.logging.log4j', module: 'log4j-api'
         exclude group: 'org.apache.logging.log4j', module: 'log4j-core'
+        exclude group: 'org.eclipse.jgit', module: 'org.eclipse.jgit'
+        exclude group: 'com.google.guava', module: 'guava'        
     }
 
-    compile ('com.checkmarx:cx-client-common:2023.2.5') {
+
+    compile ('com.checkmarx:cx-client-common:2023.4.4') {
        exclude group: 'org.apache.commons', module: 'commons-compress'
        exclude group: 'org.yaml' , module: 'snakeyaml'
        exclude group: 'com.google.code.gson', module: 'gson'
-        exclude group: 'org.json', module: 'json'
+       exclude group: 'org.json', module: 'json'
+       exclude group: 'commons-beanutils', module: 'commons-beanutils' 
+       exclude group: 'com.google.guava', module: 'guava'       
     }
 
     compile 'com.fasterxml.jackson.core:jackson-core:2.11.3',
@@ -69,10 +71,12 @@ dependencies {
             'org.apache.logging.log4j:log4j-slf4j-impl:2.17.1',
             'org.apache.logging.log4j:log4j-api:2.17.1',
             'org.apache.logging.log4j:log4j-core:2.17.1',
-            'org.apache.commons:commons-compress:1.22',
+            'org.apache.commons:commons-compress:1.25.0',
             'com.google.code.gson:gson:2.8.9',           
             'org.yaml:snakeyaml:1.33',
-            'org.json:json:20230227'
+            'org.json:json:20231013',
+            'org.eclipse.jgit:org.eclipse.jgit:6.8.0.202311291450-r',
+            'com.google.guava:guava:32.1.1-jre' 
 
             constraints {
                 implementation('io.vertx:vertx-web:3.9.7') {
@@ -93,7 +97,8 @@ dependencies {
             }
 
     optionalJenkinsPlugins 'org.jenkins-ci.main:maven-plugin:1.509.4@jar',
-            'org.jenkins-ci.plugins:credentials:2.1.19@jar'
+    		'org.jenkins-ci.plugins:credentials:2.1.19@jar'
+
 
     testCompile 'junit:junit:4.13.1',
             'org.eclipse.sisu:org.eclipse.sisu.plexus:0.0.0.M5',

gradle.properties

@@ -1,6 +1,6 @@
 description = Provides automatic scan of code by Checkmarx server and shows results summary and trend in Jenkins interface.
 group = com.checkmarx.jenkins
-version = 2023.2.6
+version = 2023.4.3
 
 repositoryVersion=
 

src/main/java/com/checkmarx/jenkins/CxScanCallable.java

@@ -157,7 +157,7 @@ public RemoteScanInfo invoke(File file, VirtualChannel channel) throws IOExcepti
             cancelScan(delegator);
         }
 
-        if (config.getEnablePolicyViolations()) {
+        if (((config.isSastEnabled()||config.isOsaEnabled()) && config.getEnablePolicyViolations()) || (config.isAstScaEnabled() && config.getEnablePolicyViolationsSCA())) {
             delegator.printIsProjectViolated(scanResults);
         }
 

src/main/java/com/checkmarx/jenkins/DependencyScanConfig.java

@@ -70,7 +70,13 @@ public class DependencyScanConfig {
 
     @DataBoundSetter
     public String scaTeamPath;
-
+
+    @DataBoundSetter
+    public String scaScanCustomTags;
+
+    @DataBoundSetter
+    public String scaProjectCustomTags;
+
     @DataBoundSetter
     public String scaTeamId;
 

src/main/resources/META-INF/hudson.remoting.ClassFilter

@@ -36,6 +36,8 @@ com.cx.restclient.ast.dto.sca.report.DependencyPathSegment
 com.cx.restclient.ast.dto.sca.report.PackageSeverity
 com.cx.restclient.ast.dto.sca.report.PackageUsage
 com.cx.restclient.common.summary.DependencyScanResult
+com.cx.restclient.ast.dto.common.tags
+com.cx.restclient.ast.dto.sca.UpdateProjectRequest
 com.cx.restclient.ast.dto.sca.ScaScanConfigValue
 com.cx.restclient.ast.dto.sca.ScaScanConfigValue$ScaScanConfigValueBuilder
 com.cx.restclient.ast.dto.sca.report.PolicyAction
@@ -46,4 +48,8 @@ com.cx.restclient.sast.dto.ResponseSastScanStatus
 com.cx.restclient.sast.dto.CxScanStateObj
 com.cx.restclient.sast.dto.CxDateAndTimeObj
 com.cx.restclient.sast.dto.CxLanguageObj
-com.cx.restclient.sast.dto.CxLinkObj
+com.cx.restclient.sast.dto.CxLinkObj
+com.cx.restclient.sast.dto.ProjectLevelCustomFields 
+com.cx.restclient.sast.dto.ProjectPutRequest
+com.cx.restclient.sca.dto.Tags
+org.apache.http.HttpHost

src/main/resources/com/checkmarx/jenkins/CxScanBuilder/config.jelly

@@ -117,6 +117,12 @@
             <f:checkbox checkMethod="POST" checked="${instance.forceScan}"/>
         </f:entry>
 
+
+        <f:entry title="Project level - custom fields" field="projectLevelCustomFields">
+        	<f:textbox checkMethod="POST" value="${instance.projectLevelCustomFields}" />
+        </f:entry>
+
+
 		<f:entry title="Scan level - custom fields" field="customFields">
         	<f:textbox checkMethod="POST" value="${instance.customFields}" />
         </f:entry>
@@ -195,7 +201,13 @@
                     <f:entry title="Teampath" field="scaTeamPath">
                         <f:textbox value="${instance.dependencyScanConfig.scaTeamPath}"/>
                     </f:entry>
-
+                    <f:entry title="Project Custom Tags" field="scaProjectCustomTags">
+                        <f:textbox value="${instance.dependencyScanConfig.scaProjectCustomTags}"/>
+                    </f:entry>
+                    <f:entry title="Scan Custom Tags" field="scaScanCustomTags">
+                        <f:textbox value="${instance.dependencyScanConfig.scaScanCustomTags}"/>
+                    </f:entry>
+
                     <f:entry title="SCA Scan timeout (minutes)" field="scaTimeout">
                         <f:textbox value="${instance.dependencyScanConfig.scaTimeout}"/>
                     </f:entry>
@@ -231,30 +243,7 @@
                             <f:optionalBlock title="Include Sources" field="isIncludeSources"
                                             inline="true"  checked="${instance.dependencyScanConfig.isIncludeSources}"/>
 
-                            <f:optionalBlock title="Enable Exploitable Path" field="isExploitablePath"
-                                            inline="true"  checked="${instance.dependencyScanConfig.isExploitablePath}">
-
-                                <f:optionalBlock title="Use global settings (${descriptor.credentialsDescription})" field="useJobLevelSastDetails"
-                                                inline="true"  negative="true" checked="${!instance.dependencyScanConfig.useJobLevelSastDetails}">
-
-                                    <f:entry title="CxSAST Server Url" field="scaSastServerUrl">
-                                        <f:textbox default="${descriptor.dependencyScanConfig.serverUrl}"  value="${instance.dependencyScanConfig.scaSastServerUrl}" />
-                                    </f:entry>
-                                    <f:entry title="CxSAST credentials" field="sastCredentialsId">
-                                        <c:select value="${instance.dependencyScanConfig.sastCredentialsId}" />
-                                    </f:entry>
-                                    <f:validateButton title="Test Connection" progress="Testing..." method="testScaSASTConnection"
-                                                    with="scaSastServerUrl,password,username,timestamp,sastCredentialsId,isProxy" />
-                                </f:optionalBlock>
-
-                                <f:entry title="Project Full Path" field="scaSASTProjectFullPath">
-                                    <f:textbox value="${instance.dependencyScanConfig.scaSASTProjectFullPath}"/>
-                                </f:entry>
-                                <f:entry title="Project ID" field="scaSASTProjectID">
-                                    <f:textbox checkMethod="POST" value="${instance.dependencyScanConfig.scaSASTProjectID}"/>
-                                </f:entry>
-                            </f:optionalBlock>
-                        </f:radioBlock>
+                             </f:radioBlock>
                 </f:nested>
             </f:radioBlock>
         </f:optionalBlock>
@@ -265,13 +254,17 @@
     <f:section title="Build Control">
         <f:entry name="jobStatusOnError" title="Job status when scan returns an error:" field="jobStatusOnError">
             <f:enum field="jobStatusOnError">${it.displayName}</f:enum>
-        </f:entry>
+        </f:entry>        
         <j:choose>
             <!-- -=use only global configuration setting =- -->
             <j:when test="${descriptor.forcingVulnerabilityThresholdEnabled and descriptor.lockVulnerabilitySettings}">
                 <f:entry title="Build status when results exceed threshold:">
                     <f:readOnlyTextbox value="Setting Locked by Administrator (${descriptor.JobGlobalStatusOnThresholdViolation})" />
                 </f:entry>
+                <f:entry title="Propagate error when results exceed threshold:">
+                    <f:readOnlyTextbox value="Setting Locked by Administrator (${descriptor.exceptionOnThresholdErrorGlobal})" />
+                </f:entry>
+
                 <f:entry title="SAST High severity vulnerabilities threshold">
                     <f:readOnlyTextbox value="${descriptor.highThresholdEnforcement}" />
                 </f:entry>
@@ -301,10 +294,11 @@
                 <f:optionalBlock title="Generate CxSAST PDF report" inline="true" field="generatePdfReport" />
 
                 <!-- -= enableProjectPolicyEnforcement =- -->
-                <f:optionalBlock title="Enable Project's policy enforcement" inline="true" field="enableProjectPolicyEnforcement" />
-
-
-                   </f:optionalBlock>
+                <f:optionalBlock title="Enable Project's policy enforcement for SAST" inline="true" field="enableProjectPolicyEnforcement" />
+                    <f:optionalBlock title="Enable Project's policy enforcement for SCA" inline="true" field="enableProjectPolicyEnforcementSCA" />
+
+
+                </f:optionalBlock>
             </j:when>
 
             <!-- ** use specific configuration setting ** -->
@@ -332,7 +326,8 @@
            			</f:optionalBlock>
 
                     <!-- -= enableProjectPolicyEnforcement =- -->
-                    <f:optionalBlock title="Enable Project's policy enforcement" inline="true" field="enableProjectPolicyEnforcement" />
+                    <f:optionalBlock title="Enable Project's policy enforcement for SAST" inline="true" field="enableProjectPolicyEnforcement" />
+                    <f:optionalBlock title="Enable Project's policy enforcement for SCA" inline="true" field="enableProjectPolicyEnforcementSCA" />
 
                    <!-- ** Enable CxSAST vulnerability threshold ** -->
                     <f:optionalBlock title="Enable vulnerability threshold" inline="true"
@@ -348,7 +343,9 @@
                                         <f:entry title="Build status when results exceed threshold:">
                                             <f:readOnlyTextbox value="${descriptor.JobGlobalStatusOnThresholdViolation.displayName}" />
                                         </f:entry>
-
+                                        <f:entry title="Propagate error when results exceed threshold:">
+                                            <f:readOnlyTextbox value="${descriptor.exceptionOnThresholdErrorGlobal}" />
+                                        </f:entry>
                                         <f:entry title="SAST High severity vulnerabilities threshold">
                                             <f:readOnlyTextbox value="${descriptor.highThresholdEnforcement}" />
                                         </f:entry>
@@ -376,6 +373,7 @@
                                         <f:entry title="Build status when results exceed threshold:" field="vulnerabilityThresholdResult">
                                             <f:select />
                                         </f:entry>
+                                        <f:optionalBlock title="Propagate error when results exceed threshold" inline="true" field="exceptionOnThresholdError" />
                                         <f:entry title="SAST High severity vulnerabilities threshold" field="highThreshold">
                                             <f:number clazz="positive-number" min="0" step="1" default="" checkMethod="post" />
                                         </f:entry>
@@ -409,6 +407,7 @@
                                 <f:entry title="Build status when results exceed threshold:" field="vulnerabilityThresholdResult">
                                     <f:select />
                                 </f:entry>
+                                <f:optionalBlock title="Propagate error when results exceed threshold" inline="true" field="exceptionOnThresholdError" />
                                 <f:entry title="SAST High severity vulnerabilities threshold" field="highThreshold">
                                     <f:number clazz="positive-number" min="0" step="1" default="" />
                                 </f:entry>

src/main/resources/com/checkmarx/jenkins/CxScanBuilder/global.jelly

@@ -84,6 +84,7 @@
             <f:entry title="Build status when results exceed threshold:" field="jobGlobalStatusOnThresholdViolation">
                 <f:enum>${it.displayName}</f:enum>
             </f:entry>
+            <f:optionalBlock title="Propagate error when results exceed threshold" inline="true" field="exceptionOnThresholdErrorGlobal" />
 
             <f:entry title="SAST High severity vulnerabilities threshold" field="highThresholdEnforcement">
                 <f:number clazz="positive-number" min="0" step="1" default="" checkMethod="POST"/>
@@ -162,7 +163,10 @@
                     <f:entry title="Account" field="scaTenant">
                         <f:textbox value="${descriptor.dependencyScanConfig.scaTenant}"/>
                     </f:entry>
-
+                    <f:entry title="Teampath" field="scaTeamPath">
+                        <f:textbox value="${instance.dependencyScanConfig.scaTeamPath}"/>
+                    </f:entry>
+
                      <f:entry title="SCA Scan timeout (minutes)" field="scaTimeout">
                         <f:textbox value="${descriptor.dependencyScanConfig.scaTimeout}"/>
                      </f:entry>
@@ -194,22 +198,9 @@
                     <f:entry title="Private Registry Environment Variable" field="scaEnvVariables">
                         <f:textarea value="${descriptor.dependencyScanConfig.scaEnvVariables}" />
                     </f:entry>
-                <f:optionalBlock title="Enable Exploitable Path" field="isExploitablePath" 
-                    inline="true"  checked="${descriptor.dependencyScanConfig.isExploitablePath}">
-                    <f:entry title="SAST Server Url" field="scaSastServerUrl">
-                <f:textbox value="${descriptor.dependencyScanConfig.scaSastServerUrl}" />
-            </f:entry>
-         <f:entry title="CxSAST credentials" field="sastCredentialsId">
-                 <c:select value="${descriptor.dependencyScanConfig.sastCredentialsId}" />
-                 </f:entry>
-                  <f:invisibleEntry>
-            <f:readOnlyTextbox field="username"/>
-            <f:readOnlyTextbox field="password"/>
-        </f:invisibleEntry>
-        <f:validateButton title="Test Connection" progress="Testing..." method="testScaSASTConnection"
-           		 with="scaSastServerUrl,password,username,timestamp,sastCredentialsId,isProxy" />
-    </f:optionalBlock>
-            </f:radioBlock>
+                        <f:optionalBlock title="Include Sources" field="isIncludeSources"
+                                         inline="true"  checked="${instance.dependencyScanConfig.isIncludeSources}"/>
+                   </f:radioBlock>
            </f:radioBlock>
         </f:optionalBlock>
         <f:optionalBlock title="Enable Data Retention" inline="true"

src/main/resources/com/checkmarx/jenkins/CxScanBuilder/help-enableProjectPolicyEnforcement.html

@@ -1,6 +1,4 @@
-<div>
-    Mark the build as failed or unstable if the project's policy is violated.<br>
+ Mark the build as failed or unstable if the project's policy is violated.<br>
     Note:<br>
     Assigning a policy to a project is done from within CxSAST<br>
-
-</div>
+    For SAST scan Mno is required, by default it is not supported in 9.6 SAST server.

src/main/resources/com/checkmarx/jenkins/CxScanBuilder/help-enableProjectPolicyEnforcementSCA.html

@@ -0,0 +1,3 @@
+Mark the build as failed or unstable if the project's policy is violated.<br>
+Note:<br>
+Assigning a policy to a project is done from within CxSCA<br>

src/main/resources/com/checkmarx/jenkins/CxScanBuilder/help-exceptionOnThresholdError.html

@@ -0,0 +1,4 @@
+<div>
+    Choose if build should throw "Threshold exceeded" exception and stop the scan in case when result of scan vulnerabilities exceeds threshold.
+	Default is False.
+</div>

src/main/resources/com/checkmarx/jenkins/CxScanBuilder/help-exceptionOnThresholdErrorGlobal.html

@@ -0,0 +1,4 @@
+<div>
+    Choose if build should throw "Threshold exceeded" exception and stop the scan in case when result of scan vulnerabilities exceeds threshold.
+	Default is False.
+</div>

src/main/resources/com/checkmarx/jenkins/CxScanBuilder/help-projectLevelCustomFields.html

@@ -0,0 +1,3 @@
+<div>
+	Add project level custom fields and its value. Example: field1:value1,field2:value2.(Note that the feature works with 9.4 version SAST onwards.)
+</div>

src/main/resources/com/checkmarx/jenkins/CxScanBuilder/help-scaProjectCustomTags.html

@@ -0,0 +1,3 @@
+<div>
+  A project tag is a key:value pair, and multiple tags can be seperated using comma(,).(E.g: a:b, c:d)
+</div>

src/main/resources/com/checkmarx/jenkins/CxScanBuilder/help-scaScanCustomTags.html

@@ -0,0 +1,3 @@
+<div>
+    A scan tag is a key:value pair, and multiple tags can be seperated using comma(,).(E.g: a:b, c:d)
+</div>