Minor updates to CodeSonar for C# and to Fortify for C/C++
1 parent 8b965e2 commit c3805eb

2 files changed

+116
-53
lines changed


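--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FortifyReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FortifyReader.java
@@ -24,7 +24,6 @@
 import java.util.List;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
-import org.owasp.benchmarkutils.score.BenchmarkScore;
 import org.owasp.benchmarkutils.score.CweNumber;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestCaseResult;
@@ -154,21 +153,22 @@ public static String parseTime(String filename) {
 private static TestCaseResult parseFortifyVulnerability(Node vuln) {
 TestCaseResult tcr = new TestCaseResult();
 
+// Get the vulnerability type and subtype, if specified
 Node ci = getNamedNode("ClassInfo", vuln.getChildNodes());
 Node type = getNamedNode("Type", ci.getChildNodes());
 String vulnType = type.getTextContent();
 
-// We grab this as sometimes we need to dig into this to verify the details of an issue
-Node ai = getNamedNode("AnalysisInfo", vuln.getChildNodes());
-Node un = getNamedNode("Unified", ai.getChildNodes());
-
 Node subtype = getNamedNode("Subtype", ci.getChildNodes());
 String vulnSubType = "";
 if (subtype != null) {
 vulnSubType = subtype.getTextContent();
 }
 tcr.setEvidence(vulnType + "::" + vulnSubType);
 
+// We grab this as sometimes we need to dig into this to verify the details of an issue
+Node ai = getNamedNode("AnalysisInfo", vuln.getChildNodes());
+Node un = getNamedNode("Unified", ai.getChildNodes());
+
 Node context = getNamedNode("Context", un.getChildNodes());
 Node function = getNamedNode("Function", context.getChildNodes());
 
@@ -186,9 +186,18 @@ private static TestCaseResult parseFortifyVulnerability(Node vuln) {
 if (isTestCaseFile(tc)) {
 tcr.setActualResultTestID(tc);
 return tcr;
-}
+} /* commented out - DEBUG only - else
+System.out.println(
+"DEBUG: Fortify parser found vulnerability of type: "
++ vulnType
++ " with subType: "
++ vulnSubType
++ " but its enclosingClass value is: "
++ tc
++ " so its being discarded");
+*/
 } else {
-/* if tc is null (from attribute enclosingClass), then this might be a NodeJS finding
+/* if tc is null (from attribute enclosingClass), then this might be a NodeJS finding, or C/C++
 that looks like this:
 <AnalysisInfo>
 <Unified>
@@ -197,32 +206,52 @@ private static TestCaseResult parseFortifyVulnerability(Node vuln) {
 <FunctionDeclarationSourceLocation path="testcode/TestSuiteTest00010.js" line="21" lineEnd="33" colStart="34" colEnd="0"/>
 </Context>
 */
-if (tc == null) {
-// DRW TODO: Test with other test suite and fix use of deprecated API as
-// appropriate.
-Node functionDecl =
-getNamedNode("FunctionDeclarationSourceLocation", context.getChildNodes());
-if (functionDecl != null) {
-String path = getAttributeValue("path", functionDecl);
-if (path != null) {
-int i = path.indexOf(BenchmarkScore.TESTCASENAME);
-if (i >= 0) {
-tc = path.substring(i);
-tc =
-tc.substring(
-BenchmarkScore.TESTCASENAME.length(),
-tc.lastIndexOf('.'));
-// This strips off inner classes from the test case file name I believe
-int dollar = tc.indexOf('$');
-if (dollar != -1) {
-tc = tc.substring(0, dollar);
-}
-tcr.setTestID(Integer.parseInt(tc));
-return tcr;
+Node functionDecl =
+getNamedNode("FunctionDeclarationSourceLocation", context.getChildNodes());
+if (functionDecl != null) {
+String path = getAttributeValue("path", functionDecl);
+if (path != null) {
+if (isTestCaseFile(path)) {
+path = extractFilenameWithoutEnding(path);
+tcr.setActualResultTestID(path);
+return tcr;
+} /* Comment out debug code
+else
+System.out.println(
+"DEBUG: Fortify parser found vulnerability of type: "
++ vulnType
++ " with subType: "
++ vulnSubType
++ " but its FunctionDeclarationSourceLocation value is: "
++ path
++ " so its being discarded");
+*/
+// DRW TODO: Remove this OLD / commented out code
+/* The following is the old code being replaced:
+int i = path.indexOf(BenchmarkScore.TESTCASENAME); // todo: Replace with StartsWith Match for Juliet style test cases.
+if (i >= 0) {
+tc = path.substring(i);
+tc =
+tc.substring(
+BenchmarkScore.TESTCASENAME.length(),
+tc.lastIndexOf('.'));
+// This strips off inner classes from the test case file name I believe
+int dollar = tc.indexOf('$');
+if (dollar != -1) {
+tc = tc.substring(0, dollar);
 }
+tcr.setTestID(Integer.parseInt(tc));
+return tcr;
 }
+old code commented out */
 }
-}
+} else if (!"Password in Comment".equals(vulnSubType))
+System.out.println(
+"WARNING: Fortify parser found vulnerability of type: "
++ vulnType
++ " with subType: "
++ vulnSubType
++ " but it has no FunctionDeclarationSourceLocation Node, so can't determine where the vuln was found.");
 }
 return null;
 }
@@ -234,6 +263,31 @@ public static int cweLookup(String vtype, String subtype, Node unifiedNode, Stri
 case "Access Specifier Manipulation":
 return CweNumber.IMPROPER_ACCESS_CONTROL;
 
+case "Buffer Overflow":
+{
+switch (subtype) {
+// The following are all mapped to CWE-119 since Fortify is
+// specifically saying this is a buffer overflow
+case "":
+case "Format String": // NOT specifying CWE 134: Use of
+// Externally-Controlled Format String
+case "Off-by-One": // NOT specifying CWE 193: Off-by-one error
+case "Signed Comparison": // NOT specifying CWE-839: Numeric Range
+// Comparison w/out minimum check
+return 119; // Improper Restriction of Operations within Bounds of
+// Memory Buffer
+
+default:
+System.out.println(
+"Fortify parser found vulnerability type: 'Buffer Overflow', with unmapped subtype: '"
++ subtype
++ "' in class: "
++ classname);
+return 119; // Improper Restriction of Operations within Bounds of
+// Memory Buffer
+}
+}
+
 case "Code Correctness":
 {
 switch (subtype) {
@@ -256,9 +310,9 @@ public static int cweLookup(String vtype, String subtype, Node unifiedNode, Stri
 default:
 if (classname != null)
 System.out.println(
-"Fortify parser found vulnerability type: 'Code Correctness', with unmapped subtype: "
+"Fortify parser found vulnerability type: 'Code Correctness', with unmapped subtype: '"
 + subtype
-+ " in class: "
++ "' in class: "
 + classname);
 }
 return CweNumber.UNMAPPED;
@@ -282,9 +336,9 @@ public static int cweLookup(String vtype, String subtype, Node unifiedNode, Stri
 default:
 if (classname != null)
 System.out.println(
-"Fortify parser found vulnerability type: 'Cookie Security', with unmapped subtype: "
+"Fortify parser found vulnerability type: 'Cookie Security', with unmapped subtype: '"
 + subtype
-+ " in class: "
++ "' in class: "
 + classname);
 }
 return CweNumber.UNMAPPED;
@@ -300,6 +354,9 @@ public static int cweLookup(String vtype, String subtype, Node unifiedNode, Stri
 default:
 return CweNumber.XSS;
 }
+case "Dangerous Function": // CWE-1177 Use of Prohibited Code is parent of both:
+return 1177; // CWE-242 Use of Inherently Dangerous Function and CWE-676 Use of
+// Potentially Dangerous Function
 case "Dead Code":
 return 561; // Dead Code
 case "Denial of Service":
@@ -321,9 +378,9 @@ public static int cweLookup(String vtype, String subtype, Node unifiedNode, Stri
 default:
 if (classname != null)
 System.out.println(
-"Fortify parser found vulnerability type: 'Insecure Randomness', with unmapped subtype: "
+"Fortify parser found vulnerability type: 'Insecure Randomness', with unmapped subtype: '"
 + subtype
-+ " in class: "
++ "' in class: "
 + classname);
 }
 return CweNumber.WEAK_RANDOM;
@@ -355,9 +412,9 @@ public static int cweLookup(String vtype, String subtype, Node unifiedNode, Stri
 default:
 if (classname != null)
 System.out.println(
-"Fortify parser found vulnerability type: 'Insider Threat', with unmapped subtype: "
+"Fortify parser found vulnerability type: 'Insider Threat', with unmapped subtype: '"
 + subtype
-+ " in class: "
++ "' in class: "
 + classname);
 }
 return CweNumber.UNMAPPED;
@@ -383,9 +440,9 @@ public static int cweLookup(String vtype, String subtype, Node unifiedNode, Stri
 default:
 if (classname != null)
 System.out.println(
-"Fortify parser found vulnerability type: 'J2EE Bad Practices', with unmapped subtype: "
+"Fortify parser found vulnerability type: 'J2EE Bad Practices', with unmapped subtype: '"
 + subtype
-+ " in class: "
++ "' in class: "
 + classname);
 }
 return CweNumber.UNMAPPED;
@@ -463,9 +520,9 @@ public static int cweLookup(String vtype, String subtype, Node unifiedNode, Stri
 default:
 if (classname != null)
 System.out.println(
-"Fortify parser found vulnerability type: 'Password Management', with unmapped subtype: "
+"Fortify parser found vulnerability type: 'Password Management', with unmapped subtype: '"
 + subtype
-+ " in class: "
++ "' in class: "
 + classname);
 }
 return CweNumber.UNMAPPED;
@@ -493,9 +550,9 @@ public static int cweLookup(String vtype, String subtype, Node unifiedNode, Stri
 
 default:
 System.out.println(
-"Fortify parser found vulnerability type: 'Poor Error Handling', with unmapped subtype: "
+"Fortify parser found vulnerability type: 'Poor Error Handling', with unmapped subtype: '"
 + subtype
-+ " in class: "
++ "' in class: "
 + classname);
 }
 return 703; // Improper Check or Handling of Exceptional Conditions
@@ -516,9 +573,9 @@ public static int cweLookup(String vtype, String subtype, Node unifiedNode, Stri
 return CweNumber.DONTCARE;
 default:
 System.out.println(
-"Fortify parser found vulnerability type: 'Poor Style', with unmapped subtype: "
+"Fortify parser found vulnerability type: 'Poor Style', with unmapped subtype: '"
 + subtype
-+ " in class: "
++ "' in class: "
 + classname);
 }
 return CweNumber.DONTCARE;
@@ -535,6 +592,8 @@ public static int cweLookup(String vtype, String subtype, Node unifiedNode, Stri
 return 15; // External Control of System or Config Setting
 case "SQL Injection":
 return CweNumber.SQL_INJECTION;
+case "String Termination Error":
+return 170; // Improper Null Termination
 case "System Information Leak":
 return 209; // Generation of Error Msg Containing Sensitive Info
 case "Trust Boundary Violation":
@@ -558,9 +617,9 @@ public static int cweLookup(String vtype, String subtype, Node unifiedNode, Stri
 return 325; // Missing Required Step
 default:
 System.out.println(
-"Fortify parser found vulnerability type: 'Weak Cryptographic Hash', with unmapped subtype: "
+"Fortify parser found vulnerability type: 'Weak Cryptographic Hash', with unmapped subtype: '"
 + subtype
-+ " in class: "
++ "' in class: "
 + classname);
 }
 return CweNumber.WEAK_HASH_ALGO;
@@ -590,9 +649,9 @@ public static int cweLookup(String vtype, String subtype, Node unifiedNode, Stri
 .DONTCARE; // Disable so it doesn't count against Fortify.
 default:
 System.out.println(
-"Fortify parser found vulnerability type: 'Weak Encryption', with unmapped subtype: "
+"Fortify parser found vulnerability type: 'Weak Encryption', with unmapped subtype: '"
 + subtype
-+ " in class: "
++ "' in class: "
 + classname);
 }
 return CweNumber.WEAK_CRYPTO_ALGO;
@@ -623,9 +682,9 @@ public static int cweLookup(String vtype, String subtype, Node unifiedNode, Stri
 System.out.println(
 "Fortify parser found unknown vulnerability type: "
 + vtype
-+ ", with subtype: "
++ ", with subtype: '"
 + subtype
-+ " in class: "
++ "' in class: "
 + classname);
 } // end switch
 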
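Review bot: The fallback added at new line 248 of the fourth hunk, `} else if (!"Password in Comment".equals(vulnSubType))`, hangs an unbraced multi-line `System.out.println(...)` off the `else if`, which is easy to misread when the next line is edited and breaks the always-brace convention the rest of parseFortifyVulnerability follows; wrap the statement in `{ ... }`. The same hunk commits roughly twenty lines of commented-out code under `// DRW TODO: Remove this OLD / commented out code` that still reference `BenchmarkScore.TESTCASENAME`, whose import the first hunk removes at line 27, so the block is already unbuildable if ever uncommented — delete it now rather than deferring. Dropping the old `if (tc == null)` guard is only behaviour-neutral if the enclosing `} else {` branch at new line 199 is itself the `tc == null` case, which is decided above this hunk and worth confirming. parseFortifyVulnerability begins outside the hunk.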
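--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/CodeSonarReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/CodeSonarReader.java
@@ -30,7 +30,7 @@ public class CodeSonarReader extends SarifReader {
 
 // Setting CweSourceType.CUSTOM causes the customRuleCweMappings() method to be invoked
 public CodeSonarReader() {
-super("CodeSonar", false, CweSourceType.CUSTOM);
+super("CodeSonar", true, CweSourceType.CUSTOM);
 }
 
 @Override
@@ -71,6 +71,7 @@ public Map<String, Integer> customRuleCweMappings(JSONObject tool) {
 
 // CodeSonar has some non-security rules that don't map to CWEs. So we manaully add those as
 // DONTCARES
+mappings.put("Avoid constant arrays as arguments (C#)", CweNumber.DONTCARE);
 mappings.put("Avoid zero-length array allocations (C#)", CweNumber.DONTCARE);
 mappings.put("Do not initialize unnecessarily (C#)", CweNumber.DONTCARE);
 mappings.put("Do not raise reserved exception types (C#)", CweNumber.DONTCARE);
@@ -80,6 +81,9 @@ public Map<String, Integer> customRuleCweMappings(JSONObject tool) {
 mappings.put("Seal internal types (C#)", CweNumber.DONTCARE); // Improves performance
 mappings.put(
 "Specify IFormatProvider (C#)", CweNumber.DONTCARE); // Localization Issue (fonts)
+mappings.put(
+"Use concrete types when possible for improved performance (C#)",
+CweNumber.DONTCARE);
 mappings.put("Use ordinal string comparison (C#)", CweNumber.DONTCARE);
 mappings.put("Use XmlReader for XPathDocument constructor (C#)", CweNumber.DONTCARE);
 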
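Review bot: The constructor change at line 33 flips an unlabelled boolean positional argument from `false` to `true` with nothing at the call site saying what that flag controls in SarifReader, while the comment directly above only explains the CweSourceType.CUSTOM argument. Add a trailing comment naming the flag's effect, e.g. `super("CodeSonar", true /* <what SarifReader's second constructor flag enables — fill in> */, CweSourceType.CUSTOM);`, or extend the existing comment above the constructor to cover both arguments. How this flip changes the scoring of CodeSonar results is not visible from this hunk.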