Merge pull request #12 from h3xstream/master

davewichers · davewichers · commit 812919973565 · 2015-09-19T16:36:09.000-04:00
Support for the latest version of Find Security Bugs
diff --git a/pom.xml b/pom.xml
@@ -61,7 +61,7 @@
 								<plugin>
 									<groupId>com.h3xstream.findsecbugs</groupId>
 									<artifactId>findsecbugs-plugin</artifactId>
-									<version>1.4.0</version>
+									<version>1.4.3</version>
 								</plugin>
 							</plugins>
 						</configuration>
diff --git a/src/main/java/org/owasp/benchmark/score/parsers/FindbugsReader.java b/src/main/java/org/owasp/benchmark/score/parsers/FindbugsReader.java
@@ -105,35 +105,69 @@ private static int figureCWE( TestCaseResult tcr, Node cwenode, Node catnode) {
 			if ( cwe.equals( "23" ) || cwe.equals( "36" ) ) {
 				cwe = "22";
 			}
+			// FSB identify DES/DESede as CWE-326 (Inadequate Encryption Strength) while Benchmark
+			// marked it as CWE-327 (Use of a Broken or Risky Cryptographic Algorithm)
+			else if ( cwe.equals( "326" ) ) {
+				cwe = "327";
+			}
 			return Integer.parseInt( cwe );
 		}
-		
+
+		//This is a fallback mapping for unsupported/old versions of the Find Security Bugs plugin
+		//All important bug patterns have their CWE ID associated in later versions (1.4.3+).
 		switch( cat ) {
-		case "SECCU" : 		return 614;  // insecure cookie use
-		case "SECPR" : 		return 330;  // weak random
-		case "SECLDAPI" : 	return 90;   // LDAP injection
-		case "SECPTO" : 	return 22;   // path traversal
-		case "SECPTI" : 	return 22;   // path traversal
-		case "CIPINT" : 	return 327;	 // weak encryption - cipher with no integrity
-		case "PADORA" : 	return 327;  // padding oracle -- FIXME: probably wrong
-		case "SECXPI" : 	return 643;  // XPATH injection
-		case "SECWMD" : 	return 328;  // weak hash
-		case "SECCI" : 		return 78;   // command injection
-		case "SECDU" : 		return 327;  // weak encryption DES
-		case "SECXRW" :		return 79;   // XSS
-		case "SECXSS1" :	return 79;   // XSS
-		case "SECXSS2" :	return 79;   // XSS
-		case "SECXXEDOC" :  return 611;  // XXE - Probably DOM Parser
-		case "SECSQLIHIB" : return 564;  // Hibernate Injection, child of SQL Injection
-		case "SECXXESAX" :  return 611;  // XXE - SAX Parser
-		case "STAIV" : 		return 329;  // static initialization vector for crypto
-
-		case "SECSP" : 		return 00;	 // servlet parameter - not a vuln
-		case "SECSH" : 		return 00;   // servlet header -- not a vuln
-		case "SECSSQ" : 	return 00;   // servlet query - not a vuln
-		
+			//Cookies
+			case "SECIC" : 		return 614;  // insecure cookie use
+			case "SECCU" :      return 00; // servlet cookie
+
+			//Injections
+			case "SECSQLIHIB"     : return 564;  // Hibernate Injection, child of SQL Injection
+			case "SECSQLIJDO"     : return 89;
+			case "SECSQLIJPA"     : return 89;
+			case "SECSQLISPRJDBC" : return 89;
+			case "SECSQLIJDBC"    : return 89;
+
+			//LDAP injection
+			case "SECLDAPI" : 	return 90;   // LDAP injection
+
+			//XPath injection
+			case "SECXPI" : 	return 643;  // XPATH injection
+
+			//Command injection
+			case "SECCI" : 		return 78;   // command injection
+
+			//Weak random
+			case "SECPR" : 		return 330;  // weak random
+
+			//Weak encryption
+			case "SECDU" : 		return 327;  // weak encryption DES
+			case "CIPINT" : 	return 327;	 // weak encryption - cipher with no integrity
+			case "PADORA" : 	return 327;  // padding oracle -- FIXME: probably wrong
+			case "STAIV" : 		return 329;  // static initialization vector for crypto
+
+			//Weak hash
+			case "SECWMD" : 	return 328;  // weak hash
+
+			//Path traversal
+			case "SECPTO" : 	return 22;   // path traversal
+			case "SECPTI" : 	return 22;   // path traversal
+
+			//XSS
+			case "SECXRW" :		return 79;   // XSS
+			case "SECXSS1" :	return 79;   // XSS
+			case "SECXSS2" :	return 79;   // XSS
+
+			//XXE
+			case "SECXXEDOC" :  return 611;  // XXE
+			case "SECXXEREAD" :  return 611;  // XXE
+			case "SECXXESAX" :  return 611;  // XXE
+
+			//Input sources
+			case "SECSP" : 		return 00;	 // servlet parameter - not a vuln
+			case "SECSH" : 		return 00;   // servlet header -- not a vuln
+			case "SECSSQ" : 	return 00;   // servlet query - not a vuln
 
-		default : System.out.println( "Unknown category: " + cat );
+			default : System.out.println( "Unknown category: " + cat );
 		}
 
 		return 0;
