mixeway / mixewaybackend Goto Github PK

When user is setting analysis to e.g. not relevant next import of vulnerabilities is overwriting this property

Email and template sending according to SMTP settings

When Infrastructure Scan is being started or ended state of interface.scanrunning is not changing

Hi there,

A lot of enterprises are moving to Azure Boards (https://azure.microsoft.com/en-us/services/devops/boards/) for issue tracking. It would be fantastic to see this support added to MixeWay.

It is possible to put in queue multiple application of same type with scan type of SAST

Desired bahaviour:

• once code project is put to queue (status inquueue or running =true) it is impossible to add it back to queue

Dont throw exceptions at startup

Need to refactor:

• Integration Services
• REST API controllers and services
• Testing

Scope: Code scaning

While trying to add multiple assets in project->configuration->add asset
using: "1.1.1.1,2.2.2.2" -> works
adding with space: "1.1.1.1, 2.2.2.2" -> add only first asset

Expected behavior: add all assets even when between them there are spaces

While setting strategy of automatic issue creation, ticket should be automaticaly created.

• Requesting for scan the same asset in same project with different routing domain is not affected. While I request a new scan for the asset already in database with different routing domain, I expect it to change the RD and run scan. If scan on old routing domain is already started omit action- when trying to change RD on running interface return error
• Vuln Management flag and project name are not being updated when trying to update them using request new scan
• Requesting a scan for asset already in database I should be able to change hostname of it
• When I start scan with 1 IP, and then I send new request with 2 IP (including previously set) I expect to start the scan so there will be 2 running for both IPs
• Improper resolution of some routing domains e.g. BRAMKARZ INTERNET - BE TK
• Requesting a scan of 4 IPs in 2 different routing domains results in running only 1 scan in single routing domain I expect it to run all domains on all 4 IPs
• Proper error handling
• Response on create scan request should contain scan scope

Submiting code issue cause 404.
Adding bugTracker require proxy to be set while it should be optional one

org.springframework.transaction.UnexpectedRollbackException: Transaction silently rolled back because it has been marked as rollback-only
at org.springframework.transaction.support.AbstractPlatformTransactionManager.processCommit(AbstractPlatformTransactionManager.java:753) ~[spring-tx-5.2.1.RELEASE.jar!/:5.2.1.RELEASE]
at org.springframework.transaction.support.AbstractPlatformTransactionManager.commit(AbstractPlatformTransactionManager.java:712) ~[spring-tx-5.2.1.RELEASE.jar!/:5.2.1.RELEASE]
at org.springframework.transaction.interceptor.TransactionAspectSupport.commitTransactionAfterReturning(TransactionAspectSupport.java:631) ~[spring-tx-5.2.1.RELEASE.jar!/:5.2.1.RELEASE]
at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:385) ~[spring-tx-5.2.1.RELEASE.jar!/:5.2.1.RELEASE]
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:99) ~[spring-tx-5.2.1.RELEASE.jar!/:5.2.1.RELEASE]
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.2.1.RELEASE.jar!/:5.2.1.RELEASE]
at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:747) ~[spring-aop-5.2.1.RELEASE.jar!/:5.2.1.RELEASE]
at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:689) ~[spring-aop-5.2.1.RELEASE.jar!/:5.2.1.RELEASE]
at io.mixeway.plugins.webappscan.scheduler.WebAppScheduler$$EnhancerBySpringCGLIB$$40c92e38.runScanFromQueue() ~[classes!/:0.9]
at sun.reflect.GeneratedMethodAccessor990.invoke(Unknown Source) ~[na:na]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_232]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_232]
at org.springframework.scheduling.support.ScheduledMethodRunnable.run(ScheduledMethodRunnable.java:84) ~[spring-context-5.2.1.RELEASE.jar!/:5.2.1.RELEASE]
at org.springframework.scheduling.support.DelegatingErrorHandlingRunnable.run(DelegatingErrorHandlingRunnable.java:54) ~[spring-context-5.2.1.RELEASE.jar!/:5.2.1.RELEASE]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_232]
at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) [na:1.8.0_232]
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180) [na:1.8.0_232]
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294) [na:1.8.0_232]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_232]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_232]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_232]
^C

Need new endpoint in CodeController

accessing:

POST /v2/api/show/project/code/details
{
  "repourl":"https://github.com/examplerepo"
}

should result in searching the CodeProjectRepository for CodeProject entity by repourl.

HTTP response should contain CodeProject entity if everything is ok, 403 code if caller has no permissions for finding particular CodeProject and 404 if there is no CodeProject with given repourl found in database

As is

Currently vulnerability trend chart is generated based on records in VulnHistory table.

This table is generated based on scheduler in GlobalScheduler.createHistoryForVulns()

to be

VulnHistory table to be extended -> to contain information about severities
e.g.: codeVulnHistory to -> codeVulnHistory, codeVulnCriticalHistory, codeVulnHighHistory, codeVulnMediumHistory, codeVulnLowHistory (where codeVulnHistory = codeVulnCriticalHistory+codeVulnHighHistory+codeVulnMediumHistory+codeVulnLowHistory)

note: it is important that the overall (e.g. codeVulnHistory) still exists as it is used in many places by the frontend.

Additional: new API Endpoint that will print history for project with severities has to be created

To do

• Create new columns in VulnHistory table (via changelog)
• Modify createVulnHistoryService.createScheduled(project) to populate new columns
• Create API endpoint in ProjectRestController that show history for project including information about severities
• Create tests for newly created methods

Refactor of method and integration in scope of web app scans

Refactor to cover changes in network integration area

Exception related with URL duplicates at WebApp have to be handled properly.

Add docker-compose
Add certs in image

Integration with OWASP Dependency Track will cover area of OpenSource vulnerability scanning. There should be API Client created which will gather through Dtrack REST API vulnerabilities found by UUID.

There should be possibility on Mixeway to store UUID on Dependency track in order to create link between.

Not all types of scanners are possible to be removed

Another way to authenticate to Mixeway using OIDC connect (eg keycloak)

Queries and calculations of metrics should be done much faster.

Integration with Checkmarx would extend possibility to create SAST scannings.

There should be API Client created which implements method:

• Create and configure target
• start scan
• check scan status
• load vulnerabilities

Need to refactor:

Integration Services
REST API controllers and services
Testing
Scope: Code scaning