SCA filtering improvement

build-11.gradle

@@ -2,7 +2,7 @@ import org.gradle.api.tasks.testing.Test
 
 buildscript {
 	ext {
-        CxSBSDK = "0.4.47"
+        CxSBSDK = "0.4.49"
         ConfigProviderVersion = "1.0.9"
         //cxVersion = "8.90.5"
         springBootVersion = '2.2.6.RELEASE'

build-cxgo.gradle

@@ -1,6 +1,6 @@
 buildscript {
     ext {
-        CxSBSDK = "0.1.40"
+        CxSBSDK = "0.1.41"
         ConfigProviderVersion = "1.0.9"
         //cxVersion = "8.90.5"
         springBootVersion = '2.2.6.RELEASE'

build.gradle

@@ -1,6 +1,6 @@
 buildscript {
     ext {
-        CxSBSDK = "0.4.47"
+        CxSBSDK = "0.4.49"
         ConfigProviderVersion = "1.0.9"
         //cxVersion = "8.90.5"
         springBootVersion = '2.2.6.RELEASE'

src/main/java/com/checkmarx/flow/controller/FlowController.java

@@ -3,21 +3,26 @@
 import com.checkmarx.flow.config.FlowProperties;
 import com.checkmarx.flow.config.JiraProperties;
 import com.checkmarx.flow.constants.FlowConstants;
-import com.checkmarx.flow.dto.*;
+import com.checkmarx.flow.dto.BugTracker;
+import com.checkmarx.flow.dto.ControllerRequest;
+import com.checkmarx.flow.dto.EventResponse;
+import com.checkmarx.flow.dto.FlowOverride;
+import com.checkmarx.flow.dto.ScanRequest;
 import com.checkmarx.flow.exception.InvalidTokenException;
-import com.checkmarx.flow.service.*;
+import com.checkmarx.flow.service.ConfigurationOverrider;
+import com.checkmarx.flow.service.FilterFactory;
+import com.checkmarx.flow.service.FlowService;
+import com.checkmarx.flow.service.HelperService;
+import com.checkmarx.flow.service.SastScanner;
 import com.checkmarx.flow.utils.HTMLHelper;
 import com.checkmarx.flow.utils.ScanUtils;
 import com.checkmarx.sdk.config.Constants;
 import com.checkmarx.sdk.config.CxProperties;
 import com.checkmarx.sdk.dto.Filter;
 import com.checkmarx.sdk.dto.ScanResults;
 import com.checkmarx.sdk.dto.filtering.FilterConfiguration;
-import com.checkmarx.sdk.dto.filtering.ScriptedFilter;
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonProperty;
-import groovy.lang.GroovyShell;
-import groovy.lang.Script;
 import lombok.RequiredArgsConstructor;
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang3.StringUtils;
@@ -230,22 +235,14 @@ public ResponseEntity<EventResponse> initiateScan(
     }
 
     private FilterConfiguration determineFilter(CxScanRequest scanRequest) {
-        FilterConfiguration filter = filterFactory.getFilter(null, properties);
+        FilterConfiguration filter;
 
         boolean hasSimpleFilters = CollectionUtils.isNotEmpty(scanRequest.getFilters());
         boolean hasFilterScript = StringUtils.isNotEmpty(scanRequest.getFilterScript());
         if (hasSimpleFilters || hasFilterScript) {
-            Script parsedScript = null;
-            if (hasFilterScript) {
-                GroovyShell groovyShell = new GroovyShell();
-                parsedScript = groovyShell.parse(scanRequest.getFilterScript());
-            }
-            filter = FilterConfiguration.builder()
-                    .simpleFilters(scanRequest.getFilters())
-                    .scriptedFilter(ScriptedFilter.builder()
-                            .script(parsedScript)
-                            .build())
-                    .build();
+            filter = filterFactory.getFilterFromComponents(scanRequest.getFilterScript(), scanRequest.getFilters());
+        } else {
+            filter = filterFactory.getFilter(null, properties);
         }
         return filter;
     }

src/main/java/com/checkmarx/flow/service/ConfigurationOverrider.java

@@ -15,7 +15,9 @@
 import com.checkmarx.sdk.config.ScaConfig;
 import com.checkmarx.sdk.config.ScaProperties;
 import com.checkmarx.sdk.dto.CxConfig;
+import com.checkmarx.sdk.dto.Filter;
 import com.checkmarx.sdk.dto.Sca;
+import com.checkmarx.sdk.dto.filtering.EngineFilterConfiguration;
 import com.checkmarx.sdk.dto.filtering.FilterConfiguration;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import lombok.RequiredArgsConstructor;
@@ -40,13 +42,12 @@ public class ConfigurationOverrider {
             BugTracker.Type.GITLABMERGE));
 
     private final FlowProperties flowProperties;
-    private final ScaProperties scaProperties;
     private final SCAScanner scaScanner;
     private final SastScanner sastScanner;
 
     public ScanRequest overrideScanRequestProperties(CxConfig override, ScanRequest request) {
         ConfigProvider configProvider = ConfigProvider.getInstance();
-        if (request == null || (!isConfigAsCodeAvailable(configProvider) && !isLegacyConfigAsCodeAvailable(override))) {
+        if (request == null || (!configProviderResultsAreAvailable(configProvider) && !configAsCodeIsAvailable(override))) {
             return request;
         }
 
@@ -73,12 +74,14 @@ public ScanRequest overrideScanRequestProperties(CxConfig override, ScanRequest
         return request;
     }
 
-    private boolean isConfigAsCodeAvailable(ConfigProvider configProvider) {
+    private boolean configProviderResultsAreAvailable(ConfigProvider configProvider) {
         return configProvider.hasAnyConfiguration(MDC.get(FlowConstants.MAIN_MDC_ENTRY));
     }
 
-    private boolean isLegacyConfigAsCodeAvailable(CxConfig override) {
-        return override != null && !(Boolean.FALSE.equals(override.getActive()));
+    private boolean configAsCodeIsAvailable(CxConfig override) {
+        // Config-as-code should be enabled if the 'active' property is either
+        // true or null => checking against Boolean.FALSE.
+        return override != null && !Boolean.FALSE.equals(override.getActive());
     }
 
     private void applyFlowOverride(FlowOverride fo, ScanRequest request, Map<String, String> overrideReport) {
@@ -145,13 +148,17 @@ private void overrideFilters(FlowOverride flowOverride, ScanRequest request, Map
                     override.getCwe(),
                     override.getCategory(),
                     override.getStatus());
-            FilterConfiguration filter = filterFactory.getFilter(controllerRequest, null);
-            request.setFilter(filter);
+            FilterConfiguration filterConfig = filterFactory.getFilter(controllerRequest, null);
+            request.setFilter(filterConfig);
 
             String filterDescr;
-            if (CollectionUtils.isNotEmpty(filter.getSimpleFilters())) {
-                filterDescr = filter.getSimpleFilters()
-                        .stream()
+            List<Filter> simpleFilters = Optional.ofNullable(filterConfig)
+                    .map(FilterConfiguration::getSastFilters)
+                    .map(EngineFilterConfiguration::getSimpleFilters)
+                    .orElse(null);
+
+            if (CollectionUtils.isNotEmpty(simpleFilters)) {
+                filterDescr = simpleFilters.stream()
                         .map(Object::toString)
                         .collect(Collectors.joining(","));
             } else {

src/main/java/com/checkmarx/flow/service/FilterFactory.java

@@ -3,6 +3,7 @@
 import com.checkmarx.flow.config.FlowProperties;
 import com.checkmarx.flow.dto.ControllerRequest;
 import com.checkmarx.sdk.dto.Filter;
+import com.checkmarx.sdk.dto.filtering.EngineFilterConfiguration;
 import com.checkmarx.sdk.dto.filtering.FilterConfiguration;
 import com.checkmarx.sdk.dto.filtering.ScriptedFilter;
 import com.checkmarx.sdk.exception.CheckmarxRuntimeException;
@@ -28,25 +29,40 @@ public FilterConfiguration getFilter(ControllerRequest request,
                 .orElse(ControllerRequest.builder().build());
 
         if (hasRequiredProperties(request)) {
-            result = getFilter(request.getSeverity(),
+            result = getFilterFromLists(request.getSeverity(),
                     request.getCwe(),
                     request.getCategory(),
                     request.getStatus(),
                     null,
                     null);
         } else if (flowProperties != null) {
-            result = getFilter(flowProperties);
+            result = getFilterFromProperties(flowProperties);
         } else {
             result = FilterConfiguration.builder().build();
         }
         return result;
     }
 
+    public FilterConfiguration getFilterFromComponents(String filterScript, List<Filter> simpleFilters) {
+        Script parsedScript = parseScriptText(filterScript);
+
+        EngineFilterConfiguration sastFilterConfig = EngineFilterConfiguration.builder()
+                .simpleFilters(simpleFilters)
+                .scriptedFilter(ScriptedFilter.builder()
+                        .script(parsedScript)
+                        .build())
+                .build();
+
+        return FilterConfiguration.builder()
+                .sastFilters(sastFilterConfig)
+                .build();
+    }
+
     /**
      * Create filter configuration based on CxFlow properties.
      */
-    private static FilterConfiguration getFilter(FlowProperties flowProperties) {
-        return getFilter(flowProperties.getFilterSeverity(),
+    private FilterConfiguration getFilterFromProperties(FlowProperties flowProperties) {
+        return getFilterFromLists(flowProperties.getFilterSeverity(),
                 flowProperties.getFilterCwe(),
                 flowProperties.getFilterCategory(),
                 flowProperties.getFilterStatus(),
@@ -64,7 +80,7 @@ private boolean hasRequiredProperties(ControllerRequest request) {
     /**
      * Create filter configuration based on lists of severity, cwe, category and on the text of a filter script
      */
-    private static FilterConfiguration getFilter(List<String> severity,
+    private FilterConfiguration getFilterFromLists(List<String> severity,
                                                  List<String> cwe,
                                                  List<String> category,
                                                  List<String> status,
@@ -77,14 +93,7 @@ private static FilterConfiguration getFilter(List<String> severity,
         simpleFilters.addAll(getListByFilterType(status, Filter.Type.STATUS));
         simpleFilters.addAll(getListByFilterType(state, Filter.Type.STATE));
 
-        Script parsedScript = parseScriptText(filterScript);
-
-        return FilterConfiguration.builder()
-                .simpleFilters(simpleFilters)
-                .scriptedFilter(ScriptedFilter.builder()
-                        .script(parsedScript)
-                        .build())
-                .build();
+        return getFilterFromComponents(filterScript, simpleFilters);
     }
 
     private static Script parseScriptText(String filterScript) {

src/main/java/com/checkmarx/flow/service/OsaScannerService.java

@@ -6,14 +6,19 @@
 import com.checkmarx.flow.dto.ScanRequest;
 import com.checkmarx.flow.exception.ExitThrowable;
 import com.checkmarx.flow.exception.MachinaException;
+import com.checkmarx.sdk.dto.Filter;
 import com.checkmarx.sdk.dto.ScanResults;
+import com.checkmarx.sdk.dto.filtering.EngineFilterConfiguration;
+import com.checkmarx.sdk.dto.filtering.FilterConfiguration;
 import com.checkmarx.sdk.exception.CheckmarxException;
 import com.checkmarx.sdk.service.CxClient;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.stereotype.Service;
 
 import java.io.File;
+import java.util.List;
+import java.util.Optional;
 
 import static com.checkmarx.flow.exception.ExitThrowable.exit;
 
@@ -32,7 +37,13 @@ public class OsaScannerService {
 
     public void cxOsaParseResults(ScanRequest request, File file, File libs) throws ExitThrowable {
         try {
-            ScanResults results = cxService.getOsaReportContent(file, libs, request.getFilter().getSimpleFilters());
+            List<Filter> simpleFilters = Optional.ofNullable(request)
+                    .map(ScanRequest::getFilter)
+                    .map(FilterConfiguration::getSastFilters)
+                    .map(EngineFilterConfiguration::getSimpleFilters)
+                    .orElse(null);
+
+            ScanResults results = cxService.getOsaReportContent(file, libs, simpleFilters);
             resultsService.processResults(request, results, scanDetails);
             if(flowProperties.isBreakBuild() && results !=null && results.getXIssues()!=null && !results.getXIssues().isEmpty()){
                 log.error(ERROR_BREAK_MSG);

src/main/java/com/checkmarx/flow/service/ResultsService.java

@@ -15,8 +15,10 @@
 import com.checkmarx.flow.utils.ScanUtils;
 import com.checkmarx.sdk.config.Constants;
 import com.checkmarx.sdk.config.CxProperties;
+import com.checkmarx.sdk.dto.Filter;
 import com.checkmarx.sdk.dto.ScanResults;
 import com.checkmarx.sdk.dto.cx.CxProject;
+import com.checkmarx.sdk.dto.filtering.EngineFilterConfiguration;
 import com.checkmarx.sdk.dto.filtering.FilterConfiguration;
 import com.checkmarx.sdk.exception.CheckmarxException;
 import com.checkmarx.sdk.service.CxClient;
@@ -123,7 +125,7 @@ public CompletableFuture<ScanResults> publishCombinedResults(ScanRequest scanReq
 
     public void processResults(ScanRequest request, ScanResults results, ScanDetails scanDetails) throws MachinaException {
         scanDetails = Optional.ofNullable(scanDetails).orElseGet(ScanDetails::new);
-        if (!cxProperties.getOffline()) {
+        if (Boolean.FALSE.equals(cxProperties.getOffline())) {
             getCxFields(request, results);
         }
         switch (request.getBugTracker().getType()) {
@@ -193,9 +195,14 @@ void sendEmailNotification(ScanRequest request, ScanResults results) {
     }
 
     ScanResults getOSAScan(ScanRequest request, Integer projectId, String osaScanId, FilterConfiguration filter, ScanResults results) throws CheckmarxException {
-        if (cxProperties.getEnableOsa() && !ScanUtils.empty(osaScanId)) {
+        if (Boolean.TRUE.equals(cxProperties.getEnableOsa()) && !ScanUtils.empty(osaScanId)) {
             log.info("Waiting for OSA Scan results for scan id {}", osaScanId);
-            results = osaService.waitForOsaScan(osaScanId, projectId, results, filter.getSimpleFilters());
+
+            List<Filter> filters = Optional.ofNullable(filter.getScaFilters())
+                    .map(EngineFilterConfiguration::getSimpleFilters)
+                    .orElse(null);
+
+            results = osaService.waitForOsaScan(osaScanId, projectId, results, filters);
 
             new ScanResultsReport(osaScanId, request, results).log();
         }