Merge branch 'main' into generalizeScoring

Author: Dave Wichers

.mvn/jvm.config

@@ -1,2 +1,8 @@
 --add-exports jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED
 --add-opens java.base/java.lang=ALL-UNNAMED
+
+--add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED
+--add-exports=jdk.compiler/com.sun.tools.javac.code=ALL-UNNAMED
+--add-exports=jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED
+--add-exports=jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED
+--add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED

plugin/pom.xml

@@ -47,7 +47,7 @@
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
-            <version>33.3.1-jre</version>
+            <version>33.4.0-jre</version>
         </dependency>
 
         <dependency>
@@ -65,7 +65,7 @@
         <dependency>
             <groupId>commons-io</groupId>
             <artifactId>commons-io</artifactId>
-            <version>2.17.0</version>
+            <version>2.18.0</version>
         </dependency>
 
         <dependency>
@@ -77,7 +77,7 @@
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-csv</artifactId>
-            <version>1.12.0</version>
+            <version>1.13.0</version>
         </dependency>
 
         <dependency>
@@ -95,7 +95,7 @@
         <dependency>
             <groupId>org.apache.httpcomponents.core5</groupId>
             <artifactId>httpcore5</artifactId>
-            <version>5.3.1</version>
+            <version>5.3.2</version>
         </dependency>
 
         <dependency>
@@ -134,7 +134,7 @@
         <dependency>
             <groupId>org.json</groupId>
             <artifactId>json</artifactId>
-            <version>20240303</version>
+            <version>20250107</version>
         </dependency>
 
         <dependency>
@@ -192,10 +192,10 @@
     </build>
 
     <properties>
-        <version.fasterxml.jackson>2.18.1</version.fasterxml.jackson>
+        <version.fasterxml.jackson>2.18.2</version.fasterxml.jackson>
         <!-- 3.0.3+ version of eclipse.persistence requires jakarta.xml.bind instead of jaxb -->
         <version.eclipse.persistence>2.7.15</version.eclipse.persistence>
-        <version.junit.jupiter>5.11.3</version.junit.jupiter>
+        <version.junit.jupiter>5.11.4</version.junit.jupiter>
     </properties>
 
 </project>

plugin/src/main/java/org/owasp/benchmarkutils/helpers/CWE.java

@@ -21,6 +21,7 @@ public class CWE {
     private final int CWENumber; // e.g., 79
     private final String
             description; // e.g., Improper Neutralization of Input During Web Page Generation
+
     // ('Cross-site Scripting')
 
     public CWE(int cwe, String description) {

plugin/src/main/java/org/owasp/benchmarkutils/score/BenchmarkScore.java

@@ -714,6 +714,8 @@ private static ToolMetrics calculateMetrics(
             // c.tp & c.fp can both be zero, creating a precision of NaN. So set to 0.0.
             if (Double.isNaN(precision)) precision = 0.0;
             double tpr = (double) c.tp / (double) (c.tp + c.fn);
+            // c.tp & c.fn can both be zero, creating an tpr of NaN. So set to 0.0.
+            if (Double.isNaN(tpr)) tpr = 0.0;
             double fpr = (double) c.fp / (double) (c.fp + c.tn);
             // c.fp & c.tn can both be zero, creating an fpr of NaN. So set to 0.0.
             if (Double.isNaN(fpr)) fpr = 0.0;

plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ZapJsonReader.java

@@ -193,14 +193,14 @@ static int mapCwe(String cwe) {
             case "91": // XML Injection (aka Blind XPath Injection)
             case "120": // Classic Buffer Overflow (Not possible in Java)
             case "134": // Use of Externally-Controlled Format String
-            case "190": // Integer Overflow
+            case "190": // Integer Overflow or Wraparound
             case "200": // Exposure of Sensitive Information to Unauthorized Actor - When 500 errors
                 // are returned
             case "345": // Insufficient Verification of Data Authenticity
             case "359": // Exposure of Private Personal Information to an Unauthorized Actor
             case "436": // Interpretation Conflict
             case "525": // Browser caching sensitive data
-            case "541": // Inclusion of Sensitive Info in Include File
+            case "541": // Sensitive Info found in an Include File
             case "565": // Reliance on Cookies without Validation and Integrity Checking
             case "693": // Protection Mechanism Failure
             case "829": // Inclusion of Functionality from Untrusted Control Sphere (e.g., CDN)
@@ -210,7 +210,7 @@ static int mapCwe(String cwe) {
                 return Integer.parseInt(cwe); // Return the CWE anyway.
 
             default:
-                System.out.println("WARNING: Unmapped ZAP CWE encountered: " + cwe);
+                System.out.println("WARNING: No CWE mapping found for CWE: " + cwe);
                 return Integer.parseInt(cwe);
         }
     }

plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/CodeQLReader.java

@@ -19,7 +19,12 @@
  */
 package org.owasp.benchmarkutils.score.parsers.sarif;
 
+import org.json.JSONArray;
+import org.json.JSONException;
+import org.json.JSONObject;
 import org.owasp.benchmarkutils.score.CweNumber;
+import org.owasp.benchmarkutils.score.ResultFile;
+import org.owasp.benchmarkutils.score.TestSuiteResults;
 
 public class CodeQLReader extends SarifReader {
 
@@ -37,4 +42,43 @@ public int mapCwe(int cwe) {
         }
         return cwe;
     }
+
+    /**
+     * Override setVersion to include the version number of the 'codeql/java-queries' ruleset with
+     * the version of the tool. Since both the tool version and the ruleset version can seperately
+     * affect the codeQL score.
+     */
+    @Override
+    public void setVersion(ResultFile resultFile, TestSuiteResults testSuiteResults) {
+        JSONObject driver = toolDriver(firstRun(resultFile));
+
+        String version = "unknown";
+        if (driver.has("semanticVersion")) {
+            version = driver.getString("semanticVersion");
+        } else if (driver.has("version")) {
+            version = driver.getString("version");
+        }
+
+        // Search for codeql/java-queries ruleset version and add that to the tool version
+        try {
+            JSONArray extensions =
+                    firstRun(resultFile).getJSONObject("tool").getJSONArray("extensions");
+
+            for (int i = 0; i < extensions.length(); i++) {
+                JSONObject extension = extensions.getJSONObject(i);
+                String name = extension.getString("name");
+                if ("codeql/java-queries".equals(name)) {
+                    // looking for:
+                    // "semanticVersion": "1.1.9+de325133c7a95d84489acdf5a6ced07886ff5c6d",
+                    String rulesetVersion = extension.getString("semanticVersion");
+                    rulesetVersion = rulesetVersion.substring(0, rulesetVersion.indexOf('+'));
+                    version += "_w" + rulesetVersion + "rules";
+                }
+            }
+        } catch (JSONException e) {
+            // Do nothing it if can't be found.
+        }
+
+        testSuiteResults.setToolVersion(version);
+    }
 }

plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/ContrastScanReader.java

@@ -34,6 +34,7 @@ public ContrastScanReader() {
     public Map<String, Integer> customRuleCweMappings(JSONObject driver) {
         Map<String, Integer> ruleCweMap = new HashMap<>();
 
+        // The following are the ruleIds for Contrast scan for Java war/jar files
         ruleCweMap.put("unsafe-code-execution", CweNumber.COMMAND_INJECTION);
         ruleCweMap.put("cmd-injection", CweNumber.COMMAND_INJECTION);
         ruleCweMap.put("cookie-flags-missing", CweNumber.INSECURE_COOKIE);
@@ -43,19 +44,122 @@ public Map<String, Integer> customRuleCweMappings(JSONObject driver) {
         ruleCweMap.put("header-injection", CweNumber.HTTP_RESPONSE_SPLITTING);
         ruleCweMap.put("hql-injection", CweNumber.HIBERNATE_INJECTION);
         ruleCweMap.put("ldap-injection", CweNumber.LDAP_INJECTION);
+        ruleCweMap.put("log-injection", 117);
         ruleCweMap.put("nosql-injection", CweNumber.SQL_INJECTION);
         ruleCweMap.put("path-traversal", CweNumber.PATH_TRAVERSAL);
         ruleCweMap.put("reflected-xss", CweNumber.XSS);
+        ruleCweMap.put("reflection-injection", 470); // CWE-470 Unsafe Reflection
         ruleCweMap.put("sql-injection", CweNumber.SQL_INJECTION);
         ruleCweMap.put("trust-boundary-violation", CweNumber.TRUST_BOUNDARY_VIOLATION);
+        // CWE-111 Direct Use of Unsafe JNI
+        ruleCweMap.put("unmanaged-code-invocation", 111);
+        // CWE-770 Allocation of Resources Without Limits or Throttling
+        ruleCweMap.put("unsafe-readline", 770);
+        // CWE-601 URL Redirection to Untrusted Site (Open Redirect)
+        ruleCweMap.put("unvalidated-redirect", 601);
         ruleCweMap.put("xpath-injection", CweNumber.XPATH_INJECTION);
         ruleCweMap.put("xxe", CweNumber.XXE);
+        ruleCweMap.put("autocomplete-missing", 522); // CWE-522 Insufficiently Protected Creds
+
+        // The following are the ruleIds for Contrast scan for HTML source code files
+        // See HTML rules: https://docs.contrastsecurity.com/en/html-scan-rules.html
+        ruleCweMap.put(
+                "OPT.HTML.MissingPasswordFieldMasking",
+                549); // CWE-549 Missing Password Field Masking
+
+        // The following are the ruleIds for Contrast scan for Java source code files
+        // See Java rules: https://docs.contrastsecurity.com/en/java-scan-rules.html
+
+        // Don't access/modify java.security config objects (Policy, Security, Provider, Principal,
+        // KeyStore)
+        ruleCweMap.put("OPT.JAVA.EJB.DontModifyAccessSecurity", CweNumber.DONTCARE);
+        ruleCweMap.put("OPT.JAVA.RGS.CMP", 486); // Comparison of Classes by Name
+        // Java access restriction subverted by using reflection. (e.g., protected/private methods).
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.AccessibilitySubversionRule", 506); // Malicious Code
+        // CWE-111 Direct Use of Unsafe JNI
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.AvoidNativeCallsRule", 111);
+        // CWE-245: Direct Mgt of Connection
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.AvoidJ2EEDirectDatabaseConnection", 245);
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.AvoidJ2EEExplicitSocket", 246); // Direct Use of Sockets
+        ruleCweMap.put(
+                "OPT.JAVA.SEC_JAVA.AvoidJ2EEExplicitThreadManagement",
+                383); // Direct Use of Threads
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.AvoidJ2EEJvmExit", 382); // Use of System.exit()
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.AvoidJ2EELeftoverDebugCode", 489); // Active Debug Code
+        // CWE-502: Deserialization of Untrusted Data
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.CodeInjectionWithDeserializationRule", 502);
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.CodeInjectionRule", 94); // Code Injection
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.CommandInjectionRule", CweNumber.COMMAND_INJECTION);
+        // XHSM. No CWE
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.CrossSiteRequestForgeryRule", CweNumber.CSRF);
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.CrossSiteHistoryManipulation", CweNumber.DONTCARE);
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.CrossSiteScriptingRule", CweNumber.XSS);
+        // CWE-676: Use of Potentially Dangerous Function
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.ESAPIBannedRule", 676);
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.ExecutionAfterRedirect", 698); // Execution after Redirect
+        // CWE-134: Use of Externally-Controlled Format String
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.ExternalControlOfConfigurationSetting", 134);
+        // CWE-15: External Control of System or Configuration Setting
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.FormatStringInjectionRule", 15);
+        // CWE-321: Hard-coded Crypto Key
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.HardcodedCryptoKey", 321);
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.HardcodedUsernamePassword", 798); // Hardcoded Creds
+        // CWE-235: Improper Handling Extra Params
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.HttpParameterPollutionRule", 235);
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.HttpSplittingRule", 113); // HTTP Req/Resp Splitting
+        // Mapping InadequatePaddingRule to CWE-327 Weak Crypto, causes LOTS of False Positives
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.InadequatePaddingRule", CweNumber.DONTCARE);
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.InformationExposureThroughErrorMessage", 209);
+        // CWE-20: Improper Input Validation
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.InputPathNotCanonicalizedRule", 20);
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.InsecureRandomnessRule", CweNumber.WEAK_RANDOM);
+        // CWE-319: Cleartext transmission of sensitive data
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.InsecureTransport", 319);
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.LdapInjectionRule", CweNumber.LDAP_INJECTION);
+        // CWE-329: Generation of Predictable IV with CBC Mode
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.NonRandomIVWithCBCMode", 329);
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.OpenRedirectRule", 601); // CWE-601 Open Redirect
+        ruleCweMap.put(
+                "OPT.JAVA.SEC_JAVA.PasswordInCommentRule", 615); // Sensitive Info in Comments
+        ruleCweMap.put(
+                "OPT.JAVA.SEC_JAVA.PasswordInConfigurationFile", 256); // Plaintext Password Storage
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.PathTraversalRule", CweNumber.PATH_TRAVERSAL);
+        // CWE-315: Cleartext Storage of Sensitive Info in Cookie
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.PlaintextStorageInACookieRule", 315);
+        ruleCweMap.put(
+                "OPT.JAVA.SEC_JAVA.PlaintextStorageOfPassword", 256); // Plaintext Password Storage
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.PotentialInfiniteLoop", 835); // Infinite Loop
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.ProcessControlRule", 114); // Process Control
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.ServerSideRequestForgeryRule", 918); // SSRF
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.SqlInjectionRule", CweNumber.SQL_INJECTION);
+        ruleCweMap.put(
+                "OPT.JAVA.SEC_JAVA.TrustBoundaryViolationRule", CweNumber.TRUST_BOUNDARY_VIOLATION);
+        ruleCweMap.put(
+                "OPT.JAVA.SEC_JAVA.UnnormalizedInputString", 20); // Improper Input Validation
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.UnsafeCookieRule", 614); // No secure attribute
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.UnsafeReflection", 470); // Unsafe Reflection
+        // CWE-566: Authorization Bypass Thru User-Controlled SQL Primary Key
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.UserControlledSQLPrimaryKey", 566);
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.WeakCryptographicHashRule", CweNumber.WEAK_HASH_ALGO);
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.WeakEncryptionRule", CweNumber.WEAK_CRYPTO_ALGO);
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.WebXmlSecurityMisconfigurationsRule", CweNumber.DONTCARE);
+        ruleCweMap.put("OPT.JAVA.SEC_JAVA.XPathInjectionRule", CweNumber.XPATH_INJECTION);
 
         return ruleCweMap;
     }
 
     @Override
     public void setVersion(ResultFile resultFile, TestSuiteResults testSuiteResults) {
         // SARIF file contains several nulls as version, just ignoring it
+        // Instead, we use the 'version' to set the type of CodeSec scan. WAR, JAR, SAST, etc.
+        JSONObject firstrun = resultFile.json().getJSONArray("runs").getJSONObject(0);
+        String commandLine =
+                firstrun.getJSONArray("invocations").getJSONObject(0).getString("commandLine");
+
+        if (commandLine.contains("contrast-scan-java-cli")) {
+            if (commandLine.endsWith("jar")) testSuiteResults.setToolVersion("OfJAR");
+            else if (commandLine.endsWith("war")) testSuiteResults.setToolVersion("OfWAR");
+        } else if (commandLine.contains("sast-engine"))
+            testSuiteResults.setToolVersion("OfSourceCode");
     }
 }

plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SarifReader.java

@@ -63,11 +63,11 @@ private String sarifToolName(ResultFile resultFile) {
         return toolDriver(firstRun(resultFile)).getString("name");
     }
 
-    private static JSONObject firstRun(ResultFile resultFile) {
+    static JSONObject firstRun(ResultFile resultFile) {
         return resultFile.json().getJSONArray("runs").getJSONObject(0);
     }
 
-    private static JSONObject toolDriver(JSONObject run) {
+    static JSONObject toolDriver(JSONObject run) {
         return run.getJSONObject("tool").getJSONObject("driver");
     }
 
@@ -255,6 +255,7 @@ private TestCaseResult testCaseResultFor(JSONObject result, Map<String, Integer>
         int cwe = mappings.getOrDefault(ruleId, -1);
 
         if (cwe == -1) {
+            System.out.println("WARNING: No CWE mapping found for ruleID: " + ruleId);
             return null;
         }
 

plugin/src/main/java/org/owasp/benchmarkutils/score/report/ScatterHome.java

@@ -170,6 +170,7 @@ private void makeDataLabels(Set<Tool> tools, XYPlot xyplot) {
     }
 
     private static SecureRandom sr = new SecureRandom();
+
     // This method generates all the points put on the home page chart. One per tool.
     private HashMap<Point2D, String> makePointList(Set<Tool> tools) {
         HashMap<Point2D, String> map = new HashMap<Point2D, String>();

plugin/src/main/java/org/owasp/benchmarkutils/score/service/ExpectedResultsProvider.java

@@ -42,8 +42,8 @@ public class ExpectedResultsProvider {
     private static final String CWE = " cwe";
 
     private static final String SOURCE = " source";
-    private static final String DATA_FLOW = " vuln src";
-    private static final String SINK = " vuln df";
+    private static final String DATA_FLOW = " data flow";
+    private static final String SINK = " sink";
 
     private static boolean standardBenchmarkStyleScoring;
     private static TestSuiteResults expectedResults;