Add AppScan Dynamic scorecard generator. Add support for more vuln

categories in Burp scorecard generator.

Author: davewichers

src/main/java/org/owasp/benchmark/score/BenchmarkScore.java

@@ -45,7 +45,8 @@
 import javax.xml.parsers.DocumentBuilderFactory;
 
 import org.apache.commons.io.FileUtils;
-import org.owasp.benchmark.score.parsers.AppscanReader;
+import org.owasp.benchmark.score.parsers.AppScanDynamicReader;
+import org.owasp.benchmark.score.parsers.AppScanSourceReader;
 import org.owasp.benchmark.score.parsers.ArachniReader;
 import org.owasp.benchmark.score.parsers.BurpReader;
 import org.owasp.benchmark.score.parsers.CheckmarxReader;
@@ -373,7 +374,7 @@ private static TestResults readActualResults(File actual) throws Exception {
 		TestResults tr = null;
 
         if ( filename.endsWith(".ozasmt" ) ) {
-            tr = new AppscanReader().parse( actual );
+            tr = new AppScanSourceReader().parse( actual );
         }      
 
         else if ( filename.endsWith(".json" ) ) {
@@ -432,7 +433,11 @@ else if ( line2.startsWith( "<report")) {
                 Document doc = getXMLDocument( actual );
                 Node root = doc.getDocumentElement();
                 if ( root.getNodeName().equals( "issues" ) ) {
-                    tr = new BurpReader().parse( doc );
+                    tr = new BurpReader().parse( root );
+                }
+                
+                if ( root.getNodeName().equals( "XmlReport") ) {
+                    tr = new AppScanDynamicReader().parse( root );
                 }
             }
 		}

src/main/java/org/owasp/benchmark/score/parsers/AppScanDynamicReader.java

@@ -0,0 +1,197 @@
+/**
+ * OWASP Benchmark Project
+ *
+ * This file is part of the Open Web Application Security Project (OWASP)
+ * Benchmark Project For details, please see
+ * <a href="https://www.owasp.org/index.php/Benchmark">https://www.owasp.org/index.php/Benchmark</a>.
+ *
+ * The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ * The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details
+ *
+ * @author Dave Wichers <a href="https://www.aspectsecurity.com">Aspect Security</a>
+ * @created 2015
+ */
+
+package org.owasp.benchmark.score.parsers;
+
+import java.text.ParseException;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.w3c.dom.Node;
+
+public class AppScanDynamicReader extends Reader {
+    
+    public TestResults parse(Node root) throws Exception {
+
+        TestResults tr = new TestResults("IBM AppScan", true, TestResults.ToolType.DAST);
+
+//      <AppScanInfo>
+//        <Version>9.0.1.1</Version>
+//        <ServicePack />
+//      </AppScanInfo>
+
+        Node info = getNamedChild("AppScanInfo", root);
+        Node version = getNamedChild( "Version", info );
+        tr.setToolVersion(version.getTextContent());
+
+//        <Summary>
+//        <TotalScanDuration>14:48:40.9394530</TotalScanDuration>
+
+        Node summary = getNamedChild("Summary", root);
+        Node elapsed = getNamedChild( "TotalScanDuration", summary );
+        tr.setTime(calculateTime(elapsed.getTextContent()));
+        
+//        <IssueType ID="SSL_CertWithBadCN" Count="1">
+//        <RemediationID>fix_60280</RemediationID>
+//        <advisory>
+//          <name>SSL Certificate Domain Name Mismatch</name>
+//          <testDescription>Infrastructure test</testDescription>
+//          <threatClassification>
+//            <name>Insufficient Transport Layer Protection</name>
+//            <reference>http://projects.webappsec.org/Insufficient-Transport-Layer-Protection</reference>
+//          </threatClassification>
+//          <testTechnicalDescription>
+//          </testTechnicalDescription>
+//          <causes>
+//            <cause>The web server or application server are configured in an insecure way</cause>
+//          </causes>
+//          <securityRisks>
+//          </securityRisks>
+//          <affectedProducts>
+//            <affectedProduct>N/A</affectedProduct>
+//          </affectedProducts>
+//          <cwe>
+//            <link target="http://cwe.mitre.org/data/definitions/297.html" id="CWE-297">297</link>
+//          </cwe>
+//          <xfid>
+//            <link target="http://xforce.iss.net/xforce/xfdb/52881" id="52881">52881</link>
+//          </xfid>
+//          <references />
+//          <fixRecommendations>
+//            <fixRecommendation type="General">
+//            </fixRecommendation>
+//          </fixRecommendations>
+//        </advisory>
+//        <Severity>Informational</Severity>
+//        <Invasive>False</Invasive>
+//      </IssueType>
+        
+        // parse issue types list into cweMap
+        Map<String,Integer> cweMap = new HashMap<String,Integer>();
+        Node results = getNamedChild("Results", root);
+        Node issueTypes = getNamedChild("IssueTypes", results);
+        List<Node> issueTypeList = getNamedChildren("IssueType", issueTypes);
+        for ( Node issueType : issueTypeList ) {
+            try {
+                String key = getAttributeValue( "ID", issueType );
+                Node advisory = getNamedChild( "advisory", issueType );
+                Node cwenode = getNamedChild( "cwe", advisory );
+                Node link = getNamedChild( "link", cwenode );
+                Integer cwe = Integer.parseInt( link.getTextContent() );
+                cweMap.put( key, cwe );
+            } catch( Exception e ) {
+                // System.out.println( "Found an issueType with no CWE link: " + getAttributeValue( "ID", issueType ));
+            }
+        }
+        
+        Node issues = getNamedChild("Issues", results);
+        List<Node> issueList = getNamedChildren("Issue", issues);
+        for (Node issue : issueList) {
+            TestCaseResult tcr = parseAppScanDynamicVulnerability(issue, cweMap);
+            if (tcr != null) {
+                // System.out.println( tcr.getNumber() + "\t" + tcr.getCWE() + "\t" + tcr.getEvidence() );
+                tr.put(tcr);
+            }
+        }
+        return tr;
+    }
+
+
+    
+//  <TotalScanDuration>14:48:40.9394530</TotalScanDuration>
+    private static String calculateTime(String elapsed) {
+        try {
+            String[] splits = elapsed.split( "[\\.:]");
+            int hours = Integer.parseInt( splits[0] );
+            int minutes = Integer.parseInt( splits[1] );
+            int seconds = Integer.parseInt( splits[2] );
+            long millis = 1000 * ( hours * 60 * 60 + minutes * 60 + seconds );
+            return TestResults.formatTime( millis );
+        } catch( Exception e ) {
+            e.printStackTrace();
+            return "Unknown";
+        }
+    }
+    
+//    <Issue IssueTypeID="attBlindSqlInjectionStrings" Noise="False">
+//    <Url>https://localhost:8443/benchmark/BenchmarkTest00153</Url>
+    private TestCaseResult parseAppScanDynamicVulnerability(Node issue, Map<String,Integer> cweMap ) {
+        TestCaseResult tcr = new TestCaseResult();
+        String cwekey = getAttributeValue("IssueTypeID", issue);
+        Integer cwe = cweMap.get(cwekey);
+        if ( cwe == null ) return null;
+        tcr.setCWE(translate(cwe));
+
+        tcr.setCategory(cwekey);
+        tcr.setEvidence(cwekey);
+
+        // fixme: not really confidence
+        // fixme: what is "noise" attribute?
+        String confidence = getNamedChild( "Severity", issue ).getTextContent();
+        // tcr.setConfidence( makeIntoInt( confidence ) );
+
+        String testcase = getNamedChild("Url", issue).getTextContent();
+        testcase = testcase.substring(testcase.lastIndexOf('/') + 1);
+        testcase = testcase.split("\\.")[0];
+        if (testcase.startsWith("BenchmarkTest")) {
+            String testno = testcase.substring("BenchmarkTest".length() );
+            try {
+                tcr.setNumber(Integer.parseInt(testno));
+            } catch (NumberFormatException e) {
+                e.printStackTrace();
+            }
+            return tcr;
+        }
+
+        return null;
+    }
+
+    private int translate(int id) {
+        switch (id) {
+            // //case "Build Misconfiguration" : return 00;
+            // case "Command Injection" : return 78;
+            // case "Cookie Security" : return 614;
+            // case "Cross-Site Scripting" : return 79;
+            // //case "Dead Code" : return 00;
+            // //case "Denial of Service" : return 00;
+            // case "Header Manipulation" : return 113;
+            // case "Insecure Randomness" : return 330;
+            // //case "J2EE Bad Practices" : return 00;
+            // case "LDAP Injection" : return 90;
+            // //case "Missing Check against Null" : return 00;
+            // //case "Null Dereference" : return 00;
+            // case "Password Management" : return 00;
+            // case "Path Manipulation" : return 22;
+            // //case "Poor Error Handling" : return 00;
+            // //case "Poor Logging Practice" : return 00;
+            // //case "Poor Style" : return 00;
+            // //case "Resource Injection" : return 00;
+            // case "SQL Injection" : return 89;
+            // //case "System Information Leak" : return 00;
+            // case "Trust Boundary Violation" : return 501;
+            // //case "Unreleased Resource" : return 00;
+            // //case "Unsafe Reflection" : return 00;
+            // case "Weak Cryptographic Hash" : return 328;
+            // case "Weak Encryption" : return 327;
+            // case "XPath Injection" : return 643;
+        }
+        return id;
+    }
+
+}

src/main/java/org/owasp/benchmark/score/parsers/AppscanReader.java renamed to src/main/java/org/owasp/benchmark/score/parsers/AppScanSourceReader.java

@@ -34,7 +34,7 @@
 import org.w3c.dom.NodeList;
 import org.xml.sax.InputSource;
 
-public class AppscanReader extends Reader {
+public class AppScanSourceReader extends Reader {
 
 	public TestResults parse( File f ) throws Exception {
 		DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();

src/main/java/org/owasp/benchmark/score/parsers/BurpReader.java

@@ -25,14 +25,13 @@
 
 public class BurpReader extends Reader {
 
-    public TestResults parse(Document doc) throws Exception {
+    public TestResults parse(Node root) throws Exception {
 
-        TestResults tr = new TestResults("Burp Pro", true, TestResults.ToolType.SAST);
+        TestResults tr = new TestResults("Burp Suite Pro", true, TestResults.ToolType.DAST);
 
         // <issues burpVersion="1.6.24"
         // exportTime="Wed Aug 19 23:27:54 EDT 2015">
 
-        Node root = doc.getDocumentElement();
         String version = getAttributeValue("burpVersion", root);
         tr.setToolVersion(version);
 
@@ -74,7 +73,7 @@ private TestCaseResult parseBurpVulnerability(Node issue) {
         tcr.setCategory(name);
         tcr.setEvidence(name);
 
-        String confidence = getNamedChild( "confidence", issue ).getTextContent();
+        //String confidence = getNamedChild( "confidence", issue ).getTextContent();
         // tcr.setConfidence( makeIntoInt( confidence ) );
 
         String testcase = getNamedChild("path", issue).getTextContent();
@@ -95,18 +94,25 @@ private TestCaseResult parseBurpVulnerability(Node issue) {
 
     private int translate(String id) {
         switch (id) {
-        case "2097920": return 79;  // XSS
+        case "2097920": return 79;   // XSS
         case "5247488": return 9999; // DOM Trust Boundary Violation - Map to nothing right now.
-        case "1048832": return 78; // Command Injection 
-        case "1051392": return 22; // Path Manipulation
-        case "5243392": return 614; //SSL cookie without secure flag set
-        case "5244416": return 9998; //cookie without HttpOnly flag set - There is no CWE defined for this weakness
-        case "1050112": return 643; //XPATH injection
-        
+        case "1048832": return 78;   // Command Injection 
+        case "1051392": return 22;   // Path Manipulation
+        case "5243392": return 614;  // SSL cookie without secure flag set
+        case "5244416": return 9998; // cookie without HttpOnly flag set - There is no CWE defined for this weakness
+        case "1050112": return 643;  // XPATH injection
+        case "1049344": return 22;   // Path Manipulation
+        case "1049088": return 89;   // SQL injection
+        case "6291968": return 200;  // Information Disclosure - Email Address Disclosed 
+        case "6292736": return 200;  // Information Disclosure - Credit Card # Disclosed 
+        case "7340288": return 525;  // Information Exposure Through Browser Caching-Cacheable HTTPS Response
+        case "5245344": return 8888; // Clickjacking - There is no CWE # for this.
+        case "8389632": return 9999; // Incorrect Content Type - Don't care. Map to nothing right now.
+        case "2098944": return 352;  // CSRF Vulnerability
+        case "8389120": return 9999; // HTML doesn't specify character set - Don't care. Map to nothing.
+                
             // //case "Build Misconfiguration" : return 00;
-            // case "Command Injection" : return 78;
             // case "Cookie Security" : return 614;
-            // case "Cross-Site Scripting" : return 79;
             // //case "Dead Code" : return 00;
             // //case "Denial of Service" : return 00;
             // case "Header Manipulation" : return 113;
@@ -116,19 +122,16 @@ private int translate(String id) {
             // //case "Missing Check against Null" : return 00;
             // //case "Null Dereference" : return 00;
             // case "Password Management" : return 00;
-            // case "Path Manipulation" : return 22;
             // //case "Poor Error Handling" : return 00;
             // //case "Poor Logging Practice" : return 00;
             // //case "Poor Style" : return 00;
             // //case "Resource Injection" : return 00;
-            // case "SQL Injection" : return 89;
             // //case "System Information Leak" : return 00;
             // case "Trust Boundary Violation" : return 501;
             // //case "Unreleased Resource" : return 00;
             // //case "Unsafe Reflection" : return 00;
             // case "Weak Cryptographic Hash" : return 328;
             // case "Weak Encryption" : return 327;
-            // case "XPath Injection" : return 643;
         }
         System.out.println("Unknown id: " + id);
         return -1;