# Step 1: Evidence Details

|System|Source of data|Frameworks|Purpose|
|---|---|---|---|
|Semgrep|compliancecow|-|Semgrep enhances code security by identifying vulnerabilities and enforcing security best practices. Custom rules can be created to address specific security needs.<br> Integrating Semgrep into the development process ensures consistent and automated security checks with every code change.|

```
RecommendedEvidenceName:
SemgrepCodeVulnerabilityReport
SemgrepSupplyChainVulnerabilityReport
SemgrepCodeFindingsSummaryReport
SemgrepSupplyChainFindingsSummaryReport
```

**Reference:**
- https://semgrep.dev/api/v1/docs/#section/Introduction
- https://semgrep.dev/r

# Step 2: Define the System Specific Data (a.k.a Extended Data Schema)

## Step 2a: Creating a Web Token API in Semgrep UI

1. **Login to Semgrep UI**:
   - Navigate to the Semgrep UI login page.
   - Enter your credentials to log in.

2. **Navigate to the API Tokens Section**:
   - After logging in, go to the settings.
   - Find the option for Tokens.

3. **Generate a New Token**:
   - Click on the option to create a new token.
   - Provide a Name or description for the token to identify its purpose.
   - Set the Web API Scope for the token and copy the Secrets value.
   - Click on 'Save' to create the token.

4. **Save the Token Securely**:
   - Copy the generated token and store it securely.
   - This token will be used for authenticating API requests.

## Step 2b: IncludeCriteria, ExcludeCriteria and Severity

1. **Understanding IncludeCriteria and ExcludeCriteria**:
   - `IncludeCriteria` and `ExcludeCriteria` are used to filter projects for analysis.
   - They help in specifying which projects should be included or excluded during the scan.

2. **Default Values Handling**:
   - If the user does not provide any input for `IncludeCriteria` or `ExcludeCriteria`, default values will be used.
   - The default values ensure that all relevant projects are included unless explicitly excluded.

3. **Using IncludeCriteria**:
   - Example: `/project/shoppingwebsite, /project/username/project2`
   - This will include the specified projects in the scan.

4. **Using ExcludeCriteria**:
   - Example: `/project/username/project1`
   - This will exclude the specified projects from the scan.

5. **Exact Match Requirement**:
   - The criteria matching is case-sensitive and requires an exact match.
   - Invalid project names in `ExcludeCriteria` will not affect the valid `IncludeCriteria`.

6. **Severity Levels Input**:
   - The Severity parameter allows the user to specify the severity levels of findings to include in the report.
   - Valid Severity Values: low, medium, high, critical.
   - If the user does not provide any severity input, the scan includes all severities by default.
   - If the user provides `*` as the severity input, all severities (low, medium, high, critical) are included.
   - **Error Handling:** If the user provides an invalid severity (e.g., loww, highh), the program will throw an error, produce a log file with the error details, and exit the program.

7. **Default Handling Code**:
   - The implementation ensures that if no input is given, default criteria (which include all projects and all severities) are applied automatically.
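The filtering rules of Step 2b (defaults, exact case-sensitive matching, unknown exclude names ignored, invalid severity rejected) as an added example; this is not the rule's own code. It assumes that a criterion is compared against `repository.name` of each finding returned by `GET /deployments/{deployment_slug}/findings`, since the page does not name the matched field.

```python
# Added example, not the original rule's code. Assumption: criteria are compared
# exactly (case-sensitively) against finding["repository"]["name"].

VALID_SEVERITIES = {"low", "medium", "high", "critical"}


def parse_criteria(text: str) -> set:
    """Split a comma-separated IncludeCriteria/ExcludeCriteria string into exact paths."""
    return {item.strip() for item in (text or "").split(",") if item.strip()}


def parse_severities(text: str) -> set:
    """Empty or '*' means every severity; any value outside the valid set is an error."""
    if not text or text.strip() == "*":
        return set(VALID_SEVERITIES)
    wanted = {item.strip() for item in text.split(",") if item.strip()}
    invalid = wanted - VALID_SEVERITIES
    if invalid:
        # The rule described on the page logs the details to a file and exits;
        # here the caller decides how to handle the raised error.
        raise ValueError(f"invalid severity value(s): {sorted(invalid)}")
    return wanted


def filter_findings(findings, include="", exclude="", severity=""):
    """Apply IncludeCriteria, ExcludeCriteria and Severity with the documented defaults."""
    wanted_sev = parse_severities(severity)
    include_set = parse_criteria(include)
    exclude_set = parse_criteria(exclude)
    kept = []
    for finding in findings:
        name = finding.get("repository", {}).get("name", "")
        if include_set and name not in include_set:  # empty include = all projects
            continue
        if name in exclude_set:                      # unknown exclude names match nothing
            continue
        if finding.get("severity") not in wanted_sev:
            continue
        kept.append(finding)
    return kept


# Constructed sample findings; shape follows the Step 2d response, trimmed to the used fields.
SAMPLE_FINDINGS = [
    {"id": 1, "severity": "high", "repository": {"name": "/project/shoppingwebsite"}},
    {"id": 2, "severity": "low", "repository": {"name": "/project/username/project1"}},
    {"id": 3, "severity": "medium", "repository": {"name": "/project/username/project2"}},
    {"id": 4, "severity": "critical", "repository": {"name": "/project/Username/project2"}},
]
```

Note that finding 4 differs from the include example only in case and is therefore dropped by an exact match.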

## Step 2c: API & Flow

- GET /deployments
  - Returns the deployments that your authentication can access.
- GET /deployments/{deployment_slug}/findings
  - Returns a list of code or supply chain findings in an organization.
  - Query parameter `issue-type` specifies the type of findings to return. If not specified, SAST (Code) findings are returned. It can be either SAST (Code) or SCA (Supply Chain).
- GET /deployments/{deploymentId}/secrets
  - Returns the secrets findings of your organization.

## Step 2d: Define the Extended Schema


In [None]:
# List code or supply chain findings
{
  "findings": [
    {
      "id": 1234567,
      "ref": "refs/pull/1234/merge",
      "first_seen_scan_id": 1234,
      "syntactic_id": "440eeface888e78afceac3dc7d4cc2cf",
      "match_based_id": "440eeface888e78afceac3dc7d4cc2cf",
      "repository": {
        "name": "semgrep",
        "url": "https://github.com/semgrep/semgrep"
      },
      "line_of_code_url": "https://github.com/semgrep/semgrep/blob/39f95450a7d4d70e54c9edbd109bed8210a36889/src/core_cli/Core_CLI.ml#L1",
      "triage_state": "untriaged",
      "state": "unresolved",
      "status": "open",
      "severity": "medium",
      "confidence": "medium",
      "categories": [
        "security"
      ],
      "created_at": "2020-11-18T23:28:12.391807Z",
      "relevant_since": "2020-11-18T23:28:12.391807Z",
      "rule_name": "typescript.react.security.audit.react-no-refs.react-no-refs",
      "rule_message": "`ref` usage found. refs give direct DOM access and may create a possibility for XSS, which could cause\nsensitive information such as user cookies to be retrieved by an attacker. Instead, avoid direct DOM\nmanipulation or use DOMPurify to sanitize HTML before writing it into the page.\n",
      "location": {
        "file_path": "frontend/src/corpComponents/Code.tsx",
        "line": 120,
        "column": 8,
        "end_line": 124,
        "end_column": 16
      },
      "sourcing_policy": {
        "id": 120,
        "name": "Default Policy",
        "slug": "default-policy"
      },
      "triaged_at": "2020-11-19T23:28:12.391807Z",
      "triage_comment": "This finding is from the test repo",
      "triage_reason": "acceptable_risk",
      "state_updated_at": "2020-11-19T23:28:12.391807Z",
      "rule": {
        "name": "html.security.plaintext-http-link.plaintext-http-link",
        "message": "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible.",
        "confidence": "high",
        "category": "security",
        "subcategories": [
          "vuln"
        ],
        "vulnerability_classes": [
          "Mishandled Sensitive Information"
        ],
        "cwe_names": [
          "CWE-319: Cleartext Transmission of Sensitive Information"
        ],
        "owasp_names": [
          "A03:2017 - Sensitive Data Exposure",
          "A02:2021 - Cryptographic Failures"
        ]
      },
      "assistant": {
        "autofix": {
          "fix_code": "cookie.setHttpOnly(true);\nresponse.addCookie(cookie);",
          "explanation": "This fix requires an additional library to be imported."
        },
        "autotriage": {
          "verdict": "false_positive",
          "reason": "The matched code is used for a non-security related feature."
        },
        "component": {
          "tag": "user data",
          "risk": "high"
        }
      }
    }
  ]
}

# List secrets findings
{
  "findings": [
    {
      "createdAt": "2024-06-17T17:23:01.901204Z",
      "updatedAt": "2024-06-20T17:33:00.669343Z",
      "id": "691234",
      "type": "OpenAI",  # service type of the detected secret
      "findingPath": "src/ai.py:232",
      "findingPathUrl": "https://github.com/foo/bar/blob/6ad16b240d4b6ae5bd6e326dd71053c21344e311/src/ai.py#L232",
      "repository": {
        "name": "foo/bar",
        "url": "https://github.com/foo/bar",
        "visibility": "REPOSITORY_VISIBILITY_PRIVATE",
        "scmType": "SCM_TYPE_GITHUB"
      },
      "ref": "refs/pull/148/merge",
      "refUrl": "https://github.com/foo/bar/pull/148",
      "severity": "SEVERITY_HIGH",
      "confidence": "CONFIDENCE_HIGH",
      "validationState": "VALIDATION_STATE_CONFIRMED_VALID",
      "mode": "MODE_MONITOR",
      "status": "FINDING_STATUS_FIXED",
      "ruleHashId": "lBU41LA"
    },
    {
      "createdAt": "2024-06-08T11:01:23.380293Z",
      "updatedAt": "2024-06-22T11:07:02.384500Z",
      "id": "6881234",
      "type": "Heroku",
      "findingPath": "config.yaml:801",
      "findingPathUrl": "https://github.com/foo/baz/blob/e2b6d5ca75d830e10f5f617481a66a981bd093c0/config.yaml#L801",
      "repository": {
        "name": "foo/baz",
        "url": "https://github.com/foo/baz",
        "visibility": "REPOSITORY_VISIBILITY_PRIVATE",
        "scmType": "SCM_TYPE_GITHUB"
      },
      "ref": "develop",
      "refUrl": "https://github.com/foo/baz/tree/develop",
      "severity": "SEVERITY_HIGH",
      "confidence": "CONFIDENCE_MEDIUM",
      "validationState": "VALIDATION_STATE_CONFIRMED_INVALID",
      "mode": "MODE_COMMENT",
      "status": "FINDING_STATUS_IGNORED",
      "ruleHashId": "pKUYdA"
    }
  ],
  "cursor": "Pm0ROjIwMjQtMDItMDYgMjA6MDQ6NDguMEDzNzk2fmk6NYTM2zUxOTI="
}

# Code to Display Step 3. Standard Schema and Step 4. Compliance Taxonomy

In [None]:
import json
from IPython.display import display, Markdown
import ipywidgets as widgets

# Load the JSON data from the file
path = "StandardSchemaAndComplianceTaxonomyConfig.json" # Config File path

with open(path, 'r') as file:
    evidence = json.load(file)

# Extract keys for the dropdown options
evidence_keys = list(evidence.keys())
# Include a default option in the dropdown
options = ["---choose evidence---"] + evidence_keys
dropdown = widgets.Dropdown(options=options, description='Select Evidence:')

# Create an Output widget to manage the display area
output = widgets.Output()
display(dropdown, output)

# Define the callback function for when the dropdown value changes
def on_change(change):
    with output:
        # Clear previous output
        output.clear_output()

        if change['type'] == 'change' and change['name'] == 'value':
            key = change['new']
            if key == "---choose evidence---":
                # Do nothing if the default option is selected
                return

            evidence_item = evidence.get(key, {})
            schema_content = evidence_item.get("schema", "")
            table_content = evidence_item.get("table", "")
            compliance_content = evidence_item.get("compliancetaxonomy", "")

            # Display the Markdown content
            display(Markdown(schema_content))
            display(Markdown(table_content))
            display(Markdown(compliance_content))

# Set up the observer to trigger the callback function
dropdown.observe(on_change, names='value')


# Step 5: Calculation for Compliance Percentage and Status

In [None]:
# Calculation of Compliance Percentage

TotalCount = Count of 'COMPLIANT' and 'NON_COMPLIANT' records
CompliantCount = Count of 'COMPLIANT' records

CompliancePCT = (CompliantCount / TotalCount) * 100

Compliance Status
COMPLIANT - 100%
NON_COMPLIANT - 0% to less than 100%
NOT_DETERMINED - If no records are found.
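The Step 5 calculation carried out in code, as an added example rather than the rule's own implementation. It assumes each record carries its outcome in a `ComplianceStatus` field (a hypothetical name); records with any other value are not counted toward the total.

```python
# Added example, not the original rule's code. Assumption: each record has a
# "ComplianceStatus" field holding COMPLIANT, NON_COMPLIANT or something else.

COUNTED = ("COMPLIANT", "NON_COMPLIANT")


def compliance_summary(records):
    """Return (CompliancePCT, ComplianceStatus) following the Step 5 rules."""
    counted = [r for r in records if r.get("ComplianceStatus") in COUNTED]
    total_count = len(counted)
    if total_count == 0:
        # No COMPLIANT/NON_COMPLIANT records at all: status cannot be determined.
        return 0.0, "NOT_DETERMINED"
    compliant_count = sum(1 for r in counted if r["ComplianceStatus"] == "COMPLIANT")
    compliance_pct = round(compliant_count / total_count * 100, 2)
    status = "COMPLIANT" if compliance_pct == 100 else "NON_COMPLIANT"
    return compliance_pct, status


# Constructed sample records, one per finding.
SAMPLE_RECORDS = [
    {"ComplianceStatus": "COMPLIANT"},
    {"ComplianceStatus": "COMPLIANT"},
    {"ComplianceStatus": "NON_COMPLIANT"},
    {"ComplianceStatus": "NOT_DETERMINED"},  # excluded from TotalCount
]
```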

# Step 6: Describe (in words) the Remediation Steps for Non-Compliance
N/A

# Step 7: Control Setup Details

| Control Details            |                               |
|----------------------------|-------------------------------|
| **RuleName**               |  FetchSemgrepFindings         |
| **PreRequisiteRuleNames**  | N/A                           |
| **ExtendedSchemaRuleNames**| N/A                           |
| **ApplicationClassName**   |  semgrepconnector             |
| **PostSynthesizerName**    |             N/A               |