Feature 345 summary in reports

[zigfridus]

This PR will close #345

[Jeeppler]

Overall you are on the right track, but you need to build up the data structure for the summary in the HTMLScanResultReportModelBuilder. See comments.

[Jeeppler]

The id should be: #scanTypeRedFindingsBlock

[Jeeppler]

There should be a new table for every scanType + redList.

[Jeeppler]

Each finding table needs a separate heading.
For example:

<h3 class='redFindingHeadline' id="codeScanRedFindingsBlock">Code Scan</a>

[zigfridus]

@Jeeppler
Some quick questions.

1. What does Secret Scan do? I haven't met this type of scan in SecHub before.
2. It seems to me it's neccessary to significantly change the structure of model in HTMLScanResultReportModelBuilder. Do you approve this?

[Jeeppler]

@zigfridus

1. Secret Scan is looking through code or repositories and tries to find hard coded secrets and credentials. This is a common problem. For example, with AWS credentials: https://github.com/ramimac/aws-customer-security-incidents. The secret scan module is fairly new. It was introduced a few weeks ago.

2. It seems to me it's necessary to significantly change the structure of model in HTMLScanResultReportModelBuilder. Do you approve this? - Yes, go ahead and do the necessary changes.

[zigfridus]

@Jeeppler
I would like to ask, may I reorganize the summary table in the way like on this image.
image
This will greatly simplify for me the summary table creation?

[Jeeppler]

@zigfridus yes, that is a good idea

[Jeeppler]

@zigfridus please add the image of the table from the Google drive into this issue here. I would like to have the documentation of this issue in one place.

[zigfridus]

@Jeeppler
Proposition of transposition of the Summary table:

[zigfridus]

@Jeeppler
Please have a look at my last commit with a draft summary table.
Thanks

[Jeeppler]

Outstanding work. I love how readable the code is.

I found some smaller issues. Please change those.

Still there are three major things I am missing:

1. Tests (there should be a test for the ScanTypeCount class and extend HTMLScanResultReportModelBuilderTest)
2. A list of CWEs found (see: Summary in Reports #345 (comment))
3. The JSON report should contain the same summary (see: Summary in Reports #345 (comment))

You are clearly on the right track. I know the issue is challenging.

[zigfridus]

@Jeeppler
Hello
Please have a look at my last commit. I added the neccessary sections into the JSON report.
I didn't create tests yet. I will create them if you are ok with my improvements.

[Jeeppler]

Looks pretty good. However, I did found some issues. For details have a look at the comments.

Please include a screenshot with your next pull-request review request (only as comment in the pull-request conversation).

[zigfridus]

@Jeeppler
Could you please explain for me this your sentence:
"Please include a screenshot with your next pull-request review request (only as comment in the pull-request conversation)."
I don't clearly understand it.

[Jeeppler]

@zigfridus It would be nice to have a screenshot of the report with the summary once you request a review. The simply reason is, that you are working on the HTML report and it is always a good idea to show case the visual changes.

Simply include the screenshot as part of this conversation.

[zigfridus]

Hello @Jeeppler
According to the test data in the example3_coverity.sarif.json the finding with the same CWE ID (for example CWE-352) could have both HIGH and MEDIUM severity at the same time. Is it possible or is it a mistake in the test data?

[Jeeppler]

@zigfridus yes, they could both have different severity levels even for the same CWE, depending on how the tool calculates the severity level (e, g. based on a Control Flow Graph). It is certainly an edge case.

In addition, some tools produce findings with a CWE-0. The problem, a CWE-0 does not exist.

In the real world there are a lot of oddities, quirks and bugs. Tests might help to check for those. However, I do expect that over time we will uncover some situations/combinations you/we did not account for. That is fine.

[zigfridus]

@Jeeppler Thank you for the explanation.

[zigfridus]

@Jeeppler Finally I have some result that I can show you. These are 2 reports, generated by the modified code.

example 1:

example 3:

Please have a look at the html files in the ZIP:
examples.zip

I didn't find at your example a details block: Should it exist in my report too?

[Jeeppler]

@zigfridus Thanks, I know it takes time. Overall, it look very nice. Good job. 🥇

The details block should exist in your report as well. I am surprised, that it does not exist in your code.

Regarding the tables. I think if they look this they would be easier to read:

CodeScan

High

CWE         | Name                                                      | Count
-------------------------------------------------------------------------
CWE-543  | Bad choice of lock object                                    | 1
CWE-352  | Cross-site request forgery                                   | 1
CWE-79    | Cross-site scripting                                        | 131
CWE-22    | Filesystem path, filename, or URI manipulation              | 5
…

In addition, it would be nice to use the <details> - HTML tag for the table with CWE numbers.

Closed:

> SecretScan
> CodeScan
…

CodeScan open:

> SecretScan
v CodeScan

High

CWE         | Name                                                      | Count
-------------------------------------------------------------------------
CWE-543  | Bad choice of lock object                                    | 1
CWE-352  | Cross-site request forgery                                   | 1
CWE-79    | Cross-site scripting                                        | 131
CWE-22    | Filesystem path, filename, or URI manipulation              | 5
…

[zigfridus]

@Jeeppler
Please have a look at my improvements:
examples.zip

1. Added the block of details in description.
2. Designed summary blocks as tables.
3. Add possibility to collapse summary blocks.

[zigfridus]

@Jeeppler
I amended my code according to your recommendations. After that it was built successfully. Please have a look.

[Jeeppler]

Looks good too me 👍

[CLA-Mercedes-Benz]

All committers have signed the CLA.

[de-jcup]

Thank you for your contribution.
I found some parts I want to have been changed. Especially the report for web scans is not correct rendering (JSON and HTML). Please look at the comments for more details.

[de-jcup]

When you do a
map.get("metadata") and you have not defined it, it will always be null

Please remove the line.

[zigfridus]

@de-jcup It seems to me I have already removed it in this commit or am I wrong?

[de-jcup]

You added your new tests - okay (of course)
But you dropped the existing meta data label tests. Why?

We need these tests to ensure that the labels are inside the report - it is an important version.

Please add the former meta data label checks/tests again.

[zigfridus]

Unfortunately I didn't find any of these labels in the report that should be tested:
{"metaData":{"labels":{},"summary":
Should they exist here?

[de-jcup]

You added your new tests - okay (of course)
But you dropped the existing meta data label tests. Why?

We need these tests to ensure that the labels are inside the report - it is an important version.

Please add the former meta data label checks/tests again.

[zigfridus]

Unfortunately I didn't find any of these labels in the report that should be tested:
{"metaData":{"labels":{},"summary":
Should they exist here?

[de-jcup]

@zigfridus : I am happy to see that you have done some new commits/pushes. When your changes are complete, please re-request a review from me by GitHub UI. Thank you.

[zigfridus]

@de-jcup
I fixed some issues you found. Please have a look at my comments for unresolved conversations. I would like to have some clarifications. Thank you.

[de-jcup]

@zigfridus : Sorry (again) for the late response

With

• Provide a community branch and describe it inside contributions #2759

we introduced a "community" branch.

Please do me a favor and change your PR target from develop to community.
After this, I will merge the PR to community branch, do some additions and after this
merge it finally to develop

We try to install this as the default mechanism - to speed up merges, reduce frustration at contributor side, see build failures before merging to develop (main) branch etc. (see #2759 for details).

So... this is like a test balloon, but I hope this works well in future for other contributions/contributors as well.

Thank you for your patience, your contribution and your perseverance regarding this long ongoing PR...

^{Remark: With #2599 I fixed the sorting of the reduced open api file. Please merge the develop branch into your branch and get rid of the merge conflict (community branch is at same level as develop branch)}

[zigfridus]

@de-jcup
I changed this branch to community.

[Jeeppler]

@zigfridus awesome, thank you.

[zigfridus]

@Jeeppler
I changed the branch here. Could you please advice how to change destination branch in my fork?

[Jeeppler]

@zigfridus I think the best way to solve the problem is to close this pull-request (2156) and create a new pull-request fork/branch with the target branch mercedes-benz:community.

To not loos all the discussions from this conversation, you can simply link/mention this pull-request in your new pull-request.