From ee75bdd1e067db262ae03b4fab6c494ac277aa4a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 20 Nov 2024 09:19:04 -0500 Subject: [PATCH 01/19] Bump commons-io:commons-io from 2.17.0 to 2.18.0 (#137) Bumps commons-io:commons-io from 2.17.0 to 2.18.0. --- updated-dependencies: - dependency-name: commons-io:commons-io dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- plugin/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugin/pom.xml b/plugin/pom.xml index 8621a051..7c6e872e 100644 --- a/plugin/pom.xml +++ b/plugin/pom.xml @@ -65,7 +65,7 @@ commons-io commons-io - 2.17.0 + 2.18.0 From 86efd4f8a7efb170f2a7feb9a2577fd8dae21287 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 29 Nov 2024 10:00:38 -0500 Subject: [PATCH 02/19] Bump version.fasterxml.jackson from 2.18.1 to 2.18.2 (#138) Bumps `version.fasterxml.jackson` from 2.18.1 to 2.18.2. Updates `com.fasterxml.jackson.core:jackson-annotations` from 2.18.1 to 2.18.2 - [Commits](https://github.com/FasterXML/jackson/commits) Updates `com.fasterxml.jackson.core:jackson-core` from 2.18.1 to 2.18.2 - [Commits](https://github.com/FasterXML/jackson-core/compare/jackson-core-2.18.1...jackson-core-2.18.2) Updates `com.fasterxml.jackson.core:jackson-databind` from 2.18.1 to 2.18.2 - [Commits](https://github.com/FasterXML/jackson/commits) Updates `com.fasterxml.jackson.dataformat:jackson-dataformat-xml` from 2.18.1 to 2.18.2 - [Commits](https://github.com/FasterXML/jackson-dataformat-xml/compare/jackson-dataformat-xml-2.18.1...jackson-dataformat-xml-2.18.2) --- updated-dependencies: - dependency-name: com.fasterxml.jackson.core:jackson-annotations dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: com.fasterxml.jackson.core:jackson-core dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: com.fasterxml.jackson.core:jackson-databind dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: com.fasterxml.jackson.dataformat:jackson-dataformat-xml dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- plugin/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugin/pom.xml b/plugin/pom.xml index 7c6e872e..78b8e0fc 100644 --- a/plugin/pom.xml +++ b/plugin/pom.xml @@ -192,7 +192,7 @@ - 2.18.1 + 2.18.2 2.7.15 5.11.3 From 23439aa95d4ab0cad7925bd8b76cae0f03d3e56d Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 12 Dec 2024 09:48:17 -0500 Subject: [PATCH 03/19] Bump org.apache.maven.skins:maven-fluido-skin from 2.0.0 to 2.0.1 (#139) Bumps [org.apache.maven.skins:maven-fluido-skin](https://github.com/apache/maven-fluido-skin) from 2.0.0 to 2.0.1. - [Release notes](https://github.com/apache/maven-fluido-skin/releases) - [Commits](https://github.com/apache/maven-fluido-skin/compare/maven-fluido-skin-2.0.0...maven-fluido-skin-2.0.1) --- updated-dependencies: - dependency-name: org.apache.maven.skins:maven-fluido-skin dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index dcaca1cb..8596b6d7 100644 --- a/pom.xml +++ b/pom.xml @@ -358,7 +358,7 @@ UTF-8 11 ${project.build.directory}/log - 2.0.0 + 2.0.1 From 36db4b7de6d4f0802ba472b081415682c967aee3 Mon Sep 17 00:00:00 2001 From: davewichers Date: Sun, 15 Dec 2024 14:56:56 -0500 Subject: [PATCH 04/19] Slight improvement to codeblocksupport output when there is no dataflow for a test case. --- .../owasp/benchmarkutils/tools/CodeBlockSupportResults.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/tools/CodeBlockSupportResults.java b/plugin/src/main/java/org/owasp/benchmarkutils/tools/CodeBlockSupportResults.java index d4672f8d..5071c4b2 100644 --- a/plugin/src/main/java/org/owasp/benchmarkutils/tools/CodeBlockSupportResults.java +++ b/plugin/src/main/java/org/owasp/benchmarkutils/tools/CodeBlockSupportResults.java 
@@ -82,7 +82,7 @@ public String toString() { // Optionally add the vuln type if this codeblock is a SINK + ("SINK".equals(type) ? " (" + vulnCat + ")" : "") + ", name: " - + name + + (("DATAFLOW".equals(type) && "".equals(name)) ? "NoDataFlow" : name) + ", truePositive: " + truePositive + ", True Positive - used: " @@ -103,7 +103,7 @@ public String toStringIgnoringUnsupportedSinks() { // Optionally add the vuln type if this codeblock is a SINK + ("SINK".equals(type) ? " (" + vulnCat + ")" : "") + ", name: " - + name + + (("DATAFLOW".equals(type) && "".equals(name)) ? "NoDataFlow" : name) + ", truePositive: " + truePositive + ", Ignoring unsupported sinks: TPs - used: " @@ -124,7 +124,7 @@ public String toStringForFalsePositiveSinks() { // Optionally add the vuln type if this codeblock is a SINK + ("SINK".equals(type) ? " (" + vulnCat + ")" : "") + ", name: " - + name + + (("DATAFLOW".equals(type) && "".equals(name)) ? "NoDataFlow" : name) + ", truePositive: " + truePositive /* + ", True Positive - used: " From 8709915a4f663b156748c2a6c82de61d8ed42d80 Mon Sep 17 00:00:00 2001 From: Dave Wichers Date: Mon, 16 Dec 2024 10:31:27 -0600 Subject: [PATCH 05/19] Upgrade googleJavaFormat version so it works with both Java 11 and 17 and upgrade 2 other things. --- .mvn/jvm.config | 4 ++-- plugin/pom.xml | 2 +- pom.xml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.mvn/jvm.config b/.mvn/jvm.config index 630d3320..2261b107 100644 --- a/.mvn/jvm.config +++ b/.mvn/jvm.config @@ -1,2 +1,2 @@ ---add-exports=jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED - +--add-exports jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED +--add-opens java.base/java.lang=ALL-UNNAMED diff --git a/plugin/pom.xml b/plugin/pom.xml index 78b8e0fc..703dd59f 100644 --- a/plugin/pom.xml +++ b/plugin/pom.xml @@ -195,7 +195,7 @@ 2.18.2 2.7.15 - 5.11.3 + 5.11.4 diff --git a/pom.xml b/pom.xml index 8596b6d7..1685183d 100644 --- a/pom.xml +++ b/pom.xml @@ -292,7 +292,7 @@ - 1.8 + 1.10.0 
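Review bot: The expression `(("DATAFLOW".equals(type) && "".equals(name)) ? "NoDataFlow" : name)` is pasted identically into toString(), toStringIgnoringUnsupportedSinks() and toStringForFalsePositiveSinks() (the three hunks of this file), so the three outputs can drift the next time the rule changes. A private helper called from all three keeps them aligned: `private String displayName() { return "DATAFLOW".equals(type) && "".equals(name) ? "NoDataFlow" : name; }`. `"".equals(name)` also lets a null name print as "null"; if name can be unset (not visible here — confirm), `name == null || name.isEmpty()` is the safer test. All three enclosing methods start before their hunks.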
From 086add408aee507aa71237fa09f63ea96f502ab6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 17 Dec 2024 10:23:45 -0500 Subject: [PATCH 06/19] Bump com.google.guava:guava from 33.3.1-jre to 33.4.0-jre (#140) Bumps [com.google.guava:guava](https://github.com/google/guava) from 33.3.1-jre to 33.4.0-jre. - [Release notes](https://github.com/google/guava/releases) - [Commits](https://github.com/google/guava/commits) --- updated-dependencies: - dependency-name: com.google.guava:guava dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- plugin/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugin/pom.xml b/plugin/pom.xml index 703dd59f..7be120eb 100644 --- a/plugin/pom.xml +++ b/plugin/pom.xml @@ -47,7 +47,7 @@ com.google.guava guava - 33.3.1-jre + 33.4.0-jre From 1ec2f2258287b834dec96dc50df524b30a83326f Mon Sep 17 00:00:00 2001 From: davewichers Date: Fri, 20 Dec 2024 10:39:36 -0500 Subject: [PATCH 07/19] Fix bug when generating scorecards while using expected results full details csv. --- .../benchmarkutils/score/service/ExpectedResultsProvider.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/service/ExpectedResultsProvider.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/service/ExpectedResultsProvider.java index ad30c4ba..cbe1c0d0 100644 --- a/plugin/src/main/java/org/owasp/benchmarkutils/score/service/ExpectedResultsProvider.java +++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/service/ExpectedResultsProvider.java 
@@ -40,8 +40,8 @@ public class ExpectedResultsProvider { private static final String CWE = " cwe"; private static final String SOURCE = " source"; - private static final String DATA_FLOW = " vuln src"; - private static final String SINK = " vuln df"; + private static final String DATA_FLOW = " data flow"; + private static final String SINK = " sink"; public static TestSuiteResults parse(ResultFile resultFile) throws IOException { TestSuiteResults tr = new TestSuiteResults("Expected", true, null); From ea08b4bd6191d76b9af468930fc3f33cec7835f5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 2 Jan 2025 10:47:11 -0500 Subject: [PATCH 08/19] Bump org.json:json from 20240303 to 20241224 (#142) Bumps [org.json:json](https://github.com/douglascrockford/JSON-java) from 20240303 to 20241224. - [Release notes](https://github.com/douglascrockford/JSON-java/releases) - [Changelog](https://github.com/stleary/JSON-java/blob/master/docs/RELEASES.md) - [Commits](https://github.com/douglascrockford/JSON-java/commits) --- updated-dependencies: - dependency-name: org.json:json dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- plugin/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugin/pom.xml b/plugin/pom.xml index 7be120eb..1005b299 100644 --- a/plugin/pom.xml +++ b/plugin/pom.xml @@ -134,7 +134,7 @@ org.json json - 20240303 + 20241224 From d12d7ce35e8b6d0b19d68352a278cb2eabb61281 Mon Sep 17 00:00:00 2001 
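Review bot: The renamed constants `DATA_FLOW = " data flow"` and `SINK = " sink"` are header-cell text, and nothing near them says which CSV header row they must match or why each starts with a space, which is how the previous values could be wrong without anything failing at compile time. A comment above the group such as `// Column titles of the expected-results "full details" CSV; the leading space presumably mirrors the ", " separator in the header row — confirm against the writer` pins that down. A parse-time check that each expected column is present, failing with an IOException that names the missing column, would turn the next mismatch into an explicit message (the header lookup itself is not in this hunk, so this is inferred). The ExpectedResultsProvider class continues outside the hunk.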
From: Dave Wichers Date: Mon, 6 Jan 2025 10:13:09 -0600 Subject: [PATCH 09/19] Upgrade googleJavaFormat version in pom to 1.17.0 so it works with Java 21+ and also add some jvm.config exports to suppress some warnings when Spotless uses some internal jvm classes to help with its formatting work. --- .mvn/jvm.config | 6 ++++++ pom.xml | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/.mvn/jvm.config b/.mvn/jvm.config index 2261b107..3311f694 100644 --- a/.mvn/jvm.config +++ b/.mvn/jvm.config @@ -1,2 +1,8 @@ --add-exports jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED --add-opens java.base/java.lang=ALL-UNNAMED + +--add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED +--add-exports=jdk.compiler/com.sun.tools.javac.code=ALL-UNNAMED +--add-exports=jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED +--add-exports=jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED +--add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED diff --git a/pom.xml b/pom.xml index 1685183d..3159b03c 100644 --- a/pom.xml +++ b/pom.xml @@ -292,7 +292,7 @@ - 1.10.0 + 1.17.0 From 68c084ce99fed29fc77ac3f484a932257eed4d6b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 7 Jan 2025 11:11:10 -0500 Subject: [PATCH 10/19] Bump com.diffplug.spotless:spotless-maven-plugin from 2.43.0 to 2.44.0 (#144) Bumps [com.diffplug.spotless:spotless-maven-plugin](https://github.com/diffplug/spotless) from 2.43.0 to 2.44.0. - [Release notes](https://github.com/diffplug/spotless/releases) - [Changelog](https://github.com/diffplug/spotless/blob/main/CHANGES.md) - [Commits](https://github.com/diffplug/spotless/compare/lib/2.43.0...lib/2.44.0) --- updated-dependencies: - dependency-name: com.diffplug.spotless:spotless-maven-plugin dependency-type: direct:production update-type: version-update:semver-minor ... 
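Review bot: The five added lines use the `--add-exports=module/pkg=ALL-UNNAMED` form while the two lines kept from the earlier patch in this series use the space-separated `--add-exports module/pkg=ALL-UNNAMED` form; the launcher accepts both, but mixing them in a seven-line file invites a copy-paste slip. Pick one form for the whole file, e.g. `--add-exports jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED`. A one-line comment stating that these opens/exports exist only for Spotless/google-java-format in the Maven JVM (as the commit message says) would also stop a future reader from assuming they are needed at runtime.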
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 3159b03c..db97ec9c 100644 --- a/pom.xml +++ b/pom.xml @@ -218,7 +218,7 @@ com.diffplug.spotless spotless-maven-plugin - 2.43.0 + 2.44.0 From 09c717683d8a53e63e830a010c35dee901b64d80 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 8 Jan 2025 10:15:42 -0500 Subject: [PATCH 11/19] Bump org.json:json from 20241224 to 20250107 (#145) Bumps [org.json:json](https://github.com/douglascrockford/JSON-java) from 20241224 to 20250107. - [Release notes](https://github.com/douglascrockford/JSON-java/releases) - [Changelog](https://github.com/stleary/JSON-java/blob/master/docs/RELEASES.md) - [Commits](https://github.com/douglascrockford/JSON-java/commits) --- updated-dependencies: - dependency-name: org.json:json dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- plugin/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugin/pom.xml b/plugin/pom.xml index 1005b299..33cab3cf 100644 --- a/plugin/pom.xml +++ b/plugin/pom.xml @@ -134,7 +134,7 @@ org.json json - 20241224 + 20250107 From c14c6d83f327f81883bbfa862f35b894e8b63e2a Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 8 Jan 2025 10:15:53 -0500 Subject: [PATCH 12/19] Bump com.diffplug.spotless:spotless-maven-plugin from 2.44.0 to 2.44.1 (#146) Bumps [com.diffplug.spotless:spotless-maven-plugin](https://github.com/diffplug/spotless) from 2.44.0 to 2.44.1. - [Release notes](https://github.com/diffplug/spotless/releases) - [Changelog](https://github.com/diffplug/spotless/blob/main/CHANGES.md) - [Commits](https://github.com/diffplug/spotless/compare/lib/2.44.0...maven/2.44.1) --- updated-dependencies: - dependency-name: com.diffplug.spotless:spotless-maven-plugin dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index db97ec9c..517dbbe3 100644 --- a/pom.xml +++ b/pom.xml @@ -218,7 +218,7 @@ com.diffplug.spotless spotless-maven-plugin - 2.44.0 + 2.44.1 From e2de2de92844e609085ecd795422788e88672970 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 10 Jan 2025 12:34:23 -0500 Subject: [PATCH 13/19] Bump org.apache.httpcomponents.core5:httpcore5 from 5.3.1 to 5.3.2 (#147) Bumps [org.apache.httpcomponents.core5:httpcore5](https://github.com/apache/httpcomponents-core) from 5.3.1 to 5.3.2. - [Changelog](https://github.com/apache/httpcomponents-core/blob/rel/v5.3.2/RELEASE_NOTES.txt) - [Commits](https://github.com/apache/httpcomponents-core/compare/rel/v5.3.1...rel/v5.3.2) --- updated-dependencies: - dependency-name: org.apache.httpcomponents.core5:httpcore5 dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- plugin/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugin/pom.xml b/plugin/pom.xml index 33cab3cf..3f5e45ba 100644 --- a/plugin/pom.xml +++ b/plugin/pom.xml @@ -95,7 +95,7 @@ org.apache.httpcomponents.core5 httpcore5 - 5.3.1 + 5.3.2 From dfb74f06b0441b76a2b11a0833c4c0ad006f0bd8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 Jan 2025 10:40:06 -0500 Subject: [PATCH 14/19] Bump org.apache.commons:commons-csv from 1.12.0 to 1.13.0 (#148) Bumps [org.apache.commons:commons-csv](https://github.com/apache/commons-csv) from 1.12.0 to 1.13.0. - [Changelog](https://github.com/apache/commons-csv/blob/master/RELEASE-NOTES.txt) - [Commits](https://github.com/apache/commons-csv/compare/rel/commons-csv-1.12.0...rel/commons-csv-1.13.0) --- updated-dependencies: - dependency-name: org.apache.commons:commons-csv dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- plugin/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugin/pom.xml b/plugin/pom.xml index 3f5e45ba..ea4ad815 100644 --- a/plugin/pom.xml +++ b/plugin/pom.xml @@ -77,7 +77,7 @@ org.apache.commons commons-csv - 1.12.0 + 1.13.0 From 10b82b51736469395ec81526417602cb670d3a82 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 15 Jan 2025 10:47:52 -0500 Subject: [PATCH 15/19] Bump com.diffplug.spotless:spotless-maven-plugin from 2.44.1 to 2.44.2 (#149) Bumps [com.diffplug.spotless:spotless-maven-plugin](https://github.com/diffplug/spotless) from 2.44.1 to 2.44.2. - [Release notes](https://github.com/diffplug/spotless/releases) - [Changelog](https://github.com/diffplug/spotless/blob/main/CHANGES.md) - [Commits](https://github.com/diffplug/spotless/compare/maven/2.44.1...maven/2.44.2) --- updated-dependencies: - dependency-name: com.diffplug.spotless:spotless-maven-plugin dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 517dbbe3..9fa07bc9 100644 --- a/pom.xml +++ b/pom.xml @@ -218,7 +218,7 @@ com.diffplug.spotless spotless-maven-plugin - 2.44.1 + 2.44.2 From 1fca354c11314228a13a441a0dbf288b04e79576 Mon Sep 17 00:00:00 2001 From: Leyart Date: Thu, 16 Jan 2025 06:29:31 -1000 Subject: [PATCH 16/19] Prevent NaN on tpr (#150) --- .../java/org/owasp/benchmarkutils/score/BenchmarkScore.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/BenchmarkScore.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/BenchmarkScore.java index 1e8e0630..ca832fad 100644 --- a/plugin/src/main/java/org/owasp/benchmarkutils/score/BenchmarkScore.java +++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/BenchmarkScore.java 
@@ -620,6 +620,8 @@ private static ToolResults calculateMetrics(Map resu // c.tp & c.fp can both be zero, creating a precision of NaN. So set to 0.0. if (Double.isNaN(precision)) precision = 0.0; double tpr = (double) c.tp / (double) (c.tp + c.fn); + // c.tp & c.fn can both be zero, creating an tpr of NaN. So set to 0.0. + if (Double.isNaN(tpr)) tpr = 0.0; double fpr = (double) c.fp / (double) (c.fp + c.tn); // c.fp & c.tn can both be zero, creating an fpr of NaN. So set to 0.0. if (Double.isNaN(fpr)) fpr = 0.0; From e81bc429f5c759ee117a53a620c16d844221c32d Mon Sep 17 00:00:00 2001 From: Dave Wichers Date: Thu, 16 Jan 2025 14:16:39 -0600 Subject: [PATCH 17/19] Enhance the CodeQLReader SARIF parser to include the codeql/java-queries ruleset version along with the CodeQL toolsuite version so you know both the version of CodeQL and the ruleset version used when scoring it. --- .../score/parsers/sarif/CodeQLReader.java | 44 +++++++++++++++++++ .../score/parsers/sarif/SarifReader.java | 4 +- .../score/parsers/sarif/CodeQLReaderTest.java | 2 +- 3 files changed, 47 insertions(+), 3 deletions(-) diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/CodeQLReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/CodeQLReader.java index af03528d..0bff50ca 100644 --- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/CodeQLReader.java +++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/CodeQLReader.java @@ -19,7 +19,12 @@ */ package org.owasp.benchmarkutils.score.parsers.sarif; +import org.json.JSONArray; +import org.json.JSONException; +import org.json.JSONObject; import org.owasp.benchmarkutils.score.CweNumber; +import org.owasp.benchmarkutils.score.ResultFile; +import org.owasp.benchmarkutils.score.TestSuiteResults; public class CodeQLReader extends SarifReader { 
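Review bot: The added comment reads "creating an tpr"; it should be `// c.tp & c.fn can both be zero, creating a tpr of NaN. So set to 0.0.`. With this change precision, tpr and fpr are guarded by the same two-line pattern in a row, so a helper such as `private static double safeRatio(double num, double den) { return den == 0.0 ? 0.0 : num / den; }` would state the intent once. Note that a category with no vulnerable test cases (tp + fn == 0) now scores tpr 0.0 rather than NaN, which a scorecard reads as "found nothing"; if such categories should instead be left out of averages, that needs handling by the caller (inferred — the aggregation is not in this hunk). calculateMetrics starts before the hunk.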
@@ -37,4 +42,43 @@ public int mapCwe(int cwe) {
 }
 return cwe;
 }
+
+ /**
+ * Override setVersion to include the version number of the 'codeql/java-queries' ruleset with
+ * the version of the tool. Since both the tool version and the ruleset version can seperately
+ * affect the codeQL score.
+ */
+ @Override
+ public void setVersion(ResultFile resultFile, TestSuiteResults testSuiteResults) {
+ JSONObject driver = toolDriver(firstRun(resultFile));
+
+ String version = "unknown";
+ if (driver.has("semanticVersion")) {
+ version = driver.getString("semanticVersion");
+ } else if (driver.has("version")) {
+ version = driver.getString("version");
+ }
+
+ // Search for codeql/java-queries ruleset version and add that to the tool version
+ try {
+ JSONArray extensions =
+ firstRun(resultFile).getJSONObject("tool").getJSONArray("extensions");
+
+ for (int i = 0; i < extensions.length(); i++) {
+ JSONObject extension = extensions.getJSONObject(i);
+ String name = extension.getString("name");
+ if ("codeql/java-queries".equals(name)) {
+ // looking for:
+ // "semanticVersion": "1.1.9+de325133c7a95d84489acdf5a6ced07886ff5c6d",
+ String rulesetVersion = extension.getString("semanticVersion");
+ rulesetVersion = rulesetVersion.substring(0, rulesetVersion.indexOf('+'));
+ version += "_w" + rulesetVersion + "rules";
+ }
+ }
+ } catch (JSONException e) {
+ // Do nothing it if can't be found.
+ }
+
+ testSuiteResults.setToolVersion(version);
+ }
 }
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SarifReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SarifReader.java
index b984a0c8..edf40f26 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SarifReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SarifReader.java
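Review bot: `rulesetVersion.substring(0, rulesetVersion.indexOf('+'))` throws StringIndexOutOfBoundsException when the ruleset's semanticVersion carries no "+build" suffix, and the surrounding catch only handles JSONException, so a SARIF file with a plain "0.6.1" ruleset version would abort scoring instead of falling back to the bare tool version. Guard the index: `int plus = rulesetVersion.indexOf('+');` / `if (plus >= 0) rulesetVersion = rulesetVersion.substring(0, plus);`. The loop also keeps appending if the extensions array lists codeql/java-queries more than once, so a `break` after the append keeps the version string single-valued; the CodeQLReaderTest update later in this patch appears to cover only the suffix-present case, so a fixture without "+" would catch both points. In the Javadoc "seperately" should be "separately", and the swallowed exception is clearer as `catch (JSONException ignored)` with the comment `// The ruleset version is optional; keep the tool version alone if it is absent.`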
@@ -63,11 +63,11 @@ private String sarifToolName(ResultFile resultFile) { return toolDriver(firstRun(resultFile)).getString("name"); } - private static JSONObject firstRun(ResultFile resultFile) { + static JSONObject firstRun(ResultFile resultFile) { return resultFile.json().getJSONArray("runs").getJSONObject(0); } - private static JSONObject toolDriver(JSONObject run) { + static JSONObject toolDriver(JSONObject run) { return run.getJSONObject("tool").getJSONObject("driver"); } diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/CodeQLReaderTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/CodeQLReaderTest.java index 66199c75..123dda13 100644 --- a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/CodeQLReaderTest.java +++ b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/CodeQLReaderTest.java @@ -51,7 +51,7 @@ void readerHandlesGivenResultFile() throws Exception { assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType()); assertEquals("CodeQL", result.getToolName()); - assertEquals("2.13.1", result.getToolVersion()); + assertEquals("2.13.1_w0.6.1rules", result.getToolVersion()); assertEquals(2, result.getTotalResults()); From 024f25b0e38d515907e27756a9ac261fbae324fb Mon Sep 17 00:00:00 2001 From: Dave Wichers Date: Fri, 17 Jan 2025 16:38:55 -0500 Subject: [PATCH 18/19] Add warning when a SARIF parser doesn't have a CWE mapping for a tool specific rule. Add a few such missing rules to ZAP and ContrastScan readers. Fix bug in JuliaReader where it was reporting findings for test case number -1 (which isn't a real test case). --- .../owasp/benchmarkutils/score/parsers/JuliaReader.java | 5 ++++- .../owasp/benchmarkutils/score/parsers/ZapJsonReader.java | 7 +++++-- .../score/parsers/sarif/ContrastScanReader.java | 1 + .../benchmarkutils/score/parsers/sarif/SarifReader.java | 1 + 4 files changed, 11 insertions(+), 3 deletions(-) 
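Review bot: firstRun and toolDriver are widened from private to package-private with no Javadoc saying why, so a reader of SarifReader cannot tell that sibling readers in this package now depend on them. A one-line comment on each, e.g. `/** Package-private so sibling readers (e.g. CodeQLReader) can inspect the first SARIF run. */`, records the new contract; `protected static` would state the same intent through the modifier if subclasses outside the package are expected (not visible here — confirm). Both methods are shown whole in the hunk.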
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/JuliaReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/JuliaReader.java index 996360e3..c18df280 100644 --- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/JuliaReader.java +++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/JuliaReader.java @@ -68,7 +68,10 @@ public TestSuiteResults parse(ResultFile resultFile) throws Exception { NodeList nl = root.getChildNodes(); for (int i = 0; i < nl.getLength(); i++) { Node n = nl.item(i); - if (n.getNodeName().equals("warning")) tr.put(parseJuliaBug(n)); + if (n.getNodeName().equals("warning")) { + TestCaseResult tcr = parseJuliaBug(n); + if (tcr.getNumber() > 0) tr.put(tcr); + } } return tr; diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ZapJsonReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ZapJsonReader.java index 51491840..9d202b6f 100644 --- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ZapJsonReader.java +++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ZapJsonReader.java 
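Review bot: Findings whose test-case number is not positive are now dropped silently at `if (tcr.getNumber() > 0) tr.put(tcr);`, while the rest of this commit adds warnings for unmapped rules; an `else` branch that reports the skip is consistent with that and makes a mis-parsed file name visible instead of quietly lowering the tool's result count. For example `else System.out.println("WARNING: Skipping Julia finding that did not resolve to a test case number");`. Presumably parseJuliaBug returns -1 when the reported file is not a test case (not visible here — confirm). parse() starts before the hunk.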
@@ -184,17 +184,21 @@ static int mapCwe(String cwe) { case "-1": // Informational Alert case "0": // Informational Alert: Check for differences in response based on fuzzed User // Agent + return CweNumber.DONTCARE; + case "16": // Configuration case "20": // Improper Input Validation case "91": // XML Injection (aka Blind XPath Injection) case "120": // Classic Buffer Overflow (Not possible in Java) case "134": // Use of Externally-Controlled Format String + case "190": // Integer Overflow or Wraparound case "200": // Exposure of Sensitive Information to Unauthorized Actor - When 500 errors // are returned case "345": // Insufficient Verification of Data Authenticity case "359": // Exposure of Private Personal Information to an Unauthorized Actor case "436": // Interpretation Conflict case "525": // Browser caching sensitive data + case "541": // Sensitive Info found in an Include File case "565": // Reliance on Cookies without Validation and Integrity Checking case "693": // Protection Mechanism Failure case "829": // Inclusion of Functionality from Untrusted Control Sphere (e.g., CDN) @@ -204,8 +208,7 @@ static int mapCwe(String cwe) { return Integer.parseInt(cwe); // Return the CWE anyway. default: - System.out.println( - "WARNING: ZAP CWE not mapped to expected test suite CWE: " + cwe); + System.out.println("WARNING: No CWE mapping found for CWE: " + cwe); return Integer.parseInt(cwe); } } diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/ContrastScanReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/ContrastScanReader.java index 423a6e87..85b0b3d7 100644 --- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/ContrastScanReader.java +++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/ContrastScanReader.java 
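Review bot: The rewritten warning `"WARNING: No CWE mapping found for CWE: " + cwe` drops the "ZAP" prefix, so in a run that scores several tools this line is no longer attributable to this reader, and it is now worded the same as the new rule-id warning in SarifReader, which compounds the ambiguity. Keep the reader name in the text, e.g. `System.out.println("WARNING: ZapJsonReader: no CWE mapping found for CWE: " + cwe);`. The `default` branch still proceeds to `Integer.parseInt(cwe)`, so a non-numeric cwe value would throw NumberFormatException right after the warning; that is pre-existing, but a guard is cheap while this line is being touched. mapCwe starts before the hunk.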
@@ -50,6 +50,7 @@ public Map customRuleCweMappings(JSONObject driver) { ruleCweMap.put("trust-boundary-violation", CweNumber.TRUST_BOUNDARY_VIOLATION); ruleCweMap.put("xpath-injection", CweNumber.XPATH_INJECTION); ruleCweMap.put("xxe", CweNumber.XXE); + ruleCweMap.put("autocomplete-missing", 522); // CWE-522 Insufficiently Protected Creds return ruleCweMap; } diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SarifReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SarifReader.java index edf40f26..f38ec827 100644 --- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SarifReader.java +++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SarifReader.java @@ -247,6 +247,7 @@ private TestCaseResult testCaseResultFor(JSONObject result, Map int cwe = mappings.getOrDefault(ruleId, -1); if (cwe == -1) { + System.out.println("WARNING: No CWE mapping found for ruleID: " + ruleId); return null; } From 4a10dc2cea250df764c7835af444c4b62dd2e5db Mon Sep 17 00:00:00 2001 From: Dave Wichers Date: Mon, 20 Jan 2025 16:29:31 -0500 Subject: [PATCH 19/19] Add support for Contrast CodeSec static analysis of Source Code scanning for Java. --- .../parsers/sarif/ContrastScanReader.java | 103 ++++++++++++++++++ 1 file changed, 103 insertions(+) diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/ContrastScanReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/ContrastScanReader.java index 85b0b3d7..93c7f5c9 100644 --- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/ContrastScanReader.java +++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/ContrastScanReader.java 
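Review bot: `ruleCweMap.put("autocomplete-missing", 522)` is the only entry in this table with a bare CWE literal; every neighbouring entry goes through a CweNumber constant, so the trailing comment is doing the job the constant name would do. If CweNumber has no entry for CWE-522, adding one (a name like `INSUFFICIENTLY_PROTECTED_CREDENTIALS` — constructed, pick to match the existing naming) and using it here keeps the table uniform and greppable; the next patch in this series adds many more bare literals to the same table, so settling the convention now is worthwhile. customRuleCweMappings starts before the hunk.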
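Review bot: The new `System.out.println("WARNING: No CWE mapping found for ruleID: " + ruleId)` sits inside testCaseResultFor, which runs once per SARIF result, so a single unmapped rule with hundreds of findings prints hundreds of identical lines and buries the other warnings. Remember the rule ids already reported — a `private final Set<String> warnedRuleIds = new HashSet<>();` field on the reader and `if (warnedRuleIds.add(ruleId)) { System.out.println(...); }` here — so each rule is reported once; including the tool name in the text would also distinguish it from the identically worded ZapJsonReader warning. testCaseResultFor starts before the hunk.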
@@ -34,6 +34,7 @@ public ContrastScanReader() { public Map customRuleCweMappings(JSONObject driver) { Map ruleCweMap = new HashMap<>(); + // The following are the ruleIds for Contrast scan for Java war/jar files ruleCweMap.put("unsafe-code-execution", CweNumber.COMMAND_INJECTION); ruleCweMap.put("cmd-injection", CweNumber.COMMAND_INJECTION); ruleCweMap.put("cookie-flags-missing", CweNumber.INSECURE_COOKIE); 
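Review bot: In this file's next hunk (it runs past the end of this excerpt) two Java-source rules are mapped to each other's CWE: `ruleCweMap.put("OPT.JAVA.SEC_JAVA.ExternalControlOfConfigurationSetting", 134)` sits under the comment "CWE-134: Use of Externally-Controlled Format String", and `ruleCweMap.put("OPT.JAVA.SEC_JAVA.FormatStringInjectionRule", 15)` under "CWE-15: External Control of System or Configuration Setting". CWE-15 is the configuration-setting weakness and CWE-134 the format-string one, so the two ids should be swapped — `..."ExternalControlOfConfigurationSetting", 15)` and `..."FormatStringInjectionRule", 134)` — otherwise both rules score against the wrong expected CWE. In the same hunk the `// XHSM. No CWE` comment is placed above the CSRF entry rather than the CrossSiteHistoryManipulation entry it describes.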
@@ -43,20 +44,122 @@ public Map customRuleCweMappings(JSONObject driver) { ruleCweMap.put("header-injection", CweNumber.HTTP_RESPONSE_SPLITTING); ruleCweMap.put("hql-injection", CweNumber.HIBERNATE_INJECTION); ruleCweMap.put("ldap-injection", CweNumber.LDAP_INJECTION); + ruleCweMap.put("log-injection", 117); ruleCweMap.put("nosql-injection", CweNumber.SQL_INJECTION); ruleCweMap.put("path-traversal", CweNumber.PATH_TRAVERSAL); ruleCweMap.put("reflected-xss", CweNumber.XSS); + ruleCweMap.put("reflection-injection", 470); // CWE-470 Unsafe Reflection ruleCweMap.put("sql-injection", CweNumber.SQL_INJECTION); ruleCweMap.put("trust-boundary-violation", CweNumber.TRUST_BOUNDARY_VIOLATION); + // CWE-111 Direct Use of Unsafe JNI + ruleCweMap.put("unmanaged-code-invocation", 111); + // CWE-770 Allocation of Resources Without Limits or Throttling + ruleCweMap.put("unsafe-readline", 770); + // CWE-601 URL Redirection to Untrusted Site (Open Redirect) + ruleCweMap.put("unvalidated-redirect", 601); ruleCweMap.put("xpath-injection", CweNumber.XPATH_INJECTION); ruleCweMap.put("xxe", CweNumber.XXE); ruleCweMap.put("autocomplete-missing", 522); // CWE-522 Insufficiently Protected Creds + // The following are the ruleIds for Contrast scan for HTML source code files + // See HTML rules: https://docs.contrastsecurity.com/en/html-scan-rules.html + ruleCweMap.put( + "OPT.HTML.MissingPasswordFieldMasking", + 549); // CWE-549 Missing Password Field Masking + + // The following are the ruleIds for Contrast scan for Java source code files + // See Java rules: https://docs.contrastsecurity.com/en/java-scan-rules.html + + // Don't access/modify java.security config objects (Policy, Security, Provider, Principal, + // KeyStore) + ruleCweMap.put("OPT.JAVA.EJB.DontModifyAccessSecurity", CweNumber.DONTCARE); + ruleCweMap.put("OPT.JAVA.RGS.CMP", 486); // Comparison of Classes by Name + // Java access restriction subverted by using reflection. (e.g., protected/private methods). 
+ ruleCweMap.put("OPT.JAVA.SEC_JAVA.AccessibilitySubversionRule", 506); // Malicious Code + // CWE-111 Direct Use of Unsafe JNI + ruleCweMap.put("OPT.JAVA.SEC_JAVA.AvoidNativeCallsRule", 111); + // CWE-245: Direct Mgt of Connection + ruleCweMap.put("OPT.JAVA.SEC_JAVA.AvoidJ2EEDirectDatabaseConnection", 245); + ruleCweMap.put("OPT.JAVA.SEC_JAVA.AvoidJ2EEExplicitSocket", 246); // Direct Use of Sockets + ruleCweMap.put( + "OPT.JAVA.SEC_JAVA.AvoidJ2EEExplicitThreadManagement", + 383); // Direct Use of Threads + ruleCweMap.put("OPT.JAVA.SEC_JAVA.AvoidJ2EEJvmExit", 382); // Use of System.exit() + ruleCweMap.put("OPT.JAVA.SEC_JAVA.AvoidJ2EELeftoverDebugCode", 489); // Active Debug Code + // CWE-502: Deserialization of Untrusted Data + ruleCweMap.put("OPT.JAVA.SEC_JAVA.CodeInjectionWithDeserializationRule", 502); + ruleCweMap.put("OPT.JAVA.SEC_JAVA.CodeInjectionRule", 94); // Code Injection + ruleCweMap.put("OPT.JAVA.SEC_JAVA.CommandInjectionRule", CweNumber.COMMAND_INJECTION); + // XHSM. No CWE + ruleCweMap.put("OPT.JAVA.SEC_JAVA.CrossSiteRequestForgeryRule", CweNumber.CSRF); + ruleCweMap.put("OPT.JAVA.SEC_JAVA.CrossSiteHistoryManipulation", CweNumber.DONTCARE); + ruleCweMap.put("OPT.JAVA.SEC_JAVA.CrossSiteScriptingRule", CweNumber.XSS); + // CWE-676: Use of Potentially Dangerous Function + ruleCweMap.put("OPT.JAVA.SEC_JAVA.ESAPIBannedRule", 676); + ruleCweMap.put("OPT.JAVA.SEC_JAVA.ExecutionAfterRedirect", 698); // Execution after Redirect + // CWE-134: Use of Externally-Controlled Format String + ruleCweMap.put("OPT.JAVA.SEC_JAVA.ExternalControlOfConfigurationSetting", 134); + // CWE-15: External Control of System or Configuration Setting + ruleCweMap.put("OPT.JAVA.SEC_JAVA.FormatStringInjectionRule", 15); + // CWE-321: Hard-coded Crypto Key + ruleCweMap.put("OPT.JAVA.SEC_JAVA.HardcodedCryptoKey", 321); + ruleCweMap.put("OPT.JAVA.SEC_JAVA.HardcodedUsernamePassword", 798); // Hardcoded Creds + // CWE-235: Improper Handling Extra Params + 
ruleCweMap.put("OPT.JAVA.SEC_JAVA.HttpParameterPollutionRule", 235); + ruleCweMap.put("OPT.JAVA.SEC_JAVA.HttpSplittingRule", 113); // HTTP Req/Resp Splitting + // Mapping InadequatePaddingRule to CWE-327 Weak Crypto, causes LOTS of False Positives + ruleCweMap.put("OPT.JAVA.SEC_JAVA.InadequatePaddingRule", CweNumber.DONTCARE); + ruleCweMap.put("OPT.JAVA.SEC_JAVA.InformationExposureThroughErrorMessage", 209); + // CWE-20: Improper Input Validation + ruleCweMap.put("OPT.JAVA.SEC_JAVA.InputPathNotCanonicalizedRule", 20); + ruleCweMap.put("OPT.JAVA.SEC_JAVA.InsecureRandomnessRule", CweNumber.WEAK_RANDOM); + // CWE-319: Cleartext transmission of sensitive data + ruleCweMap.put("OPT.JAVA.SEC_JAVA.InsecureTransport", 319); + ruleCweMap.put("OPT.JAVA.SEC_JAVA.LdapInjectionRule", CweNumber.LDAP_INJECTION); + // CWE-329: Generation of Predictable IV with CBC Mode + ruleCweMap.put("OPT.JAVA.SEC_JAVA.NonRandomIVWithCBCMode", 329); + ruleCweMap.put("OPT.JAVA.SEC_JAVA.OpenRedirectRule", 601); // CWE-601 Open Redirect + ruleCweMap.put( + "OPT.JAVA.SEC_JAVA.PasswordInCommentRule", 615); // Sensitive Info in Comments + ruleCweMap.put( + "OPT.JAVA.SEC_JAVA.PasswordInConfigurationFile", 256); // Plaintext Password Storage + ruleCweMap.put("OPT.JAVA.SEC_JAVA.PathTraversalRule", CweNumber.PATH_TRAVERSAL); + // CWE-315: Cleartext Storage of Sensitive Info in Cookie + ruleCweMap.put("OPT.JAVA.SEC_JAVA.PlaintextStorageInACookieRule", 315); + ruleCweMap.put( + "OPT.JAVA.SEC_JAVA.PlaintextStorageOfPassword", 256); // Plaintext Password Storage + ruleCweMap.put("OPT.JAVA.SEC_JAVA.PotentialInfiniteLoop", 835); // Infinite Loop + ruleCweMap.put("OPT.JAVA.SEC_JAVA.ProcessControlRule", 114); // Process Control + ruleCweMap.put("OPT.JAVA.SEC_JAVA.ServerSideRequestForgeryRule", 918); // SSRF + ruleCweMap.put("OPT.JAVA.SEC_JAVA.SqlInjectionRule", CweNumber.SQL_INJECTION); + ruleCweMap.put( + "OPT.JAVA.SEC_JAVA.TrustBoundaryViolationRule", CweNumber.TRUST_BOUNDARY_VIOLATION); + ruleCweMap.put( + 
"OPT.JAVA.SEC_JAVA.UnnormalizedInputString", 20); // Improper Input Validation + ruleCweMap.put("OPT.JAVA.SEC_JAVA.UnsafeCookieRule", 614); // No secure attribute + ruleCweMap.put("OPT.JAVA.SEC_JAVA.UnsafeReflection", 470); // Unsafe Reflection + // CWE-566: Authorization Bypass Thru User-Controlled SQL Primary Key + ruleCweMap.put("OPT.JAVA.SEC_JAVA.UserControlledSQLPrimaryKey", 566); + ruleCweMap.put("OPT.JAVA.SEC_JAVA.WeakCryptographicHashRule", CweNumber.WEAK_HASH_ALGO); + ruleCweMap.put("OPT.JAVA.SEC_JAVA.WeakEncryptionRule", CweNumber.WEAK_CRYPTO_ALGO); + ruleCweMap.put("OPT.JAVA.SEC_JAVA.WebXmlSecurityMisconfigurationsRule", CweNumber.DONTCARE); + ruleCweMap.put("OPT.JAVA.SEC_JAVA.XPathInjectionRule", CweNumber.XPATH_INJECTION); + return ruleCweMap; } @Override public void setVersion(ResultFile resultFile, TestSuiteResults testSuiteResults) { // SARIF file contains several nulls as version, just ignoring it + // Instead, we use the 'version' to set the type of CodeSec scan. WAR, JAR, SAST, etc. + JSONObject firstrun = resultFile.json().getJSONArray("runs").getJSONObject(0); + String commandLine = + firstrun.getJSONArray("invocations").getJSONObject(0).getString("commandLine"); + + if (commandLine.contains("contrast-scan-java-cli")) { + if (commandLine.endsWith("jar")) testSuiteResults.setToolVersion("OfJAR"); + else if (commandLine.endsWith("war")) testSuiteResults.setToolVersion("OfWAR"); + } else if (commandLine.contains("sast-engine")) + testSuiteResults.setToolVersion("OfSourceCode"); } }
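Review bot: The CWE numbers for `OPT.JAVA.SEC_JAVA.ExternalControlOfConfigurationSetting` and `OPT.JAVA.SEC_JAVA.FormatStringInjectionRule` are crossed: each line's own comment names the other value, and CWE-15 is External Control of System or Configuration Setting while CWE-134 is Use of Externally-Controlled Format String, so both rules currently score against the wrong category. The two lines should read `ruleCweMap.put("OPT.JAVA.SEC_JAVA.ExternalControlOfConfigurationSetting", 15);` and `ruleCweMap.put("OPT.JAVA.SEC_JAVA.FormatStringInjectionRule", 134);` with the two comments moved to match. Separately, `setVersion` now walks `runs[0].invocations[0].commandLine` with `getJSONArray`/`getJSONObject`/`getString`, which throw when a SARIF file has no `invocations` array or no `commandLine` property (both are optional in SARIF), so a result file that was scored before this patch would now abort instead of leaving the version unset as the surviving comment describes; the rewrite below uses the `opt*` accessors and returns early. The `OPT.JAVA.SEC_JAVA.HttpSplittingRule` and `OPT.JAVA.SEC_JAVA.UnsafeCookieRule` entries also use bare `113` and `614` where the neighbouring `header-injection` and `cookie-flags-missing` entries use `CweNumber.HTTP_RESPONSE_SPLITTING` and `CweNumber.INSECURE_COOKIE` for the same categories, assuming those constants hold those values.
```java
public void setVersion(ResultFile resultFile, TestSuiteResults testSuiteResults) {
    // SARIF file contains several nulls as version, just ignoring it
    // Instead, we use the 'version' to set the type of CodeSec scan. WAR, JAR, SAST, etc.
    // 'invocations' and 'commandLine' are optional in SARIF: leave the version unset when absent.
    JSONArray runs = resultFile.json().optJSONArray("runs");
    JSONObject firstrun = (runs == null || runs.isEmpty()) ? null : runs.optJSONObject(0);
    JSONArray invocations = firstrun == null ? null : firstrun.optJSONArray("invocations");
    JSONObject invocation =
            (invocations == null || invocations.isEmpty()) ? null : invocations.optJSONObject(0);
    String commandLine = invocation == null ? null : invocation.optString("commandLine", null);
    if (commandLine == null) {
        return;
    }
    // … unchanged: commandLine-based OfJAR / OfWAR / OfSourceCode selection …
}
```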