Merge commit 'refs/pull/136/head' of https://github.com/OWASP-Benchmark/BenchmarkUtils into generalizeScoring

Author: Dave Wichers

plugin/pom.xml

@@ -47,7 +47,7 @@
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
-            <version>33.3.0-jre</version>
+            <version>33.3.1-jre</version>
         </dependency>
 
         <dependency>
@@ -65,7 +65,7 @@
         <dependency>
             <groupId>commons-io</groupId>
             <artifactId>commons-io</artifactId>
-            <version>2.16.1</version>
+            <version>2.17.0</version>
         </dependency>
 
         <dependency>
@@ -77,25 +77,25 @@
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-csv</artifactId>
-            <version>1.11.0</version>
+            <version>1.12.0</version>
         </dependency>
 
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-lang3</artifactId>
-            <version>3.16.0</version>
+            <version>3.17.0</version>
         </dependency>
 
         <dependency>
             <groupId>org.apache.httpcomponents.client5</groupId>
             <artifactId>httpclient5</artifactId>
-            <version>5.3.1</version>
+            <version>5.4.1</version>
         </dependency>
 
         <dependency>
             <groupId>org.apache.httpcomponents.core5</groupId>
             <artifactId>httpcore5</artifactId>
-            <version>5.2.5</version>
+            <version>5.3.1</version>
         </dependency>
 
         <dependency>
@@ -108,7 +108,7 @@
         <dependency>
             <groupId>org.apache.maven.plugin-tools</groupId>
             <artifactId>maven-plugin-annotations</artifactId>
-            <version>3.15.0</version>
+            <version>3.15.1</version>
             <scope>provided</scope>
         </dependency>
 
@@ -140,7 +140,7 @@
         <dependency>
             <groupId>org.yaml</groupId>
             <artifactId>snakeyaml</artifactId>
-            <version>2.2</version>
+            <version>2.3</version>
         </dependency>
 
         <!-- The following dependency might be an upgrade/replacement for jaxb.xml.bind.JAXBContext,
@@ -192,10 +192,10 @@
     </build>
 
     <properties>
-        <version.fasterxml.jackson>2.17.2</version.fasterxml.jackson>
+        <version.fasterxml.jackson>2.18.1</version.fasterxml.jackson>
         <!-- 3.0.3+ version of eclipse.persistence requires jakarta.xml.bind instead of jaxb -->
         <version.eclipse.persistence>2.7.15</version.eclipse.persistence>
-        <version.junit.jupiter>5.11.0</version.junit.jupiter>
+        <version.junit.jupiter>5.11.3</version.junit.jupiter>
     </properties>
 
 </project>

plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Reader.java

@@ -32,6 +32,7 @@
 import org.owasp.benchmarkutils.score.parsers.sarif.CodeQLReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.ContrastScanReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.DatadogSastReader;
+import org.owasp.benchmarkutils.score.parsers.sarif.PTAIReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.PrecautionReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.SemgrepSarifReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.SnykReader;
@@ -90,6 +91,7 @@ public static List<Reader> allReaders() {
                 new ParasoftReader(),
                 new PrecautionReader(),
                 new PMDReader(),
+                new PTAIReader(),
                 new QualysWASReader(),
                 new Rapid7Reader(),
                 new ReshiftReader(),

plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/PTAIReader.java

@@ -0,0 +1,64 @@
+/**
+ * OWASP Benchmark Project
+ *
+ * <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For
+ * details, please see <a
+ * href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
+ *
+ * <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ * <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * @author Alexey Zhukov
+ * @created 2024
+ */
+package org.owasp.benchmarkutils.score.parsers.sarif;
+
+import org.owasp.benchmarkutils.score.CweNumber;
+import org.owasp.benchmarkutils.score.ResultFile;
+import org.owasp.benchmarkutils.score.TestSuiteResults;
+
+public class PTAIReader extends SarifReader {
+
+    static final int PTAI_CWE_EXTERNAL_FILEPATH_CONTROL = 73;
+    static final int PTAI_CWE_BLIND_XPATH_INJECTION = 91;
+
+    static final String EXPECTED_TOOL_NAME = "Positive Technologies Application Inspector";
+    static final String SHORTENED_TOOL_NAME = "PT Application Inspector";
+
+    public PTAIReader() {
+        super(EXPECTED_TOOL_NAME, true, CweSourceType.FIELD);
+    }
+
+    @Override
+    public String toolName(ResultFile resultFile) {
+        return SHORTENED_TOOL_NAME;
+    }
+
+    /**
+     * SARIF report tool version field is too long as it contains build number. Shorten it to X.Y.Z
+     */
+    @Override
+    public void setVersion(ResultFile resultFile, TestSuiteResults testSuiteResults) {
+        super.setVersion(resultFile, testSuiteResults);
+        String version = testSuiteResults.getToolVersion();
+        String[] versionItems = version.split("\\.");
+        if (versionItems.length < 4) return;
+        testSuiteResults.setToolVersion(
+                String.format("%s.%s.%s", versionItems[0], versionItems[1], versionItems[2]));
+    }
+
+    @Override
+    public int mapCwe(int cwe) {
+        switch (cwe) {
+            case PTAI_CWE_EXTERNAL_FILEPATH_CONTROL:
+                return CweNumber.PATH_TRAVERSAL;
+            case PTAI_CWE_BLIND_XPATH_INJECTION:
+                return CweNumber.XPATH_INJECTION;
+        }
+        return cwe;
+    }
+}

plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/PTAIReaderTest.java

@@ -0,0 +1,57 @@
+/**
+ * OWASP Benchmark Project
+ *
+ * <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For
+ * details, please see <a
+ * href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
+ *
+ * <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ * <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * @author Alexey Zhukov
+ * @created 2024
+ */
+package org.owasp.benchmarkutils.score.parsers.sarif;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.owasp.benchmarkutils.score.*;
+import org.owasp.benchmarkutils.score.parsers.ReaderTestBase;
+
+public class PTAIReaderTest extends ReaderTestBase {
+
+    private ResultFile resultFile;
+
+    @BeforeEach
+    void setUp() {
+        resultFile = TestHelper.resultFileOf("testfiles/Benchmark_PTAI-v4.7.2.sarif");
+        BenchmarkScore.TESTCASENAME = "BenchmarkTest";
+    }
+
+    @Test
+    public void onlyPTAIReaderTestReportsCanReadAsTrue() {
+        assertOnlyMatcherClassIs(this.resultFile, PTAIReader.class);
+    }
+
+    @Test
+    void readerHandlesGivenResultFile() throws Exception {
+        PTAIReader reader = new PTAIReader();
+        TestSuiteResults result = reader.parse(resultFile);
+
+        assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType());
+
+        assertEquals("PT Application Inspector", result.getToolName());
+        assertEquals("4.7.2", result.getToolVersion());
+
+        assertEquals(2, result.getTotalResults());
+
+        assertEquals(CweNumber.PATH_TRAVERSAL, result.get(1).get(0).getCWE());
+        assertEquals(CweNumber.SQL_INJECTION, result.get(8).get(0).getCWE());
+    }
+}

plugin/src/test/resources/testfiles/Benchmark_PTAI-v4.7.2.sarif

@@ -0,0 +1,104 @@
+{
+  "version": "2.1.0",
+  "$schema": "http://json.schemastore.org/sarif-2.1.0.json",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "Positive Technologies Application Inspector",
+          "version": "4.7.2.36549",
+          "organization": "Positive Technologies",
+          "informationUri": "https://www.ptsecurity.com/ww-en/products/ai/",
+          "rules": [
+            {
+              "id": "SQL Injection",
+              "name": "SQL Injection",
+              "properties": {
+                "cwe": [
+                  "CWE-89"
+                ]
+              },
+              "defaultConfiguration": {
+                "level": "error",
+                "enabled": true
+              },
+              "messageStrings": {
+                "default": {
+                  "text": "SQL Injection"
+                }
+              }
+            },
+            {
+              "id": "Arbitrary File Reading",
+              "name": "Arbitrary File Reading",
+              "properties": {
+                "cwe": [
+                  "CWE-73"
+                ]
+              },
+              "defaultConfiguration": {
+                "level": "error",
+                "enabled": true
+              },
+              "messageStrings": {
+                "default": {
+                  "text": "Arbitrary File Reading"
+                }
+              }
+            }
+          ]
+        }
+      },
+      "results": [
+        {
+          "ruleId": "Arbitrary File Reading",
+          "suppressions": [
+          ],
+          "message": {
+            "id": "default",
+            "text": "Arbitrary File Reading"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "./src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java"
+                },
+                "region": {
+                  "startLine": 71,
+                  "snippet": {
+                    "text": "new java.io.FileInputStream(new java.io.File(fileName))"
+                  }
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "SQL Injection",
+          "suppressions": [
+          ],
+          "message": {
+            "id": "default",
+            "text": "SQL Injection"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "./src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00008.java"
+                },
+                "region": {
+                  "startLine": 57,
+                  "snippet": {
+                    "text": "connection.prepareCall(sql)"
+                  }
+                }
+              }
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}

pom.xml

@@ -48,12 +48,12 @@
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-dependency-plugin</artifactId>
-                    <version>3.8.0</version>
+                    <version>3.8.1</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-plugin-plugin</artifactId>
-                    <version>3.15.0</version>
+                    <version>3.15.1</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
@@ -122,7 +122,7 @@
                     <dependency>
                         <groupId>org.codehaus.mojo</groupId>
                         <artifactId>extra-enforcer-rules</artifactId>
-                        <version>1.8.0</version>
+                        <version>1.9.0</version>
                     </dependency>
                 </dependencies>
                 <executions>
@@ -173,13 +173,13 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-jxr-plugin</artifactId>
-                <version>3.5.0</version>
+                <version>3.6.0</version>
             </plugin>
 
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-project-info-reports-plugin</artifactId>
-                <version>3.7.0</version>
+                <version>3.8.0</version>
             </plugin>
 
             <plugin>
@@ -206,13 +206,13 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
-                <version>3.5.0</version>
+                <version>3.5.2</version>
             </plugin>
 
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>versions-maven-plugin</artifactId>
-                <version>2.17.1</version>
+                <version>2.18.0</version>
             </plugin>
 
             <plugin>
@@ -358,7 +358,7 @@
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <java.target>11</java.target>
         <log.directory>${project.build.directory}/log</log.directory>
-        <version.fluido>2.0.0-M10</version.fluido>
+        <version.fluido>2.0.0</version.fluido>
     </properties>
 
 </project>