fix SonarQube mapping for rule java:S4790 (#156)

darkspirit510 · web-flow · commit a76ceca68488 · 2025-02-05T18:15:55.000-05:00
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SonarQubeReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SonarQubeReader.java
@@ -516,8 +516,8 @@ public static int cweLookup(String squidNumber) {
                 // with secure mode and padding scheme
             case "S5547":
             case "S4790":
-                return CweNumber
-                        .WEAK_CRYPTO_ALGO; // Benchmark Vuln: Cipher algorithms should be robust
+                // Using weak hashing algorithms is security-sensitive
+                return CweNumber.WEAK_HASH_ALGO;
             case "S3330":
                 return CweNumber.COOKIE_WITHOUT_HTTPONLY;
 
diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/SonarQubeJsonReaderTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/SonarQubeJsonReaderTest.java
@@ -78,6 +78,6 @@ void readerHandlesGivenV25ResultFile() throws Exception {
         assertEquals(2, result.getTotalResults());
 
         assertEquals(CweNumber.SQL_INJECTION, result.get(1).get(0).getCWE());
-        assertEquals(CweNumber.WEAK_CRYPTO_ALGO, result.get(2).get(0).getCWE());
+        assertEquals(CweNumber.WEAK_HASH_ALGO, result.get(2).get(0).getCWE());
     }
 }
diff --git a/plugin/src/test/resources/testfiles/Benchmark_sonarqube-v25.1.0.102122.json b/plugin/src/test/resources/testfiles/Benchmark_sonarqube-v25.1.0.102122.json
@@ -20,29 +20,29 @@
       "line": 57,
       "description": "Formatting SQL queries is security-sensitive",
       "message": "Make sure using a dynamically formatted SQL query is safe here.",
-      "key": "e1518810-c118-4cad-ae23-f337cf913d65"
+      "key": "11111111-1111-1111-1111-111111111111"
     },
     {
-      "rule": "java:S5547",
-      "severity": "CRITICAL",
-      "status": "OPEN",
+      "rule": "java:S4790",
+      "severity": "MINOR",
+      "status": "TO_REVIEW",
       "component": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00002.java",
-      "line": 72,
-      "description": "Cipher algorithms should be robust",
-      "message": "Use a strong cipher algorithm.",
-      "key": "ffecce86-2afe-4fe3-b5b2-f06e24d549db"
+      "line": 50,
+      "description": "Using weak hashing algorithms is security-sensitive",
+      "message": "Make sure this weak hash algorithm is not used in a sensitive context here.",
+      "key": "22222222-2222-2222-2222-222222222222"
     }
   ],
   "hotspotKeys": [
-    "9012d4af-be33-4e0d-8c68-705d8fef08c4",
-    "0c0fbd12-b778-44b8-a0f6-dbfa9afc0872"
+    "11111111-1111-1111-1111-111111111111",
+    "22222222-2222-2222-2222-222222222222"
   ],
   "deltaAnalysis": "No",
   "qualityGateStatus": false,
   "summary": {
     "blocker": 0,
-    "critical": 1015,
-    "major": 3072,
-    "minor": 6613
+    "critical": 1,
+    "major": 2,
+    "minor": 3
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -78,6 +78,6 @@ void readerHandlesGivenV25ResultFile() throws Exception {`
`78`	`78`	`assertEquals(2, result.getTotalResults());`
`79`	`79`
`80`	`80`	`assertEquals(CweNumber.SQL_INJECTION, result.get(1).get(0).getCWE());`
`81`		`- assertEquals(CweNumber.WEAK_CRYPTO_ALGO, result.get(2).get(0).getCWE());`
	`81`	`+ assertEquals(CweNumber.WEAK_HASH_ALGO, result.get(2).get(0).getCWE());`
`82`	`82`	`}`
`83`	`83`	`}`