def _get_flaws(self, build_id, build_type):
"""Returns a list of flaws"""
try:
detailed_report_xml = self.api.get_detailed_report(build_id)
except VeracodeAPIError as e:
raise VeracodeError(e)
detailed_report_root_element = parse_and_remove_xml_namespaces(
detailed_report_xml)
# Use xpath to find all flaws in the detailed report
findall_string = "severity/category/cwe/" + build_type + "flaws/flaw"
flaw_elements = detailed_report_root_element.findall(findall_string)
flaw_elements.sort(key=lambda flaw: int(flaw.attrib["issueid"]))
flaws = []
for flaw_element in flaw_elements:
date_first_occurrence = parser.parse(
flaw_element.attrib["date_first_occurrence"]).astimezone(
pytz.utc)
if build_type == "static":
flaws.append(
models.StaticFlaw(
flaw_element.attrib["issueid"], date_first_occurrence,
flaw_element.attrib["severity"],
flaw_element.attrib["cweid"],
flaw_element.attrib["categoryname"],
flaw_element.attrib["affects_policy_compliance"],
flaw_element.attrib["remediationeffort"],
flaw_element.attrib["remediation_status"],
flaw_element.attrib["mitigation_status_desc"],
flaw_element.attrib["exploitLevel"],
flaw_element.attrib["module"],
flaw_element.attrib["sourcefile"],
flaw_element.attrib["line"]))
elif build_type == "dynamic":
flaws.append(
models.DynamicFlaw(
flaw_element.attrib["issueid"], date_first_occurrence,
flaw_element.attrib["severity"],
flaw_element.attrib["cweid"],
flaw_element.attrib["categoryname"],
flaw_element.attrib["affects_policy_compliance"],
flaw_element.attrib["remediationeffort"],
flaw_element.attrib["remediation_status"],
flaw_element.attrib["mitigation_status_desc"],
flaw_element.attrib["url"]))
if build_type == "static":
static_analysis_element = detailed_report_root_element.find(
"static-analysis")
analysis_size_bytes = None
if static_analysis_element is not None:
analysis_size_bytes = static_analysis_element.attrib[
"analysis_size_bytes"]
return flaws, analysis_size_bytes
else:
return flaws
def _get_app_info(self, app_id):
"""Returns a dict holding app info"""
try:
app_info_xml = self.api.get_app_info(app_id)
except VeracodeAPIError as e:
raise VeracodeError(e)
app_info_root_element = parse_and_remove_xml_namespaces(app_info_xml)
return app_info_root_element.find("application").attrib
def _get_processed_builds(self):
try:
with open("processed_builds.txt", "r") as f:
processed_builds = json.loads(f.read())
except IOError as e:
if e.errno is errno.ENOENT:
processed_builds = {}
else:
logging.exception("Error opening processed builds file")
raise VeracodeError(e)
return processed_builds
def _get_build_info(self, app_id, build_id, sandbox_id=None):
"""Returns an XML element holding build info"""
try:
build_info_xml = self.api.get_build_info(app_id, build_id,
sandbox_id)
except VeracodeAPIError as e:
raise VeracodeError(e)
build_info_root_element = parse_and_remove_xml_namespaces(
build_info_xml)
return build_info_root_element.find("build")
def create_csv(row_list, filepath):
"""Create a new CSV file from a list of rows."""
try:
with open(filepath, 'w') as f:
if sys.version_info >= (3, ):
wr = csv.writer(f, quoting=csv.QUOTE_ALL, escapechar='\\')
else:
wr = UnicodeWriter(f, quoting=csv.QUOTE_ALL, escapechar='\\')
wr.writerows(row_list)
except IOError as e:
logging.exception("Error writing csv file")
raise VeracodeError(e)
def update_and_save_processed_builds_file(self, app_id, build_id,
build_policy_updated_date):
build_policy_updated_date_string = str(
build_policy_updated_date
) if build_policy_updated_date is not None else None
build_data = {"policy_updated_date": build_policy_updated_date_string}
if app_id not in self.processed_builds:
self.processed_builds[app_id] = {build_id: build_data}
else:
self.processed_builds[app_id][build_id] = build_data
try:
with open("processed_builds.txt", "w") as f:
json.dump(self.processed_builds, f)
except IOError as e:
logging.exception("Error saving processed builds file")
raise VeracodeError(e)
def _get_apps(self):
"""Returns a list of apps"""
try:
app_list_xml = self.api.get_app_list()
except VeracodeAPIError as e:
raise VeracodeError(e)
app_list_root_element = parse_and_remove_xml_namespaces(app_list_xml)
app_elements = app_list_root_element.findall("app")
apps = []
for app_element in app_elements:
apps.append(
models.App(app_element.attrib["app_id"],
app_element.attrib["app_name"]))
return apps
def _get_builds(self,
app_id,
include_static_builds,
include_dynamic_builds,
sandbox_id=None):
"""Returns a list of builds"""
try:
if sandbox_id is None:
build_list_xml = self.api.get_build_list(app_id)
else:
build_list_xml = self.api.get_build_list(app_id, sandbox_id)
except VeracodeAPIError as e:
raise VeracodeError(e)
build_list_root_element = parse_and_remove_xml_namespaces(
build_list_xml)
build_elements = build_list_root_element.findall("build")
builds = []
for build_element in build_elements:
if sandbox_id is None:
if "policy_updated_date" in build_element.attrib:
policy_updated_date_string = build_element.attrib["policy_updated_date"][:22] + \
build_element.attrib["policy_updated_date"][23:]
policy_updated_date = parser.parse(
policy_updated_date_string).astimezone(pytz.utc)
else:
# In this case it's a build that hasn't completed yet, as it's not a sandbox and should have a
# policy updated date if the build has been published.
continue
else:
policy_updated_date = None
if include_static_builds and "dynamic_scan_type" not in build_element.attrib:
builds.append(
models.StaticBuild(build_element.attrib["build_id"],
build_element.attrib["version"],
policy_updated_date))
if include_dynamic_builds and "dynamic_scan_type" in build_element.attrib:
builds.append(
models.DynamicBuild(build_element.attrib["build_id"],
build_element.attrib["version"],
policy_updated_date))
return builds
def _get_sandboxes(self, app_id):
"""Returns a list of sandboxes"""
try:
sandbox_list_xml = self.api.get_sandbox_list(app_id)
except VeracodeAPIError as e:
raise VeracodeError(e)
sandbox_list_root_element = parse_and_remove_xml_namespaces(
sandbox_list_xml)
sandbox_elements = sandbox_list_root_element.findall("sandbox")
sandboxes = []
for sandbox_element in sandbox_elements:
sandboxes.append(
models.Sandbox(sandbox_element.attrib["sandbox_id"],
sandbox_element.attrib["sandbox_name"]))
return sandboxes
def build_should_be_processed(self, app_id, build_id,
build_policy_updated_date):
if app_id not in self.processed_builds or build_id not in self.processed_builds[
app_id]:
return True
elif self.processed_builds[app_id][build_id][
"policy_updated_date"] in [None, "None"]:
return False
else:
try:
last_build_policy_updated_string = self.processed_builds[app_id][build_id]["policy_updated_date"][:22]\
+ self.processed_builds[app_id][build_id]["policy_updated_date"][23:]
last_build_policy_updated_date = parser.parse(
last_build_policy_updated_string).astimezone(pytz.utc)
except ValueError as e:
logging.exception("Error parsing date")
raise VeracodeError(e)
else:
return build_policy_updated_date.astimezone(
pytz.utc) > last_build_policy_updated_date