-
Notifications
You must be signed in to change notification settings - Fork 52
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CWE number as enum #31
CWE number as enum #31
Conversation
// Add any 'new' CWEs ever found to switch above so we know they are mapped properly. | ||
System.out.println("INFO: Found following CWE which we haven't seen before: " + cweNum); | ||
return Integer.parseInt(cweNum); | ||
return CweNumber.lookup(cweNum); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This change doesn't allow us to manually decide how to map these. This can be especially important for DAST tools as they frequently report 1 type of injection as another. I'm thinking in cases like this we should leave the manual mapping the way it was. What do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As discussed: #31 (comment)
return CweNumber | ||
.SENSITIVE_INFORMATION_IN_BROWSER_CACHE; // Information Exposure Through | ||
// Browser Caching-Cacheable HTTPS | ||
// Response |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you merge the above 2 lines into a single line comment?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Already fixed
} | ||
return 0000; | ||
|
||
return CweNumber.lookup(name.trim()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Again, I think its better to leave the manual mapping here so we can map in anything 'new'.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As discussed: #31 (comment)
case 36: | ||
case 23: | ||
return CweNumber.PATH_TRAVERSAL; | ||
case 338: | ||
return CweNumber.WEAK_RANDOM; | ||
} | ||
return cwe; | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should add a warning like the others, e.g., "something new seen here not mapped before". Take exact message from other parser that already has this warning.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As discussed: #31 (comment)
case 36: | ||
case 23: | ||
return CweNumber.PATH_TRAVERSAL; | ||
case 338: | ||
return CweNumber.WEAK_RANDOM; | ||
} | ||
return cwe; | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you add new/missing mapping warning here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As discussed: #31 (comment)
+ " for rule: " | ||
+ ruleName); | ||
private CweNumber mapCWE(Integer cweNumber) { | ||
if (cweNumber == 335) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should retain the explanatory comment of why we are doing this.
} | ||
return 0; // Not mapped to anything | ||
|
||
return CweNumber.lookup(cweNumber); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I prefer that we keep the manual mapping so we can get the warning of 'new' types of issues not yet mapped.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As discussed: #31 (comment)
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we restore what we had so we can flag reported CWEs not yet mapped?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As discussed: #31 (comment)
int cwe = cweNumber(finding); | ||
tcr.setCWE(cwe); | ||
String cwe = finding.getString("cwe").substring(4); | ||
tcr.setCWE(CweNumber.lookup(cwe)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Restore what we had so we can flag reported CWEs not yet mapped. And there is one mapping here that doesn't go straight up, 326 to Weak Crypto.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
} | ||
|
||
return cwe; | ||
return CweNumber.lookup(cwe); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we restore what we had so we can flag reported CWEs not yet mapped?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As discussed: #31 (comment)
} | ||
return cwe; | ||
return CweNumber.lookup(cwe); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we restore what we had so we can flag reported CWEs not yet mapped?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As discussed: #31 (comment)
case "xss": | ||
return 79; | ||
return CweNumber.XSS; | ||
default: | ||
throw new RuntimeException("Unknown category: " + category); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe change this to a simple system out println? Runtime exception seems harsh.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can change this, but I didn't touch this in my PR.
} | ||
return 0; | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we restore what we had so we can flag reported CWEs not yet mapped?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As discussed: #31 (comment)
plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SonarQubeReader.java
Outdated
Show resolved
Hide resolved
plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/VisualCodeGrepperReader.java
Outdated
Show resolved
Hide resolved
Node refs = getNamedChild("references", vuln); | ||
List<Node> references = getNamedChildren("reference", refs); | ||
for (Node ref : references) { | ||
String title = getNamedChild("title", ref).getTextContent(); | ||
if (title.startsWith("CWE-")) { | ||
String cweNum = title.substring("CWE-".length(), title.indexOf(":")); | ||
cwe = cweLookup(cweNum); | ||
cwe = CweNumber.lookup(cweNum); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we restore the old cweLookup so we can still get the warning "WARNING: Wapiti-Unmapped CWE number: " + cwe);"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As discussed: #31 (comment)
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we restore the old cweLookup so we can still get the warning "WARNING: ZAP CWE not mapped to expected test suite CWE: " + cwe);
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As discussed: #31 (comment)
@darkspirit510 - Thanks so much for all this refactoring work! I provided some minor comments in a few dozen of the files changed. Can you address those comments and we should be good to go. |
Sorry for the late reply :-) Since most of your comments are about the "missing" default message, one general reply why I removed them: After checking all mapping methods in all Reader classes, you can divide them into three groups:
|
As you address issues per my comments above, can you add comments to each issue you've addressed so I can resolve comments on fixed issues? |
If you accept my explaination, i can write a short note to every comment. |
@darkspirit510 - that works. Thanks. |
@darkspirit510 - Did you ever work on my comments (per above)? Also, there is a branch conflict now, w/SemgrepReader. Can you resolve that too? |
@davewichers most of the comments should be explained in comment #31 (comment). But I actually missed some comments, I'll go through them within the next days. |
I fixed/commented all the things. If you're still not sure about this PR, I think about closing and redoing it in smaller chunks. |
@darkspirit510 - There was a lot of work done here, but might have been overcome by events. Do you want finish this one? Or start over and do this in smaller chunks? |
@darkspirit510 - Nudge :-) |
Since this is way too old, I'll redo it in smaller chunks 😅 |
Migrated CweNumber to enum to ensure there is no magic number stuff going on. Could remove a lot of mapping code that just attempts to map string to number. Since the code has to go through CweNumber's lookup method (which informs about request of unknown number), this (at least somehow) handles #6 and #7. It obviously does not handle default blocks for mapping of any tools internal namings/ids to CweNumbers.