Determine the number of test cases per CWE in per CategoryGroup, if

enabled, and add a chart at the bottom of the CategoryGroup page which
lists the Test Case Counts for each CWE that have test cases in that
CategoryGroup.

Author: davewichers

plugin/src/main/java/org/owasp/benchmarkutils/helpers/CategoryGroup.java

@@ -19,6 +19,7 @@
 
 import java.util.HashMap;
 import java.util.Map;
+import java.util.Set;
 
 /*
  * This class contains a single vulnerability group. Each group has a set of associated CWEs, so the entire group can be scored in the same manner that an individual vulnerability category can be scored.
@@ -84,6 +85,15 @@ public CWE getCWE(int cweNum) {
         return this.cweToCategoryGroupMap.get(cweNum);
     }
 
+    /**
+     * Gets the list of all CWEs in this Category Group.
+     *
+     * @return The list of all CWEs in this Category Group.
+     */
+    public Set<Integer> getCWEs() {
+        return this.cweToCategoryGroupMap.keySet();
+    }
+
     public String toString() {
         return this.longname + "::" + this.abbreviation;
     }

plugin/src/main/java/org/owasp/benchmarkutils/score/BenchmarkScore.java

@@ -35,6 +35,7 @@
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
+import java.util.SortedMap;
 import java.util.TreeMap;
 import java.util.TreeSet;
 import org.apache.commons.io.FileUtils;
@@ -45,6 +46,7 @@
 import org.apache.maven.plugins.annotations.Parameter;
 import org.owasp.benchmarkutils.helpers.Categories;
 import org.owasp.benchmarkutils.helpers.Category;
+import org.owasp.benchmarkutils.helpers.CategoryGroup;
 import org.owasp.benchmarkutils.helpers.CategoryGroups;
 import org.owasp.benchmarkutils.helpers.Utils;
 import org.owasp.benchmarkutils.score.domain.TestSuiteName;
@@ -53,10 +55,12 @@
 import org.owasp.benchmarkutils.score.report.ScatterInterpretation;
 import org.owasp.benchmarkutils.score.report.ScatterVulns;
 import org.owasp.benchmarkutils.score.report.html.CommercialAveragesTable;
+import org.owasp.benchmarkutils.score.report.html.HtmlStringBuilder;
 import org.owasp.benchmarkutils.score.report.html.MenuUpdater;
 import org.owasp.benchmarkutils.score.report.html.OverallStatsTable;
 import org.owasp.benchmarkutils.score.report.html.ToolScorecard;
 import org.owasp.benchmarkutils.score.report.html.VulnerabilityStatsTable;
+import org.owasp.benchmarkutils.score.service.CountsPerCWE;
 import org.owasp.benchmarkutils.score.service.ExpectedResultsProvider;
 import org.owasp.benchmarkutils.score.service.ResultsFileCreator;
 
@@ -505,8 +509,6 @@ public static void main(String[] args) {
                         TESTSUITENAME,
                         TESTSUITEVERSION,
                         commercialAveragesTable,
-                        // commercialCategoryGroupAveragesTable, - DRW TODO - Needed? Have to turn
-                        // on commercial averages to test.
                         tools,
                         vulnSet,
                         catGroupsSet,
@@ -1080,6 +1082,18 @@ private static void generateVulnerabilityScorecards(
                                 config.report.html.precisionKeyEntry
                                         + config.report.html.fsCoreEntry);
 
+                // Add optional details of test cases per CWE included in a Category Group
+                html =
+                        html.replace(
+                                "${CategoryGroupDetailsTitle}",
+                                (useCategoryGroups
+                                        ? "<h2>Test Case Counts for CWEs Included in this Group</h2>"
+                                        : ""));
+                html =
+                        html.replace(
+                                "${CategoryGroupDetailsTable}",
+                                generateCategoryGroupDetailsTable(cat, useCategoryGroups));
+
                 Files.write(htmlFile.toPath(), html.getBytes());
 
                 // Only build commercial stats scorecard if there are 2+ commercial tools
@@ -1124,4 +1138,67 @@ private static void generateVulnerabilityScorecards(
             }
         } // end if commercialAveragesTable.hasEntries()
     }
+
+    private static String generateCategoryGroupDetailsTable(
+            String categoryGroup, boolean useCategoryGroups) {
+        if (!useCategoryGroups) return "";
+        HtmlStringBuilder htmlBuilder = new HtmlStringBuilder();
+
+        htmlBuilder.beginTable("table");
+
+        htmlBuilder.beginTr();
+        htmlBuilder.th("CWE");
+        htmlBuilder.th("Vulnerability Category");
+        htmlBuilder.th("TPs");
+        htmlBuilder.th("FPs");
+        htmlBuilder.th("Total");
+        htmlBuilder.endTr();
+
+        CategoryGroup currentGroup = CategoryGroups.getCategoryGroupByName(categoryGroup);
+        Set<Integer> cweList = currentGroup.getCWEs();
+
+        // Create a sorted list by Vuln Category name (e.g., Hard-coded Password) where there are
+        // testcases in a CWE in this CategoryGroup
+        SortedMap<String, Integer> sortedCWEList = new TreeMap<>();
+        for (int cwe : cweList) {
+            CountsPerCWE cweCounts = ExpectedResultsProvider.getTestcaseCountsForCWE(cwe);
+            if (cweCounts != null) {
+                Category cat = Categories.getCategoryByCWE(cwe);
+                sortedCWEList.put(cat.getName(), Integer.valueOf(cwe));
+            }
+        }
+
+        // Loop through sortedCWEList and add a row for each CWE with these details to the table
+        int totalTpCount = 0, totalFpCount = 0, totalCount = 0;
+        for (String vulnType : sortedCWEList.keySet()) {
+            Integer CWE = sortedCWEList.get(vulnType);
+            CountsPerCWE cweCounts = ExpectedResultsProvider.getTestcaseCountsForCWE(CWE);
+            htmlBuilder.beginTr();
+            htmlBuilder.td(CWE);
+            htmlBuilder.td(vulnType);
+            int tpCountForCWE = cweCounts.getTPCount();
+            totalTpCount += tpCountForCWE;
+            htmlBuilder.td(tpCountForCWE);
+            int fpCountForCWE = cweCounts.getFPCount();
+            totalFpCount += fpCountForCWE;
+            htmlBuilder.td(fpCountForCWE);
+            int countTotalForCWE = tpCountForCWE + fpCountForCWE;
+            totalCount += countTotalForCWE;
+            htmlBuilder.td(countTotalForCWE);
+            htmlBuilder.endTr();
+        }
+
+        // And final total row
+        htmlBuilder.beginTr();
+        htmlBuilder.td("<b>Grand Total</b>");
+        htmlBuilder.td("");
+        htmlBuilder.td("<b>" + totalTpCount + "</b>");
+        htmlBuilder.td("<b>" + totalFpCount + "</b>");
+        htmlBuilder.td("<b>" + totalCount + "</b>");
+        htmlBuilder.endTr();
+
+        htmlBuilder.endTable();
+
+        return htmlBuilder.toString();
+    }
 }

plugin/src/main/java/org/owasp/benchmarkutils/score/TestCaseResult.java

@@ -260,22 +260,6 @@ public CategoryGroup getCategoryGroup() {
         return this.categoryGroup;
     }
 
-    /**
-     * This method is used to abstract away how filenames are matched against a test case, that way
-     * it can be enhanced to support different test suite formats, and the logic on how to do this
-     * isn't implemented in every individual parser. This method expects that
-     * ExpectedResultsProvider.getExpectedResults().isTestCaseFile(filename) was called first to
-     * verify this file is a test case in the test suite being scored. It sets the CWE number and
-     * the test case name in this TestCaseResult if successful. It halts with an error if the
-     * supplied filename is not a valid test case.
-     *
-     * @param cwe The CWE # reported by this tool.
-     * @param filename The filename that might be a test case.
-     *     <p>public void setCWEAndTestCaseID(int cwe, String filename) { if
-     *     (ExpectedResultsProvider.getExpectedResults().isTestCaseFile(filename)) { // DRW FIXME:TODO -
-     *     Not implemented yet. Maybe just delete? } }
-     */
-
     /**
      * The CWE category name, e.g., pathtraver, hash, cmdi, etc.
      *
@@ -349,9 +333,5 @@ public String toString() {
                 + getCWE()
                 + ", toolPassed: "
                 + isPassed();
-        /*                + ", evidence: "
-                        + getEvidence()
-                        + ", confidence: "
-                        + getConfidence();
-        */ }
+    }
 }

plugin/src/main/java/org/owasp/benchmarkutils/score/service/CountsPerCWE.java

@@ -0,0 +1,37 @@
+/**
+ * OWASP Benchmark Project
+ *
+ * <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For
+ * details, please see <a
+ * href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
+ *
+ * <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ * <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * @author Dave Wichers
+ * @created 2025
+ */
+
+/**
+ * Instances of this class are used to keep track of the number True and False Positives for a CWE
+ * in the expectedresults file.
+ */
+package org.owasp.benchmarkutils.score.service;
+
+public class CountsPerCWE {
+
+    int truePositiveCount;
+    int falsePositiveCount;
+
+    public int getTPCount() {
+        return truePositiveCount;
+    }
+
+    public int getFPCount() {
+        return truePositiveCount;
+    }
+}

plugin/src/main/java/org/owasp/benchmarkutils/score/service/ExpectedResultsProvider.java

@@ -21,11 +21,14 @@
 import static java.lang.Integer.parseInt;
 
 import java.io.IOException;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 import java.util.Optional;
 import org.apache.commons.csv.CSVParser;
 import org.apache.commons.csv.CSVRecord;
 import org.owasp.benchmarkutils.helpers.Categories;
+import org.owasp.benchmarkutils.helpers.CategoryGroups;
 import org.owasp.benchmarkutils.score.BenchmarkScore;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestCaseResult;
@@ -49,6 +52,11 @@ public class ExpectedResultsProvider {
     private static boolean standardBenchmarkStyleScoring;
     private static TestSuiteResults expectedResults;
 
+    // If Category Groups are enabled, this map keeps counts of the # of TP and FP test cases per
+    // CWE
+    private static final Map<String, CountsPerCWE> testcaseCountsPerCWE =
+            new HashMap<String, CountsPerCWE>();
+
     public static TestSuiteResults parse(ResultFile resultFile) throws IOException {
         TestSuiteResults tr = new TestSuiteResults("Expected", true, null);
 
@@ -57,9 +65,6 @@ public static TestSuiteResults parse(ResultFile resultFile) throws IOException {
             List<CSVRecord> allExpectedResults = parser.getRecords();
 
             CSVRecord firstRecord = allExpectedResults.get(0);
-            // setExpectedResultsMetadata() has side effect of setting
-            // BenchmarkScore.TESTSUITENAME, BenchmarkScore.TESTCASENAME, and
-            // ExpectedResultsProvider.standardBenchmarkStyleScoring
             setExpectedResultsMetadata(parser, firstRecord, tr);
 
             // Parse all the expected results
@@ -68,11 +73,11 @@ public static TestSuiteResults parse(ResultFile resultFile) throws IOException {
 
                 String testCaseFileName = record.get(TEST_NAME);
                 tcr.setTestCaseName(testCaseFileName);
-                //                tcr.setCategory(record.get(CATEGORY));
-                tcr.setTruePositive(parseBoolean(record.get(REAL_VULNERABILITY)));
-                int cwe = parseInt(record.get(CWE));
+                boolean truePositive = parseBoolean(record.get(REAL_VULNERABILITY));
+                tcr.setTruePositive(truePositive);
+                String cweNumber = record.get(CWE);
+                int cwe = parseInt(cweNumber);
                 tcr.setCWE(cwe);
-                //                tcr.setNumber(testNumber(record.get(TEST_NAME), testCaseName));
 
                 if (TestCaseResult.UNMAPPED_CATEGORY.equals(tcr.getCategory())) {
                     System.out.println(
@@ -102,6 +107,20 @@ public static TestSuiteResults parse(ResultFile resultFile) throws IOException {
                 }
 
                 tr.put(tcr);
+
+                // Add this test case to the testcaseCountsPerCWE Map, if CategoryGroups enabled
+                if (CategoryGroups.isCategoryGroupsEnabled()) {
+                    CountsPerCWE cweCounts = testcaseCountsPerCWE.get(cweNumber);
+                    if (cweCounts == null) {
+                        cweCounts = new CountsPerCWE();
+                        if (truePositive) cweCounts.truePositiveCount = 1;
+                        else cweCounts.falsePositiveCount = 1;
+                        testcaseCountsPerCWE.put(cweNumber, cweCounts);
+                    } else {
+                        if (truePositive) cweCounts.truePositiveCount++;
+                        else cweCounts.falsePositiveCount++;
+                    }
+                }
             }
         }
 
@@ -182,4 +201,16 @@ private static void setExpectedResultsMetadata(
     private static boolean isExtendedResultsFile(CSVParser parser) {
         return parser.getHeaderNames().contains(SOURCE);
     }
+
+    /**
+     * Gets the number of True Positive and/or False Positive test cases in this test suite for the
+     * specified CWE number.
+     *
+     * @param cweNumber The CWE number to look for
+     * @return The Counts for that CWE, or null if there are no test cases for this CWE in this test
+     *     suite
+     */
+    public static CountsPerCWE getTestcaseCountsForCWE(int cwe) {
+        return testcaseCountsPerCWE.get(Integer.toString(cwe));
+    }
 }

plugin/src/main/resources/scorecard/vulntemplate.html

@@ -62,6 +62,7 @@ <h2>Detailed Results Per Tool for ${vulnerability}</h2>
             ${table}
 
             <p />
+            ${CategoryGroupDetailsTitle} ${CategoryGroupDetailsTable}
             <p />
 
             <h2>Key</h2>