This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For
+ * details, please see https://owasp.org/www-project-benchmark/.
+ *
+ *
The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ *
The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * @author Alexey Zhukov
+ * @created 2024
+ */
+package org.owasp.benchmarkutils.score.parsers.sarif;
+
+import org.owasp.benchmarkutils.score.CweNumber;
+import org.owasp.benchmarkutils.score.ResultFile;
+import org.owasp.benchmarkutils.score.TestSuiteResults;
+
+public class PTAIReader extends SarifReader {
+
+ static final int PTAI_CWE_EXTERNAL_FILEPATH_CONTROL = 73;
+ static final int PTAI_CWE_BLIND_XPATH_INJECTION = 91;
+
+ static final String EXPECTED_TOOL_NAME = "Positive Technologies Application Inspector";
+ static final String SHORTENED_TOOL_NAME = "PT Application Inspector";
+
+ public PTAIReader() {
+ super(EXPECTED_TOOL_NAME, true, CweSourceType.FIELD);
+ }
+
+ @Override
+ public String toolName(ResultFile resultFile) {
+ return SHORTENED_TOOL_NAME;
+ }
+
+ /**
+ * SARIF report tool version field is too long as it contains build number. Shorten it to X.Y.Z
+ */
+ @Override
+ public void setVersion(ResultFile resultFile, TestSuiteResults testSuiteResults) {
+ super.setVersion(resultFile, testSuiteResults);
+ String version = testSuiteResults.getToolVersion();
+ String[] versionItems = version.split("\\.");
+ if (versionItems.length < 4) return;
+ testSuiteResults.setToolVersion(
+ String.format("%s.%s.%s", versionItems[0], versionItems[1], versionItems[2]));
+ }
+
+ @Override
+ public int mapCwe(int cwe) {
+ switch (cwe) {
+ case PTAI_CWE_EXTERNAL_FILEPATH_CONTROL:
+ return CweNumber.PATH_TRAVERSAL;
+ case PTAI_CWE_BLIND_XPATH_INJECTION:
+ return CweNumber.XPATH_INJECTION;
+ }
+ return cwe;
+ }
+}
diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/PTAIReaderTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/PTAIReaderTest.java
new file mode 100644
index 00000000..6df8ffcc
--- /dev/null
+++ b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/PTAIReaderTest.java
@@ -0,0 +1,57 @@
+/**
+ * OWASP Benchmark Project
+ *
+ *
This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For
+ * details, please see https://owasp.org/www-project-benchmark/.
+ *
+ *
The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ *
The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * @author Alexey Zhukov
+ * @created 2024
+ */
+package org.owasp.benchmarkutils.score.parsers.sarif;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.owasp.benchmarkutils.score.*;
+import org.owasp.benchmarkutils.score.parsers.ReaderTestBase;
+
+public class PTAIReaderTest extends ReaderTestBase {
+
+    private ResultFile resultFile;
+
+    @BeforeEach
+    void setUp() {
+        resultFile = TestHelper.resultFileOf("testfiles/Benchmark_PTAI-v4.7.2.sarif");
+        BenchmarkScore.TESTCASENAME = "BenchmarkTest";
+    }
+
+    @Test
+    public void onlyPTAIReaderTestReportsCanReadAsTrue() {
+        assertOnlyMatcherClassIs(this.resultFile, PTAIReader.class);
+    }
+
+    @Test
+    void readerHandlesGivenResultFile() throws Exception {
+        PTAIReader reader = new PTAIReader();
+        TestSuiteResults result = reader.parse(resultFile);
+
+        assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType());
+
+        assertEquals("PT Application Inspector", result.getToolName());
+        assertEquals("4.7.2", result.getToolVersion());
+
+        assertEquals(2, result.getTotalResults());
+
+        assertEquals(CweNumber.PATH_TRAVERSAL, result.get(1).get(0).getCWE());
+        assertEquals(CweNumber.SQL_INJECTION, result.get(8).get(0).getCWE());
+    }
+}
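Review bot: The CWE remapping in `PTAIReader.mapCwe` is only half exercised by this test — `readerHandlesGivenResultFile` asserts the CWE-73 → `PATH_TRAVERSAL` mapping at the `result.get(1)` line, but the CWE-91 → `XPATH_INJECTION` branch has no assertion because the fixture only carries CWE-89 and CWE-73 results, and the early return in `setVersion` for a version with fewer than four components is likewise untested. Adding a third result to the fixture whose rule has `"cwe": ["CWE-91"]` and asserting `assertEquals(CweNumber.XPATH_INJECTION, result.get(N).get(0).getCWE());` would pin both mappings, and a second fixture (or an inline one, if `TestHelper` supports that) with `"version": "4.7.2"` would cover the short-version path. Two smaller style points: `import org.owasp.benchmarkutils.score.*;` is a wildcard import where the rest of the file imports explicitly, and `onlyPTAIReaderTestReportsCanReadAsTrue` is `public` while `readerHandlesGivenResultFile` is package-private — JUnit 5 needs neither, so pick one. `BenchmarkScore.TESTCASENAME` is assigned in `setUp` and never restored; if the sibling reader tests do the same this is presumably the established pattern, but it is shared static state that leaks across test classes.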
diff --git a/plugin/src/test/resources/testfiles/Benchmark_PTAI-v4.7.2.sarif b/plugin/src/test/resources/testfiles/Benchmark_PTAI-v4.7.2.sarif
new file mode 100644
index 00000000..c861425d
--- /dev/null
+++ b/plugin/src/test/resources/testfiles/Benchmark_PTAI-v4.7.2.sarif
@@ -0,0 +1,104 @@
+{
+  "version": "2.1.0",
+  "$schema": "http://json.schemastore.org/sarif-2.1.0.json",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "Positive Technologies Application Inspector",
+          "version": "4.7.2.36549",
+          "organization": "Positive Technologies",
+          "informationUri": "https://www.ptsecurity.com/ww-en/products/ai/",
+          "rules": [
+            {
+              "id": "SQL Injection",
+              "name": "SQL Injection",
+              "properties": {
+                "cwe": [
+                  "CWE-89"
+                ]
+              },
+              "defaultConfiguration": {
+                "level": "error",
+                "enabled": true
+              },
+              "messageStrings": {
+                "default": {
+                  "text": "SQL Injection"
+                }
+              }
+            },
+            {
+              "id": "Arbitrary File Reading",
+              "name": "Arbitrary File Reading",
+              "properties": {
+                "cwe": [
+                  "CWE-73"
+                ]
+              },
+              "defaultConfiguration": {
+                "level": "error",
+                "enabled": true
+              },
+              "messageStrings": {
+                "default": {
+                  "text": "Arbitrary File Reading"
+                }
+              }
+            }
+          ]
+        }
+      },
+      "results": [
+        {
+          "ruleId": "Arbitrary File Reading",
+          "suppressions": [
+          ],
+          "message": {
+            "id": "default",
+            "text": "Arbitrary File Reading"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "./src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java"
+                },
+                "region": {
+                  "startLine": 71,
+                  "snippet": {
+                    "text": "new java.io.FileInputStream(new java.io.File(fileName))"
+                  }
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "SQL Injection",
+          "suppressions": [
+          ],
+          "message": {
+            "id": "default",
+            "text": "SQL Injection"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "./src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00008.java"
+                },
+                "region": {
+                  "startLine": 57,
+                  "snippet": {
+                    "text": "connection.prepareCall(sql)"
+                  }
+                }
+              }
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}
diff --git a/pom.xml b/pom.xml
index bd745b6d..dcaca1cb 100644
--- a/pom.xml
+++ b/pom.xml
@@ -48,12 +48,12 @@