Commit 46fcdd1

thtricx, michael-kubiaczyk, sumeetpatil, hubadr authored
[CxONE] Improve report: add Low findings; Proposed Not Exploitable state (#5223)
* Initial in progress
* compiling but not yet functional
* Missed file
* updated checkmarxone step
* Working up to fetching a project then breaks
* Missed file
* Breaks when retrieving projects+proxy set
* Create project & run scan working, now polling
* Fixed polling
* added back the zipfile remove command
* Fixed polling again
* Generates and downloads PDF report
* Updated and working, prep for refactor
* Added compliance steps
* Cleanup, reporting, added groovy connector
* fixed groovy file
* checkmarxone to checkmarxOne
* checkmarxone to checkmarxOne
* split credentials (id+secret, apikey), renamed pullrequestname to branch, groovy fix
* Fixed filenames & yaml
* missed the metadata_generated.go
* added json to sarif conversion
* fix:type in new checkmarxone package
* fix:type in new checkmarxone package
* removed test logs, added temp error log for creds
* extra debugging to fix crash
* improved auth logging, fixed query parse issue
* fixed bug with group fetch when using oauth user
* CWE can be -1 if not defined, can't be uint
* Query also had CweID
* Disabled predicates-fetch in sarif generation
* Removing leftover info log message
* Better error handling
* fixed default preset configuration
* removing .bat files - sorry
* Cleanup per initial review
* refactoring per Gist, fixed project find, add apps
* small fix - sorry for commit noise while testing
* Fixing issues with incremental scans.
* removing maxretries
* Updated per PR feedback, further changes todo toda
* JSON Report changes and reporting cleanup
* removing .bat (again?)
* adding docs, groovy unit test, linter fixes
* Started adding tests maybe 15% covered
* fix(checkmarxOne): test cases for pkg and reporting
* fix(checkmarxOne): fix formatting
* feat(checkmarxone): update interface with missing method
* feat(checkmarxone): change runStep signature to be able to inject dependency
* feat(checkmarxone): add tests for step (wip)
* Adding a bit more coverage
* feat(checkmarxOne): fix code review
* feat(checkmarxOne): fix code review
* feat(checkmarxOne): fix code review
* feat(checkmarxOne): fix integration test PR
* adding scan-summary bug workaround, reportgen fail
* enforceThresholds fix when no results passed in
* fixed gap when preset empty in yaml & project conf
* fixed another gap in preset selection
* fix 0-result panic
* fail when no preset is set anywhere
* removed comment
* initial project-under-app support
* fixing sarif reportgen
* some cleanup of error messages
* post-merge test fixes
* revert previous upstream merge
* adding "incremental" to "full" triggers
* wrong boolean
* project-in-application api change prep
* Fixing SARIF report without preset access
* fix sarif deeplink
* removing comments
* fix(cxone): formatting
* fix(cxone): formatting
* small sarif fixes
* fixed merge
* attempt at pulling git source repo branch
* fix(cxone): new endpoint for project creation
* fix(cxOne): taxa is an array
* fix(cxOne): get Git branch from commonPipelineEnvironment
* fix(cxOne): add params to tag a scan and a project
* fix(cxOne): unit test - update project
* fix(cxOne): unit test - update project tags
* fix(cxOne): improve logs
* fix(cxOne): improve logs
* adding RequestNewPDFReport function using v2 api
* added version check
* fix(cxone): JSON report using v2 API
* update to set reportType in v2 reportgen
* fix(checkmarxOneExecuteScan): remove absolute patch for code preview
* fix(checkmarxOneExecuteScan): remove SCA confusion from driver name
* fix(checkmarxOneExecuteScan): search project name by exact match
* fix(checkmarxOneExecuteScan): escape branch name in deeplink
* fix(checkmarxOneExecuteScan): fix format
* fix(checkmarxOneExecuteScan): include Low severity; add Proposed Not Exploitable status to the report

---------

Co-authored-by: michael kubiaczyk <michael.kubiaczyk@checkmarx.com>
Co-authored-by: michaelkubiaczyk <48311127+michaelkubiaczyk@users.noreply.github.com>
Co-authored-by: sumeet patil <sumeet.patil@sap.com>
Co-authored-by: Adrien <99400874+hubadr@users.noreply.github.com>
1 parent 5707fb8 commit 46fcdd1

File tree: 1 file changed (+11 -0 lines changed)

pkg/checkmarxone/checkmarxone.go

Lines changed: 11 additions & 0 deletions
@@ -1376,6 +1376,17 @@ func (sys *SystemInstance) RequestNewReportV2(scanID, reportType string) (string
13761376
},
13771377
"filters": map[string][]string{
13781378
"scanners": {"sast"},
1379+
"severities": {
1380+
"high",
1381+
"medium",
1382+
"low",
1383+
},
1384+
"states": {
1385+
"to-verify",
1386+
"confirmed",
1387+
"urgent",
1388+
"proposed-not-exploitable",
1389+
},
13791390
},
13801391
"reportType": "ui",
13811392
"fileFormat": reportType,
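Review bot: the new `severities` and `states` lists in this hunk are hard-coded string literals embedded in the request body, yet which findings reach the report is a policy decision (this very change widens it to `low` and `proposed-not-exploitable`); consider hoisting the two lists to named constants or step parameters and adding a comment stating that they are allowlists, so a finding in any severity or state not listed is intentionally omitted from the report rather than accidentally dropped. The commit touches only `pkg/checkmarxone/checkmarxone.go`, so a unit test for `RequestNewReportV2` that asserts the serialized `filters` body would guard these lists against silent drift.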
