Check for matching Reader within reader and not in BenchmarkScore (+ …
…lots of tests) (#11)

* refactoring attempt

* remove main dummy code

* migrate all readers to abstract superclass and add some JUnit tests

* restore disclaimer

* wapiti test and silence on failed xml parsing

* more tests; prevent SemgrepReader from parsing ShiftLeftScan file

* test for AcunetixReader; README for testfiles

* test for CheckmarxIASTReader

* test for ZapReader

* test for JuliaReader

* test for BurpReader

* test for CheckmarxReader

* some CWE replacements and linting

* test for KiuwanReader

* test for VisualCodeGrepperReader

* test for HCLReaderTest

* test for HdivReaderTest

* test for Fortify (incomplete for old versions); linting

* remove BOM (if present)

* store binary data, only retreive strings on request

* let ArachniReader ignore FindBugs results

* remove fortify from BenchmarkScore

* test for Coverity

* test for Arachni

* fix filename in test

* test for W3AF

* test for Wapiti

* linting

* test for Netsparker

* test for CASTAIP

* linting

* test for AppScanDynamicReader2

* test for ParasoftReader

* test for SonarQubeReader (plugin)

* test for FindBugsReader (using SpotBugs file)

* fix - don't call JSONObject constructor twice
darkspirit510 authored Feb 2, 2022
1 parent 9d3d704 commit fb3a4f0
Showing 120 changed files with 5,417 additions and 1,184 deletions.
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -2,6 +2,7 @@
.project
.java-version
.keystore
.idea/

# Package Files #
*.jar
7 changes: 7 additions & 0 deletions plugin/pom.xml
Expand Up @@ -143,6 +143,13 @@
<version>1.4.01</version>
</dependency>

<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter</artifactId>
<version>5.8.0</version>
<scope>test</scope>
</dependency>

</dependencies>

<build>


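--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java
@@ -0,0 +1,162 @@
+/**
+* OWASP Benchmark Project
+*
+* <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For
+* details, please see <a
+* href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
+*
+* <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+* of the GNU General Public License as published by the Free Software Foundation, version 2.
+*
+* <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+* PURPOSE. See the GNU General Public License for more details.
+*
+* <p>This reader reads JSON reports from the Horusec open source tool at:
+* https://github.com/ZupIT/horusec
+*
+* @author Sascha Knoop
+* @created 2021
+*/
+package org.owasp.benchmarkutils.score;
+
+public class CweNumber {
+
+/** CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') */
+public static int PATH_TRAVERSAL = 22;
+
+/**
+* CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command
+* Injection')
+*/
+public static int COMMAND_INJECTION = 78;
+
+/**
+* CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
+*/
+public static int XSS = 79;
+
+/**
+* CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
+*/
+public static int SQL_INJECTION = 89;
+
+/**
+* CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
+*/
+public static int LDAP_INJECTION = 90;
+
+/**
+* CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response
+* Splitting')
+*/
+public static int HTTP_RESPONSE_SPLITTING = 113;
+
+/** CWE-134: Use of Externally-Controlled Format String */
+public static int EXTERNALLY_CONTROLLED_STRING = 134;
+
+/** CWE-284: Improper Access Control */
+public static int IMPROPER_ACCESS_CONTROL = 284;
+
+/** CWE-327: Use of a Broken or Risky Cryptographic Algorithm */
+public static int BROKEN_CRYPTO = 327;
+
+/** CWE-328: Reversible One-Way Hash */
+public static int REVERSIBLE_HASH = 328;
+
+/** CWE-329: Generation of Predictable IV with CBC Mode */
+public static int STATIC_CRYPTO_INIT = 329;
+
+/** CWE-330: Use of Insufficiently Random Values */
+public static int WEAK_RANDOM = 330;
+
+/** CWE-352: Cross-Site Request Forgery (CSRF) */
+public static int CSRF = 352;
+
+/** CWE-382: J2EE Bad Practices: Use of System.exit() */
+public static int SYSTEM_EXIT = 382;
+
+/** CWE-395: Use of NullPointerException Catch to Detect NULL Pointer Dereference */
+public static int CATCHING_NULL_POINTER_EXCEPTION = 395;
+
+/** CWE-396: Declaration of Catch for Generic Exception */
+public static int CATCH_GENERIC_EXCEPTION = 396;
+
+/** CWE-397: Declaration of Throws for Generic Exception */
+public static int THROW_GENERIC_EXCEPTION = 397;
+
+/** CWE-478: Missing Default Case in Switch Statement */
+public static int MISSING_DEFAULT_CASE = 478;
+
+/** CWE-483: Incorrect Block Delimitation */
+public static int INCORRECT_BLOCK_DELIMITATION = 483;
+
+/** CWE-484: Omitted Break Statement in Switch */
+public static int OMITTED_BREAK = 484;
+
+/** CWE-493: Critical Public Variable Without Final Modifier */
+public static int PUBLIC_VAR_WITHOUT_FINAL = 493;
+
+/** CWE-500: Public Static Field Not Marked Final */
+public static int PUBLIC_STATIC_NOT_FINAL = 500;
+
+/** CWE-501: Trust Boundary Violation */
+public static int TRUST_BOUNDARY_VIOLATION = 501;
+
+/** CWE-502: Deserialization of Untrusted Data */
+public static int INSECURE_DESERIALIZATION = 502;
+
+/** CWE-523: Unprotected Transport of Credentials */
+public static int UNPROTECTED_CREDENTIALS_TRANSPORT = 523;
+
+/** CWE-532: Insertion of Sensitive Information into Log File */
+public static int SENSITIVE_LOGFILE = 532;
+
+/** CWE-572: Call to Thread run() instead of start() */
+public static int THREAD_WRONG_CALL = 572;
+
+/** CWE-580: clone() Method Without super.clone() */
+public static int CLONE_WITHOUT_SUPER_CLONE = 580;
+
+/** CWE-563: Assignment to Variable without Use */
+public static int UNUSED_VAR_ASSIGNMENT = 563;
+
+/** CWE-581: Object Model Violation: Just One of Equals and Hashcode Defined */
+public static int OBJECT_MODEL_VIOLATION = 581;
+
+/** CWE-583: finalize() Method Declared Public */
+public static int FINALIZE_DECLARED_PUBLIC = 583;
+
+/** CWE-584: Return Inside Finally Block */
+public static int RETURN_INSIDE_FINALLY = 584;
+
+/** CWE-595: Comparison of Object References Instead of Object Contents */
+public static int OBJECT_REFERENCE_COMPARISON = 595;
+
+/** CWE-611: Improper Restriction of XML External Entity Reference */
+public static int XML_ENTITIES = 611;
+
+/** CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute */
+public static int INSECURE_COOKIE = 614;
+
+/** CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection') */
+public static int XPATH_INJECTION = 643;
+
+/**
+* CWE-649: Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity
+* Checking
+*/
+public static int OBFUSCATION = 649;
+
+/** CWE-754: Improper Check for Unusual or Exceptional Conditions */
+public static int IMPROPER_CHECK_FOR_CONDITIONS = 754;
+
+/** CWE-783: Operator Precedence Logic Error */
+public static int OPERATOR_PRECEDENCE_LOGIC = 783;
+
+/** CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') */
+public static int LOOP_WITH_UNREACHABLE_EXIT = 835;
+
+/** CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag */
+public static int COOKIE_WITHOUT_HTTPONLY = 1004;
+}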
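Review bot: Every constant in CweNumber is declared `public static int` without `final`, so any code in the process can reassign e.g. `CweNumber.XSS` and silently skew the CWE mapping of every reader that uses it — which is precisely the condition this file itself labels as CWE-500 (`PUBLIC_STATIC_NOT_FINAL`). Change all declarations to `public static final int ...;` so they are compile-time constants. The header comment's description line, `This reader reads JSON reports from the Horusec open source tool`, appears to have been copied from a reader class and does not describe this file; replace it with `* <p>CWE numbers used by the result file readers to map tool-specific categories.` Minor ordering point: CWE-563 (`UNUSED_VAR_ASSIGNMENT`) sits between CWE-580 and CWE-581 while the rest of the list is numerically ordered.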
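--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/ResultFile.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/ResultFile.java
@@ -0,0 +1,178 @@
+package org.owasp.benchmarkutils.score;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.IOException;
+import java.io.StringReader;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import java.util.zip.ZipEntry;
+import java.util.zip.ZipInputStream;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import org.json.JSONObject;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.xml.sax.InputSource;
+import org.xml.sax.helpers.DefaultHandler;
+
+public class ResultFile {
+private final byte[] rawContent;
+private final String filename;
+private final File originalFile;
+private JSONObject contentAsJson;
+private Document contentAsXml;
+
+public ResultFile(File fileToParse) throws IOException {
+this(fileToParse, readFileContent(fileToParse));
+}
+
+public ResultFile(String filename, String content) throws IOException {
+this(filename, content.getBytes());
+}
+
+public ResultFile(String filename, byte[] rawContent) throws IOException {
+this(new File(filename), rawContent);
+}
+
+public ResultFile(File fileToParse, byte[] rawContent) throws IOException {
+this.rawContent = rawContent;
+originalFile = fileToParse;
+filename = originalFile.getName();
+parseJson();
+parseXml();
+}
+
+private String removeBom(byte[] rawContent) {
+String s = new String(rawContent, StandardCharsets.UTF_8);
+
+if (s.startsWith("\uFEFF")) {
+return s.substring(1);
+}
+
+return s;
+}
+
+private static byte[] readFileContent(File fileToParse) throws IOException {
+return Files.readAllBytes(Paths.get(fileToParse.getPath()));
+}
+
+private void parseJson() {
+try {
+contentAsJson = new JSONObject(removeBom(rawContent));
+} catch (Exception ignored) {
+// No JSON
+}
+}
+
+private void parseXml() {
+try {
+DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
+// Prevent XXE = Note, disabling DTDs entirely breaks the parsing of some XML files,
+// like a Burp results file, so have to use the alternate defense.
+// dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+docBuilderFactory.setFeature(
+"http://xml.org/sax/features/external-general-entities", false);
+docBuilderFactory.setFeature(
+"http://xml.org/sax/features/external-parameter-entities", false);
+DocumentBuilder docBuilder = docBuilderFactory.newDocumentBuilder();
+docBuilder.setErrorHandler(new DefaultHandler());
+InputSource is = new InputSource(new StringReader(this.content()));
+this.contentAsXml = docBuilder.parse(is);
+} catch (Exception ignored) {
+// No XML
+}
+}
+
+public String filename() {
+return filename;
+}
+
+public boolean isJson() {
+return contentAsJson != null;
+}
+
+public boolean isXml() {
+return contentAsXml != null;
+}
+
+public JSONObject json() {
+return contentAsJson;
+}
+
+public String content() {
+return removeBom(rawContent);
+}
+
+public File file() {
+return originalFile;
+}
+
+/**
+* Read the specified line of the provided file. Returns empty string if the given file does not
+* have as many lines.
+*/
+public String line(int lineNum) {
+List<String> lines = Arrays.asList(removeBom(rawContent).split("\n"));
+
+if (lineNum >= lines.size()) {
+return "";
+}
+
+return lines.get(lineNum);
+}
+
+public List<String> lines() {
+return new ArrayList<>();
+}
+
+public Document xml() {
+return contentAsXml;
+}
+
+public Element xmlRootNode() {
+return xml().getDocumentElement();
+}
+
+public String xmlRootNodeName() {
+return isXml() ? xmlRootNode().getNodeName() : "";
+}
+
+/**
+* Extracts a file from a packed ResultFile.
+*
+* @return
+*/
+public ResultFile extract(String zipPath) {
+try (ZipInputStream zipIn = new ZipInputStream(new ByteArrayInputStream(rawContent))) {
+ZipEntry entry = zipIn.getNextEntry();
+while (entry != null) {
+if (entry.getName().equals(zipPath)) {
+return readFileFromZip(zipPath, zipIn);
+}
+zipIn.closeEntry();
+entry = zipIn.getNextEntry();
+}
+} catch (IOException e) {
+throw new RuntimeException(e);
+}
+
+throw new RuntimeException("ZipFile does not contain " + zipPath);
+}
+
+private ResultFile readFileFromZip(String zipPath, ZipInputStream zipIn) throws IOException {
+try (ByteArrayOutputStream bos = new ByteArrayOutputStream()) {
+final byte[] buf = new byte[1024];
+int length;
+while ((length = zipIn.read(buf, 0, buf.length)) >= 0) {
+bos.write(buf, 0, length);
+}
+return new ResultFile(zipPath, bos.toByteArray());
+}
+}
+}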
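Review bot: `parseXml` switches off external general/parameter entities but leaves the factory's secure-processing feature, external-DTD loading, XInclude and entity-reference expansion at their defaults, so a scanner report that keeps an internal DOCTYPE (which the comment says must stay allowed for Burp files) can still drive unbounded internal entity expansion in every reader, since every file is run through this parser before any reader looks at it. Bound what a DTD may do instead of forbidding it, as in the excerpt below (`javax.xml.XMLConstants` needs importing). Separately, the `ResultFile(String, String)` constructor calls `content.getBytes()` with the platform charset while `removeBom` decodes with UTF-8, so non-ASCII content round-trips incorrectly on non-UTF-8 JVMs; use `content.getBytes(StandardCharsets.UTF_8)`. `lines()` always returns an empty `ArrayList`, which reads as an unfinished stub — either implement it as `return Arrays.asList(removeBom(rawContent).split("\n"));` and have `line(int)` reuse it, or remove it; `line(int)` should also reject a negative `lineNum` before indexing, since it currently throws.

```java
DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
// DOCTYPEs stay allowed (Burp reports need them), so bound what a DTD may do instead.
docBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
docBuilderFactory.setFeature(
        "http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
docBuilderFactory.setXIncludeAware(false);
docBuilderFactory.setExpandEntityReferences(false);
// … unchanged: external-general/parameter-entities features, builder creation, parse, catch …
```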
Expand Up @@ -247,23 +247,6 @@ public void setTime(File f) {
}
}

// We had to create a custom method for Fortify since we extract the contents of the .fpr
// file out into a temp file whose name looks like this:
// Benchmark_1.1-Fortify-13121.fpr8111236727473243675.fvdl

public void setFortifyTime(File f) {
String filename = f.getName();
// to make the same as normal filenames, strip off the '.fvdl' at the end of the filename
filename = filename.substring(0, filename.lastIndexOf('.') - 1);
String time = filename.substring(filename.lastIndexOf('-') + 1, filename.lastIndexOf('.'));
try {
int seconds = Integer.parseInt(time);
this.setTime(formatTime(seconds * 1000));
} catch (Exception e) {
this.setTime("Time not specified");
}
}

/**
* Get the total number of results for these TestResults.
*
