feature: Add 'Scan Type' field to Pattern object [TAROT-2627]

afsmeira · web-flow · commit c81bdb9ca8c3 · 2024-04-23T09:25:49.000+01:00
diff --git a/codacy-plugins-api/src/main/scala/com/codacy/plugins/api/results/Pattern.scala b/codacy-plugins-api/src/main/scala/com/codacy/plugins/api/results/Pattern.scala
@@ -32,6 +32,7 @@ object Pattern {
                            level: Result.Level,
                            category: Category,
                            subcategory: Option[Subcategory],
+                           scanType: Option[ScanType],
                            parameters: Set[Parameter.Specification] = Set.empty,
                            languages: Set[Language] = Set.empty,
                            enabled: Boolean = false) {
@@ -50,4 +51,56 @@ object Pattern {
       InsecureModulesLibraries, Visibility, CSRF, Android, MaliciousCode, Cryptography, CommandInjection, FirefoxOS,
       Auth, DoS, SQLInjection, Routes, Regex, SSL, Other = Value
   }
+
+  /** ScanType represents the type of analysis performed to discover issues that match the associated patterns.
+    *
+    * Scan types can be divided into two "categories":
+    *   - Static scan types: these are the only scan types that can actually be associated to a pattern of our static
+    *     analysis pipeline. These scans are performed on "static" source code.
+    *     - SAST
+    *     - SCA
+    *     - ContainerSCA
+    *     - Secrets
+    *     - IaC
+    *     - CICD
+    *     - License
+    *   - Dynamic scan types: are performed on live applications and can never be associated with patterns of our static
+    *     analysis pipeline. They are defined here for completion.
+    *     - PenTesting
+    *     - DAST
+    *     - CSPM
+    */
+  type ScanType = ScanType.Value
+  object ScanType extends Enumeration {
+
+    /** Static application security testing, i.e. source code scanning. */
+    val SAST = Value
+
+    /** Software composition analysis or supply chain security. Scan open source libraries that projects depend on for vulnerabilities or CVEs.*/
+    val SCA = Value
+
+    /** Like SCA but scanning container dependencies. */
+    val ContainerSCA = Value
+
+    /** Scan files for exposed API keys, passwords, certificates, encryption keys, etc. */
+    val Secrets = Value
+
+    /** Scan infrastructure-as-code files for misconfigurations and vulnerabilities. */
+    val IaC = Value
+
+    /** Scan CI/CD files for misconfigurations and vulnerabilities. */
+    val CICD = Value
+
+    /** Scan license files for compliance with organization policies. */
+    val License = Value
+
+    /** Manually scan an application or system for vulnerabilities. */
+    val PenTesting = Value
+
+    /** Similar to pen-testing, but automated and not as customizable. */
+    val DAST = Value
+
+    /** Cloud security posture management. Scan live cloud environments for infrastructure and configuration risks. */
+    val CSPM = Value
+  }
 }
