CWE mappings for findings (#43)

praetorian-thendrickson · web-flow · commit 4b43e9f80dde · 2021-09-15T09:19:37.000-07:00
* update finding types to refer to CWE id

* fix the broken tests
diff --git a/analyzers/cmdi.go b/analyzers/cmdi.go
@@ -75,7 +75,7 @@ func cmdInjectionRun(pass *analysis.Pass) (interface{}, error) {
 						message := "Danger: possible command injection detected"
 						targetFunc := util.GenerateTaintedCode(pass, vulnFunc.Fn, vulnFunc.Instr.Pos())
 						taintSource := taintAnalyzer.TaintSource
-						finding := util.MakeFinding(message, targetFunc, taintSource, "Command Injection")
+						finding := util.MakeFinding(message, targetFunc, taintSource, "CWE-78: OS Command Injection")
 						results = append(results, finding)
 					}
 				}
diff --git a/analyzers/cmdi_test.go b/analyzers/cmdi_test.go
@@ -39,7 +39,7 @@ func TestCommandInjection(t *testing.T) {
 	}
 	for i := 0; i < len(testFiles); i++ {
 		t.Run(testFiles[i], func(t *testing.T) {
-			testutil.RunTest(testFiles[i], testResults[i], "Command Injection", CommandInjectionAnalyzer, t)
+			testutil.RunTest(testFiles[i], testResults[i], "CWE-78: OS Command Injection", CommandInjectionAnalyzer, t)
 		})
 	}
 }
diff --git a/analyzers/rsa.go b/analyzers/rsa.go
@@ -173,9 +173,9 @@ func rsaRun(pass *analysis.Pass) (interface{}, error) {
 
 				// Check if argument of vulnerable function has keylen that is less than RECOMMENDED_KEYLEN
 				if keylen_check(pass, vulnFunc.Instr.Call.Args[1], call_graph) {
-					message := fmt.Sprintf("Danger: key length is too short, recommend %d", RECOMMENDED_KEYLEN)
+					message := fmt.Sprintf("Danger: RSA key length is too short, recommend %d", RECOMMENDED_KEYLEN)
 					targetFunc := util.GenerateTaintedCode(pass, vulnFunc.Fn, vulnFunc.Instr.Pos())
-					results = append(results, util.MakeFinding(message, targetFunc, nil, "RSA Key Length"))
+					results = append(results, util.MakeFinding(message, targetFunc, nil, "CWE-326: Inadequate Encryption Strength"))
 				}
 			}
 		}
diff --git a/analyzers/rsa_test.go b/analyzers/rsa_test.go
@@ -51,7 +51,7 @@ func TestRsaKeylen(t *testing.T) {
 	}
 	for i := 0; i < len(testFiles); i++ {
 		t.Run(testFiles[i], func(t *testing.T) {
-			testutil.RunTest(testFiles[i], testResults[i], "RSA Key Length", RsaKeylenAnalyzer, t)
+			testutil.RunTest(testFiles[i], testResults[i], "CWE-326: Inadequate Encryption Strength", RsaKeylenAnalyzer, t)
 		})
 	}
 }
diff --git a/analyzers/sqli.go b/analyzers/sqli.go
@@ -80,7 +80,7 @@ func sqlRun(pass *analysis.Pass) (interface{}, error) {
 					message := "Danger: possible SQL injection detected"
 					targetFunc := util.GenerateTaintedCode(pass, vulnFunc.Fn, vulnFunc.Instr.Pos())
 					taintSource := taint_analyzer.TaintSource
-					results = append(results, util.MakeFinding(message, targetFunc, taintSource, "SQL Injection"))
+					results = append(results, util.MakeFinding(message, targetFunc, taintSource, "CWE-89: SQL Injection"))
 				}
 			}
 		}
diff --git a/analyzers/sqli_test.go b/analyzers/sqli_test.go
@@ -39,7 +39,7 @@ func TestSQLInjection(t *testing.T) {
 	}
 	for i := 0; i < len(testFiles); i++ {
 		t.Run(testFiles[i], func(t *testing.T) {
-			testutil.RunTest(testFiles[i], testResults[i], "SQL Injection", SQLInjectionAnalyzer, t)
+			testutil.RunTest(testFiles[i], testResults[i], "CWE-89: SQL Injection", SQLInjectionAnalyzer, t)
 		})
 	}
 }
diff --git a/analyzers/ssrf.go b/analyzers/ssrf.go
@@ -158,7 +158,7 @@ func ssrfRun(pass *analysis.Pass) (interface{}, error) {
 								message := "Danger: possible SSRF detected"
 								targetFunc := util.GenerateTaintedCode(pass, vulnFunc.Fn, vulnFunc.Instr.Pos())
 								taintSource := taintAnalyzer.TaintSource
-								results = append(results, util.MakeFinding(message, targetFunc, taintSource, "SSRF"))
+								results = append(results, util.MakeFinding(message, targetFunc, taintSource, "CWE-918: Server-Side Request Forgery"))
 
 							}
 						}
@@ -169,7 +169,7 @@ func ssrfRun(pass *analysis.Pass) (interface{}, error) {
 							message := "Danger: possible SSRF detected"
 							targetFunc := util.GenerateTaintedCode(pass, vulnFunc.Fn, vulnFunc.Instr.Pos())
 							taintSource := taintAnalyzer.TaintSource
-							results = append(results, util.MakeFinding(message, targetFunc, taintSource, "SSRF"))
+							results = append(results, util.MakeFinding(message, targetFunc, taintSource, "CWE-918: Server-Side Request Forgery"))
 
 						}
 					}
diff --git a/analyzers/ssrf_test.go b/analyzers/ssrf_test.go
@@ -47,7 +47,7 @@ func TestSSRF(t *testing.T) {
 	}
 	for i := 0; i < len(testFiles); i++ {
 		t.Run(testFiles[i], func(t *testing.T) {
-			testutil.RunTest(testFiles[i], testResults[i], "SSRF", SSRFAnalyzer, t)
+			testutil.RunTest(testFiles[i], testResults[i], "CWE-918: Server-Side Request Forgery", SSRFAnalyzer, t)
 		})
 	}
 }
diff --git a/analyzers/traversal.go b/analyzers/traversal.go
@@ -75,7 +75,7 @@ func traversalRun(pass *analysis.Pass) (interface{}, error) {
 
 					targetFunc := util.GenerateTaintedCode(pass, vulnFunc.Fn, vulnFunc.Instr.Pos())
 					taintSource := taintAnalyzer.TaintSource
-					results = append(results, util.MakeFinding(message, targetFunc, taintSource, "Path Traversal"))
+					results = append(results, util.MakeFinding(message, targetFunc, taintSource, "CWE-22: Path Traversal"))
 
 				}
 			}
diff --git a/analyzers/traversal_test.go b/analyzers/traversal_test.go
@@ -51,7 +51,7 @@ func TestPathTraversal(t *testing.T) {
 	}
 	for i := 0; i < len(testFiles); i++ {
 		t.Run(testFiles[i], func(t *testing.T) {
-			testutil.RunTest(testFiles[i], testResults[i], "Path Traversal", PathTraversalAnalyzer, t)
+			testutil.RunTest(testFiles[i], testResults[i], "CWE-22: Path Traversal", PathTraversalAnalyzer, t)
 		})
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -75,7 +75,7 @@ func cmdInjectionRun(pass *analysis.Pass) (interface{}, error) {`
`75`	`75`	`message := "Danger: possible command injection detected"`
`76`	`76`	`targetFunc := util.GenerateTaintedCode(pass, vulnFunc.Fn, vulnFunc.Instr.Pos())`
`77`	`77`	`taintSource := taintAnalyzer.TaintSource`
`78`		`- finding := util.MakeFinding(message, targetFunc, taintSource, "Command Injection")`
	`78`	`+ finding := util.MakeFinding(message, targetFunc, taintSource, "CWE-78: OS Command Injection")`
`79`	`79`	`results = append(results, finding)`
`80`	`80`	`}`
`81`	`81`	`}`
Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,7 @@ func TestCommandInjection(t *testing.T) {`
`39`	`39`	`}`
`40`	`40`	`for i := 0; i < len(testFiles); i++ {`
`41`	`41`	`t.Run(testFiles[i], func(t *testing.T) {`
`42`		`- testutil.RunTest(testFiles[i], testResults[i], "Command Injection", CommandInjectionAnalyzer, t)`
	`42`	`+ testutil.RunTest(testFiles[i], testResults[i], "CWE-78: OS Command Injection", CommandInjectionAnalyzer, t)`
`43`	`43`	`})`
`44`	`44`	`}`
`45`	`45`	`}`
Original file line number	Diff line number	Diff line change
`@@ -173,9 +173,9 @@ func rsaRun(pass *analysis.Pass) (interface{}, error) {`
`173`	`173`
`174`	`174`	`// Check if argument of vulnerable function has keylen that is less than RECOMMENDED_KEYLEN`
`175`	`175`	`if keylen_check(pass, vulnFunc.Instr.Call.Args[1], call_graph) {`
`176`		`- message := fmt.Sprintf("Danger: key length is too short, recommend %d", RECOMMENDED_KEYLEN)`
	`176`	`+ message := fmt.Sprintf("Danger: RSA key length is too short, recommend %d", RECOMMENDED_KEYLEN)`
`177`	`177`	`targetFunc := util.GenerateTaintedCode(pass, vulnFunc.Fn, vulnFunc.Instr.Pos())`
`178`		`- results = append(results, util.MakeFinding(message, targetFunc, nil, "RSA Key Length"))`
	`178`	`+ results = append(results, util.MakeFinding(message, targetFunc, nil, "CWE-326: Inadequate Encryption Strength"))`
`179`	`179`	`}`
`180`	`180`	`}`
`181`	`181`	`}`
Original file line number	Diff line number	Diff line change
`@@ -51,7 +51,7 @@ func TestRsaKeylen(t *testing.T) {`
`51`	`51`	`}`
`52`	`52`	`for i := 0; i < len(testFiles); i++ {`
`53`	`53`	`t.Run(testFiles[i], func(t *testing.T) {`
`54`		`- testutil.RunTest(testFiles[i], testResults[i], "RSA Key Length", RsaKeylenAnalyzer, t)`
	`54`	`+ testutil.RunTest(testFiles[i], testResults[i], "CWE-326: Inadequate Encryption Strength", RsaKeylenAnalyzer, t)`
`55`	`55`	`})`
`56`	`56`	`}`
`57`	`57`	`}`
Original file line number	Diff line number	Diff line change
`@@ -80,7 +80,7 @@ func sqlRun(pass *analysis.Pass) (interface{}, error) {`
`80`	`80`	`message := "Danger: possible SQL injection detected"`
`81`	`81`	`targetFunc := util.GenerateTaintedCode(pass, vulnFunc.Fn, vulnFunc.Instr.Pos())`
`82`	`82`	`taintSource := taint_analyzer.TaintSource`
`83`		`- results = append(results, util.MakeFinding(message, targetFunc, taintSource, "SQL Injection"))`
	`83`	`+ results = append(results, util.MakeFinding(message, targetFunc, taintSource, "CWE-89: SQL Injection"))`
`84`	`84`	`}`
`85`	`85`	`}`
`86`	`86`	`}`
Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,7 @@ func TestSQLInjection(t *testing.T) {`
`39`	`39`	`}`
`40`	`40`	`for i := 0; i < len(testFiles); i++ {`
`41`	`41`	`t.Run(testFiles[i], func(t *testing.T) {`
`42`		`- testutil.RunTest(testFiles[i], testResults[i], "SQL Injection", SQLInjectionAnalyzer, t)`
	`42`	`+ testutil.RunTest(testFiles[i], testResults[i], "CWE-89: SQL Injection", SQLInjectionAnalyzer, t)`
`43`	`43`	`})`
`44`	`44`	`}`
`45`	`45`	`}`
Original file line number	Diff line number	Diff line change
`@@ -158,7 +158,7 @@ func ssrfRun(pass *analysis.Pass) (interface{}, error) {`
`158`	`158`	`message := "Danger: possible SSRF detected"`
`159`	`159`	`targetFunc := util.GenerateTaintedCode(pass, vulnFunc.Fn, vulnFunc.Instr.Pos())`
`160`	`160`	`taintSource := taintAnalyzer.TaintSource`
`161`		`- results = append(results, util.MakeFinding(message, targetFunc, taintSource, "SSRF"))`
	`161`	`+ results = append(results, util.MakeFinding(message, targetFunc, taintSource, "CWE-918: Server-Side Request Forgery"))`
`162`	`162`
`163`	`163`	`}`
`164`	`164`	`}`
`@@ -169,7 +169,7 @@ func ssrfRun(pass *analysis.Pass) (interface{}, error) {`
`169`	`169`	`message := "Danger: possible SSRF detected"`
`170`	`170`	`targetFunc := util.GenerateTaintedCode(pass, vulnFunc.Fn, vulnFunc.Instr.Pos())`
`171`	`171`	`taintSource := taintAnalyzer.TaintSource`
`172`		`- results = append(results, util.MakeFinding(message, targetFunc, taintSource, "SSRF"))`
	`172`	`+ results = append(results, util.MakeFinding(message, targetFunc, taintSource, "CWE-918: Server-Side Request Forgery"))`
`173`	`173`
`174`	`174`	`}`
`175`	`175`	`}`
Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,7 @@ func TestSSRF(t *testing.T) {`
`47`	`47`	`}`
`48`	`48`	`for i := 0; i < len(testFiles); i++ {`
`49`	`49`	`t.Run(testFiles[i], func(t *testing.T) {`
`50`		`- testutil.RunTest(testFiles[i], testResults[i], "SSRF", SSRFAnalyzer, t)`
	`50`	`+ testutil.RunTest(testFiles[i], testResults[i], "CWE-918: Server-Side Request Forgery", SSRFAnalyzer, t)`
`51`	`51`	`})`
`52`	`52`	`}`
`53`	`53`	`}`
Original file line number	Diff line number	Diff line change
`@@ -75,7 +75,7 @@ func traversalRun(pass *analysis.Pass) (interface{}, error) {`
`75`	`75`
`76`	`76`	`targetFunc := util.GenerateTaintedCode(pass, vulnFunc.Fn, vulnFunc.Instr.Pos())`
`77`	`77`	`taintSource := taintAnalyzer.TaintSource`
`78`		`- results = append(results, util.MakeFinding(message, targetFunc, taintSource, "Path Traversal"))`
	`78`	`+ results = append(results, util.MakeFinding(message, targetFunc, taintSource, "CWE-22: Path Traversal"))`
`79`	`79`
`80`	`80`	`}`
`81`	`81`	`}`
Original file line number	Diff line number	Diff line change
`@@ -51,7 +51,7 @@ func TestPathTraversal(t *testing.T) {`
`51`	`51`	`}`
`52`	`52`	`for i := 0; i < len(testFiles); i++ {`
`53`	`53`	`t.Run(testFiles[i], func(t *testing.T) {`
`54`		`- testutil.RunTest(testFiles[i], testResults[i], "Path Traversal", PathTraversalAnalyzer, t)`
	`54`	`+ testutil.RunTest(testFiles[i], testResults[i], "CWE-22: Path Traversal", PathTraversalAnalyzer, t)`
`55`	`55`	`})`
`56`	`56`	`}`
`57`	`57`	`}`