Merge pull request #1106 from Checkmarx/feature/add-asmp-traits

Add traits to ASPM results object (AST-000)

Author: cx-daniel-greenspan

internal/commands/result.go

@@ -234,13 +234,14 @@ func riskManagementSubCommand(riskManagement wrappers.RiskManagementWrapper, fea
 		Long:  "The risk-management command displays risk management results for a specific project in Checkmarx One",
 		Example: heredoc.Doc(
 			`
-			$ cx results risk-management --project-id <project Id> --limit <limit> (1-50, default: 50)
+			$ cx results risk-management --project-id <project Id> --scan-id <scan ID> --limit <limit> (1-50, default: 50)
 		`,
 		),
 		RunE: runRiskManagementCommand(riskManagement, featureFlagsWrapper),
 	}
 
 	riskManagementCmd.PersistentFlags().String(commonParams.ProjectIDFlag, "", "Project ID")
+	riskManagementCmd.PersistentFlags().String(commonParams.ScanIDFlag, "", "Scan ID")
 	riskManagementCmd.PersistentFlags().Int(commonParams.LimitFlag, -1, "Limit")
 
 	addFormatFlag(riskManagementCmd, printer.FormatJSON, printer.FormatTable, printer.FormatList)
@@ -355,14 +356,16 @@ func runRiskManagementCommand(riskManagement wrappers.RiskManagementWrapper, fea
 ) func(cmd *cobra.Command, args []string) error {
 	return func(cmd *cobra.Command, args []string) error {
 		projectID, _ := cmd.Flags().GetString(commonParams.ProjectIDFlag)
+		scanID, _ := cmd.Flags().GetString(commonParams.ScanIDFlag)
+
 		limit, _ := cmd.Flags().GetInt(commonParams.LimitFlag)
 
 		flagResponse, _ := wrappers.GetSpecificFeatureFlag(featureFlagsWrapper, wrappers.RiskManagementEnabled)
 		ASPMEnabled := flagResponse.Status
 		if !ASPMEnabled {
 			return errors.Errorf("%s", "Risk management results are currently unavailable for your tenant.")
 		}
-		results, err := getRiskManagementResults(riskManagement, projectID)
+		results, err := getRiskManagementResults(riskManagement, projectID, scanID)
 		if err != nil {
 			return err
 		}
@@ -372,8 +375,8 @@ func runRiskManagementCommand(riskManagement wrappers.RiskManagementWrapper, fea
 	}
 }
 
-func getRiskManagementResults(riskManagement wrappers.RiskManagementWrapper, projectID string) (*wrappers.ASPMResult, error) {
-	ASPMResult, errorModel, err := riskManagement.GetTopVulnerabilitiesByProjectID(projectID)
+func getRiskManagementResults(riskManagement wrappers.RiskManagementWrapper, projectID, scanID string) (*wrappers.ASPMResult, error) {
+	ASPMResult, errorModel, err := riskManagement.GetTopVulnerabilitiesByProjectID(projectID, scanID)
 	if err != nil {
 		return nil, errors.Wrapf(err, "%s", failedListingResults)
 	}

internal/params/binds.go

@@ -73,6 +73,6 @@ var EnvVarsBinds = []struct {
 	{AiProxyCheckmarxAiRouteKey, AiProxyCheckmarxAiRouteEnv, "api/ai-proxy/redirect/azure"},
 	{ASCAPortKey, ASCAPortEnv, ""},
 	{ScsRepoTokenKey, ScsRepoTokenEnv, ""},
-	{RiskManagementPathKey, RiskManagementPathEnv, "api/risk-management/projects/%s/results"},
+	{RiskManagementPathKey, RiskManagementPathEnv, "api/risk-management/projects/%s/results?scanID=%s"},
 	{ConfigFilePathKey, ConfigFilePathEnv, ""},
 }

internal/wrappers/mock/risk-management-mock.go

@@ -6,14 +6,15 @@ import (
 
 type RiskManagementMockWrapper struct{}
 
-func (r *RiskManagementMockWrapper) GetTopVulnerabilitiesByProjectID(projectID string) (*wrappers.ASPMResult, *wrappers.WebError, error) {
+func (r *RiskManagementMockWrapper) GetTopVulnerabilitiesByProjectID(projectID string, scanID string) (*wrappers.ASPMResult, *wrappers.WebError, error) {
 	mockResults := []wrappers.RiskManagementResult{
-		{ID: "1", Name: "Vuln1", Severity: "High"},
-		{ID: "2", Name: "Vuln2", Severity: "Medium"},
+		{ID: "1", Name: "Vuln1", Severity: "High", Traits: map[string]string{wrappers.ExpPathKey: wrappers.ExpPathValue}},
+		{ID: "2", Name: "Vuln2", Severity: "Medium", Traits: map[string]string{wrappers.SuspMalwareKey: wrappers.SuspMalwareValue}},
 	}
 
 	mockASPMResult := &wrappers.ASPMResult{
 		ProjectID: projectID,
+		ScanID:    scanID,
 		Results:   mockResults,
 	}
 

internal/wrappers/risk-management-http.go

@@ -3,31 +3,33 @@ package wrappers
 import (
 	"encoding/json"
 	"fmt"
+	"github.com/checkmarx/ast-cli/internal/logger"
+	"github.com/checkmarx/ast-cli/internal/wrappers/configuration"
 	"net/http"
 
 	commonParams "github.com/checkmarx/ast-cli/internal/params"
 	"github.com/pkg/errors"
 	"github.com/spf13/viper"
 )
 
+const riskManagementDefaultPath = "api/risk-management/projects/%s/results?scanID=%s"
+
 type RiskManagementHTTPWrapper struct {
 	path string
 }
 
 func NewHTTPRiskManagementWrapper(path string) RiskManagementWrapper {
+	validPath := setRMDefaultPath(path)
 	return &RiskManagementHTTPWrapper{
-		path: path,
+		path: validPath,
 	}
 }
 
-func (r *RiskManagementHTTPWrapper) GetTopVulnerabilitiesByProjectID(projectID string) (
-	*ASPMResult,
-	*WebError,
-	error,
-) {
+func (r *RiskManagementHTTPWrapper) GetTopVulnerabilitiesByProjectID(projectID string, scanID string) (*ASPMResult, *WebError, error) {
 	clientTimeout := viper.GetUint(commonParams.ClientTimeoutKey)
-	path := fmt.Sprintf(r.path, projectID)
-	resp, err := SendHTTPRequest(http.MethodGet, path, http.NoBody, true, clientTimeout)
+
+	path := fmt.Sprintf(r.path, projectID, scanID)
+	resp, err := SendHTTPRequest(http.MethodGet, path, nil, true, clientTimeout)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -58,3 +60,17 @@ func (r *RiskManagementHTTPWrapper) GetTopVulnerabilitiesByProjectID(projectID s
 		return nil, nil, errors.Errorf("response status code %d", resp.StatusCode)
 	}
 }
+
+func setRMDefaultPath(path string) string {
+	if path != riskManagementDefaultPath {
+		configFilePath, err := configuration.GetConfigFilePath()
+		if err != nil {
+			logger.PrintfIfVerbose("Error getting config file path: %v", err)
+		}
+		err = configuration.SafeWriteSingleConfigKeyString(configFilePath, commonParams.RiskManagementPathKey, riskManagementDefaultPath)
+		if err != nil {
+			logger.PrintfIfVerbose("Error writing Risk Management path to config file: %v", err)
+		}
+	}
+	return riskManagementDefaultPath
+}

internal/wrappers/risk-management.go

@@ -2,8 +2,24 @@ package wrappers
 
 import "time"
 
+const (
+	SuspMalwareKey = "suspMalware"
+	ExpPathKey     = "explPath"
+	//PubExposedKey  = "pubExposed"
+	//RuntimeKey     = "runtime"
+
+	SuspMalwareValue = "Suspected Malware"
+	ExpPathValue     = "Exploitable Path"
+	//PubExposedValue  = "Public Exposed"
+	//RuntimeValue     = "Runtime"
+)
+
 type RiskManagementWrapper interface {
-	GetTopVulnerabilitiesByProjectID(projectID string) (*ASPMResult, *WebError, error)
+	GetTopVulnerabilitiesByProjectID(projectID string, scanID string) (*ASPMResult, *WebError, error)
+}
+
+type GetASPMResultRequest struct {
+	ScanId string `json:"scanID"`
 }
 
 type ApplicationScore struct {
@@ -27,6 +43,7 @@ type RiskManagementResult struct {
 	Severity           string             `json:"severity"`
 	RiskScore          float64            `json:"riskScore"`
 	EnrichmentSources  map[string]string  `json:"enrichmentSources"`
+	Traits             map[string]string  `json:"traits"`
 	CreatedAt          time.Time          `json:"createdAt"`
 	ApplicationsScores []ApplicationScore `json:"applicationsScores"`
 }

test/integration/predicate_test.go

@@ -16,8 +16,6 @@ import (
 	"gotest.tools/assert"
 )
 
-var projectID string
-
 func TestSastUpdateAndGetPredicatesForSimilarityId(t *testing.T) {
 
 	fmt.Println("Step 1: Testing the command 'triage update' to update an issue from the project.")
@@ -101,7 +99,6 @@ func TestSastUpdateAndGetPredicatesForSimilarityId(t *testing.T) {
 }
 
 func TestGetAndUpdatePredicateWithInvalidScannerType(t *testing.T) {
-
 	err, _ := executeCommand(
 		t, "triage", "update",
 		flag(params.ProjectIDFlag), "1234",

test/integration/result_test.go

@@ -616,7 +616,7 @@ func readAndUnmarshalFile(t *testing.T, path string, v interface{}) {
 }
 
 func TestRiskManagementResults_ReturnResults(t *testing.T) {
-	projectName := "ast-phoenix-test-project"
+	projectName := GenerateRandomProjectNameForScan()
 	_ = executeCmdNilAssertion(
 		t, "Create project should pass",
 		"project", "create",
@@ -631,20 +631,21 @@ func TestRiskManagementResults_ReturnResults(t *testing.T) {
 		flag(params.ScanInfoFormatFlag), printer.FormatJSON,
 		flag(params.ScanTypes), params.SastType,
 	}
-	_, projectID := executeCreateScan(t, args)
+	scanId, projectId := executeCreateScan(t, args)
 
 	defer func() {
 		_ = executeCmdNilAssertion(
 			t, "Delete project should pass",
 			"project", "delete",
-			flag(params.ProjectIDFlag), projectID,
+			flag(params.ProjectIDFlag), projectId,
 		)
 	}()
 
 	outputBuffer := executeCmdNilAssertion(
 		t, "Results risk-management generating JSON report should pass",
 		"results", "risk-management",
-		flag(params.ProjectIDFlag), projectID,
+		flag(params.ProjectIDFlag), projectId,
+		flag(params.ScanIDFlag), scanId,
 		flag(params.LimitFlag), "20",
 	)
 	result := wrappers.ASPMResult{}