Merge remote-tracking branch 'origin/main' into generalizeScoring

Author: Dave Wichers

.github/workflows/maven.yaml

@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
       with:
         fetch-depth: 0
     - name: Set up JDK 11

library/src/main/resources/categories.xml

@@ -159,6 +159,14 @@
         <isInjection>true</isInjection>
         <shortname>SQLI</shortname>
     </category>
+    <category>
+        <id>tempfile</id>
+        <name>Insecure Temporary File</name>
+        <cwe>377</cwe>
+        <childof>668</childof>
+        <parentof>378,379</parentof>
+        <shortname>TEMP</shortname>
+    </category>
     <category>
         <id>trustbound</id>
         <name>Trust Boundary</name>

plugin/pom.xml

@@ -59,13 +59,13 @@
         <dependency>
             <groupId>commons-cli</groupId>
             <artifactId>commons-cli</artifactId>
-            <version>1.10.0</version>
+            <version>1.11.0</version>
         </dependency>
 
         <dependency>
             <groupId>commons-io</groupId>
             <artifactId>commons-io</artifactId>
-            <version>2.20.0</version>
+            <version>2.21.0</version>
         </dependency>
 
         <dependency>
@@ -83,7 +83,7 @@
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-lang3</artifactId>
-            <version>3.19.0</version>
+            <version>3.20.0</version>
         </dependency>
 
         <dependency>
@@ -108,7 +108,7 @@
         <dependency>
             <groupId>org.apache.maven.plugin-tools</groupId>
             <artifactId>maven-plugin-annotations</artifactId>
-            <version>3.15.1</version>
+            <version>3.15.2</version>
             <scope>provided</scope>
         </dependency>
 
@@ -192,7 +192,7 @@
     </build>
 
     <properties>
-        <version.fasterxml.jackson>2.20.0</version.fasterxml.jackson>
+        <version.fasterxml.jackson>2.20.1</version.fasterxml.jackson>
         <!-- 3.0.3+ version of eclipse.persistence requires jakarta.xml.bind instead of jaxb -->
         <version.eclipse.persistence>2.7.15</version.eclipse.persistence>
         <version.junit.jupiter>5.13.4</version.junit.jupiter>

plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/BanditReader.java

@@ -0,0 +1,37 @@
+/**
+ * OWASP Benchmark Project
+ *
+ * <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For
+ * details, please see <a
+ * href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
+ *
+ * <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ * <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * @author Dave Wichers
+ * @created 2025
+ */
+package org.owasp.benchmarkutils.score.parsers.sarif;
+
+import org.owasp.benchmarkutils.score.ResultFile;
+
+/**
+ * This reader is made for the datadog-static-analyzer available on <a
+ * href="https://github.com/DataDog/datadog-static-analyzer">...</a>. It uses the SARIF file
+ * produces by the tool.
+ */
+public class BanditReader extends SarifReader {
+
+    public BanditReader() {
+        super("Bandit", false, CweSourceType.TAG);
+    }
+
+    @Override
+    public String toolName(ResultFile resultFile) {
+        return "Bandit";
+    }
+}

plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Reader.java

@@ -30,6 +30,7 @@
 import org.owasp.benchmarkutils.score.TestSuiteResults;
 import org.owasp.benchmarkutils.score.parsers.csv.SemgrepCSVReader;
 import org.owasp.benchmarkutils.score.parsers.csv.WhiteHatDynamicReader;
+import org.owasp.benchmarkutils.score.parsers.sarif.BanditReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.CodeQLReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.CodeSonarReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.ContrastScanReader;
@@ -58,6 +59,7 @@ public static List<Reader> allReaders() {
                 new AppScanDynamicReader(),
                 new AppScanSourceReader(),
                 new ArachniReader(),
+                new BanditReader(),
                 new BearerReader(),
                 new BlackDuckReader(),
                 new BurpJsonReader(),

pom.xml

@@ -53,12 +53,12 @@
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-plugin-plugin</artifactId>
-                    <version>3.15.1</version>
+                    <version>3.15.2</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-release-plugin</artifactId>
-                    <version>3.1.1</version>
+                    <version>3.2.0</version>
                 </plugin>
             </plugins>
         </pluginManagement>
@@ -167,7 +167,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-jar-plugin</artifactId>
-                <version>3.4.2</version>
+                <version>3.5.0</version>
             </plugin>
 
             <plugin>
@@ -212,7 +212,7 @@
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>versions-maven-plugin</artifactId>
-                <version>2.19.1</version>
+                <version>2.20.1</version>
             </plugin>
 
             <plugin>