StaticSecurity Audit - Vul count check (hygieia#95)

Author: nireeshT

pom.xml

@@ -4,7 +4,7 @@
     <artifactId>api-audit</artifactId>
     <packaging>jar</packaging>
     <name>${project.groupId}:${project.artifactId}</name>
-    <version>3.6.4-SNAPSHOT</version>
+    <version>3.6.5-SNAPSHOT</version>
     <description>Hygieia Audit Rest API Layer</description>
     <url>https://github.com/Hygieia/${repository.name}</url>
 

src/main/java/com/capitalone/dashboard/evaluator/StaticSecurityAnalysisEvaluator.java

@@ -79,8 +79,8 @@ private SecurityReviewAuditResponse getStaticSecurityScanResponse(CollectorItem
         CodeQuality returnQuality = codeQualities.get(0);
 
         /*
-        * audit on scan type
-        * */
+         * audit on scan type
+         * */
         List<String> approvedScanTypes = settings.getValidStaticSecurityScanTypes();
         if(CollectionUtils.isNotEmpty(approvedScanTypes) && Objects.nonNull(returnQuality)) {
             String scanType = returnQuality.getScanType();
@@ -93,18 +93,27 @@ private SecurityReviewAuditResponse getStaticSecurityScanResponse(CollectorItem
         securityReviewAuditResponse.setLastExecutionTime(returnQuality.getTimestamp());
         Set<CodeQualityMetric> metrics = returnQuality.getMetrics();
 
-        if (metrics.stream().anyMatch(metric -> metric.getName().equalsIgnoreCase(STR_CRITICAL))){
+        if (metrics.stream().anyMatch(metric -> metric.getName().equalsIgnoreCase(STR_CRITICAL)) && findSeverityCount(metrics, STR_CRITICAL) > 0){
             securityReviewAuditResponse.addAuditStatus(CodeQualityAuditStatus.STATIC_SECURITY_SCAN_FOUND_CRITICAL);
             securityReviewAuditResponse.addAuditStatus(CodeQualityAuditStatus.STATIC_SECURITY_SCAN_FAIL);
-        }else if (metrics.stream().anyMatch(metric -> metric.getName().equalsIgnoreCase(STR_HIGH))){
+        }else if (metrics.stream().anyMatch(metric -> metric.getName().equalsIgnoreCase(STR_HIGH)) && findSeverityCount(metrics, STR_HIGH) > 0){
             securityReviewAuditResponse.addAuditStatus(CodeQualityAuditStatus.STATIC_SECURITY_SCAN_FOUND_HIGH);
             securityReviewAuditResponse.addAuditStatus(CodeQualityAuditStatus.STATIC_SECURITY_SCAN_FAIL);
         }else{
-                securityReviewAuditResponse.addAuditStatus(CodeQualityAuditStatus.STATIC_SECURITY_SCAN_OK);
+            securityReviewAuditResponse.addAuditStatus(CodeQualityAuditStatus.STATIC_SECURITY_SCAN_OK);
         }
         return securityReviewAuditResponse;
     }
 
+    private int findSeverityCount(Set<CodeQualityMetric> metrics, String severity){
+        if(CollectionUtils.isNotEmpty(metrics)){
+            CodeQualityMetric codeQualityMetric = metrics.stream().filter(metric -> severity.equalsIgnoreCase(metric.getName())).filter(Objects::nonNull).findFirst().get();
+            return StringUtils.isNotEmpty(codeQualityMetric.getValue())?Integer.parseInt(codeQualityMetric.getValue()) : 0;
+        }
+        return 0;
+    }
+
+
     public void setSettings(ApiSettings settings) {
         this.settings = settings;
     }

src/test/java/com/capitalone/dashboard/evaluator/StaticSecurityAnalysisEvaluatorTest.java

@@ -48,7 +48,7 @@ public void testEvaluate_StaticSecurityMissing(){
     @Test
     public void testEvaluate_StaticSecurityCritical(){
 
-        List<CodeQuality> codeQualitiesCritical = getSecurityCodeQualityData("Critical", CodeQualityMetricStatus.Alert, "");
+        List<CodeQuality> codeQualitiesCritical = getSecurityCodeQualityData("Critical", CodeQualityMetricStatus.Alert, "1");
         when(codeQualityRepository.findByCollectorItemIdAndTimestampIsBetweenOrderByTimestampDesc(any(ObjectId.class),any(Long.class),any(Long.class))).thenReturn(codeQualitiesCritical);
         CollectorItem collectorItem = new CollectorItem();
         collectorItem.getOptions().put("reportUrl", "");
@@ -59,7 +59,7 @@ public void testEvaluate_StaticSecurityCritical(){
     @Test
     public void testEvaluate_StaticSecurityHigh(){
 
-        List<CodeQuality> codeQualitiesCritical = getSecurityCodeQualityData("High", CodeQualityMetricStatus.Alert, "");
+        List<CodeQuality> codeQualitiesCritical = getSecurityCodeQualityData("High", CodeQualityMetricStatus.Alert, "1");
         when(codeQualityRepository.findByCollectorItemIdAndTimestampIsBetweenOrderByTimestampDesc(any(ObjectId.class),any(Long.class),any(Long.class))).thenReturn(codeQualitiesCritical);
         CollectorItem collectorItem = new CollectorItem();
         collectorItem.getOptions().put("reportUrl", "");