
Commit 275ff3b

handle changes in semgrep result file structure (#33)
* handle changes in semgrep result file structure * revert star import
1 parent 207aef9 commit 275ff3b

3 files changed

+242
-8
lines changed


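--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SemgrepReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SemgrepReader.java
@@ -199,15 +199,17 @@ private TestCaseResult parseSemgrepFindings(JSONObject result) {
 JSONObject metadata = extra.getJSONObject("metadata");
 
 // CWE
-int cwe = Integer.parseInt(metadata.getString("cwe").split(":")[0].split("-")[1]);
+String cweString = getStringOrFirstArrayIndex(metadata, "cwe");
+int cwe = Integer.parseInt(cweString.split(":")[0].split("-")[1]);
+
 try {
 cwe = translate(cwe);
 } catch (NumberFormatException ex) {
 System.out.println("CWE # not parseable from: " + metadata.getString("cwe"));
 }
 
 // category
-String category = metadata.getString("owasp");
+String category = getStringOrFirstArrayIndex(metadata, "owasp");
 
 // evidence
 String evidence = result.getString("check_id");
@@ -227,4 +229,12 @@ private TestCaseResult parseSemgrepFindings(JSONObject result) {
 
 return null;
 }
+
+private static String getStringOrFirstArrayIndex(JSONObject metadata, String key) {
+if (metadata.get(key) instanceof JSONArray) {
+return metadata.getJSONArray(key).getString(0);
+} else {
+return metadata.getString(key);
+}
+}
 }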
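Review bot: The fallback message in the catch block at new line 208 still reads the field with `metadata.getString("cwe")`, so for the array-shaped `cwe` this commit adds support for, the error handler itself will throw (org.json's getString rejects a non-string value, if that is the JSON library in use) instead of printing; use the value already extracted, `System.out.println("CWE # not parseable from: " + cweString);`. The new helper getStringOrFirstArrayIndex also assumes the key is present and the array is non-empty — `metadata.get(key)` and `getString(0)` both throw otherwise — so a single finding whose metadata lacks `cwe` or `owasp` would abort parsing of the whole result file rather than being skipped; a guard here, or documenting that callers accept the exception, would make that explicit. Note too that `Integer.parseInt` on new line 203 sits outside the try, so a `cwe` string not of the form `CWE-<n>: …` still escapes uncaught, although that is pre-existing. Finally the helper silently takes element 0 of the array; with the v0.121.0 fixture's `owasp` list that selects the 2017 entry over the 2021 one, so a one-line comment on the helper stating that the first entry is the intended choice would save the next reader a question. parseSemgrepFindings starts outside the hunk.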

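--- a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/SemgrepReaderTest.java
+++ b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/SemgrepReaderTest.java
@@ -30,23 +30,30 @@
 
 public class SemgrepReaderTest extends ReaderTestBase {
 
-private ResultFile resultFile;
+private ResultFile resultFileV65;
+private ResultFile resultFileV121;
 
 @BeforeEach
 void setUp() {
-resultFile = TestHelper.resultFileOf("testfiles/Benchmark_semgrep-v0.65.0.json");
+resultFileV65 = TestHelper.resultFileOf("testfiles/Benchmark_semgrep-v0.65.0.json");
+resultFileV121 = TestHelper.resultFileOf("testfiles/Benchmark_semgrep-v0.121.0.json");
 BenchmarkScore.TESTCASENAME = "BenchmarkTest";
 }
 
 @Test
-public void onlySemgrepReaderReportsCanReadAsTrue() {
-assertOnlyMatcherClassIs(this.resultFile, SemgrepReader.class);
+public void onlySemgrepReaderReportsCanReadAsTrueForV65() {
+assertOnlyMatcherClassIs(this.resultFileV65, SemgrepReader.class);
 }
 
 @Test
-void readerHandlesGivenResultFile() throws Exception {
+public void onlySemgrepReaderReportsCanReadAsTrueForV121() {
+assertOnlyMatcherClassIs(this.resultFileV121, SemgrepReader.class);
+}
+
+@Test
+void readerHandlesGivenResultFileInV65() throws Exception {
 SemgrepReader reader = new SemgrepReader();
-TestSuiteResults result = reader.parse(resultFile);
+TestSuiteResults result = reader.parse(resultFileV65);
 
 assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType());
 assertFalse(result.isCommercial());
@@ -57,4 +64,19 @@ void readerHandlesGivenResultFile() throws Exception {
 assertEquals(CweNumber.SQL_INJECTION, result.get(1).get(0).getCWE());
 assertEquals(CweNumber.INSECURE_COOKIE, result.get(2).get(0).getCWE());
 }
+
+@Test
+void readerHandlesGivenResultFileInV121() throws Exception {
+SemgrepReader reader = new SemgrepReader();
+TestSuiteResults result = reader.parse(resultFileV121);
+
+assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType());
+assertFalse(result.isCommercial());
+assertEquals("Semgrep", result.getToolName());
+
+assertEquals(2, result.getTotalResults());
+
+assertEquals(CweNumber.COMMAND_INJECTION, result.get(3).get(0).getCWE());
+assertEquals(CweNumber.INSECURE_COOKIE, result.get(4).get(0).getCWE());
+}
 }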
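Review bot: readerHandlesGivenResultFileInV121 covers only the happy path of the new array handling; a finding whose `cwe` array is empty, or whose metadata lacks the `owasp` key, is not exercised anywhere, so the behaviour of getStringOrFirstArrayIndex in those shapes stays unpinned and could change without any test noticing. A small extra fixture, or an inline JSONObject built in the test, for those two cases would document what the reader is expected to do. Minor point of style: onlySemgrepReaderReportsCanReadAsTrueForV121 is declared `public void` while readerHandlesGivenResultFileInV121 next to it is package-private, mirroring the existing pair; JUnit 5 needs neither modifier, so one form throughout the class would read more consistently.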
@@ -0,0 +1,202 @@
1+
{
2+
"errors": [],
3+
"results": [
4+
{
5+
"check_id": "java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call",
6+
"end": {
7+
"col": 44,
8+
"line": 63,
9+
"offset": 2350
10+
},
11+
"extra": {
12+
"fingerprint": "b04b2629a927ec0c62a65dbf719260f058c7591b15db57c22eaa4c0d50068efa3731782ca98ff43f75f99a17de166835c74b932b5bc35c709e09a19f83328056_0",
13+
"is_ignored": false,
14+
"lines": " Process p = r.exec(cmd + param);",
15+
"message": "A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.",
16+
"metadata": {
17+
"category": "security",
18+
"confidence": "LOW",
19+
"cwe": [
20+
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
21+
],
22+
"cwe2021-top25": true,
23+
"cwe2022-top25": true,
24+
"impact": "HIGH",
25+
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
26+
"likelihood": "LOW",
27+
"owasp": [
28+
"A01:2017 - Injection",
29+
"A03:2021 - Injection"
30+
],
31+
"references": [
32+
"https://owasp.org/Top10/A03_2021-Injection"
33+
],
34+
"shortlink": "https://sg.run/rd90",
35+
"source": "https://semgrep.dev/r/java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call",
36+
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#COMMAND_INJECTION.",
37+
"subcategory": [
38+
"audit"
39+
],
40+
"technology": [
41+
"java"
42+
]
43+
},
44+
"metavars": {
45+
"$RUNTIME": {
46+
"abstract_content": "r",
47+
"end": {
48+
"col": 26,
49+
"line": 63,
50+
"offset": 2332
51+
},
52+
"propagated_value": {
53+
"svalue_abstract_content": "Runtime.getRuntime()",
54+
"svalue_end": {
55+
"col": 41,
56+
"line": 60,
57+
"offset": 2290
58+
},
59+
"svalue_start": {
60+
"col": 21,
61+
"line": 60,
62+
"offset": 2270
63+
}
64+
},
65+
"start": {
66+
"col": 25,
67+
"line": 63,
68+
"offset": 2331
69+
}
70+
},
71+
"$TYPE": {
72+
"abstract_content": "Runtime",
73+
"end": {
74+
"col": 16,
75+
"line": 60,
76+
"offset": 2265
77+
},
78+
"start": {
79+
"col": 9,
80+
"line": 60,
81+
"offset": 2258
82+
}
83+
},
84+
"$X": {
85+
"abstract_content": "cmd",
86+
"end": {
87+
"col": 35,
88+
"line": 63,
89+
"offset": 2341
90+
},
91+
"start": {
92+
"col": 32,
93+
"line": 63,
94+
"offset": 2338
95+
}
96+
},
97+
"$Y": {
98+
"abstract_content": "param",
99+
"end": {
100+
"col": 43,
101+
"line": 63,
102+
"offset": 2349
103+
},
104+
"start": {
105+
"col": 38,
106+
"line": 63,
107+
"offset": 2344
108+
}
109+
}
110+
},
111+
"severity": "ERROR"
112+
},
113+
"path": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00003.java",
114+
"start": {
115+
"col": 13,
116+
"line": 63,
117+
"offset": 2319
118+
}
119+
},
120+
{
121+
"check_id": "java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly",
122+
"end": {
123+
"col": 40,
124+
"line": 42,
125+
"offset": 1833
126+
},
127+
"extra": {
128+
"fingerprint": "4c3df9b11fc18bb0371952e86b7fb99b8d6887a7318e27c21c9efea697cece407aec6c67e7998fda8889af9418d3af1cf8cec783ca9a1f8353792348b5e50ae1_0",
129+
"is_ignored": false,
130+
"lines": " response.addCookie(userCookie);",
131+
"message": "A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'",
132+
"metadata": {
133+
"asvs": {
134+
"control_id": "3.4.2 Missing Cookie Attribute",
135+
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v34-cookie-based-session-management",
136+
"section": "V3: Session Management Verification Requirements",
137+
"version": "4"
138+
},
139+
"category": "security",
140+
"confidence": "LOW",
141+
"cwe": [
142+
"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
143+
],
144+
"impact": "LOW",
145+
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
146+
"likelihood": "LOW",
147+
"owasp": [
148+
"A05:2021 - Security Misconfiguration"
149+
],
150+
"references": [
151+
"https://owasp.org/Top10/A05_2021-Security_Misconfiguration"
152+
],
153+
"shortlink": "https://sg.run/b7Be",
154+
"source": "https://semgrep.dev/r/java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly",
155+
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#HTTPONLY_COOKIE",
156+
"subcategory": [
157+
"audit"
158+
],
159+
"technology": [
160+
"java"
161+
]
162+
},
163+
"metavars": {
164+
"$COOKIE": {
165+
"abstract_content": "userCookie",
166+
"end": {
167+
"col": 38,
168+
"line": 42,
169+
"offset": 1831
170+
},
171+
"start": {
172+
"col": 28,
173+
"line": 42,
174+
"offset": 1821
175+
}
176+
},
177+
"$RESPONSE": {
178+
"abstract_content": "response",
179+
"end": {
180+
"col": 17,
181+
"line": 42,
182+
"offset": 1810
183+
},
184+
"start": {
185+
"col": 9,
186+
"line": 42,
187+
"offset": 1802
188+
}
189+
}
190+
},
191+
"severity": "WARNING"
192+
},
193+
"path": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00004.java",
194+
"start": {
195+
"col": 9,
196+
"line": 42,
197+
"offset": 1802
198+
}
199+
}
200+
],
201+
"version": "0.121.0"
202+
}
