Kiuwan is a powerful, end-to-end application security platform. Kiuwan Static Application Security Testing (SAST) product is the tool that detects security vulnerabilities in source code using static analysis.
The problem is that Xygeni does not provide a mechanism in the agent (Kiuwan Local Analyzer) for writing to a local file the findings from the tool.
The Kiuwan scanner (Kiuwan Local Analyzer) by default uploads its findings to the Kiuwan platform.
To export the findings to a local file for uploading into third-party tools like Xygeni, the approach used was to register the custom rule provided that registers a task to export the findings at the end of the analysis, using the standard-provided report formatter for the xml_issues report, the same format that the agent uses to send the findings to the Kiuwan on-cloud service.
The rule JAR and rule descriptors are already provided in the directory for your convenience. Anyway, the jar with the compile rule could be generated using Maven:
The compilation will copy the jar into dist and run the script to create a rule descriptor for each technology, which stores all rule descriptors into .
Next, follow the instructions to upload the and the to Kiuwan.
Read in Kiuwan documentation for full details on how to install rule definitions and their implementations, so the exporter rule may work at your installation. You need also to add the imported rules to an existing model, so the local analyzer will download them.
Once rules and jar uploaded and added to the Kiuwan model, the local analyzer will execute the exporter rule when the output report is given, so it can be uploaded into Xygeni.
Run the Kiuwan Local Analyzer with the path to the report file provided in the KIUWAN_JSON_REPORT environment variable.
Use the xygeni report-upload command for uploading the exported report, after normalization to the Xygeni SAST format.
$ cd extensions/report_upload/kiuwan
$ mvn package$ KIUWAN_JSON_REPORT=/path/to/my/report.xml
$ agent.sh -s DIR -n NAME -c
...
Report file available at: /path/to/my/report.xmlxygeni report-upload --report=/path/to/my/report.xml --format sast-kiuwanThe xygeni report-upload command normalizes and uploads findings from third-party security tools to the Xygeni platform. The input reports are typically export formats (JSON, XML) and may follow common exchange formats like Static Analysis Results Interchange Format (SARIF) or GitLab’s Security Report Schemas.
The following is the list of third-party security scanners and report formats supported. Formats and tools are listed in alphabetical order. Xygeni does not endorse any vendor or tool.
Go to report-upload command reference for further details.
Snyk
Snyk SCA report, in JSON format
sca-checkmarx-one-results
Checkmarx One
SAST scanner of Checkmarx One, exported using 'cx results show'
sast-fortify-fpr
Fortify
Fortify SAST report, in .fpr or .fvdl format
sast-fortify-xml
Fortify
Fortify SAST XML report
sast-kiuwan
Kiuwan
Kiuwan SAST XML report
sast-sonarcloud
SonarCloud
SonarCloud SAST JSON report
sast-sonarserver
SonarServer
SonarServer SAST JSON report
iac-checkmarx-one
Checkmarx One
IaC scanner of Checkmarx One, in JSON format
iac-checkmarx-one-results
Checkmarx One
IaC scanner of Checkmarx One, exported using 'cx results show'
sca-sarif
<any>
Component vulnerabilities detected by a SCA tool, SARIF format
sca-checkmarx
Checkmarx SCA
CxSCA report, in JSON format
sca-checkmarx-one
Checkmarx One
SCA scanner of Checkmarx One, in JSON format
sca-checkmarx-one-results
Checkmarx One
SCA scanner of Checkmarx One, exported using 'cx results show'
sast-sarif
<any>
Code vulnerabilities detected by a SAST tool, in SARIF format
sast-checkmarx
Checkmarx
CxSAST JSON report
sast-checkmarx-xml
Checkmarx
CxSAST XML report
sast-checkmarx-one
Checkmarx One
SAST scanner of Checkmarx One, in JSON format
iac-sarif
<any>
IaC vulnerabilities detected by a IaC tool, in SARIF format
iac-checkov
Checkov
Checkov IaC scanner, JSON format
iac-kics
KICS
IaC vulnerabilities detected by KICS, in JSON format
iac-checkmarx
Checkmarx
IaC scanner of Checkmarx, in JSON format
secrets-sarif
<any>
Secrets detected by a secrets tool, in SARIF format
secrets-gitleaks
GitLeaks
Secrets detected by GitLeaks, in JSON format
sca-snyk
package ext.kiuwan;
import com.als.core.AbstractRule;
import com.als.core.RuleContext;
import com.als.core.io.IOUtils;
import com.als.core.renderers.RenderException;
import com.als.core.renderers.Renderer;
import com.als.core.renderers.XmlIssuesRenderer;
import com.als.core.util.StringUtil;
import com.als.core.util.SysUtils;
import com.optimyth.qaking.task.OneShotTask;
import java.io.File;
import java.io.IOException;
import java.io.OutputStream;
/**
* ExportRule is a pseudo-rule that exports the Kiuwan SAST report to XML ('xml_issues' format),
* for importing the raw scanner findings into other tools, like ASOC / ASPM.
* <p>
* The rule does not create any issue. It simply registers a {@link ReportExportTask} as a POST_PROCESS task
* to be run at the end of the analysis. This task exports the report to XML, using the 'KIUWAN_JSON_REPORT'
* property (either environment variable or java system property).
*
* @author lrodriguez
* @version 30-Apr-2024 (lrodriguez)
*/
public class ExportRule extends AbstractRule {
@Override public boolean accept(String technology, RuleContext ctx) {
return true; // valid for any tech
}
@Override public void initialize(RuleContext ctx) {
super.initialize(ctx);
ReportExportTask exporter = new ReportExportTask();
ctx.getAnalysisTasks().addOneShotTask(exporter);
}
/**
* The task that runs at the end of the analysis, for dumping the XML report
* to the file specified in the $KIUWAN_JSON_REPORT environment variable.
*/
public static class ReportExportTask implements OneShotTask {
private final String report = SysUtils.getProperty("KIUWAN_JSON_REPORT");
private final boolean isActive = StringUtil.hasText(report);
@Override public boolean isActiveTask() { return isActive; }
@Override public void start(RuleContext ctx) {
if(!isActive) return;
System.out.println(ExportRule.class.getName() + " active, will export report to: " + report);
}
@Override public void end(RuleContext ctx) {
if(!isActive) return;
File reportFile = getReportFile();
try(OutputStream os = IOUtils.openOutputStream(reportFile, false)) {
getRenderer().render(ctx.getReport(), os, reportFile.getParentFile(), ctx);
System.out.println("Report file available at: " + reportFile.getAbsolutePath());
} catch (IOException | RenderException e) {
System.err.println("Error: cannot write report file "+ reportFile + ": " + e.getMessage());
}
}
private File getReportFile() {
File reportFile = new File(report);
if(!reportFile.isAbsolute()) {
// Use $HOME as base directory if relative path is provided.
// Often $HOME is writable even on CI/CD runners.
reportFile = new File(SysUtils.getUserHome(), report);
}
// ensure the directory for report exists
// noinspection ResultOfMethodCallIgnored
reportFile.getParentFile().mkdirs();
return reportFile;
}
/** XmlIssuesRenderer with simple configuration. We do not render muted issues, but you may change this. */
private Renderer getRenderer() {
XmlIssuesRenderer renderer = new XmlIssuesRenderer();
renderer.setIndentPositions(2);
renderer.setRenderMutedIssues(false); // ignore muted
renderer.setRenderChecks(true);
renderer.setRenderCheckDetails(true);
renderer.setRenderErrors(true);
renderer.setRenderIssuesStatistics(true);
return renderer;
}
}
}