CxOne: Update compliance check for audited findings (#5480)

hubadr · thtri · web-flow · commit 11e20cc37fb1 · 2025-09-17T17:53:34.000+02:00
Co-authored-by: thtri &lt;thanh.hai.trinh@sap.com&gt;
diff --git a/cmd/checkmarxOneExecuteScan.go b/cmd/checkmarxOneExecuteScan.go
@@ -619,7 +619,7 @@ func (c *checkmarxOneExecuteScanHelper) PostScanSummaryInPullRequest(detailedRes
 				if len(c.config.Repository) == 0 {
 					repository = pathParts[len(pathParts)-1]
 				}
-				log.Entry().Infof("Found repository %s and owner %s from orchestrator", c.config.Repository, c.config.Owner)
+				log.Entry().Debugf("Found repository %s and owner %s from orchestrator", repository, owner)
 			} else {
 				return fmt.Errorf("failed to extract owner and repository from URL %s", repoUrl)
 			}
@@ -636,23 +636,60 @@ func (c *checkmarxOneExecuteScanHelper) PostScanSummaryInPullRequest(detailedRes
 		ghIssues := c.utils.GetIssueService()
 		log.Entry().Debugf("Creating/updating GitHub issue with check results with PR: %s, GithubAPIURL: %s, Owner: %s, Repository: %s", c.config.PullRequestName, c.config.GithubAPIURL, owner, repository)
 		scanReportOverview := checkmarxOne.CreateJSONHeaderReport(detailedResults)
-		var criticalSeverityString, highSeverityString, mediumSeverityString, lowSeverityString string
+		var criticalSeverityString, highSeverityString, mediumSeverityString, lowSeverityString, criticalComplianceCheckString, highComplianceCheckString, mediumComplianceCheckString, lowComplianceCheckString string
 		for _, finding := range *scanReportOverview.Findings {
 			switch finding.ClassificationName {
 			case "Critical":
-				criticalSeverityString = fmt.Sprintf("%d", finding.Total-*finding.Audited)
+				// TODO: check if config threshold unit is percent or absolute number
+				if *finding.Audited < int(math.Ceil((float64(c.config.VulnerabilityThresholdCritical)/100.0)*float64(finding.Total))) {
+					criticalComplianceCheckString = ":x:"
+				} else {
+					criticalComplianceCheckString = ":white_check_mark:"
+				}
+				if finding.Confirmed > 0 {
+					criticalSeverityString = fmt.Sprintf("%s %d (%d confirmed)", criticalComplianceCheckString, finding.Total-*finding.Audited, finding.Confirmed)
+				} else {
+					criticalSeverityString = fmt.Sprintf("%s %d", criticalComplianceCheckString, finding.Total-*finding.Audited)
+				}
 			case "High":
-				highSeverityString = fmt.Sprintf("%d", finding.Total-*finding.Audited)
+				if *finding.Audited < int(math.Ceil((float64(c.config.VulnerabilityThresholdHigh)/100.0)*float64(finding.Total))) {
+					highComplianceCheckString = ":x:"
+				} else {
+					highComplianceCheckString = ":white_check_mark:"
+				}
+				if finding.Confirmed > 0 {
+					highSeverityString = fmt.Sprintf("%s %d (%d confirmed)", highComplianceCheckString, finding.Total-*finding.Audited, finding.Confirmed)
+				} else {
+					highSeverityString = fmt.Sprintf("%s %d", highComplianceCheckString, finding.Total-*finding.Audited)
+				}
 			case "Medium":
-				mediumSeverityString = fmt.Sprintf("%d", finding.Total-*finding.Audited)
+				if *finding.Audited < int(math.Ceil((float64(c.config.VulnerabilityThresholdMedium)/100.0)*float64(finding.Total))) {
+					mediumComplianceCheckString = ":x:"
+				} else {
+					mediumComplianceCheckString = ":white_check_mark:"
+				}
+				if finding.Confirmed > 0 {
+					mediumSeverityString = fmt.Sprintf("%s %d (%d confirmed)", mediumComplianceCheckString, finding.Total-*finding.Audited, finding.Confirmed)
+				} else {
+					mediumSeverityString = fmt.Sprintf("%s %d", mediumComplianceCheckString, finding.Total-*finding.Audited)
+				}
 			case "Low":
 				if finding.LowPerQuery != nil {
 					for _, lowFinding := range *finding.LowPerQuery {
 						if c.config.VulnerabilityThresholdLowPerQuery {
+							confirmedLowString := ""
+							if lowFinding.Confirmed > 0 {
+								confirmedLowString = fmt.Sprintf(", of which %d confirmed", lowFinding.Confirmed)
+							}
 							lowAuditedRequiredPerQuery := min(int(math.Ceil(float64(lowFinding.Total)*float64(c.config.VulnerabilityThresholdLow)/100.0)), c.config.VulnerabilityThresholdLowPerQueryMax)
-							lowSeverityString = fmt.Sprintf("%s%d %s (%d audits / %d required) <br>", lowSeverityString, lowFinding.Total-lowFinding.Audited, lowFinding.QueryName, lowFinding.Audited, lowAuditedRequiredPerQuery)
+							if lowFinding.Audited < lowAuditedRequiredPerQuery {
+								lowComplianceCheckString = ":x:"
+							} else {
+								lowComplianceCheckString = ":white_check_mark:"
+							}
+							lowSeverityString = fmt.Sprintf("%s%s %d %s (%d audited / %d required%s) <br>", lowSeverityString, lowComplianceCheckString, lowFinding.Total-lowFinding.Audited, lowFinding.QueryName, lowFinding.Audited, lowAuditedRequiredPerQuery, confirmedLowString)
 						} else {
-							lowSeverityString = fmt.Sprintf("%s%d %s<br>", lowSeverityString, lowFinding.Total-lowFinding.Audited, lowFinding.QueryName)
+							lowSeverityString = fmt.Sprintf("%s%s %d %s<br>", lowSeverityString, lowComplianceCheckString, lowFinding.Total-lowFinding.Audited, lowFinding.QueryName)
 						}
 					}
 				}
@@ -669,7 +706,7 @@ func (c *checkmarxOneExecuteScanHelper) PostScanSummaryInPullRequest(detailedRes
 **Project**: %s
 **ScanId**: %s
 **Preset**: %s
-Severity | Number of open findings
+Severity | Number of unaudited findings
 --- | ---
 :bangbang: Critical | %s
 :red_circle: High | %s
@@ -1252,36 +1289,41 @@ func (c *checkmarxOneExecuteScanHelper) enforceThresholds(results *map[string]in
 	cxLowThreshold := c.config.VulnerabilityThresholdLow
 	cxLowThresholdPerQuery := c.config.VulnerabilityThresholdLowPerQuery
 	cxLowThresholdPerQueryMax := c.config.VulnerabilityThresholdLowPerQueryMax
-	criticalValue := (*results)["Critical"].(map[string]int)["NotFalsePositive"]
-	highValue := (*results)["High"].(map[string]int)["NotFalsePositive"]
-	mediumValue := (*results)["Medium"].(map[string]int)["NotFalsePositive"]
-	lowValue := (*results)["Low"].(map[string]int)["NotFalsePositive"]
+	// findings are audited if they are in state Confirmed, Urgent or NotExploitable
+	criticalValue := (*results)["Critical"].(map[string]int)["ToVerify"] + (*results)["Critical"].(map[string]int)["ProposedNotExploitable"]
+	confirmedCriticalValue := (*results)["Critical"].(map[string]int)["Confirmed"] + (*results)["Critical"].(map[string]int)["Urgent"]
+	highValue := (*results)["High"].(map[string]int)["ToVerify"] + (*results)["High"].(map[string]int)["ProposedNotExploitable"]
+	confirmedHighValue := (*results)["High"].(map[string]int)["Confirmed"] + (*results)["High"].(map[string]int)["Urgent"]
+	mediumValue := (*results)["Medium"].(map[string]int)["ToVerify"] + (*results)["Medium"].(map[string]int)["ProposedNotExploitable"]
+	confirmedMediumValue := (*results)["Medium"].(map[string]int)["Confirmed"] + (*results)["Medium"].(map[string]int)["Urgent"]
+	lowValue := (*results)["Low"].(map[string]int)["ToVerify"] + (*results)["Low"].(map[string]int)["ProposedNotExploitable"]
+	confirmedLowValue := (*results)["Low"].(map[string]int)["Confirmed"] + (*results)["Low"].(map[string]int)["Urgent"]
 	var unit string
 	criticalViolation := ""
 	highViolation := ""
 	mediumViolation := ""
 	lowViolation := ""
 	if c.config.VulnerabilityThresholdUnit == "percentage" {
 		unit = "%"
-		criticalAudited := (*results)["Critical"].(map[string]int)["Issues"] - (*results)["Critical"].(map[string]int)["NotFalsePositive"]
+		criticalAudited := (*results)["Critical"].(map[string]int)["NotExploitable"] + (*results)["Critical"].(map[string]int)["Confirmed"] + (*results)["Critical"].(map[string]int)["Urgent"]
 		criticalOverall := (*results)["Critical"].(map[string]int)["Issues"]
 		if criticalOverall == 0 {
 			criticalAudited = 1
 			criticalOverall = 1
 		}
-		highAudited := (*results)["High"].(map[string]int)["Issues"] - (*results)["High"].(map[string]int)["NotFalsePositive"]
+		highAudited := (*results)["High"].(map[string]int)["NotExploitable"] + (*results)["High"].(map[string]int)["Confirmed"] + (*results)["High"].(map[string]int)["Urgent"]
 		highOverall := (*results)["High"].(map[string]int)["Issues"]
 		if highOverall == 0 {
 			highAudited = 1
 			highOverall = 1
 		}
-		mediumAudited := (*results)["Medium"].(map[string]int)["Issues"] - (*results)["Medium"].(map[string]int)["NotFalsePositive"]
+		mediumAudited := (*results)["Medium"].(map[string]int)["NotExploitable"] + (*results)["Medium"].(map[string]int)["Confirmed"] + (*results)["Medium"].(map[string]int)["Urgent"]
 		mediumOverall := (*results)["Medium"].(map[string]int)["Issues"]
 		if mediumOverall == 0 {
 			mediumAudited = 1
 			mediumOverall = 1
 		}
-		lowAudited := (*results)["Low"].(map[string]int)["Confirmed"] + (*results)["Low"].(map[string]int)["NotExploitable"]
+		lowAudited := (*results)["Low"].(map[string]int)["Confirmed"] + (*results)["Low"].(map[string]int)["NotExploitable"] + (*results)["Low"].(map[string]int)["Urgent"]
 		lowOverall := (*results)["Low"].(map[string]int)["Issues"]
 		if lowOverall == 0 {
 			lowAudited = 1
@@ -1310,7 +1352,7 @@ func (c *checkmarxOneExecuteScanHelper) enforceThresholds(results *map[string]in
 				lowPerQueryMap := (*results)["LowPerQuery"].(map[string]map[string]int)
 
 				for lowQuery, resultsLowQuery := range lowPerQueryMap {
-					lowAuditedPerQuery := resultsLowQuery["Confirmed"] + resultsLowQuery["NotExploitable"]
+					lowAuditedPerQuery := resultsLowQuery["Confirmed"] + resultsLowQuery["NotExploitable"] + resultsLowQuery["Urgent"]
 					lowOverallPerQuery := resultsLowQuery["Issues"]
 					lowAuditedRequiredPerQuery := min(int(math.Ceil(float64(lowOverallPerQuery)*float64(cxLowThreshold)/100.0)), cxLowThresholdPerQueryMax)
 					if lowAuditedPerQuery < lowAuditedRequiredPerQuery && lowAuditedPerQuery < cxLowThresholdPerQueryMax {
@@ -1351,10 +1393,24 @@ func (c *checkmarxOneExecuteScanHelper) enforceThresholds(results *map[string]in
 		}
 	}
 
-	criticalText := fmt.Sprintf("Critical %v%v %v", criticalValue, unit, criticalViolation)
-	highText := fmt.Sprintf("High %v%v %v", highValue, unit, highViolation)
-	mediumText := fmt.Sprintf("Medium %v%v %v", mediumValue, unit, mediumViolation)
-	lowText := fmt.Sprintf("Low %v%v %v", lowValue, unit, lowViolation)
+	var confirmedCriticalString, confirmedHighString, confirmedMediumString, confirmedLowString string
+	if confirmedCriticalValue > 0 {
+		confirmedCriticalString = fmt.Sprintf(" (of which %v confirmed)", confirmedCriticalValue)
+	}
+	if confirmedHighValue > 0 {
+		confirmedHighString = fmt.Sprintf(" (of which %v confirmed)", confirmedHighValue)
+	}
+	if confirmedMediumValue > 0 {
+		confirmedMediumString = fmt.Sprintf(" (of which %v confirmed)", confirmedMediumValue)
+	}
+	if confirmedLowValue > 0 {
+		confirmedLowString = fmt.Sprintf(" (of which %v confirmed)", confirmedLowValue)
+	}
+	criticalText := fmt.Sprintf("Critical %v%v %v %v", criticalValue, unit, confirmedCriticalString, criticalViolation)
+	highText := fmt.Sprintf("High %v%v %v %v", highValue, unit, confirmedHighString, highViolation)
+	mediumText := fmt.Sprintf("Medium %v%v %v %v", mediumValue, unit, confirmedMediumString, mediumViolation)
+	lowText := fmt.Sprintf("Low %v%v %v %v", lowValue, unit, confirmedLowString, lowViolation)
+	log.Entry().Info("Result auditing status per severity:")
 	if len(criticalViolation) > 0 {
 		insecureResults = append(insecureResults, criticalText)
 		log.Entry().Error(criticalText)
diff --git a/pkg/checkmarxone/reporting.go b/pkg/checkmarxone/reporting.go
@@ -37,13 +37,15 @@ type Finding struct {
 	ClassificationName string         `json:"classificationName"`
 	Total              int            `json:"total,omitempty"`
 	Audited            *int           `json:"audited,omitempty"`
+	Confirmed          int            `json:"confirmed,omitempty"`
 	LowPerQuery        *[]LowPerQuery `json:"categories,omitempty"`
 }
 
 type LowPerQuery struct {
 	QueryName string `json:"name"`
 	Audited   int    `json:"audited"`
 	Total     int    `json:"total"`
+	Confirmed int    `json:"confirmed"`
 }
 
 func CreateCustomReport(data *map[string]interface{}, insecure, neutral []string) reporting.ScanReport {
@@ -163,22 +165,25 @@ func CreateJSONHeaderReport(data *map[string]interface{}) CheckmarxOneReportData
 	criticalFindings := Finding{}
 	criticalFindings.ClassificationName = "Critical"
 	criticalFindings.Total = (*data)["Critical"].(map[string]int)["Issues"]
-	criticalAudited := (*data)["Critical"].(map[string]int)["Issues"] - (*data)["Critical"].(map[string]int)["NotFalsePositive"]
+	criticalAudited := (*data)["Critical"].(map[string]int)["NotExploitable"] + (*data)["Critical"].(map[string]int)["Urgent"] + (*data)["Critical"].(map[string]int)["Confirmed"]
 	criticalFindings.Audited = &criticalAudited
+	criticalFindings.Confirmed = (*data)["Critical"].(map[string]int)["Confirmed"] + (*data)["Critical"].(map[string]int)["Urgent"]
 	findings = append(findings, criticalFindings)
 	// High
 	highFindings := Finding{}
 	highFindings.ClassificationName = "High"
 	highFindings.Total = (*data)["High"].(map[string]int)["Issues"]
-	highAudited := (*data)["High"].(map[string]int)["Issues"] - (*data)["High"].(map[string]int)["NotFalsePositive"]
+	highAudited := (*data)["High"].(map[string]int)["NotExploitable"] + (*data)["High"].(map[string]int)["Urgent"] + (*data)["High"].(map[string]int)["Confirmed"]
 	highFindings.Audited = &highAudited
+	highFindings.Confirmed = (*data)["High"].(map[string]int)["Confirmed"] + (*data)["High"].(map[string]int)["Urgent"]
 	findings = append(findings, highFindings)
 	// Medium
 	mediumFindings := Finding{}
 	mediumFindings.ClassificationName = "Medium"
 	mediumFindings.Total = (*data)["Medium"].(map[string]int)["Issues"]
-	mediumAudited := (*data)["Medium"].(map[string]int)["Issues"] - (*data)["Medium"].(map[string]int)["NotFalsePositive"]
+	mediumAudited := (*data)["Medium"].(map[string]int)["NotExploitable"] + (*data)["Medium"].(map[string]int)["Urgent"] + (*data)["Medium"].(map[string]int)["Confirmed"]
 	mediumFindings.Audited = &mediumAudited
+	mediumFindings.Confirmed = (*data)["Medium"].(map[string]int)["Confirmed"] + (*data)["Medium"].(map[string]int)["Urgent"]
 	findings = append(findings, mediumFindings)
 	// Low
 	lowFindings := Finding{}
@@ -187,19 +192,21 @@ func CreateJSONHeaderReport(data *map[string]interface{}) CheckmarxOneReportData
 		lowPerQueryList := []LowPerQuery{}
 		lowPerQueryMap := (*data)["LowPerQuery"].(map[string]map[string]int)
 		for queryName, resultsLowQuery := range lowPerQueryMap {
-			audited := resultsLowQuery["Confirmed"] + resultsLowQuery["NotExploitable"]
+			audited := resultsLowQuery["Confirmed"] + resultsLowQuery["NotExploitable"] + resultsLowQuery["Urgent"]
 			total := resultsLowQuery["Issues"]
 			lowPerQuery := LowPerQuery{}
 			lowPerQuery.QueryName = queryName
 			lowPerQuery.Audited = audited
+			lowPerQuery.Confirmed = resultsLowQuery["Confirmed"] + resultsLowQuery["Urgent"]
 			lowPerQuery.Total = total
 			lowPerQueryList = append(lowPerQueryList, lowPerQuery)
 		}
 		lowFindings.LowPerQuery = &lowPerQueryList
 		findings = append(findings, lowFindings)
 	} else {
 		lowFindings.Total = (*data)["Low"].(map[string]int)["Issues"]
-		lowAudited := (*data)["Low"].(map[string]int)["Confirmed"] + (*data)["Low"].(map[string]int)["NotExploitable"]
+		lowAudited := (*data)["Low"].(map[string]int)["Confirmed"] + (*data)["Low"].(map[string]int)["NotExploitable"] + (*data)["Low"].(map[string]int)["Urgent"]
+		lowFindings.Confirmed = (*data)["Low"].(map[string]int)["Confirmed"] + (*data)["Low"].(map[string]int)["Urgent"]
 		lowFindings.Audited = &lowAudited
 		findings = append(findings, lowFindings)
 	}
