Implemented a new api for api-security result count

cx-sumit-morchhale · cx-sumit-morchhale · commit 2ad9fc912bcf · 2025-12-24T20:01:22.000+05:30
diff --git a/cmd/main.go b/cmd/main.go
@@ -37,6 +37,7 @@ func main() {
 	results := viper.GetString(params.ResultsPathKey)
 	scanSummary := viper.GetString(params.ScanSummaryPathKey)
 	risksOverview := viper.GetString(params.RisksOverviewPathKey)
+	apiSecurityResult := viper.GetString(params.APISecurityResultPathKey)
 	riskManagement := viper.GetString(params.RiskManagementPathKey)
 	scsScanOverview := viper.GetString(params.ScsScanOverviewPathKey)
 	uploads := viper.GetString(params.UploadsPathKey)
@@ -69,7 +70,7 @@ func main() {
 	uploadsWrapper := wrappers.NewUploadsHTTPWrapper(uploads)
 	projectsWrapper := wrappers.NewHTTPProjectsWrapper(projects)
 	applicationsWrapper := wrappers.NewApplicationsHTTPWrapper(applications)
-	risksOverviewWrapper := wrappers.NewHTTPRisksOverviewWrapper(risksOverview)
+	risksOverviewWrapper := wrappers.NewHTTPRisksOverviewWrapper(risksOverview, apiSecurityResult)
 	riskManagementWrapper := wrappers.NewHTTPRiskManagementWrapper(riskManagement)
 	scsScanOverviewWrapper := wrappers.NewHTTPScanOverviewWrapper(scsScanOverview)
 	resultsWrapper := wrappers.NewHTTPResultsWrapper(results, scanSummary)
diff --git a/internal/commands/result.go b/internal/commands/result.go
@@ -693,15 +693,24 @@ func summaryReport(
 	scsScanOverviewWrapper wrappers.ScanOverviewWrapper,
 	featureFlagsWrapper wrappers.FeatureFlagsWrapper,
 	results *wrappers.ScanResultsCollection,
+	resultsParams map[string]string,
 ) (*wrappers.ResultSummary, error) {
 	if summary.HasAPISecurity() {
+		apiSecFilterRisks, err := getFilterResultsForAPISecScanner(risksOverviewWrapper, summary.ScanID, resultsParams)
+		if err != nil {
+			return nil, err
+		}
+		if apiSecFilterRisks != nil {
+			summary.APISecurity = *apiSecFilterRisks
+		}
 		apiSecRisks, err := getResultsForAPISecScanner(risksOverviewWrapper, summary.ScanID)
 		if err != nil {
 			return nil, err
 		}
-		summary.APISecurity = *apiSecRisks
+		if apiSecRisks != nil {
+			summary.APISecurity.APICount = apiSecRisks.APICount
+		}
 	}
-
 	if summary.HasSCS() {
 		// Getting the base SCS overview. Results counts are overwritten in enhanceWithScanSummary->countResult
 		SCSOverview, err := getScanOverviewForSCSScanner(scsScanOverviewWrapper, summary.ScanID)
@@ -770,13 +779,13 @@ func enhanceWithScanSummary(summary *wrappers.ResultSummary, results *wrappers.S
 	flagResponse, _ := wrappers.GetSpecificFeatureFlag(featureFlagsWrapper, wrappers.CVSSV3Enabled)
 	criticalEnabled := flagResponse.Status
 	if summary.HasAPISecurity() {
-		summary.EnginesResult[commonParams.APISecType].Low = summary.APISecurity.Risks[3]
-		summary.EnginesResult[commonParams.APISecType].Medium = summary.APISecurity.Risks[2]
-		summary.EnginesResult[commonParams.APISecType].High = summary.APISecurity.Risks[1]
+		summary.EnginesResult[commonParams.APISecType].Low = summary.APISecurity.SeverityCount["low"]
+		summary.EnginesResult[commonParams.APISecType].Medium = summary.APISecurity.SeverityCount["medium"]
+		summary.EnginesResult[commonParams.APISecType].High = summary.APISecurity.SeverityCount["high"]
 		if !criticalEnabled {
 			summary.EnginesResult[commonParams.APISecType].Critical = notAvailableNumber
 		} else {
-			summary.EnginesResult[commonParams.APISecType].Critical = summary.APISecurity.Risks[0]
+			summary.EnginesResult[commonParams.APISecType].Critical = summary.APISecurity.SeverityCount["critical"]
 		}
 	}
 
@@ -1211,7 +1220,7 @@ func CreateScanReport(
 	}
 	isSummaryNeeded := verifyFormatsByReportList(reportList, summaryFormats...)
 	if isSummaryNeeded && !scanPending {
-		summary, err = summaryReport(summary, policyResponseModel, risksOverviewWrapper, scsScanOverviewWrapper, featureFlagsWrapper, results)
+		summary, err = summaryReport(summary, policyResponseModel, risksOverviewWrapper, scsScanOverviewWrapper, featureFlagsWrapper, results, resultsParams)
 		if err != nil {
 			return nil, err
 		}
@@ -2888,3 +2897,44 @@ func parseURI(summaryBaseURI string) (hostName string) {
 func printWarningIfIgnorePolicyOmiited() {
 	fmt.Printf("\n            Warning: The --ignore-policy flag was not implemented because you don’t have the required permission.\n                     Only users with 'override-policy-management' permission can use this flag.                     \n\n")
 }
+
+func getFilterResultsForAPISecScanner(risksOverviewWrapper wrappers.RisksOverviewWrapper, scanID string, resultsParams map[string]string) (aPISecSeveritySummary *wrappers.APISecFilteredResult, err error) {
+	var apiSecRiskEntriesResult wrappers.APISecRiskEntriesResult
+	var errorModel *wrappers.WebError
+
+	apiSecRiskEntriesResult, errorModel, err = risksOverviewWrapper.GetFilterResultForAPISecByScanID(scanID, resultsParams)
+	if err != nil {
+		return nil, errors.Wrapf(err, "%s", failedListingResults)
+	}
+	if errorModel != nil {
+		return nil, errors.Errorf("%s: CODE: %d, %s", failedListingResults, errorModel.Code, errorModel.Message)
+	}
+	if len(apiSecRiskEntriesResult.Entries) > 0 {
+		entries := apiSecRiskEntriesResult.Entries
+		severityCount := make(map[string]int)
+		originCount := make(map[string]int)
+		totalRecords := 0
+		for _, entry := range entries {
+			if isExploitable(entry.State) {
+				sev := strings.ToLower(entry.Severity)
+				severityCount[sev]++
+				orig := strings.ToLower(entry.Origin)
+				originCount[orig]++
+				totalRecords++
+			}
+		}
+		var riskDistribution []wrappers.RiskDistributionEntry
+		if originCount["code"] > 0 {
+			riskDistribution = append(riskDistribution, wrappers.RiskDistributionEntry{Origin: "code", Total: originCount["code"]})
+		}
+		if originCount["documentation"] > 0 {
+			riskDistribution = append(riskDistribution, wrappers.RiskDistributionEntry{Origin: "documentation", Total: originCount["documentation"]})
+		}
+		return &wrappers.APISecFilteredResult{
+			SeverityCount:    severityCount,
+			RiskDistribution: riskDistribution,
+			TotalRisksCount:  totalRecords,
+		}, nil
+	}
+	return nil, nil
+}
diff --git a/internal/commands/result_test.go b/internal/commands/result_test.go
@@ -1278,11 +1278,10 @@ func createEmptyResultSummary() *wrappers.ResultSummary {
 		KicsIssues:       0,
 		ContainersIssues: containersIssues,
 		SCSOverview:      &wrappers.SCSOverview{},
-		APISecurity: wrappers.APISecResult{
+		APISecurity: wrappers.APISecFilteredResult{
 			APICount:        0,
 			TotalRisksCount: 0,
-			Risks:           []int{0, 0, 0, 0},
-			StatusCode:      0,
+			SeverityCount:   map[string]int{"critical": 0, "high": 0, "medium": 0, "low": 0},
 		},
 		EnginesEnabled: []string{"sast", "sca", "kics", "containers"},
 		EnginesResult: wrappers.EnginesResultsSummary{
@@ -1702,3 +1701,42 @@ func extractURLFromDescription(description string) string {
 	}
 	return ""
 }
+
+func TestGetFilterResultsForAPISecScanner(t *testing.T) {
+	mockWrapper := mock.RisksOverviewMockWrapper{}
+	scanID := "test-scan-id"
+	resultsParams := map[string]string{}
+
+	result, err := getFilterResultsForAPISecScanner(mockWrapper, scanID, resultsParams)
+	assert.NilError(t, err)
+	assert.Assert(t, result == nil, "Expected nil result for empty entries")
+
+	mockEntries := []wrappers.APISecRiskEntry{
+		{Severity: "Critical", Origin: "code", State: "to_verify"},
+		{Severity: "High", Origin: "documentation", State: "to_verify"},
+		{Severity: "Medium", Origin: "code", State: "to_verify"},
+		{Severity: "Low", Origin: "documentation", State: "to_verify"},
+		{Severity: "Critical", Origin: "code", State: "not_exploitable"},
+	}
+	mockWrapperWithEntries := &mock.RisksOverviewMockWrapperWithEntries{Entries: mockEntries}
+	result, err = getFilterResultsForAPISecScanner(mockWrapperWithEntries, scanID, resultsParams)
+	assert.NilError(t, err)
+	assert.Assert(t, result != nil, "Expected non-nil result for entries")
+	if result == nil {
+		return
+	}
+	assert.Equal(t, result.SeverityCount["critical"], 1)
+	assert.Equal(t, result.SeverityCount["high"], 1)
+	assert.Equal(t, result.SeverityCount["medium"], 1)
+	assert.Equal(t, result.SeverityCount["low"], 1)
+	assert.Equal(t, result.TotalRisksCount, 4)
+	assert.Equal(t, len(result.RiskDistribution), 2)
+	for _, dist := range result.RiskDistribution {
+		if dist.Origin == "code" {
+			assert.Equal(t, dist.Total, 2)
+		}
+		if dist.Origin == "documentation" {
+			assert.Equal(t, dist.Total, 2)
+		}
+	}
+}
diff --git a/internal/commands/scan.go b/internal/commands/scan.go
@@ -2463,7 +2463,7 @@ func runCreateScanCommand(
 				return reportErr
 			}
 
-			err = applyThreshold(cmd, scanResponseModel, thresholdMap, risksOverviewWrapper, results)
+			err = applyThreshold(cmd, scanResponseModel, thresholdMap, risksOverviewWrapper, results, featureFlagsWrapper)
 
 			if err != nil {
 				return err
@@ -2731,6 +2731,7 @@ func applyThreshold(
 	thresholdMap map[string]int,
 	risksOverviewWrapper wrappers.RisksOverviewWrapper,
 	results *wrappers.ScanResultsCollection,
+	featureFlagsWrapper wrappers.FeatureFlagsWrapper,
 ) error {
 	if len(thresholdMap) == 0 {
 		return nil
@@ -2742,7 +2743,11 @@ func applyThreshold(
 		params[commonParams.SastRedundancyFlag] = ""
 	}
 
-	summaryMap, err := getSummaryThresholdMap(scanResponseModel, risksOverviewWrapper, results)
+	resultsParams, err := getFilters(cmd)
+	if err != nil {
+		return err
+	}
+	summaryMap, err := getSummaryThresholdMap(scanResponseModel, risksOverviewWrapper, results, featureFlagsWrapper, resultsParams)
 
 	if err != nil {
 		return err
@@ -2830,6 +2835,8 @@ func getSummaryThresholdMap(
 	scan *wrappers.ScanResponseModel,
 	risksOverviewWrapper wrappers.RisksOverviewWrapper,
 	results *wrappers.ScanResultsCollection,
+	featureFlagsWrapper wrappers.FeatureFlagsWrapper,
+	resultsParam map[string]string,
 ) (map[string]int, error) {
 	summaryMap := make(map[string]int)
 
@@ -2841,13 +2848,21 @@ func getSummaryThresholdMap(
 	}
 
 	if slices.Contains(scan.Engines, commonParams.APISecType) {
-		apiSecRisks, err := getResultsForAPISecScanner(risksOverviewWrapper, scan.ID)
+		apiSecFilterRisks, err := getFilterResultsForAPISecScanner(risksOverviewWrapper, scan.ID, resultsParam)
 		if err != nil {
 			return nil, err
 		}
-		summaryMap["api-security-high"] = apiSecRisks.Risks[1]
-		summaryMap["api-security-medium"] = apiSecRisks.Risks[2]
-		summaryMap["api-security-low"] = apiSecRisks.Risks[3]
+		if apiSecFilterRisks != nil && apiSecFilterRisks.SeverityCount != nil {
+			summaryMap["api-security-high"] = apiSecFilterRisks.SeverityCount["high"]
+			summaryMap["api-security-medium"] = apiSecFilterRisks.SeverityCount["medium"]
+			summaryMap["api-security-low"] = apiSecFilterRisks.SeverityCount["low"]
+
+			flagResponse, _ := wrappers.GetSpecificFeatureFlag(featureFlagsWrapper, wrappers.CVSSV3Enabled)
+			criticalEnabled := flagResponse.Status
+			if criticalEnabled {
+				summaryMap["api-security-critical"] = apiSecFilterRisks.SeverityCount["critical"]
+			}
+		}
 	}
 	return summaryMap, nil
 }
diff --git a/internal/params/binds.go b/internal/params/binds.go
@@ -25,6 +25,7 @@ var EnvVarsBinds = []struct {
 	{ResultsPathKey, ResultsPathEnv, "api/results"},
 	{ScanSummaryPathKey, ScanSummaryPathEnv, "api/scan-summary"},
 	{RisksOverviewPathKey, RisksOverviewPathEnv, "api/apisec/static/api/scan/%s/risks-overview"},
+	{APISecurityResultPathKey, APISecurityResultPathEnv, "api/apisec/static/api/risks"},
 	{ScsScanOverviewPathKey, ScsScanOverviewPathEnv, "api/micro-engines/read/scans/%s/scan-overview"},
 	{SastResultsPathKey, SastResultsPathEnv, "api/sast-results"},
 	{SastResultsPredicatesPathKey, SastResultsPredicatesPathEnv, "api/sast-results-predicates"},
diff --git a/internal/params/envs.go b/internal/params/envs.go
@@ -30,6 +30,7 @@ const (
 	ResultsPathEnv                      = "CX_RESULTS_PATH"
 	ScanSummaryPathEnv                  = "CX_SCAN_SUMMARY_PATH"
 	RisksOverviewPathEnv                = "CX_RISKS_OVERVIEW_PATH"
+	APISecurityResultPathEnv            = "API_SECURITY_RESULT_PATH"
 	ScsScanOverviewPathEnv              = "CX_SCS_SCAN_OVERVIEW_PATH"
 	SastResultsPathEnv                  = "CX_SAST_RESULTS_PATH"
 	SastResultsPredicatesPathEnv        = "CX_SAST_RESULTS_PREDICATES_PATH"
diff --git a/internal/params/keys.go b/internal/params/keys.go
@@ -29,6 +29,7 @@ var (
 	ResultsPathKey                      = strings.ToLower(ResultsPathEnv)
 	ScanSummaryPathKey                  = strings.ToLower(ScanSummaryPathEnv)
 	RisksOverviewPathKey                = strings.ToLower(RisksOverviewPathEnv)
+	APISecurityResultPathKey            = strings.ToLower(APISecurityResultPathEnv)
 	ScsScanOverviewPathKey              = strings.ToLower(ScsScanOverviewPathEnv)
 	SastResultsPathKey                  = strings.ToLower(SastResultsPathEnv)
 	KicsResultsPathKey                  = strings.ToLower(KicsResultsPathEnv)
diff --git a/internal/wrappers/mock/risks-overview-mock.go b/internal/wrappers/mock/risks-overview-mock.go
@@ -15,3 +15,25 @@ func (r RisksOverviewMockWrapper) GetAllAPISecRisksByScanID(scanID string) (
 		Risks:           []int{},
 	}, nil, nil
 }
+func (r RisksOverviewMockWrapper) GetFilterResultForAPISecByScanID(scanID string, queryParam map[string]string) (wrappers.APISecRiskEntriesResult, *wrappers.WebError, error) {
+	return wrappers.APISecRiskEntriesResult{
+		Entries: []wrappers.APISecRiskEntry{},
+	}, nil, nil
+}
+
+type RisksOverviewMockWrapperWithEntries struct {
+	Entries []wrappers.APISecRiskEntry
+}
+
+func (r *RisksOverviewMockWrapperWithEntries) GetFilterResultForAPISecByScanID(scanID string, queryParam map[string]string) (wrappers.APISecRiskEntriesResult, *wrappers.WebError, error) {
+	return wrappers.APISecRiskEntriesResult{
+		Entries: r.Entries,
+	}, nil, nil
+}
+func (r RisksOverviewMockWrapperWithEntries) GetAllAPISecRisksByScanID(scanID string) (
+	*wrappers.APISecResult,
+	*wrappers.WebError,
+	error,
+) {
+	return &wrappers.APISecResult{}, nil, nil
+}
diff --git a/internal/wrappers/results-summary.go b/internal/wrappers/results-summary.go
@@ -20,7 +20,7 @@ type ResultSummary struct {
 	ContainersIssues *int         `json:"ContainersIssues,omitempty"`
 	ScsIssues        *int         `json:"ScsIssues,omitempty"`
 	SCSOverview      *SCSOverview `json:"ScsOverview,omitempty"`
-	APISecurity      APISecResult
+	APISecurity      APISecFilteredResult
 	RiskStyle        string
 	RiskMsg          string
 	Status           string
@@ -41,14 +41,20 @@ type ResultSummary struct {
 
 // nolint: govet
 type APISecResult struct {
-	APICount         int                `json:"api_count,omitempty"`
-	TotalRisksCount  int                `json:"total_risks_count,omitempty"`
-	Risks            []int              `json:"risks,omitempty"`
-	RiskDistribution []riskDistribution `json:"risk_distribution,omitempty"`
+	APICount         int                     `json:"api_count,omitempty"`
+	TotalRisksCount  int                     `json:"total_risks_count,omitempty"`
+	Risks            []int                   `json:"risks,omitempty"`
+	RiskDistribution []RiskDistributionEntry `json:"risk_distribution,omitempty"`
 	StatusCode       int
 }
 
-type riskDistribution struct {
+type APISecFilteredResult struct {
+	SeverityCount    map[string]int
+	TotalRisksCount  int
+	RiskDistribution []RiskDistributionEntry
+	APICount         int
+}
+type RiskDistributionEntry struct {
 	Origin string `json:"origin,omitempty"`
 	Total  int    `json:"total,omitempty"`
 }
@@ -166,7 +172,7 @@ func (r *ResultSummary) SCSIssuesValue() int {
 	return *r.ScsIssues
 }
 
-func (r *ResultSummary) getRiskFromAPISecurity(origin string) *riskDistribution {
+func (r *ResultSummary) getRiskFromAPISecurity(origin string) *RiskDistributionEntry {
 	for _, risk := range r.APISecurity.RiskDistribution {
 		if strings.EqualFold(risk.Origin, origin) {
 			return &risk
diff --git a/internal/wrappers/risks-overview-http.go b/internal/wrappers/risks-overview-http.go
diff --git a/internal/wrappers/risks-overview.go b/internal/wrappers/risks-overview.go
