Merge pull request #37 from Contrast-Security-OSS/AIML-48_query_api_for_vuln_details_and_format_for_issue_body

Aiml 48 query api for vuln details and format for issue body

Author: JacobMagesHaskinsContrast

src/agent_handler.py

@@ -810,5 +810,3 @@ def _patched_loop_check_closed(self):
                  return #ignore this error
              raise
         asyncio.BaseEventLoop._check_closed = _patched_loop_check_closed
-
-# %%

src/build_output_analyzer.py

@@ -84,4 +84,4 @@ def extract_build_errors(build_output):
         return "BUILD FAILURE - KEY ERRORS:\n\n" + "\n\n...\n\n".join(result_blocks)
 
     # Fallback: just return the last part of the build output
-    return "BUILD FAILURE - LAST OUTPUT:\n\n" + "\n".join(tail_lines[-50:])
+    return "BUILD FAILURE - LAST OUTPUT:\n\n" + "\n".join(tail_lines[-50:])

src/closed_handler.py

@@ -143,5 +143,3 @@ def handle_closed_pr():
 
 if __name__ == "__main__":
     handle_closed_pr()
-
-# %%

src/contrast_api.py

@@ -434,3 +434,102 @@ def notify_remediation_failed(remediation_id: str, failure_category: str, contra
     except json.JSONDecodeError:
         log(f"Error decoding JSON response when notifying Remediation service about failed remediation {remediation_id}.", is_error=True)
         return False
+
+def get_vulnerability_details(contrast_host: str, contrast_org_id: str, contrast_app_id: str, contrast_auth_key: str, contrast_api_key: str, github_repo_url: str, max_pull_requests: int = 5, severities: list = None) -> dict:
+    """Gets vulnerability remediation details from the Contrast API.
+    
+    Args:
+        contrast_host: The Contrast Security host URL
+        contrast_org_id: The organization ID
+        contrast_app_id: The application ID
+        contrast_auth_key: The Contrast authorization key
+        contrast_api_key: The Contrast API key
+        github_repo_url: The GitHub repository URL
+        max_pull_requests: Maximum number of pull requests (default: 5)
+        severities: List of vulnerability severities to filter by (default: ["CRITICAL", "HIGH"])
+        
+    Returns:
+        dict: Contains vulnerability remediation details or None if no vulnerability found
+        Structure: {
+            'remediationId': '...',
+            'vulnerabilityUuid': '...',
+            'vulnerabilityTitle': '...',
+            'vulnerabilityRuleName': '...',
+            'vulnerabilityStatus': '...',
+            'vulnerabilitySeverity': '...',
+            'vulnerabilityOverviewStory': '...',
+            'vulnerabilityEventsSummary': '...',
+            'vulnerabilityHttpRequestDetails': '...'
+        }
+    """
+    if severities is None:
+        severities = ["CRITICAL", "HIGH"]
+        
+    debug_log("\n--- Fetching vulnerability details from remediation-details API ---")
+    
+    api_url = f"https://{normalize_host(contrast_host)}/api/v4/aiml-remediation/organizations/{contrast_org_id}/applications/{contrast_app_id}/remediation-details"
+    debug_log(f"API URL: {api_url}")
+    
+    headers = {
+        "Authorization": contrast_auth_key,
+        "API-Key": contrast_api_key,
+        "Content-Type": "application/json",
+        "Accept": "application/json",
+        "User-Agent": config.USER_AGENT
+    }
+    
+    payload = {
+        "teamserverHost": f"https://{normalize_host(contrast_host)}",
+        "repoRootDir": str(config.REPO_ROOT),
+        "repoUrl": github_repo_url,
+        "maxPullRequests": max_pull_requests,
+        "severities": severities
+    }
+    
+    debug_log(f"Request payload: {json.dumps(payload, indent=2)}")
+    
+    try:
+        debug_log(f"Making POST request to: {api_url}")
+        response = requests.post(api_url, headers=headers, json=payload, timeout=30)
+        
+        debug_log(f"Remediation-details API Response Status Code: {response.status_code}")
+        
+        # Handle different status codes
+        if response.status_code == 204:
+            log("No vulnerabilities found that need remediation (204 No Content).")
+            return None
+        elif response.status_code == 409:
+            log("At or over the maximum PR limit (409 Conflict).")
+            return None
+        elif response.status_code == 200:
+            response_json = response.json()
+            debug_log(f"Successfully received vulnerability details from API")
+            debug_log(f"Response keys: {list(response_json.keys())}")
+            
+            # Validate that we have required components
+            required_keys = ['remediationId', 'vulnerabilityUuid', 'vulnerabilityTitle']
+            missing_keys = [key for key in required_keys if key not in response_json]
+            
+            if missing_keys:
+                log(f"Warning: Missing some keys in API response: {missing_keys}")
+            
+            # Log a summary without exposing sensitive details
+            debug_log(f"Vulnerability UUID: {response_json.get('vulnerabilityUuid', 'Unknown')}")
+            debug_log(f"Vulnerability Title: {response_json.get('vulnerabilityTitle', 'Unknown')}")
+            debug_log(f"Vulnerability Severity: {response_json.get('vulnerabilitySeverity', 'Unknown')}")
+            debug_log(f"Remediation ID: {response_json.get('remediationId', 'Unknown')}")
+            
+            return response_json
+        else:
+            log(f"Unexpected status code {response.status_code} from remediation-details API: {response.text}", is_error=True)
+            return None
+            
+    except requests.exceptions.RequestException as e:
+        log(f"Error fetching vulnerability details: {e}", is_error=True)
+        return None
+    except json.JSONDecodeError:
+        log("Error decoding JSON response from remediation-details API.", is_error=True)
+        return None
+    except Exception as e:
+        log(f"Unexpected error calling remediation-details API: {e}", is_error=True)
+        return None

src/external_coding_agent.py

@@ -41,10 +41,75 @@ def __init__(self, config: Config):
         self.config = config
         debug_log(f"Initialized ExternalCodingAgent")
 
-    def generate_fixes(self, vuln_uuid: str, remediation_id: str, vuln_title: str) -> bool:
+    def assemble_issue_body(self, vulnerability_details: dict) -> str:
+        """
+        Assembles a GitHub Issue body from vulnerability details.
+        
+        Args:
+            vulnerability_details: Dictionary containing vulnerability information
+            
+        Returns:
+            str: Formatted GitHub Issue body for the vulnerability
+        """
+        # Extract key details with safe fallbacks
+        vuln_title = vulnerability_details.get('vulnerabilityTitle', 'Unknown Vulnerability')
+        vuln_uuid = vulnerability_details.get('vulnerabilityUuid', 'Unknown UUID')
+        vuln_rule = vulnerability_details.get('vulnerabilityRuleName', 'Unknown Rule')
+        vuln_severity = vulnerability_details.get('vulnerabilitySeverity', 'Unknown Severity')
+        vuln_status = vulnerability_details.get('vulnerabilityStatus', 'Unknown Status')
+        vuln_overview = vulnerability_details.get('vulnerabilityOverviewStory', 'No overview available')
+        vuln_events = vulnerability_details.get('vulnerabilityEventsSummary', 'No event details available')
+        vuln_http_details = vulnerability_details.get('vulnerabilityHttpRequestDetails', 'No HTTP request details available')
+        
+        # Assemble the issue body
+        issue_body = f"""
+# Contrast AI SmartFix Issue Report
+
+This issue should address a vulnerability identified by the Contrast Security platform (ID: [{vuln_uuid}](https://{self.config.CONTRAST_HOST}/Contrast/static/ng/index.html#/{self.config.CONTRAST_ORG_ID}/applications/{self.config.CONTRAST_APP_ID}/vulns/{vuln_uuid})).
+        
+# Security Vulnerability: {vuln_title}
+
+## Vulnerability Details
+
+**Rule:** {vuln_rule}  
+**Severity:** {vuln_severity}  
+**Status:** {vuln_status}  
+
+## Overview
+
+{vuln_overview}
+
+## Technical Details
+
+### Event Summary
+```
+{vuln_events}
+```
+
+### HTTP Request Details
+```
+{vuln_http_details}
+```
+
+## Action Required
+
+Please review this security vulnerability and implement appropriate fixes to address the identified issue.
+
+**Important:** If you cannot find the vulnerability, then take no actions (corrective or otherwise). Simply report that the vulnerability was not found."""
+
+        debug_log(f"Assembled issue body with {len(issue_body)} characters")
+        return issue_body
+    
+    def generate_fixes(self, vuln_uuid: str, remediation_id: str, vuln_title: str, issue_body: str = None) -> bool:
         """
         Generate fixes for vulnerabilities.
         
+        Args:
+            vuln_uuid: The vulnerability UUID
+            remediation_id: The remediation ID
+            vuln_title: The vulnerability title
+            issue_body: The issue body content (optional, uses default if not provided)
+        
         Returns:
             bool: False if the CODING_AGENT is SMARTFIX, True otherwise
         """
@@ -55,11 +120,15 @@ def generate_fixes(self, vuln_uuid: str, remediation_id: str, vuln_title: str) -
         log(f"\n::group::--- Using External Coding Agent ({self.config.CODING_AGENT}) ---")
         telemetry_handler.update_telemetry("additionalAttributes.codingAgent", "EXTERNAL-COPILOT")
 
-        # Hard-coded vulnerability label for now, will be passed as argument later
+        # Generate labels and issue details
         vulnerability_label = f"contrast-vuln-id:VULN-{vuln_uuid}"
         remediation_label = f"smartfix-id:{remediation_id}"
         issue_title = vuln_title
-        issue_body = "This is a fake issue body for testing purposes."
+        
+        # Use the provided issue_body or fall back to default
+        if issue_body is None:
+            log(f"Failed to generate issue body for vulnerability id {vuln_uuid}", is_error=True)
+            error_exit(remediation_id, FailureCategory.AGENT_FAILURE.value)
 
         # Use git_handler to find if there's an existing issue with this label
         issue_number = git_handler.find_issue_with_label(vulnerability_label)
@@ -162,5 +231,3 @@ def _poll_for_pr(self, issue_number: int, remediation_id: str, vulnerability_lab
         return None
 
     # Additional methods will be implemented later
-
-# %%

src/git_handler.py

@@ -723,5 +723,3 @@ def add_labels_to_pr(pr_number: int, labels: List[str]) -> bool:
     except Exception as e:
         log(f"Failed to add labels to PR #{pr_number}: {e}", is_error=True)
         return False
-
-# %%

src/main.py

@@ -276,28 +276,52 @@ def main():
             log(f"\n--- Reached max PR limit ({max_open_prs_setting}). Current open PRs: {current_open_pr_count}. Stopping processing. ---")
             break
 
-        # --- Fetch Next Vulnerability and Prompts from New API ---
-        log("\n::group::--- Fetching next vulnerability and prompts from Contrast API ---")
+        # --- Fetch Next Vulnerability Data from API ---
+        if config.CODING_AGENT == "SMARTFIX":
+            # For SMARTFIX, get vulnerability with prompts
+            log("\n::group::--- Fetching next vulnerability and prompts from Contrast API ---")
+            vulnerability_data = contrast_api.get_vulnerability_with_prompts(
+                config.CONTRAST_HOST, config.CONTRAST_ORG_ID, config.CONTRAST_APP_ID,
+                config.CONTRAST_AUTHORIZATION_KEY, config.CONTRAST_API_KEY,
+                max_open_prs_setting, github_repo_url, config.VULNERABILITY_SEVERITIES
+            )
+            log("\n::endgroup::")
 
-        vulnerability_data = contrast_api.get_vulnerability_with_prompts(
-            config.CONTRAST_HOST, config.CONTRAST_ORG_ID, config.CONTRAST_APP_ID,
-            config.CONTRAST_AUTHORIZATION_KEY, config.CONTRAST_API_KEY,
-            max_open_prs_setting, github_repo_url, config.VULNERABILITY_SEVERITIES
-        )
-        log("\n::endgroup::")
+            if not vulnerability_data:
+                log("No more vulnerabilities found to process or API error occurred. Stopping processing.")
+                break
 
-        if not vulnerability_data:
-            log("No more vulnerabilities found to process or API error occurred. Stopping processing.")
-            break
+            # Extract vulnerability details and prompts from the response
+            vuln_uuid = vulnerability_data['vulnerabilityUuid']
+            vuln_title = vulnerability_data['vulnerabilityTitle']
+            remediation_id = vulnerability_data['remediationId']
+            fix_system_prompt = vulnerability_data['fixSystemPrompt']
+            fix_user_prompt = vulnerability_data['fixUserPrompt']
+            qa_system_prompt = vulnerability_data['qaSystemPrompt']
+            qa_user_prompt = vulnerability_data['qaUserPrompt']
+        else:
+            # For external coding agents (like GITHUB_COPILOT), get vulnerability details
+            log("\n::group::--- Fetching next vulnerability details from Contrast API ---")
+            vulnerability_data = contrast_api.get_vulnerability_details(
+                config.CONTRAST_HOST, config.CONTRAST_ORG_ID, config.CONTRAST_APP_ID,
+                config.CONTRAST_AUTHORIZATION_KEY, config.CONTRAST_API_KEY,
+                github_repo_url, max_open_prs_setting, config.VULNERABILITY_SEVERITIES
+            )
+            log("\n::endgroup::")
+
+            if not vulnerability_data:
+                log("No more vulnerabilities found to process or API error occurred. Stopping processing.")
+                break
 
-        # Extract vulnerability details and prompts from the response
-        vuln_uuid = vulnerability_data['vulnerabilityUuid']
-        vuln_title = vulnerability_data['vulnerabilityTitle']
-        remediation_id = vulnerability_data['remediationId']
-        fix_system_prompt = vulnerability_data['fixSystemPrompt']
-        fix_user_prompt = vulnerability_data['fixUserPrompt']
-        qa_system_prompt = vulnerability_data['qaSystemPrompt']
-        qa_user_prompt = vulnerability_data['qaUserPrompt']
+            # Extract vulnerability details from the response (no prompts for external agents)
+            vuln_uuid = vulnerability_data['vulnerabilityUuid']
+            vuln_title = vulnerability_data['vulnerabilityTitle']
+            remediation_id = vulnerability_data['remediationId']
+            # No prompts available for external coding agents
+            fix_system_prompt = None
+            fix_user_prompt = None
+            qa_system_prompt = None
+            qa_user_prompt = None
 
         # Populate vulnInfo in telemetry
         telemetry_handler.update_telemetry("vulnInfo.vulnId", vuln_uuid)
@@ -345,7 +369,10 @@ def main():
         # --- Check if we need to use the external coding agent ---
         if config.CODING_AGENT != "SMARTFIX":
             external_agent = ExternalCodingAgent(config)
-            if external_agent.generate_fixes(vuln_uuid, remediation_id, vuln_title):
+            # Assemble the issue body from vulnerability details
+            issue_body = external_agent.assemble_issue_body(vulnerability_data)
+            # Pass the assembled issue body to generate_fixes()
+            if external_agent.generate_fixes(vuln_uuid, remediation_id, vuln_title, issue_body):
                 log(f"\n\n--- External Coding Agent successfully generated fixes ---")
                 processed_one = True
                 contrast_api.send_telemetry_data()

src/qa_handler.py

@@ -256,4 +256,3 @@ def run_qa_loop(
         log(f"\n\u274c Build failed after {qa_attempts} QA attempts.")
 
     return build_success, changed_files, build_command, qa_summary_log
-# %%

src/utils.py

@@ -257,5 +257,3 @@ def error_exit(remediation_id: str, failure_code: Optional[str] = None):
 
     # Exit with error code
     sys.exit(1)
-
-# %%

test/test_external_coding_agent.py

@@ -83,7 +83,7 @@ def test_generate_fixes_with_smartfix(self, mock_debug_log):
         agent = ExternalCodingAgent(self.config)
 
         # Call generate_fixes
-        result = agent.generate_fixes("1234-FAKE-ABCD", "1REM-FAKE-ABCD", "Fake Vulnerability Title")
+        result = agent.generate_fixes("1234-FAKE-ABCD", "1REM-FAKE-ABCD", "Fake Vulnerability Title", "Fake issue body.")
 
         # Assert that result is False
         self.assertFalse(result)
@@ -125,7 +125,7 @@ def test_generate_fixes_with_external_agent_pr_created(self, mock_log, mock_debu
         agent = ExternalCodingAgent(self.config)
 
         # Call generate_fixes
-        result = agent.generate_fixes("1234-FAKE-ABCD", "1REM-FAKE-ABCD", "Fake Vulnerability Title")
+        result = agent.generate_fixes("1234-FAKE-ABCD", "1REM-FAKE-ABCD", "Fake Vulnerability Title", "Fake issue body.")
 
         # Assert that result is True
         self.assertTrue(result)
@@ -171,7 +171,7 @@ def test_generate_fixes_with_external_agent_pr_timeout(self, mock_log, mock_debu
 
         try:
             # Call generate_fixes
-            result = agent.generate_fixes("1234-FAKE-ABCD", "1REM-FAKE-ABCD", "Fake Vulnerability Title")
+            result = agent.generate_fixes("1234-FAKE-ABCD", "1REM-FAKE-ABCD", "Fake Vulnerability Title", "Fake issue body.")
 
             # Assert that result is False when PR is not created
             self.assertFalse(result)
@@ -229,7 +229,7 @@ def test_generate_fixes_with_existing_issue(self, mock_log, mock_debug_log, mock
 
         try:
             # Call generate_fixes
-            result = agent.generate_fixes("1234-FAKE-ABCD", "1REM-FAKE-ABCD", "Fake Vulnerability Title")
+            result = agent.generate_fixes("1234-FAKE-ABCD", "1REM-FAKE-ABCD", "Fake Vulnerability Title", "Fake issue body.")
 
             # Assert that result is True
             self.assertTrue(result)