Upgrade FindSecBugs plugin and minor improvement to Findbugs scorecard

davewichers · davewichers · commit 2cbdd02078e3 · 2020-03-13T17:53:25.000-04:00
generator to handle a new type of issue now reported by FindSecBugs.
diff --git a/pom.xml b/pom.xml
@@ -85,7 +85,7 @@
 								<plugin>
 									<groupId>com.h3xstream.findsecbugs</groupId>
 									<artifactId>findsecbugs-plugin</artifactId>
-									<version>1.9.0</version>
+									<version>1.10.1</version>
 								</plugin>
 							</plugins>
 						</configuration>
diff --git a/src/main/java/org/owasp/benchmark/score/parsers/FindbugsReader.java b/src/main/java/org/owasp/benchmark/score/parsers/FindbugsReader.java
@@ -128,12 +128,13 @@ else if ( cwe.equals( "326" ) ) {
 		}
 
 		//This is a fallback mapping for unsupported/old versions of the Find Security Bugs plugin
+		//as defined in: findsecbugs-plugin/src/main/resources/metadata/findbugs.xml
 		//All important bug patterns have their CWE ID associated in later versions (1.4.3+).
 		switch ( cat ) {
 			//Cookies
 			case "SECIC" : 		return 614;  // insecure cookie use
-			case "SECCU" :      return 00; // servlet cookie
-			case "SECHOC" :		return 00; // HTTP Only not set on cookie - Information Leak / Disclosure (CWE-200)??
+			case "SECCU" : 		return 00;   // servlet cookie
+			case "SECHOC" :		return 00;   // HTTP Only not set on cookie - Information Leak / Disclosure (CWE-200)??
 
 			//Injections
 			case "SECSQLIHIB"     : return 564;  // Hibernate Injection, child of SQL Injection
@@ -156,7 +157,7 @@ else if ( cwe.equals( "326" ) ) {
 
 			//Weak encryption
 			case "SECDU" : 		return 327;  // weak encryption DES
-			case "CIPINT" : 	return 327;	 // weak encryption - cipher with no integrity
+			case "CIPINT" : 	return 327;  // weak encryption - cipher with no integrity
 			case "PADORA" : 	return 327;  // padding oracle -- FIXME: probably wrong
 			case "STAIV" : 		return 329;  // static initialization vector for crypto
 
@@ -173,19 +174,22 @@ else if ( cwe.equals( "326" ) ) {
 			case "SECXSS2" :	return 79;   // XSS
 
 			//XXE
-			case "SECXXEDOC" :  return 611;  // XXE
-			case "SECXXEREAD" :  return 611;  // XXE
-			case "SECXXESAX" :  return 611;  // XXE
+			case "SECXXEDOC" :      return 611;  // XXE
+			case "SECXXEREAD" :     return 611;  // XXE
+			case "SECXXESAX" :      return 611;  // XXE
 
 			//Input sources
-			case "SECSP" : 		return 00;	 // servlet parameter - not a vuln
-			case "SECSH" : 		return 00;   // servlet header -- not a vuln
+			case "SECSP" : 		return 00;   // servlet parameter - not a vuln
+			case "SECSH" : 		return 00;   // servlet header - not a vuln
 			case "SECSHR" : 	return 00;   // Use of Request Header -- spoofable
 			case "SECSSQ" : 	return 00;   // servlet query - not a vuln
 
 			//Technology detection
-			case "SECSC" : 		return 00;	 // found Spring endpoint - not a vuln
-			case "SECJRS"  :    return 00;   // JAX-RS Endpoint
+			case "SECSC" : 		return 00;   // found Spring endpoint - not a vuln
+			case "SECJRS" : 	return 00;   // JAX-RS Endpoint
+
+			//Configuration
+			case "SECOPFP" :        return 00;   // Overly Permissive File Permissions
 
 			default : System.out.println( "Unknown vuln category for FindBugs: " + cat );
 		}
