Rescan

[vishalhcl-5960]

Rescan implementation for the SAST scan
Note: Validation of the scanId is pending from our side & will add a new method in the serviceUtil class for it.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ vishalhcl-5960
❌ Kripajoy Melitpalathingal

---

Kripajoy Melitpalathingal seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[mattmurp]

This method is an exact copy of createAndExecuteScan() with just a few minor changes (the url and the constant used for getting the id). This should be refactored to put all of the common logic into a private method, so the 2 public methods can simply call that private method, passing in the minor differences.

[vishalhcl-5960]

Sure, We have created a new private common method executeScan() which has been called from both create&ExecuteScan() & rescan() method.

[mattmurp]

What's the reason for getting the scan id and returning it? Since this is a rescan, the scan id is already known. I think it makes more sense to return the execution id.

[vishalhcl-5960]

Sure, Now we are fetching the executionId if the user go for rescanning.

[mattmurp]

Both the "if" and "else" branches make the same call to add the file id to the params. That should be done once outside of the conditional rather than repeating the code.

[kripajoym]

Keys are different. For scan, the key is ApplicationFileId, while for a rescan, it's FileId.

[mattmurp]

This same method will be needed for DAST rescans, as well. Assuming it will be the same implementation, this should be moved to the ASoCScan class, so the logic can be reused.

[mattmurp]

Since other scanners will need to do this same check, I suggest doing this in the ASoCScan constructor. It can set a boolean member variable in that class (e.g. m_isRescan) that can also have a getter (e.g. isRescan()). You could then call isRescan() to see if you should call the specific scanner's submitScan() method or the general submitRescan() method on the ASoCScan class (see comment below).

[vishalhcl-5960]

We have created a new method called submitRescan() in the ASoCScan class which has been called from the analyzeIR() method of the SASTscan class.
"protected void submitRescan() {
setExecutionId(getServiceProvider().rescan(getScanId(),getProperties()));
}"

[mattmurp]

What's the reason for removing the {1} at the end of each of these strings? It looks like the calls that use them still provide information for the 2nd parameter.

[vishalhcl-5960]

We are assigning the 2nd value in a common method ("executeScan") used for createAndExecuteScan() & rescan(). So, for new scan the 2nd value will be scanId while for the rescanning it would be executionId.

[mattmurp]

Are message.rescan and message.rescan.overview used anywhere? I don't see them referenced in this PR.

[vishalhcl-5960]

Yes, We are using them in the rescan() method.
https://github.com/HCL-TECH-SOFTWARE/appscan-sdk/blob/Rescan/src/main/java/com/hcl/appscan/sdk/scan/CloudScanServiceProvider.java#L72
https://github.com/HCL-TECH-SOFTWARE/appscan-sdk/blob/Rescan/src/main/java/com/hcl/appscan/sdk/scan/CloudScanServiceProvider.java#L73

[mattmurp]

To limit duplication of code, it would be good to have the original constructor that does not take an executionId call this one directly. E.g.:
this(scanId, null, type, provider, progress);

[vishalhcl-5960]

Okay, sure.

[mattmurp]

There is a setter function setRescan(boolean rescan) that sets the member variable m_rescan, but the getter function isRescan() checks for a key in m_properties. These should be made consistent, so they both work with the member variable, which can be set in the constructor based on m_properties.

[vishalhcl-5960]

Added a getter method & assigning the m_rescan value in the constructor based on the m_properties. Also, removed the isRescan() method.

[mattmurp]

Any reason to use the class Boolean as opposed to the primitive type boolean?

[vishalhcl-5960]

Changed the "m_rescan" type to boolean.

[mattmurp]

What's the purpose of creating the params JSONObject instead of just working with the parameters Map?

[vishalhcl-5960]

It is because we are putting the boolean value if the key value equals to "true"/"false", Map properties doesn't allow me to put boolean as well as string values in the same map.
For v4 APIs, we can't assign a string value for boolean taking parameters.

[mattmurp]

I understand the creation of objectMap, but params is never written to. It's only read. So we should be able to just read from the Map parameters, as opposed to creating the JSONObject params from it.

[vishalhcl-5960]

Okay, Made the changes accordingly.

[mattmurp]

I understand the creation of objectMap, but params is never written to. It's only read. So we should be able to just read from the Map parameters, as opposed to creating the JSONObject params from it.

[mattmurp]

Line 175 does a null check on params.get(key). The value is then put into the variable "value" and we do another null check of it on line 177, which is redundent.

[vishalhcl-5960]

Removed the 2nd null check.