
Commit cd20114

thtricx-michael-kubiaczyksumeetpatilhubadr
authored
CxONE: search project name by exact match (#5187)
* Initial in progress * compiling but not yet functional * Missed file * updated checkmarxone step * Working up to fetching a project then breaks * Missed file * Breaks when retrieving projects+proxy set * Create project & run scan working, now polling * Fixed polling * added back the zipfile remove command * Fixed polling again * Generates and downloads PDF report * Updated and working, prep for refactor * Added compliance steps * Cleanup, reporting, added groovy connector * fixed groovy file * checkmarxone to checkmarxOne * checkmarxone to checkmarxOne * split credentials (id+secret, apikey), renamed pullrequestname to branch, groovy fix * Fixed filenames & yaml * missed the metadata_generated.go * added json to sarif conversion * fix:type in new checkmarxone package * fix:type in new checkmarxone package * removed test logs, added temp error log for creds * extra debugging to fix crash * improved auth logging, fixed query parse issue * fixed bug with group fetch when using oauth user * CWE can be -1 if not defined, can't be uint * Query also had CweID * Disabled predicates-fetch in sarif generation * Removing leftover info log message * Better error handling * fixed default preset configuration * removing .bat files - sorry * Cleanup per initial review * refactoring per Gist, fixed project find, add apps * small fix - sorry for commit noise while testing * Fixing issues with incremental scans. * removing maxretries * Updated per PR feedback, further changes todo toda * JSON Report changes and reporting cleanup * removing .bat (again?) 
* adding docs, groovy unit test, linter fixes * Started adding tests maybe 15% covered * fix(checkmarxOne): test cases for pkg and reporting * fix(checkmarxOne):fix formatting * feat(checkmarxone): update interface with missing method * feat(checkmarxone):change runStep signature to be able to inject dependency * feat(checkmarxone): add tests for step (wip) * Adding a bit more coverage * feat(checkmarxOne): fix code review * feat(checkmarxOne): fix code review * feat(checkmarxOne): fix code review * feat(checkmarxOne): fix integration test PR * adding scan-summary bug workaround, reportgen fail * enforceThresholds fix when no results passed in * fixed gap when preset empty in yaml & project conf * fixed another gap in preset selection * fix 0-result panic * fail when no preset is set anywhere * removed comment * initial project-under-app support * fixing sarif reportgen * some cleanup of error messages * post-merge test fixes * revert previous upstream merge * adding "incremental" to "full" triggers * wrong boolean * project-in-application api change prep * Fixing SARIF report without preset access * fix sarif deeplink * removing comments * fix(cxone):formatting * fix(cxone):formatting * small sarif fixes * fixed merge * attempt at pulling git source repo branch * fix(cxone):new endpoint for project creation * fix(cxOne): taxa is an array * fix(cxOne): get Git branch from commonPipelineEnvironment * fix(cxOne): add params to tag a scan and a project * fix(cxOne): unit test - update project * fix(cxOne): unit test - update project tags * fix(cxOne): improve logs * fix(cxOne): improve logs * adding RequestNewPDFReport function using v2 api * added version check * fix(cxone): JSON report using v2 API * update to set reportType in v2 reportgen * fix(checkmarxOneExecuteScan): remove absolute patch for code preview * fix(checkmarxOneExecuteScan): remove SCA confusion from driver name * fix(checkmarxOneExecuteScan): search project name by exact match * 
fix(checkmarxOneExecuteScan): escape branch name in deeplink * fix(checkmarxOneExecuteScan): fix format --------- Co-authored-by: michael kubiaczyk <[email protected]> Co-authored-by: michaelkubiaczyk <[email protected]> Co-authored-by: sumeet patil <[email protected]> Co-authored-by: Adrien <[email protected]>
1 parent 62a5eda commit cd20114


3 files changed

+12
-3
lines changed


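--- a/cmd/checkmarxOneExecuteScan.go
+++ b/cmd/checkmarxOneExecuteScan.go
@@ -8,6 +8,7 @@ import (
 "io"
 "maps"
 "math"
+"net/url"
 "os"
 "path/filepath"
 "regexp"
@@ -803,7 +804,7 @@ func (c *checkmarxOneExecuteScanHelper) getDetailedResults(scan *checkmarxOne.Sc
 }
 
 resultMap["Preset"] = scanmeta.PresetName
-resultMap["DeepLink"] = fmt.Sprintf("%v/projects/%v/overview?branch=%v", c.config.ServerURL, c.Project.ProjectID, scan.Branch)
+resultMap["DeepLink"] = fmt.Sprintf("%v/projects/%v/overview?branch=%v", c.config.ServerURL, c.Project.ProjectID, url.QueryEscape(scan.Branch))
 resultMap["ReportCreationTime"] = time.Now().String()
 resultMap["High"] = map[string]int{}
 resultMap["Medium"] = map[string]int{}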
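Review bot: Only scan.Branch is escaped in the DeepLink line; c.config.ServerURL and c.Project.ProjectID are still interpolated raw through %v, so a ProjectID that is a string from the API (it looks like one, but its type is not visible here) is placed in the path unescaped, and a ServerURL with a trailing slash yields a double slash. Building the link from url.Parse(c.config.ServerURL) plus JoinPath("projects", id, "overview") and a url.Values query would escape all three parts uniformly instead of treating the branch as the only untrusted piece. url.QueryEscape is the right choice for the query part as written; it is the remaining path segments that deserve the same care. getDetailedResults starts and ends outside the hunk.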

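--- a/pkg/checkmarxone/checkmarxone.go
+++ b/pkg/checkmarxone/checkmarxone.go
@@ -759,7 +759,7 @@ func (sys *SystemInstance) GetProjectsByName(projectName string) ([]Project, err
 var err error
 
 body := url.Values{}
-body.Add("name", projectName)
+body.Add("names", projectName)
 
 data, err = sendRequest(sys, http.MethodGet, fmt.Sprintf("/projects/?%v", body.Encode()), nil, header, []int{404})
 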
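Review bot: Switching the query parameter to `names` delegates exact matching entirely to the server; nothing in GetProjectsByName verifies that the projects it returns actually carry projectName, so if the server ever treats `names` as a list or a prefix, a similarly named project could still be picked by the caller that creates or scans "the" project. Filtering the decoded slice on exact name equality before returning would make the exact-match guarantee local and cheap, and the doc comment on GetProjectsByName (outside the hunk) should state that the lookup is exact-match rather than a search. The function's signature and the decoding of data lie outside the hunk.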

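--- a/pkg/checkmarxone/cxjson_to_sarif.go
+++ b/pkg/checkmarxone/cxjson_to_sarif.go
@@ -67,6 +67,10 @@ func ConvertCxJSONToSarif(sys System, serverURL string, scanResults *[]ScanResul
 for k := 0; k < len(r.Data.Nodes); k++ {
 loc := *new(format.Location)
 loc.PhysicalLocation.ArtifactLocation.URI = r.Data.Nodes[0].FileName
+// remove absolute path of file name (coming from JSON format)
+if len(r.Data.Nodes[0].FileName) > 0 && r.Data.Nodes[0].FileName[0:1] == "/" {
+loc.PhysicalLocation.ArtifactLocation.URI = r.Data.Nodes[0].FileName[1:]
+}
 loc.PhysicalLocation.Region.StartLine = r.Data.Nodes[k].Line
 loc.PhysicalLocation.Region.EndLine = r.Data.Nodes[k].Line
 loc.PhysicalLocation.Region.StartColumn = r.Data.Nodes[k].Column
@@ -91,6 +95,10 @@ func ConvertCxJSONToSarif(sys System, serverURL string, scanResults *[]ScanResul
 threadFlowLocation := *new(format.Locations)
 tfloc := new(format.Location)
 tfloc.PhysicalLocation.ArtifactLocation.URI = r.Data.Nodes[0].FileName
+// remove absolute path of file name (coming from JSON format)
+if len(r.Data.Nodes[0].FileName) > 0 && r.Data.Nodes[0].FileName[0:1] == "/" {
+loc.PhysicalLocation.ArtifactLocation.URI = r.Data.Nodes[0].FileName[1:]
+}
 tfloc.PhysicalLocation.Region.StartLine = r.Data.Nodes[k].Line
 tfloc.PhysicalLocation.Region.EndLine = r.Data.Nodes[k].Line
 tfloc.PhysicalLocation.Region.StartColumn = r.Data.Nodes[k].Column
@@ -244,7 +252,7 @@ func ConvertCxJSONToSarif(sys System, serverURL string, scanResults *[]ScanResul
 log.Entry().Debug("[SARIF] Now handling driver object.")
 tool := *new(format.Tool)
 tool.Driver = *new(format.Driver)
-tool.Driver.Name = "CheckmarxOne SCA"
+tool.Driver.Name = "Checkmarx One"
 
 // TODO: a way to fetch/store the version
 tool.Driver.Version = "1" //strings.Split(cxxml.CheckmarxVersion, "V ")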
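Review bot: In the second hunk (new lines 98-101) the leading-slash strip assigns to `loc.PhysicalLocation.ArtifactLocation.URI` although the location being built there is `tfloc`; the `tfloc...URI` set on the preceding line keeps the absolute path in every thread-flow location, and whatever `loc` is in scope at that point is overwritten instead. The assignment should read `tfloc.PhysicalLocation.ArtifactLocation.URI = r.Data.Nodes[0].FileName[1:]`. Both hunks could also collapse the four added lines into `strings.TrimPrefix(r.Data.Nodes[0].FileName, "/")` if strings is already imported in this file, which removes the `[0:1]` slice and the length guard. Both hunks also take the file name from Nodes[0] while Line and Column come from Nodes[k]; that predates this commit but is worth confirming, since a SARIF region would then point into the wrong file for multi-file flows. ConvertCxJSONToSarif starts and ends outside the hunks.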
