Add warning when a SARIF parser doesn't have a CWE mapping for a tool

specific rule. Add a few such missing rules to ZAP and ContrastScan
readers. Fix bug in JuliaReader where it was reporting findings for test
case number -1 (which isn't a real test case).

Author: Dave Wichers

plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/JuliaReader.java

@@ -68,7 +68,10 @@ public TestSuiteResults parse(ResultFile resultFile) throws Exception {
         NodeList nl = root.getChildNodes();
         for (int i = 0; i < nl.getLength(); i++) {
             Node n = nl.item(i);
-            if (n.getNodeName().equals("warning")) tr.put(parseJuliaBug(n));
+            if (n.getNodeName().equals("warning")) {
+                TestCaseResult tcr = parseJuliaBug(n);
+                if (tcr.getNumber() > 0) tr.put(tcr);
+            }
         }
 
         return tr;

plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ZapJsonReader.java

@@ -184,17 +184,21 @@ static int mapCwe(String cwe) {
             case "-1": // Informational Alert
             case "0": // Informational Alert: Check for differences in response based on fuzzed User
                 // Agent
+                return CweNumber.DONTCARE;
+
             case "16": // Configuration
             case "20": // Improper Input Validation
             case "91": // XML Injection (aka Blind XPath Injection)
             case "120": // Classic Buffer Overflow (Not possible in Java)
             case "134": // Use of Externally-Controlled Format String
+            case "190": // Integer Overflow or Wraparound
             case "200": // Exposure of Sensitive Information to Unauthorized Actor - When 500 errors
                 // are returned
             case "345": // Insufficient Verification of Data Authenticity
             case "359": // Exposure of Private Personal Information to an Unauthorized Actor
             case "436": // Interpretation Conflict
             case "525": // Browser caching sensitive data
+            case "541": // Sensitive Info found in an Include File
             case "565": // Reliance on Cookies without Validation and Integrity Checking
             case "693": // Protection Mechanism Failure
             case "829": // Inclusion of Functionality from Untrusted Control Sphere (e.g., CDN)
@@ -204,8 +208,7 @@ static int mapCwe(String cwe) {
                 return Integer.parseInt(cwe); // Return the CWE anyway.
 
             default:
-                System.out.println(
-                        "WARNING: ZAP CWE not mapped to expected test suite CWE: " + cwe);
+                System.out.println("WARNING: No CWE mapping found for CWE: " + cwe);
                 return Integer.parseInt(cwe);
         }
     }

plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/ContrastScanReader.java

@@ -50,6 +50,7 @@ public Map<String, Integer> customRuleCweMappings(JSONObject driver) {
         ruleCweMap.put("trust-boundary-violation", CweNumber.TRUST_BOUNDARY_VIOLATION);
         ruleCweMap.put("xpath-injection", CweNumber.XPATH_INJECTION);
         ruleCweMap.put("xxe", CweNumber.XXE);
+        ruleCweMap.put("autocomplete-missing", 522); // CWE-522 Insufficiently Protected Creds
 
         return ruleCweMap;
     }

plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SarifReader.java

@@ -247,6 +247,7 @@ private TestCaseResult testCaseResultFor(JSONObject result, Map<String, Integer>
         int cwe = mappings.getOrDefault(ruleId, -1);
 
         if (cwe == -1) {
+            System.out.println("WARNING: No CWE mapping found for ruleID: " + ruleId);
             return null;
         }