Add Burp and new SonarQube readers. Remove reverse() call from test cases. Delete or move some files out of the root dir. of project.

Author: davewichers

pom.xml

@@ -8,7 +8,6 @@
 	<name>OWASP Benchmark Project</name>
 	<url>https://www.owasp.org/index.php/Benchmark</url>
 	<profiles>
-
 		<profile>
 			<id>benchmarkscore</id>
 			<build>
@@ -78,24 +77,6 @@
 			</properties>
 			<build>
 				<plugins>
-					<plugin>
-						<groupId>org.apache.maven.plugins</groupId>
-						<artifactId>maven-verifier-plugin</artifactId>
-						<version>1.1</version>
-						<configuration>
-							<verificationFile>verifications.xml</verificationFile>
-						</configuration>
-						<executions>
-							<execution>
-								<id>main</id>
-								<phase>validate</phase>
-								<goals>
-									<goal>verify</goal>
-								</goals>
-							</execution>
-						</executions>
-					</plugin>
-
 					<plugin>
 						<artifactId>maven-antrun-plugin</artifactId>
 						<version>1.7</version>
@@ -108,7 +89,7 @@
 								</goals>
 								<configuration>
 									<target>
-										<ant target="run" antfile="${basedir}/build.xml">
+										<ant target="run" antfile="${basedir}/src/config/build.xml">
 											<!-- This is the important bit -->
 											<reference torefid="maven.compile.classpath" refid="maven.compile.classpath" />
 										</ant>
@@ -568,7 +549,6 @@
 					</execution>
 				</executions>
 			</plugin>
-
 			<!-- FindBugs Static Analysis -->
 			<plugin>
 				<groupId>org.codehaus.mojo</groupId>

build.xml renamed to src/config/build.xml

@@ -22,8 +22,8 @@ public class Thing2 implements ThingInterface {
 
 	@Override
 	public String doSomething(String i) {
-		// reverse input
-		String r = new StringBuilder(i).reverse().toString();
+		if (i == null) return "";
+		String r = new StringBuilder(i).toString();
 		return r;
 	}
 }

src/main/java/org/owasp/benchmark/helpers/Thing2.java

@@ -20,6 +20,7 @@
 
 import java.io.BufferedReader;
 import java.io.File;
+import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
 import java.io.FileReader;
@@ -40,9 +41,13 @@
 import java.util.Set;
 import java.util.TreeMap;
 
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+
 import org.apache.commons.io.FileUtils;
 import org.owasp.benchmark.score.parsers.AppscanReader;
 import org.owasp.benchmark.score.parsers.ArachniReader;
+import org.owasp.benchmark.score.parsers.BurpReader;
 import org.owasp.benchmark.score.parsers.CheckmarxReader;
 import org.owasp.benchmark.score.parsers.Counter;
 import org.owasp.benchmark.score.parsers.CoverityReader;
@@ -51,14 +56,19 @@
 import org.owasp.benchmark.score.parsers.OverallResults;
 import org.owasp.benchmark.score.parsers.PMDReader;
 import org.owasp.benchmark.score.parsers.ParasoftReader;
-import org.owasp.benchmark.score.parsers.SonarReader;
+import org.owasp.benchmark.score.parsers.Reader;
+import org.owasp.benchmark.score.parsers.SonarQubeLegacyReader;
+import org.owasp.benchmark.score.parsers.SonarQubeReader;
 import org.owasp.benchmark.score.parsers.TestCaseResult;
 import org.owasp.benchmark.score.parsers.TestResults;
 import org.owasp.benchmark.score.parsers.VeracodeReader;
 import org.owasp.benchmark.score.parsers.ZapReader;
 import org.owasp.benchmark.score.report.Report;
 import org.owasp.benchmark.score.report.ScatterScores;
 import org.owasp.benchmark.score.report.ScatterVulns;
+import org.w3c.dom.Document;
+import org.w3c.dom.Node;
+import org.xml.sax.InputSource;
 
 public class BenchmarkScore {
 
@@ -367,7 +377,15 @@ private static TestResults readActualResults(File actual) throws Exception {
         }      
 
         else if ( filename.endsWith(".json" ) ) {
-            tr = new CoverityReader().parse( actual );
+            String line1 = getLine( actual, 0 );
+            String line2 = getLine( actual, 1 );
+            if ( line2.contains("formatVersion")) {
+                tr = new CoverityReader().parse( actual );
+            }
+            
+            else {
+                tr = new SonarQubeReader().parse( actual );
+            }
         }
 
 		else if ( filename.endsWith( ".xml" ) ) {
@@ -395,7 +413,7 @@ else if ( line2.startsWith( "<detailedreport")) {
             }
 
             else if ( line1.startsWith( "<total")) {
-                tr = new SonarReader().parse( actual );
+                tr = new SonarQubeLegacyReader().parse( actual );
             }
 
             else if ( line1.contains( "<OWASPZAPReport") || line2.contains( "<OWASPZAPReport")) {
@@ -409,6 +427,14 @@ else if ( line2.startsWith( "<CxXMLResults")) {
             else if ( line2.startsWith( "<report")) {
                 tr = new ArachniReader().parse( actual );
             }
+		    
+            else {
+                Document doc = getXMLDocument( actual );
+                Node root = doc.getDocumentElement();
+                if ( root.getNodeName().equals( "issues" ) ) {
+                    tr = new BurpReader().parse( doc );
+                }
+            }
 		}
 
 		else if ( filename.endsWith( ".fpr" ) ) {
@@ -690,7 +716,14 @@ private static void updateMenuTemplates( String toolmenu, String vulnmenu ) {
 	            }
 	        }
 	    }
-	    
+	}
+	
+	private static Document getXMLDocument( File f ) throws Exception {
+        DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
+        DocumentBuilder docBuilder = docBuilderFactory.newDocumentBuilder();
+        InputSource is = new InputSource(new FileInputStream(f));
+        Document doc = docBuilder.parse(is);
+        return doc;
 	}
 
 }

src/main/java/org/owasp/benchmark/score/BenchmarkScore.java

@@ -0,0 +1,137 @@
+/**
+ * OWASP Benchmark Project
+ *
+ * This file is part of the Open Web Application Security Project (OWASP)
+ * Benchmark Project For details, please see
+ * <a href="https://www.owasp.org/index.php/Benchmark">https://www.owasp.org/index.php/Benchmark</a>.
+ *
+ * The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ * The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details
+ *
+ * @author Dave Wichers <a href="https://www.aspectsecurity.com">Aspect Security</a>
+ * @created 2015
+ */
+
+package org.owasp.benchmark.score.parsers;
+
+import java.util.List;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Node;
+
+public class BurpReader extends Reader {
+    
+    public TestResults parse(Document doc) throws Exception {
+
+        TestResults tr = new TestResults("Burp Pro", true, TestResults.ToolType.SAST);
+
+        // <issues burpVersion="1.6.24"
+        // exportTime="Wed Aug 19 23:27:54 EDT 2015">
+
+        Node root = doc.getDocumentElement();
+        String version = getAttributeValue("burpVersion", root);
+        tr.setToolVersion(version);
+
+        // String time = getAttributeValue("ScanTime", root);
+        // tr.setTime( time );
+
+        List<Node> issueList = getNamedChildren("issue", root);
+
+        for (Node issue : issueList) {
+            TestCaseResult tcr = parseBurpVulnerability(issue);
+            if (tcr != null) {
+//                System.out.println( tcr.getNumber() + "\t" + tcr.getCWE() + "\t" + tcr.getEvidence() );
+                tr.put(tcr);
+            }
+        }
+        return tr;
+    }
+
+    // <issue>
+    // <serialNumber>5773821289236842496</serialNumber>
+    // <type>2097920</type>
+    // <name>Cross-site scripting (reflected)</name>
+    // <host ip="127.0.0.1">https://localhost:8443</host>
+    // <path><![CDATA[/benchmark/BenchmarkTest00023]]></path>
+    // <location><![CDATA[/benchmark/BenchmarkTest00023 [vector parameter]]]></location>
+    // <severity>High</severity>
+    // <confidence>Certain</confidence>
+    // <issueBackground></remediationBackground>
+    // <references></references>
+    // <issueDetail></issueDetail>
+    // </issue>
+
+    private TestCaseResult parseBurpVulnerability(Node issue) {
+        TestCaseResult tcr = new TestCaseResult();
+        String cwe = getNamedChild("type", issue).getTextContent();
+        tcr.setCWE(translate(cwe));
+
+        String name = getNamedChild("name", issue).getTextContent();
+        tcr.setCategory(name);
+        tcr.setEvidence(name);
+
+        String confidence = getNamedChild( "confidence", issue ).getTextContent();
+        // tcr.setConfidence( makeIntoInt( confidence ) );
+
+        String testcase = getNamedChild("path", issue).getTextContent();
+        testcase = testcase.substring(testcase.lastIndexOf('/') + 1);
+        testcase = testcase.split("\\.")[0];        
+        if (testcase.startsWith("BenchmarkTest")) {
+            String testno = testcase.substring("BenchmarkTest".length() );
+            try {
+                tcr.setNumber(Integer.parseInt(testno));
+            } catch (NumberFormatException e) {
+                e.printStackTrace();
+            }
+            return tcr;
+        }
+
+        return null;
+    }
+
+    private int translate(String id) {
+        switch (id) {
+        case "2097920": return 79;  // XSS
+        case "5247488": return 9999; // DOM Trust Boundary Violation - Map to nothing right now.
+        case "1048832": return 78; // Command Injection 
+        case "1051392": return 22; // Path Manipulation
+        case "5243392": return 614; //SSL cookie without secure flag set
+        case "5244416": return 9998; //cookie without HttpOnly flag set - There is no CWE defined for this weakness
+        case "1050112": return 643; //XPATH injection
+        
+            // //case "Build Misconfiguration" : return 00;
+            // case "Command Injection" : return 78;
+            // case "Cookie Security" : return 614;
+            // case "Cross-Site Scripting" : return 79;
+            // //case "Dead Code" : return 00;
+            // //case "Denial of Service" : return 00;
+            // case "Header Manipulation" : return 113;
+            // case "Insecure Randomness" : return 330;
+            // //case "J2EE Bad Practices" : return 00;
+            // case "LDAP Injection" : return 90;
+            // //case "Missing Check against Null" : return 00;
+            // //case "Null Dereference" : return 00;
+            // case "Password Management" : return 00;
+            // case "Path Manipulation" : return 22;
+            // //case "Poor Error Handling" : return 00;
+            // //case "Poor Logging Practice" : return 00;
+            // //case "Poor Style" : return 00;
+            // //case "Resource Injection" : return 00;
+            // case "SQL Injection" : return 89;
+            // //case "System Information Leak" : return 00;
+            // case "Trust Boundary Violation" : return 501;
+            // //case "Unreleased Resource" : return 00;
+            // //case "Unsafe Reflection" : return 00;
+            // case "Weak Cryptographic Hash" : return 328;
+            // case "Weak Encryption" : return 327;
+            // case "XPath Injection" : return 643;
+        }
+        System.out.println("Unknown id: " + id);
+        return -1;
+    }
+
+}

src/main/java/org/owasp/benchmark/score/parsers/BurpReader.java

@@ -74,7 +74,7 @@ public List<Node> getNamedNodes(String name, NodeList list) {
         return results;
     }
 
-    public String getAttributeValue(String name, Node node) {
+    public static String getAttributeValue(String name, Node node) {
         if (node == null)
             return null;
         NamedNodeMap nnm = node.getAttributes();

src/main/java/org/owasp/benchmark/score/parsers/Reader.java

@@ -31,7 +31,7 @@
 import org.w3c.dom.NodeList;
 import org.xml.sax.InputSource;
 
-public class SonarReader extends Reader {
+public class SonarQubeLegacyReader extends Reader {
 
     public TestResults parse(File f) throws Exception {
         DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
@@ -78,8 +78,37 @@ private TestCaseResult parseSonarIssue(Node flaw) {
         return null;
     }
 
+//    //case "Build Misconfiguration" : return 00;
+//    case "Command Injection" : return 78;
+//    case "Cookie Security" : return 614;
+//    case "Cross-Site Scripting" : return 79;
+//    //case "Dead Code" : return 00;
+//    //case "Denial of Service" : return 00;
+//    case "Header Manipulation" : return 113;
+//    case "Insecure Randomness" : return 330;
+//    //case "J2EE Bad Practices" : return 00;
+//    case "LDAP Injection" : return 90;
+//    //case "Missing Check against Null" : return 00;
+//    //case "Null Dereference" : return 00;
+//    case "Password Management" : return 00;
+//    case "Path Manipulation" : return 22;
+//    //case "Poor Error Handling" : return 00;
+//    //case "Poor Logging Practice" : return 00;
+//    //case "Poor Style" : return 00;
+//    //case "Resource Injection" : return 00;
+//    case "SQL Injection" : return 89;
+//    //case "System Information Leak" : return 00;
+//    case "Trust Boundary Violation" : return 501;
+//    //case "Unreleased Resource" : return 00;
+//    //case "Unsafe Reflection" : return 00;
+//    case "Weak Cryptographic Hash" : return 328;
+//    case "Weak Encryption" : return 327;
+//    case "XPath Injection" : return 643;
+    
 
-    private int cweLookup(String squidNumber) {        
+    
+    
+    public static int cweLookup(String squidNumber) {        
         switch( squidNumber ) {       
         case "S00105" : return 0000; //S00105-Replace all tab characters in this file by sequences of white-spaces.
         case "S106" : return 0000; //S00106-Replace this usage of System.out or System.err by a logger.
@@ -106,7 +135,7 @@ private int cweLookup(String squidNumber) {
         case "S1948" : return 594; //S1948-Fields in a"Serializable" class should either be transient or serializable
         case "S2068" : return 259; //S2068-Credentials should not be hard-coded
         case "S2070" : return 328; //S2070-SHA-1 and Message-Digest hash algorithms should not be used
-        case "S2076" : return 88; //S2076-Values passed to OS commands should be sanitized
+        case "S2076" : return 78; //S2076-Values passed to OS commands should be sanitized
         case "S2077" : return 89; //S2077-Values passed to SQL commands should be sanitized
         case "S2078" : return 90; //S2078-Values passed to LDAP queries should be sanitized
         case "S2089" : return 293; //S2089-HTTP referers should not be relied on