Add support for SonarQube HotSpot API JSON results. HotSpots are

security specific areas of concern identified by SonarQube.

Author: davewichers

pom.xml

@@ -301,7 +301,7 @@
 										-Dcontrast.application.path=/
 										-Dcontrast.assess.rules.disabled_rules="autocomplete-missing,cache-controls-missing,clickjacking-control-missing,csrf"
 										-Dcontrast.assess.threshold.entries=100000
-										-Dcontrast.defend.enabled=false
+										-Dcontrast.protect.enable=false
 										-Dcontrast.level=debug
 										-Dcontrast.log.daily=true
 									</cargo.jvmargs>

src/main/java/org/owasp/benchmark/score/BenchmarkScore.java

@@ -705,19 +705,33 @@ else if ( line2 != null && line2.contains("Vendor") && line2.contains("Checkmarx
 					tr = new SemgrepReader().parse( jsonobj );
 				} catch (JSONException e) {
 
-					try {
-						jsonobj.getJSONArray("issues");
-						tr = new SonarQubeJsonReader().parse( fileToParse );
-					} catch (JSONException e2) {
-
-						try {
-							jsonobj.getJSONArray("issue_events");
-							tr = new BurpJsonReader().parse( fileToParse );
-						} catch (JSONException e3) {
+				// Note: Each of the remaining try blocks is nested under the one above, but we shown them
+				// inline as they would get too deep otherwise
+				try {
+					// SonarQube has two different JSON formats, one for standard issues and
+					// another for 'hotspots' which are securit issues. Both are handled by the same
+					// parser for SonarQube.
+					jsonobj.getJSONArray("issues");
+					tr = new SonarQubeJsonReader().parse( fileToParse );
+				} catch (JSONException e2) {
+
+				try {
+					jsonobj.getJSONArray("hotspots");
+					tr = new SonarQubeJsonReader().parse( fileToParse );
+				} catch (JSONException e3) {
+
+				try {
+					jsonobj.getJSONArray("issue_events");
+					tr = new BurpJsonReader().parse( fileToParse );
+
+					// This is the final catch that says we couldn't find a matching parser
+						} catch (JSONException e4) {
 							System.out.println("Error: No matching parser found for JSON file: " + filename);
 						}
-					}
-				}
+
+						} // end catch SonarQubeJsonReader - hotspots
+					} // end catch SonarQubeJsonReader - issues
+				} // end catch SemgrepReader
             }
         }
 

src/main/java/org/owasp/benchmark/score/parsers/ContrastReader.java

@@ -25,6 +25,7 @@
 import java.util.Date;
 
 import org.json.JSONObject;
+
 import org.owasp.benchmark.score.BenchmarkScore;
 
 public class ContrastReader extends Reader {
@@ -49,11 +50,11 @@ public TestResults parse(File f) throws Exception {
 					if (line.startsWith("{\"hash\":")) {
 						parseContrastFinding(tr, line);
 					} else if (line.contains("Agent Version:")) {
-						String version = line.substring(line.indexOf("Version:") + 8);
+						String version = line.substring(line.indexOf("Version:") + "Version:".length());
 						tr.setToolVersion(version.trim());
 					// TODO: expand length of "00001" to match length of TESTCASE_NAME rather than exactly 5
 					} else if (line.contains("DEBUG - >>> [URL") &&
-								line.contains(BenchmarkScore.TESTCASENAME+"00001")) {
+						line.contains(BenchmarkScore.TESTCASENAME+"00001")) {
 						firstLine = line;
 					} else if (line.contains("DEBUG - >>> [URL")) {
 						lastLine = line;
@@ -148,5 +149,4 @@ private String calculateTime(String firstLine, String lastLine) {
 		}
 		return null;
 	}
-
 }

src/main/java/org/owasp/benchmark/score/parsers/SonarQubeJsonReader.java

@@ -30,29 +30,41 @@
 public class SonarQubeJsonReader extends Reader {
 
 	public TestResults parse( File f ) throws Exception {
+
+		TestResults tr = new TestResults( "SonarQube", false, TestResults.ToolType.SAST);
+
+		// If the filename includes an elapsed time in seconds (e.g., TOOLNAME-seconds.xml),
+		// set the compute time on the score card.
+		tr.setTime(f);
+
 		String content = new String(Files.readAllBytes(Paths.get(f.getPath())));
 
 		JSONObject obj = new JSONObject(content);
 		// int version = obj.getInt( "formatVersion" );
 		JSONArray arr;
+
+		boolean hotSpotIssue = true;
+
+		// Figure out if there are quality issues or security hotspots in the JSON file
+		// Each has a different JSON format.
 		try {
 			arr = obj.getJSONArray("issues");
+			hotSpotIssue = false;
 		} catch (JSONException e) {
-			System.out.println("ERROR: Couldn't find 'issues' element in SonarQube JSON results."
-				+ " Maybe not SonarQube results file?" );
-			return null;
+			try {
+				arr = obj.getJSONArray("hotspots");
+			} catch (JSONException e2) {
+				System.out.println("ERROR: Couldn't find 'issues' or 'hotspots' element in SonarQube JSON results."
+					+ " Maybe not SonarQube results file?" );
+				return null;
+			}
 		}
 
-		TestResults tr = new TestResults( "SonarJava", false, TestResults.ToolType.SAST);
-
-		// If the filename includes an elapsed time in seconds (e.g., TOOLNAME-seconds.xml),
-		// set the compute time on the score card.
-		tr.setTime(f);
-
 		int numIssues = arr.length();
-		for (int i = 0; i < numIssues; i++)
-		{
-			TestCaseResult tcr = parseSonarQubeFinding( arr.getJSONObject(i) );
+		for (int i = 0; i < numIssues; i++) {
+
+			TestCaseResult tcr = (hotSpotIssue? parseSonarQubeHotSpotIssue( arr.getJSONObject(i) ) :
+			                                    parseSonarQubeQualityIssue( arr.getJSONObject(i) ));
 			if ( tcr != null ) {
 				tr.put( tcr );
 			}
@@ -61,7 +73,7 @@ public TestResults parse( File f ) throws Exception {
 		return tr;
 	}
 
-	/**
+	/** -- Example of Quality Issue JSON object
 	VULNERABILITY",
 	"tags":["cwe","owasp-a2","owasp-a6"],
 	"component":"org.owasp:benchmark:src\/main\/java\/org\/owasp\/benchmark\/testcode\/BenchmarkTest02710.java",
@@ -86,7 +98,10 @@ public TestResults parse( File f ) throws Exception {
 
 	**/
 
-	private TestCaseResult parseSonarQubeFinding(JSONObject finding ) {
+	// Quality Issues are normal SonarQube findings that are mostly not relevant to security
+	// However, there are a small number of security issues that do show up this way so we have
+	// to support both
+	private TestCaseResult parseSonarQubeQualityIssue(JSONObject finding ) {
 		try {
 			TestCaseResult tcr = new TestCaseResult();
 			String filename = null;
@@ -116,5 +131,103 @@ private TestCaseResult parseSonarQubeFinding(JSONObject finding ) {
 		return null;
 	}
 
+// The parseSonarQubeQualityIssue() method above relies on the SQUID # mapping method in SonarQubeReader.cweLookup()
+
+	/** -- Example of HotSpot Issue JSON object
+	"hotspots": [
+	  {
+		"key": "AXYEidyZsoEy1bftafT5",
+		"component": "owasp-benchmark-sonarce:src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00008.java",
+		"project": "owasp-benchmark-sonarce",
+		"securityCategory": "sql-injection",
+		"vulnerabilityProbability": "HIGH",
+		"status": "TO_REVIEW",
+		"line": 58,
+		"message": "Ensure that string concatenation is required and safe for this SQL query.",
+		"author": "[email protected]",
+		"creationDate": "2015-08-26T05:13:42+0200",
+		"updateDate": "2020-11-26T12:53:38+0100"
+	  },
+	**/
+
+	// Hotspot Issues are SonarQube security findings.
+	private TestCaseResult parseSonarQubeHotSpotIssue(JSONObject finding ) {
+		try {
+			TestCaseResult tcr = new TestCaseResult();
+			String filename = null;
+
+			filename = finding.getString("component");
+			filename = filename.replaceAll( "\\\\", "/"); // In case there are \ instead of / in the path
+			filename = filename.substring( filename.lastIndexOf( '/' ) );
+			if ( filename.contains( BenchmarkScore.TESTCASENAME ) ) {
+				String testNumber = filename.substring( BenchmarkScore.TESTCASENAME.length() + 1,
+						filename.length() - 5 );
+				tcr.setNumber( Integer.parseInt( testNumber ) );
+				String secCat = finding.getString("securityCategory");
+				if ( secCat == null || secCat.equals("none") ) {
+					return null;
+				}
+				int cwe = securityCategoryCWELookup(secCat, finding.getString("message"));
+				tcr.setCWE( cwe );
+				tcr.setCategory( secCat );
+				tcr.setEvidence( "vulnerabilityProbability: " + finding.getString("vulnerabilityProbability") );
+			}
+
+			return tcr;
+		} catch (Exception e ) {
+			e.printStackTrace();
+		}
+		return null;
+	}
+
+	/*
+	 * Some of these findings are badly mapped. For example:
+	 *      "securityCategory": "xss",
+	 *      "message": "Make sure creating this cookie without the \"HttpOnly\" flag is safe.",
+	 *  While HttpOnly is a feature to help defend against XSS, it should really be mapped to
+	 *  CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag. So we use the 'message' description
+	 *            in some findings to move such issues to the 'right' CWE.
+	 *  As such, we specifically look at the message in some cases to fix the mapping.
+	 */
+	public static int securityCategoryCWELookup(String secCat, String message) {
+		// Not sure where to look up all the possible security categories in SonarQube, but the mappings
+		// seem obvious enough.
+
+		// Given their horrible mapping scheme, we check each message to detect whether their might be a new
+		// 'message' mapped to an existing CWE (that might be wrong).
+		if ( !("Make sure that using this pseudorandom number generator is safe here.".equals(message) ||
+				"Ensure that string concatenation is required and safe for this SQL query.".equals(message) ||
+				"Make sure creating this cookie without the \"secure\" flag is safe here.".equals(message) ||
+				"Make sure that hashing data is safe here.".equals(message) ||
+				"Make sure creating this cookie without the \"HttpOnly\" flag is safe.".equals(message)) )
+		{
+			System.out.println("WARN: Found new SonarQube HotSpot rule not seen before. Category: "
+				+ secCat + " with message: '" + message + "'");
+		}
+
+		switch( secCat ) {
+
+		case "sql-injection" : return 89;  // "Ensure that string concatenation is required and safe for this SQL query."
+		case "insecure-conf" : return 614; // "Make sure creating this cookie without the \"secure\" flag is safe here."
+		case "xss"           : // "Make sure creating this cookie without the \"HttpOnly\" flag is safe."
+			{
+				if (message != null && message.contains("HttpOnly")) return 1004;
+				  else return 79; // Actual XSS CWE
+			}
+		case "weak-cryptography" : // "Make sure that using this pseudorandom number generator is safe here."
+			{  // or "Make sure that hashing data is safe here."
+				if (message != null) {
+					if (message.contains("pseudorandom")) return 330;
+					if (message.contains("hashing")) return 328;
+					else return 0000;
+				}
+				  else return 327; // Actual Weak Crypto CWE
+			}
+		default: System.out.println( "WARN: Failed to translate SonarQube security category: " + secCat );
+		}
+
+		return -1;
+	}
+
 	// This parser relies on the SQUID # mapping method in SonarQubeReader.cweLookup()
 }