Update CheckmarxReader.java

Fix error in the reading of Checkmarx results

Author: ErezYalon

src/main/java/org/owasp/benchmark/score/parsers/CheckmarxReader.java

@@ -42,7 +42,7 @@ public TestResults parse(File f) throws Exception {
         Document doc = docBuilder.parse(is);
 
         TestResults tr = new TestResults( "Checkmarx CxSAST",true, TestResults.ToolType.SAST );
-       
+
         // <CxXMLResults DeepLink="http://CHECKMARX2/CxWebClient/ViewerMain.aspx?scanid=52869&amp;projectid=30265"
         // ScanStart="Monday, July 27, 2015 4:50:08 PM" Preset="Default 2014" ScanTime="13h:54m:20s"
         // LinesOfCodeScanned="1507279" FilesScanned="21075" ReportCreationTime="Tuesday, July 28, 2015 8:38:30 AM"
@@ -51,10 +51,10 @@ public TestResults parse(File f) throws Exception {
         Node root = doc.getDocumentElement();
         String version = getAttributeValue( "CheckmarxVersion", root );
         tr.setToolVersion( version );
-        
+
         String time = getAttributeValue("ScanTime", root);
         tr.setTime( time );
-        
+
         List<Node> queryList = getNamedChildren( "Query", root );
 
         for ( Node query : queryList ) {            
@@ -68,7 +68,7 @@ public TestResults parse(File f) throws Exception {
         }
         return tr;
     }
-    
+
     private TestCaseResult parseCheckmarxVulnerability(Node query, Node result) {
         TestCaseResult tcr = new TestCaseResult();
         // <Query id="594" cweId="89" name="SQL_Injection" group="Java_High_Risk" Severity="High"
@@ -80,27 +80,72 @@ private TestCaseResult parseCheckmarxVulnerability(Node query, Node result) {
         // state="0" Remark=""
         // DeepLink="http://CHECKMARX2/CxWebClient/ViewerMain.aspx?scanid=52869&amp;projectid=30265&amp;pathid=2318"
         // SeverityIndex="3">
-        
+
         String cwe = getAttributeValue("cweId", query);
         if ( cwe != null ) {
             tcr.setCWE( translate( Integer.parseInt(cwe ) ) );
         } else {
             System.out.println( "flaw: " + query );
         }
-        
+
         String name = getAttributeValue("name", query);
         tcr.setCategory( name );
         // filter out dynamic SQL queries because they report SQL injection separately - these are just dynamic SQL
-        if ( name.equals( "Dynamic_SQL_Queries" ) ) {
+		//Other queries are filtered because they are a CHILD_OF of some other query and they share the same cwe id 
+		//We only want the results from the queries that are relevant (PARENT_OF) for the benchmark project
+        if ( name.equals( "Dynamic_SQL_Queries" ) ||
+			 name.equals( "Heuristic_2nd_Order_SQL_Injection" ) ||
+			 name.equals( "Heuristic_SQL_Injection" ) ||
+			 name.equals( "Second_Order_SQL_Injection" ) ||
+			 name.equals( "Blind_SQL_Injections" ) ||
+			 name.equals( "Improper_Build_Of_Sql_Mapping" ) ||
+			 name.equals( "SQL_Injection_Evasion_Attack" ) ||
+			 name.equals( "Potential_SQL_Injection" ) ||
+			 name.equals( "Client_Side_Injection" ) ||
+             name.equals( "GWT_DOM_XSS" ) ||
+             name.equals( "GWT_Reflected_XSS" ) ||
+             name.equals( "Heuristic_CGI_Stored_XSS" ) ||
+             name.equals( "Heuristic_Stored_XSS" ) ||
+             name.equals( "Stored_XSS" ) ||
+             name.equals( "Suspected_XSS" ) ||
+             name.equals( "UTF7_XSS" ) ||
+             name.equals( "CGI_Stored_XSS" ) ||
+             name.equals( "Potential_GWT_Reflected_XSS" ) ||
+             name.equals( "Potential_I_Reflected_XSS_All_Clients" ) ||
+             name.equals( "Potential_IO_Reflected_XSS_All_Clients" ) ||
+             name.equals( "Potential_O_Reflected_XSS_All_ClientsS" ) ||
+             name.equals( "Potential_Stored_XSS" ) ||
+             name.equals( "Potential_UTF7_XSS" ) ||
+			 name.equals( "Stored_Command_Injection" ) ||
+             name.equals( "CGI_Reflected_XSS_All_Clients" )) {
             return null;
         }
 
-        tcr.setConfidence( Integer.parseInt( getAttributeValue( "SeverityIndex", result) ) );
-        
+		//In the output xml file from Checkmarx there is no attribute on the node "query" named SeverityIndex
+        //tcr.setConfidence( Integer.parseInt( getAttributeValue( "SeverityIndex", result) ) );
+
         tcr.setEvidence( getAttributeValue( "name", query ) );
- 
-        String testcase = getAttributeValue( "FileName", result );
-        testcase = testcase.substring( testcase.lastIndexOf('/') +1);
+
+		/* Some results do not appear in the previous version of this parser because it only look for the attribute "FileName"
+		*  Checkmarx have some results where the input does not start in a BenchmarkTest file so it was necessary to make some changes
+		*  We must consider a good result if the result node "FileName" startsWith BenchmarkTest file or if the last PathNode ends in a "FileName" that startsWith BenchmarkTest file. 
+		*  An example is the SeparateClassRequest.java file that have some inputs that we catch but are not been considered as a valid result (FN)
+		*/
+		
+		//Get the Path element inside Result
+		 List<Node> paths = getNamedChildren("Path", result);
+		//Get ALL the PathNodes elements inside each Path
+		 List<Node> pathNodes = getNamedChildren("PathNode", paths.get(0));
+		//Get the lAST PathNode element from the list above
+		 Node last = pathNodes.get(pathNodes.size() -1);
+		//Get the FileName element inside the last PathNode
+		 List<Node> fileNames = getNamedChildren( "FileName", last );
+		 Node fileNameNode = fileNames.get(0);
+
+		//If the result starts in a BenchmarkTest file
+        String testcase = getAttributeValue("FileName", result);
+		//A change was made in the following line due to the paths in the xml outputs file, they are windows based '\\'
+        testcase = testcase.substring( testcase.lastIndexOf('\\') +1);
         if ( testcase.startsWith( "BenchmarkTest" ) ) {
             String testno = testcase.substring( "BenchmarkTest".length(), testcase.length() -5 );
             try {
@@ -110,7 +155,21 @@ private TestCaseResult parseCheckmarxVulnerability(Node query, Node result) {
             }
             return tcr;
         }
-        
+		//If not, then the last PastNode must end in a FileName that startsWith BenchmarkTest file
+        else{
+          String testcase2 = fileNameNode.getFirstChild().getNodeValue();
+          testcase2 = testcase2.substring( testcase2.lastIndexOf('\\') +1);
+          if ( testcase2.startsWith( "BenchmarkTest" ) ) {
+              String testno2 = testcase2.substring( "BenchmarkTest".length(), testcase2.length() -5 );
+              try {
+                  tcr.setNumber( Integer.parseInt( testno2 ) );
+              } catch ( NumberFormatException e ) {
+                  e.printStackTrace();
+              }
+              return tcr;
+          }
+        }
+
         return null;
     }