Skip to content
Open
Show file tree
Hide file tree
Changes from 11 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,108 @@
package org.owasp.benchmarkutils.score.parsers;

import org.json.JSONArray;
import org.json.JSONObject;
import org.owasp.benchmarkutils.score.*;

public class GitLabSastReader extends Reader {
@Override
public boolean canRead(ResultFile resultFile) {
return resultFile.isJson()
&& resultFile.json().has("scan")
&& resultFile
.json()
.getJSONObject("scan")
.getJSONObject("analyzer")
.getJSONObject("vendor")
.getString("name")
.equalsIgnoreCase("GitLab");
}

@Override
public TestSuiteResults parse(ResultFile resultFile) throws Exception {
TestSuiteResults tr = new TestSuiteResults("GitLab-SAST", true, TestSuiteResults.ToolType.SAST);

JSONArray vulnerabilities = resultFile.json().getJSONArray("vulnerabilities");

for (int vulnerability = 0; vulnerability < vulnerabilities.length(); vulnerability++) {
TestCaseResult tcr = parseGitLabSastFindings(vulnerabilities.getJSONObject(vulnerability));
if (tcr != null) {
tr.put(tcr);
}
}
return tr;
}

private TestCaseResult parseGitLabSastFindings(JSONObject vulnerability) {

try {
String className = vulnerability.getJSONObject("location").getString("file");
className = (className.substring(className.lastIndexOf('/') + 1)).split("\\.")[0];

if (className.startsWith(BenchmarkScore.TESTCASENAME)) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you use Reader#testNumber and pass BenchmarkScore.TESTCASENAME to it? So instead of

String className = vulnerability.getJSONObject("location").getString("file");
className = (className.substring(className.lastIndexOf('/') + 1)).split("\\.")[0];

if (className.startsWith(BenchmarkScore.TESTCASENAME)) {
[...]
tcr.setNumber(testNumber(className));

Directly check for the test number:

int testNumber = testNumber(vulnerability.getJSONObject("location").getString("file"));

if(testNumber > -1) {
[...]
tcr.setNumber(testNumber);

Just an idea to reduce the amount of code. Disclaimer: Untested, just an idea 😅

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, Modified it and it is working

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great, thank you!

TestCaseResult tcr = new TestCaseResult();

JSONArray identifiers = vulnerability.getJSONArray("identifiers");

int cwe = identifiers.getJSONObject(1).getInt("value");
cwe = translate(cwe);

String category = identifiers.getJSONObject(2).getString("name");
category = category.split("-")[1].strip();

String evidence = vulnerability.getString("cve");

tcr.setCWE(cwe);
tcr.setCategory(category);
tcr.setEvidence(evidence);
tcr.setConfidence(0);
tcr.setNumber(testNumber(className));

return tcr;
}
} catch (Exception ex) {
ex.printStackTrace();
}

return null;
}

private int translate(int cwe) {

switch (cwe) {
case 22:
return CweNumber.PATH_TRAVERSAL;
case 79:
return CweNumber.XSS;
case 89:
return CweNumber.SQL_INJECTION;
case 90:
return CweNumber.LDAP_INJECTION;
case 113:
return CweNumber.HTTP_RESPONSE_SPLITTING;
case 185:
return CweNumber.COMMAND_INJECTION;
case 326:
case 327:
case 328:
return CweNumber.WEAK_CRYPTO_ALGO;
case 338:
return CweNumber.WEAK_RANDOM;
case 614:
return CweNumber.INSECURE_COOKIE;
case 643:
return CweNumber.XPATH_INJECTION;
case 1004:
return CweNumber.COOKIE_WITHOUT_HTTPONLY;
case 259:
case 306:
break;
default:
System.out.println(
"INFO: Found following CWE in GitLab SAST results which we haven't seen before: "
+ cwe);
}

return cwe;
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,7 @@ public static List<Reader> allReaders() {
new FluidAttacksReader(),
new FortifyReader(),
new FusionLiteInsightReader(),
new GitLabSastReader(),
new HCLAppScanIASTReader(),
new HCLAppScanSourceReader(),
new HCLAppScanStandardReader(),
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
package org.owasp.benchmarkutils.score.parsers;

import org.json.JSONArray;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.owasp.benchmarkutils.score.*;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertTrue;

class GitLabSastReaderTest extends ReaderTestBase {

private ResultFile resultFile;

@BeforeEach
void setUp() {
resultFile = TestHelper.resultFileOf("testfiles/Benchmark_GitLab_SAST.json");
BenchmarkScore.TESTCASENAME = "BenchmarkTest";
}

@Test
public void onlyGitLabSastReaderReportsCanReadAsTrue() {
assertOnlyMatcherClassIs(this.resultFile, GitLabSastReader.class);
}

@Test
void readerHandlesGivenResultFile() throws Exception {
GitLabSastReader reader = new GitLabSastReader();
TestSuiteResults result = reader.parse(resultFile);

assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType());
assertTrue(result.isCommercial());
assertEquals("GitLab-SAST", result.getToolName());

assertEquals(5, result.getTotalResults());

assertEquals(CweNumber.WEAK_CRYPTO_ALGO, result.get(1).get(0).getCWE());
assertEquals(CweNumber.PATH_TRAVERSAL, result.get(5).get(0).getCWE());
}

@Test
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you test the test here? What does this test do?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually before implementing a logic in the main java file, I was trying it out in the test file. Only when It passes, i add the same logic there. This is an unnecessary test, I'll remove it

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please let me know, if I need to remove this test

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd recommend to remove it, since it's basically just testing the testfile, not the reader.

void isAbleToExtractDataToCreateTestCaseResults() {
JSONArray vulnerabilities = resultFile.json().getJSONArray("vulnerabilities");
String path = vulnerabilities.getJSONObject(1).getJSONObject("location").getString("file");

assertEquals("src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java", path);

String className = (path.substring(path.lastIndexOf('/') + 1)).split("\\.")[0];
assertTrue(className.startsWith(BenchmarkScore.TESTCASENAME));

JSONArray identifiers = vulnerabilities.getJSONObject(1).getJSONArray("identifiers");
int cwe = identifiers.getJSONObject(1).getInt("value");
assertEquals(327, cwe);

String category = identifiers.getJSONObject(2).getString("name");
category = category.split("-")[1].strip();
assertEquals("Cryptographic Failures", category);

String evidence = vulnerabilities.getJSONObject(1).getString("cve");
assertEquals("semgrep_id:find_sec_bugs.CIPHER_INTEGRITY-1:71:71", evidence);
}
}
Loading