From 0f9ffeb3d66110fbb840e41ef9f52d9570c49a7b Mon Sep 17 00:00:00 2001
From: mcprol
Date: Sun, 10 Nov 2019 16:30:30 +0100
Subject: [PATCH 1/2] fix kiuwan reader

---
 .../benchmark/score/parsers/KiuwanReader.java | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/src/main/java/org/owasp/benchmark/score/parsers/KiuwanReader.java b/src/main/java/org/owasp/benchmark/score/parsers/KiuwanReader.java
index e89aa5a460..95c198dfbc 100644
--- a/src/main/java/org/owasp/benchmark/score/parsers/KiuwanReader.java
+++ b/src/main/java/org/owasp/benchmark/score/parsers/KiuwanReader.java
@@ -41,15 +41,24 @@ public TestResults parse( File f ) throws Exception {
 // String resultsFormatVersion = obj.getString( "version" );
 // Note: no threadfix version info included in format.
 JSONArray findings = obj.getJSONArray("findings");
+
+ String source = obj.getString("source");
- TestResults tr = new TestResults( "Kiuwan", true, TestResults.ToolType.SAST);
+ TestResults tr = new TestResults(source, true, TestResults.ToolType.SAST);
 // Scan time is not included in the threadfix schema. But scan time is provided on their web site next to results
 tr.setTime(f); // This grabs the scan time out of the filename, if provided
 // e.g., Benchmark_1.2_Kiuwan-660.threadfix, means the scan took 660 seconds.
 // Set the version of Kiuwan used to do the scan (Can't because that info isn't provided)
 // It is provided on their web site. Looks like: Engine version master.p561.q11382.a1870.i501
-// tr.setToolVersion(driver.getString("version"));
+ // We will use the created date. format: "created":"2019-11-05T21:24:49Z"
+ String created = obj.getString("created");
+ if (null != created) {
+ created = created.replace("-", "");
+ created = created.replace(":", "");
+ created = created.trim();
+ tr.setToolVersion(created);
+ }
 //System.out.println("Found: " + findings.length() + " findings.");
 for (int i = 0; i < findings.length(); i++)
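Review bot: The new `String source = obj.getString("source");` line drops the fixed tool name in favour of a value read from the report, but nothing handles a report that lacks the key — if this reader's JSONObject is org.json's (to be confirmed from the imports, which are outside the hunk), `getString` throws JSONException on a missing key rather than returning null, so the `null != created` check below never fires and a missing field aborts the whole parse. The same dead null checks recur in the second patch's hunk at -41,23 +41,26 over `metadata`, `Kiuwan-AnalysisDuration` and `Kiuwan-EngineVersion`. Use the lenient accessors with the old literal as fallback, `String source = obj.optString("source", "Kiuwan");`, and `optString(key, null)` / `optJSONObject(key)` wherever a null check is intended. Since the tool name now originates in the input file, a short comment on the new line saying where that name is later used would tell a reader whether it needs validating. parse continues past the end of the hunk.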
@@ -68,8 +77,10 @@ public TestResults parse( File f ) throws Exception {
 private TestCaseResult parseKiuwanFinding(JSONObject finding) {
 try {
 TestCaseResult tcr = new TestCaseResult();
- JSONObject staticDetails = finding.getJSONObject("staticDetails");
- String filename = staticDetails.getJSONArray("dataFlow").getJSONObject(0).getString("file");
+ JSONObject staticDetails = finding.getJSONObject("staticDetails");
+ JSONArray dataFlow = staticDetails.getJSONArray("dataFlow");
+ int propagationPathLength = dataFlow.length()-1;
+ String filename = dataFlow.getJSONObject(propagationPathLength).getString("file");
 filename = filename.substring( filename.lastIndexOf( '/' ) );
 if ( filename.contains( BenchmarkScore.BENCHMARKTESTNAME ) ) {
 String testNumber = filename.substring( BenchmarkScore.BENCHMARKTESTNAME.length() + 1, filename.length() - 5 );

From f4c7303c679edf21e4f071741681f68de035530e Mon Sep 17 00:00:00 2001
From: mcprol
Date: Mon, 18 Nov 2019 11:22:03 +0100
Subject: [PATCH 2/2] read analysis metadata from threadfix report

---
 .../benchmark/score/parsers/KiuwanReader.java | 29 ++++++++++---------
 1 file changed, 16 insertions(+), 13 deletions(-)

diff --git a/src/main/java/org/owasp/benchmark/score/parsers/KiuwanReader.java b/src/main/java/org/owasp/benchmark/score/parsers/KiuwanReader.java
index 95c198dfbc..cc8719ed3e 100644
--- a/src/main/java/org/owasp/benchmark/score/parsers/KiuwanReader.java
+++ b/src/main/java/org/owasp/benchmark/score/parsers/KiuwanReader.java
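Review bot: `int propagationPathLength = dataFlow.length()-1;` evaluates to -1 for a finding whose `dataFlow` array is empty, so the `getJSONObject(propagationPathLength)` on the next line throws; the old index 0 failed the same way, but now that the index is computed explicitly it can be checked first, e.g. `if (dataFlow.length() == 0) { return null; }` — whether null is the right value depends on the catch clause, which lies outside the hunk. The name is also misleading: it is the index of the last step, not a length, so `lastStepIndex` would read better. A one-line comment should record why the last step is now used instead of the first, e.g. `// attribute the finding to the file of the last data-flow step (presumably the sink) rather than the first` — confirm that this is what the threadfix dataFlow ordering means. parseKiuwanFinding continues past the end of the hunk.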
@@ -41,23 +41,26 @@ public TestResults parse( File f ) throws Exception {
 // String resultsFormatVersion = obj.getString( "version" );
 // Note: no threadfix version info included in format.
 JSONArray findings = obj.getJSONArray("findings");
+ JSONObject metadata = obj.getJSONObject("metadata");
 String source = obj.getString("source");
 TestResults tr = new TestResults(source, true, TestResults.ToolType.SAST);
- // Scan time is not included in the threadfix schema. But scan time is provided on their web site next to results
- tr.setTime(f); // This grabs the scan time out of the filename, if provided
- // e.g., Benchmark_1.2_Kiuwan-660.threadfix, means the scan took 660 seconds.
+
+ // Scan time is included in the threadfix schema: "metadata/Kiuwan-AnalysisDuration"
+ if (null != metadata) {
+ String analysisDuration = metadata.getString("Kiuwan-AnalysisDuration");
+ if (null != analysisDuration) {
+ tr.setTime(analysisDuration);
+ }
+ }
- // Set the version of Kiuwan used to do the scan (Can't because that info isn't provided)
- // It is provided on their web site. Looks like: Engine version master.p561.q11382.a1870.i501
- // We will use the created date. format: "created":"2019-11-05T21:24:49Z"
- String created = obj.getString("created");
- if (null != created) {
- created = created.replace("-", "");
- created = created.replace(":", "");
- created = created.trim();
- tr.setToolVersion(created);
+ // Set the version of Kiuwan used to do the scan: "metadata/Kiuwan-EngineVersion"
+ if (null != metadata) {
+ String engineVersion = metadata.getString("Kiuwan-EngineVersion");
+ if (null != engineVersion) {
+ tr.setToolVersion(engineVersion);
+ }
 }
 //System.out.println("Found: " + findings.length() + " findings.");
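Review bot: `tr.setTime(analysisDuration);` hands a raw string from the report to `setTime`, where the removed line passed the File and the removed comment documented the unit (seconds, parsed from the filename); neither the new comment nor the code says what unit or format `Kiuwan-AnalysisDuration` carries or whether a String overload of `setTime` parses it, so the comment on that line should state it, e.g. `// Kiuwan-AnalysisDuration: analysis wall-clock time in seconds (verify against a sample report and the setTime(String) overload)`. The two `if (null != metadata)` blocks guard the same object and can be merged into one block that reads both keys. parse continues past the end of the hunk.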
@@ -121,7 +124,7 @@ private TestCaseResult parseKiuwanFinding(JSONObject finding) {
 private int fixCWE( String cweNumber ) {
 int cwe = Integer.parseInt( cweNumber );
 if ( cwe == 564 ) cwe = 89; // SQLi
- if ( cwe == 77 ) cwe = 78; // Command Injection
+ if ( cwe == 77 ) cwe = 78; // Command Injection
 return cwe;
 }