From 48f19a5aecb7ba3d3ac2ceae1356f050fa0ea46d Mon Sep 17 00:00:00 2001
From: zhukov_an
Date: Fri, 18 Oct 2024 14:22:22 +0300
Subject: [PATCH 1/2] Positive Technologies Application Inspector SARIF report support added
---
 .../benchmarkutils/score/parsers/Reader.java | 2 +
 .../score/parsers/sarif/PTAIReader.java | 41 +++++++
 .../score/parsers/sarif/PTAIReaderTest.java | 57 ++++++++++
 .../testfiles/Benchmark_PTAI-v4.7.2.sarif | 104 ++++++++++++++++++
 4 files changed, 204 insertions(+)
 create mode 100644 plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/PTAIReader.java
 create mode 100644 plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/PTAIReaderTest.java
 create mode 100644 plugin/src/test/resources/testfiles/Benchmark_PTAI-v4.7.2.sarif
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Reader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Reader.java
index 97da88bf..f156ebb9 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Reader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Reader.java
@@ -32,6 +32,7 @@
 import org.owasp.benchmarkutils.score.parsers.sarif.CodeQLReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.ContrastScanReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.DatadogSastReader;
+import org.owasp.benchmarkutils.score.parsers.sarif.PTAIReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.PrecautionReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.SemgrepSarifReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.SnykReader;
@@ -89,6 +90,7 @@ public static List allReaders() {
 new ParasoftReader(),
 new PrecautionReader(),
 new PMDReader(),
+ new PTAIReader(),
 new QualysWASReader(),
 new Rapid7Reader(),
 new ReshiftReader(),
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/PTAIReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/PTAIReader.java
new file mode 100644
index 00000000..af0d1fa8
--- /dev/null
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/PTAIReader.java
@@ -0,0 +1,41 @@
+/**
+ * OWASP Benchmark Project
+ *
+ *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For
+ * details, please see https://owasp.org/www-project-benchmark/.
+ *
+ *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * @author Alexey Zhukov
+ * @created 2024
+ */
+package org.owasp.benchmarkutils.score.parsers.sarif;
+
+import org.owasp.benchmarkutils.score.CweNumber;
+
+public class PTAIReader extends SarifReader {
+
+ static final int PTAI_CWE_EXTERNAL_FILEPATH_CONTROL = 73;
+ static final int PTAI_CWE_BLIND_XPATH_INJECTION = 91;
+
+ public PTAIReader() {
+ super("Positive Technologies Application Inspector", true, CweSourceType.FIELD);
+ }
+
+ @Override
+ public int mapCwe(int cwe) {
+ switch (cwe) {
+ case PTAI_CWE_EXTERNAL_FILEPATH_CONTROL:
+ return CweNumber.PATH_TRAVERSAL;
+ case PTAI_CWE_BLIND_XPATH_INJECTION:
+ return CweNumber.XPATH_INJECTION;
+ }
+ return cwe;
+ }
+}
diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/PTAIReaderTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/PTAIReaderTest.java
new file mode 100644
index 00000000..ef3d798e
--- /dev/null
+++ b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/PTAIReaderTest.java
@@ -0,0 +1,57 @@
+/**
+ * OWASP Benchmark Project
+ *
+ *
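Review bot: The PTAI_CWE_* constants and mapCwe carry no comment explaining why PT AI's CWE-73 and CWE-91 are remapped while every other CWE is passed through, so a later maintainer cannot tell whether this is a Benchmark scoring convention or a PT AI labelling quirk. A one-line comment on the constants would settle it, e.g. `// PT AI labels file-access findings CWE-73 and XPath findings CWE-91; fold them into the Benchmark's PATH_TRAVERSAL / XPATH_INJECTION categories so they are scored.` The two constants have no callers outside this class and could be `private`. PATCH 2/2 rewrites this class further but appears to leave mapCwe untouched.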

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For
+ * details, please see https://owasp.org/www-project-benchmark/.
+ *
+ *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * @author Alexey Zhukov
+ * @created 2024
+ */
+package org.owasp.benchmarkutils.score.parsers.sarif;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.owasp.benchmarkutils.score.*;
+import org.owasp.benchmarkutils.score.parsers.ReaderTestBase;
+
+public class PTAIReaderTest extends ReaderTestBase {
+
+ private ResultFile resultFile;
+
+ @BeforeEach
+ void setUp() {
+ resultFile = TestHelper.resultFileOf("testfiles/Benchmark_PTAI-v4.7.2.sarif");
+ BenchmarkScore.TESTCASENAME = "BenchmarkTest";
+ }
+
+ @Test
+ public void onlyPTAIReaderTestReportsCanReadAsTrue() {
+ assertOnlyMatcherClassIs(this.resultFile, PTAIReader.class);
+ }
+
+ @Test
+ void readerHandlesGivenResultFile() throws Exception {
+ PTAIReader reader = new PTAIReader();
+ TestSuiteResults result = reader.parse(resultFile);
+
+ assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType());
+
+ assertEquals("Positive Technologies Application Inspector", result.getToolName());
+ assertEquals("4.7.2.36549", result.getToolVersion());
+
+ assertEquals(2, result.getTotalResults());
+
+ assertEquals(CweNumber.PATH_TRAVERSAL, result.get(1).get(0).getCWE());
+ assertEquals(CweNumber.SQL_INJECTION, result.get(8).get(0).getCWE());
+ }
+}
diff --git a/plugin/src/test/resources/testfiles/Benchmark_PTAI-v4.7.2.sarif b/plugin/src/test/resources/testfiles/Benchmark_PTAI-v4.7.2.sarif
new file mode 100644
index 00000000..c861425d
--- /dev/null
+++ b/plugin/src/test/resources/testfiles/Benchmark_PTAI-v4.7.2.sarif
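Review bot: `import org.owasp.benchmarkutils.score.*;` is a wildcard import sitting next to the explicit `ReaderTestBase` import; naming the classes it supplies (at least `CweNumber`, `ResultFile` and `TestSuiteResults`, which the main code imports by name) keeps the test's dependencies visible and matches the rest of the import block. The two test methods also differ in visibility (`public void onlyPTAIReaderTestReportsCanReadAsTrue()` versus package-private `void readerHandlesGivenResultFile()`); JUnit 5 does not require `public`, so dropping it from the first keeps them consistent. `setUp` assigns the static `BenchmarkScore.TESTCASENAME` and never restores it, which presumably mirrors the sibling reader tests but is worth confirming since it leaks across test classes in the same JVM.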
@@ -0,0 +1,104 @@
+{
+ "version": "2.1.0",
+ "$schema": "http://json.schemastore.org/sarif-2.1.0.json",
+ "runs": [
+ {
+ "tool": {
+ "driver": {
+ "name": "Positive Technologies Application Inspector",
+ "version": "4.7.2.36549",
+ "organization": "Positive Technologies",
+ "informationUri": "https://www.ptsecurity.com/ww-en/products/ai/",
+ "rules": [
+ {
+ "id": "SQL Injection",
+ "name": "SQL Injection",
+ "properties": {
+ "cwe": [
+ "CWE-89"
+ ]
+ },
+ "defaultConfiguration": {
+ "level": "error",
+ "enabled": true
+ },
+ "messageStrings": {
+ "default": {
+ "text": "SQL Injection"
+ }
+ }
+ },
+ {
+ "id": "Arbitrary File Reading",
+ "name": "Arbitrary File Reading",
+ "properties": {
+ "cwe": [
+ "CWE-73"
+ ]
+ },
+ "defaultConfiguration": {
+ "level": "error",
+ "enabled": true
+ },
+ "messageStrings": {
+ "default": {
+ "text": "Arbitrary File Reading"
+ }
+ }
+ }
+ ]
+ }
+ },
+ "results": [
+ {
+ "ruleId": "Arbitrary File Reading",
+ "suppressions": [
+ ],
+ "message": {
+ "id": "default",
+ "text": "Arbitrary File Reading"
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "./src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java"
+ },
+ "region": {
+ "startLine": 71,
+ "snippet": {
+ "text": "new java.io.FileInputStream(new java.io.File(fileName))"
+ }
+ }
+ }
+ }
+ ]
+ },
+ {
+ "ruleId": "SQL Injection",
+ "suppressions": [
+ ],
+ "message": {
+ "id": "default",
+ "text": "SQL Injection"
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "./src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00008.java"
+ },
+ "region": {
+ "startLine": 57,
+ "snippet": {
+ "text": "connection.prepareCall(sql)"
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
From 6a0172ad3416e673924590ced4bea9fe9d1de88d Mon Sep 17 00:00:00 2001
From: zhukov_an
Date: Thu, 7 Nov 2024 10:42:20 +0300
Subject: [PATCH 2/2] PT AI tool name and version are shortened
---
 .../score/parsers/sarif/PTAIReader.java | 25 ++++++++++++++++++-
 .../score/parsers/sarif/PTAIReaderTest.java | 4 +--
 2 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/PTAIReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/PTAIReader.java
index af0d1fa8..e0254829 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/PTAIReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/PTAIReader.java
@@ -18,14 +18,37 @@
 package org.owasp.benchmarkutils.score.parsers.sarif;
 import org.owasp.benchmarkutils.score.CweNumber;
+import org.owasp.benchmarkutils.score.ResultFile;
+import org.owasp.benchmarkutils.score.TestSuiteResults;
 public class PTAIReader extends SarifReader {
 static final int PTAI_CWE_EXTERNAL_FILEPATH_CONTROL = 73;
 static final int PTAI_CWE_BLIND_XPATH_INJECTION = 91;
+ static final String EXPECTED_TOOL_NAME = "Positive Technologies Application Inspector";
+ static final String SHORTENED_TOOL_NAME = "PT Application Inspector";
+
 public PTAIReader() {
- super("Positive Technologies Application Inspector", true, CweSourceType.FIELD);
+ super(EXPECTED_TOOL_NAME, true, CweSourceType.FIELD);
+ }
+
+ @Override
+ public String toolName(ResultFile resultFile) {
+ return SHORTENED_TOOL_NAME;
+ }
+
+ /**
+ * SARIF report tool version field is too long as it contains build number. Shorten it to X.Y.Z
+ */
+ @Override
+ public void setVersion(ResultFile resultFile, TestSuiteResults testSuiteResults) {
+ super.setVersion(resultFile, testSuiteResults);
+ String version = testSuiteResults.getToolVersion();
+ String[] versionItems = version.split("\\.");
+ if (versionItems.length < 4) return;
+ testSuiteResults.setToolVersion(
+ String.format("%s.%s.%s", versionItems[0], versionItems[1], versionItems[2]));
 }
 @Override
diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/PTAIReaderTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/PTAIReaderTest.java
index ef3d798e..6df8ffcc 100644
--- a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/PTAIReaderTest.java
+++ b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/PTAIReaderTest.java
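Review bot: `setVersion` dereferences `testSuiteResults.getToolVersion()` unguarded in `version.split("\\.")`; if `super.setVersion` leaves the version unset for a SARIF run whose driver carries no `version` field (SarifReader is outside the hunk, so this is inferred), parsing fails with a NullPointerException instead of simply keeping the long or absent version. A one-line guard before the split avoids that: `if (version == null) return;`. The Javadoc would read better as a contract than a complaint, e.g. `Trims PT AI's four-part tool version (major.minor.patch.build) to major.minor.patch; versions with fewer parts are left unchanged.` `toolName` ignores its `resultFile` parameter, which is fine for a fixed display name but deserves a short comment so it does not look like an oversight.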
@@ -46,8 +46,8 @@ void readerHandlesGivenResultFile() throws Exception {
 assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType());
- assertEquals("Positive Technologies Application Inspector", result.getToolName());
- assertEquals("4.7.2.36549", result.getToolVersion());
+ assertEquals("PT Application Inspector", result.getToolName());
+ assertEquals("4.7.2", result.getToolVersion());
 assertEquals(2, result.getTotalResults());