Skip to content

Use CWE in findings list report instead of problem type mapping #87

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
davewichers merged 2 commits into from
Dec 3, 2019
Merged

Use CWE in findings list report instead of problem type mapping #87

Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d2a3ae1
Use CWE in findings list report instead of problem type mapping
jankuehl Dec 3, 2019
dd34136
Use problem type <-> CWE number mapping for older reports
jankuehl Dec 3, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Use problem type <-> CWE number mapping for older reports
  • Loading branch information
@jankuehl
jankuehl committed Dec 3, 2019
commit dd3413639138b53366bd55e0e411a8a3fb1d5ea6
55 changes: 54 additions & 1 deletion src/main/java/org/owasp/benchmark/score/parsers/XanitizerReader.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,11 @@ public void startElement(final String uri, final String localName, final String
case "XanitizerFindingsList":

String version = attributes.getValue("xanitizerVersionShort");
// for backward compatibility - use full version
if (version == null) {
version = attributes.getValue("xanitizerVersion");
version = version.replace('/', '-');
}
tr.setToolVersion(version);

break;
Expand Down Expand Up @@ -98,7 +103,7 @@ public void endElement(final String uri, final String localName, final String qN
// Finishing a finding.

// Defensiveness: This condition should always be true.
if (m_ProblemTypeId != null && m_Class != null && m_Classification != null && m_CWE > -1) {
if (m_ProblemTypeId != null && m_Class != null && m_Classification != null) {

// Skip informational findings.
if (!m_Classification.equals("Information")) {
Expand All @@ -117,6 +122,12 @@ public void endElement(final String uri, final String localName, final String qN
testCaseNumber = -1;
}

// for backward compatibility
// for reports without CWE numbers - map problem type to CWE number
if (m_CWE < 0) {
m_CWE = figureCWE(m_ProblemTypeId);
}

if (testCaseNumber >= 0) {
final TestCaseResult tcr = new TestCaseResult();

Expand Down Expand Up @@ -156,5 +167,47 @@ public void characters(final char ch[], final int start, final int length)
return tr;
}

private static int figureCWE(final String problemTypeId) {
switch (problemTypeId) {
case "ci:CommandInjection":
return 78;

case "SpecialMethodCall:WeakEncryption":
return 327;

case "SpecialMethodCall:WeakHash":
return 328;

case "ci:LDAPInjection":
return 90;

case "pt:PathTraversal":
return 22;

case "cook:UnsecuredCookie":
return 614;

case "ci:SQLInjection":
return 89;

case "tbv:TrustBoundaryViolationSession":
return 501;

case "SpecialMethodCall:java.util.Random":
return 330;

case "ci:XPathInjection":
return 643;

case "xss:XSSFromRequest":
case "xss:XSSFromDb":
return 79;

default:
// Dummy.
return 0;
}
}

}