Add support for scoring a Fortify.fpr file converted to SARIF using the

Microsoft SARIF SDK Multitool.

Author: Dave Wichers

plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java

@@ -19,168 +19,171 @@
 
 public class CweNumber {
 
+    /** Used occasionally to indicate a CWE isn't mapped yet, but might get mapped properly later */
+    public static final int UNMAPPED = -1;
+
     /** To be used when the CWE reported is one we don't care about in any test suite */
-    public static int DONTCARE = 0000;
+    public static final int DONTCARE = 0000;
 
     /** CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') */
-    public static int PATH_TRAVERSAL = 22;
+    public static final int PATH_TRAVERSAL = 22;
 
     /** CWE-23: Relative Path Traversal */
-    public static int RELATIVE_PATH_TRAVERSAL = 23;
+    public static final int RELATIVE_PATH_TRAVERSAL = 23;
 
     /**
      * CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command
      * Injection')
      */
-    public static int COMMAND_INJECTION = 78;
+    public static final int COMMAND_INJECTION = 78;
 
     /**
      * CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
      */
-    public static int XSS = 79;
+    public static final int XSS = 79;
 
     /**
      * CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
      */
-    public static int SQL_INJECTION = 89;
+    public static final int SQL_INJECTION = 89;
 
     /**
      * CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
      */
-    public static int LDAP_INJECTION = 90;
+    public static final int LDAP_INJECTION = 90;
 
     /** CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') */
-    public static int CRLF_INJECTION = 93;
+    public static final int CRLF_INJECTION = 93;
 
     /**
      * CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response
      * Splitting')
      */
-    public static int HTTP_RESPONSE_SPLITTING = 113;
+    public static final int HTTP_RESPONSE_SPLITTING = 113;
 
     /** CWE-134: Use of Externally-Controlled Format String */
-    public static int EXTERNALLY_CONTROLLED_STRING = 134;
+    public static final int EXTERNALLY_CONTROLLED_STRING = 134;
 
     /** CWE-284: Improper Access Control */
-    public static int IMPROPER_ACCESS_CONTROL = 284;
+    public static final int IMPROPER_ACCESS_CONTROL = 284;
 
     /** CWE-327: Use of a Broken or Risky Cryptographic Algorithm */
-    public static int WEAK_CRYPTO_ALGO = 327;
+    public static final int WEAK_CRYPTO_ALGO = 327;
 
     /** CWE-328: Use of Weak Hash */
-    public static int WEAK_HASH_ALGO = 328;
+    public static final int WEAK_HASH_ALGO = 328;
 
     /** CWE-329: Generation of Predictable IV with CBC Mode */
-    public static int STATIC_CRYPTO_INIT = 329;
+    public static final int STATIC_CRYPTO_INIT = 329;
 
     /** CWE-330: Use of Insufficiently Random Values */
-    public static int WEAK_RANDOM = 330;
+    public static final int WEAK_RANDOM = 330;
 
     /** CWE-352: Cross-Site Request Forgery (CSRF) */
-    public static int CSRF = 352;
+    public static final int CSRF = 352;
 
     /** CWE-382: J2EE Bad Practices: Use of System.exit() */
-    public static int SYSTEM_EXIT = 382;
+    public static final int SYSTEM_EXIT = 382;
 
     /** CWE-395: Use of NullPointerException Catch to Detect NULL Pointer Dereference */
-    public static int CATCHING_NULL_POINTER_EXCEPTION = 395;
+    public static final int CATCHING_NULL_POINTER_EXCEPTION = 395;
 
     /** CWE-396: Declaration of Catch for Generic Exception */
-    public static int CATCH_GENERIC_EXCEPTION = 396;
+    public static final int CATCH_GENERIC_EXCEPTION = 396;
 
     /** CWE-397: Declaration of Throws for Generic Exception */
-    public static int THROW_GENERIC_EXCEPTION = 397;
+    public static final int THROW_GENERIC_EXCEPTION = 397;
 
     /** CWE-478: Missing Default Case in Switch Statement */
-    public static int MISSING_DEFAULT_CASE = 478;
+    public static final int MISSING_DEFAULT_CASE = 478;
 
     /** CWE-483: Incorrect Block Delimitation */
-    public static int INCORRECT_BLOCK_DELIMITATION = 483;
+    public static final int INCORRECT_BLOCK_DELIMITATION = 483;
 
     /** CWE-484: Omitted Break Statement in Switch */
-    public static int OMITTED_BREAK = 484;
+    public static final int OMITTED_BREAK = 484;
 
     /** CWE-493: Critical Public Variable Without Final Modifier */
-    public static int PUBLIC_VAR_WITHOUT_FINAL = 493;
+    public static final int PUBLIC_VAR_WITHOUT_FINAL = 493;
 
     /** CWE-500: Public Static Field Not Marked Final */
-    public static int PUBLIC_STATIC_NOT_FINAL = 500;
+    public static final int PUBLIC_STATIC_NOT_FINAL = 500;
 
     /** CWE-501: Trust Boundary Violation */
-    public static int TRUST_BOUNDARY_VIOLATION = 501;
+    public static final int TRUST_BOUNDARY_VIOLATION = 501;
 
     /** CWE-502: Deserialization of Untrusted Data */
-    public static int INSECURE_DESERIALIZATION = 502;
+    public static final int INSECURE_DESERIALIZATION = 502;
 
     /** CWE-523: Unprotected Transport of Credentials */
-    public static int UNPROTECTED_CREDENTIALS_TRANSPORT = 523;
+    public static final int UNPROTECTED_CREDENTIALS_TRANSPORT = 523;
 
     /** CWE-532: Insertion of Sensitive Information into Log File */
-    public static int SENSITIVE_LOGFILE = 532;
+    public static final int SENSITIVE_LOGFILE = 532;
 
     /** CWE-564: SQL Injection: Hibernate */
-    public static int HIBERNATE_INJECTION = 564;
+    public static final int HIBERNATE_INJECTION = 564;
 
     /** CWE-572: Call to Thread run() instead of start() */
-    public static int THREAD_WRONG_CALL = 572;
+    public static final int THREAD_WRONG_CALL = 572;
 
     /** CWE-580: clone() Method Without super.clone() */
-    public static int CLONE_WITHOUT_SUPER_CLONE = 580;
+    public static final int CLONE_WITHOUT_SUPER_CLONE = 580;
 
     /** CWE-563: Assignment to Variable without Use */
-    public static int UNUSED_VAR_ASSIGNMENT = 563;
+    public static final int UNUSED_VAR_ASSIGNMENT = 563;
 
     /** CWE-581: Object Model Violation: Just One of Equals and Hashcode Defined */
-    public static int OBJECT_MODEL_VIOLATION = 581;
+    public static final int OBJECT_MODEL_VIOLATION = 581;
 
     /** CWE-583: finalize() Method Declared Public */
-    public static int FINALIZE_DECLARED_PUBLIC = 583;
+    public static final int FINALIZE_DECLARED_PUBLIC = 583;
 
     /** CWE-584: Return Inside Finally Block */
-    public static int RETURN_INSIDE_FINALLY = 584;
+    public static final int RETURN_INSIDE_FINALLY = 584;
 
     /** CWE-595: Comparison of Object References Instead of Object Contents */
-    public static int OBJECT_REFERENCE_COMPARISON = 595;
+    public static final int OBJECT_REFERENCE_COMPARISON = 595;
 
     /** CWE-601: URL Redirection to Untrusted Site ('Open Redirect') */
-    public static int OPEN_REDIRECT = 601;
+    public static final int OPEN_REDIRECT = 601;
 
     /** CWE-611: Improper Restriction of XML External Entity Reference */
-    public static int XXE = 611;
+    public static final int XXE = 611;
 
     /** CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute */
-    public static int INSECURE_COOKIE = 614;
+    public static final int INSECURE_COOKIE = 614;
 
     /** CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection') */
-    public static int XPATH_INJECTION = 643;
+    public static final int XPATH_INJECTION = 643;
 
     /**
      * CWE-649: Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity
      * Checking
      */
-    public static int OBFUSCATION = 649;
+    public static final int OBFUSCATION = 649;
 
     /** CWE-754: Improper Check for Unusual or Exceptional Conditions */
-    public static int IMPROPER_CHECK_FOR_CONDITIONS = 754;
+    public static final int IMPROPER_CHECK_FOR_CONDITIONS = 754;
 
     /** CWE-783: Operator Precedence Logic Error */
-    public static int OPERATOR_PRECEDENCE_LOGIC = 783;
+    public static final int OPERATOR_PRECEDENCE_LOGIC = 783;
 
     /** CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') */
-    public static int LOOP_WITH_UNREACHABLE_EXIT = 835;
+    public static final int LOOP_WITH_UNREACHABLE_EXIT = 835;
 
     /** CWE-916: Use of Password Hash With Insufficient Computational Effort */
-    public static int PASSWORD_HASH_WITH_INSUFFICIENT_COMPUTATIONAL_EFFORT = 916;
+    public static final int PASSWORD_HASH_WITH_INSUFFICIENT_COMPUTATIONAL_EFFORT = 916;
 
     /** CWE-918: Server-Side Request Forgery (SSRF) */
-    public static int SSRF = 918;
+    public static final int SSRF = 918;
 
     /** CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag */
-    public static int COOKIE_WITHOUT_HTTPONLY = 1004;
+    public static final int COOKIE_WITHOUT_HTTPONLY = 1004;
 
     /** CWE-1021: Improper Restriction of Rendered UI Layers or Frames */
-    public static int IMPROPER_UI_LAYER_RESTRICTION = 1021;
+    public static final int IMPROPER_UI_LAYER_RESTRICTION = 1021;
 
     /** CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine */
-    public static int SSTI = 1336;
+    public static final int SSTI = 1336;
 }

plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FortifyReader.java

@@ -79,7 +79,7 @@ public TestSuiteResults parse(ResultFile resultZip) throws Exception {
         return tr;
     }
 
-    private String fetchToolVersison(Node root) {
+    private static String fetchToolVersison(Node root) {
         Node eData = getNamedChild("EngineData", root);
         String version = getNamedChild("EngineVersion", eData).getTextContent();
         Node rps = getNamedChild("RulePacks", eData);
@@ -96,13 +96,13 @@ private String fetchToolVersison(Node root) {
      * @param root
      * @return
      */
-    private boolean isFortifyOnDemand(Node root) {
+    private static boolean isFortifyOnDemand(Node root) {
         return getNamedChild("SourceBasePath", getNamedChild("Build", root))
                 .getTextContent()
                 .contains("ronq");
     }
 
-    public String parseTime(String filename) {
+    public static String parseTime(String filename) {
         try {
             // to make the same as normal filenames, strip off the '.fvdl' at the end of the
             // filename
@@ -150,7 +150,7 @@ public String parseTime(String filename) {
     //            outputFile.delete();
     //        }
 
-    private TestCaseResult parseFortifyVulnerability(Node vuln) {
+    private static TestCaseResult parseFortifyVulnerability(Node vuln) {
         TestCaseResult tcr = new TestCaseResult();
 
         Node ci = getNamedNode("ClassInfo", vuln.getChildNodes());
@@ -218,7 +218,7 @@ private TestCaseResult parseFortifyVulnerability(Node vuln) {
         return null;
     }
 
-    private int cweLookup(String vtype, String subtype, Node unifiedNode) {
+    public static int cweLookup(String vtype, String subtype, Node unifiedNode) {
 
         switch (vtype) {
             case "Access Control":
@@ -232,7 +232,7 @@ private int cweLookup(String vtype, String subtype, Node unifiedNode) {
                     // Verify its the exact type we are looking for (e.g., not HttpOnly finding)
                     if ("Cookie not Sent Over SSL".equals(subtype))
                         return CweNumber.INSECURE_COOKIE;
-                    else return 00;
+                    else return CweNumber.DONTCARE;
                 }
 
             case "Cross-Site Request Forgery":
@@ -250,7 +250,7 @@ private int cweLookup(String vtype, String subtype, Node unifiedNode) {
                 }
 
             case "Dead Code":
-                return 00;
+                return CweNumber.DONTCARE;
             case "Denial of Service":
                 return 400;
             case "Dynamic Code Evaluation":
@@ -306,11 +306,11 @@ private int cweLookup(String vtype, String subtype, Node unifiedNode) {
                             return 330;
                         }
                     }
-                    return 00; // If neither of these, then don't care
+                    return CweNumber.DONTCARE; // If neither of these, don't care
                 }
 
             case "Password Management":
-                return 00;
+                return CweNumber.DONTCARE;
             case "Path Manipulation":
                 return 22;
 
@@ -351,7 +351,8 @@ private int cweLookup(String vtype, String subtype, Node unifiedNode) {
                             // TODO: Assuming this Fortify rule is valid, we might need to fix
                             // Benchmark itself to eliminate unintended vulns.
                         case "Insecure Mode of Operation":
-                            return 0; // Disable so it doesn't count against Fortify.
+                            return CweNumber
+                                    .DONTCARE; // Disable so it doesn't count against Fortify.
                     }
                     return 327;
                 }
@@ -379,13 +380,13 @@ private int cweLookup(String vtype, String subtype, Node unifiedNode) {
             case "Portability Flaw":
             case "Race Condition":
             case "Redundant Null Check":
-                return 00;
+                return CweNumber.DONTCARE;
 
             default:
                 System.out.println(
                         "Fortify parser encountered unknown vulnerability type: " + vtype);
         } // end switch
 
-        return 0;
+        return CweNumber.UNMAPPED;
     }
 }

plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Reader.java

@@ -32,6 +32,7 @@
 import org.owasp.benchmarkutils.score.parsers.sarif.CodeQLReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.ContrastScanReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.DatadogSastReader;
+import org.owasp.benchmarkutils.score.parsers.sarif.FortifySarifReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.PTAIReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.PrecautionReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.SemgrepSarifReader;
@@ -45,10 +46,8 @@ public abstract class Reader {
     protected final ObjectMapper jsonMapper = new ObjectMapper();
     protected final XmlMapper xmlMapper = new XmlMapper();
 
-    // TODO: Figure out how to dynamically add all readers here without listing them
-    // out manually
-    // NOTE: There is a unit test that at least automatically verifies that any
-    // reader with a unit
+    // TODO: Figure out how to dynamically add all readers without listing them manually
+    // NOTE: There is a unit test that at least automatically verifies that any reader with a unit
     // test is in this list
     public static List<Reader> allReaders() {
         return Arrays.asList(
@@ -74,6 +73,7 @@ public static List<Reader> allReaders() {
                 new FindbugsReader(),
                 new FluidAttacksReader(),
                 new FortifyReader(),
+                new FortifySarifReader(),
                 new FusionLiteInsightReader(),
                 new HCLAppScanIASTReader(),
                 new HCLAppScanSourceReader(),
@@ -132,9 +132,9 @@ public static Node getNamedNode(String name, NodeList list) {
 
         return null;
     }
+
     // Returns the node inside this nodelist whose name matches 'name', that also
-    // has an attribute
-    // called 'key' whose value matches 'keyvalue'
+    // has an attribute called 'key' whose value matches 'keyvalue'
 
     public static Node getNamedNode(String name, String keyValue, NodeList list) {
         if ((name == null) || (keyValue == null) || (list == null)) return null;
@@ -265,6 +265,7 @@ public static int testNumber(String path, String testCaseName) {
             // Remove remaining dots
             path = path.replace(".", "");
             // System.out.println("Final: " + path);
+
             // In the case of $innerclass
             int dollar = path.indexOf("$");
             if (dollar != -1) {