Remove some files that belong to other Benchmark projects. Simplify p…

…om file, and update a few parsers to match changes in public Benchmark and fix 1-2 bugs I introduced a while ago.
OWASP-Benchmark · Sep 22, 2021 · 300c3ac · 300c3ac
1 parent 2a72d59
commit 300c3ac
Show file tree

Hide file tree

Showing 15 changed files with 20 additions and 155 deletions.
diff --git a/.gitignore b/.gitignore
@@ -11,5 +11,6 @@
 .settings/
 *.DS_Store
 plugin/src/main/resources/benchmark.properties
+internalonly/
 target/
 
diff --git a/.mvn/extensions.xml b/.mvn/extensions.xml
diff --git a/internal/anonymousScoringConfig.yaml b/internal/anonymousScoringConfig.yaml
diff --git a/internal/julietscoringconfig.yaml b/internal/julietscoringconfig.yaml
diff --git a/internal/mixedAnonScoringConfig.yaml b/internal/mixedAnonScoringConfig.yaml
diff --git a/internal/mixedAveScoringConfig.yaml b/internal/mixedAveScoringConfig.yaml
diff --git a/internal/mixedScoringConfig.yaml b/internal/mixedScoringConfig.yaml
diff --git a/internal/score_v1.3config.yaml b/internal/score_v1.3config.yaml
diff --git a/plugin/pom.xml b/plugin/pom.xml
@@ -13,93 +13,6 @@
         <version>1.3</version>
     </parent>
 
-    <!-- NORMAL -->
-    <profiles>
-
-        <profile>
-            <id>crawler</id>
-            <build>
-                <plugins>
-                    <plugin>
-                        <groupId>org.codehaus.mojo</groupId>
-                        <artifactId>exec-maven-plugin</artifactId>
-                        <version>${version.exec.maven}</version>
-                        <executions>
-                            <execution>
-                                <phase>validate</phase>
-                                <goals>
-                                    <goal>java</goal>
-                                </goals>
-                                <configuration>
-                                    <mainClass>org.owasp.benchmarkutils.tools.BenchmarkCrawler</mainClass>
-                                    <arguments>
-                                        <argument>${addlArg1}</argument> <!-- -f here -->
-                                        <argument>${addlArg2}</argument> <!-- filename here -->
-                                    </arguments>
-                                </configuration>
-                            </execution>
-                        </executions>
-                    </plugin>
-                </plugins>
-            </build>
-        </profile>
-
-        <profile>
-            <id>scorecard</id>
-            <build>
-                <plugins>
-                    <plugin>
-                        <groupId>org.codehaus.mojo</groupId>
-                        <artifactId>exec-maven-plugin</artifactId>
-                        <version>${version.exec.maven}</version>
-                        <executions>
-                            <execution>
-                                <phase>validate</phase>
-                                <goals>
-                                    <goal>java</goal>
-                                </goals>
-                                <configuration>
-                                    <mainClass>org.owasp.benchmarkutils.score.BenchmarkScore</mainClass>
-                                    <systemProperties>
-                                        <systemProperty>
-                                            <key>java.awt.headless</key>
-                                            <value>true</value>
-                                        </systemProperty>
-                                    </systemProperties>
-                                </configuration>
-                            </execution>
-                        </executions>
-                    </plugin>
-                </plugins>
-            </build>
-        </profile>
-
-        <profile>
-            <id>time</id>
-            <build>
-                <plugins>
-                    <plugin>
-                        <groupId>org.codehaus.mojo</groupId>
-                        <artifactId>exec-maven-plugin</artifactId>
-                        <version>${version.exec.maven}</version>
-                        <executions>
-                            <execution>
-                                <phase>validate</phase>
-                                <goals>
-                                    <goal>java</goal>
-                                </goals>
-                                <configuration>
-                                    <mainClass>org.owasp.benchmarkutils.score.WriteTime</mainClass>
-                                </configuration>
-                            </execution>
-                        </executions>
-                    </plugin>
-                </plugins>
-            </build>
-        </profile>
-
-    </profiles>
-
     <dependencies>
 
         <dependency>

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CASTAIPReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CASTAIPReader.java
@@ -101,11 +101,11 @@ private TestCaseResult parseCASTAIPIssue(Node flaw) throws Exception {
         // Get Benchmark test case #. If it's not in a Benchmark test case, return null
         String filename = getAttributeValue("name", flaw);
         filename = filename.replaceAll("\\\\", "/");
-        filename = filename.substring(filename.lastIndexOf('/'));
+        filename = filename.substring(filename.lastIndexOf('/') + 1);
         if (filename.startsWith(BenchmarkScore.TESTCASENAME)) {
             String testNumber =
                     filename.substring(
-                            BenchmarkScore.TESTCASENAME.length() + 1, filename.lastIndexOf('.'));
+                            BenchmarkScore.TESTCASENAME.length(), filename.lastIndexOf('.'));
             try {
                 tcr.setNumber(Integer.parseInt(testNumber));
                 return tcr;

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CheckmarxESReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CheckmarxESReader.java
@@ -138,7 +138,8 @@ private TestCaseResult parseCheckmarxFindings(
             if (testcaseName.startsWith(BenchmarkScore.TESTCASENAME)) {
                 String testNo =
                         testcaseName.substring(
-                                BenchmarkScore.TESTCASENAME.length(), testcaseName.length() - 5);
+                                BenchmarkScore.TESTCASENAME.length(),
+                                testcaseName.lastIndexOf('.'));
                 try {
                     tcr.setNumber(Integer.parseInt(testNo));
                 } catch (NumberFormatException e) {
@@ -153,7 +154,7 @@ private TestCaseResult parseCheckmarxFindings(
                     String testNo =
                             testcaseName.substring(
                                     BenchmarkScore.TESTCASENAME.length(),
-                                    testcaseName.length() - 5);
+                                    testcaseName.lastIndexOf('.'));
                     try {
                         tcr.setNumber(Integer.parseInt(testNo));
                     } catch (NumberFormatException e) {

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CheckmarxReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CheckmarxReader.java
@@ -171,7 +171,8 @@ private TestCaseResult parseCheckmarxVulnerability(Node query, Node result) {
         }
         if (testcase.startsWith(BenchmarkScore.TESTCASENAME)) {
             String testno =
-                    testcase.substring(BenchmarkScore.TESTCASENAME.length(), testcase.length() - 5);
+                    testcase.substring(
+                            BenchmarkScore.TESTCASENAME.length(), testcase.lastIndexOf('.'));
             try {
                 tcr.setNumber(Integer.parseInt(testno));
             } catch (NumberFormatException e) {
@@ -195,7 +196,7 @@ private TestCaseResult parseCheckmarxVulnerability(Node query, Node result) {
             if (testcase2.startsWith(BenchmarkScore.TESTCASENAME)) {
                 String testno2 =
                         testcase2.substring(
-                                BenchmarkScore.TESTCASENAME.length(), testcase2.length() - 5);
+                                BenchmarkScore.TESTCASENAME.length(), testcase2.lastIndexOf('.'));
                 try {
                     tcr.setNumber(Integer.parseInt(testno2));
                 } catch (NumberFormatException e) {

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CoverityReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CoverityReader.java
@@ -65,8 +65,8 @@ private TestCaseResult parseCoverityFinding(JSONObject finding, int version) {
             if (version == 3) {
                 filename = finding.getString("mainEventFilePathname");
                 filename = filename.replaceAll("\\\\", "/");
-                filename = filename.substring(filename.lastIndexOf('/'));
-                if (filename.contains(BenchmarkScore.TESTCASENAME)) {
+                filename = filename.substring(filename.lastIndexOf('/') + 1);
+                if (filename.startsWith(BenchmarkScore.TESTCASENAME)) {
                     String testNumber =
                             filename.substring(
                                     BenchmarkScore.TESTCASENAME.length(),
@@ -95,8 +95,8 @@ private TestCaseResult parseCoverityFinding(JSONObject finding, int version) {
                                 .getJSONObject(0)
                                 .getString("mainEventFilePathname");
                 filename = filename.replaceAll("\\\\", "/");
-                filename = filename.substring(filename.lastIndexOf('/'));
-                if (filename.contains(BenchmarkScore.TESTCASENAME)) {
+                filename = filename.substring(filename.lastIndexOf('/') + 1);
+                if (filename.startsWith(BenchmarkScore.TESTCASENAME)) {
                     String testNumber =
                             filename.substring(
                                     BenchmarkScore.TESTCASENAME.length(),
@@ -139,12 +139,11 @@ private TestCaseResult parseCoverityFindingV2(JSONObject finding) {
 
             filename = finding.getString("mainEventFilePathname");
             filename = filename.replaceAll("\\\\", "/");
-            filename = filename.substring(filename.lastIndexOf('/'));
-            if (filename.contains(BenchmarkScore.TESTCASENAME)) {
+            filename = filename.substring(filename.lastIndexOf('/') + 1);
+            if (filename.startsWith(BenchmarkScore.TESTCASENAME)) {
                 String testNumber =
                         filename.substring(
-                                BenchmarkScore.TESTCASENAME.length() + 1,
-                                filename.lastIndexOf('.'));
+                                BenchmarkScore.TESTCASENAME.length(), filename.lastIndexOf('.'));
                 tcr.setNumber(Integer.parseInt(testNumber));
                 //
                 // *** Warning: serious foefeling and cutting of corners ahead. ***
@@ -160,10 +159,8 @@ private TestCaseResult parseCoverityFindingV2(JSONObject finding) {
                 // there is "SQL_INJECTION".
                 //
                 // The easiest implementation (that does not require an additional parameter
-                // pointing
-                // to 'issueTypes.json') seems to use a couple of hardcoded checks instead of
-                // implementing
-                // an elaborate lookup algorithm.
+                // pointing to 'issueTypes.json') seems to use a couple of hardcoded checks instead
+                // of implementing an elaborate lookup algorithm.
                 //
                 String checker_name = finding.getString("checkerName").toLowerCase();
                 String subcategory = finding.getString("subcategory").toLowerCase();

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SemgrepReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SemgrepReader.java
@@ -173,7 +173,7 @@ private TestCaseResult parseSemgrepFindings(JSONObject result) {
                     ]
                 },
                 "severity": "WARNING",
-                "lines": "\t\tString sql = \"SELECT * from USERS where USERNAME='foo' and PASSWORD='\"+ bar +\"'\";\n\t\t\t\t\n\t\ttry {\n\t\t\tjava.sql.Statement statement =  org.owasp.benchmark.helpers.DatabaseHelper.getSqlStatement();\n\t\t\tstatement.execute( sql );\n            org.owasp.benchmarkutils.helpers.DatabaseHelper.printResults(statement, sql, response);\n\t\t} catch (java.sql.SQLException e) {\n\t\t\tif (org.owasp.benchmarkutils.helpers.DatabaseHelper.hideSQLErrors) {\n        \t\tresponse.getWriter().println(\n\"Error processing request.\"\n);\n        \t\treturn;\n        \t}\n\t\t\telse throw new ServletException(e);\n\t\t}"
+                "lines": "\t\tString sql = \"SELECT * from USERS where USERNAME='foo' and PASSWORD='\"+ bar +\"'\";\n\t\t\t\t\n\t\ttry {\n\t\t\tjava.sql.Statement statement =  org.owasp.benchmark.helpers.DatabaseHelper.getSqlStatement();\n\t\t\tstatement.execute( sql );\n            org.owasp.benchmark.helpers.DatabaseHelper.printResults(statement, sql, response);\n\t\t} catch (java.sql.SQLException e) {\n\t\t\tif (org.owasp.benchmark.helpers.DatabaseHelper.hideSQLErrors) {\n        \t\tresponse.getWriter().println(\n\"Error processing request.\"\n);\n        \t\treturn;\n        \t}\n\t\t\telse throw new ServletException(e);\n\t\t}"
             }
         }
          */

diff --git a/scripts/verifyBenchmarkPluginAvailable.sh b/scripts/verifyBenchmarkPluginAvailable.sh
@@ -6,7 +6,7 @@ then
   echo ""
   echo "!!!WARNING: Required plugin: org.owasp:benchmarkutils-maven-plugin not available."
   echo "To get and install it, do the following:"
-  echo "  git clone https://github.com/OWASP/Benchmark/BenchmarkUtils.git"
+  echo "  git clone https://github.com/OWASP-Benchmark/BenchmarkUtils.git"
   echo "  cd BenchmarkUtils"
   echo "  mvn install"
   echo ""
-Original file line number
+Diff line change
@@ Expand Up @@
                         ]
                     },
                     "severity": "WARNING",
-                    "lines": "\t\tString sql = \"SELECT * from USERS where USERNAME='foo' and PASSWORD='\"+ bar +\"'\";\n\t\t\t\t\n\t\ttry {\n\t\t\tjava.sql.Statement statement =  org.owasp.benchmark.helpers.DatabaseHelper.getSqlStatement();\n\t\t\tstatement.execute( sql );\n            org.owasp.benchmarkutils.helpers.DatabaseHelper.printResults(statement, sql, response);\n\t\t} catch (java.sql.SQLException e) {\n\t\t\tif (org.owasp.benchmarkutils.helpers.DatabaseHelper.hideSQLErrors) {\n        \t\tresponse.getWriter().println(\n\"Error processing request.\"\n);\n        \t\treturn;\n        \t}\n\t\t\telse throw new ServletException(e);\n\t\t}"
+                    "lines": "\t\tString sql = \"SELECT * from USERS where USERNAME='foo' and PASSWORD='\"+ bar +\"'\";\n\t\t\t\t\n\t\ttry {\n\t\t\tjava.sql.Statement statement =  org.owasp.benchmark.helpers.DatabaseHelper.getSqlStatement();\n\t\t\tstatement.execute( sql );\n            org.owasp.benchmark.helpers.DatabaseHelper.printResults(statement, sql, response);\n\t\t} catch (java.sql.SQLException e) {\n\t\t\tif (org.owasp.benchmark.helpers.DatabaseHelper.hideSQLErrors) {\n        \t\tresponse.getWriter().println(\n\"Error processing request.\"\n);\n        \t\treturn;\n        \t}\n\t\t\telse throw new ServletException(e);\n\t\t}"
                 }
             }
              */
@@ Expand Down @@