From 2c3b32e894805e16e8e8fe6ebdf5cc14f5ac972b Mon Sep 17 00:00:00 2001
From: Sascha Knoop <github@darkspirit510.de>
Date: Tue, 1 Nov 2022 10:54:18 +0100
Subject: [PATCH 01/10] refactor CweNumber to enum

---
 .../benchmarkutils/score/BenchmarkScore.java  |  23 +-
 .../owasp/benchmarkutils/score/CweNumber.java | 325 +++++++++--
 .../benchmarkutils/score/TestCaseResult.java  |   6 +-
 .../score/parsers/AcunetixReader.java         |  43 +-
 .../score/parsers/AppScanDynamicReader.java   |  39 +-
 .../score/parsers/AppScanSourceReader.java    |   6 +-
 .../score/parsers/ArachniReader.java          |   7 +-
 .../score/parsers/BurpJsonReader.java         |   3 +-
 .../score/parsers/BurpReader.java             |  40 +-
 .../score/parsers/CASTAIPReader.java          |  47 +-
 .../score/parsers/CheckmarxESReader.java      |  16 +-
 .../score/parsers/CheckmarxIASTReader.java    |  91 ++-
 .../score/parsers/CheckmarxReader.java        |   9 +-
 .../score/parsers/CodeQLReader.java           |  78 +--
 .../score/parsers/ContrastAssessReader.java   |  12 +-
 .../score/parsers/ContrastScanReader.java     |   5 +-
 .../score/parsers/CoverityReader.java         |  29 +-
 .../score/parsers/CrashtestReader.java        |  22 +-
 .../score/parsers/FaastReader.java            |   3 +-
 .../score/parsers/FindbugsReader.java         |  94 ++-
 .../score/parsers/FortifyReader.java          | 101 ++--
 .../parsers/FusionLiteInsightReader.java      |   7 +-
 .../score/parsers/HCLAppScanIASTReader.java   |   8 +-
 .../score/parsers/HCLAppScanSourceReader.java |  10 +-
 .../parsers/HCLAppScanStandardReader.java     |  25 +-
 .../score/parsers/HdivReader.java             |   5 +-
 .../score/parsers/HorusecReader.java          |  26 +-
 .../score/parsers/InsiderReader.java          |  25 +-
 .../score/parsers/JuliaReader.java            |   3 +-
 .../score/parsers/KiuwanReader.java           |  19 +-
 .../score/parsers/KlocworkCSVReader.java      |  14 +-
 .../score/parsers/LGTMReader.java             |  14 +-
 .../score/parsers/NJSScanReader.java          |  40 +-
 .../score/parsers/NetsparkerReader.java       |   9 +-
 .../score/parsers/NoisyCricketReader.java     |   3 +-
 .../score/parsers/PMDReader.java              |  33 +-
 .../score/parsers/ParasoftReader.java         |   7 +-
 .../score/parsers/QualysWASReader.java        | 145 ++---
 .../score/parsers/Rapid7Reader.java           |   8 +-
 .../score/parsers/ReshiftReader.java          |  23 +-
 .../score/parsers/SeekerReader.java           |  45 +-
 .../score/parsers/SemgrepReader.java          |  25 +-
 .../score/parsers/ShiftLeftReader.java        |  25 +-
 .../score/parsers/ShiftLeftScanReader.java    |  36 +-
 .../score/parsers/SnappyTickReader.java       |  44 +-
 .../score/parsers/SonarQubeJsonReader.java    |   8 +-
 .../score/parsers/SonarQubeReader.java        | 550 ++++++++----------
 .../score/parsers/SourceMeterReader.java      |  17 +-
 .../score/parsers/ThunderScanReader.java      |  13 +-
 .../score/parsers/VeracodeReader.java         |  20 +-
 .../parsers/VisualCodeGrepperReader.java      |   7 +-
 .../score/parsers/W3AFReader.java             |   9 +-
 .../score/parsers/WapitiJsonReader.java       |  53 +-
 .../score/parsers/WapitiReader.java           |  38 +-
 .../score/parsers/WebInspectReader.java       |  71 +--
 .../score/parsers/XanitizerReader.java        |  51 +-
 .../score/parsers/ZapJsonReader.java          |  53 +-
 .../score/parsers/ZapReader.java              |  11 +-
 .../benchmarkutils/score/CweNumberTest.java   |  74 +++
 .../score/parsers/AcunetixReaderTest.java     |   2 +-
 .../score/parsers/BurpReaderTest.java         |   2 +-
 .../score/parsers/CASTAIPReaderTest.java      |   2 +-
 .../score/parsers/ContrastScanReaderTest.java |   2 +-
 .../score/parsers/FortifyReaderTest.java      |   2 +-
 .../score/parsers/InsiderReaderTest.java      |   2 +-
 .../score/parsers/Rapid7ReaderTest.java       |   2 +-
 .../score/parsers/SeekerReaderTest.java       |   2 +-
 .../score/parsers/SonarQubeReaderTest.java    |   2 +-
 .../score/parsers/WapitiJsonReaderTest.java   |   2 +-
 .../score/parsers/WapitiReaderTest.java       |   2 +-
 70 files changed, 1238 insertions(+), 1357 deletions(-)
 create mode 100644 plugin/src/test/java/org/owasp/benchmarkutils/score/CweNumberTest.java

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/BenchmarkScore.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/BenchmarkScore.java
index ea087336..b21a5744 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/BenchmarkScore.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/BenchmarkScore.java
@@ -721,7 +721,7 @@ private static void process(
     @SuppressWarnings("unused")
     private static void printExtraCWE(
             TestSuiteResults expectedResults, TestSuiteResults actualResults) {
-        Set<Integer> expectedCWE = new HashSet<Integer>();
+        Set<CweNumber> expectedCWE = new HashSet<CweNumber>();
         for (int i : expectedResults.keySet()) {
             List<TestCaseResult> list = expectedResults.get(i);
             for (TestCaseResult t : list) {
@@ -729,7 +729,7 @@ private static void printExtraCWE(
             }
         }
 
-        Set<Integer> actualCWE = new HashSet<Integer>();
+        Set<CweNumber> actualCWE = new HashSet<CweNumber>();
         for (int i : actualResults.keySet()) {
             List<TestCaseResult> list = actualResults.get(i);
             if (list != null) {
@@ -739,8 +739,8 @@ private static void printExtraCWE(
             }
         }
 
-        Set<Integer> extras = difference(actualCWE, expectedCWE);
-        for (int cwe : extras) {
+        Set<CweNumber> extras = difference(actualCWE, expectedCWE);
+        for (CweNumber cwe : extras) {
             System.out.println("Extra: " + cwe);
         }
     }
@@ -954,20 +954,21 @@ private static boolean compare(TestCaseResult exp, List<TestCaseResult> actList,
             // System.out.println( "  Evidence: " + act.getCWE() + " " + act.getEvidence() + "[" +
             // act.getConfidence() + "]");
 
-            int actualCWE = act.getCWE();
-            int expectedCWE = exp.getCWE();
+            CweNumber actualCWE = act.getCWE();
+            CweNumber expectedCWE = exp.getCWE();
 
-            boolean match = actualCWE == expectedCWE;
+            boolean match = actualCWE.equals(expectedCWE);
 
             // Special case: many tools report CWE 89 (sqli) for Hibernate Injection (hqli) rather
             // than actual CWE of 564 So we accept either
-            if (!match && (expectedCWE == 564)) {
-                match = (actualCWE == 89);
+            if (!match && (CweNumber.HIBERNATE_INJECTION.equals(expectedCWE))) {
+                match = CweNumber.SQL_INJECTION.equals(actualCWE);
             }
 
             // special hack since IBM/Veracode don't distinguish different kinds of weak algorithm
             if (tool.startsWith("AppScan") || tool.startsWith("Vera")) {
-                if (expectedCWE == 328 && actualCWE == 327) {
+                if (CweNumber.WEAK_HASH_ALGO.equals(expectedCWE)
+                        && CweNumber.WEAK_CRYPTO_ALGO.equals(actualCWE)) {
                     match = true;
                 }
             }
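Review bot: The new equality at `boolean match = actualCWE.equals(expectedCWE);` will score a finding as a pass when both sides are `CweNumber.DONTCARE`, which this commit makes reachable from both directions: `readExpectedResults` now routes an unmapped expected CWE through `CweNumber.lookup`, which returns `DONTCARE`, and every reader maps unknown or irrelevant findings to `DONTCARE` as well. Previously the expected side held the raw integer, so a stray tool finding with CWE 0 could never match it. Reject the sentinel explicitly and use identity, which for an enum is both idiomatic and null-safe (`equals` throws if a reader ever calls `setCWE(null)`): `boolean match = actualCWE != CweNumber.DONTCARE && actualCWE == expectedCWE;`. The `compare` method starts before and continues past this hunk, so the later `if (match)` handling is not visible here.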
@@ -1036,7 +1037,7 @@ private static TestSuiteResults readExpectedResults(File file) {
                         tcr.setTestCaseName(parts[0]);
                         tcr.setCategory(parts[1]);
                         tcr.setReal(Boolean.parseBoolean(parts[2]));
-                        tcr.setCWE(Integer.parseInt(parts[3]));
+                        tcr.setCWE(CweNumber.lookup(Integer.parseInt(parts[3])));
 
                         String tcname = parts[0].substring(TESTCASENAME.length());
                         tcr.setNumber(Integer.parseInt(tcname));
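Review bot: `tcr.setCWE(CweNumber.lookup(Integer.parseInt(parts[3])));` silently downgrades an expected CWE that is missing from the enum to `DONTCARE`, with only a stdout "WARN" line from `lookup`; before this change the raw integer was kept and a tool reporting that CWE would still score correctly. The expected-results file is the ground truth for the whole scorecard, so an unmapped number there should stop the run rather than quietly change what counts as a true positive. Something like `CweNumber expected = CweNumber.lookup(Integer.parseInt(parts[3])); if (expected == CweNumber.DONTCARE) throw new IllegalArgumentException("Unmapped CWE in expected results: " + parts[3]);` keeps the enum refactor honest. The enclosing `readExpectedResults` method starts before and ends after this hunk.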
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java
index 03ff0a63..ae58d9ed 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java
@@ -1,165 +1,364 @@
-/**
- * OWASP Benchmark Project
- *
- * <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For
- * details, please see <a
- * href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
- *
- * <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
- * of the GNU General Public License as published by the Free Software Foundation, version 2.
- *
- * <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
- * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
- * PURPOSE. See the GNU General Public License for more details.
- *
- * @author Sascha Knoop
- * @created 2021
- */
 package org.owasp.benchmarkutils.score;
 
-public class CweNumber {
+public enum CweNumber {
 
     /** To be used when the CWE reported is one we don't care about in any test suite */
-    public static int DONTCARE = 0000;
+    DONTCARE(0),
+
+    /** CWE-16: CWE CATEGORY: Configuration */
+    CATEGORY_CONFIGURATION(16),
+
+    /** CWE-20: Improper Input Validation */
+    IMPROPER_INPUT_VALIDAITON(20),
 
     /** CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') */
-    public static int PATH_TRAVERSAL = 22;
+    PATH_TRAVERSAL(22),
+
+    /**
+     * CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
+     */
+    COMMAND_INJECTION(77),
 
     /**
      * CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command
      * Injection')
      */
-    public static int COMMAND_INJECTION = 78;
+    OS_COMMAND_INJECTION(78),
 
     /**
      * CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
      */
-    public static int XSS = 79;
+    XSS(79),
+
+    /** CWE-83: Improper Neutralization of Script in Attributes in a Web Page */
+    IMPROPER_NEUTRALIZATION_OF_ATTRIBUTES(83),
 
     /**
      * CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
      */
-    public static int SQL_INJECTION = 89;
+    SQL_INJECTION(89),
 
     /**
      * CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
      */
-    public static int LDAP_INJECTION = 90;
+    LDAP_INJECTION(90),
+
+    /** CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') */
+    CRLF_INJECTION(93),
+
+    /**
+     * CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval
+     * Injection')
+     */
+    EVAL_INJECTION(95),
+
+    /** CWE-99: Improper Control of Resource Identifiers ('Resource Injection') */
+    RESOURCE_INJECTION(99),
+
+    /** CWE-112: Missing XML Validation */
+    MISSING_XML_VALIDATION(112),
 
     /**
      * CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response
      * Splitting')
      */
-    public static int HTTP_RESPONSE_SPLITTING = 113;
+    HTTP_RESPONSE_SPLITTING(113),
+
+    /** CWE-117: Improper Output Neutralization for Logs */
+    MISSING_LOG_OUTPUT_NEUTRALIZATION(117),
 
     /** CWE-134: Use of Externally-Controlled Format String */
-    public static int EXTERNALLY_CONTROLLED_STRING = 134;
+    EXTERNALLY_CONTROLLED_STRING(134),
+
+    /** CWE-190: Integer Overflow or Wraparound */
+    INTEGER_OVERFLOW_WRAPAROUND(190),
+
+    /** CWE-200: Exposure of Sensitive Information to an Unauthorized Actor */
+    EXPOSURE_SENSITIVE_TO_UNAUTHORIZED_USER(200),
+
+    /** CWE-209: Generation of Error Message Containing Sensitive Information */
+    ERROR_MESSAGE_WITH_SENSITIVE_INFO(209),
+
+    /** CWE-215: Insertion of Sensitive Information Into Debugging Code */
+    SENSITIVE_INFO_IN_DEBUG_MODE(215),
+
+    /** CWE-235: Improper Handling of Extra Parameters */
+    IMPROPER_HANDLING_OF_PARAMETERS(235),
+
+    /** CWE-250: Execution with Unnecessary Privileges */
+    TOO_PRIVILIGED_EXECUTION(250),
+
+    /** CWE-252: Unchecked Return Value */
+    UNCHECKED_RETURN_VALUE(252),
+
+    /** CWE-259: Use of Hard-coded Password */
+    HARDCODED_PASSWORD(259),
 
     /** CWE-284: Improper Access Control */
-    public static int IMPROPER_ACCESS_CONTROL = 284;
+    IMPROPER_ACCESS_CONTROL(284),
+
+    /** CWE-293: Using Referer Field for Authentication */
+    REFERER_FIELD_IN_AUTHENTICATION(293),
+
+    /** CWE-311: Missing Encryption of Sensitive Data */
+    UNENCRYPTED_SENSITIVE_DATA(311),
+
+    /** CWE-320: CWE CATEGORY: Key Management Errors */
+    CATEGORY_KEY_MANAGEMENT_ERROR(320),
+
+    /** CWE-325: Missing Cryptographic Step */
+    MISSING_CRYPTOGRAPHIC_STEP(325),
 
     /** CWE-327: Use of a Broken or Risky Cryptographic Algorithm */
-    public static int WEAK_CRYPTO_ALGO = 327;
+    WEAK_CRYPTO_ALGO(327),
 
     /** CWE-328: Use of Weak Hash */
-    public static int WEAK_HASH_ALGO = 328;
+    WEAK_HASH_ALGO(328),
 
     /** CWE-329: Generation of Predictable IV with CBC Mode */
-    public static int STATIC_CRYPTO_INIT = 329;
+    STATIC_CRYPTO_INIT(329),
 
     /** CWE-330: Use of Insufficiently Random Values */
-    public static int WEAK_RANDOM = 330;
+    WEAK_RANDOM(330),
+
+    /** CWE-346: Origin Validation Error */
+    ORIGIN_VALIDATION_ERROR(346),
 
     /** CWE-352: Cross-Site Request Forgery (CSRF) */
-    public static int CSRF = 352;
+    CSRF(352),
+
+    /** CWE-359: Exposure of Private Personal Information to an Unauthorized Actor */
+    EXPOSURE_PRIVATE_TO_UNAUTHORIZED_USER(359),
+
+    /** CWE-369: Divide By Zero */
+    DIVISION_BY_ZERO(369),
+
+    /** CWE-374: Passing Mutable Objects to an Untrusted Method */
+    PASS_MUTABLE_OBJECT_TO_UNTRUSTED_MODULE(374),
 
     /** CWE-382: J2EE Bad Practices: Use of System.exit() */
-    public static int SYSTEM_EXIT = 382;
+    SYSTEM_EXIT(382),
 
     /** CWE-395: Use of NullPointerException Catch to Detect NULL Pointer Dereference */
-    public static int CATCHING_NULL_POINTER_EXCEPTION = 395;
+    CATCHING_NULL_POINTER_EXCEPTION(395),
 
     /** CWE-396: Declaration of Catch for Generic Exception */
-    public static int CATCH_GENERIC_EXCEPTION = 396;
+    CATCH_GENERIC_EXCEPTION(396),
 
     /** CWE-397: Declaration of Throws for Generic Exception */
-    public static int THROW_GENERIC_EXCEPTION = 397;
+    THROW_GENERIC_EXCEPTION(397),
+
+    /** CWE-400: Uncontrolled Resource Consumption */
+    UNCONTROLLED_RESOURCE_CONSUMPTION(400),
+
+    /** CWE-404: Improper Resource Shutdown or Release */
+    UNRELEASED_RESOURCE(404),
+
+    /** CWE-434: Unrestricted Upload of File with Dangerous Type */
+    UNRESTRICTED_FILE_UPLOAD(434),
+
+    /** CWE-451: User Interface (UI) Misrepresentation of Critical Information */
+    MISREPRESENTATION_OF_CRITICAL_INFO(451),
+
+    /** CWE-459: Incomplete Cleanup */
+    INCOMPLETE_CLEANUP(459),
+
+    /**
+     * CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
+     */
+    UNSAFE_REFLECTION(470),
+
+    /** CWE-472: External Control of Assumed-Immutable Web Parameter */
+    EXTERNAL_CONTROL_OF_WEB_PARAM(472),
+
+    /** CWE-476: NULL Pointer Dereference */
+    NULL_POINTER_DEREFERENCE(476),
 
     /** CWE-478: Missing Default Case in Switch Statement */
-    public static int MISSING_DEFAULT_CASE = 478;
+    MISSING_DEFAULT_CASE(478),
+
+    /** CWE-482: Comparing instead of Assigning */
+    COMPARING_INSTEAD_OF_ASSIGNING(482),
 
     /** CWE-483: Incorrect Block Delimitation */
-    public static int INCORRECT_BLOCK_DELIMITATION = 483;
+    INCORRECT_BLOCK_DELIMITATION(483),
 
     /** CWE-484: Omitted Break Statement in Switch */
-    public static int OMITTED_BREAK = 484;
+    OMITTED_BREAK(484),
+
+    /** CWE-486: Comparison of Classes by Name */
+    COMPARISON_BY_CLASS_NAME(486),
+
+    /** CWE-489: Active Debug Code */
+    ACTIVE_DEBUG_CODE(489),
 
     /** CWE-493: Critical Public Variable Without Final Modifier */
-    public static int PUBLIC_VAR_WITHOUT_FINAL = 493;
+    PUBLIC_VAR_WITHOUT_FINAL(493),
 
     /** CWE-500: Public Static Field Not Marked Final */
-    public static int PUBLIC_STATIC_NOT_FINAL = 500;
+    PUBLIC_STATIC_NOT_FINAL(500),
 
     /** CWE-501: Trust Boundary Violation */
-    public static int TRUST_BOUNDARY_VIOLATION = 501;
+    TRUST_BOUNDARY_VIOLATION(501),
 
     /** CWE-502: Deserialization of Untrusted Data */
-    public static int INSECURE_DESERIALIZATION = 502;
+    INSECURE_DESERIALIZATION(502),
+
+    /** CWE-521: Weak Password Requirements */
+    WEAK_PASSWORD_REQUIREMENTS(521),
 
     /** CWE-523: Unprotected Transport of Credentials */
-    public static int UNPROTECTED_CREDENTIALS_TRANSPORT = 523;
+    UNPROTECTED_CREDENTIALS_TRANSPORT(523),
+
+    /** CWE-525: Use of Web Browser Cache Containing Sensitive Information */
+    SENSITIVE_INFORMATION_IN_BROWSER_CACHE(525),
 
     /** CWE-532: Insertion of Sensitive Information into Log File */
-    public static int SENSITIVE_LOGFILE = 532;
+    SENSITIVE_LOGFILE(532),
+
+    /** CWE-563: Assignment to Variable without Use */
+    UNUSED_VAR_ASSIGNMENT(563),
 
     /** CWE-564: SQL Injection: Hibernate */
-    public static int HIBERNATE_INJECTION = 564;
+    HIBERNATE_INJECTION(564),
 
     /** CWE-572: Call to Thread run() instead of start() */
-    public static int THREAD_WRONG_CALL = 572;
+    THREAD_WRONG_CALL(572),
 
-    /** CWE-580: clone() Method Without super.clone() */
-    public static int CLONE_WITHOUT_SUPER_CLONE = 580;
+    /** CWE-579: J2EE Bad Practices: Non-serializable Object Stored in Session */
+    NON_SERIALIZABLE_OBJECT_IN_SESSION(579),
 
-    /** CWE-563: Assignment to Variable without Use */
-    public static int UNUSED_VAR_ASSIGNMENT = 563;
+    /** CWE-580: clone() Method Without super.clone() */
+    CLONE_WITHOUT_SUPER_CLONE(580),
 
     /** CWE-581: Object Model Violation: Just One of Equals and Hashcode Defined */
-    public static int OBJECT_MODEL_VIOLATION = 581;
+    OBJECT_MODEL_VIOLATION(581),
+
+    /** CWE-582: Array Declared Public, Final, and Static */
+    STATIC_FINAL_ARRAY_IS_PUBLIC(582),
 
     /** CWE-583: finalize() Method Declared Public */
-    public static int FINALIZE_DECLARED_PUBLIC = 583;
+    FINALIZE_DECLARED_PUBLIC(583),
 
     /** CWE-584: Return Inside Finally Block */
-    public static int RETURN_INSIDE_FINALLY = 584;
+    RETURN_INSIDE_FINALLY(584),
+
+    /** CWE-594: J2EE Framework: Saving Unserializable Objects to Disk */
+    SAVING_UNSERIALIZABLE_OBJECT_TO_DISK(594),
 
     /** CWE-595: Comparison of Object References Instead of Object Contents */
-    public static int OBJECT_REFERENCE_COMPARISON = 595;
+    OBJECT_REFERENCE_COMPARISON(595),
+
+    /** CWE-600: Uncaught Exception in Servlet */
+    UNCAUGHT_EXCEPTION_IN_SERVLET(600),
+
+    /** CWE-601: URL Redirection to Untrusted Site ('Open Redirect') */
+    OPEN_REDIRECT(601),
+
+    /** CWE-607: Public Static Final Field References Mutable Object */
+    PUBLIC_STATIC_FINAL_MUTABLE_OBJECT(607),
 
     /** CWE-611: Improper Restriction of XML External Entity Reference */
-    public static int XXE = 611;
+    XXE(611),
+
+    /** CWE-613: Insufficient Session Expiration */
+    INSUFFICIENT_SESSION_EXPIRATION(613),
 
     /** CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute */
-    public static int INSECURE_COOKIE = 614;
+    INSECURE_COOKIE(614),
 
     /** CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection') */
-    public static int XPATH_INJECTION = 643;
+    XPATH_INJECTION(643),
 
     /**
      * CWE-649: Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity
      * Checking
      */
-    public static int OBFUSCATION = 649;
+    OBFUSCATION(649),
+
+    /** CWE-650: Trusting HTTP Permission Methods on the Server Side */
+    TRUSTING_SERVER_HTTP(650),
+
+    /** CWE-652: Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') */
+    XQUERY_INJECTION(652),
+
+    /** CWE-693: Protection Mechanism Failure */
+    PROTECTION_MECHANISM_FAILURE(693),
+
+    /** CWE-703: Improper Check or Handling of Exceptional Conditions */
+    IMPROPER_CHECK_FOR_EXCEPTION_CONDITIONS(703),
 
     /** CWE-754: Improper Check for Unusual or Exceptional Conditions */
-    public static int IMPROPER_CHECK_FOR_CONDITIONS = 754;
+    IMPROPER_CHECK_FOR_CONDITIONS(754),
+
+    /** CWE-759: Use of a One-Way Hash without a Salt */
+    UNSALTED_ONE_WAY_HASH(759),
+
+    /** CWE-772: Missing Release of Resource after Effective Lifetime */
+    MISSING_RELEASE_OF_RESOURCE(772),
+
+    /**
+     * CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
+     */
+    XML_ENTITY_EXPANSION(776),
+
+    /** CWE-778: Insufficient Logging */
+    INSUFFICIENT_LOGGING(778),
+
+    /** CWE-780: Use of RSA Algorithm without OAEP */
+    RSA_MISSING_PADDING(780),
 
     /** CWE-783: Operator Precedence Logic Error */
-    public static int OPERATOR_PRECEDENCE_LOGIC = 783;
+    OPERATOR_PRECEDENCE_LOGIC(783),
 
     /** CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') */
-    public static int LOOP_WITH_UNREACHABLE_EXIT = 835;
+    LOOP_WITH_UNREACHABLE_EXIT(835),
+
+    /** CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes */
+    IMPROPER_CHECK_FOR_MODIFICATION(915),
+
+    /** CWE-918: Server-Side Request Forgery (SSRF) */
+    SERVER_SIDE_REQUEST_FORGERY(918),
+
+    /**
+     * CWE-937: CWE CATEGORY: OWASP Top Ten 2013 Category A9 - Using Components with Known
+     * Vulnerabilities
+     */
+    CATEGORY_OWASP_2013_A9(937),
+
+    /** CWE-943: Improper Neutralization of Special Elements in Data Query Logic */
+    IMPROPER_DATA_QUERY_NEUTRALIZATION(943),
 
     /** CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag */
-    public static int COOKIE_WITHOUT_HTTPONLY = 1004;
+    COOKIE_WITHOUT_HTTPONLY(1004),
+
+    /** CWE-1021: Improper Restriction of Rendered UI Layers or Frames */
+    IMPROPER_RESTRICTION_OF_UI_LAYERS(1021);
+
+    int number;
+
+    CweNumber(int number) {
+        this.number = number;
+    }
+
+    public static CweNumber lookup(int searchFor) {
+        for (CweNumber entry : CweNumber.class.getEnumConstants()) {
+            if (entry.number == searchFor) {
+                return entry;
+            }
+        }
+
+        System.out.println("WARN: Requested unmapped CWE number " + searchFor + ".");
+
+        return DONTCARE;
+    }
+
+    public static CweNumber lookup(String searchFor) {
+        try {
+            return lookup(Integer.parseInt(searchFor));
+        } catch (NumberFormatException n) {
+            System.out.println("ERROR: Failed to parse CWE number '" + searchFor + "'.");
+            return CweNumber.DONTCARE;
+        }
+    }
 }
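Review bot: The `int number;` field at the bottom of the enum is package-visible and not `final`, so any class in `org.owasp.benchmarkutils.score` can reassign the CWE id behind a shared constant at runtime; it should be `private final` with a `getNumber()` accessor. `lookup(int)` also does a linear scan over `CweNumber.class.getEnumConstants()`, which clones the constant array on every call and is invoked once per finding per reader — a `Map<Integer, CweNumber>` built once in a static initializer is cheaper and, as a bonus, can fail fast if two constants ever share a number (requires `java.util.Map`/`HashMap` imports). Two smaller things: the GPL/OWASP license header that the old file carried has been dropped from the new one, and `COMMAND_INJECTION` now means CWE-77 while CWE-78 moved to `OS_COMMAND_INJECTION`, so any reader not updated in this series that still returns `COMMAND_INJECTION` for an OS-command finding will silently score against the wrong CWE.
```java
    private final int number;

    CweNumber(int number) {
        this.number = number;
    }

    /** The numeric CWE id this constant stands for (0 for DONTCARE). */
    public int getNumber() {
        return number;
    }

    private static final Map<Integer, CweNumber> BY_NUMBER = new HashMap<>();

    static {
        for (CweNumber entry : values()) {
            if (BY_NUMBER.put(entry.number, entry) != null) {
                throw new IllegalStateException("Duplicate CWE number " + entry.number);
            }
        }
    }

    public static CweNumber lookup(int searchFor) {
        CweNumber found = BY_NUMBER.get(searchFor);
        if (found == null) {
            System.out.println("WARN: Requested unmapped CWE number " + searchFor + ".");
            return DONTCARE;
        }
        return found;
    }

    // … unchanged: lookup(String) …
```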
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/TestCaseResult.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/TestCaseResult.java
index 94e51254..b3961c0d 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/TestCaseResult.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/TestCaseResult.java
@@ -27,7 +27,7 @@ public class TestCaseResult {
     private int number = 0;
     private boolean real = false;
     private boolean result = false;
-    private int CWE = 0;
+    private CweNumber CWE = CweNumber.DONTCARE;
     private String category = null;
     private String evidence = null;
     private int confidence = 0;
@@ -84,11 +84,11 @@ public void setPassed(boolean result) {
         this.result = result;
     }
 
-    public int getCWE() {
+    public CweNumber getCWE() {
         return CWE;
     }
 
-    public void setCWE(int cwe) {
+    public void setCWE(CweNumber cwe) {
         this.CWE = cwe;
     }
 
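Review bot: `setCWE(CweNumber cwe)` accepts `null`, and the field default of `CweNumber.DONTCARE` is then lost; with `BenchmarkScore.compare` now calling `actualCWE.equals(expectedCWE)`, a reader that passes a null lookup result would turn into a NullPointerException deep in scoring rather than a mis-scored finding. Guard it at the setter so the invariant "CWE is never null" holds everywhere: `this.CWE = Objects.requireNonNull(cwe, "cwe");` (needs `java.util.Objects`), or map null to `CweNumber.DONTCARE` if a lenient default is preferred.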
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/AcunetixReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/AcunetixReader.java
index 87b25063..4ee5f071 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/AcunetixReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/AcunetixReader.java
@@ -159,10 +159,8 @@ private TestCaseResult parseAcunetixVulnerability(Node vuln) throws Exception {
                 Node vulnId = getNamedChild("cwe", classification);
                 if (vulnId != null) {
                     String cweNum = vulnId.getTextContent();
-                    int cwe = cweLookup(cweNum);
-                    tcr.setCWE(cwe);
-                    // System.out.println("Found CWE: " + cwe + " in test case: " +
-                    // tcr.getNumber());
+                    tcr.setCWE(cweLookup(cweNum));
+
                     tcr.setConfidence(
                             Integer.parseInt(getNamedChild("certainty", vuln).getTextContent()));
                     return tcr;
@@ -198,8 +196,7 @@ private TestCaseResult parseAcunetixReportItem(Node flaw) throws Exception {
         Node vulnId = getNamedChild("CWE", flaw);
         if (vulnId != null) {
             String cweNum = getAttributeValue("id", vulnId);
-            int cwe = cweLookup(cweNum);
-            tcr.setCWE(cwe);
+            tcr.setCWE(cweLookup(cweNum));
         }
 
         //        String conf = getNamedChild( "Severity", flaw ).getTextContent();
@@ -230,40 +227,12 @@ private TestCaseResult parseAcunetixReportItem(Node flaw) throws Exception {
         return null;
     }
 
-    private int cweLookup(String cweNum) {
+    private CweNumber cweLookup(String cweNum) {
         if (cweNum == null || cweNum.isEmpty()) {
             System.out.println("ERROR: No CWE number supplied");
-            return 0000;
-        }
-        switch (cweNum) {
-            case "22":
-                return CweNumber.PATH_TRAVERSAL;
-            case "78":
-                return CweNumber.COMMAND_INJECTION;
-            case "79":
-                return CweNumber.XSS;
-            case "89":
-                return CweNumber.SQL_INJECTION;
-            case "614":
-                return CweNumber.INSECURE_COOKIE;
-
-                // switch left in case we ever need to map a reported cwe to the one expected by
-                // Benchmark
-                //        case "ldap-injection"            :  return 90;   // ldap injection
-                //        case "header-injection"          :  return 113;  // header injection
-                //        case "hql-injection"             :  return 0000; // hql injection
-                //        case "unsafe-readline"           :  return 0000; // unsafe readline
-                //        case "reflection-injection"      :  return 0000; // reflection injection
-                //        case "xpath-injection"           :  return 643;  // xpath injection
-                //        case "crypto-bad-mac"            :  return 328;  // weak hash
-                //        case "crypto-weak-randomness"    :  return 330;  // weak random
-                //        case "crypto-bad-ciphers"        :  return 327;  // weak encryption
-                //        case "trust-boundary-violation"  :  return 501;  // trust boundary
-                //        case "xxe"                       :  return 611;  // xml entity
+            return CweNumber.DONTCARE;
         }
 
-        // Add any 'new' CWEs ever found to switch above so we know they are mapped properly.
-        System.out.println("INFO: Found following CWE which we haven't seen before: " + cweNum);
-        return Integer.parseInt(cweNum);
+        return CweNumber.lookup(cweNum);
     }
 }
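Review bot: The null/empty guard at the top of `cweLookup` is now mostly redundant: `CweNumber.lookup(String)` already catches the `NumberFormatException` that `Integer.parseInt` throws for `null` and `""` and returns `DONTCARE`, so the only difference is the log text. More importantly, the old fallback of `return Integer.parseInt(cweNum);` with an "INFO: Found following CWE which we haven't seen before" line is gone — an Acunetix CWE that is absent from the enum now collapses to `DONTCARE` and disappears from the "Extra" CWE report, whereas before it was carried through as its real number. If that is intended, a one-line comment such as `// Unmapped Acunetix CWEs intentionally score as DONTCARE; add them to CweNumber to track them` would stop the next maintainer from reading it as a regression.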
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/AppScanDynamicReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/AppScanDynamicReader.java
index c856196c..665aa8d1 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/AppScanDynamicReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/AppScanDynamicReader.java
@@ -21,6 +21,7 @@
 import java.util.List;
 import java.util.Map;
 import org.owasp.benchmarkutils.score.BenchmarkScore;
+import org.owasp.benchmarkutils.score.CweNumber;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestCaseResult;
 import org.owasp.benchmarkutils.score.TestSuiteResults;
@@ -147,8 +148,10 @@ private TestCaseResult parseAppScanDynamicVulnerability(
         TestCaseResult tcr = new TestCaseResult();
         String cwekey = getAttributeValue("IssueTypeID", issue);
         Integer cwe = cweMap.get(cwekey);
-        if (cwe == null) return null;
-        tcr.setCWE(translate(cwe));
+        if (cwe == null) {
+            return null;
+        }
+        tcr.setCWE(CweNumber.lookup(cwe));
 
         tcr.setCategory(cwekey);
         tcr.setEvidence(cwekey);
@@ -173,36 +176,4 @@ private TestCaseResult parseAppScanDynamicVulnerability(
 
         return null;
     }
-
-    private int translate(int id) {
-        switch (id) {
-                // //case "Build Misconfiguration" : return 00;
-                // case "Command Injection" : return 78;
-                // case "Cookie Security" : return 614;
-                // case "Cross-Site Scripting" : return 79;
-                // //case "Dead Code" : return 00;
-                // //case "Denial of Service" : return 00;
-                // case "Header Manipulation" : return 113;
-                // case "Insecure Randomness" : return 330;
-                // //case "J2EE Bad Practices" : return 00;
-                // case "LDAP Injection" : return 90;
-                // //case "Missing Check against Null" : return 00;
-                // //case "Null Dereference" : return 00;
-                // case "Password Management" : return 00;
-                // case "Path Manipulation" : return 22;
-                // //case "Poor Error Handling" : return 00;
-                // //case "Poor Logging Practice" : return 00;
-                // //case "Poor Style" : return 00;
-                // //case "Resource Injection" : return 00;
-                // case "SQL Injection" : return 89;
-                // //case "System Information Leak" : return 00;
-                // case "Trust Boundary Violation" : return 501;
-                // //case "Unreleased Resource" : return 00;
-                // //case "Unsafe Reflection" : return 00;
-                // case "Weak Cryptographic Hash" : return 328;
-                // case "Weak Encryption" : return 327;
-                // case "XPath Injection" : return 643;
-        }
-        return id;
-    }
 }
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/AppScanSourceReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/AppScanSourceReader.java
index 315b7ee9..c8507397 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/AppScanSourceReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/AppScanSourceReader.java
@@ -143,7 +143,7 @@ private String parseTime(String message) {
     		}
     	  }
     */
-    private int cweLookup(String vtype) {
+    private CweNumber cweLookup(String vtype) {
         switch (vtype) {
                 //		case "Vulnerability.AppDOS" : return 00;
                 //		case "Vulnerability.Authentication.Entity" : return 00;
@@ -160,7 +160,7 @@ private int cweLookup(String vtype) {
             case "Vulnerability.Injection.LDAP":
                 return CweNumber.LDAP_INJECTION;
             case "Vulnerability.Injection.OS":
-                return CweNumber.COMMAND_INJECTION;
+                return CweNumber.OS_COMMAND_INJECTION;
             case "Vulnerability.Injection.SQL":
                 return CweNumber.SQL_INJECTION;
             case "Vulnerability.Injection.XPath":
@@ -178,7 +178,7 @@ private int cweLookup(String vtype) {
             case "Vulnerability.Validation.Required":
                 return CweNumber.TRUST_BOUNDARY_VIOLATION;
         }
-        return 0;
+        return CweNumber.DONTCARE;
     }
 
     /**
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ArachniReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ArachniReader.java
index f7c9674f..68ebf9cb 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ArachniReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ArachniReader.java
@@ -25,6 +25,7 @@
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import org.owasp.benchmarkutils.score.BenchmarkScore;
+import org.owasp.benchmarkutils.score.CweNumber;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestCaseResult;
 import org.owasp.benchmarkutils.score.TestSuiteResults;
@@ -144,7 +145,7 @@ private TestCaseResult parseArachniIssue(Node flaw) throws URISyntaxException {
         TestCaseResult tcr = new TestCaseResult();
         Node rule = getNamedChild("cwe", flaw);
         if (rule != null) {
-            tcr.setCWE(cweLookup(rule.getTextContent()));
+            tcr.setCWE(CweNumber.lookup(rule.getTextContent()));
         }
 
         String cat = getNamedChild("name", flaw).getTextContent();
@@ -178,8 +179,4 @@ private TestCaseResult parseArachniIssue(Node flaw) throws URISyntaxException {
         }
         return null;
     }
-
-    private int cweLookup(String orig) {
-        return Integer.parseInt(orig);
-    }
 }
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/BurpJsonReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/BurpJsonReader.java
index a6e34b8a..7f9a0932 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/BurpJsonReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/BurpJsonReader.java
@@ -21,6 +21,7 @@
 import org.json.JSONException;
 import org.json.JSONObject;
 import org.owasp.benchmarkutils.score.BenchmarkScore;
+import org.owasp.benchmarkutils.score.CweNumber;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestCaseResult;
 import org.owasp.benchmarkutils.score.TestSuiteResults;
@@ -100,7 +101,7 @@ private TestCaseResult parseBurpJSONFinding(JSONObject finding) {
                 String testNumber = filename.substring(BenchmarkScore.TESTCASENAME.length());
                 tcr.setNumber(Integer.parseInt(testNumber));
                 int rule = issue.getInt("type_index");
-                int cwe = BurpReader.cweLookup(new Integer(rule).toString());
+                CweNumber cwe = BurpReader.cweLookup(new Integer(rule).toString());
                 tcr.setCWE(cwe);
                 // tcr.setEvidence( issue.getString("description") ); // Sometimes descriptions
                 // aren't provided, so comment out.
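Review bot: The changed line keeps the deprecated boxing constructor `new Integer(rule).toString()` while only its declared type was updated; since `rule` is already an `int`, `CweNumber cwe = BurpReader.cweLookup(Integer.toString(rule));` says the same thing without the allocation and without the deprecation warning. parseBurpJSONFinding starts and ends outside this hunk.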
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/BurpReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/BurpReader.java
index e64b827b..6cd9c623 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/BurpReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/BurpReader.java
@@ -108,10 +108,10 @@ private TestCaseResult parseBurpVulnerability(Node issue) {
     // https://portswigger.net/kb/issues - This page lists all the issue types Burp looks for, and
     // their customer ID #'s. There are more on this page. The following primarily lists those
     // that are currently relevant in the Benchmark.
-    static int cweLookup(String id) {
+    static CweNumber cweLookup(String id) {
         switch (id) {
             case "1048832":
-                return CweNumber.COMMAND_INJECTION;
+                return CweNumber.OS_COMMAND_INJECTION;
             case "1049088":
                 return CweNumber.SQL_INJECTION;
             case "1049344":
@@ -131,24 +131,22 @@ static int cweLookup(String id) {
             case "2098944":
                 return CweNumber.CSRF;
             case "3146240":
-                return 918; // External service interaction (DNS)
+                return CweNumber.SERVER_SIDE_REQUEST_FORGERY; // External service interaction (DNS)
             case "4194560":
                 return CweNumber.DONTCARE; // Referer Dependent Response
             case "4194576":
                 return CweNumber.DONTCARE; // X-Forwarded-For header dependency
-            case "4197376":
-                return 20; // Input returned in response (reflected)
-            case "4197632":
-                return 20; // Suspicious input transformation (reflected)
+            case "4197376": // Input returned in response (reflected)
+            case "4197632": // Suspicious input transformation (reflected)
+                return CweNumber.IMPROPER_INPUT_VALIDAITON;
             case "5243392":
                 return CweNumber.INSECURE_COOKIE;
             case "5244416":
-                return 9998; // Cookie without HttpOnly flag set - There is no CWE defined for this
-                // weakness
-            case "5245344":
-                return 1021; // Clickjacking
-            case "5245360":
-                return 16; // Browser cross-site scripting filter disabled
+                return CweNumber.COOKIE_WITHOUT_HTTPONLY; // Cookie without HttpOnly flag set
+            case "5245344": // Clickjacking
+                return CweNumber.IMPROPER_RESTRICTION_OF_UI_LAYERS;
+            case "5245360": // Browser cross-site scripting filter disabled
+                return CweNumber.CATEGORY_CONFIGURATION;
             case "5245952":
                 return CweNumber
                         .DONTCARE; // Ajax request header manipulation (DOM-based) - Map to nothing
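Review bot: The new constant referenced for the two reflected-input cases is misspelled, `CweNumber.IMPROPER_INPUT_VALIDAITON`; since this commit introduces the name, it should be `IMPROPER_INPUT_VALIDATION` in the CweNumber enum and here, before other readers start depending on the typo. The same applies to `CweNumber.TOO_PRIVILIGED_EXECUTION` used for "Least_Privilege_Violation" in CheckmarxIASTReader (should read `TOO_PRIVILEGED_EXECUTION`). cweLookup continues past the end of this hunk.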
@@ -156,20 +154,22 @@ static int cweLookup(String id) {
             case "5247488":
                 return CweNumber
                         .DONTCARE; // DOM Trust Boundary Violation - Map to nothing right now.
-            case "6291968":
-                return 200; // Information Disclosure - Email Address Disclosed
-            case "6292736":
-                return 200; // Information Disclosure - Credit Card # Disclosed
+            case "6291968": // Information Disclosure - Email Address Disclosed
+            case "6292736": // Information Disclosure - Credit Card # Disclosed
+                return CweNumber.EXPOSURE_SENSITIVE_TO_UNAUTHORIZED_USER;
             case "7340288":
-                return 525; // Information Exposure Through Browser Caching-Cacheable HTTPS Response
+                return CweNumber
+                        .SENSITIVE_INFORMATION_IN_BROWSER_CACHE; // Information Exposure Through
+                // Browser Caching-Cacheable HTTPS
+                // Response
             case "8389120":
                 return CweNumber.DONTCARE; // HTML doesn't specify character set - Map to nothing.
             case "8389632":
                 return CweNumber.DONTCARE; // Incorrect Content Type - Map to nothing right now.
             case "8389888":
-                return 16; // Content type is not specified
+                return CweNumber.CATEGORY_CONFIGURATION; // Content type is not specified
         } // end switch(id)
         System.out.println("Unknown Burp rule id: " + id);
-        return -1;
+        return CweNumber.DONTCARE;
     }
 }
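Review bot: The "7340288" case is the one mapping in this hunk whose comment ended up fragmented across four lines by the formatter, which makes the return hard to read next to the single-line cases around it. The other merged cases in this commit put the description on the `case` line; doing the same here gives `case "7340288": // Information Exposure Through Browser Caching - Cacheable HTTPS Response` followed by `return CweNumber.SENSITIVE_INFORMATION_IN_BROWSER_CACHE;`.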
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CASTAIPReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CASTAIPReader.java
index f5478ce9..846c59ae 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CASTAIPReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CASTAIPReader.java
@@ -82,8 +82,7 @@ private TestCaseResult parseCASTAIPIssue(Node flaw) throws Exception {
         // Get CWE #
         violation = violation.substring(violation.indexOf("CWE-") + "CWE-".length());
         violation = violation.substring(0, violation.indexOf(')'));
-        int cwe = cweLookup(violation);
-        tcr.setCWE(cwe);
+        tcr.setCWE(cweLookup(violation));
 
         // Get Benchmark test case #. If it's not in a Benchmark test case, return null
         String filename = getAttributeValue("name", flaw);
@@ -99,47 +98,11 @@ private TestCaseResult parseCASTAIPIssue(Node flaw) throws Exception {
         return null;
     }
 
-    private int cweLookup(String name) {
+    private CweNumber cweLookup(String name) {
         if (name == null || name.isEmpty()) {
-            return 0000;
+            return CweNumber.DONTCARE;
         }
-        switch (name.trim()) {
-            case "614":
-                return CweNumber.INSECURE_COOKIE;
-            case "78":
-                return CweNumber.COMMAND_INJECTION;
-            case "79":
-                return CweNumber.XSS;
-            case "89":
-                return CweNumber.SQL_INJECTION;
-            case "90":
-                return CweNumber.LDAP_INJECTION;
-                //        case "header-injection"          :  return 113;  // header injection
-                //        case "hql-injection"             :  return 0000; // hql injection
-                //        case "unsafe-readline"           :  return 0000; // unsafe readline
-                //        case "reflection-injection"      :  return 0000; // reflection injection
-                //        case "reflected-xss"             :  return 79;   // xss
-            case "91":
-            case "643":
-                return CweNumber.XPATH_INJECTION;
-            case "73": // This tool calls this CWE-73 "External Control of File"
-            case "22":
-                return CweNumber.PATH_TRAVERSAL;
-                // Name or Path"
-                //        case "crypto-bad-mac"            :  return 328;  // weak hash
-                //        case "crypto-weak-randomness"    :  return 330;  // weak random
-                //        case "crypto-bad-ciphers"        :  return 327;  // weak encryption
-            case "501":
-                return CweNumber.TRUST_BOUNDARY_VIOLATION;
-                //        case "xxe"                       :  return 611;  // xml entity
-            case "134":
-                return CweNumber
-                        .EXTERNALLY_CONTROLLED_STRING; // Use of Externally-Controlled Format String
-                // - Which really isn't a
-            default:
-                System.out.println(
-                        "No matching CWE # found in CAST AIP Reader for: 'CWE-" + name + "'");
-        }
-        return 0000;
+
+        return CweNumber.lookup(name.trim());
     }
 }
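Review bot: Delegating to `CweNumber.lookup(name.trim())` drops two tool-specific remappings that the removed switch carried: CWE-73 ("External Control of File Name or Path", which CAST reports for path traversal) was scored as PATH_TRAVERSAL and CWE-91 (XML injection) as XPATH_INJECTION, so those findings will presumably no longer match the Benchmark's expected CWE unless the enum's lookup special-cases them. The removed default branch's "No matching CWE # found" diagnostic is also gone; whether unknown ids are now reported depends on `lookup`, which is not visible in this hunk. Keeping the two aliases in front of the generic lookup preserves the previous scoring.
```java
    private CweNumber cweLookup(String name) {
        // … unchanged: null/empty guard returning DONTCARE …

        switch (name.trim()) {
            case "73": // This tool reports path traversal as CWE-73 "External Control of File Name or Path"
                return CweNumber.PATH_TRAVERSAL;
            case "91": // XML injection, scored as XPath injection as before
                return CweNumber.XPATH_INJECTION;
            default:
                return CweNumber.lookup(name.trim());
        }
    }
```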
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CheckmarxESReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CheckmarxESReader.java
index 024972bc..594548cd 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CheckmarxESReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CheckmarxESReader.java
@@ -57,12 +57,7 @@ public TestSuiteResults parse(ResultFile resultFile) throws Exception {
             JSONObject query = queries.getJSONObject(i);
 
             // cwe
-            int cwe = query.getJSONObject("Metadata").getInt("CweId");
-            try {
-                cwe = translate(cwe);
-            } catch (NumberFormatException ex) {
-                System.out.println("flaw: " + query);
-            }
+            CweNumber cwe = translate(query.getJSONObject("Metadata").getInt("CweId"));
 
             // category
             String category = query.getJSONObject("Metadata").getString("QueryName");
@@ -116,22 +111,23 @@ private boolean isIrrelevant(String name) {
                 || name.equals("Unprotected_Cookie");
     }
 
-    private int translate(int cwe) {
+    private CweNumber translate(int cwe) {
         switch (cwe) {
             case 77:
             case 15:
-                return CweNumber.COMMAND_INJECTION;
+                return CweNumber.OS_COMMAND_INJECTION;
             case 36:
             case 23:
                 return CweNumber.PATH_TRAVERSAL;
             case 338:
                 return CweNumber.WEAK_RANDOM;
         }
-        return cwe;
+
+        return CweNumber.lookup(cwe);
     }
 
     private TestCaseResult parseCheckmarxFindings(
-            int cwe, String category, String evidence, JSONObject result) {
+            CweNumber cwe, String category, String evidence, JSONObject result) {
         try {
             TestCaseResult tcr = new TestCaseResult();
             tcr.setCWE(cwe);
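Review bot: This `translate(int)` is now byte-for-byte identical to the one in CheckmarxReader (same three Checkmarx-specific remappings, same fall-through to `CweNumber.lookup(cwe)`), so the two copies will drift the next time a mapping is adjusted; one package-private static helper shared by both readers would avoid that. Note also that the old fall-through returned the tool's CWE id unchanged, whereas the new one returns whatever `lookup(int)` produces for ids that are not in the enum — if that is DONTCARE, such findings are dropped without the "flaw:" message the removed try/catch used to print, so a warning in the default path may be worth keeping. parseCheckmarxFindings continues past the end of this hunk.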
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CheckmarxIASTReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CheckmarxIASTReader.java
index 2ffc5b38..b39c5db4 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CheckmarxIASTReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CheckmarxIASTReader.java
@@ -22,6 +22,7 @@
 import org.apache.commons.csv.CSVFormat;
 import org.apache.commons.csv.CSVRecord;
 import org.owasp.benchmarkutils.score.BenchmarkScore;
+import org.owasp.benchmarkutils.score.CweNumber;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestCaseResult;
 import org.owasp.benchmarkutils.score.TestSuiteResults;
@@ -68,7 +69,7 @@ public TestSuiteResults parse(ResultFile resultFile) throws Exception {
                         Integer.parseInt(
                                 testCase.substring(
                                         testCase.length() - BenchmarkScore.TESTIDLENGTH)));
-                if (tcr.getCWE() != 0) {
+                if (!CweNumber.DONTCARE.equals(tcr.getCWE())) {
                     tr.put(tcr);
                 }
             }
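Review bot: `!CweNumber.DONTCARE.equals(tcr.getCWE())` is only equivalent to the old `tcr.getCWE() != 0` if TestCaseResult initialises its CWE field to DONTCARE; if the field (previously an `int` defaulting to 0) is now a `CweNumber` defaulting to `null`, a result whose CWE was never set passes this filter and is put into the suite. TestCaseResult's change is not in this view, so either confirm the field's default or make the intent explicit with `if (tcr.getCWE() != null && tcr.getCWE() != CweNumber.DONTCARE) {` — enum constants are singletons, so `!=` is the idiomatic comparison here. The same pattern is introduced in ContrastAssessReader (parseContrastNodeFinding and parseContrastJavaFinding) and applies there too. parse() begins before this hunk.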
@@ -77,103 +78,101 @@ public TestSuiteResults parse(ResultFile resultFile) throws Exception {
         return tr;
     }
 
-    private int cweLookup(String checkerKey) {
+    private CweNumber cweLookup(String checkerKey) {
         //    checkerKey = checkerKey.replace("-SECOND-ORDER", "");
 
         switch (checkerKey) {
             case "App_DOS_Database_Connections":
-                return 400; // App_DOS_Database_Connections
+                return CweNumber.UNCONTROLLED_RESOURCE_CONSUMPTION; // App_DOS_Database_Connections
             case "Blind_SQL_Injection":
-                return 89; // sql injection
+                return CweNumber.SQL_INJECTION;
             case "Click_Jacking":
-                return 693; // Click_Jacking
+                return CweNumber.PROTECTION_MECHANISM_FAILURE;
             case "Command_Injection":
-                return 78; // Command_Injection
+                return CweNumber.OS_COMMAND_INJECTION;
             case "CORS":
-                return 346; // CORS
+                return CweNumber.ORIGIN_VALIDATION_ERROR;
             case "CSRF":
-                return 352; // CSRF
+                return CweNumber.CSRF;
             case "Debug_Mode_Enabled":
-                return 215; // Debug_Mode_Enabled
+                return CweNumber.SENSITIVE_INFO_IN_DEBUG_MODE;
             case "Deserialize_Vulnerability":
-                return 502; // Deserialize_Vulnerability
+                return CweNumber.INSECURE_DESERIALIZATION;
             case "Failed_Login_Without_Audit":
-                return 778; // Failed_Login_Without_Audit
+                return CweNumber.INSUFFICIENT_LOGGING;
             case "File_Upload_To_Unprotected_Directory":
-                return 434; // File_Upload_To_Unprotected_Directory
+                return CweNumber.UNRESTRICTED_FILE_UPLOAD;
             case "Improper_HTTP_Get_Usage":
-                return 650; // Improper_HTTP_Get_Usage
+                return CweNumber.TRUSTING_SERVER_HTTP;
             case "Insecure_Cookie":
             case "Session_Id_Disclosure": // CxIAST does not define but it is same as
                 // Insecure_Cookie YE
-                return 614; // Insecure_Cookie
+                return CweNumber.INSECURE_COOKIE;
             case "Insecure_Outgoing_Communication":
-                return 311; // Insecure_Outgoing_Communication
+                return CweNumber.UNENCRYPTED_SENSITIVE_DATA;
             case "Insufficient_Session_Expiration":
-                return 613; // Insufficient_Session_Expiration
+                return CweNumber.INSUFFICIENT_SESSION_EXPIRATION;
             case "LDAP_Injection":
-                return 90; // LDAP_Injection
+                return CweNumber.LDAP_INJECTION;
             case "Least_Privilege_Violation":
-                return 250; // Least_Privilege_Violation
+                return CweNumber.TOO_PRIVILIGED_EXECUTION;
             case "Log_Forging":
-                return 117;
+                return CweNumber.MISSING_LOG_OUTPUT_NEUTRALIZATION;
             case "Missing_X_Content_Type_Options_Header":
-                return 693;
+                return CweNumber.PROTECTION_MECHANISM_FAILURE;
             case "Missing_X_XSS_Protection_Header":
-                return 693;
+                return CweNumber.PROTECTION_MECHANISM_FAILURE;
             case "NoSQL_Injection":
-                return 943;
+                return CweNumber.IMPROPER_DATA_QUERY_NEUTRALIZATION;
             case "Open_Redirect":
-                return 601;
+                return CweNumber.OPEN_REDIRECT;
             case "Parameter_Pollution":
-                return 235;
+                return CweNumber.IMPROPER_HANDLING_OF_PARAMETERS;
             case "Parameter_Tampering":
-                return 99;
+                return CweNumber.RESOURCE_INJECTION;
             case "Path_Traversal":
-                return 22;
+                return CweNumber.PATH_TRAVERSAL;
             case "Second_Order_Command_Injection":
-                return 77;
+                return CweNumber.COMMAND_INJECTION;
             case "Second_Order_LDAP_Injection":
-                return 90;
+                return CweNumber.LDAP_INJECTION;
             case "Second_Order_Path_Traversal":
-                return 22;
+                return CweNumber.PATH_TRAVERSAL;
             case "Second_Order_SQL_Injection":
-                return 89;
+                return CweNumber.SQL_INJECTION;
             case "Second_Order_XPath_Injection":
-                return 643;
+                return CweNumber.XPATH_INJECTION;
             case "Sensitive_Data_Exposure_Credit_Card":
-                return 311;
             case "Sensitive_Data_Exposure_Email":
-                return 311;
             case "Sensitive_Data_Exposure_Long_Number":
-                return 311;
+                return CweNumber.UNENCRYPTED_SENSITIVE_DATA;
             case "SQL_Injection":
-                return 89;
+                return CweNumber.SQL_INJECTION;
             case "Stored_XSS":
-                return 79;
+                return CweNumber.XSS;
             case "Successful_Login_Without_Audit":
-                return 778;
+                return CweNumber.INSUFFICIENT_LOGGING;
             case "Trust_Boundary_Violation":
-                return 501;
+                return CweNumber.TRUST_BOUNDARY_VIOLATION;
             case "Weak_Cryptography":
-                return 327;
+                return CweNumber.WEAK_CRYPTO_ALGO;
             case "Weak_DB_Password":
-                return 521;
+                return CweNumber.WEAK_PASSWORD_REQUIREMENTS;
             case "Weak_Hashing":
-                return 328;
+                return CweNumber.WEAK_HASH_ALGO;
             case "Weak_Random":
-                return 330;
+                return CweNumber.WEAK_RANDOM;
             case "XPath_Injection":
-                return 643;
+                return CweNumber.XPATH_INJECTION;
             case "XSS":
-                return 79;
+                return CweNumber.XSS;
             case "XXE":
-                return 611;
+                return CweNumber.XXE;
 
             default:
                 System.out.println(
                         "WARNING: Unmapped Vulnerability category detected: " + checkerKey);
         }
-        return 0;
+        return CweNumber.DONTCARE;
     }
 }
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CheckmarxReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CheckmarxReader.java
index 9ad9e1ac..81b3417d 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CheckmarxReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CheckmarxReader.java
@@ -21,8 +21,8 @@
 import java.util.List;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
-import org.owasp.benchmarkutils.score.CweNumber;
 import org.owasp.benchmarkutils.score.BenchmarkScore;
+import org.owasp.benchmarkutils.score.CweNumber;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestCaseResult;
 import org.owasp.benchmarkutils.score.TestSuiteResults;
@@ -217,17 +217,18 @@ private TestCaseResult parseCheckmarxVulnerability(Node query, Node result) {
         return null;
     }
 
-    private int translate(int cwe) {
+    private CweNumber translate(int cwe) {
         switch (cwe) {
             case 77:
             case 15:
-                return CweNumber.COMMAND_INJECTION;
+                return CweNumber.OS_COMMAND_INJECTION;
             case 36:
             case 23:
                 return CweNumber.PATH_TRAVERSAL;
             case 338:
                 return CweNumber.WEAK_RANDOM;
         }
-        return cwe;
+
+        return CweNumber.lookup(cwe);
     }
 }
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CodeQLReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CodeQLReader.java
index af3b61fb..4fe333cd 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CodeQLReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CodeQLReader.java
@@ -22,6 +22,7 @@
 import org.json.JSONArray;
 import org.json.JSONObject;
 import org.owasp.benchmarkutils.score.BenchmarkScore;
+import org.owasp.benchmarkutils.score.CweNumber;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestCaseResult;
 import org.owasp.benchmarkutils.score.TestSuiteResults;
@@ -177,8 +178,7 @@ private TestCaseResult parseLGTMFinding(
                             "WARNING: Unexpectedly found more than one location for finding against rule: "
                                     + ruleId);
                 }
-                int cwe = mapCWE(ruleId, cweForRule);
-                tcr.setCWE(cwe);
+                tcr.setCWE(mapCWE(cweForRule));
                 // tcr.setCategory( props.getString( "subcategoryShortDescription" ) ); //
                 // Couldn't find any Category info in results file
                 tcr.setEvidence(finding.getJSONObject("message").getString("text"));
@@ -190,75 +190,11 @@ private TestCaseResult parseLGTMFinding(
         return null;
     }
 
-    private int mapCWE(String ruleName, Integer cweNumber) {
-
-        switch (cweNumber) {
-                // These are properly mapped by default
-            case 22: // java/path-injection and zipslip
-            case 78: // java & js/command-line-injection
-            case 79: // java/xss & js/reflected-xss
-            case 89: // java & js/sql-injection and similar sqli rules
-            case 90: // java/ldap-injection
-            case 327: // java/weak-cryptographic-algorithm
-            case 611: // java & js/xxe
-            case 614: // java/insecure-cookie
-            case 643: // java/xml/xpath-injection
-                return cweNumber.intValue(); // Return CWE as is
-
-                // These rules we care about, but have to map to the CWE we expect
-            case 335: // java/predictable-seed - This mapping improves the tool's score
-                return 330; // Weak Random
-
-                /*
-                 * These rules exist in the java-code-scanning.qls query set, but we don't see findings
-                 * for them in Benchmark currently. They are left here in case we do see them in the
-                 * future to make it easier to support them.
-                // These rules we care about, but have to map to the CWE we expect
-                    case 338: // java/jhipster-prng
-                        return 330; // Weak Random
-                    case 347: // java/missing-jwt-signature-check - TODO - Does this affect score?
-                        return 327; // Weak Crypto
-
-                    // These rules we don't care about now, but we return their CWE value anyway in case
-                    // we care in the future
-                    case 94: // java/insecure-bean-validation and many others
-                    case 190: // java/implicit-cast-in-compound-assignment
-                    case 197: // java/tainted-numeric-cast
-                    case 297: // java/unsafe-hostname-verification
-                    case 300: // java/maven/non-https-url
-                    case 315: // java/cleartext-storage-in-cookie
-                    case 352: // java/spring-disabled-csrf-protection
-                    case 502: // java/unsafe-deserialization
-                    case 601: // java/unvalidated-url-redirection
-                    case 732: // java/world-writable-file-read
-                    case 807: // java/tainted-permissions-check
-                    case 917: // java/ognl-injection
-                    case 918: // java/ssrf
-                    case 1104: // java/maven/dependency-upon-bintray
-                */
-
-            case 113: // java/http-response-splitting
-            case 117: // js/log-injection
-            case 134: // java/tainted-format-string
-            case 209: // java/stack-trace-exposure
-            case 404: // java/database-resource-leak
-            case 477: // java/deprecated-call
-            case 485: // java/abstract-to-concrete-cast
-            case 561: // java/unused-parameter
-            case 563: // js/useless-assignment-to-local
-            case 570: // java/constant-comparison
-            case 685: // java/unused-format-argument
-            case 730: // js/regex-injection (i.e., DOS)
-            case 776: // js/xml-bomb (i.e., XEE, as opposed to XXE, which is already mapped above
-            case 843: // js/type-confusion-through-parameter-tampering
-                return cweNumber.intValue(); // Return CWE as is
-            default:
-                System.out.println(
-                        "CodeQL parser encountered new unmapped vulnerability type: "
-                                + cweNumber
-                                + " for rule: "
-                                + ruleName);
+    private CweNumber mapCWE(Integer cweNumber) {
+        if (cweNumber == 335) {
+            return CweNumber.WEAK_RANDOM;
         }
-        return 0; // Not mapped to anything
+
+        return CweNumber.lookup(cweNumber);
     }
 }
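Review bot: The rewritten mapCWE loses the only explanation of why CWE-335 is remapped, so the bare `cweNumber == 335` now reads like a bug; restore it as `// CWE-335 (java/predictable-seed) is scored as Weak Random (CWE-330) since that is the CWE Benchmark expects`. The removed `default` branch also printed the "encountered new unmapped vulnerability type" warning with the rule id; whether anything still surfaces an unknown CWE now depends on `CweNumber.lookup(Integer)`, which is not visible here, and the `ruleName` that made that message actionable is no longer passed in. Finally, `Integer cweNumber == 335` unboxes and will throw NullPointerException if the caller ever passes a null CWE, so a primitive `int` parameter (or a null guard) would make the contract explicit.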
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ContrastAssessReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ContrastAssessReader.java
index 02d9afdd..45dd6526 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ContrastAssessReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ContrastAssessReader.java
@@ -131,7 +131,8 @@ private void parseContrastNodeFinding(TestSuiteResults tr, String line) throws E
         tcr.setCWE(cweLookup(elements[0]));
         tcr.setCategory(elements[0]);
 
-        if (tcr.getCWE() != 0 && elements[1].contains(BenchmarkScore.TESTCASENAME)) {
+        if (!CweNumber.DONTCARE.equals(tcr.getCWE())
+                && elements[1].contains(BenchmarkScore.TESTCASENAME)) {
             String testNumber =
                     elements[1].substring(
                             elements[1].lastIndexOf('/')
@@ -171,7 +172,8 @@ private void parseContrastJavaFinding(TestSuiteResults tr, String json) throws E
             JSONObject request = obj.getJSONObject("request");
             String uri = request.getString("uri");
 
-            if (tcr.getCWE() != 0 && uri.contains(BenchmarkScore.TESTCASENAME)) {
+            if (!CweNumber.DONTCARE.equals(tcr.getCWE())
+                    && uri.contains(BenchmarkScore.TESTCASENAME)) {
                 // Normal uri's look like: "uri":"/benchmark/cmdi-00/BenchmarkTest00215", but for
                 // web services, they can look like:
                 // "uri":"/benchmark/rest/xxe-00/BenchmarkTest03915/send"
@@ -203,7 +205,7 @@ private void parseContrastJavaFinding(TestSuiteResults tr, String json) throws E
         }
     }
 
-    static int cweLookup(String rule) {
+    static CweNumber cweLookup(String rule) {
         switch (rule) {
             case "autocomplete-missing":
                 // Not sure the CWE for this.
@@ -214,7 +216,7 @@ static int cweLookup(String rule) {
                 return CweNumber.DONTCARE;
             case "unsafe-code-execution": // Note: This is technically CWE 95 'Eval Injection'
             case "cmd-injection":
-                return CweNumber.COMMAND_INJECTION;
+                return CweNumber.OS_COMMAND_INJECTION;
             case "cookie-flags-missing":
                 return CweNumber.INSECURE_COOKIE;
             case "crypto-bad-ciphers":
@@ -262,7 +264,7 @@ static int cweLookup(String rule) {
                 System.out.println("WARNING: Contrast-Unrecognized finding type: " + rule);
         }
 
-        return 0;
+        return CweNumber.DONTCARE;
     }
 
     private String calculateTime(String firstLine, String lastLine) {
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ContrastScanReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ContrastScanReader.java
index 28382264..d60cf2d0 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ContrastScanReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ContrastScanReader.java
@@ -26,6 +26,7 @@
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import org.owasp.benchmarkutils.score.BenchmarkScore;
+import org.owasp.benchmarkutils.score.CweNumber;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestCaseResult;
 import org.owasp.benchmarkutils.score.TestSuiteResults;
@@ -106,9 +107,9 @@ public TestSuiteResults parse(ResultFile resultFile) throws Exception {
         // TODO: This should use SARIF format, but that doesn't work yet, per above comment.
         for (Report.Run run : report.runs) {
             for (Report.Run.Result result : run.results) {
-                int cwe = ContrastAssessReader.cweLookup(result.rule);
+                CweNumber cwe = ContrastAssessReader.cweLookup(result.rule);
 
-                if (cwe <= 0) {
+                if (CweNumber.DONTCARE.equals(cwe)) {
                     continue;
                 }
 
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CoverityReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CoverityReader.java
index ee008bee..84ad462c 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CoverityReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CoverityReader.java
@@ -20,6 +20,7 @@
 import org.json.JSONArray;
 import org.json.JSONObject;
 import org.owasp.benchmarkutils.score.BenchmarkScore;
+import org.owasp.benchmarkutils.score.CweNumber;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestCaseResult;
 import org.owasp.benchmarkutils.score.TestSuiteResults;
@@ -78,8 +79,7 @@ private TestCaseResult parseCoverityFinding(JSONObject finding, int version) {
                     if (cweNumber == null || cweNumber.equals("none")) {
                         return null;
                     }
-                    int cwe = fixCWE(cweNumber);
-                    tcr.setCWE(cwe);
+                    tcr.setCWE(fixCWE(cweNumber));
                     tcr.setCategory(props.getString("subcategoryShortDescription"));
                     tcr.setEvidence(props.getString("subcategoryLongDescription"));
                     return tcr;
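Review bot: `tcr.setCWE(fixCWE(cweNumber));` stores the mapped value without a DONTCARE check, and the next hunk does the same at its `tcr.setCWE(fixCWE(cweNumber));`, while the V2 path further down in this file now returns null when fixCWE yields DONTCARE. If `CweNumber.lookup` maps numbers it does not know to DONTCARE (not visible on this page), findings with unmapped CWEs are silently recorded here instead of being skipped as in the sibling branch, so the three paths should agree. fixCWE still calls `Integer.parseInt`, so a non-numeric cweNumber throws NumberFormatException out of parseCoverityFinding, which begins outside this hunk.
```java
// … unchanged: null / "none" checks on cweNumber …
CweNumber cwe = fixCWE(cweNumber);
if (CweNumber.DONTCARE.equals(cwe)) {
    return null; // consistent with parseCoverityFindingV2
}
tcr.setCWE(cwe);
tcr.setCategory(props.getString("subcategoryShortDescription"));
```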
@@ -104,8 +104,7 @@ private TestCaseResult parseCoverityFinding(JSONObject finding, int version) {
                         return null;
                     }
                     String cweNumber = finding.getString("cweNumber");
-                    int cwe = fixCWE(cweNumber);
-                    tcr.setCWE(cwe);
+                    tcr.setCWE(fixCWE(cweNumber));
                     tcr.setCategory(finding.getString("categoryDescription"));
                     tcr.setEvidence(finding.getString("longDescription"));
                     return tcr;
@@ -177,10 +176,12 @@ private TestCaseResult parseCoverityFindingV2(JSONObject finding) {
                 } else if (checker_name.equals("ldap_injection")) {
                     cwe_string = "90";
                 }
-                int cwe = fixCWE(cwe_string);
-                if (cwe <= 0) {
+                CweNumber cwe = fixCWE(cwe_string);
+
+                if (CweNumber.DONTCARE.equals(cwe)) {
                     return null;
                 }
+
                 tcr.setCWE(cwe);
                 tcr.setCategory(checker_name);
                 tcr.setEvidence(subcategory);
@@ -192,11 +193,17 @@ private TestCaseResult parseCoverityFindingV2(JSONObject finding) {
         return null;
     }
 
-    private int fixCWE(String cweNumber) {
+    private CweNumber fixCWE(String cweNumber) {
         int cwe = Integer.parseInt(cweNumber);
-        if (cwe == 94) cwe = 643;
-        if (cwe == 36) cwe = 22;
-        if (cwe == 23) cwe = 22;
-        return cwe;
+
+        switch (cwe) {
+            case 23:
+            case 36:
+                return CweNumber.PATH_TRAVERSAL;
+            case 94:
+                return CweNumber.XPATH_INJECTION;
+        }
+
+        return CweNumber.lookup(cwe);
     }
 }
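Review bot: The `case 94:` arm returns XPATH_INJECTION with no explanation; the old `if (cwe == 94) cwe = 643;` was equally opaque, but the enum name now makes the mismatch visible (CWE-94 is code injection, CWE-643 is XPath injection) and a maintainer will read it as a typo. Add a comment such as `// Coverity presumably reports XPath injection as CWE-94; Benchmark scores it as CWE-643 — confirm with the original mapping` so the intent is recorded. The switch has no `default`, so unmapped values fall out to `CweNumber.lookup(cwe)` below; putting that call in a `default:` arm keeps every path of fixCWE in one place.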
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CrashtestReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CrashtestReader.java
index 1728f6aa..bc9d0937 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CrashtestReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CrashtestReader.java
@@ -24,6 +24,7 @@
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import org.owasp.benchmarkutils.score.BenchmarkScore;
+import org.owasp.benchmarkutils.score.CweNumber;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestCaseResult;
 import org.owasp.benchmarkutils.score.TestSuiteResults;
@@ -97,9 +98,9 @@ private TestCaseResult parseCrashtestIssue(Node testcase) throws URISyntaxExcept
 
         String testCaseType = testcase.getAttributes().getNamedItem("classname").getNodeValue();
 
-        int cwe = cweLookup(testCaseType);
+        CweNumber cwe = cweLookup(testCaseType);
         tcr.setCWE(cwe);
-        if (cwe != -1) {
+        if (CweNumber.DONTCARE.equals(cwe)) {
             String message = failure.getAttributes().getNamedItem("message").getNodeValue();
 
             // Parse testcase # from URL:
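Review bot: The rewritten guard `if (CweNumber.DONTCARE.equals(cwe)) {` inverts the original `if (cwe != -1)`: the block that extracts the test-case number from the failure message now runs only for ignored types (portscan, ssl, unknown classnames) and is skipped for every mapped CWE, so command injection, SQL injection, XSS and XXE findings will no longer be parsed. It should read `if (!CweNumber.DONTCARE.equals(cwe)) {`, matching the equivalent checks in FusionLiteInsightReader and HdivReader in this same patch. parseCrashtestIssue continues outside the hunk.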
@@ -173,27 +174,26 @@ private TestCaseResult parseCrashtestIssue(Node testcase) throws URISyntaxExcept
      * name="XML External Entity (XXE) (2740)"/>
      *
      * @param the Crashtest classname
-     * @return CWE number or -1 if we don't care about this test type
+     * @return CWE Number
      */
-    private int cweLookup(String classname) {
-
+    private CweNumber cweLookup(String classname) {
         switch (classname) {
             case "commandinjection.crashtest.cloud":
-                return 78;
+                return CweNumber.OS_COMMAND_INJECTION;
             case "sqlinjection.crashtest.cloud":
-                return 89;
+                return CweNumber.SQL_INJECTION;
             case "xss.crashtest.cloud":
-                return 79;
+                return CweNumber.XSS;
             case "xxe.crashtest.cloud":
-                return 611;
+                return CweNumber.XXE;
 
             case "portscan.crashtest.cloud":
             case "ssl.crashtest.cloud":
-                return -1;
+                return CweNumber.DONTCARE;
 
             default:
                 System.out.println("Unrecognized Crashtest rule: " + classname);
-                return -1;
+                return CweNumber.DONTCARE;
         }
     }
 }
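Review bot: The new Javadoc `@return CWE Number` drops the information the old line carried — that a sentinel comes back for test types that are not scored — and the `@param the Crashtest classname` tag above it still has no parameter name, so the doc does not render correctly. Suggest `@param classname the Crashtest classname` and `@return the mapped {@link CweNumber}, or {@link CweNumber#DONTCARE} for test types Benchmark does not score (portscan, ssl, unrecognized)`.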
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FaastReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FaastReader.java
index 60aa100b..2a04ce87 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FaastReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FaastReader.java
@@ -22,6 +22,7 @@
 import org.json.JSONArray;
 import org.json.JSONObject;
 import org.owasp.benchmarkutils.score.BenchmarkScore;
+import org.owasp.benchmarkutils.score.CweNumber;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestCaseResult;
 import org.owasp.benchmarkutils.score.TestSuiteResults;
@@ -77,7 +78,7 @@ private TestCaseResult parseFaastFinding(JSONObject finding) {
 
         if (url.contains(BenchmarkScore.TESTCASENAME)) {
             tcr.setNumber(Integer.parseInt(testNumber));
-            tcr.setCWE(cwe);
+            tcr.setCWE(CweNumber.lookup(cwe));
             tcr.setCategory(category);
             return tcr;
         }
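Review bot: `tcr.setCWE(CweNumber.lookup(cwe));` records whatever lookup returns with no DONTCARE check, whereas ContrastScanReader, CoverityReader and FusionLiteInsightReader in this patch skip such results. If lookup maps unrecognised numbers to DONTCARE (not visible here), Faast findings with unmapped CWEs will be scored as DONTCARE rather than dropped; a guard like `CweNumber mapped = CweNumber.lookup(cwe); if (CweNumber.DONTCARE.equals(mapped)) { return null; }` before setCWE would make the readers consistent, assuming parseFaastFinding returns null for skipped findings like the other parse* methods. parseFaastFinding begins outside the hunk.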
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FindbugsReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FindbugsReader.java
index 73a340d6..f3150ffc 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FindbugsReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FindbugsReader.java
@@ -21,6 +21,7 @@
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import org.owasp.benchmarkutils.score.BenchmarkScore;
+import org.owasp.benchmarkutils.score.CweNumber;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestCaseResult;
 import org.owasp.benchmarkutils.score.TestSuiteResults;
@@ -118,7 +119,7 @@ private TestCaseResult parseFindBugsBug(Node n) {
         return null;
     }
 
-    private int figureCWE(TestCaseResult tcr, Node cwenode, Node catnode) {
+    private CweNumber figureCWE(TestCaseResult tcr, Node cwenode, Node catnode) {
         String cwe = null;
         if (cwenode != null) {
             cwe = cwenode.getNodeValue();
@@ -140,7 +141,7 @@ private int figureCWE(TestCaseResult tcr, Node cwenode, Node catnode) {
             else if (cwe.equals("326")) {
                 cwe = "327";
             }
-            return Integer.parseInt(cwe);
+            return CweNumber.lookup(cwe);
         }
 
         // This is a fallback mapping for unsupported/old versions of the Find Security Bugs plugin
@@ -149,109 +150,98 @@ else if (cwe.equals("326")) {
         switch (cat) {
                 // Cookies
             case "SECIC":
-                return 614; // insecure cookie use
-            case "SECCU":
-                return 00; // servlet cookie
+                return CweNumber.INSECURE_COOKIE;
             case "SECHOC":
-                return 00; // HTTP Only not set on cookie - Information Leak / Disclosure
-                // (CWE-200)??
+                return CweNumber.COOKIE_WITHOUT_HTTPONLY;
 
                 // Injections
             case "SECSQLIHIB":
-                return 564; // Hibernate Injection, child of SQL Injection
+                return CweNumber.HIBERNATE_INJECTION;
             case "SECSQLIJDO":
-                return 89;
             case "SECSQLIJPA":
-                return 89;
             case "SECSQLISPRJDBC":
-                return 89;
             case "SECSQLIJDBC":
-                return 89;
+                return CweNumber.SQL_INJECTION;
 
                 // LDAP injection
             case "SECLDAPI":
-                return 90; // LDAP injection
+                return CweNumber.LDAP_INJECTION;
 
                 // XPath injection
             case "SECXPI":
-                return 643; // XPATH injection
+                return CweNumber.XPATH_INJECTION;
 
                 // Command injection
             case "SECCI":
-                return 78; // command injection
+                return CweNumber.OS_COMMAND_INJECTION;
 
                 // Weak random
             case "SECPR":
-                return 330; // weak random
+                return CweNumber.WEAK_RANDOM;
 
                 // Weak encryption
-            case "SECDU":
-                return 327; // weak encryption DES
-            case "CIPINT":
-                return 327; // weak encryption - cipher with no integrity
-            case "PADORA":
-                return 327; // padding oracle -- FIXME: probably wrong
+            case "SECDU": // weak encryption DES
+                return CweNumber.WEAK_CRYPTO_ALGO;
+            case "CIPINT": // weak encryption - cipher with no integrity
+                return CweNumber.WEAK_CRYPTO_ALGO;
+            case "PADORA": // padding oracle -- FIXME: probably wrong
+                return CweNumber.WEAK_CRYPTO_ALGO;
             case "STAIV":
-                return 329; // static initialization vector for crypto
+                return CweNumber.STATIC_CRYPTO_INIT;
 
                 // Weak hash
             case "SECWMD":
-                return 328; // weak hash
+                return CweNumber.WEAK_HASH_ALGO;
 
                 // Path traversal
             case "SECPTO":
-                return 22; // path traversal
             case "SECPTI":
-                return 22; // path traversal
+                return CweNumber.PATH_TRAVERSAL;
 
                 // XSS
             case "SECXRW":
-                return 79; // XSS
             case "SECXSS1":
-                return 79; // XSS
             case "SECXSS2":
-                return 79; // XSS
+                return CweNumber.XSS;
 
                 // XXE
             case "SECXXEDOC":
-                return 611; // XXE
             case "SECXXEREAD":
-                return 611; // XXE
             case "SECXXESAX":
-                return 611; // XXE
+                return CweNumber.XXE;
 
                 // Input sources
-            case "SECSP":
-                return 00; // servlet parameter - not a vuln
-            case "SECSH":
-                return 00; // servlet header - not a vuln
-            case "SECSHR":
-                return 00; // Use of Request Header -- spoofable
-            case "SECSSQ":
-                return 00; // servlet query - not a vuln
+            case "SECSP": // servlet parameter - not a vuln
+                return CweNumber.DONTCARE;
+            case "SECSH": // servlet header - not a vuln
+                return CweNumber.DONTCARE;
+            case "SECSHR": // Use of Request Header -- spoofable
+                return CweNumber.DONTCARE;
+            case "SECSSQ": // servlet query - not a vuln
+                return CweNumber.DONTCARE;
 
                 // Technology detection
-            case "SECSC":
-                return 00; // found Spring endpoint - not a vuln
-            case "SECJRS":
-                return 00; // JAX-RS Endpoint
+            case "SECSC": // found Spring endpoint - not a vuln
+                return CweNumber.DONTCARE;
+            case "SECJRS": // JAX-RS Endpoint
+                return CweNumber.DONTCARE;
 
                 // Configuration
-            case "SECOPFP":
-                return 00; // Overly Permissive File Permissions
+            case "SECOPFP": // Overly Permissive File Permissions
+                return CweNumber.DONTCARE;
 
                 // Other
             case "SECHPP":
-                return 235; // HTTP Parameter Polution
-            case "SECUNI":
-                return 00; // Improper Unicode
-            case "SECWF":
-                return 00; // Weak Filename Utils - i.e., not filtering out Null bytes in file names
+                return CweNumber.IMPROPER_HANDLING_OF_PARAMETERS;
+            case "SECUNI": // Improper Unicode
+                return CweNumber.DONTCARE;
+            case "SECWF": // Weak Filename Utils - i.e., not filtering out Null bytes in file names
+                return CweNumber.DONTCARE;
 
             default:
                 System.out.println("Unknown vuln category for FindBugs: " + cat);
         }
 
-        return 0;
+        return CweNumber.DONTCARE;
     }
 }
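Review bot: The `SECCU` category (servlet cookie, previously `return 00;`) is no longer in the switch, so it now falls into `default` and logs "Unknown vuln category for FindBugs: SECCU" on every occurrence even though the result (DONTCARE) is unchanged; keep the arm: `case "SECCU": // servlet cookie - not a vuln` followed by `return CweNumber.DONTCARE;`. `SECHOC` changes meaning rather than type: it used to return 00 (ignored, with a "(CWE-200)??" question in the comment) and now returns COOKIE_WITHOUT_HTTPONLY, so missing-HttpOnly findings start being scored; if that is intended it deserves a line in the commit message, since the title says refactor. The `// padding oracle -- FIXME: probably wrong` on PADORA survives, so that mapping is still unresolved.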
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FortifyReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FortifyReader.java
index c1ff3410..94886ccb 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FortifyReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FortifyReader.java
@@ -225,21 +225,22 @@ private TestCaseResult parseFortifyVulnerability(Node vuln) {
         return null;
     }
 
-    private int cweLookup(String vtype, String subtype, Node unifiedNode) {
-
+    private CweNumber cweLookup(String vtype, String subtype, Node unifiedNode) {
         switch (vtype) {
             case "Access Control":
                 return CweNumber.IMPROPER_ACCESS_CONTROL;
 
             case "Command Injection":
-                return CweNumber.COMMAND_INJECTION;
+                return CweNumber.OS_COMMAND_INJECTION;
 
             case "Cookie Security":
                 {
                     // Verify its the exact type we are looking for (e.g., not HttpOnly finding)
-                    if ("Cookie not Sent Over SSL".equals(subtype))
+                    if ("Cookie not Sent Over SSL".equals(subtype)) {
                         return CweNumber.INSECURE_COOKIE;
-                    else return 00;
+                    } else {
+                        return CweNumber.DONTCARE;
+                    }
                 }
 
             case "Cross-Site Request Forgery":
@@ -251,41 +252,36 @@ private int cweLookup(String vtype, String subtype, Node unifiedNode) {
                             // Not a type of XSS weakness we are testing for. Causes False Positives
                             // for Fortify.
                         case "Poor Validation":
-                            return 83;
+                            return CweNumber.IMPROPER_NEUTRALIZATION_OF_ATTRIBUTES;
                     }
-                    return 79;
+                    return CweNumber.XSS;
                 }
 
             case "Dead Code":
-                return 00;
+                return CweNumber.DONTCARE;
             case "Denial of Service":
-                return 400;
+                return CweNumber.UNCONTROLLED_RESOURCE_CONSUMPTION;
             case "Dynamic Code Evaluation":
-                return 95;
+                return CweNumber.EVAL_INJECTION;
             case "Header Manipulation":
-                return 113;
+                return CweNumber.HTTP_RESPONSE_SPLITTING;
             case "Hidden Field":
-                return 472;
+                return CweNumber.EXTERNAL_CONTROL_OF_WEB_PARAM;
             case "Insecure Randomness":
-                return 330;
+                return CweNumber.WEAK_RANDOM;
             case "Key Management":
-                return 320;
-
+                return CweNumber.CATEGORY_KEY_MANAGEMENT_ERROR;
             case "LDAP Injection":
-                return 90;
-
+                return CweNumber.LDAP_INJECTION;
             case "Mass Assignment":
-                return 915;
-
+                return CweNumber.IMPROPER_CHECK_FOR_MODIFICATION;
             case "Missing Check against Null":
             case "Missing Check for Null Parameter":
-                return 476;
-
+                return CweNumber.NULL_POINTER_DEREFERENCE;
             case "Missing XML Validation":
-                return 112;
-
+                return CweNumber.MISSING_XML_VALIDATION;
             case "Null Dereference":
-                return 476;
+                return CweNumber.NULL_POINTER_DEREFERENCE;
 
                 // Fortify reports weak randomness issues under Obsolete by ESAPI, rather than in
                 // the Insecure Randomness category if it thinks you are using ESAPI. However, its
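Review bot: `case "Poor Logging Practice": return CweNumber.MISSING_DEFAULT_CASE;` preserves the old 478, but the enum name now exposes that CWE-478 (missing default case in a switch) has nothing to do with logging, so either the original number or the constant chosen for it is wrong. Check which CWE Fortify actually assigns to that category before this lands; a logging-related entry such as CWE-778 would be the natural candidate, but the source of the mapping is not on this page. A comment on the less obvious names in this hunk (e.g. `// Fortify "Mass Assignment" is scored as CWE-915` on the IMPROPER_CHECK_FOR_MODIFICATION arm) would save the next reader the same lookup. cweLookup begins in the previous hunk and continues into the next one.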
@@ -310,71 +306,64 @@ private int cweLookup(String vtype, String subtype, Node unifiedNode) {
                                 // generates random #'s using the java.util.Random or
                                 // java.security.SecureRandom classes. e.g., nextWHATEVER().
                                 (methodName != null && methodName.startsWith("next"))) {
-                            return 330;
+                            return CweNumber.WEAK_RANDOM;
                         }
                     }
-                    return 00; // If neither of these, then don't care
+                    return CweNumber.DONTCARE; // If neither of these, then don't care
                 }
 
             case "Password Management":
-                return 00;
+                return CweNumber.DONTCARE;
             case "Path Manipulation":
-                return 22;
-
+                return CweNumber.PATH_TRAVERSAL;
             case "Poor Error Handling":
-                return 703;
+                return CweNumber.IMPROPER_CHECK_FOR_EXCEPTION_CONDITIONS;
             case "Poor Logging Practice":
-                return 478;
+                return CweNumber.MISSING_DEFAULT_CASE;
             case "Privacy Violation":
-                return 359;
+                return CweNumber.EXPOSURE_PRIVATE_TO_UNAUTHORIZED_USER;
             case "Resource Injection":
-                return 99;
-
+                return CweNumber.RESOURCE_INJECTION;
             case "SQL Injection":
                 return CweNumber.SQL_INJECTION;
             case "System Information Leak":
-                return 209;
+                return CweNumber.ERROR_MESSAGE_WITH_SENSITIVE_INFO;
             case "Trust Boundary Violation":
-                return 501;
+                return CweNumber.TRUST_BOUNDARY_VIOLATION;
             case "Unchecked Return Value":
-                return 252;
+                return CweNumber.UNCHECKED_RETURN_VALUE;
             case "Unreleased Resource":
-                return 404;
+                return CweNumber.UNRELEASED_RESOURCE;
             case "Unsafe Reflection":
-                return 470;
-
+                return CweNumber.UNSAFE_REFLECTION;
             case "Weak Cryptographic Hash":
-                return 328;
-
+                return CweNumber.WEAK_HASH_ALGO;
             case "Weak Encryption":
                 {
                     switch (subtype) {
                             // These 2 are not types of Encryption weakness we are testing for.
                             // Cause False Positives for Fortify.
                         case "Missing Required Step":
-                            return 325;
+                            return CweNumber.MISSING_CRYPTOGRAPHIC_STEP;
                         case "Inadequate RSA Padding":
-                            return 780;
+                            return CweNumber.RSA_MISSING_PADDING;
                             // TODO: Assuming this Fortify rule is valid, we might need to fix
                             // Benchmark itself to eliminate unintended vulns.
                         case "Insecure Mode of Operation":
-                            return 0; // Disable so it doesn't count against Fortify.
+                            return CweNumber
+                                    .DONTCARE; // Disable so it doesn't count against Fortify.
                     }
-                    return 327;
+                    return CweNumber.WEAK_CRYPTO_ALGO;
                 }
 
             case "XPath Injection":
-                return 643;
-
+                return CweNumber.XPATH_INJECTION;
             case "XQuery Injection":
-                return 652;
-
+                return CweNumber.XQUERY_INJECTION;
             case "XML Entity Expansion Injection":
-                return 776;
-
+                return CweNumber.XML_ENTITY_EXPANSION;
             case "XML External Entity Injection":
-                return 611;
-
+                return CweNumber.XXE;
                 // Things we don't care about
             case "Build Misconfiguration":
             case "Code Correctness":
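Review bot: The trailing comment on the "Insecure Mode of Operation" arm makes the formatter split the statement into `return CweNumber` / `.DONTCARE; // Disable so it doesn't count against Fortify.`, which reads like a typo at first glance. Put the comment on its own line above the return (`// Disable so it doesn't count against Fortify.` then `return CweNumber.DONTCARE;`) so the statement stays on one line. cweLookup continues past the end of this hunk.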
@@ -386,13 +375,13 @@ private int cweLookup(String vtype, String subtype, Node unifiedNode) {
             case "Portability Flaw":
             case "Race Condition":
             case "Redundant Null Check":
-                return 00;
+                return CweNumber.DONTCARE;
 
             default:
                 System.out.println(
                         "Fortify parser encountered unknown vulnerability type: " + vtype);
         } // end switch
 
-        return 0;
+        return CweNumber.DONTCARE;
     }
 }
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FusionLiteInsightReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FusionLiteInsightReader.java
index 9ab8dcf0..5cba9ccd 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FusionLiteInsightReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FusionLiteInsightReader.java
@@ -27,6 +27,7 @@
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import org.owasp.benchmarkutils.score.BenchmarkScore;
+import org.owasp.benchmarkutils.score.CweNumber;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestCaseResult;
 import org.owasp.benchmarkutils.score.TestSuiteResults;
@@ -73,10 +74,10 @@ public TestSuiteResults parse(ResultFile resultFile) throws Exception {
 
                 for (Node finding : findingList) {
                     String findingName = getNamedChild("Name", finding).getTextContent();
-                    int findingCWE =
-                            Integer.parseInt(getNamedChild("CWE", finding).getTextContent());
+                    CweNumber findingCWE =
+                            CweNumber.lookup(getNamedChild("CWE", finding).getTextContent());
 
-                    if (findingCWE != 0) {
+                    if (!CweNumber.DONTCARE.equals(findingCWE)) {
                         int testNumber = extractTestNumber(targetURL);
                         if (testNumber != -1) {
                             TestCaseResult tcr = new TestCaseResult();
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanIASTReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanIASTReader.java
index 30080be2..d5eb563f 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanIASTReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanIASTReader.java
@@ -101,7 +101,7 @@ private void parseFindings(TestSuiteResults tr, String json) throws Exception {
 
             if (uri.contains(BenchmarkScore.TESTCASENAME)) {
                 tcr.setNumber(testNumber(uri));
-                if (tcr.getCWE() != 0) {
+                if (!CweNumber.DONTCARE.equals(tcr.getCWE())) {
                     // System.out.println( tcr.getNumber() + "\t" + tcr.getCWE() + "\t" +
                     // tcr.getCategory() );
                     tr.put(tcr);
@@ -113,14 +113,14 @@ private void parseFindings(TestSuiteResults tr, String json) throws Exception {
         }
     }
 
-    private int cweLookup(String rule) {
+    private CweNumber cweLookup(String rule) {
         switch (rule) {
             case "SessionManagement.Cookies":
                 return CweNumber.INSECURE_COOKIE;
             case "Injection.SQL":
                 return CweNumber.SQL_INJECTION;
             case "Injection.OS":
-                return CweNumber.COMMAND_INJECTION;
+                return CweNumber.OS_COMMAND_INJECTION;
             case "Injection.LDAP":
                 return CweNumber.LDAP_INJECTION;
             case "CrossSiteScripting.Reflected":
@@ -140,7 +140,7 @@ private int cweLookup(String rule) {
             default:
                 System.out.println("WARNING: HCL AppScan IAST-Unrecognized finding type: " + rule);
         }
-        return 0;
+        return CweNumber.DONTCARE;
     }
 
     private String calculateTime(String firstLine, String lastLine) {
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanSourceReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanSourceReader.java
index cef83386..d543414e 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanSourceReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanSourceReader.java
@@ -76,7 +76,7 @@ public TestSuiteResults parse(ResultFile resultFile) throws Exception {
                     getNamedChild("ref", getNamedChild("issue-type", vulnerability))
                             .getTextContent();
 
-            int vtype = cweLookup(issueType);
+            CweNumber vtype = cweLookup(issueType);
             //	System.out.println("Vuln type: " + issueType + " has CWE of: " + vtype);
 
             // Then get the filename containing the vuln. And if not in a test case, skip it.
@@ -154,7 +154,7 @@ else if (methodSig == null)
     	    return hours + ":" + mins + ":" + secs;
         }
     */
-    private int cweLookup(String vtype) {
+    private CweNumber cweLookup(String vtype) {
         switch (vtype) {
                 //			case "AppDOS" : return 00;
                 //			case "Authentication.Entity" : return 00;
@@ -176,7 +176,7 @@ private int cweLookup(String vtype) {
             case "Injection.LDAP":
                 return CweNumber.LDAP_INJECTION;
             case "Injection.OS":
-                return CweNumber.COMMAND_INJECTION;
+                return CweNumber.OS_COMMAND_INJECTION;
             case "Injection.SQL":
                 return CweNumber.SQL_INJECTION;
             case "Injection.XPath":
@@ -184,7 +184,7 @@ private int cweLookup(String vtype) {
                 //			case "Malicious.DynamicCode" : return 00;
                 //			case "Malicious.DynamicCode.Execution" : return 00;
             case "OpenSource":
-                return 00; // Known vuln in open source lib.
+                return CweNumber.DONTCARE; // Known vuln in open source lib.
             case "PathTraversal":
                 return CweNumber.PATH_TRAVERSAL;
                 //			case "Quality.TestCode" : return 00;
@@ -199,6 +199,6 @@ private int cweLookup(String vtype) {
                 System.out.println(
                         "WARNING: HCL AppScan Source-Unrecognized finding type: " + vtype);
         }
-        return 0;
+        return CweNumber.DONTCARE;
     }
 }
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanStandardReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanStandardReader.java
index decde5d7..787748f6 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanStandardReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanStandardReader.java
@@ -116,7 +116,7 @@ private TestCaseResult TestCaseLookup(String issueType, String url) {
         String testArea =
                 urlElements[urlElements.length - 2].split("-")[0]; // .split strips off the -##
 
-        int vtype = cweLookup(issueType, testArea);
+        CweNumber vtype = cweLookup(issueType, testArea);
 
         // Then get the filename containing the vuln. And if not in a test case, skip it.
         // Parse out test number from:
@@ -192,17 +192,22 @@ private List<String> variantLookup(
         return testCaseElementsFromVariants;
     }
 
-    private int cweLookup(String vtype, String testArea) {
-        int cwe = cweLookup(vtype); // Do the standard CWE lookup
-
-        // Then map some to other CWEs based on the test area being processed.
-        if ("xpathi".equals(testArea) && cwe == 89) cwe = 643; // CWE for XPath injection
-        if ("ldapi".equals(testArea) && cwe == 89) cwe = 90; // CWE for LDAP injection
+    private CweNumber cweLookup(String vtype, String testArea) {
+        CweNumber cwe = cweLookup(vtype); // Do the standard CWE lookup
 
+        if (CweNumber.SQL_INJECTION.equals(cwe)) {
+            // Then map some to other CWEs based on the test area being processed.
+            if ("xpathi".equals(testArea)) {
+                return CweNumber.XPATH_INJECTION;
+            }
+            if ("ldapi".equals(testArea)) {
+                return CweNumber.LDAP_INJECTION;
+            }
+        }
         return cwe;
     }
 
-    private int cweLookup(String vtype) {
+    private CweNumber cweLookup(String vtype) {
         switch (vtype) {
             case "attDirectoryFound":
             case "attDirOptions":
@@ -214,7 +219,7 @@ private int cweLookup(String vtype) {
             case "attCommandInjectionAdns":
             case "attCommandInjectionUnixTws":
             case "attFileParamPipe":
-                return CweNumber.COMMAND_INJECTION;
+                return CweNumber.OS_COMMAND_INJECTION;
 
             case "attCrossSiteScripting":
                 return CweNumber.XSS;
@@ -273,6 +278,6 @@ private int cweLookup(String vtype) {
                 System.out.println(
                         "WARNING: HCL AppScan Standard-Unrecognized finding type: " + vtype);
         }
-        return 0;
+        return CweNumber.DONTCARE;
     }
 }
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HdivReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HdivReader.java
index 966203f5..42797a4d 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HdivReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HdivReader.java
@@ -29,6 +29,7 @@
 import java.util.List;
 import java.util.Set;
 import org.owasp.benchmarkutils.score.BenchmarkScore;
+import org.owasp.benchmarkutils.score.CweNumber;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestCaseResult;
 import org.owasp.benchmarkutils.score.TestSuiteResults;
@@ -134,7 +135,7 @@ private void process(final TestSuiteResults tr, String testNumber, final List<St
 
             try {
                 Type t = Type.valueOf(type);
-                tcr.setCWE(t.number);
+                tcr.setCWE(CweNumber.lookup(t.number));
                 tcr.setCategory(t.id);
 
                 try {
@@ -143,7 +144,7 @@ private void process(final TestSuiteResults tr, String testNumber, final List<St
                     System.out.println("> Parse error: " + line);
                 }
 
-                if (tcr.getCWE() != 0) {
+                if (!CweNumber.DONTCARE.equals(tcr.getCWE())) {
                     tr.put(tcr);
                 }
             } catch (Exception e) {
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HorusecReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HorusecReader.java
index 0a89b8ac..76932789 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HorusecReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HorusecReader.java
@@ -92,7 +92,7 @@ private TestCaseResult parseTestCaseResult(JSONObject finding) {
         return null;
     }
 
-    private int figureCwe(JSONObject vuln) {
+    private CweNumber figureCwe(JSONObject vuln) {
         String details = vuln.getString("details");
 
         String cwe = fetchCweFromDetails(details);
@@ -102,37 +102,17 @@ private int figureCwe(JSONObject vuln) {
         }
 
         switch (cwe) {
-            case "79":
-                return CweNumber.XSS;
-            case "89":
-                return CweNumber.SQL_INJECTION;
             case "326":
-            case "327":
                 return CweNumber.WEAK_CRYPTO_ALGO;
-            case "328":
-                return CweNumber.WEAK_HASH_ALGO;
-            case "329":
-                return CweNumber.STATIC_CRYPTO_INIT;
-            case "330":
-                return CweNumber.WEAK_RANDOM;
             case "502":
                 if (category(details).equals("LDAP deserialization should be disabled")) {
                     return CweNumber.LDAP_INJECTION;
                 }
 
                 return CweNumber.INSECURE_DESERIALIZATION;
-            case "611":
-                return CweNumber.XXE;
-            case "614":
-                return CweNumber.INSECURE_COOKIE;
-            case "643":
-                return CweNumber.XPATH_INJECTION;
-            case "649":
-                return CweNumber.OBFUSCATION;
-            default:
-                System.out.println("WARN: Horusec reported CWE not yet mapped: " + cwe);
-                return Integer.parseInt(cwe);
         }
+
+        return CweNumber.lookup(cwe);
     }
 
     private String fetchCweFromDetails(String details) {
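Review bot: The trailing `return CweNumber.lookup(cwe);` replaces the old default branch, which logged `WARN: Horusec reported CWE not yet mapped` for any number not in the switch; whether an unmapped number still surfaces anywhere now depends on how `CweNumber.lookup` treats values without an enum constant, which is outside this hunk. Keeping `"326"` as an explicit case while dropping `"327"` also means the old 326/327 fold into WEAK_CRYPTO_ALGO is only preserved if `lookup("327")` resolves to that same constant. A comment makes the intent checkable: `// CWE-326 is folded into WEAK_CRYPTO_ALGO; every other number resolves through CweNumber.lookup`. The body of figureCwe starts in the preceding hunk.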
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/InsiderReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/InsiderReader.java
index 32fd757a..67d0b2ee 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/InsiderReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/InsiderReader.java
@@ -79,8 +79,8 @@ private TestCaseResult parseTestCaseResult(JSONObject finding) {
                 TestCaseResult tcr = new TestCaseResult();
 
                 tcr.setNumber(testNumber(filename));
-                int cwe = cweNumber(finding);
-                tcr.setCWE(cwe);
+                String cwe = finding.getString("cwe").substring(4);
+                tcr.setCWE(CweNumber.lookup(cwe));
 
                 return tcr;
             }
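Review bot: Replacing the deleted cweNumber helper (next hunk) with a bare `CweNumber.lookup(cwe)` drops the fold of CWE-326 into WEAK_CRYPTO_ALGO that the helper performed, while HorusecReader in this same commit keeps `case "326": return CweNumber.WEAK_CRYPTO_ALGO;`. If that fold matters for scoring Insider results, keep it ahead of the lookup: `tcr.setCWE("326".equals(cwe) ? CweNumber.WEAK_CRYPTO_ALGO : CweNumber.lookup(cwe));`. The inlined `substring(4)` still assumes a fixed `CWE-` prefix, unchanged from the helper, but now sits next to `setCWE` where it is easy to overlook that a shorter value throws first; a short `// strip the "CWE-" prefix` comment would help the next reader.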
@@ -91,27 +91,6 @@ private TestCaseResult parseTestCaseResult(JSONObject finding) {
         return null;
     }
 
-    private int cweNumber(JSONObject finding) {
-        String cwe = finding.getString("cwe").substring(4);
-
-        switch (cwe) {
-            case "78":
-                return CweNumber.COMMAND_INJECTION;
-            case "326":
-            case "327":
-                return CweNumber.WEAK_CRYPTO_ALGO;
-            case "330":
-                return CweNumber.WEAK_RANDOM;
-            case "532":
-                return CweNumber.SENSITIVE_LOGFILE;
-
-            default:
-                System.out.println(
-                        "INFO: Found following CWE which we haven't seen before: " + cwe);
-                return Integer.parseInt(cwe);
-        }
-    }
-
     private String filename(JSONObject vuln) {
         String className = vuln.getString("class");
         return className.substring(0, className.indexOf(' '));
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/JuliaReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/JuliaReader.java
index b03d2e13..7026d5aa 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/JuliaReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/JuliaReader.java
@@ -21,6 +21,7 @@
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import org.owasp.benchmarkutils.score.BenchmarkScore;
+import org.owasp.benchmarkutils.score.CweNumber;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestCaseResult;
 import org.owasp.benchmarkutils.score.TestSuiteResults;
@@ -93,7 +94,7 @@ private TestCaseResult parseJuliaBug(Node n) {
                     tcr.setNumber(Integer.parseInt(testNumber));
                 }
             } else if (childName.equals("CWEid"))
-                tcr.setCWE(Integer.parseInt(child.getTextContent()));
+                tcr.setCWE(CweNumber.lookup(child.getTextContent()));
         }
 
         return tcr;
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/KiuwanReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/KiuwanReader.java
index 2b3746f1..51d9deac 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/KiuwanReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/KiuwanReader.java
@@ -91,7 +91,7 @@ private TestCaseResult parseKiuwanFinding(JSONObject finding) {
             if (filename.contains(BenchmarkScore.TESTCASENAME)) {
                 tcr.setNumber(testNumber(filename));
 
-                int cwe = -1;
+                CweNumber cwe = CweNumber.DONTCARE;
                 try {
                     JSONArray mappings = finding.getJSONArray("mappings");
                     for (int i = 0; i < mappings.length(); i++) {
@@ -103,7 +103,7 @@ private TestCaseResult parseKiuwanFinding(JSONObject finding) {
                         }
                     }
 
-                    if (cwe != -1) {
+                    if (!CweNumber.DONTCARE.equals(cwe)) {
                         tcr.setCWE(cwe);
                         tcr.setCategory(finding.getString("summary"));
                         tcr.setEvidence(finding.getString("scannerDetail"));
@@ -120,16 +120,15 @@ private TestCaseResult parseKiuwanFinding(JSONObject finding) {
         return null;
     }
 
-    private int fixCWE(String cweNumber) {
-        int cwe = Integer.parseInt(cweNumber);
-
-        if (cwe == 564) {
-            cwe = CweNumber.SQL_INJECTION;
+    private CweNumber fixCWE(String cweNumber) {
+        if ("564".equals(cweNumber)) {
+            return CweNumber.SQL_INJECTION;
         }
 
-        if (cwe == 77) {
-            cwe = CweNumber.COMMAND_INJECTION;
+        if ("77".equals(cweNumber)) {
+            return CweNumber.OS_COMMAND_INJECTION;
         }
-        return cwe;
+
+        return CweNumber.lookup(cweNumber);
     }
 }
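Review bot: `"564".equals(cweNumber)` and `"77".equals(cweNumber)` compare the raw text, whereas the old code parsed the number first, so a value such as `0564` or `+77` that previously hit the special case now falls through to `CweNumber.lookup` and loses the SQL_INJECTION / OS_COMMAND_INJECTION fold. Whether Kiuwan ever emits such forms is not visible here, but parsing once and comparing ints keeps the previous semantics and still ends in the enum, since `CweNumber.lookup(int)` is already used by other readers in this commit. Suggested rewrite below; the two comments record why those CWEs are folded.
```java
private CweNumber fixCWE(String cweNumber) {
    int cwe = Integer.parseInt(cweNumber);
    if (cwe == 564) { // CWE-564 (SQL Injection: Hibernate) is scored as plain SQL injection
        return CweNumber.SQL_INJECTION;
    }
    if (cwe == 77) { // CWE-77 (Command Injection) is scored as OS command injection
        return CweNumber.OS_COMMAND_INJECTION;
    }
    return CweNumber.lookup(cwe);
}
```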
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/KlocworkCSVReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/KlocworkCSVReader.java
index b910a5dc..4b708c54 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/KlocworkCSVReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/KlocworkCSVReader.java
@@ -76,7 +76,7 @@ public TestSuiteResults parse(ResultFile resultFile) throws Exception {
                 System.out.println("> Parse error: " + record.toString());
             }
 
-            if (tcr.getCWE() != 0) {
+            if (!CweNumber.DONTCARE.equals(tcr.getCWE())) {
                 tr.put(tcr);
             }
         }
@@ -86,10 +86,12 @@ public TestSuiteResults parse(ResultFile resultFile) throws Exception {
         return tr;
     }
 
-    private int cweLookup(String checkerKey) {
+    private CweNumber cweLookup(String checkerKey) {
 
         // We don't care about non-vulnerability findings
-        if (!checkerKey.startsWith("SV.")) return CweNumber.DONTCARE;
+        if (!checkerKey.startsWith("SV.")) {
+            return CweNumber.DONTCARE;
+        }
 
         switch (checkerKey) {
                 // These few are OBE because of the SV. check above, but left in, in case we want to
@@ -114,9 +116,9 @@ private int cweLookup(String checkerKey) {
             case "SV.EXEC.ENV": // Process Injection Environment Variables
             case "SV.EXEC.LOCAL": // Process Injection. Local Arguments
             case "SV.EXEC.PATH": // Untrusted Search Path
-                return CweNumber.COMMAND_INJECTION;
+                return CweNumber.OS_COMMAND_INJECTION;
             case "SV.HASH.NO_SALT": // Use of a one-way cryptographic hash without a salt
-                return 759; // CWE-759: Use of a One-Way Hash without a Salt
+                return CweNumber.UNSALTED_ONE_WAY_HASH;
                 // Not the same as: CweNumber.WEAK_HASH_ALGO; - CWE: 328 Weak Hashing
             case "SV.LDAP": // Unvalidated user input is used as LDAP filter
                 return CweNumber.LDAP_INJECTION;
@@ -147,7 +149,7 @@ private int cweLookup(String checkerKey) {
             default:
                 System.out.println(
                         "WARNING: Unmapped Vulnerability category detected: " + checkerKey);
-                return 0;
+                return CweNumber.DONTCARE;
         }
     }
 }
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/LGTMReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/LGTMReader.java
index 72870d42..29e5e985 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/LGTMReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/LGTMReader.java
@@ -21,6 +21,7 @@
 import org.json.JSONArray;
 import org.json.JSONObject;
 import org.owasp.benchmarkutils.score.BenchmarkScore;
+import org.owasp.benchmarkutils.score.CweNumber;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestCaseResult;
 import org.owasp.benchmarkutils.score.TestSuiteResults;
@@ -163,8 +164,7 @@ private TestCaseResult parseLGTMFinding(
                             "Unexpectedly found more than one location for finding against rule: "
                                     + ruleId);
                 }
-                int cwe = cweForRule.intValue();
-                tcr.setCWE(cwe);
+                tcr.setCWE(CweNumber.lookup(cweForRule.intValue()));
                 //				tcr.setCategory( props.getString( "subcategoryShortDescription" ) ); //
                 // Couldn't find any Category info in results file
                 tcr.setEvidence(finding.getJSONObject("message").getString("text"));
@@ -175,14 +175,4 @@ private TestCaseResult parseLGTMFinding(
         }
         return null;
     }
-
-    /*
-    	private int fixCWE( String cweNumber ) {
-    		int cwe = Integer.parseInt( cweNumber );
-    		if ( cwe == 94 ) cwe = 643;
-    		if ( cwe == 36 ) cwe = 22;
-    		if ( cwe == 23 ) cwe = 22;
-    		return cwe;
-    	}
-    */
 }
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/NJSScanReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/NJSScanReader.java
index a844d7a1..8cc18bff 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/NJSScanReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/NJSScanReader.java
@@ -22,6 +22,7 @@
 import org.json.JSONException;
 import org.json.JSONObject;
 import org.owasp.benchmarkutils.score.BenchmarkScore;
+import org.owasp.benchmarkutils.score.CweNumber;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestCaseResult;
 import org.owasp.benchmarkutils.score.TestSuiteResults;
@@ -144,13 +145,12 @@ private TestCaseResult[] parseCWE(JSONObject CWE) {
 
             // Grab the number between "-num:"
             cwe_str = cwe_str.substring(cwe_str.indexOf('-') + 1, cwe_str.indexOf(':'));
-            int cwe_identifier = cweLookup(Integer.parseInt(cwe_str));
+            CweNumber cwe = cweLookup(Integer.parseInt(cwe_str));
 
             // Process each file
             JSONArray file_arr = CWE.getJSONArray("files");
             for (int i = 0; i < file_arr.length(); i++) {
-                TestCaseResult result =
-                        produceTestCaseResult(file_arr.getJSONObject(i), cwe_identifier);
+                TestCaseResult result = produceTestCaseResult(file_arr.getJSONObject(i), cwe);
                 if (result != null) results.add(result);
             }
 
@@ -178,13 +178,13 @@ private TestCaseResult[] parseCWE(JSONObject CWE) {
      * <p>Catch errors here because I do not want to interrupt the for loop in the above call
      *
      * @param file The JSONObject which contains a single file dictionary object
-     * @param cwe_identifier The numerical value of the CWE
+     * @param cwe CweNumber value
      * @return A TestCaseResult with the information from the file or null if finding is not in a
      *     test case source file
      */
-    private TestCaseResult produceTestCaseResult(JSONObject file, int cwe_identifier) {
+    private TestCaseResult produceTestCaseResult(JSONObject file, CweNumber cwe) {
         TestCaseResult tcr = new TestCaseResult();
-        tcr.setCWE(cwe_identifier);
+        tcr.setCWE(cwe);
 
         String filename = "";
         try {
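Review bot: `@param cwe CweNumber value` only restates the parameter's type; the replaced text at least said what the value represented. Something like `@param cwe the CWE this finding is scored under, as resolved by {@link #cweLookup(int)}` keeps the Javadoc informative. produceTestCaseResult's body continues past this hunk.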
@@ -213,34 +213,16 @@ private TestCaseResult produceTestCaseResult(JSONObject file, int cwe_identifier
         return tcr;
     }
 
-    private int cweLookup(int cwe) {
+    private CweNumber cweLookup(int cwe) {
         switch (cwe) {
             case 23: // Relative Path Traversal <-- care about this one
-                return 22; // We expect 22, not 23
-
-            case 79: // XSS <-- care about this one
-            case 209: // Info leak from Error Message
-            case 400: // Uncontrolled Resource Consumption
-            case 522: // Insufficiently protected credentials
-            case 613: // Insufficient session expiration
-            case 614: // Sensitive cookie without Secure Attribute <-- care about this one
-            case 693: // Protection Mechanism Failure (e.g., One or more Security Response header is
-                // explicitly disabled in Helmet)
-            case 798: // Hard coded credentials
-            case 1275: // Sensitive cookie w/ Improper SameSite Attribute
-                break; // Don't care about these, or mapping is correct, so return 'as is'.
-
+                return CweNumber.PATH_TRAVERSAL; // We expect 22, not 23
             case 943: // Improper Neutralization of Special Elements in Data Query Logic (Child of
                 // SQL Injection)
-                return 89; // This is likely an SQLi finding, so mapping to that.
-
-            default:
-                System.out.println(
-                        "WARNING: NJSScan-Unrecognized cwe: "
-                                + cwe
-                                + ". Verify mapping is correct and add mapping to NJSScanReader.");
+                return CweNumber
+                        .SQL_INJECTION; // This is likely an SQLi finding, so mapping to that.
         }
 
-        return cwe;
+        return CweNumber.lookup(cwe);
     }
 }
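Review bot: The `return CweNumber` / `.SQL_INJECTION;` split on the `case 943` branch is a formatter artefact caused by the trailing comment; moving the comment to its own line keeps the statement on one line: `// This is likely an SQLi finding, so mapping to that.` followed by `return CweNumber.SQL_INJECTION;`. Separately, the deleted `default` branch was the only place that printed `WARNING: NJSScan-Unrecognized cwe`, and the deleted pass-through list (209, 400, 522, 613, 614, 693, 798, 1275) recorded which CWEs had been reviewed as acceptable; both now depend on how `CweNumber.lookup(int)` treats a number without an enum constant, which is outside this hunk. A comment on the final `return CweNumber.lookup(cwe);` stating that expectation would record it for the next maintainer.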
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/NetsparkerReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/NetsparkerReader.java
index 310e2dc8..b3aa67c4 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/NetsparkerReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/NetsparkerReader.java
@@ -86,8 +86,7 @@ private TestCaseResult parseNetsparkerIssue(Node flaw) {
             Node vulnId = getNamedChild("CWE", classification);
             if (vulnId != null) {
                 String cweNum = vulnId.getTextContent();
-                int cwe = cweLookup(cweNum);
-                tcr.setCWE(cwe);
+                tcr.setCWE(cweLookup(cweNum));
             }
         }
 
@@ -112,9 +111,9 @@ private TestCaseResult parseNetsparkerIssue(Node flaw) {
         return null;
     }
 
-    private int cweLookup(String cweNum) {
+    private CweNumber cweLookup(String cweNum) {
         if (cweNum == null || cweNum.isEmpty()) {
-            return 0000;
+            return CweNumber.DONTCARE;
         }
         int cwe = Integer.parseInt(cweNum);
         switch (cwe) {
@@ -137,6 +136,6 @@ private int cweLookup(String cweNum) {
                 //        case "trust-boundary-violation"  :  return 501;  // trust boundary
                 //        case "xxe"                       :  return 611;  // xml entity
         }
-        return cwe;
+        return CweNumber.lookup(cwe);
     }
 }
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/NoisyCricketReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/NoisyCricketReader.java
index c39fb555..ae8e86d3 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/NoisyCricketReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/NoisyCricketReader.java
@@ -19,6 +19,7 @@
 
 import java.util.List;
 import org.owasp.benchmarkutils.score.BenchmarkScore;
+import org.owasp.benchmarkutils.score.CweNumber;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestCaseResult;
 import org.owasp.benchmarkutils.score.TestSuiteResults;
@@ -73,7 +74,7 @@ private void parseNoisyCricketIssue(Node item, TestSuiteResults tr) {
             for (String cwe : cwes) {
                 TestCaseResult tcr = new TestCaseResult();
                 tcr.setNumber(testNumber);
-                tcr.setCWE(Integer.parseInt(cwe));
+                tcr.setCWE(CweNumber.lookup(cwe));
                 tr.put(tcr);
             }
         }
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/PMDReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/PMDReader.java
index 6ccefdcf..3f5f8853 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/PMDReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/PMDReader.java
@@ -23,6 +23,7 @@
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import org.owasp.benchmarkutils.score.BenchmarkScore;
+import org.owasp.benchmarkutils.score.CweNumber;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestCaseResult;
 import org.owasp.benchmarkutils.score.TestSuiteResults;
@@ -35,8 +36,7 @@ public class PMDReader extends Reader {
 
     @Override
     public boolean canRead(ResultFile resultFile) {
-        return resultFile.filename().endsWith(".xml") 
-                && resultFile.xmlRootNodeName().equals("pmd");
+        return resultFile.filename().endsWith(".xml") && resultFile.xmlRootNodeName().equals("pmd");
     }
 
     @Override
@@ -108,7 +108,7 @@ private List<TestCaseResult> parsePMDItem(Node fileNode) {
         return results;
     }
 
-    private int figureCWE(String rule) {
+    private CweNumber figureCWE(String rule) {
         switch (rule) {
             case "AvoidUsingOctalValues":
             case "CollapsibleIfStatements":
@@ -126,38 +126,37 @@ private int figureCWE(String rule) {
             case "UnusedLocalVariable":
             case "UnusedPrivateMethod":
             case "UselessParentheses":
-                return 0000; // Don't care
+                return CweNumber.DONTCARE;
                 // Don't think PMD reports any of these:
             case "??1":
-                return 614; // insecure cookie use
+                return CweNumber.INSECURE_COOKIE;
             case "??2":
-                return 330; // weak random
+                return CweNumber.WEAK_RANDOM;
             case "??3":
-                return 90; // LDAP injection
+                return CweNumber.LDAP_INJECTION;
             case "??4":
-                return 22; // path traversal
             case "??5":
-                return 22; // path traversal
+                return CweNumber.PATH_TRAVERSAL;
             case "??6":
-                return 327; // weak encryption
+                return CweNumber.WEAK_CRYPTO_ALGO;
             case "??7":
-                return 643; // xpath injection
+                return CweNumber.XPATH_INJECTION;
             case "??8":
-                return 328; // weak hash
+                return CweNumber.WEAK_HASH_ALGO;
             case "??9":
-                return 78; // command injection
+                return CweNumber.OS_COMMAND_INJECTION;
             case "??10":
-                return 79; // XSS
+                return CweNumber.XSS;
 
-            // FbInfer additional rules
+                // FbInfer additional rules
             case "RESOURCE_LEAK":
             case "NULL_DEREFERENCE":
-                return 0;
+                return CweNumber.DONTCARE;
 
             default:
                 System.out.println("Unknown category: " + rule);
         }
 
-        return 0;
+        return CweNumber.DONTCARE;
     }
 }
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ParasoftReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ParasoftReader.java
index 9da70bc3..7560d0e2 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ParasoftReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ParasoftReader.java
@@ -158,13 +158,12 @@ private TestCaseResult parseFlowViol(Node flaw) {
     }
 
     // https://www.securecoding.cert.org/confluence/display/java/Parasoft
-    private int cweLookup(String cat) {
-
+    private CweNumber cweLookup(String cat) {
         switch (cat) {
                 //        case "BD.PB.CC" : return x;
                 //        case "BD.RES.LEAKS" : return x;
             case "BD.SECURITY.TDCMD":
-                return CweNumber.COMMAND_INJECTION;
+                return CweNumber.OS_COMMAND_INJECTION;
             case "BD.SECURITY.TDFNAMES":
                 return CweNumber.PATH_TRAVERSAL;
             case "BD.SECURITY.TDLDAP":
@@ -193,6 +192,6 @@ private int cweLookup(String cat) {
                 //        case "Weak Cryptographic Hash" : return 328;
                 //        case "Weak Encryption" : return 327;
         }
-        return -1;
+        return CweNumber.DONTCARE;
     }
 }
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/QualysWASReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/QualysWASReader.java
index 9eb65a5a..47ee1179 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/QualysWASReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/QualysWASReader.java
@@ -19,6 +19,7 @@
 
 import java.util.List;
 import org.owasp.benchmarkutils.score.BenchmarkScore;
+import org.owasp.benchmarkutils.score.CweNumber;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestCaseResult;
 import org.owasp.benchmarkutils.score.TestSuiteResults;
@@ -114,7 +115,7 @@ public TestSuiteResults parse(ResultFile resultFile) throws Exception {
     private TestCaseResult parseQualysVulnerability(Node issue) {
         TestCaseResult tcr = new TestCaseResult();
         String cwe = getNamedChild("QID", issue).getTextContent();
-        tcr.setCWE(translate_cwe(cwe));
+        tcr.setCWE(translateCwe(cwe));
 
         String name = getNamedChild("QID", issue).getTextContent();
         tcr.setCategory(translate_name(name));
@@ -141,85 +142,85 @@ private TestCaseResult parseQualysVulnerability(Node issue) {
         return null;
     }
 
-    private int translate_cwe(String id) {
+    private CweNumber translateCwe(String id) {
         switch (id) {
             case "150001":
-                return 79; // Reflected Cross-Site Scripting (XSS) Vulnerabilities
+                return CweNumber.XSS;
             case "150003":
-                return 89; // SQL Injection
-            case "150009":
-                return 9999; // Links Crawled
-            case "150010":
-                return 9999; // External Links Discovered
+                return CweNumber.SQL_INJECTION;
+            case "150009": // Links Crawled
+                return CweNumber.DONTCARE;
+            case "150010": // External Links Discovered
+                return CweNumber.DONTCARE;
             case "150012":
-                return 89; // Blind SQL Injection
-            case "150018":
-                return 9999; // Connection Error Occurred During Web Application Scan
-            case "150021":
-                return 9999; // Scan Diagnostics
+                return CweNumber.SQL_INJECTION;
+            case "150018": // Connection Error Occurred During Web Application Scan
+                return CweNumber.DONTCARE;
+            case "150021": // Scan Diagnostics
+                return CweNumber.DONTCARE;
             case "150022":
-                return 209; // Verbose Error Message
-            case "150028":
-                return 9999; // Cookies Collected
-            case "150033":
-                return 9999; // Credit Card Number Pattern Identified In HTML
-            case "150042":
-                return 9999; // Server Returns HTTP 500 Message For Request
-            case "150046":
-                return 79; // Reflected Cross-Site Scripting (XSS) in HTTP Header
-            case "150054":
-                return 9999; // Email Addresses Collected
-            case "150055":
-                return 78; // PHP Command Injection
-            case "150079":
-                return 772; // Slow HTTP headers vulnerability
-            case "150081":
-                return 693; // X-Frame-Options header is not set
-            case "150084":
-                return 79; // Unencoded characters
-            case "150085":
-                return 772; // Slow HTTP POST vulnerability
-            case "150086":
-                return 9999; // Server accepts unnecessarily large POST request body
-            case "150104":
-                return 9999; // Form Contains Email Address Field
-            case "150115":
-                return 9999; // Authentication Form found
-            case "150122":
-                return 614; // Cookie Does Not Contain The "secure" Attribute
-            case "150123":
-                return 1004; // Cookie Does Not Contain The "HTTPOnly" Attribute
-            case "150124":
-                return 451; // Clickjacking - Framable Page
-            case "150126":
-                return 9999; // Links With High Resource Consumption
-            case "150135":
-                return 9999; // HTTP Strict Transport Security (HSTS) header missing/misconfigured.
-            case "150148":
-                return 9999; // AJAX Links Crawled
-            case "150152":
-                return 9999; // Forms Crawled
-            case "150162":
-                return 937; // Use of JavaScript Library with Known Vulnerability
-            case "150172":
-                return 9999; // Requests Crawled
-            case "150176":
-                return 9999; // JavaScript Libraries Detected
-            case "150202":
-                return 9999; // Missing header: X-Content-Type-Options
-            case "150204":
-                return 9999; // Missing header: X-XSS-Protection
-            case "150205":
-                return 9999; // Misconfigured header: X-XSS-Protection
-            case "150206":
-                return 9999; // Content-Security-Policy Not Implemented
-            case "150251":
-                return 643; // Blind XPath Injection
+                return CweNumber.ERROR_MESSAGE_WITH_SENSITIVE_INFO;
+            case "150028": // Cookies Collected
+                return CweNumber.DONTCARE;
+            case "150033": // Credit Card Number Pattern Identified In HTML
+                return CweNumber.DONTCARE;
+            case "150042": // Server Returns HTTP 500 Message For Request
+                return CweNumber.DONTCARE;
+            case "150046": // Reflected Cross-Site Scripting (XSS) in HTTP Header
+                return CweNumber.XSS;
+            case "150054": // Email Addresses Collected
+                return CweNumber.DONTCARE;
+            case "150055": // PHP Command Injection
+                return CweNumber.OS_COMMAND_INJECTION;
+            case "150079": // Slow HTTP headers vulnerability
+                return CweNumber.MISSING_RELEASE_OF_RESOURCE;
+            case "150081": // X-Frame-Options header is not set
+                return CweNumber.PROTECTION_MECHANISM_FAILURE;
+            case "150084": // Unencoded characters
+                return CweNumber.XSS;
+            case "150085": // Slow HTTP POST vulnerability
+                return CweNumber.MISSING_RELEASE_OF_RESOURCE;
+            case "150086": // Server accepts unnecessarily large POST request body
+                return CweNumber.DONTCARE;
+            case "150104": // Form Contains Email Address Field
+                return CweNumber.DONTCARE;
+            case "150115": // Authentication Form found
+                return CweNumber.DONTCARE;
+            case "150122": // Cookie Does Not Contain The "secure" Attribute
+                return CweNumber.INSECURE_COOKIE;
+            case "150123": // Cookie Does Not Contain The "HTTPOnly" Attribute
+                return CweNumber.COOKIE_WITHOUT_HTTPONLY;
+            case "150124": // Clickjacking - Framable Page
+                return CweNumber.MISREPRESENTATION_OF_CRITICAL_INFO;
+            case "150126": // Links With High Resource Consumption
+                return CweNumber.DONTCARE;
+            case "150135": // HTTP Strict Transport Security (HSTS) header missing/misconfigured.
+                return CweNumber.DONTCARE;
+            case "150148": // AJAX Links Crawled
+                return CweNumber.DONTCARE;
+            case "150152": // Forms Crawled
+                return CweNumber.DONTCARE;
+            case "150162": // Use of JavaScript Library with Known Vulnerability
+                return CweNumber.CATEGORY_OWASP_2013_A9;
+            case "150172": // Requests Crawled
+                return CweNumber.DONTCARE;
+            case "150176": // JavaScript Libraries Detected
+                return CweNumber.DONTCARE;
+            case "150202": // Missing header: X-Content-Type-Options
+                return CweNumber.DONTCARE;
+            case "150204": // Missing header: X-XSS-Protection
+                return CweNumber.DONTCARE;
+            case "150205": // Misconfigured header: X-XSS-Protection
+                return CweNumber.DONTCARE;
+            case "150206": // Content-Security-Policy Not Implemented
+                return CweNumber.DONTCARE;
+            case "150251": // Blind XPath Injection
+                return CweNumber.XPATH_INJECTION;
             case "123456":
-                return 6666;
+                return CweNumber.DONTCARE;
         } // end switch(id)
         System.out.println("Unknown id: " + id);
-        return -1;
+        return CweNumber.DONTCARE;
     }
 
     // Qualys does not provide the NAME of the vulnerabilities in the VULNERABILITY node. These are
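Review bot: translateCwe now has more than twenty separate `case ... return CweNumber.DONTCARE;` pairs and three branches that each return `XSS`; grouping labels that share a result (as PMDReader's figureCWE does in this commit) shows the scoring intent at a glance and makes it harder to miss one when a QID is added. Each label keeps its descriptive comment, so no information is lost. Suggested shape below; the `Unknown id` fallback after the switch is unchanged.
```java
private CweNumber translateCwe(String id) {
    switch (id) {
        case "150001": // Reflected Cross-Site Scripting (XSS) Vulnerabilities
        case "150046": // Reflected Cross-Site Scripting (XSS) in HTTP Header
        case "150084": // Unencoded characters
            return CweNumber.XSS;
        case "150003": // SQL Injection
        case "150012": // Blind SQL Injection
            return CweNumber.SQL_INJECTION;
        case "150079": // Slow HTTP headers vulnerability
        case "150085": // Slow HTTP POST vulnerability
            return CweNumber.MISSING_RELEASE_OF_RESOURCE;
        // … unchanged: one-to-one mappings for 150022, 150055, 150081, 150122, 150123, 150124, 150162, 150251 …
        case "150009": // Links Crawled
        case "150010": // External Links Discovered
        case "150018": // Connection Error Occurred During Web Application Scan
        case "150021": // Scan Diagnostics
        case "150028": // Cookies Collected
        case "150033": // Credit Card Number Pattern Identified In HTML
        case "150042": // Server Returns HTTP 500 Message For Request
        case "150054": // Email Addresses Collected
        case "150086": // Server accepts unnecessarily large POST request body
        case "150104": // Form Contains Email Address Field
        case "150115": // Authentication Form found
        case "150126": // Links With High Resource Consumption
        case "150135": // HTTP Strict Transport Security (HSTS) header missing/misconfigured.
        case "150148": // AJAX Links Crawled
        case "150152": // Forms Crawled
        case "150172": // Requests Crawled
        case "150176": // JavaScript Libraries Detected
        case "150202": // Missing header: X-Content-Type-Options
        case "150204": // Missing header: X-XSS-Protection
        case "150205": // Misconfigured header: X-XSS-Protection
        case "150206": // Content-Security-Policy Not Implemented
        case "123456": // placeholder entry (previously returned 6666)
            return CweNumber.DONTCARE; // informational findings, not scored
    } // end switch(id)
    // … unchanged: "Unknown id" warning and DONTCARE fallback …
}
```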
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Rapid7Reader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Rapid7Reader.java
index ec376327..95843b6d 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Rapid7Reader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Rapid7Reader.java
@@ -66,7 +66,7 @@ public TestSuiteResults parse(ResultFile resultFile) throws Exception {
         return tr;
     }
 
-    private int cweLookup(String cweNum, String evidence) {
+    private CweNumber cweLookup(String cweNum, String evidence) {
         int cwe = 0;
         if (cweNum != null && !cweNum.isEmpty()) {
             cwe = Integer.parseInt(cweNum);
@@ -95,14 +95,14 @@ private int cweLookup(String cweNum, String evidence) {
                     case "X-Content-Type-Options header not found":
                     case "X-Frame-Options HTTP header checking":
                     case "X-XSS-Protection header not found":
-                        return 0;
+                        return CweNumber.DONTCARE;
                     default:
                         {
                             // If this prints out anything new, add to this mapping so we know it's
                             // mapped properly.
                             System.out.println(
                                     "Found new unmapped finding with evidence: " + evidence);
-                            return 0; // In case they add any new mappings
+                            return CweNumber.DONTCARE; // In case they add any new mappings
                         }
                 }
             case 79:
@@ -143,7 +143,7 @@ private int cweLookup(String cweNum, String evidence) {
                 // FP rate up 7.75%
                 return CweNumber.SQL_INJECTION;
         }
-        return cwe;
+        return CweNumber.lookup(cwe);
     }
 
     @JsonIgnoreProperties(ignoreUnknown = true)
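Review bot: `return CweNumber.lookup(cwe)` is now reached with `cwe == 0` whenever the record carried no CWE (the `int cwe = 0` default at the top of cweLookup in the earlier hunk), and what `CweNumber.lookup(0)` does — DONTCARE, a generic constant, or an exception — is not visible in this diff; the old code returned the raw 0 and left filtering to callers. If lookup is strict, guard it: `return cwe == 0 ? CweNumber.DONTCARE : CweNumber.lookup(cwe);`. The start of cweLookup lies outside this hunk.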
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ReshiftReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ReshiftReader.java
index 83639ca1..5330b220 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ReshiftReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ReshiftReader.java
@@ -21,6 +21,7 @@
 import org.apache.commons.csv.CSVFormat;
 import org.apache.commons.csv.CSVRecord;
 import org.owasp.benchmarkutils.score.BenchmarkScore;
+import org.owasp.benchmarkutils.score.CweNumber;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestCaseResult;
 import org.owasp.benchmarkutils.score.TestSuiteResults;
@@ -33,7 +34,7 @@ public boolean canRead(ResultFile resultFile) {
                 && resultFile.line(0).contains("Reshift Report");
     }
 
-    private static int cweLookup(String checkerKey) {
+    private static CweNumber cweLookup(String checkerKey) {
         checkerKey = checkerKey.replace("-SECOND-ORDER", "");
 
         switch (checkerKey) {
@@ -41,38 +42,38 @@ private static int cweLookup(String checkerKey) {
             case "Path Traversal (Read)":
             case "Path Traversal (Relative)":
             case "Path Traversal (Write)":
-                return 22; // path traversal
+                return CweNumber.PATH_TRAVERSAL;
 
             case "SQL Injection (Hibernate)":
             case "SQL Injection (Java Database Connectivity)":
             case "SQL Injection (JDBC)":
             case "SQL Injection (Non-constant String)":
             case "SQL Injection (Prepared Statement)":
-                return 89; // sql injection
+                return CweNumber.SQL_INJECTION;
 
             case "Arbitrary Command Execution":
-                return 78; // command injection
+                return CweNumber.OS_COMMAND_INJECTION;
             case "XPath Injection":
-                return 643; // xpath injection
+                return CweNumber.XPATH_INJECTION;
             case "Cipher is Susceptible to Padding Oracle":
             case "Cipher With No Integrity":
             case "DES is Insecure":
             case "DESede is Insecure":
             case "Static IV":
-                return 327; // weak encryption
+                return CweNumber.WEAK_CRYPTO_ALGO;
             case "MD2, MD4 and MD5 Are Weak Hash Functions":
             case "SHA-1 is a Weak Hash Function":
-                return 328; // weak hash
+                return CweNumber.WEAK_HASH_ALGO;
             case "LDAP Injection":
-                return 90; // ldap injection
+                return CweNumber.LDAP_INJECTION;
             case "Cross-Site Scripting (XSS-Servlet Output)":
-                return 79; // xss
+                return CweNumber.XSS;
 
             default:
                 System.out.println(
                         "WARNING: Unmapped Vulnerability category detected: " + checkerKey);
         }
-        return 0;
+        return CweNumber.DONTCARE;
     }
 
     @Override
@@ -122,7 +123,7 @@ public TestSuiteResults parse(ResultFile resultFile) throws Exception {
                                     url.substring(
                                             testCaseNumStart,
                                             testCaseNumStart + BenchmarkScore.TESTIDLENGTH)));
-                    if (tcr.getCWE() != 0) {
+                    if (!CweNumber.DONTCARE.equals(tcr.getCWE())) {
                         tr.put(tcr);
                     }
                 }
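Review bot: `!CweNumber.DONTCARE.equals(tcr.getCWE())` reads like a string comparison; for an enum the reference form `tcr.getCWE() != CweNumber.DONTCARE` is the idiomatic spelling and equally null-safe, and the same expression recurs in the Seeker and SnappyTick hunks below. Note also that the old guard `getCWE() != 0` implicitly dropped findings whose CWE was never set, whereas a null from getCWE() now passes this check and is stored; whether TestCaseResult initialises the field to DONTCARE is not visible here and is worth confirming. The enclosing parse loop starts and ends outside this hunk.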
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SeekerReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SeekerReader.java
index 4c9e4b71..ed73cb20 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SeekerReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SeekerReader.java
@@ -19,6 +19,7 @@
 
 import org.apache.commons.csv.CSVFormat;
 import org.apache.commons.csv.CSVRecord;
+import org.owasp.benchmarkutils.score.CweNumber;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestCaseResult;
 import org.owasp.benchmarkutils.score.TestSuiteResults;
@@ -53,7 +54,7 @@ public TestSuiteResults parse(ResultFile resultFile) throws Exception {
                 System.out.println("> Parse error: " + record.toString());
             }
 
-            if (tcr.getCWE() != 0) {
+            if (!CweNumber.DONTCARE.equals(tcr.getCWE())) {
                 tr.put(tcr);
             }
         }
@@ -63,53 +64,53 @@ public TestSuiteResults parse(ResultFile resultFile) throws Exception {
         return tr;
     }
 
-    private int cweLookup(String checkerKey) {
+    private CweNumber cweLookup(String checkerKey) {
         checkerKey = checkerKey.replace("-SECOND-ORDER", "");
 
         switch (checkerKey) {
             case "COOK-SEC":
-                return 614; // insecure cookie use
+                return CweNumber.INSECURE_COOKIE;
             case "SQLI":
-                return 89; // sql injection
+                return CweNumber.SQL_INJECTION;
             case "CMD-INJECT":
-                return 78; // command injection
+                return CweNumber.OS_COMMAND_INJECTION;
             case "LDAP-INJECTION":
-                return 90; // ldap injection
+                return CweNumber.LDAP_INJECTION;
             case "header-injection":
-                return 113; // header injection
+                return CweNumber.HTTP_RESPONSE_SPLITTING;
             case "hql-injection":
-                return 564; // hql injection
+                return CweNumber.HIBERNATE_INJECTION;
             case "unsafe-readline":
-                return 0000; // unsafe readline
+                return CweNumber.DONTCARE;
             case "reflection-injection":
-                return 0000; // reflection injection
+                return CweNumber.DONTCARE;
             case "R-XSS":
-                return 79; // XSS
+                return CweNumber.XSS;
             case "XPATH-INJECT":
-                return 643; // XPath injection
+                return CweNumber.XPATH_INJECTION;
             case "DIR-TRAVERSAL":
-                return 22; // path traversal
+                return CweNumber.PATH_TRAVERSAL;
             case "crypto-bad-mac":
-                return 328; // weak hash
+                return CweNumber.WEAK_HASH_ALGO;
             case "crypto-weak-randomness":
-                return 330; // weak random
+                return CweNumber.WEAK_RANDOM;
             case "WEAK-ENC":
-                return 327; // weak encryption
+                return CweNumber.WEAK_CRYPTO_ALGO;
             case "trust-boundary-violation":
-                return 501; // trust boundary
+                return CweNumber.TRUST_BOUNDARY_VIOLATION;
             case "xxe":
-                return 611; // XML Entity Injection
+                return CweNumber.XXE;
             case "WEAK-HASH":
-                return 328;
+                return CweNumber.WEAK_HASH_ALGO;
             case "WEAK-RANDOM-GENERATOR":
-                return 330;
+                return CweNumber.WEAK_RANDOM;
             case "TRUST-BOUNDARY-VIOLATION":
-                return 501;
+                return CweNumber.TRUST_BOUNDARY_VIOLATION;
 
             default:
                 System.out.println(
                         "WARNING: Unmapped Vulnerability category detected: " + checkerKey);
         }
-        return 0;
+        return CweNumber.DONTCARE;
     }
 }
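Review bot: Three pairs of labels in this switch resolve to the same constant but sit far apart (`crypto-bad-mac`/`WEAK-HASH`, `crypto-weak-randomness`/`WEAK-RANDOM-GENERATOR`, `trust-boundary-violation`/`TRUST-BOUNDARY-VIOLATION`); now that the targets are named constants, stacking them as fall-through labels, e.g. `case "WEAK-HASH": case "crypto-bad-mac": return CweNumber.WEAK_HASH_ALGO;`, makes the table easier to audit for drift between the two spellings. The `unsafe-readline` and `reflection-injection` arms lost their trailing comments when `0000` became `CweNumber.DONTCARE`; a short `// no scored benchmark category for this finding` would keep the intent visible, assuming that is the reason, which this diff does not show.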
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SemgrepReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SemgrepReader.java
index 1720cc20..8cc201e9 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SemgrepReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SemgrepReader.java
@@ -54,17 +54,10 @@ public TestSuiteResults parse(ResultFile resultFile) throws Exception {
         return tr;
     }
 
-    private int translate(int cwe) {
-
+    private CweNumber translate(int cwe) {
         switch (cwe) {
-            case 113: // Header injection;
-            case 200: // Information Leak / Disclosure;
-            case 276: // Incorrect Default Permissions;
-            case 352: // CSRF;
-                break; // Don't care - So return CWE 'as is'
-
             case 78:
-                return CweNumber.COMMAND_INJECTION;
+                return CweNumber.OS_COMMAND_INJECTION;
             case 89:
                 return CweNumber.SQL_INJECTION;
             case 90:
@@ -72,16 +65,12 @@ private int translate(int cwe) {
             case 326:
             case 327:
             case 696: // Incorrect Behavior Order
-                return CweNumber.WEAK_CRYPTO_ALGO; // weak encryption
+                return CweNumber.WEAK_CRYPTO_ALGO;
             case 614:
             case 1004:
                 return CweNumber.INSECURE_COOKIE;
-            default:
-                System.out.println(
-                        "INFO: Found following CWE in SemGrep results which we haven't seen before: "
-                                + cwe);
         }
-        return cwe;
+        return CweNumber.lookup(cwe);
     }
 
     private TestCaseResult parseSemgrepFindings(JSONObject result) {
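Review bot: The removed `default:` branch was the only place that reported a Semgrep CWE this reader had not seen before; with it gone, an unfamiliar CWE goes straight into `CweNumber.lookup(cwe)`, and what that does for an unknown number (DONTCARE, a generic constant, or an exception) is not visible in this diff. If lookup is lenient, new rule CWEs will silently score as don't-care, which is exactly what the old INFO line existed to surface, so consider keeping `default: System.out.println("INFO: Unmapped Semgrep CWE: " + cwe);` ahead of the lookup. The 113/200/276/352 pass-through cases dropped in the preceding hunk presumably rely on the same lookup.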
@@ -199,9 +188,11 @@ private TestCaseResult parseSemgrepFindings(JSONObject result) {
                 JSONObject metadata = extra.getJSONObject("metadata");
 
                 // CWE
-                int cwe = Integer.parseInt(metadata.getString("cwe").split(":")[0].split("-")[1]);
+                CweNumber cwe = CweNumber.DONTCARE;
                 try {
-                    cwe = translate(cwe);
+                    int cweNumber =
+                            Integer.parseInt(metadata.getString("cwe").split(":")[0].split("-")[1]);
+                    cwe = translate(cweNumber);
                 } catch (NumberFormatException ex) {
                     System.out.println("CWE # not parseable from: " + metadata.getString("cwe"));
                 }
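Review bot: Moving the parse inside the `try` only covers `Integer.parseInt`; the `.split(":")[0].split("-")[1]` indexing throws ArrayIndexOutOfBoundsException when the `cwe` metadata string contains no hyphen, and that is not caught, so one malformed rule entry still aborts the whole parse. Widen it to `catch (NumberFormatException | ArrayIndexOutOfBoundsException ex)` or test for the hyphen before indexing; `metadata.getString("cwe")` may also throw if the key is absent, and whether the surrounding code guards that is outside this hunk. parseSemgrepFindings continues past both ends of the hunk.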
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ShiftLeftReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ShiftLeftReader.java
index 5ef5ad46..ef275c36 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ShiftLeftReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ShiftLeftReader.java
@@ -19,6 +19,7 @@
 
 import java.io.BufferedReader;
 import java.io.FileReader;
+import org.owasp.benchmarkutils.score.CweNumber;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestCaseResult;
 import org.owasp.benchmarkutils.score.TestSuiteResults;
@@ -67,30 +68,30 @@ public TestSuiteResults parse(ResultFile resultFile) throws Exception {
         return tr;
     }
 
-    private int categoryToCWE(String category) {
+    private CweNumber categoryToCWE(String category) {
         switch (category) {
             case "cmdi":
-                return 78;
+                return CweNumber.OS_COMMAND_INJECTION;
             case "crypto":
-                return 327;
+                return CweNumber.WEAK_CRYPTO_ALGO;
             case "hash":
-                return 328;
+                return CweNumber.WEAK_HASH_ALGO;
             case "ldapi":
-                return 90;
+                return CweNumber.LDAP_INJECTION;
             case "pathtraver":
-                return 22;
+                return CweNumber.PATH_TRAVERSAL;
             case "securecookie":
-                return 614;
+                return CweNumber.INSECURE_COOKIE;
             case "sqli":
-                return 89;
+                return CweNumber.SQL_INJECTION;
             case "trustbound":
-                return 501;
+                return CweNumber.TRUST_BOUNDARY_VIOLATION;
             case "weakrand":
-                return 330;
+                return CweNumber.WEAK_RANDOM;
             case "xpathi":
-                return 643;
+                return CweNumber.XPATH_INJECTION;
             case "xss":
-                return 79;
+                return CweNumber.XSS;
             default:
                 throw new RuntimeException("Unknown category: " + category);
         }
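Review bot: The `default` arm still throws `RuntimeException("Unknown category: " + category)`, so a single unrecognised category in a ShiftLeft result file aborts the entire parse, whereas every other reader touched by this patch (Reshift, Seeker, ShiftLeftScan) prints a warning and returns `CweNumber.DONTCARE`. The consistent form would be `default: System.out.println("WARNING: Unknown category: " + category); return CweNumber.DONTCARE;`, unless failing fast is deliberate here, in which case a one-line comment saying so would help the next reader. categoryToCWE's closing brace lies outside this hunk.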
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ShiftLeftScanReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ShiftLeftScanReader.java
index 941b5fb9..df53f718 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ShiftLeftScanReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ShiftLeftScanReader.java
@@ -25,6 +25,7 @@
 import org.json.JSONArray;
 import org.json.JSONObject;
 import org.owasp.benchmarkutils.score.BenchmarkScore;
+import org.owasp.benchmarkutils.score.CweNumber;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestCaseResult;
 import org.owasp.benchmarkutils.score.TestSuiteResults;
@@ -108,7 +109,7 @@ private String filename(JSONObject finding) {
                 .getName();
     }
 
-    private int cweNumber(JSONObject finding) {
+    private CweNumber cweNumber(JSONObject finding) {
         String ruleId = finding.getString("ruleId");
 
         switch (ruleId) {
@@ -116,47 +117,48 @@ private int cweNumber(JSONObject finding) {
             case "PATH_TRAVERSAL_OUT":
             case "PT_RELATIVE_PATH_TRAVERSAL":
             case "PT_ABSOLUTE_PATH_TRAVERSAL":
-                return 22;
+                return CweNumber.PATH_TRAVERSAL;
             case "COMMAND_INJECTION":
-                return 78;
+                return CweNumber.OS_COMMAND_INJECTION;
             case "HTTP_RESPONSE_SPLITTING":
-                return 113;
+                return CweNumber.HTTP_RESPONSE_SPLITTING;
             case "XSS_SERVLET":
             case "HRS_REQUEST_PARAMETER_TO_COOKIE":
             case "XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER":
-                return 79;
+                return CweNumber.XSS;
             case "SQL_INJECTION_JDBC":
             case "SQL_INJECTION_SPRING_JDBC":
             case "SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE":
             case "SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING":
-                return 89;
+                return CweNumber.SQL_INJECTION;
             case "LDAP_INJECTION":
-                return 90;
+                return CweNumber.LDAP_INJECTION;
             case "PADDING_ORACLE":
-                return 209;
+                // FIXME: shouldn't this be 463?
+                return CweNumber.ERROR_MESSAGE_WITH_SENSITIVE_INFO;
             case "DES_USAGE":
             case "CIPHER_INTEGRITY":
-                return 327;
+                return CweNumber.WEAK_CRYPTO_ALGO;
             case "WEAK_MESSAGE_DIGEST_MD5":
             case "WEAK_MESSAGE_DIGEST_SHA1":
-                return 328;
+                return CweNumber.WEAK_HASH_ALGO;
             case "STATIC_IV":
-                return 329;
+                return CweNumber.STATIC_CRYPTO_INIT;
             case "PREDICTABLE_RANDOM":
-                return 330;
+                return CweNumber.WEAK_RANDOM;
             case "TRUST_BOUNDARY_VIOLATION":
-                return 501;
+                return CweNumber.TRUST_BOUNDARY_VIOLATION;
             case "HTTPONLY_COOKIE":
-                return 1004;
+                return CweNumber.COOKIE_WITHOUT_HTTPONLY;
             case "INSECURE_COOKIE":
-                return 614;
+                return CweNumber.INSECURE_COOKIE;
             case "XPATH_INJECTION":
-                return 643;
+                return CweNumber.XPATH_INJECTION;
 
             default:
                 System.out.println(
                         "INFO: Found following ruleId which we haven't seen before: " + ruleId);
-                return -1;
+                return CweNumber.DONTCARE;
         }
     }
 }
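Review bot: `// FIXME: shouldn't this be 463?` commits an open question next to the `PADDING_ORACLE` mapping, and the mapping itself now diverges from the Reshift hunk in this same patch, which sends `Cipher is Susceptible to Padding Oracle` to `CweNumber.WEAK_CRYPTO_ALGO`. As far as I recall CWE-463 is not a cryptographic weakness at all, so the number in the FIXME looks like a typo; decide which constant the benchmark expects for padding-oracle findings, use it in both readers, and replace the FIXME with a `// TODO(#issue)` or a comment recording the decision. The benchmark's expected CWE for its crypto test cases is not visible in this diff.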
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SnappyTickReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SnappyTickReader.java
index 36aec08a..e5b49252 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SnappyTickReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SnappyTickReader.java
@@ -22,6 +22,7 @@
 
 import java.util.List;
 import org.owasp.benchmarkutils.score.BenchmarkScore;
+import org.owasp.benchmarkutils.score.CweNumber;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestCaseResult;
 import org.owasp.benchmarkutils.score.TestSuiteResults;
@@ -78,14 +79,14 @@ public TestSuiteResults parse(ResultFile resultFile) throws Exception {
             List<Node> vulnerabilities = getNamedChildren("Vulnerability", vulnCollect);
             for (Node vulnerability : vulnerabilities) {
                 String cweNum = getAttributeValue("CWE", vulnerability);
-                int findingCWE = cweLookup(cweNum);
+                CweNumber findingCWE = cweLookup(cweNum);
                 // There is a single FindingsList per Vulnerability category
                 Node findingsList = getNamedChild("FindingsList", vulnerability);
                 List<Node> findings = getNamedChildren("Finding", findingsList);
                 for (Node finding : findings) {
                     String filename = getAttributeValue("FileName", finding);
                     String findingName = filename.substring(0, filename.indexOf("."));
-                    if (findingCWE != 0) {
+                    if (!CweNumber.DONTCARE.equals(findingCWE)) {
                         int testNumber = extractTestNumber(findingName);
                         if (testNumber != -1) {
                             TestCaseResult tcr = new TestCaseResult();
@@ -115,40 +116,17 @@ private int extractTestNumber(String testfile) {
         return -1;
     }
 
-    private int cweLookup(String checkerKey) {
-        switch (checkerKey.trim()) {
-            case "1004":
-                return 614; // HTTPOnly Flag Not Set For Cookies:insecure cookie use
-            case "614":
-                return 614; // Cookie not Sent Over SSL:insecure cookie use
-            case "78":
-                return 78; // command injection
-            case "89":
-                return 89; // SQL injection
-            case "755":
-                return 755; // SQL Exception Vulnerability:Info Leak
+    private CweNumber cweLookup(String checkerKey) {
+        String cwe = checkerKey.trim();
+
+        switch (cwe) {
             case "258":
-                return 000; // "Use an empty string as a password"
-            case "20":
-                return 20; // "Input Validation Issue or Input Validation Required"
-            case "79":
-                return 79; // Malicious Scripting Attacks and xss
+                return CweNumber.DONTCARE;
             case "73":
-                return 22; // Path Manipulation: path traversal
             case "538":
-                return 22; // File Disclosure Vulnerability:path traversal
-            case "330":
-                return 330; // Use of java.util.Random generator function:weak random
-            case "327":
-                return 327; // Broken Cryptography or
-                // Weak Encryption Insecure Mode of Operation:weak encryption
-            case "328":
-                return 328; // Broken Hashing algorithm
-            default:
-                System.out.println(
-                        "Found unrecognized vulnerability type in Snappy Tick results: "
-                                + checkerKey);
+                return CweNumber.PATH_TRAVERSAL;
         }
-        return 0;
+
+        return CweNumber.lookup(checkerKey.trim());
     }
 }
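Review bot: This rewrite changes scoring, not just types: the old table folded `"1004"` into 614 (insecure cookie) and logged any CWE it did not recognise, while the new code hands everything except 258/73/538 to `CweNumber.lookup(checkerKey.trim())`, so 1004 presumably now resolves to a separate HttpOnly constant (as the ShiftLeftScan hunk does) and unknown numbers are no longer reported; neither is mentioned in a commit titled as a refactor. If the old collapse was intentional, keep `case "1004": case "614": return CweNumber.INSECURE_COOKIE;` in the switch, and reuse the `cwe` local in the final `lookup(...)` call instead of trimming twice. What `CweNumber.lookup` does with an unknown string is not visible here.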
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SonarQubeJsonReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SonarQubeJsonReader.java
index f0a29e07..2dea2342 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SonarQubeJsonReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SonarQubeJsonReader.java
@@ -127,7 +127,7 @@ private TestCaseResult parseSonarQubeQualityIssue(JSONObject finding) {
                 if (squid == null || squid.equals("none")) {
                     return null;
                 }
-                int cwe = SonarQubeReader.cweLookup(squid);
+                CweNumber cwe = SonarQubeReader.cweLookup(squid);
                 tcr.setCWE(cwe);
                 tcr.setCategory(finding.getJSONArray("tags").toString());
                 tcr.setEvidence(finding.getString("message"));
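Review bot: This file's hunks start using `CweNumber` (here and in the three hunks below, including `CweNumber.DONTCARE` replacing the old `-1`), yet unlike Reshift, Seeker, ShiftLeft, ShiftLeftScan and SnappyTick no import hunk for `org.owasp.benchmarkutils.score.CweNumber` appears for SonarQubeJsonReader. If the class was not already imported the file will not compile, so confirm the import is present above the shown range. parseSonarQubeQualityIssue continues outside this hunk.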
@@ -176,7 +176,7 @@ private TestCaseResult parseSonarQubeHotSpotIssue(JSONObject finding) {
                 if (secCat == null || secCat.equals("none")) {
                     return null;
                 }
-                int cwe = securityCategoryCWELookup(secCat, finding.getString("message"));
+                CweNumber cwe = securityCategoryCWELookup(secCat, finding.getString("message"));
                 tcr.setCWE(cwe);
                 tcr.setCategory(secCat);
                 tcr.setEvidence(
@@ -200,7 +200,7 @@ private TestCaseResult parseSonarQubeHotSpotIssue(JSONObject finding) {
      *            in some findings to move such issues to the 'right' CWE.
      *  As such, we specifically look at the message in some cases to fix the mapping.
      */
-    public int securityCategoryCWELookup(String secCat, String message) {
+    public CweNumber securityCategoryCWELookup(String secCat, String message) {
         // Not sure where to look up all the possible security categories in SonarQube, but the
         // mappings seem obvious enough.
 
@@ -270,7 +270,7 @@ public int securityCategoryCWELookup(String secCat, String message) {
                                 + "'");
         }
 
-        return -1;
+        return CweNumber.DONTCARE;
     }
 
     // This parser relies on the SQUID # mapping method in SonarQubeReader.cweLookup()
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SonarQubeReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SonarQubeReader.java
index 25b34760..ab85552c 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SonarQubeReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SonarQubeReader.java
@@ -175,7 +175,7 @@ private TestCaseResult parseSonarPluginIssue(Node flaw) {
     //    case "Weak Encryption" : return 327;
     //    case "XPath Injection" : return 643;
 
-    public static int cweLookup(String squidNumber) {
+    public static CweNumber cweLookup(String squidNumber) {
         // To look up these #'s, go here: https://rules.sonarsource.com/java/RSPEC-#### and put just
         // the #'s with no leading zeroes to look up the 'squid' rule.
         switch (squidNumber) {
@@ -210,340 +210,270 @@ public static int cweLookup(String squidNumber) {
             case "S135": // Loops should not contain more than a single "break" or "continue"
                 // statement
                 return CweNumber.DONTCARE;
-            case "S864":
-                return CweNumber
-                        .OPERATOR_PRECEDENCE_LOGIC; // Limited dependence should be placed on
-                // operator precedence rules in expressions
-            case "S888":
-                return CweNumber
-                        .LOOP_WITH_UNREACHABLE_EXIT; // Relational operators should be used in "for"
-                // loop termination conditions
-            case "S899":
-                return CweNumber
-                        .IMPROPER_CHECK_FOR_CONDITIONS; // Return values should not be ignored when
-                // they contain the operation status code
-            case "S1066":
-                return CweNumber.DONTCARE; // Collapsible "if" statements should be merged
-            case "S1075":
-                return CweNumber.DONTCARE; // URIs should not be hardcoded
+            case "S864": // Limited dependence should be placed on operator precedence rules in
+                // expressions
+                return CweNumber.OPERATOR_PRECEDENCE_LOGIC;
+            case "S888": // Relational operators should be used in "for" loop termination conditions
+                return CweNumber.LOOP_WITH_UNREACHABLE_EXIT;
+            case "S899": // Return values should not be ignored when they contain the operation
+                // status code
+                return CweNumber.IMPROPER_CHECK_FOR_CONDITIONS;
+            case "S1066": // Collapsible "if" statements should be merged
+                return CweNumber.DONTCARE;
+            case "S1075": // URIs should not be hardcoded
+                return CweNumber.DONTCARE;
             case "S1104": // Class variable fields should not have public accessibility
                 return CweNumber.PUBLIC_VAR_WITHOUT_FINAL;
-            case "S1116":
-                return CweNumber.DONTCARE; // Empty statements should be removed
-            case "S1117":
-                return CweNumber.DONTCARE; // Local variables should not shadow class fields
-            case "S1118":
-                return CweNumber.DONTCARE; // Utility classes should not have public constructors
-            case "S1128":
-                return CweNumber.DONTCARE; // Unnecessary imports should be removed
-            case "S1130":
-                return CweNumber.DONTCARE; // "throws" declarations should not be superfluous
-            case "S1132":
-                return CweNumber
-                        .DONTCARE; // Strings literals should be placed on the left side when
-                // checking for
+            case "S1116": // Empty statements should be removed
+                return CweNumber.DONTCARE;
+            case "S1117": // Local variables should not shadow class fields
+                return CweNumber.DONTCARE;
+            case "S1118": // Utility classes should not have public constructors
+                return CweNumber.DONTCARE;
+            case "S1128": // Unnecessary imports should be removed
+                return CweNumber.DONTCARE;
+            case "S1130": // "throws" declarations should not be superfluous
+                return CweNumber.DONTCARE;
+            case "S1132": // Strings literals should be placed on the left side when checking for
                 // equality
-            case "S1134":
-                return CweNumber.DONTCARE; // Track uses of "FIXME" tags
-            case "S1135":
-                return CweNumber.DONTCARE; // Track uses of "TODO" tags
-            case "S1141":
-                return CweNumber.DONTCARE; // Try-catch blocks should not be nested
-            case "S1143":
-                return CweNumber.RETURN_INSIDE_FINALLY; // "return " statements should not occur in
-                // "finally" blocks
-            case "S1144":
-                return CweNumber.DONTCARE; // Unused "private" methods should be removed
-            case "S1145":
-                return CweNumber
-                        .DONTCARE; // "if" statement conditions should not unconditionally evaluate
-                // to"true" or to"false"
-            case "S1147":
-                return CweNumber.SYSTEM_EXIT; // Exit methods should not be called
-            case "S1149":
-                return CweNumber
-                        .DONTCARE; // Synchronized classes Vector, Hashtable, Stack and StringBuffer
-                // should not be used
-            case "S1155":
-                return CweNumber
-                        .DONTCARE; // Collection.isEmpty() should be used to test for emptiness
-            case "S1161":
-                return CweNumber
-                        .DONTCARE; // "@Override" should be used on overriding and implementing
-                // methods
-            case "S1163":
-                return CweNumber.DONTCARE; // Exceptions should not be thrown in finally blocks
-            case "S1168":
-                return CweNumber
-                        .DONTCARE; // Empty arrays and collections should be returned instead of
-                // null
-            case "S1171":
-                return CweNumber.DONTCARE; // Only static class initializers should be used
-            case "S1172":
-                return CweNumber.DONTCARE; // Unused method parameters should be removed
-            case "S1174":
-                return CweNumber
-                        .FINALIZE_DECLARED_PUBLIC; // "Object.finalize()" should remain protected
+                return CweNumber.DONTCARE;
+            case "S1134": // Track uses of "FIXME" tags
+                return CweNumber.DONTCARE;
+            case "S1135": // Track uses of "TODO" tags
+                return CweNumber.DONTCARE;
+            case "S1141": // Try-catch blocks should not be nested
+                return CweNumber.DONTCARE;
+            case "S1143": // "return " statements should not occur in "finally" blocks
+                return CweNumber.RETURN_INSIDE_FINALLY;
+            case "S1144": // Unused "private" methods should be removed
+                return CweNumber.DONTCARE;
+            case "S1145": // "if" statement conditions should not unconditionally evaluate to"true"
+                // or to"false"
+                return CweNumber.DONTCARE;
+            case "S1147": // Exit methods should not be called
+                return CweNumber.SYSTEM_EXIT;
+            case "S1149": // Synchronized classes Vector, Hashtable, Stack and StringBuffer should
+                // not be used
+                return CweNumber.DONTCARE;
+            case "S1155": // Collection.isEmpty() should be used to test for emptiness
+                return CweNumber.DONTCARE;
+            case "S1161": // "@Override" should be used on overriding and implementing methods
+                return CweNumber.DONTCARE;
+            case "S1163": // Exceptions should not be thrown in finally blocks
+                return CweNumber.DONTCARE;
+            case "S1168": // Empty arrays and collections should be returned instead of null
+                return CweNumber.DONTCARE;
+            case "S1171": // Only static class initializers should be used
+                return CweNumber.DONTCARE;
+            case "S1172": // Unused method parameters should be removed
+                return CweNumber.DONTCARE;
+            case "S1174": // "Object.finalize()" should remain protected
                 // (versus public) when overriding
-            case "S1181":
-                return CweNumber
-                        .CATCH_GENERIC_EXCEPTION; // Throwable and Error should not be caught
-            case "S1182":
-                return CweNumber
-                        .CLONE_WITHOUT_SUPER_CLONE; // Classes that override "clone" should be
-                // "Cloneable" and call "super.clone()"
-            case "S1186":
-                return CweNumber.DONTCARE; // Methods should not be empty
-            case "S1192":
-                return CweNumber.DONTCARE; // String literals should not be duplicated
-            case "S1197":
-                return CweNumber
-                        .DONTCARE; // Array designators "[]" should be on the type, not the variable
-            case "S1199":
-                return CweNumber.DONTCARE; // Nested code blocks should not be used
-            case "S1206":
-                return CweNumber
-                        .OBJECT_MODEL_VIOLATION; // "equals(Object obj)" and"hashCode()" should be
-                // overridden in pairs
-            case "S1210":
-                return CweNumber
-                        .DONTCARE; // "equals(Object obj)" should be overridden along with the
-                // "compareTo(T obj)" method
+                return CweNumber.FINALIZE_DECLARED_PUBLIC;
+            case "S1181": // Throwable and Error should not be caught
+                return CweNumber.CATCH_GENERIC_EXCEPTION;
+            case "S1182": // Classes that override "clone" should be "Cloneable" and call
+                // "super.clone()"
+                return CweNumber.CLONE_WITHOUT_SUPER_CLONE;
+            case "S1186": // Methods should not be empty
+                return CweNumber.DONTCARE;
+            case "S1192": // String literals should not be duplicated
+                return CweNumber.DONTCARE;
+            case "S1197": // Array designators "[]" should be on the type, not the variable
+                return CweNumber.DONTCARE;
+            case "S1199": // Nested code blocks should not be used
+                return CweNumber.DONTCARE;
+            case "S1206": // "equals(Object obj)" and"hashCode()" should be overridden in pairs
+                return CweNumber.OBJECT_MODEL_VIOLATION;
+            case "S1210": // "equals(Object obj)" should be overridden along with the "compareTo(T
+                // obj)" method
+                return CweNumber.DONTCARE;
             case "S1217": // Thread.run() and Runnable.run() should not be called  directly
                 return CweNumber.THREAD_WRONG_CALL;
-            case "S1301":
-                return CweNumber
-                        .DONTCARE; // "switch" statements should have at least 3 "case" clauses
-            case "S1481":
-                return CweNumber.DONTCARE; // Remove this unused "c" local variable.
-            case "S1444":
-                return CweNumber.PUBLIC_STATIC_NOT_FINAL; // "public static" fields should always be
+            case "S1301": // "switch" statements should have at least 3 "case" clauses
+                return CweNumber.DONTCARE;
+            case "S1481": // Remove this unused "c" local variable.
+                return CweNumber.DONTCARE;
+            case "S1444": // "public static" fields should always be
+                return CweNumber.PUBLIC_STATIC_NOT_FINAL;
                 // constant
-            case "S1479":
-                return CweNumber
-                        .DONTCARE; // "switch" statements should not have too many "case" clauses
-            case "S1488":
-                return CweNumber
-                        .DONTCARE; // Local variables should not be declared and then immediately
-                // returned
-                // or thrown
-            case "S1643":
-                return CweNumber.DONTCARE; // Strings should not be concatenated using '+' in a loop
-            case "S1659":
-                return CweNumber
-                        .DONTCARE; // Multiple variables should not be declared on the same line
+            case "S1479": // "switch" statements should not have too many "case" clauses
+                return CweNumber.DONTCARE;
+            case "S1488": // Local variables should not be declared and then immediately returned or
+                // thrown
+                return CweNumber.DONTCARE;
+            case "S1643": // Strings should not be concatenated using '+' in a loop
+                return CweNumber.DONTCARE;
+            case "S1659": // Multiple variables should not be declared on the same line
+                return CweNumber.DONTCARE;
             case "S1696": // "NullPointerException" should not be caught
                 return CweNumber.CATCHING_NULL_POINTER_EXCEPTION;
-            case "S1698":
-                return CweNumber
-                        .OBJECT_REFERENCE_COMPARISON; // Objects should be compared with"equals()"
-            case "S1724":
-                return CweNumber.DONTCARE; // Deprecated classes and interfaces should not be
-                // extended/implemented
-            case "S1850":
-                return CweNumber
-                        .DONTCARE; // "instanceof" operators that always return "true" or"false"
-                // should be
+            case "S1698": // Objects should be compared with"equals()"
+                return CweNumber.OBJECT_REFERENCE_COMPARISON;
+            case "S1724": // Deprecated classes and interfaces should not be extended/implemented
+                return CweNumber.DONTCARE;
+            case "S1850": // "instanceof" operators that always return "true" or"false" should be
                 // removed
-            case "S1854":
-                return CweNumber.UNUSED_VAR_ASSIGNMENT; // Unused assignments should be removed
-            case "S1872":
-                return 486; // Classes should not be compared by name
-            case "S1873":
-                return 582; // "static final" arrays should be"private"
-            case "S1874":
-                return CweNumber.DONTCARE; // "@Deprecated" code should not be used
-            case "S1905":
-                return CweNumber.DONTCARE; // Redundant casts should not be used
-            case "S1948":
-                return 594; // Fields in a"Serializable" class should either be transient or
+                return CweNumber.DONTCARE;
+            case "S1854": // Unused assignments should be removed
+                return CweNumber.UNUSED_VAR_ASSIGNMENT;
+            case "S1872": // Classes should not be compared by name
+                return CweNumber.COMPARISON_BY_CLASS_NAME;
+            case "S1873": // "static final" arrays should be"private"
+                return CweNumber.STATIC_FINAL_ARRAY_IS_PUBLIC;
+            case "S1874": // "@Deprecated" code should not be used
+                return CweNumber.DONTCARE;
+            case "S1905": // Redundant casts should not be used
+                return CweNumber.DONTCARE;
+            case "S1948": // Fields in a"Serializable" class should either be transient or
                 // serializable
-            case "S1989":
-                return 600; // Exceptions should not be thrown from servlet methods
-            case "S2068":
-                return 259; // Credentials should not be hard-coded
-            case "S2070":
-                return CweNumber.WEAK_HASH_ALGO; // Benchmark Vuln: SHACweNumber.DONTCARE and
-                // Message-Digest hash
+                return CweNumber.SAVING_UNSERIALIZABLE_OBJECT_TO_DISK;
+            case "S1989": // Exceptions should not be thrown from servlet methods
+                return CweNumber.UNCAUGHT_EXCEPTION_IN_SERVLET;
+            case "S2068": // Credentials should not be hard-coded
+                return CweNumber.HARDCODED_PASSWORD;
+            case "S2070": // Benchmark Vuln: SHACweNumber.DONTCARE and Message-Digest hash
                 // algorithms should not be used
-            case "S2076":
-                return CweNumber
-                        .COMMAND_INJECTION; // Benchmark Vuln: Values passed to OS commands should
-                // be sanitized
-            case "S2077":
-                return CweNumber
-                        .SQL_INJECTION; // Benchmark Vuln: Values passed to SQL commands should be
-                // sanitized
-            case "S2078":
-                return CweNumber
-                        .LDAP_INJECTION; // Benchmark Vuln: Values passed to LDAP queries should be
-                // sanitized
-            case "S2083":
-                return CweNumber.PATH_TRAVERSAL; // Benchmark Vuln: I/O function calls should not be
-                // vulnerable to path injection attacks
-            case "S2089":
-                return 293; // HTTP referers should not be relied on
-            case "S2091":
-                return CweNumber.XPATH_INJECTION; // Benchmark Vuln: XPath expressions should not be
-                // vulnerable to injection attacks
-            case "S2092":
-                return CweNumber.INSECURE_COOKIE; // Benchmark Vuln: Cookies should be "secure"
-            case "S2093":
-                return CweNumber.DONTCARE; // Try-with-resources should be used
-            case "S2095":
-                return 459; // Resources should be closed
-            case "S2115":
-                return 521; // Secure password should be used when connecting to a database
-            case "S2130":
-                return CweNumber
-                        .DONTCARE; // Parsing should be used to convert "Strings" to primitives
-            case "S2147":
-                return CweNumber.DONTCARE; // Catches should be combined
-            case "S2157":
-                return CweNumber.DONTCARE; // "Cloneables" should implement "clone"
-            case "S2160":
-                return CweNumber.DONTCARE; // Subclasses that add fields should override "equals"
-            case "S2176":
-                return CweNumber
-                        .DONTCARE; // Class names should not shadow interfaces or superclasses
-            case "S2178":
-                return CweNumber.DONTCARE; // Short-circuit logic should be used in boolean contexts
-            case "S2184":
-                return 190; // Math operands should be cast before assignment
-            case "S2222":
-                return 459; // Locks should be released
-            case "S2225":
-                return 476; // "toString()" and"clone()" methods should not return null
-            case "S2245":
-                return CweNumber
-                        .WEAK_RANDOM; // Benchmark Vuln: Pseudorandom number generators (PRNGs)
-                // should not be used in secure contexts
-            case "S2254":
-                return CweNumber
-                        .DONTCARE; // "HttpServletRequest.getRequestedSessionId()" should not be
-                // used
-            case "S2257":
-                return CweNumber
-                        .WEAK_CRYPTO_ALGO; // Benchmark Vuln: Only standard cryptographic algorithms
-                // should be used
-            case "S2259":
-                return 476; // Null pointers should not be dereferenced
-            case "S2275":
-                return CweNumber
-                        .DONTCARE; // Printf-style format strings should not lead to unexpected
-                // behavior
-                // at runtime
+                return CweNumber.WEAK_HASH_ALGO;
+            case "S2076": // Benchmark Vuln: Values passed to OS commands should be sanitized
+                return CweNumber.OS_COMMAND_INJECTION;
+            case "S2077": // Benchmark Vuln: Values passed to SQL commands should be sanitized
+                return CweNumber.SQL_INJECTION;
+            case "S2078": // Benchmark Vuln: Values passed to LDAP queries should be sanitized
+                return CweNumber.LDAP_INJECTION;
+            case "S2083": // Benchmark Vuln: I/O function calls should not be vulnerable to path
+                // injection attacks
+                return CweNumber.PATH_TRAVERSAL;
+            case "S2089": // HTTP referers should not be relied on
+                return CweNumber.REFERER_FIELD_IN_AUTHENTICATION;
+            case "S2091": // Benchmark Vuln: XPath expressions should not be vulnerable to injection
+                // attacks
+                return CweNumber.XPATH_INJECTION;
+            case "S2092": // Benchmark Vuln: Cookies should be "secure"
+                return CweNumber.INSECURE_COOKIE;
+            case "S2093": // Try-with-resources should be used
+                return CweNumber.DONTCARE;
+            case "S2095": // Resources should be closed
+                return CweNumber.INCOMPLETE_CLEANUP;
+            case "S2115": // Secure password should be used when connecting to a database
+                return CweNumber.WEAK_PASSWORD_REQUIREMENTS;
+            case "S2130": // Parsing should be used to convert "Strings" to primitives
+                return CweNumber.DONTCARE;
+            case "S2147": // Catches should be combined
+                return CweNumber.DONTCARE;
+            case "S2157": // "Cloneables" should implement "clone"
+                return CweNumber.DONTCARE;
+            case "S2160": // Subclasses that add fields should override "equals"
+                return CweNumber.DONTCARE;
+            case "S2176": // Class names should not shadow interfaces or superclasses
+                return CweNumber.DONTCARE;
+            case "S2178": // Short-circuit logic should be used in boolean contexts
+                return CweNumber.DONTCARE;
+            case "S2184": // Math operands should be cast before assignment
+                return CweNumber.INTEGER_OVERFLOW_WRAPAROUND;
+            case "S2222": // Locks should be released
+                return CweNumber.INCOMPLETE_CLEANUP;
+            case "S2225": // "toString()" and"clone()" methods should not return null
+                return CweNumber.NULL_POINTER_DEREFERENCE;
+            case "S2245": // Benchmark Vuln: Pseudorandom number generators (PRNGs) should not be
+                // used in secure contexts
+                return CweNumber.WEAK_RANDOM;
+            case "S2254": // "HttpServletRequest.getRequestedSessionId()" should not be used
+                return CweNumber.DONTCARE;
+            case "S2257": // Benchmark Vuln: Only standard cryptographic algorithms should be used
+                return CweNumber.WEAK_CRYPTO_ALGO;
+            case "S2259": // Null pointers should not be dereferenced
+                return CweNumber.NULL_POINTER_DEREFERENCE;
+            case "S2275": // Printf-style format strings should not lead to unexpected behavior at
+                // runtime
+                return CweNumber.DONTCARE;
             case "S2277":
-                return 780; // Cryptographic RSA algorithms should always incorporate OAEP (Optimal
-                // Asymmetric Encryption Padding)
-            case "S2278":
-                return CweNumber
-                        .WEAK_CRYPTO_ALGO; // Benchmark Vuln: DES (Data Encryption Standard) and
-                // DESede
-                // (3DES) should not be used
-            case "S2293":
-                return CweNumber.DONTCARE; // The diamond operator ("<>") should be used
-            case "S2384":
-                return 374; // Mutable members should not be stored or returned directly
-            case "S2386":
-                return 607; // Mutable fields should not be "public static"
-            case "S2441":
-                return 579; // Non-serializable objects should not be stored in"HttpSessions"
-            case "S2479":
-                return CweNumber
-                        .DONTCARE; // Whitespace and control characters in literals should be
-                // explicit
-            case "S2583":
-                return 489; // Conditions should not unconditionally evaluate to"TRUE" or to"FALSE"
-            case "S2589":
-                return CweNumber
-                        .DONTCARE; // Boolean expressions should not be gratuitous - CWEs: 570/571
-            case "S2658":
-                return 470; // Use of Externally-Controlled Input to Select Classes or Code ('Unsafe
+                return CweNumber.RSA_MISSING_PADDING; // Cryptographic RSA algorithms should always
+                // incorporate OAEP (Optimal Asymmetric Encryption
+                // Padding)
+            case "S2278": // Benchmark Vuln: DES (Data Encryption Standard) and DESede (3DES) should
+                // not be used
+                return CweNumber.WEAK_CRYPTO_ALGO;
+            case "S2293": // The diamond operator ("<>") should be used
+                return CweNumber.DONTCARE;
+            case "S2384": // Mutable members should not be stored or returned directly
+                return CweNumber.PASS_MUTABLE_OBJECT_TO_UNTRUSTED_MODULE;
+            case "S2386": // Mutable fields should not be "public static"
+                return CweNumber.PUBLIC_STATIC_FINAL_MUTABLE_OBJECT;
+            case "S2441": // Non-serializable objects should not be stored in"HttpSessions"
+                return CweNumber.NON_SERIALIZABLE_OBJECT_IN_SESSION;
+            case "S2479": // Whitespace and control characters in literals should be explicit
+                return CweNumber.DONTCARE;
+            case "S2583": // Conditions should not unconditionally evaluate to"TRUE" or to"FALSE"
+                return CweNumber.ACTIVE_DEBUG_CODE;
+            case "S2589": // Boolean expressions should not be gratuitous - CWEs: 570/571
+                return CweNumber.DONTCARE;
+            case "S2658": // Use of Externally-Controlled Input to Select Classes or Code ('Unsafe
                 // Reflection')
-            case "S2677":
-                return CweNumber.DONTCARE; // "read" and "readLine" return values should be used
-            case "S2681":
-                return 483; // Multiline blocks should be enclosed in curly braces
+                return CweNumber.UNSAFE_REFLECTION;
+            case "S2677": // "read" and "readLine" return values should be used
+                return CweNumber.DONTCARE;
+            case "S2681": // Multiline blocks should be enclosed in curly braces
+                return CweNumber.INCORRECT_BLOCK_DELIMITATION;
             case "S2696":
                 return CweNumber.DONTCARE; // Instance methods should not write to "static" fields
             case "S2755":
                 return CweNumber.XXE; // XML parsers should not be vulnerable to XXE attacks
             case "S2786":
                 return CweNumber.DONTCARE; // Nested "enum"s should not be declared static
-            case "S2864":
-                return CweNumber
-                        .DONTCARE; // "entrySet()" should be iterated when both the key and value
-                // are
-                // needed
-            case "S3008":
-                return CweNumber
-                        .DONTCARE; // Static non-final field names should comply with a naming
-                // convention
-            case "S3012":
-                return CweNumber.DONTCARE; // Arrays should not be copied using loops
-            case "S3400":
-                return CweNumber.DONTCARE; // Methods should not return constants
-            case "S3518":
-                return 369; // Zero should not be a possible denominator
-            case "S3599":
-                return CweNumber.DONTCARE; // Double Brace Initialization should not be used
-            case "S3626":
-                return CweNumber.DONTCARE; // Jump statements should not be redundant
-            case "S3649":
-                return CweNumber
-                        .SQL_INJECTION; // Database queries should not be vulnerable to injection
-                // attacks
-            case "S3740":
-                return CweNumber.DONTCARE; // Raw types should not be used
-            case "S3776":
-                return CweNumber.DONTCARE; // Cognitive Complexity of methods should not be too high
-            case "S3824":
-                return CweNumber
-                        .DONTCARE; // "Map.get" and value test should be replaced with single method
-                // call
-            case "S3973":
-                return CweNumber
-                        .DONTCARE; // A conditionally executed single line should be denoted by
-                // indentation
-            case "S4042":
-                return CweNumber.DONTCARE; // "java.nio.Files#delete" should be preferred
-            case "S4435":
-                return CweNumber.XXE; // XML transformers should be secured
-            case "S4488":
-                return CweNumber
-                        .DONTCARE; // Composed "@RequestMapping" variants should be preferred
-            case "S4719":
-                return CweNumber.DONTCARE; // "StandardCharsets" constants should be preferred
-            case "S4838":
-                return CweNumber
-                        .DONTCARE; // An iteration on a Collection should be performed on the type
-                // handled
-                // by the Collection
+            case "S2864": // "entrySet()" should be iterated when both the key and value are needed
+                return CweNumber.DONTCARE;
+            case "S3008": // Static non-final field names should comply with a naming convention
+                return CweNumber.DONTCARE;
+            case "S3012": // Arrays should not be copied using loops
+                return CweNumber.DONTCARE;
+            case "S3400": // Methods should not return constants
+                return CweNumber.DONTCARE;
+            case "S3518": // Zero should not be a possible denominator
+                return CweNumber.DIVISION_BY_ZERO;
+            case "S3599": // Double Brace Initialization should not be used
+                return CweNumber.DONTCARE;
+            case "S3626": // Jump statements should not be redundant
+                return CweNumber.DONTCARE;
+            case "S3649": // Database queries should not be vulnerable to injection attacks
+                return CweNumber.SQL_INJECTION;
+            case "S3740": // Raw types should not be used
+                return CweNumber.DONTCARE;
+            case "S3776": // Cognitive Complexity of methods should not be too high
+                return CweNumber.DONTCARE;
+            case "S3824": // "Map.get" and value test should be replaced with single method call
+                return CweNumber.DONTCARE;
+            case "S3973": // A conditionally executed single line should be denoted by indentation
+                return CweNumber.DONTCARE;
+            case "S4042": // "java.nio.Files#delete" should be preferred
+                return CweNumber.DONTCARE;
+            case "S4435": // XML transformers should be secured
+                return CweNumber.XXE;
+            case "S4488": // Composed "@RequestMapping" variants should be preferred
+                return CweNumber.DONTCARE;
+            case "S4719": // "StandardCharsets" constants should be preferred
+                return CweNumber.DONTCARE;
+            case "S4838": // An iteration on a Collection should be performed on the type handled by
+                // the Collection
+                return CweNumber.DONTCARE;
             case "S5131": // Endpoints should not be vulnerable to reflected cross-site scripting
                 // (XSS) attacks
                 return CweNumber.XSS;
-            case "S5261":
-                return CweNumber
-                        .DONTCARE; // "else" statements should be clearly matched with an "if"
-            case "S5361":
-                return CweNumber
-                        .DONTCARE; // "String#replace" should be preferred to "String#replaceAll"
-            case "S5542":
-                return CweNumber
-                        .WEAK_CRYPTO_ALGO; // Benchmark Vuln: Encryption algorithms should be used
-                // with
-                // secure mode and padding scheme
-            case "S5547":
-                return CweNumber
-                        .WEAK_CRYPTO_ALGO; // Benchmark Vuln: Cipher algorithms should be robust
-
+            case "S5261": // "else" statements should be clearly matched with an "if"
+                return CweNumber.DONTCARE;
+            case "S5361": // "String#replace" should be preferred to "String#replaceAll"
+                return CweNumber.DONTCARE;
+            case "S5542": // Benchmark Vuln: Encryption algorithms should be used with secure mode
+                // and padding scheme
+                return CweNumber.WEAK_CRYPTO_ALGO;
+            case "S5547": // Benchmark Vuln: Cipher algorithms should be robust
+                return CweNumber.WEAK_CRYPTO_ALGO;
             case "CallToDeprecatedMethod":
             case "ClassVariableVisibilityCheck":
-            case "DuplicatedBlocks":
+            case "DuplicatedBlocks": // Not sure why these are being returned instead of an S####
+                // value
             case "SwitchLastCaseIsDefaultCheck":
-                return CweNumber.DONTCARE; // Not sure why these are being returned instead of an
-                // S#### value
+                return CweNumber.DONTCARE;
             default:
                 System.out.println(
                         "SonarQubeReader: Unknown squid number: "
@@ -551,6 +481,6 @@ public static int cweLookup(String squidNumber) {
                                 + " has no CWE mapping.");
         }
 
-        return -1;
+        return CweNumber.DONTCARE;
     }
 }
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SourceMeterReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SourceMeterReader.java
index 21f97804..0390a626 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SourceMeterReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SourceMeterReader.java
@@ -17,6 +17,7 @@
  */
 package org.owasp.benchmarkutils.score.parsers;
 
+import org.owasp.benchmarkutils.score.CweNumber;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestCaseResult;
 import org.owasp.benchmarkutils.score.TestSuiteResults;
@@ -93,18 +94,18 @@ private TestCaseResult parseSourceMeterItem(String vuln, String file) throws Exc
         return null;
     }
 
-    private static int cweLookup(String vuln) {
+    private static CweNumber cweLookup(String vuln) {
         switch (vuln) {
                 //        case "insecure-cookie":
                 //            return 614; // insecure cookie use
             case "SQL Injection":
-                return 89; // sql injection
+                return CweNumber.SQL_INJECTION;
             case "Command Injection":
-                return 78; // command injection
+                return CweNumber.OS_COMMAND_INJECTION;
             case "LDAP Injection":
-                return 90; // ldap injection
+                return CweNumber.LDAP_INJECTION;
             case "HTTP Response Splitting":
-                return 113; // header injection
+                return CweNumber.HTTP_RESPONSE_SPLITTING;
                 //        case "hql-injection":
                 //            return 0000; // hql injection
                 //        case "unsafe-readline":
@@ -112,11 +113,11 @@ private static int cweLookup(String vuln) {
                 //        case "reflection-injection":
                 //            return 0000; // reflection injection
             case "Cross-site Scripting":
-                return 79; // xss
+                return CweNumber.XSS;
                 //        case "xpath-injection":
                 //            return 643; // xpath injection
             case "Path Traversal":
-                return 22; // path traversal
+                return CweNumber.PATH_TRAVERSAL;
                 //        case "crypto-bad-mac":
                 //            return 328; // weak hash
                 //        case "crypto-weak-randomness":
@@ -128,6 +129,6 @@ private static int cweLookup(String vuln) {
                 //        case "xxe":
                 //            return 611; // xml entity
         }
-        return 0;
+        return CweNumber.DONTCARE;
     }
 }
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ThunderScanReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ThunderScanReader.java
index 79aad119..d9ed21c7 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ThunderScanReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ThunderScanReader.java
@@ -86,7 +86,8 @@ private String lineNumber(Report.VulnerabilityType.Vulnerability vulnerability)
 
     private boolean resultsInCwe(
             Report.VulnerabilityType vulnerabilityType, Report.VulnerabilityType.Vulnerability v) {
-        return figureCwe(vulnerabilityType.name, v.function, v.filename) != -1;
+        return !CweNumber.DONTCARE.equals(
+                figureCwe(vulnerabilityType.name, v.function, v.filename));
     }
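Review bot: `CweNumber` is an enum, so the new `!CweNumber.DONTCARE.equals(figureCwe(...))` in resultsInCwe is more simply written as `return figureCwe(vulnerabilityType.name, v.function, v.filename) != CweNumber.DONTCARE;` — enum constants are singletons and reference comparison is the idiom. figureCwe prints an INFO line in its default branch (a later hunk of this file), so if the caller also invokes figureCwe to obtain the value after this predicate, unmapped types are logged twice; that was the case before the change as well, but a comment would make it clearly intentional.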
 
     private boolean isBenchmarkTest(String filename) {
@@ -97,7 +98,7 @@ private boolean isRealVulnerability(String function) {
         return !function.matches("/printStackTrace|Cookie$|getMessage$/");
     }
 
-    private int figureCwe(String type, String function, String filename) {
+    private CweNumber figureCwe(String type, String function, String filename) {
         switch (type) {
             case "SQL Injection":
                 return CweNumber.SQL_INJECTION;
@@ -105,7 +106,7 @@ private int figureCwe(String type, String function, String filename) {
             case "File Manipulation":
                 return CweNumber.PATH_TRAVERSAL;
             case "Command Execution":
-                return CweNumber.COMMAND_INJECTION;
+                return CweNumber.OS_COMMAND_INJECTION;
             case "Cross Site Scripting":
                 return CweNumber.XSS;
             case "LDAP Injection":
@@ -133,14 +134,14 @@ private int figureCwe(String type, String function, String filename) {
                     return CweNumber.INSECURE_COOKIE;
                 }
 
-                return -1;
+                return CweNumber.DONTCARE;
             case "JSP Page Execution":
             case "Dangerous File Extensions":
             case "Arbitrary Server Connection":
             case "Log Forging":
             case "Mail Relay":
             case "HTTP Response Splitting":
-                return -1;
+                return CweNumber.DONTCARE;
             default:
                 System.out.println(
                         "INFO: Unable to figure out cwe for: "
@@ -149,7 +150,7 @@ private int figureCwe(String type, String function, String filename) {
                                 + function
                                 + " @ "
                                 + filename);
-                return -1;
+                return CweNumber.DONTCARE;
         }
     }
 
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/VeracodeReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/VeracodeReader.java
index c052ccc7..ffe6002f 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/VeracodeReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/VeracodeReader.java
@@ -23,6 +23,7 @@
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import org.owasp.benchmarkutils.score.BenchmarkScore;
+import org.owasp.benchmarkutils.score.CweNumber;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestCaseResult;
 import org.owasp.benchmarkutils.score.TestSuiteResults;
@@ -137,11 +138,18 @@ private TestCaseResult parseVeracodeVulnerability(Node flaw) {
         return null;
     }
 
-    private int translate(int cwe) {
-        if (cwe == 73) return 22;
-        if (cwe == 80) return 79;
-        if (cwe == 331) return 330;
-        if (cwe == 91) return 643;
-        return cwe;
+    private CweNumber translate(int cwe) {
+        switch (cwe) {
+            case 73:
+                return CweNumber.PATH_TRAVERSAL;
+            case 80:
+                return CweNumber.XSS;
+            case 91:
+                return CweNumber.XPATH_INJECTION;
+            case 331:
+                return CweNumber.WEAK_RANDOM;
+        }
+
+        return CweNumber.lookup(cwe);
     }
 }
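Review bot: translate() changes behaviour for CWE ids outside its four cases: the old code returned the raw `cwe` integer unchanged, whereas the new code delegates to `CweNumber.lookup(cwe)`, whose result for numbers with no enum constant is not visible in this diff. A short Javadoc would make the contract explicit, e.g. `/** Maps Veracode CWE ids onto CweNumber, folding the Veracode-specific variants (73->22, 80->79, 91->643, 331->330) onto the canonical constant; all others go through CweNumber.lookup. */`. Stylistically the trailing `return CweNumber.lookup(cwe);` belongs in a `default:` branch of the switch so the fallback sits next to the cases it complements.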
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/VisualCodeGrepperReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/VisualCodeGrepperReader.java
index aa897511..f5e05541 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/VisualCodeGrepperReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/VisualCodeGrepperReader.java
@@ -106,7 +106,7 @@ private TestCaseResult parseVisualCodeGrepperIssue(Node n) {
         return null;
     }
 
-    private int figureCWE(TestCaseResult tcr, Node catnode) {
+    private CweNumber figureCWE(TestCaseResult tcr, Node catnode) {
         String cat = null;
         if (catnode != null) {
             cat = catnode.getTextContent();
@@ -131,7 +131,7 @@ private int figureCWE(TestCaseResult tcr, Node catnode) {
 
                 // Command injection
             case "java.lang.Runtime.exec Gets Path from Variable":
-                return CweNumber.COMMAND_INJECTION;
+                return CweNumber.OS_COMMAND_INJECTION;
 
                 // XPath Injection
             case "FileInputStream":
@@ -161,7 +161,8 @@ private int figureCWE(TestCaseResult tcr, Node catnode) {
                 return CweNumber.TRUST_BOUNDARY_VIOLATION;
 
             default:
-                return 00; // System.out.println( "Unknown vuln category for VisualCodeGrepper: " +
+                return CweNumber.DONTCARE; // System.out.println( "Unknown vuln category for
+                // VisualCodeGrepper: " +
                 // cat );
         }
     }
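Review bot: The `default` branch now carries a commented-out `System.out.println` wrapped across three comment lines (`// System.out.println( "Unknown vuln category for` / `// VisualCodeGrepper: " +` / `// cat );`), which is dead code that the reformat made harder to read rather than easier. Either delete it or replace it with a one-line why-comment, e.g. `default: // unmapped VisualCodeGrepper category; scored as DONTCARE` followed by `return CweNumber.DONTCARE;`. figureCWE's signature and the earlier cases are outside this hunk.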
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/W3AFReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/W3AFReader.java
index 55db6164..e443b567 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/W3AFReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/W3AFReader.java
@@ -89,8 +89,7 @@ private TestCaseResult parseW3AFIssue(Node flaw) {
         tcr.setEvidence(severity + "::" + description);
 
         String name = getAttributeValue("name", flaw);
-        int cwe = cweLookup(name);
-        tcr.setCWE(cwe);
+        tcr.setCWE(cweLookup(name));
 
         String uri = getAttributeValue("url", flaw);
         String testfile = uri.substring(uri.lastIndexOf('/') + 1);
@@ -113,9 +112,9 @@ private TestCaseResult parseW3AFIssue(Node flaw) {
         return null;
     }
 
-    private int cweLookup(String name) {
+    private CweNumber cweLookup(String name) {
         if (name == null || name.isEmpty()) {
-            return 0000;
+            return CweNumber.DONTCARE;
         }
         switch (name) {
             case "Cross site scripting vulnerability":
@@ -137,6 +136,6 @@ private int cweLookup(String name) {
                 //        case "trust-boundary-violation"  :  return 501;  // trust boundary
                 //        case "xxe"                       :  return 611;  // xml entity
         }
-        return 0000;
+        return CweNumber.DONTCARE;
     }
 }
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/WapitiJsonReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/WapitiJsonReader.java
index f19bfef6..0ecc10c1 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/WapitiJsonReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/WapitiJsonReader.java
@@ -26,6 +26,7 @@
 import org.json.JSONArray;
 import org.json.JSONObject;
 import org.owasp.benchmarkutils.score.BenchmarkScore;
+import org.owasp.benchmarkutils.score.CweNumber;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestCaseResult;
 import org.owasp.benchmarkutils.score.TestSuiteResults;
@@ -51,36 +52,38 @@ public TestSuiteResults parse(ResultFile resultFile) throws Exception {
 
         JSONObject vulnerabilities = resultFile.json().getJSONObject("vulnerabilities");
 
-        Map<String, Integer> categoryCweMap = new HashMap<>();
+        Map<String, CweNumber> categoryCweMap = new HashMap<>();
 
-        categoryCweMap.put("CRLF Injection", 93);
-        categoryCweMap.put("Cross Site Request Forgery", 352);
-        categoryCweMap.put("Command execution", 78); // aka command injection
-        categoryCweMap.put("Path Traversal", 22);
-        categoryCweMap.put("Secure Flag cookie", 614);
-        categoryCweMap.put("Blind SQL Injection", 89);
-        categoryCweMap.put("SQL Injection", 89);
-        categoryCweMap.put("Cross Site Scripting", 79);
-        categoryCweMap.put("XML External Entity", 611);
+        categoryCweMap.put("CRLF Injection", CweNumber.CRLF_INJECTION);
+        categoryCweMap.put("Cross Site Request Forgery", CweNumber.CSRF);
+        categoryCweMap.put("Command execution", CweNumber.OS_COMMAND_INJECTION);
+        categoryCweMap.put("Path Traversal", CweNumber.PATH_TRAVERSAL);
+        categoryCweMap.put("Secure Flag cookie", CweNumber.INSECURE_COOKIE);
+        categoryCweMap.put("Blind SQL Injection", CweNumber.SQL_INJECTION);
+        categoryCweMap.put("SQL Injection", CweNumber.SQL_INJECTION);
+        categoryCweMap.put("Cross Site Scripting", CweNumber.XSS);
+        categoryCweMap.put("XML External Entity", CweNumber.XXE);
 
         // Add others we don't currently care about, to make sure that all findings are considered,
         // and no new finding types are ignored
         // It is possible we'd care about some of these in the future
-        categoryCweMap.put("Content Security Policy Configuration", 1021);
-        categoryCweMap.put("Open Redirect", 601);
-        categoryCweMap.put("Server Side Request Forgery", 918);
-        categoryCweMap.put("Backup file", 0);
-        categoryCweMap.put("Fingerprint web application framework", 0);
-        categoryCweMap.put("Fingerprint web server", 0);
-        categoryCweMap.put("Htaccess Bypass", 0);
-        categoryCweMap.put("HTTP Secure Headers", 0);
-        categoryCweMap.put("HttpOnly Flag cookie", 1004);
-        categoryCweMap.put("Potentially dangerous file", 0);
-        categoryCweMap.put("Weak credentials", 0);
-
-        for (Map.Entry<String, Integer> entry : categoryCweMap.entrySet()) {
+        categoryCweMap.put(
+                "Content Security Policy Configuration",
+                CweNumber.IMPROPER_RESTRICTION_OF_UI_LAYERS);
+        categoryCweMap.put("Open Redirect", CweNumber.OPEN_REDIRECT);
+        categoryCweMap.put("Server Side Request Forgery", CweNumber.SERVER_SIDE_REQUEST_FORGERY);
+        categoryCweMap.put("Backup file", CweNumber.DONTCARE);
+        categoryCweMap.put("Fingerprint web application framework", CweNumber.DONTCARE);
+        categoryCweMap.put("Fingerprint web server", CweNumber.DONTCARE);
+        categoryCweMap.put("Htaccess Bypass", CweNumber.DONTCARE);
+        categoryCweMap.put("HTTP Secure Headers", CweNumber.DONTCARE);
+        categoryCweMap.put("HttpOnly Flag cookie", CweNumber.COOKIE_WITHOUT_HTTPONLY);
+        categoryCweMap.put("Potentially dangerous file", CweNumber.DONTCARE);
+        categoryCweMap.put("Weak credentials", CweNumber.DONTCARE);
+
+        for (Map.Entry<String, CweNumber> entry : categoryCweMap.entrySet()) {
             String category = entry.getKey();
-            Integer cwe = entry.getValue();
+            CweNumber cwe = entry.getValue();
 
             // The following gets all the vulnerabilities reported for the specified category
             // JSONArray arr = vulnerabilities.getJSONArray(category);
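Review bot: The category-to-CweNumber table is rebuilt inside parse() on every call; now that the value type is a fixed enum it is a natural `private static final Map<String, CweNumber>` (for example built with `Map.ofEntries(...)`), which also keeps the mapping in one place instead of interleaved with the parsing loop. The enclosing parse() method and the loop body continue outside this hunk.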
@@ -110,7 +113,7 @@ public TestSuiteResults parse(ResultFile resultFile) throws Exception {
         return tr;
     }
 
-    private static TestCaseResult parseTestCaseResult(JSONObject finding, Integer cwe) {
+    private static TestCaseResult parseTestCaseResult(JSONObject finding, CweNumber cwe) {
         try {
             String filename = getFilenameFromFinding(finding);
 
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/WapitiReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/WapitiReader.java
index aa66c733..f1f9aedc 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/WapitiReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/WapitiReader.java
@@ -76,7 +76,7 @@ public TestSuiteResults parse(ResultFile resultFile) throws Exception {
             // type
 
             // First, get the CWE for all these entries
-            int cwe = getCWE(vuln);
+            CweNumber cwe = getCWE(vuln);
 
             // Then process each entry
             Node entriesNode = getNamedChild("entries", vuln);
@@ -106,47 +106,17 @@ public TestSuiteResults parse(ResultFile resultFile) throws Exception {
     }
 
     // Parse the CWE # out of the references included with the vuln
-    private int getCWE(Node vuln) {
-        int cwe = -1;
+    private CweNumber getCWE(Node vuln) {
+        CweNumber cwe = CweNumber.DONTCARE;
         Node refs = getNamedChild("references", vuln);
         List<Node> references = getNamedChildren("reference", refs);
         for (Node ref : references) {
             String title = getNamedChild("title", ref).getTextContent();
             if (title.startsWith("CWE-")) {
                 String cweNum = title.substring("CWE-".length(), title.indexOf(":"));
-                cwe = cweLookup(cweNum);
+                cwe = CweNumber.lookup(cweNum);
             }
         }
         return cwe;
     }
-
-    private int cweLookup(String cwe) {
-        switch (cwe) {
-            case "22":
-                return CweNumber.PATH_TRAVERSAL;
-            case "78":
-                return CweNumber.COMMAND_INJECTION;
-            case "79":
-                return CweNumber.XSS;
-            case "89": // Normal and Blind SQL Injection
-                return CweNumber.SQL_INJECTION;
-            case "352":
-                return CweNumber.CSRF;
-            case "611":
-                return CweNumber.XXE;
-            case "93": // HTTP Response Splitting
-            case "530": // Exposure of Backup file
-            case "538": // Htaccess bypass
-            case "601": // Open Redirect
-            case "798": // Hard Coded credentials
-            case "918": // SSRF
-                return CweNumber.DONTCARE;
-
-                // Note: Wapiti does report Secure Flag not set on cookie findings, but doesn't
-                // report the specific page. Only the entire web app.
-            default:
-                System.out.println("WARNING: Wapiti-Unmapped CWE number: " + cwe);
-        }
-        return -1;
-    }
 }
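Review bot: Replacing the local cweLookup with `CweNumber.lookup(cweNum)` in getCWE changes what Wapiti findings resolve to, and the diff does not show lookup's table: the deleted method deliberately returned DONTCARE for CWE-93, 530, 538, 601, 798 and 918 and printed `WARNING: Wapiti-Unmapped CWE number` for anything else, while this same commit maps CRLF injection, open redirect and SSRF to `CRLF_INJECTION`, `OPEN_REDIRECT` and `SERVER_SIDE_REQUEST_FORGERY` in WapitiJsonReader, so the XML reader presumably now yields those constants instead of DONTCARE. If that is intended, a comment on getCWE saying that the enum's own table decides which CWEs are scored would help, and the deleted note that Wapiti reports the cookie Secure-flag finding only for the whole app rather than per page is worth keeping above the method. The unmapped-number warning is gone unless lookup logs one itself.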
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/WebInspectReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/WebInspectReader.java
index d1dacce8..87c9750d 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/WebInspectReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/WebInspectReader.java
@@ -19,6 +19,7 @@
 
 import java.util.List;
 import org.owasp.benchmarkutils.score.BenchmarkScore;
+import org.owasp.benchmarkutils.score.CweNumber;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestCaseResult;
 import org.owasp.benchmarkutils.score.TestSuiteResults;
@@ -84,8 +85,7 @@ private TestCaseResult parseWebInspectIssue(Node flaw) throws Exception {
         Node vulnId = getNamedChild("VulnerabilityID", flaw);
         if (vulnId != null) {
             String vuln = vulnId.getTextContent();
-            int cwe = cweLookup(vuln);
-            tcr.setCWE(cwe);
+            tcr.setCWE(cweLookup(vuln));
         }
 
         String conf = getNamedChild("Severity", flaw).getTextContent();
@@ -112,70 +112,75 @@ private TestCaseResult parseWebInspectIssue(Node flaw) throws Exception {
         return null;
     }
 
-    private int cweLookup(String rule) {
+    private CweNumber cweLookup(String rule) {
         switch (rule) {
             case "810":
-                return 0000; // Poor Error Handling: Unhandled Exception
+                return CweNumber.DONTCARE; // Poor Error Handling: Unhandled Exception
             case "1436":
-                return 0000; // Poor Error Handling: Unhandled Exception
+                return CweNumber.DONTCARE; // Poor Error Handling: Unhandled Exception
             case "1498":
-                return 0000; // Poor Error Handling: Unhandled Exception
+                return CweNumber.DONTCARE; // Poor Error Handling: Unhandled Exception
             case "4720":
-                return 614; // Cookie Security: Cookie Not Sent Over SSL
+                return CweNumber.INSECURE_COOKIE;
             case "4724":
-                return 0000; // Password Management: Unmasked Password Field
+                return CweNumber.DONTCARE; // Password Management: Unmasked Password Field
             case "4725":
-                return 0000; // Server Misconfiguration: SSL Certificate Hostname Discrepancy
+                return CweNumber
+                        .DONTCARE; // Server Misconfiguration: SSL Certificate Hostname Discrepancy
             case "4729":
-                return 0000; // Transport Layer Protection: Insecure Transmission
+                return CweNumber.DONTCARE; // Transport Layer Protection: Insecure Transmission
             case "5546":
-                return 0000; // Compliance Failure: Missing Privacy Policy
+                return CweNumber.DONTCARE; // Compliance Failure: Missing Privacy Policy
             case "5597":
-                return 0000; // Privacy Violation: Autocomplete
+                return CweNumber.DONTCARE; // Privacy Violation: Autocomplete
             case "5649":
-                return 79; // Cross-Site Scripting: Reflected
+                return CweNumber.XSS;
             case "10167":
-                return 0000; // Password Management: Insecure Submission
+                return CweNumber.DONTCARE; // Password Management: Insecure Submission
             case "10210":
-                return 0000; // Access Control: Unprotected Directory
+                return CweNumber.DONTCARE; // Access Control: Unprotected Directory
             case "10237":
-                return 0000; // Privacy Violation: Credit Card Number
+                return CweNumber.DONTCARE; // Privacy Violation: Credit Card Number
             case "10543":
-                return 0000; // Cookie Security: HTTPOnly not Set
+                return CweNumber.DONTCARE; // Cookie Security: HTTPOnly not Set
             case "10655":
-                return 0000; // Application Misconfiguration: Exposure of POST Parameters in GET
+                return CweNumber
+                        .DONTCARE; // Application Misconfiguration: Exposure of POST Parameters in
+                // GET
                 // Request
             case "10825":
-                return 0000; // Privacy Violation: Credit Card Number
+                return CweNumber.DONTCARE; // Privacy Violation: Credit Card Number
             case "10932":
-                return 0000; // Poor Error Handling: Server Error Message
+                return CweNumber.DONTCARE; // Poor Error Handling: Server Error Message
             case "10965":
-                return 0000; // Transport Layer Protection: Insecure Transmission
+                return CweNumber.DONTCARE; // Transport Layer Protection: Insecure Transmission
             case "11293":
-                return 79; // Cross-Frame Scripting
             case "11294":
-                return 79; // Cross-Frame Scripting
+                return CweNumber.XSS;
             case "11299":
-                return 89; // SQL Injection: Blind
+                return CweNumber.SQL_INJECTION;
             case "11306":
-                return 0000; // Server Misconfiguration: Cache Policy
+                return CweNumber.DONTCARE; // Server Misconfiguration: Cache Policy
             case "11359":
-                return 0000; // Server Misconfiguration: Response Headers
+                return CweNumber.DONTCARE; // Server Misconfiguration: Response Headers
             case "11365":
-                return 0000; // Insecure SSL: Missing Http Strict Transport
+                return CweNumber.DONTCARE; // Insecure SSL: Missing Http Strict Transport
             case "11380":
-                return 0000; // Often Misused: Weak SSL Certificate
+                return CweNumber.DONTCARE; // Often Misused: Weak SSL Certificate
             case "11395":
-                return 0000; // Transport Layer Protection: Weak SSL Protocol
+                return CweNumber.DONTCARE; // Transport Layer Protection: Weak SSL Protocol
 
                 //        case "insecure-cookie"           :  return 614;  // insecure cookie use
                 //        case "sql-injection"             :  return 89;   // sql injection
                 //        case "cmd-injection"             :  return 78;   // command injection
                 //        case "ldap-injection"            :  return 90;   // ldap injection
                 //        case "header-injection"          :  return 113;  // header injection
-                //        case "hql-injection"             :  return 0000; // hql injection
-                //        case "unsafe-readline"           :  return 0000; // unsafe readline
-                //        case "reflection-injection"      :  return 0000; // reflection injection
+                //        case "hql-injection"             :  return CweNumber.DONTCARE; // hql
+                // injection
+                //        case "unsafe-readline"           :  return CweNumber.DONTCARE; // unsafe
+                // readline
+                //        case "reflection-injection"      :  return CweNumber.DONTCARE; //
+                // reflection injection
                 //        case "reflected-xss"             :  return 79;   // xss
                 //        case "xpath-injection"           :  return 643;  // xpath injection
                 //        case "path-traversal"            :  return 22;   // path traversal
@@ -185,6 +190,6 @@ private int cweLookup(String rule) {
                 //        case "trust-boundary-violation"  :  return 501;  // trust boundary
                 //        case "xxe"                       :  return 611;  // xml entity
         }
-        return 0;
+        return CweNumber.DONTCARE;
     }
 }
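Review bot: The rule descriptions for the cases that now return a named constant were dropped: `case "4720":` lost `// Cookie Security: Cookie Not Sent Over SSL`, `case "5649":` lost `// Cross-Site Scripting: Reflected`, `case "11293":`/`case "11294":` lost `// Cross-Frame Scripting`, and `case "11299":` lost `// SQL Injection: Blind`; they are the only place the WebInspect rule id is explained, so put them back on the case line, e.g. `case "4720": // Cookie Security: Cookie Not Sent Over SSL`. Keeping the comment on the case line rather than after the return also avoids the `return CweNumber` / `.DONTCARE; // ...` wrap the formatter produced for 4725 and 10655. Rule 10543 (HTTPOnly not set) staying DONTCARE while WapitiJsonReader in this same commit maps HttpOnly findings to `COOKIE_WITHOUT_HTTPONLY` is unchanged from before, but deserves a comment if it is deliberate.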
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/XanitizerReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/XanitizerReader.java
index e0926584..6363a54b 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/XanitizerReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/XanitizerReader.java
@@ -21,6 +21,7 @@
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
 import org.owasp.benchmarkutils.score.BenchmarkScore;
+import org.owasp.benchmarkutils.score.CweNumber;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestCaseResult;
 import org.owasp.benchmarkutils.score.TestSuiteResults;
@@ -51,7 +52,7 @@ public TestSuiteResults parse(ResultFile resultFile) throws Exception {
                     private final StringBuilder m_CollectedCharacters = new StringBuilder();
 
                     private String m_ProblemTypeId;
-                    private int m_CWE = -1;
+                    private CweNumber m_CWE = CweNumber.DONTCARE;
                     private String m_Class;
                     private String m_Classification;
 
@@ -99,15 +100,16 @@ public void endElement(
                             case "cweNumber":
                                 // remove leading "CWE-" and thousands delimiter
                                 try {
-                                    m_CWE =
+                                    int cwe =
                                             Integer.parseInt(
                                                     m_CollectedCharacters
                                                             .toString()
                                                             .substring(4)
                                                             .replace(".", "")
                                                             .replace(",", ""));
-                                } catch (NumberFormatException e) {
-                                    m_CWE = -1;
+
+                                    m_CWE = CweNumber.lookup(cwe);
+                                } catch (NumberFormatException ignored) {
                                 }
                                 break;
 
@@ -141,7 +143,7 @@ public void endElement(
                                             // for backward compatibility
                                             // for reports without CWE numbers - map problem type to
                                             // CWE number
-                                            if (m_CWE < 0) {
+                                            if (CweNumber.DONTCARE.equals(m_CWE)) {
                                                 m_CWE = figureCWE(m_ProblemTypeId);
                                             }
 
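Review bot: The fallback condition widened: `if (m_CWE < 0)` fired only when no CWE number had been parsed, whereas `CweNumber.DONTCARE.equals(m_CWE)` also fires when a CWE was present but `CweNumber.lookup` resolved it to DONTCARE (if that is what lookup returns for unlisted numbers — not visible here), so such findings are now re-mapped from the problem type instead of being left alone. If that is intended, say so in the existing comment, e.g. `// no usable CWE number in the report: map the problem type to a CWE instead`; if not, track "parsed" separately from "mapped". For an enum, `m_CWE == CweNumber.DONTCARE` is the idiomatic comparison.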
@@ -159,7 +161,7 @@ public void endElement(
                                 }
 
                                 m_ProblemTypeId = null;
-                                m_CWE = -1;
+                                m_CWE = CweNumber.DONTCARE;
                                 m_Class = null;
                                 m_Classification = null;
                                 break;
@@ -184,45 +186,34 @@ public void characters(final char ch[], final int start, final int length)
         return tr;
     }
 
-    private int figureCWE(final String problemTypeId) {
+    private CweNumber figureCWE(final String problemTypeId) {
         switch (problemTypeId) {
             case "ci:CommandInjection":
-                return 78;
-
+                return CweNumber.OS_COMMAND_INJECTION;
             case "SpecialMethodCall:WeakEncryption":
-                return 327;
-
+                return CweNumber.WEAK_CRYPTO_ALGO;
             case "SpecialMethodCall:WeakHash":
-                return 328;
-
+                return CweNumber.WEAK_HASH_ALGO;
             case "ci:LDAPInjection":
-                return 90;
-
+                return CweNumber.LDAP_INJECTION;
             case "pt:PathTraversal":
-                return 22;
-
+                return CweNumber.PATH_TRAVERSAL;
             case "cook:UnsecuredCookie":
-                return 614;
-
+                return CweNumber.INSECURE_COOKIE;
             case "ci:SQLInjection":
-                return 89;
-
+                return CweNumber.SQL_INJECTION;
             case "tbv:TrustBoundaryViolationSession":
-                return 501;
-
+                return CweNumber.TRUST_BOUNDARY_VIOLATION;
             case "SpecialMethodCall:java.util.Random":
-                return 330;
-
+                return CweNumber.WEAK_RANDOM;
             case "ci:XPathInjection":
-                return 643;
-
+                return CweNumber.XPATH_INJECTION;
             case "xss:XSSFromRequest":
             case "xss:XSSFromDb":
-                return 79;
-
+                return CweNumber.XSS;
             default:
                 // Dummy.
-                return 0;
+                return CweNumber.DONTCARE;
         }
     }
 }
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ZapJsonReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ZapJsonReader.java
index de4887da..cf09b996 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ZapJsonReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ZapJsonReader.java
@@ -121,7 +121,7 @@ private void handleNewReportFormat(ResultFile resultFile, TestSuiteResults tr) {
                     site ->
                             site.alerts.forEach(
                                     alert -> {
-                                        int cwe = mapCwe(alert.cwe);
+                                        CweNumber cwe = mapCwe(alert.cwe);
 
                                         alert.instances.forEach(
                                                 instance -> {
@@ -152,55 +152,16 @@ private String extractTestName(String fullUrl) {
         }
     }
 
-    private int figureCwe(JSONObject finding) {
+    private CweNumber figureCwe(JSONObject finding) {
         return mapCwe(finding.getString("cweid"));
     }
 
-    static int mapCwe(String cwe) {
-        switch (cwe) {
-            case "22":
-                return CweNumber.PATH_TRAVERSAL;
-            case "78":
-                return CweNumber.COMMAND_INJECTION;
-            case "79":
-                return CweNumber.XSS;
-            case "89":
-                return CweNumber.SQL_INJECTION;
-            case "90":
-                return CweNumber.LDAP_INJECTION;
-            case "264":
-            case "284":
-                return CweNumber.IMPROPER_ACCESS_CONTROL;
-
-            case "352":
-                return CweNumber.CSRF;
-            case "614":
-                return CweNumber.INSECURE_COOKIE;
-
-            case "1004":
-                return CweNumber.COOKIE_WITHOUT_HTTPONLY;
-
-                // Don't care about these:
-            case "16": // Configuration
-            case "134": // Use of Externally-Controlled Format String
-            case "200": // Exposure of Sensitive Information to Unauthorized Actor - When 500 errors
-                // are returned
-            case "436": // Interpretation Conflict
-            case "345": // Insufficient Verification of Data Authenticity
-            case "525": // Browser caching sensitive data
-            case "565": // Reliance on Cookies without Validation and Integrity Checking
-            case "693": // Protection Mechanism Failure
-            case "829": // Inclusion of Functionality from Untrusted Control Sphere (e.g., CDN)
-            case "933": // Security Misconfiguration
-            case "1021": // Improper Restriction of Rendered UI Layers or Frames
-            case "1275": // Sensitive Cookie with Improper SameSite Attribute
-                return Integer.parseInt(cwe); // Return the CWE anyway.
-
-            default:
-                System.out.println(
-                        "WARNING: ZAP CWE not mapped to expected test suite CWE: " + cwe);
-                return Integer.parseInt(cwe);
+    static CweNumber mapCwe(String cwe) {
+        if ("264".equals(cwe)) {
+            return CweNumber.IMPROPER_ACCESS_CONTROL;
         }
+
+        return CweNumber.lookup(cwe);
     }
 
     @JsonIgnoreProperties(ignoreUnknown = true)
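Review bot: The `"264".equals(cwe)` special case is now the only mapping left in mapCwe and carries no explanation, while the old switch at least showed it next to 284; add `// ZAP reports CWE-264 for findings the test suite scores as CWE-284 (Improper Access Control).` above the if. The rewrite also removes the documented "Don't care about these" list: those ZAP CWEs used to be returned silently as their raw number, whereas CweNumber.lookup returns DONTCARE and, judging by the new CweNumberTest in this commit, prints a WARN for every number the enum lacks, so each ZAP alert carrying such a CWE now produces a warning line unless the enum defines it (CWE-16 is not among the constants visible in this series). A comment on the `return CweNumber.lookup(cwe);` line such as `// unmapped and unparsable values become DONTCARE (lookup logs them)` would keep that behaviour visible to the next maintainer.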
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ZapReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ZapReader.java
index 6cc4cdc4..a090802c 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ZapReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ZapReader.java
@@ -22,6 +22,7 @@
 import java.util.List;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
+import org.owasp.benchmarkutils.score.CweNumber;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestCaseResult;
 import org.owasp.benchmarkutils.score.TestSuiteResults;
@@ -121,7 +122,7 @@ public TestSuiteResults parse(ResultFile resultFile) throws Exception {
     //    </alertitem>
 
     private void parseAndAddZapIssues(Node flaw, TestSuiteResults tr) throws URISyntaxException {
-        int cwe = -1;
+        CweNumber cwe = CweNumber.DONTCARE;
         Node rule = getNamedChild("cweid", flaw);
         if (rule != null) {
             cwe = cweLookup(rule.getTextContent());
@@ -144,7 +145,7 @@ private void parseAndAddZapIssues(Node flaw, TestSuiteResults tr) throws URISynt
     }
 
     private void addIssue(
-            Node alertData, TestSuiteResults tr, int cwe, String category, int confidence) {
+            Node alertData, TestSuiteResults tr, CweNumber cwe, String category, int confidence) {
         int testNumber = testNumber(getNamedChild("uri", alertData).getTextContent());
         if (testNumber > 0) {
             tr.put(createTestCaseResult(cwe, category, confidence, testNumber));
@@ -152,9 +153,9 @@ private void addIssue(
     }
 
     private TestCaseResult createTestCaseResult(
-            int cwe, String category, int confidence, int testNumber) {
+            CweNumber cwe, String category, int confidence, int testNumber) {
         TestCaseResult tcr = new TestCaseResult();
-        if (cwe != -1) {
+        if (!CweNumber.DONTCARE.equals(cwe)) {
             tcr.setCWE(cwe);
         }
         tcr.setCategory(category);
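Review bot: `!CweNumber.DONTCARE.equals(cwe)` compares enum constants through equals(); enum instances are singletons, so `if (cwe != CweNumber.DONTCARE) {` is the idiomatic form and behaves the same for null. More importantly, DONTCARE now stands for two different situations — no `cweid` child (the default set in parseAndAddZapIssues in the previous hunk) and a cweid that ZapJsonReader.mapCwe could not map — whereas the old code only skipped setCWE for the first (`-1`) and stored the raw number for the second. If folding both into "not scored" is intended, a comment such as `// DONTCARE covers both a missing cweid and an unmapped one; neither is scored` makes the merge explicit.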
@@ -164,7 +165,7 @@ private TestCaseResult createTestCaseResult(
         return tcr;
     }
 
-    private int cweLookup(String orig) {
+    private CweNumber cweLookup(String orig) {
         return ZapJsonReader.mapCwe(orig);
     }
 }
diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/CweNumberTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/CweNumberTest.java
new file mode 100644
index 00000000..3d8470cc
--- /dev/null
+++ b/plugin/src/test/java/org/owasp/benchmarkutils/score/CweNumberTest.java
@@ -0,0 +1,74 @@
+package org.owasp.benchmarkutils.score;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import java.io.ByteArrayOutputStream;
+import java.util.HashSet;
+import java.util.Set;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+public class CweNumberTest {
+
+    private static final int UNMAPPED_CWE_NUMBER = 99999;
+    ByteArrayOutputStream out;
+
+    @BeforeEach
+    public void setUp() {
+        out = new java.io.ByteArrayOutputStream();
+        System.setOut(new java.io.PrintStream(out));
+    }
+
+    @Test
+    public void returnDontCareForUnmappedCweNumber() {
+        assertEquals(CweNumber.DONTCARE, CweNumber.lookup(UNMAPPED_CWE_NUMBER));
+    }
+
+    @Test
+    public void looksUpValueByInteger() {
+        assertEquals(CweNumber.PATH_TRAVERSAL, CweNumber.lookup(CweNumber.PATH_TRAVERSAL.number));
+    }
+
+    @Test
+    public void looksUpValueByString() {
+        assertEquals(
+                CweNumber.PATH_TRAVERSAL, CweNumber.lookup("" + CweNumber.PATH_TRAVERSAL.number));
+    }
+
+    @Test
+    public void warnsAboutUnmappedCweNumber() {
+        CweNumber.lookup(UNMAPPED_CWE_NUMBER);
+        assertEquals(
+                "WARN: Requested unmapped CWE number " + UNMAPPED_CWE_NUMBER + ".\n",
+                out.toString());
+    }
+
+    @Test
+    public void doesNotWarnForMappedCweNumber() {
+        CweNumber.lookup(CweNumber.PATH_TRAVERSAL.number);
+        assertEquals("", out.toString());
+    }
+
+    @Test
+    public void returnsDontCareForUnparsableNumber() {
+        assertEquals(CweNumber.DONTCARE, CweNumber.lookup("unparsable"));
+    }
+
+    @Test
+    public void showsErrorForUnparsableNumber() {
+        CweNumber.lookup("unparsable");
+        assertEquals("ERROR: Failed to parse CWE number 'unparsable'.\n", out.toString());
+    }
+
+    @Test
+    public void doesNotContainSameNumberTwice() {
+        CweNumber[] enumValues = CweNumber.class.getEnumConstants();
+        Set<Integer> cweNumbers = new HashSet<>();
+
+        for (CweNumber cweNumber : enumValues) {
+            cweNumbers.add(cweNumber.number);
+        }
+
+        assertEquals(enumValues.length, cweNumbers.size());
+    }
+}
diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/AcunetixReaderTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/AcunetixReaderTest.java
index 2bff445a..de55f2c1 100644
--- a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/AcunetixReaderTest.java
+++ b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/AcunetixReaderTest.java
@@ -54,7 +54,7 @@ void readerHandlesGivenResultFile() throws Exception {
 
         assertEquals(2, result.getTotalResults());
 
-        assertEquals(CweNumber.COMMAND_INJECTION, result.get(1).get(0).getCWE());
+        assertEquals(CweNumber.OS_COMMAND_INJECTION, result.get(1).get(0).getCWE());
         assertEquals(CweNumber.XSS, result.get(2).get(0).getCWE());
     }
 }
diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/BurpReaderTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/BurpReaderTest.java
index 05d876ca..4fd81365 100644
--- a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/BurpReaderTest.java
+++ b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/BurpReaderTest.java
@@ -54,7 +54,7 @@ void readerHandlesGivenResultFile() throws Exception {
 
         assertEquals(2, result.getTotalResults());
 
-        assertEquals(CweNumber.COMMAND_INJECTION, result.get(1).get(0).getCWE());
+        assertEquals(CweNumber.OS_COMMAND_INJECTION, result.get(1).get(0).getCWE());
         assertEquals(CweNumber.SQL_INJECTION, result.get(2).get(0).getCWE());
     }
 }
diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/CASTAIPReaderTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/CASTAIPReaderTest.java
index 59ef8023..195d8115 100644
--- a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/CASTAIPReaderTest.java
+++ b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/CASTAIPReaderTest.java
@@ -54,7 +54,7 @@ void readerHandlesGivenResultFile() throws Exception {
 
         assertEquals(2, result.getTotalResults());
 
-        assertEquals(CweNumber.COMMAND_INJECTION, result.get(1).get(0).getCWE());
+        assertEquals(CweNumber.OS_COMMAND_INJECTION, result.get(1).get(0).getCWE());
         assertEquals(CweNumber.SQL_INJECTION, result.get(2).get(0).getCWE());
     }
 }
diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/ContrastScanReaderTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/ContrastScanReaderTest.java
index 96872e3d..875cd0b1 100644
--- a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/ContrastScanReaderTest.java
+++ b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/ContrastScanReaderTest.java
@@ -54,7 +54,7 @@ void readerHandlesGivenResultFile() throws Exception {
 
         assertEquals(2, result.getTotalResults());
 
-        assertEquals(CweNumber.COMMAND_INJECTION, result.get(1).get(0).getCWE());
+        assertEquals(CweNumber.OS_COMMAND_INJECTION, result.get(1).get(0).getCWE());
         assertEquals(CweNumber.INSECURE_COOKIE, result.get(2).get(0).getCWE());
     }
 }
diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/FortifyReaderTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/FortifyReaderTest.java
index 9a5792aa..98e20171 100644
--- a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/FortifyReaderTest.java
+++ b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/FortifyReaderTest.java
@@ -55,7 +55,7 @@ void readerHandlesGivenResultFile() throws Exception {
 
         assertEquals(2, result.getTotalResults());
 
-        assertEquals(CweNumber.COMMAND_INJECTION, result.get(1).get(0).getCWE());
+        assertEquals(CweNumber.OS_COMMAND_INJECTION, result.get(1).get(0).getCWE());
         assertEquals(CweNumber.SQL_INJECTION, result.get(2).get(0).getCWE());
     }
 }
diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/InsiderReaderTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/InsiderReaderTest.java
index 9fcdf32f..f96d237f 100644
--- a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/InsiderReaderTest.java
+++ b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/InsiderReaderTest.java
@@ -54,7 +54,7 @@ void readerHandlesGivenResultFile() throws Exception {
 
         assertEquals(2, result.getTotalResults());
 
-        assertEquals(CweNumber.COMMAND_INJECTION, result.get(1).get(0).getCWE());
+        assertEquals(CweNumber.OS_COMMAND_INJECTION, result.get(1).get(0).getCWE());
         assertEquals(CweNumber.WEAK_CRYPTO_ALGO, result.get(2).get(0).getCWE());
     }
 }
diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/Rapid7ReaderTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/Rapid7ReaderTest.java
index 3bdcd51b..222e6048 100644
--- a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/Rapid7ReaderTest.java
+++ b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/Rapid7ReaderTest.java
@@ -57,6 +57,6 @@ void readerHandlesGivenResultFile() throws Exception {
         assertEquals(2, result.getTotalResults());
 
         assertEquals(CweNumber.SQL_INJECTION, result.get(1).get(0).getCWE());
-        assertEquals(CweNumber.COMMAND_INJECTION, result.get(2).get(0).getCWE());
+        assertEquals(CweNumber.OS_COMMAND_INJECTION, result.get(2).get(0).getCWE());
     }
 }
diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/SeekerReaderTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/SeekerReaderTest.java
index c4904ed6..e52b9f99 100644
--- a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/SeekerReaderTest.java
+++ b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/SeekerReaderTest.java
@@ -54,7 +54,7 @@ void readerHandlesGivenResultFile() throws Exception {
 
         assertEquals(2, result.getTotalResults());
 
-        assertEquals(CweNumber.COMMAND_INJECTION, result.get(1).get(0).getCWE());
+        assertEquals(CweNumber.OS_COMMAND_INJECTION, result.get(1).get(0).getCWE());
         assertEquals(CweNumber.TRUST_BOUNDARY_VIOLATION, result.get(2).get(0).getCWE());
     }
 }
diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/SonarQubeReaderTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/SonarQubeReaderTest.java
index 2f0df0c9..52c73ad2 100644
--- a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/SonarQubeReaderTest.java
+++ b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/SonarQubeReaderTest.java
@@ -56,7 +56,7 @@ void readerHandlesGivenPluginResultFile() throws Exception {
 
         assertEquals(2, result.getTotalResults());
 
-        assertEquals(CweNumber.COMMAND_INJECTION, result.get(1).get(0).getCWE());
+        assertEquals(CweNumber.OS_COMMAND_INJECTION, result.get(1).get(0).getCWE());
         assertEquals(CweNumber.WEAK_RANDOM, result.get(2).get(0).getCWE());
     }
 }
diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/WapitiJsonReaderTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/WapitiJsonReaderTest.java
index 88c0374d..b6f00108 100644
--- a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/WapitiJsonReaderTest.java
+++ b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/WapitiJsonReaderTest.java
@@ -54,7 +54,7 @@ void readerHandlesGivenResultFile() throws Exception {
 
         assertEquals(2, result.getTotalResults());
 
-        assertEquals(CweNumber.COMMAND_INJECTION, result.get(1).get(0).getCWE());
+        assertEquals(CweNumber.OS_COMMAND_INJECTION, result.get(1).get(0).getCWE());
         assertEquals(CweNumber.PATH_TRAVERSAL, result.get(2).get(0).getCWE());
     }
 }
diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/WapitiReaderTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/WapitiReaderTest.java
index 5b0fb949..40219e38 100644
--- a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/WapitiReaderTest.java
+++ b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/WapitiReaderTest.java
@@ -55,6 +55,6 @@ void readerHandlesGivenResultFile() throws Exception {
         assertEquals(2, result.getTotalResults());
 
         assertEquals(CweNumber.SQL_INJECTION, result.get(1).get(0).getCWE());
-        assertEquals(CweNumber.COMMAND_INJECTION, result.get(2).get(0).getCWE());
+        assertEquals(CweNumber.OS_COMMAND_INJECTION, result.get(2).get(0).getCWE());
     }
 }

From 5a88f84d274ebd7338aa71c3c87da6e79786cd3c Mon Sep 17 00:00:00 2001
From: Sascha Knoop <github@darkspirit510.de>
Date: Tue, 1 Nov 2022 16:50:38 +0100
Subject: [PATCH 02/10] revert missing line

---
 .../org/owasp/benchmarkutils/score/parsers/FindbugsReader.java  | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FindbugsReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FindbugsReader.java
index f3150ffc..63984146 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FindbugsReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FindbugsReader.java
@@ -151,6 +151,8 @@ else if (cwe.equals("326")) {
                 // Cookies
             case "SECIC":
                 return CweNumber.INSECURE_COOKIE;
+            case "SECCU":
+                return CweNumber.DONTCARE;
             case "SECHOC":
                 return CweNumber.COOKIE_WITHOUT_HTTPONLY;
 
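Review bot: The new `case "SECCU":` returns DONTCARE with no explanation, and in a switch whose neighbouring cookie cases map to real CWEs a reader cannot tell whether this is a deliberate exclusion or a placeholder. Add a short comment above it, e.g. `// SECCU: intentionally not scored, the test suite has no CWE for it`, adjusting the wording to whatever the rule actually reports. The enclosing switch and its method start and end outside this hunk.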

From c7390697892641b4e9beb85cea02e331d6e77b6a Mon Sep 17 00:00:00 2001
From: Sascha Knoop <github@darkspirit510.de>
Date: Tue, 1 Nov 2022 16:51:07 +0100
Subject: [PATCH 03/10] lots of missing CWE numbers

---
 .../owasp/benchmarkutils/score/CweNumber.java | 168 +++++++++++++++++-
 1 file changed, 167 insertions(+), 1 deletion(-)

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java
index ae58d9ed..069d8676 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java
@@ -14,6 +14,15 @@ public enum CweNumber {
     /** CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') */
     PATH_TRAVERSAL(22),
 
+    /** CWE-73: External Control of File Name or Path */
+    EXTERNAL_FILE_OR_PATH_CONTROL(73),
+
+    /**
+     * CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component
+     * ('Injection')
+     */
+    GENERAL_INJECTION(74),
+
     /**
      * CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
      */
@@ -33,6 +42,11 @@ public enum CweNumber {
     /** CWE-83: Improper Neutralization of Script in Attributes in a Web Page */
     IMPROPER_NEUTRALIZATION_OF_ATTRIBUTES(83),
 
+    /**
+     * CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
+     */
+    ARGUMENT_INJECTION(88),
+
     /**
      * CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
      */
@@ -43,6 +57,9 @@ public enum CweNumber {
      */
     LDAP_INJECTION(90),
 
+    /** CWE-91: XML Injection (aka Blind XPath Injection) */
+    BLIND_XPATH_INJECTION(91),
+
     /** CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') */
     CRLF_INJECTION(93),
 
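Review bot: `BLIND_XPATH_INJECTION(91)` names CWE-91 by its parenthetical alias; the weakness is "XML Injection" and the constant will sit next to `XPATH_INJECTION` (643), so `XML_INJECTION(91)` reads unambiguously. Since these constants become the project's API, the misspelt names added in later hunks of this file should be fixed before anything depends on them: `INSUFFICIENT_ENTRUPY_IN_PNRG(332)` → `INSUFFICIENT_ENTROPY_IN_PRNG`, `INSUFFICIENTLY_RPOTECTED_CREDENTIALS(522)` → `INSUFFICIENTLY_PROTECTED_CREDENTIALS`, and `RELIANCE_IN_UNTRUSTED_INPUT(807)` → `RELIANCE_ON_UNTRUSTED_INPUT`. The file also mixes `BEHAVIOUR` (180, 440) with `BEHAVIORAL` (205); the CWE titles use American spelling, so `BEHAVIOR` would be consistent with them.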
@@ -67,15 +84,27 @@ public enum CweNumber {
     /** CWE-117: Improper Output Neutralization for Logs */
     MISSING_LOG_OUTPUT_NEUTRALIZATION(117),
 
+    /** CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') */
+    CLASSIC_BUFFER_OVERFLOW(120),
+
     /** CWE-134: Use of Externally-Controlled Format String */
     EXTERNALLY_CONTROLLED_STRING(134),
 
+    /** CWE-180: Incorrect Behavior Order: Validate Before Canonicalize */
+    INCORRECT_BEHAVIOUR_ORDER(180),
+
+    /** CWE-182: Collapse of Data into Unsafe Value */
+    COLLAPSE_DATA_IN_UNSAFE_VALUE(182),
+
     /** CWE-190: Integer Overflow or Wraparound */
     INTEGER_OVERFLOW_WRAPAROUND(190),
 
     /** CWE-200: Exposure of Sensitive Information to an Unauthorized Actor */
     EXPOSURE_SENSITIVE_TO_UNAUTHORIZED_USER(200),
 
+    /** CWE-205: Observable Behavioral Discrepancy */
+    OBSERVABLE_BEHAVIORAL_DISCREPANCY(205),
+
     /** CWE-209: Generation of Error Message Containing Sensitive Information */
     ERROR_MESSAGE_WITH_SENSITIVE_INFO(209),
 
@@ -85,6 +114,12 @@ public enum CweNumber {
     /** CWE-235: Improper Handling of Extra Parameters */
     IMPROPER_HANDLING_OF_PARAMETERS(235),
 
+    /** CWE-244: Improper Clearing of Heap Memory Before Release ('Heap Inspection') */
+    HEAP_INSPECTION(244),
+
+    /** CWE-248: Uncaught Exception */
+    UNCAUGHT_EXCEPTION(248),
+
     /** CWE-250: Execution with Unnecessary Privileges */
     TOO_PRIVILIGED_EXECUTION(250),
 
@@ -97,12 +132,24 @@ public enum CweNumber {
     /** CWE-284: Improper Access Control */
     IMPROPER_ACCESS_CONTROL(284),
 
+    /** CWE-285: Improper Authorization */
+    IMPROPER_AUTHORIZATION(285),
+
     /** CWE-293: Using Referer Field for Authentication */
     REFERER_FIELD_IN_AUTHENTICATION(293),
 
+    /** CWE-295: Improper Certificate Validation */
+    IMPROPER_CERTIFICATE_VALIDATION(295),
+
     /** CWE-311: Missing Encryption of Sensitive Data */
     UNENCRYPTED_SENSITIVE_DATA(311),
 
+    /** CWE-315: Cleartext Storage of Sensitive Information in a Cookie */
+    UNENCRYPTED_SENSITIVE_INFO_STORED_IN_COOKIE(315),
+
+    /** CWE-319: Cleartext Transmission of Sensitive Information */
+    CLEARTEXT_TRANSMISSION_OF_SENSITIVE_INFO(319),
+
     /** CWE-320: CWE CATEGORY: Key Management Errors */
     CATEGORY_KEY_MANAGEMENT_ERROR(320),
 
@@ -121,24 +168,48 @@ public enum CweNumber {
     /** CWE-330: Use of Insufficiently Random Values */
     WEAK_RANDOM(330),
 
+    /** CWE-332: Insufficient Entropy in PRNG */
+    INSUFFICIENT_ENTRUPY_IN_PNRG(332),
+
+    /** CWE-345: Insufficient Verification of Data Authenticity */
+    INSUFFICIENT_DATA_AUTHENTICITY_VERIFICATION(345),
+
     /** CWE-346: Origin Validation Error */
     ORIGIN_VALIDATION_ERROR(346),
 
     /** CWE-352: Cross-Site Request Forgery (CSRF) */
     CSRF(352),
 
+    /** CWE-353: Missing Support for Integrity Check */
+    MISSING_SUPPORT_FOR_INTEGRITY_CHECK(353),
+
     /** CWE-359: Exposure of Private Personal Information to an Unauthorized Actor */
     EXPOSURE_PRIVATE_TO_UNAUTHORIZED_USER(359),
 
+    /**
+     * CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race
+     * Condition')
+     */
+    RACE_CONDITION(362),
+
     /** CWE-369: Divide By Zero */
     DIVISION_BY_ZERO(369),
 
     /** CWE-374: Passing Mutable Objects to an Untrusted Method */
     PASS_MUTABLE_OBJECT_TO_UNTRUSTED_MODULE(374),
 
+    /** CWE-379: Creation of Temporary File in Directory with Insecure Permissions */
+    TEMPORARY_FILE_WITH_INSECURE_PERMISSIONS(379),
+
     /** CWE-382: J2EE Bad Practices: Use of System.exit() */
     SYSTEM_EXIT(382),
 
+    /** CWE-390: Detection of Error Condition Without Action */
+    DETECTING_ERROR_WITHOUT_ACTION(390),
+
+    /** CWE-391: Unchecked Error Condition */
+    UNCHECKED_ERROR_CONDITION(391),
+
     /** CWE-395: Use of NullPointerException Catch to Detect NULL Pointer Dereference */
     CATCHING_NULL_POINTER_EXCEPTION(395),
 
@@ -148,6 +219,9 @@ public enum CweNumber {
     /** CWE-397: Declaration of Throws for Generic Exception */
     THROW_GENERIC_EXCEPTION(397),
 
+    /** CWE-398: CWE CATEGORY: 7PK - Code Quality */
+    CATEGORY_CODE_QUALITY(398),
+
     /** CWE-400: Uncontrolled Resource Consumption */
     UNCONTROLLED_RESOURCE_CONSUMPTION(400),
 
@@ -157,6 +231,12 @@ public enum CweNumber {
     /** CWE-434: Unrestricted Upload of File with Dangerous Type */
     UNRESTRICTED_FILE_UPLOAD(434),
 
+    /** CWE-436: Interpretation Conflict */
+    INTERPRETATION_CONFLICT(436),
+
+    /** CWE-440: Expected Behavior Violation */
+    EXPECTED_BEHAVIOUR_VIOLATION(440),
+
     /** CWE-451: User Interface (UI) Misrepresentation of Critical Information */
     MISREPRESENTATION_OF_CRITICAL_INFO(451),
 
@@ -171,9 +251,15 @@ public enum CweNumber {
     /** CWE-472: External Control of Assumed-Immutable Web Parameter */
     EXTERNAL_CONTROL_OF_WEB_PARAM(472),
 
+    /** CWE-474: Use of Function with Inconsistent Implementations */
+    FUNCTION_WITH_INCONSISTENT_IMPLEMENTATION(474),
+
     /** CWE-476: NULL Pointer Dereference */
     NULL_POINTER_DEREFERENCE(476),
 
+    /** CWE-477: Use of Obsolete Function */
+    OBSOLETE_FUNCTION_USAGE(477),
+
     /** CWE-478: Missing Default Case in Switch Statement */
     MISSING_DEFAULT_CASE(478),
 
@@ -195,6 +281,15 @@ public enum CweNumber {
     /** CWE-493: Critical Public Variable Without Final Modifier */
     PUBLIC_VAR_WITHOUT_FINAL(493),
 
+    /** CWE-494: Download of Code Without Integrity Check */
+    MISSING_INTEGRITY_CHECK_FOR_DOWNLOADED_CODE(494),
+
+    /** CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere */
+    EXPOSE_SYSTEM_INFO_TO_UNAUTHORIZED_CONTROL(497),
+
+    /** CWE-499: Serializable Class Containing Sensitive Data */
+    SERIALIZABLE_CLASS_WITH_SENSITIVE_DATA(499),
+
     /** CWE-500: Public Static Field Not Marked Final */
     PUBLIC_STATIC_NOT_FINAL(500),
 
@@ -207,21 +302,54 @@ public enum CweNumber {
     /** CWE-521: Weak Password Requirements */
     WEAK_PASSWORD_REQUIREMENTS(521),
 
+    /** CWE-522: Insufficiently Protected Credentials */
+    INSUFFICIENTLY_RPOTECTED_CREDENTIALS(522),
+
     /** CWE-523: Unprotected Transport of Credentials */
     UNPROTECTED_CREDENTIALS_TRANSPORT(523),
 
     /** CWE-525: Use of Web Browser Cache Containing Sensitive Information */
     SENSITIVE_INFORMATION_IN_BROWSER_CACHE(525),
 
+    /** CWE-530: Exposure of Backup File to an Unauthorized Control Sphere */
+    EXPOSE_BACKUP_TO_UNAUTHORIZED_TARGET(530),
+
     /** CWE-532: Insertion of Sensitive Information into Log File */
     SENSITIVE_LOGFILE(532),
 
+    /** CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory */
+    SENSITIVE_INFO_IN_EXTERNAL_ACCESSIBLE_SPACE(538),
+
+    /** CWE-539: Use of Persistent Cookies Containing Sensitive Information */
+    PERSISTENT_COOKIE_CONTAINS_SENSITIVE_INFO(539),
+
+    /** CWE-541: Inclusion of Sensitive Information in an Include File */
+    SENSITIVE_INFORMATION_IN_INCLUDED_FILE(541),
+
+    /** CWE-547: Use of Hard-coded, Security-relevant Constants */
+    HARDCODED_SECURITY_RELEVANT_CONSTANTS(547),
+
+    /** CWE-561: Dead Code */
+    DEAD_CODE(561),
+
     /** CWE-563: Assignment to Variable without Use */
     UNUSED_VAR_ASSIGNMENT(563),
 
     /** CWE-564: SQL Injection: Hibernate */
     HIBERNATE_INJECTION(564),
 
+    /** CWE-565: Reliance on Cookies without Validation and Integrity Checking */
+    MISSING_COOKIE_VALIDATION(565),
+
+    /** CWE-567: Unsynchronized Access to Shared Data in a Multithreaded Context */
+    UNSYNCHRONIZED_ACCESS_TO_SHARED_DATA(567),
+
+    /** CWE-570: Expression is Always False */
+    EXPRESSION_ALWAYS_FALSE(570),
+
+    /** CWE-571: Expression is Always True */
+    EXPRESSION_ALWAYS_TRUE(571),
+
     /** CWE-572: Call to Thread run() instead of start() */
     THREAD_WRONG_CALL(572),
 
@@ -255,6 +383,9 @@ public enum CweNumber {
     /** CWE-601: URL Redirection to Untrusted Site ('Open Redirect') */
     OPEN_REDIRECT(601),
 
+    /** CWE-606: Unchecked Input for Loop Condition */
+    UNCHECKED_INPUT_FOR_LOOP_CONDITION(606),
+
     /** CWE-607: Public Static Final Field References Mutable Object */
     PUBLIC_STATIC_FINAL_MUTABLE_OBJECT(607),
 
@@ -282,15 +413,27 @@ public enum CweNumber {
     /** CWE-652: Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') */
     XQUERY_INJECTION(652),
 
+    /** CWE-676: Use of Potentially Dangerous Function */
+    USE_POTENTIALLY_DANGEROUS_FUNCTION(676),
+
+    /** CWE-681: Incorrect Conversion between Numeric Types */
+    INCORRECT_NUMERIC_TYPE_CONVERSION(681),
+
     /** CWE-693: Protection Mechanism Failure */
     PROTECTION_MECHANISM_FAILURE(693),
 
     /** CWE-703: Improper Check or Handling of Exceptional Conditions */
     IMPROPER_CHECK_FOR_EXCEPTION_CONDITIONS(703),
 
+    /** CWE-732: Incorrect Permission Assignment for Critical Resource */
+    INCORRECT_PERMISSIONS_FOR_CRITICAL_RESOURCE(732),
+
     /** CWE-754: Improper Check for Unusual or Exceptional Conditions */
     IMPROPER_CHECK_FOR_CONDITIONS(754),
 
+    /** CWE-760: Use of a One-Way Hash with a Predictable Salt */
+    ONE_WAY_HASH_WITH_PREDICTABLE_SALT(760),
+
     /** CWE-759: Use of a One-Way Hash without a Salt */
     UNSALTED_ONE_WAY_HASH(759),
 
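Review bot: `ONE_WAY_HASH_WITH_PREDICTABLE_SALT(760)` is inserted above `UNSALTED_ONE_WAY_HASH(759)`, breaking the ascending CWE order the rest of the enum follows and that the insertions elsewhere in this commit respect; move it below 759. In a later hunk of the same file the Javadoc for `CATEGORY_OWASP_2013_A5(933)` is the only one without the number prefix; write it as `/** CWE-933: CWE CATEGORY: OWASP Top Ten 2013 Category A5 - Security Misconfiguration */` to match the 937 entry directly beneath it.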
@@ -311,6 +454,23 @@ public enum CweNumber {
     /** CWE-783: Operator Precedence Logic Error */
     OPERATOR_PRECEDENCE_LOGIC(783),
 
+    /**
+     * CWE-784: Reliance on Cookies without Validation and Integrity Checking in a Security Decision
+     */
+    RELIANCE_ON_UNCHECKED_COOKIE(784),
+
+    /** CWE-789: Memory Allocation with Excessive Size Value */
+    EXCESSIVE_SIZE_MEMORY_ALLOCATION(789),
+
+    /** CWE-798: Use of Hard-coded Credentials */
+    HARDCODED_CREDENTIALS(798),
+
+    /** CWE-807: Reliance on Untrusted Inputs in a Security Decision */
+    RELIANCE_IN_UNTRUSTED_INPUT(807),
+
+    /** CWE-829: Inclusion of Functionality from Untrusted Control Sphere */
+    INCLUDE_CODE_FROM_UNTRUSTED_SOURCE(829),
+
     /** CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') */
     LOOP_WITH_UNREACHABLE_EXIT(835),
 
@@ -320,6 +480,9 @@ public enum CweNumber {
     /** CWE-918: Server-Side Request Forgery (SSRF) */
     SERVER_SIDE_REQUEST_FORGERY(918),
 
+    /** CWE CATEGORY: OWASP Top Ten 2013 Category A5 - Security Misconfiguration */
+    CATEGORY_OWASP_2013_A5(933),
+
     /**
      * CWE-937: CWE CATEGORY: OWASP Top Ten 2013 Category A9 - Using Components with Known
      * Vulnerabilities
@@ -333,7 +496,10 @@ public enum CweNumber {
     COOKIE_WITHOUT_HTTPONLY(1004),
 
     /** CWE-1021: Improper Restriction of Rendered UI Layers or Frames */
-    IMPROPER_RESTRICTION_OF_UI_LAYERS(1021);
+    IMPROPER_RESTRICTION_OF_UI_LAYERS(1021),
+
+    /** CWE-1275: Sensitive Cookie with Improper SameSite Attribute */
+    SENSITIVE_COOKIE_WITH_IMPROPER_SAMESITE_ATTR(1275);
 
     int number;
 

From 4efc94c5b7f0d4acc771db5b5108b110e7ef1e71 Mon Sep 17 00:00:00 2001
From: Sascha Knoop <github@darkspirit510.de>
Date: Tue, 1 Nov 2022 22:30:04 +0100
Subject: [PATCH 04/10] restore file header

---
 .../owasp/benchmarkutils/score/CweNumber.java   | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java
index 069d8676..5600df8c 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java
@@ -1,3 +1,20 @@
+/**
+ * OWASP Benchmark Project
+ *
+ * <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For
+ * details, please see <a
+ * href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
+ *
+ * <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ * <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * @author Sascha Knoop
+ * @created 2021
+ */
 package org.owasp.benchmarkutils.score;
 
 public enum CweNumber {

From c8809e71ff96277b4ca1225445ae1d967c4cc3fb Mon Sep 17 00:00:00 2001
From: Sascha Knoop <github@darkspirit510.de>
Date: Sun, 6 Nov 2022 19:28:46 +0100
Subject: [PATCH 05/10] add/revert header; print caller class in warn message

---
 .../owasp/benchmarkutils/score/CweNumber.java | 12 +++++++--
 .../benchmarkutils/score/CweNumberTest.java   | 27 ++++++++++++++++---
 2 files changed, 33 insertions(+), 6 deletions(-)

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java
index 5600df8c..a4103efc 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java
@@ -531,16 +531,24 @@ public static CweNumber lookup(int searchFor) {
             }
         }
 
-        System.out.println("WARN: Requested unmapped CWE number " + searchFor + ".");
+        System.out.println("WARN: " + callerClass() + " requested unmapped CWE number " + searchFor + ".");
 
         return DONTCARE;
     }
 
+    private static String callerClass() {
+        return simpleName(Thread.currentThread().getStackTrace()[3].getClassName());
+    }
+
+    private static String simpleName(String fullClassName) {
+        return fullClassName.substring(fullClassName.lastIndexOf('.') + 1);
+    }
+
     public static CweNumber lookup(String searchFor) {
         try {
             return lookup(Integer.parseInt(searchFor));
         } catch (NumberFormatException n) {
-            System.out.println("ERROR: Failed to parse CWE number '" + searchFor + "'.");
+            System.out.println("ERROR: Failed to parse CWE number '" + searchFor + "' provided by " + callerClass() + ".");
             return CweNumber.DONTCARE;
         }
     }
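Review bot: The hard-coded frame index 3 in callerClass() identifies the real caller only when lookup(int) is entered directly; when lookup(String) delegates to lookup(int) on the line `return lookup(Integer.parseInt(searchFor));`, the frame at index 3 is lookup(String) itself, so the WARN would name CweNumber instead of the parser that supplied the value. The renamed tests at L5392-5404 appear to call lookup(int) directly, so that path is not pinned; a test passing an unmapped numeric string through the String overload would expose it. Resolving the caller once in each public entry point and passing it to a private lookup(int searchFor, String caller) avoids the index dependency; if the project targets Java 9 or later, StackWalker can instead skip every frame declared by CweNumber, which also sidesteps the documented freedom of some JVMs to omit frames from getStackTrace(). lookup(int) begins outside the hunk.
```java
private static String callerClass() {
    return StackWalker.getInstance(StackWalker.Option.RETAIN_CLASS_REFERENCE)
            .walk(frames -> frames
                    .map(StackWalker.StackFrame::getDeclaringClass)
                    .filter(c -> c != CweNumber.class)
                    .findFirst())
            .map(Class::getSimpleName)
            .orElse("unknown");
}
// … unchanged: lookup(String) …
```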
diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/CweNumberTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/CweNumberTest.java
index 3d8470cc..0ccd7750 100644
--- a/plugin/src/test/java/org/owasp/benchmarkutils/score/CweNumberTest.java
+++ b/plugin/src/test/java/org/owasp/benchmarkutils/score/CweNumberTest.java
@@ -1,3 +1,20 @@
+/**
+ * OWASP Benchmark Project
+ *
+ * <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For
+ * details, please see <a
+ * href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
+ *
+ * <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ * <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * @author Sascha Knoop
+ * @created 2022
+ */
 package org.owasp.benchmarkutils.score;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
@@ -36,10 +53,10 @@ public void looksUpValueByString() {
     }
 
     @Test
-    public void warnsAboutUnmappedCweNumber() {
+    public void warnsAboutUnmappedCweNumberContainingCallerClass() {
         CweNumber.lookup(UNMAPPED_CWE_NUMBER);
         assertEquals(
-                "WARN: Requested unmapped CWE number " + UNMAPPED_CWE_NUMBER + ".\n",
+                "WARN: CweNumberTest requested unmapped CWE number " + UNMAPPED_CWE_NUMBER + ".\n",
                 out.toString());
     }
 
@@ -55,9 +72,11 @@ public void returnsDontCareForUnparsableNumber() {
     }
 
     @Test
-    public void showsErrorForUnparsableNumber() {
+    public void showsErrorForUnparsableNumberContainingCallerClass() {
         CweNumber.lookup("unparsable");
-        assertEquals("ERROR: Failed to parse CWE number 'unparsable'.\n", out.toString());
+        assertEquals(
+                "ERROR: Failed to parse CWE number 'unparsable' provided by CweNumberTest.\n",
+                out.toString());
     }
 
     @Test

From 20cff4df06397ff59adc69d967e79bf92a2ee3f2 Mon Sep 17 00:00:00 2001
From: Sascha Knoop <github@darkspirit510.de>
Date: Sun, 6 Nov 2022 19:37:25 +0100
Subject: [PATCH 06/10] fix comments; linting

---
 .../owasp/benchmarkutils/score/CweNumber.java | 10 +++-
 .../score/parsers/BurpReader.java             | 46 ++++++++-----------
 .../score/parsers/SonarQubeReader.java        | 19 ++++----
 .../parsers/VisualCodeGrepperReader.java      |  4 +-
 4 files changed, 38 insertions(+), 41 deletions(-)

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java
index a4103efc..a3e98800 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java
@@ -531,7 +531,8 @@ public static CweNumber lookup(int searchFor) {
             }
         }
 
-        System.out.println("WARN: " + callerClass() + " requested unmapped CWE number " + searchFor + ".");
+        System.out.println(
+                "WARN: " + callerClass() + " requested unmapped CWE number " + searchFor + ".");
 
         return DONTCARE;
     }
@@ -548,7 +549,12 @@ public static CweNumber lookup(String searchFor) {
         try {
             return lookup(Integer.parseInt(searchFor));
         } catch (NumberFormatException n) {
-            System.out.println("ERROR: Failed to parse CWE number '" + searchFor + "' provided by " + callerClass() + ".");
+            System.out.println(
+                    "ERROR: Failed to parse CWE number '"
+                            + searchFor
+                            + "' provided by "
+                            + callerClass()
+                            + ".");
             return CweNumber.DONTCARE;
         }
     }
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/BurpReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/BurpReader.java
index 6cd9c623..6487f285 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/BurpReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/BurpReader.java
@@ -130,44 +130,38 @@ static CweNumber cweLookup(String id) {
                 return CweNumber.XSS;
             case "2098944":
                 return CweNumber.CSRF;
-            case "3146240":
-                return CweNumber.SERVER_SIDE_REQUEST_FORGERY; // External service interaction (DNS)
-            case "4194560":
-                return CweNumber.DONTCARE; // Referer Dependent Response
-            case "4194576":
-                return CweNumber.DONTCARE; // X-Forwarded-For header dependency
+            case "3146240": // External service interaction (DNS)
+                return CweNumber.SERVER_SIDE_REQUEST_FORGERY;
+            case "4194560": // Referer Dependent Response
+                return CweNumber.DONTCARE;
+            case "4194576": // X-Forwarded-For header dependency
+                return CweNumber.DONTCARE;
             case "4197376": // Input returned in response (reflected)
             case "4197632": // Suspicious input transformation (reflected)
                 return CweNumber.IMPROPER_INPUT_VALIDAITON;
             case "5243392":
                 return CweNumber.INSECURE_COOKIE;
-            case "5244416":
-                return CweNumber.COOKIE_WITHOUT_HTTPONLY; // Cookie without HttpOnly flag set
+            case "5244416": // Cookie without HttpOnly flag set
+                return CweNumber.COOKIE_WITHOUT_HTTPONLY;
             case "5245344": // Clickjacking
                 return CweNumber.IMPROPER_RESTRICTION_OF_UI_LAYERS;
             case "5245360": // Browser cross-site scripting filter disabled
                 return CweNumber.CATEGORY_CONFIGURATION;
-            case "5245952":
-                return CweNumber
-                        .DONTCARE; // Ajax request header manipulation (DOM-based) - Map to nothing
-                // right
-            case "5247488":
-                return CweNumber
-                        .DONTCARE; // DOM Trust Boundary Violation - Map to nothing right now.
+            case "5245952": // Ajax request header manipulation (DOM-based) - Map to nothing right
+                return CweNumber.DONTCARE;
+            case "5247488": // DOM Trust Boundary Violation - Map to nothing right now.
+                return CweNumber.DONTCARE;
             case "6291968": // Information Disclosure - Email Address Disclosed
             case "6292736": // Information Disclosure - Credit Card # Disclosed
                 return CweNumber.EXPOSURE_SENSITIVE_TO_UNAUTHORIZED_USER;
-            case "7340288":
-                return CweNumber
-                        .SENSITIVE_INFORMATION_IN_BROWSER_CACHE; // Information Exposure Through
-                // Browser Caching-Cacheable HTTPS
-                // Response
-            case "8389120":
-                return CweNumber.DONTCARE; // HTML doesn't specify character set - Map to nothing.
-            case "8389632":
-                return CweNumber.DONTCARE; // Incorrect Content Type - Map to nothing right now.
-            case "8389888":
-                return CweNumber.CATEGORY_CONFIGURATION; // Content type is not specified
+            case "7340288": // Information Exposure Throug Browser Caching-Cacheable HTTPS Response
+                return CweNumber.SENSITIVE_INFORMATION_IN_BROWSER_CACHE;
+            case "8389120": // HTML doesn't specify character set - Map to nothing.
+                return CweNumber.DONTCARE;
+            case "8389632": // Incorrect Content Type - Map to nothing right now.
+                return CweNumber.DONTCARE;
+            case "8389888": // Content type is not specified
+                return CweNumber.CATEGORY_CONFIGURATION;
         } // end switch(id)
         System.out.println("Unknown Burp rule id: " + id);
         return CweNumber.DONTCARE;
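Review bot: Two of the relocated comments came out damaged: the case 7340288 comment `// Information Exposure Throug Browser Caching-Cacheable HTTPS Response` drops the "h" of "Through", and the case 5245952 comment `// Ajax request header manipulation (DOM-based) - Map to nothing right` still ends on the dangling "right" from the old wrap where the neighbouring 5247488 comment reads "right now." Suggest `// Information Exposure Through Browser Caching - Cacheable HTTPS Response` and `// Ajax request header manipulation (DOM-based) - Map to nothing right now.` so the two DONTCARE entries read consistently. The cweLookup switch begins outside the hunk.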
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SonarQubeReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SonarQubeReader.java
index ab85552c..f5b32376 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SonarQubeReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SonarQubeReader.java
@@ -387,10 +387,9 @@ public static CweNumber cweLookup(String squidNumber) {
             case "S2275": // Printf-style format strings should not lead to unexpected behavior at
                 // runtime
                 return CweNumber.DONTCARE;
-            case "S2277":
-                return CweNumber.RSA_MISSING_PADDING; // Cryptographic RSA algorithms should always
-                // incorporate OAEP (Optimal Asymmetric Encryption
-                // Padding)
+            case "S2277": // Cryptographic RSA algorithms should always incorporate OAEP (Optimal
+                // Asymmetric Encryption Padding)
+                return CweNumber.RSA_MISSING_PADDING;
             case "S2278": // Benchmark Vuln: DES (Data Encryption Standard) and DESede (3DES) should
                 // not be used
                 return CweNumber.WEAK_CRYPTO_ALGO;
@@ -415,12 +414,12 @@ public static CweNumber cweLookup(String squidNumber) {
                 return CweNumber.DONTCARE;
             case "S2681": // Multiline blocks should be enclosed in curly braces
                 return CweNumber.INCORRECT_BLOCK_DELIMITATION;
-            case "S2696":
-                return CweNumber.DONTCARE; // Instance methods should not write to "static" fields
-            case "S2755":
-                return CweNumber.XXE; // XML parsers should not be vulnerable to XXE attacks
-            case "S2786":
-                return CweNumber.DONTCARE; // Nested "enum"s should not be declared static
+            case "S2696": // Instance methods should not write to "static" fields
+                return CweNumber.DONTCARE;
+            case "S2755": // XML parsers should not be vulnerable to XXE attacks
+                return CweNumber.XXE;
+            case "S2786": // Nested "enum"s should not be declared static
+                return CweNumber.DONTCARE;
             case "S2864": // "entrySet()" should be iterated when both the key and value are needed
                 return CweNumber.DONTCARE;
             case "S3008": // Static non-final field names should comply with a naming convention
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/VisualCodeGrepperReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/VisualCodeGrepperReader.java
index f5e05541..e13713ed 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/VisualCodeGrepperReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/VisualCodeGrepperReader.java
@@ -161,9 +161,7 @@ private CweNumber figureCWE(TestCaseResult tcr, Node catnode) {
                 return CweNumber.TRUST_BOUNDARY_VIOLATION;
 
             default:
-                return CweNumber.DONTCARE; // System.out.println( "Unknown vuln category for
-                // VisualCodeGrepper: " +
-                // cat );
+                return CweNumber.DONTCARE;
         }
     }
 }
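Review bot: The default branch now maps every unrecognised category to CweNumber.DONTCARE with no diagnostic at all, whereas the commented-out println it replaces at least recorded the intent to report unknown categories, and BurpReader's lookup in the same commit prints `Unknown Burp rule id` before returning DONTCARE. A category this switch does not know silently becomes a non-finding, which is invisible in the resulting score and hard to spot when the tool's output format changes. Suggest `System.out.println("Unknown VisualCodeGrepper vuln category: " + <category string>);` before the return, where the category variable is not visible in the hunk (the removed comment referred to `cat`). figureCWE begins outside the hunk.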

From 84e6fbfbf149039d121fa7586c716c3d9eb33f42 Mon Sep 17 00:00:00 2001
From: Sascha Knoop <github@darkspirit510.de>
Date: Tue, 8 Nov 2022 12:25:09 +0100
Subject: [PATCH 07/10] handle changes in semgrep result file structure

---
 .../score/parsers/SemgrepReader.java          |  20 +-
 .../score/parsers/SemgrepReaderTest.java      |  34 ++-
 .../testfiles/Benchmark_semgrep-v0.121.0.json | 202 ++++++++++++++++++
 3 files changed, 243 insertions(+), 13 deletions(-)
 create mode 100644 plugin/src/test/resources/testfiles/Benchmark_semgrep-v0.121.0.json

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SemgrepReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SemgrepReader.java
index 1720cc20..2232fc21 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SemgrepReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SemgrepReader.java
@@ -19,11 +19,7 @@
 
 import org.json.JSONArray;
 import org.json.JSONObject;
-import org.owasp.benchmarkutils.score.BenchmarkScore;
-import org.owasp.benchmarkutils.score.CweNumber;
-import org.owasp.benchmarkutils.score.ResultFile;
-import org.owasp.benchmarkutils.score.TestCaseResult;
-import org.owasp.benchmarkutils.score.TestSuiteResults;
+import org.owasp.benchmarkutils.score.*;
 
 public class SemgrepReader extends Reader {
 
@@ -199,7 +195,9 @@ private TestCaseResult parseSemgrepFindings(JSONObject result) {
                 JSONObject metadata = extra.getJSONObject("metadata");
 
                 // CWE
-                int cwe = Integer.parseInt(metadata.getString("cwe").split(":")[0].split("-")[1]);
+                String cweString = getStringOrFirstArrayIndex(metadata, "cwe");
+                int cwe = Integer.parseInt(cweString.split(":")[0].split("-")[1]);
+
                 try {
                     cwe = translate(cwe);
                 } catch (NumberFormatException ex) {
@@ -207,7 +205,7 @@ private TestCaseResult parseSemgrepFindings(JSONObject result) {
                 }
 
                 // category
-                String category = metadata.getString("owasp");
+                String category = getStringOrFirstArrayIndex(metadata, "owasp");
 
                 // evidence
                 String evidence = result.getString("check_id");
@@ -227,4 +225,12 @@ private TestCaseResult parseSemgrepFindings(JSONObject result) {
 
         return null;
     }
+
+    private static String getStringOrFirstArrayIndex(JSONObject metadata, String key) {
+        if (metadata.get(key) instanceof JSONArray) {
+            return metadata.getJSONArray(key).getString(0);
+        } else {
+            return metadata.getString(key);
+        }
+    }
 }
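Review bot: getStringOrFirstArrayIndex() throws rather than degrades on two inputs the new array-valued format makes plausible: `metadata.get(key)` raises JSONException when the key is absent, and `metadata.getJSONArray(key).getString(0)` raises it for an empty array such as `"cwe": []`; whether that aborts a single finding or the whole file depends on the catch in parseSemgrepFindings, which is outside this hunk and the two caller hunks at L5611-5621 and L5622-5631. The helper also uses only the first entry, so a rule tagged with several CWEs (the fixture's owasp array at L5737-5740 shows the multi-entry shape) has the remaining values discarded without any trace. Consider `Object value = metadata.opt(key);` with an explicit length check before indexing, and document the choice on the helper: `// Semgrep >= 0.121 emits "cwe"/"owasp" as arrays; only the first entry is scored`.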
diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/SemgrepReaderTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/SemgrepReaderTest.java
index 4be5563d..80f9b451 100644
--- a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/SemgrepReaderTest.java
+++ b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/SemgrepReaderTest.java
@@ -30,23 +30,30 @@
 
 public class SemgrepReaderTest extends ReaderTestBase {
 
-    private ResultFile resultFile;
+    private ResultFile resultFileV65;
+    private ResultFile resultFileV121;
 
     @BeforeEach
     void setUp() {
-        resultFile = TestHelper.resultFileOf("testfiles/Benchmark_semgrep-v0.65.0.json");
+        resultFileV65 = TestHelper.resultFileOf("testfiles/Benchmark_semgrep-v0.65.0.json");
+        resultFileV121 = TestHelper.resultFileOf("testfiles/Benchmark_semgrep-v0.121.0.json");
         BenchmarkScore.TESTCASENAME = "BenchmarkTest";
     }
 
     @Test
-    public void onlySemgrepReaderReportsCanReadAsTrue() {
-        assertOnlyMatcherClassIs(this.resultFile, SemgrepReader.class);
+    public void onlySemgrepReaderReportsCanReadAsTrueForV65() {
+        assertOnlyMatcherClassIs(this.resultFileV65, SemgrepReader.class);
     }
 
     @Test
-    void readerHandlesGivenResultFile() throws Exception {
+    public void onlySemgrepReaderReportsCanReadAsTrueForV121() {
+        assertOnlyMatcherClassIs(this.resultFileV121, SemgrepReader.class);
+    }
+
+    @Test
+    void readerHandlesGivenResultFileInV65() throws Exception {
         SemgrepReader reader = new SemgrepReader();
-        TestSuiteResults result = reader.parse(resultFile);
+        TestSuiteResults result = reader.parse(resultFileV65);
 
         assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType());
         assertFalse(result.isCommercial());
@@ -57,4 +64,19 @@ void readerHandlesGivenResultFile() throws Exception {
         assertEquals(CweNumber.SQL_INJECTION, result.get(1).get(0).getCWE());
         assertEquals(CweNumber.INSECURE_COOKIE, result.get(2).get(0).getCWE());
     }
+
+    @Test
+    void readerHandlesGivenResultFileInV121() throws Exception {
+        SemgrepReader reader = new SemgrepReader();
+        TestSuiteResults result = reader.parse(resultFileV121);
+
+        assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType());
+        assertFalse(result.isCommercial());
+        assertEquals("Semgrep", result.getToolName());
+
+        assertEquals(2, result.getTotalResults());
+
+        assertEquals(CweNumber.COMMAND_INJECTION, result.get(3).get(0).getCWE());
+        assertEquals(CweNumber.INSECURE_COOKIE, result.get(4).get(0).getCWE());
+    }
 }
diff --git a/plugin/src/test/resources/testfiles/Benchmark_semgrep-v0.121.0.json b/plugin/src/test/resources/testfiles/Benchmark_semgrep-v0.121.0.json
new file mode 100644
index 00000000..dee91ef1
--- /dev/null
+++ b/plugin/src/test/resources/testfiles/Benchmark_semgrep-v0.121.0.json
@@ -0,0 +1,202 @@
+{
+  "errors": [],
+  "results": [
+    {
+      "check_id": "java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call",
+      "end": {
+        "col": 44,
+        "line": 63,
+        "offset": 2350
+      },
+      "extra": {
+        "fingerprint": "b04b2629a927ec0c62a65dbf719260f058c7591b15db57c22eaa4c0d50068efa3731782ca98ff43f75f99a17de166835c74b932b5bc35c709e09a19f83328056_0",
+        "is_ignored": false,
+        "lines": "            Process p = r.exec(cmd + param);",
+        "message": "A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.",
+        "metadata": {
+          "category": "security",
+          "confidence": "LOW",
+          "cwe": [
+            "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+          ],
+          "cwe2021-top25": true,
+          "cwe2022-top25": true,
+          "impact": "HIGH",
+          "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
+          "likelihood": "LOW",
+          "owasp": [
+            "A01:2017 - Injection",
+            "A03:2021 - Injection"
+          ],
+          "references": [
+            "https://owasp.org/Top10/A03_2021-Injection"
+          ],
+          "shortlink": "https://sg.run/rd90",
+          "source": "https://semgrep.dev/r/java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call",
+          "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#COMMAND_INJECTION.",
+          "subcategory": [
+            "audit"
+          ],
+          "technology": [
+            "java"
+          ]
+        },
+        "metavars": {
+          "$RUNTIME": {
+            "abstract_content": "r",
+            "end": {
+              "col": 26,
+              "line": 63,
+              "offset": 2332
+            },
+            "propagated_value": {
+              "svalue_abstract_content": "Runtime.getRuntime()",
+              "svalue_end": {
+                "col": 41,
+                "line": 60,
+                "offset": 2290
+              },
+              "svalue_start": {
+                "col": 21,
+                "line": 60,
+                "offset": 2270
+              }
+            },
+            "start": {
+              "col": 25,
+              "line": 63,
+              "offset": 2331
+            }
+          },
+          "$TYPE": {
+            "abstract_content": "Runtime",
+            "end": {
+              "col": 16,
+              "line": 60,
+              "offset": 2265
+            },
+            "start": {
+              "col": 9,
+              "line": 60,
+              "offset": 2258
+            }
+          },
+          "$X": {
+            "abstract_content": "cmd",
+            "end": {
+              "col": 35,
+              "line": 63,
+              "offset": 2341
+            },
+            "start": {
+              "col": 32,
+              "line": 63,
+              "offset": 2338
+            }
+          },
+          "$Y": {
+            "abstract_content": "param",
+            "end": {
+              "col": 43,
+              "line": 63,
+              "offset": 2349
+            },
+            "start": {
+              "col": 38,
+              "line": 63,
+              "offset": 2344
+            }
+          }
+        },
+        "severity": "ERROR"
+      },
+      "path": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00003.java",
+      "start": {
+        "col": 13,
+        "line": 63,
+        "offset": 2319
+      }
+    },
+    {
+      "check_id": "java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly",
+      "end": {
+        "col": 40,
+        "line": 42,
+        "offset": 1833
+      },
+      "extra": {
+        "fingerprint": "4c3df9b11fc18bb0371952e86b7fb99b8d6887a7318e27c21c9efea697cece407aec6c67e7998fda8889af9418d3af1cf8cec783ca9a1f8353792348b5e50ae1_0",
+        "is_ignored": false,
+        "lines": "        response.addCookie(userCookie);",
+        "message": "A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'",
+        "metadata": {
+          "asvs": {
+            "control_id": "3.4.2 Missing Cookie Attribute",
+            "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v34-cookie-based-session-management",
+            "section": "V3: Session Management Verification Requirements",
+            "version": "4"
+          },
+          "category": "security",
+          "confidence": "LOW",
+          "cwe": [
+            "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
+          ],
+          "impact": "LOW",
+          "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
+          "likelihood": "LOW",
+          "owasp": [
+            "A05:2021 - Security Misconfiguration"
+          ],
+          "references": [
+            "https://owasp.org/Top10/A05_2021-Security_Misconfiguration"
+          ],
+          "shortlink": "https://sg.run/b7Be",
+          "source": "https://semgrep.dev/r/java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly",
+          "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#HTTPONLY_COOKIE",
+          "subcategory": [
+            "audit"
+          ],
+          "technology": [
+            "java"
+          ]
+        },
+        "metavars": {
+          "$COOKIE": {
+            "abstract_content": "userCookie",
+            "end": {
+              "col": 38,
+              "line": 42,
+              "offset": 1831
+            },
+            "start": {
+              "col": 28,
+              "line": 42,
+              "offset": 1821
+            }
+          },
+          "$RESPONSE": {
+            "abstract_content": "response",
+            "end": {
+              "col": 17,
+              "line": 42,
+              "offset": 1810
+            },
+            "start": {
+              "col": 9,
+              "line": 42,
+              "offset": 1802
+            }
+          }
+        },
+        "severity": "WARNING"
+      },
+      "path": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00004.java",
+      "start": {
+        "col": 9,
+        "line": 42,
+        "offset": 1802
+      }
+    }
+  ],
+  "version": "0.121.0"
+}

From 798597bcb75b65fea259b65c8fcf9716c0bac25a Mon Sep 17 00:00:00 2001
From: Sascha Knoop <github@darkspirit510.de>
Date: Fri, 10 Mar 2023 23:00:56 +0100
Subject: [PATCH 08/10] restore / adapt mapping comment

---
 .../owasp/benchmarkutils/score/parsers/CodeQLReader.java   | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CodeQLReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CodeQLReader.java
index 4fe333cd..00330ffb 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CodeQLReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CodeQLReader.java
@@ -190,7 +190,14 @@ private TestCaseResult parseLGTMFinding(
         return null;
     }
 
+    /**
+     * Maps detected CWE number to one that BenchmarkScore expects.
+     *
+     * @param cweNumber reported CWE number
+     * @return fixed (or same) CWE number
+     */
     private CweNumber mapCWE(Integer cweNumber) {
+        // java/predictable-seed - This mapping improves the tool's score
         if (cweNumber == 335) {
             return CweNumber.WEAK_RANDOM;
         }
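Review bot: The new comment `// java/predictable-seed - This mapping improves the tool's score` states the effect of the mapping but not its justification, which is what anyone auditing the benchmark's fairness needs; phrased this way it reads like score tuning. If the intent is that CWE-335 (Incorrect Usage of Seeds in PRNG) is a child of CWE-330 and WEAK_RANDOM represents that parent, say so: `// java/predictable-seed reports CWE-335, a child of CWE-330; Benchmark scores the parent`. The same gap applies to InsiderReader's mapCWE at L5975-5981, where the 326 -> WEAK_CRYPTO_ALGO rewrite carries no rationale at all. mapCWE's body continues outside the hunk.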

From 50c41690928967ebc722bcbe2d6d6d78b27f9427 Mon Sep 17 00:00:00 2001
From: Sascha Knoop <github@darkspirit510.de>
Date: Fri, 10 Mar 2023 23:06:22 +0100
Subject: [PATCH 09/10] restore mapping

---
 .../score/parsers/InsiderReader.java             | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/InsiderReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/InsiderReader.java
index 67d0b2ee..56bbb3a5 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/InsiderReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/InsiderReader.java
@@ -80,7 +80,7 @@ private TestCaseResult parseTestCaseResult(JSONObject finding) {
 
                 tcr.setNumber(testNumber(filename));
                 String cwe = finding.getString("cwe").substring(4);
-                tcr.setCWE(CweNumber.lookup(cwe));
+                tcr.setCWE(mapCWE(cwe));
 
                 return tcr;
             }
@@ -91,6 +91,20 @@ private TestCaseResult parseTestCaseResult(JSONObject finding) {
         return null;
     }
 
+    /**
+     * Maps detected CWE number to one that BenchmarkScore expects.
+     *
+     * @param cweNumber reported CWE number
+     * @return fixed (or same) CWE number
+     */
+    private static CweNumber mapCWE(String cweNumber) {
+        if ("326".equals(cweNumber)) {
+            return CweNumber.WEAK_CRYPTO_ALGO;
+        }
+
+        return CweNumber.lookup(cweNumber);
+    }
+
     private String filename(JSONObject vuln) {
         String className = vuln.getString("class");
         return className.substring(0, className.indexOf(' '));

From 09513237337f7d4fb33feb5fb1d39ce3ca573c5d Mon Sep 17 00:00:00 2001
From: Sascha Knoop <github@darkspirit510.de>
Date: Wed, 28 Dec 2022 11:53:53 +0100
Subject: [PATCH 10/10] revert wildcard import

---
 .../owasp/benchmarkutils/score/parsers/SemgrepReader.java   | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SemgrepReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SemgrepReader.java
index bb4de567..1edfa797 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SemgrepReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SemgrepReader.java
@@ -19,7 +19,11 @@
 
 import org.json.JSONArray;
 import org.json.JSONObject;
-import org.owasp.benchmarkutils.score.*;
+import org.owasp.benchmarkutils.score.BenchmarkScore;
+import org.owasp.benchmarkutils.score.CweNumber;
+import org.owasp.benchmarkutils.score.ResultFile;
+import org.owasp.benchmarkutils.score.TestCaseResult;
+import org.owasp.benchmarkutils.score.TestSuiteResults;
 
 public class SemgrepReader extends Reader {