Fix the scatterchart statistics in the right column on the Vulnerabilities and Category Groups pages,

fix the menu name for the ToolsByGrp commercial average link, fix some
of the test cases now that stats are calculated 0-100, rather than 0-1.
Add a CWE column to the Tools CommercialAverages page table and fix the
associated test cases.

Author: davewichers

library/src/main/java/org/owasp/benchmarkutils/helpers/Categories.java

@@ -313,6 +313,27 @@ private void load(InputStream xmlFileStream)
         this.allCategories = allCategories;
     }
 
+    /**
+     * Look up the CWE associated with the supplied vulnerability category long name.
+     *
+     * @param name The category name to look up the CWE for. E.g., Command Injection.
+     * @return the associated CWE.
+     */
+    public static int getCWEByName(String name) {
+        String lowerName = name.toLowerCase(); // The Map uses lowercase names
+        if (_instance == null) {
+            throw new NullPointerException("ERROR: Categories singleton not initialized");
+        }
+        if (_instance.nameToCategoryMap.get(lowerName) == null) {
+            System.err.println(
+                    "ERROR: No matching Category found for name: '"
+                            + name
+                            + "' provided to method: getCWEByName()");
+            return -1;
+        }
+        return _instance.nameToCategoryMap.get(lowerName).getCWE();
+    }
+
     // NOTE: All these methods return the actual internal objects so COULD be modified by the caller
     // causing unexpected side effects.
 

plugin/src/main/java/org/owasp/benchmarkutils/score/BenchmarkScore.java

@@ -1099,7 +1099,7 @@ private static void generateVulnerabilityScorecards(
                         Paths.get(
                                 scoreCardDir.getAbsolutePath()
                                         + File.separator
-                                        + commercialAveragesTable.filename());
+                                        + commercialAveragesTable.filename(useCategoryGroups));
                 // Resources in a jar file have to be loaded as streams, not directly as Files.
                 InputStream vulnTemplateStream =
                         CL.getResourceAsStream(scoreCardDir + "/commercialAveTemplate.html");

plugin/src/main/java/org/owasp/benchmarkutils/score/TestCaseResult.java

@@ -271,12 +271,10 @@ public CategoryGroup getCategoryGroup() {
      *
      * @param cwe The CWE # reported by this tool.
      * @param filename The filename that might be a test case.
+     *     <p>public void setCWEAndTestCaseID(int cwe, String filename) { if
+     *     (ExpectedResultsProvider.getExpectedResults().isTestCaseFile(filename)) { // DRW FIXME:TODO -
+     *     Not implemented yet. Maybe just delete? } }
      */
-    public void setCWEAndTestCaseID(int cwe, String filename) {
-        if (ExpectedResultsProvider.getExpectedResults().isTestCaseFile(filename)) {
-            // DRW TODO
-        }
-    }
 
     /**
      * The CWE category name, e.g., pathtraver, hash, cmdi, etc.

plugin/src/main/java/org/owasp/benchmarkutils/score/report/ScatterVulns.java

@@ -445,9 +445,9 @@ private void makeLegend(
 
                 this.commercialToolCount++;
                 this.overallToolCount++;
-                double score = categoryMetrics.score * 100;
-                double tpr = categoryMetrics.truePositiveRate * 100;
-                double fpr = categoryMetrics.falsePositiveRate * 100;
+                double score = categoryMetrics.score;
+                double tpr = categoryMetrics.truePositiveRate;
+                double fpr = categoryMetrics.falsePositiveRate;
                 // don't show the commercial tool results if in 'show ave only mode'
                 if (!BenchmarkScore.config.showAveOnlyMode) {
                     // Special hack to make it line up better if the letter is an 'I' or 'i'
@@ -463,16 +463,16 @@ private void makeLegend(
                             i,
                             label,
                             tool.getToolNameAndVersion(),
-                            toolMetrics.getTruePositiveRate(),
-                            toolMetrics.getFalsePositiveRate());
+                            tpr,
+                            fpr);
 
                     i++; // increment the location of the label
                     // Weak hack if more than 26 tools scored. This will only get us to 52
                     if (ch == 'Z') ch = 'a';
                     else ch++;
                 }
                 commercialTotalScore += score;
-                commercialTotalPrecision += categoryMetrics.precision * 100;
+                commercialTotalPrecision += categoryMetrics.precision;
                 commercialTotalTPR += tpr;
                 commercialTotalFPR += fpr;
 
@@ -536,8 +536,8 @@ private void makeLegend(
                     i,
                     ch + ": ",
                     "Commercial Average",
-                    commercialAveTPR / 100,
-                    commercialAveFPR / 100);
+                    commercialAveTPR,
+                    commercialAveFPR);
 
             Point2D averagePoint =
                     new Point2D.Double(aveFalsePosRates * 100, aveTruePosRates * 100);

plugin/src/main/java/org/owasp/benchmarkutils/score/report/ToolReport.java

@@ -122,7 +122,7 @@ public String generateHtml(
         return html;
     }
 
-    /** Generate a Detailed results table for whatever tool's results are passed in. */
+    // Generate a Detailed results table for whatever tool's results are passed in.
     private static String generateDetailedResultsTableForTool(
             Tool tool,
             Map<String, CategoryMetrics> overallAveToolMetrics,
@@ -183,7 +183,8 @@ private static String generateDetailedResultsTableForTool(
             else if (categoryMetrics.truePositiveRate > .7
                     && categoryMetrics.falsePositiveRate < .3) style = "class=\"success\"";
 
-            // We use a lineBuff so we can sort the lines in different ways before output the table
+            // We use a lineBuff so we can sort the lines in different ways before outputting the
+            // table
             StringBuffer lineBuff = new StringBuffer();
             lineBuff.append("<tr " + style + ">");
             if (CategoryGroups.isCategoryGroupsEnabled()) {
@@ -224,7 +225,7 @@ else if (categoryMetrics.truePositiveRate > .7
                 // default value hard spaces equal to triangle width
                 String precisionBonus = "&nbsp;&nbsp;&nbsp;&nbsp;";
                 // r.precision has range 0-1, but currentCategoryMetrics.precision is 1 to 100.
-                // FIXME: Fix precision calculations so they are the same units
+                // FIXME: Fix r.precision calculations so they are the same units
                 double precisionDiff =
                         100 * categoryMetrics.precision - currentCategoryMetrics.precision;
                 if (precisionDiff >= 5)
@@ -257,6 +258,7 @@ else if (fscoreDiff <= -5) {
                 // default value hard spaces equal to triangle width
                 recallBonus = "&nbsp;&nbsp;&nbsp;&nbsp;";
                 // FIXME: Fix truePositiveRate calculations so they are the same units
+                // Note: This might be done already.
                 double recallDiff =
                         100 * categoryMetrics.truePositiveRate
                                 - currentCategoryMetrics.truePositiveRate;

plugin/src/main/java/org/owasp/benchmarkutils/score/report/html/CommercialAveragesTable.java

@@ -22,6 +22,7 @@
 
 import java.util.ArrayList;
 import java.util.List;
+import org.owasp.benchmarkutils.helpers.Categories;
 import org.owasp.benchmarkutils.score.domain.TestSuiteName;
 import org.owasp.benchmarkutils.score.report.ScatterVulns;
 
@@ -70,7 +71,10 @@ private int commercialToolTotal() {
     private void addHeaderTo(HtmlStringBuilder htmlBuilder) {
         htmlBuilder.beginTr();
         if (this.useCategoryGroups) htmlBuilder.th("Category Group");
-        else htmlBuilder.th("Vulnerability Category");
+        else {
+            htmlBuilder.th(50, "CWE");
+            htmlBuilder.th("Vulnerability Category");
+        }
         htmlBuilder.th("Low Tool Type");
         htmlBuilder.th("Low Score");
         htmlBuilder.th("Ave Score");
@@ -81,14 +85,21 @@ private void addHeaderTo(HtmlStringBuilder htmlBuilder) {
 
     private void appendRowTo(HtmlStringBuilder htmlBuilder, ScatterVulns scatter) {
         htmlBuilder.beginTr();
+        if (!this.useCategoryGroups) htmlBuilder.td(Categories.getCWEByName(scatter.CATEGORY));
         htmlBuilder.td(scatter.CATEGORY);
         htmlBuilder.td(scatter.getCommercialLowToolType() + "");
 
         htmlBuilder.td(scatter.getCommercialLow(), cssClassFor(scatter.getCommercialLow()));
         htmlBuilder.td(scatter.getCommercialAve());
 
         htmlBuilder.td(scatter.getCommercialHigh(), cssClassFor(scatter.getCommercialHigh()));
-        htmlBuilder.td(scatter.getCommercialHighToolType() + "");
+        // If no tools score above 0 in a category, the High type is null, so set it equal to the
+        // low type since they are all zero
+        if (scatter.getCommercialHighToolType() != null) {
+            htmlBuilder.td(scatter.getCommercialHighToolType() + "");
+        } else {
+            htmlBuilder.td(scatter.getCommercialLowToolType() + "");
+        }
         htmlBuilder.endTr();
     }
 
@@ -106,6 +117,7 @@ private static String cssClassFor(int commercialLow) {
 
     private void addFooterTo(HtmlStringBuilder htmlBuilder) {
         htmlBuilder.beginTr();
+        if (!this.useCategoryGroups) htmlBuilder.td("");
         htmlBuilder.td("Average across all categories for " + commercialToolTotal() + " tools");
         htmlBuilder.td("");
         htmlBuilder.td(
@@ -139,10 +151,10 @@ public boolean hasEntries() {
         return !entries.isEmpty();
     }
 
-    public String filename() {
+    public String filename(boolean forCategoryGroups) {
         return format(
                 "{0}_v{1}_Scorecard_for_Commercial_Tools"
-                        + (this.useCategoryGroups ? "_CategoryGroups" : "")
+                        + (forCategoryGroups ? "_CategoryGroups" : "")
                         + ".html",
                 testSuiteName.simpleName(),
                 testSuiteVersion);

plugin/src/main/java/org/owasp/benchmarkutils/score/report/html/HtmlStringBuilder.java

@@ -59,6 +59,19 @@ public HtmlStringBuilder th(String content) {
         return this;
     }
 
+    /**
+     * Define header with fixed width in pixels
+     *
+     * @param width
+     * @param content
+     * @return The specified HTML column header
+     */
+    public HtmlStringBuilder th(int width, String content) {
+        sb.append("<th style=\"width: " + width + "px;\">").append(content).append("</th>");
+
+        return this;
+    }
+
     public HtmlStringBuilder th(long content) {
         sb.append("<th>").append(content).append("</th>");
 

plugin/src/main/java/org/owasp/benchmarkutils/score/report/html/MenuUpdater.java

@@ -97,7 +97,7 @@ private String toolMenu() {
                 .forEach(tool -> sb.append(toolMenuEntry(tool, false)));
 
         if (commercialAveragesTable.hasEntries()) {
-            sb.append(commercialAveragesMenuEntry());
+            sb.append(commercialAveragesMenuEntry(false));
         }
 
         return sb.toString();
@@ -111,9 +111,8 @@ private String toolCatalogGroupsMenu() {
                     .filter(tool -> !(config.showAveOnlyMode && tool.isCommercial()))
                     .forEach(tool -> sb.append(toolMenuEntry(tool, true)));
 
-            // DRW TODO2: Need to test this for CatagoryGroups
             if (commercialAveragesTable.hasEntries()) {
-                sb.append(commercialAveragesMenuEntry());
+                sb.append(commercialAveragesMenuEntry(true));
             }
         }
         return sb.toString();
@@ -127,10 +126,10 @@ private String toolMenuEntry(Tool tool, boolean forCategoryGroups) {
                 System.lineSeparator());
     }
 
-    private String commercialAveragesMenuEntry() {
+    private String commercialAveragesMenuEntry(boolean forCategoryGroups) {
         return format(
                 "<li><a href=\"{0}\">Commercial Average</a></li>{1}",
-                commercialAveragesTable.filename(), System.lineSeparator());
+                commercialAveragesTable.filename(forCategoryGroups), System.lineSeparator());
     }
 
     private String vulnerabilityMenu() {